
From plusplusjia...@apache.org
Subject directory-kerby git commit: DIRKRB-568 Using RFC 4121 tokens in KerbyContext. Contributed by Wei.
Date Fri, 13 May 2016 07:50:35 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/gssapi eed1dbcaf -> 6e34327e2


DIRKRB-568 Using RFC 4121 tokens in KerbyContext. Contributed by Wei.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/6e34327e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/6e34327e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/6e34327e

Branch: refs/heads/gssapi
Commit: 6e34327e253f5b2f924a8e191c574d8f5ba3e674
Parents: eed1dbc
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Fri May 13 15:55:59 2016 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Fri May 13 15:55:59 2016 +0800

----------------------------------------------------------------------
 .../kerby/kerberos/kerb/request/ApRequest.java  | 11 ++-
 .../kerberos/kerb/gssapi/KerbyMechFactory.java  |  9 +-
 .../kerberos/kerb/gssapi/krb5/KerbyContext.java | 96 ++++++++++++++++++--
 3 files changed, 98 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/6e34327e/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 096b0de..44f5b47 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -89,8 +89,11 @@ public class ApRequest {
         authenticator.setAuthenticatorVno(5);
         authenticator.setCname(clientPrincipal);
         authenticator.setCrealm(sgtTicket.getRealm());
-        authenticator.setCtime(KerberosTime.now());
-        authenticator.setCusec(0);
+        long millis = System.currentTimeMillis();
+        int usec = (int) (millis % 1000) * 1000;
+        millis -= millis % 1000;
+        authenticator.setCtime(new KerberosTime(millis));
+        authenticator.setCusec(usec);
         authenticator.setSubKey(sgtTicket.getSessionKey());
 
         return authenticator;
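Review bot: The new `cusec` is derived from a millisecond clock (`(int) (millis % 1000) * 1000`), so it only ever takes 1000 distinct values and two authenticators built in the same millisecond carry an identical (ctime, cusec) pair; since RFC 4120 acceptors key their replay cache on exactly that pair, a legitimate second request inside the same millisecond can be rejected as a replay. If a finer clock is not available on the target JDK, consider folding a per-process counter into the low digits of `usec` so consecutive authenticators never collide, and write the cast with explicit grouping, `int usec = ((int) (millis % 1000)) * 1000;`, so the intended precedence is obvious. Unrelated to the lines changed but visible in the same method: `authenticator.setSubKey(sgtTicket.getSessionKey())` reuses the ticket session key as the "subkey", which is presumably a placeholder — RFC 4120 intends the subkey to be a fresh key, and RFC 4121 derives the per-context wrap/MIC keys from it, so this deserves a `// TODO: generate a fresh subkey` marker at least. The enclosing method starts before this hunk.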
@@ -138,13 +141,13 @@ public class ApRequest {
         }
 
         if (timeSkew != 0) {
-            if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+            if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
                 throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
             }
 
             KerberosTime now = KerberosTime.now();
             KerberosTime startTime = tktEncPart.getStartTime();
-            if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew))
{
+            if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew))
{
                 throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
             }
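Review bot: The replacement condition `!startTime.lessThanWithSkew(now, timeSkew)` is not obviously the exact negation of the old `greaterThanWithSkew(now, timeSkew)` — they can differ when the start time falls exactly on the skew boundary, depending on how `KerberosTime` implements strictness, which is not visible here. A one-line comment stating the intended rule, e.g. `// ticket is not yet valid if its start time lies more than timeSkew in the future`, and a unit test at the boundary would pin this down. Note also that every freshness check in this block is behind `if (timeSkew != 0)`, so a caller passing `0` gets no clock-skew or start-time validation at all rather than a strict one; if that is deliberate it should be documented on `validate()`. The enclosing method starts before and ends after this hunk.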
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/6e34327e/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
index a897c29..adacb27 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -20,6 +20,7 @@
 package org.apache.kerby.kerberos.kerb.gssapi;
 
 import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
 import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
 import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
 import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
@@ -90,9 +91,7 @@ public class KerbyMechFactory implements MechanismFactory {
         if (myInitiatorCred == null) {
             myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
         }
-        return null;
-        //For convenience of making patch, return null instead of introduce in KerbyContext
-        //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred,
lifetime);
+        return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred,
lifetime);
     }
 
     public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
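Review bot: The casts `(KerbyNameElement) peer` and `(KerbyInitCred) myInitiatorCred` on the new return line are unchecked, so a caller that hands in a name or credential from another mechanism gets a `ClassCastException` instead of a `GSSException`. Prefer a guard such as `if (!(peer instanceof KerbyNameElement)) throw new GSSException(GSSException.BAD_NAMETYPE, -1, "Unsupported name type");` before the construction, and similarly `BAD_MECH`/`NO_CRED` for the credential. The enclosing method starts before this hunk.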
@@ -101,13 +100,13 @@ public class KerbyMechFactory implements MechanismFactory {
             myAcceptorCred = getCredentialElement(null, 0,
                     GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
         }
-        return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
+        return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
     }
 
     // Reconstruct from previously exported context
     public GSSContextSpi getMechanismContext(byte[] exportedContext)
             throws GSSException {
-        return null; //return new KerbyContext(caller, exportedContext);
+       return new KerbyContext(caller, exportedContext);
     }
 
     public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
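Review bot: `getMechanismContext(byte[] exportedContext)` now reconstructs a security context — including whatever key material the context carries — from a caller-supplied byte array, while this same commit leaves `KerbyContext.export()` throwing `UNAVAILABLE`, so nothing in the tree produces the format this constructor consumes. Whether the `KerbyContext(caller, byte[])` constructor validates or rejects its input is not visible here; until export is implemented it would be safer for this method to throw `new GSSException(GSSException.UNAVAILABLE, -1, "Import of exported contexts is not supported")` rather than hand arbitrary bytes to the constructor. The `return` line is also indented with seven spaces instead of eight. The same unchecked cast pattern as the initiator path applies to `(KerbyAcceptCred) myAcceptorCred`.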

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/6e34327e/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index b450cc9..1496cac 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -424,7 +424,8 @@ public class KerbyContext implements GSSContextSpi {
         }
 
         try {
-            ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5
* 60 * 1000);
+            ApRequest.validate(serverKey, apReq,
+                    channelBinding == null ? null : channelBinding.getInitiatorAddress(),
5 * 60 * 1000);
         } catch (KrbException e) {
             throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed:
" + e.getMessage());
         }
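Review bot: The new call still passes the hard-coded skew `5 * 60 * 1000` as a bare expression; hoist it to a named constant, `private static final long MAX_CLOCK_SKEW_MS = 5 * 60 * 1000;`, so the policy is visible and adjustable in one place. The `channelBinding == null ? null : ...` guard means a context established without bindings skips the initiator-address check entirely — that matches GSS-API semantics, but a short comment, `// no channel bindings supplied: address check is skipped`, would make the intent explicit for a reader who expects the address to be mandatory. In the surrounding catch (unchanged) the `KrbException` is flattened into a message string; consider `ge.initCause(e)` on the `GSSException` so the original error code is not lost. The enclosing method starts before and ends after this hunk.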
@@ -476,7 +477,20 @@ public class KerbyContext implements GSSContextSpi {
         if (ctxState != STATE_ESTABLISHED) {
             throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
         }
-        throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method");  // TODO:
to be implemented
+
+        int len;
+        byte[] inBuf;
+        try {
+            len = is.available();
+            inBuf = new byte[len];
+            is.read(inBuf);
+        } catch (IOException e) {
+            throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:"
+ e.getMessage());
+        }
+        if (gssEncryptor.isV2()) {
+            WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+            token.wrap(os);
+        }
     }
 
     public byte[] wrap(byte[] inBuf, int offset, int len,
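Review bot: The stream variant of `wrap()` trusts `is.available()` as the message length and ignores the return value of `is.read(inBuf)`, so a stream that reports 0 available bytes or delivers a short read causes a truncated (or empty) message to be wrapped and written to `os` with no error. It also silently writes nothing when `gssEncryptor.isV2()` is false, which leaves the caller believing the data was protected and sent; that branch should throw `UNAVAILABLE` instead. A sketch of the body follows (it needs `java.io.ByteArrayOutputStream` in scope); `WrapTokenV2`'s own handling of the buffer is not visible here.

```java
    public void wrap(InputStream is, OutputStream os,
                     MessageProp msgProp) throws GSSException {
        // … unchanged: STATE_ESTABLISHED check …
        if (!gssEncryptor.isV2()) {
            throw new GSSException(GSSException.UNAVAILABLE, -1, "Only RFC 4121 tokens are supported");
        }
        byte[] inBuf;
        try {
            ByteArrayOutputStream collected = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = is.read(chunk)) != -1) {
                collected.write(chunk, 0, n);
            }
            inBuf = collected.toByteArray();
        } catch (IOException e) {
            // … unchanged: rethrow as GSSException.FAILURE …
        }
        WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, inBuf.length, msgProp);
        token.wrap(os);
    }
```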
@@ -484,12 +498,24 @@ public class KerbyContext implements GSSContextSpi {
         if (ctxState != STATE_ESTABLISHED) {
             throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
         }
-        return null; // TODO: to be implemented
+        byte[] ret = null;
+        if (gssEncryptor.isV2()) {
+            WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+            ret = token.wrap();
+        }
+        return ret;
     }
 
     public void unwrap(InputStream is, OutputStream os,
                        MessageProp msgProp) throws GSSException {
-        throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method");  // TODO:
to be implemented
+        if (ctxState != STATE_ESTABLISHED) {
+            throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+        }
+
+        if (gssEncryptor.isV2()) {
+            WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
+            token.unwrap(os);
+        }
     }
 
     public byte[] unwrap(byte[] inBuf, int offset, int len,
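Review bot: `wrap(byte[] …)` returns `null` and `unwrap(InputStream …)` writes nothing when `gssEncryptor.isV2()` is false, so an established context with a non-V2 encryptor fails silently rather than reporting that per-message protection is unsupported. Both branches should end in `throw new GSSException(GSSException.UNAVAILABLE, -1, "Only RFC 4121 tokens are supported");` instead of falling through. Whether a non-V2 encryptor can actually reach `STATE_ESTABLISHED` is not visible in this hunk, but the contract of returning `null` from `wrap` is still a trap for callers. Neither `offset` nor `len` is range-checked against `inBuf` here; if `WrapTokenV2` does not do it, an `Objects.checkFromIndexSize(offset, len, inBuf.length)` guard belongs at the top.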
@@ -497,30 +523,82 @@ public class KerbyContext implements GSSContextSpi {
         if (ctxState != STATE_ESTABLISHED) {
             throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
         }
-        return null; // TODO: to be implemented
+
+        byte[] ret = null;
+        if (gssEncryptor.isV2()) {
+            WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+            ret = token.unwrap();
+        }
+        return ret;
     }
 
     public void getMIC(InputStream is, OutputStream os,
-                       MessageProp msgProp)
-            throws GSSException {
+                       MessageProp msgProp) throws GSSException {
+        if (ctxState != STATE_ESTABLISHED) {
+            throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+        }
+
+        try {
+            int len = is.available();
+            byte[] inMsg = new byte[len];
+            is.read(inMsg);
+            if (gssEncryptor.isV2()) {
+                MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
+                token.getMic(os);
+            }
+        } catch (IOException e) {
+            throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in
getMIC:" + e.getMessage());
+        }
     }
 
     public byte[] getMIC(byte[] inMsg, int offset, int len,
                          MessageProp msgProp) throws GSSException {
-        return null; // TODO: to be implemented
+        if (ctxState != STATE_ESTABLISHED) {
+            throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+        }
+
+        byte[] ret = null;
+        if (gssEncryptor.isV2()) {
+            MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
+            ret = token.getMic();
+        }
+        return ret;
     }
 
     public void verifyMIC(InputStream is, InputStream msgStr,
                           MessageProp msgProp) throws GSSException {
+        if (ctxState != STATE_ESTABLISHED) {
+            throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+        }
+
+        try {
+            int tokLen = is.available();
+            byte[] inTok = new byte[tokLen];
+            int msgLen = msgStr.available();
+            byte[] inMsg = new byte[msgLen];
+
+           verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
+        } catch (IOException e) {
+            throw new GSSException(GSSException.FAILURE, -1,
+                    "Error when get user data in verifyMIC:" + e.getMessage());
+        }
     }
 
     public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
                           byte[] inMsg, int msgOffset, int msgLen,
                           MessageProp msgProp) throws GSSException {
+        if (ctxState != STATE_ESTABLISHED) {
+            throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+        }
+
+        if (gssEncryptor.isV2()) {
+            MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
+            token.verify(inMsg, msgOffset, msgLen);
+        }
     }
 
     public byte[] export() throws GSSException {
-        throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+        throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
     }
 
     public void dispose() throws GSSException {
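Review bot: `verifyMIC(InputStream is, InputStream msgStr, …)` allocates `inTok` and `inMsg` but never reads from either stream, so the MIC is always checked against zero-filled buffers — every verification of a streamed MIC will fail, or, worse, a MIC computed over zeros would pass. At minimum add `is.read(inTok);` and `msgStr.read(inMsg);` after the allocations (and check the returned counts, since `available()` is only an estimate). More seriously, both `verifyMIC` overloads return normally without checking anything when `gssEncryptor.isV2()` is false, which turns an unsupported configuration into a silent authentication bypass; that branch must throw, e.g. `throw new GSSException(GSSException.UNAVAILABLE, -1, "Only RFC 4121 MIC tokens are supported");`, and the same applies to the `getMIC` overloads returning `null`. The `is.read(inMsg)` in the stream `getMIC` likewise ignores a short read.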

