From smish...@apache.org
Subject svn commit: r487127 - in /harmony/enhanced/classlib/trunk/modules/auth/src: main/java/common/javax/security/auth/kerberos/ main/java/common/org/apache/harmony/auth/internal/kerberos/v5/ main/java/common/org/apache/harmony/auth/module/ test/java/common/...
Date Thu, 14 Dec 2006 08:26:07 GMT
Author: smishura
Date: Thu Dec 14 00:26:06 2006
New Revision: 487127

URL: http://svn.apache.org/viewvc?view=rev&rev=487127
Log:
Move KDC/realm environment setup (java.security.krb5.kdc / java.security.krb5.realm system properties) from Krb5LoginModule to KrbClient. Start implementing the TGS protocol.

Added:
    harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KerberosException.java
  (with props)
Modified:
    harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/javax/security/auth/kerberos/KerberosTicket.java
    harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KrbClient.java
    harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/module/Krb5LoginModule.java
    harmony/enhanced/classlib/trunk/modules/auth/src/test/java/common/org/apache/harmony/auth/tests/javax/security/auth/kerberos/KerberosTicketTest.java

Modified: harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/javax/security/auth/kerberos/KerberosTicket.java
URL: http://svn.apache.org/viewvc/harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/javax/security/auth/kerberos/KerberosTicket.java?view=diff&rev=487127&r1=487126&r2=487127
==============================================================================
--- harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/javax/security/auth/kerberos/KerberosTicket.java
(original)
+++ harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/javax/security/auth/kerberos/KerberosTicket.java
Thu Dec 14 00:26:06 2006
@@ -21,12 +21,15 @@
 import java.net.InetAddress;
 import java.util.Arrays;
 import java.util.Date;
+
 import javax.crypto.SecretKey;
 import javax.security.auth.DestroyFailedException;
 import javax.security.auth.Destroyable;
 import javax.security.auth.RefreshFailedException;
 import javax.security.auth.Refreshable;
 
+import org.apache.harmony.auth.internal.kerberos.v5.KerberosException;
+import org.apache.harmony.auth.internal.kerberos.v5.KrbClient;
 import org.apache.harmony.auth.internal.nls.Messages;
 import org.apache.harmony.security.utils.Array;
 
@@ -308,8 +311,11 @@
             throw new RefreshFailedException(Messages.getString("auth.45")); //$NON-NLS-1$
         }
 
-        //TODO: need access to a KDC server          
-        throw new UnsupportedOperationException();
+        try {
+            KrbClient.doTGS();
+        } catch (KerberosException e) {
+            throw new RefreshFailedException(e.getMessage());
+        }
     }
 
     public boolean isCurrent() {
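Review bot: The value of `KrbClient.doTGS()` on the new-side line is discarded, and doTGS in this same commit only calls setEnv() and returns null, so refresh() now returns normally without renewing anything whenever both system properties are set — a caller that watches only for RefreshFailedException will believe the ticket was renewed. Until the TGS exchange actually updates the ticket's fields, a failure here is safer than a silent no-op, e.g. keep throwing after the call: `throw new RefreshFailedException(Messages.getString("auth.45"));` or the previous UnsupportedOperationException. The catch also drops the cause; RefreshFailedException has no cause constructor, but `RefreshFailedException rfe = new RefreshFailedException(e.getMessage()); rfe.initCause(e); throw rfe;` keeps the stack trace. Because KerberosException extends RuntimeException, other runtime failures from setEnv (the unguarded `Integer.parseInt` of the port) bypass this catch entirely. refresh() begins outside the hunk.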

Added: harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KerberosException.java
URL: http://svn.apache.org/viewvc/harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KerberosException.java?view=auto&rev=487127
==============================================================================
--- harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KerberosException.java
(added)
+++ harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KerberosException.java
Thu Dec 14 00:26:06 2006
@@ -0,0 +1,28 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.harmony.auth.internal.kerberos.v5;
+
+public class KerberosException extends RuntimeException {
+
+    public KerberosException() {
+    }
+
+    public KerberosException(String message) {
+        super(message);
+    }
+}
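Review bot: KerberosException extends RuntimeException and offers no `(String, Throwable)` constructor, so the `throws KerberosException` clauses added elsewhere in this commit are not enforced by the compiler, and the IOException caught in KrbClient.doAS can only be flattened to `e.getMessage()`, losing its stack trace. Adding `public KerberosException(String message, Throwable cause) { super(message, cause); }` lets callers preserve the cause. If the intent of declaring it in signatures is that callers must handle it, consider extending Exception instead; either way a class-level Javadoc stating when it is thrown is missing, and a `private static final long serialVersionUID` would silence the serialization warning on a Throwable subclass.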

Propchange: harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KerberosException.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KrbClient.java
URL: http://svn.apache.org/viewvc/harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KrbClient.java?view=diff&rev=487127&r1=487126&r2=487127
==============================================================================
--- harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KrbClient.java
(original)
+++ harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/internal/kerberos/v5/KrbClient.java
Thu Dec 14 00:26:06 2006
@@ -23,7 +23,8 @@
 import java.net.DatagramSocket;
 import java.net.InetAddress;
 
-import javax.crypto.SecretKey;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.harmony.auth.internal.nls.Messages;
 import org.apache.harmony.security.asn1.DerInputStream;
@@ -33,12 +34,47 @@
  */
 public class KrbClient {
 
+    // default kdc server
+    private static final String DEFAULT_KDC = "java.security.krb5.kdc"; //$NON-NLS-1$
+
+    // default realm
+    private static final String DEFAULT_REALM = "java.security.krb5.realm"; //$NON-NLS-1$
+
+    private static String kdc;
+
+    private static String realm;
+
+    private static int port = 88;//default
+
     private static final int BUF_SIZE = 1024;
 
     private KrbClient() {
         // no objects
     }
 
+    private static void setEnv() throws KerberosException {
+        if (kdc != null && realm != null) {
+            return;
+        }
+
+        //TODO put in doPrivileged
+        kdc = System.getProperty(DEFAULT_KDC);
+        realm = System.getProperty(DEFAULT_REALM);
+        if (kdc == null && realm != null || kdc != null && realm == null)
{
+            // both properties should be set or unset together
+            throw new KerberosException();//FIXME message
+        } else if (kdc == null && realm == null) {
+            // reading config from configuration file 'krb5.conf'
+            throw new KerberosException();//FIXME not yet implemented
+        }
+
+        int pos = kdc.indexOf(':');
+        if (pos != -1) {
+            port = Integer.parseInt(kdc.substring(pos + 1));
+            kdc = kdc.substring(0, pos);
+        }
+    }
+
     /**
      * Get credentials from Authentication Service.
      * 
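Review bot: setEnv assigns the `kdc` and `realm` statics before the port is parsed, so if `Integer.parseInt` throws (e.g. `java.security.krb5.kdc=host:abc`) the fields are left as `kdc="host:abc"` with `realm` set, and every later call returns at the early-return check with the unparsed host and port 88 — the misconfiguration is never reported again. The port is also accepted without a range check, so a negative or >65535 value surfaces later from the socket as an IllegalArgumentException rather than a KerberosException. Parse into locals, validate, and publish the statics only once every check has passed; the `//TODO put in doPrivileged` is also worth resolving before this ships, since under a SecurityManager the property reads will fail for sandboxed callers. Note the statics are written without synchronization, so concurrent first calls may observe a half-initialised state.
```java
    private static void setEnv() throws KerberosException {
        if (kdc != null && realm != null) {
            return;
        }

        //TODO put in doPrivileged
        String kdcProp = System.getProperty(DEFAULT_KDC);
        String realmProp = System.getProperty(DEFAULT_REALM);
        // … unchanged: both-or-neither checks on kdcProp/realmProp, throwing KerberosException …

        String host = kdcProp;
        int kdcPort = 88;
        int pos = kdcProp.indexOf(':');
        if (pos != -1) {
            try {
                kdcPort = Integer.parseInt(kdcProp.substring(pos + 1));
            } catch (NumberFormatException e) {
                throw new KerberosException("Invalid KDC port in " + DEFAULT_KDC);
            }
            if (kdcPort < 1 || kdcPort > 65535) {
                throw new KerberosException("KDC port out of range: " + kdcPort);
            }
            host = kdcProp.substring(0, pos);
        }
        // publish only after every check passed
        kdc = host;
        realm = realmProp;
        port = kdcPort;
    }
```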
@@ -48,15 +84,20 @@
      * @param realm - client's realm
      * @return - ticket
      */
-    public static KDCReply doAS(InetAddress address, int port,
-            PrincipalName cname, String realm, PrincipalName sname,
-            SecretKey key) {
+    public static KDCReply doAS(PrincipalName cname, char[] password)
+            throws KerberosException {
+
+        setEnv();
+
+        PrincipalName sname = new PrincipalName(PrincipalName.NT_SRV_XHST,
+                new String[] { "krbtgt", realm }); //$NON-NLS-1$
 
         KDCRequest request = new KDCRequest(KDCRequest.AS_REQ, cname, realm,
                 sname);
 
         try {
-            DatagramSocket socket = request.send(address, port);
+            DatagramSocket socket = request.send(InetAddress.getByName(kdc),
+                    port);
 
             ByteArrayOutputStream out = new ByteArrayOutputStream(BUF_SIZE);
 
@@ -76,21 +117,31 @@
             if (in.tag == KDCReply.AS_REP_ASN1.constrId) { //TODO AS reply
                 KDCReply reply = (KDCReply) KDCReply.AS_REP_ASN1.decode(in);
 
+                KerberosKey key = new KerberosKey(new KerberosPrincipal(cname
+                        .getName()[0]
+                        + '@' + realm, cname.getType()), password, "DES");
+
                 reply.decrypt(key);
 
                 return reply;
             } else if (in.tag == KerberosErrorMessage.ASN1.constrId) {
                 KerberosErrorMessage errMsg = KerberosErrorMessage.decode(in);
                 // auth.52=Error code: {0}
-                throw new RuntimeException(Messages.getString(
+                throw new KerberosException(Messages.getString(
                         "auth.52", errMsg.getErrorCode())); //$NON-NLS-1$
             } else {
-                new RuntimeException(); //FIXME
+                new KerberosException(); //FIXME
             }
 
         } catch (IOException e) {
-            new RuntimeException(e); //FIXME 
+            new KerberosException(e.getMessage()); //FIXME 
         }
+
+        return null;
+    }
+
+    public static KDCReply doTGS() throws KerberosException {
+        setEnv();
 
         return null;
     }

Modified: harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/module/Krb5LoginModule.java
URL: http://svn.apache.org/viewvc/harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/module/Krb5LoginModule.java?view=diff&rev=487127&r1=487126&r2=487127
==============================================================================
--- harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/module/Krb5LoginModule.java
(original)
+++ harmony/enhanced/classlib/trunk/modules/auth/src/main/java/common/org/apache/harmony/auth/module/Krb5LoginModule.java
Thu Dec 14 00:26:06 2006
@@ -17,7 +17,6 @@
 
 package org.apache.harmony.auth.module;
 
-import java.net.InetAddress;
 import java.util.Map;
 
 import javax.security.auth.DestroyFailedException;
@@ -25,7 +24,6 @@
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.kerberos.KerberosKey;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.kerberos.KerberosTicket;
 import javax.security.auth.login.LoginException;
@@ -37,12 +35,6 @@
 
 public class Krb5LoginModule implements LoginModule {
 
-    // default kdc server
-    private static final String DEFAULT_KDC = "java.security.krb5.kdc"; //$NON-NLS-1$
-
-    // default realm
-    private static final String DEFAULT_REALM = "java.security.krb5.realm"; //$NON-NLS-1$
-
     // client's principal identifier name
     private static final String PRINCIPAL = "principal";//$NON-NLS-1$
 
@@ -85,16 +77,6 @@
     }
 
     public boolean login() throws LoginException {
-        //TODO put in doPrivileged
-        String kdc = System.getProperty(DEFAULT_KDC);
-        String realm = System.getProperty(DEFAULT_REALM);
-        if (kdc == null && realm != null || kdc != null && realm == null)
{
-            // both properties should be set or unset together
-            throw new LoginException();//FIXME message
-        } else if (kdc == null && realm == null) {
-            // reading config from configuration file 'krb5.conf'
-            throw new LoginException();//FIXME not yet implemented
-        }
 
         String name = (String) options.get(PRINCIPAL);
 
@@ -102,31 +84,16 @@
             throw new LoginException();//FIXME check params
         }
 
-        int port = 88;//default
-        int pos = kdc.indexOf(':');
-        if (pos != -1) {
-            port = Integer.parseInt(kdc.substring(pos + 1));
-            kdc = kdc.substring(0, pos);
-        }
-
         PrincipalName cname = new PrincipalName(PrincipalName.NT_UNKNOWN,
                 new String[] { name });
 
-        PrincipalName krbtgt = new PrincipalName(PrincipalName.NT_SRV_XHST,
-                new String[] { "krbtgt", realm }); //$NON-NLS-1$
-
         try {
             // get client's password
             PasswordCallback callback = new PasswordCallback("Password for "
                     + name, false);
             callbackHandler.handle(new Callback[] { callback });
 
-            KerberosKey key = new KerberosKey(new KerberosPrincipal(name + '@'
-                    + realm, KerberosPrincipal.KRB_NT_UNKNOWN), callback
-                    .getPassword(), "DES");
-
-            KDCReply reply = KrbClient.doAS(InetAddress.getByName(kdc), port,
-                    cname, realm, krbtgt, key);
+            KDCReply reply = KrbClient.doAS(cname, callback.getPassword());
 
             // add principal to subject
             String[] pName = reply.getCname().getName();
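Review bot: The char[] returned by `callback.getPassword()` on the new-side line is handed to doAS and never zeroed, and `callback.clearPassword()` is never called, so the plaintext password stays on the heap (PasswordCallback.getPassword returns a copy, so both the copy and the callback's own array persist). Wrap the call in try/finally to clear both, and check the reply for null before `reply.getCname()`, since doAS in this commit returns null on its FIXME paths instead of throwing. The surrounding `try` block's catch clauses are outside the hunk; `java.util.Arrays` would need importing.
```java
            char[] password = callback.getPassword();
            KDCReply reply;
            try {
                reply = KrbClient.doAS(cname, password);
            } finally {
                if (password != null) {
                    Arrays.fill(password, '\0');
                }
                callback.clearPassword();
            }
            if (reply == null) {
                throw new LoginException();//FIXME message
            }
            // … unchanged: build client principal from reply.getCname() …
```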
@@ -139,8 +106,8 @@
             buf.append('@');
             buf.append(reply.getCrealm());
 
-            client = new KerberosPrincipal(buf.toString(),
-                    reply.getCname().getType());
+            client = new KerberosPrincipal(buf.toString(), reply.getCname()
+                    .getType());
 
             // add ticket to private credentials
             byte[] ticket = reply.getTicket().getEncoded();
@@ -163,10 +130,9 @@
 
             boolean[] flags = reply.getFlags().toBooleanArray();
 
-            krbTicket = new KerberosTicket(ticket, client,
-                    server, sessionKey, keyType, flags, reply.getAuthtime(),
-                    reply.getStarttime(), reply.getEndtime(), reply
-                            .getRenewtill(),
+            krbTicket = new KerberosTicket(ticket, client, server, sessionKey,
+                    keyType, flags, reply.getAuthtime(), reply.getStarttime(),
+                    reply.getEndtime(), reply.getRenewtill(),
                     //TODO InetAddress[] clientAddresses
                     null);
 

Modified: harmony/enhanced/classlib/trunk/modules/auth/src/test/java/common/org/apache/harmony/auth/tests/javax/security/auth/kerberos/KerberosTicketTest.java
URL: http://svn.apache.org/viewvc/harmony/enhanced/classlib/trunk/modules/auth/src/test/java/common/org/apache/harmony/auth/tests/javax/security/auth/kerberos/KerberosTicketTest.java?view=diff&rev=487127&r1=487126&r2=487127
==============================================================================
--- harmony/enhanced/classlib/trunk/modules/auth/src/test/java/common/org/apache/harmony/auth/tests/javax/security/auth/kerberos/KerberosTicketTest.java
(original)
+++ harmony/enhanced/classlib/trunk/modules/auth/src/test/java/common/org/apache/harmony/auth/tests/javax/security/auth/kerberos/KerberosTicketTest.java
Thu Dec 14 00:26:06 2006
@@ -24,13 +24,20 @@
 
 import javax.crypto.SecretKey;
 import javax.security.auth.RefreshFailedException;
+import javax.security.auth.kerberos.KerberosKey;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.kerberos.KerberosTicket;
 
 import junit.framework.TestCase;
 
+import org.apache.harmony.auth.tests.support.TestUtils;
+
 public class KerberosTicketTest extends TestCase {
 
+    private static final String ENV_KDC = "java.security.krb5.kdc";
+
+    private static final String ENV_REALM = "java.security.krb5.realm";
+
     // ticket's ASN.1 encoding  
     private static final byte[] ticket = { 0x01, 0x02, 0x03, 0x04 };
 
@@ -49,7 +56,7 @@
 
     // number of flags used by Kerberos protocol
     private static final int FLAGS_NUM = 32;
-    
+
     private static final boolean[] flags = { true, false, true, false, true,
             false, true, false, true, false, true, false, };
 
@@ -442,7 +449,9 @@
                 true // hw-authent 
         };
 
-        // test: should not renew ticket because renewTill < current time 
+        //
+        // test: should not renew ticket because renewTill < current time
+        //
         Date newRenewTill = new Date((new Date()).getTime() - 3600000);
 
         KerberosTicket krbTicket = new KerberosTicket(ticket, pClient, pServer,
@@ -455,21 +464,116 @@
             fail("No expected RefreshFailedException");
         } catch (RefreshFailedException e) {
         }
-        
+
+        //
         // test: should not renew ticket because renewable flag is false
+        //
         newRenewTill = new Date((new Date()).getTime() + 3600000);
         myFlags[8] = false;
 
-        krbTicket = new KerberosTicket(ticket, pClient, pServer, sessionKey,
+        krbTicket = new KerberosTicket(encTicket, pClient, pServer, sessionKey,
                 KEY_TYPE, myFlags, // <=== we test this: it is not renewable
                 authTime, startTime, endTime, newRenewTill, addesses);
-        
+
         try {
             krbTicket.refresh();
             fail("No expected RefreshFailedException");
         } catch (RefreshFailedException e) {
         }
-        
+
+        //
+        // test: dependency on system props 'kdc' and 'realm'
+        //
+
+        // verify that env. is clean
+        assertNull(System.getProperty(ENV_KDC));
+        assertNull(System.getProperty(ENV_REALM));
+
+        // create real DES key
+        byte[] newSessionKey = new KerberosKey(new KerberosPrincipal(
+                "me@MY.REALM"), "pwd".toCharArray(), "DES").getEncoded();
+
+        myFlags[8] = true;
+        krbTicket = new KerberosTicket(encTicket, pClient, pServer,
+                newSessionKey, KEY_TYPE, myFlags, authTime, startTime, endTime,
+                newRenewTill, addesses);
+
+        // case 1: unset 'kdc' and set 'realm'
+        TestUtils.setSystemProperty(ENV_KDC, "some_value");
+        try {
+            krbTicket.refresh();
+            fail("No expected RefreshFailedException");
+        } catch (RefreshFailedException e) {
+        } finally {
+            TestUtils.setSystemProperty(ENV_KDC, null);
+        }
+
+        // case 2: set 'kdc' and unset 'realm' sys.props
+        TestUtils.setSystemProperty(ENV_REALM, "some_value");
+        try {
+            krbTicket.refresh();
+            fail("No expected RefreshFailedException");
+        } catch (RefreshFailedException e) {
+        } finally {
+            TestUtils.setSystemProperty(ENV_REALM, null);
+        }
+
         // TODO test: ticket refreshing 
     }
+
+    // Hands-created ticket encoding:
+    // - tkt-vno: 5
+    // - realm: 'MY.REALM'
+    // - sname: {type=0, string=krbtgt/MY.REALM}
+    // - enc-part: {etype=3,kvno=1,cipher=0} (i.e. it is empty)
+    private static final byte[] encTicket = {
+            // [APPLICATION 1]
+            (byte) 0x61,
+            (byte) 0x45,
+            // SEQUENCE 
+            (byte) 0x30,
+            (byte) 0x43,
+
+            // tkt-vno [0] INTEGER (5)
+            (byte) 0xa0,
+            (byte) 0x03,
+            (byte) 0x02,
+            (byte) 0x01,
+            (byte) 0x05,
+
+            // realm [1] Realm = 'MY.REALM'
+            (byte) 0xa1, (byte) 0x0a, (byte) 0x1b, (byte) 0x08, (byte) 0x4d,
+            (byte) 0x59, (byte) 0x2e, (byte) 0x52,
+            (byte) 0x45,
+            (byte) 0x41,
+            (byte) 0x4c,
+            (byte) 0x4d,
+
+            // sname [2] PrincipalName
+            (byte) 0xa2,
+            (byte) 0x1d,
+            (byte) 0x30,
+            (byte) 0x1b,
+            // name-type
+            (byte) 0xa0, (byte) 0x03,
+            (byte) 0x02,
+            (byte) 0x01,
+            (byte) 0x00,
+            // name-string: SEQUENCE OF krbtgt/MY.REALM
+            (byte) 0xa1, (byte) 0x14, (byte) 0x30, (byte) 0x12, (byte) 0x1b,
+            (byte) 0x06, (byte) 0x6b, (byte) 0x72, (byte) 0x62, (byte) 0x74,
+            (byte) 0x67, (byte) 0x74, (byte) 0x1b, (byte) 0x08, (byte) 0x4d,
+            (byte) 0x59, (byte) 0x2e, (byte) 0x52, (byte) 0x45, (byte) 0x41,
+            (byte) 0x4c, (byte) 0x4d,
+
+            // enc-part [3] EncryptedData 
+            (byte) 0xa3, (byte) 0x11,
+            // SEQUENCE
+            (byte) 0x30, (byte) 0x0F,
+            // etype
+            (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x03,
+            // kvno
+            (byte) 0xa1, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x01,
+            // cipher  
+            (byte) 0xa2, (byte) 0x03, (byte) 0x04, (byte) 0x01, (byte) 0x00 };
 }
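Review bot: The two case comments are inverted relative to the code: `// case 1: unset 'kdc' and set 'realm'` is followed by `TestUtils.setSystemProperty(ENV_KDC, "some_value")`, and `// case 2: set 'kdc' and unset 'realm' sys.props` sets ENV_REALM; swap them to `// case 1: set 'kdc' and unset 'realm'` and `// case 2: unset 'kdc' and set 'realm'`. Both cases only prove that RefreshFailedException is thrown, not why — once KrbClient's FIXME messages exist, asserting on the message would distinguish the mismatched-properties failure from a failed KDC exchange, which matters because doTGS currently returns null and a future implementation could make "both set" behave very differently. The top-of-test `assertNull` checks on a clean environment are the only guard against ordering with other tests, so they are worth keeping even though the finally blocks restore the properties.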


