From erodrig...@apache.org
Subject svn commit: r535693 - in /directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos: kdc/authentication/ kdc/preauthentication/ kdc/ticketgrant/ sam/
Date Mon, 07 May 2007 00:31:51 GMT
Author: erodriguez
Date: Sun May  6 17:31:50 2007
New Revision: 535693

URL: http://svn.apache.org/viewvc?view=rev&rev=535693
Log:
Updated kerberos-protocol to use key usage and to support multiple key types.

Modified:
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
    directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/TimestampChecker.java

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
Sun May  6 17:31:50 2007
@@ -24,6 +24,8 @@
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
@@ -36,6 +38,7 @@
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
 import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
 import org.apache.directory.server.kerberos.shared.messages.value.TransitedEncoding;
+import org.apache.directory.shared.ldap.util.StringTools;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 import org.slf4j.Logger;
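Review bot: The new `import org.apache.directory.shared.ldap.util.StringTools;` is not referenced by any hunk in this file, so it looks like a leftover from debugging; if nothing outside the shown hunks uses it, drop the line so the import block only reflects real dependencies. The other two imports added above (EncryptionType, KeyUsage) are both used in the hunks below.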
@@ -53,6 +56,7 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute(
getContextKey() );
@@ -60,7 +64,10 @@
         KdcRequest request = authContext.getRequest();
         CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
         KerberosPrincipal serverPrincipal = request.getServerPrincipal();
-        EncryptionKey serverKey = authContext.getServerEntry().getEncryptionKey();
+
+        EncryptionType encryptionType = authContext.getEncryptionType();
+        EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType
);
+
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
         EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
         KdcConfiguration config = authContext.getConfig();
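Review bot: `serverKey` can now be null, because `getKeyMap().get( encryptionType )` returns null when the server entry has no key of the negotiated type, whereas the old `getEncryptionKey()` returned the single stored key; the null is only discovered later when `cipherTextHandler.seal( serverKey, ... )` is called, far from the cause. VerifyEncryptedTimestamp in this same commit guards the equivalent lookup with `if ( clientKey == null )`, so this site should fail fast the same way, e.g. `if ( serverKey == null ) { throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP ); }` immediately after the lookup. The same unguarded lookup is made in ticketgrant/GenerateTicket.java in the `@@ -62,7 +65,10 @@` hunk (`tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType )`) and needs the same check. The body of `execute` continues outside this hunk.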
@@ -138,9 +145,9 @@
          endif
          */
 
-        if ( tempRtime == 0 )
+        if ( tempRtime == 0 || request.getRtime() == null )
         {
-            tempRtime = Long.MAX_VALUE;
+            tempRtime = request.getTill().getTime();
         }
         else
         {
@@ -172,7 +179,7 @@
 
         EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
 
-        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart );
+        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2
);
 
         Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
         newTicket.setEncTicketPart( ticketPart );
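Review bot: The `KeyUsage.NUMBERn` constants are opaque at the call site; a reader cannot tell whether `NUMBER2` is the right usage for this seal without opening RFC 4120 §7.5.1, and a wrong usage number silently produces ciphertext that a conforming client rejects. Add a one-line comment at each seal/unseal call naming the usage, here `// RFC 4120 §7.5.1 usage 2: ticket enc-part under the service's long-term key`, and likewise `usage 3` in authentication/SealReply, `usage 1` in VerifyEncryptedTimestamp and sam/TimestampChecker, and `usage 8`/`usage 9` in ticketgrant/SealReply. This hunk's usage 2 with the server key matches the RFC. The enclosing `execute` starts and ends outside this hunk.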

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
Sun May  6 17:31:50 2007
@@ -21,6 +21,7 @@
 
 
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
@@ -36,6 +37,7 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute(
getContextKey() );
@@ -44,7 +46,7 @@
         EncryptionKey clientKey = authContext.getClientKey();
         CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
 
-        EncryptedData encryptedData = cipherTextHandler.seal( clientKey, reply );
+        EncryptedData encryptedData = cipherTextHandler.seal( clientKey, reply, KeyUsage.NUMBER3
);
         reply.setEncPart( encryptedData );
 
         next.execute( session, message );

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
Sun May  6 17:31:50 2007
@@ -25,6 +25,8 @@
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
@@ -76,7 +78,8 @@
                     + " has no SAM type: proceeding with standard pre-authentication" );
             }
 
-            clientKey = clientEntry.getEncryptionKey();
+            EncryptionType encryptionType = authContext.getEncryptionType();
+            clientKey = clientEntry.getKeyMap().get( encryptionType );
 
             if ( clientKey == null )
             {
@@ -89,7 +92,8 @@
 
                 if ( preAuthData == null )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
config.getEncryptionTypes() ) );
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                        preparePreAuthenticationError( config.getEncryptionTypes() ) );
                 }
 
                 EncryptedTimeStamp timestamp = null;
@@ -113,14 +117,15 @@
                             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY
);
                         }
 
-                        timestamp = ( EncryptedTimeStamp ) cipherTextHandler.unseal( EncryptedTimeStamp.class,
clientKey,
-                            dataValue );
+                        timestamp = ( EncryptedTimeStamp ) cipherTextHandler.unseal( EncryptedTimeStamp.class,
+                            clientKey, dataValue, KeyUsage.NUMBER1 );
                     }
                 }
 
                 if ( timestamp == null )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
config.getEncryptionTypes() ) );
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                        preparePreAuthenticationError( config.getEncryptionTypes() ) );
                 }
 
                 if ( !timestamp.getTimeStamp().isInClockSkew( config.getClockSkew() ) )

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
Sun May  6 17:31:50 2007
@@ -28,6 +28,8 @@
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
@@ -53,6 +55,7 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute(
getContextKey() );
@@ -62,7 +65,10 @@
         Authenticator authenticator = tgsContext.getAuthenticator();
         CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
-        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getEncryptionKey();
+
+        EncryptionType encryptionType = tgsContext.getEncryptionType();
+        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get(
encryptionType );
+
         KdcConfiguration config = tgsContext.getConfig();
         EncryptionKey sessionKey = tgsContext.getSessionKey();
 
@@ -77,8 +83,8 @@
 
         if ( request.getEncAuthorizationData() != null )
         {
-            AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal(
AuthorizationData.class, authenticator
-                .getSubSessionKey(), request.getEncAuthorizationData() );
+            AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal(
AuthorizationData.class,
+                authenticator.getSubSessionKey(), request.getEncAuthorizationData(), KeyUsage.NUMBER4
);
             authData.add( tgt.getAuthorizationData() );
             newTicketBody.setAuthorizationData( authData );
         }
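Review bot: The `unseal` of the request's authorization data always passes `authenticator.getSubSessionKey()` together with `KeyUsage.NUMBER4`, but RFC 4120 §7.5.1 assigns usage 4 to authorization data encrypted with the TGS session key and usage 5 to authorization data encrypted with the authenticator subkey, so the key and usage do not match each other. In addition, ticketgrant/SealReply in this same commit treats the subkey as optional (`if ( authenticator.getSubSessionKey() != null )`), so when no subkey is present this line hands a null key to `unseal`. Select the key and usage together: subkey present → subkey with usage 5, otherwise the ticket session key (`tgt.getSessionKey()`, as SealReply already uses) with usage 4. I am assuming the KeyUsage class defines `NUMBER5` alongside the `NUMBER4`/`NUMBER8`/`NUMBER9` constants used in this commit; confirm before applying. The enclosing `execute` continues outside this hunk.
```java
        if ( request.getEncAuthorizationData() != null )
        {
            // RFC 4120 §7.5.1: usage 5 when the client encrypted the authorization
            // data with the authenticator subkey, usage 4 when it used the TGS session key.
            EncryptionKey authDataKey = authenticator.getSubSessionKey();
            KeyUsage authDataUsage = KeyUsage.NUMBER5;

            if ( authDataKey == null )
            {
                authDataKey = tgt.getSessionKey();
                authDataUsage = KeyUsage.NUMBER4;
            }

            AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal( AuthorizationData.class,
                authDataKey, request.getEncAuthorizationData(), authDataUsage );
            // … unchanged: merge with tgt authorization data, set on new ticket body …
        }
```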
@@ -105,7 +111,7 @@
             throw new KerberosException( ErrorType.KDC_ERR_SVC_UNAVAILABLE );
         }
 
-        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart );
+        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2
);
 
         Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
         newTicket.setEncTicketPart( ticketPart );

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java
Sun May  6 17:31:50 2007
@@ -21,6 +21,7 @@
 
 
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
@@ -37,6 +38,7 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute(
getContextKey() );
@@ -50,11 +52,11 @@
 
         if ( authenticator.getSubSessionKey() != null )
         {
-            encryptedData = cipherTextHandler.seal( authenticator.getSubSessionKey(), reply
);
+            encryptedData = cipherTextHandler.seal( authenticator.getSubSessionKey(), reply,
KeyUsage.NUMBER9 );
         }
         else
         {
-            encryptedData = cipherTextHandler.seal( tgt.getSessionKey(), reply );
+            encryptedData = cipherTextHandler.seal( tgt.getSessionKey(), reply, KeyUsage.NUMBER8
);
         }
 
         reply.setEncPart( encryptedData );

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
Sun May  6 17:31:50 2007
@@ -27,6 +27,7 @@
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -78,7 +79,7 @@
                 + authenticatorChecksum.getChecksumType() + "'." );
         }
 
-        checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null );
+        checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8
);
 
         next.execute( session, message );
     }
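Review bot: `KeyUsage.NUMBER8` is the TGS-REP enc-part usage, but the checksum being verified here is the TGS-REQ authenticator's checksum over the KDC-REQ-BODY, which RFC 4120 §7.5.1 assigns usage 6 keyed with the TGS session key. The key argument is also still `null`, so for keyed checksum types the verification cannot actually bind the body to the session key, and the usage number is irrelevant until a key is supplied. Change the call to pass the ticket session key and usage 6, `checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, <tgs-session-key>, KeyUsage.NUMBER6 );`, where the session key is the one the sibling ticketgrant commands obtain from TicketGrantingContext (`tgt.getSessionKey()` in SealReply); I am assuming `KeyUsage.NUMBER6` exists alongside the constants this commit uses. The enclosing method starts outside this hunk.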

Modified: directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/TimestampChecker.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/TimestampChecker.java?view=diff&rev=535693&r1=535692&r2=535693
==============================================================================
--- directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/TimestampChecker.java
(original)
+++ directory/apacheds/branches/kerberos-encryption-types/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/TimestampChecker.java
Sun May  6 17:31:50 2007
@@ -24,8 +24,9 @@
 
 import javax.security.auth.kerberos.KerberosKey;
 
-import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
@@ -58,7 +59,7 @@
             // Decrypt the EncryptedData structure to get the PA-ENC-TS-ENC
             // Decode the decrypted timestamp into our timestamp object.
             EncryptedTimeStamp timestamp = ( EncryptedTimeStamp ) cipherTextHandler.unseal(
EncryptedTimeStamp.class, key,
-                sadValue );
+                sadValue, KeyUsage.NUMBER1 );
 
             // Since we got here we must have a valid timestamp structure that we can
             // validate to be within a five minute skew.


