directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: r240282 - in /directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication: ./ PreAuthenticationChain.java VerifierBase.java VerifyEncryptedTimestamp.java VerifySam.java
Date Fri, 26 Aug 2005 16:41:15 GMT
Author: erodriguez
Date: Fri Aug 26 09:41:10 2005
New Revision: 240282

URL: http://svn.apache.org/viewcvs?rev=240282&view=rev
Log:
Kerberos pre-authentication chain consisting of verifiers for SAM and PA_ENC_TIMESTAMP.

Added:
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
  (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
  (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
  (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
  (with props)

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
(added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
Fri Aug 26 09:41:10 2005
@@ -0,0 +1,29 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import org.apache.kerberos.chain.impl.ChainBase;
+
+public class PreAuthenticationChain extends ChainBase
+{
+    public PreAuthenticationChain()
+    {
+        super();
+        addCommand( new VerifySam() );
+        addCommand( new VerifyEncryptedTimestamp() );
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
(added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
Fri Aug 26 09:41:10 2005
@@ -0,0 +1,71 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.io.encoder.EncryptionTypeInfoEncoder;
+import org.apache.kerberos.io.encoder.PreAuthenticationDataEncoder;
+import org.apache.kerberos.messages.value.EncryptionTypeInfoEntry;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataModifier;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+
+public abstract class VerifierBase extends CommandBase
+{
+    public byte[] preparePreAuthenticationError()
+    {
+        PreAuthenticationData[] paDataSequence = new PreAuthenticationData[ 2 ];
+
+        PreAuthenticationDataModifier modifier = new PreAuthenticationDataModifier();
+        modifier.setDataType( PreAuthenticationDataType.PA_ENC_TIMESTAMP );
+        modifier.setDataValue( new byte[ 0 ] );
+
+        paDataSequence[ 0 ] = modifier.getPreAuthenticationData();
+
+        EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[ 1 ];
+        entries[ 0 ] = new EncryptionTypeInfoEntry( EncryptionType.DES_CBC_MD5, null );
+
+        byte[] encTypeInfo = null;
+
+        try
+        {
+            encTypeInfo = EncryptionTypeInfoEncoder.encode( entries );
+        }
+        catch ( IOException ioe )
+        {
+            return null;
+        }
+
+        PreAuthenticationDataModifier encTypeModifier = new PreAuthenticationDataModifier();
+        encTypeModifier.setDataType( PreAuthenticationDataType.PA_ENCTYPE_INFO );
+        encTypeModifier.setDataValue( encTypeInfo );
+
+        paDataSequence[ 1 ] = encTypeModifier.getPreAuthenticationData();
+
+        try
+        {
+            return PreAuthenticationDataEncoder.encode( paDataSequence );
+        }
+        catch ( IOException ioe )
+        {
+            return null;
+        }
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
(added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
Fri Aug 26 09:41:10 2005
@@ -0,0 +1,150 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import java.io.IOException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.EncryptedDataDecoder;
+import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
+import org.apache.kerberos.kdc.authentication.AuthenticationContext;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptedTimeStamp;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+import org.apache.kerberos.service.KdcConfiguration;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class VerifyEncryptedTimestamp extends VerifierBase
+{
+    /** the log for this class */
+    private static final Log log = LogFactory.getLog( VerifyEncryptedTimestamp.class );
+
+    public boolean execute( Context ctx ) throws Exception
+    {
+        AuthenticationContext authContext = (AuthenticationContext) ctx;
+
+        if ( authContext.getClientKey() != null )
+        {
+            return CONTINUE_CHAIN;
+        }
+
+        log.debug( "Verifying using encrypted timestamp." );
+        KdcConfiguration config = authContext.getConfig();
+        KdcRequest request = authContext.getRequest();
+        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
+        String clientName = clientEntry.getPrincipal().getName();
+
+        EncryptionKey clientKey = null;
+
+        if ( clientEntry.getSamType() == null )
+        {
+            if ( log.isDebugEnabled() )
+            {
+                log.debug( "entry for client principal " + clientName
+                        + " has no SAM type: proceeding with standard pre-authentication"
);
+            }
+
+            clientKey = clientEntry.getEncryptionKey();
+
+            if ( clientKey == null )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
+            }
+
+            if ( config.isPaEncTimestampRequired() )
+            {
+                PreAuthenticationData[] preAuthData = request.getPreAuthData();
+
+                if ( preAuthData == null )
+                {
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                            preparePreAuthenticationError() );
+                }
+
+                EncryptedTimeStamp timestamp = null;
+
+                for ( int ii = 0; ii < preAuthData.length; ii++ )
+                {
+                    if ( preAuthData[ ii ].getDataType().equals(
+                            PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+                    {
+                        try
+                        {
+                            EncryptedData dataValue = EncryptedDataDecoder.decode( preAuthData[
ii ]
+                                    .getDataValue() );
+                            EncryptionEngine engine = EncryptionEngineFactory
+                                    .getEncryptionEngineFor( clientKey );
+                            byte[] decTimestamp = engine.getDecryptedData( clientKey, dataValue
);
+
+                            EncryptedTimestampDecoder timeStampDecoder = new EncryptedTimestampDecoder();
+                            timestamp = timeStampDecoder.decode( decTimestamp );
+                        }
+                        catch ( KerberosException ke )
+                        {
+                            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY
);
+                        }
+                        catch ( IOException ioe )
+                        {
+                            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY
);
+                        }
+                        catch ( ClassCastException cce )
+                        {
+                            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY
);
+                        }
+                    }
+                }
+
+                if ( timestamp == null )
+                {
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                            preparePreAuthenticationError() );
+                }
+
+                if ( !timestamp.getTimeStamp().isInClockSkew( config.getClockSkew() ) )
+                {
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
+                }
+
+                /*
+                 if(decrypted_enc_timestamp and usec is replay)
+                 error_out(KDC_ERR_PREAUTH_FAILED);
+                 endif
+
+                 add decrypted_enc_timestamp and usec to replay cache;
+                 */
+            }
+        }
+
+        authContext.setClientKey( clientKey );
+
+        if ( log.isDebugEnabled() )
+        {
+            log.debug( "Pre-authentication by encrypted timestamp successful for " + clientName
+ "." );
+        }
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
(added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
Fri Aug 26 09:41:10 2005
@@ -0,0 +1,103 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import javax.security.auth.kerberos.KerberosKey;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.kdc.authentication.AuthenticationContext;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+import org.apache.kerberos.sam.SamException;
+import org.apache.kerberos.sam.SamSubsystem;
+import org.apache.kerberos.sam.TimestampChecker;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class VerifySam extends VerifierBase
+{
+    /** the log for this class */
+    private static final Log log = LogFactory.getLog( VerifySam.class );
+
+    static
+    {
+        log.debug( "Initializing SAM subsystem" );
+        SamSubsystem.getInstance().setIntegrityChecker( new TimestampChecker() );
+    }
+
+    public boolean execute( Context ctx ) throws Exception
+    {
+        log.debug( "Verifying using SAM subsystem." );
+        AuthenticationContext authContext = (AuthenticationContext) ctx;
+        KdcRequest request = authContext.getRequest();
+        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
+        String clientName = clientEntry.getPrincipal().getName();
+
+        EncryptionKey clientKey = null;
+
+        if ( clientEntry.getSamType() != null )
+        {
+            if ( log.isDebugEnabled() )
+            {
+                log.debug( "entry for client principal " + clientName
+                        + " has a valid SAM type: invoking SAM subsystem for pre-authentication"
);
+            }
+
+            PreAuthenticationData[] preAuthData = request.getPreAuthData();
+
+            if ( preAuthData == null || preAuthData.length == 0 )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                        preparePreAuthenticationError() );
+            }
+
+            try
+            {
+                for ( int ii = 0; ii < preAuthData.length; ii++ )
+                {
+                    if ( preAuthData[ ii ].getDataType().equals(
+                            PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+                    {
+                        KerberosKey samKey = SamSubsystem.getInstance().verify( clientEntry,
+                                preAuthData[ ii ].getDataValue() );
+                        clientKey = new EncryptionKey( EncryptionType.getTypeByOrdinal( samKey
+                                .getKeyType() ), samKey.getEncoded() );
+                    }
+                }
+            }
+            catch ( SamException se )
+            {
+                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, se.getMessage() );
+            }
+
+            authContext.setClientKey( clientKey );
+
+            if ( log.isDebugEnabled() )
+            {
+                log.debug( "Pre-authentication using SAM subsystem successful for " + clientName
+ "." );
+            }
+        }
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message