GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5ProxyCredential.java
/*
* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.jgss.krb5;
import org.ietf.jgss.*;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*;
import java.io.IOException;
import sun.security.krb5.Credentials;
import sun.security.krb5.KrbException;
import sun.security.krb5.internal.Ticket;
import javax.security.auth.kerberos.KerberosTicket;
/**
* Implements the krb5 proxy credential element used in constrained
* delegation. It is used in both impersonation (where there is no Kerberos 5
* communication between the middle server and the client) and normal
* constrained delegation (where there is, but client has not called
* requestCredDeleg(true)).
* @since 1.8
*/
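public class Krb5ProxyCredential
    implements Krb5CredElement {

    // The middle server's own initiator credential. Every lifetime query and
    // dispose() on this object is forwarded to it.
    // NOTE(review): this field is public and holds credential material;
    // it is kept public here because code outside this file may read it.
    public final Krb5InitCredential self;

    // The client on whose behalf the middle server acts.
    private final Krb5NameElement client;

    // The ticket with cname=client and sname=self. This can be a normal
    // service ticket or an S4U2self ticket.
    public final Ticket tkt;

    /**
     * Binds a middle-server credential to the client it acts for.
     *
     * @param self   the middle server's initiator credential
     * @param client the name of the client behind the proxy
     * @param tkt    the ticket issued for {@code client} to {@code self}
     */
    Krb5ProxyCredential(Krb5InitCredential self, Krb5NameElement client,
            Ticket tkt) {
        this.self = self;
        this.tkt = tkt;
        this.client = client;
    }

    /**
     * Returns the client name behind the proxy, not the name of the middle
     * server that holds the credential.
     */
    @Override
    public final Krb5NameElement getName() throws GSSException {
        return client;
    }

    /**
     * Returns the initiator lifetime of the middle server's credential.
     */
    @Override
    public int getInitLifetime() throws GSSException {
        // endTime of tkt is not used by KDC, and it's also not
        // available in the case of kerberos constr deleg
        return self.getInitLifetime();
    }

    /**
     * Always returns 0: this element never reports an acceptor lifetime.
     */
    @Override
    public int getAcceptLifetime() throws GSSException {
        return 0;
    }

    /**
     * Always returns {@code true}.
     */
    @Override
    public boolean isInitiatorCredential() throws GSSException {
        return true;
    }

    /**
     * Always returns {@code false}.
     */
    @Override
    public boolean isAcceptorCredential() throws GSSException {
        return false;
    }

    /**
     * Returns the Kerberos 5 mechanism OID published by
     * {@code Krb5MechFactory}.
     */
    @Override
    public final Oid getMechanism() {
        return Krb5MechFactory.GSS_KRB5_MECH_OID;
    }

    /**
     * Returns the provider published by {@code Krb5MechFactory}.
     */
    @Override
    public final java.security.Provider getProvider() {
        return Krb5MechFactory.PROVIDER;
    }

    /**
     * Destroys the middle server's initiator credential {@code self}.
     *
     * @throws GSSException with major code {@code FAILURE} when the
     *         credential could not be destroyed; the underlying
     *         {@code DestroyFailedException} is attached as the cause
     */
    @Override
    public void dispose() throws GSSException {
        try {
            self.destroy();
        } catch (javax.security.auth.DestroyFailedException e) {
            GSSException gssException =
                new GSSException(GSSException.FAILURE, -1,
                    "Could not destroy credentials - " + e.getMessage());
            gssException.initCause(e);
            // The exception used to be built and then dropped, so a failed
            // destroy looked like success. Report it: the caller must not
            // assume the credential is gone when it may still be usable.
            throw gssException;
        }
    }

    /**
     * Always fails: a proxy credential cannot itself impersonate another
     * name.
     *
     * @throws GSSException always, with major code {@code FAILURE}
     */
    @Override
    public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
        // Cannot impersonate multiple levels without the impersonatee's TGT.
        throw new GSSException(GSSException.FAILURE, -1,
            "Only an initiate credentials can impersonate");
    }

    /**
     * Decides whether a default credential should act as an impersonator.
     *
     * <p>When {@code initiator.proxyTicket} is set, the ticket is converted
     * to credentials and wrapped in a {@code Krb5ProxyCredential} whose name
     * is the ticket's client; otherwise {@code initiator} is returned
     * unchanged.
     *
     * @param caller    not used by this method
     * @param initiator the default initiator credential to inspect
     * @return a proxy credential, or {@code initiator} itself when it
     *         carries no proxy ticket
     * @throws GSSException with major code {@code DEFECTIVE_CREDENTIAL} when
     *         the proxy ticket cannot be converted; the original
     *         {@code KrbException} or {@code IOException} is the cause
     */
    static Krb5CredElement tryImpersonation(GSSCaller caller,
            Krb5InitCredential initiator) throws GSSException {

        try {
            KerberosTicket proxy = initiator.proxyTicket;
            if (proxy == null) {
                return initiator;
            }
            Credentials proxyCreds = Krb5Util.ticketToCreds(proxy);
            return new Krb5ProxyCredential(initiator,
                Krb5NameElement.getInstance(proxyCreds.getClient()),
                proxyCreds.getTicket());
        } catch (KrbException | IOException e) {
            GSSException gssException =
                new GSSException(GSSException.DEFECTIVE_CREDENTIAL, -1,
                    "Cannot create proxy credential");
            // Keep the root cause so a malformed or unreadable proxy ticket
            // can be diagnosed from the stack trace.
            gssException.initCause(e);
            throw gssException;
        }
    }
}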