/**
 * Builds the KRB_AP_REQ that embeds {@code ticket}.
 *
 * <p>A fresh authenticator is sealed with the ticket's session key under key
 * usage TGS_REQ_AUTH, so this request is the one carried inside a TGS exchange
 * (the plain AP-REQ path uses AP_REQ_AUTH). Both the clear and the sealed
 * authenticator are stored on the returned message; AP options are left at
 * their defaults.
 *
 * @return the populated KRB_AP_REQ
 * @throws KrbException if building the authenticator or sealing it fails
 */
private ApReq makeApReq() throws KrbException {
    Authenticator authn = makeAuthenticator();
    // The session key from the stored ticket protects the authenticator.
    EncryptedData sealedAuthn =
            EncryptionUtil.seal(authn, ticket.getSessionKey(), KeyUsage.TGS_REQ_AUTH);
    ApReq request = new ApReq();
    request.setApOptions(new ApOptions());
    request.setTicket(ticket.getTicket());
    request.setAuthenticator(authn);
    request.setEncryptedAuthenticator(sealedAuthn);
    return request;
}
/**
 * JMH benchmark: decodes the pre-built AP-REQ token with Kerby's codec and
 * reads the decoded server principal so the decode cannot be elided.
 *
 * @throws Exception if decoding fails, or if no server name is recovered
 */
@Benchmark
@Fork(1)
@Warmup(iterations = 5)
public void decodeWithKerby() throws Exception {
    ApReq decoded = new ApReq();
    // duplicate() gives this invocation its own read position; the shared token is
    // never consumed (assumes apreqToken is a java.nio.ByteBuffer — TODO confirm).
    decoded.decode(apreqToken.duplicate());
    String sname = decoded.getTicket().getSname().toString();
    if (sname == null) {
        throw new RuntimeException("Decoding test failed");
    }
}
}
/**
 * Decrypts the authenticator carried in a KRB_AP_REQ and stores the result on
 * the message.
 *
 * <p>Decryption uses key usage AP_REQ_AUTH; {@code encKey} is expected to be the
 * session key taken from the ticket's decrypted part (see {@code validate}).
 * No content of the authenticator is checked here.
 *
 * @param encKey the key that decrypts the authenticator
 * @param apReq the request whose authenticator is unsealed in place
 * @throws KrbException if decryption or decoding of the authenticator fails
 */
public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException {
    apReq.setAuthenticator(EncryptionUtil.unseal(
            apReq.getEncryptedAuthenticator(), encKey, KeyUsage.AP_REQ_AUTH, Authenticator.class));
}
}
/**
 * Validates a received KRB_AP_REQ against the key that decrypts its ticket.
 *
 * <p>Steps: decrypt the ticket's encrypted part with {@code encKey}, decrypt the
 * authenticator with the session key found inside the ticket, then require the
 * client name and realm in the authenticator to equal those in the ticket.
 * Nothing else is enforced by this method — no ticket lifetime, clock-skew or
 * replay check — so callers that need those must perform them separately.
 *
 * @param encKey key that decrypts the ticket's encrypted part (typically the
 *               service's key); must not be null
 * @param apReq the request to validate; its ticket and authenticator are
 *              populated with the decrypted parts as a side effect
 * @throws KrbException KRB_AP_ERR_NOKEY when {@code encKey} is null,
 *         KRB_AP_ERR_BADMATCH when client name or realm differ between
 *         authenticator and ticket, or the failure raised by decryption
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart ticketPart = EncryptionUtil.unseal(
            ticket.getEncryptedEncPart(), encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(ticketPart);
    // The session key inside the ticket is what protects the authenticator.
    unsealAuthenticator(ticketPart.getKey(), apReq);
    Authenticator authn = apReq.getAuthenticator();
    // Short-circuit keeps the original order: name is compared before realm.
    if (!authn.getCname().equals(ticket.getEncPart().getCname())
            || !authn.getCrealm().equals(ticket.getEncPart().getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}
apReq = new ApReq(); apReq.decode(token); } catch (IOException e) { throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage()); int kvno = apReq.getTicket().getEncryptedEncPart().getKvno(); int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue(); EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart(); Authenticator auth = apReq.getAuthenticator(); EncryptionKey subKey = auth.getSubKey();
ApReq apReq = KrbCodec.decode(paDataEntry.getPaDataValue(), ApReq.class); if (apReq.getPvno() != KrbConstant.KRB_V5) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION); if (apReq.getMsgType() != KrbMessageType.AP_REQ) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE); tgtTicket = apReq.getTicket(); EncryptionKey tgsKey; EncryptionType encType = tgtTicket.getEncryptedEncPart().getEType(); Authenticator authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(), encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class); apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
Ticket ticket = apReq.getTicket(); EncryptionType encType = ticket.getEncryptedEncPart().getEType(); EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType); authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(), encKey, KeyUsage.AP_REQ_AUTH, Authenticator.class); } catch (KrbException e) {
/**
 * Validates a KRB_AP_REP message, the server's reply in mutual authentication.
 *
 * <p>The reply's encrypted part is decrypted with {@code encKey} under key usage
 * AP_REP_ENCPART and stored on {@code apRep}. When the originating KRB_AP_REQ is
 * supplied, the reply's ctime and cusec must exactly echo the timestamp of the
 * authenticator that was sent; a mismatch is reported as KRB_AP_ERR_MUT_FAIL.
 * With a null {@code apReqSent} only the decryption is performed and the
 * timestamp binding is not checked.
 *
 * @param encKey key used to decrypt the encrypted part of the KRB_AP_REP
 * @param apRep KRB_AP_REP message received; its decrypted part is set as a side effect
 * @param apReqSent the KRB_AP_REQ that caused this reply, or null to skip the
 *                  timestamp check
 * @throws KrbException if decryption fails, or KRB_AP_ERR_MUT_FAIL when the
 *         echoed timestamp does not match the sent authenticator
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart repPart = EncryptionUtil.unseal(
            apRep.getEncryptedEncPart(), encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(repPart);
    if (apReqSent == null) {
        return;
    }
    Authenticator sentAuth = apReqSent.getAuthenticator();
    // Both halves of the client timestamp must be echoed back unchanged.
    if (!repPart.getCtime().equals(sentAuth.getCtime())
            || repPart.getCusec() != sentAuth.getCusec()) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
    }
}
}
ApReq apReq = apRequest.getApReq(); assertThat(apReq.getPvno()).isEqualTo(5); assertThat(apReq.getMsgType()).isEqualTo(KrbMessageType.AP_REQ); assertThat(apReq.getAuthenticator().getCname()).isEqualTo(tgt.getClientPrincipal()); assertThat(apReq.getAuthenticator().getCrealm()).isEqualTo(tgt.getRealm());
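/**
 * Decodes one Kerberos message from {@code buffer}, choosing the concrete
 * message class from the ASN.1 application tag of the outer encoding.
 *
 * <p>The buffer is untrusted wire data: only the tag is inspected before
 * dispatch, and the selected message class must reject a malformed body in its
 * own {@code decode}. An AP_REP tag previously instantiated {@code ApReq};
 * it now yields {@code ApRep}, so the returned object's runtime type always
 * matches the tag.
 *
 * @param buffer the encoded message
 * @return the decoded message, of the class matching the tag
 * @throws IOException if the tag does not denote a supported message type,
 *         or the body fails to decode
 */
public static KrbMessage decodeMessage(ByteBuffer buffer) throws IOException {
    Asn1ParseResult parsingResult = Asn1.parse(buffer);
    Tag tag = parsingResult.tag();
    KrbMessage msg;
    KrbMessageType msgType = KrbMessageType.fromValue(tag.tagNo());
    if (msgType == KrbMessageType.AS_REQ) {
        msg = new AsReq();
    } else if (msgType == KrbMessageType.AS_REP) {
        msg = new AsRep();
    } else if (msgType == KrbMessageType.TGS_REQ) {
        msg = new TgsReq();
    } else if (msgType == KrbMessageType.TGS_REP) {
        msg = new TgsRep();
    } else if (msgType == KrbMessageType.AP_REQ) {
        msg = new ApReq();
    } else if (msgType == KrbMessageType.AP_REP) {
        // Fixed: AP_REP must decode into ApRep, not ApReq.
        msg = new ApRep();
    } else if (msgType == KrbMessageType.KRB_ERROR) {
        msg = new KrbError();
    } else {
        // Unknown or unsupported tag (including a null msgType): refuse rather than guess.
        throw new IOException("To be supported krb message type with tag: " + tag);
    }
    msg.decode(parsingResult);
    return msg;
}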
/**
 * Validates a received KRB_AP_REQ against the key that decrypts its ticket.
 *
 * <p>Steps: decrypt the ticket's encrypted part with {@code encKey}, decrypt the
 * authenticator with the session key found inside the ticket, then require the
 * client name and realm in the authenticator to equal those in the ticket.
 * Nothing else is enforced by this method — no ticket lifetime, clock-skew or
 * replay check — so callers that need those must perform them separately.
 *
 * @param encKey key that decrypts the ticket's encrypted part (typically the
 *               service's key); must not be null
 * @param apReq the request to validate; its ticket and authenticator are
 *              populated with the decrypted parts as a side effect
 * @throws KrbException KRB_AP_ERR_NOKEY when {@code encKey} is null,
 *         KRB_AP_ERR_BADMATCH when client name or realm differ between
 *         authenticator and ticket, or the failure raised by decryption
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart ticketPart = EncryptionUtil.unseal(
            ticket.getEncryptedEncPart(), encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(ticketPart);
    // The session key inside the ticket is what protects the authenticator.
    unsealAuthenticator(ticketPart.getKey(), apReq);
    Authenticator authn = apReq.getAuthenticator();
    // Short-circuit keeps the original order: name is compared before realm.
    if (!authn.getCname().equals(ticket.getEncPart().getCname())
            || !authn.getCrealm().equals(ticket.getEncPart().getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}
ApReq apReq = KrbCodec.decode(paDataEntry.getPaDataValue(), ApReq.class); if (apReq.getPvno() != KrbConstant.KRB_V5) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION); if (apReq.getMsgType() != KrbMessageType.AP_REQ) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE); tgtTicket = apReq.getTicket(); EncryptionKey tgsKey; EncryptionType encType = tgtTicket.getEncryptedEncPart().getEType(); Authenticator authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(), encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class); apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
Ticket ticket = apReq.getTicket(); EncryptionType encType = ticket.getEncryptedEncPart().getEType(); EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType); authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(), encKey, KeyUsage.AP_REQ_AUTH, Authenticator.class); } catch (KrbException e) {
/**
 * Validates a KRB_AP_REP message, the server's reply in mutual authentication.
 *
 * <p>The reply's encrypted part is decrypted with {@code encKey} under key usage
 * AP_REP_ENCPART and stored on {@code apRep}. When the originating KRB_AP_REQ is
 * supplied, the reply's ctime and cusec must exactly echo the timestamp of the
 * authenticator that was sent; a mismatch is reported as KRB_AP_ERR_MUT_FAIL.
 * With a null {@code apReqSent} only the decryption is performed and the
 * timestamp binding is not checked.
 *
 * @param encKey key used to decrypt the encrypted part of the KRB_AP_REP
 * @param apRep KRB_AP_REP message received; its decrypted part is set as a side effect
 * @param apReqSent the KRB_AP_REQ that caused this reply, or null to skip the
 *                  timestamp check
 * @throws KrbException if decryption fails, or KRB_AP_ERR_MUT_FAIL when the
 *         echoed timestamp does not match the sent authenticator
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart repPart = EncryptionUtil.unseal(
            apRep.getEncryptedEncPart(), encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(repPart);
    if (apReqSent == null) {
        return;
    }
    Authenticator sentAuth = apReqSent.getAuthenticator();
    // Both halves of the client timestamp must be echoed back unchanged.
    if (!repPart.getCtime().equals(sentAuth.getCtime())
            || repPart.getCusec() != sentAuth.getCusec()) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
    }
}
}
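/**
 * Decodes one Kerberos message from {@code buffer}, choosing the concrete
 * message class from the ASN.1 application tag of the outer encoding.
 *
 * <p>The buffer is untrusted wire data: only the tag is inspected before
 * dispatch, and the selected message class must reject a malformed body in its
 * own {@code decode}. An AP_REP tag previously instantiated {@code ApReq};
 * it now yields {@code ApRep}, so the returned object's runtime type always
 * matches the tag.
 *
 * @param buffer the encoded message
 * @return the decoded message, of the class matching the tag
 * @throws IOException if the tag does not denote a supported message type,
 *         or the body fails to decode
 */
public static KrbMessage decodeMessage(ByteBuffer buffer) throws IOException {
    Asn1ParseResult parsingResult = Asn1.parse(buffer);
    Tag tag = parsingResult.tag();
    KrbMessage msg;
    KrbMessageType msgType = KrbMessageType.fromValue(tag.tagNo());
    if (msgType == KrbMessageType.AS_REQ) {
        msg = new AsReq();
    } else if (msgType == KrbMessageType.AS_REP) {
        msg = new AsRep();
    } else if (msgType == KrbMessageType.TGS_REQ) {
        msg = new TgsReq();
    } else if (msgType == KrbMessageType.TGS_REP) {
        msg = new TgsRep();
    } else if (msgType == KrbMessageType.AP_REQ) {
        msg = new ApReq();
    } else if (msgType == KrbMessageType.AP_REP) {
        // Fixed: AP_REP must decode into ApRep, not ApReq.
        msg = new ApRep();
    } else if (msgType == KrbMessageType.KRB_ERROR) {
        msg = new KrbError();
    } else {
        // Unknown or unsupported tag (including a null msgType): refuse rather than guess.
        throw new IOException("To be supported krb message type with tag: " + tag);
    }
    msg.decode(parsingResult);
    return msg;
}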
/**
 * Builds the KRB_AP_REQ that embeds {@code ticket}.
 *
 * <p>A fresh authenticator is sealed with the ticket's session key under key
 * usage TGS_REQ_AUTH, so this request is the one carried inside a TGS exchange
 * (the plain AP-REQ path uses AP_REQ_AUTH). Both the clear and the sealed
 * authenticator are stored on the returned message; AP options are left at
 * their defaults.
 *
 * @return the populated KRB_AP_REQ
 * @throws KrbException if building the authenticator or sealing it fails
 */
private ApReq makeApReq() throws KrbException {
    Authenticator authn = makeAuthenticator();
    // The session key from the stored ticket protects the authenticator.
    EncryptedData sealedAuthn =
            EncryptionUtil.seal(authn, ticket.getSessionKey(), KeyUsage.TGS_REQ_AUTH);
    ApReq request = new ApReq();
    request.setApOptions(new ApOptions());
    request.setTicket(ticket.getTicket());
    request.setAuthenticator(authn);
    request.setEncryptedAuthenticator(sealedAuthn);
    return request;
}
/**
 * Validates a received KRB_AP_REQ against the key that decrypts its ticket.
 *
 * <p>Steps: decrypt the ticket's encrypted part with {@code encKey}, decrypt the
 * authenticator with the session key found inside the ticket, then require the
 * client name and realm in the authenticator to equal those in the ticket.
 * Nothing else is enforced by this method — no ticket lifetime, clock-skew or
 * replay check — so callers that need those must perform them separately.
 *
 * @param encKey key that decrypts the ticket's encrypted part (typically the
 *               service's key); must not be null
 * @param apReq the request to validate; its ticket and authenticator are
 *              populated with the decrypted parts as a side effect
 * @throws KrbException KRB_AP_ERR_NOKEY when {@code encKey} is null,
 *         KRB_AP_ERR_BADMATCH when client name or realm differ between
 *         authenticator and ticket, or the failure raised by decryption
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart ticketPart = EncryptionUtil.unseal(
            ticket.getEncryptedEncPart(), encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(ticketPart);
    // The session key inside the ticket is what protects the authenticator.
    unsealAuthenticator(ticketPart.getKey(), apReq);
    Authenticator authn = apReq.getAuthenticator();
    // Short-circuit keeps the original order: name is compared before realm.
    if (!authn.getCname().equals(ticket.getEncPart().getCname())
            || !authn.getCrealm().equals(ticket.getEncPart().getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}
/**
 * Decrypts the authenticator carried in a KRB_AP_REQ and stores the result on
 * the message.
 *
 * <p>Decryption uses key usage AP_REQ_AUTH; {@code encKey} is expected to be the
 * session key taken from the ticket's decrypted part (see {@code validate}).
 * No content of the authenticator is checked here.
 *
 * @param encKey the key that decrypts the authenticator
 * @param apReq the request whose authenticator is unsealed in place
 * @throws KrbException if decryption or decoding of the authenticator fails
 */
public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException {
    apReq.setAuthenticator(EncryptionUtil.unseal(
            apReq.getEncryptedAuthenticator(), encKey, KeyUsage.AP_REQ_AUTH, Authenticator.class));
}
}
/**
 * Builds the KRB_AP_REP answering the stored {@code apReq}.
 *
 * <p>The reply echoes the authenticator's ctime and cusec so the client can bind
 * it to its own request, carries the authenticator's sub-key, and is sealed with
 * that same sub-key under key usage AP_REP_ENCPART. The sequence number is fixed
 * at 0 here.
 *
 * @return the populated KRB_AP_REP
 * @throws KrbException if sealing the reply part fails
 */
private ApRep makeApRep() throws KrbException {
    Authenticator requestAuth = apReq.getAuthenticator();
    EncAPRepPart repPart = new EncAPRepPart();
    // Echo the client's timestamp: seconds (ctime) and its microsecond part (cusec).
    repPart.setCtime(requestAuth.getCtime());
    repPart.setCusec(requestAuth.getCusec());
    repPart.setSubkey(requestAuth.getSubKey());
    repPart.setSeqNumber(0);
    ApRep reply = new ApRep();
    reply.setEncRepPart(repPart);
    reply.setEncryptedEncPart(
            EncryptionUtil.seal(repPart, requestAuth.getSubKey(), KeyUsage.AP_REP_ENCPART));
    return reply;
}
/**
 * Builds a KRB_AP_REQ for the service ticket held in {@code credential}.
 *
 * <p>The authenticator (which carries {@code subKey}) is sealed with the
 * credential's key under key usage AP_REQ_AUTH; both the clear and sealed forms
 * are stored on the message. AP options are left at their defaults.
 *
 * @param subKey sub-session key to place in the authenticator
 * @param credential the ticket and key this request authenticates with
 * @return the populated KRB_AP_REQ
 * @throws KrbException if building or sealing the authenticator fails
 */
private ApReq makeApReq(EncryptionKey subKey, Credential credential) throws KrbException {
    ApReq request = new ApReq();
    request.setApOptions(new ApOptions());
    request.setTicket(credential.getTicket());
    Authenticator authn = makeAuthenticator(credential, subKey);
    request.setAuthenticator(authn);
    // The credential's key (not the sub-key) protects the authenticator on the wire.
    request.setEncryptedAuthenticator(
            EncryptionUtil.seal(authn, credential.getKey(), KeyUsage.AP_REQ_AUTH));
    return request;
}