/**
 * Validates a received KRB_AP_REP against the KRB_AP_REQ that triggered it.
 *
 * <p>The encrypted part of the reply is unsealed with {@code encKey} under
 * {@code KeyUsage.AP_REP_ENCPART} and the result is stored back on {@code apRep}.
 * When {@code apReqSent} is supplied, the {@code ctime} and {@code cusec} carried in
 * the reply must equal the values in the authenticator of the request that was sent.
 *
 * <p>Security note: when {@code apReqSent} is {@code null} the timestamp comparison
 * is skipped, so the call only establishes that the reply unseals under
 * {@code encKey}; it does not tie the reply to any particular request.
 *
 * @param encKey key used to decrypt the encrypted part of the KRB_AP_REP message
 * @param apRep KRB_AP_REP message received; its decrypted part is set as a side effect
 * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from the
 *     server, or {@code null} to skip the timestamp comparison
 * @throws KrbException with {@code KRB_AP_ERR_MUT_FAIL} when ctime or cusec differ from
 *     the request; unsealing failures presumably surface as KrbException as well
 *     (EncryptionUtil.unseal is not shown here, confirm)
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart decrypted = EncryptionUtil.unseal(
            apRep.getEncryptedEncPart(), encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(decrypted);

    if (apReqSent == null) {
        // Nothing to compare against: the reply is accepted on decryption alone.
        return;
    }

    Authenticator sentAuth = apReqSent.getAuthenticator();
    // NOTE(review): a decoded reply whose ctime is null would raise NullPointerException
    // here instead of KrbException; confirm the decoder guarantees the field is present.
    boolean ctimeEchoed = decrypted.getCtime().equals(sentAuth.getCtime());
    if (ctimeEchoed && decrypted.getCusec() == sentAuth.getCusec()) {
        return;
    }
    throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
}
} // closes the enclosing class, whose header is not part of this excerpt
/**
 * Validates a received KRB_AP_REP against the KRB_AP_REQ that triggered it.
 *
 * <p>The encrypted part of the reply is unsealed with {@code encKey} under
 * {@code KeyUsage.AP_REP_ENCPART} and the result is stored back on {@code apRep}.
 * When {@code apReqSent} is supplied, the {@code ctime} and {@code cusec} carried in
 * the reply must equal the values in the authenticator of the request that was sent.
 *
 * <p>Security note: when {@code apReqSent} is {@code null} the timestamp comparison
 * is skipped, so the call only establishes that the reply unseals under
 * {@code encKey}; it does not tie the reply to any particular request.
 *
 * @param encKey key used to decrypt the encrypted part of the KRB_AP_REP message
 * @param apRep KRB_AP_REP message received; its decrypted part is set as a side effect
 * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from the
 *     server, or {@code null} to skip the timestamp comparison
 * @throws KrbException with {@code KRB_AP_ERR_MUT_FAIL} when ctime or cusec differ from
 *     the request; unsealing failures presumably surface as KrbException as well
 *     (EncryptionUtil.unseal is not shown here, confirm)
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart decrypted = EncryptionUtil.unseal(
            apRep.getEncryptedEncPart(), encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(decrypted);

    if (apReqSent == null) {
        // Nothing to compare against: the reply is accepted on decryption alone.
        return;
    }

    Authenticator sentAuth = apReqSent.getAuthenticator();
    // NOTE(review): a decoded reply whose ctime is null would raise NullPointerException
    // here instead of KrbException; confirm the decoder guarantees the field is present.
    boolean ctimeEchoed = decrypted.getCtime().equals(sentAuth.getCtime());
    if (ctimeEchoed && decrypted.getCusec() == sentAuth.getCusec()) {
        return;
    }
    throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
}
} // closes the enclosing class, whose header is not part of this excerpt
/**
 * Builds the KRB_AP_REP answering the AP request held in the {@code apReq} field.
 *
 * <p>The reply echoes the client's {@code ctime}, {@code cusec} and subkey from the
 * request's authenticator, uses sequence number 0, and is sealed with the
 * authenticator's subkey under {@code KeyUsage.AP_REP_ENCPART}.
 *
 * @return the reply with both its plain and its encrypted part populated
 * @throws KrbException declared by the method; presumably raised by
 *     EncryptionUtil.seal on an encryption failure (not shown here, confirm)
 */
private ApRep makeApRep() throws KrbException {
    Authenticator clientAuth = apReq.getAuthenticator();
    // The receiver has to unseal with this same key.
    // NOTE(review): what happens when the authenticator carries no subkey depends on
    // EncryptionUtil.seal, which is not shown; confirm a null key cannot reach it.
    EncryptionKey sealKey = clientAuth.getSubKey();

    EncAPRepPart replyBody = new EncAPRepPart();
    // Client-host time taken from the authenticator, echoed back unchanged.
    replyBody.setCtime(clientAuth.getCtime());
    // Microsecond part of that same client timestamp.
    replyBody.setCusec(clientAuth.getCusec());
    replyBody.setSubkey(sealKey);
    // NOTE(review): the sequence number is fixed at 0; confirm no consumer of the
    // reply relies on a per-session initial sequence number.
    replyBody.setSeqNumber(0);

    ApRep reply = new ApRep();
    reply.setEncRepPart(replyBody);
    reply.setEncryptedEncPart(
            EncryptionUtil.seal(replyBody, sealKey, KeyUsage.AP_REP_ENCPART));
    return reply;
}
/**
 * Builds the KRB_AP_REP answering the AP request held in the {@code apReq} field.
 *
 * <p>The reply echoes the client's {@code ctime}, {@code cusec} and subkey from the
 * request's authenticator, uses sequence number 0, and is sealed with the
 * authenticator's subkey under {@code KeyUsage.AP_REP_ENCPART}.
 *
 * @return the reply with both its plain and its encrypted part populated
 * @throws KrbException declared by the method; presumably raised by
 *     EncryptionUtil.seal on an encryption failure (not shown here, confirm)
 */
private ApRep makeApRep() throws KrbException {
    Authenticator clientAuth = apReq.getAuthenticator();
    // The receiver has to unseal with this same key.
    // NOTE(review): what happens when the authenticator carries no subkey depends on
    // EncryptionUtil.seal, which is not shown; confirm a null key cannot reach it.
    EncryptionKey sealKey = clientAuth.getSubKey();

    EncAPRepPart replyBody = new EncAPRepPart();
    // Client-host time taken from the authenticator, echoed back unchanged.
    replyBody.setCtime(clientAuth.getCtime());
    // Microsecond part of that same client timestamp.
    replyBody.setCusec(clientAuth.getCusec());
    replyBody.setSubkey(sealKey);
    // NOTE(review): the sequence number is fixed at 0; confirm no consumer of the
    // reply relies on a per-session initial sequence number.
    replyBody.setSeqNumber(0);

    ApRep reply = new ApRep();
    reply.setEncRepPart(replyBody);
    reply.setEncryptedEncPart(
            EncryptionUtil.seal(replyBody, sealKey, KeyUsage.AP_REP_ENCPART));
    return reply;
}
/**
 * Decodes a KRB_AP_REP from {@code buf}, unseals it with {@code key} and checks that
 * it echoes the timestamp of the given AP request.
 *
 * <p>Steps, in order: decode; reject a protocol version other than
 * {@code KrbConstant.KRB_V5} or a message type other than AP_REP; run
 * {@code ApRequest.validate} on the request (failures are logged, not propagated);
 * unseal the reply's encrypted part; unseal the request's authenticator; compare
 * {@code ctime}/{@code cusec} of reply and authenticator.
 *
 * @param buf encoded KRB_AP_REP
 * @param key key used to unseal both the reply's encrypted part and the authenticator
 * @param allowableClockSkew tolerated clock skew; multiplied by 1000 before being
 *     handed to validation (presumably seconds converted to milliseconds, confirm)
 * @param apReq the AP request this reply answers
 * @param initiator address passed through to request validation
 * @return the decoded reply with its decrypted part set
 * @throws KrbException {@code KRB_AP_ERR_BADVERSION}, {@code KRB_AP_ERR_MSG_TYPE}, or
 *     {@code KRB_AP_ERR_MODIFIED} when the echoed timestamp does not match
 */
public static ApRep readRep(byte[] buf, EncryptionKey key, long allowableClockSkew, ApReq apReq,
        InetAddress initiator) throws KrbException {
    ApRep reply = KrbCodec.decode(buf, ApRep.class);

    if (reply.getPvno() != KrbConstant.KRB_V5) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
    }

    boolean isApRep = reply.getMsgType().equals(KrbMessageType.AP_REP);
    if (!isApRep) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
    }

    try {
        ApRequest.validate(key, apReq, initiator, allowableClockSkew * 1000);
    } catch (KrbException validationFailure) {
        // XXX: The checksum verification fails, but we can continue, so just log the error.
        // NOTE(review): this catch is not limited to the checksum case. Every
        // KrbException from validation is reduced to a debug-level log line, so if the
        // call also checks client address, clock skew or ticket lifetime, those
        // rejections are suppressed too and are invisible at default log levels.
        // Confirm that is intended; narrowing the catch to the one tolerated error
        // code would keep the remaining checks enforced.
        logger.debug("Ap Request validation error: code={}, message={}",
                validationFailure.getKrbErrorCode(), validationFailure.getMessage(), validationFailure);
    }

    EncAPRepPart unsealed = EncryptionUtil.unseal(
            reply.getEncryptedEncPart(), key, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    reply.setEncRepPart(unsealed);

    ApRequest.unsealAuthenticator(key, apReq);

    // With validation failures tolerated above, this echo comparison (plus successful
    // unsealing) is the only check in this method that can still reject the reply.
    EncAPRepPart echoed = reply.getEncRepPart();
    Authenticator sent = apReq.getAuthenticator();
    boolean sameCtime = echoed.getCtime().equals(sent.getCtime());
    if (sameCtime && echoed.getCusec() == sent.getCusec()) {
        return reply;
    }
    throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED);
}
/**
 * Validates a KRB_AP_REQ: runs the two-argument {@code validate}, then applies the
 * optional client-address check and the optional time checks.
 *
 * <p>Security notes on what is skipped:
 * <ul>
 *   <li>The address check runs only when {@code initiator} is non-null and the ticket
 *       carries client addresses; otherwise any source address is accepted.</li>
 *   <li>{@code timeSkew == 0} disables every time check in this method: authenticator
 *       freshness, ticket start time and ticket expiry. An expired ticket is therefore
 *       not rejected here when the skew is configured as 0.</li>
 * </ul>
 *
 * @param encKey key handed to the two-argument {@code validate}
 * @param apReq the AP request to check
 * @param initiator address the request came from, or {@code null} to skip the address check
 * @param timeSkew tolerated clock skew (unit presumably milliseconds, confirm against
 *     callers); 0 skips all time checks
 * @throws KrbException {@code KRB_AP_ERR_BADADDR}, {@code KRB_AP_ERR_SKEW},
 *     {@code KRB_AP_ERR_TKT_NYV} or {@code KRB_AP_ERR_TKT_EXPIRED}, plus whatever the
 *     two-argument {@code validate} raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator, long timeSkew)
        throws KrbException {
    validate(encKey, apReq);

    EncTicketPart ticketBody = apReq.getTicket().getEncPart();
    Authenticator clientAuth = apReq.getAuthenticator();

    // Address binding: enforced only if the caller supplied an address and the ticket lists any.
    HostAddresses permitted = (initiator == null) ? null : ticketBody.getClientAddresses();
    if (permitted != null && !permitted.contains(initiator)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
    }

    if (timeSkew == 0) {
        // Zero skew means "no time checks at all", including ticket expiry.
        return;
    }

    // NOTE(review): no replay detection is visible in this method; confirm the
    // two-argument validate or the caller covers it.
    if (!clientAuth.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }

    KerberosTime now = KerberosTime.now();

    KerberosTime validFrom = ticketBody.getStartTime();
    boolean notYetValid = validFrom != null && !validFrom.lessThanWithSkew(now, timeSkew);
    if (notYetValid) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }

    // Unlike the start time, the end time is dereferenced without a null check.
    if (ticketBody.getEndTime().lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}
/**
 * Validates a KRB_AP_REQ: runs the two-argument {@code validate}, then applies the
 * optional client-address check and the optional time checks.
 *
 * <p>Security notes on what is skipped:
 * <ul>
 *   <li>The address check runs only when {@code initiator} is non-null and the ticket
 *       carries client addresses; otherwise any source address is accepted.</li>
 *   <li>{@code timeSkew == 0} disables every time check in this method: authenticator
 *       freshness, ticket start time and ticket expiry. An expired ticket is therefore
 *       not rejected here when the skew is configured as 0.</li>
 * </ul>
 *
 * @param encKey key handed to the two-argument {@code validate}
 * @param apReq the AP request to check
 * @param initiator address the request came from, or {@code null} to skip the address check
 * @param timeSkew tolerated clock skew (unit presumably milliseconds, confirm against
 *     callers); 0 skips all time checks
 * @throws KrbException {@code KRB_AP_ERR_BADADDR}, {@code KRB_AP_ERR_SKEW},
 *     {@code KRB_AP_ERR_TKT_NYV} or {@code KRB_AP_ERR_TKT_EXPIRED}, plus whatever the
 *     two-argument {@code validate} raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator, long timeSkew)
        throws KrbException {
    validate(encKey, apReq);

    EncTicketPart ticketBody = apReq.getTicket().getEncPart();
    Authenticator clientAuth = apReq.getAuthenticator();

    // Address binding: enforced only if the caller supplied an address and the ticket lists any.
    HostAddresses permitted = (initiator == null) ? null : ticketBody.getClientAddresses();
    if (permitted != null && !permitted.contains(initiator)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
    }

    if (timeSkew == 0) {
        // Zero skew means "no time checks at all", including ticket expiry.
        return;
    }

    // NOTE(review): no replay detection is visible in this method; confirm the
    // two-argument validate or the caller covers it.
    if (!clientAuth.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }

    KerberosTime now = KerberosTime.now();

    KerberosTime validFrom = ticketBody.getStartTime();
    boolean notYetValid = validFrom != null && !validFrom.lessThanWithSkew(now, timeSkew);
    if (notYetValid) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }

    // Unlike the start time, the end time is dereferenced without a null check.
    if (ticketBody.getEndTime().lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}
/**
 * Validates a KRB_AP_REQ: runs the two-argument {@code validate}, then applies the
 * optional client-address check and the optional time checks.
 *
 * <p>Security notes on what is skipped:
 * <ul>
 *   <li>The address check runs only when {@code initiator} is non-null and the ticket
 *       carries client addresses; otherwise any source address is accepted.</li>
 *   <li>{@code timeSkew == 0} disables every time check in this method: authenticator
 *       freshness, ticket start time and ticket expiry. An expired ticket is therefore
 *       not rejected here when the skew is configured as 0.</li>
 * </ul>
 *
 * @param encKey key handed to the two-argument {@code validate}
 * @param apReq the AP request to check
 * @param initiator address the request came from, or {@code null} to skip the address check
 * @param timeSkew tolerated clock skew (unit presumably milliseconds, confirm against
 *     callers); 0 skips all time checks
 * @throws KrbException {@code KRB_AP_ERR_BADADDR}, {@code KRB_AP_ERR_SKEW},
 *     {@code KRB_AP_ERR_TKT_NYV} or {@code KRB_AP_ERR_TKT_EXPIRED}, plus whatever the
 *     two-argument {@code validate} raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator, long timeSkew)
        throws KrbException {
    validate(encKey, apReq);

    EncTicketPart ticketBody = apReq.getTicket().getEncPart();
    Authenticator clientAuth = apReq.getAuthenticator();

    // Address binding: enforced only if the caller supplied an address and the ticket lists any.
    HostAddresses permitted = (initiator == null) ? null : ticketBody.getClientAddresses();
    if (permitted != null && !permitted.contains(initiator)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
    }

    if (timeSkew == 0) {
        // Zero skew means "no time checks at all", including ticket expiry.
        return;
    }

    // NOTE(review): no replay detection is visible in this method; confirm the
    // two-argument validate or the caller covers it.
    if (!clientAuth.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }

    KerberosTime now = KerberosTime.now();

    KerberosTime validFrom = ticketBody.getStartTime();
    boolean notYetValid = validFrom != null && !validFrom.lessThanWithSkew(now, timeSkew);
    if (notYetValid) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }

    // Unlike the start time, the end time is dereferenced without a null check.
    if (ticketBody.getEndTime().lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}
if (!authenticator.getCtime().isInClockSkew( getKdcContext().getConfig().getAllowableClockSkew() * 1000)) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
if (!authenticator.getCtime().isInClockSkew( getKdcContext().getConfig().getAllowableClockSkew() * 1000)) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);