PageRenderTime 55ms CodeModel.GetById 27ms RepoModel.GetById 0ms app.codeStats 0ms

/src/sun/security/jgss/krb5/Krb5InitCredential.java

https://gitlab.com/borneywpf/openjdk-7-src
Java | 359 lines | 233 code | 44 blank | 82 comment | 12 complexity | 59467015300145901e8d45482482939b MD5 | raw file
  1. /*
  2. * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
  3. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  4. *
  5. * This code is free software; you can redistribute it and/or modify it
  6. * under the terms of the GNU General Public License version 2 only, as
  7. * published by the Free Software Foundation. Oracle designates this
  8. * particular file as subject to the "Classpath" exception as provided
  9. * by Oracle in the LICENSE file that accompanied this code.
  10. *
  11. * This code is distributed in the hope that it will be useful, but WITHOUT
  12. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13. * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  14. * version 2 for more details (a copy is included in the LICENSE file that
  15. * accompanied this code).
  16. *
  17. * You should have received a copy of the GNU General Public License version
  18. * 2 along with this work; if not, write to the Free Software Foundation,
  19. * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20. *
  21. * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22. * or visit www.oracle.com if you need additional information or have any
  23. * questions.
  24. */
  25. package sun.security.jgss.krb5;
  26. import org.ietf.jgss.*;
  27. import sun.security.jgss.GSSCaller;
  28. import sun.security.jgss.spi.*;
  29. import sun.security.krb5.*;
  30. import sun.security.krb5.Config;
  31. import javax.security.auth.kerberos.*;
  32. import java.net.InetAddress;
  33. import java.io.IOException;
  34. import java.util.Date;
  35. import java.security.AccessController;
  36. import java.security.AccessControlContext;
  37. import java.security.PrivilegedExceptionAction;
  38. import java.security.PrivilegedActionException;
  39. /**
  40. * Implements the krb5 initiator credential element.
  41. *
  42. * @author Mayank Upadhyay
  43. * @author Ram Marti
  44. * @since 1.4
  45. */
  46. public class Krb5InitCredential
  47. extends KerberosTicket
  48. implements Krb5CredElement {
  49. private static final long serialVersionUID = 7723415700837898232L;
  50. private Krb5NameElement name;
  51. private Credentials krb5Credentials;
  52. private Krb5InitCredential(Krb5NameElement name,
  53. byte[] asn1Encoding,
  54. KerberosPrincipal client,
  55. KerberosPrincipal server,
  56. byte[] sessionKey,
  57. int keyType,
  58. boolean[] flags,
  59. Date authTime,
  60. Date startTime,
  61. Date endTime,
  62. Date renewTill,
  63. InetAddress[] clientAddresses)
  64. throws GSSException {
  65. super(asn1Encoding,
  66. client,
  67. server,
  68. sessionKey,
  69. keyType,
  70. flags,
  71. authTime,
  72. startTime,
  73. endTime,
  74. renewTill,
  75. clientAddresses);
  76. this.name = name;
  77. try {
  78. // Cache this for later use by the sun.security.krb5 package.
  79. krb5Credentials = new Credentials(asn1Encoding,
  80. client.getName(),
  81. server.getName(),
  82. sessionKey,
  83. keyType,
  84. flags,
  85. authTime,
  86. startTime,
  87. endTime,
  88. renewTill,
  89. clientAddresses);
  90. } catch (KrbException e) {
  91. throw new GSSException(GSSException.NO_CRED, -1,
  92. e.getMessage());
  93. } catch (IOException e) {
  94. throw new GSSException(GSSException.NO_CRED, -1,
  95. e.getMessage());
  96. }
  97. }
  98. private Krb5InitCredential(Krb5NameElement name,
  99. Credentials delegatedCred,
  100. byte[] asn1Encoding,
  101. KerberosPrincipal client,
  102. KerberosPrincipal server,
  103. byte[] sessionKey,
  104. int keyType,
  105. boolean[] flags,
  106. Date authTime,
  107. Date startTime,
  108. Date endTime,
  109. Date renewTill,
  110. InetAddress[] clientAddresses)
  111. throws GSSException {
  112. super(asn1Encoding,
  113. client,
  114. server,
  115. sessionKey,
  116. keyType,
  117. flags,
  118. authTime,
  119. startTime,
  120. endTime,
  121. renewTill,
  122. clientAddresses);
  123. this.name = name;
  124. // A delegated cred does not have all fields set. So do not try to
  125. // creat new Credentials out of the delegatedCred.
  126. this.krb5Credentials = delegatedCred;
  127. }
  128. static Krb5InitCredential getInstance(GSSCaller caller, Krb5NameElement name,
  129. int initLifetime)
  130. throws GSSException {
  131. KerberosTicket tgt = getTgt(caller, name, initLifetime);
  132. if (tgt == null)
  133. throw new GSSException(GSSException.NO_CRED, -1,
  134. "Failed to find any Kerberos tgt");
  135. if (name == null) {
  136. String fullName = tgt.getClient().getName();
  137. name = Krb5NameElement.getInstance(fullName,
  138. Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
  139. }
  140. return new Krb5InitCredential(name,
  141. tgt.getEncoded(),
  142. tgt.getClient(),
  143. tgt.getServer(),
  144. tgt.getSessionKey().getEncoded(),
  145. tgt.getSessionKeyType(),
  146. tgt.getFlags(),
  147. tgt.getAuthTime(),
  148. tgt.getStartTime(),
  149. tgt.getEndTime(),
  150. tgt.getRenewTill(),
  151. tgt.getClientAddresses());
  152. }
  153. static Krb5InitCredential getInstance(Krb5NameElement name,
  154. Credentials delegatedCred)
  155. throws GSSException {
  156. EncryptionKey sessionKey = delegatedCred.getSessionKey();
  157. /*
  158. * all of the following data is optional in a KRB-CRED
  159. * messages. This check for each field.
  160. */
  161. PrincipalName cPrinc = delegatedCred.getClient();
  162. PrincipalName sPrinc = delegatedCred.getServer();
  163. KerberosPrincipal client = null;
  164. KerberosPrincipal server = null;
  165. Krb5NameElement credName = null;
  166. if (cPrinc != null) {
  167. String fullName = cPrinc.getName();
  168. credName = Krb5NameElement.getInstance(fullName,
  169. Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
  170. client = new KerberosPrincipal(fullName);
  171. }
  172. // XXX Compare name to credName
  173. if (sPrinc != null) {
  174. server =
  175. new KerberosPrincipal(sPrinc.getName(),
  176. KerberosPrincipal.KRB_NT_SRV_INST);
  177. }
  178. return new Krb5InitCredential(credName,
  179. delegatedCred,
  180. delegatedCred.getEncoded(),
  181. client,
  182. server,
  183. sessionKey.getBytes(),
  184. sessionKey.getEType(),
  185. delegatedCred.getFlags(),
  186. delegatedCred.getAuthTime(),
  187. delegatedCred.getStartTime(),
  188. delegatedCred.getEndTime(),
  189. delegatedCred.getRenewTill(),
  190. delegatedCred.getClientAddresses());
  191. }
  192. /**
  193. * Returns the principal name for this credential. The name
  194. * is in mechanism specific format.
  195. *
  196. * @return GSSNameSpi representing principal name of this credential
  197. * @exception GSSException may be thrown
  198. */
  199. public final GSSNameSpi getName() throws GSSException {
  200. return name;
  201. }
  202. /**
  203. * Returns the init lifetime remaining.
  204. *
  205. * @return the init lifetime remaining in seconds
  206. * @exception GSSException may be thrown
  207. */
  208. public int getInitLifetime() throws GSSException {
  209. int retVal = 0;
  210. retVal = (int)(getEndTime().getTime()
  211. - (new Date().getTime()));
  212. return retVal/1000;
  213. }
  214. /**
  215. * Returns the accept lifetime remaining.
  216. *
  217. * @return the accept lifetime remaining in seconds
  218. * @exception GSSException may be thrown
  219. */
  220. public int getAcceptLifetime() throws GSSException {
  221. return 0;
  222. }
  223. public boolean isInitiatorCredential() throws GSSException {
  224. return true;
  225. }
  226. public boolean isAcceptorCredential() throws GSSException {
  227. return false;
  228. }
  229. /**
  230. * Returns the oid representing the underlying credential
  231. * mechanism oid.
  232. *
  233. * @return the Oid for this credential mechanism
  234. * @exception GSSException may be thrown
  235. */
  236. public final Oid getMechanism() {
  237. return Krb5MechFactory.GSS_KRB5_MECH_OID;
  238. }
  239. public final java.security.Provider getProvider() {
  240. return Krb5MechFactory.PROVIDER;
  241. }
  242. /**
  243. * Returns a sun.security.krb5.Credentials instance so that it maybe
  244. * used in that package for th Kerberos protocol.
  245. */
  246. Credentials getKrb5Credentials() {
  247. return krb5Credentials;
  248. }
  249. /*
  250. * XXX Call to this.refresh() should refresh the locally cached copy
  251. * of krb5Credentials also.
  252. */
  253. /**
  254. * Called to invalidate this credential element.
  255. */
  256. public void dispose() throws GSSException {
  257. try {
  258. destroy();
  259. } catch (javax.security.auth.DestroyFailedException e) {
  260. GSSException gssException =
  261. new GSSException(GSSException.FAILURE, -1,
  262. "Could not destroy credentials - " + e.getMessage());
  263. gssException.initCause(e);
  264. }
  265. }
  266. // XXX call to this.destroy() should destroy the locally cached copy
  267. // of krb5Credentials and then call super.destroy().
  268. private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name,
  269. int initLifetime)
  270. throws GSSException {
  271. String realm = null;
  272. final String clientPrincipal, tgsPrincipal = null;
  273. /*
  274. * Find the TGT for the realm that the client is in. If the client
  275. * name is not available, then use the default realm.
  276. */
  277. if (name != null) {
  278. clientPrincipal = (name.getKrb5PrincipalName()).getName();
  279. realm = (name.getKrb5PrincipalName()).getRealmAsString();
  280. } else {
  281. clientPrincipal = null;
  282. try {
  283. Config config = Config.getInstance();
  284. realm = config.getDefaultRealm();
  285. } catch (KrbException e) {
  286. GSSException ge =
  287. new GSSException(GSSException.NO_CRED, -1,
  288. "Attempt to obtain INITIATE credentials failed!" +
  289. " (" + e.getMessage() + ")");
  290. ge.initCause(e);
  291. throw ge;
  292. }
  293. }
  294. final AccessControlContext acc = AccessController.getContext();
  295. try {
  296. final GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN)
  297. ? GSSCaller.CALLER_INITIATE
  298. : caller;
  299. return AccessController.doPrivileged(
  300. new PrivilegedExceptionAction<KerberosTicket>() {
  301. public KerberosTicket run() throws Exception {
  302. return Krb5Util.getTicket(
  303. realCaller,
  304. clientPrincipal, tgsPrincipal, acc);
  305. }});
  306. } catch (PrivilegedActionException e) {
  307. GSSException ge =
  308. new GSSException(GSSException.NO_CRED, -1,
  309. "Attempt to obtain new INITIATE credentials failed!" +
  310. " (" + e.getMessage() + ")");
  311. ge.initCause(e.getException());
  312. throw ge;
  313. }
  314. }
  315. }