directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r149531 - in incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam: KeyIntegrityChecker.java SamSubsystem.java SamVerifier.java
Date Wed, 02 Feb 2005 16:49:12 GMT
Author: akarasulu
Date: Wed Feb  2 08:49:08 2005
New Revision: 149531

URL: http://svn.apache.org/viewcvs?view=rev&rev=149531
Log:
changes ...

 o to make sam work we have to generate and test sad data to decrypt timestamps
   o we changed verifier which now has new veryify signature and is initialized
     with a KeyIntegrityChecker
   o we require the SamSubsystem to be setup with KeyIntegrityChecker to 
     function
 o added new KeyIntegrityChecker interface to be used by SamVerifiers to 
   generate the KerberosKey to use for payload encryption.


Added:
    incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java
Modified:
    incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java
    incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java

Added: incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java
URL: http://svn.apache.org/viewcvs/incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java?view=auto&rev=149531
==============================================================================
--- incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java
(added)
+++ incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java
Wed Feb  2 08:49:08 2005
@@ -0,0 +1,43 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.sam;
+
+
+import javax.security.auth.kerberos.KerberosKey;
+
+
+/**
+ * Checks the integrity of a kerberos key to decode-decrypt an encrypted
+ * generalized timestamp representing the pre-auth data.
+ *
+ * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public interface KeyIntegrityChecker
+{
+    /**
+     * Checks the integrity of a KerberosKey to decrypt-decode and compare an
+     * encrypted encoded generalized timestamp representing the preauth data.
+     *
+     * @param preauthData the generalized timestamp encrypted with client hotp
+     * generated KerberosKey
+     * @param key the KerberosKey generated from server side hotp value
+     * @return true if the key can decrypt-decode and make sense out of the
+     * timestamp verifying that it is in skew, false otherwise
+     */
+    boolean checkKeyIntegrity( byte[] preauthData, KerberosKey key );
+}

Modified: incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java
URL: http://svn.apache.org/viewcvs/incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java?view=diff&r1=149530&r2=149531
==============================================================================
--- incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java
(original)
+++ incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java
Wed Feb  2 08:49:08 2005
@@ -19,6 +19,8 @@
 
 import java.util.HashMap;
 
+import javax.security.auth.kerberos.KerberosKey;
+
 import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
 
 
@@ -37,21 +39,40 @@
     /** a map of verifiers so we do not need to create a new one every time */
     private static final HashMap verifiers = new HashMap();
 
+    /** the key integrity checker used by the subsystem for all sam types */
+    private static KeyIntegrityChecker keyChecker;
+
+
+    /**
+     * Sets the KeyIntegrityChecker used by the entire SamSubsystem.
+     *
+     * @param keyChecker the KeyIntegrityChecker used by the entire SamSubsystem
+     */
+    public static void setIntegrityChecker( KeyIntegrityChecker keyChecker )
+    {
+        SamSubsystem.keyChecker = keyChecker;
+    }
+
 
     /**
      * Uses the principal entry information to load the approapriate SamVerifier
      * and verify the Single-use password.
      *
      * @param entry the store entry for the Kerberos principal
-     * @param sup the single use password value
+     * @param sad the single-use authentication data encrypted timestamp payload
      * @return true if verification passed, false otherwise
      * @throws SamException thrown when there is a failure within the verifier
      * or a verifier cannot be found.
      */
-    public static boolean verify( PrincipalStoreEntry entry, String sup ) throws SamException
+    public static KerberosKey verify( PrincipalStoreEntry entry, byte[] sad ) throws SamException
     {
         SamVerifier verifier = null;
 
+        if ( keyChecker == null )
+        {
+            throw new IllegalStateException( "SamSubsystem not enabled with key integrity
checker" );
+        }
+
         if ( entry.getSamType() == null )
         {
             throw new SamException( entry.getSamType(), "Entry has null SAM type" );
@@ -63,7 +84,7 @@
 
             String user = entry.getPrincipal().getName();
 
-            return verifier.verify( user, entry.getRealmName(), sup );
+            return verifier.verify( user, entry.getRealmName(), sad );
         }
 
         String key = PROPKEY_BASE + entry.getSamType().getOrdinal();
@@ -83,6 +104,8 @@
 
             verifier = ( SamVerifier ) c.newInstance();
 
+            verifier.setIntegrityChecker( keyChecker );
+
             if ( ! verifier.getSamType().equals( entry.getSamType() ) )
             {
                 String msg = "Expecting entries with SAM type of " + verifier.getSamType();
@@ -96,7 +119,7 @@
 
             verifiers.put( verifier.getSamType(), verifier );
 
-            return verifier.verify( user, entry.getRealmName(), sup );
+            return verifier.verify( user, entry.getRealmName(), sad );
         }
         catch ( ClassNotFoundException e )
         {

Modified: incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java?view=diff&r1=149530&r2=149531
==============================================================================
--- incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java
(original)
+++ incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java
Wed Feb  2 08:49:08 2005
@@ -17,6 +17,9 @@
 package org.apache.kerberos.sam;
 
 
+import javax.security.auth.kerberos.KerberosKey;
+
+
 /**
  * Single-use Authentication Mechanism verifier (subsystem) interface.
  *
@@ -26,14 +29,25 @@
 public interface SamVerifier
 {
     /**
+     * SamVerifiers require a KeyIntegrityChecker to calculate the integrity of
+     * a HOTP generated KerberosKey.  The Kerberos service exposes this interface
+     * and supplies it to the verifier to check generated keys to conduct the
+     * verification workflow.
+     *
+     * @param keyChecker the integrity checker that validates whether or not a
+     * key can decrypt-decode preauth data (an encryped-encoded generalized
+     * timestamp)
+     */
+    void setIntegrityChecker( KeyIntegrityChecker keyChecker );
+
+    /**
      * Verifies the single use password supplied.
      *
      * @param uid the unique id of the user within an authentication domain
      * @param domain the authentication domain of the user
-     * @param sup the value of the single use password
-     * @return true if the single-use password is verified a correct, false otherwise
+     * @param sad single-use authentication data (encrypted generalized timestamp)
      */
-    boolean verify( String uid, String domain, String sup ) throws SamException;
+    KerberosKey verify( String uid, String domain, byte[] sad ) throws SamException;
 
     /**
      * Gets the registered SAM algorithm type implemented by this SamVerifier.



Mime
View raw message