/**
 * Validation for KRB_AP_REP message
 * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
 * @param apRep KRB_AP_REP message received
 * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
 * @throws KrbException if the encrypted part cannot be unsealed with {@code encKey}, or, when
 *         {@code apReqSent} is given, if the reply does not echo the ctime/cusec of the
 *         authenticator that was sent ({@code KRB_AP_ERR_MUT_FAIL})
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    // Decrypt the enc-part and attach the plaintext to the message; a wrong key or a
    // tampered ciphertext surfaces here as the KrbException raised by unseal.
    EncAPRepPart repPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(), encKey,
            KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    apRep.setEncRepPart(repPart);

    if (apReqSent == null) {
        // Without the originating request the unseal itself is the only check performed.
        return;
    }

    // Mutual authentication: the server proves possession of the key by echoing the
    // client's own timestamp (ctime + cusec) from the authenticator it received.
    Authenticator sentAuth = apReqSent.getAuthenticator();
    boolean ctimeMatches = repPart.getCtime().equals(sentAuth.getCtime());
    // NOTE(review): assumes getCusec() returns a primitive int; were it a boxed Integer,
    // '==' would compare references — confirm against the getter's declared type.
    boolean cusecMatches = repPart.getCusec() == sentAuth.getCusec();
    if (!(ctimeMatches && cusecMatches)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
    }
}
} // closes the enclosing class; brace carried over from the original listing
/**
 * Validation for KRB_AP_REP message
 * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
 * @param apRep KRB_AP_REP message received
 * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
 * @throws KrbException when unsealing fails, or when {@code apReqSent} is non-null and the
 *         reply's ctime or cusec differ from the authenticator that was sent
 *         ({@code KRB_AP_ERR_MUT_FAIL})
 */
public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
    EncAPRepPart decrypted = EncryptionUtil.unseal(
            apRep.getEncryptedEncPart(), encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    // Keep the plaintext on the message so callers can read the sub-key / seq-number later.
    apRep.setEncRepPart(decrypted);

    if (apReqSent != null) {
        // The reply must echo our authenticator's timestamp; both parts are checked separately
        // but map to the same mutual-authentication failure code.
        Authenticator ourAuth = apReqSent.getAuthenticator();
        if (!decrypted.getCtime().equals(ourAuth.getCtime())) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
        }
        // NOTE(review): relies on getCusec() being a primitive; verify it is not a boxed Integer.
        if (decrypted.getCusec() != ourAuth.getCusec()) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
        }
    }
}
} // enclosing class end, as in the original listing
/**
 * Validates a KRB_AP_REQ against the service key: decrypts the ticket, unseals the
 * authenticator with the session key found inside the ticket, and checks that the
 * authenticator names the same client principal and realm as the ticket.
 * <p>Only identity binding is checked here; the address, clock-skew and ticket-lifetime
 * checks live in the four-argument overload, and nothing in this method detects an
 * authenticator replay.
 * @param encKey key able to decrypt the ticket's encrypted part (the service's key)
 * @param apReq the request to validate; its ticket enc-part and authenticator are
 *              populated as a side effect
 * @throws KrbException {@code KRB_AP_ERR_NOKEY} if {@code encKey} is null,
 *         {@code KRB_AP_ERR_BADMATCH} if cname or crealm disagree between authenticator
 *         and ticket, or whatever the unseal steps raise
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }

    // The ticket is encrypted for the service; usage 2 (KDC_REP_TICKET) per RFC 4120.
    EncTicketPart ticketBody = EncryptionUtil.unseal(ticket.getEncryptedEncPart(), encKey,
            KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(ticketBody);

    // The authenticator is sealed under the session key that the ticket carries.
    unsealAuthenticator(ticketBody.getKey(), apReq);
    Authenticator auth = apReq.getAuthenticator();

    // Binding check: the party that built the authenticator must be the ticket's client.
    EncTicketPart storedBody = ticket.getEncPart();
    if (!auth.getCname().equals(storedBody.getCname())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
    if (!auth.getCrealm().equals(storedBody.getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}
// Test fragment (enclosing test method is outside this excerpt; tgt and apReq are set up there):
// the unsealed authenticator must carry the same client principal and realm as the TGT it was built from.
assertThat(apReq.getAuthenticator().getCname()).isEqualTo(tgt.getClientPrincipal()); assertThat(apReq.getAuthenticator().getCrealm()).isEqualTo(tgt.getRealm());
/**
 * Validates a KRB_AP_REQ with the service key.
 * <p>Steps: reject a missing key, decrypt the ticket, unseal the authenticator with the
 * ticket's session key, then require the authenticator's cname/crealm to match the ticket.
 * No time, address or replay checks are made here (see the overload taking an initiator
 * address and skew for the time/address ones).
 * @param encKey the service key that decrypts the ticket
 * @param apReq request whose ticket enc-part and authenticator get populated
 * @throws KrbException {@code KRB_AP_ERR_NOKEY}, {@code KRB_AP_ERR_BADMATCH}, or an unseal error
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket ticket = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }
    EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(), encKey,
            KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    ticket.setEncPart(encPart);
    unsealAuthenticator(encPart.getKey(), apReq);
    requireClientMatchesTicket(apReq.getAuthenticator(), ticket.getEncPart());
}

/**
 * Throws {@code KRB_AP_ERR_BADMATCH} unless the authenticator's client name and realm both
 * equal those recorded in the decrypted ticket.
 */
private static void requireClientMatchesTicket(Authenticator authenticator, EncTicketPart ticketPart)
        throws KrbException {
    if (!authenticator.getCname().equals(ticketPart.getCname())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
    if (!authenticator.getCrealm().equals(ticketPart.getCrealm())) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}
/**
 * Validates a KRB_AP_REQ against the service key (identity binding only).
 * <p>The ticket is decrypted with {@code encKey}, the authenticator with the session key
 * inside the ticket, and the two must agree on client principal and realm. Freshness,
 * address and ticket-lifetime checks are performed by the four-argument overload; no replay
 * detection happens in this method.
 * @param encKey service key for the ticket; must not be null
 * @param apReq the request; decrypted ticket body and authenticator are stored on it
 * @throws KrbException {@code KRB_AP_ERR_NOKEY} for a null key, {@code KRB_AP_ERR_BADMATCH}
 *         on a cname or crealm mismatch, or the error raised while unsealing
 */
public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
    Ticket tkt = apReq.getTicket();
    if (encKey == null) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
    }

    EncTicketPart tktPart = EncryptionUtil.unseal(
            tkt.getEncryptedEncPart(), encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
    tkt.setEncPart(tktPart);
    unsealAuthenticator(tktPart.getKey(), apReq);

    Authenticator authn = apReq.getAuthenticator();
    EncTicketPart stored = tkt.getEncPart();
    // Either field differing is the same failure; short-circuit keeps cname checked first.
    boolean mismatch = !authn.getCname().equals(stored.getCname())
            || !authn.getCrealm().equals(stored.getCrealm());
    if (mismatch) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
    }
}
/**
 * Builds the KRB_AP_REP answering the stored {@code apReq}.
 * <p>The enc-part echoes the authenticator's ctime and cusec (the mutual-authentication
 * proof the initiator checks), carries the initiator's sub-key as the reply sub-key, uses a
 * fixed seq-number of 0, and is sealed with that same sub-key under
 * {@code KeyUsage.AP_REP_ENCPART}.
 * NOTE(review): this presumes the initiator always supplied a sub-key; when
 * {@code auth.getSubKey()} is null the seal call receives a null key — confirm how
 * EncryptionUtil.seal reacts and whether the ticket session key should be the fallback.
 * @return the reply with both the plaintext enc-part and the encrypted part set
 * @throws KrbException if sealing fails
 */
private ApRep makeApRep() throws KrbException {
    Authenticator initiatorAuth = apReq.getAuthenticator();
    EncryptionKey replyKey = initiatorAuth.getSubKey();

    EncAPRepPart plain = new EncAPRepPart();
    // Echo the client's timestamp (wall-clock seconds plus the microsecond part).
    plain.setCtime(initiatorAuth.getCtime());
    plain.setCusec(initiatorAuth.getCusec());
    plain.setSubkey(replyKey);
    plain.setSeqNumber(0);

    ApRep reply = new ApRep();
    reply.setEncRepPart(plain);
    EncryptedData sealed = EncryptionUtil.seal(plain, replyKey, KeyUsage.AP_REP_ENCPART);
    reply.setEncryptedEncPart(sealed);
    return reply;
}
// Fragment of a larger method (not in this excerpt): fetch the initiator's authenticator and the
// sub-session key it proposed. NOTE(review): whether subKey may be null is decided by the code that follows.
Authenticator auth = apReq.getAuthenticator(); EncryptionKey subKey = auth.getSubKey();
/**
 * Creates the KRB_AP_REP for the request held in {@code apReq}.
 * <p>ctime/cusec are copied from the initiator's authenticator so the initiator can verify
 * mutual authentication; the initiator's sub-key is placed in the reply and also used to
 * seal it ({@code KeyUsage.AP_REP_ENCPART}); seq-number is always 0.
 * NOTE(review): a request without a sub-key yields a null key for the seal call — verify
 * that path, as nothing here falls back to the ticket session key.
 * @return the sealed reply (plaintext enc-part kept on the object as well)
 * @throws KrbException when the enc-part cannot be sealed
 */
private ApRep makeApRep() throws KrbException {
    Authenticator auth = apReq.getAuthenticator();
    EncAPRepPart body = buildReplyBody(auth);

    ApRep rep = new ApRep();
    rep.setEncRepPart(body);
    rep.setEncryptedEncPart(EncryptionUtil.seal(body, auth.getSubKey(), KeyUsage.AP_REP_ENCPART));
    return rep;
}

/** Fills an {@link EncAPRepPart} from the initiator's authenticator: echoed time, its sub-key, seq 0. */
private static EncAPRepPart buildReplyBody(Authenticator auth) {
    EncAPRepPart body = new EncAPRepPart();
    body.setCtime(auth.getCtime());      // client's wall-clock time, echoed back
    body.setCusec(auth.getCusec());      // microsecond part of that timestamp
    body.setSubkey(auth.getSubKey());
    body.setSeqNumber(0);
    return body;
}
/**
 * Decodes and verifies a KRB_AP_REP received in answer to {@code apReq}.
 * <p>Checks, in order: protocol version 5, message type AP_REP, a best-effort re-validation
 * of the AP_REQ we sent (failures are only logged), then the reply's enc-part is unsealed with
 * {@code key} and its ctime/cusec must equal those of our authenticator.
 * NOTE(review): ApRequest.validate decrypts the ticket with the key it is given, but on the
 * initiator side {@code key} is the key that also opens the AP_REP, not the service's key —
 * confirm whether that call can ever succeed here and whether logging-and-continuing is the
 * intended outcome, since a swallowed validation error leaves no signal to the caller.
 * NOTE(review): the sibling validate(EncryptionKey, ApRep, ApReq) raises KRB_AP_ERR_MUT_FAIL
 * for the same mismatch (the code RFC 4120 §3.2.5 names); here it is KRB_AP_ERR_MODIFIED.
 * @param buf raw encoded KRB_AP_REP
 * @param key key used to unseal the reply and the stored authenticator
 * @param allowableClockSkew skew handed to AP_REQ validation, multiplied by 1000 (presumably
 *                           seconds to milliseconds — confirm the unit the callee expects)
 * @param apReq the KRB_AP_REQ this reply answers
 * @param initiator address forwarded to AP_REQ validation; may be null
 * @return the decoded reply with its enc-part populated
 * @throws KrbException {@code KRB_AP_ERR_BADVERSION}, {@code KRB_AP_ERR_MSG_TYPE},
 *         {@code KRB_AP_ERR_MODIFIED}, or an unseal/decode failure
 */
public static ApRep readRep(byte[] buf, EncryptionKey key, long allowableClockSkew,
                            ApReq apReq, InetAddress initiator) throws KrbException {
    ApRep reply = KrbCodec.decode(buf, ApRep.class);

    boolean versionOk = reply.getPvno() == KrbConstant.KRB_V5;
    if (!versionOk) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
    }
    boolean typeOk = reply.getMsgType().equals(KrbMessageType.AP_REP);
    if (!typeOk) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
    }

    try {
        ApRequest.validate(key, apReq, initiator, allowableClockSkew * 1000);
    } catch (KrbException e) {
        // XXX: deliberately best-effort — the checksum verification fails, yet processing
        // continues, so the error is only logged.
        logger.debug("Ap Request validation error: code={}, message={}",
                e.getKrbErrorCode(), e.getMessage(), e);
    }

    EncAPRepPart unsealed = EncryptionUtil.unseal(
            reply.getEncryptedEncPart(), key, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
    reply.setEncRepPart(unsealed);
    // Re-open our own authenticator with the same key so its timestamp can be compared.
    ApRequest.unsealAuthenticator(key, apReq);

    EncAPRepPart repPart = reply.getEncRepPart();
    Authenticator ours = apReq.getAuthenticator();
    // NOTE(review): assumes getCusec() is a primitive int (reference compare otherwise).
    boolean timestampEchoed = repPart.getCtime().equals(ours.getCtime())
            && repPart.getCusec() == ours.getCusec();
    if (!timestampEchoed) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED);
    }
    return reply;
}
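/**
 * Populates this initiator-side context from the service ticket and the AP_REQ that was sent:
 * ticket flags, auth time, our sequence number, and the session key to use (the sub-key we
 * put in the authenticator when present, else the ticket's session key). When mutual
 * authentication is off the peer sequence number is fixed at 0.
 * @param sgt the service ticket obtained for the peer
 * @param apRequest the AP_REQ wrapper; its authenticator is read
 * @throws GSSException {@code FAILURE} when the authenticator cannot be obtained; the
 *         underlying {@link KrbException} is attached as the cause
 */
private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
    EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
    TicketFlags ticketFlags = encKdcRepPart.getFlags();
    setTicketFlags(ticketFlags);
    setAuthTime(encKdcRepPart.getAuthTime().toString());

    Authenticator auth;
    try {
        auth = apRequest.getApReq().getAuthenticator();
    } catch (KrbException e) {
        // Preserve the Kerberos error as the cause instead of dropping it: the GSS caller
        // otherwise has no way to learn which KRB error code led to this failure.
        GSSException gssEx = new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
        gssEx.initCause(e);
        throw gssEx;
    }

    setMySequenceNumber(auth.getSeqNumber());

    // Prefer the sub-session key we proposed; fall back to the ticket's session key.
    EncryptionKey subKey = auth.getSubKey();
    if (subKey != null) {
        setSessionKey(subKey, GssContext.INITIATOR_SUBKEY);
    } else {
        setSessionKey(sgt.getSessionKey(), GssContext.SESSION_KEY);
    }

    if (!getMutualAuthState()) {
        // No AP_REP will arrive to supply the peer's sequence number.
        setPeerSequenceNumber(0);
    }
}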
/**
 * Full KRB_AP_REQ validation: the two-argument overload (ticket/authenticator decryption and
 * client identity binding) followed by the optional address and time checks.
 * <p>Important caveats visible in the code: the address check is skipped when
 * {@code initiator} is null or the ticket carries no client addresses, and <b>every</b>
 * time-based check — authenticator freshness, ticket start time and ticket expiry — is
 * skipped when {@code timeSkew} is 0. Callers must therefore pass a real skew for a
 * production acceptor. No replay cache is consulted here.
 * @param encKey service key for the ticket
 * @param apReq the request to validate
 * @param initiator address of the peer, or null to skip address checking
 * @param timeSkew allowed clock skew (same unit as {@link KerberosTime} expects); 0 disables
 *                 the time checks
 * @throws KrbException {@code KRB_AP_ERR_BADADDR}, {@code KRB_AP_ERR_SKEW},
 *         {@code KRB_AP_ERR_TKT_NYV}, {@code KRB_AP_ERR_TKT_EXPIRED}, or anything the
 *         two-argument overload raises
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator, long timeSkew)
        throws KrbException {
    validate(encKey, apReq);

    EncTicketPart tktBody = apReq.getTicket().getEncPart();
    Authenticator authn = apReq.getAuthenticator();

    if (initiator != null) {
        // Tickets may be bound to client addresses; enforce only when the ticket lists some.
        HostAddresses allowed = tktBody.getClientAddresses();
        boolean addressRejected = allowed != null && !allowed.contains(initiator);
        if (addressRejected) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
        }
    }

    if (timeSkew == 0) {
        // Time checks disabled by the caller.
        return;
    }

    // Authenticator freshness.
    if (!authn.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }

    KerberosTime current = KerberosTime.now();
    // Ticket not yet valid: start time must already lie in the past, within the skew.
    KerberosTime start = tktBody.getStartTime();
    if (start != null && !start.lessThanWithSkew(current, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }
    // Ticket expired: end time already behind the current time, beyond the skew.
    if (tktBody.getEndTime().lessThanWithSkew(current, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}
/**
 * Validates a KRB_AP_REQ including the peer address and the time-related checks.
 * <p>Delegates the decryption and client-identity checks to {@code validate(encKey, apReq)},
 * then: rejects an initiator address absent from the ticket's client-address list (only when
 * an address is given and the ticket has such a list), and — only when {@code timeSkew} is
 * non-zero — requires a fresh authenticator, a ticket whose start time has been reached and
 * whose end time has not passed. A {@code timeSkew} of 0 turns off all three time checks,
 * including expiry, so callers should not use 0 outside tests. Authenticator replay is not
 * detected by this method.
 * @param encKey service key that decrypts the ticket
 * @param apReq request to validate
 * @param initiator peer address, or null to skip the address check
 * @param timeSkew permitted clock difference passed to the {@link KerberosTime} comparisons
 * @throws KrbException with {@code KRB_AP_ERR_BADADDR}, {@code KRB_AP_ERR_SKEW},
 *         {@code KRB_AP_ERR_TKT_NYV} or {@code KRB_AP_ERR_TKT_EXPIRED}, plus the errors of
 *         the two-argument overload
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator, long timeSkew)
        throws KrbException {
    validate(encKey, apReq);

    Ticket ticket = apReq.getTicket();
    EncTicketPart tktEncPart = ticket.getEncPart();
    Authenticator authenticator = apReq.getAuthenticator();

    checkInitiatorAddress(tktEncPart, initiator);
    if (timeSkew != 0) {
        checkAuthenticatorFreshness(authenticator, timeSkew);
        checkTicketLifetime(tktEncPart, timeSkew);
    }
}

/** Throws {@code KRB_AP_ERR_BADADDR} when the ticket lists client addresses and the initiator is not among them. */
private static void checkInitiatorAddress(EncTicketPart tktEncPart, InetAddress initiator)
        throws KrbException {
    if (initiator == null) {
        return;
    }
    HostAddresses clientAddrs = tktEncPart.getClientAddresses();
    if (clientAddrs != null && !clientAddrs.contains(initiator)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
    }
}

/** Throws {@code KRB_AP_ERR_SKEW} when the authenticator's ctime is outside the allowed skew. */
private static void checkAuthenticatorFreshness(Authenticator authenticator, long timeSkew)
        throws KrbException {
    if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
    }
}

/** Throws {@code KRB_AP_ERR_TKT_NYV} for a ticket whose start time is still ahead, {@code KRB_AP_ERR_TKT_EXPIRED} once its end time is behind. */
private static void checkTicketLifetime(EncTicketPart tktEncPart, long timeSkew) throws KrbException {
    KerberosTime now = KerberosTime.now();
    KerberosTime startTime = tktEncPart.getStartTime();
    if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
    }
    if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
    }
}
/**
 * Validates a KRB_AP_REQ: decryption and identity binding via the two-argument overload,
 * then the address check and, when a non-zero skew is supplied, the time checks.
 * <p>Security-relevant behaviour to keep in mind: passing {@code timeSkew == 0} skips the
 * authenticator freshness check <i>and</i> the ticket start/expiry checks entirely; passing a
 * null {@code initiator}, or presenting a ticket without client addresses, skips the address
 * check. Nothing here tracks previously seen authenticators (replay).
 * @param encKey key that decrypts the ticket
 * @param apReq request whose ticket and authenticator are inspected
 * @param initiator peer's address for the ticket address-binding check; null disables it
 * @param timeSkew clock skew tolerance for the {@link KerberosTime} comparisons; 0 disables them
 * @throws KrbException {@code KRB_AP_ERR_BADADDR}, {@code KRB_AP_ERR_SKEW},
 *         {@code KRB_AP_ERR_TKT_NYV}, {@code KRB_AP_ERR_TKT_EXPIRED}, or the two-argument
 *         overload's errors
 */
public static void validate(EncryptionKey encKey, ApReq apReq, InetAddress initiator, long timeSkew)
        throws KrbException {
    validate(encKey, apReq);

    Ticket tkt = apReq.getTicket();
    EncTicketPart body = tkt.getEncPart();
    Authenticator auth = apReq.getAuthenticator();

    // Address binding, enforced only if the ticket actually restricts client addresses.
    HostAddresses boundAddrs = initiator == null ? null : body.getClientAddresses();
    if (boundAddrs != null && !boundAddrs.contains(initiator)) {
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
    }

    boolean timeChecksEnabled = timeSkew != 0;
    if (timeChecksEnabled) {
        if (!auth.getCtime().isInClockSkew(timeSkew)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
        }
        KerberosTime now = KerberosTime.now();
        KerberosTime notBefore = body.getStartTime();
        boolean notYetValid = notBefore != null && !notBefore.lessThanWithSkew(now, timeSkew);
        if (notYetValid) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
        }
        boolean expired = body.getEndTime().lessThanWithSkew(now, timeSkew);
        if (expired) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
        }
    }
}