directory-commits mailing list archives

From plusplusjia...@apache.org
Subject directory-kerby git commit: Changes for HAS.
Date Tue, 18 Apr 2017 07:57:43 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk e34b1ef8f -> 17ecdd3f2


Changes for HAS.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/17ecdd3f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/17ecdd3f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/17ecdd3f

Branch: refs/heads/trunk
Commit: 17ecdd3f2541cbf3499c416cb151e8bf48028e95
Parents: e34b1ef
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Tue Apr 18 16:04:15 2017 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Tue Apr 18 16:04:15 2017 +0800

----------------------------------------------------------------------
 .../kerb/server/preauth/token/TokenPreauth.java | 24 ++++++++++++--------
 .../kerberos/kerb/server/request/AsRequest.java | 10 +++++---
 .../kerb/server/request/KdcRequest.java         |  9 ++++++++
 3 files changed, 31 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ecdd3f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index f630b70..b39439e 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -69,12 +69,18 @@ public class TokenPreauth extends AbstractPreauthPlugin {
                 "Token preauth is not allowed.");
         }
         if (paData.getPaDataType() == PaDataType.TOKEN_REQUEST) {
-            EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
-            EncryptionKey clientKey = kdcRequest.getArmorKey();
-            kdcRequest.setClientKey(clientKey);
+            PaTokenRequest paTokenRequest;
+            if (kdcRequest.isHttps()) {
+                paTokenRequest = KrbCodec.decode(paData.getPaDataValue(),
+                    PaTokenRequest.class);
+            } else {
+                EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
+                EncryptionKey clientKey = kdcRequest.getArmorKey();
+                kdcRequest.setClientKey(clientKey);
 
-            PaTokenRequest paTokenRequest = EncryptionUtil.unseal(encData, clientKey,
-                KeyUsage.PA_TOKEN, PaTokenRequest.class);
+                paTokenRequest = EncryptionUtil.unseal(encData, clientKey,
+                    KeyUsage.PA_TOKEN, PaTokenRequest.class);
+            }
 
             KrbTokenBase token = paTokenRequest.getToken();
             List<String> issuers = kdcRequest.getKdcContext().getConfig().getIssuers();
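Review bot: The new `if (kdcRequest.isHttps())` branch never calls `kdcRequest.setClientKey(...)`, while the AsRequest hunk in this same commit now throws when `getClientKey()` returns null. Unless some other code sets the client key for HTTPS requests (nothing in this diff does), a token request on that path would fail when the reply is sealed. The branch also decodes the PA data without the armor-key unseal, so the token request is no longer bound to the armor key and relies entirely on whoever sets the `isHttps` flag. A comment should record that assumption, for example `// HTTPS transport: PA-TOKEN-REQUEST arrives unsealed and relies on TLS; client key is set by <caller>`. The enclosing method starts and ends outside the hunk.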
@@ -83,21 +89,21 @@ public class TokenPreauth extends AbstractPreauthPlugin {
             if (!issuers.contains(issuer)) {
                 throw new KrbException("Unconfigured issuer: " + issuer);
             }
-            
+
             // Configure keys
             TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
             configureKeys(tokenDecoder, kdcRequest, issuer);
-            
+
             AuthToken authToken = null;
             try {
                 authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
-                if (!tokenDecoder.isSigned()) {
+                if (!tokenDecoder.isSigned() && !kdcRequest.isHttps()) {
                     throw new KrbException("Token should be signed.");
                 }
             } catch (IOException e) {
                 throw new KrbException("Decoding failed", e);
             }
-            
+
             if (authToken == null) {
                 throw new KrbException("Token Decoding failed");
             }
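Review bot: The condition `!tokenDecoder.isSigned() && !kdcRequest.isHttps()` lets an unsigned token through whenever the request is flagged as HTTPS. TLS protects the token in transit but does not show who issued it, and the issuer check above appears to rely on a value taken from the token itself (that line is outside the hunk), so an unsigned token's claims would be accepted unverified. The signature requirement should stay independent of transport, i.e. keep `if (!tokenDecoder.isSigned()) {`. If HAS really needs unsigned tokens, gate that on an explicit server configuration option rather than on the transport flag. The enclosing method continues outside the hunk.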

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ecdd3f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index df903a5..66634e6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -133,9 +133,13 @@ public class AsRequest extends KdcRequest {
         reply.setEncPart(encKdcRepPart);
 
         EncryptionKey clientKey = getClientKey();
-        EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
-            clientKey, KeyUsage.AS_REP_ENCPART);
-        reply.setEncryptedEncPart(encryptedData);
+        if (clientKey != null) {
+            EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
+                clientKey, KeyUsage.AS_REP_ENCPART);
+            reply.setEncryptedEncPart(encryptedData);
+        } else {
+            throw new KrbException("Cant't get the client key to encrypt the kdc rep part.");
+        }
 
         if (isPkinit()) {
             reply.setPaData(getPreauthContext().getOutputPaData());
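Review bot: The new exception message contains a typo, `Cant't`; it should read `throw new KrbException("Can't get the client key to encrypt the kdc rep part.");`. The null check would also read flatter as a guard clause, `if (clientKey == null) { throw ... }`, followed by the unconditional `seal` and `setEncryptedEncPart` calls. That keeps the normal path unindented. The enclosing method starts and ends outside the hunk.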

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ecdd3f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 7b4c79d..24a5579 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -99,6 +99,7 @@ public abstract class KdcRequest {
     private boolean isAnonymous = false;
     private EncryptionKey sessionKey;
     private ByteBuffer reqPackage;
+    private boolean isHttps = false;
 
     /**
      * Get session key.
@@ -809,6 +810,14 @@ public abstract class KdcRequest {
         return isToken;
     }
 
+    public boolean isHttps() {
+        return isHttps;
+    }
+
+    public void setHttps(boolean https) {
+        isHttps = https;
+    }
+
     /**
      * Set auth token.
      * @param authToken The auth token
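Review bot: `isHttps()` and `setHttps(boolean)` are added without Javadoc, while the neighbouring accessors in this class have it (`Set auth token.` follows immediately). This flag is security-relevant: elsewhere in this commit it switches off the armor-key unseal and the token signature check in TokenPreauth. The setter's comment should therefore say who may call it, e.g. `/** Mark the request as received over HTTPS; must only be set by the transport layer after the TLS session is established. */`, and the getter `/** Whether this request arrived over the HTTPS transport. */`. Which component actually calls `setHttps` is not visible in this diff, so the wording should be confirmed against that caller.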

