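/**
 * Check that a pair of DH parameters describes the same well-known DH group.
 *
 * Both the prime modulus p and the generator g must be equal; a mismatch on
 * either is logged and rejected. Requiring an exact match against a well-known
 * group is what lets the KDC skip primality / subgroup checks on p and g that
 * would otherwise be needed for attacker-chosen parameters.
 *
 * @param dh1 The DHParameterSpec (presumably the well-known group to compare against)
 * @param dh2 The DhParameter (presumably the parameters received from the peer)
 * @return true when p and g both match, false otherwise (the reason is logged)
 */
public static boolean pkinitCheckDhParams(DHParameterSpec dh1, DhParameter dh2) {
    if (!dh1.getP().equals(dh2.getP())) {
        LOG.error("p is not well-known group dhparameter");
        return false;
    }
    if (!dh1.getG().equals(dh2.getG())) {
        LOG.error("bad g dhparameter");
        return false;
    }
    // The original message had no "{}" placeholder, so the bit length argument
    // was silently dropped from the log line (assumes a {}-style logger).
    LOG.info("Good dhparams: {} bits", dh1.getP().bitLength());
    return true;
}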
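/**
 * Check that a pair of DH parameters describes the same well-known DH group.
 *
 * Both the prime modulus p and the generator g must be equal; a mismatch on
 * either is logged and rejected. Requiring an exact match against a well-known
 * group is what lets the KDC skip primality / subgroup checks on p and g that
 * would otherwise be needed for attacker-chosen parameters.
 *
 * @param dh1 The DHParameterSpec (presumably the well-known group to compare against)
 * @param dh2 The DhParameter (presumably the parameters received from the peer)
 * @return true when p and g both match, false otherwise (the reason is logged)
 */
public static boolean pkinitCheckDhParams(DHParameterSpec dh1, DhParameter dh2) {
    if (!dh1.getP().equals(dh2.getP())) {
        LOG.error("p is not well-known group dhparameter");
        return false;
    }
    if (!dh1.getG().equals(dh2.getG())) {
        LOG.error("bad g dhparameter");
        return false;
    }
    // The original message had no "{}" placeholder, so the bit length argument
    // was silently dropped from the log line (assumes a {}-style logger).
    LOG.info("Good dhparams: {} bits", dh1.getP().bitLength());
    return true;
}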
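/**
 * KDC-side policy check of the DH key parameters sent by a PKINIT client
 * (RFC 4556: the KDC SHOULD check that the key parameters satisfy its policy).
 *
 * Two checks are applied in order: the prime modulus must be at least
 * pluginOpts.getDhMinBits() bits long, and the (p, g) pair must be accepted by
 * checkDHWellknown as a well-known group. Either failure is reported to the
 * client as KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; the client-supplied sizes
 * are logged but nothing else from the request is.
 *
 * @param pluginOpts  The PluginOpts supplying the minimum prime size policy
 * @param cryptoctx   The PkinitPlgCryptoContext handed to checkDHWellknown
 * @param dhParameter The DhParameter sent by the client
 * @throws KrbException with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED when the
 *         prime is too short or the group is not a well-known one
 */
public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx,
                                 DhParameter dhParameter) throws KrbException {
    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    int dhPrimeBits = dhParameter.getP().bitLength();
    if (dhPrimeBits < pluginOpts.getDhMinBits()) {
        // Message previously read "...with 1024bits, we require..." (missing space).
        String errMsg = "client sent dh params with " + dhPrimeBits
                + " bits, we require " + pluginOpts.getDhMinBits();
        LOG.error(errMsg);
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
    }
    // Size alone is not sufficient: a large attacker-chosen p may still be
    // composite or have a smooth order, so the group must also be well-known.
    // Attach a message so the rejection reason is visible in logs/errors, as
    // the size branch above already does.
    if (!checkDHWellknown(cryptoctx, dhParameter, dhPrimeBits)) {
        String errMsg = "client sent dh params (" + dhPrimeBits
                + " bits) that do not match a well-known group";
        LOG.error(errMsg);
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
    }
}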
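/**
 * KDC-side policy check of the DH key parameters sent by a PKINIT client
 * (RFC 4556: the KDC SHOULD check that the key parameters satisfy its policy).
 *
 * Two checks are applied in order: the prime modulus must be at least
 * pluginOpts.getDhMinBits() bits long, and the (p, g) pair must be accepted by
 * checkDHWellknown as a well-known group. Either failure is reported to the
 * client as KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; the client-supplied sizes
 * are logged but nothing else from the request is.
 *
 * @param pluginOpts  The PluginOpts supplying the minimum prime size policy
 * @param cryptoctx   The PkinitPlgCryptoContext handed to checkDHWellknown
 * @param dhParameter The DhParameter sent by the client
 * @throws KrbException with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED when the
 *         prime is too short or the group is not a well-known one
 */
public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx,
                                 DhParameter dhParameter) throws KrbException {
    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    int dhPrimeBits = dhParameter.getP().bitLength();
    if (dhPrimeBits < pluginOpts.getDhMinBits()) {
        // Message previously read "...with 1024bits, we require..." (missing space).
        String errMsg = "client sent dh params with " + dhPrimeBits
                + " bits, we require " + pluginOpts.getDhMinBits();
        LOG.error(errMsg);
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
    }
    // Size alone is not sufficient: a large attacker-chosen p may still be
    // composite or have a smooth order, so the group must also be well-known.
    // Attach a message so the rejection reason is visible in logs/errors, as
    // the size branch above already does.
    if (!checkDHWellknown(cryptoctx, dhParameter, dhPrimeBits)) {
        String errMsg = "client sent dh params (" + dhPrimeBits
                + " bits) that do not match a well-known group";
        LOG.error(errMsg);
        throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
    }
}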
// Decode the client's DH public value as an ASN.1 INTEGER (presumably the
// subjectPublicKey content of its SubjectPublicKeyInfo) and pick up the
// group parameters p and g that go with it.
Asn1Integer clientPubKey = KrbCodec.decode(clientSubjectPubKey, Asn1Integer.class);
BigInteger y = clientPubKey.getValue();
BigInteger p = dhParameter.getP();
BigInteger g = dhParameter.getG();
// NOTE(review): nothing visible here range-checks the peer's public value y.
// Confirm the caller rejects y <= 1 and y >= p - 1 (and, where the group's
// subgroup order q is known, checks y^q mod p == 1) before y is used in the
// DH computation; otherwise a malicious client can force a degenerate or
// small-subgroup shared secret.
// Decode the client's DH public value as an ASN.1 INTEGER (presumably the
// subjectPublicKey content of its SubjectPublicKeyInfo) and pick up the
// group parameters p and g that go with it.
Asn1Integer clientPubKey = KrbCodec.decode(clientSubjectPubKey, Asn1Integer.class);
BigInteger y = clientPubKey.getValue();
BigInteger p = dhParameter.getP();
BigInteger g = dhParameter.getG();
// NOTE(review): nothing visible here range-checks the peer's public value y.
// Confirm the caller rejects y <= 1 and y >= p - 1 (and, where the group's
// subgroup order q is known, checks y^q mod p == 1) before y is used in the
// DH computation; otherwise a malicious client can force a degenerate or
// small-subgroup shared secret.