sun.security.krb5.EncryptionKey Java Examples

The following examples show how to use sun.security.krb5.EncryptionKey. Each example names the source file and the project it was taken from. Note that sun.security.krb5 is a JDK-internal package rather than a supported public API; the excerpts shown here come from JDK source trees, not from application code.
Example #1
Source File: KrbSafe.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Creates a KrbSafe from application data by calling {@code mk_safe} and
 * storing its result in {@code obuf}.
 *
 * <p>Key selection: a non-null {@code subKey} is always used; only when it
 * is {@code null} is {@code creds.key} read, so {@code creds} may not be
 * {@code null} in that case.
 *
 * @param userData data handed to {@code mk_safe}
 * @param creds credentials supplying the fallback key
 * @param subKey preferred key, or {@code null} to fall back to {@code creds.key}
 * @param timestamp passed through to {@code mk_safe}
 * @param seqNumber passed through to {@code mk_safe}
 * @param saddr passed through to {@code mk_safe}
 * @param raddr passed through to {@code mk_safe}
 * @throws KrbException propagated from {@code mk_safe}
 * @throws IOException propagated from {@code mk_safe}
 */
public KrbSafe(byte[] userData,
               Credentials creds,
               EncryptionKey subKey,
               KerberosTime timestamp,
               SeqNumber seqNumber,
               HostAddress saddr,
               HostAddress raddr
               )  throws KrbException, IOException {
    // The caller-supplied sub key wins over the key stored in the credentials.
    final EncryptionKey chosenKey = (subKey != null) ? subKey : creds.key;

    obuf = mk_safe(userData, chosenKey, timestamp, seqNumber, saddr, raddr);
}
 
Example #2
Source File: KerberosPreMasterSecret.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Constructor used by client to generate premaster secret.
 *
 * Client randomly creates a pre-master secret and encrypts it
 * using the Kerberos session key; only the server can decrypt
 * it, using the session key available in the service ticket.
 *
 * @param protocolVersion used to set preMaster[0,1]
 * @param generator random number generator for generating premaster secret
 * @param sessionKey Kerberos session key for encrypting premaster secret
 */
KerberosPreMasterSecret(ProtocolVersion protocolVersion,
        SecureRandom generator, EncryptionKey sessionKey) throws IOException {

    // Reject des3-cbc-hmac-sha1-kd session keys up front, before any
    // secret material is generated.
    final boolean unsupportedEType = sessionKey.getEType()
            == EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
    if (unsupportedEType) {
        throw new IOException(
                "session keys with des3-cbc-hmac-sha1-kd encryption type " +
                        "are not supported for TLS Kerberos cipher suites");
    }

    this.protocolVersion = protocolVersion;
    preMaster = generatePreMaster(generator, protocolVersion);

    // Encrypt the pre-master secret under the session key. The key usage
    // passed is KeyUsage.KU_UNKNOWN, and what is kept in `encrypted` is the
    // raw ciphertext, not an ASN.1 encoding.
    // NOTE(review): the TLS Kerberos cipher suites are a legacy mechanism;
    // confirm the target JDK still supports them before relying on this path.
    try {
        final EncryptedData sealed = new EncryptedData(
                sessionKey, preMaster, KeyUsage.KU_UNKNOWN);
        encrypted = sealed.getBytes();
    } catch (KrbException e) {
        // Surface Kerberos failures as a TLS key error, keeping the cause.
        final SSLKeyException failure =
                new SSLKeyException("Kerberos premaster secret error");
        failure.initCause(e);
        throw failure;
    }
}
 
Example #3
Source File: Krb5Util.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Builds a {@link KerberosTicket} from the given service credentials.
 *
 * <p>The ticket receives the encoded credentials, the client and server
 * principal names (the server with name type
 * {@code KerberosPrincipal.KRB_NT_SRV_INST}), the flags, the four
 * timestamps and the client addresses. It also receives the session key's
 * bytes and encryption type, so the returned object carries session-key
 * material and should be handled accordingly.
 *
 * @param serviceCreds credentials to convert; its session key, client and
 *        server are dereferenced and must be present
 * @return a new ticket populated from {@code serviceCreds}
 */
public static KerberosTicket credsToTicket(Credentials serviceCreds) {
    final EncryptionKey key = serviceCreds.getSessionKey();
    final byte[] encodedCreds = serviceCreds.getEncoded();
    final KerberosPrincipal client =
        new KerberosPrincipal(serviceCreds.getClient().getName());
    final KerberosPrincipal server =
        new KerberosPrincipal(serviceCreds.getServer().getName(),
                              KerberosPrincipal.KRB_NT_SRV_INST);

    return new KerberosTicket(
        encodedCreds,
        client,
        server,
        key.getBytes(),
        key.getEType(),
        serviceCreds.getFlags(),
        serviceCreds.getAuthTime(),
        serviceCreds.getStartTime(),
        serviceCreds.getEndTime(),
        serviceCreds.getRenewTill(),
        serviceCreds.getClientAddresses());
}
 
Example #4
Source File: EncKDCRepPart.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Creates an EncKDCRepPart from already-built components.
 *
 * <p>Each argument is stored in the field whose name is the parameter name
 * without its {@code new_} prefix. Nothing is validated or copied, so the
 * object keeps the caller's references, including the
 * {@code EncryptionKey} passed as {@code new_key}.
 *
 * @param new_key stored in {@code key}
 * @param new_lastReq stored in {@code lastReq}
 * @param new_nonce stored in {@code nonce}
 * @param new_keyExpiration stored in {@code keyExpiration}
 * @param new_flags stored in {@code flags}
 * @param new_authtime stored in {@code authtime}
 * @param new_starttime stored in {@code starttime}
 * @param new_endtime stored in {@code endtime}
 * @param new_renewTill stored in {@code renewTill}
 * @param new_sname stored in {@code sname}
 * @param new_caddr stored in {@code caddr}
 * @param new_msgType stored in {@code msgType}
 */
public EncKDCRepPart(
        EncryptionKey new_key,
        LastReq new_lastReq,
        int new_nonce,
        KerberosTime new_keyExpiration,
        TicketFlags new_flags,
        KerberosTime new_authtime,
        KerberosTime new_starttime,
        KerberosTime new_endtime,
        KerberosTime new_renewTill,
        PrincipalName new_sname,
        HostAddresses new_caddr,
        int new_msgType) {
    // Scalars.
    this.msgType = new_msgType;
    this.nonce = new_nonce;

    // Key and its expiration; the key reference is shared with the caller.
    this.key = new_key;
    this.keyExpiration = new_keyExpiration;

    // Validity window.
    this.authtime = new_authtime;
    this.starttime = new_starttime;
    this.endtime = new_endtime;
    this.renewTill = new_renewTill;

    // Remaining components.
    this.lastReq = new_lastReq;
    this.flags = new_flags;
    this.sname = new_sname;
    this.caddr = new_caddr;
}
 
Example #5
Source File: ServiceCreds.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Gets EKeys for a principal.
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 */
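public EncryptionKey[] getEKeys(PrincipalName princ) {
    // A destroyed object must not hand out key material.
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        //
        // NOTE(review): on this path the requested name no longer limits
        // which keys are returned; acceptance then rests only on whether
        // one of these keys decrypts the ticket.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < kkeys.length; i++) {
        KerberosKey kkey = kkeys[i];
        // Integer.valueOf replaces the boxing constructor new Integer(int).
        ekeys[i] = new EncryptionKey(
                kkey.getEncoded(), kkey.getKeyType(),
                Integer.valueOf(kkey.getVersionNumber()));
    }
    return ekeys;
}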
 
Example #6
Source File: ServiceCreds.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Gets EKeys for a principal.
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 */
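public EncryptionKey[] getEKeys(PrincipalName princ) {
    // A destroyed object must not hand out key material.
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        //
        // NOTE(review): on this path the requested name no longer limits
        // which keys are returned; acceptance then rests only on whether
        // one of these keys decrypts the ticket.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < kkeys.length; i++) {
        KerberosKey kkey = kkeys[i];
        // Integer.valueOf replaces the boxing constructor new Integer(int).
        ekeys[i] = new EncryptionKey(
                kkey.getEncoded(), kkey.getKeyType(),
                Integer.valueOf(kkey.getVersionNumber()));
    }
    return ekeys;
}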
 
Example #7
Source File: KerberosPreMasterSecret.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Constructor used by client to generate premaster secret.
 *
 * Client randomly creates a pre-master secret and encrypts it
 * using the Kerberos session key; only the server can decrypt
 * it, using the session key available in the service ticket.
 *
 * @param protocolVersion used to set preMaster[0,1]
 * @param generator random number generator for generating premaster secret
 * @param sessionKey Kerberos session key for encrypting premaster secret
 */
KerberosPreMasterSecret(ProtocolVersion protocolVersion,
    SecureRandom generator, EncryptionKey sessionKey) throws IOException {

    // Reject des3-cbc-hmac-sha1-kd session keys up front, before any
    // secret material is generated.
    final boolean unsupportedEType = sessionKey.getEType()
        == EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
    if (unsupportedEType) {
        throw new IOException(
           "session keys with des3-cbc-hmac-sha1-kd encryption type " +
           "are not supported for TLS Kerberos cipher suites");
    }

    this.protocolVersion = protocolVersion;
    preMaster = generatePreMaster(generator, protocolVersion);

    // Encrypt the pre-master secret under the session key. The key usage
    // passed is KeyUsage.KU_UNKNOWN, and what is kept in `encrypted` is the
    // raw ciphertext, not an ASN.1 encoding.
    // NOTE(review): the TLS Kerberos cipher suites are a legacy mechanism;
    // confirm the target JDK still supports them before relying on this path.
    try {
        final EncryptedData sealed = new EncryptedData(
            sessionKey, preMaster, KeyUsage.KU_UNKNOWN);
        encrypted = sealed.getBytes();
    } catch (KrbException e) {
        // Surface Kerberos failures as a TLS key error, keeping the cause.
        final SSLKeyException failure =
            new SSLKeyException("Kerberos premaster secret error");
        failure.initCause(e);
        throw failure;
    }
}
 
Example #8
Source File: ServiceCreds.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Gets EKeys for a principal.
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 */
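public EncryptionKey[] getEKeys(PrincipalName princ) {
    // A destroyed object must not hand out key material.
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        //
        // NOTE(review): on this path the requested name no longer limits
        // which keys are returned; acceptance then rests only on whether
        // one of these keys decrypts the ticket.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < kkeys.length; i++) {
        KerberosKey kkey = kkeys[i];
        // Integer.valueOf replaces the boxing constructor new Integer(int).
        ekeys[i] = new EncryptionKey(
                kkey.getEncoded(), kkey.getKeyType(),
                Integer.valueOf(kkey.getVersionNumber()));
    }
    return ekeys;
}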
 
Example #9
Source File: KerberosClientKeyExchangeImpl.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Creates an instance of KerberosClientKeyExchange consisting of the
 * Kerberos service ticket, authenticator and encrypted premaster secret.
 * Called by client handshaker.
 *
 * @param serverName name of server with which to do handshake;
 *             this is used to get the Kerberos service ticket
 * @param acc access control context passed to getServiceTicket when
 *             obtaining the service ticket
 * @param protocolVersion Maximum version supported by client (i.e,
 *          version it requested in client hello)
 * @param rand random number generator to use for generating pre-master
 *          secret
 */
@Override
public void init(String serverName,
    AccessControlContext acc, ProtocolVersion protocolVersion,
    SecureRandom rand) throws IOException {

    // Obtain the service ticket and keep its encoded form.
    final KerberosTicket serviceTicket = getServiceTicket(serverName, acc);
    encodedTicket = serviceTicket.getEncoded();

    // Both principals are taken from the ticket itself.
    peerPrincipal = serviceTicket.getServer();
    localPrincipal = serviceTicket.getClient();

    // Optional authenticator, encrypted using session key,
    // currently ignored

    // Rebuild the session key from the ticket, then generate the premaster
    // secret and encrypt it under that key.
    // NOTE(review): keyBytes holds raw session-key material and is not
    // cleared in this method.
    final int keyType = serviceTicket.getSessionKeyType();
    final byte[] keyBytes = serviceTicket.getSessionKey().getEncoded();
    preMaster = new KerberosPreMasterSecret(protocolVersion, rand,
        new EncryptionKey(keyType, keyBytes));
}
 
Example #10
Source File: KerberosPreMasterSecret.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Constructor used by client to generate premaster secret.
 *
 * Client randomly creates a pre-master secret and encrypts it
 * using the Kerberos session key; only the server can decrypt
 * it, using the session key available in the service ticket.
 *
 * @param protocolVersion used to set preMaster[0,1]
 * @param generator random number generator for generating premaster secret
 * @param sessionKey Kerberos session key for encrypting premaster secret
 */
KerberosPreMasterSecret(ProtocolVersion protocolVersion,
    SecureRandom generator, EncryptionKey sessionKey) throws IOException {

    // Reject des3-cbc-hmac-sha1-kd session keys up front, before any
    // secret material is generated.
    final boolean unsupportedEType = sessionKey.getEType()
        == EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
    if (unsupportedEType) {
        throw new IOException(
           "session keys with des3-cbc-hmac-sha1-kd encryption type " +
           "are not supported for TLS Kerberos cipher suites");
    }

    this.protocolVersion = protocolVersion;
    preMaster = generatePreMaster(generator, protocolVersion);

    // Encrypt the pre-master secret under the session key. The key usage
    // passed is KeyUsage.KU_UNKNOWN, and what is kept in `encrypted` is the
    // raw ciphertext, not an ASN.1 encoding.
    // NOTE(review): the TLS Kerberos cipher suites are a legacy mechanism;
    // confirm the target JDK still supports them before relying on this path.
    try {
        final EncryptedData sealed = new EncryptedData(
            sessionKey, preMaster, KeyUsage.KU_UNKNOWN);
        encrypted = sealed.getBytes();
    } catch (KrbException e) {
        // Surface Kerberos failures as a TLS key error, keeping the cause.
        final SSLKeyException failure =
            new SSLKeyException("Kerberos premaster secret error");
        failure.initCause(e);
        throw failure;
    }
}
 
Example #11
Source File: KrbSafe.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Creates a KrbSafe from application data by calling {@code mk_safe} and
 * storing its result in {@code obuf}.
 *
 * <p>Key selection: a non-null {@code subKey} is always used; only when it
 * is {@code null} is {@code creds.key} read, so {@code creds} may not be
 * {@code null} in that case.
 *
 * @param userData data handed to {@code mk_safe}
 * @param creds credentials supplying the fallback key
 * @param subKey preferred key, or {@code null} to fall back to {@code creds.key}
 * @param timestamp passed through to {@code mk_safe}
 * @param seqNumber passed through to {@code mk_safe}
 * @param saddr passed through to {@code mk_safe}
 * @param raddr passed through to {@code mk_safe}
 * @throws KrbException propagated from {@code mk_safe}
 * @throws IOException propagated from {@code mk_safe}
 */
public KrbSafe(byte[] userData,
               Credentials creds,
               EncryptionKey subKey,
               KerberosTime timestamp,
               SeqNumber seqNumber,
               HostAddress saddr,
               HostAddress raddr
               )  throws KrbException, IOException {
    // The caller-supplied sub key wins over the key stored in the credentials.
    final EncryptionKey chosenKey = (subKey != null) ? subKey : creds.key;

    obuf = mk_safe(userData, chosenKey, timestamp, seqNumber, saddr, raddr);
}
 
Example #12
Source File: KrbSafe.java    From openjdk-8-source with GNU General Public License v2.0
/**
 * Creates a KrbSafe from application data by calling {@code mk_safe} and
 * storing its result in {@code obuf}.
 *
 * <p>Key selection: a non-null {@code subKey} is always used; only when it
 * is {@code null} is {@code creds.key} read, so {@code creds} may not be
 * {@code null} in that case.
 *
 * @param userData data handed to {@code mk_safe}
 * @param creds credentials supplying the fallback key
 * @param subKey preferred key, or {@code null} to fall back to {@code creds.key}
 * @param timestamp passed through to {@code mk_safe}
 * @param seqNumber passed through to {@code mk_safe}
 * @param saddr passed through to {@code mk_safe}
 * @param raddr passed through to {@code mk_safe}
 * @throws KrbException propagated from {@code mk_safe}
 * @throws IOException propagated from {@code mk_safe}
 */
public KrbSafe(byte[] userData,
               Credentials creds,
               EncryptionKey subKey,
               KerberosTime timestamp,
               SeqNumber seqNumber,
               HostAddress saddr,
               HostAddress raddr
               )  throws KrbException, IOException {
    // The caller-supplied sub key wins over the key stored in the credentials.
    final EncryptionKey chosenKey = (subKey != null) ? subKey : creds.key;

    obuf = mk_safe(userData, chosenKey, timestamp, seqNumber, saddr, raddr);
}
 
Example #13
Source File: KerberosClientKeyExchangeImpl.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Creates an instance of KerberosClientKeyExchange consisting of the
 * Kerberos service ticket, authenticator and encrypted premaster secret.
 * Called by client handshaker.
 *
 * @param serverName name of server with which to do handshake;
 *             this is used to get the Kerberos service ticket
 * @param acc access control context passed to getServiceTicket when
 *             obtaining the service ticket
 * @param protocolVersion Maximum version supported by client (i.e,
 *          version it requested in client hello)
 * @param rand random number generator to use for generating pre-master
 *          secret
 */
@Override
public void init(String serverName,
    AccessControlContext acc, ProtocolVersion protocolVersion,
    SecureRandom rand) throws IOException {

    // Obtain the service ticket and keep its encoded form.
    final KerberosTicket serviceTicket = getServiceTicket(serverName, acc);
    encodedTicket = serviceTicket.getEncoded();

    // Both principals are taken from the ticket itself.
    peerPrincipal = serviceTicket.getServer();
    localPrincipal = serviceTicket.getClient();

    // Optional authenticator, encrypted using session key,
    // currently ignored

    // Rebuild the session key from the ticket, then generate the premaster
    // secret and encrypt it under that key.
    // NOTE(review): keyBytes holds raw session-key material and is not
    // cleared in this method.
    final int keyType = serviceTicket.getSessionKeyType();
    final byte[] keyBytes = serviceTicket.getSessionKey().getEncoded();
    preMaster = new KerberosPreMasterSecret(protocolVersion, rand,
        new EncryptionKey(keyType, keyBytes));
}
 
Example #14
Source File: ServiceCreds.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Gets EKeys for a principal.
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 */
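public EncryptionKey[] getEKeys(PrincipalName princ) {
    // A destroyed object must not hand out key material.
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        //
        // NOTE(review): on this path the requested name no longer limits
        // which keys are returned; acceptance then rests only on whether
        // one of these keys decrypts the ticket.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < kkeys.length; i++) {
        KerberosKey kkey = kkeys[i];
        // Integer.valueOf replaces the boxing constructor new Integer(int).
        ekeys[i] = new EncryptionKey(
                kkey.getEncoded(), kkey.getKeyType(),
                Integer.valueOf(kkey.getVersionNumber()));
    }
    return ekeys;
}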
 
Example #15
Source File: ServiceCreds.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Gets EKeys for a principal.
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 */
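public EncryptionKey[] getEKeys(PrincipalName princ) {
    // A destroyed object must not hand out key material.
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        //
        // NOTE(review): on this path the requested name no longer limits
        // which keys are returned; acceptance then rests only on whether
        // one of these keys decrypts the ticket.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < kkeys.length; i++) {
        KerberosKey kkey = kkeys[i];
        // Integer.valueOf replaces the boxing constructor new Integer(int).
        ekeys[i] = new EncryptionKey(
                kkey.getEncoded(), kkey.getKeyType(),
                Integer.valueOf(kkey.getVersionNumber()));
    }
    return ekeys;
}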
 
Example #16
Source File: EncKDCRepPart.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Creates an EncKDCRepPart from already-built components.
 *
 * <p>Each argument is stored in the field whose name is the parameter name
 * without its {@code new_} prefix. Nothing is validated or copied, so the
 * object keeps the caller's references, including the
 * {@code EncryptionKey} passed as {@code new_key}.
 *
 * @param new_key stored in {@code key}
 * @param new_lastReq stored in {@code lastReq}
 * @param new_nonce stored in {@code nonce}
 * @param new_keyExpiration stored in {@code keyExpiration}
 * @param new_flags stored in {@code flags}
 * @param new_authtime stored in {@code authtime}
 * @param new_starttime stored in {@code starttime}
 * @param new_endtime stored in {@code endtime}
 * @param new_renewTill stored in {@code renewTill}
 * @param new_sname stored in {@code sname}
 * @param new_caddr stored in {@code caddr}
 * @param new_msgType stored in {@code msgType}
 */
public EncKDCRepPart(
        EncryptionKey new_key,
        LastReq new_lastReq,
        int new_nonce,
        KerberosTime new_keyExpiration,
        TicketFlags new_flags,
        KerberosTime new_authtime,
        KerberosTime new_starttime,
        KerberosTime new_endtime,
        KerberosTime new_renewTill,
        PrincipalName new_sname,
        HostAddresses new_caddr,
        int new_msgType) {
    // Scalars.
    this.msgType = new_msgType;
    this.nonce = new_nonce;

    // Key and its expiration; the key reference is shared with the caller.
    this.key = new_key;
    this.keyExpiration = new_keyExpiration;

    // Validity window.
    this.authtime = new_authtime;
    this.starttime = new_starttime;
    this.endtime = new_endtime;
    this.renewTill = new_renewTill;

    // Remaining components.
    this.lastReq = new_lastReq;
    this.flags = new_flags;
    this.sname = new_sname;
    this.caddr = new_caddr;
}
 
Example #17
Source File: Krb5Util.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Builds a {@link KerberosTicket} from the given service credentials.
 *
 * <p>The ticket receives the encoded credentials, the client and server
 * principal names (the server with name type
 * {@code KerberosPrincipal.KRB_NT_SRV_INST}), the flags, the four
 * timestamps and the client addresses. It also receives the session key's
 * bytes and encryption type, so the returned object carries session-key
 * material and should be handled accordingly.
 *
 * @param serviceCreds credentials to convert; its session key, client and
 *        server are dereferenced and must be present
 * @return a new ticket populated from {@code serviceCreds}
 */
public static KerberosTicket credsToTicket(Credentials serviceCreds) {
    final EncryptionKey key = serviceCreds.getSessionKey();
    final byte[] encodedCreds = serviceCreds.getEncoded();
    final KerberosPrincipal client =
        new KerberosPrincipal(serviceCreds.getClient().getName());
    final KerberosPrincipal server =
        new KerberosPrincipal(serviceCreds.getServer().getName(),
                              KerberosPrincipal.KRB_NT_SRV_INST);

    return new KerberosTicket(
        encodedCreds,
        client,
        server,
        key.getBytes(),
        key.getEType(),
        serviceCreds.getFlags(),
        serviceCreds.getAuthTime(),
        serviceCreds.getStartTime(),
        serviceCreds.getEndTime(),
        serviceCreds.getRenewTill(),
        serviceCreds.getClientAddresses());
}
 
Example #18
Source File: EncKDCRepPart.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Creates an EncKDCRepPart from already-built components.
 *
 * <p>Each argument is stored in the field whose name is the parameter name
 * without its {@code new_} prefix. Nothing is validated or copied, so the
 * object keeps the caller's references, including the
 * {@code EncryptionKey} passed as {@code new_key}.
 *
 * @param new_key stored in {@code key}
 * @param new_lastReq stored in {@code lastReq}
 * @param new_nonce stored in {@code nonce}
 * @param new_keyExpiration stored in {@code keyExpiration}
 * @param new_flags stored in {@code flags}
 * @param new_authtime stored in {@code authtime}
 * @param new_starttime stored in {@code starttime}
 * @param new_endtime stored in {@code endtime}
 * @param new_renewTill stored in {@code renewTill}
 * @param new_sname stored in {@code sname}
 * @param new_caddr stored in {@code caddr}
 * @param new_msgType stored in {@code msgType}
 */
public EncKDCRepPart(
        EncryptionKey new_key,
        LastReq new_lastReq,
        int new_nonce,
        KerberosTime new_keyExpiration,
        TicketFlags new_flags,
        KerberosTime new_authtime,
        KerberosTime new_starttime,
        KerberosTime new_endtime,
        KerberosTime new_renewTill,
        PrincipalName new_sname,
        HostAddresses new_caddr,
        int new_msgType) {
    // Scalars.
    this.msgType = new_msgType;
    this.nonce = new_nonce;

    // Key and its expiration; the key reference is shared with the caller.
    this.key = new_key;
    this.keyExpiration = new_keyExpiration;

    // Validity window.
    this.authtime = new_authtime;
    this.starttime = new_starttime;
    this.endtime = new_endtime;
    this.renewTill = new_renewTill;

    // Remaining components.
    this.lastReq = new_lastReq;
    this.flags = new_flags;
    this.sname = new_sname;
    this.caddr = new_caddr;
}
 
Example #19
Source File: Krb5Util.java    From openjdk-8-source with GNU General Public License v2.0
/**
 * Builds a {@link KerberosTicket} from the given service credentials.
 *
 * <p>The ticket receives the encoded credentials, the client and server
 * principal names (the server with name type
 * {@code KerberosPrincipal.KRB_NT_SRV_INST}), the flags, the four
 * timestamps and the client addresses. It also receives the session key's
 * bytes and encryption type, so the returned object carries session-key
 * material and should be handled accordingly.
 *
 * @param serviceCreds credentials to convert; its session key, client and
 *        server are dereferenced and must be present
 * @return a new ticket populated from {@code serviceCreds}
 */
public static KerberosTicket credsToTicket(Credentials serviceCreds) {
    final EncryptionKey key = serviceCreds.getSessionKey();
    final byte[] encodedCreds = serviceCreds.getEncoded();
    final KerberosPrincipal client =
        new KerberosPrincipal(serviceCreds.getClient().getName());
    final KerberosPrincipal server =
        new KerberosPrincipal(serviceCreds.getServer().getName(),
                              KerberosPrincipal.KRB_NT_SRV_INST);

    return new KerberosTicket(
        encodedCreds,
        client,
        server,
        key.getBytes(),
        key.getEType(),
        serviceCreds.getFlags(),
        serviceCreds.getAuthTime(),
        serviceCreds.getStartTime(),
        serviceCreds.getEndTime(),
        serviceCreds.getRenewTill(),
        serviceCreds.getClientAddresses());
}
 
Example #20
Source File: KerberosClientKeyExchangeImpl.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Creates an instance of KerberosClientKeyExchange consisting of the
 * Kerberos service ticket, authenticator and encrypted premaster secret.
 * Called by client handshaker.
 *
 * @param serverName name of server with which to do handshake;
 *             this is used to get the Kerberos service ticket
 * @param acc access control context passed to getServiceTicket when
 *             obtaining the service ticket
 * @param protocolVersion Maximum version supported by client (i.e,
 *          version it requested in client hello)
 * @param rand random number generator to use for generating pre-master
 *          secret
 */
@Override
public void init(String serverName,
    AccessControlContext acc, ProtocolVersion protocolVersion,
    SecureRandom rand) throws IOException {

    // Obtain the service ticket and keep its encoded form.
    final KerberosTicket serviceTicket = getServiceTicket(serverName, acc);
    encodedTicket = serviceTicket.getEncoded();

    // Both principals are taken from the ticket itself.
    peerPrincipal = serviceTicket.getServer();
    localPrincipal = serviceTicket.getClient();

    // Optional authenticator, encrypted using session key,
    // currently ignored

    // Rebuild the session key from the ticket, then generate the premaster
    // secret and encrypt it under that key.
    // NOTE(review): keyBytes holds raw session-key material and is not
    // cleared in this method.
    final int keyType = serviceTicket.getSessionKeyType();
    final byte[] keyBytes = serviceTicket.getSessionKey().getEncoded();
    preMaster = new KerberosPreMasterSecret(protocolVersion, rand,
        new EncryptionKey(keyType, keyBytes));
}
 
Example #21
Source File: EncKDCRepPart.java    From hottub with GNU General Public License v2.0
/**
 * Creates an EncKDCRepPart from already-built components.
 *
 * <p>Each argument is stored in the field whose name is the parameter name
 * without its {@code new_} prefix. Nothing is validated or copied, so the
 * object keeps the caller's references, including the
 * {@code EncryptionKey} passed as {@code new_key}.
 *
 * @param new_key stored in {@code key}
 * @param new_lastReq stored in {@code lastReq}
 * @param new_nonce stored in {@code nonce}
 * @param new_keyExpiration stored in {@code keyExpiration}
 * @param new_flags stored in {@code flags}
 * @param new_authtime stored in {@code authtime}
 * @param new_starttime stored in {@code starttime}
 * @param new_endtime stored in {@code endtime}
 * @param new_renewTill stored in {@code renewTill}
 * @param new_sname stored in {@code sname}
 * @param new_caddr stored in {@code caddr}
 * @param new_msgType stored in {@code msgType}
 */
public EncKDCRepPart(
        EncryptionKey new_key,
        LastReq new_lastReq,
        int new_nonce,
        KerberosTime new_keyExpiration,
        TicketFlags new_flags,
        KerberosTime new_authtime,
        KerberosTime new_starttime,
        KerberosTime new_endtime,
        KerberosTime new_renewTill,
        PrincipalName new_sname,
        HostAddresses new_caddr,
        int new_msgType) {
    // Scalars.
    this.msgType = new_msgType;
    this.nonce = new_nonce;

    // Key and its expiration; the key reference is shared with the caller.
    this.key = new_key;
    this.keyExpiration = new_keyExpiration;

    // Validity window.
    this.authtime = new_authtime;
    this.starttime = new_starttime;
    this.endtime = new_endtime;
    this.renewTill = new_renewTill;

    // Remaining components.
    this.lastReq = new_lastReq;
    this.flags = new_flags;
    this.sname = new_sname;
    this.caddr = new_caddr;
}
 
Example #22
Source File: KerberosClientKeyExchangeImpl.java    From jdk8u_jdk with GNU General Public License v2.0
/**
 * Creates an instance of KerberosClientKeyExchange consisting of the
 * Kerberos service ticket, authenticator and encrypted premaster secret.
 * Called by client handshaker.
 *
 * @param serverName name of server with which to do handshake;
 *             this is used to get the Kerberos service ticket
 * @param acc access control context passed to getServiceTicket when
 *             obtaining the service ticket
 * @param protocolVersion Maximum version supported by client (i.e,
 *          version it requested in client hello)
 * @param rand random number generator to use for generating pre-master
 *          secret
 */
@Override
public void init(String serverName,
    AccessControlContext acc, ProtocolVersion protocolVersion,
    SecureRandom rand) throws IOException {

    // Obtain the service ticket and keep its encoded form.
    final KerberosTicket serviceTicket = getServiceTicket(serverName, acc);
    encodedTicket = serviceTicket.getEncoded();

    // Both principals are taken from the ticket itself.
    peerPrincipal = serviceTicket.getServer();
    localPrincipal = serviceTicket.getClient();

    // Optional authenticator, encrypted using session key,
    // currently ignored

    // Rebuild the session key from the ticket, then generate the premaster
    // secret and encrypt it under that key.
    // NOTE(review): keyBytes holds raw session-key material and is not
    // cleared in this method.
    final int keyType = serviceTicket.getSessionKeyType();
    final byte[] keyBytes = serviceTicket.getSessionKey().getEncoded();
    preMaster = new KerberosPreMasterSecret(protocolVersion, rand,
        new EncryptionKey(keyType, keyBytes));
}
 
Example #23
Source File: EncKDCRepPart.java    From jdk8u-dev-jdk with GNU General Public License v2.0
/**
 * Creates an EncKDCRepPart from already-built components.
 *
 * <p>Each argument is stored in the field whose name is the parameter name
 * without its {@code new_} prefix. Nothing is validated or copied, so the
 * object keeps the caller's references, including the
 * {@code EncryptionKey} passed as {@code new_key}.
 *
 * @param new_key stored in {@code key}
 * @param new_lastReq stored in {@code lastReq}
 * @param new_nonce stored in {@code nonce}
 * @param new_keyExpiration stored in {@code keyExpiration}
 * @param new_flags stored in {@code flags}
 * @param new_authtime stored in {@code authtime}
 * @param new_starttime stored in {@code starttime}
 * @param new_endtime stored in {@code endtime}
 * @param new_renewTill stored in {@code renewTill}
 * @param new_sname stored in {@code sname}
 * @param new_caddr stored in {@code caddr}
 * @param new_msgType stored in {@code msgType}
 */
public EncKDCRepPart(
        EncryptionKey new_key,
        LastReq new_lastReq,
        int new_nonce,
        KerberosTime new_keyExpiration,
        TicketFlags new_flags,
        KerberosTime new_authtime,
        KerberosTime new_starttime,
        KerberosTime new_endtime,
        KerberosTime new_renewTill,
        PrincipalName new_sname,
        HostAddresses new_caddr,
        int new_msgType) {
    // Scalars.
    this.msgType = new_msgType;
    this.nonce = new_nonce;

    // Key and its expiration; the key reference is shared with the caller.
    this.key = new_key;
    this.keyExpiration = new_keyExpiration;

    // Validity window.
    this.authtime = new_authtime;
    this.starttime = new_starttime;
    this.endtime = new_endtime;
    this.renewTill = new_renewTill;

    // Remaining components.
    this.lastReq = new_lastReq;
    this.flags = new_flags;
    this.sname = new_sname;
    this.caddr = new_caddr;
}
 
Example #24
Source File: KrbSafe.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Creates a KrbSafe from application data by calling {@code mk_safe} and
 * storing its result in {@code obuf}.
 *
 * <p>Key selection: a non-null {@code subKey} is always used; only when it
 * is {@code null} is {@code creds.key} read, so {@code creds} may not be
 * {@code null} in that case.
 *
 * @param userData data handed to {@code mk_safe}
 * @param creds credentials supplying the fallback key
 * @param subKey preferred key, or {@code null} to fall back to {@code creds.key}
 * @param timestamp passed through to {@code mk_safe}
 * @param seqNumber passed through to {@code mk_safe}
 * @param saddr passed through to {@code mk_safe}
 * @param raddr passed through to {@code mk_safe}
 * @throws KrbException propagated from {@code mk_safe}
 * @throws IOException propagated from {@code mk_safe}
 */
public KrbSafe(byte[] userData,
               Credentials creds,
               EncryptionKey subKey,
               KerberosTime timestamp,
               SeqNumber seqNumber,
               HostAddress saddr,
               HostAddress raddr
               )  throws KrbException, IOException {
    // The caller-supplied sub key wins over the key stored in the credentials.
    final EncryptionKey chosenKey = (subKey != null) ? subKey : creds.key;

    obuf = mk_safe(userData, chosenKey, timestamp, seqNumber, saddr, raddr);
}
 
Example #25
Source File: KerberosPreMasterSecret.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Constructor used by client to generate premaster secret.
 *
 * Client randomly creates a pre-master secret and encrypts it
 * using the Kerberos session key; only the server can decrypt
 * it, using the session key available in the service ticket.
 *
 * @param protocolVersion used to set preMaster[0,1]
 * @param generator random number generator for generating premaster secret
 * @param sessionKey Kerberos session key for encrypting premaster secret
 */
KerberosPreMasterSecret(ProtocolVersion protocolVersion,
    SecureRandom generator, EncryptionKey sessionKey) throws IOException {

    // Reject des3-cbc-hmac-sha1-kd session keys up front, before any
    // secret material is generated.
    final boolean unsupportedEType = sessionKey.getEType()
        == EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
    if (unsupportedEType) {
        throw new IOException(
           "session keys with des3-cbc-hmac-sha1-kd encryption type " +
           "are not supported for TLS Kerberos cipher suites");
    }

    this.protocolVersion = protocolVersion;
    preMaster = generatePreMaster(generator, protocolVersion);

    // Encrypt the pre-master secret under the session key. The key usage
    // passed is KeyUsage.KU_UNKNOWN, and what is kept in `encrypted` is the
    // raw ciphertext, not an ASN.1 encoding.
    // NOTE(review): the TLS Kerberos cipher suites are a legacy mechanism;
    // confirm the target JDK still supports them before relying on this path.
    try {
        final EncryptedData sealed = new EncryptedData(
            sessionKey, preMaster, KeyUsage.KU_UNKNOWN);
        encrypted = sealed.getBytes();
    } catch (KrbException e) {
        // Surface Kerberos failures as a TLS key error, keeping the cause.
        final SSLKeyException failure =
            new SSLKeyException("Kerberos premaster secret error");
        failure.initCause(e);
        throw failure;
    }
}
 
Example #26
Source File: KrbSafe.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Creates a KrbSafe from application data by calling {@code mk_safe} and
 * storing its result in {@code obuf}.
 *
 * <p>Key selection: a non-null {@code subKey} is always used; only when it
 * is {@code null} is {@code creds.key} read, so {@code creds} may not be
 * {@code null} in that case.
 *
 * @param userData data handed to {@code mk_safe}
 * @param creds credentials supplying the fallback key
 * @param subKey preferred key, or {@code null} to fall back to {@code creds.key}
 * @param timestamp passed through to {@code mk_safe}
 * @param seqNumber passed through to {@code mk_safe}
 * @param saddr passed through to {@code mk_safe}
 * @param raddr passed through to {@code mk_safe}
 * @throws KrbException propagated from {@code mk_safe}
 * @throws IOException propagated from {@code mk_safe}
 */
public KrbSafe(byte[] userData,
               Credentials creds,
               EncryptionKey subKey,
               KerberosTime timestamp,
               SeqNumber seqNumber,
               HostAddress saddr,
               HostAddress raddr
               )  throws KrbException, IOException {
    // The caller-supplied sub key wins over the key stored in the credentials.
    final EncryptionKey chosenKey = (subKey != null) ? subKey : creds.key;

    obuf = mk_safe(userData, chosenKey, timestamp, seqNumber, saddr, raddr);
}
 
Example #27
Source File: KeyImpl.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Constructs a KeyImpl from a password.
 *
 * @param principal the principal from which to derive the salt
 * @param password the password that should be used to compute the
 * key.
 * @param algorithm the name for the algorithm that this key will be
 * used for. This parameter may be null in which case "DES" will be
 * assumed.
 */
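public KeyImpl(KerberosPrincipal principal,
               char[] password,
               String algorithm) {

    try {
        // The salt comes from the principal name; EncryptionKey performs the
        // password-to-key derivation for the requested algorithm.
        // NOTE(review): the password array is not cleared here, so the
        // caller remains responsible for zeroing it. Where the algorithm is
        // left null the documented default applies; callers should name the
        // algorithm they intend rather than rely on it.
        PrincipalName princ = new PrincipalName(principal.getName());
        EncryptionKey key =
            new EncryptionKey(password, princ.getSalt(), algorithm);
        this.keyBytes = key.getBytes();
        this.keyType = key.getEType();
    } catch (KrbException e) {
        // Keep the KrbException as the cause so the Kerberos error detail
        // is not lost to callers and logs.
        throw new IllegalArgumentException(e.getMessage(), e);
    }
}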
 
Example #28
Source File: KeyImpl.java    From openjdk-8-source with GNU General Public License v2.0
/**
 * Constructs a KeyImpl from a password.
 *
 * @param principal the principal from which to derive the salt
 * @param password the password that should be used to compute the
 * key.
 * @param algorithm the name for the algorithm that this key will be
 * used for. This parameter may be null in which case "DES" will be
 * assumed.
 */
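public KeyImpl(KerberosPrincipal principal,
               char[] password,
               String algorithm) {

    try {
        // The salt comes from the principal name; EncryptionKey performs the
        // password-to-key derivation for the requested algorithm.
        // NOTE(review): the password array is not cleared here, so the
        // caller remains responsible for zeroing it. Where the algorithm is
        // left null the documented default applies; callers should name the
        // algorithm they intend rather than rely on it.
        PrincipalName princ = new PrincipalName(principal.getName());
        EncryptionKey key =
            new EncryptionKey(password, princ.getSalt(), algorithm);
        this.keyBytes = key.getBytes();
        this.keyType = key.getEType();
    } catch (KrbException e) {
        // Keep the KrbException as the cause so the Kerberos error detail
        // is not lost to callers and logs.
        throw new IllegalArgumentException(e.getMessage(), e);
    }
}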
 
Example #29
Source File: KrbSafe.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Verifies a KRB_SAFE message and returns the user data it carries.
 *
 * <p>The safe body is ASN.1-encoded again and its keyed checksum is
 * verified with {@code key} under {@code KeyUsage.KU_KRB_SAFE_CKSUM}; this
 * happens before any body field is acted on, and a mismatch is reported as
 * {@code Krb5.KRB_AP_ERR_MODIFIED}. The body's timestamp, microseconds,
 * sequence number and addresses are then passed to {@code check} together
 * with the caller's expected values. The user data is returned only after
 * both steps complete. Nothing in this method decrypts the payload: the
 * checksum authenticates the body, it does not conceal it.
 *
 * @param krb_safe parsed message to verify
 * @param key key used to verify the keyed checksum
 * @param seqNumber expected sequence number, passed to {@code check}
 * @param sAddress expected sender address, passed to {@code check}
 * @param rAddress expected recipient address, passed to {@code check}
 * @param timestampRequired passed to {@code check}
 * @param seqNumberRequired passed to {@code check}
 * @param cname client name, passed to {@code check}
 * @return the {@code userData} field of the verified safe body
 * @throws KrbApErrException with {@code KRB_AP_ERR_MODIFIED} when the
 *         checksum does not verify
 */
private byte[] rd_safe(KRBSafe krb_safe,
                       EncryptionKey key,
                       SeqNumber seqNumber,
                       HostAddress sAddress,
                       HostAddress rAddress,
                       boolean timestampRequired,
                       boolean seqNumberRequired,
                       PrincipalName cname
                       ) throws Asn1Exception, KdcErrException,
                                KrbApErrException, IOException, KrbCryptoException {

    final byte[] encodedBody = krb_safe.safeBody.asn1Encode();

    // Integrity first: refuse the message if the keyed checksum fails.
    final boolean checksumOk = krb_safe.cksum.verifyKeyedChecksum(
        encodedBody, key, KeyUsage.KU_KRB_SAFE_CKSUM);
    if (!checksumOk) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
    }

    // Then compare the authenticated body fields with what the caller expects.
    check(krb_safe.safeBody.timestamp,
          krb_safe.safeBody.usec,
          krb_safe.safeBody.seqNumber,
          krb_safe.safeBody.sAddress,
          krb_safe.safeBody.rAddress,
          seqNumber,
          sAddress,
          rAddress,
          timestampRequired,
          seqNumberRequired,
          cname);

    return krb_safe.safeBody.userData;
}
 
Example #30
Source File: KrbSafe.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Creates a KrbSafe from an encoded message: {@code msg} is parsed into a
 * {@code KRBSafe}, handed to {@code rd_safe} for verification, and the
 * result is stored in {@code userData}.
 *
 * <p>Key selection: a non-null {@code subKey} is used; otherwise
 * {@code creds.key}. {@code creds.client} is read in either case, so
 * {@code creds} must not be {@code null}.
 *
 * @param msg encoded message to parse
 * @param creds credentials supplying the fallback key and the client name
 * @param subKey preferred key, or {@code null} to fall back to {@code creds.key}
 * @param seqNumber passed through to {@code rd_safe}
 * @param saddr passed through to {@code rd_safe}
 * @param raddr passed through to {@code rd_safe}
 * @param timestampRequired passed through to {@code rd_safe}
 * @param seqNumberRequired passed through to {@code rd_safe}
 * @throws KrbException propagated from parsing or {@code rd_safe}
 * @throws IOException propagated from parsing or {@code rd_safe}
 */
public KrbSafe(byte[] msg,
               Credentials creds,
               EncryptionKey subKey,
               SeqNumber seqNumber,
               HostAddress saddr,
               HostAddress raddr,
               boolean timestampRequired,
               boolean seqNumberRequired
               )  throws KrbException, IOException {

    // Parse first; key selection and verification follow.
    final KRBSafe parsed = new KRBSafe(msg);

    // The caller-supplied sub key wins over the key stored in the credentials.
    final EncryptionKey chosenKey = (subKey != null) ? subKey : creds.key;

    userData = rd_safe(parsed, chosenKey, seqNumber, saddr, raddr,
                       timestampRequired, seqNumberRequired, creds.client);
}