From erodrig...@apache.org
Subject svn commit: rev 56360 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc
Date Tue, 02 Nov 2004 07:01:54 GMT
Author: erodriguez
Date: Mon Nov  1 23:01:53 2004
New Revision: 56360

Modified:
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Minor refactoring, hoping for better code reuse in AP scenarios.

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Mon Nov  1 23:01:53 2004
@@ -59,9 +59,9 @@
 		
 		Ticket tgt = authHeader.getTicket();
 		
-		Authenticator authenticator = verifyApReq(authHeader, tgt);
+		Authenticator authenticator = verifyAuthHeader(authHeader, tgt);
 		
-		verifyTicket(authHeader, request);
+		verifyTicket(tgt, request.getServerPrincipal());
 		
 		verifyBodyChecksum(authenticator.getChecksum(), request);
 		
@@ -96,7 +96,7 @@
 	}
 	
 	// RFC 1510 A.10.  KRB_AP_REQ verification
-	private Authenticator verifyApReq(ApplicationRequest authHeader, Ticket tgt)
+	private Authenticator verifyAuthHeader(ApplicationRequest authHeader, Ticket ticket)
 			throws KerberosException, IOException {
 		
 		if (authHeader.getProtocolVersionNumber() != 5)
@@ -111,7 +111,7 @@
 		if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
 			serverKey = authHeader.getTicket().getSessionKey();
 		} else {
-			KerberosPrincipal serverPrincipal = tgt.getServerPrincipal();
+			KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
 			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
@@ -128,11 +128,11 @@
 		}
 		
 		try {
-			byte[] decTicketPart = _cryptoService.decrypt(serverKey, tgt.getEncPart());
+			byte[] decTicketPart = _cryptoService.decrypt(serverKey, ticket.getEncPart());
 
 			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
 			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
-			tgt.setEncTicketPart(encPart);
+			ticket.setEncTicketPart(encPart);
 		} catch (KerberosException ke) {
 			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
 		}
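Review bot: Only KerberosException is remapped to KRB_AP_ERR_BAD_INTEGRITY around the ticket decrypt/decode; verifyAuthHeader is declared `throws IOException` (see the method header in the previous hunk), so if `EncTicketPartDecoder.decode` reports a malformed or truncated plaintext as an IOException, that failure leaves the method as a raw I/O error instead of the integrity error this RFC 1510 A.10 step is meant to produce. If the decoder can throw IOException, add a second catch clause next to the existing one that throws the same `KerberosException.KRB_AP_ERR_BAD_INTEGRITY`, so a bad ciphertext is reported uniformly regardless of where in decrypt-then-decode it is detected. The same pattern appears in the authenticator decrypt/decode in the next hunk. The enclosing method continues outside this hunk.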
@@ -140,19 +140,19 @@
 		Authenticator authenticator;
 		
 		try {
-			byte[] decAuthenticator = _cryptoService.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
+			byte[] decAuthenticator = _cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
 			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
 			authenticator = authDecoder.decode(decAuthenticator);
 		} catch (KerberosException ke) {
 			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
 		}
 		
-		if (!authenticator.getClientPrincipal().getName().equals(tgt.getClientPrincipal().getName()))
{
+		if (!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
 			throw KerberosException.KRB_AP_ERR_BADMATCH;
 		}
 		
 		// TODO - need to get at IP Address for sender
-		if (tgt.getClientAddresses() != null) {
+		if (ticket.getClientAddresses() != null) {
 			// if (sender_address(packet) is not in decr_ticket.caddr)
             //    then error_out(KRB_AP_ERR_BADADDR);
 		}
@@ -170,13 +170,13 @@
 		if (!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
 			throw KerberosException.KRB_AP_ERR_SKEW;
 		
-		if (tgt.getStartTime() != null && !tgt.getStartTime().isInClockSkew(_config.getClockSkew())
||
-				tgt.getFlag(TicketFlags.INVALID))
+		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(_config.getClockSkew())
||
+				ticket.getFlag(TicketFlags.INVALID))
 				// it hasn't yet become valid
                 throw KerberosException.KRB_AP_ERR_TKT_NYV;
 		
 		// TODO - doesn't take into account skew
-		if (!tgt.getEndTime().greaterThan(new KerberosTime()))
+		if (!ticket.getEndTime().greaterThan(new KerberosTime()))
             throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
 		
 		authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
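Review bot: The start-time test is written as `!ticket.getStartTime().isInClockSkew(_config.getClockSkew())`, which, if isInClockSkew is a symmetric window check (|now - t| <= skew), also fires for a start time that is more than the skew in the past — i.e. any ticket older than the skew window would be rejected with KRB_AP_ERR_TKT_NYV. RFC 1510 A.10 only rejects when `starttime > kdc_time + CLOCK_SKEW`, so this branch should compare the start time against now-plus-skew in one direction only, in the same style as the `greaterThan(new KerberosTime())` end-time test just below it. Please confirm KerberosTime.isInClockSkew's semantics before changing it; if it is already one-sided this note does not apply. The method's body continues outside this hunk.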
@@ -184,12 +184,11 @@
 		return authenticator;
 	}
 	
-	private void verifyTicket(ApplicationRequest authHeader, KdcRequest request)
+	private void verifyTicket(Ticket ticket, KerberosPrincipal serverPrincipal)
 			throws KerberosException {
 		
-		Ticket tgt = authHeader.getTicket();
-		if (!tgt.getRealm().equals(_config.getPrimaryRealm()) &&
-				!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
+		if (!ticket.getRealm().equals(_config.getPrimaryRealm()) &&
+				!ticket.getServerPrincipal().equals(serverPrincipal))
 			throw KerberosException.KRB_AP_ERR_NOT_US;
 	}
 	
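Review bot: The NOT_US condition joins its two tests with `&&`, so a ticket from a realm other than `_config.getPrimaryRealm()` is accepted as long as its server principal equals the one passed in, and a primary-realm ticket is accepted whatever its server principal is. At the call site in the first hunk the argument is `request.getServerPrincipal()`, the service the client is asking a ticket for, rather than this KDC's own TGS principal, so the server-principal comparison appears to test the wrong identity (hedged: the caller may intend something else). RFC 1510 A.10 raises KRB_AP_ERR_NOT_US when the decrypted ticket's realm or sname is not the local server's, which suggests comparing the TGT's realm and server principal against the KDC's own TGS principal and combining the two tests with `||`. A brief comment stating which principal `serverPrincipal` is expected to be would help here either way.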
@@ -229,12 +228,11 @@
 			throw KerberosException.KRB_AP_ERR_MODIFIED;
 	}
 	
-	private EncryptionKey getServerKey(KdcRequest request) throws KerberosException {
+	private EncryptionKey getServerKey(KerberosPrincipal serverPrincipal) throws KerberosException
{
 		
 		EncryptionKey serverKey = null;
 		// TODO - allow lookup with realm
 		try {
-			KerberosPrincipal serverPrincipal = request.getServerPrincipal();
 			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
@@ -279,7 +277,7 @@
 		
 		processTimes(request, newTicketBody, tgt);
 		
-		EncryptionKey serverKey = getServerKey(request);
+		EncryptionKey serverKey = getServerKey(request.getServerPrincipal());
 		
 		EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
 		
