From commits-return-5374-apmail-directory-commits-archive=directory.apache.org@directory.apache.org Fri Jul 22 19:05:19 2005 Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 62613 invoked from network); 22 Jul 2005 19:05:19 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 22 Jul 2005 19:05:19 -0000 Received: (qmail 16030 invoked by uid 500); 22 Jul 2005 19:05:19 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 15990 invoked by uid 500); 22 Jul 2005 19:05:18 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 15976 invoked by uid 99); 22 Jul 2005 19:05:18 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 22 Jul 2005 12:05:18 -0700 X-ASF-Spam-Status: No, hits=-9.8 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.29) with SMTP; Fri, 22 Jul 2005 12:05:12 -0700 Received: (qmail 62565 invoked by uid 65534); 22 Jul 2005 19:05:16 -0000 Message-ID: <20050722190516.62564.qmail@minotaur.apache.org> Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r224383 - /directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java Date: Fri, 22 Jul 2005 19:05:16 -0000 To: commits@directory.apache.org From: akarasulu@apache.org X-Mailer: svnmailer-1.0.2 X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Author: akarasulu Date: Fri Jul 22 12:05:12 2005 New Revision: 224383 URL: http://svn.apache.org/viewcvs?rev=224383&view=rev Log: adding more log statements for debugging Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java?rev=224383&r1=224382&r2=224383&view=diff ============================================================================== --- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java (original) +++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java Fri Jul 22 12:05:12 2005 @@ -25,18 +25,14 @@ import javax.security.auth.kerberos.KerberosPrincipal; import org.apache.kerberos.crypto.RandomKey; -import org.apache.kerberos.crypto.checksum.ChecksumEngine; -import org.apache.kerberos.crypto.checksum.RsaMd5Checksum; import org.apache.kerberos.crypto.encryption.EncryptionEngine; import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory; -import org.apache.kerberos.crypto.encryption.EncryptionType; import org.apache.kerberos.exceptions.ErrorType; import org.apache.kerberos.exceptions.KerberosException; import org.apache.kerberos.io.decoder.ApplicationRequestDecoder; import org.apache.kerberos.io.decoder.AuthorizationDataDecoder; import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder; import org.apache.kerberos.io.encoder.EncTicketPartEncoder; -import org.apache.kerberos.io.encoder.KdcReqBodyEncoder; import org.apache.kerberos.messages.ApplicationRequest; import org.apache.kerberos.messages.KdcRequest; import org.apache.kerberos.messages.TicketGrantReply; @@ -45,7 +41,6 @@ import org.apache.kerberos.messages.components.EncTicketPartModifier; import org.apache.kerberos.messages.components.Ticket; import org.apache.kerberos.messages.value.AuthorizationData; -import org.apache.kerberos.messages.value.Checksum; import org.apache.kerberos.messages.value.EncryptedData; import org.apache.kerberos.messages.value.EncryptionKey; import org.apache.kerberos.messages.value.KdcOptions; @@ -56,486 +51,506 @@ import org.apache.kerberos.service.KdcConfiguration; import org.apache.kerberos.service.KerberosService; import org.apache.kerberos.store.PrincipalStore; +import org.apache.commons.logging.LogFactory; +import org.apache.commons.logging.Log; /** * RFC 1510 A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation */ public class TicketGrantingService extends KerberosService { - public TicketGrantingService( KdcConfiguration config, PrincipalStore store ) + private static final Log log = LogFactory.getLog( TicketGrantingService.class ); + + public TicketGrantingService( KdcConfiguration config, PrincipalStore store ) { super( config, store ); - } - - public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException - { - ApplicationRequest authHeader = getAuthHeader( request ); - - Ticket tgt = authHeader.getTicket(); - - Authenticator authenticator = verifyAuthHeader( authHeader, tgt ); - - verifyTicket( tgt, request.getServerPrincipal() ); - - /* - verifyBodyChecksum( authenticator.getChecksum(), request ); - */ - - EncryptionKey sessionKey = new RandomKey().getNewSessionKey(); - - EncryptionType eType = getBestEncryptionType( request.getEType() ); - - Ticket newTicket = getNewTicket( request, tgt, sessionKey, authenticator ); - - TicketGrantReply reply = getReply( tgt, newTicket, sessionKey, request ); - - if ( authenticator.getSubSessionKey() != null ) - { - EncryptionKey subKey = authenticator.getSubSessionKey(); - encryptReplyPart( reply, subKey ); - } - else - { - encryptReplyPart( reply, tgt.getSessionKey() ); - } - - return reply; - } - - private ApplicationRequest getAuthHeader( KdcRequest request ) - throws KerberosException, IOException - { - if ( request.getPreAuthData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ ) - { - throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP ); - } - - byte[] undecodedAuthHeader = request.getPreAuthData()[0].getDataValue(); - ApplicationRequestDecoder decoder = new ApplicationRequestDecoder(); - ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader ); - - return authHeader; - } - - // TODO - configurable checksum - private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request ) - throws KerberosException - { - if ( authChecksum == null ) - { - throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM ); - } - - /* - if (auth_hdr.authenticator.cksum type is not supported) then - error_out(KDC_ERR_SUMTYPE_NOSUPP); - endif - */ - - /* - if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then - error_out(KRB_AP_ERR_INAPP_CKSUM); - endif - */ - - KdcReqBodyEncoder encoder = new KdcReqBodyEncoder(); - byte[] bytes = null; - try - { - bytes = encoder.encode( request ); - } - catch (IOException ioe) - { - ioe.printStackTrace(); - } - - ChecksumEngine digester = new RsaMd5Checksum(); - Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum( bytes ) ); - - boolean equal = newChecksum.equals( authChecksum ); - - if ( !equal ) - { - throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED ); - } - } - - private Ticket getNewTicket( KdcRequest request, Ticket tgt, EncryptionKey sessionKey, - Authenticator authenticator ) throws KerberosException - { - KerberosPrincipal ticketPrincipal = request.getServerPrincipal(); - - EncTicketPartModifier newTicketBody = new EncTicketPartModifier(); - - newTicketBody.setClientAddresses( tgt.getClientAddresses() ); - - processFlags( request, tgt, newTicketBody ); - - newTicketBody.setSessionKey( sessionKey ); - newTicketBody.setClientPrincipal( tgt.getClientPrincipal() ); - - AuthorizationData authData = processAuthorizationData( request, authenticator, tgt ); - newTicketBody.setAuthorizationData( authData ); - - processTransited( newTicketBody, tgt ); - - processTimes( request, newTicketBody, tgt ); - - EncryptionKey serverKey = getServerKey( request.getServerPrincipal() ); - - EncTicketPart ticketPart = newTicketBody.getEncTicketPart(); - - EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request ); - - Ticket newTicket = new Ticket( ticketPrincipal, encryptedData ); - newTicket.setEncTicketPart( ticketPart ); - - return newTicket; - } - - private void processFlags( KdcRequest request, Ticket tgt, EncTicketPartModifier newTicketBody ) - throws KerberosException - { - if ( request.getOption( KdcOptions.FORWARDABLE ) ) - { - if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - - newTicketBody.setFlag( TicketFlags.FORWARDABLE ); - } - - if ( request.getOption( KdcOptions.FORWARDED ) ) - { - if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - newTicketBody.setFlag( TicketFlags.FORWARDED ); - newTicketBody.setClientAddresses( request.getAddresses() ); - // reply.setClientAddresses(request.getClientAddresses()); moved to getReply - } - - if ( tgt.getFlag( TicketFlags.FORWARDED ) ) - { - newTicketBody.setFlag(TicketFlags.FORWARDED); - } - - if ( request.getOption( KdcOptions.PROXIABLE ) ) - { - if ( !tgt.getFlag( TicketFlags.PROXIABLE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - - newTicketBody.setFlag( TicketFlags.PROXIABLE ); - } - - if ( request.getOption( KdcOptions.PROXY ) ) - { - if ( !tgt.getFlag( TicketFlags.PROXIABLE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - - newTicketBody.setFlag( TicketFlags.PROXY ); - newTicketBody.setClientAddresses( request.getAddresses() ); - // reply.setClientAddresses(request.getClientAddresses()); moved to getReply - } - - if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) ) - { - if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - - newTicketBody.setFlag( TicketFlags.MAY_POSTDATE ); - } - - if ( request.getOption( KdcOptions.POSTDATED ) ) - { - if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - - newTicketBody.setFlag( TicketFlags.POSTDATED ); - newTicketBody.setFlag( TicketFlags.INVALID ); - - if ( !config.isPostdateAllowed() ) - { - throw new KerberosException( ErrorType.KDC_ERR_POLICY ); - } - - newTicketBody.setStartTime( request.getFrom() ); - } - - if ( request.getOption( KdcOptions.VALIDATE ) ) - { - if ( !tgt.getFlag( TicketFlags.INVALID ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_POLICY ); - } - - if ( tgt.getStartTime().greaterThan( new KerberosTime() ) ) - { - throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV ); - } - - /* - if (check_hot_list(tgt)) then - error_out(KRB_AP_ERR_REPEAT); - endif - */ - - echoTicket( newTicketBody, tgt ); - newTicketBody.clearFlag( TicketFlags.INVALID ); - } - - if ( request.getOption( KdcOptions.RESERVED ) || - request.getOption( KdcOptions.RENEWABLE_OK ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - } - - private void processTimes( KdcRequest request, EncTicketPartModifier newTicketBody, Ticket tgt ) - throws KerberosException - { - KerberosTime now = new KerberosTime(); - - newTicketBody.setAuthTime( tgt.getAuthTime() ); - - KerberosTime renewalTime = null; - - if ( request.getOption( KdcOptions.RENEW ) ) - { - if ( !tgt.getFlag( TicketFlags.RENEWABLE ) ) - { - throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); - } - - if ( tgt.getRenewTill().greaterThan( now ) ) - { - throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED ); - } + } + + public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException + { + if ( log.isDebugEnabled() ) + { + log.debug( "Responding to authentication request:" + + "\n\trealm: " + request.getRealm() + + "\n\tserverPrincipal: " + request.getServerPrincipal() + + "\n\tclientPrincipal: " + request.getClientPrincipal() + + "\n\thostAddresses: " + request.getAddresses() + + "\n\tencryptionType: " + request.getEType() + + "\n\tfrom krb time: " + request.getFrom() + + "\n\trealm krb time: " + request.getRtime() + + "\n\tkdcOptions: " + request.getKdcOptions() + + "\n\tmessageType: " + request.getMessageType() + + "\n\tnonce: " + request.getNonce() + + "\n\tprotocolVersionNumber: " + request.getProtocolVersionNumber() + + "\n\ttill: " + request.getTill() + ); + } + + ApplicationRequest authHeader = getAuthHeader( request ); + + Ticket tgt = authHeader.getTicket(); + + Authenticator authenticator = verifyAuthHeader( authHeader, tgt ); + + verifyTicket( tgt, request.getServerPrincipal() ); + + /* + verifyBodyChecksum( authenticator.getChecksum(), request ); + */ + + EncryptionKey sessionKey = new RandomKey().getNewSessionKey(); + + Ticket newTicket = getNewTicket( request, tgt, sessionKey, authenticator ); + + TicketGrantReply reply = getReply( tgt, newTicket, sessionKey, request ); + + if ( authenticator.getSubSessionKey() != null ) + { + EncryptionKey subKey = authenticator.getSubSessionKey(); + encryptReplyPart( reply, subKey ); + } + else + { + encryptReplyPart( reply, tgt.getSessionKey() ); + } + + return reply; + } + + private ApplicationRequest getAuthHeader( KdcRequest request ) + throws KerberosException, IOException + { + if ( request.getPreAuthData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ ) + { + throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP ); + } + + byte[] undecodedAuthHeader = request.getPreAuthData()[0].getDataValue(); + ApplicationRequestDecoder decoder = new ApplicationRequestDecoder(); + ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader ); + + return authHeader; + } + + // TODO - configurable checksum +// private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request ) +// throws KerberosException +// { +// if ( authChecksum == null ) +// { +// throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM ); +// } +// +// /* +// if (auth_hdr.authenticator.cksum type is not supported) then +// error_out(KDC_ERR_SUMTYPE_NOSUPP); +// endif +// */ +// +// /* +// if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then +// error_out(KRB_AP_ERR_INAPP_CKSUM); +// endif +// */ +// +// KdcReqBodyEncoder encoder = new KdcReqBodyEncoder(); +// byte[] bytes = null; +// try +// { +// bytes = encoder.encode( request ); +// } +// catch (IOException ioe) +// { +// ioe.printStackTrace(); +// } +// +// ChecksumEngine digester = new RsaMd5Checksum(); +// Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum( bytes ) ); +// +// boolean equal = newChecksum.equals( authChecksum ); +// +// if ( !equal ) +// { +// throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED ); +// } +// } + + private Ticket getNewTicket( KdcRequest request, Ticket tgt, EncryptionKey sessionKey, + Authenticator authenticator ) throws KerberosException + { + KerberosPrincipal ticketPrincipal = request.getServerPrincipal(); + + EncTicketPartModifier newTicketBody = new EncTicketPartModifier(); + + newTicketBody.setClientAddresses( tgt.getClientAddresses() ); + + processFlags( request, tgt, newTicketBody ); + + newTicketBody.setSessionKey( sessionKey ); + newTicketBody.setClientPrincipal( tgt.getClientPrincipal() ); + + AuthorizationData authData = processAuthorizationData( request, authenticator, tgt ); + newTicketBody.setAuthorizationData( authData ); + + processTransited( newTicketBody, tgt ); + + processTimes( request, newTicketBody, tgt ); + + EncryptionKey serverKey = getServerKey( request.getServerPrincipal() ); + + EncTicketPart ticketPart = newTicketBody.getEncTicketPart(); + + EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request ); + + Ticket newTicket = new Ticket( ticketPrincipal, encryptedData ); + newTicket.setEncTicketPart( ticketPart ); + + return newTicket; + } + + private void processFlags( KdcRequest request, Ticket tgt, EncTicketPartModifier newTicketBody ) + throws KerberosException + { + if ( request.getOption( KdcOptions.FORWARDABLE ) ) + { + if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + + newTicketBody.setFlag( TicketFlags.FORWARDABLE ); + } + + if ( request.getOption( KdcOptions.FORWARDED ) ) + { + if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + newTicketBody.setFlag( TicketFlags.FORWARDED ); + newTicketBody.setClientAddresses( request.getAddresses() ); + // reply.setClientAddresses(request.getClientAddresses()); moved to getReply + } + + if ( tgt.getFlag( TicketFlags.FORWARDED ) ) + { + newTicketBody.setFlag(TicketFlags.FORWARDED); + } + + if ( request.getOption( KdcOptions.PROXIABLE ) ) + { + if ( !tgt.getFlag( TicketFlags.PROXIABLE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + + newTicketBody.setFlag( TicketFlags.PROXIABLE ); + } + + if ( request.getOption( KdcOptions.PROXY ) ) + { + if ( !tgt.getFlag( TicketFlags.PROXIABLE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + + newTicketBody.setFlag( TicketFlags.PROXY ); + newTicketBody.setClientAddresses( request.getAddresses() ); + // reply.setClientAddresses(request.getClientAddresses()); moved to getReply + } + + if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) ) + { + if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + + newTicketBody.setFlag( TicketFlags.MAY_POSTDATE ); + } + + if ( request.getOption( KdcOptions.POSTDATED ) ) + { + if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + + newTicketBody.setFlag( TicketFlags.POSTDATED ); + newTicketBody.setFlag( TicketFlags.INVALID ); + + if ( !config.isPostdateAllowed() ) + { + throw new KerberosException( ErrorType.KDC_ERR_POLICY ); + } + + newTicketBody.setStartTime( request.getFrom() ); + } + + if ( request.getOption( KdcOptions.VALIDATE ) ) + { + if ( !tgt.getFlag( TicketFlags.INVALID ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_POLICY ); + } + + if ( tgt.getStartTime().greaterThan( new KerberosTime() ) ) + { + throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV ); + } + + /* + if (check_hot_list(tgt)) then + error_out(KRB_AP_ERR_REPEAT); + endif + */ echoTicket( newTicketBody, tgt ); + newTicketBody.clearFlag( TicketFlags.INVALID ); + } + + if ( request.getOption( KdcOptions.RESERVED ) || + request.getOption( KdcOptions.RENEWABLE_OK ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + } + + private void processTimes( KdcRequest request, EncTicketPartModifier newTicketBody, Ticket tgt ) + throws KerberosException + { + KerberosTime now = new KerberosTime(); + + newTicketBody.setAuthTime( tgt.getAuthTime() ); + + KerberosTime renewalTime = null; + + if ( request.getOption( KdcOptions.RENEW ) ) + { + if ( !tgt.getFlag( TicketFlags.RENEWABLE ) ) + { + throw new KerberosException( ErrorType.KDC_ERR_BADOPTION ); + } + + if ( tgt.getRenewTill().greaterThan( now ) ) + { + throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED ); + } + echoTicket( newTicketBody, tgt ); + + newTicketBody.setStartTime( now ); + long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime(); + newTicketBody.setEndTime( new KerberosTime( Math.min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) ) ); + } + else + { newTicketBody.setStartTime( now ); - long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime(); - newTicketBody.setEndTime( new KerberosTime( Math.min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) ) ); - } - else - { - newTicketBody.setStartTime( now ); - KerberosTime till; - if ( request.getTill().isZero() ) - { - till = KerberosTime.INFINITY; - } - else - { - till = request.getTill(); - } - - // TODO - config; requires store - /* + KerberosTime till; + if ( request.getTill().isZero() ) + { + till = KerberosTime.INFINITY; + } + else + { + till = request.getTill(); + } + + // TODO - config; requires store + /* new_tkt.starttime+client.max_life, new_tkt.starttime+server.max_life, */ - List minimizer = new ArrayList(); - minimizer.add( till ); - minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) ); - minimizer.add( tgt.getEndTime() ); - KerberosTime minTime = (KerberosTime)Collections.min( minimizer ); - newTicketBody.setEndTime( minTime ); - - if ( request.getOption( KdcOptions.RENEWABLE_OK ) && - minTime.lessThan( request.getTill() ) && - tgt.getFlag( TicketFlags.RENEWABLE ) ) - { + List minimizer = new ArrayList(); + minimizer.add( till ); + minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) ); + minimizer.add( tgt.getEndTime() ); + KerberosTime minTime = (KerberosTime)Collections.min( minimizer ); + newTicketBody.setEndTime( minTime ); + + if ( request.getOption( KdcOptions.RENEWABLE_OK ) && + minTime.lessThan( request.getTill() ) && + tgt.getFlag( TicketFlags.RENEWABLE ) ) + { // we set the RENEWABLE option for later processing - request.setOption( KdcOptions.RENEWABLE ); - long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() ); - renewalTime = new KerberosTime( rtime ); - } - } - - if ( renewalTime == null ) - { - renewalTime = request.getRtime(); - } - - KerberosTime rtime; - if ( renewalTime != null && renewalTime.isZero() ) - { - rtime = KerberosTime.INFINITY; - } - else - { - rtime = renewalTime; - } - - if ( request.getOption( KdcOptions.RENEWABLE ) && - tgt.getFlag( TicketFlags.RENEWABLE ) ) - { - newTicketBody.setFlag( TicketFlags.RENEWABLE ); - - /* - new_tkt.starttime+client.max_rlife, - new_tkt.starttime+server.max_rlife, - */ - // TODO - client and server configurable; requires store - List minimizer = new ArrayList(); - - /* - * 'rtime' KerberosTime is OPTIONAL - */ - if ( rtime != null ) - { - minimizer.add( rtime ); - } - - minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) ); - minimizer.add( tgt.getRenewTill() ); - newTicketBody.setRenewTill( (KerberosTime)Collections.min( minimizer ) ); - } - } + request.setOption( KdcOptions.RENEWABLE ); + long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() ); + renewalTime = new KerberosTime( rtime ); + } + } + + if ( renewalTime == null ) + { + renewalTime = request.getRtime(); + } + + KerberosTime rtime; + if ( renewalTime != null && renewalTime.isZero() ) + { + rtime = KerberosTime.INFINITY; + } + else + { + rtime = renewalTime; + } + + if ( request.getOption( KdcOptions.RENEWABLE ) && + tgt.getFlag( TicketFlags.RENEWABLE ) ) + { + newTicketBody.setFlag( TicketFlags.RENEWABLE ); + + /* + new_tkt.starttime+client.max_rlife, + new_tkt.starttime+server.max_rlife, + */ + // TODO - client and server configurable; requires store + List minimizer = new ArrayList(); + + /* + * 'rtime' KerberosTime is OPTIONAL + */ + if ( rtime != null ) + { + minimizer.add( rtime ); + } + + minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) ); + minimizer.add( tgt.getRenewTill() ); + newTicketBody.setRenewTill( (KerberosTime)Collections.min( minimizer ) ); + } + } private AuthorizationData processAuthorizationData( KdcRequest request, - Authenticator authHeader, Ticket tgt ) throws KerberosException - { - AuthorizationData authData = null; - - if ( request.getEncAuthorizationData() != null ) - { - try - { + Authenticator authHeader, Ticket tgt ) throws KerberosException + { + AuthorizationData authData = null; + + if ( request.getEncAuthorizationData() != null ) + { + try + { EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( authHeader.getSubSessionKey() ); - byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(), - request.getEncAuthorizationData() ); - AuthorizationDataDecoder decoder = new AuthorizationDataDecoder(); - authData = decoder.decode( decryptedAuthData ); - } - catch (KerberosException e) - { - throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY ); - } - catch (IOException ioe) - { - throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY ); - } - - AuthorizationData ticketData = tgt.getAuthorizationData(); - authData.add( ticketData ); - } - - return authData; - } - - /* - if (realm_tgt_is_for(tgt) := tgt.realm) then - // tgt issued by local realm - new_tkt.transited := tgt.transited; - else - // was issued for this realm by some other realm - if (tgt.transited.tr-type not supported) then - error_out(KDC_ERR_TRTYPE_NOSUPP); - endif - new_tkt.transited := compress_transited(tgt.transited + tgt.realm) - endif - */ - private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt ) - { - // TODO - currently no transited support other than local - newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() ); - } - - private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey, - KdcRequest request ) throws KerberosException - { - byte[] encodedTicket = null; - - EncTicketPartEncoder encoder = new EncTicketPartEncoder(); - try + byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(), + request.getEncAuthorizationData() ); + AuthorizationDataDecoder decoder = new AuthorizationDataDecoder(); + authData = decoder.decode( decryptedAuthData ); + } + catch (KerberosException e) + { + throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY ); + } + catch (IOException ioe) + { + throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY ); + } + + AuthorizationData ticketData = tgt.getAuthorizationData(); + authData.add( ticketData ); + } + + return authData; + } + + /* + if (realm_tgt_is_for(tgt) := tgt.realm) then + // tgt issued by local realm + new_tkt.transited := tgt.transited; + else + // was issued for this realm by some other realm + if (tgt.transited.tr-type not supported) then + error_out(KDC_ERR_TRTYPE_NOSUPP); + endif + new_tkt.transited := compress_transited(tgt.transited + tgt.realm) + endif + */ + private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt ) + { + // TODO - currently no transited support other than local + newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() ); + } + + private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey, + KdcRequest request ) throws KerberosException + { + byte[] encodedTicket = null; + + EncTicketPartEncoder encoder = new EncTicketPartEncoder(); + try { - encodedTicket = encoder.encode( newTicketBody ); - } + encodedTicket = encoder.encode( newTicketBody ); + } catch (IOException ioe) { - ioe.printStackTrace(); - } - - if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) ) - { - /* - if (server not specified) then - server = req.second_ticket.client; - endif - if ((req.second_ticket is not a TGT) or - (req.second_ticket.client != server)) then - error_out(KDC_ERR_POLICY); - endif - new_tkt.enc-part := encrypt OCTET STRING - using etype_for_key(second-ticket.key), second-ticket.key; - */ - } - else - { - // encrypt with serverKey - } - + log.error( "failed while encoding new ticket body", ioe ); + } + + if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) ) + { + /* + if (server not specified) then + server = req.second_ticket.client; + endif + if ((req.second_ticket is not a TGT) or + (req.second_ticket.client != server)) then + error_out(KDC_ERR_POLICY); + endif + new_tkt.enc-part := encrypt OCTET STRING + using etype_for_key(second-ticket.key), second-ticket.key; + */ + } + else + { + // encrypt with serverKey + } + EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey ); - return engine.getEncryptedData( serverKey, encodedTicket ); - } - - private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key ) - { - EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder(); - try - { - byte[] plainText = encoder.encode( reply ); + return engine.getEncryptedData( serverKey, encodedTicket ); + } + + private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key ) + { + EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder(); + try + { + byte[] plainText = encoder.encode( reply ); EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( key ); - EncryptedData cipherText = engine.getEncryptedData( key, plainText ); + EncryptedData cipherText = engine.getEncryptedData( key, plainText ); + + reply.setEncPart( cipherText ); + + } + catch ( Exception e ) + { + log.error( "failed to encrypt the reply part", e ); + } + } + + private TicketGrantReply getReply( Ticket tgt, Ticket newTicket, + EncryptionKey sessionKey, KdcRequest request ) + { + TicketGrantReply reply = new TicketGrantReply(); + reply.setClientPrincipal( tgt.getClientPrincipal() ); + reply.setTicket( newTicket ); + reply.setKey( sessionKey ); + reply.setNonce( request.getNonce() ); + // TODO - resp.last-req := fetch_last_request_info(client); requires store + reply.setLastRequest( new LastRequest() ); + reply.setFlags( newTicket.getFlags() ); + reply.setClientAddresses( newTicket.getClientAddresses() ); + reply.setAuthTime( newTicket.getAuthTime() ); + reply.setStartTime( newTicket.getStartTime() ); + reply.setEndTime( newTicket.getEndTime() ); + reply.setServerPrincipal( newTicket.getServerPrincipal() ); + + if ( newTicket.getFlag( TicketFlags.RENEWABLE ) ) + { + reply.setRenewTill( newTicket.getRenewTill() ); + } - reply.setEncPart( cipherText ); - - } - catch (Exception e) - { - e.printStackTrace(); - } - } - - private TicketGrantReply getReply( Ticket tgt, Ticket newTicket, - EncryptionKey sessionKey, KdcRequest request ) - { - TicketGrantReply reply = new TicketGrantReply(); - reply.setClientPrincipal( tgt.getClientPrincipal() ); - reply.setTicket( newTicket ); - reply.setKey( sessionKey ); - reply.setNonce( request.getNonce() ); - // TODO - resp.last-req := fetch_last_request_info(client); requires store - reply.setLastRequest( new LastRequest() ); - reply.setFlags( newTicket.getFlags() ); - reply.setClientAddresses( newTicket.getClientAddresses() ); - reply.setAuthTime( newTicket.getAuthTime() ); - reply.setStartTime( newTicket.getStartTime() ); - reply.setEndTime( newTicket.getEndTime() ); - reply.setServerPrincipal( newTicket.getServerPrincipal() ); - - if ( newTicket.getFlag( TicketFlags.RENEWABLE ) ) - { - reply.setRenewTill( newTicket.getRenewTill() ); - } - - return reply; - } + return reply; + } }