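/**
 * KDC-side policy check of the Diffie-Hellman parameters a client sent in its
 * PA-PK-AS-REQ.
 *
 * <p>Two checks are applied, in order: the modulus {@code p} must have at least
 * {@code pluginOpts.getDhMinBits()} bits, and the parameters must then be accepted by
 * {@code checkDHWellknown} (defined elsewhere in this class). Either failure is reported to
 * the client as {@code KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED}; only the bit-length failure
 * carries a descriptive message and is logged.
 *
 * @param pluginOpts  plugin options supplying the minimum accepted modulus size
 * @param cryptoctx   the crypto context handed to {@code checkDHWellknown}
 * @param dhParameter the client-supplied DH parameters; {@code getP()} is expected to be
 *                    non-null (a null modulus would fail here with a NullPointerException
 *                    rather than a KrbException — caller is presumed to have decoded it)
 * @throws KrbException with {@code KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED} if the modulus
 *                      is too short or the parameters are not a well-known group
 */
public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx,
                                 DhParameter dhParameter) throws KrbException {
    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    int dhPrimeBits = dhParameter.getP().bitLength();
    int minBits = pluginOpts.getDhMinBits();
    if (dhPrimeBits < minBits) {
        // Fixed message spacing: the original produced e.g. "1024bits, we require 2048".
        String errMsg = "client sent dh params with " + dhPrimeBits
                + " bits, we require " + minBits;
        LOG.error(errMsg);
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
    }
    // Bit length alone is not sufficient: the group itself must be one the KDC recognises.
    if (!checkDHWellknown(cryptoctx, dhParameter, dhPrimeBits)) {
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED);
    }
}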
/**
 * Copies the per-request PKINIT policy flags from the plugin options into this object's
 * {@code requestOpts}: require-EKU, accept-secondary-EKU, allow-UPN, using-RSA and
 * require-CRL-checking. Any other setting in {@code requestOpts} is left untouched.
 *
 * @param pluginOpts source of the flag values
 */
public void updateRequestOpts(PluginOpts pluginOpts) {
    boolean requireEku = pluginOpts.isRequireEku();
    boolean acceptSecondaryEku = pluginOpts.isAcceptSecondaryEku();
    boolean allowUpn = pluginOpts.isAllowUpn();
    boolean usingRsa = pluginOpts.isUsingRsa();
    boolean requireCrlChecking = pluginOpts.isRequireCrlChecking();

    requestOpts.setRequireEku(requireEku);
    requestOpts.setAcceptSecondaryEku(acceptSecondaryEku);
    requestOpts.setAllowUpn(allowUpn);
    requestOpts.setUsingRsa(usingRsa);
    requestOpts.setRequireCrlChecking(requireCrlChecking);
}
// Excerpt from the middle of a request-building method: reqCtx, checkSum, authPack and
// paPkAsReq are locals/fields defined outside this fragment.
PkAuthenticator pkAuthen = new PkAuthenticator();
// Read here but not used within this excerpt; presumably consumed further down the
// enclosing method — confirm against the full source.
boolean usingRsa = pkinitContext.getPluginOpts().isUsingRsa();
// Mark the request context as carrying PA-PK-AS-REQ pre-authentication.
reqCtx.setPaType(PaDataType.PK_AS_REQ);
// The checksum binds the authenticator to the request body it accompanies.
pkAuthen.setPaChecksum(checkSum.getChecksum());
authPack.setPkAuthenticator(pkAuthen);
// Advertise the CMS algorithms the client supports; the KDC picks from this list.
authPack.setsupportedCmsTypes(pkinitContext.getPluginOpts().createSupportedCMSTypes());
// Trust anchors the client will accept in the KDC's certificate chain.
TrustedCertifiers trustedCertifiers = pkinitContext.getPluginOpts().createTrustedCertifiers();
paPkAsReq.setTrustedCertifiers(trustedCertifiers);
/**
 * {@inheritDoc}
 *
 * <p>Applies the PKINIT-specific options to {@code pkinitContext}: the X.509 identity,
 * the trust anchors (taken from the option value, or from the KDC config's
 * {@code getPkinitAnchors()} when the option is present but has no value), and the
 * using-RSA flag (defaults to {@code true} when the option carries no value).
 * Note that a single anchors string is wrapped as a one-element list; it is not split.
 */
@Override
public void setPreauthOptions(KdcRequest kdcRequest, PluginRequestContext requestContext,
                              KOptions options) {
    IdentityOpts identityOpts = pkinitContext.getIdentityOpts();

    if (options.contains(PkinitOption.X509_IDENTITY)) {
        String identity = options.getStringOption(PkinitOption.X509_IDENTITY);
        identityOpts.setIdentity(identity);
    }

    if (options.contains(PkinitOption.X509_ANCHORS)) {
        String anchorsValue = options.getStringOption(PkinitOption.X509_ANCHORS);
        List<String> resolvedAnchors;
        if (anchorsValue != null) {
            resolvedAnchors = Arrays.asList(anchorsValue);
        } else {
            // Fall back to the anchors configured on the KDC.
            resolvedAnchors = kdcRequest.getContext().getConfig().getPkinitAnchors();
        }
        identityOpts.getAnchors().addAll(resolvedAnchors);
    }

    if (options.contains(PkinitOption.USING_RSA)) {
        boolean usingRsa = options.getBooleanOption(PkinitOption.USING_RSA, true);
        pkinitContext.getPluginOpts().setUsingRsa(usingRsa);
    }
}
// Excerpt from the middle of a request-building method: reqCtx, checkSum, authPack and
// paPkAsReq are locals/fields defined outside this fragment.
PkAuthenticator pkAuthen = new PkAuthenticator();
// Read here but not used within this excerpt; presumably consumed further down the
// enclosing method — confirm against the full source.
boolean usingRsa = pkinitContext.getPluginOpts().isUsingRsa();
// Mark the request context as carrying PA-PK-AS-REQ pre-authentication.
reqCtx.setPaType(PaDataType.PK_AS_REQ);
// The checksum binds the authenticator to the request body it accompanies.
pkAuthen.setPaChecksum(checkSum.getChecksum());
authPack.setPkAuthenticator(pkAuthen);
// Advertise the CMS algorithms the client supports; the KDC picks from this list.
authPack.setsupportedCmsTypes(pkinitContext.getPluginOpts().createSupportedCMSTypes());
// Trust anchors the client will accept in the KDC's certificate chain.
TrustedCertifiers trustedCertifiers = pkinitContext.getPluginOpts().createTrustedCertifiers();
paPkAsReq.setTrustedCertifiers(trustedCertifiers);
/**
 * {@inheritDoc}
 *
 * <p>Applies the PKINIT-specific options to {@code pkinitContext}: the X.509 identity,
 * the trust anchors (taken from the option value, or from the KDC config's
 * {@code getPkinitAnchors()} when the option is present but has no value), and the
 * using-RSA flag (defaults to {@code true} when the option carries no value).
 * Note that a single anchors string is wrapped as a one-element list; it is not split.
 */
@Override
public void setPreauthOptions(KdcRequest kdcRequest, PluginRequestContext requestContext,
                              KOptions options) {
    if (options.contains(PkinitOption.X509_IDENTITY)) {
        String identity = options.getStringOption(PkinitOption.X509_IDENTITY);
        pkinitContext.getIdentityOpts().setIdentity(identity);
    }

    if (options.contains(PkinitOption.X509_ANCHORS)) {
        String anchorsValue = options.getStringOption(PkinitOption.X509_ANCHORS);
        List<String> resolvedAnchors;
        if (anchorsValue != null) {
            resolvedAnchors = Arrays.asList(anchorsValue);
        } else {
            // Fall back to the anchors configured on the KDC.
            resolvedAnchors = kdcRequest.getContext().getConfig().getPkinitAnchors();
        }
        pkinitContext.getIdentityOpts().getAnchors().addAll(resolvedAnchors);
    }

    if (options.contains(PkinitOption.USING_RSA)) {
        boolean usingRsa = options.getBooleanOption(PkinitOption.USING_RSA, true);
        pkinitContext.getPluginOpts().setUsingRsa(usingRsa);
    }
}
/**
 * Copies the per-request PKINIT policy flags from the plugin options into this object's
 * {@code requestOpts}: require-EKU, accept-secondary-EKU, allow-UPN, using-RSA and
 * require-CRL-checking. Any other setting in {@code requestOpts} is left untouched.
 *
 * @param pluginOpts source of the flag values
 */
public void updateRequestOpts(PluginOpts pluginOpts) {
    boolean requireEku = pluginOpts.isRequireEku();
    boolean acceptSecondaryEku = pluginOpts.isAcceptSecondaryEku();
    boolean allowUpn = pluginOpts.isAllowUpn();
    boolean usingRsa = pluginOpts.isUsingRsa();
    boolean requireCrlChecking = pluginOpts.isRequireCrlChecking();

    requestOpts.setRequireEku(requireEku);
    requestOpts.setAcceptSecondaryEku(acceptSecondaryEku);
    requestOpts.setAllowUpn(allowUpn);
    requestOpts.setUsingRsa(usingRsa);
    requestOpts.setRequireCrlChecking(requireCrlChecking);
}
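/**
 * KDC-side policy check of the Diffie-Hellman parameters a client sent in its
 * PA-PK-AS-REQ.
 *
 * <p>Two checks are applied, in order: the modulus {@code p} must have at least
 * {@code pluginOpts.getDhMinBits()} bits, and the parameters must then be accepted by
 * {@code checkDHWellknown} (defined elsewhere in this class). Either failure is reported to
 * the client as {@code KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED}; only the bit-length failure
 * carries a descriptive message and is logged.
 *
 * @param pluginOpts  plugin options supplying the minimum accepted modulus size
 * @param cryptoctx   the crypto context handed to {@code checkDHWellknown}
 * @param dhParameter the client-supplied DH parameters; {@code getP()} is expected to be
 *                    non-null (a null modulus would fail here with a NullPointerException
 *                    rather than a KrbException — caller is presumed to have decoded it)
 * @throws KrbException with {@code KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED} if the modulus
 *                      is too short or the parameters are not a well-known group
 */
public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx,
                                 DhParameter dhParameter) throws KrbException {
    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    int dhPrimeBits = dhParameter.getP().bitLength();
    int minBits = pluginOpts.getDhMinBits();
    if (dhPrimeBits < minBits) {
        // Fixed message spacing: the original produced e.g. "1024bits, we require 2048".
        String errMsg = "client sent dh params with " + dhPrimeBits
                + " bits, we require " + minBits;
        LOG.error(errMsg);
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
    }
    // Bit length alone is not sufficient: the group itself must be one the KDC recognises.
    if (!checkDHWellknown(cryptoctx, dhParameter, dhPrimeBits)) {
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED);
    }
}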