/*
 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.jgss.krb5;

import org.ietf.jgss.*;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*;
import sun.security.krb5.*;
import sun.security.krb5.Config;
import javax.security.auth.kerberos.*;
import java.net.InetAddress;
import java.io.IOException;
import java.util.Date;
import java.security.AccessController;
import java.security.AccessControlContext;
import java.security.PrivilegedExceptionAction;
import java.security.PrivilegedActionException;

Implements the krb5 initiator credential element.
Author:Mayank Upadhyay, Ram Marti
Since:1.4
/** * Implements the krb5 initiator credential element. * * @author Mayank Upadhyay * @author Ram Marti * @since 1.4 */
public class Krb5InitCredential extends KerberosTicket implements Krb5CredElement { private static final long serialVersionUID = 7723415700837898232L; private Krb5NameElement name; private Credentials krb5Credentials; public KerberosTicket proxyTicket; private Krb5InitCredential(Krb5NameElement name, byte[] asn1Encoding, KerberosPrincipal client, KerberosPrincipal clientAlias, KerberosPrincipal server, KerberosPrincipal serverAlias, byte[] sessionKey, int keyType, boolean[] flags, Date authTime, Date startTime, Date endTime, Date renewTill, InetAddress[] clientAddresses) throws GSSException { super(asn1Encoding, client, server, sessionKey, keyType, flags, authTime, startTime, endTime, renewTill, clientAddresses); KerberosSecrets.getJavaxSecurityAuthKerberosAccess() .kerberosTicketSetClientAlias(this, clientAlias); KerberosSecrets.getJavaxSecurityAuthKerberosAccess() .kerberosTicketSetServerAlias(this, serverAlias); this.name = name; try { // Cache this for later use by the sun.security.krb5 package. krb5Credentials = new Credentials(asn1Encoding, client.getName(), (clientAlias != null ? clientAlias.getName() : null), server.getName(), (serverAlias != null ? serverAlias.getName() : null), sessionKey, keyType, flags, authTime, startTime, endTime, renewTill, clientAddresses); } catch (KrbException e) { throw new GSSException(GSSException.NO_CRED, -1, e.getMessage()); } catch (IOException e) { throw new GSSException(GSSException.NO_CRED, -1, e.getMessage()); } } private Krb5InitCredential(Krb5NameElement name, Credentials delegatedCred, byte[] asn1Encoding, KerberosPrincipal client, KerberosPrincipal clientAlias, KerberosPrincipal server, KerberosPrincipal serverAlias, byte[] sessionKey, int keyType, boolean[] flags, Date authTime, Date startTime, Date endTime, Date renewTill, InetAddress[] clientAddresses) throws GSSException { super(asn1Encoding, client, server, sessionKey, keyType, flags, authTime, startTime, endTime, renewTill, clientAddresses); KerberosSecrets.getJavaxSecurityAuthKerberosAccess() .kerberosTicketSetClientAlias(this, clientAlias); KerberosSecrets.getJavaxSecurityAuthKerberosAccess() .kerberosTicketSetServerAlias(this, serverAlias); this.name = name; // A delegated cred does not have all fields set. So do not try to // creat new Credentials out of the delegatedCred. this.krb5Credentials = delegatedCred; } static Krb5InitCredential getInstance(GSSCaller caller, Krb5NameElement name, int initLifetime) throws GSSException { KerberosTicket tgt = getTgt(caller, name, initLifetime); if (tgt == null) throw new GSSException(GSSException.NO_CRED, -1, "Failed to find any Kerberos tgt"); if (name == null) { String fullName = tgt.getClient().getName(); name = Krb5NameElement.getInstance(fullName, Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); } KerberosPrincipal clientAlias = KerberosSecrets .getJavaxSecurityAuthKerberosAccess() .kerberosTicketGetClientAlias(tgt); KerberosPrincipal serverAlias = KerberosSecrets .getJavaxSecurityAuthKerberosAccess() .kerberosTicketGetServerAlias(tgt); Krb5InitCredential result = new Krb5InitCredential(name, tgt.getEncoded(), tgt.getClient(), clientAlias, tgt.getServer(), serverAlias, tgt.getSessionKey().getEncoded(), tgt.getSessionKeyType(), tgt.getFlags(), tgt.getAuthTime(), tgt.getStartTime(), tgt.getEndTime(), tgt.getRenewTill(), tgt.getClientAddresses()); result.proxyTicket = KerberosSecrets.getJavaxSecurityAuthKerberosAccess(). kerberosTicketGetProxy(tgt); return result; } static Krb5InitCredential getInstance(Krb5NameElement name, Credentials delegatedCred) throws GSSException { EncryptionKey sessionKey = delegatedCred.getSessionKey(); /* * all of the following data is optional in a KRB-CRED * messages. This check for each field. */ PrincipalName cPrinc = delegatedCred.getClient(); PrincipalName cAPrinc = delegatedCred.getClientAlias(); PrincipalName sPrinc = delegatedCred.getServer(); PrincipalName sAPrinc = delegatedCred.getServerAlias(); KerberosPrincipal client = null; KerberosPrincipal clientAlias = null; KerberosPrincipal server = null; KerberosPrincipal serverAlias = null; Krb5NameElement credName = null; if (cPrinc != null) { String fullName = cPrinc.getName(); credName = Krb5NameElement.getInstance(fullName, Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); client = new KerberosPrincipal(fullName); } if (cAPrinc != null) { clientAlias = new KerberosPrincipal(cAPrinc.getName()); } // XXX Compare name to credName if (sPrinc != null) { server = new KerberosPrincipal(sPrinc.getName(), KerberosPrincipal.KRB_NT_SRV_INST); } if (sAPrinc != null) { serverAlias = new KerberosPrincipal(sAPrinc.getName()); } return new Krb5InitCredential(credName, delegatedCred, delegatedCred.getEncoded(), client, clientAlias, server, serverAlias, sessionKey.getBytes(), sessionKey.getEType(), delegatedCred.getFlags(), delegatedCred.getAuthTime(), delegatedCred.getStartTime(), delegatedCred.getEndTime(), delegatedCred.getRenewTill(), delegatedCred.getClientAddresses()); }
Returns the principal name for this credential. The name is in mechanism specific format.
Throws:
Returns:GSSNameSpi representing principal name of this credential
/** * Returns the principal name for this credential. The name * is in mechanism specific format. * * @return GSSNameSpi representing principal name of this credential * @exception GSSException may be thrown */
public final GSSNameSpi getName() throws GSSException { return name; }
Returns the init lifetime remaining.
Throws:
Returns:the init lifetime remaining in seconds
/** * Returns the init lifetime remaining. * * @return the init lifetime remaining in seconds * @exception GSSException may be thrown */
public int getInitLifetime() throws GSSException { Date d = getEndTime(); if (d == null) { return 0; } long retVal = d.getTime() - System.currentTimeMillis(); return (int)(retVal/1000); }
Returns the accept lifetime remaining.
Throws:
Returns:the accept lifetime remaining in seconds
/** * Returns the accept lifetime remaining. * * @return the accept lifetime remaining in seconds * @exception GSSException may be thrown */
public int getAcceptLifetime() throws GSSException { return 0; } public boolean isInitiatorCredential() throws GSSException { return true; } public boolean isAcceptorCredential() throws GSSException { return false; }
Returns the oid representing the underlying credential mechanism oid.
Throws:
Returns:the Oid for this credential mechanism
/** * Returns the oid representing the underlying credential * mechanism oid. * * @return the Oid for this credential mechanism * @exception GSSException may be thrown */
public final Oid getMechanism() { return Krb5MechFactory.GSS_KRB5_MECH_OID; } public final java.security.Provider getProvider() { return Krb5MechFactory.PROVIDER; }
Returns a sun.security.krb5.Credentials instance so that it maybe used in that package for th Kerberos protocol.
/** * Returns a sun.security.krb5.Credentials instance so that it maybe * used in that package for th Kerberos protocol. */
Credentials getKrb5Credentials() { return krb5Credentials; } /* * XXX Call to this.refresh() should refresh the locally cached copy * of krb5Credentials also. */
Called to invalidate this credential element.
/** * Called to invalidate this credential element. */
public void dispose() throws GSSException { try { destroy(); } catch (javax.security.auth.DestroyFailedException e) { GSSException gssException = new GSSException(GSSException.FAILURE, -1, "Could not destroy credentials - " + e.getMessage()); gssException.initCause(e); } } // XXX call to this.destroy() should destroy the locally cached copy // of krb5Credentials and then call super.destroy(). private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name, int initLifetime) throws GSSException { final String clientPrincipal; /* * Find the TGT for the realm that the client is in. If the client * name is not available, then use the default realm. */ if (name != null) { clientPrincipal = (name.getKrb5PrincipalName()).getName(); } else { clientPrincipal = null; } final AccessControlContext acc = AccessController.getContext(); try { final GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN) ? GSSCaller.CALLER_INITIATE : caller; return AccessController.doPrivileged( new PrivilegedExceptionAction<KerberosTicket>() { public KerberosTicket run() throws Exception { // It's OK to use null as serverPrincipal. TGT is almost // the first ticket for a principal and we use list. return Krb5Util.getInitialTicket( realCaller, clientPrincipal, acc); }}); } catch (PrivilegedActionException e) { GSSException ge = new GSSException(GSSException.NO_CRED, -1, "Attempt to obtain new INITIATE credentials failed!" + " (" + e.getMessage() + ")"); ge.initCause(e.getException()); throw ge; } } @Override public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException { try { Krb5NameElement kname = (Krb5NameElement)name; Credentials newCred = Credentials.acquireS4U2selfCreds( kname.getKrb5PrincipalName(), krb5Credentials); return new Krb5ProxyCredential(this, kname, newCred.getTicket()); } catch (IOException | KrbException ke) { GSSException ge = new GSSException(GSSException.FAILURE, -1, "Attempt to obtain S4U2self credentials failed!"); ge.initCause(ke); throw ge; } } }