/*
 * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.krb5.internal;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import sun.security.krb5.*;
import sun.security.krb5.internal.crypto.KeyUsage;
import sun.security.krb5.internal.util.KerberosString;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;

import static java.nio.charset.StandardCharsets.UTF_8;

Implements the ASN.1 PA-FOR-USER type.

padata-type  ::= PA-FOR-USER
                 -- value 129
padata-value ::= EncryptedData
                 -- PA-FOR-USER-ENC
PA-FOR-USER-ENC ::= SEQUENCE {
    userName[0] PrincipalName,
    userRealm[1] Realm,
    cksum[2] Checksum,
    auth-package[3] KerberosString
 }

This definition reflects MS-SFU.

/** * Implements the ASN.1 PA-FOR-USER type. * * <pre>{@code * padata-type ::= PA-FOR-USER * -- value 129 * padata-value ::= EncryptedData * -- PA-FOR-USER-ENC * PA-FOR-USER-ENC ::= SEQUENCE { * userName[0] PrincipalName, * userRealm[1] Realm, * cksum[2] Checksum, * auth-package[3] KerberosString * } * }</pre> * * <p> * This definition reflects MS-SFU. */
public class PAForUserEnc { final public PrincipalName name; final private EncryptionKey key; final public static String AUTH_PACKAGE = "Kerberos"; public PAForUserEnc(PrincipalName name, EncryptionKey key) { this.name = name; this.key = key; }
Constructs a PA-FOR-USER object from a DER encoding.
Params:
  • encoding – the input object
  • key – the key to verify the checksum inside encoding
Throws:
  • KrbException – if the verification fails. Note: this method is now only used by test KDC, therefore the verification is ignored (at the moment).
/** * Constructs a PA-FOR-USER object from a DER encoding. * @param encoding the input object * @param key the key to verify the checksum inside encoding * @throws KrbException if the verification fails. * Note: this method is now only used by test KDC, therefore * the verification is ignored (at the moment). */
public PAForUserEnc(DerValue encoding, EncryptionKey key) throws Asn1Exception, KrbException, IOException { DerValue der = null; this.key = key; if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } // Realm after name? Quite abnormal. PrincipalName tmpName = null; der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x00) { try { tmpName = new PrincipalName(der.getData().getDerValue(), new Realm("PLACEHOLDER")); } catch (RealmException re) { // Impossible } } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x01) { try { Realm realm = new Realm(der.getData().getDerValue()); name = new PrincipalName( tmpName.getNameType(), tmpName.getNameStrings(), realm); } catch (RealmException re) { throw new IOException(re); } } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x02) { // Deal with the checksum } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x03) { String authPackage = new KerberosString(der.getData().getDerValue()).toString(); if (!authPackage.equalsIgnoreCase(AUTH_PACKAGE)) { throw new IOException("Incorrect auth-package"); } } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID); } public byte[] asn1Encode() throws Asn1Exception, IOException { DerOutputStream bytes = new DerOutputStream(); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x00), name.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), name.getRealm().asn1Encode()); try { // MS-SFU 2.2.1: use hmac-md5 checksum regardless of key type Checksum cks = new Checksum( Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR, getS4UByteArray(), key, KeyUsage.KU_PA_FOR_USER_ENC_CKSUM); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x02), cks.asn1Encode()); } catch (KrbException ke) { throw new IOException(ke); } DerOutputStream temp = new DerOutputStream(); temp.putDerValue(new KerberosString(AUTH_PACKAGE).toDerValue()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x03), temp); temp = new DerOutputStream(); temp.write(DerValue.tag_Sequence, bytes); return temp.toByteArray(); }
Returns S4UByteArray, the block to calculate checksum inside a PA-FOR-USER-ENC data structure. It includes: 1. userName.name-type encoded as a 4-byte integer in little endian byte order 2. all string values in the sequence of strings contained in the userName.name-string field 3. the string value of the userRealm field 4. the string value of auth-package field
/** * Returns S4UByteArray, the block to calculate checksum inside a * PA-FOR-USER-ENC data structure. It includes: * 1. userName.name-type encoded as a 4-byte integer in little endian * byte order * 2. all string values in the sequence of strings contained in the * userName.name-string field * 3. the string value of the userRealm field * 4. the string value of auth-package field */
public byte[] getS4UByteArray() { ByteArrayOutputStream ba = new ByteArrayOutputStream(); ba.writeBytes(new byte[4]); for (String s: name.getNameStrings()) { ba.writeBytes(s.getBytes(UTF_8)); } ba.writeBytes(name.getRealm().toString().getBytes(UTF_8)); ba.writeBytes(AUTH_PACKAGE.getBytes(UTF_8)); byte[] output = ba.toByteArray(); int pnType = name.getNameType(); output[0] = (byte)(pnType & 0xff); output[1] = (byte)((pnType>>8) & 0xff); output[2] = (byte)((pnType>>16) & 0xff); output[3] = (byte)((pnType>>24) & 0xff); return output; } public PrincipalName getName() { return name; } public String toString() { return "PA-FOR-USER: " + name; } }