From erodrig...@apache.org
Subject svn commit: r280958 - in /directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos: kdc/ kdc/authentication/ kdc/preauthentication/ kdc/ticketgrant/ sam/
Date Wed, 14 Sep 2005 22:18:59 GMT
Author: erodriguez
Date: Wed Sep 14 15:18:50 2005
New Revision: 280958

URL: http://svn.apache.org/viewcvs?rev=280958&view=rev
Log:
Update to kerberos-protocol AS and TGS chains to address DIRKERBEROS-4:
o  Added seal() and unseal() hashed adapter to AS and TGS chain context and chain configuration.
o  Removed entire methods and error-prone exception handling from ticket generation, reply
sealing, auth header verification, authorization data processing, and pre-authentication.

http://issues.apache.org/jira/browse/DIRKERBEROS-4

Modified:
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/SealReply.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/sam/TimestampChecker.java

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java
Wed Sep 14 15:18:50 2005
@@ -21,6 +21,7 @@
 import org.apache.kerberos.chain.impl.ContextBase;
 import org.apache.kerberos.messages.KdcRequest;
 import org.apache.kerberos.messages.KerberosMessage;
+import org.apache.kerberos.service.LockBox;
 import org.apache.kerberos.store.PrincipalStore;
 
 public class KdcContext extends ContextBase
@@ -30,6 +31,7 @@
     private KdcRequest request;
     private KerberosMessage reply;
     private InetAddress clientAddress;
+    private LockBox lockBox;
 
     /**
      * @return Returns the config.
@@ -64,35 +66,35 @@
     }
 
     /**
-     * @return Returns the reply.
+     * @return Returns the request.
      */
-    public KerberosMessage getReply()
+    public KdcRequest getRequest()
     {
-        return reply;
+        return request;
     }
 
     /**
-     * @param reply The reply to set.
+     * @param request The request to set.
      */
-    public void setReply( KerberosMessage reply )
+    public void setRequest( KdcRequest request )
     {
-        this.reply = reply;
+        this.request = request;
     }
 
     /**
-     * @return Returns the request.
+     * @return Returns the reply.
      */
-    public KdcRequest getRequest()
+    public KerberosMessage getReply()
     {
-        return request;
+        return reply;
     }
 
     /**
-     * @param request The request to set.
+     * @param reply The reply to set.
      */
-    public void setRequest( KdcRequest request )
+    public void setReply( KerberosMessage reply )
     {
-        this.request = request;
+        this.reply = reply;
     }
 
     /**
@@ -109,5 +111,21 @@
     public void setClientAddress( InetAddress clientAddress )
     {
         this.clientAddress = clientAddress;
+    }
+
+    /**
+     * @return Returns the lockBox.
+     */
+    public LockBox getLockBox()
+    {
+        return lockBox;
+    }
+
+    /**
+     * @param lockBox The lockBox to set.
+     */
+    public void setLockBox( LockBox lockBox )
+    {
+        this.lockBox = lockBox;
     }
 }
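Review bot: The Javadoc on the new getLockBox()/setLockBox() accessors (`@return Returns the lockBox.`) is generated boilerplate that states nothing about the contract; suggest `@return the seal()/unseal() adapter installed by the chain-configuration command; null until that command has run.` The installing commands are ConfigureAuthenticationChain and ConfigureTicketGrantingChain in this same commit, and the downstream commands call the returned object without a null check, so the ordering dependency is worth stating at the accessor. The getRequest/getReply swap in the preceding hunk is a pure reordering that inflates the diff without changing behaviour; keeping accessor order stable would make the LockBox addition the only visible change.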

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
Wed Sep 14 15:18:50 2005
@@ -27,16 +27,19 @@
 import org.apache.kerberos.crypto.checksum.Sha1Checksum;
 import org.apache.kerberos.replay.InMemoryReplayCache;
 import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.LockBox;
 
 public class ConfigureAuthenticationChain extends CommandBase
 {
     private static final ReplayCache replayCache = new InMemoryReplayCache();
+    private static final LockBox lockBox = new LockBox();
 
     public boolean execute( Context context ) throws Exception
     {
         AuthenticationContext authContext = (AuthenticationContext) context;
 
         authContext.setReplayCache( replayCache );
+        authContext.setLockBox( lockBox );
 
         Map checksumEngines = authContext.getChecksumEngines();
         checksumEngines.put( ChecksumType.CRC32, new Crc32Checksum() );
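Review bot: `private static final LockBox lockBox = new LockBox();` makes one LockBox instance shared by every request flowing through the AS chain (and likewise in ConfigureTicketGrantingChain and TimestampChecker in this commit), so LockBox must be stateless or internally synchronized; its implementation is not in this diff, so that is an assumption to confirm. The replaced code created a fresh encoder and encryption engine per call and had no such requirement. If LockBox keeps per-call state (encoder, engine, buffers), either create it per execute() or document thread-safety on the class. A comment on the field, `// shared across concurrent requests: LockBox must be thread-safe`, would record the requirement either way.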

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java
Wed Sep 14 15:18:50 2005
@@ -20,11 +20,8 @@
 
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
 import org.apache.kerberos.exceptions.ErrorType;
 import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
 import org.apache.kerberos.kdc.KdcConfiguration;
 import org.apache.kerberos.messages.KdcRequest;
 import org.apache.kerberos.messages.components.EncTicketPart;
@@ -36,6 +33,7 @@
 import org.apache.kerberos.messages.value.KerberosTime;
 import org.apache.kerberos.messages.value.TicketFlags;
 import org.apache.kerberos.messages.value.TransitedEncoding;
+import org.apache.kerberos.service.LockBox;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -47,8 +45,9 @@
     public boolean execute(Context context) throws Exception
     {
         AuthenticationContext authContext = (AuthenticationContext) context;
-        KdcRequest request = authContext.getRequest();
 
+        KdcRequest request = authContext.getRequest();
+        LockBox lockBox = authContext.getLockBox();
         KerberosPrincipal serverPrincipal = request.getServerPrincipal();
         EncryptionKey serverKey = authContext.getServerEntry().getEncryptionKey();
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
@@ -166,7 +165,7 @@
 
         EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
 
-        EncryptedData encryptedData = encryptTicketPart(ticketPart, serverKey);
+        EncryptedData encryptedData = lockBox.seal( serverKey, ticketPart );
 
         Ticket newTicket = new Ticket(ticketPrincipal, encryptedData);
         newTicket.setEncTicketPart(ticketPart);
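Review bot: `lockBox.seal( serverKey, ticketPart )` now lets encryption failures propagate out of execute(), where the removed encryptTicketPart() swallowed them with printStackTrace() and returned a null EncryptedData — an improvement, but the error the client receives now depends on what LockBox throws, which is not visible here. If seal() throws something other than KerberosException, the chain's error handling (outside this hunk) may not turn it into a KRB_ERROR reply. Confirm that LockBox maps encoding and encryption failures to a KerberosException with a suitable ErrorType, or wrap the call here to do so. The same applies to the seal() calls in both SealReply classes in this commit. execute() starts and ends outside this hunk.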
@@ -179,25 +178,5 @@
         authContext.setTicket( newTicket );
         
         return CONTINUE_CHAIN;
-    }
-    
-    private EncryptedData encryptTicketPart(EncTicketPart ticketPart, EncryptionKey serverKey)
-    {
-        EncTicketPartEncoder encoder = new EncTicketPartEncoder();
-        EncryptedData encryptedTicketPart = null;
-        try
-        {
-            byte[] plainText = encoder.encode(ticketPart);
-
-            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey
);
-
-            encryptedTicketPart = engine.getEncryptedData(serverKey, plainText);
-
-        }
-        catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        return encryptedTicketPart;
     }
 }

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/SealReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/SealReply.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/SealReply.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/authentication/SealReply.java
Wed Sep 14 15:18:50 2005
@@ -18,12 +18,10 @@
 
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
-import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
 import org.apache.kerberos.messages.AuthenticationReply;
 import org.apache.kerberos.messages.value.EncryptedData;
 import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.service.LockBox;
 
 public class SealReply extends CommandBase
 {
@@ -33,22 +31,10 @@
 
         AuthenticationReply reply = (AuthenticationReply) authContext.getReply();
         EncryptionKey clientKey = authContext.getClientKey();
+        LockBox lockBox = authContext.getLockBox();
 
-        EncAsRepPartEncoder encoder = new EncAsRepPartEncoder();
-        try
-        {
-            byte[] plainText = encoder.encode( reply );
-
-            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( clientKey
);
-
-            EncryptedData cipherText = engine.getEncryptedData( clientKey, plainText );
-
-            reply.setEncPart( cipherText );
-        }
-        catch ( Exception e )
-        {
-            e.printStackTrace();
-        }
+        EncryptedData encryptedData = lockBox.seal( clientKey, reply );
+        reply.setEncPart( encryptedData );
 
         return CONTINUE_CHAIN;
     }

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
Wed Sep 14 15:18:50 2005
@@ -19,12 +19,9 @@
 import java.io.IOException;
 
 import org.apache.kerberos.chain.Context;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
 import org.apache.kerberos.exceptions.ErrorType;
 import org.apache.kerberos.exceptions.KerberosException;
 import org.apache.kerberos.io.decoder.EncryptedDataDecoder;
-import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
 import org.apache.kerberos.kdc.KdcConfiguration;
 import org.apache.kerberos.kdc.authentication.AuthenticationContext;
 import org.apache.kerberos.messages.KdcRequest;
@@ -33,6 +30,7 @@
 import org.apache.kerberos.messages.value.EncryptionKey;
 import org.apache.kerberos.messages.value.PreAuthenticationData;
 import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+import org.apache.kerberos.service.LockBox;
 import org.apache.kerberos.store.PrincipalStoreEntry;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -54,6 +52,7 @@
         log.debug( "Verifying using encrypted timestamp." );
         KdcConfiguration config = authContext.getConfig();
         KdcRequest request = authContext.getRequest();
+        LockBox lockBox = authContext.getLockBox();
         PrincipalStoreEntry clientEntry = authContext.getClientEntry();
         String clientName = clientEntry.getPrincipal().getName();
 
@@ -91,20 +90,11 @@
                     if ( preAuthData[ ii ].getDataType().equals(
                             PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
                     {
-                        try
-                        {
-                            EncryptedData dataValue = EncryptedDataDecoder.decode( preAuthData[
ii ]
-                                    .getDataValue() );
-                            EncryptionEngine engine = EncryptionEngineFactory
-                                    .getEncryptionEngineFor( clientKey );
-                            byte[] decTimestamp = engine.getDecryptedData( clientKey, dataValue
);
+                        EncryptedData dataValue;
 
-                            EncryptedTimestampDecoder timeStampDecoder = new EncryptedTimestampDecoder();
-                            timestamp = timeStampDecoder.decode( decTimestamp );
-                        }
-                        catch ( KerberosException ke )
+                        try
                         {
-                            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY
);
+                            dataValue = EncryptedDataDecoder.decode( preAuthData[ ii ].getDataValue()
);
                         }
                         catch ( IOException ioe )
                         {
@@ -114,6 +104,8 @@
                         {
                             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY
);
                         }
+
+                        timestamp = (EncryptedTimeStamp) lockBox.unseal( EncryptedTimeStamp.class,
clientKey, dataValue );
                     }
                 }
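Review bot: The `lockBox.unseal( EncryptedTimeStamp.class, clientKey, dataValue )` call sits outside the try block, so a decryption failure (wrong client key — the ordinary bad-password case) is no longer mapped to KRB_AP_ERR_BAD_INTEGRITY as the removed `catch ( KerberosException ke )` in the preceding hunk did; what the client receives now depends on whatever unseal() throws. Unless LockBox performs that mapping itself, keep it here: `try { timestamp = (EncryptedTimeStamp) lockBox.unseal( EncryptedTimeStamp.class, clientKey, dataValue ); } catch ( KerberosException ke ) { throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY ); }`. The same mapping, for both KerberosException and IOException, was dropped from the authorization-data path in ticketgrant/GenerateTicket. Returning one uniform error for a failed pre-authentication also avoids telling the client which step of decryption or decoding failed. The enclosing loop and method continue outside this hunk.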
 

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
Wed Sep 14 15:18:50 2005
@@ -20,16 +20,19 @@
 import org.apache.kerberos.chain.impl.CommandBase;
 import org.apache.kerberos.replay.InMemoryReplayCache;
 import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.LockBox;
 
 public class ConfigureTicketGrantingChain extends CommandBase
 {
     private static final ReplayCache replayCache = new InMemoryReplayCache();
+    private static final LockBox lockBox = new LockBox();
 
     public boolean execute( Context context ) throws Exception
     {
         TicketGrantingContext tgsContext = (TicketGrantingContext) context;
 
         tgsContext.setReplayCache( replayCache );
+        tgsContext.setLockBox( lockBox );
 
         return CONTINUE_CHAIN;
     }

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
Wed Sep 14 15:18:50 2005
@@ -16,7 +16,6 @@
  */
 package org.apache.kerberos.kdc.ticketgrant;
 
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -25,12 +24,8 @@
 
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
 import org.apache.kerberos.exceptions.ErrorType;
 import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
-import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
 import org.apache.kerberos.kdc.KdcConfiguration;
 import org.apache.kerberos.messages.KdcRequest;
 import org.apache.kerberos.messages.components.Authenticator;
@@ -43,6 +38,7 @@
 import org.apache.kerberos.messages.value.KdcOptions;
 import org.apache.kerberos.messages.value.KerberosTime;
 import org.apache.kerberos.messages.value.TicketFlags;
+import org.apache.kerberos.service.LockBox;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -54,10 +50,11 @@
     public boolean execute( Context context ) throws Exception
     {
         TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
         KdcRequest request = tgsContext.getRequest();
         Ticket tgt = tgsContext.getTgt();
         Authenticator authenticator = tgsContext.getAuthenticator();
-
+        LockBox lockBox = tgsContext.getLockBox();
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
         EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getEncryptionKey();
         KdcConfiguration config = tgsContext.getConfig();
@@ -72,8 +69,12 @@
         newTicketBody.setSessionKey( sessionKey );
         newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
 
-        AuthorizationData authData = processAuthorizationData( request, authenticator, tgt
);
-        newTicketBody.setAuthorizationData( authData );
+        if ( request.getEncAuthorizationData() != null )
+        {
+            AuthorizationData authData = (AuthorizationData) lockBox.unseal( AuthorizationData.class,
authenticator.getSubSessionKey(), request.getEncAuthorizationData() );
+            authData.add( tgt.getAuthorizationData() );
+            newTicketBody.setAuthorizationData( authData );
+        }
 
         processTransited( newTicketBody, tgt );
 
@@ -81,7 +82,23 @@
 
         EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
 
-        EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request );
+        if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+        {
+            /*
+             if (server not specified) then
+             server = req.second_ticket.client;
+             endif
+             if ((req.second_ticket is not a TGT) or
+             (req.second_ticket.client != server)) then
+             error_out(KDC_ERR_POLICY);
+             endif
+             new_tkt.enc-part := encrypt OCTET STRING
+             using etype_for_key(second-ticket.key), second-ticket.key;
+             */
+            throw new KerberosException( ErrorType.KDC_ERR_SVC_UNAVAILABLE );
+        }
+
+        EncryptedData encryptedData = lockBox.seal( serverKey, ticketPart );
 
         Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
         newTicket.setEncTicketPart( ticketPart );
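Review bot: The new `throw new KerberosException( ErrorType.KDC_ERR_SVC_UNAVAILABLE )` is preceded only by RFC pseudocode, so a reader must infer that user-to-user authentication is deliberately unimplemented; add a plain comment above it, `// ENC-TKT-IN-SKEY (user-to-user) is not supported; reject explicitly rather than sealing under the server key as before.` Rejecting is the right call — the removed encryptTicketPart() ignored the option and encrypted under serverKey regardless. The check could also move ahead of the authorization-data unseal and ticket-body construction so an unsupported request is refused before any decryption work is done. execute() continues outside this hunk.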
@@ -112,7 +129,6 @@
             }
             newTicketBody.setFlag( TicketFlags.FORWARDED );
             newTicketBody.setClientAddresses( request.getAddresses() );
-            // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
         }
 
         if ( tgt.getFlag( TicketFlags.FORWARDED ) )
@@ -139,7 +155,6 @@
 
             newTicketBody.setFlag( TicketFlags.PROXY );
             newTicketBody.setClientAddresses( request.getAddresses() );
-            // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
         }
 
         if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
@@ -301,39 +316,6 @@
         }
     }
 
-    private AuthorizationData processAuthorizationData( KdcRequest request, Authenticator
authHeader, Ticket tgt )
-            throws KerberosException
-    {
-        AuthorizationData authData = null;
-
-        if ( request.getEncAuthorizationData() != null )
-        {
-            try
-            {
-                EncryptionEngine engine = EncryptionEngineFactory
-                        .getEncryptionEngineFor( authHeader.getSubSessionKey() );
-
-                byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(),
request
-                        .getEncAuthorizationData() );
-                AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
-                authData = decoder.decode( decryptedAuthData );
-            }
-            catch ( KerberosException e )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
-            }
-            catch ( IOException ioe )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
-            }
-
-            AuthorizationData ticketData = tgt.getAuthorizationData();
-            authData.add( ticketData );
-        }
-
-        return authData;
-    }
-
     /*
      if (realm_tgt_is_for(tgt) := tgt.realm) then
      // tgt issued by local realm
@@ -363,44 +345,5 @@
         newTicketBody.setRenewTill( tgt.getRenewTill() );
         newTicketBody.setSessionKey( tgt.getSessionKey() );
         newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
-    }
-
-    private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey,
KdcRequest request )
-            throws KerberosException
-    {
-        byte[] encodedTicket = null;
-
-        EncTicketPartEncoder encoder = new EncTicketPartEncoder();
-        try
-        {
-            encodedTicket = encoder.encode( newTicketBody );
-        }
-        catch ( IOException ioe )
-        {
-            log.error( "failed while encoding new ticket body", ioe );
-        }
-
-        if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
-        {
-            /*
-             if (server not specified) then
-             server = req.second_ticket.client;
-             endif
-             if ((req.second_ticket is not a TGT) or
-             (req.second_ticket.client != server)) then
-             error_out(KDC_ERR_POLICY);
-             endif
-             new_tkt.enc-part := encrypt OCTET STRING
-             using etype_for_key(second-ticket.key), second-ticket.key;
-             */
-        }
-        else
-        {
-            // encrypt with serverKey
-        }
-
-        EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey
);
-
-        return engine.getEncryptedData( serverKey, encodedTicket );
     }
 }

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
Wed Sep 14 15:18:50 2005
@@ -18,14 +18,11 @@
 
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
-import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
 import org.apache.kerberos.messages.TicketGrantReply;
 import org.apache.kerberos.messages.components.Authenticator;
 import org.apache.kerberos.messages.components.Ticket;
 import org.apache.kerberos.messages.value.EncryptedData;
-import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.service.LockBox;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -37,39 +34,25 @@
     public boolean execute( Context ctx ) throws Exception
     {
         TicketGrantingContext tgsContext = (TicketGrantingContext) ctx;
+
         TicketGrantReply reply = (TicketGrantReply) tgsContext.getReply();
         Ticket tgt = tgsContext.getTgt();
-
+        LockBox lockBox = tgsContext.getLockBox();
         Authenticator authenticator = tgsContext.getAuthenticator();
 
+        EncryptedData encryptedData;
+
         if ( authenticator.getSubSessionKey() != null )
         {
-            encryptReplyPart( reply, authenticator.getSubSessionKey() );
+            encryptedData = lockBox.seal( authenticator.getSubSessionKey(), reply );
         }
         else
         {
-            encryptReplyPart( reply, tgt.getSessionKey() );
+            encryptedData = lockBox.seal( tgt.getSessionKey(), reply );
         }
 
-        return CONTINUE_CHAIN;
-    }
-
-    private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key )
-    {
-        EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
-        try
-        {
-            byte[] plainText = encoder.encode( reply );
-            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( key
);
+        reply.setEncPart( encryptedData );
 
-            EncryptedData cipherText = engine.getEncryptedData( key, plainText );
-
-            reply.setEncPart( cipherText );
-
-        }
-        catch ( Exception e )
-        {
-            log.error( "Failed to encrypt the reply part", e );
-        }
+        return CONTINUE_CHAIN;
     }
 }
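Review bot: The if/else around `if ( authenticator.getSubSessionKey() != null )` duplicates the seal() call purely to pick the key; selecting the key first reads more directly: `EncryptionKey replyKey = authenticator.getSubSessionKey() != null ? authenticator.getSubSessionKey() : tgt.getSessionKey();` followed by `reply.setEncPart( lockBox.seal( replyKey, reply ) );`. That would require keeping the `org.apache.kerberos.messages.value.EncryptionKey` import removed in this file's first hunk. Behaviour is otherwise improved: the removed encryptReplyPart() logged `Failed to encrypt the reply part` and let the chain continue with an unsealed reply, whereas failures now propagate.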

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
Wed Sep 14 15:18:50 2005
@@ -24,6 +24,7 @@
 import org.apache.kerberos.messages.components.Ticket;
 import org.apache.kerberos.messages.value.EncryptionKey;
 import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.LockBox;
 import org.apache.kerberos.service.VerifyAuthHeader;
 
 public class VerifyTgtAuthHeader extends VerifyAuthHeader
@@ -39,9 +40,10 @@
         ReplayCache replayCache = tgsContext.getReplayCache();
         boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
         InetAddress clientAddress = tgsContext.getClientAddress();
+        LockBox lockBox = tgsContext.getLockBox();
 
         Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew,
replayCache,
-                emptyAddressesAllowed, clientAddress );
+                emptyAddressesAllowed, clientAddress, lockBox );
 
         tgsContext.setAuthenticator( authenticator );
 

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/sam/TimestampChecker.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/sam/TimestampChecker.java?rev=280958&r1=280957&r2=280958&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/sam/TimestampChecker.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/sam/TimestampChecker.java
Wed Sep 14 15:18:50 2005
@@ -20,20 +20,19 @@
 
 import javax.security.auth.kerberos.KerberosKey;
 
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
 import org.apache.kerberos.crypto.encryption.EncryptionType;
 import org.apache.kerberos.exceptions.KerberosException;
 import org.apache.kerberos.io.decoder.EncryptedDataDecoder;
-import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
 import org.apache.kerberos.messages.value.EncryptedData;
 import org.apache.kerberos.messages.value.EncryptedTimeStamp;
 import org.apache.kerberos.messages.value.EncryptionKey;
 import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.service.LockBox;
 
 public class TimestampChecker implements KeyIntegrityChecker
 {
     private static final long FIVE_MINUTES = 300000;
+    private static final LockBox lockBox = new LockBox();
 
     public boolean checkKeyIntegrity( byte[] encryptedData, KerberosKey kerberosKey )
     {
@@ -47,12 +46,8 @@
             EncryptedData sadValue = EncryptedDataDecoder.decode( encryptedData );
 
             // Decrypt the EncryptedData structure to get the PA-ENC-TS-ENC
-            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( key
);
-            byte[] decryptedTimestamp = engine.getDecryptedData( key, sadValue );
-
             // Decode the decrypted timestamp into our timestamp object.
-            EncryptedTimestampDecoder decoder = new EncryptedTimestampDecoder();
-            EncryptedTimeStamp timestamp = decoder.decode( decryptedTimestamp );
+            EncryptedTimeStamp timestamp = (EncryptedTimeStamp) lockBox.unseal( EncryptedTimeStamp.class,
key, sadValue );
 
             // Since we got here we must have a valid timestamp structure that we can
             // validate to be within a five minute skew.
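Review bot: The two comments kept above the new call, `// Decrypt the EncryptedData structure to get the PA-ENC-TS-ENC` and `// Decode the decrypted timestamp into our timestamp object.`, now describe a single `lockBox.unseal(...)` step with a dangling blank line between them; merge them into one, `// Decrypt and decode the EncryptedData into the PA-ENC-TS-ENC timestamp.` Whether the exception types unseal() throws are covered by the surrounding try/catch cannot be checked here, since that block lies outside the hunk and checkKeyIntegrity() declares no throws clause; worth confirming so a decryption failure yields false rather than escaping the method.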


