/*
 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 *
 * (C) Copyright IBM Corp. 1999 All Rights Reserved.
 * Copyright 1997 The Open Group Research Institute. All rights reserved.
 */
package sun.security.krb5;
import sun.security.krb5.internal.*;
import sun.security.krb5.internal.crypto.*;
import java.io.IOException;
import java.net.UnknownHostException;
import java.time.Instant;
import java.util.Arrays;
/**
 * This class encapsulates a Kerberos TGS-REQ that is sent from the
 * client to the KDC, together with the state (request key, request
 * time, second ticket) needed to process the corresponding TGS-REP.
 */
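public class KrbTgsReq {

    // Client principal (cname) placed in the request body.
    private PrincipalName princName;
    private PrincipalName clientAlias;
    // Service principal (sname); its realm selects the KDC contacted by send().
    private PrincipalName servName;
    private PrincipalName serverAlias;
    // The fully built TGS-REQ message.
    private TGSReq tgsReqMessg;
    // Time captured at construction; reused as the authenticator time in
    // createRequest() so the request and its AP-REQ carry the same ctime.
    private KerberosTime ctime;
    // First additional ticket when ENC_TKT_IN_SKEY or CNAME_IN_ADDL_TKT is
    // requested; null otherwise.
    private Ticket secondTicket = null;
    // True when a sub-session key was sent in the AP-REQ (see createRequest()).
    private boolean useSubkey = false;
    // Key that is expected to decrypt the TGS-REP: the sub-session key when
    // one was used, otherwise the TGT session key (RFC 4120, section 5.4.2).
    EncryptionKey tgsReqKey;

    // obuf: ASN.1-encoded TGS-REQ, filled by the constructor.
    // ibuf: raw KDC reply, filled by send(); null until then.
    private byte[] obuf;
    private byte[] ibuf;

    // Used in CredentialsUtil
    public KrbTgsReq(KDCOptions options, Credentials asCreds,
            PrincipalName cname, PrincipalName clientAlias,
            PrincipalName sname, PrincipalName serverAlias,
            Ticket[] additionalTickets, PAData[] extraPAs)
        throws KrbException, IOException {
        this(options,
             asCreds,
             cname,
             clientAlias,
             sname,
             serverAlias,
             null, // KerberosTime from
             null, // KerberosTime till
             null, // KerberosTime rtime
             null, // int[] eTypes
             null, // HostAddresses addresses
             null, // AuthorizationData authorizationData
             additionalTickets,
             null, // EncryptionKey subKey
             extraPAs);
    }

    // Called by Credentials, KrbCred
    KrbTgsReq(
            KDCOptions options,
            Credentials asCreds,
            PrincipalName sname,
            PrincipalName serverAlias,
            KerberosTime from,
            KerberosTime till,
            KerberosTime rtime,
            int[] eTypes,
            HostAddresses addresses,
            AuthorizationData authorizationData,
            Ticket[] additionalTickets,
            EncryptionKey subKey) throws KrbException, IOException {
        // The client name and alias are taken from the TGT credentials.
        this(options, asCreds, asCreds.getClient(), asCreds.getClientAlias(),
                sname, serverAlias, from, till, rtime, eTypes,
                addresses, authorizationData, additionalTickets, subKey, null);
    }

    /**
     * Builds and encodes the TGS-REQ.
     *
     * The requested {@code options} are first checked against the flags of
     * the TGT in {@code asCreds}: a FORWARDABLE request that the TGT cannot
     * satisfy is silently downgraded, every other unsatisfiable option is
     * rejected with {@code KRB_AP_ERR_REQ_OPTIONS}. Note that {@code options}
     * is the caller's object and is modified in place (FORWARDABLE may be
     * cleared; FORWARDED is set afterwards when the TGT itself is forwarded).
     *
     * @param options requested KDC options; modified in place as described
     * @param asCreds the TGT credentials used to authenticate this request
     * @param cname client principal placed in the request
     * @param clientAlias client alias recorded for the reply
     * @param sname service principal being requested
     * @param serverAlias server alias recorded for the reply
     * @param from start time, only kept when POSTDATED is requested
     * @param till requested end time, or null for the configured default
     * @param rtime renew-till time, only kept when RENEWABLE is requested
     * @param eTypes acceptable encryption types, or null for the defaults
     * @param addresses client addresses to put in the request, may be null
     * @param authorizationData authorization data to encrypt into the
     *        request, may be null
     * @param additionalTickets required (non-empty) when ENC_TKT_IN_SKEY or
     *        CNAME_IN_ADDL_TKT is requested, dropped otherwise
     * @param subKey optional sub-session key; only used when
     *        {@code authorizationData} is non-null
     * @param extraPAs additional pre-authentication data, may be null
     * @throws KrbException if the options are inconsistent with the TGT
     * @throws IOException if the request cannot be encoded
     */
    private KrbTgsReq(
            KDCOptions options,
            Credentials asCreds,
            PrincipalName cname,
            PrincipalName clientAlias,
            PrincipalName sname,
            PrincipalName serverAlias,
            KerberosTime from,
            KerberosTime till,
            KerberosTime rtime,
            int[] eTypes,
            HostAddresses addresses,
            AuthorizationData authorizationData,
            Ticket[] additionalTickets,
            EncryptionKey subKey,
            PAData[] extraPAs) throws KrbException, IOException {

        princName = cname;
        this.clientAlias = clientAlias;
        servName = sname;
        this.serverAlias = serverAlias;
        ctime = KerberosTime.now();

        // check if they are valid arguments. The optional fields
        // should be consistent with settings in KDCOptions.

        if (options.get(KDCOptions.FORWARDABLE) &&
                (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
            options.set(KDCOptions.FORWARDABLE, false);
        }
        if (options.get(KDCOptions.FORWARDED)) {
            if (!(asCreds.flags.get(KDCOptions.FORWARDABLE))) {
                throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
            }
        }
        if (options.get(KDCOptions.PROXIABLE) &&
                (!(asCreds.flags.get(Krb5.TKT_OPTS_PROXIABLE)))) {
            throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
        }
        if (options.get(KDCOptions.PROXY)) {
            if (!(asCreds.flags.get(KDCOptions.PROXIABLE))) {
                throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
            }
        }
        if (options.get(KDCOptions.ALLOW_POSTDATE) &&
                (!(asCreds.flags.get(Krb5.TKT_OPTS_MAY_POSTDATE)))) {
            throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
        }
        if (options.get(KDCOptions.RENEWABLE) &&
                (!(asCreds.flags.get(Krb5.TKT_OPTS_RENEWABLE)))) {
            throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
        }

        if (options.get(KDCOptions.POSTDATED)) {
            if (!(asCreds.flags.get(KDCOptions.POSTDATED))) {
                throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
            }
        } else {
            // A start time is only meaningful for a postdated request.
            from = null;
        }
        if (options.get(KDCOptions.RENEWABLE)) {
            if (!(asCreds.flags.get(KDCOptions.RENEWABLE))) {
                throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
            }
        } else {
            // A renew-till time is only meaningful for a renewable request.
            rtime = null;
        }
        if (options.get(KDCOptions.ENC_TKT_IN_SKEY)
                || options.get(KDCOptions.CNAME_IN_ADDL_TKT)) {
            // An empty array is as unusable as a missing one; report both as
            // a request-option error instead of failing on the index below.
            if (additionalTickets == null || additionalTickets.length == 0) {
                throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
            }
            // in TGS_REQ there could be more than one additional
            // tickets, but in file-based credential cache,
            // there is only one additional ticket field.
            secondTicket = additionalTickets[0];
        } else {
            // Additional tickets are not sent unless an option needs them.
            additionalTickets = null;
        }

        tgsReqMessg = createRequest(
                options,
                asCreds.ticket,
                asCreds.key,
                ctime,
                princName,
                servName,
                from,
                till,
                rtime,
                eTypes,
                addresses,
                authorizationData,
                additionalTickets,
                subKey,
                extraPAs);
        obuf = tgsReqMessg.asn1Encode();

        // XXX We need to revisit this to see if can't move it
        // up such that FORWARDED flag set in the options
        // is included in the marshaled request.
        /*
         * If this is based on a forwarded ticket, record that in the
         * options, because the returned TgsRep will contain the
         * FORWARDED flag set.
         */
        if (asCreds.flags.get(KDCOptions.FORWARDED)) {
            options.set(KDCOptions.FORWARDED, true);
        }
    }

    /**
     * Sends a TGS request to the realm of the target.
     *
     * The KDC is chosen from the realm of the service principal (or the
     * default realm when no service name is set). The raw reply is kept
     * for {@link #getReply()}.
     *
     * @throws KrbException
     * @throws IOException
     */
    public void send() throws IOException, KrbException {
        String realmStr = null;
        if (servName != null) {
            realmStr = servName.getRealmString();
        }
        KdcComm comm = new KdcComm(realmStr);
        ibuf = comm.send(obuf);
    }

    /**
     * Parses the reply received by {@link #send()}.
     *
     * This request is handed to the reply so that the reply can be matched
     * against it (request key, ctime, second ticket, aliases). Must be
     * called after {@link #send()}; before that the reply buffer is null.
     *
     * @return the parsed TGS-REP
     * @throws KrbException if the reply is invalid
     * @throws IOException if the reply cannot be decoded
     */
    public KrbTgsRep getReply()
        throws KrbException, IOException {
        return new KrbTgsRep(ibuf, this);
    }

    /**
     * Sends the request, waits for a reply, and returns the Credentials.
     * Used in Credentials, KrbCred, and internal/CredentialsUtil.
     *
     * @return the credentials obtained from the TGS-REP
     * @throws IOException if sending or decoding fails
     * @throws KrbException if the KDC returns an error or the reply is invalid
     */
    public Credentials sendAndGetCreds() throws IOException, KrbException {
        send();
        KrbTgsRep tgsRep = getReply();
        return tgsRep.getCreds();
    }

    // Time the request was created; used by the reply to validate the
    // response against this request.
    KerberosTime getCtime() {
        return ctime;
    }

    /**
     * Assembles the TGS-REQ: the KDC-REQ-BODY, a keyed checksum over its
     * encoding, and an AP-REQ (built from the TGT) carrying that checksum as
     * PA-TGS-REQ pre-authentication data.
     *
     * Side effects: sets {@code tgsReqKey} to the key that must decrypt the
     * reply, and {@code useSubkey} when a sub-session key is used. Note that
     * {@code subKey} is only used when {@code authorizationData} is present;
     * otherwise it is ignored and no sub-session key is sent.
     *
     * @return the complete TGS-REQ message
     * @throws IOException if any component cannot be encoded
     * @throws KrbException if a cryptographic operation fails
     */
    private TGSReq createRequest(
            KDCOptions kdc_options,
            Ticket ticket,
            EncryptionKey key,
            KerberosTime ctime,
            PrincipalName cname,
            PrincipalName sname,
            KerberosTime from,
            KerberosTime till,
            KerberosTime rtime,
            int[] eTypes,
            HostAddresses addresses,
            AuthorizationData authorizationData,
            Ticket[] additionalTickets,
            EncryptionKey subKey,
            PAData[] extraPAs)
        throws IOException, KrbException, UnknownHostException {
        // End time: explicit, else libdefaults.ticket_lifetime from now,
        // else 0 which lets the KDC choose its maximum.
        KerberosTime req_till = null;
        if (till == null) {
            String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
            if (d != null) {
                req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
            } else {
                req_till = new KerberosTime(0); // Choose KDC maximum allowed
            }
        } else {
            req_till = till;
        }

        /*
         * RFC 4120, Section 5.4.2.
         * For KRB_TGS_REP, the ciphertext is encrypted in the
         * sub-session key from the Authenticator, or if absent,
         * the session key from the ticket-granting ticket used
         * in the request.
         *
         * To support this, use tgsReqKey to remember which key to use.
         */
        tgsReqKey = key;

        int[] req_eTypes = null;
        if (eTypes == null) {
            req_eTypes = EType.getDefaults("default_tgs_enctypes");
        } else {
            req_eTypes = eTypes;
        }

        // reqKey is the sub-session key placed in the authenticator; it stays
        // null (no sub-key sent) unless authorization data is present.
        EncryptionKey reqKey = null;
        EncryptedData encAuthorizationData = null;
        if (authorizationData != null) {
            byte[] ad = authorizationData.asn1Encode();
            if (subKey != null) {
                reqKey = subKey;
                tgsReqKey = subKey; // Key to use to decrypt reply
                useSubkey = true;
                encAuthorizationData = new EncryptedData(reqKey, ad,
                        KeyUsage.KU_TGS_REQ_AUTH_DATA_SUBKEY);
            } else {
                encAuthorizationData = new EncryptedData(key, ad,
                        KeyUsage.KU_TGS_REQ_AUTH_DATA_SESSKEY);
            }
        }

        KDCReqBody reqBody = new KDCReqBody(
                kdc_options,
                cname,
                sname,
                from,
                req_till,
                rtime,
                Nonce.value(),
                req_eTypes,
                addresses,
                encAuthorizationData,
                additionalTickets);

        byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ);
        // if the checksum type is one of the keyed checksum types,
        // use session key. The checksum binds the request body to the
        // AP-REQ so the KDC can detect tampering with the body.
        Checksum cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
                KeyUsage.KU_PA_TGS_REQ_CKSUM);

        // Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR

        byte[] tgs_ap_req = new KrbApReq(
                new APOptions(),
                ticket,
                key,
                cname,
                cksum,
                ctime,
                reqKey,
                null,
                null).getMessage();

        // PA-TGS-REQ is appended after any caller-supplied pre-auth data.
        PAData tgsPAData = new PAData(Krb5.PA_TGS_REQ, tgs_ap_req);
        PAData[] pa;
        if (extraPAs != null) {
            pa = Arrays.copyOf(extraPAs, extraPAs.length + 1);
            pa[extraPAs.length] = tgsPAData;
        } else {
            pa = new PAData[] {tgsPAData};
        }
        return new TGSReq(pa, reqBody);
    }

    // The built TGS-REQ message.
    TGSReq getMessage() {
        return tgsReqMessg;
    }

    // The additional ticket recorded for ENC_TKT_IN_SKEY / CNAME_IN_ADDL_TKT,
    // or null.
    Ticket getSecondTicket() {
        return secondTicket;
    }

    PrincipalName getClientAlias() {
        return clientAlias;
    }

    PrincipalName getServerAlias() {
        return serverAlias;
    }

    // Disabled trace hook; intentionally a no-op.
    private static void debug(String message) {
        // System.err.println(">>> KrbTgsReq: " + message);
    }

    // Whether a sub-session key was sent in the AP-REQ (and so is expected
    // to decrypt the reply).
    boolean usedSubkey() {
        return useSubkey;
    }

}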