Path: blob/master/src/java.security.jgss/share/classes/sun/security/krb5/KrbCred.java
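/*
 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 *
 *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
 *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
 */

package sun.security.krb5;

import sun.security.krb5.internal.*;
import sun.security.krb5.internal.crypto.KeyUsage;
import java.io.IOException;

import sun.security.util.DerValue;

/**
 * This class encapsulates the KRB-CRED message that a client uses to
 * send its delegated credentials to a server.
 *
 * Supports delegation of one ticket only: only the first ticket and the
 * first KrbCredInfo of a received message are consumed, and an outgoing
 * message always carries exactly one ticket.
 * @author Mayank Upadhyay
 */
public class KrbCred {

    private static final boolean DEBUG = Krb5.DEBUG;

    // ASN.1 encoding of the outgoing message; only set by the sending
    // constructor, null on the receiving side.
    private byte[] obuf = null;
    private KRBCred credMessg = null;
    // First ticket of a received message; only set by the receiving
    // constructor.
    private Ticket ticket = null;
    // Delegated credentials recovered from a received message.
    private Credentials creds = null;
    // Timestamp placed in (sender) or read from (receiver) EncKrbCredPart.
    private KerberosTime timeStamp = null;

    /**
     * Builds a KRB-CRED message carrying a forwarded TGT for the peer.
     *
     * A TGS-REQ with the FORWARDED and FORWARDABLE options is sent to
     * obtain the forwarded TGT; the resulting credentials are wrapped in
     * an EncKrbCredPart encrypted under {@code key}.
     *
     * @param tgt           the caller's TGT
     * @param serviceTicket the service ticket for the peer; its client
     *                      principal must equal the TGT's client principal
     * @param key           key used to encrypt the EncKrbCredPart
     *                      (InitialToken passes a null key here)
     * @throws KrbException if the client principals do not match, or if
     *                      the TGS exchange fails
     * @throws IOException  on ASN.1 encoding failure
     */
    // Used in InitialToken with null key
    public KrbCred(Credentials tgt,
                   Credentials serviceTicket,
                   EncryptionKey key)
            throws KrbException, IOException {

        PrincipalName client = tgt.getClient();
        PrincipalName tgService = tgt.getServer();
        if (!serviceTicket.getClient().equals(client)) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                    "Client principal does not match");
        }

        // XXX Check Windows flag OK-TO-FORWARD-TO

        // Invoke TGS-REQ to get a forwarded TGT for the peer
        KDCOptions options = new KDCOptions();
        options.set(KDCOptions.FORWARDED, true);
        options.set(KDCOptions.FORWARDABLE, true);

        KrbTgsReq tgsReq = new KrbTgsReq(options, tgt, tgService,
                null, null, null, null, null,
                null, // No easy way to get addresses right
                null, null, null);
        credMessg = createMessage(tgsReq.sendAndGetCreds(), key);

        obuf = credMessg.asn1Encode();
    }

    /**
     * Wraps the given (forwarded) credentials into a KRB-CRED message.
     *
     * The EncKrbCredPart holds a single KrbCredInfo built from the
     * credentials plus a fresh timestamp, and is encrypted under
     * {@code key} with key usage KU_ENC_KRB_CRED_PART.
     *
     * @param delegatedCreds credentials (including ticket and session key)
     *                       to delegate
     * @param key            key used to encrypt the EncKrbCredPart
     * @return the assembled KRB-CRED message (also stored in this object)
     * @throws KrbException on encryption failure
     * @throws IOException  on ASN.1 encoding failure
     */
    KRBCred createMessage(Credentials delegatedCreds, EncryptionKey key)
            throws KrbException, IOException {

        EncryptionKey sessionKey = delegatedCreds.getSessionKey();
        PrincipalName princ = delegatedCreds.getClient();
        PrincipalName tgService = delegatedCreds.getServer();

        KrbCredInfo credInfo = new KrbCredInfo(sessionKey,
                princ, delegatedCreds.flags, delegatedCreds.authTime,
                delegatedCreds.startTime, delegatedCreds.endTime,
                delegatedCreds.renewTill, tgService,
                delegatedCreds.cAddr);

        timeStamp = KerberosTime.now();
        KrbCredInfo[] credInfos = {credInfo};
        EncKrbCredPart encPart =
                new EncKrbCredPart(credInfos,
                        timeStamp, null, null, null, null);

        EncryptedData encEncPart = new EncryptedData(key,
                encPart.asn1Encode(), KeyUsage.KU_ENC_KRB_CRED_PART);

        Ticket[] tickets = {delegatedCreds.ticket};

        credMessg = new KRBCred(tickets, encEncPart);

        return credMessg;
    }

    /**
     * Parses a KRB-CRED message received from the peer and recovers the
     * delegated credentials.
     *
     * Only the first ticket and the first KrbCredInfo are used. If the
     * message's EncKrbCredPart carries etype 0 (sent in the clear),
     * {@code key} is replaced by {@link EncryptionKey#NULL_KEY} and no
     * decryption takes place; whether an unprotected KRB-CRED is
     * acceptable is decided by the caller's context, not here.
     *
     * @param asn1Message DER encoding of the KRB-CRED message (untrusted
     *                    peer input)
     * @param key         key used to decrypt the EncKrbCredPart; ignored
     *                    when the message etype is 0
     * @throws KrbException if the message carries no ticket or no ticket
     *                      info, or if decryption fails
     * @throws IOException  on ASN.1 decoding failure
     */
    // Used in InitialToken, NULL_KEY might be used
    public KrbCred(byte[] asn1Message, EncryptionKey key)
            throws KrbException, IOException {

        credMessg = new KRBCred(asn1Message);

        // Peer-supplied message: check the ticket list before indexing it
        // so a malformed message fails with KrbException rather than an
        // ArrayIndexOutOfBoundsException.
        if (credMessg.tickets == null || credMessg.tickets.length == 0) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                    "KRB-CRED message contains no ticket");
        }
        ticket = credMessg.tickets[0];

        // etype 0 means the EncKrbCredPart was not encrypted.
        if (credMessg.encPart.getEType() == 0) {
            key = EncryptionKey.NULL_KEY;
        }
        byte[] temp = credMessg.encPart.decrypt(key,
                KeyUsage.KU_ENC_KRB_CRED_PART);
        byte[] plainText = credMessg.encPart.reset(temp);
        DerValue encoding = new DerValue(plainText);
        EncKrbCredPart encPart = new EncKrbCredPart(encoding);

        timeStamp = encPart.timeStamp;

        // Same defensive check on the decrypted part.
        if (encPart.ticketInfo == null || encPart.ticketInfo.length == 0) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                    "KRB-CRED message contains no ticket info");
        }
        KrbCredInfo credInfo = encPart.ticketInfo[0];
        EncryptionKey credInfoKey = credInfo.key;
        PrincipalName pname = credInfo.pname;
        TicketFlags flags = credInfo.flags;
        KerberosTime authtime = credInfo.authtime;
        KerberosTime starttime = credInfo.starttime;
        KerberosTime endtime = credInfo.endtime;
        KerberosTime renewTill = credInfo.renewTill;
        PrincipalName sname = credInfo.sname;
        HostAddresses caddr = credInfo.caddr;

        if (DEBUG) {
            // Principal names and times only; the session key is never logged.
            System.out.println(">>>Delegated Creds have pname=" + pname
                    + " sname=" + sname
                    + " authtime=" + authtime
                    + " starttime=" + starttime
                    + " endtime=" + endtime
                    + " renewTill=" + renewTill);
        }
        creds = new Credentials(ticket, pname, null, sname, null, credInfoKey,
                flags, authtime, starttime, endtime, renewTill, caddr);
    }

    /**
     * Returns the delegated credentials from the peer.
     *
     * @return a fresh one-element array holding the credentials recovered
     *         by the receiving constructor; the element is null if this
     *         object was built by the sending constructor
     */
    public Credentials[] getDelegatedCreds() {
        Credentials[] allCreds = {creds};
        return allCreds;
    }

    /**
     * Returns the ASN.1 encoding that should be sent to the peer.
     *
     * @return the internal encoding buffer (not a copy); null if this
     *         object was built from a received message
     */
    public byte[] getMessage() {
        return obuf;
    }
}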