|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
*/ |
|
|
|
package sun.security.jgss.krb5; |
|
|
|
import com.sun.security.jgss.AuthorizationDataEntry; |
|
import org.ietf.jgss.*; |
|
import java.io.InputStream; |
|
import java.io.IOException; |
|
|
|
import sun.security.action.GetPropertyAction; |
|
import sun.security.krb5.*; |
|
import java.net.InetAddress; |
|
import sun.security.krb5.internal.AuthorizationData; |
|
import sun.security.krb5.internal.KerberosTime; |
|
|
|
class InitSecContextToken extends InitialToken { |
|
|
|
// If non-mutual authentication is requested, there is no AP-REP message. |
|
// The acceptor thus has no chance to send the seq-number field to the |
|
// initiator. In this case, the initiator and acceptor should has an |
|
// agreement to derive acceptor's initial seq-number if the acceptor wishes |
|
// to send messages to the initiator. |
|
|
|
// If this flag is true, it will the same as the initiator's initial |
|
// seq-number (as MIT krb5 and Windows SSPI do). Otherwise, it will be zero |
|
|
|
private static final boolean ACCEPTOR_USE_INITIATOR_SEQNUM; |
|
|
|
static { |
|
// The ACCEPTOR_USE_INITIATOR_SEQNUM value is determined by the system |
|
// property "sun.security.krb5.acceptor.sequence.number.nonmutual", |
|
|
|
String propName = "sun.security.krb5.acceptor.sequence.number.nonmutual"; |
|
String s = GetPropertyAction.privilegedGetProperty(propName, "initiator"); |
|
if (s.equals("initiator")) { |
|
ACCEPTOR_USE_INITIATOR_SEQNUM = true; |
|
} else if (s.equals("zero") || s.equals("0")) { |
|
ACCEPTOR_USE_INITIATOR_SEQNUM = false; |
|
} else { |
|
throw new AssertionError("Unrecognized value for " + propName |
|
+ ": " + s); |
|
} |
|
} |
|
|
|
private KrbApReq apReq = null; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
*/ |
|
InitSecContextToken(Krb5Context context, |
|
Credentials tgt, |
|
Credentials serviceTicket) |
|
throws KrbException, IOException, GSSException { |
|
|
|
boolean mutualRequired = context.getMutualAuthState(); |
|
boolean useSubkey = true; |
|
boolean useSequenceNumber = true; |
|
|
|
OverloadedChecksum gssChecksum = |
|
new OverloadedChecksum(context, tgt, serviceTicket); |
|
|
|
Checksum checksum = gssChecksum.getChecksum(); |
|
|
|
context.setTktFlags(serviceTicket.getFlags()); |
|
context.setAuthTime( |
|
new KerberosTime(serviceTicket.getAuthTime()).toString()); |
|
apReq = new KrbApReq(serviceTicket, |
|
mutualRequired, |
|
useSubkey, |
|
useSequenceNumber, |
|
checksum); |
|
|
|
context.resetMySequenceNumber(apReq.getSeqNumber().intValue()); |
|
|
|
EncryptionKey subKey = apReq.getSubKey(); |
|
if (subKey != null) |
|
context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey); |
|
else |
|
context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey()); |
|
|
|
if (!mutualRequired) |
|
context.resetPeerSequenceNumber( |
|
ACCEPTOR_USE_INITIATOR_SEQNUM |
|
? apReq.getSeqNumber().intValue() |
|
: 0); |
|
} |
|
|
|
|
|
|
|
|
|
*/ |
|
InitSecContextToken(Krb5Context context, Krb5AcceptCredential cred, |
|
InputStream is) |
|
throws IOException, GSSException, KrbException { |
|
|
|
int tokenId = ((is.read()<<8) | is.read()); |
|
|
|
if (tokenId != Krb5Token.AP_REQ_ID) |
|
throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
|
"AP_REQ token id does not match!"); |
|
|
|
|
|
byte[] apReqBytes = |
|
new sun.security.util.DerValue(is).toByteArray(); |
|
//debug("=====ApReqBytes: [" + getHexBytes(apReqBytes) + "]\n"); |
|
|
|
InetAddress addr = null; |
|
if (context.getChannelBinding() != null) { |
|
addr = context.getChannelBinding().getInitiatorAddress(); |
|
} |
|
apReq = new KrbApReq(apReqBytes, cred, addr); |
|
//debug("\nReceived AP-REQ and authenticated it.\n"); |
|
|
|
EncryptionKey sessionKey = apReq.getCreds().getSessionKey(); |
|
|
|
/* |
|
System.out.println("\n\nSession key from service ticket is: " + |
|
getHexBytes(sessionKey.getBytes())); |
|
*/ |
|
|
|
EncryptionKey subKey = apReq.getSubKey(); |
|
if (subKey != null) { |
|
context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey); |
|
/* |
|
System.out.println("Sub-Session key from authenticator is: " + |
|
getHexBytes(subKey.getBytes()) + "\n"); |
|
*/ |
|
} else { |
|
context.setKey(Krb5Context.SESSION_KEY, sessionKey); |
|
//System.out.println("Sub-Session Key Missing in Authenticator.\n"); |
|
} |
|
|
|
OverloadedChecksum gssChecksum = new OverloadedChecksum( |
|
context, apReq.getChecksum(), sessionKey, subKey); |
|
gssChecksum.setContextFlags(context); |
|
Credentials delegCred = gssChecksum.getDelegatedCreds(); |
|
if (delegCred != null) { |
|
Krb5CredElement credElement = |
|
Krb5InitCredential.getInstance( |
|
(Krb5NameElement)context.getSrcName(), |
|
delegCred); |
|
context.setDelegCred(credElement); |
|
} |
|
|
|
Integer apReqSeqNumber = apReq.getSeqNumber(); |
|
int peerSeqNumber = (apReqSeqNumber != null ? |
|
apReqSeqNumber.intValue() : |
|
0); |
|
context.resetPeerSequenceNumber(peerSeqNumber); |
|
if (!context.getMutualAuthState()) { |
|
context.resetMySequenceNumber( |
|
ACCEPTOR_USE_INITIATOR_SEQNUM |
|
? peerSeqNumber |
|
: 0); |
|
} |
|
context.setAuthTime( |
|
new KerberosTime(apReq.getCreds().getAuthTime()).toString()); |
|
context.setTktFlags(apReq.getCreds().getFlags()); |
|
AuthorizationData ad = apReq.getCreds().getAuthzData(); |
|
if (ad == null) { |
|
context.setAuthzData(null); |
|
} else { |
|
AuthorizationDataEntry[] authzData = |
|
new AuthorizationDataEntry[ad.count()]; |
|
for (int i=0; i<ad.count(); i++) { |
|
authzData[i] = new AuthorizationDataEntry( |
|
ad.item(i).adType, ad.item(i).adData); |
|
} |
|
context.setAuthzData(authzData); |
|
} |
|
} |
|
|
|
public final KrbApReq getKrbApReq() { |
|
return apReq; |
|
} |
|
|
|
public final byte[] encode() throws IOException { |
|
byte[] apReqBytes = apReq.getMessage(); |
|
byte[] retVal = new byte[2 + apReqBytes.length]; |
|
writeInt(Krb5Token.AP_REQ_ID, retVal, 0); |
|
System.arraycopy(apReqBytes, 0, retVal, 2, apReqBytes.length); |
|
// System.out.println("GSS-Token with AP_REQ is:"); |
|
|
|
return retVal; |
|
} |
|
} |