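/**
 * Validates a KRB_AP_REP received from the application server (RFC 4120 section 3.2.5).
 *
 * <p>The encrypted part is unsealed with {@code encKey} under key usage
 * {@link KeyUsage#AP_REP_ENCPART}; a wrong key or tampered ciphertext surfaces as the
 * {@link KrbException} raised by {@link EncryptionUtil#unseal}. When the originating
 * KRB_AP_REQ is supplied, the mutual-authentication binding is enforced: the reply's
 * {@code ctime}/{@code cusec} must equal those of the authenticator the client sent,
 * otherwise {@code KRB_AP_ERR_MUT_FAIL} is thrown.
 *
 * <p>Security note: passing {@code null} for {@code apReqSent} skips the ctime/cusec
 * binding, so only the decryption check remains. Callers that need mutual
 * authentication must pass the request they actually sent.
 *
 * @param encKey    key used to decrypt the encrypted part of the KRB_AP_REP message
 * @param apRep     KRB_AP_REP message received; its decrypted part is stored on it via
 *                  {@code setEncRepPart} as a side effect
 * @param apReqSent the KRB_AP_REQ that caused this reply, or {@code null} to skip the
 *                  mutual-authentication binding
 * @throws KrbException with {@code KRB_AP_ERR_MUT_FAIL} when the binding fails (including
 *                      a missing authenticator or ctime), or the error raised while
 *                      unsealing the encrypted part
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent)
        throws KrbException {
    EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(), encKey,
            KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(encPart);

    if (apReqSent == null) {
        // No request to bind against: decryption was the only check performed.
        return;
    }

    Authenticator auth = apReqSent.getAuthenticator();
    // Fail closed with a Kerberos error rather than an NPE when either side of the
    // binding is absent: a missing ctime cannot match anything.
    // NOTE(review): assumes getCusec() returns a primitive int; if it is boxed, "!=" would
    // compare references -- confirm against the field accessors.
    if (auth == null
            || encPart.getCtime() == null
            || !encPart.getCtime().equals(auth.getCtime())
            || encPart.getCusec() != auth.getCusec()) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
    }
}
}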
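/**
 * Validates a KRB_AP_REP received from the application server (RFC 4120 section 3.2.5).
 *
 * <p>The encrypted part is unsealed with {@code encKey} under key usage
 * {@link KeyUsage#AP_REP_ENCPART}; a wrong key or tampered ciphertext surfaces as the
 * {@link KrbException} raised by {@link EncryptionUtil#unseal}. When the originating
 * KRB_AP_REQ is supplied, the mutual-authentication binding is enforced: the reply's
 * {@code ctime}/{@code cusec} must equal those of the authenticator the client sent,
 * otherwise {@code KRB_AP_ERR_MUT_FAIL} is thrown.
 *
 * <p>Security note: passing {@code null} for {@code apReqSent} skips the ctime/cusec
 * binding, so only the decryption check remains. Callers that need mutual
 * authentication must pass the request they actually sent.
 *
 * @param encKey    key used to decrypt the encrypted part of the KRB_AP_REP message
 * @param apRep     KRB_AP_REP message received; its decrypted part is stored on it via
 *                  {@code setEncRepPart} as a side effect
 * @param apReqSent the KRB_AP_REQ that caused this reply, or {@code null} to skip the
 *                  mutual-authentication binding
 * @throws KrbException with {@code KRB_AP_ERR_MUT_FAIL} when the binding fails (including
 *                      a missing authenticator or ctime), or the error raised while
 *                      unsealing the encrypted part
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent)
        throws KrbException {
    EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(), encKey,
            KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(encPart);

    if (apReqSent == null) {
        // No request to bind against: decryption was the only check performed.
        return;
    }

    Authenticator auth = apReqSent.getAuthenticator();
    // Fail closed with a Kerberos error rather than an NPE when either side of the
    // binding is absent: a missing ctime cannot match anything.
    // NOTE(review): assumes getCusec() returns a primitive int; if it is boxed, "!=" would
    // compare references -- confirm against the field accessors.
    if (auth == null
            || encPart.getCtime() == null
            || !encPart.getCtime().equals(auth.getCtime())
            || encPart.getCusec() != auth.getCusec()) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
    }
}
}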
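/**
 * Decodes and validates a KRB_AP_REP received in answer to {@code apReq}, performing the
 * client side of mutual authentication (RFC 4120 section 3.2.5).
 *
 * <p>Checks, in order: protocol version is {@code KRB_V5}; message type is {@code AP_REP};
 * the encrypted part unseals under {@code key} with key usage
 * {@link KeyUsage#AP_REP_ENCPART} (a wrong key or tampered ciphertext fails here); and the
 * reply's {@code ctime}/{@code cusec} equal those in the authenticator of the KRB_AP_REQ
 * the client sent, which is what binds this reply to that request.
 *
 * <p>The local re-validation of {@code apReq} through {@link ApRequest#validate} is
 * best-effort: a failure is logged at debug level and does not reject the reply. The
 * ctime/cusec binding is therefore the only request/reply check that is enforced.
 *
 * @param buf                encoded KRB_AP_REP bytes as received
 * @param key                key used to unseal the encrypted part
 * @param allowableClockSkew permitted clock skew in seconds; multiplied by 1000 before
 *                           being handed to {@link ApRequest#validate}
 * @param apReq              the KRB_AP_REQ that produced this reply; must not be null
 * @param initiator          passed through to {@link ApRequest#validate} (presumably the
 *                           client address checked against the authenticator -- confirm)
 * @return the decoded message with its decrypted part set via {@code setEncRepPart}
 * @throws KrbException {@code KRB_AP_ERR_BADVERSION}, {@code KRB_AP_ERR_MSG_TYPE},
 *                      {@code KRB_AP_ERR_MODIFIED} when the ctime/cusec binding fails,
 *                      or the decoding/decryption error raised by {@link KrbCodec} or
 *                      {@link EncryptionUtil}
 */
public static ApRep readRep(byte[] buf, EncryptionKey key, long allowableClockSkew,
        ApReq apReq, InetAddress initiator) throws KrbException {
    if (apReq == null) {
        // Mutual authentication needs the request we sent; fail early with a clear
        // message instead of an NPE deep inside the binding check below.
        throw new NullPointerException("apReq must not be null");
    }

    ApRep apRep = KrbCodec.decode(buf, ApRep.class);

    if (apRep.getPvno() != KrbConstant.KRB_V5) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
    }
    if (!apRep.getMsgType().equals(KrbMessageType.AP_REP)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
    }

    try {
        // Skew is given in seconds; validate() expects milliseconds.
        ApRequest.validate(key, apReq, initiator, allowableClockSkew * 1000);
    } catch (KrbException e) {
        // XXX: best-effort only -- a checksum failure on our own request is logged,
        // not treated as fatal. The reply is still bound to the request below.
        logger.debug("Ap Request validation error: code={}, message={}",
                e.getKrbErrorCode(), e.getMessage(), e);
    }

    EncAPRepPart encRepPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(), key,
            KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(encRepPart);

    // The authenticator must be decrypted before its ctime/cusec can be read.
    ApRequest.unsealAuthenticator(key, apReq);
    Authenticator authenticator = apReq.getAuthenticator();

    // RFC 4120: the reply's ctime/cusec must equal the authenticator's. Fail closed on a
    // missing authenticator or ctime rather than NPE.
    // NOTE(review): RFC 4120 names KRB_AP_ERR_MUT_FAIL for this mismatch (and the sibling
    // ApResponse-style validate() in this codebase throws it); MODIFIED is kept here for
    // compatibility with existing callers. Assumes getCusec() is a primitive int.
    if (authenticator == null
            || encRepPart.getCtime() == null
            || !encRepPart.getCtime().equals(authenticator.getCtime())
            || encRepPart.getCusec() != authenticator.getCusec()) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED);
    }

    return apRep;
}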