directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: rev 56108 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc
Date Sun, 31 Oct 2004 02:09:18 GMT
Author: erodriguez
Date: Sat Oct 30 19:09:18 2004
New Revision: 56108

Modified:
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Updated service workflow classes to use KerberosPrincipals.

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
Sat Oct 30 19:09:18 2004
@@ -23,6 +23,8 @@
 import org.apache.kerberos.messages.components.*;
 import org.apache.kerberos.messages.value.*;
 
+import javax.security.auth.kerberos.*;
+
 public class AuthenticationService {
 	
 	private PrincipalStore _store;
@@ -34,47 +36,44 @@
 	
 	public AuthenticationReply getReplyFor(KdcRequest request) throws KerberosException {
 		
-		Realm realm = request.getRealm();
-		
-		PrincipalName client = request.getCname();
-		client.setRealm(realm);
+		KerberosPrincipal clientPrincipal = request.getClientPrincipal();
 		
-		System.out.println("Client:  " + client.getNameString());
-		PrincipalStoreEntry clientEntry = _bootstrap.getEntry(client);
+		System.out.println("Client:  " + clientPrincipal.toString());
+		PrincipalStoreEntry clientEntry = _bootstrap.getEntry(clientPrincipal);
 		EncryptionKey clientKey;
 		if (clientEntry != null) {
 			clientKey = clientEntry.getEncryptionKey();
 		} else {
 			System.out.println("Going to look up client");
-			clientKey = _store.getEntry(client).getEncryptionKey();
+			clientKey = _store.getEntry(clientPrincipal).getEncryptionKey();
 		}
 		
-		PrincipalName server = request.getSname();
-		server.setRealm(realm);
+		KerberosPrincipal serverPrincipal = request.getServerPrincipal();
 		
-		System.out.println("Server:  " + server.getNameString());
-		PrincipalStoreEntry serverEntry = _bootstrap.getEntry(server);
+		System.out.println("Server:  " + serverPrincipal.toString());
+		PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 		EncryptionKey serverKey;
 		if (serverEntry != null) {
 			serverKey = serverEntry.getEncryptionKey();
 		} else {
 			System.out.println("Going to look up client");
-			serverKey = _store.getEntry(server).getEncryptionKey();
+			serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
 		}
 		
-		verifyPreAuthentication(request, client);
+		verifyPreAuthentication(request, clientPrincipal);
 		
-		Ticket ticket = getTicket(request);
-		encryptTicketPart(ticket, serverKey);		
+		Ticket ticket = getNewTicket(request, serverKey);
 		AuthenticationReply reply = getAuthenticationReply(request, ticket);
 		encryptReplyPart(reply, clientKey);
-		System.out.print("Got request from client " + client.toString() + " ");
-		System.out.println("for access to " + server.toString());
+		
+		System.out.print("Got request from client " + clientPrincipal.toString() + " ");
+		System.out.println("for access to " + serverPrincipal.toString());
+		
 		return reply;
 	}
 	
 	// TODO - currently no support for pre-auth; requires server store support
-	private void verifyPreAuthentication(KdcRequest request, PrincipalName client) {
+	private void verifyPreAuthentication(KdcRequest request, KerberosPrincipal clientPrincipal)
{
 		/*
 		if(client.pa_enc_timestamp_required and
 		   pa_enc_timestamp not present) then
@@ -111,22 +110,20 @@
 	}
 	
 	// TODO - client and server parameters; requires store
-	private Ticket getTicket(KdcRequest request) throws KerberosException {
+	private Ticket getNewTicket(KdcRequest request, EncryptionKey serverKey) throws KerberosException
{
 		
-		Ticket newTicket = new Ticket();
-		newTicket.setTicketVersionNumber(LocalConfig.TICKET_VNO);
+		KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
 		
-		newTicket.setServerName(request.getSname());
-		newTicket.setRealm(request.getRealm());
+		EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
 		
 		if(request.getKdcOptions().get(KdcOptions.FORWARDABLE))
-			newTicket.getFlags().set(TicketFlags.FORWARDABLE);
+			newTicketBody.setFlag(TicketFlags.FORWARDABLE);
 		
 		if(request.getKdcOptions().get(KdcOptions.PROXIABLE))
-			newTicket.getFlags().set(TicketFlags.PROXIABLE);
+			newTicketBody.setFlag(TicketFlags.PROXIABLE);
 		
 		if(request.getKdcOptions().get(KdcOptions.ALLOW_POSTDATE))
-			newTicket.getFlags().set(TicketFlags.MAY_POSTDATE);
+			newTicketBody.setFlag(TicketFlags.MAY_POSTDATE);
 		
 		if(request.getKdcOptions().get(KdcOptions.RENEW) ||
 				request.getKdcOptions().get(KdcOptions.VALIDATE) ||
@@ -135,20 +132,19 @@
 				request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
 			throw KerberosException.KDC_ERR_BADOPTION;
 		
-		newTicket.setSessionKey(CryptoService.getNewSessionKey());
-		newTicket.setClientName(request.getCname());
-		newTicket.setClientRealm(request.getRealm());
-		newTicket.setTransitedEncoding(new TransitedEncoding());
+		newTicketBody.setSessionKey(CryptoService.getNewSessionKey());
+		newTicketBody.setClientPrincipal(request.getClientPrincipal());
+		newTicketBody.setTransitedEncoding(new TransitedEncoding());
 		
 		KerberosTime now = new KerberosTime();
-		newTicket.setAuthtime(now);
+		newTicketBody.setAuthTime(now);
 	
-		if(request.getKdcOptions().get(KdcOptions.POSTDATED)) {
+		if (request.getKdcOptions().get(KdcOptions.POSTDATED)) {
 			// TODO - possibly allow req.from range
 			if (!LocalConfig.KDC_POSTDATE_ALLOWED)
 				throw KerberosException.KDC_ERR_POLICY;
-			newTicket.setFlag(TicketFlags.INVALID);
-			newTicket.setStartTime(request.getFrom());
+			newTicketBody.setFlag(TicketFlags.INVALID);
+			newTicketBody.setStartTime(request.getFrom());
 		}
 	
 	long till = 0;
@@ -163,11 +159,12 @@
 	                      new_tkt.starttime+max_life_for_realm);
 	*/
 	long endTime = Math.min(now.getTime() + LocalConfig.DEFAULT_MAXIMUM_TICKET_LIFETIME, till);
-	newTicket.setEndTime(new KerberosTime(endTime));
+	KerberosTime kerberosEndTime = new KerberosTime(endTime);
+	newTicketBody.setEndTime(kerberosEndTime);
 
 	long tempRtime = 0;
 	if (request.getKdcOptions().get(KdcOptions.RENEWABLE_OK) &&
-			request.getTill().greaterThan(newTicket.getEndTime())) {
+			request.getTill().greaterThan(kerberosEndTime)) {
 		request.getKdcOptions().set(KdcOptions.RENEWABLE);
 		tempRtime = request.getTill().getTime();
 	}
@@ -189,33 +186,41 @@
 			tempRtime = request.getRtime().getTime();
 
 		if (request.getKdcOptions().get(KdcOptions.RENEWABLE)) {
-			newTicket.getFlags().set(TicketFlags.RENEWABLE);
-			long renewTill = Math.min(newTicket.getStartTime().getTime()
+			newTicketBody.setFlag(TicketFlags.RENEWABLE);
+			long renewTill = Math.min(request.getFrom().getTime()
 					+ LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME, tempRtime);
-			newTicket.setRenewTill(new KerberosTime(renewTill));
+			newTicketBody.setRenewTill(new KerberosTime(renewTill));
 		}
 
-		if (request.getAddresses() != null)
-			newTicket.setClientAddresses(request.getAddresses());
+		if (request.getAddresses() != null) {
+			newTicketBody.setClientAddresses(request.getAddresses());
+		}
+		
+		EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+		
+		EncryptedData encryptedData = encryptTicketPart(ticketPart, serverKey);
+		
+		Ticket newTicket = new Ticket(ticketPrincipal, encryptedData);
+		newTicket.setEncTicketPart(ticketPart);
+		
 		return newTicket;
 	}
 	
 	// TODO - support multiple encryption types
-	private void encryptTicketPart(Ticket ticket, EncryptionKey serverKey) {
+	private EncryptedData encryptTicketPart(EncTicketPart ticketPart, EncryptionKey serverKey)
{
 		EncTicketPartEncoder encoder = new EncTicketPartEncoder();
-
+		EncryptedData encryptedTicketPart = null;
 		try {
-			byte[] plainText = encoder.encode(ticket);
+			byte[] plainText = encoder.encode(ticketPart);
 			
 			CryptoService enc = new CryptoService();
 			
-			EncryptedData cipherText = enc.getEncryptedData(serverKey, plainText);
-			
-			ticket.setEncPart(cipherText);
+			encryptedTicketPart = enc.getEncryptedData(serverKey, plainText);
 			
 		} catch (Exception e) {
 			e.printStackTrace();
 		}
+		return encryptedTicketPart;
 	}
 	
 	// TODO - support multiple encryption types
@@ -238,8 +243,7 @@
 	private AuthenticationReply getAuthenticationReply(KdcRequest request, Ticket ticket) {
 		AuthenticationReply reply = new AuthenticationReply();
 		
-		reply.setCname(request.getCname());
-		reply.setCrealm(request.getRealm());
+		reply.setClientPrincipal(request.getClientPrincipal());
 		reply.setTicket(ticket);
 		reply.setKey(ticket.getSessionKey());
 		
@@ -250,15 +254,14 @@
 		reply.setNonce(request.getNonce());
 		
 		reply.setFlags(ticket.getFlags());
-		reply.setAuthTime(ticket.getAuthtime());
+		reply.setAuthTime(ticket.getAuthTime());
 		reply.setStartTime(ticket.getStartTime());
 		reply.setEndTime(ticket.getEndTime());
 		
 		if (ticket.getFlags().get(TicketFlags.RENEWABLE))
 			reply.setRenewTill(ticket.getRenewTill());
 		
-		reply.setServerRealm(ticket.getRealm());
-		reply.setServerName(ticket.getServerName());
+		reply.setServerPrincipal(ticket.getServerPrincipal());
 		reply.setClientAddresses(ticket.getClientAddresses());
 		
 		return reply;

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
Sat Oct 30 19:09:18 2004
@@ -24,16 +24,16 @@
 public class DefaultConfig {
 	
     // Default inet port
-	public static final int KDC_INET_DEFAULT_PORT    = 88;
+	public static final int KDC_INET_DEFAULT_PORT           = 88;
     // Default server name
-	public static final String TGS_DEFAULT_SRV_NAME  = "krbtgt";
+	public static final String TGS_DEFAULT_SRV_NAME         = "krbtgt";
 	// Default NT
-	public static final int TGS_DEFAULT_NT           = PrincipalName.KRB_NT_SRV_INST;
+	public static final PrincipalNameType TGS_DEFAULT_NT    = PrincipalNameType.KRB_NT_SRV_INST;
 	
-    public static final ReplayCache REPLAY_CACHE     = new InMemoryReplayCache();
+    public static final ReplayCache REPLAY_CACHE            = new InMemoryReplayCache();
     
     // Default encryption type
-	public static final EncryptionType DEFAULT_ETYPE = EncryptionType.DES_CBC_MD5;
+	public static final EncryptionType DEFAULT_ETYPE        = EncryptionType.DES_CBC_MD5;
 
     // Default encryption type list 
 	public static final EncryptionType[] DEFAULT_ETYPE_LIST = { EncryptionType.DES_CBC_MD5,
@@ -94,12 +94,8 @@
 	// Protocol constants and associated values
     // Kerberos protocol version number
 	public static final int PVNO              = 5;
-    // Authenticator version number
-	public static final int AUTHENTICATOR_VNO = 5;
-    // Ticket version number
-	public static final int TICKET_VNO        = 5;
     // Default keytab version number
 	public static final int KT_VNO            = Keytab.VNO_2;
-	
+
 }
 

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Sat Oct 30 19:09:18 2004
@@ -30,6 +30,8 @@
 import java.io.*;
 import java.util.*;
 
+import javax.security.auth.kerberos.*;
+
 /**
  * RFC 1510 A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
  */
@@ -46,7 +48,7 @@
 	
 	public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
{
 		
-		System.out.println("Got request from " + request.getCname() + "@" + request.getRealm());
+		System.out.println("Got request for " + request.getServerPrincipal());
 		
 		ApplicationRequest authHeader = getAuthHeader(request);
 		
@@ -56,23 +58,13 @@
 		
 		verifyTicket(authHeader, request);
 		
-		Realm realm = tgt.getRealm();
-		
 		verifyBodyChecksum(authenticator.getChecksum(), request);
 		
-		EncryptionKey serverKey = getServerKey(request);
-		
 		EncryptionKey sessionKey = CryptoService.getNewSessionKey();
 		
 		EncryptionType eType = CryptoService.getBestEncryptionType(request.getEType());
 		
-		Ticket newTicket = getNewTicket(request, tgt, realm, sessionKey, authenticator);
-		
-		processTimes(request, newTicket, tgt);
-		
-		processTransited(newTicket, tgt);
-		
-		encryptTicketPart(newTicket, serverKey, request);
+		Ticket newTicket = getNewTicket(request, tgt, sessionKey, authenticator);
 		
 		TicketGrantReply reply = getReply(tgt, newTicket, sessionKey, request);
 		
@@ -121,14 +113,13 @@
 		if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
 			serverKey = authHeader.getTicket().getSessionKey();
 		} else {
-			PrincipalName server = tgt.getServerName();
-			server.setRealm(tgt.getRealm());
-			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(server);
+			KerberosPrincipal serverPrincipal = tgt.getServerPrincipal();
+			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
 			} else {
 				System.out.println("Going to look up client");
-				serverKey = _store.getEntry(server).getEncryptionKey();
+				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
 			}
 		}
 		if (serverKey == null) {
@@ -161,9 +152,9 @@
 			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
 		}
 		
-		if (!authenticator.getClientName().equals(tgt.getClientName()) &&
-				!authenticator.getClientRealm().equals(tgt.getClientRealm()))
+		if (!authenticator.getClientPrincipal().getName().equals(tgt.getClientPrincipal().getName()))
{
 			throw KerberosException.KRB_AP_ERR_BADMATCH;
+		}
 		
 		// TODO - need to get at IP Address for sender
 		if (tgt.getClientAddresses() != null) {
@@ -175,13 +166,11 @@
             //    error_out(KRB_AP_ERR_BADADDR);
         }
 		
-		if(_replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientName(),
-				authenticator.getClientRealm())) {
+		if(_replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientPrincipal()))
{
 			throw KerberosException.KRB_AP_ERR_REPEAT;
 		}
         
-		_replayCache.save(authenticator.getClientTime(), authenticator.getClientName(),
-				authenticator.getClientRealm());
+		_replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
 		
 		if (!authenticator.getClientTime().isInClockSkew())
 			throw KerberosException.KRB_AP_ERR_SKEW;
@@ -211,7 +200,7 @@
 		
 		Ticket tgt = authHeader.getTicket();
 		if (!tgt.getRealm().toString().equals(LocalConfig.KDC_PRIMARY_REALM) &&
-				!tgt.getServerName().equals(request.getSname()))
+				!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
 			throw KerberosException.KRB_AP_ERR_NOT_US;
 	}
 	
@@ -256,15 +245,14 @@
 		EncryptionKey serverKey = null;
 		// TODO - allow lookup with realm
 		try {
-			PrincipalName server = request.getSname();
-			server.setRealm(request.getRealm());
-			System.out.println(server);
-			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(server);
+			KerberosPrincipal serverPrincipal = request.getServerPrincipal();
+			System.out.println(serverPrincipal.getName());
+			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
 			} else {
 				System.out.println("Going to look up client");
-				serverKey = _store.getEntry(server).getEncryptionKey();
+				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
 			}
 			
 		} catch (KerberosException ke) {
@@ -283,83 +271,89 @@
 		return serverKey;
 	}
 	
-	private Ticket getNewTicket(KdcRequest request, Ticket tgt,
-			Realm realm, EncryptionKey sessionKey, Authenticator authenticator)
-			throws KerberosException {
+	private Ticket getNewTicket(KdcRequest request, Ticket tgt, EncryptionKey sessionKey,
+			Authenticator authenticator) throws KerberosException {
+		
+		KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
 
-		Ticket newTicket = new Ticket();
-		newTicket.setTicketVersionNumber(LocalConfig.TICKET_VNO);
-		newTicket.setServerName(request.getSname());
-		newTicket.setRealm(realm);
-		
-		/* 
-		 * Note that local policy may affect the processing of any of these flags.
-		 * For example, some realms may refuse to issue renewable tickets
-		 */
-		newTicket.setClientAddresses(tgt.getClientAddresses());
-		
-		processFlags(request, tgt, newTicket);
-		
-		newTicket.setSessionKey(sessionKey);
-		newTicket.setClientRealm(tgt.getClientRealm());
-		newTicket.setClientName(tgt.getClientName());
+		EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+		
+		newTicketBody.setClientAddresses(tgt.getClientAddresses());
+		
+		processFlags(request, tgt, newTicketBody);
+		
+		newTicketBody.setSessionKey(sessionKey);
+		newTicketBody.setClientPrincipal(tgt.getClientPrincipal());
 		
 		AuthorizationData authData = processAuthorizationData(request, authenticator, tgt);
-		newTicket.setAuthorizationData(authData);
+		newTicketBody.setAuthorizationData(authData);
+		
+		processTransited(newTicketBody, tgt);
+		
+		processTimes(request, newTicketBody, tgt);
+		
+		EncryptionKey serverKey = getServerKey(request);
+		
+		EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+		
+		EncryptedData encryptedData = encryptTicketPart(ticketPart, serverKey, request);
+		
+		Ticket newTicket = new Ticket(ticketPrincipal, encryptedData);
+		newTicket.setEncTicketPart(ticketPart);
 		
 		return newTicket;
 	}
 	
-	private void processFlags(KdcRequest request, Ticket tgt, Ticket newTicket) 
+	private void processFlags(KdcRequest request, Ticket tgt, EncTicketPartModifier newTicketBody)

 			throws KerberosException {
 		
 		if (request.getOption(KdcOptions.FORWARDABLE)) {
 			if (!tgt.getFlag(TicketFlags.FORWARDABLE))
 				throw KerberosException.KDC_ERR_BADOPTION;
-			newTicket.setFlag(TicketFlags.FORWARDABLE);
+			newTicketBody.setFlag(TicketFlags.FORWARDABLE);
 		}
 
 		if (request.getOption(KdcOptions.FORWARDED)) {
 			if (!tgt.getFlag(TicketFlags.FORWARDABLE))
 				throw KerberosException.KDC_ERR_BADOPTION;
-			newTicket.setFlag(TicketFlags.FORWARDED);
-			newTicket.setClientAddresses(request.getAddresses());
+			newTicketBody.setFlag(TicketFlags.FORWARDED);
+			newTicketBody.setClientAddresses(request.getAddresses());
 			// reply.setClientAddresses(request.getClientAddresses()); moved to getReply
 		}
 		
 		if (tgt.getFlag(TicketFlags.FORWARDED))
-			newTicket.setFlag(TicketFlags.FORWARDED);
+			newTicketBody.setFlag(TicketFlags.FORWARDED);
 
 		if (request.getOption(KdcOptions.PROXIABLE)) {
 			if (!tgt.getFlag(TicketFlags.PROXIABLE))
 				throw KerberosException.KDC_ERR_BADOPTION;
-			newTicket.setFlag(TicketFlags.PROXIABLE);
+			newTicketBody.setFlag(TicketFlags.PROXIABLE);
 		}
 		
 		if (request.getOption(KdcOptions.PROXY)) {
 			if (!tgt.getFlag(TicketFlags.PROXIABLE))
 				throw KerberosException.KDC_ERR_BADOPTION;
-			newTicket.setFlag(TicketFlags.PROXY);
-			newTicket.setClientAddresses(request.getAddresses());
+			newTicketBody.setFlag(TicketFlags.PROXY);
+			newTicketBody.setClientAddresses(request.getAddresses());
 			// reply.setClientAddresses(request.getClientAddresses()); moved to getReply
 		}
 		
 		if (request.getOption(KdcOptions.ALLOW_POSTDATE)) {
 			if (!tgt.getFlag(TicketFlags.MAY_POSTDATE))
 				throw KerberosException.KDC_ERR_BADOPTION;
-			newTicket.setFlag(TicketFlags.MAY_POSTDATE);
+			newTicketBody.setFlag(TicketFlags.MAY_POSTDATE);
 		}
 		
 		if (request.getOption(KdcOptions.POSTDATED)) {
 			if (!tgt.getFlag(TicketFlags.MAY_POSTDATE))
 				throw KerberosException.KDC_ERR_BADOPTION;
-			newTicket.setFlag(TicketFlags.POSTDATED);
-			newTicket.setFlag(TicketFlags.INVALID);
+			newTicketBody.setFlag(TicketFlags.POSTDATED);
+			newTicketBody.setFlag(TicketFlags.INVALID);
 			
 			if (!LocalConfig.KDC_POSTDATE_ALLOWED)
 				throw KerberosException.KDC_ERR_POLICY;
 			
-			newTicket.setStartTime(request.getFrom());
+			newTicketBody.setStartTime(request.getFrom());
 		}
 
 		if (request.getOption(KdcOptions.VALIDATE)) {
@@ -374,7 +368,7 @@
 	        */
 			
 			// TODO - tkt = tgt;
-			newTicket.clearFlag(TicketFlags.INVALID);
+			newTicketBody.clearFlag(TicketFlags.INVALID);
 		}
 
 		if (request.getOption(KdcOptions.RESERVED) ||
@@ -383,12 +377,14 @@
 				throw KerberosException.KRB_AP_ERR_TKT_NYV;
 	}
 	
-	private void processTimes(KdcRequest request, Ticket newTicket, Ticket tgt)
+	private void processTimes(KdcRequest request, EncTicketPartModifier newTicketBody, Ticket
tgt)
 			throws KerberosException {
 		
 		KerberosTime now = new KerberosTime();
 		
-		newTicket.setAuthtime(tgt.getAuthtime());
+		newTicketBody.setAuthTime(tgt.getAuthTime());
+		
+		KerberosTime renewalTime = null;
 		
 		if (request.getOption(KdcOptions.RENEW)) {
 			/* 
@@ -400,13 +396,21 @@
 			if (tgt.getRenewTill().greaterThan(now))
 				throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
 			
-			newTicket = tgt;
+			newTicketBody.setAuthorizationData(tgt.getAuthorizationData());
+			newTicketBody.setAuthTime(tgt.getAuthTime());
+			newTicketBody.setClientAddresses(tgt.getClientAddresses());
+			newTicketBody.setClientPrincipal(tgt.getClientPrincipal());
+			newTicketBody.setEndTime(tgt.getEndTime());
+			newTicketBody.setFlags(tgt.getFlags());
+			newTicketBody.setRenewTill(tgt.getRenewTill());
+			newTicketBody.setSessionKey(tgt.getSessionKey());
+			newTicketBody.setTransitedEncoding(tgt.getTransitedEncoding());
 			
-			newTicket.setStartTime(now);
+			newTicketBody.setStartTime(now);
 			long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
-			newTicket.setEndTime(new KerberosTime(Math.min(tgt.getRenewTill().getTime(), newTicket.getStartTime().getTime()
+ oldLife)));
+			newTicketBody.setEndTime(new KerberosTime(Math.min(tgt.getRenewTill().getTime(), now.getTime()
+ oldLife)));
 		} else {
-			newTicket.setStartTime(now);
+			newTicketBody.setStartTime(now);
 			KerberosTime till;
 			if (request.getTill().isZero())
 				till = KerberosTime.INFINITY;
@@ -420,29 +424,34 @@
             */
 			List minimizer = new ArrayList();
 			minimizer.add(till);
-			minimizer.add(new KerberosTime(newTicket.getStartTime().getTime() + LocalConfig.KDC_MAXIMUM_TICKET_LIFETIME));
+			minimizer.add(new KerberosTime(now.getTime() + LocalConfig.KDC_MAXIMUM_TICKET_LIFETIME));
 			minimizer.add(tgt.getEndTime());
-			newTicket.setEndTime((KerberosTime)Collections.min(minimizer));
+			KerberosTime minTime = (KerberosTime)Collections.min(minimizer);
+			newTicketBody.setEndTime(minTime);
 			
 			if (request.getOption(KdcOptions.RENEWABLE_OK) &&
-					newTicket.getEndTime().lessThan(request.getTill()) &&
+					minTime.lessThan(request.getTill()) &&
 					tgt.getFlag(TicketFlags.RENEWABLE)) {
                 // we set the RENEWABLE option for later processing                     
     
 				request.setOption(KdcOptions.RENEWABLE);
 				long rtime = Math.min(request.getTill().getTime(), tgt.getRenewTill().getTime());
-				request.setRtime(new KerberosTime(rtime));
+				renewalTime = new KerberosTime(rtime);
 			}
 		}
 		
+		if (renewalTime == null) {
+			renewalTime = request.getRtime();
+		}
+		
 		KerberosTime rtime;
-		if (request.getRtime() != null && request.getRtime().isZero())
+		if (renewalTime != null && renewalTime.isZero())
 			rtime = KerberosTime.INFINITY;
 		else
-			rtime = request.getRtime();
+			rtime = renewalTime;
 		
 		if (request.getOption(KdcOptions.RENEWABLE) &&
 				tgt.getFlag(TicketFlags.RENEWABLE)) {
-			newTicket.setFlag(TicketFlags.RENEWABLE);
+			newTicketBody.setFlag(TicketFlags.RENEWABLE);
 			
 			/*
 	        new_tkt.starttime+client.max_rlife,
@@ -451,9 +460,9 @@
 			// TODO - client and server configurable; requires store 
 			List minimizer = new ArrayList();
 			minimizer.add(rtime);
-			minimizer.add(new KerberosTime(newTicket.getStartTime().getTime() + LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME));
+			minimizer.add(new KerberosTime(now.getTime() + LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME));
 			minimizer.add(tgt.getRenewTill());
-			newTicket.setRenewTill((KerberosTime)Collections.min(minimizer));
+			newTicketBody.setRenewTill((KerberosTime)Collections.min(minimizer));
 		}
 	}
 	
@@ -494,20 +503,19 @@
 	        new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
 	endif
 	*/
-	private void processTransited(Ticket newTicket, Ticket tgt) {
+	private void processTransited(EncTicketPartModifier newTicketBody, Ticket tgt) {
 		// TODO - currently no transited support other than local
-		newTicket.setTransitedEncoding(tgt.getTransitedEncoding());
+		newTicketBody.setTransitedEncoding(tgt.getTransitedEncoding());
 	}
 	
-	// TODO - support multiple encryption types, this is hardwired for DES_CBC_MD5
-	private void encryptTicketPart(Ticket newTicket, EncryptionKey serverKey, KdcRequest request)
-			throws KerberosException {
+	private EncryptedData encryptTicketPart(EncTicketPart newTicketBody, EncryptionKey serverKey,
+			KdcRequest request) throws KerberosException {
 		
 		byte[] encodedTicket;
 		
 		EncTicketPartEncoder encoder = new EncTicketPartEncoder();
 		try {
-			encodedTicket = encoder.encode(newTicket);
+			encodedTicket = encoder.encode(newTicketBody);
 		} catch (IOException ioe) {
 			// TODO - figure out right error for ASN.1 generation error
 			throw KerberosException.KRB_ERR_GENERIC;
@@ -528,11 +536,9 @@
 				using etype_for_key(second-ticket.key), second-ticket.key;
 			*/
 		} else {
-			
-			EncryptedData cipherText = enc.getEncryptedData(serverKey, encodedTicket);
-			
-			newTicket.setEncPart(cipherText);
+			// encrypt with serverKey
 		}
+		return enc.getEncryptedData(serverKey, encodedTicket);
 	}
 	
 	// TODO - support multiple encryption types, this is hardwired for DES_CBC_MD5
@@ -556,8 +562,7 @@
 			EncryptionKey sessionKey, KdcRequest request) {
 		
 		TicketGrantReply reply = new TicketGrantReply();
-		reply.setCrealm(tgt.getClientRealm());
-		reply.setCname(tgt.getClientName());
+		reply.setClientPrincipal(tgt.getClientPrincipal());
 		reply.setTicket(newTicket);
 		reply.setKey(sessionKey);
 		reply.setNonce(request.getNonce());
@@ -565,11 +570,10 @@
 		reply.setLastRequest(new LastRequest());
 		reply.setFlags(newTicket.getFlags());
 		reply.setClientAddresses(newTicket.getClientAddresses());
-		reply.setAuthTime(newTicket.getAuthtime());
+		reply.setAuthTime(newTicket.getAuthTime());
 		reply.setStartTime(newTicket.getStartTime());
 		reply.setEndTime(newTicket.getEndTime());
-		reply.setServerName(newTicket.getServerName());
-		reply.setServerRealm(newTicket.getRealm());
+		reply.setServerPrincipal(newTicket.getServerPrincipal());
 		
 		if (newTicket.getFlag(TicketFlags.RENEWABLE))
 			reply.setRenewTill(newTicket.getRenewTill());

Mime
View raw message