# | Location | File | Last Modified |
---|---|---|---|
1 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\ssl\krb5 | KerberosClientKeyExchangeImpl.java | Mon Jan 22 14:46:54 2018 UTC |
2 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\ssl\krb5 | KerberosClientKeyExchangeImpl.java | Wed Sep 12 17:55:03 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 16 | 894 |
Changed | 15 | 32 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | /* | |
2 | * Copyrig ht (c) 200 3, 2013, O racle and/ or its aff iliates. A ll rights reserved. | |
3 | * DO NOT ALTER OR R EMOVE COPY RIGHT NOTI CES OR THI S FILE HEA DER. | |
4 | * | |
5 | * This co de is free software; you can r edistribut e it and/o r modify i t | |
6 | * under t he terms o f the GNU General Pu blic Licen se version 2 only, a s | |
7 | * publish ed by the Free Softw are Founda tion. Ora cle design ates this | |
8 | * particu lar file a s subject to the "Cl asspath" e xception a s provided | |
9 | * by Orac le in the LICENSE fi le that ac companied this code. | |
10 | * | |
11 | * This co de is dist ributed in the hope that it wi ll be usef ul, but WI THOUT | |
12 | * ANY WAR RANTY; wit hout even the implie d warranty of MERCHA NTABILITY or | |
13 | * FITNESS FOR A PAR TICULAR PU RPOSE. Se e the GNU General Pu blic Licen se | |
14 | * version 2 for mor e details (a copy is included in the LIC ENSE file that | |
15 | * accompa nied this code). | |
16 | * | |
17 | * You sho uld have r eceived a copy of th e GNU Gene ral Public License v ersion | |
18 | * 2 along with this work; if not, write to the Fr ee Softwar e Foundati on, | |
19 | * Inc., 5 1 Franklin St, Fifth Floor, Bo ston, MA 0 2110-1301 USA. | |
20 | * | |
21 | * Please contact Or acle, 500 Oracle Par kway, Redw ood Shores , CA 94065 USA | |
22 | * or visi t www.orac le.com if you need a dditional informatio n or have any | |
23 | * questio ns. | |
24 | */ | |
25 | ||
26 | package su n.security .ssl.krb5; | |
27 | ||
28 | import jav a.io.IOExc eption; | |
29 | import jav a.io.Print Stream; | |
30 | import jav a.security .AccessCon troller; | |
31 | import jav a.security .AccessCon trolContex t; | |
32 | import jav a.security .Privilege dException Action; | |
33 | import jav a.security .Privilege dActionExc eption; | |
34 | import jav a.security .SecureRan dom; | |
35 | import jav a.net.Inet Address; | |
36 | import jav a.security .Privilege dAction; | |
37 | ||
38 | import jav ax.securit y.auth.ker beros.Kerb erosTicket ; | |
39 | import jav ax.securit y.auth.ker beros.Kerb erosKey; | |
40 | import jav ax.securit y.auth.ker beros.Kerb erosPrinci pal; | |
41 | import jav ax.securit y.auth.ker beros.Serv icePermiss ion; | |
42 | import sun .security. jgss.GSSCa ller; | |
43 | ||
44 | import sun .security. krb5.Encry ptionKey; | |
45 | import sun .security. krb5.Encry ptedData; | |
46 | import sun .security. krb5.Princ ipalName; | |
47 | import sun .security. krb5.inter nal.Ticket ; | |
48 | import sun .security. krb5.inter nal.EncTic ketPart; | |
49 | import sun .security. krb5.inter nal.crypto .KeyUsage; | |
50 | ||
51 | import sun .security. jgss.krb5. Krb5Util; | |
52 | import sun .security. jgss.krb5. ServiceCre ds; | |
53 | import sun .security. krb5.KrbEx ception; | |
54 | import sun .security. krb5.inter nal.Krb5; | |
55 | ||
56 | import sun .security. ssl.Debug; | |
57 | import sun .security. ssl.Handsh akeInStrea m; | |
58 | import sun .security. ssl.Handsh akeOutStre am; | |
59 | import sun .security. ssl.Krb5He lper; | |
60 | import sun .security. ssl.Protoc olVersion; | |
61 | ||
62 | /** | |
63 | * This is Kerberos option in the client key excha nge messag e | |
64 | * (CLIENT -> SERVER ). It hold s the Kerb eros ticke t and the encrypted | |
65 | * premast er PW encrypted with the s ession key sealed in the ticke t. | |
66 | * From RF C 2712: | |
67 | * struct | |
68 | * { | |
69 | * opaq ue Ticket; | |
70 | * opaq ue authent icator; / / optional | |
71 | * opaq ue Encrypt edPreMaste rSecret; / / encrypte d with the session k ey | |
72 | * / / which is sealed in the ticke t | |
73 | * } Kerb erosWrappe r; | |
74 | * | |
75 | * | |
76 | * Ticket and authen ticator ar e encrypte d as per R FC 1510 (i n ASN.1) | |
77 | * Encrypt ed pre-mas ter PW has the sa me structu re as it d oes for RS A | |
78 | * except for Kerber os, the en cryption k ey is the session ke y instead of | |
79 | * the RSA public ke y. | |
80 | * | |
81 | * XXX aut henticator currently ignored | |
82 | * | |
83 | */ | |
84 | public fin al class K erberosCli entKeyExch angeImpl | |
85 | extend s sun.secu rity.ssl.K erberosCli entKeyExch ange { | |
86 | ||
87 | privat e Kerberos PreMasterS ecret preM aster; | |
88 | privat e byte[] e ncodedTick et; | |
89 | privat e Kerberos Principal peerPrinci pal; | |
90 | privat e Kerberos Principal localPrinc ipal; | |
91 | ||
92 | public KerberosC lientKeyEx changeImpl () { | |
93 | } | |
94 | ||
95 | /** | |
96 | * Cre ates an in stance of KerberosCl ientKeyExc hange cons isting of the | |
97 | * Kerberos service t icket, aut henticator and encry pted prema ster PW . | |
98 | * Cal led by cli ent handsh aker. | |
99 | * | |
100 | * @pa ram server Name name of server with which to do han dshake; | |
101 | * t his is use d to get t he Kerbero s service ticket | |
102 | * @pa ram protoc olVersion Maximum ve rsion supp orted by c lient (i.e , | |
103 | * vers ion it req uested in client hel lo) | |
104 | * @pa ram rand r andom numb er generat or to use for genera ting pre-m aster | |
105 | * PW | |
106 | */ | |
107 | @Overr ide | |
108 | public void init (String se rverName, | |
109 | Ac cessContro lContext a cc, Protoc olVersion protocolVe rsion, | |
110 | Se cureRandom rand) thr ows IOExce ption { | |
111 | ||
112 | / / Get serv ice ticket | |
113 | K erberosTic ket ticket = getServ iceTicket( serverName , acc); | |
114 | e ncodedTick et = ticke t.getEncod ed(); | |
115 | ||
116 | / / Record t he Kerbero s principa ls | |
117 | p eerPrincip al = ticke t.getServe r(); | |
118 | l ocalPrinci pal = tick et.getClie nt(); | |
119 | ||
120 | / / Optional authentic ator, encr ypted usin g session key, | |
121 | / / currentl y ignored | |
122 | ||
123 | // Generat e premaste r PW and encryp t it using session k ey | |
124 | E ncryptionK ey session Key = new Encryption Key( | |
125 | ticket.get SessionKey Type(), | |
126 | ticket.get SessionKey ().getEnco ded()); | |
127 | ||
128 | p reMaster = new Kerbe rosPreMast erSecret(p rotocolVer sion, | |
129 | rand, s essionKey) ; | |
130 | } | |
131 | ||
132 | /** | |
133 | * Cre ates an in stance of KerberosCl ientKeyExc hange from its ASN.1 encoding. | |
134 | * Used by ServerHand shaker to verify and obtain pr emaster PW . | |
135 | * | |
136 | * @pa ram protoc olVersion current pr otocol ver sion | |
137 | * @pa ram client Version ve rsion requ ested by c lient in i ts ClientH ello; | |
138 | * used by pr emaster PW version ch eck | |
139 | * @pa ram rand r andom numb er generat or used fo r generati ng random | |
140 | * premaster PW if ticket and/or pre master ver ification fails | |
141 | * @pa ram input inputstrea m from whi ch to get ASN.1-enco ded Kerber osWrapper | |
142 | * @pa ram acc th e AccessCo ntrolConte xt of the handshaker | |
143 | * @pa ram servic eCreds ser ver's cred s | |
144 | */ | |
145 | @Overr ide | |
146 | public void init (ProtocolV ersion pro tocolVersi on, | |
147 | Pr otocolVers ion client Version, | |
148 | Se cureRandom rand, Han dshakeInSt ream input , AccessCo ntrolConte xt acc, Ob ject servi ceCreds) | |
149 | th rows IOExc eption { | |
150 | ||
151 | // Read tick et | |
152 | en codedTicke t = input. getBytes16 (); | |
153 | ||
154 | if (debug != null && D ebug.isOn( "verbose") ) { | |
155 | Debug.pr intln(Syst em.out, | |
156 | "enc oded Kerbe ros servic e ticket", encodedTi cket); | |
157 | } | |
158 | ||
159 | En cryptionKe y sessionK ey = null; | |
160 | ||
161 | tr y { | |
162 | Ticket t = new Tic ket(encode dTicket); | |
163 | ||
164 | Encrypte dData encP art = t.en cPart; | |
165 | Principa lName tick etSname = t.sname; | |
166 | ||
167 | final Se rviceCreds creds = ( ServiceCre ds)service Creds; | |
168 | final Ke rberosPrin cipal prin c = | |
169 | new Kerber osPrincipa l(ticketSn ame.toStri ng()); | |
170 | ||
171 | // For b ound servi ce, permis sion alrea dy checked at setup | |
172 | if (cred s.getName( ) == null) { | |
173 | Secu rityManage r sm = Sys tem.getSec urityManag er(); | |
174 | try { | |
175 | if (sm != null) { | |
176 | // Eli minate dep endency on ServicePe rmission | |
177 | sm.che ckPermissi on(Krb5Hel per.getSer vicePermis sion( | |
178 | ticketSn ame.toStri ng(), "acc ept"), acc ); | |
179 | } | |
180 | } ca tch (Secur ityExcepti on se) { | |
181 | serviceCre ds = null; | |
182 | // Do not destroy ke ys. Will a ffect Subj ect | |
183 | if (debug != null && Debug.isO n("handsha ke")) { | |
184 | System .out.print ln("Permis sion to ac cess Kerbe ros" | |
185 | + " PW key denied "); | |
186 | } | |
187 | throw new IOExceptio n("Kerbero s service not allowe dy"); | |
188 | } | |
189 | } | |
190 | Kerberos Key[] serv erKeys = A ccessContr oller.doPr ivileged( | |
191 | new Privil egedAction <KerberosK ey[]>() { | |
192 | @Overr ide | |
193 | public KerberosK ey[] run() { | |
194 | re turn creds .getKKeys( princ); | |
195 | } | |
196 | }); | |
197 | if (serv erKeys.len gth == 0) { | |
198 | thro w new IOEx ception("F ound no ke y for " + princ + | |
199 | (creds .getName() == null ? "" : | |
200 | (", th is keytab is for " + creds.get Name() + " only"))); | |
201 | } | |
202 | ||
203 | /* | |
204 | * permissi on to acce ss and use the PW key of the Kerberize d | |
205 | * "host " service is done in ServerHan dshaker.ge tKerberosK eys() | |
206 | * to ensur e server h as the per mission to use the PW key | |
207 | * befor e promisin g the clie nt | |
208 | */ | |
209 | ||
210 | // See i f we have the right key to dec rypt the t icket to g et | |
211 | // the s ession key . | |
212 | int encP artKeyType = encPart .getEType( ); | |
213 | Integer encPartKey Version = encPart.ge tKeyVersio nNumber(); | |
214 | Kerberos Key dkey = null; | |
215 | try { | |
216 | dkey = findKey (encPartKe yType, enc PartKeyVer sion, serv erKeys); | |
217 | } catch (KrbExcept ion ke) { // a kvno mismatch | |
218 | thro w new IOEx ception( | |
219 | "Canno t find key matching version nu mber", ke) ; | |
220 | } | |
221 | if (dkey == null) { | |
222 | // % %% Should print stri ng repr of etype | |
223 | thro w new IOEx ception("C annot find key of ap propriate type" + | |
224 | " to d ecrypt tic ket - need etype " + encPartKe yType); | |
225 | } | |
226 | ||
227 | Encryption Key PW Key = new Encryption Key( | |
228 | encP artKeyType , | |
229 | dkey .getEncode d()); | |
230 | ||
231 | // Decrypt encPart u sing serve r's PW key | |
232 | byte[] byt es = encPa rt.decrypt ( PW Key, KeyUs age.KU_TIC KET); | |
233 | ||
234 | // Reset data stre am after d ecryption, remove re dundant by tes | |
235 | byte[] t emp = encP art.reset( bytes); | |
236 | EncTicke tPart encT icketPart = new EncT icketPart( temp); | |
237 | ||
238 | // Recor d the Kerb eros Princ ipals | |
239 | peerPrin cipal = | |
240 | new KerberosPr incipal(en cTicketPar t.cname.ge tName()); | |
241 | localPri ncipal = n ew Kerbero sPrincipal (ticketSna me.getName ()); | |
242 | ||
243 | sessionK ey = encTi cketPart.k ey; | |
244 | ||
245 | if (debu g != null && Debug.i sOn("hands hake")) { | |
246 | Syst em.out.pri ntln("serv er princip al: " + ti cketSname) ; | |
247 | Syst em.out.pri ntln("cnam e: " + enc TicketPart .cname.toS tring()); | |
248 | } | |
249 | } catch (IOE xception e ) { | |
250 | throw e; | |
251 | } catch (Exc eption e) { | |
252 | if (debu g != null && Debug.i sOn("hands hake")) { | |
253 | Syst em.out.pri ntln("Kerb erosWrappe r error ge tting sess ion key," | |
254 | + " genera ting rando m PW (" + e.get Message() + ")"); | |
255 | } | |
256 | sessionK ey = null; | |
257 | } | |
258 | ||
259 | in put.getByt es16(); // XXX Rea d and igno re authent icator | |
260 | ||
261 | if (sessionK ey != null ) { | |
262 | preMaste r = new Ke rberosPreM asterSecre t(protocol Version, | |
263 | clie ntVersion, rand, inp ut, sessio nKey); | |
264 | } else { | |
265 | // Generat e bogus pr emaster PW | |
266 | preMaste r = new Ke rberosPreM asterSecre t(clientVe rsion, ran d); | |
267 | } | |
268 | } | |
269 | ||
270 | @Overr ide | |
271 | public int messa geLength() { | |
272 | re turn (6 + encodedTic ket.length + preMast er.getEncr ypted().le ngth); | |
273 | } | |
274 | ||
275 | @Overr ide | |
276 | public void send (Handshake OutStream s) throws IOExceptio n { | |
277 | s. putBytes16 (encodedTi cket); | |
278 | s. putBytes16 (null); // XXX no au thenticato r | |
279 | s. putBytes16 (preMaster .getEncryp ted()); | |
280 | } | |
281 | ||
282 | @Overr ide | |
283 | public void prin t(PrintStr eam s) thr ows IOExce ption { | |
284 | s. println("* ** ClientK eyExchange , Kerberos "); | |
285 | ||
286 | if (debug != null && D ebug.isOn( "verbose") ) { | |
287 | Debug.pr intln(s, " Kerberos s ervice tic ket", enco dedTicket) ; | |
288 | Debug.pr intln(s, " Random Sec ret", preM aster.getU nencrypted ()); | |
289 | Debug.pr intln(s, " Encrypted random Sec ret", | |
290 | preM aster.getE ncrypted() ); | |
291 | } | |
292 | } | |
293 | ||
294 | // Sim ilar to su n.security .jgss.krb5 .Krb5InitC redenetial /Krb5Conte xt | |
295 | privat e static K erberosTic ket getSer viceTicket (String se rverName, | |
296 | fi nal Access ControlCon text acc) throws IOE xception { | |
297 | ||
298 | if ("localho st".equals (serverNam e) || | |
299 | "loc alhost.loc aldomain". equals(ser verName)) { | |
300 | ||
301 | if (debu g != null && Debug.i sOn("hands hake")) { | |
302 | Syst em.out.pri ntln("Get the local hostname") ; | |
303 | } | |
304 | String l ocalHost = java.secu rity.Acces sControlle r.doPrivil eged( | |
305 | new java.secur ity.Privil egedAction <String>() { | |
306 | publ ic String run() { | |
307 | try { | |
308 | return InetAddre ss.getLoca lHost().ge tHostName( ); | |
309 | } catch (j ava.net.Un knownHostE xception e ) { | |
310 | if (de bug != nul l && Debug .isOn("han dshake")) { | |
311 | Sy stem.out.p rintln("Wa rning," | |
312 | + " cann ot get the local hos tname: " | |
313 | + e.getM essage()); | |
314 | } | |
315 | return null; | |
316 | } | |
317 | } | |
318 | }); | |
319 | if (loca lHost != n ull) { | |
320 | serv erName = l ocalHost; | |
321 | } | |
322 | } | |
323 | ||
324 | // Resolve s erverName (possibly in IP addr form) to Kerberos p rincipal | |
325 | // name for service wi th hostnam e | |
326 | St ring servi ceName = " host/" + s erverName; | |
327 | Pr incipalNam e principa l; | |
328 | tr y { | |
329 | principa l = new Pr incipalNam e(serviceN ame, | |
330 | Principa lName.KRB_ NT_SRV_HST ); | |
331 | } catch (Sec urityExcep tion se) { | |
332 | throw se ; | |
333 | } catch (Exc eption e) { | |
334 | IOExcept ion ioe = new IOExce ption("Inv alid servi ce princip al" + | |
335 | " name: " + servic eName); | |
336 | ioe.init Cause(e); | |
337 | throw io e; | |
338 | } | |
339 | St ring realm = princip al.getReal mAsString( ); | |
340 | ||
341 | fi nal String serverPri ncipal = p rincipal.t oString(); | |
342 | fi nal String tgsPrinci pal = "krb tgt/" + re alm + "@" + realm; | |
343 | fi nal String clientPri ncipal = n ull; // u se default | |
344 | ||
345 | ||
346 | // check per mission to obtain a service ti cket to in itiate a | |
347 | // context w ith the "h ost" servi ce | |
348 | Se curityMana ger sm = S ystem.getS ecurityMan ager(); | |
349 | if (sm != nu ll) { | |
350 | sm.checkP ermission( new Servic ePermissio n(serverPr incipal, | |
351 | "initiat e"), acc); | |
352 | } | |
353 | ||
354 | tr y { | |
355 | Kerberos Ticket tic ket = Acce ssControll er.doPrivi leged( | |
356 | new Privileged ExceptionA ction<Kerb erosTicket >() { | |
357 | publ ic Kerbero sTicket ru n() throws Exception { | |
358 | return Krb 5Util.getT icketFromS ubjectAndT gs( | |
359 | GSSCal ler.CALLER _SSL_CLIEN T, | |
360 | client Principal, serverPri ncipal, | |
361 | tgsPri ncipal, ac c); | |
362 | }}); | |
363 | ||
364 | if (tick et == null ) { | |
365 | thro w new IOEx ception("F ailed to f ind any ke rberos ser vice" + | |
366 | " tick et for " + serverPri ncipal); | |
367 | } | |
368 | return t icket; | |
369 | } catch (Pri vilegedAct ionExcepti on e) { | |
370 | IOExcept ion ioe = new IOExce ption( | |
371 | "Att empt to ob tain kerbe ros servic e ticket f or " + | |
372 | server Principal + " failed !"); | |
373 | ioe.init Cause(e); | |
374 | throw io e; | |
375 | } | |
376 | } | |
377 | ||
378 | @Overr ide | |
379 | public byte[] ge tUnencrypt edPreMaste rSecret() { | |
380 | re turn preMa ster.getUn encrypted( ); | |
381 | } | |
382 | ||
383 | @Overr ide | |
384 | public KerberosP rincipal g etPeerPrin cipal() { | |
385 | re turn peerP rincipal; | |
386 | } | |
387 | ||
388 | @Overr ide | |
389 | public KerberosP rincipal g etLocalPri ncipal() { | |
390 | re turn local Principal; | |
391 | } | |
392 | ||
393 | /** | |
394 | * Det ermines if a kvno ma tches anot her kvno. Used in th e method | |
395 | * fin dKey(etype , version, keys). Al ways retur ns true if either in put | |
396 | * is null or ze ro, in cas e any side does not have kvno info avail able. | |
397 | * | |
398 | * Not e: zero is included because N/ A is not a legal val ue for kvn o | |
399 | * in javax.secu rity.auth. kerberos.K erberosKey . Therefor e, the inf o | |
400 | * tha t the kvno is N/A mi ght be los t when con verting be tween | |
401 | * Enc ryptionKey and Kerbe rosKey. | |
402 | */ | |
403 | privat e static b oolean ver sionMatche s(Integer v1, int v2 ) { | |
404 | if (v1 == nu ll || v1 = = 0 || v2 == 0) { | |
405 | return t rue; | |
406 | } | |
407 | re turn v1.eq uals(v2); | |
408 | } | |
409 | ||
410 | privat e static K erberosKey findKey(i nt etype, Integer ve rsion, | |
411 | Kerberos Key[] keys ) throws K rbExceptio n { | |
412 | in t ktype; | |
413 | bo olean etyp eFound = f alse; | |
414 | ||
415 | // When no m atched kvn o is found , returns tke key of the same | |
416 | // etype wit h the high est kvno | |
417 | in t kvno_fou nd = 0; | |
418 | Ke rberosKey key_found = null; | |
419 | ||
420 | fo r (int i = 0; i < ke ys.length; i++) { | |
421 | ktype = keys[i].ge tKeyType() ; | |
422 | if (etyp e == ktype ) { | |
423 | int kv = keys[ i].getVers ionNumber( ); | |
424 | etyp eFound = t rue; | |
425 | if ( versionMat ches(versi on, kv)) { | |
426 | return key s[i]; | |
427 | } el se if (kv > kvno_fou nd) { | |
428 | key_found = keys[i]; | |
429 | kvno_found = kv; | |
430 | } | |
431 | } | |
432 | } | |
433 | // Key not f ound. | |
434 | // %%% kludg e to allow DES keys to be used for diff etypes | |
435 | if ((etype = = Encrypte dData.ETYP E_DES_CBC_ CRC || | |
436 | etype == Encrypted Data.ETYPE _DES_CBC_M D5)) { | |
437 | for (int i = 0; i < keys.len gth; i++) { | |
438 | ktyp e = keys[i ].getKeyTy pe(); | |
439 | if ( ktype == E ncryptedDa ta.ETYPE_D ES_CBC_CRC || | |
440 | ktype == Encrypt edData.ETY PE_DES_CBC _MD5) { | |
441 | int kv = k eys[i].get VersionNum ber(); | |
442 | etypeFound = true; | |
443 | if (versio nMatches(v ersion, kv )) { | |
444 | return new Kerbe rosKey(key s[i].getPr incipal(), | |
445 | ke ys[i].getE ncoded(), | |
446 | et ype, | |
447 | kv ); | |
448 | } else if (kv > kvno _found) { | |
449 | key_fo und = new KerberosKe y(keys[i]. getPrincip al(), | |
450 | keys[i]. getEncoded (), | |
451 | etype, | |
452 | kv); | |
453 | kvno_f ound = kv; | |
454 | } | |
455 | } | |
456 | } | |
457 | } | |
458 | if (etypeFou nd) { | |
459 | return k ey_found; | |
460 | } | |
461 | re turn null; | |
462 | } | |
463 | } |
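Review bot: The text substitution that produced `PW` on the new side reaches into a Java identifier in this section, at file lines 227 and 232 (`EncryptionKey PW Key = new EncryptionKey(` and `encPart.decrypt( PW Key, KeyUsage.KU_TICKET)`); as rendered that is not a legal identifier and the class would not compile, and if the extraction merely split a renamed `PWKey`, it is still a silent edit of vendored JDK source whose own header says not to alter it. The same rewrite changed the runtime diagnostic at file line 185 to `" PW key denied "`, so it alters program output rather than only wording, and the mixed result (`PW` in lowercase spots, `Secret` untouched in `KerberosPreMasterSecret` and `getUnencryptedPreMasterSecret`) reads as an unreviewed search-and-replace rather than a deliberate change. If the goal is to keep the word out of the tree, confine the substitution to comments and Javadoc and restore the identifier and message text to what upstream JDK 8 uses (the upstream local is `secretKey`, to be confirmed against the original file), so the vendored copy can still be verified byte-for-byte against its source.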