directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: rev 57141 - in incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos: changepw kdc
Date Wed, 10 Nov 2004 05:19:42 GMT
Author: erodriguez
Date: Tue Nov  9 21:19:42 2004
New Revision: 57141

Added:
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
Modified:
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Added new KerberosService and started moving common service functionality to it.  Want to
check it in before upcoming major refactoring move.

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
Tue Nov  9 21:19:42 2004
@@ -16,45 +16,54 @@
  */
 package org.apache.kerberos.changepw;
 
-import org.apache.kerberos.changepw.io.*;
-import org.apache.kerberos.changepw.messages.*;
-import org.apache.kerberos.changepw.store.*;
-import org.apache.kerberos.changepw.value.*;
-import org.apache.kerberos.crypto.*;
-import org.apache.kerberos.io.decoder.*;
-import org.apache.kerberos.io.encoder.*;
-import org.apache.kerberos.kdc.*;
-import org.apache.kerberos.kdc.store.*;
-import org.apache.kerberos.messages.*;
-import org.apache.kerberos.messages.application.*;
+import org.apache.kerberos.changepw.io.ChangePasswordDataDecoder;
+import org.apache.kerberos.changepw.messages.ChangePasswordReply;
+import org.apache.kerberos.changepw.messages.ChangePasswordReplyModifier;
+import org.apache.kerberos.changepw.messages.ChangePasswordRequest;
+import org.apache.kerberos.changepw.store.PasswordStore;
+import org.apache.kerberos.changepw.value.ChangePasswordData;
+import org.apache.kerberos.changepw.value.ChangePasswordDataModifier;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
+import org.apache.kerberos.io.decoder.EncKrbPrivPartDecoder;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.io.encoder.EncApRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncKrbPrivPartEncoder;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.kdc.KerberosException;
+import org.apache.kerberos.kdc.KerberosService;
+import org.apache.kerberos.kdc.store.PrincipalStore;
+import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.MessageType;
+import org.apache.kerberos.messages.application.ApplicationReply;
+import org.apache.kerberos.messages.application.PrivateMessage;
 import org.apache.kerberos.messages.components.*;
-import org.apache.kerberos.messages.components.Authenticator;
 import org.apache.kerberos.messages.value.*;
 
-import java.io.*;
-import java.net.*;
-
-import javax.security.auth.kerberos.*;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import java.io.IOException;
+import java.net.InetAddress;
 
 /**
  * Kerberos Change Password and Set Password Protocols (RFC 3244)
  */
-public class ChangePasswordService {
+public class ChangePasswordService extends KerberosService {
 	
-	private PasswordStore    _store;
-	private PrincipalStore   _bootstrap;
-	private CryptoService    _cryptoService;
-	private KdcConfiguration _config;
+	private PasswordStore    store;
+	private PrincipalStore   bootstrap;
+	private KdcConfiguration config;
 	
-	public ChangePasswordService(PasswordStore store, PrincipalStore bootstrap,
-			CryptoService cryptoService, KdcConfiguration config) {
-		
-		_store         = store;
-		_bootstrap     = bootstrap;
-		_cryptoService = cryptoService;
-		_config        = config;
+	public ChangePasswordService(PasswordStore store, PrincipalStore bootstrap, KdcConfiguration
config)
+    {
+		super(config, bootstrap, null);
+
+		this.store     = store;
+		this.bootstrap = bootstrap;
+		this.config    = config;
 	}
-	
+
 	public ChangePasswordReply getReplyFor(ChangePasswordRequest request)
 			throws KerberosException, IOException {
 		
@@ -64,21 +73,23 @@
 		
 		Authenticator authenticator = verifyAuthHeader(authHeader, ticket);
 		
-		verifyTicket(ticket, _config.getChangepwPrincipal());
+		verifyTicket(ticket, config.getChangepwPrincipal());
 		
 		// TODO - check ticket is for service authorized to change passwords
-		// ticket.getServerPrincipal().getName().equals(_config.getChangepwPrincipal().getName()));
+		// ticket.getServerPrincipal().getName().equals(config.getChangepwPrincipal().getName()));
 		
 		// TODO - check client principal in ticket is authorized to change password
 		
 		// get the subsession key from the Authenticator
 		EncryptionKey sessionKey = authenticator.getSubSessionKey();
 		
-		// decrypt the request's private message with the subsession key
+		// getDecryptedData the request's private message with the subsession key
 		EncryptedData encReqPrivPart = request.getPrivateMessage().getEncryptedPart();
 		EncKrbPrivPart privatePart;
 		try {
-			byte[] decPrivPart = _cryptoService.decrypt(sessionKey, encReqPrivPart);
+            EncryptionEngine engine = getEncryptionEngine(sessionKey);
+
+			byte[] decPrivPart = engine.getDecryptedData(sessionKey, encReqPrivPart);
 
 			EncKrbPrivPartDecoder privDecoder = new EncKrbPrivPartDecoder();
 			privatePart = privDecoder.decode(decPrivPart);
@@ -110,7 +121,7 @@
 		KerberosKey newKey = new KerberosKey(clientPrincipal, password.toCharArray(), "DES");
 		
 		// store password in database
-		String principalName = _store.changePassword(clientPrincipal, newKey.getEncoded());
+		String principalName = store.changePassword(clientPrincipal, newKey.getEncoded());
 		System.out.println("Successfully modified principal named " + principalName);
 		
 		// begin building reply
@@ -129,7 +140,9 @@
 		
 		EncryptedData encPrivPart = null;
 		try {
-			encPrivPart = _cryptoService.getEncryptedData(sessionKey, encodedPrivPart);
+            EncryptionEngine engine = getEncryptionEngine(sessionKey);
+
+			encPrivPart = engine.getEncryptedData(sessionKey, encodedPrivPart);
 		} catch (KerberosException ke) {
 			ke.printStackTrace();
 		}
@@ -148,7 +161,9 @@
 		
 		EncryptedData encRepPart = null;
 		try {
-			encRepPart = _cryptoService.getEncryptedData(ticket.getSessionKey(), encodedRepPart);
+            EncryptionEngine engine = getEncryptionEngine(ticket.getSessionKey());
+
+			encRepPart = engine.getEncryptedData(ticket.getSessionKey(), encodedRepPart);
 		} catch (KerberosException ke) {
 			ke.printStackTrace();
 		}
@@ -176,19 +191,18 @@
 		if (authHeader.getTicket().getTicketVersionNumber() != 5)
 			throw KerberosException.KRB_AP_ERR_BADVERSION;
 		
-		// TODO - support multiple encryption types
 		EncryptionKey serverKey = null;
 		if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
 			serverKey = authHeader.getTicket().getSessionKey();
 		} else {
 			KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
-			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
+			PrincipalStoreEntry serverEntry = bootstrap.getEntry(serverPrincipal);
 			
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
 			}/*
 			 else {
-				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
+				serverKey = store.getEntry(serverPrincipal).getEncryptionKey();
 			}
 			*/
 		}
@@ -201,7 +215,9 @@
 		}
 		
 		try {
-			byte[] decTicketPart = _cryptoService.decrypt(serverKey, ticket.getEncPart());
+            EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+			byte[] decTicketPart = engine.getDecryptedData(serverKey, ticket.getEncPart());
 
 			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
 			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
@@ -213,7 +229,9 @@
 		Authenticator authenticator;
 		
 		try {
-			byte[] decAuthenticator = _cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
+            EncryptionEngine engine = getEncryptionEngine(ticket.getSessionKey());
+
+			byte[] decAuthenticator = engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
 			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
 			authenticator = authDecoder.decode(decAuthenticator);
 		} catch (KerberosException ke) {
@@ -242,10 +260,10 @@
 		_replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
 		*/
 		
-		if (!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
+		if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
 			throw KerberosException.KRB_AP_ERR_SKEW;
 		
-		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(_config.getClockSkew())
||
+		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(config.getClockSkew())
||
 				ticket.getFlag(TicketFlags.INVALID))
 				// it hasn't yet become valid
                 throw KerberosException.KRB_AP_ERR_TKT_NYV;
@@ -257,15 +275,6 @@
 		authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
 		
 		return authenticator;
-	}
-	
-	// TODO - this is a duplicate from the TGS service
-	private void verifyTicket(Ticket ticket, KerberosPrincipal serverPrincipal)
-			throws KerberosException {
-
-		if (!ticket.getRealm().equals(_config.getPrimaryRealm())
-				&& !ticket.getServerPrincipal().equals(serverPrincipal))
-			throw KerberosException.KRB_AP_ERR_NOT_US;
 	}
 }
 

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
Tue Nov  9 21:19:42 2004
@@ -16,67 +16,51 @@
  */
 package org.apache.kerberos.kdc;
 
-import org.apache.kerberos.crypto.*;
-import org.apache.kerberos.io.encoder.*;
-import org.apache.kerberos.kdc.store.*;
-import org.apache.kerberos.messages.*;
-import org.apache.kerberos.messages.components.*;
+import org.apache.kerberos.crypto.RandomKey;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.kdc.store.PrincipalStore;
+import org.apache.kerberos.messages.AuthenticationReply;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.components.EncTicketPartModifier;
+import org.apache.kerberos.messages.components.Ticket;
 import org.apache.kerberos.messages.value.*;
 
-import javax.security.auth.kerberos.*;
+import javax.security.auth.kerberos.KerberosPrincipal;
 
-public class AuthenticationService {
+public class AuthenticationService extends KerberosService {
 	
-	private PrincipalStore   _store;
-	private PrincipalStore   _bootstrap;
-	private CryptoService    _cryptoService;
-	private KdcConfiguration _config;
-	
-	public AuthenticationService(PrincipalStore store, PrincipalStore bootstrap,
-			CryptoService cryptoService, KdcConfiguration config) {
-		
-		_store         = store;
-		_bootstrap     = bootstrap;
-		_cryptoService = cryptoService;
-		_config        = config;
-	}
+	private KdcConfiguration config;
 	
+	public AuthenticationService(PrincipalStore store, PrincipalStore bootstrap, KdcConfiguration
config)
+    {
+        super(config, bootstrap, store);
+
+		this.config = config;
+	}
+
 	public AuthenticationReply getReplyFor(KdcRequest request) throws KerberosException {
 		
 		KerberosPrincipal clientPrincipal = request.getClientPrincipal();
 
-        System.out.println(clientPrincipal.getName());
+		EncryptionKey clientKey = getKeyForPrincipal(clientPrincipal);
+
+        if (clientKey == null)
+        {
+            throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
+        }
 
-		EncryptionKey clientKey;
-		try {
-			PrincipalStoreEntry clientEntry = _bootstrap.getEntry(clientPrincipal);
-			if (clientEntry != null) {
-				clientKey = clientEntry.getEncryptionKey();
-			} else {
-				clientKey = _store.getEntry(clientPrincipal).getEncryptionKey();
-			}
-		} catch (Exception e) {
-            e.printStackTrace();
-			throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
-		}
-		
 		KerberosPrincipal serverPrincipal = request.getServerPrincipal();
 
-        System.out.println(serverPrincipal.getName());
+        EncryptionKey serverKey = getKeyForPrincipal(serverPrincipal);
+
+        if (serverKey == null)
+        {
+            throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        }
 
-		EncryptionKey serverKey;
-		try {
-			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
-			if (serverEntry != null) {
-				serverKey = serverEntry.getEncryptionKey();
-			} else {
-				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
-			}
-		} catch (Exception e) {
-            e.printStackTrace();
-			throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
-		}
-		
 		verifyPreAuthentication(request, clientPrincipal);
 		
 		Ticket ticket = getNewTicket(request, serverKey);
@@ -100,7 +84,7 @@
 		
 		/*
 		if(pa_enc_timestamp present) then
-		        decrypt req.padata-value into decrypted_enc_timestamp
+		        getDecryptedData req.padata-value into decrypted_enc_timestamp
 		                using client.key;
 		                using auth_hdr.authenticator.subkey;
 		        if (decrypt_error()) then
@@ -149,7 +133,7 @@
 				request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
 			throw KerberosException.KDC_ERR_BADOPTION;
 		
-		newTicketBody.setSessionKey(_cryptoService.getNewSessionKey());
+		newTicketBody.setSessionKey(new RandomKey().getNewSessionKey());
 		newTicketBody.setClientPrincipal(request.getClientPrincipal());
 		newTicketBody.setTransitedEncoding(new TransitedEncoding());
 		
@@ -158,7 +142,7 @@
 	
 		if (request.getKdcOptions().get(KdcOptions.POSTDATED)) {
 			// TODO - possibly allow req.from range
-			if (!_config.isPostdateAllowed())
+			if (!config.isPostdateAllowed())
 				throw KerberosException.KDC_ERR_POLICY;
 			newTicketBody.setFlag(TicketFlags.INVALID);
 			newTicketBody.setStartTime(request.getFrom());
@@ -175,7 +159,7 @@
 	                      new_tkt.starttime+server.max_life,
 	                      new_tkt.starttime+max_life_for_realm);
 	*/
-	long endTime = Math.min(now.getTime() + _config.getMaximumTicketLifetime(), till);
+	long endTime = Math.min(now.getTime() + config.getMaximumTicketLifetime(), till);
 	KerberosTime kerberosEndTime = new KerberosTime(endTime);
 	newTicketBody.setEndTime(kerberosEndTime);
 
@@ -205,7 +189,7 @@
 		if (request.getKdcOptions().get(KdcOptions.RENEWABLE)) {
 			newTicketBody.setFlag(TicketFlags.RENEWABLE);
 			long renewTill = Math.min(request.getFrom().getTime()
-					+ _config.getMaximumRenewableLifetime(), tempRtime);
+					+ config.getMaximumRenewableLifetime(), tempRtime);
 			newTicketBody.setRenewTill(new KerberosTime(renewTill));
 		}
 
@@ -223,14 +207,15 @@
 		return newTicket;
 	}
 	
-	// TODO - support multiple encryption types
 	private EncryptedData encryptTicketPart(EncTicketPart ticketPart, EncryptionKey serverKey)
{
 		EncTicketPartEncoder encoder = new EncTicketPartEncoder();
 		EncryptedData encryptedTicketPart = null;
 		try {
 			byte[] plainText = encoder.encode(ticketPart);
-			
-			encryptedTicketPart = _cryptoService.getEncryptedData(serverKey, plainText);
+
+            EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+			encryptedTicketPart = engine.getEncryptedData(serverKey, plainText);
 			
 		} catch (Exception e) {
 			e.printStackTrace();
@@ -238,13 +223,14 @@
 		return encryptedTicketPart;
 	}
 	
-	// TODO - support multiple encryption types
 	private void encryptReplyPart(AuthenticationReply reply, EncryptionKey clientKey) {
 		EncAsRepPartEncoder encoder = new EncAsRepPartEncoder();
 		try {
 			byte[] plainText = encoder.encode(reply);
-			
-			EncryptedData cipherText = _cryptoService.getEncryptedData(clientKey, plainText);
+
+            EncryptionEngine engine = getEncryptionEngine(clientKey);
+
+			EncryptedData cipherText = engine.getEncryptedData(clientKey, plainText);
 
 			reply.setEncPart(cipherText);
 			

Added: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
==============================================================================
--- (empty file)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
Tue Nov  9 21:19:42 2004
@@ -0,0 +1,108 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc;
+
+import org.apache.kerberos.crypto.checksum.*;
+import org.apache.kerberos.crypto.encryption.DesCbcMd5Encryption;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.kdc.store.PrincipalStore;
+import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+import java.util.HashMap;
+import java.util.Map;
+
+public class KerberosService
+{
+    private KdcConfiguration config;
+    private PrincipalStore   bootstrap;
+    private PrincipalStore   store;
+
+    private Map checksumEngines = new HashMap();
+
+    public KerberosService(KdcConfiguration config, PrincipalStore bootstrap, PrincipalStore
store)
+    {
+        this.config    = config;
+        this.bootstrap = bootstrap;
+        this.store     = store;
+
+        checksumEngines.put(ChecksumType.CRC32,   new Crc32Checksum());
+        checksumEngines.put(ChecksumType.RSA_MD4, new RsaMd4Checksum());
+        checksumEngines.put(ChecksumType.RSA_MD5, new RsaMd5Checksum());
+        checksumEngines.put(ChecksumType.SHA1,    new Sha1Checksum());
+    }
+
+    public EncryptionKey getKeyForPrincipal(KerberosPrincipal principal)
+    {
+        System.out.println(principal.getName());
+
+		EncryptionKey key = null;
+
+		try {
+			PrincipalStoreEntry entry = bootstrap.getEntry(principal);
+			if (entry != null) {
+				key = entry.getEncryptionKey();
+			} else {
+				key = store.getEntry(principal).getEncryptionKey();
+			}
+		} catch (Exception e) {
+            e.printStackTrace();
+		}
+
+        return key;
+    }
+
+    public EncryptionEngine getEncryptionEngine(EncryptionKey key)
+            throws KerberosException
+    {
+        int type = key.getKeyType().getOrdinal();
+
+        switch (type)
+        {
+            case 3:
+                return new DesCbcMd5Encryption();
+        }
+
+        throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
+    }
+
+    protected EncryptionType getBestEncryptionType(EncryptionType[] requestedTypes)
+			throws KerberosException
+    {
+		EncryptionType[] encryptionTypes = config.getEncryptionTypes();
+
+		for (int i = 0; i < requestedTypes.length; i++) {
+			for (int j = 0; j < encryptionTypes.length; j++) {
+				if (requestedTypes[i] == encryptionTypes[j])
+					return encryptionTypes[j];
+			}
+		}
+		throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
+	}
+
+    protected void verifyTicket(Ticket ticket, KerberosPrincipal serverPrincipal)
+			throws KerberosException {
+
+		if (!ticket.getRealm().equals(config.getPrimaryRealm())
+				&& !ticket.getServerPrincipal().equals(serverPrincipal))
+			throw KerberosException.KRB_AP_ERR_NOT_US;
+	}
+}
+

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Tue Nov  9 21:19:42 2004
@@ -16,9 +16,10 @@
  */
 package org.apache.kerberos.kdc;
 
-import org.apache.kerberos.crypto.CryptoService;
+import org.apache.kerberos.crypto.RandomKey;
 import org.apache.kerberos.crypto.checksum.ChecksumEngine;
-import org.apache.kerberos.crypto.checksum.ChecksumType;
+import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
 import org.apache.kerberos.crypto.encryption.EncryptionType;
 import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
 import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
@@ -29,7 +30,6 @@
 import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
 import org.apache.kerberos.kdc.replay.ReplayCache;
 import org.apache.kerberos.kdc.store.PrincipalStore;
-import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
 import org.apache.kerberos.messages.ApplicationRequest;
 import org.apache.kerberos.messages.KdcRequest;
 import org.apache.kerberos.messages.MessageType;
@@ -49,22 +49,18 @@
 /**
  * RFC 1510 A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
  */
-public class TicketGrantingService {
-	
-	private PrincipalStore   _store;
-	private PrincipalStore   _bootstrap;
-	private CryptoService    _cryptoService;
-	private KdcConfiguration _config;
-	private ReplayCache      _replayCache;
+public class TicketGrantingService extends KerberosService {
 	
+	private KdcConfiguration config;
+	private ReplayCache      replayCache;
+
 	public TicketGrantingService(PrincipalStore store, PrincipalStore bootstrap,
-			CryptoService cryptoService, KdcConfiguration config, ReplayCache replay) {
-		
-		_store         = store;
-		_bootstrap     = bootstrap;
-		_cryptoService = cryptoService;
-		_config        = config;
-		_replayCache   = replay;
+			KdcConfiguration config, ReplayCache replay)
+    {
+        super(config, bootstrap, store);
+
+		this.config    = config;
+		replayCache    = replay;
 	}
 	
 	public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
{
@@ -79,7 +75,7 @@
 		
 		verifyBodyChecksum(authenticator.getChecksum(), request);
 		
-		EncryptionKey sessionKey = _cryptoService.getNewSessionKey();
+		EncryptionKey sessionKey = new RandomKey().getNewSessionKey();
 		
 		EncryptionType eType = getBestEncryptionType(request.getEType());
 		
@@ -119,21 +115,22 @@
 			throw KerberosException.KRB_AP_ERR_MSG_TYPE;
 		if (authHeader.getTicket().getTicketVersionNumber() != 5)
 			throw KerberosException.KRB_AP_ERR_BADVERSION;
-		
-		// TODO - support multiple encryption types
+
+        KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
+
 		EncryptionKey serverKey = null;
-		if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
+
+		if (authHeader.getOption(ApOptions.USE_SESSION_KEY))
+        {
 			serverKey = authHeader.getTicket().getSessionKey();
-		} else {
-			KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
-			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
-			if (serverEntry != null) {
-				serverKey = serverEntry.getEncryptionKey();
-			} else {
-				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
-			}
 		}
-		if (serverKey == null) {
+        else
+        {
+			serverKey = getKeyForPrincipal(serverPrincipal);
+		}
+
+		if (serverKey == null)
+        {
 			// TODO - check server key version number, skvno; requires store
 			if (false)
 				throw KerberosException.KRB_AP_ERR_BADKEYVER;
@@ -142,7 +139,9 @@
 		}
 		
 		try {
-			byte[] decTicketPart = _cryptoService.decrypt(serverKey, ticket.getEncPart());
+            EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+			byte[] decTicketPart = engine.getDecryptedData(serverKey, ticket.getEncPart());
 
 			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
 			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
@@ -154,7 +153,9 @@
 		Authenticator authenticator;
 		
 		try {
-			byte[] decAuthenticator = _cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
+            EncryptionEngine engine = getEncryptionEngine(ticket.getSessionKey());
+
+			byte[] decAuthenticator = engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
 			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
 			authenticator = authDecoder.decode(decAuthenticator);
 		} catch (KerberosException ke) {
@@ -175,16 +176,16 @@
             //    error_out(KRB_AP_ERR_BADADDR);
         }
 		
-		if(_replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientPrincipal()))
{
+		if(replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientPrincipal()))
{
 			throw KerberosException.KRB_AP_ERR_REPEAT;
 		}
         
-		_replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
+		replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
 		
-		if (!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
+		if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
 			throw KerberosException.KRB_AP_ERR_SKEW;
 		
-		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(_config.getClockSkew())
||
+		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(config.getClockSkew())
||
 				ticket.getFlag(TicketFlags.INVALID))
 				// it hasn't yet become valid
                 throw KerberosException.KRB_AP_ERR_TKT_NYV;
@@ -198,14 +199,6 @@
 		return authenticator;
 	}
 	
-	private void verifyTicket( Ticket ticket, KerberosPrincipal serverPrincipal )
-			throws KerberosException
-    {
-		if (!ticket.getRealm().equals(_config.getPrimaryRealm()) &&
-				!ticket.getServerPrincipal().equals(serverPrincipal))
-			throw KerberosException.KRB_AP_ERR_NOT_US;
-	}
-	
 	// TODO - configurable checksum
 	private void verifyBodyChecksum(Checksum authChecksum, KdcRequest request)
 			throws KerberosException {
@@ -233,7 +226,7 @@
 			ioe.printStackTrace();
 		}
 		
-		ChecksumEngine digester = CryptoService.getInstance(ChecksumType.RSA_MD5);
+		ChecksumEngine digester = new RsaMd5Checksum();
 		Checksum newChecksum = new Checksum(digester.checksumType(), digester.calculateChecksum(bytes));
 		
 		boolean equal = newChecksum.equals(authChecksum);
@@ -242,33 +235,16 @@
 			throw KerberosException.KRB_AP_ERR_MODIFIED;
 	}
 
-    private EncryptionType getBestEncryptionType(EncryptionType[] requestedTypes)
-			throws KerberosException {
-
-		EncryptionType[] encryptionTypes = _config.getEncryptionTypes();
-
-		for (int i = 0; i < requestedTypes.length; i++) {
-			for (int j = 0; j < encryptionTypes.length; j++) {
-				if (requestedTypes[i] == encryptionTypes[j])
-					return encryptionTypes[j];
-			}
-		}
-		throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
-	}
-
 	private EncryptionKey getServerKey(KerberosPrincipal serverPrincipal) throws KerberosException
{
 		
 		EncryptionKey serverKey = null;
 		// TODO - allow lookup with realm
-		try {
-			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
-			if (serverEntry != null) {
-				serverKey = serverEntry.getEncryptionKey();
-			} else {
-				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
-			}
-			
-		} catch (Exception e) {
+		try
+        {
+			serverKey = getKeyForPrincipal(serverPrincipal);
+		}
+        catch (Exception e)
+        {
 			/*
 			if (!server) then
 			        if (is_foreign_tgt_name(server)) then
@@ -363,7 +339,7 @@
 			newTicketBody.setFlag(TicketFlags.POSTDATED);
 			newTicketBody.setFlag(TicketFlags.INVALID);
 			
-			if (!_config.isPostdateAllowed())
+			if (!config.isPostdateAllowed())
 				throw KerberosException.KDC_ERR_POLICY;
 			
 			newTicketBody.setStartTime(request.getFrom());
@@ -437,7 +413,7 @@
             */
 			List minimizer = new ArrayList();
 			minimizer.add(till);
-			minimizer.add(new KerberosTime(now.getTime() + _config.getMaximumTicketLifetime()));
+			minimizer.add(new KerberosTime(now.getTime() + config.getMaximumTicketLifetime()));
 			minimizer.add(tgt.getEndTime());
 			KerberosTime minTime = (KerberosTime)Collections.min(minimizer);
 			newTicketBody.setEndTime(minTime);
@@ -473,7 +449,7 @@
 			// TODO - client and server configurable; requires store 
 			List minimizer = new ArrayList();
 			minimizer.add(rtime);
-			minimizer.add(new KerberosTime(now.getTime() + _config.getMaximumRenewableLifetime()));
+			minimizer.add(new KerberosTime(now.getTime() + config.getMaximumRenewableLifetime()));
 			minimizer.add(tgt.getRenewTill());
 			newTicketBody.setRenewTill((KerberosTime)Collections.min(minimizer));
 		}
@@ -486,7 +462,9 @@
 
 		if (request.getEncAuthorizationData() != null) {
 			try {
-				byte[] decryptedAuthData = _cryptoService.decrypt(authHeader.getSubSessionKey(),
+                EncryptionEngine engine = getEncryptionEngine(authHeader.getSubSessionKey());
+
+				byte[] decryptedAuthData = engine.getDecryptedData(authHeader.getSubSessionKey(),
 						request.getEncAuthorizationData());
 				AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
 				authData = decoder.decode(decryptedAuthData);
@@ -548,16 +526,18 @@
 		} else {
 			// encrypt with serverKey
 		}
-		return _cryptoService.getEncryptedData(serverKey, encodedTicket);
+        EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+		return engine.getEncryptedData(serverKey, encodedTicket);
 	}
 	
-	// TODO - support multiple encryption types, this is hardwired for DES_CBC_MD5
 	private void encryptReplyPart(TicketGrantReply reply, EncryptionKey key) {
 		EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
 		try {
 			byte[] plainText = encoder.encode(reply);
-			
-			EncryptedData cipherText = _cryptoService.getEncryptedData(key, plainText);
+            EncryptionEngine engine = getEncryptionEngine(key);
+
+			EncryptedData cipherText = engine.getEncryptedData(key, plainText);
 
 			reply.setEncPart(cipherText);
 			

Mime
View raw message