public static boolean verifyKdcSan(String hostname, PrincipalName kdcPrincipal, List<Certificate> certificates) throws KrbException { if (hostname == null) { LOG.info("No pkinit_kdc_hostname values found in config file"); } else { LOG.info("pkinit_kdc_hostname values found in config file"); } try { List<PrincipalName> princs = cryptoRetrieveCertSans(certificates); if (princs != null) { for (PrincipalName princ : princs) { LOG.info("PKINIT client found id-pkinit-san in KDC cert: " + princ.getName()); } LOG.info("Checking pkinit sans."); if (princs.contains(kdcPrincipal)) { LOG.info("pkinit san match found"); return true; } else { LOG.info("no pkinit san match found"); return false; } } else { return false; } } catch (KrbException e) { String errMessage = "PKINIT client failed to decode SANs in KDC cert." + e; LOG.error(errMessage); throw new KrbException(KrbErrorCode.KDC_NAME_MISMATCH, errMessage); } }
public static List<PrincipalName> cryptoRetrieveCertSans(List<Certificate> certificates) throws KrbException { if (certificates.size() == 0) { LOG.info("no certificate!"); return null; } return cryptoRetrieveX509Sans(certificates); }
private byte[] signAuthPack(AuthPack authPack) throws KrbException { String oid = PkinitPlgCryptoContext.getIdPkinitAuthDataOID(); byte[] signedDataBytes = PkinitCrypto.eContentInfoCreate( KrbCodec.encode(authPack), oid); return signedDataBytes; }
PkinitCrypto.verifyCmsSignedData( CmsMessageType.CMS_SIGN_SERVER, signedData); PkinitCrypto.validateChain(certificates, x509Certificate); } catch (Exception e) { throw new KrbException(KrbErrorCode.KDC_ERR_INVALID_CERTIFICATE, e); kdcRequest.getContext().getConfig().getKdcRealm()); boolean validSan = PkinitCrypto.verifyKdcSan( kdcRequest.getContext().getConfig().getPkinitKdcHostName(), kdcPrincipal, certificates); BigInteger g = client.getDhParam().getG(); DHPublicKey dhPublicKey = PkinitCrypto.createDHPublicKey(p, g, y);
PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData); if (publicKeyInfo.getSubjectPubKey() != null) { dhParameter = authPack.getClientPublicValue().getAlgorithm().getParametersAs(DhParameter.class); PkinitCrypto.serverCheckDH(pkinitContext.pluginOpts, pkinitContext.cryptoctx, dhParameter); BigInteger g = dhParameter.getG(); DHPublicKey dhPublicKey = PkinitCrypto.createDHPublicKey(p, g, y);
public AlgorithmIdentifiers createSupportedCMSTypes() throws KrbException { AlgorithmIdentifiers cmsAlgorithms = new AlgorithmIdentifiers(); AlgorithmIdentifier des3Alg = new AlgorithmIdentifier(); /* krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };*/ String content = "0x06 08 2A 86 48 86 F7 0D 03 07"; Asn1ObjectIdentifier des3Oid = PkinitCrypto.createOid(content); des3Alg.setAlgorithm(des3Oid.getValue()); cmsAlgorithms.add(des3Alg); return cmsAlgorithms; }
Certificate certificate = PkinitCrypto.changeToCertificate(x509Certificate); CertificateChoices certificateChoices = new CertificateChoices(); certificateChoices.setCertificate(certificate); signedDataBytes = PkinitCrypto.cmsSignedDataCreate(KrbCodec.encode(kdcDhKeyInfo), oid, 3, null, certificateSet, null, null);
/** * KDC check the key parameter * @param pluginOpts The PluginOpts * @param cryptoctx The PkinitPlgCryptoContext * @param dhParameter The DhParameter * @throws KrbException e */ public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx, DhParameter dhParameter) throws KrbException { /* KDC SHOULD check to see if the key parameters satisfy its policy */ int dhPrimeBits = dhParameter.getP().bitLength(); if (dhPrimeBits < pluginOpts.getDhMinBits()) { String errMsg = "client sent dh params with " + dhPrimeBits + "bits, we require " + pluginOpts.getDhMinBits(); LOG.error(errMsg); throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg); } if (!checkDHWellknown(cryptoctx, dhParameter, dhPrimeBits)) { throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED); } }
/** * Check DH wellknown * @param cryptoctx The PkinitPlgCryptoContext * @param dhParameter The DhParameter * @param dhPrimeBits The dh prime bits * @return boolean * @throws KrbException e */ public static boolean checkDHWellknown(PkinitPlgCryptoContext cryptoctx, DhParameter dhParameter, int dhPrimeBits) throws KrbException { boolean valid = false; switch (dhPrimeBits) { case 1024: /* Oakley MODP group 2 */ case 2048: /* Oakley MODP group 14 */ case 4096: /* Oakley MODP group 16 */ valid = pkinitCheckDhParams(cryptoctx.createDHParameterSpec(dhPrimeBits), dhParameter); break; default: break; } return valid; }
PkinitCrypto.verifyCmsSignedData( CmsMessageType.CMS_SIGN_SERVER, signedData); PkinitCrypto.validateChain(certificates, x509Certificate); } catch (Exception e) { throw new KrbException(KrbErrorCode.KDC_ERR_INVALID_CERTIFICATE, e); kdcRequest.getContext().getConfig().getKdcRealm()); boolean validSan = PkinitCrypto.verifyKdcSan( kdcRequest.getContext().getConfig().getPkinitKdcHostName(), kdcPrincipal, certificates); BigInteger g = client.getDhParam().getG(); DHPublicKey dhPublicKey = PkinitCrypto.createDHPublicKey(p, g, y);
PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData); if (publicKeyInfo.getSubjectPubKey() != null) { dhParameter = authPack.getClientPublicValue().getAlgorithm().getParametersAs(DhParameter.class); PkinitCrypto.serverCheckDH(pkinitContext.pluginOpts, pkinitContext.cryptoctx, dhParameter); BigInteger g = dhParameter.getG(); DHPublicKey dhPublicKey = PkinitCrypto.createDHPublicKey(p, g, y);
public AlgorithmIdentifiers createSupportedCMSTypes() throws KrbException { AlgorithmIdentifiers cmsAlgorithms = new AlgorithmIdentifiers(); AlgorithmIdentifier des3Alg = new AlgorithmIdentifier(); /* krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };*/ String content = "0x06 08 2A 86 48 86 F7 0D 03 07"; Asn1ObjectIdentifier des3Oid = PkinitCrypto.createOid(content); des3Alg.setAlgorithm(des3Oid.getValue()); cmsAlgorithms.add(des3Alg); return cmsAlgorithms; }
Certificate certificate = PkinitCrypto.changeToCertificate(x509Certificate); CertificateChoices certificateChoices = new CertificateChoices(); certificateChoices.setCertificate(certificate); signedDataBytes = PkinitCrypto.cmsSignedDataCreate(KrbCodec.encode(kdcDhKeyInfo), oid, 3, null, certificateSet, null, null);
/** * KDC check the key parameter * @param pluginOpts The PluginOpts * @param cryptoctx The PkinitPlgCryptoContext * @param dhParameter The DhParameter * @throws KrbException e */ public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx, DhParameter dhParameter) throws KrbException { /* KDC SHOULD check to see if the key parameters satisfy its policy */ int dhPrimeBits = dhParameter.getP().bitLength(); if (dhPrimeBits < pluginOpts.getDhMinBits()) { String errMsg = "client sent dh params with " + dhPrimeBits + "bits, we require " + pluginOpts.getDhMinBits(); LOG.error(errMsg); throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg); } if (!checkDHWellknown(cryptoctx, dhParameter, dhPrimeBits)) { throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED); } }
/** * Check DH wellknown * @param cryptoctx The PkinitPlgCryptoContext * @param dhParameter The DhParameter * @param dhPrimeBits The dh prime bits * @return boolean * @throws KrbException e */ public static boolean checkDHWellknown(PkinitPlgCryptoContext cryptoctx, DhParameter dhParameter, int dhPrimeBits) throws KrbException { boolean valid = false; switch (dhPrimeBits) { case 1024: /* Oakley MODP group 2 */ case 2048: /* Oakley MODP group 14 */ case 4096: /* Oakley MODP group 16 */ valid = pkinitCheckDhParams(cryptoctx.createDHParameterSpec(dhPrimeBits), dhParameter); break; default: break; } return valid; }
Asn1ObjectIdentifier dhOid = PkinitCrypto.createOid(content); AlgorithmIdentifier dhAlg = new AlgorithmIdentifier(); dhAlg.setAlgorithm(dhOid.getValue());
private byte[] signAuthPack(AuthPack authPack) throws KrbException { String oid = PkinitPlgCryptoContext.getIdPkinitAuthDataOID(); byte[] signedDataBytes = PkinitCrypto.eContentInfoCreate( KrbCodec.encode(authPack), oid); return signedDataBytes; }
public static List<PrincipalName> cryptoRetrieveCertSans(List<Certificate> certificates) throws KrbException { if (certificates.size() == 0) { LOG.info("no certificate!"); return null; } return cryptoRetrieveX509Sans(certificates); }
public static boolean verifyKdcSan(String hostname, PrincipalName kdcPrincipal, List<Certificate> certificates) throws KrbException { if (hostname == null) { LOG.info("No pkinit_kdc_hostname values found in config file"); } else { LOG.info("pkinit_kdc_hostname values found in config file"); } try { List<PrincipalName> princs = cryptoRetrieveCertSans(certificates); if (princs != null) { for (PrincipalName princ : princs) { LOG.info("PKINIT client found id-pkinit-san in KDC cert: " + princ.getName()); } LOG.info("Checking pkinit sans."); if (princs.contains(kdcPrincipal)) { LOG.info("pkinit san match found"); return true; } else { LOG.info("no pkinit san match found"); return false; } } else { return false; } } catch (KrbException e) { String errMessage = "PKINIT client failed to decode SANs in KDC cert." + e; LOG.error(errMessage); throw new KrbException(KrbErrorCode.KDC_NAME_MISMATCH, errMessage); } }
Asn1ObjectIdentifier dhOid = PkinitCrypto.createOid(content); AlgorithmIdentifier dhAlg = new AlgorithmIdentifier(); dhAlg.setAlgorithm(dhOid.getValue());