KDC.java 65.1 KB
Newer Older
W
weijun 已提交
1
/*
2
 * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
W
weijun 已提交
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
19 20 21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
W
weijun 已提交
22 23 24 25 26 27 28 29 30
 */

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.net.*;
import java.io.*;
import java.lang.reflect.Method;
import java.security.SecureRandom;
31 32 33 34
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
W
weijun 已提交
35 36
import java.util.*;
import java.util.concurrent.*;
37

W
weijun 已提交
38 39
import sun.net.spi.nameservice.NameService;
import sun.net.spi.nameservice.NameServiceDescriptor;
W
weijun 已提交
40 41
import sun.security.krb5.*;
import sun.security.krb5.internal.*;
42
import sun.security.krb5.internal.ccache.CredentialsCache;
W
weijun 已提交
43 44 45 46 47
import sun.security.krb5.internal.crypto.KeyUsage;
import sun.security.krb5.internal.ktab.KeyTab;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
48 49
import java.util.regex.Matcher;
import java.util.regex.Pattern;
W
weijun 已提交
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72

/**
 * A KDC server.
 * <p>
 * Features:
 * <ol>
 * <li> Supports TCP and UDP
 * <li> Supports AS-REQ and TGS-REQ
 * <li> Principal db and other settings hard coded in application
 * <li> Options, say, request preauth or not
 * </ol>
 * Side effects:
 * <ol>
 * <li> The Sun-internal class <code>sun.security.krb5.Config</code> is a
 * singleton and initialized according to Kerberos settings (krb5.conf and
 * java.security.krb5.* system properties). This means once it's initialized
 * it will not automatically notice any changes to these settings (or file
 * changes of krb5.conf). The KDC class normally does not touch these
 * settings (except for the <code>writeKtab()</code> method). However, to make
 * sure nothing ever goes wrong, if you want to make any changes to these
 * settings after calling a KDC method, call <code>Config.refresh()</code> to
 * make sure your changes are reflected in the <code>Config</code> object.
 * </ol>
W
weijun 已提交
73 74 75 76
 * System properties recognized:
 * <ul>
 * <li>test.kdc.save.ccache
 * </ul>
W
weijun 已提交
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131
 * Issues and TODOs:
 * <ol>
 * <li> Generates krb5.conf to be used on another machine, currently the kdc is
 * always localhost
 * <li> More options to KDC, say, error output, say, response nonce !=
 * request nonce
 * </ol>
 * Note: This program uses internal krb5 classes (including reflection to
 * access private fields and methods).
 * <p>
 * Usages:
 * <p>
 * 1. Init and start the KDC:
 * <pre>
 * KDC kdc = KDC.create("REALM.NAME", port, isDaemon);
 * KDC kdc = KDC.create("REALM.NAME");
 * </pre>
 * Here, <code>port</code> is the UDP and TCP port number the KDC server
 * listens on. If zero, a random port is chosen, which you can use getPort()
 * later to retrieve the value.
 * <p>
 * If <code>isDaemon</code> is true, the KDC worker threads will be daemons.
 * <p>
 * The shortcut <code>KDC.create("REALM.NAME")</code> has port=0 and
 * isDaemon=false, and is commonly used in an embedded KDC.
 * <p>
 * 2. Adding users:
 * <pre>
 * kdc.addPrincipal(String principal_name, char[] password);
 * kdc.addPrincipalRandKey(String principal_name);
 * </pre>
 * A service principal's name should look like "host/f.q.d.n". The second form
 * generates a random key. To expose this key, call <code>writeKtab()</code> to
 * save the keys into a keytab file.
 * <p>
 * Note that you need to add the principal name krbtgt/REALM.NAME yourself.
 * <p>
 * Note that you can safely add a principal at any time after the KDC is
 * started and before a user requests info on this principal.
 * <p>
 * 3. Other public methods:
 * <ul>
 * <li> <code>getPort</code>: Returns the port number the KDC uses
 * <li> <code>getRealm</code>: Returns the realm name
 * <li> <code>writeKtab</code>: Writes all principals' keys into a keytab file
 * <li> <code>saveConfig</code>: Saves a krb5.conf file to access this KDC
 * <li> <code>setOption</code>: Sets various options
 * </ul>
 * Read the javadoc for details. Lazy developer can use <code>OneKDC</code>
 * directly.
 */
public class KDC {

    // Under the hood.

132 133 134
    public static final int DEFAULT_LIFETIME = 39600;
    public static final int DEFAULT_RENEWTIME = 86400;

W
weijun 已提交
135 136
    // The random generator to generate random keys (including session keys)
    private static SecureRandom secureRandom = new SecureRandom();
137 138 139 140

    // Principal db. principal -> pass. A case-insensitive TreeMap is used
    // so that even if the client provides a name with different case, the KDC
    // can still locate the principal and give back correct salt.
141
    private TreeMap<String,char[]> passwords = new TreeMap<>
142 143
            (String.CASE_INSENSITIVE_ORDER);

144 145 146 147 148 149 150 151
    // Alias for referrals.
    private TreeMap<String,KDC> aliasReferrals = new TreeMap<>
            (String.CASE_INSENSITIVE_ORDER);

    // Alias for local resolution.
    private TreeMap<String,PrincipalName> alias2Principals = new TreeMap<>
            (String.CASE_INSENSITIVE_ORDER);

W
weijun 已提交
152 153
    // Realm name
    private String realm;
W
weijun 已提交
154 155
    // KDC
    private String kdc;
W
weijun 已提交
156 157
    // Service port number
    private int port;
W
weijun 已提交
158
    // The request/response job queue
159
    private BlockingQueue<Job> q = new ArrayBlockingQueue<>(100);
W
weijun 已提交
160
    // Options
161
    private Map<Option,Object> options = new HashMap<>();
162 163
    // Realm-specific krb5.conf settings
    private List<String> conf = new ArrayList<>();
W
weijun 已提交
164

165
    private Thread thread1, thread2, thread3;
166 167 168
    private volatile boolean udpConsumerReady = false;
    private volatile boolean tcpConsumerReady = false;
    private volatile boolean dispatcherReady = false;
169 170 171
    DatagramSocket u1 = null;
    ServerSocket t1 = null;

172 173
    public static enum KtabMode { APPEND, EXISTING };

W
weijun 已提交
174 175 176 177 178 179 180 181
    /**
     * Option names, to be expanded forever.
     */
    public static enum Option {
        /**
         * Whether pre-authentication is required. Default Boolean.TRUE
         */
        PREAUTH_REQUIRED,
182
        /**
183
         * Only issue TGT in RC4
184 185
         */
        ONLY_RC4_TGT,
186
        /**
187
         * Use RC4 as the first in preauth
188
         */
189 190 191 192 193
        RC4_FIRST_PREAUTH,
        /**
         * Use only one preauth, so that some keys are not easy to generate
         */
        ONLY_ONE_PREAUTH,
194 195 196 197
        /**
         * Set all name-type to a value in response
         */
        RESP_NT,
198 199 200 201
        /**
         * Multiple ETYPE-INFO-ENTRY with same etype but different salt
         */
        DUP_ETYPE,
W
weijun 已提交
202 203 204 205
        /**
         * What backend server can be delegated to
         */
        OK_AS_DELEGATE,
206 207 208 209 210 211 212 213 214 215 216 217 218 219
        /**
         * Allow S4U2self, List<String> of middle servers.
         * If not set, means KDC does not understand S4U2self at all, therefore
         * would ignore any PA-FOR-USER request and send a ticket using the
         * cname of teh requestor. If set, it returns FORWARDABLE tickets to
         * a server with its name in the list
         */
        ALLOW_S4U2SELF,
        /**
         * Allow S4U2proxy, Map<String,List<String>> of middle servers to
         * backends. If not set or a backend not in a server's list,
         * Krb5.KDC_ERR_POLICY will be send for S4U2proxy request.
         */
        ALLOW_S4U2PROXY,
220 221 222 223
        /**
         * Sensitive accounts can never be delegated.
         */
        SENSITIVE_ACCOUNTS,
W
weijun 已提交
224 225
    };

226 227 228
    //static {
    //    System.setProperty("sun.net.spi.nameservice.provider.1", "ns,mock");
    //}
W
weijun 已提交
229

W
weijun 已提交
230 231 232 233
    /**
     * A standalone KDC server.
     */
    public static void main(String[] args) throws Exception {
W
weijun 已提交
234
        KDC kdc = create("RABBIT.HOLE", "kdc.rabbit.hole", 0, false);
W
weijun 已提交
235 236
        kdc.addPrincipal("dummy", "bogus".toCharArray());
        kdc.addPrincipal("foo", "bar".toCharArray());
W
weijun 已提交
237 238 239 240
        kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE");
        kdc.addPrincipalRandKey("server/host.rabbit.hole");
        kdc.addPrincipalRandKey("backend/host.rabbit.hole");
        KDC.saveConfig("krb5.conf", kdc, "forwardable = true");
W
weijun 已提交
241 242 243 244 245 246 247 248 249
    }

    /**
     * Creates and starts a KDC running as a daemon on a random port.
     * @param realm the realm name
     * @return the running KDC instance
     * @throws java.io.IOException for any socket creation error
     */
    public static KDC create(String realm) throws IOException {
W
weijun 已提交
250
        return create(realm, "kdc." + realm.toLowerCase(), 0, true);
W
weijun 已提交
251 252
    }

253 254 255 256 257 258
    public static KDC existing(String realm, String kdc, int port) {
        KDC k = new KDC(realm, kdc);
        k.port = port;
        return k;
    }

W
weijun 已提交
259 260 261 262 263 264 265 266 267
    /**
     * Creates and starts a KDC server.
     * @param realm the realm name
     * @param port the TCP and UDP port to listen to. A random port will to
     *        chosen if zero.
     * @param asDaemon if true, KDC threads will be daemons. Otherwise, not.
     * @return the running KDC instance
     * @throws java.io.IOException for any socket creation error
     */
W
weijun 已提交
268 269
    public static KDC create(String realm, String kdc, int port, boolean asDaemon) throws IOException {
        return new KDC(realm, kdc, port, asDaemon);
W
weijun 已提交
270 271 272 273 274
    }

    /**
     * Sets an option
     * @param key the option name
275
     * @param value the value
W
weijun 已提交
276 277
     */
    public void setOption(Option key, Object value) {
W
weijun 已提交
278 279 280 281 282
        if (value == null) {
            options.remove(key);
        } else {
            options.put(key, value);
        }
W
weijun 已提交
283 284 285
    }

    /**
W
weijun 已提交
286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302
     * Writes or appends keys into a keytab.
     * <p>
     * Attention: This is the most basic one of a series of methods below on
     * keytab creation or modification. All these methods reference krb5.conf
     * settings. If you need to modify krb5.conf or switch to another krb5.conf
     * later, please call <code>Config.refresh()</code> again. For example:
     * <pre>
     * kdc.writeKtab("/etc/kdc/ktab", true);  // Config is initialized,
     * System.setProperty("java.security.krb5.conf", "/home/mykrb5.conf");
     * Config.refresh();
     * </pre>
     * Inside this method there are 2 places krb5.conf is used:
     * <ol>
     * <li> (Fatal) Generating keys: EncryptionKey.acquireSecretKeys
     * <li> (Has workaround) Creating PrincipalName
     * </ol>
     * @param tab the keytab file name
W
weijun 已提交
303
     * @param append true if append, otherwise, overwrite.
W
weijun 已提交
304
     * @param names the names to write into, write all if names is empty
W
weijun 已提交
305
     */
W
weijun 已提交
306
    public void writeKtab(String tab, boolean append, String... names)
W
weijun 已提交
307 308
            throws IOException, KrbException {
        KeyTab ktab = append ? KeyTab.getInstance(tab) : KeyTab.create(tab);
W
weijun 已提交
309 310 311 312 313 314 315
        Iterable<String> entries =
                (names.length != 0) ? Arrays.asList(names): passwords.keySet();
        for (String name : entries) {
            char[] pass = passwords.get(name);
            int kvno = 0;
            if (Character.isDigit(pass[pass.length-1])) {
                kvno = pass[pass.length-1] - '0';
W
weijun 已提交
316
            }
317 318 319 320 321 322
            PrincipalName pn = new PrincipalName(name,
                        name.indexOf('/') < 0 ?
                            PrincipalName.KRB_NT_UNKNOWN :
                            PrincipalName.KRB_NT_SRV_HST);
            ktab.addEntry(pn,
                        getSalt(pn),
W
weijun 已提交
323 324 325
                        pass,
                        kvno,
                        true);
W
weijun 已提交
326 327 328 329 330 331
        }
        ktab.save();
    }

    /**
     * Writes all principals' keys from multiple KDCs into one keytab file.
W
weijun 已提交
332 333 334 335
     * @throws java.io.IOException for any file output error
     * @throws sun.security.krb5.KrbException for any realm and/or principal
     *         name error.
     */
336 337
    public static void writeMultiKtab(String tab, KDC... kdcs)
            throws IOException, KrbException {
W
weijun 已提交
338 339
        KeyTab.create(tab).save();      // Empty the old keytab
        appendMultiKtab(tab, kdcs);
W
weijun 已提交
340 341 342 343 344 345 346
    }

    /**
     * Appends all principals' keys from multiple KDCs to one keytab file.
     */
    public static void appendMultiKtab(String tab, KDC... kdcs)
            throws IOException, KrbException {
W
weijun 已提交
347 348 349
        for (KDC kdc: kdcs) {
            kdc.writeKtab(tab, true);
        }
W
weijun 已提交
350 351
    }

352 353 354 355
    /**
     * Write a ktab for this KDC.
     */
    public void writeKtab(String tab) throws IOException, KrbException {
W
weijun 已提交
356
        writeKtab(tab, false);
357 358
    }

W
weijun 已提交
359 360 361 362
    /**
     * Appends keys in this KDC to a ktab.
     */
    public void appendKtab(String tab) throws IOException, KrbException {
W
weijun 已提交
363
        writeKtab(tab, true);
W
weijun 已提交
364 365
    }

W
weijun 已提交
366 367 368 369 370 371 372
    /**
     * Adds a new principal to this realm with a given password.
     * @param user the principal's name. For a service principal, use the
     *        form of host/f.q.d.n
     * @param pass the password for the principal
     */
    public void addPrincipal(String user, char[] pass) {
W
weijun 已提交
373 374 375
        if (user.indexOf('@') < 0) {
            user = user + "@" + realm;
        }
W
weijun 已提交
376 377 378 379 380 381 382 383 384
        passwords.put(user, pass);
    }

    /**
     * Adds a new principal to this realm with a random password
     * @param user the principal's name. For a service principal, use the
     *        form of host/f.q.d.n
     */
    public void addPrincipalRandKey(String user) {
W
weijun 已提交
385
        addPrincipal(user, randomPassword());
W
weijun 已提交
386 387 388 389 390 391 392 393 394 395
    }

    /**
     * Returns the name of this realm
     * @return the name of this realm
     */
    public String getRealm() {
        return realm;
    }

W
weijun 已提交
396 397 398 399 400 401 402 403
    /**
     * Returns the name of kdc
     * @return the name of kdc
     */
    public String getKDC() {
        return kdc;
    }

404 405 406 407 408 409 410
    /**
     * Add realm-specific krb5.conf setting
     */
    public void addConf(String s) {
        conf.add(s);
    }

W
weijun 已提交
411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434
    /**
     * Writes a krb5.conf for one or more KDC that includes KDC locations for
     * each realm and the default realm name. You can also add extra strings
     * into the file. The method should be called like:
     * <pre>
     *   KDC.saveConfig("krb5.conf", kdc1, kdc2, ..., line1, line2, ...);
     * </pre>
     * Here you can provide one or more kdc# and zero or more line# arguments.
     * The line# will be put after [libdefaults] and before [realms]. Therefore
     * you can append new lines into [libdefaults] and/or create your new
     * stanzas as well. Note that a newline character will be appended to
     * each line# argument.
     * <p>
     * For example:
     * <pre>
     * KDC.saveConfig("krb5.conf", this);
     * </pre>
     * generates:
     * <pre>
     * [libdefaults]
     * default_realm = REALM.NAME
     *
     * [realms]
     *   REALM.NAME = {
W
weijun 已提交
435
     *     kdc = host:port_number
436
     *     # realm-specific settings
W
weijun 已提交
437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456
     *   }
     * </pre>
     *
     * Another example:
     * <pre>
     * KDC.saveConfig("krb5.conf", kdc1, kdc2, "forwardable = true", "",
     *         "[domain_realm]",
     *         ".kdc1.com = KDC1.NAME");
     * </pre>
     * generates:
     * <pre>
     * [libdefaults]
     * default_realm = KDC1.NAME
     * forwardable = true
     *
     * [domain_realm]
     * .kdc1.com = KDC1.NAME
     *
     * [realms]
     *   KDC1.NAME = {
W
weijun 已提交
457
     *     kdc = host:port1
W
weijun 已提交
458 459
     *   }
     *   KDC2.NAME = {
W
weijun 已提交
460
     *     kdc = host:port2
W
weijun 已提交
461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483
     *   }
     * </pre>
     * @param file the name of the file to write into
     * @param kdc the first (and default) KDC
     * @param more more KDCs or extra lines (in their appearing order) to
     * insert into the krb5.conf file. This method reads each argument's type
     * to determine what it's for. This argument can be empty.
     * @throws java.io.IOException for any file output error
     */
    public static void saveConfig(String file, KDC kdc, Object... more)
            throws IOException {
        File f = new File(file);
        StringBuffer sb = new StringBuffer();
        sb.append("[libdefaults]\ndefault_realm = ");
        sb.append(kdc.realm);
        sb.append("\n");
        for (Object o: more) {
            if (o instanceof String) {
                sb.append(o);
                sb.append("\n");
            }
        }
        sb.append("\n[realms]\n");
484
        sb.append(kdc.realmLine());
W
weijun 已提交
485 486
        for (Object o: more) {
            if (o instanceof KDC) {
487
                sb.append(((KDC)o).realmLine());
W
weijun 已提交
488 489 490 491 492 493 494 495 496 497 498 499 500 501 502
            }
        }
        FileOutputStream fos = new FileOutputStream(f);
        fos.write(sb.toString().getBytes());
        fos.close();
    }

    /**
     * Returns the service port of the KDC server.
     * @return the KDC service port
     */
    public int getPort() {
        return port;
    }

503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525
    /**
     * Register an alias name to be referred to a different KDC for
     * resolution, according to RFC 6806.
     * @param alias Alias name (i.e. user@REALM.COM).
     * @param referredKDC KDC to which the alias is referred for resolution.
     */
    public void registerAlias(String alias, KDC referredKDC) {
        aliasReferrals.remove(alias);
        aliasReferrals.put(alias, referredKDC);
    }

    /**
     * Register an alias to be resolved to a Principal Name locally,
     * according to RFC 6806.
     * @param alias Alias name (i.e. user@REALM.COM).
     * @param user Principal Name to which the alias is resolved.
     */
    public void registerAlias(String alias, String user)
            throws RealmException {
        alias2Principals.remove(alias);
        alias2Principals.put(alias, new PrincipalName(user));
    }

W
weijun 已提交
526 527 528 529 530 531
    // Private helper methods

    /**
     * Private constructor, cannot be called outside.
     * @param realm
     */
W
weijun 已提交
532
    private KDC(String realm, String kdc) {
W
weijun 已提交
533
        this.realm = realm;
W
weijun 已提交
534
        this.kdc = kdc;
W
weijun 已提交
535 536 537 538 539
    }

    /**
     * A constructor that starts the KDC service also.
     */
W
weijun 已提交
540
    protected KDC(String realm, String kdc, int port, boolean asDaemon)
W
weijun 已提交
541
            throws IOException {
W
weijun 已提交
542
        this(realm, kdc);
W
weijun 已提交
543 544 545 546 547 548 549 550
        startServer(port, asDaemon);
    }
    /**
     * Generates a 32-char random password
     * @return the password
     */
    private static char[] randomPassword() {
        char[] pass = new char[32];
W
weijun 已提交
551
        for (int i=0; i<31; i++)
W
weijun 已提交
552
            pass[i] = (char)secureRandom.nextInt();
W
weijun 已提交
553 554 555
        // The last char cannot be a number, otherwise, keyForUser()
        // believes it's a sign of kvno
        pass[31] = 'Z';
W
weijun 已提交
556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588
        return pass;
    }

    /**
     * Generates a random key for the given encryption type.
     * @param eType the encryption type
     * @return the generated key
     * @throws sun.security.krb5.KrbException for unknown/unsupported etype
     */
    private static EncryptionKey generateRandomKey(int eType)
            throws KrbException  {
        // Is 32 enough for AES256? I should have generated the keys directly
        // but different cryptos have different rules on what keys are valid.
        char[] pass = randomPassword();
        String algo;
        switch (eType) {
            case EncryptedData.ETYPE_DES_CBC_MD5: algo = "DES"; break;
            case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD: algo = "DESede"; break;
            case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96: algo = "AES128"; break;
            case EncryptedData.ETYPE_ARCFOUR_HMAC: algo = "ArcFourHMAC"; break;
            case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96: algo = "AES256"; break;
            default: algo = "DES"; break;
        }
        return new EncryptionKey(pass, "NOTHING", algo);    // Silly
    }

    /**
     * Returns the password for a given principal
     * @param p principal
     * @return the password
     * @throws sun.security.krb5.KrbException when the principal is not inside
     *         the database.
     */
W
weijun 已提交
589 590
    private char[] getPassword(PrincipalName p, boolean server)
            throws KrbException {
W
weijun 已提交
591 592 593 594 595
        String pn = p.toString();
        if (p.getRealmString() == null) {
            pn = pn + "@" + getRealm();
        }
        char[] pass = passwords.get(pn);
W
weijun 已提交
596
        if (pass == null) {
W
weijun 已提交
597 598
            throw new KrbException(server?
                Krb5.KDC_ERR_S_PRINCIPAL_UNKNOWN:
599
                Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN, pn.toString());
W
weijun 已提交
600 601 602 603 604
        }
        return pass;
    }

    /**
W
weijun 已提交
605
     * Returns the salt string for the principal.
W
weijun 已提交
606 607 608
     * @param p principal
     * @return the salt
     */
609
    protected String getSalt(PrincipalName p) {
610 611 612 613 614 615 616 617 618 619 620 621
        String pn = p.toString();
        if (p.getRealmString() == null) {
            pn = pn + "@" + getRealm();
        }
        if (passwords.containsKey(pn)) {
            try {
                // Find the principal name with correct case.
                p = new PrincipalName(passwords.ceilingEntry(pn).getKey());
            } catch (RealmException re) {
                // Won't happen
            }
        }
W
weijun 已提交
622 623 624 625
        String s = p.getRealmString();
        if (s == null) s = getRealm();
        for (String n: p.getNameStrings()) {
            s += n;
W
weijun 已提交
626
        }
W
weijun 已提交
627
        return s;
W
weijun 已提交
628 629 630 631 632 633
    }

    /**
     * Returns the key for a given principal of the given encryption type
     * @param p the principal
     * @param etype the encryption type
W
weijun 已提交
634
     * @param server looking for a server principal?
W
weijun 已提交
635 636 637
     * @return the key
     * @throws sun.security.krb5.KrbException for unknown/unsupported etype
     */
W
weijun 已提交
638 639
    private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
            throws KrbException {
W
weijun 已提交
640 641 642
        try {
            // Do not call EncryptionKey.acquireSecretKeys(), otherwise
            // the krb5.conf config file would be loaded.
643
            Integer kvno = null;
644 645 646
            // For service whose password ending with a number, use it as kvno.
            // Kvno must be postive.
            if (p.toString().indexOf('/') > 0) {
W
weijun 已提交
647
                char[] pass = getPassword(p, server);
648 649 650 651
                if (Character.isDigit(pass[pass.length-1])) {
                    kvno = pass[pass.length-1] - '0';
                }
            }
652 653
            return new EncryptionKey(EncryptionKeyDotStringToKey(
                    getPassword(p, server), getSalt(p), null, etype),
654
                    etype, kvno);
W
weijun 已提交
655 656
        } catch (KrbException ke) {
            throw ke;
W
weijun 已提交
657 658 659 660 661
        } catch (Exception e) {
            throw new RuntimeException(e);  // should not happen
        }
    }

662 663 664 665 666 667 668 669 670
    /**
     * Returns a KerberosTime.
     *
     * @param offset offset from NOW in seconds
     */
    private static KerberosTime timeAfter(int offset) {
        return new KerberosTime(new Date().getTime() + offset * 1000L);
    }

W
weijun 已提交
671 672 673 674 675 676
    /**
     * Processes an incoming request and generates a response.
     * @param in the request
     * @return the response
     * @throws java.lang.Exception for various errors
     */
677
    protected byte[] processMessage(byte[] in) throws Exception {
W
weijun 已提交
678 679 680 681 682 683 684 685 686 687 688 689
        if ((in[0] & 0x1f) == Krb5.KRB_AS_REQ)
            return processAsReq(in);
        else
            return processTgsReq(in);
    }

    /**
     * Processes a TGS_REQ and generates a TGS_REP (or KRB_ERROR)
     * @param in the request
     * @return the response
     * @throws java.lang.Exception for various errors
     */
690
    protected byte[] processTgsReq(byte[] in) throws Exception {
W
weijun 已提交
691
        TGSReq tgsReq = new TGSReq(in);
692 693
        PrincipalName service = tgsReq.reqBody.sname;
        if (options.containsKey(KDC.Option.RESP_NT)) {
694 695
            service = new PrincipalName((int)options.get(KDC.Option.RESP_NT),
                    service.getNameStrings(), service.getRealm());
696
        }
W
weijun 已提交
697 698 699
        try {
            System.out.println(realm + "> " + tgsReq.reqBody.cname +
                    " sends TGS-REQ for " +
700
                    service + ", " + tgsReq.reqBody.kdcOptions);
W
weijun 已提交
701
            KDCReqBody body = tgsReq.reqBody;
702 703 704
            int[] eTypes = KDCReqBodyDotEType(body);
            int e2 = eTypes[0];     // etype for outgoing session key
            int e3 = eTypes[0];     // etype for outgoing ticket
W
weijun 已提交
705

706
            PAData[] pas = KDCReqDotPAData(tgsReq);
W
weijun 已提交
707 708 709

            Ticket tkt = null;
            EncTicketPart etp = null;
710 711 712 713

            PrincipalName cname = null;
            boolean allowForwardable = true;

714 715 716 717 718 719 720 721 722 723 724
            if (body.kdcOptions.get(KDCOptions.CANONICALIZE)) {
                KDC referral = aliasReferrals.get(body.sname.getNameString());
                if (referral != null) {
                    service = new PrincipalName(
                            PrincipalName.TGS_DEFAULT_SRV_NAME +
                            PrincipalName.NAME_COMPONENT_SEPARATOR_STR +
                            referral.getRealm(), PrincipalName.KRB_NT_SRV_INST,
                            this.getRealm());
                }
            }

W
weijun 已提交
725 726 727
            if (pas == null || pas.length == 0) {
                throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
            } else {
728
                PrincipalName forUserCName = null;
W
weijun 已提交
729 730 731 732 733
                for (PAData pa: pas) {
                    if (pa.getType() == Krb5.PA_TGS_REQ) {
                        APReq apReq = new APReq(pa.getValue());
                        EncryptedData ed = apReq.authenticator;
                        tkt = apReq.ticket;
734 735
                        int te = tkt.encPart.getEType();
                        EncryptionKey kkey = keyForUser(tkt.sname, te, true);
W
weijun 已提交
736 737 738 739
                        byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
                        DerInputStream derIn = new DerInputStream(bb);
                        DerValue der = derIn.getDerValue();
                        etp = new EncTicketPart(der.toByteArray());
740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761
                        // Finally, cname will be overwritten by PA-FOR-USER
                        // if it exists.
                        cname = etp.cname;
                        System.out.println(realm + "> presenting a ticket of "
                                + etp.cname + " to " + tkt.sname);
                    } else if (pa.getType() == Krb5.PA_FOR_USER) {
                        if (options.containsKey(Option.ALLOW_S4U2SELF)) {
                            PAForUserEnc p4u = new PAForUserEnc(
                                    new DerValue(pa.getValue()), null);
                            forUserCName = p4u.name;
                            System.out.println(realm + "> presenting a PA_FOR_USER "
                                    + " in the name of " + p4u.name);
                        }
                    }
                }
                if (forUserCName != null) {
                    List<String> names = (List<String>)options.get(Option.ALLOW_S4U2SELF);
                    if (!names.contains(cname.toString())) {
                        // Mimic the normal KDC behavior. When a server is not
                        // allowed to send S4U2self, do not send an error.
                        // Instead, send a ticket which is useless later.
                        allowForwardable = false;
W
weijun 已提交
762
                    }
763
                    cname = forUserCName;
W
weijun 已提交
764 765 766 767 768 769 770 771 772 773
                }
                if (tkt == null) {
                    throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
                }
            }

            // Session key for original ticket, TGT
            EncryptionKey ckey = etp.key;

            // Session key for session with the service
774
            EncryptionKey key = generateRandomKey(e2);
W
weijun 已提交
775 776 777 778 779 780 781 782 783 784

            // Check time, TODO
            KerberosTime till = body.till;
            if (till == null) {
                throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
            } else if (till.isZero()) {
                till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
            }

            boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
785 786
            if (body.kdcOptions.get(KDCOptions.FORWARDABLE)
                    && allowForwardable) {
787 788 789 790 791 792 793
                List<String> sensitives = (List<String>)
                        options.get(Option.SENSITIVE_ACCOUNTS);
                if (sensitives != null && sensitives.contains(cname.toString())) {
                    // Cannot make FORWARDABLE
                } else {
                    bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
                }
W
weijun 已提交
794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811
            }
            if (body.kdcOptions.get(KDCOptions.FORWARDED) ||
                    etp.flags.get(Krb5.TKT_OPTS_FORWARDED)) {
                bFlags[Krb5.TKT_OPTS_FORWARDED] = true;
            }
            if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
                bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
                //renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
            }
            if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
                bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
            }
            if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
                bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
            }
            if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
                bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
            }
812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842
            if (body.kdcOptions.get(KDCOptions.CNAME_IN_ADDL_TKT)) {
                if (!options.containsKey(Option.ALLOW_S4U2PROXY)) {
                    // Don't understand CNAME_IN_ADDL_TKT
                    throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                } else {
                    Map<String,List<String>> map = (Map<String,List<String>>)
                            options.get(Option.ALLOW_S4U2PROXY);
                    Ticket second = KDCReqBodyDotFirstAdditionalTicket(body);
                    EncryptionKey key2 = keyForUser(second.sname, second.encPart.getEType(), true);
                    byte[] bb = second.encPart.decrypt(key2, KeyUsage.KU_TICKET);
                    DerInputStream derIn = new DerInputStream(bb);
                    DerValue der = derIn.getDerValue();
                    EncTicketPart tktEncPart = new EncTicketPart(der.toByteArray());
                    if (!tktEncPart.flags.get(Krb5.TKT_OPTS_FORWARDABLE)) {
                        //throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                    }
                    PrincipalName client = tktEncPart.cname;
                    System.out.println(realm + "> and an additional ticket of "
                            + client + " to " + second.sname);
                    if (map.containsKey(cname.toString())) {
                        if (map.get(cname.toString()).contains(service.toString())) {
                            System.out.println(realm + "> S4U2proxy OK");
                        } else {
                            throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                        }
                    } else {
                        throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                    }
                    cname = client;
                }
            }
W
weijun 已提交
843

W
weijun 已提交
844 845 846 847
            String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE);
            if (okAsDelegate != null && (
                    okAsDelegate.isEmpty() ||
                    okAsDelegate.contains(service.getNameString()))) {
W
weijun 已提交
848 849
                bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
            }
W
weijun 已提交
850 851 852 853 854 855
            bFlags[Krb5.TKT_OPTS_INITIAL] = true;

            TicketFlags tFlags = new TicketFlags(bFlags);
            EncTicketPart enc = new EncTicketPart(
                    tFlags,
                    key,
856
                    cname,
W
weijun 已提交
857 858 859 860
                    new TransitedEncoding(1, new byte[0]),  // TODO
                    new KerberosTime(new Date()),
                    body.from,
                    till, body.rtime,
861 862 863 864
                    body.addresses != null  // always set caddr
                            ? body.addresses
                            : new HostAddresses(
                                new InetAddress[]{InetAddress.getLocalHost()}),
W
weijun 已提交
865
                    null);
866
            EncryptionKey skey = keyForUser(service, e3, true);
867 868 869
            if (skey == null) {
                throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
            }
W
weijun 已提交
870
            Ticket t = new Ticket(
R
rpatil 已提交
871 872 873
                    System.getProperty("test.kdc.diff.sname") != null ?
                        new PrincipalName("xx" + service.toString()) :
                        service,
W
weijun 已提交
874 875 876 877 878 879 880 881 882 883 884 885 886 887
                    new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
            );
            EncTGSRepPart enc_part = new EncTGSRepPart(
                    key,
                    new LastReq(new LastReqEntry[]{
                        new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000))
                    }),
                    body.getNonce(),    // TODO: detect replay
                    new KerberosTime(new Date().getTime() + 1000 * 3600 * 24),
                    // Next 5 and last MUST be same with ticket
                    tFlags,
                    new KerberosTime(new Date()),
                    body.from,
                    till, body.rtime,
888
                    service,
889 890 891
                    body.addresses != null  // always set caddr
                            ? body.addresses
                            : new HostAddresses(
892 893
                                new InetAddress[]{InetAddress.getLocalHost()}),
                    null
W
weijun 已提交
894 895 896
                    );
            EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
            TGSRep tgsRep = new TGSRep(null,
897
                    cname,
W
weijun 已提交
898 899 900
                    t,
                    edata);
            System.out.println("     Return " + tgsRep.cname
901 902
                    + " ticket for " + tgsRep.ticket.sname + ", flags "
                    + tFlags);
W
weijun 已提交
903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918

            DerOutputStream out = new DerOutputStream();
            out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
                    true, (byte)Krb5.KRB_TGS_REP), tgsRep.asn1Encode());
            return out.toByteArray();
        } catch (KrbException ke) {
            ke.printStackTrace(System.out);
            KRBError kerr = ke.getError();
            KDCReqBody body = tgsReq.reqBody;
            System.out.println("     Error " + ke.returnCode()
                    + " " +ke.returnCodeMessage());
            if (kerr == null) {
                kerr = new KRBError(null, null, null,
                        new KerberosTime(new Date()),
                        0,
                        ke.returnCode(),
919 920
                        body.cname,
                        service,
W
weijun 已提交
921 922 923 924 925 926 927 928 929 930 931 932 933
                        KrbException.errorMessage(ke.returnCode()),
                        null);
            }
            return kerr.asn1Encode();
        }
    }

    /**
     * Processes a AS_REQ and generates a AS_REP (or KRB_ERROR)
     * @param in the request
     * @return the response
     * @throws java.lang.Exception for various errors
     */
934
    protected byte[] processAsReq(byte[] in) throws Exception {
W
weijun 已提交
935
        ASReq asReq = new ASReq(in);
936
        byte[] asReqbytes = asReq.asn1Encode();
W
weijun 已提交
937
        int[] eTypes = null;
938
        List<PAData> outPAs = new ArrayList<>();
939

940 941
        PrincipalName service = asReq.reqBody.sname;
        if (options.containsKey(KDC.Option.RESP_NT)) {
942 943 944
            service = new PrincipalName((int)options.get(KDC.Option.RESP_NT),
                    service.getNameStrings(),
                    Realm.getDefault());
945
        }
W
weijun 已提交
946 947 948
        try {
            System.out.println(realm + "> " + asReq.reqBody.cname +
                    " sends AS-REQ for " +
949
                    service + ", " + asReq.reqBody.kdcOptions);
W
weijun 已提交
950 951 952

            KDCReqBody body = asReq.reqBody;

953
            eTypes = KDCReqBodyDotEType(body);
W
weijun 已提交
954 955
            int eType = eTypes[0];

956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973
            if (body.kdcOptions.get(KDCOptions.CANONICALIZE) &&
                    body.cname.getNameType() == PrincipalName.KRB_NT_ENTERPRISE) {
                PrincipalName principal = alias2Principals.get(
                        body.cname.getNameString());
                if (principal != null) {
                    body.cname = principal;
                } else {
                    KDC referral = aliasReferrals.get(body.cname.getNameString());
                    if (referral != null) {
                        body.cname = new PrincipalName(
                                PrincipalName.TGS_DEFAULT_SRV_NAME,
                                PrincipalName.KRB_NT_SRV_INST,
                                referral.getRealm());
                        throw new KrbException(Krb5.KRB_ERR_WRONG_REALM);
                    }
                }
            }

W
weijun 已提交
974
            EncryptionKey ckey = keyForUser(body.cname, eType, false);
975
            EncryptionKey skey = keyForUser(service, eType, true);
976 977 978 979 980 981 982 983 984 985 986 987 988

            if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
                int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
                boolean found = false;
                for (int i=0; i<eTypes.length; i++) {
                    if (eTypes[i] == tgtEType) {
                        found = true;
                        break;
                    }
                }
                if (!found) {
                    throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
                }
989
                skey = keyForUser(service, tgtEType, true);
990
            }
W
weijun 已提交
991 992 993 994 995 996 997 998 999 1000 1001
            if (ckey == null) {
                throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
            }
            if (skey == null) {
                throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
            }

            // Session key
            EncryptionKey key = generateRandomKey(eType);
            // Check time, TODO
            KerberosTime till = body.till;
1002
            KerberosTime rtime = body.rtime;
W
weijun 已提交
1003 1004 1005
            if (till == null) {
                throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
            } else if (till.isZero()) {
1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016
                String ttlsVal = System.getProperty("test.kdc.ttl.value");
                if (ttlsVal != null){
                    till = timeAfter(duration(ttlsVal));
                    if (till.greaterThan(timeAfter(24 * 3600)) &&
                        (System.getProperty("test.kdc.force.till") == null)) {
                        till = timeAfter(DEFAULT_LIFETIME);
                        body.kdcOptions.set(KDCOptions.RENEWABLE, true);
                    }
                } else {
                    till = timeAfter(DEFAULT_LIFETIME);
                }
W
weijun 已提交
1017
            }
1018 1019 1020 1021 1022

            if (rtime == null && body.kdcOptions.get(KDCOptions.RENEWABLE)) {
                rtime = timeAfter(DEFAULT_RENEWTIME);
            }

W
weijun 已提交
1023 1024 1025
            //body.from
            boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
            if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
1026 1027 1028 1029 1030 1031 1032
                List<String> sensitives = (List<String>)
                        options.get(Option.SENSITIVE_ACCOUNTS);
                if (sensitives != null && sensitives.contains(body.cname.toString())) {
                    // Cannot make FORWARDABLE
                } else {
                    bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
                }
W
weijun 已提交
1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048
            }
            if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
                bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
                //renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
            }
            if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
                bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
            }
            if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
                bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
            }
            if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
                bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
            }
            bFlags[Krb5.TKT_OPTS_INITIAL] = true;

1049
            // Creating PA-DATA
1050 1051 1052 1053 1054 1055 1056 1057
            DerValue[] pas2 = null, pas = null;
            if (options.containsKey(KDC.Option.DUP_ETYPE)) {
                int n = (Integer)options.get(KDC.Option.DUP_ETYPE);
                switch (n) {
                    case 1:     // customer's case in 7067974
                        pas2 = new DerValue[] {
                            new DerValue(new ETypeInfo2(1, null, null).asn1Encode()),
                            new DerValue(new ETypeInfo2(1, "", null).asn1Encode()),
1058
                            new DerValue(new ETypeInfo2(1, realm, new byte[]{1}).asn1Encode()),
1059 1060 1061 1062
                        };
                        pas = new DerValue[] {
                            new DerValue(new ETypeInfo(1, null).asn1Encode()),
                            new DerValue(new ETypeInfo(1, "").asn1Encode()),
1063
                            new DerValue(new ETypeInfo(1, realm).asn1Encode()),
1064 1065 1066 1067
                        };
                        break;
                    case 2:     // we still reject non-null s2kparams and prefer E2 over E
                        pas2 = new DerValue[] {
1068
                            new DerValue(new ETypeInfo2(1, realm, new byte[]{1}).asn1Encode()),
1069 1070 1071 1072
                            new DerValue(new ETypeInfo2(1, null, null).asn1Encode()),
                            new DerValue(new ETypeInfo2(1, "", null).asn1Encode()),
                        };
                        pas = new DerValue[] {
1073
                            new DerValue(new ETypeInfo(1, realm).asn1Encode()),
1074 1075 1076 1077 1078 1079
                            new DerValue(new ETypeInfo(1, null).asn1Encode()),
                            new DerValue(new ETypeInfo(1, "").asn1Encode()),
                        };
                        break;
                    case 3:     // but only E is wrong
                        pas = new DerValue[] {
1080
                            new DerValue(new ETypeInfo(1, realm).asn1Encode()),
1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097
                            new DerValue(new ETypeInfo(1, null).asn1Encode()),
                            new DerValue(new ETypeInfo(1, "").asn1Encode()),
                        };
                        break;
                    case 4:     // we also ignore rc4-hmac
                        pas = new DerValue[] {
                            new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()),
                            new DerValue(new ETypeInfo(1, null).asn1Encode()),
                            new DerValue(new ETypeInfo(1, "").asn1Encode()),
                        };
                        break;
                    case 5:     // "" should be wrong, but we accept it now
                                // See s.s.k.internal.PAData$SaltAndParams
                        pas = new DerValue[] {
                            new DerValue(new ETypeInfo(1, "").asn1Encode()),
                            new DerValue(new ETypeInfo(1, null).asn1Encode()),
                        };
1098 1099
                        break;
                }
1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113
            } else {
                int[] epas = eTypes;
                if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) {
                    for (int i=1; i<epas.length; i++) {
                        if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) {
                            epas[i] = epas[0];
                            epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC;
                            break;
                        }
                    };
                } else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) {
                    epas = new int[] { eTypes[0] };
                }
                pas2 = new DerValue[epas.length];
1114
                for (int i=0; i<epas.length; i++) {
1115
                    pas2[i] = new DerValue(new ETypeInfo2(
1116 1117
                            epas[i],
                            epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ?
1118 1119 1120 1121 1122 1123 1124 1125 1126 1127
                                null : getSalt(body.cname),
                            null).asn1Encode());
                }
                boolean allOld = true;
                for (int i: eTypes) {
                    if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 ||
                            i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) {
                        allOld = false;
                        break;
                    }
1128
                }
1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147
                if (allOld) {
                    pas = new DerValue[epas.length];
                    for (int i=0; i<epas.length; i++) {
                        pas[i] = new DerValue(new ETypeInfo(
                                epas[i],
                                epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ?
                                    null : getSalt(body.cname)
                                ).asn1Encode());
                    }
                }
            }

            DerOutputStream eid;
            if (pas2 != null) {
                eid = new DerOutputStream();
                eid.putSequence(pas2);
                outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray()));
            }
            if (pas != null) {
1148 1149 1150 1151 1152
                eid = new DerOutputStream();
                eid.putSequence(pas);
                outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
            }

1153
            PAData[] inPAs = KDCReqDotPAData(asReq);
1154
            List<PAData> enc_outPAs = new ArrayList<>();
1155
            if (inPAs == null || inPAs.length == 0) {
W
weijun 已提交
1156 1157 1158 1159 1160
                Object preauth = options.get(Option.PREAUTH_REQUIRED);
                if (preauth == null || preauth.equals(Boolean.TRUE)) {
                    throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
                }
            } else {
1161
                EncryptionKey pakey = null;
W
weijun 已提交
1162
                try {
1163
                    EncryptedData data = newEncryptedData(new DerValue(inPAs[0].getValue()));
1164
                    pakey = keyForUser(body.cname, data.getEType(), false);
1165
                    data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS);
W
weijun 已提交
1166 1167 1168 1169
                } catch (Exception e) {
                    throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
                }
                bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180
                for (PAData pa : inPAs) {
                    if (pa.getType() == Krb5.PA_REQ_ENC_PA_REP) {
                        Checksum ckSum = new Checksum(
                                Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128,
                                asReqbytes, ckey, KeyUsage.KU_AS_REQ);
                        enc_outPAs.add(new PAData(Krb5.PA_REQ_ENC_PA_REP,
                                ckSum.asn1Encode()));
                        bFlags[Krb5.TKT_OPTS_ENC_PA_REP] = true;
                        break;
                    }
                }
W
weijun 已提交
1181 1182 1183 1184 1185 1186 1187 1188 1189 1190
            }

            TicketFlags tFlags = new TicketFlags(bFlags);
            EncTicketPart enc = new EncTicketPart(
                    tFlags,
                    key,
                    body.cname,
                    new TransitedEncoding(1, new byte[0]),
                    new KerberosTime(new Date()),
                    body.from,
1191
                    till, rtime,
W
weijun 已提交
1192 1193 1194
                    body.addresses,
                    null);
            Ticket t = new Ticket(
1195
                    service,
W
weijun 已提交
1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208
                    new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
            );
            EncASRepPart enc_part = new EncASRepPart(
                    key,
                    new LastReq(new LastReqEntry[]{
                        new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000))
                    }),
                    body.getNonce(),    // TODO: detect replay?
                    new KerberosTime(new Date().getTime() + 1000 * 3600 * 24),
                    // Next 5 and last MUST be same with ticket
                    tFlags,
                    new KerberosTime(new Date()),
                    body.from,
1209
                    till, rtime,
1210
                    service,
1211 1212
                    body.addresses,
                    enc_outPAs.toArray(new PAData[enc_outPAs.size()])
W
weijun 已提交
1213 1214
                    );
            EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
1215 1216
            ASRep asRep = new ASRep(
                    outPAs.toArray(new PAData[outPAs.size()]),
W
weijun 已提交
1217 1218 1219 1220 1221
                    body.cname,
                    t,
                    edata);

            System.out.println("     Return " + asRep.cname
1222 1223
                    + " ticket for " + asRep.ticket.sname + ", flags "
                    + tFlags);
W
weijun 已提交
1224 1225 1226 1227

            DerOutputStream out = new DerOutputStream();
            out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
                    true, (byte)Krb5.KRB_AS_REP), asRep.asn1Encode());
1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248
            byte[] result = out.toByteArray();

            // Added feature:
            // Write the current issuing TGT into a ccache file specified
            // by the system property below.
            String ccache = System.getProperty("test.kdc.save.ccache");
            if (ccache != null) {
                asRep.encKDCRepPart = enc_part;
                sun.security.krb5.internal.ccache.Credentials credentials =
                    new sun.security.krb5.internal.ccache.Credentials(asRep);
                CredentialsCache cache =
                    CredentialsCache.create(asReq.reqBody.cname, ccache);
                if (cache == null) {
                   throw new IOException("Unable to create the cache file " +
                                         ccache);
                }
                cache.update(credentials);
                cache.save();
            }

            return result;
W
weijun 已提交
1249 1250 1251 1252 1253 1254 1255 1256 1257 1258
        } catch (KrbException ke) {
            ke.printStackTrace(System.out);
            KRBError kerr = ke.getError();
            KDCReqBody body = asReq.reqBody;
            System.out.println("     Error " + ke.returnCode()
                    + " " +ke.returnCodeMessage());
            byte[] eData = null;
            if (kerr == null) {
                if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED ||
                        ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
1259 1260 1261
                    outPAs.add(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]));
                }
                if (outPAs.size() > 0) {
W
weijun 已提交
1262
                    DerOutputStream bytes = new DerOutputStream();
1263 1264
                    for (PAData p: outPAs) {
                        bytes.write(p.asn1Encode());
W
weijun 已提交
1265 1266 1267 1268 1269 1270 1271 1272 1273
                    }
                    DerOutputStream temp = new DerOutputStream();
                    temp.write(DerValue.tag_Sequence, bytes);
                    eData = temp.toByteArray();
                }
                kerr = new KRBError(null, null, null,
                        new KerberosTime(new Date()),
                        0,
                        ke.returnCode(),
1274 1275
                        body.cname,
                        service,
W
weijun 已提交
1276 1277 1278 1279 1280 1281 1282
                        KrbException.errorMessage(ke.returnCode()),
                        eData);
            }
            return kerr.asn1Encode();
        }
    }

1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348
    /**
     * Translates a duration value into seconds.
     *
     * The format can be one of "h:m[:s]", "NdNhNmNs", and "N". See
     * http://web.mit.edu/kerberos/krb5-devel/doc/basic/date_format.html#duration
     * for definitions.
     *
     * @param s the string duration
     * @return time in seconds
     * @throw KrbException if format is illegal
     */
    public static int duration(String s) throws KrbException {

        if (s.isEmpty()) {
            throw new KrbException("Duration cannot be empty");
        }

        // N
        if (s.matches("\\d+")) {
            return Integer.parseInt(s);
        }

        // h:m[:s]
        Matcher m = Pattern.compile("(\\d+):(\\d+)(:(\\d+))?").matcher(s);
        if (m.matches()) {
            int hr = Integer.parseInt(m.group(1));
            int min = Integer.parseInt(m.group(2));
            if (min >= 60) {
                throw new KrbException("Illegal duration format " + s);
            }
            int result = hr * 3600 + min * 60;
            if (m.group(4) != null) {
                int sec = Integer.parseInt(m.group(4));
                if (sec >= 60) {
                    throw new KrbException("Illegal duration format " + s);
                }
                result += sec;
            }
            return result;
        }

        // NdNhNmNs
        // 120m allowed. Maybe 1h120m is not good, but still allowed
        m = Pattern.compile(
                    "((\\d+)d)?\\s*((\\d+)h)?\\s*((\\d+)m)?\\s*((\\d+)s)?",
                Pattern.CASE_INSENSITIVE).matcher(s);
        if (m.matches()) {
            int result = 0;
            if (m.group(2) != null) {
                result += 86400 * Integer.parseInt(m.group(2));
            }
            if (m.group(4) != null) {
                result += 3600 * Integer.parseInt(m.group(4));
            }
            if (m.group(6) != null) {
                result += 60 * Integer.parseInt(m.group(6));
            }
            if (m.group(8) != null) {
                result += Integer.parseInt(m.group(8));
            }
            return result;
        }

        throw new KrbException("Illegal duration format " + s);
    }

W
weijun 已提交
1349 1350
    /**
     * Generates a line for a KDC to put inside [realms] of krb5.conf
1351
     * @return REALM.NAME = { kdc = host:port etc }
W
weijun 已提交
1352
     */
1353 1354 1355 1356 1357 1358 1359 1360
    private String realmLine() {
        StringBuilder sb = new StringBuilder();
        sb.append(realm).append(" = {\n    kdc = ")
                .append(kdc).append(':').append(port).append('\n');
        for (String s: conf) {
            sb.append("    ").append(s).append('\n');
        }
        return sb.append("}\n").toString();
W
weijun 已提交
1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396
    }

    /**
     * Start the KDC service. This server listens on both UDP and TCP using
     * the same port number. It uses three threads to deal with requests.
     * They can be set to daemon threads if requested.
     * @param port the port number to listen to. If zero, a random available
     *  port no less than 8000 will be chosen and used.
     * @param asDaemon true if the KDC threads should be daemons
     * @throws java.io.IOException for any communication error
     */
    protected void startServer(int port, boolean asDaemon) throws IOException {
        if (port > 0) {
            u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1"));
            t1 = new ServerSocket(port);
        } else {
            while (true) {
                // Try to find a port number that's both TCP and UDP free
                try {
                    port = 8000 + new java.util.Random().nextInt(10000);
                    u1 = null;
                    u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1"));
                    t1 = new ServerSocket(port);
                    break;
                } catch (Exception e) {
                    if (u1 != null) u1.close();
                }
            }
        }
        final DatagramSocket udp = u1;
        final ServerSocket tcp = t1;
        System.out.println("Start KDC on " + port);

        this.port = port;

        // The UDP consumer
1397
        thread1 = new Thread() {
W
weijun 已提交
1398
            public void run() {
1399
                udpConsumerReady = true;
W
weijun 已提交
1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413
                while (true) {
                    try {
                        byte[] inbuf = new byte[8192];
                        DatagramPacket p = new DatagramPacket(inbuf, inbuf.length);
                        udp.receive(p);
                        System.out.println("-----------------------------------------------");
                        System.out.println(">>>>> UDP packet received");
                        q.put(new Job(processMessage(Arrays.copyOf(inbuf, p.getLength())), udp, p));
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
            }
        };
1414 1415
        thread1.setDaemon(asDaemon);
        thread1.start();
W
weijun 已提交
1416 1417

        // The TCP consumer
1418
        thread2 = new Thread() {
W
weijun 已提交
1419
            public void run() {
1420
                tcpConsumerReady = true;
W
weijun 已提交
1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436
                while (true) {
                    try {
                        Socket socket = tcp.accept();
                        System.out.println("-----------------------------------------------");
                        System.out.println(">>>>> TCP connection established");
                        DataInputStream in = new DataInputStream(socket.getInputStream());
                        DataOutputStream out = new DataOutputStream(socket.getOutputStream());
                        byte[] token = new byte[in.readInt()];
                        in.readFully(token);
                        q.put(new Job(processMessage(token), socket, out));
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
            }
        };
1437 1438
        thread2.setDaemon(asDaemon);
        thread2.start();
W
weijun 已提交
1439 1440

        // The dispatcher
1441
        thread3 = new Thread() {
W
weijun 已提交
1442
            public void run() {
1443
                dispatcherReady = true;
W
weijun 已提交
1444 1445 1446 1447 1448 1449 1450 1451
                while (true) {
                    try {
                        q.take().send();
                    } catch (Exception e) {
                    }
                }
            }
        };
1452 1453
        thread3.setDaemon(true);
        thread3.start();
1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466

        // wait for the KDC is ready
        try {
            while (!isReady()) {
                Thread.sleep(100);
            }
        } catch(InterruptedException e) {
            throw new IOException(e);
        }
    }

    boolean isReady() {
        return udpConsumerReady && tcpConsumerReady && dispatcherReady;
W
weijun 已提交
1467 1468
    }

1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479
    public void terminate() {
        try {
            thread1.stop();
            thread2.stop();
            thread3.stop();
            u1.close();
            t1.close();
        } catch (Exception e) {
            // OK
        }
    }
1480

1481
    public static KDC startKDC(final String host, final String krbConfFileName,
1482 1483 1484
            final String realm, final Map<String, String> principals,
            final String ktab, final KtabMode mode) {

1485
        KDC kdc;
1486
        try {
1487
            kdc = KDC.create(realm, host, 0, true);
1488
            kdc.setOption(KDC.Option.PREAUTH_REQUIRED, Boolean.FALSE);
1489 1490 1491
            if (krbConfFileName != null) {
                KDC.saveConfig(krbConfFileName, kdc);
            }
1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542

            // Add principals
            if (principals != null) {
                principals.forEach((name, password) -> {
                    if (password == null || password.isEmpty()) {
                        System.out.println(String.format(
                                "KDC:add a principal '%s' with a random " +
                                        "password", name));
                        kdc.addPrincipalRandKey(name);
                    } else {
                        System.out.println(String.format(
                                "KDC:add a principal '%s' with '%s' password",
                                name, password));
                        kdc.addPrincipal(name, password.toCharArray());
                    }
                });
            }

            // Create or append keys to existing keytab file
            if (ktab != null) {
                File ktabFile = new File(ktab);
                switch(mode) {
                    case APPEND:
                        if (ktabFile.exists()) {
                            System.out.println(String.format(
                                    "KDC:append keys to an exising keytab "
                                    + "file %s", ktab));
                            kdc.appendKtab(ktab);
                        } else {
                            System.out.println(String.format(
                                    "KDC:create a new keytab file %s", ktab));
                            kdc.writeKtab(ktab);
                        }
                        break;
                    case EXISTING:
                        System.out.println(String.format(
                                "KDC:use an existing keytab file %s", ktab));
                        break;
                    default:
                        throw new RuntimeException(String.format(
                                "KDC:unsupported keytab mode: %s", mode));
                }
            }

            System.out.println(String.format(
                    "KDC: started on %s:%s with '%s' realm",
                    host, kdc.getPort(), realm));
        } catch (Exception e) {
            throw new RuntimeException("KDC: unexpected exception", e);
        }

1543
        return kdc;
1544 1545
    }

W
weijun 已提交
1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590
    /**
     * Helper class to encapsulate a job in a KDC.
     */
    private static class Job {
        byte[] token;           // The received request at creation time and
                                // the response at send time
        Socket s;               // The TCP socket from where the request comes
        DataOutputStream out;   // The OutputStream of the TCP socket
        DatagramSocket s2;      // The UDP socket from where the request comes
        DatagramPacket dp;      // The incoming UDP datagram packet
        boolean useTCP;         // Whether TCP or UDP is used

        // Creates a job object for TCP
        Job(byte[] token, Socket s, DataOutputStream out) {
            useTCP = true;
            this.token = token;
            this.s = s;
            this.out = out;
        }

        // Creates a job object for UDP
        Job(byte[] token, DatagramSocket s2, DatagramPacket dp) {
            useTCP = false;
            this.token = token;
            this.s2 = s2;
            this.dp = dp;
        }

        // Sends the output back to the client
        void send() {
            try {
                if (useTCP) {
                    System.out.println(">>>>> TCP request honored");
                    out.writeInt(token.length);
                    out.write(token);
                    s.close();
                } else {
                    System.out.println(">>>>> UDP request honored");
                    s2.send(new DatagramPacket(token, token.length, dp.getAddress(), dp.getPort()));
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
W
weijun 已提交
1591 1592

    public static class KDCNameService implements NameServiceDescriptor {
1593 1594 1595

        public static String NOT_EXISTING_HOST = "not.existing.host";

W
weijun 已提交
1596 1597 1598 1599 1600 1601
        @Override
        public NameService createNameService() throws Exception {
            NameService ns = new NameService() {
                @Override
                public InetAddress[] lookupAllHostAddr(String host)
                        throws UnknownHostException {
1602 1603 1604 1605 1606
                    // Everything is localhost except NOT_EXISTING_HOST
                    if (NOT_EXISTING_HOST.equals(host)) {
                        throw new UnknownHostException("Unknown host name: "
                                + NOT_EXISTING_HOST);
                    }
W
weijun 已提交
1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630
                    return new InetAddress[]{
                        InetAddress.getByAddress(host, new byte[]{127,0,0,1})
                    };
                }
                @Override
                public String getHostByAddr(byte[] addr)
                        throws UnknownHostException {
                    // No reverse lookup, PrincipalName use original string
                    throw new UnknownHostException();
                }
            };
            return ns;
        }

        @Override
        public String getProviderName() {
            return "mock";
        }

        @Override
        public String getType() {
            return "ns";
        }
    }
1631 1632 1633 1634 1635 1636

    // Calling private methods thru reflections
    private static final Field getPADataField;
    private static final Field getEType;
    private static final Constructor<EncryptedData> ctorEncryptedData;
    private static final Method stringToKey;
1637
    private static final Field getAddlTkt;
1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650

    static {
        try {
            ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class);
            ctorEncryptedData.setAccessible(true);
            getPADataField = KDCReq.class.getDeclaredField("pAData");
            getPADataField.setAccessible(true);
            getEType = KDCReqBody.class.getDeclaredField("eType");
            getEType.setAccessible(true);
            stringToKey = EncryptionKey.class.getDeclaredMethod(
                    "stringToKey",
                    char[].class, String.class, byte[].class, Integer.TYPE);
            stringToKey.setAccessible(true);
1651 1652
            getAddlTkt = KDCReqBody.class.getDeclaredField("additionalTickets");
            getAddlTkt.setAccessible(true);
1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665
        } catch (NoSuchFieldException nsfe) {
            throw new AssertionError(nsfe);
        } catch (NoSuchMethodException nsme) {
            throw new AssertionError(nsme);
        }
    }
    private EncryptedData newEncryptedData(DerValue der) {
        try {
            return ctorEncryptedData.newInstance(der);
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
1666
    private static PAData[] KDCReqDotPAData(KDCReq req) {
1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690
        try {
            return (PAData[])getPADataField.get(req);
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
    private static int[] KDCReqBodyDotEType(KDCReqBody body) {
        try {
            return (int[]) getEType.get(body);
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
    private static byte[] EncryptionKeyDotStringToKey(char[] password, String salt,
            byte[] s2kparams, int keyType) throws KrbCryptoException {
        try {
            return (byte[])stringToKey.invoke(
                    null, password, salt, s2kparams, keyType);
        } catch (InvocationTargetException ex) {
            throw (KrbCryptoException)ex.getCause();
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
1691 1692 1693 1694 1695 1696 1697
    private static Ticket KDCReqBodyDotFirstAdditionalTicket(KDCReqBody body) {
        try {
            return ((Ticket[])getAddlTkt.get(body))[0];
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
W
weijun 已提交
1698
}