From erodrig...@apache.org
Subject svn commit: r233542 - /directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/
Date Fri, 19 Aug 2005 18:46:24 GMT
Author: erodriguez
Date: Fri Aug 19 11:46:16 2005
New Revision: 233542

URL: http://svn.apache.org/viewcvs?rev=233542&view=rev
Log:
Common code for supporting Kerberos chain processing, shared by AS, TGS, and Changepw:
o  Base context
o  Getting principals
o  Monitors for requests, replies, and context
o  Selection of checksums and encryption types based on policy or configuration.
o  Verification of message components

Added:
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/GetPrincipalStoreEntry.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/KdcContext.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorContext.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorReply.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorRequest.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectChecksumType.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectEncryptionType.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
  (with props)
    directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyTicket.java
  (with props)

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/GetPrincipalStoreEntry.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/GetPrincipalStoreEntry.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/GetPrincipalStoreEntry.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/GetPrincipalStoreEntry.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,51 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+import org.apache.kerberos.store.operations.GetPrincipal;
+
+public abstract class GetPrincipalStoreEntry extends CommandBase
+{
+    public PrincipalStoreEntry getEntry( KerberosPrincipal principal, PrincipalStore store,
+            ErrorType errorType ) throws Exception
+    {
+        PrincipalStoreEntry entry = null;
+
+        try
+        {
+            entry = (PrincipalStoreEntry) store.execute( new GetPrincipal( principal ) );
+        }
+        catch ( Exception e )
+        {
+            throw new KerberosException( errorType );
+        }
+
+        if ( entry == null || entry.getEncryptionKey() == null )
+        {
+            throw new KerberosException( errorType );
+        }
+
+        return entry;
+    }
+}
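Review bot: The `catch ( Exception e )` around the store lookup discards the underlying exception, so a backend failure (connection error, misconfiguration) becomes indistinguishable from a missing principal in the logs, while the client sees the same errorType either way. Mapping both cases to one client-facing error is a reasonable choice, but the cause should be kept for operators: if KerberosException has a cause-taking constructor use `throw new KerberosException( errorType, e );`, otherwise log `e` at warn level before rethrowing. The cast on `store.execute(...)` also deserves a one-line comment stating that GetPrincipal is expected to return a PrincipalStoreEntry or null, since the null check on the next lines depends on that contract.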

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/GetPrincipalStoreEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/KdcContext.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/KdcContext.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/KdcContext.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/KdcContext.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,94 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import org.apache.kerberos.chain.impl.ContextBase;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.KerberosMessage;
+import org.apache.kerberos.store.PrincipalStore;
+
+public class KdcContext extends ContextBase
+{
+    private KdcConfiguration config;
+    private PrincipalStore store;
+    private KdcRequest request;
+    private KerberosMessage reply;
+
+    /**
+     * @return Returns the config.
+     */
+    public KdcConfiguration getConfig()
+    {
+        return config;
+    }
+
+    /**
+     * @param config The config to set.
+     */
+    public void setConfig( KdcConfiguration config )
+    {
+        this.config = config;
+    }
+
+    /**
+     * @return Returns the store.
+     */
+    public PrincipalStore getStore()
+    {
+        return store;
+    }
+
+    /**
+     * @param store The store to set.
+     */
+    public void setStore( PrincipalStore store )
+    {
+        this.store = store;
+    }
+
+    /**
+     * @return Returns the reply.
+     */
+    public KerberosMessage getReply()
+    {
+        return reply;
+    }
+
+    /**
+     * @param reply The reply to set.
+     */
+    public void setReply( KerberosMessage reply )
+    {
+        this.reply = reply;
+    }
+
+    /**
+     * @return Returns the request.
+     */
+    public KdcRequest getRequest()
+    {
+        return request;
+    }
+
+    /**
+     * @param request The request to set.
+     */
+    public void setRequest( KdcRequest request )
+    {
+        this.request = request;
+    }
+}

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/KdcContext.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorContext.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorContext.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorContext.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorContext.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,45 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+
+public class MonitorContext extends CommandBase
+{
+    /** the log for this class */
+    private static final Log log = LogFactory.getLog( MonitorContext.class );
+
+    public boolean execute( Context context ) throws Exception
+    {
+        KdcContext kdcContext = (KdcContext) context;
+
+        if ( log.isDebugEnabled() )
+        {
+            log.debug( "Monitoring context:"
+                    + "\n\tconfig:                 " + kdcContext.getConfig()
+                    + "\n\tstore:                  " + kdcContext.getStore()
+                    + "\n\trequest:                " + kdcContext.getRequest()
+                    + "\n\treply:                  " + kdcContext.getReply()
+                     );
+        }
+        
+        return CONTINUE_CHAIN;
+    }
+}
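Review bot: The debug line concatenates the `toString()` of the config, store, request and reply objects; from this hunk it cannot be seen whether any of them render key material or an encrypted part, so confirm that before running with debug logging enabled. If KdcConfiguration or the reply do carry keys, log identifying fields (realm, principals, message type) instead of the whole object. The class has no Javadoc; `/** Logs the KdcContext contents at debug level and always continues the chain. */` would state the contract.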

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorContext.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorReply.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorReply.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorReply.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorReply.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,80 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.ErrorMessage;
+import org.apache.kerberos.messages.KdcReply;
+
+public class MonitorReply extends CommandBase
+{
+    /** the log for this class */
+    private static final Log log = LogFactory.getLog( MonitorReply.class );
+
+    public boolean execute( Context context ) throws Exception
+    {
+        KdcContext kdcContext = (KdcContext) context;
+        Object message = kdcContext.getReply();
+        
+        if ( message instanceof KdcReply )
+        {
+            KdcReply reply = (KdcReply) message;
+            
+            if ( log.isDebugEnabled() )
+            {
+                log.debug( "Responding to authentication request with reply:"
+                        + "\n\tclient realm:          " + reply.getClientRealm()
+                        + "\n\tserver realm:          " + reply.getServerRealm()
+                        + "\n\tserverPrincipal:       " + reply.getServerPrincipal()
+                        + "\n\tclientPrincipal:       " + reply.getClientPrincipal()
+                        + "\n\thostAddresses:         " + reply.getClientAddresses()
+                        + "\n\tstart time:            " + reply.getStartTime()
+                        + "\n\tend time:              " + reply.getEndTime()
+                        + "\n\tauth time:             " + reply.getAuthTime()
+                        + "\n\trenew till time:       " + reply.getRenewTill()
+                        + "\n\tmessageType:           " + reply.getMessageType()
+                        + "\n\tnonce:                 " + reply.getNonce()
+                        + "\n\tprotocolVersionNumber: " + reply.getProtocolVersionNumber()
+                         );
+            }
+        }
+        else
+        {
+            if ( message instanceof ErrorMessage )
+            {
+                ErrorMessage error = (ErrorMessage) message;
+                
+                if ( log.isDebugEnabled() )
+                {
+                    log.debug( "Responding to authentication request with error:"
+                            + "\n\tserverPrincipal:       " + error.getServerPrincipal()
+                            + "\n\tclientPrincipal:       " + error.getClientPrincipal()
+                            + "\n\tserver time:           " + error.getClientTime()
+                            + "\n\tclient time:           " + error.getServerTime()
+                            + "\n\terror code:            " + error.getErrorCode()
+                            + "\n\texplanatory text:      " + error.getExplanatoryText()
+                             );
+                }
+            }
+        }
+
+        return CONTINUE_CHAIN;
+    }
+}
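Review bot: The labels in the error branch are swapped: `"\n\tserver time:           " + error.getClientTime()` and `"\n\tclient time:           " + error.getServerTime()` print the client time under the server label and vice versa, which will mislead anyone diagnosing a clock-skew error from the logs; swap the two getters so each label matches its value. The `else { if ( message instanceof ErrorMessage ) ... }` nesting is an `else if` and can lose one indentation level. A reply that is neither type is silently ignored, which is acceptable for a monitor, but a `log.debug( "Unrecognized reply type: " + message )` branch would make that visible.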

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorReply.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorRequest.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorRequest.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorRequest.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorRequest.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,55 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.KdcRequest;
+
+public class MonitorRequest extends CommandBase
+{
+    /** the log for this class */
+    private static final Log log = LogFactory.getLog( MonitorRequest.class );
+
+    public boolean execute( Context context ) throws Exception
+    {
+        KdcContext kdcContext = (KdcContext) context;
+        KdcRequest request = kdcContext.getRequest();
+        
+        if ( log.isDebugEnabled() )
+        {
+            log.debug( "Responding to authentication request:"
+                    + "\n\trealm:                 " + request.getRealm()
+                    + "\n\tserverPrincipal:       " + request.getServerPrincipal()
+                    + "\n\tclientPrincipal:       " + request.getClientPrincipal()
+                    + "\n\thostAddresses:         " + request.getAddresses()
+                    + "\n\tencryptionType:        " + request.getEType()
+                    + "\n\tfrom krb time:         " + request.getFrom()
+                    + "\n\trealm krb time:        " + request.getRtime()
+                    + "\n\tkdcOptions:            " + request.getKdcOptions()
+                    + "\n\tmessageType:           " + request.getMessageType()
+                    + "\n\tnonce:                 " + request.getNonce()
+                    + "\n\tprotocolVersionNumber: " + request.getProtocolVersionNumber()
+                    + "\n\ttill:                  " + request.getTill()
+                     );
+        }
+        
+        return CONTINUE_CHAIN;
+    }
+}
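Review bot: The debug message says `Responding to authentication request:` but this command only inspects the incoming request before any reply exists, and per the commit log it is shared by AS, TGS and Changepw; `log.debug( "Received KDC request:"` describes it accurately for all three. `kdcContext.getRequest()` is dereferenced without a null check inside the debug branch, so a misordered chain would fail here with a NullPointerException rather than a clear error — either guard it or document that the request must already be set on the context. The class has no Javadoc; a one-line summary stating that it logs the request at debug level and always continues the chain would suffice.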

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/MonitorRequest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectChecksumType.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectChecksumType.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectChecksumType.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectChecksumType.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,63 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.checksum.ChecksumType;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+
+public class SelectChecksumType extends CommandBase
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        System.out.println( "Selecting checksum type." );
+
+        KdcContext kdcContext = (KdcContext) context;
+        KdcConfiguration config = kdcContext.getConfig();
+
+        EncryptionType[] requestedTypes = kdcContext.getRequest().getEType();
+
+        /*
+        EncryptionType bestType = getBestChecksumType( requestedTypes, config.getEncryptionTypes()
);
+
+        if ( bestType == null )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
+        }
+        */
+
+        return CONTINUE_CHAIN;
+    }
+
+    protected ChecksumType getBestChecksumType( ChecksumType[] requestedTypes,
+            ChecksumType[] configuredTypes )
+    {
+        for ( int ii = 0; ii < requestedTypes.length; ii++ )
+        {
+            for ( int jj = 0; jj < configuredTypes.length; jj++ )
+            {
+                if ( requestedTypes[ ii ] == configuredTypes[ jj ] )
+                {
+                    return configuredTypes[ jj ];
+                }
+            }
+        }
+
+        return null;
+    }
+}
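Review bot: The body of `execute` is effectively a no-op: the selection and the KDC_ERR_SUMTYPE_NOSUPP rejection are commented out, `requestedTypes` and `config` are unused, and the command always returns CONTINUE_CHAIN, so nothing enforces checksum policy even though the commit log lists that as a feature. The commented block also passes `EncryptionType[]` values to `getBestChecksumType( ChecksumType[], ChecksumType[] )`, so it would not compile as written; the request's checksum types presumably come from a different accessor — confirm. Until that is resolved, replace the commented code with a `// TODO: checksum-type selection is not yet enforced; reject unsupported types with KDC_ERR_SUMTYPE_NOSUPP` comment, and use the commons-logging `Log` pattern the Monitor* classes in this commit use instead of `System.out.println`.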

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectChecksumType.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectEncryptionType.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectEncryptionType.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectEncryptionType.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectEncryptionType.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,62 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+
+public class SelectEncryptionType extends CommandBase
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        System.out.println( "Selecting encryption type." );
+
+        KdcContext kdcContext = (KdcContext) context;
+        KdcConfiguration config = kdcContext.getConfig();
+
+        EncryptionType[] requestedTypes = kdcContext.getRequest().getEType();
+
+        EncryptionType bestType = getBestEncryptionType( requestedTypes, config.getEncryptionTypes()
);
+
+        if ( bestType == null )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
+        }
+
+        return CONTINUE_CHAIN;
+    }
+
+    protected EncryptionType getBestEncryptionType( EncryptionType[] requestedTypes,
+            EncryptionType[] configuredTypes )
+    {
+        for ( int ii = 0; ii < requestedTypes.length; ii++ )
+        {
+            for ( int jj = 0; jj < configuredTypes.length; jj++ )
+            {
+                if ( requestedTypes[ ii ] == configuredTypes[ jj ] )
+                {
+                    return configuredTypes[ jj ];
+                }
+            }
+        }
+
+        return null;
+    }
+}
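Review bot: `bestType` is validated and then dropped, so the encryption type this command selected is not available to later commands in the chain — the reply-building step has to repeat the negotiation or guess. Store it on the context, e.g. add an `encryptionType` field with getter and setter to KdcContext and call `kdcContext.setEncryptionType( bestType );` before returning. The comparison `requestedTypes[ ii ] == configuredTypes[ jj ]` relies on EncryptionType instances being canonical singletons; if the decoder can produce fresh instances, use `equals`. Iterating the client's list in the outer loop also lets the client's preference win over the KDC's configured order, which may or may not be the intended policy and should be stated in a comment. `System.out.println` should be the commons-logging `Log` the Monitor* classes use.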

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/SelectEncryptionType.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,164 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.MessageType;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.ApOptions;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.messages.value.TicketFlags;
+import org.apache.kerberos.replay.ReplayCache;
+
+/*
+ * Shared by TGS and Changepw
+ */
+public abstract class VerifyAuthHeader extends CommandBase
+{
+    // RFC 1510 A.10.  KRB_AP_REQ verification
+    public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket,
+            EncryptionKey serverKey, KdcConfiguration config, ReplayCache replayCache )
+            throws KerberosException, IOException
+    {
+        if ( authHeader.getProtocolVersionNumber() != 5 )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
+        }
+
+        if ( authHeader.getMessageType() != MessageType.KRB_AP_REQ )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
+        }
+
+        if ( authHeader.getTicket().getVersionNumber() != 5 )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
+        }
+
+        EncryptionKey ticketKey = null;
+
+        if ( authHeader.getOption( ApOptions.USE_SESSION_KEY ) )
+        {
+            ticketKey = authHeader.getTicket().getSessionKey();
+        }
+        else
+        {
+            ticketKey = serverKey;
+        }
+
+        if ( ticketKey == null )
+        {
+            // TODO - check server key version number, skvno; requires store
+            if ( false )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BADKEYVER );
+            }
+
+            throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
+        }
+
+        try
+        {
+            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticketKey
);
+
+            byte[] decTicketPart = engine.getDecryptedData( ticketKey, ticket.getEncPart()
);
+
+            EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
+            EncTicketPart encPart = ticketPartDecoder.decode( decTicketPart );
+            ticket.setEncTicketPart( encPart );
+        }
+        catch ( KerberosException ke )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+        }
+
+        Authenticator authenticator;
+
+        try
+        {
+            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticket.getSessionKey()
);
+
+            byte[] decAuthenticator = engine.getDecryptedData( ticket.getSessionKey(), authHeader.getEncPart()
);
+            AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
+            authenticator = authDecoder.decode( decAuthenticator );
+        }
+        catch ( KerberosException ke )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+        }
+
+        if ( !authenticator.getClientPrincipal().getName().equals(
+                ticket.getClientPrincipal().getName() ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
+        }
+
+        // TODO - need to get at IP Address for sender
+        if ( ticket.getClientAddresses() != null )
+        {
+            // if (sender_address(packet) is not in decr_ticket.caddr)
+            //    then error_out(KRB_AP_ERR_BADADDR);
+        }
+        else
+        {
+            // if (application requires addresses) then
+            //    error_out(KRB_AP_ERR_BADADDR);
+        }
+
+        if ( replayCache.isReplay( authenticator.getClientTime(), authenticator.getClientPrincipal()
) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
+        }
+
+        replayCache.save( authenticator.getClientTime(), authenticator.getClientPrincipal()
);
+
+        if ( !authenticator.getClientTime().isInClockSkew( config.getClockSkew() ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
+        }
+
+        if ( ticket.getStartTime() != null
+                && !ticket.getStartTime().isInClockSkew( config.getClockSkew() )
+                || ticket.getFlag( TicketFlags.INVALID ) )
+        {
+            // it hasn't yet become valid
+            throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
+        }
+
+        // TODO - doesn't take into account skew
+        if ( !ticket.getEndTime().greaterThan( new KerberosTime() ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+        }
+
+        authHeader.setOption( ApOptions.MUTUAL_REQUIRED );
+
+        return authenticator;
+    }
+}
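Review bot: `authHeader.setOption( ApOptions.MUTUAL_REQUIRED )` near the end mutates the incoming request instead of inspecting it; RFC 1510 A.10 treats MUTUAL-REQUIRED as an input that decides whether a KRB_AP_REP is built, so this looks like it should be `if ( authHeader.getOption( ApOptions.MUTUAL_REQUIRED ) )` with the reply handled by the caller — confirm the intent and document it either way. When USE_SESSION_KEY is set, `ticketKey` is taken from `authHeader.getTicket().getSessionKey()`, i.e. from the ticket that is about to be decrypted with that key; A.10 specifies the session key from the server's own ticket-granting ticket, so this branch presumably cannot succeed yet and deserves a TODO rather than silently mapping to KRB_AP_ERR_NOKEY. The `if ( false )` block for the server key version is dead code; a `// TODO: compare serverKey's kvno against the ticket's enc part, else KRB_AP_ERR_BADKEYVER` comment carries the same information. The address check and the skew-aware expiry check are also still TODOs, so callers should not treat this verification as complete.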

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyTicket.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyTicket.java?rev=233542&view=auto
==============================================================================
--- directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyTicket.java
(added)
+++ directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyTicket.java
Fri Aug 19 11:46:16 2005
@@ -0,0 +1,39 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.service;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.messages.components.Ticket;
+
+/*
+ * Shared by TGS and Changepw
+ */
+public abstract class VerifyTicket extends CommandBase
+{
+    public void verifyTicket( KdcConfiguration config, Ticket ticket, KerberosPrincipal serverPrincipal
) throws Exception
+    {
+        if ( !ticket.getRealm().equals( config.getPrimaryRealm() )
+                && !ticket.getServerPrincipal().equals( serverPrincipal ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
+        }
+    }
+}
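Review bot: The rejection condition uses `&&`, so KRB_AP_ERR_NOT_US is raised only when both the realm and the server principal differ; a ticket issued to a different service in the primary realm passes this check unchanged. Unless that looser rule is deliberate, the check should be `if ( !ticket.getRealm().equals( config.getPrimaryRealm() ) || !ticket.getServerPrincipal().equals( serverPrincipal ) )`. The method is declared `throws Exception` while it only throws KerberosException; narrowing it to `throws KerberosException` matches VerifyAuthHeader in this same commit. Whichever rule is chosen belongs in a Javadoc on the method, since the class is shared by TGS and Changepw.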

Propchange: directory/shared/kerberos/branches/refactor-to-chain/common/src/java/org/apache/kerberos/service/VerifyTicket.java
------------------------------------------------------------------------------
    svn:eol-style = native


