directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: r280945 - in /directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos: crypto/encryption/EncryptionEngine.java service/LockBox.java service/VerifyAuthHeader.java
Date Wed, 14 Sep 2005 21:35:48 GMT
Author: erodriguez
Date: Wed Sep 14 14:35:44 2005
New Revision: 280945

URL: http://svn.apache.org/viewcvs?rev=280945&view=rev
Log:
Update to kerberos-common to address DIRKERBEROS-4:
o  Added a Hashed Adapter encapsulating ASN.1 and cipher processing to perform one-step seal()
and unseal() operations.  A seal() operation performs an encode and an encrypt, while an unseal()
operation performs a decrypt and a decode.
o  Removed some exceptions thrown by EncryptionEngine that are now encapsulated in the hashed
adapter.
o  Updated VerifyAuthHeader to use the new unseal() method with Tickets and Authenticators.

http://issues.apache.org/jira/browse/DIRKERBEROS-4

Added:
    directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
  (with props)
Modified:
    directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java
    directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java

Modified: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java?rev=280945&r1=280944&r2=280945&view=diff
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java
(original)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java
Wed Sep 14 14:35:44 2005
@@ -20,7 +20,6 @@
 
 import org.apache.kerberos.crypto.checksum.ChecksumEngine;
 import org.apache.kerberos.crypto.checksum.ChecksumType;
-import org.apache.kerberos.exceptions.KerberosException;
 import org.apache.kerberos.messages.value.EncryptedData;
 import org.apache.kerberos.messages.value.EncryptionKey;
 import org.bouncycastle.crypto.BlockCipher;
@@ -43,7 +42,6 @@
     public abstract int keySize();
 
     public byte[] getDecryptedData( EncryptionKey key, EncryptedData data )
-            throws KerberosException
     {
         byte[] decryptedData = decrypt( data.getCipherText(), key.getKeyValue() );
 
@@ -51,7 +49,6 @@
     }
 
     public EncryptedData getEncryptedData( EncryptionKey key, byte[] plainText )
-            throws KerberosException
     {
         byte[] conFounder = getRandomBytes( confounderSize() );
         byte[] zeroedChecksum = new byte[ checksumSize() ];

Added: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java?rev=280945&view=auto
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
(added)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
Wed Sep 14 14:35:44 2005
@@ -0,0 +1,235 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+
+package org.apache.kerberos.service;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.kerberos.crypto.encryption.Des3CbcMd5Encryption;
+import org.apache.kerberos.crypto.encryption.Des3CbcSha1Encryption;
+import org.apache.kerberos.crypto.encryption.DesCbcCrcEncryption;
+import org.apache.kerberos.crypto.encryption.DesCbcMd4Encryption;
+import org.apache.kerberos.crypto.encryption.DesCbcMd5Encryption;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
+import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
+import org.apache.kerberos.io.decoder.Decoder;
+import org.apache.kerberos.io.decoder.DecoderFactory;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
+import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.io.encoder.Encoder;
+import org.apache.kerberos.io.encoder.EncoderFactory;
+import org.apache.kerberos.messages.AuthenticationReply;
+import org.apache.kerberos.messages.Encodable;
+import org.apache.kerberos.messages.TicketGrantReply;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.value.AuthorizationData;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptedTimeStamp;
+import org.apache.kerberos.messages.value.EncryptionKey;
+
+/**
+ * A Hashed Adapter encapsulating ASN.1 encoders and decoders and cipher text engines to
+ * perform seal() and unseal() operations.  A seal() operation performs an encode and an
+ * encrypt, while an unseal() operation performs a decrypt and a decode.
+ */
+public class LockBox
+{
+    /** a map of the default encodable class names to the encoder class names */
+    private static final Map DEFAULT_ENCODERS;
+    /** a map of the default encodable class names to the decoder class names */
+    private static final Map DEFAULT_DECODERS;
+    /** a map of the default encryption types to the encryption engine class names */
+    private static final Map DEFAULT_CIPHERS;
+
+    static
+    {
+        Map map = new HashMap();
+
+        map.put( EncTicketPart.class, EncTicketPartEncoder.class );
+        map.put( AuthenticationReply.class, EncAsRepPartEncoder.class );
+        map.put( TicketGrantReply.class, EncTgsRepPartEncoder.class );
+
+        DEFAULT_ENCODERS = Collections.unmodifiableMap( map );
+    }
+
+    static
+    {
+        Map map = new HashMap();
+
+        map.put( EncTicketPart.class, EncTicketPartDecoder.class );
+        map.put( Authenticator.class, AuthenticatorDecoder.class );
+        map.put( EncryptedTimeStamp.class, EncryptedTimestampDecoder.class );
+        map.put( AuthorizationData.class, AuthorizationDataDecoder.class );
+
+        DEFAULT_DECODERS = Collections.unmodifiableMap( map );
+    }
+
+    static
+    {
+        Map map = new HashMap();
+
+        map.put( EncryptionType.DES_CBC_CRC, DesCbcCrcEncryption.class );
+        map.put( EncryptionType.DES_CBC_MD4, DesCbcMd4Encryption.class );
+        map.put( EncryptionType.DES_CBC_MD5, DesCbcMd5Encryption.class );
+        map.put( EncryptionType.DES3_CBC_MD5, Des3CbcMd5Encryption.class );
+        map.put( EncryptionType.DES3_CBC_SHA1, Des3CbcSha1Encryption.class );
+
+        DEFAULT_CIPHERS = Collections.unmodifiableMap( map );
+    }
+
+    public EncryptedData seal( EncryptionKey key, Encodable encodable ) throws KerberosException
+    {
+        try
+        {
+            return encrypt( key, encode( encodable ) );
+        }
+        catch ( IOException ioe )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
+        }
+        catch ( ClassCastException cce )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+        }
+    }
+
+    public Encodable unseal( Class hint, EncryptionKey key, EncryptedData data ) throws KerberosException
+    {
+        try
+        {
+            return decode( hint, decrypt( key, data ) );
+        }
+        catch ( IOException ioe )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
+        }
+        catch ( ClassCastException cce )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+        }
+    }
+
+    private EncryptedData encrypt( EncryptionKey key, byte[] plainText ) throws IOException
+    {
+        EncryptionEngine engine = getEngine( key );
+
+        return engine.getEncryptedData( key, plainText );
+    }
+
+    private byte[] decrypt( EncryptionKey key, EncryptedData data ) throws IOException
+    {
+        EncryptionEngine engine = getEngine( key );
+
+        return engine.getDecryptedData( key, data );
+    }
+
+    private byte[] encode( Encodable encodable ) throws IOException
+    {
+        Class encodableClass = encodable.getClass();
+
+        Class clazz = (Class) DEFAULT_ENCODERS.get( encodableClass );
+
+        if ( clazz == null )
+        {
+            throw new IOException( "Encoder unavailable for " + encodableClass );
+        }
+
+        EncoderFactory factory = null;
+
+        try
+        {
+            factory = (EncoderFactory) clazz.newInstance();
+        }
+        catch ( IllegalAccessException iae )
+        {
+            throw new IOException( "Error accessing encoder for " + encodableClass );
+        }
+        catch ( InstantiationException ie )
+        {
+            throw new IOException( "Error instantiating encoder for " + encodableClass );
+        }
+
+        Encoder encoder = factory.getEncoder();
+
+        return encoder.encode( encodable );
+    }
+
+    private Encodable decode( Class encodable, byte[] plainText ) throws IOException
+    {
+        Class clazz = (Class) DEFAULT_DECODERS.get( encodable );
+
+        if ( clazz == null )
+        {
+            throw new IOException( "Decoder unavailable for " + encodable );
+        }
+
+        DecoderFactory factory = null;
+
+        try
+        {
+            factory = (DecoderFactory) clazz.newInstance();
+        }
+        catch ( IllegalAccessException iae )
+        {
+            throw new IOException( "Error accessing decoder for " + encodable );
+        }
+        catch ( InstantiationException ie )
+        {
+            throw new IOException( "Error instantiating decoder for " + encodable );
+        }
+
+        Decoder decoder = factory.getDecoder();
+
+        return decoder.decode( plainText );
+    }
+
+    private EncryptionEngine getEngine( EncryptionKey key ) throws IOException
+    {
+        EncryptionType encryptionType = key.getKeyType();
+
+        Class clazz = (Class) DEFAULT_CIPHERS.get( encryptionType );
+
+        if ( clazz == null )
+        {
+            throw new IOException( "Unsupported encryption type " + encryptionType );
+        }
+
+        try
+        {
+            return (EncryptionEngine) clazz.newInstance();
+        }
+        catch ( IllegalAccessException iae )
+        {
+            throw new IOException( "Error accessing cipher for " + encryptionType );
+        }
+        catch ( InstantiationException ie )
+        {
+            throw new IOException( "Error instantiating cipher for " + encryptionType );
+        }
+    }
+}

Propchange: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java?rev=280945&r1=280944&r2=280945&view=diff
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
(original)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
Wed Sep 14 14:35:44 2005
@@ -16,16 +16,11 @@
  */
 package org.apache.kerberos.service;
 
-import java.io.IOException;
 import java.net.InetAddress;
 
 import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
 import org.apache.kerberos.exceptions.ErrorType;
 import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
-import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
 import org.apache.kerberos.messages.ApplicationRequest;
 import org.apache.kerberos.messages.MessageType;
 import org.apache.kerberos.messages.components.Authenticator;
@@ -45,8 +40,8 @@
 {
     // RFC 1510 A.10.  KRB_AP_REQ verification
     public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket,
EncryptionKey serverKey,
-            long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress
clientAddress )
-            throws KerberosException, IOException
+            long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress
clientAddress, LockBox lockBox )
+            throws KerberosException
     {
         if ( authHeader.getProtocolVersionNumber() != 5 )
         {
@@ -85,35 +80,10 @@
             throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
         }
 
-        try
-        {
-            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticketKey
);
-
-            byte[] decTicketPart = engine.getDecryptedData( ticketKey, ticket.getEncPart()
);
-
-            EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
-            EncTicketPart encPart = ticketPartDecoder.decode( decTicketPart );
-            ticket.setEncTicketPart( encPart );
-        }
-        catch ( KerberosException ke )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
-        }
+        EncTicketPart encPart = (EncTicketPart) lockBox.unseal( EncTicketPart.class, ticketKey,
ticket.getEncPart() );
+        ticket.setEncTicketPart( encPart );
 
-        Authenticator authenticator;
-
-        try
-        {
-            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticket.getSessionKey()
);
-
-            byte[] decAuthenticator = engine.getDecryptedData( ticket.getSessionKey(), authHeader.getEncPart()
);
-            AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
-            authenticator = authDecoder.decode( decAuthenticator );
-        }
-        catch ( KerberosException ke )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
-        }
+        Authenticator authenticator = (Authenticator) lockBox.unseal( Authenticator.class,
ticket.getSessionKey(), authHeader.getEncPart() );
 
         if ( !authenticator.getClientPrincipal().getName().equals( ticket.getClientPrincipal().getName()
) )
         {



Mime
View raw message