// KrbSafe, KrbTgsReq public Checksum(int new_cksumType, byte[] data, EncryptionKey key, int usage) throws KdcErrException, KrbApErrException, KrbCryptoException { cksumType = new_cksumType; CksumType cksumEngine = CksumType.getInstance(cksumType); if (!cksumEngine.isSafe()) throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM); checksum = cksumEngine.calculateKeyedChecksum(data, data.length, key.getBytes(), usage); }
/**
 * Wraps a delegated (KRB-CRED) credential as a {@code Krb5InitCredential}.
 *
 * <p>The client and server principals are optional in a KRB-CRED message, so
 * each is converted only when present; otherwise the corresponding
 * {@code KerberosPrincipal} (and the name element for the client) stays
 * {@code null}. The {@code name} argument is not referenced by this method;
 * the XXX note below marks the missing comparison against {@code credName}.
 *
 * <p>NOTE(review): the session key is dereferenced unconditionally when the
 * constructor arguments are built; confirm that {@code Credentials} always
 * carries one for a delegated credential.
 *
 * @param name          the name the caller associates with the credential; currently unused
 * @param delegatedCred the forwarded credentials to wrap
 * @return a new initiator credential built from {@code delegatedCred}
 * @throws GSSException propagated from the name-element construction
 */
static Krb5InitCredential getInstance(Krb5NameElement name, Credentials delegatedCred)
        throws GSSException {
    EncryptionKey sessionKey = delegatedCred.getSessionKey();

    /*
     * all of the following data is optional in a KRB-CRED
     * messages. This check for each field.
     */
    PrincipalName clientPrinc = delegatedCred.getClient();
    PrincipalName serverPrinc = delegatedCred.getServer();

    Krb5NameElement credName = null;
    KerberosPrincipal client = null;
    if (clientPrinc != null) {
        String clientFullName = clientPrinc.getName();
        credName = Krb5NameElement.getInstance(clientFullName,
                Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
        client = new KerberosPrincipal(clientFullName);
    }

    // XXX Compare name to credName

    KerberosPrincipal server = serverPrinc == null
            ? null
            : new KerberosPrincipal(serverPrinc.getName(), KerberosPrincipal.KRB_NT_SRV_INST);

    return new Krb5InitCredential(
            credName,
            delegatedCred,
            delegatedCred.getEncoded(),
            client,
            server,
            sessionKey.getBytes(),
            sessionKey.getEType(),
            delegatedCred.getFlags(),
            delegatedCred.getAuthTime(),
            delegatedCred.getStartTime(),
            delegatedCred.getEndTime(),
            delegatedCred.getRenewTill(),
            delegatedCred.getClientAddresses());
}
/**
 * Encodes this EncTicketPart as DER: {@code [APPLICATION 3] SEQUENCE} of the
 * context-tagged fields 0..10 in order. The optional fields starttime (6),
 * renew-till (8), caddr (9) and authorization-data (10) are written only
 * when non-null.
 *
 * @return byte array of the encoded EncTicketPart
 * @exception Asn1Exception if a field fails to encode
 * @exception IOException if writing to the DER output stream fails
 */
public byte[] asn1Encode() throws Asn1Exception, IOException {
    DerOutputStream fields = new DerOutputStream();

    writeContextTagged(fields, 0x00, flags.asn1Encode());
    writeContextTagged(fields, 0x01, key.asn1Encode());
    writeContextTagged(fields, 0x02, cname.getRealm().asn1Encode());
    writeContextTagged(fields, 0x03, cname.asn1Encode());
    writeContextTagged(fields, 0x04, transited.asn1Encode());
    writeContextTagged(fields, 0x05, authtime.asn1Encode());
    if (starttime != null) {
        writeContextTagged(fields, 0x06, starttime.asn1Encode());
    }
    writeContextTagged(fields, 0x07, endtime.asn1Encode());
    if (renewTill != null) {
        writeContextTagged(fields, 0x08, renewTill.asn1Encode());
    }
    if (caddr != null) {
        writeContextTagged(fields, 0x09, caddr.asn1Encode());
    }
    if (authorizationData != null) {
        writeContextTagged(fields, 0x0A, authorizationData.asn1Encode());
    }

    // SEQUENCE { fields } wrapped in the [APPLICATION 3] tag.
    DerOutputStream sequence = new DerOutputStream();
    sequence.write(DerValue.tag_Sequence, fields);

    DerOutputStream out = new DerOutputStream();
    out.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x03), sequence);
    return out.toByteArray();
}

/**
 * Writes {@code value} into {@code out} under an explicit (constructed)
 * context-specific tag number {@code tagNo}.
 */
private static void writeContextTagged(DerOutputStream out, int tagNo, byte[] value)
        throws IOException {
    out.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) tagNo), value);
}
/**
 * Decodes an EncTicketPart from its DER form: {@code [APPLICATION 3] SEQUENCE}
 * of context-tagged fields 0..10 in order.
 *
 * <p>The optional trailing fields renew-till (8), caddr (9) and
 * authorization-data (10) are reset to {@code null} first and read only while
 * input remains. Any bytes left after field 10 are rejected, so an encoding
 * with unexpected trailing content does not decode silently.
 *
 * @param encoding the DER value to decode
 * @throws Asn1Exception  if the outer tag is not a constructed APPLICATION 3,
 *                        the inner value is not a SEQUENCE, or data remains
 *                        after the last field
 * @throws IOException    if the DER input cannot be read
 * @throws RealmException propagated from the realm and principal-name parsers
 */
private void init(DerValue encoding) throws Asn1Exception, IOException, RealmException {
    renewTill = null;
    caddr = null;
    authorizationData = null;

    boolean isApplication3 = (encoding.getTag() & (byte) 0x1F) == (byte) 0x03
            && encoding.isApplication()
            && encoding.isConstructed();
    if (!isApplication3) {
        throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }

    DerValue seq = encoding.getData().getDerValue();
    if (seq.getTag() != DerValue.tag_Sequence) {
        throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }

    // Mandatory fields 0..5, optional 6, mandatory 7 — consumed in tag order.
    flags = TicketFlags.parse(seq.getData(), (byte) 0x00, false);
    key = EncryptionKey.parse(seq.getData(), (byte) 0x01, false);
    Realm clientRealm = Realm.parse(seq.getData(), (byte) 0x02, false);
    cname = PrincipalName.parse(seq.getData(), (byte) 0x03, false, clientRealm);
    transited = TransitedEncoding.parse(seq.getData(), (byte) 0x04, false);
    authtime = KerberosTime.parse(seq.getData(), (byte) 0x05, false);
    starttime = KerberosTime.parse(seq.getData(), (byte) 0x06, true);
    endtime = KerberosTime.parse(seq.getData(), (byte) 0x07, false);

    // Optional tail, each read only if input remains.
    if (seq.getData().available() > 0) {
        renewTill = KerberosTime.parse(seq.getData(), (byte) 0x08, true);
    }
    if (seq.getData().available() > 0) {
        caddr = HostAddresses.parse(seq.getData(), (byte) 0x09, true);
    }
    if (seq.getData().available() > 0) {
        authorizationData = AuthorizationData.parse(seq.getData(), (byte) 0x0A, true);
    }
    // Strict: nothing may follow the last defined field.
    if (seq.getData().available() > 0) {
        throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }
}
/**
 * Verifies the stored checksum against {@code data} using {@code key}.
 *
 * <p>As in the keyed constructor, only "safe" (keyed) checksum types are
 * accepted; an unkeyed type is rejected with {@code KRB_AP_ERR_INAPP_CKSUM}
 * rather than verified, because such a checksum would not authenticate the
 * data.
 *
 * @param data  the bytes the checksum is expected to cover (must be non-null;
 *              its full length is used)
 * @param key   the key the checksum is keyed with
 * @param usage the key-usage number handed to the checksum engine
 * @return {@code true} if the engine reports the checksum as matching
 * @throws KdcErrException    propagated from the checksum engine
 * @throws KrbApErrException  if the checksum type is not a "safe" (keyed) type
 * @throws KrbCryptoException propagated from the verification
 */
public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key, int usage)
        throws KdcErrException, KrbApErrException, KrbCryptoException {
    CksumType engine = CksumType.getInstance(cksumType);
    if (!engine.isSafe()) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
    }
    int length = data.length;
    byte[] keyBytes = key.getBytes();
    return engine.verifyKeyedChecksum(data, length, keyBytes, checksum, usage);
}
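/**
 * Validates the AP-REQ held in {@code apReqMessg} and, on success, populates
 * {@code authenticator}, {@code ctime}, {@code cusec} and {@code creds}.
 *
 * <p>Checks, in order: the ticket is decrypted with the service key whose
 * etype and kvno match its encrypted part; the ticket session key's etype is
 * passed to {@code checkPermittedEType}; the authenticator is decrypted with
 * that session key; the authenticator's client name must equal the ticket's
 * client name; the authenticator's ctime must be within the allowed clock
 * skew; the (ctime, cusec, client-name) tuple must not already be in the
 * replay table; when the initiator's address is known and the ticket carries
 * addresses, the address must be listed; finally the ticket must be valid now
 * (not pre-dated, not flagged INVALID, not expired).
 *
 * <p>Error codes are the RFC 4120 KRB_AP_ERR values; key-usage numbers 2 and 11
 * are the RFC 4120 section 7.5.1 usages for the ticket and the AP-REQ
 * authenticator respectively.
 *
 * <p>The decompiled form of this method assigned a single {@code Object} local
 * both the initiator's {@code HostAddress} and a second {@code KerberosTime},
 * and used it before its declaration, which does not compile; the two are now
 * separate, typed locals.
 *
 * @param paramArrayOfEncryptionKey the service's long-term keys to try
 * @param paramInetAddress          the initiator's address, or {@code null} to
 *                                  skip the address check
 * @throws KrbException   code 400 when no key of the ticket's etype/kvno is
 *                        found; a {@code KrbApErrException} for any failed check
 * @throws IOException    propagated from decoding the decrypted parts
 */
private void authenticate(
        EncryptionKey[] paramArrayOfEncryptionKey, InetAddress paramInetAddress)
        throws KrbException, IOException {
    int etype = this.apReqMessg.ticket.encPart.getEType();
    Integer kvno = this.apReqMessg.ticket.encPart.getKeyVersionNumber();
    EncryptionKey serviceKey =
            EncryptionKey.findKey(etype, kvno, paramArrayOfEncryptionKey);
    if (serviceKey == null) {
        throw new KrbException(400,
                "Cannot find key of appropriate type to decrypt AP REP - "
                        + EType.toString(etype));
    }

    // Key usage 2: the ticket's encrypted part, under the service key.
    byte[] ticketPlain = this.apReqMessg.ticket.encPart.decrypt(serviceKey, 2);
    byte[] ticketBody = this.apReqMessg.ticket.encPart.reset(ticketPlain);
    EncTicketPart encPart = new EncTicketPart(ticketBody);

    checkPermittedEType(encPart.key.getEType());

    // Key usage 11: the AP-REQ authenticator, under the ticket session key.
    byte[] authPlain = this.apReqMessg.authenticator.decrypt(encPart.key, 11);
    byte[] authBody = this.apReqMessg.authenticator.reset(authPlain);
    this.authenticator = new Authenticator(authBody);
    this.ctime = this.authenticator.ctime;
    this.cusec = this.authenticator.cusec;
    this.authenticator.ctime.setMicroSeconds(this.authenticator.cusec);
    this.authenticator.cname.setRealm(this.authenticator.crealm);
    this.apReqMessg.ticket.sname.setRealm(this.apReqMessg.ticket.realm);
    encPart.cname.setRealm(encPart.crealm);

    // The authenticator must be bound to the ticket's client (KRB_AP_ERR_BADMATCH).
    if (!this.authenticator.cname.equals(encPart.cname)) {
        throw new KrbApErrException(36);
    }

    KerberosTime now = new KerberosTime(true);
    // Client timestamp outside the permitted skew (KRB_AP_ERR_SKEW).
    if (!this.authenticator.ctime.inClockSkew(now)) {
        throw new KrbApErrException(37);
    }

    // Replay detection on (ctime, cusec, client name) (KRB_AP_ERR_REPEAT).
    // NOTE(review): lookup and insert are separate calls; whether they are
    // atomic depends on the replay table's implementation — confirm.
    AuthTime authTime =
            new AuthTime(this.authenticator.ctime.getTime(), this.authenticator.cusec);
    String clientName = this.authenticator.cname.toString();
    if (table.get(authTime, clientName) != null) {
        throw new KrbApErrException(34);
    }
    table.put(clientName, authTime, now.getTime());

    // If the ticket lists client addresses, the initiator must be one of them
    // (KRB_AP_ERR_BADADDR). Skipped when the caller supplies no address.
    if (paramInetAddress != null) {
        HostAddress initiator = new HostAddress(paramInetAddress);
        if (encPart.caddr != null && !encPart.caddr.inList(initiator)) {
            if (DEBUG) {
                System.out.println(">>> KrbApReq: initiator is "
                        + initiator.getInetAddress()
                        + ", but caddr is "
                        + Arrays.toString(encPart.caddr.getInetAddresses()));
            }
            throw new KrbApErrException(38);
        }
    }

    // Ticket validity window, taken at a fresh timestamp as in the original.
    KerberosTime validityCheckTime = new KerberosTime(true);

    // Not yet valid: starttime in the future, or ticket flag bit 7 (invalid)
    // set (KRB_AP_ERR_TKT_NYV).
    boolean notYetValid = encPart.starttime != null
            && encPart.starttime.greaterThanWRTClockSkew(validityCheckTime);
    if (notYetValid || encPart.flags.get(7)) {
        throw new KrbApErrException(33);
    }

    // Expired (KRB_AP_ERR_TKT_EXPIRED).
    if (encPart.endtime != null
            && validityCheckTime.greaterThanWRTClockSkew(encPart.endtime)) {
        throw new KrbApErrException(32);
    }

    this.creds = new Credentials(
            this.apReqMessg.ticket,
            this.authenticator.cname,
            this.apReqMessg.ticket.sname,
            encPart.key,
            encPart.flags,
            encPart.authtime,
            encPart.starttime,
            encPart.endtime,
            encPart.renewTill,
            encPart.caddr,
            encPart.authorizationData);

    if (DEBUG) {
        System.out.println(">>> KrbApReq: authenticate succeed.");
    }
}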