directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kayyag...@apache.org
Subject svn commit: r1042354 - /directory/apacheds/branches/apacheds-kerberos-codec-2.0/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
Date Sun, 05 Dec 2010 13:58:00 GMT
Author: kayyagari
Date: Sun Dec  5 13:57:59 2010
New Revision: 1042354

URL: http://svn.apache.org/viewvc?rev=1042354&view=rev
Log:
o fixed many compiler errors

Modified:
    directory/apacheds/branches/apacheds-kerberos-codec-2.0/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java

Modified: directory/apacheds/branches/apacheds-kerberos-codec-2.0/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos-codec-2.0/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java?rev=1042354&r1=1042353&r2=1042354&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos-codec-2.0/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
(original)
+++ directory/apacheds/branches/apacheds-kerberos-codec-2.0/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
Sun Dec  5 13:57:59 2010
@@ -31,6 +31,7 @@ import javax.security.auth.kerberos.Kerb
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.kerberos.kdc.KdcContext;
 import org.apache.directory.server.kerberos.kdc.KdcServer;
+import org.apache.directory.server.kerberos.protocol.KerberosDecoder;
 import org.apache.directory.server.kerberos.shared.KerberosConstants;
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
@@ -39,12 +40,13 @@ import org.apache.directory.server.kerbe
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
 import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
-import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
+import org.apache.directory.shared.kerberos.KerberosMessageType;
 import org.apache.directory.shared.kerberos.KerberosTime;
 import org.apache.directory.shared.kerberos.KerberosUtils;
+import org.apache.directory.shared.kerberos.codec.options.ApOptions;
 import org.apache.directory.shared.kerberos.codec.options.KdcOptions;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
 import org.apache.directory.shared.kerberos.codec.types.PaDataType;
@@ -62,6 +64,7 @@ import org.apache.directory.shared.kerbe
 import org.apache.directory.shared.kerberos.components.PrincipalName;
 import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
 import org.apache.directory.shared.kerberos.exceptions.ErrorType;
+import org.apache.directory.shared.kerberos.exceptions.InvalidTicketException;
 import org.apache.directory.shared.kerberos.flags.TicketFlag;
 import org.apache.directory.shared.kerberos.messages.Authenticator;
 import org.apache.directory.shared.kerberos.messages.EncTgsRepPart;
@@ -217,7 +220,7 @@ public class TicketGrantingService
             throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
         }
 
-        String tgtServerName = tgt.getServerPrincipal().getName();
+        String tgtServerName = tgt.getSName().getNameString();
         String requestServerName = tgsContext.getRequest().getKdcReqBody().getSName().getNameString();
 
         /*
@@ -234,10 +237,11 @@ public class TicketGrantingService
     
     private static void getTicketPrincipalEntry( TicketGrantingContext tgsContext ) throws
KerberosException
     {
-        KerberosPrincipal principal = tgsContext.getTgt().getServerPrincipal();
+        PrincipalName principal = tgsContext.getTgt().getSName();
         PrincipalStore store = tgsContext.getStore();
-
-        PrincipalStoreEntry entry = KerberosUtils.getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN
);
+        
+        KerberosPrincipal principalWithRealm = KerberosUtils.getKerberosPrincipal( principal,
tgsContext.getTgt().getRealm() );
+        PrincipalStoreEntry entry = getEntry( principalWithRealm, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN
);
         tgsContext.setTicketPrincipalEntry( entry );
     }
 
@@ -258,7 +262,7 @@ public class TicketGrantingService
         InetAddress clientAddress = tgsContext.getClientAddress();
         CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
 
-        Authenticator authenticator = KerberosUtils.verifyAuthHeader( authHeader, tgt, serverKey,
clockSkew, replayCache,
+        Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew,
replayCache,
             emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER7, isValidate
);
 
         tgsContext.setAuthenticator( authenticator );
@@ -271,7 +275,7 @@ public class TicketGrantingService
 
         if ( config.isBodyChecksumVerified() )
         {
-            byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
+            byte[] bodyBytes = tgsContext.getRequest().getKdcReqBody().getBodyBytes();
             Checksum authenticatorChecksum = tgsContext.getAuthenticator().getCksum();
 
             if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType()
== null
@@ -293,12 +297,12 @@ public class TicketGrantingService
             tgsContext.getRequest().getKdcReqBody().getSName(), tgsContext.getRequest().getKdcReqBody().getRealm()
);
         PrincipalStore store = tgsContext.getStore();
 
-        PrincipalStoreEntry entry = KerberosUtils.getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN
);
+        PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN
);
         tgsContext.setRequestPrincipalEntry( entry );
     }
 
     
-    private static void generateTicket( TicketGrantingContext tgsContext ) throws KerberosException
+    private static void generateTicket( TicketGrantingContext tgsContext ) throws KerberosException,
InvalidTicketException
     {
         KdcReq request = tgsContext.getRequest();
         Ticket tgt = tgsContext.getTgt();
@@ -312,30 +316,28 @@ public class TicketGrantingService
 
         KdcServer config = tgsContext.getConfig();
 
-        EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+        EncTicketPart newTicketPart = new EncTicketPart();
 
-        newTicketBody.setClientAddresses( tgt.getEncTicketPart().getClientAddresses() );
+        newTicketPart.setClientAddresses( tgt.getEncTicketPart().getClientAddresses() );
 
-        processFlags( config, request, tgt, newTicketBody );
+        processFlags( config, request, tgt, newTicketPart );
 
         EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( tgsContext.getEncryptionType()
);
-        newTicketBody.setSessionKey( sessionKey );
+        newTicketPart.setKey( sessionKey );
 
-        newTicketBody.setClientPrincipal( tgt.getEncTicketPart().getCName() );
+        newTicketPart.setCName( tgt.getEncTicketPart().getCName() );
 
         if ( request.getKdcReqBody().getEncAuthorizationData() != null )
         {
-            AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal(
AuthorizationData.class,
-                authenticator.getSubKey(), request.getKdcReqBody().getEncAuthorizationData(),
KeyUsage.NUMBER4 );
-            authData.addEntry( tgt.getEncTicketPart().getAuthorizationData() );
-            newTicketBody.setAuthorizationData( authData );
+            byte[] authorizationData = cipherTextHandler.decrypt( authenticator.getSubKey(),
request.getKdcReqBody().getEncAuthorizationData(), KeyUsage.NUMBER4 );
+            AuthorizationData authData = KerberosDecoder.decodeAuthorizationData( authorizationData
); 
+            authData.addEntry( tgt.getEncTicketPart().getAuthorizationData().getCurrentAD()
);
+            newTicketPart.setAuthorizationData( authData );
         }
 
-        processTransited( newTicketBody, tgt );
-
-        processTimes( config, request, newTicketBody, tgt );
+        processTransited( newTicketPart, tgt );
 
-        EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+        processTimes( config, request, newTicketPart, tgt );
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
         {
@@ -355,10 +357,9 @@ public class TicketGrantingService
         }
         else
         {
-            EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart,
KeyUsage.NUMBER2 );
+            EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart,
KeyUsage.NUMBER2 );
 
-            Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
-            newTicket.setEncTicketPart( ticketPart );
+            Ticket newTicket = new Ticket( request.getKdcReqBody().getSName(), encryptedData
);
 
             tgsContext.setNewTicket( newTicket );
         }
@@ -513,11 +514,11 @@ public class TicketGrantingService
 
     
     private static void processFlags( KdcServer config, KdcReq request, Ticket tgt,
-        EncTicketPartModifier newTicketBody ) throws KerberosException
+        EncTicketPart newTicketPart ) throws KerberosException
     {
         if ( tgt.getEncTicketPart().getFlags().isPreAuth() )
         {
-            newTicketBody.setFlag( TicketFlag.PRE_AUTHENT );
+            newTicketPart.setFlag( TicketFlag.PRE_AUTHENT );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDABLE ) )
@@ -532,7 +533,7 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
             }
 
-            newTicketBody.setFlag( TicketFlag.FORWARDABLE );
+            newTicketPart.setFlag( TicketFlag.FORWARDABLE );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDED ) )
@@ -550,7 +551,7 @@ public class TicketGrantingService
             if ( request.getKdcReqBody().getAddresses() != null && request.getKdcReqBody().getAddresses().getAddresses()
!= null
                 && request.getKdcReqBody().getAddresses().getAddresses().length >
0 )
             {
-                newTicketBody.setClientAddresses( request.getKdcReqBody().getAddresses()
);
+                newTicketPart.setClientAddresses( request.getKdcReqBody().getAddresses()
);
             }
             else
             {
@@ -560,12 +561,12 @@ public class TicketGrantingService
                 }
             }
 
-            newTicketBody.setFlag( TicketFlag.FORWARDED );
+            newTicketPart.setFlag( TicketFlag.FORWARDED );
         }
 
         if ( tgt.getEncTicketPart().getFlags().isForwarded() )
         {
-            newTicketBody.setFlag( TicketFlag.FORWARDED );
+            newTicketPart.setFlag( TicketFlag.FORWARDED );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXIABLE ) )
@@ -580,7 +581,7 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
             }
 
-            newTicketBody.setFlag( TicketFlag.PROXIABLE );
+            newTicketPart.setFlag( TicketFlag.PROXIABLE );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY ) )
@@ -598,7 +599,7 @@ public class TicketGrantingService
             if ( request.getKdcReqBody().getAddresses() != null && request.getKdcReqBody().getAddresses().getAddresses()
!= null
                 && request.getKdcReqBody().getAddresses().getAddresses().length >
0 )
             {
-                newTicketBody.setClientAddresses( request.getKdcReqBody().getAddresses()
);
+                newTicketPart.setClientAddresses( request.getKdcReqBody().getAddresses()
);
             }
             else
             {
@@ -608,7 +609,7 @@ public class TicketGrantingService
                 }
             }
 
-            newTicketBody.setFlag( TicketFlag.PROXY );
+            newTicketPart.setFlag( TicketFlag.PROXY );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ALLOW_POSTDATE ) )
@@ -623,7 +624,7 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
             }
 
-            newTicketBody.setFlag( TicketFlag.MAY_POSTDATE );
+            newTicketPart.setFlag( TicketFlag.MAY_POSTDATE );
         }
 
         /*
@@ -648,10 +649,10 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
             }
 
-            newTicketBody.setFlag( TicketFlag.POSTDATED );
-            newTicketBody.setFlag( TicketFlag.INVALID );
+            newTicketPart.setFlag( TicketFlag.POSTDATED );
+            newTicketPart.setFlag( TicketFlag.INVALID );
 
-            newTicketBody.setStartTime( request.getKdcReqBody().getFrom() );
+            newTicketPart.setStartTime( request.getKdcReqBody().getFrom() );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE ) )
@@ -675,8 +676,8 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
             }
 
-            echoTicket( newTicketBody, tgt );
-            newTicketBody.clearFlag( TicketFlag.INVALID );
+            echoTicket( newTicketPart, tgt );
+            newTicketPart.getFlags().clearFlag( TicketFlag.INVALID );
         }
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_0 ) || 
@@ -705,12 +706,12 @@ public class TicketGrantingService
     }
 
 
-    private static void processTimes( KdcServer config, KdcReq request, EncTicketPartModifier
newTicketBody,
+    private static void processTimes( KdcServer config, KdcReq request, EncTicketPart newTicketPart,
         Ticket tgt ) throws KerberosException
     {
         KerberosTime now = new KerberosTime();
 
-        newTicketBody.setAuthTime( tgt.getEncTicketPart().getAuthTime() );
+        newTicketPart.setAuthTime( tgt.getEncTicketPart().getAuthTime() );
 
         KerberosTime startTime = request.getKdcReqBody().getFrom();
 
@@ -759,9 +760,9 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
             }
 
-            echoTicket( newTicketBody, tgt );
+            echoTicket( newTicketPart, tgt );
 
-            newTicketBody.setStartTime( now );
+            newTicketPart.setStartTime( now );
 
             KerberosTime tgtStartTime = ( tgt.getEncTicketPart().getStartTime() != null )
? 
                 tgt.getEncTicketPart().getStartTime() : 
@@ -770,13 +771,13 @@ public class TicketGrantingService
             long oldLife = tgt.getEncTicketPart().getEndTime().getTime() - tgtStartTime.getTime();
 
             kerberosEndTime = new KerberosTime( Math.min( tgt.getEncTicketPart().getRenewTill().getTime(),
now.getTime() + oldLife ) );
-            newTicketBody.setEndTime( kerberosEndTime );
+            newTicketPart.setEndTime( kerberosEndTime );
         }
         else
         {
-            if ( newTicketBody.getEncTicketPart().getStartTime() == null )
+            if ( newTicketPart.getStartTime() == null )
             {
-                newTicketBody.setStartTime( now );
+                newTicketPart.setStartTime( now );
             }
 
             KerberosTime till;
@@ -800,7 +801,7 @@ public class TicketGrantingService
             minimizer.add( tgt.getEncTicketPart().getEndTime() );
             kerberosEndTime = Collections.min( minimizer );
 
-            newTicketBody.setEndTime( kerberosEndTime );
+            newTicketPart.setEndTime( kerberosEndTime );
 
             if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEWABLE_OK ) &&
kerberosEndTime.lessThan( request.getKdcReqBody().getTill() )
                 && tgt.getEncTicketPart().getFlags().isRenewable() )
@@ -839,7 +840,7 @@ public class TicketGrantingService
                 throw new KerberosException( ErrorType.KDC_ERR_POLICY );
             }
 
-            newTicketBody.setFlag( TicketFlag.RENEWABLE );
+            newTicketPart.setFlag( TicketFlag.RENEWABLE );
 
             /*
              * The renew-till time is the minimum of (a) the requested renew-till
@@ -858,7 +859,7 @@ public class TicketGrantingService
 
             minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumRenewableLifetime()
) );
             minimizer.add( tgt.getEncTicketPart().getRenewTill() );
-            newTicketBody.setRenewTill( Collections.min( minimizer ) );
+            newTicketPart.setRenewTill( Collections.min( minimizer ) );
         }
 
         /*
@@ -892,24 +893,194 @@ public class TicketGrantingService
      *         new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
      * endif
      */    
-    private static void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt
)
+    private static void processTransited( EncTicketPart newTicketPart, Ticket tgt )
     {
         // TODO - currently no transited support other than local
-        newTicketBody.setTransitedEncoding( tgt.getEncTicketPart().getTransitedEncoding()
);
+        newTicketPart.setTransited( tgt.getEncTicketPart().getTransited() );
     }
 
     
-    private static void echoTicket( EncTicketPartModifier newTicketBody, Ticket tgt )
+    private static void echoTicket( EncTicketPart newTicketPart, Ticket tgt )
     {
         EncTicketPart encTicketpart = tgt.getEncTicketPart();
-        newTicketBody.setAuthorizationData( encTicketpart.getAuthorizationData() );
-        newTicketBody.setAuthTime( encTicketpart.getAuthTime() );
-        newTicketBody.setClientAddresses( encTicketpart.getClientAddresses() );
-        newTicketBody.setClientPrincipal( encTicketpart.getCName() );
-        newTicketBody.setEndTime( encTicketpart.getEndTime() );
-        newTicketBody.setFlags( encTicketpart.getFlags() );
-        newTicketBody.setRenewTill( encTicketpart.getRenewTill() );
-        newTicketBody.setSessionKey( encTicketpart.getKey() );
-        newTicketBody.setTransitedEncoding( encTicketpart.getTransitedEncoding() );
+        newTicketPart.setAuthorizationData( encTicketpart.getAuthorizationData() );
+        newTicketPart.setAuthTime( encTicketpart.getAuthTime() );
+        newTicketPart.setClientAddresses( encTicketpart.getClientAddresses() );
+        newTicketPart.setCName( encTicketpart.getCName() );
+        newTicketPart.setEndTime( encTicketpart.getEndTime() );
+        newTicketPart.setFlags( encTicketpart.getFlags() );
+        newTicketPart.setRenewTill( encTicketpart.getRenewTill() );
+        newTicketPart.setKey( encTicketpart.getKey() );
+        newTicketPart.setTransited( encTicketpart.getTransited() );
+    }
+    
+    /**
+     * Get a PrincipalStoreEntry given a principal.  The ErrorType is used to indicate
+     * whether any resulting error pertains to a server or client.
+     *
+     * @param principal
+     * @param store
+     * @param errorType
+     * @return The PrincipalStoreEntry
+     * @throws Exception
+     */
+    public static PrincipalStoreEntry getEntry( KerberosPrincipal principal, PrincipalStore
store, ErrorType errorType )
+        throws KerberosException
+    {
+        PrincipalStoreEntry entry = null;
+
+        try
+        {
+            entry = store.getPrincipal( principal );
+        }
+        catch ( Exception e )
+        {
+            throw new KerberosException( errorType, e );
+        }
+
+        if ( entry == null )
+        {
+            throw new KerberosException( errorType );
+        }
+
+        if ( entry.getKeyMap() == null || entry.getKeyMap().isEmpty() )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
+        }
+
+        return entry;
+    }
+    
+    
+
+    /**
+     * Verifies an AuthHeader using guidelines from RFC 1510 section A.10., "KRB_AP_REQ verification."
+     *
+     * @param authHeader
+     * @param ticket
+     * @param serverKey
+     * @param clockSkew
+     * @param replayCache
+     * @param emptyAddressesAllowed
+     * @param clientAddress
+     * @param lockBox
+     * @param authenticatorKeyUsage
+     * @param isValidate
+     * @return The authenticator.
+     * @throws KerberosException
+     */
+    public static Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket,
EncryptionKey serverKey,
+        long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress
clientAddress,
+        CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate ) throws
KerberosException
+    {
+        if ( authHeader.getProtocolVersionNumber() != KerberosConstants.KERBEROS_V5 )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
+        }
+
+        if ( authHeader.getMessageType() != KerberosMessageType.AP_REQ )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
+        }
+
+        if ( authHeader.getTicket().getTktVno() != KerberosConstants.KERBEROS_V5 )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
+        }
+
+        EncryptionKey ticketKey = null;
+
+        if ( authHeader.getOption( ApOptions.USE_SESSION_KEY ) )
+        {
+            ticketKey = authHeader.getTicket().getEncTicketPart().getKey();
+        }
+        else
+        {
+            ticketKey = serverKey;
+        }
+
+        if ( ticketKey == null )
+        {
+            // TODO - check server key version number, skvno; requires store
+//            if ( false )
+//            {
+//                throw new KerberosException( ErrorType.KRB_AP_ERR_BADKEYVER );
+//            }
+
+            throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
+        }
+        
+        byte[] encTicketPartData = lockBox.decrypt( ticketKey, ticket.getEncPart(), KeyUsage.NUMBER2
);
+        EncTicketPart encPart = KerberosDecoder.decodeEncTicketPart( encTicketPartData );

+        ticket.setEncTicketPart( encPart );
+
+        byte[] authenticatorData = lockBox.decrypt( ticket.getEncTicketPart().getKey(), 
authHeader.getEncPart(), authenticatorKeyUsage );
+        
+        Authenticator authenticator = KerberosDecoder.decodeAuthenticator( authenticatorData
); 
+
+        if ( !authenticator.getCName().getNameString().equals( ticket.getEncTicketPart().getCName().getNameString()
) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
+        }
+
+        if ( ticket.getEncTicketPart().getClientAddresses() != null )
+        {
+            if ( !ticket.getEncTicketPart().getClientAddresses().contains( new HostAddress(
clientAddress ) ) )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
+            }
+        }
+        else
+        {
+            if ( !emptyAddressesAllowed )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
+            }
+        }
+
+        KerberosPrincipal serverPrincipal = KerberosUtils.getKerberosPrincipal( ticket.getSName(),
ticket.getRealm() );
+        KerberosPrincipal clientPrincipal = KerberosUtils.getKerberosPrincipal( authenticator.getCName(),
authenticator.getCRealm() );
+        KerberosTime clientTime = authenticator.getCtime();
+        int clientMicroSeconds = authenticator.getCusec();
+
+        if ( replayCache.isReplay( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds
) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
+        }
+
+        replayCache.save( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds
);
+
+        if ( !authenticator.getCtime().isInClockSkew( clockSkew ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
+        }
+
+        /*
+         * "The server computes the age of the ticket: local (server) time minus
+         * the starttime inside the Ticket.  If the starttime is later than the
+         * current time by more than the allowable clock skew, or if the INVALID
+         * flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned."
+         */
+        KerberosTime startTime = ( ticket.getEncTicketPart().getStartTime() != null ) ? ticket.getEncTicketPart().getStartTime()
: ticket.getEncTicketPart().getAuthTime();
+
+        KerberosTime now = new KerberosTime();
+        boolean isValidStartTime = startTime.lessThan( now );
+
+        if ( !isValidStartTime || ( ticket.getEncTicketPart().getFlags().isInvalid() &&
!isValidate ) )
+        {
+            // it hasn't yet become valid
+            throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
+        }
+
+        // TODO - doesn't take into account skew
+        if ( !ticket.getEncTicketPart().getEndTime().greaterThan( now ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+        }
+
+        authHeader.setOption( ApOptions.MUTUAL_REQUIRED );
+
+        return authenticator;
     }
+
 }



Mime
View raw message