< prev index next >

src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java

Print this page


   1 /*
   2  * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 /*
  27  *
  28  *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
  29  *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
  30  */
  31 
  32 package sun.security.krb5;
  33 
  34 import sun.security.krb5.internal.*;
  35 import sun.security.krb5.internal.crypto.*;
  36 import java.io.IOException;
  37 import java.net.UnknownHostException;
  38 import java.time.Instant;
  39 import java.util.Arrays;
  40 
  41 /**
  42  * This class encapsulates a Kerberos TGS-REQ that is sent from the
  43  * client to the KDC.
  44  */
  45 public class KrbTgsReq {
  46 
  47     private PrincipalName princName;
  48     private PrincipalName servName;
  49     private TGSReq tgsReqMessg;
  50     private KerberosTime ctime;
  51     private Ticket secondTicket = null;
  52     private boolean useSubkey = false;
  53     EncryptionKey tgsReqKey;
  54 
  55     private static final boolean DEBUG = Krb5.DEBUG;
  56 
  57     private byte[] obuf;
  58     private byte[] ibuf;
  59 
  60     // Used in CredentialsUtil
  61     public KrbTgsReq(KDCOptions options, Credentials asCreds,
  62             PrincipalName cname, PrincipalName sname,
  63             Ticket[] additionalTickets, PAData[] extraPAs)
  64         throws KrbException, IOException {
  65         this(options,
  66              asCreds,
  67              cname,
  68              sname,
  69              null, // KerberosTime from
  70              null, // KerberosTime till
  71              null, // KerberosTime rtime
  72              null, // int[] eTypes
  73              null, // HostAddresses addresses
  74              null, // AuthorizationData authorizationData
  75              additionalTickets,
  76              null, // EncryptionKey subKey
  77              extraPAs);





































  78     }
  79 
  80     // Called by Credentials, KrbCred
  81     KrbTgsReq(
  82             KDCOptions options,
  83             Credentials asCreds,
  84             PrincipalName sname,
  85             KerberosTime from,
  86             KerberosTime till,
  87             KerberosTime rtime,
  88             int[] eTypes,
  89             HostAddresses addresses,
  90             AuthorizationData authorizationData,
  91             Ticket[] additionalTickets,
  92             EncryptionKey subKey) throws KrbException, IOException {
  93         this(options, asCreds, asCreds.getClient(), sname,
  94                 from, till, rtime, eTypes, addresses,
  95                 authorizationData, additionalTickets, subKey, null);
  96     }
  97 
  98     private KrbTgsReq(
  99             KDCOptions options,
 100             Credentials asCreds,
 101             PrincipalName cname,
 102             PrincipalName sname,
 103             KerberosTime from,
 104             KerberosTime till,
 105             KerberosTime rtime,
 106             int[] eTypes,
 107             HostAddresses addresses,
 108             AuthorizationData authorizationData,
 109             Ticket[] additionalTickets,
 110             EncryptionKey subKey,
 111             PAData[] extraPAs) throws KrbException, IOException {
 112 
 113         princName = cname;
 114         servName = sname;
 115         ctime = KerberosTime.now();
 116 
 117         // check if they are valid arguments. The optional fields
 118         // should be consistent with settings in KDCOptions.
 119 
 120         if (options.get(KDCOptions.FORWARDABLE) &&
 121                 (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
 122             options.set(KDCOptions.FORWARDABLE, false);
 123         }
 124         if (options.get(KDCOptions.FORWARDED)) {
 125             if (!(asCreds.flags.get(KDCOptions.FORWARDABLE)))
 126                 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
 127         }
 128         if (options.get(KDCOptions.PROXIABLE) &&
 129                 (!(asCreds.flags.get(Krb5.TKT_OPTS_PROXIABLE)))) {
 130             throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
 131         }


 164         } else {
 165             if (additionalTickets != null)
 166                 additionalTickets = null;
 167         }
 168 
 169         tgsReqMessg = createRequest(
 170                 options,
 171                 asCreds.ticket,
 172                 asCreds.key,
 173                 ctime,
 174                 princName,
 175                 servName,
 176                 from,
 177                 till,
 178                 rtime,
 179                 eTypes,
 180                 addresses,
 181                 authorizationData,
 182                 additionalTickets,
 183                 subKey,
 184                 extraPAs);
 185         obuf = tgsReqMessg.asn1Encode();
 186 
 187         // XXX We need to revisit this to see if can't move it
 188         // up such that FORWARDED flag set in the options
 189         // is included in the marshaled request.
 190         /*
 191          * If this is based on a forwarded ticket, record that in the
 192          * options, because the returned TgsRep will contain the
 193          * FORWARDED flag set.
 194          */
 195         if (asCreds.flags.get(KDCOptions.FORWARDED))
 196             options.set(KDCOptions.FORWARDED, true);
 197 
 198 
 199     }
 200 
 201     /**
 202      * Sends a TGS request to the realm of the target.
 203      * @throws KrbException
 204      * @throws IOException


 230 
 231     KerberosTime getCtime() {
 232         return ctime;
 233     }
 234 
 235     private TGSReq createRequest(
 236                          KDCOptions kdc_options,
 237                          Ticket ticket,
 238                          EncryptionKey key,
 239                          KerberosTime ctime,
 240                          PrincipalName cname,
 241                          PrincipalName sname,
 242                          KerberosTime from,
 243                          KerberosTime till,
 244                          KerberosTime rtime,
 245                          int[] eTypes,
 246                          HostAddresses addresses,
 247                          AuthorizationData authorizationData,
 248                          Ticket[] additionalTickets,
 249                          EncryptionKey subKey,
 250                          PAData[] extraPAs)
 251         throws IOException, KrbException, UnknownHostException {
 252         KerberosTime req_till = null;
 253         if (till == null) {
 254             String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
 255             if (d != null) {
 256                 req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
 257             } else {
 258                 req_till = new KerberosTime(0); // Choose KDC maximum allowed
 259             }
 260         } else {
 261             req_till = till;
 262         }
 263 
 264         /*
 265          * RFC 4120, Section 5.4.2.
 266          * For KRB_TGS_REP, the ciphertext is encrypted in the
 267          * sub-session key from the Authenticator, or if absent,
 268          * the session key from the ticket-granting ticket used
 269          * in the request.
 270          *


 330         case Checksum.CKSUMTYPE_RSA_MD4:
 331         case Checksum.CKSUMTYPE_RSA_MD5:
 332         default:
 333             cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp);
 334         }
 335 
 336         // Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR
 337 
 338         byte[] tgs_ap_req = new KrbApReq(
 339                                          new APOptions(),
 340                                          ticket,
 341                                          key,
 342                                          cname,
 343                                          cksum,
 344                                          ctime,
 345                                          reqKey,
 346                                          null,
 347                                          null).getMessage();
 348 
 349         PAData tgsPAData = new PAData(Krb5.PA_TGS_REQ, tgs_ap_req);
 350         PAData[] pa;
 351         if (extraPAs != null) {
 352             pa = Arrays.copyOf(extraPAs, extraPAs.length + 1);
 353             pa[extraPAs.length] = tgsPAData;
 354         } else {
 355             pa = new PAData[] {tgsPAData};
 356         }
 357         return new TGSReq(pa, reqBody);
 358     }
 359 
 360     TGSReq getMessage() {
 361         return tgsReqMessg;
 362     }
 363 
 364     Ticket getSecondTicket() {
 365         return secondTicket;
 366     }
 367 
 368     private static void debug(String message) {
 369         //      System.err.println(">>> KrbTgsReq: " + message);
 370     }
 371 
 372     boolean usedSubkey() {
 373         return useSubkey;
 374     }
 375 
 376 }
   1 /*
   2  * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 /*
  27  *
  28  *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
  29  *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
  30  */
  31 
  32 package sun.security.krb5;
  33 
  34 import sun.security.krb5.internal.*;
  35 import sun.security.krb5.internal.crypto.*;
  36 import java.io.IOException;
  37 import java.net.UnknownHostException;
  38 import java.time.Instant;

  39 
  40 /**
  41  * This class encapsulates a Kerberos TGS-REQ that is sent from the
  42  * client to the KDC.
  43  */
  44 public class KrbTgsReq {
  45 
  46     private PrincipalName princName;
  47     private PrincipalName servName;
  48     private TGSReq tgsReqMessg;
  49     private KerberosTime ctime;
  50     private Ticket secondTicket = null;
  51     private boolean useSubkey = false;
  52     EncryptionKey tgsReqKey;
  53 
  54     private static final boolean DEBUG = Krb5.DEBUG;
  55 
  56     private byte[] obuf;
  57     private byte[] ibuf;
  58 
  59     // Used in CredentialsUtil
  60     public KrbTgsReq(Credentials asCreds,
  61                      PrincipalName sname)

  62         throws KrbException, IOException {
  63         this(new KDCOptions(),
  64             asCreds,
  65             sname,
  66             null, // KerberosTime from
  67             null, // KerberosTime till
  68             null, // KerberosTime rtime
  69             null, // eTypes, // null, // int[] eTypes
  70             null, // HostAddresses addresses
  71             null, // AuthorizationData authorizationData
  72             null, // Ticket[] additionalTickets
  73             null); // EncryptionKey subSessionKey
  74     }
  75 
  76     // S4U2proxy
  77     public KrbTgsReq(Credentials asCreds,
  78                      Ticket second,
  79                      PrincipalName sname)
  80             throws KrbException, IOException {
  81         this(KDCOptions.with(KDCOptions.CNAME_IN_ADDL_TKT,
  82                 KDCOptions.FORWARDABLE),
  83             asCreds,
  84             sname,
  85             null,
  86             null,
  87             null,
  88             null,
  89             null,
  90             null,
  91             new Ticket[] {second}, // the service ticket
  92             null);
  93     }
  94 
  95     // S4U2user
  96     public KrbTgsReq(Credentials asCreds,
  97                      PrincipalName sname,
  98                      PAData extraPA)
  99         throws KrbException, IOException {
 100         this(KDCOptions.with(KDCOptions.FORWARDABLE),
 101             asCreds,
 102             asCreds.getClient(),
 103             sname,
 104             null,
 105             null,
 106             null,
 107             null,
 108             null,
 109             null,
 110             null,
 111             null,
 112             extraPA); // the PA-FOR-USER
 113     }
 114 
 115     // Called by Credentials, KrbCred
 116     KrbTgsReq(
 117             KDCOptions options,
 118             Credentials asCreds,
 119             PrincipalName sname,
 120             KerberosTime from,
 121             KerberosTime till,
 122             KerberosTime rtime,
 123             int[] eTypes,
 124             HostAddresses addresses,
 125             AuthorizationData authorizationData,
 126             Ticket[] additionalTickets,
 127             EncryptionKey subKey) throws KrbException, IOException {
 128         this(options, asCreds, asCreds.getClient(), sname,
 129                 from, till, rtime, eTypes, addresses,
 130                 authorizationData, additionalTickets, subKey, null);
 131     }
 132 
 133     private KrbTgsReq(
 134             KDCOptions options,
 135             Credentials asCreds,
 136             PrincipalName cname,
 137             PrincipalName sname,
 138             KerberosTime from,
 139             KerberosTime till,
 140             KerberosTime rtime,
 141             int[] eTypes,
 142             HostAddresses addresses,
 143             AuthorizationData authorizationData,
 144             Ticket[] additionalTickets,
 145             EncryptionKey subKey,
 146             PAData extraPA) throws KrbException, IOException {
 147 
 148         princName = cname;
 149         servName = sname;
 150         ctime = KerberosTime.now();
 151 
 152         // check if they are valid arguments. The optional fields
 153         // should be consistent with settings in KDCOptions.
 154 
 155         if (options.get(KDCOptions.FORWARDABLE) &&
 156                 (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
 157             options.set(KDCOptions.FORWARDABLE, false);
 158         }
 159         if (options.get(KDCOptions.FORWARDED)) {
 160             if (!(asCreds.flags.get(KDCOptions.FORWARDABLE)))
 161                 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
 162         }
 163         if (options.get(KDCOptions.PROXIABLE) &&
 164                 (!(asCreds.flags.get(Krb5.TKT_OPTS_PROXIABLE)))) {
 165             throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
 166         }


 199         } else {
 200             if (additionalTickets != null)
 201                 additionalTickets = null;
 202         }
 203 
 204         tgsReqMessg = createRequest(
 205                 options,
 206                 asCreds.ticket,
 207                 asCreds.key,
 208                 ctime,
 209                 princName,
 210                 servName,
 211                 from,
 212                 till,
 213                 rtime,
 214                 eTypes,
 215                 addresses,
 216                 authorizationData,
 217                 additionalTickets,
 218                 subKey,
 219                 extraPA);
 220         obuf = tgsReqMessg.asn1Encode();
 221 
 222         // XXX We need to revisit this to see if can't move it
 223         // up such that FORWARDED flag set in the options
 224         // is included in the marshaled request.
 225         /*
 226          * If this is based on a forwarded ticket, record that in the
 227          * options, because the returned TgsRep will contain the
 228          * FORWARDED flag set.
 229          */
 230         if (asCreds.flags.get(KDCOptions.FORWARDED))
 231             options.set(KDCOptions.FORWARDED, true);
 232 
 233 
 234     }
 235 
 236     /**
 237      * Sends a TGS request to the realm of the target.
 238      * @throws KrbException
 239      * @throws IOException


 265 
 266     KerberosTime getCtime() {
 267         return ctime;
 268     }
 269 
 270     private TGSReq createRequest(
 271                          KDCOptions kdc_options,
 272                          Ticket ticket,
 273                          EncryptionKey key,
 274                          KerberosTime ctime,
 275                          PrincipalName cname,
 276                          PrincipalName sname,
 277                          KerberosTime from,
 278                          KerberosTime till,
 279                          KerberosTime rtime,
 280                          int[] eTypes,
 281                          HostAddresses addresses,
 282                          AuthorizationData authorizationData,
 283                          Ticket[] additionalTickets,
 284                          EncryptionKey subKey,
 285                          PAData extraPA)
 286         throws IOException, KrbException, UnknownHostException {
 287         KerberosTime req_till = null;
 288         if (till == null) {
 289             String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
 290             if (d != null) {
 291                 req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
 292             } else {
 293                 req_till = new KerberosTime(0); // Choose KDC maximum allowed
 294             }
 295         } else {
 296             req_till = till;
 297         }
 298 
 299         /*
 300          * RFC 4120, Section 5.4.2.
 301          * For KRB_TGS_REP, the ciphertext is encrypted in the
 302          * sub-session key from the Authenticator, or if absent,
 303          * the session key from the ticket-granting ticket used
 304          * in the request.
 305          *


 365         case Checksum.CKSUMTYPE_RSA_MD4:
 366         case Checksum.CKSUMTYPE_RSA_MD5:
 367         default:
 368             cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp);
 369         }
 370 
 371         // Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR
 372 
 373         byte[] tgs_ap_req = new KrbApReq(
 374                                          new APOptions(),
 375                                          ticket,
 376                                          key,
 377                                          cname,
 378                                          cksum,
 379                                          ctime,
 380                                          reqKey,
 381                                          null,
 382                                          null).getMessage();
 383 
 384         PAData tgsPAData = new PAData(Krb5.PA_TGS_REQ, tgs_ap_req);
 385         return new TGSReq(
 386                 extraPA != null ?
 387                     new PAData[] {extraPA, tgsPAData } :
 388                     new PAData[] {tgsPAData},
 389                 reqBody);



 390     }
 391 
 392     TGSReq getMessage() {
 393         return tgsReqMessg;
 394     }
 395 
 396     Ticket getSecondTicket() {
 397         return secondTicket;
 398     }
 399 
 400     private static void debug(String message) {
 401         //      System.err.println(">>> KrbTgsReq: " + message);
 402     }
 403 
 404     boolean usedSubkey() {
 405         return useSubkey;
 406     }
 407 
 408 }
< prev index next >