# | Location | File | Last Modified |
---|---|---|---|
1 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\krb5 | KrbAsReqBuilder.java | Mon Jan 22 14:46:54 2018 UTC |
2 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\krb5 | KrbAsReqBuilder.java | Wed Sep 12 17:52:07 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 3 | 798 |
Changed | 2 | 4 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | /* | |
2 | * Copyrig ht (c) 201 0, 2012, O racle and/ or its aff iliates. A ll rights reserved. | |
3 | * DO NOT ALTER OR R EMOVE COPY RIGHT NOTI CES OR THI S FILE HEA DER. | |
4 | * | |
5 | * This co de is free software; you can r edistribut e it and/o r modify i t | |
6 | * under t he terms o f the GNU General Pu blic Licen se version 2 only, a s | |
7 | * publish ed by the Free Softw are Founda tion. Ora cle design ates this | |
8 | * particu lar file a s subject to the "Cl asspath" e xception a s provided | |
9 | * by Orac le in the LICENSE fi le that ac companied this code. | |
10 | * | |
11 | * This co de is dist ributed in the hope that it wi ll be usef ul, but WI THOUT | |
12 | * ANY WAR RANTY; wit hout even the implie d warranty of MERCHA NTABILITY or | |
13 | * FITNESS FOR A PAR TICULAR PU RPOSE. Se e the GNU General Pu blic Licen se | |
14 | * version 2 for mor e details (a copy is included in the LIC ENSE file that | |
15 | * accompa nied this code). | |
16 | * | |
17 | * You sho uld have r eceived a copy of th e GNU Gene ral Public License v ersion | |
18 | * 2 along with this work; if not, write to the Fr ee Softwar e Foundati on, | |
19 | * Inc., 5 1 Franklin St, Fifth Floor, Bo ston, MA 0 2110-1301 USA. | |
20 | * | |
21 | * Please contact Or acle, 500 Oracle Par kway, Redw ood Shores , CA 94065 USA | |
22 | * or visi t www.orac le.com if you need a dditional informatio n or have any | |
23 | * questio ns. | |
24 | */ | |
25 | ||
26 | package su n.security .krb5; | |
27 | ||
28 | import jav a.io.IOExc eption; | |
29 | import jav a.util.Arr ays; | |
30 | import jav ax.securit y.auth.ker beros.KeyT ab; | |
31 | import sun .security. jgss.krb5. Krb5Util; | |
32 | import sun .security. krb5.inter nal.HostAd dresses; | |
33 | import sun .security. krb5.inter nal.KDCOpt ions; | |
34 | import sun .security. krb5.inter nal.KRBErr or; | |
35 | import sun .security. krb5.inter nal.Kerber osTime; | |
36 | import sun .security. krb5.inter nal.Krb5; | |
37 | import sun .security. krb5.inter nal.PAData ; | |
38 | import sun .security. krb5.inter nal.crypto .EType; | |
39 | ||
40 | /** | |
41 | * A manag er class f or AS-REQ communicat ions. | |
42 | * | |
43 | * This cl ass does: | |
44 | * 1. Gath er informa tion to cr eate AS-RE Q | |
45 | * 2. Crea te and sen d AS-REQ | |
46 | * 3. Rece ive AS-REP and KRB-E RROR (-KRB _ERR_RESPO NSE_TOO_BI G) and par se them | |
47 | * 4. Emit credentia ls and PW keys (for JAAS store Key=true w ith passwo rd) | |
48 | * | |
49 | * This cl ass does n ot: | |
50 | * 1. Deal with real communica tions (Kdc Comm does it, and TG S-REQ) | |
51 | * a. N ame of KDC s for a re alm | |
52 | * b. S erver avai lability, timeout, U DP or TCP | |
53 | * d. K RB_ERR_RES PONSE_TOO_ BIG | |
54 | * 2. Stor es its own copy of p assword, t his means: | |
55 | * a. D o not chan ge/wipe it before Bu ilder fini sh | |
56 | * b. B uilder wil l not wipe it for yo u | |
57 | * | |
58 | * With th is class: | |
59 | * 1. KrbA sReq has o nly one co nstructor | |
60 | * 2. Krb5 LoginModul e and Kini t call a s ingle buil der | |
61 | * 3. Bett er handlin g of sensi tive info | |
62 | * | |
63 | * @since 1.7 | |
64 | */ | |
65 | ||
66 | public fin al class K rbAsReqBui lder { | |
67 | ||
68 | // Com mon data f or AS-REQ fields | |
69 | privat e KDCOptio ns options ; | |
70 | privat e Principa lName cnam e; | |
71 | privat e Principa lName snam e; | |
72 | privat e Kerberos Time from; | |
73 | privat e Kerberos Time till; | |
74 | privat e Kerberos Time rtime ; | |
75 | privat e HostAddr esses addr esses; | |
76 | ||
77 | // Sec ret source : can't be changed o nce assign ed, only o ne (of the two | |
78 | // sou rces) can be set to non-null | |
79 | privat e final ch ar[] passw ord; | |
80 | privat e final Ke yTab ktab; | |
81 | ||
82 | // Use d to creat e a ENC-TI MESTAMP in the 2nd A S-REQ | |
83 | privat e PAData[] paList; // P A-DATA fro m both KRB -ERROR and AS-REP. | |
84 | // U sed by get Keys() onl y. | |
85 | // O nly AS-REP should be enough pe r RFC, | |
86 | // c ombined in case etyp es are dif ferent. | |
87 | ||
88 | // The generated and recei ved: | |
89 | privat e KrbAsReq req; | |
90 | privat e KrbAsRep rep; | |
91 | ||
92 | privat e static e num State { | |
93 | IN IT, // Initial ized, can still add more initi alization info | |
94 | RE Q_OK, // AS-REQ performed | |
95 | DE STROYED, // Destroy ed, not us able anymo re | |
96 | } | |
97 | privat e State st ate; | |
98 | ||
99 | // Cal led by oth er constru ctors | |
100 | privat e void ini t(Principa lName cnam e) | |
101 | throws K rbExceptio n { | |
102 | th is.cname = cname; | |
103 | st ate = Stat e.INIT; | |
104 | } | |
105 | ||
106 | /** | |
107 | * Cre ates a bui lder to be used by { @code cnam e} with ex isting key s. | |
108 | * | |
109 | * @pa ram cname the client of the AS -REQ. Must not be nu ll. Might have no | |
110 | * rea lm, where default re alm will b e used. Th is realm w ill be the target | |
111 | * rea lm for AS- REQ. I bel ieve a cli ent should only get initial TG T from | |
112 | * its own realm . | |
113 | * @pa ram keys m ust not be null. if empty, mig ht be quit e useless. | |
114 | * Thi s argument will neit her be mod ified nor stored by the method . | |
115 | * @th rows KrbEx ception | |
116 | */ | |
117 | public KrbAsReqB uilder(Pri ncipalName cname, Ke yTab ktab) | |
118 | throws K rbExceptio n { | |
119 | in it(cname); | |
120 | th is.ktab = ktab; | |
121 | th is.passwor d = null; | |
122 | } | |
123 | ||
124 | /** | |
125 | * Cre ates a bui lder to be used by { @code cnam e} with a known pass word. | |
126 | * | |
127 | * @pa ram cname the client of the AS -REQ. Must not be nu ll. Might have no | |
128 | * rea lm, where default re alm will b e used. Th is realm w ill be the target | |
129 | * rea lm for AS- REQ. I bel ieve a cli ent should only get initial TG T from | |
130 | * its own realm . | |
131 | * @pa ram pass m ust not be null. Thi s argument will neit her be mod ified | |
132 | * nor stored by the metho d. | |
133 | * @th rows KrbEx ception | |
134 | */ | |
135 | public KrbAsReqB uilder(Pri ncipalName cname, ch ar[] pass) | |
136 | throws K rbExceptio n { | |
137 | in it(cname); | |
138 | th is.passwor d = pass.c lone(); | |
139 | th is.ktab = null; | |
140 | } | |
141 | ||
142 | /** | |
143 | * Retrieve s an array of PW keys for t he client. This is u sed when | |
144 | * the client su pplies pas sword but need keys to act as an accepto r. For | |
145 | * an initiator, it must b e called a fter AS-RE Q is perfo rmed (stat e is OK). | |
146 | * For an accept or, it can be called when this KrbAsReqB uilder obj ect is | |
147 | * con structed ( state is I NIT). | |
148 | * @pa ram isInit iator if t he caller is an init iator | |
149 | * @re turn gener ated keys from passw ord. PA-DA TA from se rver might be used. | |
150 | * All "default_ tkt_enctyp es" keys w ill be gen erated, Ne ver null. | |
151 | * @th rows Illeg alStateExc eption if not constr ucted from a passwor d | |
152 | * @th rows KrbEx ception | |
153 | */ | |
154 | public Encryptio nKey[] get Keys(boole an isIniti ator) thro ws KrbExce ption { | |
155 | ch eckState(i sInitiator ?State.REQ _OK:State. INIT, "Can not get ke ys"); | |
156 | if (password != null) { | |
157 | int[] eT ypes = ETy pe.getDefa ults("defa ult_tkt_en ctypes"); | |
158 | Encrypti onKey[] re sult = new Encryptio nKey[eType s.length]; | |
159 | ||
160 | /* | |
161 | * Retur ns an arra y of keys. Before Kr bAsReqBuil der, all e types | |
162 | * use t he same sa lt which i s either t he default one or a new salt | |
163 | * comin g from PA- DATA. Afte r KrbAsReq Builder, e ach etype uses its | |
164 | * own n ew salt fr om PA-DATA . For an e type with no PA-DATA new salt | |
165 | * at al l, what sa lt should it use? | |
166 | * | |
167 | * Commo nly, the s tored keys are only to be used by an acc eptor to | |
168 | * decry pt service ticket in AP-REQ. M ost impls only allow keys | |
169 | * from a keytab o n acceptor , but unfo rtunately (?) Java s upports | |
170 | * accep tor using password. In this ca se, if the service t icket is | |
171 | * encry pted using an etype which we d on't have PA-DATA ne w salt, | |
172 | * using the defau lt salt mi ght be wro ng (say, c ase-insens itive | |
173 | * user name). Ins tead, we w ould use t he new sal t of anoth er etype. | |
174 | */ | |
175 | ||
176 | String s alt = null ; // t he saved n ew salt | |
177 | try { | |
178 | for (int i=0; i<eTypes.l ength; i++ ) { | |
179 | // First r ound, only calculate those hav e a PA ent ry | |
180 | PAData.Sal tAndParams snp = | |
181 | PA Data.getSa ltAndParam s(eTypes[i ], paList) ; | |
182 | if (snp != null) { | |
183 | // Nev er uses a salt for r c4-hmac, i t does not use | |
184 | // a s alt at all | |
185 | if (eT ypes[i] != Encrypted Data.ETYPE _ARCFOUR_H MAC && | |
186 | snp.salt != null) { | |
187 | sa lt = snp.s alt; | |
188 | } | |
189 | result [i] = Encr yptionKey. acquireSec retKey(cna me, | |
190 | password , | |
191 | eTypes[i ], | |
192 | snp); | |
193 | } | |
194 | } | |
195 | // N o new salt from PA, maybe empt y, maybe o nly rc4-hm ac | |
196 | if ( salt == nu ll) salt = cname.get Salt(); | |
197 | for (int i=0; i<eTypes.l ength; i++ ) { | |
198 | // Second round, cal culate tho se with no PA entry | |
199 | if (result [i] == nul l) { | |
200 | result [i] = Encr yptionKey. acquireSec retKey(pas sword, | |
201 | salt, | |
202 | eTypes[i ], | |
203 | null); | |
204 | } | |
205 | } | |
206 | } catch (IOExcepti on ioe) { | |
207 | KrbE xception k e = new Kr bException (Krb5.ASN1 _PARSE_ERR OR); | |
208 | ke.i nitCause(i oe); | |
209 | thro w ke; | |
210 | } | |
211 | return r esult; | |
212 | } else { | |
213 | throw ne w IllegalS tateExcept ion("Requi red passwo rd not pro vided"); | |
214 | } | |
215 | } | |
216 | ||
217 | /** | |
218 | * Set s or clear s options. If cleare d, default options w ill be use d | |
219 | * at creation t ime. | |
220 | * @pa ram option s | |
221 | */ | |
222 | public void setO ptions(KDC Options op tions) { | |
223 | ch eckState(S tate.INIT, "Cannot s pecify opt ions"); | |
224 | th is.options = options ; | |
225 | } | |
226 | ||
227 | /** | |
228 | * Set s or clear s target. If cleared , KrbAsReq might cho ose krbtgt | |
229 | * for cname rea lm | |
230 | * @pa ram sname | |
231 | */ | |
232 | public void setT arget(Prin cipalName sname) { | |
233 | ch eckState(S tate.INIT, "Cannot s pecify tar get"); | |
234 | th is.sname = sname; | |
235 | } | |
236 | ||
237 | /** | |
238 | * Add s or clear s addresse s. KrbAsRe q might ad d some if empty | |
239 | * fie ld not all owed | |
240 | * @pa ram addres ses | |
241 | */ | |
242 | public void setA ddresses(H ostAddress es address es) { | |
243 | ch eckState(S tate.INIT, "Cannot s pecify add resses"); | |
244 | th is.address es = addre sses; | |
245 | } | |
246 | ||
247 | /** | |
248 | * Bui ld a KrbAs Req object from all info fed a bove. Norm ally this method | |
249 | * wil l be calle d twice: i nitial AS- REQ and se cond with pakey | |
250 | * @pa ram key nu ll (initia l AS-REQ) or pakey ( with preau th) | |
251 | * @re turn the K rbAsReq ob ject | |
252 | * @th rows KrbEx ception | |
253 | * @th rows IOExc eption | |
254 | */ | |
255 | privat e KrbAsReq build(Enc ryptionKey key) thro ws KrbExce ption, IOE xception { | |
256 | in t[] eTypes ; | |
257 | if (password != null) { | |
258 | eTypes = EType.get Defaults(" default_tk t_enctypes "); | |
259 | } else { | |
260 | Encrypti onKey[] ks = Krb5Uti l.keysFrom JavaxKeyTa b(ktab, cn ame); | |
261 | eTypes = EType.get Defaults(" default_tk t_enctypes ", | |
262 | ks); | |
263 | for (Enc ryptionKey k: ks) k. destroy(); | |
264 | } | |
265 | re turn new K rbAsReq(ke y, | |
266 | options, | |
267 | cname, | |
268 | sname, | |
269 | from, | |
270 | till, | |
271 | rtime, | |
272 | eTypes, | |
273 | addresse s); | |
274 | } | |
275 | ||
276 | /** | |
277 | * Par ses AS-REP , decrypts enc-part, retrieves ticket an d session key | |
278 | * @th rows KrbEx ception | |
279 | * @th rows Asn1E xception | |
280 | * @th rows IOExc eption | |
281 | */ | |
282 | privat e KrbAsReq Builder re solve() | |
283 | throws K rbExceptio n, Asn1Exc eption, IO Exception { | |
284 | if (ktab != null) { | |
285 | rep.decr yptUsingKe yTab(ktab, req, cnam e); | |
286 | } else { | |
287 | rep.decr yptUsingPa ssword(pas sword, req , cname); | |
288 | } | |
289 | if (rep.getP A() != nul l) { | |
290 | if (paLi st == null || paList .length == 0) { | |
291 | paLi st = rep.g etPA(); | |
292 | } else { | |
293 | int extraLen = rep.getPA ().length; | |
294 | if ( extraLen > 0) { | |
295 | int oldLen = paList. length; | |
296 | paList = A rrays.copy Of(paList, paList.le ngth + ext raLen); | |
297 | System.arr aycopy(rep .getPA(), 0, paList, oldLen, e xtraLen); | |
298 | } | |
299 | } | |
300 | } | |
301 | re turn this; | |
302 | } | |
303 | ||
304 | /** | |
305 | * Com munication until AS- REP or non preauth-r elated KRB -ERROR rec eived | |
306 | * @th rows KrbEx ception | |
307 | * @th rows IOExc eption | |
308 | */ | |
309 | privat e KrbAsReq Builder se nd() throw s KrbExcep tion, IOEx ception { | |
310 | bo olean preA uthFailedO nce = fals e; | |
311 | Kd cComm comm = new Kdc Comm(cname .getRealmA sString()) ; | |
312 | En cryptionKe y pakey = null; | |
313 | wh ile (true) { | |
314 | try { | |
315 | req = build(pa key); | |
316 | rep = new KrbA sRep(comm. send(req.e ncoding()) ); | |
317 | retu rn this; | |
318 | } catch (KrbExcept ion ke) { | |
319 | if ( !preAuthFa iledOnce & & ( | |
320 | ke.ret urnCode() == Krb5.KD C_ERR_PREA UTH_FAILED || | |
321 | ke.ret urnCode() == Krb5.KD C_ERR_PREA UTH_REQUIR ED)) { | |
322 | if (Krb5.D EBUG) { | |
323 | System .out.print ln("KrbAsR eqBuilder: " + | |
324 | "PREAUTH FAILED/RE Q, re-send AS-REQ"); | |
325 | } | |
326 | preAuthFai ledOnce = true; | |
327 | KRBError k err = ke.g etError(); | |
328 | int paETyp e = PAData .getPrefer redEType(k err.getPA( ), | |
329 | ET ype.getDef aults("def ault_tkt_e nctypes")[ 0]); | |
330 | if (passwo rd == null ) { | |
331 | Encryp tionKey[] ks = Krb5U til.keysFr omJavaxKey Tab(ktab, cname); | |
332 | pakey = Encrypti onKey.find Key(paETyp e, ks); | |
333 | if (pa key != nul l) pakey = (Encrypti onKey)pake y.clone(); | |
334 | for (E ncryptionK ey k: ks) k.destroy( ); | |
335 | } else { | |
336 | pakey = Encrypti onKey.acqu ireSecretK ey(cname, | |
337 | password , | |
338 | paEType, | |
339 | PAData.g etSaltAndP arams( | |
340 | paET ype, kerr. getPA())); | |
341 | } | |
342 | paList = k err.getPA( ); // Upd ate curren t paList | |
343 | } el se { | |
344 | throw ke; | |
345 | } | |
346 | } | |
347 | } | |
348 | } | |
349 | ||
350 | /** | |
351 | * Per forms AS-R EQ send an d AS-REP r eceive. | |
352 | * May be a state is needed here, to divide pre pare proce ss and get Creds. | |
353 | * @th rows KrbEx ception | |
354 | * @th rows Asn1E xception | |
355 | * @th rows IOExc eption | |
356 | */ | |
357 | public KrbAsReqB uilder act ion() | |
358 | throws K rbExceptio n, Asn1Exc eption, IO Exception { | |
359 | ch eckState(S tate.INIT, "Cannot c all action "); | |
360 | st ate = Stat e.REQ_OK; | |
361 | re turn send( ).resolve( ); | |
362 | } | |
363 | ||
364 | /** | |
365 | * Get s Credenti als object after act ion | |
366 | */ | |
367 | public Credentia ls getCred s() { | |
368 | ch eckState(S tate.REQ_O K, "Cannot retrieve creds"); | |
369 | re turn rep.g etCreds(); | |
370 | } | |
371 | ||
372 | /** | |
373 | * Get s another type of Cr edentials after acti on | |
374 | */ | |
375 | public sun.secur ity.krb5.i nternal.cc ache.Crede ntials get CCreds() { | |
376 | ch eckState(S tate.REQ_O K, "Cannot retrieve CCreds"); | |
377 | re turn rep.g etCCreds() ; | |
378 | } | |
379 | ||
380 | /** | |
381 | * Des troys the object and clears ke ys and pas sword info . | |
382 | */ | |
383 | public void dest roy() { | |
384 | st ate = Stat e.DESTROYE D; | |
385 | if (password != null) { | |
386 | Arrays.f ill(passwo rd, (char) 0); | |
387 | } | |
388 | } | |
389 | ||
390 | /** | |
391 | * Che cks if the current s tate is th e specifie d one. | |
392 | * @pa ram st the expected state | |
393 | * @pa ram msg er ror messag e if state is not co rrect | |
394 | * @th rows Illeg alStateExc eption if state is n ot correct | |
395 | */ | |
396 | privat e void che ckState(St ate st, St ring msg) { | |
397 | if (state != st) { | |
398 | throw ne w IllegalS tateExcept ion(msg + " at " + s t + " stat e"); | |
399 | } | |
400 | } | |
401 | } |
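Review bot: The preauth key `pakey` that send() acquires on the KDC_ERR_PREAUTH_FAILED/REQUIRED path is never destroyed: the keytab branch clones it out of `ks` before `ks` is wiped, the password branch derives a fresh one, and it is then simply dropped on the successful `return this`, so that key material stays on the heap until garbage collection while the keytab keys, the password and the temporary keys in build() are all cleared explicitly. If KrbAsReq does not keep the reference after the request is encoded (not visible here), the local can be wiped once it is no longer needed, e.g. `if (pakey != null) pakey.destroy();` immediately before `return this;`. This report renders the two files as a single column, so which of the 4 changed lines fall in send() cannot be told from the page; the point applies to the version shown.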