提交 7ec8dba2 编写于 作者: O ohair

Merge

/* /*
* Copyright 2000 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -103,11 +103,12 @@ public interface GSSName { ...@@ -103,11 +103,12 @@ public interface GSSName {
* follows: service@hostname.<p> * follows: service@hostname.<p>
* *
* It represents the following Oid value:<br> * It represents the following Oid value:<br>
* <code>{ 1(iso), 3(org), 6(dod), 1(internet), 5(security), * <code>{ iso(1) member-body(2) United
* 6(nametypes), 2(gss-host-based-services) }</code> * States(840) mit(113554) infosys(1) gssapi(2) generic(1) service_name(4)
* }</code>
*/ */
public static final Oid NT_HOSTBASED_SERVICE public static final Oid NT_HOSTBASED_SERVICE
= Oid.getInstance("1.3.6.1.5.6.2"); = Oid.getInstance("1.2.840.113554.1.2.1.4");
/** /**
* Name type to indicate a named user on a local system.<p> * Name type to indicate a named user on a local system.<p>
......
/* /*
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -89,6 +89,11 @@ public class GSSManagerImpl extends GSSManager { ...@@ -89,6 +89,11 @@ public class GSSManagerImpl extends GSSManager {
Oid[] retVal = new Oid[mechs.length]; Oid[] retVal = new Oid[mechs.length];
int pos = 0; int pos = 0;
// Compatibility with RFC 2853 old NT_HOSTBASED_SERVICE value.
if (nameType.equals(GSSNameImpl.oldHostbasedServiceName)) {
nameType = GSSName.NT_HOSTBASED_SERVICE;
}
// Iterate thru all mechs in GSS // Iterate thru all mechs in GSS
for (int i = 0; i < mechs.length; i++) { for (int i = 0; i < mechs.length; i++) {
// what nametypes does this mech support? // what nametypes does this mech support?
......
/* /*
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -81,6 +81,29 @@ import sun.security.util.DerOutputStream; ...@@ -81,6 +81,29 @@ import sun.security.util.DerOutputStream;
public class GSSNameImpl implements GSSName { public class GSSNameImpl implements GSSName {
/**
* The old Oid used in RFC 2853. Now supported as
* input parameters in:
*
* 1. The four overloaded GSSManager.createName(*) methods
* 2. GSSManager.getMechsForName(Oid)
*
* Note that even if a GSSName is created with this old Oid,
* its internal name type and getStringNameType() output are
* always the new value.
*/
final static Oid oldHostbasedServiceName;
static {
Oid tmp = null;
try {
tmp = new Oid("1.3.6.1.5.6.2");
} catch (Exception e) {
// should never happen
}
oldHostbasedServiceName = tmp;
}
private GSSManagerImpl gssManager = null; private GSSManagerImpl gssManager = null;
/* /*
...@@ -134,6 +157,9 @@ public class GSSNameImpl implements GSSName { ...@@ -134,6 +157,9 @@ public class GSSNameImpl implements GSSName {
Oid mech) Oid mech)
throws GSSException { throws GSSException {
if (oldHostbasedServiceName.equals(appNameType)) {
appNameType = GSSName.NT_HOSTBASED_SERVICE;
}
if (appName == null) if (appName == null)
throw new GSSExceptionImpl(GSSException.BAD_NAME, throw new GSSExceptionImpl(GSSException.BAD_NAME,
"Cannot import null name"); "Cannot import null name");
......
/* /*
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -66,9 +66,6 @@ public class GSSUtil { ...@@ -66,9 +66,6 @@ public class GSSUtil {
public static final Oid NT_GSS_KRB5_PRINCIPAL = public static final Oid NT_GSS_KRB5_PRINCIPAL =
GSSUtil.createOid("1.2.840.113554.1.2.2.1"); GSSUtil.createOid("1.2.840.113554.1.2.2.1");
public static final Oid NT_HOSTBASED_SERVICE2 =
GSSUtil.createOid("1.2.840.113554.1.2.1.4");
private static final String DEFAULT_HANDLER = private static final String DEFAULT_HANDLER =
"auth.login.defaultCallbackHandler"; "auth.login.defaultCallbackHandler";
......
/* /*
* Copyright 2005-2006 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2005-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -55,8 +55,7 @@ public class GSSNameElement implements GSSNameSpi { ...@@ -55,8 +55,7 @@ public class GSSNameElement implements GSSNameSpi {
static final GSSNameElement DEF_ACCEPTOR = new GSSNameElement(); static final GSSNameElement DEF_ACCEPTOR = new GSSNameElement();
private static Oid getNativeNameType(Oid nameType, GSSLibStub stub) { private static Oid getNativeNameType(Oid nameType, GSSLibStub stub) {
if (GSSUtil.NT_GSS_KRB5_PRINCIPAL.equals(nameType) || if (GSSUtil.NT_GSS_KRB5_PRINCIPAL.equals(nameType)) {
GSSName.NT_HOSTBASED_SERVICE.equals(nameType)) {
Oid[] supportedNTs = null; Oid[] supportedNTs = null;
try { try {
supportedNTs = stub.inquireNamesForMech(); supportedNTs = stub.inquireNamesForMech();
...@@ -83,15 +82,9 @@ public class GSSNameElement implements GSSNameSpi { ...@@ -83,15 +82,9 @@ public class GSSNameElement implements GSSNameSpi {
if (supportedNTs[i].equals(nameType)) return nameType; if (supportedNTs[i].equals(nameType)) return nameType;
} }
// Special handling the specified name type // Special handling the specified name type
if (GSSUtil.NT_GSS_KRB5_PRINCIPAL.equals(nameType)) { SunNativeProvider.debug("Override " + nameType +
SunNativeProvider.debug("Override " + nameType + " with mechanism default(null)");
" with mechanism default(null)"); return null; // Use mechanism specific default
return null; // Use mechanism specific default
} else {
SunNativeProvider.debug("Override " + nameType +
" with " + GSSUtil.NT_HOSTBASED_SERVICE2);
return GSSUtil.NT_HOSTBASED_SERVICE2;
}
} }
} }
return nameType; return nameType;
......
/* /*
* Copyright 2003-2009 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2003-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -50,11 +50,12 @@ import sun.security.krb5.internal.EncTicketPart; ...@@ -50,11 +50,12 @@ import sun.security.krb5.internal.EncTicketPart;
import sun.security.krb5.internal.crypto.KeyUsage; import sun.security.krb5.internal.crypto.KeyUsage;
import sun.security.jgss.krb5.Krb5Util; import sun.security.jgss.krb5.Krb5Util;
import sun.security.krb5.KrbException;
import sun.security.krb5.internal.Krb5;
import sun.security.ssl.Debug; import sun.security.ssl.Debug;
import sun.security.ssl.HandshakeInStream; import sun.security.ssl.HandshakeInStream;
import sun.security.ssl.HandshakeOutStream; import sun.security.ssl.HandshakeOutStream;
import sun.security.ssl.KerberosClientKeyExchange;
import sun.security.ssl.ProtocolVersion; import sun.security.ssl.ProtocolVersion;
/** /**
...@@ -188,7 +189,14 @@ public final class KerberosClientKeyExchangeImpl ...@@ -188,7 +189,14 @@ public final class KerberosClientKeyExchangeImpl
// See if we have the right key to decrypt the ticket to get // See if we have the right key to decrypt the ticket to get
// the session key. // the session key.
int encPartKeyType = encPart.getEType(); int encPartKeyType = encPart.getEType();
KerberosKey dkey = findKey(encPartKeyType, serverKeys); Integer encPartKeyVersion = encPart.getKeyVersionNumber();
KerberosKey dkey = null;
try {
dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
} catch (KrbException ke) { // a kvno mismatch
throw new IOException(
"Cannot find key matching version number", ke);
}
if (dkey == null) { if (dkey == null) {
// %%% Should print string repr of etype // %%% Should print string repr of etype
throw new IOException( throw new IOException(
...@@ -355,12 +363,34 @@ public final class KerberosClientKeyExchangeImpl ...@@ -355,12 +363,34 @@ public final class KerberosClientKeyExchangeImpl
return localPrincipal; return localPrincipal;
} }
private static KerberosKey findKey(int etype, KerberosKey[] keys) { /**
* Determines if a kvno matches another kvno. Used in the method
* findKey(etype, version, keys). Always returns true if either input
* is null or zero, in case any side does not have kvno info available.
*
* Note: zero is included because N/A is not a legal value for kvno
* in javax.security.auth.kerberos.KerberosKey. Therefore, the info
* that the kvno is N/A might be lost when converting between
* EncryptionKey and KerberosKey.
*/
private static boolean versionMatches(Integer v1, int v2) {
if (v1 == null || v1 == 0 || v2 == 0) {
return true;
}
return v1.equals(v2);
}
private static KerberosKey findKey(int etype, Integer version,
KerberosKey[] keys) throws KrbException {
int ktype; int ktype;
boolean etypeFound = false;
for (int i = 0; i < keys.length; i++) { for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getKeyType(); ktype = keys[i].getKeyType();
if (etype == ktype) { if (etype == ktype) {
return keys[i]; etypeFound = true;
if (versionMatches(version, keys[i].getVersionNumber())) {
return keys[i];
}
} }
} }
// Key not found. // Key not found.
...@@ -370,14 +400,20 @@ public final class KerberosClientKeyExchangeImpl ...@@ -370,14 +400,20 @@ public final class KerberosClientKeyExchangeImpl
for (int i = 0; i < keys.length; i++) { for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getKeyType(); ktype = keys[i].getKeyType();
if (ktype == EncryptedData.ETYPE_DES_CBC_CRC || if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
ktype == EncryptedData.ETYPE_DES_CBC_MD5) { ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
return new KerberosKey(keys[i].getPrincipal(), etypeFound = true;
keys[i].getEncoded(), if (versionMatches(version, keys[i].getVersionNumber())) {
etype, return new KerberosKey(keys[i].getPrincipal(),
keys[i].getVersionNumber()); keys[i].getEncoded(),
etype,
keys[i].getVersionNumber());
}
} }
} }
} }
if (etypeFound) {
throw new KrbException(Krb5.KRB_AP_ERR_BADKEYVER);
}
return null; return null;
} }
} }
/* /*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2009-2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -23,7 +23,7 @@ ...@@ -23,7 +23,7 @@
/* /*
* @test * @test
* @bug 6894643 * @bug 6894643 6913636
* @summary Test JSSE Kerberos ciphersuite * @summary Test JSSE Kerberos ciphersuite
*/ */
import java.io.*; import java.io.*;
...@@ -32,12 +32,13 @@ import javax.net.ssl.*; ...@@ -32,12 +32,13 @@ import javax.net.ssl.*;
import java.security.Principal; import java.security.Principal;
import java.util.Date; import java.util.Date;
import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSUtil;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.ktab.KeyTab;
public class SSL { public class SSL {
private static final String KRB5_CIPHER = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA"; private static final String KRB5_CIPHER = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";
private static final int LOOP_LIMIT = 1; private static final int LOOP_LIMIT = 1;
private static final char[] PASS = "secret".toCharArray();
private static int loopCount = 0; private static int loopCount = 0;
private static volatile String server; private static volatile String server;
private static volatile int port; private static volatile int port;
...@@ -54,12 +55,39 @@ public class SSL { ...@@ -54,12 +55,39 @@ public class SSL {
kdc.addPrincipal(OneKDC.USER, OneKDC.PASS); kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
kdc.addPrincipal("host/" + server, PASS);
KDC.saveConfig(OneKDC.KRB5_CONF, kdc); KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF); System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
// Add 3 versions of keys into keytab
KeyTab ktab = KeyTab.create(OneKDC.KTAB);
PrincipalName service = new PrincipalName(
"host/" + server, PrincipalName.KRB_NT_SRV_HST);
ktab.addEntry(service, "pass1".toCharArray(), 1);
ktab.addEntry(service, "pass2".toCharArray(), 2);
ktab.addEntry(service, "pass3".toCharArray(), 3);
ktab.save();
// and use the middle one as the real key
kdc.addPrincipal("host/" + server, "pass2".toCharArray());
// JAAS config entry name ssl
System.setProperty("java.security.auth.login.config", OneKDC.JAAS_CONF);
File f = new File(OneKDC.JAAS_CONF);
FileOutputStream fos = new FileOutputStream(f);
fos.write((
"ssl {\n" +
" com.sun.security.auth.module.Krb5LoginModule required\n" +
" principal=\"host/" + server + "\"\n" +
" useKeyTab=true\n" +
" keyTab=" + OneKDC.KTAB + "\n" +
" isInitiator=false\n" +
" storeKey=true;\n};\n"
).getBytes());
fos.close();
f.deleteOnExit();
final Context c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); final Context c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
final Context s = Context.fromUserPass("host/" + server, PASS, true); final Context s = Context.fromJAAS("ssl");
c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID); c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID);
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
......
/*
* Copyright 2010 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/*
* @test
* @bug 6895424
* @summary RFC 5653
*/
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSUtil;
public class Test5653 {
public static void main(String[] args)
throws Exception {
Oid oldOid = new Oid("1.3.6.1.5.6.2");
new OneKDC(null).writeJAASConf();
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
GSSManager m = GSSManager.getInstance();
boolean found = false;
// Test 1: the getMechsForName() method accepts it.
for (Oid tmp: m.getMechsForName(oldOid)) {
if (tmp.equals(GSSUtil.GSS_KRB5_MECH_OID)) {
found = true;
break;
}
}
if (!found) {
throw new Exception("Cannot found krb5 mech for old name type");
}
// Test 2: the createName() method accepts it.
GSSName name = m.createName("server@host.rabbit.hole", oldOid);
// Test 3: its getStringNameType() output is correct
if (!name.getStringNameType().equals(GSSName.NT_HOSTBASED_SERVICE)) {
throw new Exception("GSSName not correct name type");
}
// Test 4: everything still works.
GSSContext c1 = m.createContext(
name,
GSSUtil.GSS_KRB5_MECH_OID,
null,
GSSContext.DEFAULT_LIFETIME);
byte[] token = c1.initSecContext(new byte[0], 0, 0);
Context s;
s = Context.fromJAAS("server");
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
s.x().acceptSecContext(token, 0, token.length);
}
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册