2008-10-17 05:02:00 +00:00
|
|
|
/*
|
2013-12-26 20:04:16 +00:00
|
|
|
* Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
|
2008-10-17 05:02:00 +00:00
|
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
|
|
*
|
|
|
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
|
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
|
|
|
* accompanied this code).
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License version
|
|
|
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
|
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
|
*
|
2010-05-25 22:58:33 +00:00
|
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
|
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
|
|
|
* questions.
|
2008-10-17 05:02:00 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
import java.lang.reflect.Constructor;
|
|
|
|
|
import java.lang.reflect.Field;
|
|
|
|
|
import java.lang.reflect.InvocationTargetException;
|
|
|
|
|
import java.net.*;
|
|
|
|
|
import java.io.*;
|
|
|
|
|
import java.lang.reflect.Method;
|
|
|
|
|
import java.security.SecureRandom;
|
|
|
|
|
import java.util.*;
|
|
|
|
|
import java.util.concurrent.*;
|
2009-06-17 07:26:58 +00:00
|
|
|
import sun.net.spi.nameservice.NameService;
|
|
|
|
|
import sun.net.spi.nameservice.NameServiceDescriptor;
|
2008-10-17 05:02:00 +00:00
|
|
|
import sun.security.krb5.*;
|
|
|
|
|
import sun.security.krb5.internal.*;
|
2008-11-12 08:01:06 +00:00
|
|
|
import sun.security.krb5.internal.ccache.CredentialsCache;
|
2014-12-09 10:28:26 +00:00
|
|
|
import sun.security.krb5.internal.crypto.EType;
|
2008-10-17 05:02:00 +00:00
|
|
|
import sun.security.krb5.internal.crypto.KeyUsage;
|
|
|
|
|
import sun.security.krb5.internal.ktab.KeyTab;
|
|
|
|
|
import sun.security.util.DerInputStream;
|
|
|
|
|
import sun.security.util.DerOutputStream;
|
|
|
|
|
import sun.security.util.DerValue;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* A KDC server.
|
|
|
|
|
* <p>
|
|
|
|
|
* Features:
|
|
|
|
|
* <ol>
|
|
|
|
|
* <li> Supports TCP and UDP
|
|
|
|
|
* <li> Supports AS-REQ and TGS-REQ
|
|
|
|
|
* <li> Principal db and other settings hard coded in application
|
|
|
|
|
* <li> Options, say, request preauth or not
|
|
|
|
|
* </ol>
|
|
|
|
|
* Side effects:
|
|
|
|
|
* <ol>
|
|
|
|
|
* <li> The Sun-internal class <code>sun.security.krb5.Config</code> is a
|
|
|
|
|
* singleton and initialized according to Kerberos settings (krb5.conf and
|
|
|
|
|
* java.security.krb5.* system properties). This means once it's initialized
|
|
|
|
|
* it will not automatically notice any changes to these settings (or file
|
|
|
|
|
* changes of krb5.conf). The KDC class normally does not touch these
|
|
|
|
|
* settings (except for the <code>writeKtab()</code> method). However, to make
|
|
|
|
|
* sure nothing ever goes wrong, if you want to make any changes to these
|
|
|
|
|
* settings after calling a KDC method, call <code>Config.refresh()</code> to
|
|
|
|
|
* make sure your changes are reflected in the <code>Config</code> object.
|
|
|
|
|
* </ol>
|
2009-11-27 00:51:28 +00:00
|
|
|
* System properties recognized:
|
|
|
|
|
* <ul>
|
|
|
|
|
* <li>test.kdc.save.ccache
|
|
|
|
|
* </ul>
|
2008-10-17 05:02:00 +00:00
|
|
|
* Issues and TODOs:
|
|
|
|
|
* <ol>
|
|
|
|
|
* <li> Generates krb5.conf to be used on another machine, currently the kdc is
|
|
|
|
|
* always localhost
|
|
|
|
|
* <li> More options to KDC, say, error output, say, response nonce !=
|
|
|
|
|
* request nonce
|
|
|
|
|
* </ol>
|
|
|
|
|
* Note: This program uses internal krb5 classes (including reflection to
|
|
|
|
|
* access private fields and methods).
|
|
|
|
|
* <p>
|
|
|
|
|
* Usages:
|
|
|
|
|
* <p>
|
|
|
|
|
* 1. Init and start the KDC:
|
|
|
|
|
* <pre>
|
|
|
|
|
* KDC kdc = KDC.create("REALM.NAME", port, isDaemon);
|
|
|
|
|
* KDC kdc = KDC.create("REALM.NAME");
|
|
|
|
|
* </pre>
|
|
|
|
|
* Here, <code>port</code> is the UDP and TCP port number the KDC server
|
|
|
|
|
* listens on. If zero, a random port is chosen, which you can use getPort()
|
|
|
|
|
* later to retrieve the value.
|
|
|
|
|
* <p>
|
|
|
|
|
* If <code>isDaemon</code> is true, the KDC worker threads will be daemons.
|
|
|
|
|
* <p>
|
|
|
|
|
* The shortcut <code>KDC.create("REALM.NAME")</code> has port=0 and
|
|
|
|
|
* isDaemon=false, and is commonly used in an embedded KDC.
|
|
|
|
|
* <p>
|
|
|
|
|
* 2. Adding users:
|
|
|
|
|
* <pre>
|
|
|
|
|
* kdc.addPrincipal(String principal_name, char[] password);
|
|
|
|
|
* kdc.addPrincipalRandKey(String principal_name);
|
|
|
|
|
* </pre>
|
|
|
|
|
* A service principal's name should look like "host/f.q.d.n". The second form
|
|
|
|
|
* generates a random key. To expose this key, call <code>writeKtab()</code> to
|
|
|
|
|
* save the keys into a keytab file.
|
|
|
|
|
* <p>
|
|
|
|
|
* Note that you need to add the principal name krbtgt/REALM.NAME yourself.
|
|
|
|
|
* <p>
|
|
|
|
|
* Note that you can safely add a principal at any time after the KDC is
|
|
|
|
|
* started and before a user requests info on this principal.
|
|
|
|
|
* <p>
|
|
|
|
|
* 3. Other public methods:
|
|
|
|
|
* <ul>
|
|
|
|
|
* <li> <code>getPort</code>: Returns the port number the KDC uses
|
|
|
|
|
* <li> <code>getRealm</code>: Returns the realm name
|
|
|
|
|
* <li> <code>writeKtab</code>: Writes all principals' keys into a keytab file
|
|
|
|
|
* <li> <code>saveConfig</code>: Saves a krb5.conf file to access this KDC
|
|
|
|
|
* <li> <code>setOption</code>: Sets various options
|
|
|
|
|
* </ul>
|
|
|
|
|
* Read the javadoc for details. Lazy developer can use <code>OneKDC</code>
|
|
|
|
|
* directly.
|
|
|
|
|
*/
|
|
|
|
|
public class KDC {
|
|
|
|
|
|
2014-12-09 10:28:26 +00:00
|
|
|
public static final int DEFAULT_LIFETIME = 39600;
|
|
|
|
|
public static final int DEFAULT_RENEWTIME = 86400;
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
// Under the hood.
|
|
|
|
|
|
|
|
|
|
// The random generator to generate random keys (including session keys)
|
|
|
|
|
private static SecureRandom secureRandom = new SecureRandom();
|
2010-11-12 13:33:14 +00:00
|
|
|
|
|
|
|
|
// Principal db. principal -> pass. A case-insensitive TreeMap is used
|
|
|
|
|
// so that even if the client provides a name with different case, the KDC
|
|
|
|
|
// can still locate the principal and give back correct salt.
|
2011-01-12 21:52:09 +00:00
|
|
|
private TreeMap<String,char[]> passwords = new TreeMap<>
|
2010-11-12 13:33:14 +00:00
|
|
|
(String.CASE_INSENSITIVE_ORDER);
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
// Realm name
|
|
|
|
|
private String realm;
|
2009-06-17 07:26:58 +00:00
|
|
|
// KDC
|
|
|
|
|
private String kdc;
|
2008-10-17 05:02:00 +00:00
|
|
|
// Service port number
|
|
|
|
|
private int port;
|
2009-06-17 07:26:58 +00:00
|
|
|
// The request/response job queue
|
2011-01-12 21:52:09 +00:00
|
|
|
private BlockingQueue<Job> q = new ArrayBlockingQueue<>(100);
|
2008-10-17 05:02:00 +00:00
|
|
|
// Options
|
2011-01-12 21:52:09 +00:00
|
|
|
private Map<Option,Object> options = new HashMap<>();
|
2014-05-30 06:37:43 +00:00
|
|
|
// Realm-specific krb5.conf settings
|
|
|
|
|
private List<String> conf = new ArrayList<>();
|
2008-10-17 05:02:00 +00:00
|
|
|
|
2009-12-24 05:56:19 +00:00
|
|
|
private Thread thread1, thread2, thread3;
|
|
|
|
|
DatagramSocket u1 = null;
|
|
|
|
|
ServerSocket t1 = null;
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
/**
|
|
|
|
|
* Option names, to be expanded forever.
|
|
|
|
|
*/
|
|
|
|
|
public static enum Option {
|
|
|
|
|
/**
|
|
|
|
|
* Whether pre-authentication is required. Default Boolean.TRUE
|
|
|
|
|
*/
|
|
|
|
|
PREAUTH_REQUIRED,
|
2010-06-04 11:28:53 +00:00
|
|
|
/**
|
2010-06-17 05:46:15 +00:00
|
|
|
* Only issue TGT in RC4
|
2010-06-04 11:28:53 +00:00
|
|
|
*/
|
|
|
|
|
ONLY_RC4_TGT,
|
2010-06-17 05:46:15 +00:00
|
|
|
/**
|
2010-11-12 13:33:14 +00:00
|
|
|
* Use RC4 as the first in preauth
|
2010-06-17 05:46:15 +00:00
|
|
|
*/
|
2010-11-12 13:33:14 +00:00
|
|
|
RC4_FIRST_PREAUTH,
|
|
|
|
|
/**
|
|
|
|
|
* Use only one preauth, so that some keys are not easy to generate
|
|
|
|
|
*/
|
|
|
|
|
ONLY_ONE_PREAUTH,
|
2011-08-04 10:18:45 +00:00
|
|
|
/**
|
|
|
|
|
* Set all name-type to a value in response
|
|
|
|
|
*/
|
|
|
|
|
RESP_NT,
|
2011-09-07 00:56:55 +00:00
|
|
|
/**
|
|
|
|
|
* Multiple ETYPE-INFO-ENTRY with same etype but different salt
|
|
|
|
|
*/
|
|
|
|
|
DUP_ETYPE,
|
2012-06-05 09:11:26 +00:00
|
|
|
/**
|
|
|
|
|
* What backend server can be delegated to
|
|
|
|
|
*/
|
|
|
|
|
OK_AS_DELEGATE,
|
2012-11-07 06:13:01 +00:00
|
|
|
/**
|
|
|
|
|
* Allow S4U2self, List<String> of middle servers.
|
|
|
|
|
* If not set, means KDC does not understand S4U2self at all, therefore
|
|
|
|
|
* would ignore any PA-FOR-USER request and send a ticket using the
|
|
|
|
|
* cname of teh requestor. If set, it returns FORWARDABLE tickets to
|
|
|
|
|
* a server with its name in the list
|
|
|
|
|
*/
|
|
|
|
|
ALLOW_S4U2SELF,
|
|
|
|
|
/**
|
|
|
|
|
* Allow S4U2proxy, Map<String,List<String>> of middle servers to
|
|
|
|
|
* backends. If not set or a backend not in a server's list,
|
|
|
|
|
* Krb5.KDC_ERR_POLICY will be send for S4U2proxy request.
|
|
|
|
|
*/
|
|
|
|
|
ALLOW_S4U2PROXY,
|
2008-10-17 05:02:00 +00:00
|
|
|
};
|
|
|
|
|
|
2009-06-17 07:26:58 +00:00
|
|
|
static {
|
|
|
|
|
System.setProperty("sun.net.spi.nameservice.provider.1", "ns,mock");
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
/**
|
|
|
|
|
* A standalone KDC server.
|
|
|
|
|
*/
|
|
|
|
|
public static void main(String[] args) throws Exception {
|
2014-12-09 10:28:26 +00:00
|
|
|
int port = args.length > 0 ? Integer.parseInt(args[0]) : 0;
|
|
|
|
|
KDC kdc = create("RABBIT.HOLE", "kdc.rabbit.hole", port, false);
|
2008-10-17 05:02:00 +00:00
|
|
|
kdc.addPrincipal("dummy", "bogus".toCharArray());
|
|
|
|
|
kdc.addPrincipal("foo", "bar".toCharArray());
|
2009-06-17 07:26:58 +00:00
|
|
|
kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE");
|
|
|
|
|
kdc.addPrincipalRandKey("server/host.rabbit.hole");
|
|
|
|
|
kdc.addPrincipalRandKey("backend/host.rabbit.hole");
|
|
|
|
|
KDC.saveConfig("krb5.conf", kdc, "forwardable = true");
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Creates and starts a KDC running as a daemon on a random port.
|
|
|
|
|
* @param realm the realm name
|
|
|
|
|
* @return the running KDC instance
|
|
|
|
|
* @throws java.io.IOException for any socket creation error
|
|
|
|
|
*/
|
|
|
|
|
public static KDC create(String realm) throws IOException {
|
2009-06-17 07:26:58 +00:00
|
|
|
return create(realm, "kdc." + realm.toLowerCase(), 0, true);
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
2010-11-12 13:33:14 +00:00
|
|
|
public static KDC existing(String realm, String kdc, int port) {
|
|
|
|
|
KDC k = new KDC(realm, kdc);
|
|
|
|
|
k.port = port;
|
|
|
|
|
return k;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
/**
|
|
|
|
|
* Creates and starts a KDC server.
|
|
|
|
|
* @param realm the realm name
|
|
|
|
|
* @param port the TCP and UDP port to listen to. A random port will to
|
|
|
|
|
* chosen if zero.
|
|
|
|
|
* @param asDaemon if true, KDC threads will be daemons. Otherwise, not.
|
|
|
|
|
* @return the running KDC instance
|
|
|
|
|
* @throws java.io.IOException for any socket creation error
|
|
|
|
|
*/
|
2009-06-17 07:26:58 +00:00
|
|
|
public static KDC create(String realm, String kdc, int port, boolean asDaemon) throws IOException {
|
|
|
|
|
return new KDC(realm, kdc, port, asDaemon);
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sets an option
|
|
|
|
|
* @param key the option name
|
2014-05-30 06:37:43 +00:00
|
|
|
* @param value the value
|
2008-10-17 05:02:00 +00:00
|
|
|
*/
|
|
|
|
|
public void setOption(Option key, Object value) {
|
2012-06-05 09:11:26 +00:00
|
|
|
if (value == null) {
|
|
|
|
|
options.remove(key);
|
|
|
|
|
} else {
|
|
|
|
|
options.put(key, value);
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2012-03-20 11:12:21 +00:00
|
|
|
* Writes or appends keys into a keytab.
|
|
|
|
|
* <p>
|
|
|
|
|
* Attention: This is the most basic one of a series of methods below on
|
|
|
|
|
* keytab creation or modification. All these methods reference krb5.conf
|
|
|
|
|
* settings. If you need to modify krb5.conf or switch to another krb5.conf
|
|
|
|
|
* later, please call <code>Config.refresh()</code> again. For example:
|
|
|
|
|
* <pre>
|
|
|
|
|
* kdc.writeKtab("/etc/kdc/ktab", true); // Config is initialized,
|
|
|
|
|
* System.setProperty("java.security.krb5.conf", "/home/mykrb5.conf");
|
|
|
|
|
* Config.refresh();
|
|
|
|
|
* </pre>
|
|
|
|
|
* Inside this method there are 2 places krb5.conf is used:
|
|
|
|
|
* <ol>
|
|
|
|
|
* <li> (Fatal) Generating keys: EncryptionKey.acquireSecretKeys
|
|
|
|
|
* <li> (Has workaround) Creating PrincipalName
|
|
|
|
|
* </ol>
|
|
|
|
|
* @param tab the keytab file name
|
2011-04-20 10:41:32 +00:00
|
|
|
* @param append true if append, otherwise, overwrite.
|
2012-03-20 11:12:21 +00:00
|
|
|
* @param names the names to write into, write all if names is empty
|
2011-04-20 10:41:32 +00:00
|
|
|
*/
|
2012-03-20 11:12:21 +00:00
|
|
|
public void writeKtab(String tab, boolean append, String... names)
|
2011-04-20 10:41:32 +00:00
|
|
|
throws IOException, KrbException {
|
|
|
|
|
KeyTab ktab = append ? KeyTab.getInstance(tab) : KeyTab.create(tab);
|
2012-03-20 11:12:21 +00:00
|
|
|
Iterable<String> entries =
|
|
|
|
|
(names.length != 0) ? Arrays.asList(names): passwords.keySet();
|
|
|
|
|
for (String name : entries) {
|
|
|
|
|
char[] pass = passwords.get(name);
|
|
|
|
|
int kvno = 0;
|
|
|
|
|
if (Character.isDigit(pass[pass.length-1])) {
|
|
|
|
|
kvno = pass[pass.length-1] - '0';
|
2011-04-20 10:41:32 +00:00
|
|
|
}
|
2013-01-08 06:54:56 +00:00
|
|
|
PrincipalName pn = new PrincipalName(name,
|
|
|
|
|
name.indexOf('/') < 0 ?
|
|
|
|
|
PrincipalName.KRB_NT_UNKNOWN :
|
|
|
|
|
PrincipalName.KRB_NT_SRV_HST);
|
|
|
|
|
ktab.addEntry(pn,
|
|
|
|
|
getSalt(pn),
|
2012-03-20 11:12:21 +00:00
|
|
|
pass,
|
|
|
|
|
kvno,
|
|
|
|
|
true);
|
2011-04-20 10:41:32 +00:00
|
|
|
}
|
|
|
|
|
ktab.save();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Writes all principals' keys from multiple KDCs into one keytab file.
|
2008-10-17 05:02:00 +00:00
|
|
|
* @throws java.io.IOException for any file output error
|
|
|
|
|
* @throws sun.security.krb5.KrbException for any realm and/or principal
|
|
|
|
|
* name error.
|
|
|
|
|
*/
|
2009-06-09 06:17:05 +00:00
|
|
|
public static void writeMultiKtab(String tab, KDC... kdcs)
|
|
|
|
|
throws IOException, KrbException {
|
2012-03-20 11:12:21 +00:00
|
|
|
KeyTab.create(tab).save(); // Empty the old keytab
|
|
|
|
|
appendMultiKtab(tab, kdcs);
|
2011-04-20 10:41:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Appends all principals' keys from multiple KDCs to one keytab file.
|
|
|
|
|
*/
|
|
|
|
|
public static void appendMultiKtab(String tab, KDC... kdcs)
|
|
|
|
|
throws IOException, KrbException {
|
2012-03-20 11:12:21 +00:00
|
|
|
for (KDC kdc: kdcs) {
|
|
|
|
|
kdc.writeKtab(tab, true);
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
2009-06-09 06:17:05 +00:00
|
|
|
/**
|
|
|
|
|
* Write a ktab for this KDC.
|
|
|
|
|
*/
|
|
|
|
|
public void writeKtab(String tab) throws IOException, KrbException {
|
2012-03-20 11:12:21 +00:00
|
|
|
writeKtab(tab, false);
|
2009-06-09 06:17:05 +00:00
|
|
|
}
|
|
|
|
|
|
2011-04-20 10:41:32 +00:00
|
|
|
/**
|
|
|
|
|
* Appends keys in this KDC to a ktab.
|
|
|
|
|
*/
|
|
|
|
|
public void appendKtab(String tab) throws IOException, KrbException {
|
2012-03-20 11:12:21 +00:00
|
|
|
writeKtab(tab, true);
|
2011-04-20 10:41:32 +00:00
|
|
|
}
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
/**
|
|
|
|
|
* Adds a new principal to this realm with a given password.
|
|
|
|
|
* @param user the principal's name. For a service principal, use the
|
|
|
|
|
* form of host/f.q.d.n
|
|
|
|
|
* @param pass the password for the principal
|
|
|
|
|
*/
|
|
|
|
|
public void addPrincipal(String user, char[] pass) {
|
2009-06-17 07:26:58 +00:00
|
|
|
if (user.indexOf('@') < 0) {
|
|
|
|
|
user = user + "@" + realm;
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
passwords.put(user, pass);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Adds a new principal to this realm with a random password
|
|
|
|
|
* @param user the principal's name. For a service principal, use the
|
|
|
|
|
* form of host/f.q.d.n
|
|
|
|
|
*/
|
|
|
|
|
public void addPrincipalRandKey(String user) {
|
2009-06-17 07:26:58 +00:00
|
|
|
addPrincipal(user, randomPassword());
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns the name of this realm
|
|
|
|
|
* @return the name of this realm
|
|
|
|
|
*/
|
|
|
|
|
public String getRealm() {
|
|
|
|
|
return realm;
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-17 07:26:58 +00:00
|
|
|
/**
|
|
|
|
|
* Returns the name of kdc
|
|
|
|
|
* @return the name of kdc
|
|
|
|
|
*/
|
|
|
|
|
public String getKDC() {
|
|
|
|
|
return kdc;
|
|
|
|
|
}
|
|
|
|
|
|
2014-05-30 06:37:43 +00:00
|
|
|
/**
|
|
|
|
|
* Add realm-specific krb5.conf setting
|
|
|
|
|
*/
|
|
|
|
|
public void addConf(String s) {
|
|
|
|
|
conf.add(s);
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
/**
|
|
|
|
|
* Writes a krb5.conf for one or more KDC that includes KDC locations for
|
|
|
|
|
* each realm and the default realm name. You can also add extra strings
|
|
|
|
|
* into the file. The method should be called like:
|
|
|
|
|
* <pre>
|
|
|
|
|
* KDC.saveConfig("krb5.conf", kdc1, kdc2, ..., line1, line2, ...);
|
|
|
|
|
* </pre>
|
|
|
|
|
* Here you can provide one or more kdc# and zero or more line# arguments.
|
|
|
|
|
* The line# will be put after [libdefaults] and before [realms]. Therefore
|
|
|
|
|
* you can append new lines into [libdefaults] and/or create your new
|
|
|
|
|
* stanzas as well. Note that a newline character will be appended to
|
|
|
|
|
* each line# argument.
|
|
|
|
|
* <p>
|
|
|
|
|
* For example:
|
|
|
|
|
* <pre>
|
|
|
|
|
* KDC.saveConfig("krb5.conf", this);
|
|
|
|
|
* </pre>
|
|
|
|
|
* generates:
|
|
|
|
|
* <pre>
|
|
|
|
|
* [libdefaults]
|
|
|
|
|
* default_realm = REALM.NAME
|
|
|
|
|
*
|
|
|
|
|
* [realms]
|
|
|
|
|
* REALM.NAME = {
|
2009-06-17 07:26:58 +00:00
|
|
|
* kdc = host:port_number
|
2014-05-30 06:37:43 +00:00
|
|
|
* # realm-specific settings
|
2008-10-17 05:02:00 +00:00
|
|
|
* }
|
|
|
|
|
* </pre>
|
|
|
|
|
*
|
|
|
|
|
* Another example:
|
|
|
|
|
* <pre>
|
|
|
|
|
* KDC.saveConfig("krb5.conf", kdc1, kdc2, "forwardable = true", "",
|
|
|
|
|
* "[domain_realm]",
|
|
|
|
|
* ".kdc1.com = KDC1.NAME");
|
|
|
|
|
* </pre>
|
|
|
|
|
* generates:
|
|
|
|
|
* <pre>
|
|
|
|
|
* [libdefaults]
|
|
|
|
|
* default_realm = KDC1.NAME
|
|
|
|
|
* forwardable = true
|
|
|
|
|
*
|
|
|
|
|
* [domain_realm]
|
|
|
|
|
* .kdc1.com = KDC1.NAME
|
|
|
|
|
*
|
|
|
|
|
* [realms]
|
|
|
|
|
* KDC1.NAME = {
|
2009-06-17 07:26:58 +00:00
|
|
|
* kdc = host:port1
|
2008-10-17 05:02:00 +00:00
|
|
|
* }
|
|
|
|
|
* KDC2.NAME = {
|
2009-06-17 07:26:58 +00:00
|
|
|
* kdc = host:port2
|
2008-10-17 05:02:00 +00:00
|
|
|
* }
|
|
|
|
|
* </pre>
|
|
|
|
|
* @param file the name of the file to write into
|
|
|
|
|
* @param kdc the first (and default) KDC
|
|
|
|
|
* @param more more KDCs or extra lines (in their appearing order) to
|
|
|
|
|
* insert into the krb5.conf file. This method reads each argument's type
|
|
|
|
|
* to determine what it's for. This argument can be empty.
|
|
|
|
|
* @throws java.io.IOException for any file output error
|
|
|
|
|
*/
|
|
|
|
|
public static void saveConfig(String file, KDC kdc, Object... more)
|
|
|
|
|
throws IOException {
|
|
|
|
|
File f = new File(file);
|
|
|
|
|
StringBuffer sb = new StringBuffer();
|
|
|
|
|
sb.append("[libdefaults]\ndefault_realm = ");
|
|
|
|
|
sb.append(kdc.realm);
|
|
|
|
|
sb.append("\n");
|
|
|
|
|
for (Object o: more) {
|
|
|
|
|
if (o instanceof String) {
|
|
|
|
|
sb.append(o);
|
|
|
|
|
sb.append("\n");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
sb.append("\n[realms]\n");
|
2014-05-30 06:37:43 +00:00
|
|
|
sb.append(kdc.realmLine());
|
2008-10-17 05:02:00 +00:00
|
|
|
for (Object o: more) {
|
|
|
|
|
if (o instanceof KDC) {
|
2014-05-30 06:37:43 +00:00
|
|
|
sb.append(((KDC)o).realmLine());
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
FileOutputStream fos = new FileOutputStream(f);
|
|
|
|
|
fos.write(sb.toString().getBytes());
|
|
|
|
|
fos.close();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns the service port of the KDC server.
|
|
|
|
|
* @return the KDC service port
|
|
|
|
|
*/
|
|
|
|
|
public int getPort() {
|
|
|
|
|
return port;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Private helper methods
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Private constructor, cannot be called outside.
|
|
|
|
|
* @param realm
|
|
|
|
|
*/
|
2009-06-17 07:26:58 +00:00
|
|
|
private KDC(String realm, String kdc) {
|
2008-10-17 05:02:00 +00:00
|
|
|
this.realm = realm;
|
2009-06-17 07:26:58 +00:00
|
|
|
this.kdc = kdc;
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* A constructor that starts the KDC service also.
|
|
|
|
|
*/
|
2009-06-17 07:26:58 +00:00
|
|
|
protected KDC(String realm, String kdc, int port, boolean asDaemon)
|
2008-10-17 05:02:00 +00:00
|
|
|
throws IOException {
|
2009-06-17 07:26:58 +00:00
|
|
|
this(realm, kdc);
|
2008-10-17 05:02:00 +00:00
|
|
|
startServer(port, asDaemon);
|
|
|
|
|
}
|
|
|
|
|
/**
|
|
|
|
|
* Generates a 32-char random password
|
|
|
|
|
* @return the password
|
|
|
|
|
*/
|
|
|
|
|
private static char[] randomPassword() {
|
|
|
|
|
char[] pass = new char[32];
|
2010-05-25 10:20:54 +00:00
|
|
|
for (int i=0; i<31; i++)
|
2008-10-17 05:02:00 +00:00
|
|
|
pass[i] = (char)secureRandom.nextInt();
|
2010-05-25 10:20:54 +00:00
|
|
|
// The last char cannot be a number, otherwise, keyForUser()
|
|
|
|
|
// believes it's a sign of kvno
|
|
|
|
|
pass[31] = 'Z';
|
2008-10-17 05:02:00 +00:00
|
|
|
return pass;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Generates a random key for the given encryption type.
|
|
|
|
|
* @param eType the encryption type
|
|
|
|
|
* @return the generated key
|
|
|
|
|
* @throws sun.security.krb5.KrbException for unknown/unsupported etype
|
|
|
|
|
*/
|
|
|
|
|
private static EncryptionKey generateRandomKey(int eType)
|
|
|
|
|
throws KrbException {
|
|
|
|
|
// Is 32 enough for AES256? I should have generated the keys directly
|
|
|
|
|
// but different cryptos have different rules on what keys are valid.
|
|
|
|
|
char[] pass = randomPassword();
|
|
|
|
|
String algo;
|
|
|
|
|
switch (eType) {
|
|
|
|
|
case EncryptedData.ETYPE_DES_CBC_MD5: algo = "DES"; break;
|
|
|
|
|
case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD: algo = "DESede"; break;
|
|
|
|
|
case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96: algo = "AES128"; break;
|
|
|
|
|
case EncryptedData.ETYPE_ARCFOUR_HMAC: algo = "ArcFourHMAC"; break;
|
|
|
|
|
case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96: algo = "AES256"; break;
|
|
|
|
|
default: algo = "DES"; break;
|
|
|
|
|
}
|
|
|
|
|
return new EncryptionKey(pass, "NOTHING", algo); // Silly
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns the password for a given principal
|
|
|
|
|
* @param p principal
|
|
|
|
|
* @return the password
|
|
|
|
|
* @throws sun.security.krb5.KrbException when the principal is not inside
|
|
|
|
|
* the database.
|
|
|
|
|
*/
|
2009-11-27 00:51:28 +00:00
|
|
|
private char[] getPassword(PrincipalName p, boolean server)
|
|
|
|
|
throws KrbException {
|
2009-06-17 07:26:58 +00:00
|
|
|
String pn = p.toString();
|
|
|
|
|
if (p.getRealmString() == null) {
|
|
|
|
|
pn = pn + "@" + getRealm();
|
|
|
|
|
}
|
|
|
|
|
char[] pass = passwords.get(pn);
|
2008-10-17 05:02:00 +00:00
|
|
|
if (pass == null) {
|
2009-11-27 00:51:28 +00:00
|
|
|
throw new KrbException(server?
|
|
|
|
|
Krb5.KDC_ERR_S_PRINCIPAL_UNKNOWN:
|
2013-01-08 06:54:56 +00:00
|
|
|
Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN, pn.toString());
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
return pass;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2009-06-17 07:26:58 +00:00
|
|
|
* Returns the salt string for the principal.
|
2008-10-17 05:02:00 +00:00
|
|
|
* @param p principal
|
|
|
|
|
* @return the salt
|
|
|
|
|
*/
|
2013-01-08 06:54:56 +00:00
|
|
|
protected String getSalt(PrincipalName p) {
|
2010-11-12 13:33:14 +00:00
|
|
|
String pn = p.toString();
|
|
|
|
|
if (p.getRealmString() == null) {
|
|
|
|
|
pn = pn + "@" + getRealm();
|
|
|
|
|
}
|
|
|
|
|
if (passwords.containsKey(pn)) {
|
|
|
|
|
try {
|
|
|
|
|
// Find the principal name with correct case.
|
|
|
|
|
p = new PrincipalName(passwords.ceilingEntry(pn).getKey());
|
|
|
|
|
} catch (RealmException re) {
|
|
|
|
|
// Won't happen
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-06-17 07:26:58 +00:00
|
|
|
String s = p.getRealmString();
|
|
|
|
|
if (s == null) s = getRealm();
|
|
|
|
|
for (String n: p.getNameStrings()) {
|
|
|
|
|
s += n;
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
2009-06-17 07:26:58 +00:00
|
|
|
return s;
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Returns the key for a given principal of the given encryption type
|
|
|
|
|
* @param p the principal
|
|
|
|
|
* @param etype the encryption type
|
2009-11-27 00:51:28 +00:00
|
|
|
* @param server looking for a server principal?
|
2008-10-17 05:02:00 +00:00
|
|
|
* @return the key
|
|
|
|
|
* @throws sun.security.krb5.KrbException for unknown/unsupported etype
|
|
|
|
|
*/
|
2009-11-27 00:51:28 +00:00
|
|
|
private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
|
|
|
|
|
throws KrbException {
|
2008-10-17 05:02:00 +00:00
|
|
|
try {
|
|
|
|
|
// Do not call EncryptionKey.acquireSecretKeys(), otherwise
|
|
|
|
|
// the krb5.conf config file would be loaded.
|
2009-10-28 07:32:30 +00:00
|
|
|
Integer kvno = null;
|
2009-12-24 05:56:28 +00:00
|
|
|
// For service whose password ending with a number, use it as kvno.
|
|
|
|
|
// Kvno must be postive.
|
|
|
|
|
if (p.toString().indexOf('/') > 0) {
|
2009-11-27 00:51:28 +00:00
|
|
|
char[] pass = getPassword(p, server);
|
2009-10-28 07:32:30 +00:00
|
|
|
if (Character.isDigit(pass[pass.length-1])) {
|
|
|
|
|
kvno = pass[pass.length-1] - '0';
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-11-12 13:33:14 +00:00
|
|
|
return new EncryptionKey(EncryptionKeyDotStringToKey(
|
|
|
|
|
getPassword(p, server), getSalt(p), null, etype),
|
2009-10-28 07:32:30 +00:00
|
|
|
etype, kvno);
|
2009-11-27 00:51:28 +00:00
|
|
|
} catch (KrbException ke) {
|
|
|
|
|
throw ke;
|
2008-10-17 05:02:00 +00:00
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new RuntimeException(e); // should not happen
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Processes an incoming request and generates a response.
|
|
|
|
|
* @param in the request
|
|
|
|
|
* @return the response
|
|
|
|
|
* @throws java.lang.Exception for various errors
|
|
|
|
|
*/
|
2013-12-04 01:14:42 +00:00
|
|
|
protected byte[] processMessage(byte[] in) throws Exception {
|
2008-10-17 05:02:00 +00:00
|
|
|
if ((in[0] & 0x1f) == Krb5.KRB_AS_REQ)
|
|
|
|
|
return processAsReq(in);
|
|
|
|
|
else
|
|
|
|
|
return processTgsReq(in);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Processes a TGS_REQ and generates a TGS_REP (or KRB_ERROR)
|
|
|
|
|
* @param in the request
|
|
|
|
|
* @return the response
|
|
|
|
|
* @throws java.lang.Exception for various errors
|
|
|
|
|
*/
|
2013-12-04 01:14:42 +00:00
|
|
|
protected byte[] processTgsReq(byte[] in) throws Exception {
|
2008-10-17 05:02:00 +00:00
|
|
|
TGSReq tgsReq = new TGSReq(in);
|
2011-08-04 10:18:45 +00:00
|
|
|
PrincipalName service = tgsReq.reqBody.sname;
|
|
|
|
|
if (options.containsKey(KDC.Option.RESP_NT)) {
|
2012-07-11 09:10:34 +00:00
|
|
|
service = new PrincipalName((int)options.get(KDC.Option.RESP_NT),
|
|
|
|
|
service.getNameStrings(), service.getRealm());
|
2011-08-04 10:18:45 +00:00
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
try {
|
|
|
|
|
System.out.println(realm + "> " + tgsReq.reqBody.cname +
|
|
|
|
|
" sends TGS-REQ for " +
|
2011-08-04 10:18:45 +00:00
|
|
|
service);
|
2008-10-17 05:02:00 +00:00
|
|
|
KDCReqBody body = tgsReq.reqBody;
|
2010-11-12 13:33:14 +00:00
|
|
|
int[] eTypes = KDCReqBodyDotEType(body);
|
|
|
|
|
int e2 = eTypes[0]; // etype for outgoing session key
|
|
|
|
|
int e3 = eTypes[0]; // etype for outgoing ticket
|
2008-10-17 05:02:00 +00:00
|
|
|
|
2012-11-07 06:13:01 +00:00
|
|
|
PAData[] pas = KDCReqDotPAData(tgsReq);
|
2008-10-17 05:02:00 +00:00
|
|
|
|
|
|
|
|
Ticket tkt = null;
|
|
|
|
|
EncTicketPart etp = null;
|
2012-11-07 06:13:01 +00:00
|
|
|
|
|
|
|
|
PrincipalName cname = null;
|
|
|
|
|
boolean allowForwardable = true;
|
|
|
|
|
|
2008-10-17 05:02:00 +00:00
|
|
|
if (pas == null || pas.length == 0) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
|
|
|
|
|
} else {
|
2012-11-07 06:13:01 +00:00
|
|
|
PrincipalName forUserCName = null;
|
2008-10-17 05:02:00 +00:00
|
|
|
for (PAData pa: pas) {
|
|
|
|
|
if (pa.getType() == Krb5.PA_TGS_REQ) {
|
|
|
|
|
APReq apReq = new APReq(pa.getValue());
|
|
|
|
|
EncryptedData ed = apReq.authenticator;
|
|
|
|
|
tkt = apReq.ticket;
|
2010-11-12 13:33:14 +00:00
|
|
|
int te = tkt.encPart.getEType();
|
|
|
|
|
EncryptionKey kkey = keyForUser(tkt.sname, te, true);
|
2008-10-17 05:02:00 +00:00
|
|
|
byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
|
|
|
|
|
DerInputStream derIn = new DerInputStream(bb);
|
|
|
|
|
DerValue der = derIn.getDerValue();
|
|
|
|
|
etp = new EncTicketPart(der.toByteArray());
|
2012-11-07 06:13:01 +00:00
|
|
|
// Finally, cname will be overwritten by PA-FOR-USER
|
|
|
|
|
// if it exists.
|
|
|
|
|
cname = etp.cname;
|
|
|
|
|
System.out.println(realm + "> presenting a ticket of "
|
|
|
|
|
+ etp.cname + " to " + tkt.sname);
|
|
|
|
|
} else if (pa.getType() == Krb5.PA_FOR_USER) {
|
|
|
|
|
if (options.containsKey(Option.ALLOW_S4U2SELF)) {
|
|
|
|
|
PAForUserEnc p4u = new PAForUserEnc(
|
|
|
|
|
new DerValue(pa.getValue()), null);
|
|
|
|
|
forUserCName = p4u.name;
|
|
|
|
|
System.out.println(realm + "> presenting a PA_FOR_USER "
|
|
|
|
|
+ " in the name of " + p4u.name);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (forUserCName != null) {
|
|
|
|
|
List<String> names = (List<String>)options.get(Option.ALLOW_S4U2SELF);
|
|
|
|
|
if (!names.contains(cname.toString())) {
|
|
|
|
|
// Mimic the normal KDC behavior. When a server is not
|
|
|
|
|
// allowed to send S4U2self, do not send an error.
|
|
|
|
|
// Instead, send a ticket which is useless later.
|
|
|
|
|
allowForwardable = false;
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
2012-11-07 06:13:01 +00:00
|
|
|
cname = forUserCName;
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
if (tkt == null) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Session key for original ticket, TGT
|
|
|
|
|
EncryptionKey ckey = etp.key;
|
|
|
|
|
|
|
|
|
|
// Session key for session with the service
|
2010-11-12 13:33:14 +00:00
|
|
|
EncryptionKey key = generateRandomKey(e2);
|
2008-10-17 05:02:00 +00:00
|
|
|
|
|
|
|
|
// Check time, TODO
|
|
|
|
|
KerberosTime till = body.till;
|
|
|
|
|
if (till == null) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
|
|
|
|
|
} else if (till.isZero()) {
|
|
|
|
|
till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
|
2012-11-07 06:13:01 +00:00
|
|
|
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)
|
|
|
|
|
&& allowForwardable) {
|
2008-10-17 05:02:00 +00:00
|
|
|
bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.FORWARDED) ||
|
|
|
|
|
etp.flags.get(Krb5.TKT_OPTS_FORWARDED)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_FORWARDED] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
|
|
|
|
|
//renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
|
|
|
|
|
}
|
2012-11-07 06:13:01 +00:00
|
|
|
if (body.kdcOptions.get(KDCOptions.CNAME_IN_ADDL_TKT)) {
|
|
|
|
|
if (!options.containsKey(Option.ALLOW_S4U2PROXY)) {
|
|
|
|
|
// Don't understand CNAME_IN_ADDL_TKT
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_BADOPTION);
|
|
|
|
|
} else {
|
|
|
|
|
Map<String,List<String>> map = (Map<String,List<String>>)
|
|
|
|
|
options.get(Option.ALLOW_S4U2PROXY);
|
|
|
|
|
Ticket second = KDCReqBodyDotFirstAdditionalTicket(body);
|
|
|
|
|
EncryptionKey key2 = keyForUser(second.sname, second.encPart.getEType(), true);
|
|
|
|
|
byte[] bb = second.encPart.decrypt(key2, KeyUsage.KU_TICKET);
|
|
|
|
|
DerInputStream derIn = new DerInputStream(bb);
|
|
|
|
|
DerValue der = derIn.getDerValue();
|
|
|
|
|
EncTicketPart tktEncPart = new EncTicketPart(der.toByteArray());
|
|
|
|
|
if (!tktEncPart.flags.get(Krb5.TKT_OPTS_FORWARDABLE)) {
|
|
|
|
|
//throw new KrbException(Krb5.KDC_ERR_BADOPTION);
|
|
|
|
|
}
|
|
|
|
|
PrincipalName client = tktEncPart.cname;
|
|
|
|
|
System.out.println(realm + "> and an additional ticket of "
|
|
|
|
|
+ client + " to " + second.sname);
|
|
|
|
|
if (map.containsKey(cname.toString())) {
|
|
|
|
|
if (map.get(cname.toString()).contains(service.toString())) {
|
|
|
|
|
System.out.println(realm + "> S4U2proxy OK");
|
|
|
|
|
} else {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_BADOPTION);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_BADOPTION);
|
|
|
|
|
}
|
|
|
|
|
cname = client;
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-11-27 00:51:28 +00:00
|
|
|
|
2012-06-05 09:11:26 +00:00
|
|
|
String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE);
|
|
|
|
|
if (okAsDelegate != null && (
|
|
|
|
|
okAsDelegate.isEmpty() ||
|
|
|
|
|
okAsDelegate.contains(service.getNameString()))) {
|
2009-11-27 00:51:28 +00:00
|
|
|
bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
|
|
|
|
|
|
|
|
|
|
TicketFlags tFlags = new TicketFlags(bFlags);
|
|
|
|
|
EncTicketPart enc = new EncTicketPart(
|
|
|
|
|
tFlags,
|
|
|
|
|
key,
|
2012-11-07 06:13:01 +00:00
|
|
|
cname,
|
2008-10-17 05:02:00 +00:00
|
|
|
new TransitedEncoding(1, new byte[0]), // TODO
|
|
|
|
|
new KerberosTime(new Date()),
|
|
|
|
|
body.from,
|
|
|
|
|
till, body.rtime,
|
2011-04-07 00:51:33 +00:00
|
|
|
body.addresses != null // always set caddr
|
|
|
|
|
? body.addresses
|
|
|
|
|
: new HostAddresses(
|
|
|
|
|
new InetAddress[]{InetAddress.getLocalHost()}),
|
2008-10-17 05:02:00 +00:00
|
|
|
null);
|
2011-08-04 10:18:45 +00:00
|
|
|
EncryptionKey skey = keyForUser(service, e3, true);
|
2010-11-12 13:33:14 +00:00
|
|
|
if (skey == null) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
Ticket t = new Ticket(
|
2011-08-04 10:18:45 +00:00
|
|
|
service,
|
2008-10-17 05:02:00 +00:00
|
|
|
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
|
|
|
|
|
);
|
|
|
|
|
EncTGSRepPart enc_part = new EncTGSRepPart(
|
|
|
|
|
key,
|
|
|
|
|
new LastReq(new LastReqEntry[]{
|
|
|
|
|
new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000))
|
|
|
|
|
}),
|
|
|
|
|
body.getNonce(), // TODO: detect replay
|
|
|
|
|
new KerberosTime(new Date().getTime() + 1000 * 3600 * 24),
|
|
|
|
|
// Next 5 and last MUST be same with ticket
|
|
|
|
|
tFlags,
|
|
|
|
|
new KerberosTime(new Date()),
|
|
|
|
|
body.from,
|
|
|
|
|
till, body.rtime,
|
2011-08-04 10:18:45 +00:00
|
|
|
service,
|
2011-04-07 00:51:33 +00:00
|
|
|
body.addresses != null // always set caddr
|
|
|
|
|
? body.addresses
|
|
|
|
|
: new HostAddresses(
|
|
|
|
|
new InetAddress[]{InetAddress.getLocalHost()})
|
2008-10-17 05:02:00 +00:00
|
|
|
);
|
|
|
|
|
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
|
|
|
|
|
TGSRep tgsRep = new TGSRep(null,
|
2012-11-07 06:13:01 +00:00
|
|
|
cname,
|
2008-10-17 05:02:00 +00:00
|
|
|
t,
|
|
|
|
|
edata);
|
|
|
|
|
System.out.println(" Return " + tgsRep.cname
|
|
|
|
|
+ " ticket for " + tgsRep.ticket.sname);
|
|
|
|
|
|
|
|
|
|
DerOutputStream out = new DerOutputStream();
|
|
|
|
|
out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
|
|
|
|
|
true, (byte)Krb5.KRB_TGS_REP), tgsRep.asn1Encode());
|
|
|
|
|
return out.toByteArray();
|
|
|
|
|
} catch (KrbException ke) {
|
|
|
|
|
ke.printStackTrace(System.out);
|
|
|
|
|
KRBError kerr = ke.getError();
|
|
|
|
|
KDCReqBody body = tgsReq.reqBody;
|
|
|
|
|
System.out.println(" Error " + ke.returnCode()
|
|
|
|
|
+ " " +ke.returnCodeMessage());
|
|
|
|
|
if (kerr == null) {
|
|
|
|
|
kerr = new KRBError(null, null, null,
|
|
|
|
|
new KerberosTime(new Date()),
|
|
|
|
|
0,
|
|
|
|
|
ke.returnCode(),
|
2012-07-11 09:10:34 +00:00
|
|
|
body.cname,
|
|
|
|
|
service,
|
2008-10-17 05:02:00 +00:00
|
|
|
KrbException.errorMessage(ke.returnCode()),
|
|
|
|
|
null);
|
|
|
|
|
}
|
|
|
|
|
return kerr.asn1Encode();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Processes a AS_REQ and generates a AS_REP (or KRB_ERROR)
|
|
|
|
|
* @param in the request
|
|
|
|
|
* @return the response
|
|
|
|
|
* @throws java.lang.Exception for various errors
|
|
|
|
|
*/
|
2013-12-04 01:14:42 +00:00
|
|
|
protected byte[] processAsReq(byte[] in) throws Exception {
|
2008-10-17 05:02:00 +00:00
|
|
|
ASReq asReq = new ASReq(in);
|
|
|
|
|
int[] eTypes = null;
|
2011-01-12 21:52:09 +00:00
|
|
|
List<PAData> outPAs = new ArrayList<>();
|
2010-11-12 13:33:14 +00:00
|
|
|
|
2011-08-04 10:18:45 +00:00
|
|
|
PrincipalName service = asReq.reqBody.sname;
|
|
|
|
|
if (options.containsKey(KDC.Option.RESP_NT)) {
|
|
|
|
|
service = new PrincipalName(service.getNameStrings(),
|
|
|
|
|
(int)options.get(KDC.Option.RESP_NT));
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
try {
|
|
|
|
|
System.out.println(realm + "> " + asReq.reqBody.cname +
|
|
|
|
|
" sends AS-REQ for " +
|
2011-08-04 10:18:45 +00:00
|
|
|
service);
|
2008-10-17 05:02:00 +00:00
|
|
|
|
|
|
|
|
KDCReqBody body = asReq.reqBody;
|
|
|
|
|
|
2010-11-12 13:33:14 +00:00
|
|
|
eTypes = KDCReqBodyDotEType(body);
|
2008-10-17 05:02:00 +00:00
|
|
|
int eType = eTypes[0];
|
|
|
|
|
|
2014-12-09 10:28:26 +00:00
|
|
|
// Maybe server does not support aes256, but a kinit does
|
|
|
|
|
if (!EType.isSupported(eType)) {
|
|
|
|
|
if (eTypes.length < 2) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
|
|
|
|
|
}
|
|
|
|
|
eType = eTypes[1];
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-27 00:51:28 +00:00
|
|
|
EncryptionKey ckey = keyForUser(body.cname, eType, false);
|
2011-08-04 10:18:45 +00:00
|
|
|
EncryptionKey skey = keyForUser(service, eType, true);
|
2010-06-04 11:28:53 +00:00
|
|
|
|
|
|
|
|
if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
|
|
|
|
|
int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
|
|
|
|
|
boolean found = false;
|
|
|
|
|
for (int i=0; i<eTypes.length; i++) {
|
|
|
|
|
if (eTypes[i] == tgtEType) {
|
|
|
|
|
found = true;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!found) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
|
|
|
|
|
}
|
2011-08-04 10:18:45 +00:00
|
|
|
skey = keyForUser(service, tgtEType, true);
|
2010-06-04 11:28:53 +00:00
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
if (ckey == null) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
|
|
|
|
|
}
|
|
|
|
|
if (skey == null) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Session key
|
|
|
|
|
EncryptionKey key = generateRandomKey(eType);
|
|
|
|
|
// Check time, TODO
|
|
|
|
|
KerberosTime till = body.till;
|
2014-12-09 10:28:26 +00:00
|
|
|
KerberosTime rtime = body.rtime;
|
2008-10-17 05:02:00 +00:00
|
|
|
if (till == null) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
|
|
|
|
|
} else if (till.isZero()) {
|
2014-12-09 10:28:26 +00:00
|
|
|
till = new KerberosTime(
|
|
|
|
|
new Date().getTime() + 1000 * DEFAULT_LIFETIME);
|
|
|
|
|
}
|
|
|
|
|
if (rtime == null && body.kdcOptions.get(KDCOptions.RENEWABLE)) {
|
|
|
|
|
rtime = new KerberosTime(
|
|
|
|
|
new Date().getTime() + 1000 * DEFAULT_RENEWTIME);
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
//body.from
|
|
|
|
|
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
|
|
|
|
|
//renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
|
|
|
|
|
}
|
|
|
|
|
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
|
|
|
|
|
}
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
|
|
|
|
|
|
2010-11-12 13:33:14 +00:00
|
|
|
// Creating PA-DATA
|
2011-09-07 00:56:55 +00:00
|
|
|
DerValue[] pas2 = null, pas = null;
|
|
|
|
|
if (options.containsKey(KDC.Option.DUP_ETYPE)) {
|
|
|
|
|
int n = (Integer)options.get(KDC.Option.DUP_ETYPE);
|
|
|
|
|
switch (n) {
|
|
|
|
|
case 1: // customer's case in 7067974
|
|
|
|
|
pas2 = new DerValue[] {
|
|
|
|
|
new DerValue(new ETypeInfo2(1, null, null).asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo2(1, "", null).asn1Encode()),
|
2013-03-23 03:49:39 +00:00
|
|
|
new DerValue(new ETypeInfo2(1, realm, new byte[]{1}).asn1Encode()),
|
2011-09-07 00:56:55 +00:00
|
|
|
};
|
|
|
|
|
pas = new DerValue[] {
|
|
|
|
|
new DerValue(new ETypeInfo(1, null).asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo(1, "").asn1Encode()),
|
2013-03-23 03:49:39 +00:00
|
|
|
new DerValue(new ETypeInfo(1, realm).asn1Encode()),
|
2011-09-07 00:56:55 +00:00
|
|
|
};
|
|
|
|
|
break;
|
|
|
|
|
case 2: // we still reject non-null s2kparams and prefer E2 over E
|
|
|
|
|
pas2 = new DerValue[] {
|
2013-03-23 03:49:39 +00:00
|
|
|
new DerValue(new ETypeInfo2(1, realm, new byte[]{1}).asn1Encode()),
|
2011-09-07 00:56:55 +00:00
|
|
|
new DerValue(new ETypeInfo2(1, null, null).asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo2(1, "", null).asn1Encode()),
|
|
|
|
|
};
|
|
|
|
|
pas = new DerValue[] {
|
2013-03-23 03:49:39 +00:00
|
|
|
new DerValue(new ETypeInfo(1, realm).asn1Encode()),
|
2011-09-07 00:56:55 +00:00
|
|
|
new DerValue(new ETypeInfo(1, null).asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo(1, "").asn1Encode()),
|
|
|
|
|
};
|
|
|
|
|
break;
|
|
|
|
|
case 3: // but only E is wrong
|
|
|
|
|
pas = new DerValue[] {
|
2013-03-23 03:49:39 +00:00
|
|
|
new DerValue(new ETypeInfo(1, realm).asn1Encode()),
|
2011-09-07 00:56:55 +00:00
|
|
|
new DerValue(new ETypeInfo(1, null).asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo(1, "").asn1Encode()),
|
|
|
|
|
};
|
|
|
|
|
break;
|
|
|
|
|
case 4: // we also ignore rc4-hmac
|
|
|
|
|
pas = new DerValue[] {
|
|
|
|
|
new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo(1, null).asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo(1, "").asn1Encode()),
|
|
|
|
|
};
|
|
|
|
|
break;
|
|
|
|
|
case 5: // "" should be wrong, but we accept it now
|
|
|
|
|
// See s.s.k.internal.PAData$SaltAndParams
|
|
|
|
|
pas = new DerValue[] {
|
|
|
|
|
new DerValue(new ETypeInfo(1, "").asn1Encode()),
|
|
|
|
|
new DerValue(new ETypeInfo(1, null).asn1Encode()),
|
|
|
|
|
};
|
2010-11-12 13:33:14 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2011-09-07 00:56:55 +00:00
|
|
|
} else {
|
|
|
|
|
int[] epas = eTypes;
|
|
|
|
|
if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) {
|
|
|
|
|
for (int i=1; i<epas.length; i++) {
|
|
|
|
|
if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) {
|
|
|
|
|
epas[i] = epas[0];
|
|
|
|
|
epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
} else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) {
|
|
|
|
|
epas = new int[] { eTypes[0] };
|
|
|
|
|
}
|
|
|
|
|
pas2 = new DerValue[epas.length];
|
2010-11-12 13:33:14 +00:00
|
|
|
for (int i=0; i<epas.length; i++) {
|
2011-09-07 00:56:55 +00:00
|
|
|
pas2[i] = new DerValue(new ETypeInfo2(
|
2010-11-12 13:33:14 +00:00
|
|
|
epas[i],
|
|
|
|
|
epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ?
|
2011-09-07 00:56:55 +00:00
|
|
|
null : getSalt(body.cname),
|
|
|
|
|
null).asn1Encode());
|
|
|
|
|
}
|
|
|
|
|
boolean allOld = true;
|
|
|
|
|
for (int i: eTypes) {
|
|
|
|
|
if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 ||
|
|
|
|
|
i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) {
|
|
|
|
|
allOld = false;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2010-11-12 13:33:14 +00:00
|
|
|
}
|
2011-09-07 00:56:55 +00:00
|
|
|
if (allOld) {
|
|
|
|
|
pas = new DerValue[epas.length];
|
|
|
|
|
for (int i=0; i<epas.length; i++) {
|
|
|
|
|
pas[i] = new DerValue(new ETypeInfo(
|
|
|
|
|
epas[i],
|
|
|
|
|
epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ?
|
|
|
|
|
null : getSalt(body.cname)
|
|
|
|
|
).asn1Encode());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DerOutputStream eid;
|
|
|
|
|
if (pas2 != null) {
|
|
|
|
|
eid = new DerOutputStream();
|
|
|
|
|
eid.putSequence(pas2);
|
|
|
|
|
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray()));
|
|
|
|
|
}
|
|
|
|
|
if (pas != null) {
|
2010-11-12 13:33:14 +00:00
|
|
|
eid = new DerOutputStream();
|
|
|
|
|
eid.putSequence(pas);
|
|
|
|
|
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-07 06:13:01 +00:00
|
|
|
PAData[] inPAs = KDCReqDotPAData(asReq);
|
2010-11-12 13:33:14 +00:00
|
|
|
if (inPAs == null || inPAs.length == 0) {
|
2008-10-17 05:02:00 +00:00
|
|
|
Object preauth = options.get(Option.PREAUTH_REQUIRED);
|
|
|
|
|
if (preauth == null || preauth.equals(Boolean.TRUE)) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
try {
|
2010-11-12 13:33:14 +00:00
|
|
|
EncryptedData data = newEncryptedData(new DerValue(inPAs[0].getValue()));
|
2010-06-04 11:28:53 +00:00
|
|
|
EncryptionKey pakey = keyForUser(body.cname, data.getEType(), false);
|
|
|
|
|
data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS);
|
2008-10-17 05:02:00 +00:00
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
|
|
|
|
|
}
|
|
|
|
|
bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TicketFlags tFlags = new TicketFlags(bFlags);
|
|
|
|
|
EncTicketPart enc = new EncTicketPart(
|
|
|
|
|
tFlags,
|
|
|
|
|
key,
|
|
|
|
|
body.cname,
|
|
|
|
|
new TransitedEncoding(1, new byte[0]),
|
|
|
|
|
new KerberosTime(new Date()),
|
|
|
|
|
body.from,
|
2014-12-09 10:28:26 +00:00
|
|
|
till, rtime,
|
2008-10-17 05:02:00 +00:00
|
|
|
body.addresses,
|
|
|
|
|
null);
|
|
|
|
|
Ticket t = new Ticket(
|
2011-08-04 10:18:45 +00:00
|
|
|
service,
|
2008-10-17 05:02:00 +00:00
|
|
|
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
|
|
|
|
|
);
|
|
|
|
|
EncASRepPart enc_part = new EncASRepPart(
|
|
|
|
|
key,
|
|
|
|
|
new LastReq(new LastReqEntry[]{
|
|
|
|
|
new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000))
|
|
|
|
|
}),
|
|
|
|
|
body.getNonce(), // TODO: detect replay?
|
|
|
|
|
new KerberosTime(new Date().getTime() + 1000 * 3600 * 24),
|
|
|
|
|
// Next 5 and last MUST be same with ticket
|
|
|
|
|
tFlags,
|
|
|
|
|
new KerberosTime(new Date()),
|
|
|
|
|
body.from,
|
2014-12-09 10:28:26 +00:00
|
|
|
till, rtime,
|
2011-08-04 10:18:45 +00:00
|
|
|
service,
|
2008-10-17 05:02:00 +00:00
|
|
|
body.addresses
|
|
|
|
|
);
|
|
|
|
|
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
|
2010-11-12 13:33:14 +00:00
|
|
|
ASRep asRep = new ASRep(
|
|
|
|
|
outPAs.toArray(new PAData[outPAs.size()]),
|
2008-10-17 05:02:00 +00:00
|
|
|
body.cname,
|
|
|
|
|
t,
|
|
|
|
|
edata);
|
|
|
|
|
|
|
|
|
|
System.out.println(" Return " + asRep.cname
|
|
|
|
|
+ " ticket for " + asRep.ticket.sname);
|
|
|
|
|
|
|
|
|
|
DerOutputStream out = new DerOutputStream();
|
|
|
|
|
out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
|
|
|
|
|
true, (byte)Krb5.KRB_AS_REP), asRep.asn1Encode());
|
2008-11-12 08:01:06 +00:00
|
|
|
byte[] result = out.toByteArray();
|
|
|
|
|
|
|
|
|
|
// Added feature:
|
|
|
|
|
// Write the current issuing TGT into a ccache file specified
|
|
|
|
|
// by the system property below.
|
|
|
|
|
String ccache = System.getProperty("test.kdc.save.ccache");
|
|
|
|
|
if (ccache != null) {
|
|
|
|
|
asRep.encKDCRepPart = enc_part;
|
|
|
|
|
sun.security.krb5.internal.ccache.Credentials credentials =
|
|
|
|
|
new sun.security.krb5.internal.ccache.Credentials(asRep);
|
|
|
|
|
CredentialsCache cache =
|
|
|
|
|
CredentialsCache.create(asReq.reqBody.cname, ccache);
|
|
|
|
|
if (cache == null) {
|
|
|
|
|
throw new IOException("Unable to create the cache file " +
|
|
|
|
|
ccache);
|
|
|
|
|
}
|
|
|
|
|
cache.update(credentials);
|
|
|
|
|
cache.save();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return result;
|
2008-10-17 05:02:00 +00:00
|
|
|
} catch (KrbException ke) {
|
|
|
|
|
ke.printStackTrace(System.out);
|
|
|
|
|
KRBError kerr = ke.getError();
|
|
|
|
|
KDCReqBody body = asReq.reqBody;
|
|
|
|
|
System.out.println(" Error " + ke.returnCode()
|
|
|
|
|
+ " " +ke.returnCodeMessage());
|
|
|
|
|
byte[] eData = null;
|
|
|
|
|
if (kerr == null) {
|
|
|
|
|
if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED ||
|
|
|
|
|
ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
|
|
|
|
|
DerOutputStream bytes = new DerOutputStream();
|
|
|
|
|
bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode());
|
2010-11-12 13:33:14 +00:00
|
|
|
for (PAData p: outPAs) {
|
|
|
|
|
bytes.write(p.asn1Encode());
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
DerOutputStream temp = new DerOutputStream();
|
|
|
|
|
temp.write(DerValue.tag_Sequence, bytes);
|
|
|
|
|
eData = temp.toByteArray();
|
|
|
|
|
}
|
|
|
|
|
kerr = new KRBError(null, null, null,
|
|
|
|
|
new KerberosTime(new Date()),
|
|
|
|
|
0,
|
|
|
|
|
ke.returnCode(),
|
2012-07-11 09:10:34 +00:00
|
|
|
body.cname,
|
|
|
|
|
service,
|
2008-10-17 05:02:00 +00:00
|
|
|
KrbException.errorMessage(ke.returnCode()),
|
|
|
|
|
eData);
|
|
|
|
|
}
|
|
|
|
|
return kerr.asn1Encode();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Generates a line for a KDC to put inside [realms] of krb5.conf
|
2014-05-30 06:37:43 +00:00
|
|
|
* @return REALM.NAME = { kdc = host:port etc }
|
2008-10-17 05:02:00 +00:00
|
|
|
*/
|
2014-05-30 06:37:43 +00:00
|
|
|
private String realmLine() {
|
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
|
|
|
sb.append(realm).append(" = {\n kdc = ")
|
|
|
|
|
.append(kdc).append(':').append(port).append('\n');
|
|
|
|
|
for (String s: conf) {
|
|
|
|
|
sb.append(" ").append(s).append('\n');
|
|
|
|
|
}
|
|
|
|
|
return sb.append("}\n").toString();
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Start the KDC service. This server listens on both UDP and TCP using
|
|
|
|
|
* the same port number. It uses three threads to deal with requests.
|
|
|
|
|
* They can be set to daemon threads if requested.
|
|
|
|
|
* @param port the port number to listen to. If zero, a random available
|
|
|
|
|
* port no less than 8000 will be chosen and used.
|
|
|
|
|
* @param asDaemon true if the KDC threads should be daemons
|
|
|
|
|
* @throws java.io.IOException for any communication error
|
|
|
|
|
*/
|
|
|
|
|
protected void startServer(int port, boolean asDaemon) throws IOException {
|
|
|
|
|
if (port > 0) {
|
|
|
|
|
u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1"));
|
|
|
|
|
t1 = new ServerSocket(port);
|
|
|
|
|
} else {
|
|
|
|
|
while (true) {
|
|
|
|
|
// Try to find a port number that's both TCP and UDP free
|
|
|
|
|
try {
|
|
|
|
|
port = 8000 + new java.util.Random().nextInt(10000);
|
|
|
|
|
u1 = null;
|
|
|
|
|
u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1"));
|
|
|
|
|
t1 = new ServerSocket(port);
|
|
|
|
|
break;
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
if (u1 != null) u1.close();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
final DatagramSocket udp = u1;
|
|
|
|
|
final ServerSocket tcp = t1;
|
|
|
|
|
System.out.println("Start KDC on " + port);
|
|
|
|
|
|
|
|
|
|
this.port = port;
|
|
|
|
|
|
|
|
|
|
// The UDP consumer
|
2009-12-24 05:56:19 +00:00
|
|
|
thread1 = new Thread() {
|
2008-10-17 05:02:00 +00:00
|
|
|
public void run() {
|
|
|
|
|
while (true) {
|
|
|
|
|
try {
|
|
|
|
|
byte[] inbuf = new byte[8192];
|
|
|
|
|
DatagramPacket p = new DatagramPacket(inbuf, inbuf.length);
|
|
|
|
|
udp.receive(p);
|
|
|
|
|
System.out.println("-----------------------------------------------");
|
|
|
|
|
System.out.println(">>>>> UDP packet received");
|
|
|
|
|
q.put(new Job(processMessage(Arrays.copyOf(inbuf, p.getLength())), udp, p));
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
e.printStackTrace();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
2009-12-24 05:56:19 +00:00
|
|
|
thread1.setDaemon(asDaemon);
|
|
|
|
|
thread1.start();
|
2008-10-17 05:02:00 +00:00
|
|
|
|
|
|
|
|
// The TCP consumer
|
2009-12-24 05:56:19 +00:00
|
|
|
thread2 = new Thread() {
|
2008-10-17 05:02:00 +00:00
|
|
|
public void run() {
|
|
|
|
|
while (true) {
|
|
|
|
|
try {
|
|
|
|
|
Socket socket = tcp.accept();
|
|
|
|
|
System.out.println("-----------------------------------------------");
|
|
|
|
|
System.out.println(">>>>> TCP connection established");
|
|
|
|
|
DataInputStream in = new DataInputStream(socket.getInputStream());
|
|
|
|
|
DataOutputStream out = new DataOutputStream(socket.getOutputStream());
|
|
|
|
|
byte[] token = new byte[in.readInt()];
|
|
|
|
|
in.readFully(token);
|
|
|
|
|
q.put(new Job(processMessage(token), socket, out));
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
e.printStackTrace();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
2009-12-24 05:56:19 +00:00
|
|
|
thread2.setDaemon(asDaemon);
|
|
|
|
|
thread2.start();
|
2008-10-17 05:02:00 +00:00
|
|
|
|
|
|
|
|
// The dispatcher
|
2009-12-24 05:56:19 +00:00
|
|
|
thread3 = new Thread() {
|
2008-10-17 05:02:00 +00:00
|
|
|
public void run() {
|
|
|
|
|
while (true) {
|
|
|
|
|
try {
|
|
|
|
|
q.take().send();
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
2009-12-24 05:56:19 +00:00
|
|
|
thread3.setDaemon(true);
|
|
|
|
|
thread3.start();
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
|
|
|
|
|
2009-12-24 05:56:19 +00:00
|
|
|
public void terminate() {
|
|
|
|
|
try {
|
|
|
|
|
thread1.stop();
|
|
|
|
|
thread2.stop();
|
|
|
|
|
thread3.stop();
|
|
|
|
|
u1.close();
|
|
|
|
|
t1.close();
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
// OK
|
|
|
|
|
}
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
/**
|
|
|
|
|
* Helper class to encapsulate a job in a KDC.
|
|
|
|
|
*/
|
|
|
|
|
private static class Job {
|
|
|
|
|
byte[] token; // The received request at creation time and
|
|
|
|
|
// the response at send time
|
|
|
|
|
Socket s; // The TCP socket from where the request comes
|
|
|
|
|
DataOutputStream out; // The OutputStream of the TCP socket
|
|
|
|
|
DatagramSocket s2; // The UDP socket from where the request comes
|
|
|
|
|
DatagramPacket dp; // The incoming UDP datagram packet
|
|
|
|
|
boolean useTCP; // Whether TCP or UDP is used
|
|
|
|
|
|
|
|
|
|
// Creates a job object for TCP
|
|
|
|
|
Job(byte[] token, Socket s, DataOutputStream out) {
|
|
|
|
|
useTCP = true;
|
|
|
|
|
this.token = token;
|
|
|
|
|
this.s = s;
|
|
|
|
|
this.out = out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Creates a job object for UDP
|
|
|
|
|
Job(byte[] token, DatagramSocket s2, DatagramPacket dp) {
|
|
|
|
|
useTCP = false;
|
|
|
|
|
this.token = token;
|
|
|
|
|
this.s2 = s2;
|
|
|
|
|
this.dp = dp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Sends the output back to the client
|
|
|
|
|
void send() {
|
|
|
|
|
try {
|
|
|
|
|
if (useTCP) {
|
|
|
|
|
System.out.println(">>>>> TCP request honored");
|
|
|
|
|
out.writeInt(token.length);
|
|
|
|
|
out.write(token);
|
|
|
|
|
s.close();
|
|
|
|
|
} else {
|
|
|
|
|
System.out.println(">>>>> UDP request honored");
|
|
|
|
|
s2.send(new DatagramPacket(token, token.length, dp.getAddress(), dp.getPort()));
|
|
|
|
|
}
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
e.printStackTrace();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-06-17 07:26:58 +00:00
|
|
|
|
|
|
|
|
public static class KDCNameService implements NameServiceDescriptor {
|
|
|
|
|
@Override
|
|
|
|
|
public NameService createNameService() throws Exception {
|
|
|
|
|
NameService ns = new NameService() {
|
|
|
|
|
@Override
|
|
|
|
|
public InetAddress[] lookupAllHostAddr(String host)
|
|
|
|
|
throws UnknownHostException {
|
|
|
|
|
// Everything is localhost
|
|
|
|
|
return new InetAddress[]{
|
|
|
|
|
InetAddress.getByAddress(host, new byte[]{127,0,0,1})
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
@Override
|
|
|
|
|
public String getHostByAddr(byte[] addr)
|
|
|
|
|
throws UnknownHostException {
|
|
|
|
|
// No reverse lookup, PrincipalName use original string
|
|
|
|
|
throw new UnknownHostException();
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
return ns;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public String getProviderName() {
|
|
|
|
|
return "mock";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public String getType() {
|
|
|
|
|
return "ns";
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-11-12 13:33:14 +00:00
|
|
|
|
|
|
|
|
// Calling private methods thru reflections
|
|
|
|
|
private static final Field getPADataField;
|
|
|
|
|
private static final Field getEType;
|
|
|
|
|
private static final Constructor<EncryptedData> ctorEncryptedData;
|
|
|
|
|
private static final Method stringToKey;
|
2012-11-07 06:13:01 +00:00
|
|
|
private static final Field getAddlTkt;
|
2010-11-12 13:33:14 +00:00
|
|
|
|
|
|
|
|
static {
|
|
|
|
|
try {
|
|
|
|
|
ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class);
|
|
|
|
|
ctorEncryptedData.setAccessible(true);
|
|
|
|
|
getPADataField = KDCReq.class.getDeclaredField("pAData");
|
|
|
|
|
getPADataField.setAccessible(true);
|
|
|
|
|
getEType = KDCReqBody.class.getDeclaredField("eType");
|
|
|
|
|
getEType.setAccessible(true);
|
|
|
|
|
stringToKey = EncryptionKey.class.getDeclaredMethod(
|
|
|
|
|
"stringToKey",
|
|
|
|
|
char[].class, String.class, byte[].class, Integer.TYPE);
|
|
|
|
|
stringToKey.setAccessible(true);
|
2012-11-07 06:13:01 +00:00
|
|
|
getAddlTkt = KDCReqBody.class.getDeclaredField("additionalTickets");
|
|
|
|
|
getAddlTkt.setAccessible(true);
|
2010-11-12 13:33:14 +00:00
|
|
|
} catch (NoSuchFieldException nsfe) {
|
|
|
|
|
throw new AssertionError(nsfe);
|
|
|
|
|
} catch (NoSuchMethodException nsme) {
|
|
|
|
|
throw new AssertionError(nsme);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
private EncryptedData newEncryptedData(DerValue der) {
|
|
|
|
|
try {
|
|
|
|
|
return ctorEncryptedData.newInstance(der);
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new AssertionError(e);
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-11-07 06:13:01 +00:00
|
|
|
private static PAData[] KDCReqDotPAData(KDCReq req) {
|
2010-11-12 13:33:14 +00:00
|
|
|
try {
|
|
|
|
|
return (PAData[])getPADataField.get(req);
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new AssertionError(e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
private static int[] KDCReqBodyDotEType(KDCReqBody body) {
|
|
|
|
|
try {
|
|
|
|
|
return (int[]) getEType.get(body);
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new AssertionError(e);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
private static byte[] EncryptionKeyDotStringToKey(char[] password, String salt,
|
|
|
|
|
byte[] s2kparams, int keyType) throws KrbCryptoException {
|
|
|
|
|
try {
|
|
|
|
|
return (byte[])stringToKey.invoke(
|
|
|
|
|
null, password, salt, s2kparams, keyType);
|
|
|
|
|
} catch (InvocationTargetException ex) {
|
|
|
|
|
throw (KrbCryptoException)ex.getCause();
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new AssertionError(e);
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-11-07 06:13:01 +00:00
|
|
|
private static Ticket KDCReqBodyDotFirstAdditionalTicket(KDCReqBody body) {
|
|
|
|
|
try {
|
|
|
|
|
return ((Ticket[])getAddlTkt.get(body))[0];
|
|
|
|
|
} catch (Exception e) {
|
|
|
|
|
throw new AssertionError(e);
|
|
|
|
|
}
|
|
|
|
|
}
|
2008-10-17 05:02:00 +00:00
|
|
|
}
|
