This commit is contained in:
Abhijit Saha 2009-08-11 08:22:09 -07:00
commit 4721c15d98
26 changed files with 768 additions and 76 deletions


@ -972,14 +972,11 @@ class NameClassPairEnumeration implements NamingEnumeration {
} }
/* /*
* ctx will be closed when no longer needed by the enumeration. * ctx will be set to null when no longer needed by the enumeration.
*/ */
public void close () { public void close() {
nodes = null; nodes = null;
if (ctx != null) { ctx = null;
ctx.close();
ctx = null;
}
} }
public boolean hasMore() { public boolean hasMore() {
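Review bot: The rewritten close() only drops the ctx reference, and the comment above it now says just that ctx will be set to null; it should also say who owns ctx and closes it, otherwise the next reader is likely to reinstate `ctx.close()` here. If the context is shared with the object that created the enumeration (which is what removing the close suggests, but is not visible here), a comment such as `* ctx is owned by the creator of this enumeration and is closed there; it is only dereferenced here.` would make that explicit. The enclosing class starts before the hunk.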


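--- /dev/null
+++ b/PATH-NOT-SHOWN/AuthorizationDataEntry.java
@@ -0,0 +1,68 @@
+/*
+* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation. Sun designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Sun in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+package com.sun.security.jgss;
+/**
+* Kerberos 5 AuthorizationData entry.
+*/
+final public class AuthorizationDataEntry {
+private final int type;
+private final byte[] data;
+/**
+* Create an AuthorizationDataEntry object.
+* @param type the ad-type
+* @param data the ad-data, a copy of the data will be saved
+* inside the object.
+*/
+public AuthorizationDataEntry(int type, byte[] data) {
+this.type = type;
+this.data = data.clone();
+}
+/**
+* Get the ad-type field.
+* @return ad-type
+*/
+public int getType() {
+return type;
+}
+/**
+* Get a copy of the ad-data field.
+* @return ad-data
+*/
+public byte[] getData() {
+return data.clone();
+}
+public String toString() {
+return "AuthorizationDataEntry: type="+type+", data=" +
+data.length + " bytes:\n" +
+new sun.misc.HexDumpEncoder().encode(data);
+}
+}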
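Review bot: The constructor dereferences data at `this.data = data.clone();` without a check, so a null ad-data fails with a bare NullPointerException that names nothing; an explicit `if (data == null) throw new NullPointerException("data");` before the clone, plus `@throws NullPointerException if data is null` in the constructor Javadoc, makes the contract visible. The defensive copies in the constructor and in getData() are the right treatment for a byte array. toString() overrides Object.toString() but carries no `@Override`, unlike the overrides elsewhere in this commit.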


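--- /dev/null
+++ b/PATH-NOT-SHOWN/ExtendedGSSContext.java
@@ -0,0 +1,102 @@
+/*
+* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation. Sun designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Sun in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+package com.sun.security.jgss;
+import org.ietf.jgss.*;
+/**
+* The extended GSSContext interface for supporting additional
+* functionalities not defined by {@code org.ietf.jgss.GSSContext},
+* such as querying context-specific attributes.
+*/
+public interface ExtendedGSSContext extends GSSContext {
+/**
+* Return the mechanism-specific attribute associated with {@code type}.
+* <br><br>
+* For each supported attribute type, the type for the output are
+* defined below.
+* <ol>
+* <li>{@code KRB5_GET_TKT_FLAGS}:
+* the returned object is a boolean array for the service ticket flags,
+* which is long enough to contain all true bits. This means if
+* the user wants to get the <em>n</em>'th bit but the length of the
+* returned array is less than <em>n</em>, it is regarded as false.
+* <li>{@code KRB5_GET_SESSION_KEY}:
+* the returned object is an instance of {@link java.security.Key},
+* which has the following properties:
+* <ul>
+* <li>Algorithm: enctype as a string, where
+* enctype is defined in RFC 3961, section 8.
+* <li>Format: "RAW"
+* <li>Encoded form: the raw key bytes, not in any ASN.1 encoding
+* </ul>
+* <li>{@code KRB5_GET_AUTHZ_DATA}:
+* the returned object is an array of
+* {@link com.sun.security.jgss.AuthorizationDataEntry}, or null if the
+* optional field is missing in the service ticket.
+* <li>{@code KRB5_GET_AUTHTIME}:
+* the returned object is a String object in the standard KerberosTime
+* format defined in RFC 4120 5.2.3
+* </ol>
+*
+* If there is a security manager, an {@link InquireSecContextPermission}
+* with the name {@code type.mech} must be granted. Otherwise, this could
+* result in a {@link SecurityException}.<p>
+*
+* Example:
+* <pre>
+* GSSContext ctxt = m.createContext(...)
+* // Establishing the context
+* if (ctxt instanceof ExtendedGSSContext) {
+* ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
+* try {
+* Key key = (key)ex.inquireSecContext(
+* InquireType.KRB5_GET_SESSION_KEY);
+* // read key info
+* } catch (GSSException gsse) {
+* // deal with exception
+* }
+* }
+* </pre>
+* @param type the type of the attribute requested
+* @return the attribute, see the method documentation for details.
+* @throws GSSException containing the following
+* major error codes:
+* {@link GSSException#BAD_MECH GSSException.BAD_MECH} if the mechanism
+* does not support this method,
+* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE} if the
+* type specified is not supported,
+* {@link GSSException#NO_CONTEXT GSSException.NO_CONTEXT} if the
+* security context is invalid,
+* {@link GSSException#FAILURE GSSException.FAILURE} for other
+* unspecified failures.
+* @throws SecurityException if a security manager exists and a proper
+* {@link InquireSecContextPermission} is not granted.
+* @see InquireSecContextPermission
+*/
+public Object inquireSecContext(InquireType type)
+throws GSSException;
+}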
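Review bot: The security-manager paragraph says an InquireSecContextPermission with the name `type.mech` must be granted, but the implementation this commit adds to GSSContextImpl checks `new InquireSecContextPermission(type.toString())`, i.e. the InquireType name alone with no mechanism component, so policy files written from this Javadoc will not match the check; the sentence should read `with the name {@code type.toString()} (the symbolic name of the InquireType)` or the implementation should build the documented name. The example casts with `(key)ex.inquireSecContext(` where the type is `Key`. The KRB5_GET_AUTHZ_DATA item should also say the attribute is only available on the acceptor side, which the InquireType Javadoc states and Krb5Context enforces with UNAVAILABLE on the initiator.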


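--- /dev/null
+++ b/PATH-NOT-SHOWN/InquireSecContextPermission.java
@@ -0,0 +1,54 @@
+/*
+* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation. Sun designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Sun in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+package com.sun.security.jgss;
+import java.security.BasicPermission;
+/**
+* This class is used to protect various attributes of an established
+* GSS security context that can be accessed using the
+* {@link com.sun.security.jgss.ExtendedGSSContext#inquireSecContext}
+* method.
+*
+* <p>The target name is the {@link InquireType} allowed.
+*/
+public final class InquireSecContextPermission extends BasicPermission {
+/**
+* Constructs a new {@code InquireSecContextPermission} object with
+* the specified name. The name is the symbolic name of the
+* {@link InquireType} allowed.
+*
+* @param name the {@link InquireType} allowed by this
+* permission. "*" means all {@link InquireType}s are allowed.
+*
+* @throws NullPointerException if <code>name</code> is <code>null</code>.
+* @throws IllegalArgumentException if <code>name</code> is empty.
+*/
+public InquireSecContextPermission(String name) {
+super(name);
+}
+}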
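Review bot: InquireSecContextPermission extends BasicPermission, which is Serializable, yet declares no serialVersionUID, so the stream identity of this public permission class is left to compiler-generated hashing and can change with an unrelated recompilation; add `private static final long serialVersionUID = <assigned value>;` as the other permission classes in the JDK do. The constructor Javadoc documents "*" correctly for BasicPermission, but because InquireType names contain no dot, the `prefix.*` wildcard BasicPermission also accepts never matches anything here and could be noted as unsupported.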


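--- /dev/null
+++ b/PATH-NOT-SHOWN/InquireType.java
@@ -0,0 +1,54 @@
+/*
+* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation. Sun designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Sun in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+package com.sun.security.jgss;
+/**
+* Attribute types that can be specified as an argument of
+* {@link com.sun.security.jgss.ExtendedGSSContext#inquireSecContext}
+*/
+public enum InquireType {
+/**
+* Attribute type for retrieving the session key of an
+* established Kerberos 5 security context.
+*/
+KRB5_GET_SESSION_KEY,
+/**
+* Attribute type for retrieving the service ticket flags of an
+* established Kerberos 5 security context.
+*/
+KRB5_GET_TKT_FLAGS,
+/**
+* Attribute type for retrieving the authorization data in the
+* service ticket of an established Kerberos 5 security context.
+* Only supported on the acceptor side.
+*/
+KRB5_GET_AUTHZ_DATA,
+/**
+* Attribute type for retrieving the authtime in the service ticket
+* of an established Kerberos 5 security context.
+*/
+KRB5_GET_AUTHTIME
+}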


@ -47,6 +47,14 @@ public class SimpleFileVisitor<T> implements FileVisitor<T> {
protected SimpleFileVisitor() { protected SimpleFileVisitor() {
} }
/**
* Throws NullPointerException if obj is null.
*/
private static void checkNotNull(Object obj) {
if (obj == null)
throw new NullPointerException();
}
/** /**
* Invoked for a directory before entries in the directory are visited. * Invoked for a directory before entries in the directory are visited.
* *
@ -55,6 +63,7 @@ public class SimpleFileVisitor<T> implements FileVisitor<T> {
*/ */
@Override @Override
public FileVisitResult preVisitDirectory(T dir) { public FileVisitResult preVisitDirectory(T dir) {
checkNotNull(dir);
return FileVisitResult.CONTINUE; return FileVisitResult.CONTINUE;
} }
@ -70,6 +79,8 @@ public class SimpleFileVisitor<T> implements FileVisitor<T> {
*/ */
@Override @Override
public FileVisitResult preVisitDirectoryFailed(T dir, IOException exc) { public FileVisitResult preVisitDirectoryFailed(T dir, IOException exc) {
checkNotNull(dir);
checkNotNull(exc);
throw new IOError(exc); throw new IOError(exc);
} }
@ -81,6 +92,8 @@ public class SimpleFileVisitor<T> implements FileVisitor<T> {
*/ */
@Override @Override
public FileVisitResult visitFile(T file, BasicFileAttributes attrs) { public FileVisitResult visitFile(T file, BasicFileAttributes attrs) {
checkNotNull(file);
checkNotNull(attrs);
return FileVisitResult.CONTINUE; return FileVisitResult.CONTINUE;
} }
@ -96,6 +109,8 @@ public class SimpleFileVisitor<T> implements FileVisitor<T> {
*/ */
@Override @Override
public FileVisitResult visitFileFailed(T file, IOException exc) { public FileVisitResult visitFileFailed(T file, IOException exc) {
checkNotNull(file);
checkNotNull(exc);
throw new IOError(exc); throw new IOError(exc);
} }
@ -114,6 +129,7 @@ public class SimpleFileVisitor<T> implements FileVisitor<T> {
*/ */
@Override @Override
public FileVisitResult postVisitDirectory(T dir, IOException exc) { public FileVisitResult postVisitDirectory(T dir, IOException exc) {
checkNotNull(dir);
if (exc != null) if (exc != null)
throw new IOError(exc); throw new IOError(exc);
return FileVisitResult.CONTINUE; return FileVisitResult.CONTINUE;
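Review bot: checkNotNull throws a bare `new NullPointerException()` that does not say which argument was null, and it is now called from five public methods with one or two parameters each (dir, exc, file, attrs), so a failure from any of them is indistinguishable; giving the helper a name, `private static void checkNotNull(Object obj, String name)` throwing `new NullPointerException(name)`, and passing `"dir"`, `"exc"` and so on makes the failure diagnosable at no cost. The Javadoc of each of those methods begins outside the hunks and only its closing `*/` is visible, so it cannot be confirmed whether `@throws NullPointerException` is documented; it is now part of the contract of these overridable methods and should be.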


@ -75,7 +75,7 @@ import java.io.IOException;
* .lookupPrincipalByName("joe"); * .lookupPrincipalByName("joe");
* *
* // get view * // get view
* AclFileAttributeView view = file.newFileAttributeView(AclFileAttributeView.class); * AclFileAttributeView view = file.getFileAttributeView(AclFileAttributeView.class);
* *
* // create ACE to give "joe" read access * // create ACE to give "joe" read access
* AclEntry entry = AclEntry.newBuilder() * AclEntry entry = AclEntry.newBuilder()


@ -61,7 +61,7 @@ import java.io.IOException;
* Suppose we need to print out the owner and access permissions of a file: * Suppose we need to print out the owner and access permissions of a file:
* <pre> * <pre>
* FileRef file = ... * FileRef file = ...
* PosixFileAttributes attrs = file.newFileAttributeView(PosixFileAttributeView.class) * PosixFileAttributes attrs = file.getFileAttributeView(PosixFileAttributeView.class)
* .readAttributes(); * .readAttributes();
* System.out.format("%s %s%n", * System.out.format("%s %s%n",
* attrs.owner().getName(), * attrs.owner().getName(),


@ -1,5 +1,5 @@
/* /*
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -27,14 +27,13 @@ package sun.security.jgss;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import sun.security.jgss.*;
import sun.security.util.ObjectIdentifier; import sun.security.util.ObjectIdentifier;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.IOException; import java.io.IOException;
import com.sun.security.jgss.*;
/** /**
* This class represents the JGSS security context and its associated * This class represents the JGSS security context and its associated
@ -88,7 +87,7 @@ import java.io.IOException;
* per-message operations are returned in an instance of the MessageProp * per-message operations are returned in an instance of the MessageProp
* class, which is used as an argument in these calls.</dl> * class, which is used as an argument in these calls.</dl>
*/ */
class GSSContextImpl implements GSSContext { class GSSContextImpl implements ExtendedGSSContext {
private GSSManagerImpl gssManager = null; private GSSManagerImpl gssManager = null;
@ -630,4 +629,16 @@ class GSSContextImpl implements GSSContext {
srcName = null; srcName = null;
targName = null; targName = null;
} }
@Override
public Object inquireSecContext(InquireType type) throws GSSException {
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkPermission(new InquireSecContextPermission(type.toString()));
}
if (mechCtxt == null) {
throw new GSSException(GSSException.NO_CONTEXT);
}
return mechCtxt.inquireSecContext(type);
}
} }
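Review bot: inquireSecContext evaluates `type.toString()` inside the permission check as its first action, so a null type surfaces as a NullPointerException thrown from within the security check rather than as a documented argument failure; an up-front `if (type == null) throw new NullPointerException("type");` keeps argument validation and the security check separate and makes the stack trace honest. Checking the permission before the `mechCtxt == null` test is the right order, since an unauthorized caller learns nothing about the context's state. The method carries `@Override`, which the other three implementations of the same SPI method in this commit omit.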


@ -1,5 +1,5 @@
/* /*
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -25,12 +25,14 @@
package sun.security.jgss.krb5; package sun.security.jgss.krb5;
import com.sun.security.jgss.AuthorizationDataEntry;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException; import java.io.IOException;
import sun.security.krb5.*; import sun.security.krb5.*;
import java.net.InetAddress; import java.net.InetAddress;
import sun.security.krb5.internal.AuthorizationData;
import sun.security.krb5.internal.KerberosTime;
class InitSecContextToken extends InitialToken { class InitSecContextToken extends InitialToken {
@ -59,6 +61,9 @@ class InitSecContextToken extends InitialToken {
Checksum checksum = gssChecksum.getChecksum(); Checksum checksum = gssChecksum.getChecksum();
context.setTktFlags(serviceTicket.getFlags());
context.setAuthTime(
new KerberosTime(serviceTicket.getAuthTime()).toString());
apReq = new KrbApReq(serviceTicket, apReq = new KrbApReq(serviceTicket,
mutualRequired, mutualRequired,
useSubkey, useSubkey,
@ -143,6 +148,21 @@ class InitSecContextToken extends InitialToken {
// Use the same sequence number as the peer // Use the same sequence number as the peer
// (Behaviour exhibited by the Windows SSPI server) // (Behaviour exhibited by the Windows SSPI server)
context.resetMySequenceNumber(peerSeqNumber); context.resetMySequenceNumber(peerSeqNumber);
context.setAuthTime(
new KerberosTime(apReq.getCreds().getAuthTime()).toString());
context.setTktFlags(apReq.getCreds().getFlags());
AuthorizationData ad = apReq.getCreds().getAuthzData();
if (ad == null) {
context.setAuthzData(null);
} else {
AuthorizationDataEntry[] authzData =
new AuthorizationDataEntry[ad.count()];
for (int i=0; i<ad.count(); i++) {
authzData[i] = new AuthorizationDataEntry(
ad.item(i).adType, ad.item(i).adData);
}
context.setAuthzData(authzData);
}
} }
public final KrbApReq getKrbApReq() { public final KrbApReq getKrbApReq() {
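Review bot: In the acceptor-side loop, `ad.item(i)` is called twice per iteration and, per the AuthorizationData.item added in this commit, each call returns a fresh clone, so every entry is copied twice before the AuthorizationDataEntry constructor copies the bytes a third time; fetch it once, `sun.security.krb5.internal.AuthorizationDataEntry e = ad.item(i);` then `authzData[i] = new AuthorizationDataEntry(e.adType, e.adData);` (the fully qualified name is needed because the new side imports com.sun.security.jgss.AuthorizationDataEntry, and assumes item() returns the internal entry type, which the other hunk suggests). The `ad.count()` bound can be hoisted into a local for the same reason. The enclosing method continues outside the hunk.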


@ -25,6 +25,7 @@
package sun.security.jgss.krb5; package sun.security.jgss.krb5;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.misc.HexDumpEncoder; import sun.misc.HexDumpEncoder;
import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSUtil;
@ -38,6 +39,7 @@ import java.io.IOException;
import java.security.Provider; import java.security.Provider;
import java.security.AccessController; import java.security.AccessController;
import java.security.AccessControlContext; import java.security.AccessControlContext;
import java.security.Key;
import java.security.PrivilegedExceptionAction; import java.security.PrivilegedExceptionAction;
import java.security.PrivilegedActionException; import java.security.PrivilegedActionException;
import javax.crypto.Cipher; import javax.crypto.Cipher;
@ -1283,4 +1285,81 @@ class Krb5Context implements GSSContextSpi {
// Currently used by InitialToken only // Currently used by InitialToken only
return caller; return caller;
} }
/**
* The session key returned by inquireSecContext(KRB5_INQ_SSPI_SESSION_KEY)
*/
static class KerberosSessionKey implements Key {
private final EncryptionKey key;
KerberosSessionKey(EncryptionKey key) {
this.key = key;
}
@Override
public String getAlgorithm() {
return Integer.toString(key.getEType());
}
@Override
public String getFormat() {
return "RAW";
}
@Override
public byte[] getEncoded() {
return key.getBytes().clone();
}
@Override
public String toString() {
return "Kerberos session key: etype: " + key.getEType() + "\n" +
new sun.misc.HexDumpEncoder().encodeBuffer(key.getBytes());
}
}
/**
* Return the mechanism-specific attribute associated with {@code type}.
*/
public Object inquireSecContext(InquireType type)
throws GSSException {
if (!isEstablished()) {
throw new GSSException(GSSException.NO_CONTEXT, -1,
"Security context not established.");
}
switch (type) {
case KRB5_GET_SESSION_KEY:
return new KerberosSessionKey(key);
case KRB5_GET_TKT_FLAGS:
return tktFlags.clone();
case KRB5_GET_AUTHZ_DATA:
if (isInitiator()) {
throw new GSSException(GSSException.UNAVAILABLE, -1,
"AuthzData not available on initiator side.");
} else {
return (authzData==null)?null:authzData.clone();
}
case KRB5_GET_AUTHTIME:
return authTime;
}
throw new GSSException(GSSException.UNAVAILABLE, -1,
"Inquire type not supported.");
}
// Helpers for inquireSecContext
private boolean[] tktFlags;
private String authTime;
private com.sun.security.jgss.AuthorizationDataEntry[] authzData;
public void setTktFlags(boolean[] tktFlags) {
this.tktFlags = tktFlags;
}
public void setAuthTime(String authTime) {
this.authTime = authTime;
}
public void setAuthzData(com.sun.security.jgss.AuthorizationDataEntry[] authzData) {
this.authzData = authzData;
}
} }
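Review bot: KerberosSessionKey.toString() appends `new sun.misc.HexDumpEncoder().encodeBuffer(key.getBytes())`, the full session key, and toString is exactly what reaches log files, debugger views and string concatenation, so the secret leaks wherever the Key object is printed; return only the metadata, `return "Kerberos session key: etype: " + key.getEType();`, and leave key material to getEncoded(), which callers must request explicitly. The class Javadoc names the inquire type `KRB5_INQ_SSPI_SESSION_KEY`, which does not exist; it should say KRB5_GET_SESSION_KEY. Separately, the KRB5_GET_TKT_FLAGS branch does `tktFlags.clone()` on a field that is only set through setTktFlags(), so whether it can be null on an established context depends on callers outside this hunk; if that is not guaranteed, a null guard returning an empty array avoids an undocumented NullPointerException.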


@ -1,5 +1,5 @@
/* /*
* Portions Copyright 2000-2005 Sun Microsystems, Inc. All Rights Reserved. * Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -46,6 +46,7 @@ import org.ietf.jgss.*;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.security.Provider; import java.security.Provider;
import com.sun.security.jgss.*;
/** /**
* This interface is implemented by a mechanism specific instance of a GSS * This interface is implemented by a mechanism specific instance of a GSS
@ -265,7 +266,6 @@ public interface GSSContextSpi {
* @param msgPro on input it contains the requested qop and * @param msgPro on input it contains the requested qop and
* confidentiality state, on output, the applied values * confidentiality state, on output, the applied values
* @exception GSSException may be thrown * @exception GSSException may be thrown
* @see MessageInfo
* @see unwrap * @see unwrap
*/ */
public void wrap(InputStream is, OutputStream os, MessageProp msgProp) public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
@ -315,7 +315,6 @@ public interface GSSContextSpi {
* @param msgProp will contain the applied qop and confidentiality * @param msgProp will contain the applied qop and confidentiality
* of the input token and any informatory status values * of the input token and any informatory status values
* @exception GSSException may be thrown * @exception GSSException may be thrown
* @see MessageInfo
* @see wrap * @see wrap
*/ */
public void unwrap(InputStream is, OutputStream os, public void unwrap(InputStream is, OutputStream os,
@ -403,4 +402,15 @@ public interface GSSContextSpi {
* @exception GSSException may be thrown * @exception GSSException may be thrown
*/ */
public void dispose() throws GSSException; public void dispose() throws GSSException;
/**
* Return the mechanism-specific attribute associated with (@code type}.
*
* @param type the type of the attribute requested
* @return the attribute
* @throws GSSException see {@link ExtendedGSSContext#inquireSecContext}
* for details
*/
public Object inquireSecContext(InquireType type)
throws GSSException;
} }
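Review bot: The new Javadoc opens with `(@code type}`, a mismatched brace that will render literally; it should be `{@code type}`. Because the SPI is implemented in this commit by Krb5Context, SpNegoContext and NativeGSSContext and each picks a different major code for "not supported", the @throws text would be more useful if it stated that an implementation which does not support the method at all is expected to throw BAD_MECH, with UNAVAILABLE reserved for an unsupported type.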


@ -25,10 +25,10 @@
package sun.security.jgss.spnego; package sun.security.jgss.spnego;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import java.io.*; import java.io.*;
import java.security.Provider; import java.security.Provider;
import java.util.List;
import java.util.ArrayList;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.jgss.*; import sun.security.jgss.*;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
@ -1185,4 +1185,22 @@ public class SpNegoContext implements GSSContextSpi {
return ("Unknown state " + state); return ("Unknown state " + state);
} }
} }
/**
* Retrieve attribute of the context for {@code type}.
*/
public Object inquireSecContext(InquireType type)
throws GSSException {
if (mechContext == null) {
throw new GSSException(GSSException.NO_CONTEXT, -1,
"Underlying mech not established.");
}
if (mechContext instanceof ExtendedGSSContext) {
return ((ExtendedGSSContext)mechContext).inquireSecContext(type);
} else {
throw new GSSException(GSSException.BAD_MECH, -1,
"inquireSecContext not supported by underlying mech.");
}
}
} }


@ -1,5 +1,5 @@
/* /*
* Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2005-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -36,6 +36,7 @@ import sun.security.util.ObjectIdentifier;
import sun.security.jgss.spnego.NegTokenInit; import sun.security.jgss.spnego.NegTokenInit;
import sun.security.jgss.spnego.NegTokenTarg; import sun.security.jgss.spnego.NegTokenTarg;
import javax.security.auth.kerberos.DelegationPermission; import javax.security.auth.kerberos.DelegationPermission;
import com.sun.security.jgss.InquireType;
import java.io.*; import java.io.*;
@ -615,4 +616,10 @@ class NativeGSSContext implements GSSContextSpi {
protected void finalize() throws Throwable { protected void finalize() throws Throwable {
dispose(); dispose();
} }
public Object inquireSecContext(InquireType type)
throws GSSException {
throw new GSSException(GSSException.UNAVAILABLE, -1,
"Inquire type not supported.");
}
} }
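Review bot: The native context rejects every inquiry with GSSException.UNAVAILABLE and "Inquire type not supported.", but the ExtendedGSSContext Javadoc in this commit reserves UNAVAILABLE for an unsupported type and BAD_MECH for a mechanism that does not support the method at all, which is the case here; use `throw new GSSException(GSSException.BAD_MECH, -1, "inquireSecContext not supported by native mech.");` so callers can tell the two apart. The method also lacks `@Override`, which GSSContextImpl's implementation in the same commit uses.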


@ -1,5 +1,5 @@
/* /*
* Portions Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved. * Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -63,12 +63,29 @@ public class Credentials {
KerberosTime renewTill; KerberosTime renewTill;
HostAddresses cAddr; HostAddresses cAddr;
EncryptionKey serviceKey; EncryptionKey serviceKey;
AuthorizationData authzData;
private static boolean DEBUG = Krb5.DEBUG; private static boolean DEBUG = Krb5.DEBUG;
private static CredentialsCache cache; private static CredentialsCache cache;
static boolean alreadyLoaded = false; static boolean alreadyLoaded = false;
private static boolean alreadyTried = false; private static boolean alreadyTried = false;
private static native Credentials acquireDefaultNativeCreds(); private static native Credentials acquireDefaultNativeCreds();
public Credentials(Ticket new_ticket,
PrincipalName new_client,
PrincipalName new_server,
EncryptionKey new_key,
TicketFlags new_flags,
KerberosTime authTime,
KerberosTime new_startTime,
KerberosTime new_endTime,
KerberosTime renewTill,
HostAddresses cAddr,
AuthorizationData authzData) {
this(new_ticket, new_client, new_server, new_key, new_flags,
authTime, new_startTime, new_endTime, renewTill, cAddr);
this.authzData = authzData;
}
public Credentials(Ticket new_ticket, public Credentials(Ticket new_ticket,
PrincipalName new_client, PrincipalName new_client,
PrincipalName new_server, PrincipalName new_server,
@ -213,6 +230,9 @@ public class Credentials {
return flags; return flags;
} }
public AuthorizationData getAuthzData() {
return authzData;
}
/** /**
* Checks if the service ticket returned by the KDC has the OK-AS-DELEGATE * Checks if the service ticket returned by the KDC has the OK-AS-DELEGATE
* flag set * flag set
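Review bot: getAuthzData() hands out the AuthorizationData instance the credentials hold rather than a copy, so a caller can alter the authorization data that later decisions are based on; since AuthorizationData is Cloneable (per the other hunk in this commit), returning `authzData == null ? null : (AuthorizationData) authzData.clone()` — if clone() is accessible from here — or at least documenting the shared-reference semantics is advisable. The new 11-argument constructor and the getter carry no Javadoc, and the constructor's parameter naming mixes `new_`-prefixed and plain names (`authTime`, `renewTill`, `cAddr`, `authzData`) in one signature.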


@ -1,5 +1,5 @@
/* /*
* Portions Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved. * Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -356,12 +356,13 @@ public class KrbApReq {
authenticator.cname, authenticator.cname,
apReqMessg.ticket.sname, apReqMessg.ticket.sname,
enc_ticketPart.key, enc_ticketPart.key,
null, enc_ticketPart.flags,
enc_ticketPart.authtime, enc_ticketPart.authtime,
enc_ticketPart.starttime, enc_ticketPart.starttime,
enc_ticketPart.endtime, enc_ticketPart.endtime,
enc_ticketPart.renewTill, enc_ticketPart.renewTill,
enc_ticketPart.caddr); enc_ticketPart.caddr,
enc_ticketPart.authorizationData);
if (DEBUG) { if (DEBUG) {
System.out.println(">>> KrbApReq: authenticate succeed."); System.out.println(">>> KrbApReq: authenticate succeed.");
} }


@ -174,4 +174,12 @@ public class AuthorizationData implements Cloneable {
} }
return retVal; return retVal;
} }
public int count() {
return entry.length;
}
public AuthorizationDataEntry item(int i) {
return (AuthorizationDataEntry)entry[i].clone();
}
} }
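Review bot: item(int) returns a clone of each entry while count() exposes the array length, but neither new public method says so; a one-line Javadoc on item, `/** Returns a copy of the i-th entry, so callers cannot alter the ticket's authorization data. */`, with `@throws ArrayIndexOutOfBoundsException if i is out of range`, makes the defensive copy discoverable to callers such as InitSecContextToken. Whether `entry` can be null, which would make count() throw, is not visible from here. The enclosing class starts outside the hunk.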


@ -412,6 +412,16 @@ public class JarSigner {
} }
storetype = KeyStoreUtil.niceStoreTypeName(storetype); storetype = KeyStoreUtil.niceStoreTypeName(storetype);
try {
if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
new File(jarfile).getCanonicalPath())) {
signedjar = null;
}
} catch (IOException ioe) {
// File system error?
// Just ignore it.
}
if (P11KEYSTORE.equalsIgnoreCase(storetype) || if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
KeyStoreUtil.isWindowsKeyStore(storetype)) { KeyStoreUtil.isWindowsKeyStore(storetype)) {
token = true; token = true;
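Review bot: The new same-file guard swallows the IOException from getCanonicalPath(), so on a filesystem error signedjar keeps pointing at what may be the input jar and the tool proceeds as if the two were different files; rather than doing nothing, the catch should fall back to a weaker comparison, e.g. `if (signedjar != null && new File(signedjar).getAbsoluteFile().equals(new File(jarfile).getAbsoluteFile())) signedjar = null;`, and the `// Just ignore it.` comment should say why ignoring is safe if that is the intent. What happens downstream when signedjar names the same file as jarfile is outside the hunk, as is the enclosing method's start.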


@ -880,41 +880,41 @@ public final class KeyTool {
// might not work properly, since -gencert is slow // might not work properly, since -gencert is slow
// and there's no data in the pipe at the beginning. // and there's no data in the pipe at the beginning.
ByteArrayOutputStream bout = new ByteArrayOutputStream(); ByteArrayOutputStream bout = new ByteArrayOutputStream();
byte[] b = new byte[4096];
while (true) {
int len = inStream.read(b);
if (len < 0) break;
bout.write(b, 0, len);
}
inStream = new ByteArrayInputStream(bout.toByteArray());
try { try {
String importAlias = (alias!=null)?alias:keyAlias; byte[] b = new byte[4096];
if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) { while (true) {
kssave = installReply(importAlias, inStream); int len = inStream.read(b);
if (kssave) { if (len < 0) break;
System.err.println(rb.getString bout.write(b, 0, len);
("Certificate reply was installed in keystore"));
} else {
System.err.println(rb.getString
("Certificate reply was not installed in keystore"));
}
} else if (!keyStore.containsAlias(importAlias) ||
keyStore.entryInstanceOf(importAlias,
KeyStore.TrustedCertificateEntry.class)) {
kssave = addTrustedCert(importAlias, inStream);
if (kssave) {
System.err.println(rb.getString
("Certificate was added to keystore"));
} else {
System.err.println(rb.getString
("Certificate was not added to keystore"));
}
} }
} finally { } finally {
if (inStream != System.in) { if (inStream != System.in) {
inStream.close(); inStream.close();
} }
} }
inStream = new ByteArrayInputStream(bout.toByteArray());
String importAlias = (alias!=null)?alias:keyAlias;
if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) {
kssave = installReply(importAlias, inStream);
if (kssave) {
System.err.println(rb.getString
("Certificate reply was installed in keystore"));
} else {
System.err.println(rb.getString
("Certificate reply was not installed in keystore"));
}
} else if (!keyStore.containsAlias(importAlias) ||
keyStore.entryInstanceOf(importAlias,
KeyStore.TrustedCertificateEntry.class)) {
kssave = addTrustedCert(importAlias, inStream);
if (kssave) {
System.err.println(rb.getString
("Certificate was added to keystore"));
} else {
System.err.println(rb.getString
("Certificate was not added to keystore"));
}
}
} else if (command == IMPORTKEYSTORE) { } else if (command == IMPORTKEYSTORE) {
doImportKeyStore(); doImportKeyStore();
kssave = true; kssave = true;


@ -1,5 +1,5 @@
/* /*
* Copyright 1997-2008 Sun Microsystems, Inc. All Rights Reserved. * Copyright 1997-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -35,21 +35,16 @@ import java.net.MalformedURLException;
import java.lang.reflect.*; import java.lang.reflect.*;
import java.text.Collator; import java.text.Collator;
import java.text.MessageFormat; import java.text.MessageFormat;
import sun.misc.BASE64Decoder;
import sun.security.provider.PolicyParser.PermissionEntry;
import sun.security.util.PropertyExpander; import sun.security.util.PropertyExpander;
import sun.security.util.PropertyExpander.ExpandException; import sun.security.util.PropertyExpander.ExpandException;
import java.awt.*; import java.awt.*;
import java.awt.event.*; import java.awt.event.*;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.*; import java.security.*;
import sun.security.provider.*; import sun.security.provider.*;
import sun.security.util.PolicyUtil; import sun.security.util.PolicyUtil;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import java.util.HashSet;
/** /**
* PolicyTool may be used by users and administrators to configure the * PolicyTool may be used by users and administrators to configure the
@ -1459,6 +1454,7 @@ class ToolDialog extends Dialog {
PERM_ARRAY.add(new AWTPerm()); PERM_ARRAY.add(new AWTPerm());
PERM_ARRAY.add(new DelegationPerm()); PERM_ARRAY.add(new DelegationPerm());
PERM_ARRAY.add(new FilePerm()); PERM_ARRAY.add(new FilePerm());
PERM_ARRAY.add(new InqSecContextPerm());
PERM_ARRAY.add(new LogPerm()); PERM_ARRAY.add(new LogPerm());
PERM_ARRAY.add(new MgmtPerm()); PERM_ARRAY.add(new MgmtPerm());
PERM_ARRAY.add(new MBeanPerm()); PERM_ARRAY.add(new MBeanPerm());
@ -3961,6 +3957,20 @@ class FilePerm extends Perm {
} }
} }
class InqSecContextPerm extends Perm {
public InqSecContextPerm() {
super("InquireSecContextPermission",
"com.sun.security.jgss.InquireSecContextPermission",
new String[] {
"KRB5_GET_SESSION_KEY",
"KRB5_GET_TKT_FLAGS",
"KRB5_GET_AUTHZ_DATA",
"KRB5_GET_AUTHTIME"
},
null);
}
}
class LogPerm extends Perm { class LogPerm extends Perm {
public LogPerm() { public LogPerm() {
super("LoggingPermission", super("LoggingPermission",
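Review bot: The four target names passed from InqSecContextPerm's constructor are a hand-copied list of the com.sun.security.jgss.InquireType constants (the Context test changes in this same commit use them as InquireType.KRB5_GET_SESSION_KEY and so on), so the policy dialog will silently fall out of step when an inquire type is added. A comment such as `// target names must match com.sun.security.jgss.InquireType; update both together` would make the coupling visible, or the array could be built from that enum if PolicyTool may depend on the package. The new class also carries no comment saying what the permission grants, which an administrator picking it from the dialog would benefit from; `/** Lets code query Kerberos session data (key, ticket flags, authz data, auth time) from an established context. */` would do.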


@ -541,7 +541,7 @@ Java_sun_nio_ch_Net_shutdown(JNIEnv *env, jclass cl, jobject fdo, jint jhow)
{ {
int how = (jhow == sun_nio_ch_Net_SHUT_RD) ? SHUT_RD : int how = (jhow == sun_nio_ch_Net_SHUT_RD) ? SHUT_RD :
(jhow == sun_nio_ch_Net_SHUT_WR) ? SHUT_WR : SHUT_RDWR; (jhow == sun_nio_ch_Net_SHUT_WR) ? SHUT_WR : SHUT_RDWR;
if (shutdown(fdval(env, fdo), how) < 0) if ((shutdown(fdval(env, fdo), how) < 0) && (errno != ENOTCONN))
handleSocketError(env, errno); handleSocketError(env, errno);
} }
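Review bot: The new `errno != ENOTCONN` test in Java_sun_nio_ch_Net_shutdown silences one specific failure without saying why, so a reader cannot tell whether a not-connected socket is expected here or is being papered over. A comment on that line would fix it, e.g. `/* ENOTCONN: the peer already reset the connection, so there is nothing left to shut down; treat as success rather than throwing */`. The Shutdown test added in this commit (acceptAndReset with SO_LINGER 0) appears to be the case being covered, but that is inferred from the diff, not stated in the code.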


@ -0,0 +1,50 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
* @bug 6710360
* @summary export Kerberos session key to applications
*/
import com.sun.security.jgss.InquireSecContextPermission;
public class InquireSecContextPermissionCheck {
public static void main(String[] args) throws Exception {
InquireSecContextPermission p0, p1;
p0 = new InquireSecContextPermission(
"KRB5_GET_SESSION_KEY");
p1 = new InquireSecContextPermission("*");
if (!p1.implies(p0) || !p1.implies(p1) || !p0.implies(p0)) {
throw new Exception("Check failed");
}
if (p0.implies(p1)) {
throw new Exception("This is bad");
}
}
}
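Review bot: The new InquireSecContextPermissionCheck only verifies that `"*"` implies a named target, that each permission implies itself, and that a named target does not imply `"*"`; it never checks that two distinct named targets do not imply each other, which is the case an over-broad implies() would get wrong. One more check covers it: `if (p0.implies(new InquireSecContextPermission("KRB5_GET_TKT_FLAGS"))) throw new Exception("Distinct targets must not imply each other");`. Since permissions are collected into Permissions objects, asserting `p0.equals(new InquireSecContextPermission("KRB5_GET_SESSION_KEY"))` with matching hashCode would also be worth a line.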


@ -1,5 +1,5 @@
/* /*
* Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -22,26 +22,65 @@
*/ */
/* @test /* @test
* @bug 4618960 * @bug 4618960 4516760
* @summary Test isInputShutdown * @summary Test shutdownXXX and isInputShutdown
* @library ..
*/ */
import java.io.IOException;
import java.net.*; import java.net.*;
import java.nio.*; import java.nio.ByteBuffer;
import java.nio.channels.*; import java.nio.channels.*;
public class Shutdown { public class Shutdown {
public static void main(String args[]) throws Exception { /**
InetSocketAddress sa = new InetSocketAddress( * Accept a connection, and close it immediately causing a hard reset.
InetAddress.getByName(TestUtil.HOST), 23); */
SocketChannel sc = SocketChannel.open(sa); static void acceptAndReset(ServerSocketChannel ssc) throws IOException {
boolean before = sc.socket().isInputShutdown(); SocketChannel peer = ssc.accept();
sc.socket().shutdownInput(); try {
boolean after = sc.socket().isInputShutdown(); peer.setOption(StandardSocketOption.SO_LINGER, 0);
sc.close(); peer.configureBlocking(false);
if (before || !after) peer.write(ByteBuffer.wrap(new byte[128*1024]));
throw new Exception("Test failed"); } finally {
peer.close();
}
}
public static void main(String[] args) throws Exception {
ServerSocketChannel ssc = ServerSocketChannel.open()
.bind(new InetSocketAddress(0));
try {
InetAddress lh = InetAddress.getLocalHost();
int port = ((InetSocketAddress)(ssc.getLocalAddress())).getPort();
SocketAddress remote = new InetSocketAddress(lh, port);
// Test SocketChannel shutdownXXX
SocketChannel sc;
sc = SocketChannel.open(remote);
try {
acceptAndReset(ssc);
sc.shutdownInput();
sc.shutdownOutput();
} finally {
sc.close();
}
// Test Socket adapter shutdownXXX and isShutdownInput
sc = SocketChannel.open(remote);
try {
acceptAndReset(ssc);
boolean before = sc.socket().isInputShutdown();
sc.socket().shutdownInput();
boolean after = sc.socket().isInputShutdown();
if (before || !after)
throw new RuntimeException("Before and after test failed");
sc.socket().shutdownOutput();
} finally {
sc.close();
}
} finally {
ssc.close();
}
} }
} }
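Review bot: In the rewritten Shutdown test, acceptAndReset closes the peer with SO_LINGER 0 but main then calls `sc.shutdownInput()`/`sc.shutdownOutput()` without waiting for the reset to reach sc, so whether the shutdown hits an already-reset socket depends on timing and the test may pass without exercising that path. Draining sc before the shutdown calls would make the reset observable first, e.g. `try { while (sc.read(ByteBuffer.allocate(128)) >= 0) { } } catch (IOException reset) { }`. This is inferred from the code in the hunk; if the intent is only that shutdown never throws regardless of timing, a comment on the first shutdownInput call saying so would remove the ambiguity.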


@ -22,13 +22,14 @@
*/ */
/* @test /* @test
* @bug 4313887 6838333 * @bug 4313887 6838333 6865748
* @summary Unit test for java.nio.file.Files for miscellenous cases not * @summary Unit test for java.nio.file.Files for miscellenous cases not
* covered by other tests * covered by other tests
* @library .. * @library ..
*/ */
import java.nio.file.*; import java.nio.file.*;
import java.nio.file.attribute.Attributes;
import java.io.IOException; import java.io.IOException;
import java.util.*; import java.util.*;
@ -113,5 +114,29 @@ public class Misc {
npeExpected(); npeExpected();
} catch (NullPointerException e) { } catch (NullPointerException e) {
} }
SimpleFileVisitor<Path> visitor = new SimpleFileVisitor<Path>() { };
boolean ranTheGauntlet = false;
try { visitor.preVisitDirectory(null);
} catch (NullPointerException x0) {
try { visitor.preVisitDirectoryFailed(null, new IOException());
} catch (NullPointerException x1) {
try { visitor.preVisitDirectoryFailed(dir, null);
} catch (NullPointerException x2) {
try { visitor.visitFile(null, Attributes.readBasicFileAttributes(Paths.get(".")));
} catch (NullPointerException x3) {
try { visitor.visitFile(dir, null);
} catch (NullPointerException x4) {
try { visitor.visitFileFailed(null, new IOException());
} catch (NullPointerException x5) {
try { visitor.visitFileFailed(dir, null);
} catch (NullPointerException x6) {
try { visitor.postVisitDirectory(null, new IOException());
} catch (NullPointerException x7) {
// if we get here then all visit* methods threw NPE as expected
ranTheGauntlet = true;
}}}}}}}}
if (!ranTheGauntlet)
throw new RuntimeException("A visit method did not throw NPE");
} }
} }
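Review bot: The eight nested try/catch blocks in the new visitor check, closed by a single `}}}}}}}}` line, are hard to read and, when one call fails to throw, the failure message cannot say which method was at fault. Flat, independent try blocks that record any call which did not throw keep the same pass/fail outcome, read straight down, and name the offender; the rewrite below does that (dir and the enclosing method are declared outside the hunk, and java.util.* is already imported).

```java
// … unchanged: npeExpected() checks above …
SimpleFileVisitor<Path> visitor = new SimpleFileVisitor<Path>() { };
List<String> missed = new ArrayList<String>();
try { visitor.preVisitDirectory(null); missed.add("preVisitDirectory(null)"); }
catch (NullPointerException expected) { }
try { visitor.preVisitDirectoryFailed(null, new IOException()); missed.add("preVisitDirectoryFailed(null, ex)"); }
catch (NullPointerException expected) { }
try { visitor.preVisitDirectoryFailed(dir, null); missed.add("preVisitDirectoryFailed(dir, null)"); }
catch (NullPointerException expected) { }
try { visitor.visitFile(null, Attributes.readBasicFileAttributes(Paths.get("."))); missed.add("visitFile(null, attrs)"); }
catch (NullPointerException expected) { }
try { visitor.visitFile(dir, null); missed.add("visitFile(dir, null)"); }
catch (NullPointerException expected) { }
try { visitor.visitFileFailed(null, new IOException()); missed.add("visitFileFailed(null, ex)"); }
catch (NullPointerException expected) { }
try { visitor.visitFileFailed(dir, null); missed.add("visitFileFailed(dir, null)"); }
catch (NullPointerException expected) { }
try { visitor.postVisitDirectory(null, new IOException()); missed.add("postVisitDirectory(null, ex)"); }
catch (NullPointerException expected) { }
if (!missed.isEmpty())
    throw new RuntimeException("visit methods did not throw NPE: " + missed);
```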


@ -1,5 +1,5 @@
/* /*
* Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2008-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -22,6 +22,7 @@
*/ */
import com.sun.security.auth.module.Krb5LoginModule; import com.sun.security.auth.module.Krb5LoginModule;
import java.security.Key;
import java.security.PrivilegedActionException; import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction; import java.security.PrivilegedExceptionAction;
import java.util.Arrays; import java.util.Arrays;
@ -38,6 +39,9 @@ import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName; import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp; import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid; import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import com.sun.security.jgss.AuthorizationDataEntry;
/** /**
* Context of a JGSS subject, encapsulating Subject and GSSContext. * Context of a JGSS subject, encapsulating Subject and GSSContext.
@ -276,6 +280,34 @@ public class Context {
} }
} }
} }
if (x != null && x instanceof ExtendedGSSContext) {
if (x.isEstablished()) {
ExtendedGSSContext ex = (ExtendedGSSContext)x;
Key k = (Key)ex.inquireSecContext(
InquireType.KRB5_GET_SESSION_KEY);
if (k == null) {
throw new Exception("Session key cannot be null");
}
System.out.println("Session key is: " + k);
boolean[] flags = (boolean[])ex.inquireSecContext(
InquireType.KRB5_GET_TKT_FLAGS);
if (flags == null) {
throw new Exception("Ticket flags cannot be null");
}
System.out.println("Ticket flags is: " + Arrays.toString(flags));
String authTime = (String)ex.inquireSecContext(
InquireType.KRB5_GET_AUTHTIME);
if (authTime == null) {
throw new Exception("Auth time cannot be null");
}
System.out.println("AuthTime is: " + authTime);
if (!x.isInitiator()) {
AuthorizationDataEntry[] ad = (AuthorizationDataEntry[])ex.inquireSecContext(
InquireType.KRB5_GET_AUTHZ_DATA);
System.out.println("AuthzData is: " + Arrays.toString(ad));
}
}
}
} }
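Review bot: In the block added to Context, `System.out.println("Session key is: " + k)` writes the Kerberos session key object to the test log; whether raw key bytes land in the output depends on that Key implementation's toString, so print only its metadata, e.g. `System.out.println("Session key: " + k.getAlgorithm() + "/" + k.getFormat());`. The `x != null &&` in front of `x instanceof ExtendedGSSContext` is redundant, since instanceof is already false for null. The enclosing method starts outside the hunk.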
/** /**


@ -0,0 +1,61 @@
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
# @test
# @bug 6866479
# @summary libzip.so caused JVM to crash when running jarsigner
#
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* | CYGWIN* )
SIGNEDJAR=EM.jar
FS="\\"
;;
* )
SIGNEDJAR=em.jar
FS="/"
;;
esac
KS=samename.jks
JFILE=em.jar
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
JAR=$TESTJAVA${FS}bin${FS}jar
JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
rm $KS $JFILE $SIGNEDJAR
echo A > A
$JAR cvf $JFILE A
$KT -alias a -dname CN=a -keyalg rsa -genkey -validity 300
$JARSIGNER -keystore $KS -storepass changeit -signedjar $SIGNEDJAR $JFILE a