Beispiel #1
0
  /**
   * Constructs a KeyImpl from a password.
   *
   * @param principal the principal from which to derive the salt
   * @param password the password that should be used to compute the key.
   * @param algorithm the name for the algorithm that this key wil be used for. This parameter may
   *     be null in which case "DES" will be assumed.
   */
  public KeyImpl(KerberosPrincipal principal, char[] password, String algorithm) {

    try {
      PrincipalName princ = new PrincipalName(principal.getName());
      EncryptionKey key = new EncryptionKey(password, princ.getSalt(), algorithm);
      this.keyBytes = key.getBytes();
      this.keyType = key.getEType();
    } catch (KrbException e) {
      throw new IllegalArgumentException(e.getMessage());
    }
  }
  private Krb5InitCredential(
      Krb5NameElement name,
      byte[] asn1Encoding,
      KerberosPrincipal client,
      KerberosPrincipal server,
      byte[] sessionKey,
      int keyType,
      boolean[] flags,
      Date authTime,
      Date startTime,
      Date endTime,
      Date renewTill,
      InetAddress[] clientAddresses)
      throws GSSException {
    super(
        asn1Encoding,
        client,
        server,
        sessionKey,
        keyType,
        flags,
        authTime,
        startTime,
        endTime,
        renewTill,
        clientAddresses);

    this.name = name;

    try {
      // Cache this for later use by the sun.security.krb5 package.
      krb5Credentials =
          new Credentials(
              asn1Encoding,
              client.getName(),
              server.getName(),
              sessionKey,
              keyType,
              flags,
              authTime,
              startTime,
              endTime,
              renewTill,
              clientAddresses);
    } catch (KrbException e) {
      throw new GSSException(GSSException.NO_CRED, -1, e.getMessage());
    } catch (IOException e) {
      throw new GSSException(GSSException.NO_CRED, -1, e.getMessage());
    }
  }
  private static KerberosTicket getTgt(int caller, Krb5NameElement name, int initLifetime)
      throws GSSException {

    String realm = null;
    final String clientPrincipal, tgsPrincipal = null;

    /*
     * Find the TGT for the realm that the client is in. If the client
     * name is not available, then use the default realm.
     */
    if (name != null) {
      clientPrincipal = (name.getKrb5PrincipalName()).getName();
      realm = (name.getKrb5PrincipalName()).getRealmAsString();
    } else {
      clientPrincipal = null;
      try {
        Config config = Config.getInstance();
        realm = config.getDefaultRealm();
      } catch (KrbException e) {
        GSSException ge =
            new GSSException(
                GSSException.NO_CRED,
                -1,
                "Attempt to obtain INITIATE credentials failed!" + " (" + e.getMessage() + ")");
        ge.initCause(e);
        throw ge;
      }
    }

    final AccessControlContext acc = AccessController.getContext();

    try {
      final int realCaller = (caller == GSSUtil.CALLER_UNKNOWN) ? GSSUtil.CALLER_INITIATE : caller;
      return AccessController.doPrivileged(
          new PrivilegedExceptionAction<KerberosTicket>() {
            public KerberosTicket run() throws Exception {
              return Krb5Util.getTicket(realCaller, clientPrincipal, tgsPrincipal, acc);
            }
          });
    } catch (PrivilegedActionException e) {
      GSSException ge =
          new GSSException(
              GSSException.NO_CRED,
              -1,
              "Attempt to obtain new INITIATE credentials failed!" + " (" + e.getMessage() + ")");
      ge.initCause(e.getException());
      throw ge;
    }
  }
Beispiel #4
0
  /** Deletes an entry from the key table. */
  void deleteEntry() {
    PrincipalName pname = null;
    try {
      pname = new PrincipalName(principal);
      if (pname.getRealm() == null) {
        pname.setRealm(Config.getInstance().getDefaultRealm());
      }
      String answer;
      BufferedReader cis = new BufferedReader(new InputStreamReader(System.in));
      System.out.print(
          "Are you sure you want to "
              + " delete service key for "
              + pname.toString()
              + " in "
              + table.tabName()
              + "?(Y/N) :");

      System.out.flush();
      answer = cis.readLine();
      if (answer.equalsIgnoreCase("Y") || answer.equalsIgnoreCase("Yes")) ;
      else {
        // no error, the user did not want to delete the entry
        System.exit(0);
      }

    } catch (KrbException e) {
      System.err.println("Error occured while deleting the entry. " + "Deletion failed.");
      e.printStackTrace();
      System.exit(-1);
    } catch (IOException e) {
      System.err.println("Error occured while deleting the entry. " + " Deletion failed.");
      e.printStackTrace();
      System.exit(-1);
    }
    // admin.deleteEntry(pname);
    table.deleteEntry(pname);

    try {
      table.save();
    } catch (IOException e) {
      System.err.println("Error occurs while saving the keytab." + "Deletion fails.");
      e.printStackTrace();
      System.exit(-1);
    }
    System.out.println("Done!");
  }
Beispiel #5
0
  /**
   * Adds a service key to key table. If the specified key table does not exist, the program will
   * automatically generate a new key table.
   */
  void addEntry() {
    PrincipalName pname = null;
    try {
      pname = new PrincipalName(principal);
      if (pname.getRealm() == null) {
        pname.setRealm(Config.getInstance().getDefaultRealm());
      }
    } catch (KrbException e) {
      System.err.println("Failed to add " + principal + " to keytab.");
      e.printStackTrace();
      System.exit(-1);
    }
    if (password == null) {
      try {
        BufferedReader cis = new BufferedReader(new InputStreamReader(System.in));
        System.out.print("Password for " + pname.toString() + ":");
        System.out.flush();
        password = new StringBuffer().append(cis.readLine());
      } catch (IOException e) {
        System.err.println("Failed to read the password.");
        e.printStackTrace();
        System.exit(-1);
      }
    }
    try {
      // admin.addEntry(pname, password);
      table.addEntry(pname, password);
      // admin.save();
      table.save();
      System.out.println("Done!");
      System.out.println("Service key for " + principal + " is saved in " + table.tabName());

    } catch (KrbCryptoException e) {
      System.err.println("Failed to add " + principal + " to keytab.");
      e.printStackTrace();
      System.exit(-1);
    } catch (IOException e) {
      System.err.println("Failed to save new entry.");
      e.printStackTrace();
      System.exit(-1);
    }
  }
  void go() throws Exception {
    OneKDC k = new OneKDC(null);
    k.writeJAASConf();

    Files.delete(Paths.get(OneKDC.KTAB));

    // Starts with no keytab
    c = Context.fromJAAS("client");
    s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");

    // Test 1: read new key 1 from keytab
    k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    k.writeKtab(OneKDC.KTAB);
    connect();

    // Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
    k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    connect();

    // Test 3: re-login. Now find 2 in keytab
    c = Context.fromJAAS("client");
    connect();

    // Test 4: re-login, KDC use 3 this time.
    c = Context.fromJAAS("client");
    // Put 3 and 4 into keytab but keep the real key back to 3.
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    connect();

    // Test 5: invalid keytab file, should ignore
    try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) {
      fos.write("BADBADBAD".getBytes());
    }
    connect();

    // Test 6: delete keytab file, identical to revoke all
    Files.delete(Paths.get(OneKDC.KTAB));
    try {
      connect();
      throw new Exception("Should not success");
    } catch (GSSException gsse) {
      System.out.println(gsse);
      KrbException ke = (KrbException) gsse.getCause();
      // KrbApReq.authenticate(*) if (dkey == null)...
      // This should have been Krb5.KRB_AP_ERR_NOKEY
      if (ke.returnCode() != Krb5.API_INVALID_ARG) {
        throw new Exception("Not expected failure code: " + ke.returnCode());
      }
    }

    // Test 7: 3 revoked, should fail (now contains only 5)
    k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
    k.writeKtab(OneKDC.KTAB); // overwrite keytab, which means
    // old key is revoked
    try {
      connect();
      throw new Exception("Should not success");
    } catch (GSSException gsse) {
      System.out.println(gsse);
      // Since 7197159, different kvno is accepted, this return code
      // will never be thrown out again.
      // KrbException ke = (KrbException)gsse.getCause();
      // if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
      //    throw new Exception("Not expected failure code: " +
      //            ke.returnCode());
      // }
    }

    // Test 8: an empty KDC means revoke all
    KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
    try {
      connect();
      throw new Exception("Should not success");
    } catch (GSSException gsse) {
      System.out.println(gsse);
      KrbException ke = (KrbException) gsse.getCause();
      // KrbApReq.authenticate(*) if (dkey == null)...
      // This should have been Krb5.KRB_AP_ERR_NOKEY
      if (ke.returnCode() != Krb5.API_INVALID_ARG) {
        throw new Exception("Not expected failure code: " + ke.returnCode());
      }
    }
  }