/** {@inheritDoc} */
@Override
protected void makeReply() throws KrbException {
Ticket ticket = getTicket();
TgsRep reply = new TgsRep();
if (getClientEntry() == null) {
reply.setCname(ticket.getEncPart().getCname());
} else {
reply.setCname(getClientEntry().getPrincipal());
}
reply.setCrealm(getKdcContext().getKdcRealm());
reply.setTicket(ticket);
EncKdcRepPart encKdcRepPart = makeEncKdcRepPart();
reply.setEncPart(encKdcRepPart);
EncryptionKey sessionKey;
if (getToken() != null) {
sessionKey = getSessionKey();
} else {
sessionKey = getTgtSessionKey();
}
EncryptedData encryptedData =
EncryptionUtil.seal(encKdcRepPart, sessionKey, KeyUsage.TGS_REP_ENCPART_SESSKEY);
reply.setEncryptedEncPart(encryptedData);
setReply(reply);
}
/**
* Verify authenticator.
*
* @throws org.apache.kerby.kerberos.kerb.KrbException e
* @param paDataEntry preauthentication data entry
*/
public void verifyAuthenticator(PaDataEntry paDataEntry) throws KrbException {
ApReq apReq = KrbCodec.decode(paDataEntry.getPaDataValue(), ApReq.class);
if (apReq.getPvno() != KrbConstant.KRB_V5) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
}
if (apReq.getMsgType() != KrbMessageType.AP_REQ) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
}
tgtTicket = apReq.getTicket();
EncryptionType encType = tgtTicket.getEncryptedEncPart().getEType();
EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
if (tgtTicket.getTktvno() != KrbConstant.KRB_V5) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
}
EncTicketPart encPart =
EncryptionUtil.unseal(
tgtTicket.getEncryptedEncPart(), tgsKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
tgtTicket.setEncPart(encPart);
EncryptionKey encKey = null;
// if (apReq.getApOptions().isFlagSet(ApOptions.USE_SESSION_KEY)) {
encKey = tgtTicket.getEncPart().getKey();
if (encKey == null) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
}
Authenticator authenticator =
EncryptionUtil.unseal(
apReq.getEncryptedAuthenticator(), encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class);
if (!authenticator.getCname().equals(tgtTicket.getEncPart().getCname())) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
}
HostAddresses hostAddresses = tgtTicket.getEncPart().getClientAddresses();
if (hostAddresses == null || hostAddresses.isEmpty()) {
if (!getKdcContext().getConfig().isEmptyAddressesAllowed()) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
}
} else if (!hostAddresses.contains(getClientAddress())) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
}
PrincipalName serverPrincipal = tgtTicket.getSname();
serverPrincipal.setRealm(tgtTicket.getRealm());
PrincipalName clientPrincipal = authenticator.getCname();
clientPrincipal.setRealm(authenticator.getCrealm());
KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
setClientEntry(clientEntry);
if (!authenticator
.getCtime()
.isInClockSkew(getKdcContext().getConfig().getAllowableClockSkew() * 1000)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
}
KerberosTime now = KerberosTime.now();
KerberosTime startTime = tgtTicket.getEncPart().getStartTime();
if (startTime == null) {
startTime = tgtTicket.getEncPart().getAuthTime();
}
if (!startTime.lessThan(now)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
}
KerberosTime endTime = tgtTicket.getEncPart().getEndTime();
if (!endTime.greaterThan(now)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
}
apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
setTgtSessionKey(tgtTicket.getEncPart().getKey());
}
