/**
 * Builds the Authenticator carried in the KRB_AP_REQ: client principal and
 * realm taken from the service ticket, the current time split into whole
 * seconds (ctime) and microseconds (cusec), and the ticket session key as
 * sub-key only when {@code ApOption.USE_SESSION_KEY} was requested.
 *
 * @return the populated authenticator (not yet sealed)
 * @throws KrbException declared by the signature; nothing in this body throws it directly
 */
private Authenticator makeAuthenticator() throws KrbException {
    long nowMillis = System.currentTimeMillis();
    long fractionMillis = nowMillis % 1000;
    // ctime keeps the whole-second part; the millisecond remainder is
    // expressed in microseconds for cusec.
    long wholeSecondsMillis = nowMillis - fractionMillis;
    int cusec = ((int) fractionMillis) * 1000;

    Authenticator auth = new Authenticator();
    auth.setAuthenticatorVno(5);
    auth.setCname(clientPrincipal);
    auth.setCrealm(sgtTicket.getRealm());
    auth.setCtime(new KerberosTime(wholeSecondsMillis));
    auth.setCusec(cusec);
    // The sub-key field is only populated when the option asks for it.
    if (flags.contains(ApOption.USE_SESSION_KEY)) {
        auth.setSubKey(sgtTicket.getSessionKey());
    }
    return auth;
}
encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class); if (!authenticator.getCname().equals(tgtTicket.getEncPart().getCname())) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH); if (authenticator.getCrealm() != null && authenticator.getCrealm().equals(getKdcContext().getKdcRealm())) { PrincipalName clientPrincipal = authenticator.getCname(); clientPrincipal.setRealm(authenticator.getCrealm()); KrbIdentity clientEntry = getEntry(clientPrincipal.getName()); setClientEntry(clientEntry); if (!authenticator.getCtime().isInClockSkew( getKdcContext().getConfig().getAllowableClockSkew() * 1000)) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW); CheckSum checkSum = authenticator.getCksum(); if (checkSum != null) { byte[] reqBody;
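/**
 * Validates a KRB_AP_REQ against the service key: decrypts the ticket,
 * unseals the authenticator with the session key found inside the ticket,
 * and requires the authenticator's client name and realm to match the
 * ticket's.
 *
 * @param encKey service key that decrypts the ticket's encrypted part
 * @param apReq  the received KRB_AP_REQ; its ticket and authenticator are
 *               populated in place on success
 * @throws KrbException KRB_AP_ERR_NOKEY when no key is supplied,
 *         KRB_AP_ERR_BADMATCH when the authenticator does not match the
 *         ticket (including a missing cname or crealm), or whatever
 *         unsealing raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
            encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(encPart);

    // The authenticator is sealed under the session key carried in the ticket.
    unsealAuthenticator(encPart.getKey(), apReq);
    Authenticator authenticator = apReq.getAuthenticator();

    // A missing cname/crealm in the authenticator is a mismatch with the
    // ticket, not an internal error: report BADMATCH instead of letting
    // equals() throw NullPointerException on attacker-controlled input.
    if (authenticator.getCname() == null
            || !authenticator.getCname().equals(encPart.getCname())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
    if (authenticator.getCrealm() == null
            || !authenticator.getCrealm().equals(encPart.getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}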
/**
 * Builds the KRB_AP_REP answering the stored {@code apReq}: echoes the
 * authenticator's ctime/cusec (the values the client compares for mutual
 * authentication), carries the client's sub-key and a zero sequence number,
 * and seals the encrypted part under that same sub-key.
 *
 * @return the sealed KRB_AP_REP
 * @throws KrbException if sealing the encrypted part fails
 */
private ApRep makeApRep() throws KrbException {
    Authenticator clientAuth = apReq.getAuthenticator();

    EncAPRepPart repPart = new EncAPRepPart();
    // Client's timestamp, echoed back unchanged.
    repPart.setCtime(clientAuth.getCtime());
    // Microsecond part of that timestamp.
    repPart.setCusec(clientAuth.getCusec());
    // NOTE(review): the authenticator sub-key is optional on the client side;
    // confirm this path is never reached without one, since it is also the
    // sealing key below.
    repPart.setSubkey(clientAuth.getSubKey());
    repPart.setSeqNumber(0);

    ApRep reply = new ApRep();
    reply.setEncRepPart(repPart);
    EncryptedData sealed = EncryptionUtil.seal(repPart, clientAuth.getSubKey(),
            KeyUsage.AP_REP_ENCPART);
    reply.setEncryptedEncPart(sealed);
    return reply;
}
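/**
 * Validation for a KRB_AP_REP message received from the server.
 *
 * Decrypts the encrypted part with {@code encKey} and stores it on
 * {@code apRep}. When the originating KRB_AP_REQ is supplied, the reply's
 * ctime/cusec must equal the authenticator's; that match is what binds the
 * reply to our request (mutual authentication). With a {@code null}
 * {@code apReqSent} only successful decryption is checked.
 *
 * @param encKey    key used to encrypt the encrypted part of the KRB_AP_REP
 * @param apRep     KRB_AP_REP message received
 * @param apReqSent the KRB_AP_REQ that caused this KRB_AP_REP, or
 *                  {@code null} to skip the timestamp match
 * @throws KrbException KRB_AP_ERR_MUT_FAIL when the echoed timestamp does
 *         not match the request (or is absent), or whatever unsealing raises
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
            encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(encPart);

    if (apReqSent != null) {
        Authenticator auth = apReqSent.getAuthenticator();
        // A reply without a ctime cannot match the request: report it as a
        // mutual-auth failure rather than letting equals() throw NPE.
        if (encPart.getCtime() == null
                || !encPart.getCtime().equals(auth.getCtime())
                || encPart.getCusec() != auth.getCusec()) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
        }
    }
}
}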
/**
 * Creates a new instance of an Authenticator.
 *
 * Passes the ASN.1 {@code TAG} and {@code fieldInfos} layout to the
 * superclass, then sets authenticator-vno to {@link KrbConstant#KRB_V5}.
 * Callers may still override the version through {@code setAuthenticatorVno}.
 */
public Authenticator() {
    super(TAG, fieldInfos);
    // Default to Version 5
    setAuthenticatorVno(KrbConstant.KRB_V5);
}
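/**
 * Initialises the initiator side of the context from the service ticket and
 * the KRB_AP_REQ built for it: copies the ticket flags and auth time, records
 * our own sequence number, and selects the context key (the authenticator
 * sub-key when one was sent, otherwise the ticket session key).
 *
 * @param sgt       the service ticket obtained from the KDC
 * @param apRequest the KRB_AP_REQ wrapper whose authenticator is read
 * @throws GSSException with major code {@code FAILURE} when the authenticator
 *         cannot be obtained; the underlying KrbException is attached as the
 *         cause so the Kerberos error code is not lost
 */
private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
    EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
    TicketFlags ticketFlags = encKdcRepPart.getFlags();
    setTicketFlags(ticketFlags);
    setAuthTime(encKdcRepPart.getAuthTime().toString());

    Authenticator auth;
    try {
        auth = apRequest.getApReq().getAuthenticator();
    } catch (KrbException e) {
        // GSSException has no cause-taking constructor; attach it explicitly
        // so diagnostics keep the Kerberos error instead of a bare message.
        GSSException gssException = new GSSException(GSSException.FAILURE, -1,
                "ApReq failed in Initiator");
        gssException.initCause(e);
        throw gssException;
    }
    setMySequenceNumber(auth.getSeqNumber());

    EncryptionKey subKey = auth.getSubKey();
    if (subKey != null) {
        setSessionKey(subKey, GssContext.INITIATOR_SUBKEY);
    } else {
        setSessionKey(sgt.getSessionKey(), GssContext.SESSION_KEY);
    }
    // Without mutual authentication no acceptor reply supplies a peer
    // sequence number, so it starts at 0 here.
    if (!getMutualAuthState()) {
        setPeerSequenceNumber(0);
    }
}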
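/**
 * Full KRB_AP_REQ validation: the key/ticket/authenticator checks of
 * {@link #validate(EncryptionKey, ApReq)}, then the optional client-address
 * check, the authenticator clock-skew check and the ticket validity window.
 *
 * The ticket start/end times are always enforced against the current time.
 * Only the authenticator clock-skew check is skipped when {@code timeSkew}
 * is 0, since a zero-tolerance timestamp comparison cannot meaningfully
 * succeed; previously a zero skew disabled the expiry checks as well, which
 * let expired or not-yet-valid tickets through.
 *
 * @param encKey    service key that decrypts the ticket
 * @param apReq     the received KRB_AP_REQ
 * @param initiator address the request came from, or {@code null} to skip
 *                  the check against the ticket's client address list
 * @param timeSkew  allowable clock skew in milliseconds; 0 disables only the
 *                  authenticator timestamp check
 * @throws KrbException KRB_AP_ERR_BADADDR, KRB_AP_ERR_SKEW,
 *         KRB_AP_ERR_TKT_NYV, KRB_AP_ERR_TKT_EXPIRED, or anything the basic
 *         validation raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator,
                            long timeSkew) throws KrbException {
    validate(encKey, apReq);
    Ticket ticket = apReq.getTicket();
    EncTicketPart tktEncPart = ticket.getEncPart();
    Authenticator authenticator = apReq.getAuthenticator();

    // Only tickets that carry a client address list are bound to an address.
    if (initiator != null) {
        HostAddresses clientAddrs = tktEncPart.getClientAddresses();
        if (clientAddrs != null && !clientAddrs.contains(initiator)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
        }
    }

    if (timeSkew != 0 && !authenticator.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }

    // Ticket lifetime is checked unconditionally: an expired or not-yet-valid
    // ticket must be rejected even when no skew is configured.
    KerberosTime now = KerberosTime.now();
    KerberosTime startTime = tktEncPart.getStartTime();
    if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }
    if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}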
armorKey = FastUtil.cf2(authenticator.getSubKey(), "subkeyarmor", encKey, "ticketarmor"); } catch (KrbException e) {
encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class); if (!authenticator.getCname().equals(tgtTicket.getEncPart().getCname())) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH); if (authenticator.getCrealm() != null && authenticator.getCrealm().equals(getKdcContext().getKdcRealm())) { PrincipalName clientPrincipal = authenticator.getCname(); clientPrincipal.setRealm(authenticator.getCrealm()); KrbIdentity clientEntry = getEntry(clientPrincipal.getName()); setClientEntry(clientEntry); if (!authenticator.getCtime().isInClockSkew( getKdcContext().getConfig().getAllowableClockSkew() * 1000)) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW); CheckSum checkSum = authenticator.getCksum(); if (checkSum != null) { byte[] reqBody;
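/**
 * Validates a KRB_AP_REQ against the service key: decrypts the ticket,
 * unseals the authenticator with the session key found inside the ticket,
 * and requires the authenticator's client name and realm to match the
 * ticket's.
 *
 * @param encKey service key that decrypts the ticket's encrypted part
 * @param apReq  the received KRB_AP_REQ; its ticket and authenticator are
 *               populated in place on success
 * @throws KrbException KRB_AP_ERR_NOKEY when no key is supplied,
 *         KRB_AP_ERR_BADMATCH when the authenticator does not match the
 *         ticket (including a missing cname or crealm), or whatever
 *         unsealing raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
            encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(encPart);

    // The authenticator is sealed under the session key carried in the ticket.
    unsealAuthenticator(encPart.getKey(), apReq);
    Authenticator authenticator = apReq.getAuthenticator();

    // A missing cname/crealm in the authenticator is a mismatch with the
    // ticket, not an internal error: report BADMATCH instead of letting
    // equals() throw NullPointerException on attacker-controlled input.
    if (authenticator.getCname() == null
            || !authenticator.getCname().equals(encPart.getCname())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
    if (authenticator.getCrealm() == null
            || !authenticator.getCrealm().equals(encPart.getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}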
/**
 * Builds the KRB_AP_REP answering the stored {@code apReq}: echoes the
 * authenticator's ctime/cusec (the values the client compares for mutual
 * authentication), carries the client's sub-key and a zero sequence number,
 * and seals the encrypted part under that same sub-key.
 *
 * @return the sealed KRB_AP_REP
 * @throws KrbException if sealing the encrypted part fails
 */
private ApRep makeApRep() throws KrbException {
    Authenticator clientAuth = apReq.getAuthenticator();

    EncAPRepPart repPart = new EncAPRepPart();
    // Client's timestamp, echoed back unchanged.
    repPart.setCtime(clientAuth.getCtime());
    // Microsecond part of that timestamp.
    repPart.setCusec(clientAuth.getCusec());
    // NOTE(review): the authenticator sub-key is optional on the client side;
    // confirm this path is never reached without one, since it is also the
    // sealing key below.
    repPart.setSubkey(clientAuth.getSubKey());
    repPart.setSeqNumber(0);

    ApRep reply = new ApRep();
    reply.setEncRepPart(repPart);
    EncryptedData sealed = EncryptionUtil.seal(repPart, clientAuth.getSubKey(),
            KeyUsage.AP_REP_ENCPART);
    reply.setEncryptedEncPart(sealed);
    return reply;
}
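/**
 * Validation for a KRB_AP_REP message received from the server.
 *
 * Decrypts the encrypted part with {@code encKey} and stores it on
 * {@code apRep}. When the originating KRB_AP_REQ is supplied, the reply's
 * ctime/cusec must equal the authenticator's; that match is what binds the
 * reply to our request (mutual authentication). With a {@code null}
 * {@code apReqSent} only successful decryption is checked.
 *
 * @param encKey    key used to encrypt the encrypted part of the KRB_AP_REP
 * @param apRep     KRB_AP_REP message received
 * @param apReqSent the KRB_AP_REQ that caused this KRB_AP_REP, or
 *                  {@code null} to skip the timestamp match
 * @throws KrbException KRB_AP_ERR_MUT_FAIL when the echoed timestamp does
 *         not match the request (or is absent), or whatever unsealing raises
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
            encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(encPart);

    if (apReqSent != null) {
        Authenticator auth = apReqSent.getAuthenticator();
        // A reply without a ctime cannot match the request: report it as a
        // mutual-auth failure rather than letting equals() throw NPE.
        if (encPart.getCtime() == null
                || !encPart.getCtime().equals(auth.getCtime())
                || encPart.getCusec() != auth.getCusec()) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
        }
    }
}
}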
/**
 * Creates a new instance of an Authenticator.
 *
 * Passes the ASN.1 {@code TAG} and {@code fieldInfos} layout to the
 * superclass, then sets authenticator-vno to {@link KrbConstant#KRB_V5}.
 * Callers may still override the version through {@code setAuthenticatorVno}.
 */
public Authenticator() {
    super(TAG, fieldInfos);
    // Default to Version 5
    setAuthenticatorVno(KrbConstant.KRB_V5);
}
EncryptionKey subKey = auth.getSubKey(); int seqNumber = auth.getSeqNumber(); setMySequenceNumber(seqNumber);
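/**
 * Full KRB_AP_REQ validation: the key/ticket/authenticator checks of
 * {@link #validate(EncryptionKey, ApReq)}, then the optional client-address
 * check, the authenticator clock-skew check and the ticket validity window.
 *
 * The ticket start/end times are always enforced against the current time.
 * Only the authenticator clock-skew check is skipped when {@code timeSkew}
 * is 0, since a zero-tolerance timestamp comparison cannot meaningfully
 * succeed; previously a zero skew disabled the expiry checks as well, which
 * let expired or not-yet-valid tickets through.
 *
 * @param encKey    service key that decrypts the ticket
 * @param apReq     the received KRB_AP_REQ
 * @param initiator address the request came from, or {@code null} to skip
 *                  the check against the ticket's client address list
 * @param timeSkew  allowable clock skew in milliseconds; 0 disables only the
 *                  authenticator timestamp check
 * @throws KrbException KRB_AP_ERR_BADADDR, KRB_AP_ERR_SKEW,
 *         KRB_AP_ERR_TKT_NYV, KRB_AP_ERR_TKT_EXPIRED, or anything the basic
 *         validation raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator,
                            long timeSkew) throws KrbException {
    validate(encKey, apReq);
    Ticket ticket = apReq.getTicket();
    EncTicketPart tktEncPart = ticket.getEncPart();
    Authenticator authenticator = apReq.getAuthenticator();

    // Only tickets that carry a client address list are bound to an address.
    if (initiator != null) {
        HostAddresses clientAddrs = tktEncPart.getClientAddresses();
        if (clientAddrs != null && !clientAddrs.contains(initiator)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
        }
    }

    if (timeSkew != 0 && !authenticator.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }

    // Ticket lifetime is checked unconditionally: an expired or not-yet-valid
    // ticket must be rejected even when no skew is configured.
    KerberosTime now = KerberosTime.now();
    KerberosTime startTime = tktEncPart.getStartTime();
    if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }
    if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}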
armorKey = FastUtil.cf2(authenticator.getSubKey(), "subkeyarmor", encKey, "ticketarmor"); } catch (KrbException e) {
/**
 * Builds the Authenticator carried in the KRB_AP_REQ: client principal and
 * realm taken from the service ticket, the current time split into whole
 * seconds (ctime) and microseconds (cusec), and the ticket session key as
 * sub-key only when {@code ApOption.USE_SESSION_KEY} was requested.
 *
 * @return the populated authenticator (not yet sealed)
 * @throws KrbException declared by the signature; nothing in this body throws it directly
 */
private Authenticator makeAuthenticator() throws KrbException {
    long nowMillis = System.currentTimeMillis();
    long fractionMillis = nowMillis % 1000;
    // ctime keeps the whole-second part; the millisecond remainder is
    // expressed in microseconds for cusec.
    long wholeSecondsMillis = nowMillis - fractionMillis;
    int cusec = ((int) fractionMillis) * 1000;

    Authenticator auth = new Authenticator();
    auth.setAuthenticatorVno(5);
    auth.setCname(clientPrincipal);
    auth.setCrealm(sgtTicket.getRealm());
    auth.setCtime(new KerberosTime(wholeSecondsMillis));
    auth.setCusec(cusec);
    // The sub-key field is only populated when the option asks for it.
    if (flags.contains(ApOption.USE_SESSION_KEY)) {
        auth.setSubKey(sgtTicket.getSessionKey());
    }
    return auth;
}
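/**
 * Validates a KRB_AP_REQ against the service key: decrypts the ticket,
 * unseals the authenticator with the session key found inside the ticket,
 * and requires the authenticator's client name and realm to match the
 * ticket's.
 *
 * @param encKey service key that decrypts the ticket's encrypted part
 * @param apReq  the received KRB_AP_REQ; its ticket and authenticator are
 *               populated in place on success
 * @throws KrbException KRB_AP_ERR_NOKEY when no key is supplied,
 *         KRB_AP_ERR_BADMATCH when the authenticator does not match the
 *         ticket (including a missing cname or crealm), or whatever
 *         unsealing raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
            encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(encPart);

    // The authenticator is sealed under the session key carried in the ticket.
    unsealAuthenticator(encPart.getKey(), apReq);
    Authenticator authenticator = apReq.getAuthenticator();

    // A missing cname/crealm in the authenticator is a mismatch with the
    // ticket, not an internal error: report BADMATCH instead of letting
    // equals() throw NullPointerException on attacker-controlled input.
    if (authenticator.getCname() == null
            || !authenticator.getCname().equals(encPart.getCname())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
    if (authenticator.getCrealm() == null
            || !authenticator.getCrealm().equals(encPart.getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}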
/**
 * Decodes and checks a KRB_AP_REP received in answer to {@code apReq}.
 *
 * Rejects a wrong protocol version or message type, runs the full KRB_AP_REQ
 * validation (whose failures are currently only logged, see the note in the
 * body), decrypts the reply with {@code key} and requires its ctime/cusec to
 * equal the authenticator's.
 *
 * @param buf                encoded KRB_AP_REP bytes
 * @param key                key used both for the AP-REQ validation and for
 *                           unsealing the AP-REP encrypted part
 * @param allowableClockSkew clock skew in seconds; multiplied by 1000 before
 *                           being passed to the AP-REQ validation
 * @param apReq              the KRB_AP_REQ that this reply answers
 * @param initiator          source address to check against the ticket, may be null
 * @return the decoded reply with its encrypted part unsealed
 * @throws KrbException KRB_AP_ERR_BADVERSION, KRB_AP_ERR_MSG_TYPE,
 *         KRB_AP_ERR_MODIFIED, or whatever decoding/unsealing raises
 */
public static ApRep readRep( byte[] buf, EncryptionKey key, long allowableClockSkew, ApReq apReq, InetAddress initiator ) throws KrbException {
    ApRep apRep = KrbCodec.decode( buf, ApRep.class );
    if ( apRep.getPvno() != KrbConstant.KRB_V5 ) {
        throw new KrbException( KrbErrorCode.KRB_AP_ERR_BADVERSION );
    }
    if ( !apRep.getMsgType().equals( KrbMessageType.AP_REP ) ) {
        throw new KrbException( KrbErrorCode.KRB_AP_ERR_MSG_TYPE );
    }
    try {
        ApRequest.validate( key, apReq, initiator, allowableClockSkew * 1000 );
    } catch (KrbException e) {
        // XXX: The checksum verification fails, but we can continue, so just log the error
        // NOTE(review): this catch is not limited to the checksum failure; every
        // KrbException from validate() (bad match, clock skew, ticket not yet
        // valid / expired, bad address) is logged at debug level and ignored,
        // so none of them aborts readRep — confirm this is acceptable or narrow
        // the catch to the checksum case.
        logger.debug("Ap Request validation error: code={}, message={}", e.getKrbErrorCode(), e.getMessage(), e );
    }
    EncAPRepPart encRepPart = EncryptionUtil.unseal( apRep.getEncryptedEncPart(), key, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class );
    apRep.setEncRepPart( encRepPart );
    // NOTE(review): the authenticator is unsealed here with `key`, whereas
    // ApRequest.validate() unseals it with the session key taken from the
    // ticket — confirm which key is intended for this second unseal.
    ApRequest.unsealAuthenticator( key, apReq );
    EncAPRepPart encAPRepPart = apRep.getEncRepPart();
    Authenticator authenticator = apReq.getAuthenticator();
    // The reply must echo the request's timestamp exactly (seconds and
    // microseconds); anything else is treated as a modified message.
    if ( !encAPRepPart.getCtime().equals( authenticator.getCtime() ) || encAPRepPart.getCusec() != authenticator.getCusec() ) {
        throw new KrbException( KrbErrorCode.KRB_AP_ERR_MODIFIED );
    }
    return apRep;
}