Back to index...

	/*
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	/*
	*
	* (C) Copyright IBM Corp. 1999 All Rights Reserved.
	* Copyright 1997 The Open Group Research Institute. All rights reserved.
	*/

	package sun.security.krb5.internal;

	import sun.security.krb5.Config;
	import sun.security.krb5.KrbException;
	import sun.security.krb5.Asn1Exception;
	import sun.security.krb5.internal.util.KerberosFlags;
	import sun.security.util.*;
	import java.io.IOException;

	/**
	* Implements the ASN.1 KDCOptions type.
	*
	* <pre>{@code
	* KDCOptions ::= KerberosFlags
	* -- reserved(0),
	* -- forwardable(1),
	* -- forwarded(2),
	* -- proxiable(3),
	* -- proxy(4),
	* -- allow-postdate(5),
	* -- postdated(6),
	* -- unused7(7),
	* -- renewable(8),
	* -- unused9(9),
	* -- unused10(10),
	* -- opt-hardware-auth(11),
	* -- unused12(12),
	* -- unused13(13),
	* -- 15 is reserved for canonicalize
	* -- unused15(15),
	* -- 26 was unused in 1510
	* -- disable-transited-check(26),
	* -- renewable-ok(27),
	* -- enc-tkt-in-skey(28),
	* -- renew(30),
	* -- validate(31)
	*
	* KerberosFlags ::= BIT STRING (SIZE (32..MAX))
	* -- minimum number of bits shall be sent,
	* -- but no fewer than 32
	*
	* }</pre>
	*
	* <p>
	* This definition reflects the Network Working Group RFC 4120
	* specification available at
	* <a href="http://www.ietf.org/rfc/rfc4120.txt">
	* http://www.ietf.org/rfc/rfc4120.txt</a>.
	*
	* <p>
	* This class appears as data field in the initial request(KRB_AS_REQ)
	* or subsequent request(KRB_TGS_REQ) to the KDC and indicates the flags
	* that the client wants to set on the tickets.
	*
	* The optional bits are:
	* <UL>
	* <LI>KDCOptions.RESERVED
	* <LI>KDCOptions.FORWARDABLE
	* <LI>KDCOptions.FORWARDED
	* <LI>KDCOptions.PROXIABLE
	* <LI>KDCOptions.PROXY
	* <LI>KDCOptions.ALLOW_POSTDATE
	* <LI>KDCOptions.POSTDATED
	* <LI>KDCOptions.RENEWABLE
	* <LI>KDCOptions.RENEWABLE_OK
	* <LI>KDCOptions.ENC_TKT_IN_SKEY
	* <LI>KDCOptions.RENEW
	* <LI>KDCOptions.VALIDATE
	* </UL>
	* <p> Various checks must be made before honoring an option. The restrictions
	* on the use of some options are as follows:
	* <ol>
	* <li> FORWARDABLE, FORWARDED, PROXIABLE, RENEWABLE options may be set in
	* subsequent request only if the ticket_granting ticket on which it is based has
	* the same options (FORWARDABLE, FORWARDED, PROXIABLE, RENEWABLE) set.
	* <li> ALLOW_POSTDATE may be set in subsequent request only if the
	* ticket-granting ticket on which it is based also has its MAY_POSTDATE flag set.
	* <li> POSTDATED may be set in subsequent request only if the
	* ticket-granting ticket on which it is based also has its MAY_POSTDATE flag set.
	* <li> RENEWABLE or RENEW may be set in subsequent request only if the
	* ticket-granting ticket on which it is based also has its RENEWABLE flag set.
	* <li> POXY may be set in subsequent request only if the ticket-granting ticket
	* on which it is based also has its PROXIABLE flag set, and the address(es) of
	* the host from which the resulting ticket is to be valid should be included
	* in the addresses field of the request.
	* <li>FORWARDED, PROXY, ENC_TKT_IN_SKEY, RENEW, VALIDATE are used only in
	* subsequent requests.
	* </ol>
	*/

	public class KDCOptions extends KerberosFlags {

	private static final int KDC_OPT_PROXIABLE = 0x10000000;
	private static final int KDC_OPT_RENEWABLE_OK = 0x00000010;
	private static final int KDC_OPT_FORWARDABLE = 0x40000000;


	// KDC Options

	public static final int RESERVED = 0;
	public static final int FORWARDABLE = 1;
	public static final int FORWARDED = 2;
	public static final int PROXIABLE = 3;
	public static final int PROXY = 4;
	public static final int ALLOW_POSTDATE = 5;
	public static final int POSTDATED = 6;
	public static final int UNUSED7 = 7;
	public static final int RENEWABLE = 8;
	public static final int UNUSED9 = 9;
	public static final int UNUSED10 = 10;
	public static final int UNUSED11 = 11;
	public static final int CNAME_IN_ADDL_TKT = 14;
	public static final int CANONICALIZE = 15;
	public static final int RENEWABLE_OK = 27;
	public static final int ENC_TKT_IN_SKEY = 28;
	public static final int RENEW = 30;
	public static final int VALIDATE = 31;

	private static final String[] names = {
	"RESERVED", //0
	"FORWARDABLE", //1;
	"FORWARDED", //2;
	"PROXIABLE", //3;
	"PROXY", //4;
	"ALLOW_POSTDATE", //5;
	"POSTDATED", //6;
	"UNUSED7", //7;
	"RENEWABLE", //8;
	"UNUSED9", //9;
	"UNUSED10", //10;
	"UNUSED11", //11;
	null,null,
	"CNAME_IN_ADDL_TKT",//14;
	"CANONICALIZE", //15;
	null,null,null,null,null,null,null,null,null,null,null,
	"RENEWABLE_OK", //27;
	"ENC_TKT_IN_SKEY", //28;
	null,
	"RENEW", //30;
	"VALIDATE", //31;
	};

	private boolean DEBUG = Krb5.DEBUG;

	public static KDCOptions with(int... flags) {
	KDCOptions options = new KDCOptions();
	for (int flag: flags) {
	options.set(flag, true);
	}
	return options;
	}

	public KDCOptions() {
	super(Krb5.KDC_OPTS_MAX + 1);
	setDefault();
	}

	public KDCOptions(int size, byte[] data) throws Asn1Exception {
	super(size, data);
	if ((size > data.length * BITS_PER_UNIT) \|\| (size > Krb5.KDC_OPTS_MAX + 1))
	throw new Asn1Exception(Krb5.BITSTRING_BAD_LENGTH);
	}

	/**
	* Constructs a KDCOptions from the specified bit settings.
	*
	* @param data the bits to be set for the KDCOptions.
	* @exception Asn1Exception if an error occurs while decoding an ASN1
	* encoded data.
	*
	*/
	public KDCOptions(boolean[] data) throws Asn1Exception {
	super(data);
	if (data.length > Krb5.KDC_OPTS_MAX + 1) {
	throw new Asn1Exception(Krb5.BITSTRING_BAD_LENGTH);
	}
	}

	public KDCOptions(DerValue encoding) throws Asn1Exception, IOException {
	this(encoding.getUnalignedBitString(true).toBooleanArray());
	}

	/**
	* Constructs a KDCOptions from the passed bit settings.
	*
	* @param options the bits to be set for the KDCOptions.
	*
	*/
	public KDCOptions(byte[] options) {
	super(options.length * BITS_PER_UNIT, options);
	}

	/**
	* Parse (unmarshal) a KDCOptions from a DER input stream. This form
	* parsing might be used when expanding a value which is part of
	* a constructed sequence and uses explicitly tagged type.
	*
	* @param data the Der input stream value, which contains one or more
	* marshaled value.
	* @param explicitTag tag number.
	* @param optional indicate if this data field is optional
	* @return an instance of KDCOptions.
	* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
	* @exception IOException if an I/O error occurs while reading encoded data.
	*
	*/

	public static KDCOptions parse(DerInputStream data, byte explicitTag, boolean optional) throws Asn1Exception, IOException {
	if ((optional) && (((byte)data.peekByte() & (byte)0x1F) != explicitTag))
	return null;
	DerValue der = data.getDerValue();
	if (explicitTag != (der.getTag() & (byte)0x1F)) {
	throw new Asn1Exception(Krb5.ASN1_BAD_ID);
	} else {
	DerValue subDer = der.getData().getDerValue();
	return new KDCOptions(subDer);
	}
	}

	/**
	* Sets the value(true/false) for one of the <code>KDCOptions</code>.
	*
	* @param option an option bit.
	* @param value true if the option is selected, false if the option is not selected.
	* @exception ArrayIndexOutOfBoundsException if array index out of bound occurs.
	* @see sun.security.krb5.internal.Krb5
	*/
	public void set(int option, boolean value) throws ArrayIndexOutOfBoundsException {
	super.set(option, value);
	}

	/**
	* Gets the value(true/false) for one of the <code>KDCOptions</code>.
	*
	* @param option an option bit.
	* @return value true if the option is selected, false if the option is not selected.
	* @exception ArrayIndexOutOfBoundsException if array index out of bound occurs.
	* @see sun.security.krb5.internal.Krb5
	*/

	public boolean get(int option) throws ArrayIndexOutOfBoundsException {
	return super.get(option);
	}

	@Override public String toString() {
	StringBuilder sb = new StringBuilder();
	sb.append("KDCOptions: ");
	for (int i=0; i<Krb5.KDC_OPTS_MAX+1; i++) {
	if (get(i)) {
	if (names[i] != null) {
	sb.append(names[i]).append(",");
	} else {
	sb.append(i).append(",");
	}
	}
	}
	return sb.toString();
	}

	private void setDefault() {
	try {

	Config config = Config.getInstance();

	// If key not present, returns Integer.MIN_VALUE, which is
	// almost all zero.

	int options = config.getIntValue("libdefaults",
	"kdc_default_options");

	if ((options & KDC_OPT_RENEWABLE_OK) == KDC_OPT_RENEWABLE_OK) {
	set(RENEWABLE_OK, true);
	} else {
	if (config.getBooleanValue("libdefaults", "renewable")) {
	set(RENEWABLE_OK, true);
	}
	}
	if ((options & KDC_OPT_PROXIABLE) == KDC_OPT_PROXIABLE) {
	set(PROXIABLE, true);
	} else {
	if (config.getBooleanValue("libdefaults", "proxiable")) {
	set(PROXIABLE, true);
	}
	}

	if ((options & KDC_OPT_FORWARDABLE) == KDC_OPT_FORWARDABLE) {
	set(FORWARDABLE, true);
	} else {
	if (config.getBooleanValue("libdefaults", "forwardable")) {
	set(FORWARDABLE, true);
	}
	}
	} catch (KrbException e) {
	if (DEBUG) {
	System.out.println("Exception in getting default values for " +
	"KDC Options from the configuration ");
	e.printStackTrace();

	}
	}
	}
	}

Back to index...