From b0b89f8f4148832e3ca168b207f5552d03f935da Mon Sep 17 00:00:00 2001 
From: weijun Date: Wed, 11 Jul 2012 17:10:34 +0800 Subject: [PATCH] 6966259: Make PrincipalName and Realm immutable Reviewed-by: xuelei --- .../auth/kerberos/KerberosPrincipal.java | 33 +- .../security/jgss/krb5/Krb5NameElement.java | 6 +- .../sun/security/krb5/Credentials.java | 3 +- .../classes/sun/security/krb5/KrbApReq.java | 14 +- .../sun/security/krb5/KrbAppMessage.java | 3 +- .../classes/sun/security/krb5/KrbAsRep.java | 3 +- .../classes/sun/security/krb5/KrbAsReq.java | 7 +- .../sun/security/krb5/KrbAsReqBuilder.java | 3 - .../classes/sun/security/krb5/KrbCred.java | 11 +- .../sun/security/krb5/KrbException.java | 4 + .../classes/sun/security/krb5/KrbKdcRep.java | 18 +- .../classes/sun/security/krb5/KrbPriv.java | 9 +- .../classes/sun/security/krb5/KrbSafe.java | 9 +- .../classes/sun/security/krb5/KrbTgsRep.java | 6 +- .../classes/sun/security/krb5/KrbTgsReq.java | 5 - .../sun/security/krb5/PrincipalName.java | 354 +++++++++--------- .../classes/sun/security/krb5/Realm.java | 47 +-- .../sun/security/krb5/RealmException.java | 3 + .../sun/security/krb5/ServiceName.java | 57 --- .../sun/security/krb5/internal/ASRep.java | 3 +- .../security/krb5/internal/Authenticator.java | 9 +- .../krb5/internal/CredentialsUtil.java | 27 +- .../security/krb5/internal/EncASRepPart.java | 2 - .../security/krb5/internal/EncKDCRepPart.java | 9 +- .../security/krb5/internal/EncTGSRepPart.java | 2 - .../security/krb5/internal/EncTicketPart.java | 9 +- .../sun/security/krb5/internal/KDCRep.java | 9 +- .../security/krb5/internal/KDCReqBody.java | 23 +- .../sun/security/krb5/internal/KRBError.java | 34 +- .../security/krb5/internal/KrbCredInfo.java | 29 +- .../sun/security/krb5/internal/TGSRep.java | 3 +- .../sun/security/krb5/internal/Ticket.java | 10 +- .../internal/ccache/CCacheInputStream.java | 15 +- .../krb5/internal/ccache/Credentials.java | 25 -- .../internal/ccache/CredentialsCache.java | 4 +- .../internal/ccache/FileCredentialsCache.java | 20 +- 
.../ccache/MemoryCredentialsCache.java | 2 +- .../krb5/internal/ktab/KeyTabInputStream.java | 3 +- .../krb5/KerberosClientKeyExchangeImpl.java | 6 +- .../security/krb5/internal/tools/Kinit.java | 4 +- .../krb5/internal/tools/KinitOptions.java | 45 +-- .../security/krb5/internal/tools/Ktab.java | 6 - .../native/sun/security/krb5/NativeCreds.c | 18 +- test/sun/security/krb5/ServiceNameClone.java | 41 -- test/sun/security/krb5/auto/KDC.java | 25 +- test/sun/security/krb5/name/Constructors.java | 135 +++++++ test/sun/security/krb5/name/empty.conf | 2 + test/sun/security/krb5/name/krb5.conf | 10 + 48 files changed, 480 insertions(+), 645 deletions(-) delete mode 100644 src/share/classes/sun/security/krb5/ServiceName.java delete mode 100644 test/sun/security/krb5/ServiceNameClone.java create mode 100644 test/sun/security/krb5/name/Constructors.java create mode 100644 test/sun/security/krb5/name/empty.conf create mode 100644 test/sun/security/krb5/name/krb5.conf diff --git a/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java b/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java index 99d6593d9..cd4266bf6 100644 --- a/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java +++ b/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java @@ -26,7 +26,6 @@ package javax.security.auth.kerberos; import java.io.*; -import sun.security.krb5.Asn1Exception; import sun.security.krb5.KrbException; import sun.security.krb5.PrincipalName; import sun.security.krb5.Realm; @@ -81,14 +80,12 @@ public final class KerberosPrincipal public static final int KRB_NT_UID = 5; - private transient String fullName; private transient String realm; private transient int nameType; - private static final char NAME_REALM_SEPARATOR = '@'; /** * Constructs a KerberosPrincipal from the provided string input. The 
@@ -233,41 +230,35 @@ public final class KerberosPrincipal * realm in their DER-encoded form as specified in Section 5.2.2 of * RFC4120. */ - private void writeObject(ObjectOutputStream oos) - throws IOException { + throws IOException { - PrincipalName krb5Principal = null; + PrincipalName krb5Principal; try { - krb5Principal = new PrincipalName(fullName,nameType); + krb5Principal = new PrincipalName(fullName, nameType); oos.writeObject(krb5Principal.asn1Encode()); oos.writeObject(krb5Principal.getRealm().asn1Encode()); } catch (Exception e) { - IOException ioe = new IOException(e.getMessage()); - ioe.initCause(e); - throw ioe; + throw new IOException(e); } } /** * Reads this object from a stream (i.e., deserializes it) */ - private void readObject(ObjectInputStream ois) - throws IOException, ClassNotFoundException { + throws IOException, ClassNotFoundException { byte[] asn1EncPrincipal = (byte [])ois.readObject(); byte[] encRealm = (byte [])ois.readObject(); try { - PrincipalName krb5Principal = new PrincipalName(new - DerValue(asn1EncPrincipal)); - realm = (new Realm(new DerValue(encRealm))).toString(); - fullName = krb5Principal.toString() + NAME_REALM_SEPARATOR + - realm.toString(); + Realm realmObject = new Realm(new DerValue(encRealm)); + PrincipalName krb5Principal = new PrincipalName( + new DerValue(asn1EncPrincipal), realmObject); + realm = realmObject.toString(); + fullName = krb5Principal.toString(); nameType = krb5Principal.getNameType(); } catch (Exception e) { - IOException ioe = new IOException(e.getMessage()); - ioe.initCause(e); - throw ioe; + throw new IOException(e); } } @@ -288,9 +279,7 @@ public final class KerberosPrincipal * RFC4120. * * @return the name type. - * */ - public int getNameType() { return nameType; } diff --git a/src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java b/src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java index 1fb1bb0e6..e8b167659 100644 
--- a/src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java +++ b/src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java @@ -27,10 +27,8 @@ package sun.security.jgss.krb5; import org.ietf.jgss.*; import sun.security.jgss.spi.*; -import javax.security.auth.kerberos.*; import sun.security.krb5.PrincipalName; import sun.security.krb5.KrbException; -import sun.security.krb5.ServiceName; import java.io.UnsupportedEncodingException; import java.net.InetAddress; import java.net.UnknownHostException; @@ -119,8 +117,8 @@ public class Krb5NameElement hostName = components[1]; String principal = getHostBasedInstance(service, hostName); - principalName = new ServiceName(principal, - PrincipalName.KRB_NT_SRV_HST); + principalName = new PrincipalName(principal, + PrincipalName.KRB_NT_SRV_HST); } } diff --git a/src/share/classes/sun/security/krb5/Credentials.java b/src/share/classes/sun/security/krb5/Credentials.java index 1451910c5..bdb8f7c10 100644 --- a/src/share/classes/sun/security/krb5/Credentials.java +++ b/src/share/classes/sun/security/krb5/Credentials.java @@ -464,8 +464,7 @@ public class Credentials { System.out.println(">>> DEBUG: ----Credentials----"); System.out.println("\tclient: " + c.client.toString()); System.out.println("\tserver: " + c.server.toString()); - System.out.println("\tticket: realm: " + c.ticket.realm.toString()); - System.out.println("\t sname: " + c.ticket.sname.toString()); + System.out.println("\tticket: sname: " + c.ticket.sname.toString()); if (c.startTime != null) { System.out.println("\tstartTime: " + c.startTime.getTime()); } diff --git a/src/share/classes/sun/security/krb5/KrbApReq.java b/src/share/classes/sun/security/krb5/KrbApReq.java index 4854cd3d8..52d62c83b 100644 --- a/src/share/classes/sun/security/krb5/KrbApReq.java +++ b/src/share/classes/sun/security/krb5/KrbApReq.java 
@@ -179,7 +179,6 @@ public class KrbApReq { KrbApReq(APOptions apOptions, Ticket ticket, EncryptionKey key, - Realm crealm, PrincipalName cname, Checksum cksum, KerberosTime ctime, @@ -189,7 +188,7 @@ public class KrbApReq { throws Asn1Exception, IOException, KdcErrException, KrbCryptoException { - init(apOptions, ticket, key, crealm, cname, + init(apOptions, ticket, key, cname, cksum, ctime, subKey, seqNumber, authorizationData, KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR); @@ -208,7 +207,6 @@ public class KrbApReq { init(options, tgs_creds.ticket, tgs_creds.key, - tgs_creds.client.getRealm(), tgs_creds.client, cksum, ctime, @@ -221,7 +219,6 @@ public class KrbApReq { private void init(APOptions apOptions, Ticket ticket, EncryptionKey key, - Realm crealm, PrincipalName cname, Checksum cksum, KerberosTime ctime, @@ -232,7 +229,7 @@ public class KrbApReq { throws Asn1Exception, IOException, KdcErrException, KrbCryptoException { - createMessage(apOptions, ticket, key, crealm, cname, + createMessage(apOptions, ticket, key, cname, cksum, ctime, subKey, seqNumber, authorizationData, usage); obuf = apReqMessg.asn1Encode(); @@ -289,9 +286,6 @@ public class KrbApReq { ctime = authenticator.ctime; cusec = authenticator.cusec; authenticator.ctime.setMicroSeconds(authenticator.cusec); - authenticator.cname.setRealm(authenticator.crealm); - apReqMessg.ticket.sname.setRealm(apReqMessg.ticket.realm); - enc_ticketPart.cname.setRealm(enc_ticketPart.crealm); if (!authenticator.cname.equals(enc_ticketPart.cname)) throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH); @@ -457,7 +451,6 @@ public class KrbApReq { private void createMessage(APOptions apOptions, Ticket ticket, EncryptionKey key, - Realm crealm, PrincipalName cname, Checksum cksum, KerberosTime ctime, @@ -474,8 +467,7 @@ public class KrbApReq { seqno = new Integer(seqNumber.current()); authenticator = - new Authenticator(crealm, - cname, + new Authenticator(cname, cksum, ctime.getMicroSeconds(), ctime, 
diff --git a/src/share/classes/sun/security/krb5/KrbAppMessage.java b/src/share/classes/sun/security/krb5/KrbAppMessage.java index 32c4e3b68..cf19cf982 100644 --- a/src/share/classes/sun/security/krb5/KrbAppMessage.java +++ b/src/share/classes/sun/security/krb5/KrbAppMessage.java @@ -48,8 +48,7 @@ abstract class KrbAppMessage { HostAddress rAddress, boolean timestampRequired, boolean seqNumberRequired, - PrincipalName packetPrincipal, - Realm packetRealm) + PrincipalName packetPrincipal) throws KrbApErrException { if (!Krb5.AP_EMPTY_ADDRESSES_ALLOWED || sAddress != null) { diff --git a/src/share/classes/sun/security/krb5/KrbAsRep.java b/src/share/classes/sun/security/krb5/KrbAsRep.java index c2b0df30d..4c7b9a7bd 100644 --- a/src/share/classes/sun/security/krb5/KrbAsRep.java +++ b/src/share/classes/sun/security/krb5/KrbAsRep.java @@ -152,11 +152,10 @@ class KrbAsRep extends KrbKdcRep { DerValue encoding = new DerValue(enc_as_rep_part); EncASRepPart enc_part = new EncASRepPart(encoding); - rep.ticket.sname.setRealm(rep.ticket.realm); rep.encKDCRepPart = enc_part; ASReq req = asReq.getMessage(); - check(req, rep); + check(true, req, rep); creds = new Credentials( rep.ticket, diff --git a/src/share/classes/sun/security/krb5/KrbAsReq.java b/src/share/classes/sun/security/krb5/KrbAsReq.java index 1c2dfdf94..95d2b0d32 100644 --- a/src/share/classes/sun/security/krb5/KrbAsReq.java +++ b/src/share/classes/sun/security/krb5/KrbAsReq.java @@ -115,10 +115,8 @@ public class KrbAsReq { } if (sname == null) { - sname = new PrincipalName("krbtgt" + - PrincipalName.NAME_COMPONENT_SEPARATOR + - cname.getRealmAsString(), - PrincipalName.KRB_NT_SRV_INST); + String realm = cname.getRealmAsString(); + sname = PrincipalName.tgsService(realm, realm); } if (till == null) { @@ -128,7 +126,6 @@ public class KrbAsReq { // enc-authorization-data and additional-tickets never in AS-REQ KDCReqBody kdc_req_body = new KDCReqBody(options, cname, - cname.getRealm(), sname, from, till, 
diff --git a/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java b/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java index 23b4dd84f..ece8dff29 100644 --- a/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java +++ b/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java @@ -99,9 +99,6 @@ public final class KrbAsReqBuilder { // Called by other constructors private void init(PrincipalName cname) throws KrbException { - if (cname.getRealm() == null) { - cname.setRealm(Config.getInstance().getDefaultRealm()); - } this.cname = cname; state = State.INIT; } diff --git a/src/share/classes/sun/security/krb5/KrbCred.java b/src/share/classes/sun/security/krb5/KrbCred.java index e263640e9..7e2c645ee 100644 --- a/src/share/classes/sun/security/krb5/KrbCred.java +++ b/src/share/classes/sun/security/krb5/KrbCred.java @@ -96,12 +96,11 @@ public class KrbCred { PrincipalName princ = delegatedCreds.getClient(); Realm realm = princ.getRealm(); PrincipalName tgService = delegatedCreds.getServer(); - Realm tgsRealm = tgService.getRealm(); - KrbCredInfo credInfo = new KrbCredInfo(sessionKey, realm, + KrbCredInfo credInfo = new KrbCredInfo(sessionKey, princ, delegatedCreds.flags, delegatedCreds.authTime, delegatedCreds.startTime, delegatedCreds.endTime, - delegatedCreds.renewTill, tgsRealm, tgService, + delegatedCreds.renewTill, tgService, delegatedCreds.cAddr); timeStamp = new KerberosTime(KerberosTime.NOW); 
@@ -138,19 +137,13 @@ public class KrbCred { KrbCredInfo credInfo = encPart.ticketInfo[0]; EncryptionKey credInfoKey = credInfo.key; - Realm prealm = credInfo.prealm; - // XXX PrincipalName can store realm + principalname or - // just principal name. PrincipalName pname = credInfo.pname; - pname.setRealm(prealm); TicketFlags flags = credInfo.flags; KerberosTime authtime = credInfo.authtime; KerberosTime starttime = credInfo.starttime; KerberosTime endtime = credInfo.endtime; KerberosTime renewTill = credInfo.renewTill; - Realm srealm = credInfo.srealm; PrincipalName sname = credInfo.sname; - sname.setRealm(srealm); HostAddresses caddr = credInfo.caddr; if (DEBUG) { diff --git a/src/share/classes/sun/security/krb5/KrbException.java b/src/share/classes/sun/security/krb5/KrbException.java index 5a0b0e730..28cff004b 100644 --- a/src/share/classes/sun/security/krb5/KrbException.java +++ b/src/share/classes/sun/security/krb5/KrbException.java @@ -45,6 +45,10 @@ public class KrbException extends Exception { super(s); } + public KrbException(Throwable cause) { + super(cause); + } + public KrbException(int i) { returnCode = i; } diff --git a/src/share/classes/sun/security/krb5/KrbKdcRep.java b/src/share/classes/sun/security/krb5/KrbKdcRep.java index 78ed1f7f2..1100aadf5 100644 --- a/src/share/classes/sun/security/krb5/KrbKdcRep.java +++ b/src/share/classes/sun/security/krb5/KrbKdcRep.java 
@@ -35,28 +35,17 @@ import sun.security.krb5.internal.*; abstract class KrbKdcRep { static void check( + boolean isAsReq, KDCReq req, KDCRep rep ) throws KrbApErrException { - if (!req.reqBody.cname.equalsWithoutRealm(rep.cname)) { + if (isAsReq && !req.reqBody.cname.equals(rep.cname)) { rep.encKDCRepPart.key.destroy(); throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); } - /**** XXX - if (!req.reqBody.crealm.equals(rep.crealm)) { - rep.encKDCRepPart.key.destroy(); - throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); - } - *****/ - - if (!req.reqBody.sname.equalsWithoutRealm(rep.encKDCRepPart.sname)) { - rep.encKDCRepPart.key.destroy(); - throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); - } - - if (!req.reqBody.crealm.equals(rep.encKDCRepPart.srealm)) { + if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) { rep.encKDCRepPart.key.destroy(); throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); } @@ -73,7 +62,6 @@ abstract class KrbKdcRep { throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); } - for (int i = 1; i < 6; i++) { if (req.reqBody.kdcOptions.get(i) != rep.encKDCRepPart.flags.get(i)) { diff --git a/src/share/classes/sun/security/krb5/KrbPriv.java b/src/share/classes/sun/security/krb5/KrbPriv.java index bac278884..dc2cc0d69 100644 --- a/src/share/classes/sun/security/krb5/KrbPriv.java +++ b/src/share/classes/sun/security/krb5/KrbPriv.java @@ -89,8 +89,7 @@ class KrbPriv extends KrbAppMessage { raddr, timestampRequired, seqNumberRequired, - creds.client, - creds.client.getRealm() + creds.client ); } @@ -151,8 +150,7 @@ class KrbPriv extends KrbAppMessage { HostAddress rAddress, boolean timestampRequired, boolean seqNumberRequired, - PrincipalName cname, - Realm crealm + PrincipalName cname ) throws Asn1Exception, KdcErrException, KrbApErrException, IOException, KrbCryptoException { 
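Review bot: In check(), the new `isAsReq &&` guard means a TGS-REP's `rep.cname` is no longer compared with `req.reqBody.cname` at all, whereas the old code compared the two (without realm) for both exchanges. The practical exposure looks small, since KrbTgsRep elsewhere in this patch builds its Credentials from `req.reqBody.cname` rather than `rep.cname`, but the reason for skipping the comparison is not recorded; if a TGS-REP's cname can legitimately differ from the request body's, say so next to the guard, e.g. `// TGS-REP: cname is not compared with the request body here; <state why>`, and otherwise keep the comparison on both paths. The removed separate crealm/srealm checks are now implied by PrincipalName.equals including the realm, so a one-line comment on the `sname` comparison would make that dependency visible to the next reader.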
@@ -172,8 +170,7 @@ class KrbPriv extends KrbAppMessage { rAddress, timestampRequired, seqNumberRequired, - cname, - crealm + cname ); return enc_part.userData; diff --git a/src/share/classes/sun/security/krb5/KrbSafe.java b/src/share/classes/sun/security/krb5/KrbSafe.java index addb5c1be..18c52f361 100644 --- a/src/share/classes/sun/security/krb5/KrbSafe.java +++ b/src/share/classes/sun/security/krb5/KrbSafe.java @@ -90,8 +90,7 @@ class KrbSafe extends KrbAppMessage { raddr, timestampRequired, seqNumberRequired, - creds.client, - creds.client.getRealm() + creds.client ); } @@ -154,8 +153,7 @@ class KrbSafe extends KrbAppMessage { HostAddress rAddress, boolean timestampRequired, boolean seqNumberRequired, - PrincipalName cname, - Realm crealm + PrincipalName cname ) throws Asn1Exception, KdcErrException, KrbApErrException, IOException, KrbCryptoException { @@ -177,8 +175,7 @@ class KrbSafe extends KrbAppMessage { rAddress, timestampRequired, seqNumberRequired, - cname, - crealm + cname ); return krb_safe.safeBody.userData; diff --git a/src/share/classes/sun/security/krb5/KrbTgsRep.java b/src/share/classes/sun/security/krb5/KrbTgsRep.java index 5812894de..27fd55611 100644 --- a/src/share/classes/sun/security/krb5/KrbTgsRep.java +++ b/src/share/classes/sun/security/krb5/KrbTgsRep.java @@ -82,12 +82,11 @@ public class KrbTgsRep extends KrbKdcRep { byte[] enc_tgs_rep_part = rep.encPart.reset(enc_tgs_rep_bytes); ref = new DerValue(enc_tgs_rep_part); EncTGSRepPart enc_part = new EncTGSRepPart(ref); - rep.ticket.sname.setRealm(rep.ticket.realm); rep.encKDCRepPart = enc_part; - check(req, rep); + check(false, req, rep); - creds = new Credentials(rep.ticket, + this.creds = new Credentials(rep.ticket, req.reqBody.cname, rep.ticket.sname, enc_part.key, @@ -99,7 +98,6 @@ public class KrbTgsRep extends KrbKdcRep { enc_part.caddr ); this.rep = rep; - this.creds = creds; this.secondTicket = tgsReq.getSecondTicket(); } 
diff --git a/src/share/classes/sun/security/krb5/KrbTgsReq.java b/src/share/classes/sun/security/krb5/KrbTgsReq.java index 1021a7b10..c154ccb7c 100644 --- a/src/share/classes/sun/security/krb5/KrbTgsReq.java +++ b/src/share/classes/sun/security/krb5/KrbTgsReq.java @@ -148,7 +148,6 @@ public class KrbTgsReq { asCreds.key, ctime, princName, - princName.getRealm(), servName, from, till, @@ -214,7 +213,6 @@ public class KrbTgsReq { EncryptionKey key, KerberosTime ctime, PrincipalName cname, - Realm crealm, PrincipalName sname, KerberosTime from, KerberosTime till, @@ -273,8 +271,6 @@ public class KrbTgsReq { KDCReqBody reqBody = new KDCReqBody( kdc_options, cname, - // crealm, - sname.getRealm(), // TO sname, from, req_till, @@ -315,7 +311,6 @@ public class KrbTgsReq { new APOptions(), ticket, key, - crealm, cname, cksum, ctime, diff --git a/src/share/classes/sun/security/krb5/PrincipalName.java b/src/share/classes/sun/security/krb5/PrincipalName.java index d03e2fe30..2a1e47537 100644 --- a/src/share/classes/sun/security/krb5/PrincipalName.java +++ b/src/share/classes/sun/security/krb5/PrincipalName.java @@ -38,15 +38,25 @@ import java.util.Vector; import java.util.Locale; import java.io.IOException; import java.math.BigInteger; +import java.util.Arrays; import sun.security.krb5.internal.ccache.CCacheOutputStream; import sun.security.krb5.internal.util.KerberosString; /** - * This class encapsulates a Kerberos principal. + * Implements the ASN.1 PrincipalName type and its realm in a single class. + * + * Realm ::= KerberosString + * + * PrincipalName ::= SEQUENCE { + * name-type [0] Int32, + * name-string [1] SEQUENCE OF KerberosString + * } + * + * This class is immutable. + * @see Realm */ -public class PrincipalName - implements Cloneable { +public class PrincipalName implements Cloneable { //name types @@ -80,8 +90,6 @@ public class PrincipalName */ public static final int KRB_NT_UID = 5; - - /** * TGS Name */ 
@@ -96,98 +104,109 @@ public class PrincipalName public static final String NAME_REALM_SEPARATOR_STR = "@"; public static final String REALM_COMPONENT_SEPARATOR_STR = "."; - private int nameType; - private String[] nameStrings; // Principal names don't mutate often + // Instance fields. + + /** + * The name type, from PrincipalName's name-type field. + */ + private final int nameType; + + /** + * The name strings, from PrincipalName's name-strings field. This field + * must be neither null nor empty. Each entry of it must also be neither + * null nor empty. Make sure to clone the field when it's passed in or out. + */ + private final String[] nameStrings; + + /** + * The realm this principal belongs to. + */ + private final Realm nameRealm; // not null + + // cached default salt, not used in clone + private transient String salt = null; - private Realm nameRealm; // optional; a null realm means use default - // Note: the nameRealm is not included in the default ASN.1 encoding + // There are 3 basic constructors. All other constructors must call them. + // All basic constructors must call validateNameStrings. + // 1. From name components + // 2. From name + // 3. From DER encoding - // cached salt, might be changed by KDC info, not used in clone - private String salt = null; + /** + * Creates a PrincipalName. 
+ */ + public PrincipalName(int nameType, String[] nameStrings, Realm nameRealm) { + if (nameRealm == null) { + throw new IllegalArgumentException("Null realm not allowed"); + } + validateNameStrings(nameStrings); + this.nameType = nameType; + this.nameStrings = nameStrings.clone(); + this.nameRealm = nameRealm; + } - protected PrincipalName() { + // This method is called by Windows NativeCred.c + public PrincipalName(String[] nameParts, String realm) throws RealmException { + this(KRB_NT_UNKNOWN, nameParts, new Realm(realm)); } public PrincipalName(String[] nameParts, int type) - throws IllegalArgumentException, IOException { - if (nameParts == null) { - throw new IllegalArgumentException("Null input not allowed"); - } - nameStrings = new String[nameParts.length]; - System.arraycopy(nameParts, 0, nameStrings, 0, nameParts.length); - nameType = type; - nameRealm = null; + throws IllegalArgumentException, RealmException { + this(type, nameParts, Realm.getDefault()); } - public PrincipalName(String[] nameParts) throws IOException { - this(nameParts, KRB_NT_UNKNOWN); + // Validate a nameStrings argument + private static void validateNameStrings(String[] ns) { + if (ns == null) { + throw new IllegalArgumentException("Null nameStrings not allowed"); + } + if (ns.length == 0) { + throw new IllegalArgumentException("Empty nameStrings not allowed"); + } + for (String s: ns) { + if (s == null) { + throw new IllegalArgumentException("Null nameString not allowed"); + } + if (s.isEmpty()) { + throw new IllegalArgumentException("Empty nameString not allowed"); + } + } } public Object clone() { try { PrincipalName pName = (PrincipalName) super.clone(); - // Re-assign mutable fields - if (nameStrings != null) { - pName.nameStrings = nameStrings.clone(); - } - if (nameRealm != null) { - pName.nameRealm = (Realm)nameRealm.clone(); - } + UNSAFE.putObject(this, NAME_STRINGS_OFFSET, nameStrings.clone()); return pName; } catch (CloneNotSupportedException ex) { throw new 
AssertionError("Should never happen"); } } - /* - * Added to workaround a bug where the equals method that takes a - * PrincipalName is not being called but Object.equals(Object) is - * being called. - */ - public boolean equals(Object o) { - if (o instanceof PrincipalName) - return equals((PrincipalName)o); - else - return false; - } - - public boolean equals(PrincipalName other) { - - - if (!equalsWithoutRealm(other)) { - return false; - } - - if ((nameRealm != null && other.nameRealm == null) || - (nameRealm == null && other.nameRealm != null)) { - return false; - } - - if (nameRealm != null && other.nameRealm != null) { - if (!nameRealm.equals(other.nameRealm)) { - return false; - } + private static final long NAME_STRINGS_OFFSET; + private static final sun.misc.Unsafe UNSAFE; + static { + try { + sun.misc.Unsafe unsafe = sun.misc.Unsafe.getUnsafe(); + NAME_STRINGS_OFFSET = unsafe.objectFieldOffset( + PrincipalName.class.getDeclaredField("nameStrings")); + UNSAFE = unsafe; + } catch (ReflectiveOperationException e) { + throw new Error(e); } - - return true; } - boolean equalsWithoutRealm(PrincipalName other) { - - if ((nameStrings != null && other.nameStrings == null) || - (nameStrings == null && other.nameStrings != null)) - return false; - - if (nameStrings != null && other.nameStrings != null) { - if (nameStrings.length != other.nameStrings.length) - return false; - for (int i = 0; i < nameStrings.length; i++) - if (!nameStrings[i].equals(other.nameStrings[i])) - return false; + @Override + public boolean equals(Object o) { + if (this == o) { + return true; } - - return true; - + if (o instanceof PrincipalName) { + PrincipalName other = (PrincipalName)o; + return nameRealm.equals(other.nameRealm) && + Arrays.equals(nameStrings, other.nameStrings); + } + return false; } /** 
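Review bot: `UNSAFE.putObject(this, NAME_STRINGS_OFFSET, nameStrings.clone())` in clone() stores the fresh array into the original object, not into the copy, so `pName` still shares `nameStrings` with `this` and the defensive copy the field comment asks for never reaches the clone; it should read `UNSAFE.putObject(pName, NAME_STRINGS_OFFSET, nameStrings.clone());`. Because the three-argument constructor clones the array on the way in, the exposure is presumably limited to code that later reads the array without copying, but the intent of the line is clearly the clone. The javadoc on that constructor could also state what it enforces, e.g. `Creates a PrincipalName from its components; nameRealm must be non-null, nameStrings is validated and cloned.` The new equals() does not compare nameType (the old code did not either); hashCode is outside this hunk, so confirm it is computed from the same two fields.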
@@ -208,20 +227,23 @@ public class PrincipalName * http://www.ietf.org/rfc/rfc4120.txt. * * @param encoding a Der-encoded data. + * @param realm the realm for this name * @exception Asn1Exception if an error occurs while decoding * an ASN1 encoded data. * @exception Asn1Exception if there is an ASN1 encoding error * @exception IOException if an I/O error occurs * @exception IllegalArgumentException if encoding is null * reading encoded data. - * */ - public PrincipalName(DerValue encoding) - throws Asn1Exception, IOException { - nameRealm = null; + public PrincipalName(DerValue encoding, Realm realm) + throws Asn1Exception, IOException { + if (realm == null) { + throw new IllegalArgumentException("Null realm not allowed"); + } + nameRealm = realm; DerValue der; if (encoding == null) { - throw new IllegalArgumentException("Null input not allowed"); + throw new IllegalArgumentException("Null encoding not allowed"); } if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); @@ -243,14 +265,12 @@ public class PrincipalName DerValue subSubDer; while(subDer.getData().available() > 0) { subSubDer = subDer.getData().getDerValue(); - v.addElement(new KerberosString(subSubDer).toString()); - } - if (v.size() > 0) { - nameStrings = new String[v.size()]; - v.copyInto(nameStrings); - } else { - nameStrings = new String[] {""}; + String namePart = new KerberosString(subSubDer).toString(); + v.addElement(namePart); } + nameStrings = new String[v.size()]; + v.copyInto(nameStrings); + validateNameStrings(nameStrings); } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } 
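Review bot: `validateNameStrings(nameStrings)` at the end of the DER constructor turns a decoded name-string that is empty (or an empty SEQUENCE OF, which the old code mapped to `{""}`) into an unchecked IllegalArgumentException, and this constructor is presumably reached when KDC replies and tickets received from the network are decoded. Callers of this constructor and of parse() are declared to see Asn1Exception/IOException, so the new failure mode bypasses their handling; consider translating it, e.g. `try { validateNameStrings(nameStrings); } catch (IllegalArgumentException e) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); }`. At minimum the `@exception IllegalArgumentException` line in the javadoc of the first hunk, which still says only "if encoding is null", should also cover a null realm and invalid name strings.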
@@ -267,32 +287,35 @@ public class PrincipalName * more marshaled value. * @param explicitTag tag number. * @param optional indicate if this data field is optional - * @return an instance of PrincipalName. - * + * @param realm the realm for the name + * @return an instance of PrincipalName, or null if the + * field is optional and missing. */ public static PrincipalName parse(DerInputStream data, byte explicitTag, boolean - optional) - throws Asn1Exception, IOException { + optional, + Realm realm) + throws Asn1Exception, IOException, RealmException { if ((optional) && (((byte)data.peekByte() & (byte)0x1F) != explicitTag)) return null; DerValue der = data.getDerValue(); - if (explicitTag != (der.getTag() & (byte)0x1F)) + if (explicitTag != (der.getTag() & (byte)0x1F)) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); - else { + } else { DerValue subDer = der.getData().getDerValue(); - return new PrincipalName(subDer); + if (realm == null) { + realm = Realm.getDefault(); + } + return new PrincipalName(subDer, realm); } } - // This is protected because the definition of a principal - // string is fixed // XXX Error checkin consistent with MIT krb5_parse_name // Code repetition, realm parsed again by class Realm - protected static String[] parseName(String name) { + private static String[] parseName(String name) { Vector tempStrings = new Vector<>(); String temp = name; @@ -312,13 +335,13 @@ public class PrincipalName continue; } else { - if (componentStart < i) { + if (componentStart <= i) { component = temp.substring(componentStart, i); tempStrings.addElement(component); } componentStart = i + 1; } - } else + } else { if (temp.charAt(i) == NAME_REALM_SEPARATOR) { /* * If this separator is escaped then don't treat it @@ -337,11 +360,11 @@ public class PrincipalName break; } } + } i++; } - if (i == temp.length()) - if (componentStart < i) { + if (i == temp.length()) { component = temp.substring(componentStart, i); tempStrings.addElement(component); } 
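Review bot: parse() now substitutes `Realm.getDefault()` when `realm` is null, but the new `@param realm` line says only "the realm for the name"; make the fallback explicit: `@param realm the realm for the name, or null to use the default realm`. Reassigning the parameter also hides that fallback at a glance; a local such as `Realm r = (realm != null) ? realm : Realm.getDefault();` reads clearer. In parseName, the change from `componentStart < i` to `<=` and the dropped guard at the end mean an empty component (as in `a//b` or a trailing `/`) is now kept and, in the string constructor, rejected by validateNameStrings, which is a behaviour change worth a comment at the `<=` line, e.g. `// keep empty components so validateNameStrings can reject them`.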
@@ -351,30 +374,26 @@ public class PrincipalName return result; } - public PrincipalName(String name, int type) - throws RealmException { + /** + * Constructs a PrincipalName from a string. + * @param name the name + * @param type the type + * @param realm the realm, null if not known. Note that when realm is not + * null, it will be always used even if there is a realm part in name. When + * realm is null, will read realm part from name, or try to map a realm + * (for KRB_NT_SRV_HST), or use the default realm, or fail + * @throws RealmException + */ + public PrincipalName(String name, int type, String realm) + throws RealmException { if (name == null) { throw new IllegalArgumentException("Null name not allowed"); } String[] nameParts = parseName(name); - Realm tempRealm = null; - String realmString = Realm.parseRealmAtSeparator(name); - - if (realmString == null) { - try { - Config config = Config.getInstance(); - realmString = config.getDefaultRealm(); - } catch (KrbException e) { - RealmException re = - new RealmException(e.getMessage()); - re.initCause(e); - throw re; - } + validateNameStrings(nameParts); + if (realm == null) { + realm = Realm.parseRealmAtSeparator(name); } - - if (realmString != null) - tempRealm = new Realm(realmString); - switch (type) { case KRB_NT_SRV_HST: if (nameParts.length >= 2) { 
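Review bot: The javadoc of the new three-argument constructor says a non-null `realm` "will be always used even if there is a realm part in name", so a name such as `user@A` combined with realm `B` silently yields a principal in `B` while the realm written in the string is discarded by parseName. That is a quiet way for a caller to end up addressing a different realm than the string names; if the override is intended, consider rejecting a conflicting explicit realm, e.g. `String parsed = Realm.parseRealmAtSeparator(name); if (realm != null && parsed != null && !realm.equals(parsed)) throw new RealmException("Realm in name conflicts with explicit realm");` (hedged: whether RealmException has a String constructor is not visible here, though the removed code used one). The bare `@throws RealmException` also deserves a description, e.g. `@throws RealmException if the realm string is invalid or no realm can be determined`.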
@@ -401,18 +420,22 @@ public class PrincipalName } nameStrings = nameParts; nameType = type; + + if (realm != null) { + nameRealm = new Realm(realm); + } else { // We will try to get realm name from the mapping in // the configuration. If it is not specified // we will use the default realm. This nametype does // not allow a realm to be specified. The name string must of // the form service@host and this is internally changed into // service/host by Kerberos - - String mapRealm = mapHostToRealm(nameParts[1]); - if (mapRealm != null) { - nameRealm = new Realm(mapRealm); - } else { - nameRealm = tempRealm; + String mapRealm = mapHostToRealm(nameParts[1]); + if (mapRealm != null) { + nameRealm = new Realm(mapRealm); + } else { + nameRealm = Realm.getDefault(); + } } break; case KRB_NT_UNKNOWN: @@ -422,20 +445,34 @@ public class PrincipalName case KRB_NT_UID: nameStrings = nameParts; nameType = type; - nameRealm = tempRealm; + if (realm != null) { + nameRealm = new Realm(realm); + } else { + nameRealm = Realm.getDefault(); + } break; default: throw new IllegalArgumentException("Illegal name type"); } } + public PrincipalName(String name, int type) throws RealmException { + this(name, type, (String)null); + } + public PrincipalName(String name) throws RealmException { this(name, KRB_NT_UNKNOWN); } public PrincipalName(String name, String realm) throws RealmException { - this(name, KRB_NT_UNKNOWN); - nameRealm = new Realm(realm); + this(name, KRB_NT_UNKNOWN, realm); + } + + public static PrincipalName tgsService(String r1, String r2) + throws KrbException { + return new PrincipalName(PrincipalName.KRB_NT_SRV_INST, + new String[] {PrincipalName.TGS_DEFAULT_SRV_NAME, r1}, + new Realm(r2)); } public String getRealmAsString() { 
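Review bot: `tgsService(String r1, String r2)` gives no hint which realm goes where; from the body, `r1` becomes the second name component of `krbtgt/r1` and `r2` the realm the principal belongs to, a distinction that matters for cross-realm use. Add a javadoc such as `Returns the krbtgt/r1@r2 service principal: r1 is the realm the ticket-granting service serves, r2 the realm the principal lives in.` and consider naming the parameters after those roles. The method is declared `throws KrbException` although the only checked exception visible in its body comes from `new Realm(r2)`; if RealmException is the only one, narrowing the clause lets callers see the real failure type.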
@@ -475,29 +512,17 @@ public class PrincipalName } public String getRealmString() { - if (nameRealm != null) - return nameRealm.toString(); - return null; + return nameRealm.toString(); } public Realm getRealm() { return nameRealm; } - public void setRealm(Realm new_nameRealm) throws RealmException { - nameRealm = new_nameRealm; - } - - public void setRealm(String realmsString) throws RealmException { - nameRealm = new Realm(realmsString); - } - public String getSalt() { if (salt == null) { StringBuffer salt = new StringBuffer(); - if (nameRealm != null) { - salt.append(nameRealm.toString()); - } + salt.append(nameRealm.toString()); for (int i = 0; i < nameStrings.length; i++) { salt.append(nameStrings[i]); } @@ -513,11 +538,8 @@ public class PrincipalName str.append("/"); str.append(nameStrings[i]); } - if (nameRealm != null) { - str.append("@"); - str.append(nameRealm.toString()); - } - + str.append("@"); + str.append(nameRealm.toString()); return str.toString(); } @@ -532,7 +554,8 @@ public class PrincipalName } /** - * Encodes a PrincipalName object. + * Encodes a PrincipalName object. Note that only the type and + * names are encoded. To encode the realm, call getRealm().asn1Encode(). * @return the byte array of the encoded PrncipalName object. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. 
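Review bot: `getRealmString()` now dereferences `nameRealm` unconditionally, as do the new `getSalt()` and `toString()` lines further down, which inverts the previous contract under which a null realm was tolerated and the getter could return null. Callers across this patch drop their null checks on that basis, so the guarantee deserves a sentence in the Javadoc, e.g. `/** Returns the realm as a string; a PrincipalName always carries a realm, so this never returns null. */`, provided the `parse` overload that takes a `Realm` (outside this hunk) enforces it the way the constructors in this class now do.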
@@ -597,12 +620,10 @@ public class PrincipalName public void writePrincipal(CCacheOutputStream cos) throws IOException { cos.write32(nameType); cos.write32(nameStrings.length); - if (nameRealm != null) { - byte[] realmBytes = null; - realmBytes = nameRealm.toString().getBytes(); - cos.write32(realmBytes.length); - cos.write(realmBytes, 0, realmBytes.length); - } + byte[] realmBytes = null; + realmBytes = nameRealm.toString().getBytes(); + cos.write32(realmBytes.length); + cos.write(realmBytes, 0, realmBytes.length); byte[] bytes = null; for (int i = 0; i < nameStrings.length; i++) { bytes = nameStrings[i].getBytes(); @@ -611,31 +632,6 @@ public class PrincipalName } } - /** - * Creates a KRB_NT_SRV_INST name from the supplied - * name components and realm. - * @param primary the primary component of the name - * @param instance the instance component of the name - * @param realm the realm - * @throws KrbException - */ - protected PrincipalName(String primary, String instance, String realm, - int type) - throws KrbException { - - if (type != KRB_NT_SRV_INST) { - throw new KrbException(Krb5.KRB_ERR_GENERIC, "Bad name type"); - } - - String[] nParts = new String[2]; - nParts[0] = primary; - nParts[1] = instance; - - this.nameStrings = nParts; - this.nameRealm = new Realm(realm); - this.nameType = type; - } - /** * Returns the instance component of a name. * In a multi-component name such as a KRB_NT_SRV_INST diff --git a/src/share/classes/sun/security/krb5/Realm.java b/src/share/classes/sun/security/krb5/Realm.java index f148f8680..bfb43e757 100644 --- a/src/share/classes/sun/security/krb5/Realm.java +++ b/src/share/classes/sun/security/krb5/Realm.java 
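Review bot: `byte[] realmBytes = null;` followed by `realmBytes = nameRealm.toString().getBytes();` in `writePrincipal` splits a declaration from its only assignment for no reason; `byte[] realmBytes = nameRealm.toString().getBytes();` says the same thing. The call also still uses `getBytes()` with no charset, so the realm written to the credential cache depends on the platform default encoding; this is inherited from the removed lines and shared with the `nameStrings[i].getBytes()` loop below, so if it is tightened it should be done for both and matched on the reading side.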
@@ -46,24 +46,29 @@ import sun.security.krb5.internal.util.KerberosString; * * Realm ::= GeneralString * + * This class is immutable. */ public class Realm implements Cloneable { - private String realm; + private final String realm; // not null nor empty private static boolean DEBUG = Krb5.DEBUG; - private Realm() { - } - public Realm(String name) throws RealmException { realm = parseRealm(name); } - public Object clone() { - Realm new_realm = new Realm(); - if (realm != null) { - new_realm.realm = new String(realm); + public static Realm getDefault() throws RealmException { + try { + return new Realm(Config.getInstance().getDefaultRealm()); + } catch (RealmException re) { + throw re; + } catch (KrbException ke) { + throw new RealmException(ke); } - return new_realm; + } + + // Immutable class, no need to clone + public Object clone() { + return this; } public boolean equals(Object obj) { @@ -76,21 +81,11 @@ public class Realm implements Cloneable { } Realm that = (Realm)obj; - if (this.realm != null && that.realm != null ) { - return this.realm.equals(that.realm); - } else { - return (this.realm == null && that.realm == null); - } + return this.realm.equals(that.realm); } public int hashCode() { - int result = 17 ; - - if( realm != null ) { - result = 37 * result + realm.hashCode(); - } - - return result; + return realm.hashCode(); } /** @@ -116,6 +111,7 @@ public class Realm implements Cloneable { return realm; } + // Extract realm from a string like dummy@REALM public static String parseRealmAtSeparator(String name) throws RealmException { if (name == null) { @@ -128,8 +124,12 @@ public class Realm implements Cloneable { while (i < temp.length()) { if (temp.charAt(i) == PrincipalName.NAME_REALM_SEPARATOR) { if (i == 0 || temp.charAt(i - 1) != '\\') { - if (i + 1 < temp.length()) + if (i + 1 < temp.length()) { result = temp.substring(i + 1, temp.length()); + } else { + throw new IllegalArgumentException + ("empty realm part not allowed"); + } break; } } 
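Review bot: In `Realm.getDefault()` the `catch (RealmException re) { throw re; }` clause reads as redundant next to `catch (KrbException ke)` unless the reader knows RealmException is a subclass of KrbException (the RealmException.java hunk in this patch shows `extends KrbException`); a comment such as `// RealmException is itself a KrbException: pass it through instead of re-wrapping it` would make the intent explicit. The same hunk makes `clone()` return `this`; since the method keeps the `Object` return type, a covariant `public Realm clone()` would let callers drop the `(Realm)` casts this patch removes elsewhere without changing behaviour.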
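Review bot: The new `throw new IllegalArgumentException("empty realm part not allowed")` sits in `parseRealmAtSeparator`, which is declared `throws RealmException`, so a name such as `user@` coming from configuration or a caller now escapes as an unchecked exception past any `catch (RealmException)` — including the `PrincipalName(String, ...)` constructors in this patch, which advertise only RealmException. Unless the unchecked type is deliberate, `throw new RealmException("empty realm part not allowed");` keeps the method's declared contract; if it is deliberate, add `@throws IllegalArgumentException if the realm part after the separator is empty` to the Javadoc so callers know to expect it. A regression test for the `user@` input would pin whichever choice is made.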
@@ -219,7 +219,8 @@ public class Realm implements Cloneable {
 * @return an instance of Realm.
 *
 */
- public static Realm parse(DerInputStream data, byte explicitTag, boolean optional) throws Asn1Exception, IOException, RealmException {
+ public static Realm parse(DerInputStream data, byte explicitTag, boolean optional)
+ throws Asn1Exception, IOException, RealmException {
 if ((optional) && (((byte)data.peekByte() & (byte)0x1F) != explicitTag)) {
 return null;
 }
diff --git a/src/share/classes/sun/security/krb5/RealmException.java b/src/share/classes/sun/security/krb5/RealmException.java
index ccd7a2302..13c6caed6 100644
--- a/src/share/classes/sun/security/krb5/RealmException.java
+++ b/src/share/classes/sun/security/krb5/RealmException.java
@@ -47,4 +47,7 @@ public class RealmException extends KrbException {
 super(i,s);
 }
 
+ public RealmException(Throwable cause) {
+ super(cause);
+ }
 }
diff --git a/src/share/classes/sun/security/krb5/ServiceName.java b/src/share/classes/sun/security/krb5/ServiceName.java
deleted file mode 100644
index 7bbaff2c9..000000000
--- a/src/share/classes/sun/security/krb5/ServiceName.java
+++ /dev/null
@@ -1,57 +0,0 @@ -/* - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/* - * - * (C) Copyright IBM Corp. 1999 All Rights Reserved. - * Copyright 1997 The Open Group Research Institute. All rights reserved. - */ - -package sun.security.krb5; - -import java.net.InetAddress; -import java.net.UnknownHostException; - -public class ServiceName extends PrincipalName { - - public ServiceName(String name, int type) throws RealmException { - super(name, type); - - } - public ServiceName(String name) throws RealmException { - this(name, PrincipalName.KRB_NT_UNKNOWN); - } - - public ServiceName(String name, String realm) throws RealmException { - this(name, PrincipalName.KRB_NT_UNKNOWN); - setRealm(realm); - } - - public ServiceName (String service, String instance, String realm) - throws KrbException - { - super(service, instance, realm, PrincipalName.KRB_NT_SRV_INST); - } - -} 
diff --git a/src/share/classes/sun/security/krb5/internal/ASRep.java b/src/share/classes/sun/security/krb5/internal/ASRep.java index fd4d8cea0..063d2cc42 100644 --- a/src/share/classes/sun/security/krb5/internal/ASRep.java +++ b/src/share/classes/sun/security/krb5/internal/ASRep.java @@ -42,11 +42,10 @@ public class ASRep extends KDCRep { public ASRep( PAData[] new_pAData, - Realm new_crealm, PrincipalName new_cname, Ticket new_ticket, EncryptedData new_encPart) throws IOException { - super(new_pAData, new_crealm, new_cname, new_ticket, + super(new_pAData, new_cname, new_ticket, new_encPart, Krb5.KRB_AS_REP); } diff --git a/src/share/classes/sun/security/krb5/internal/Authenticator.java b/src/share/classes/sun/security/krb5/internal/Authenticator.java index 67f70387a..622013553 100644 --- a/src/share/classes/sun/security/krb5/internal/Authenticator.java +++ b/src/share/classes/sun/security/krb5/internal/Authenticator.java @@ -61,7 +61,6 @@ import java.math.BigInteger; public class Authenticator { public int authenticator_vno; - public Realm crealm; public PrincipalName cname; Checksum cksum; //optional public int cusec; @@ -71,7 +70,6 @@ public class Authenticator { public AuthorizationData authorizationData; //optional public Authenticator( - Realm new_crealm, PrincipalName new_cname, Checksum new_cksum, int new_cusec, @@ -80,7 +78,6 @@ public class Authenticator { Integer new_seqNumber, AuthorizationData new_authorizationData) { authenticator_vno = Krb5.AUTHNETICATOR_VNO; - crealm = new_crealm; cname = new_cname; cksum = new_cksum; cusec = new_cusec; 
@@ -131,8 +128,8 @@ public class Authenticator { if (authenticator_vno != 5) { throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION); } - crealm = Realm.parse(der.getData(), (byte) 0x01, false); - cname = PrincipalName.parse(der.getData(), (byte) 0x02, false); + Realm crealm = Realm.parse(der.getData(), (byte) 0x01, false); + cname = PrincipalName.parse(der.getData(), (byte) 0x02, false, crealm); cksum = Checksum.parse(der.getData(), (byte) 0x03, true); subDer = der.getData().getDerValue(); if ((subDer.getTag() & (byte) 0x1F) == 0x04) { @@ -180,7 +177,7 @@ public class Authenticator { DerOutputStream temp = new DerOutputStream(); temp.putInteger(BigInteger.valueOf(authenticator_vno)); v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp.toByteArray())); - v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), crealm.asn1Encode())); + v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), cname.getRealm().asn1Encode())); v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), cname.asn1Encode())); if (cksum != null) { v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), cksum.asn1Encode())); diff --git a/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java b/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java index 3b3dacb30..cb059ab22 100644 --- a/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java +++ b/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java 
@@ -72,23 +72,9 @@ rs. public static Credentials acquireServiceCreds( String service, Credentials ccreds) throws KrbException, IOException { - ServiceName sname = new ServiceName(service); + PrincipalName sname = new PrincipalName(service); String serviceRealm = sname.getRealmString(); String localRealm = ccreds.getClient().getRealmString(); - String defaultRealm = Config.getInstance().getDefaultRealm(); - - if (localRealm == null) { - PrincipalName temp = null; - if ((temp = ccreds.getServer()) != null) - localRealm = temp.getRealmString(); - } - if (localRealm == null) { - localRealm = defaultRealm; - } - if (serviceRealm == null) { - serviceRealm = localRealm; - sname.setRealm(serviceRealm); - } /* if (!localRealm.equalsIgnoreCase(serviceRealm)) { //do cross-realm auth entication @@ -128,13 +114,12 @@ rs. int i = 0, k = 0; Credentials cTgt = null, newTgt = null, theTgt = null; - ServiceName tempService = null; + PrincipalName tempService = null; String realm = null, newTgtRealm = null, theTgtRealm = null; for (cTgt = ccreds, i = 0; i < realms.length;) { - tempService = new ServiceName(PrincipalName.TGS_DEFAULT_SRV_NAME, - serviceRealm, realms[i]); + tempService = PrincipalName.tgsService(serviceRealm, realms[i]); if (DEBUG) { @@ -164,9 +149,7 @@ rs. newTgt == null && k > i; k--) { - tempService = new ServiceName( - PrincipalName.TGS_DEFAULT_SRV_NAME, - realms[k], realms[i]); + tempService = PrincipalName.tgsService(realms[k], realms[i]); if (DEBUG) { System.out.println(">>> Credentials acquireServiceCreds: inner loop: [" + k +"] tempService=" + tempService); @@ -306,7 +289,7 @@ rs. * This method does the real job to request the service credential. */ private static Credentials serviceCreds( - ServiceName service, Credentials ccreds) + PrincipalName service, Credentials ccreds) throws KrbException, IOException { return new KrbTgsReq(ccreds, service).sendAndGetCreds(); } 
diff --git a/src/share/classes/sun/security/krb5/internal/EncASRepPart.java b/src/share/classes/sun/security/krb5/internal/EncASRepPart.java index 7a8f34467..7e5d037de 100644 --- a/src/share/classes/sun/security/krb5/internal/EncASRepPart.java +++ b/src/share/classes/sun/security/krb5/internal/EncASRepPart.java @@ -46,7 +46,6 @@ public class EncASRepPart extends EncKDCRepPart { KerberosTime new_starttime, KerberosTime new_endtime, KerberosTime new_renewTill, - Realm new_srealm, PrincipalName new_sname, HostAddresses new_caddr) { super( @@ -59,7 +58,6 @@ public class EncASRepPart extends EncKDCRepPart { new_starttime, new_endtime, new_renewTill, - new_srealm, new_sname, new_caddr, Krb5.KRB_ENC_AS_REP_PART diff --git a/src/share/classes/sun/security/krb5/internal/EncKDCRepPart.java b/src/share/classes/sun/security/krb5/internal/EncKDCRepPart.java index 244af0e64..943869d60 100644 --- a/src/share/classes/sun/security/krb5/internal/EncKDCRepPart.java +++ b/src/share/classes/sun/security/krb5/internal/EncKDCRepPart.java @@ -74,7 +74,6 @@ public class EncKDCRepPart { public KerberosTime starttime; //optional public KerberosTime endtime; public KerberosTime renewTill; //optional - public Realm srealm; public PrincipalName sname; public HostAddresses caddr; //optional public int msgType; //not included in sequence @@ -89,7 +88,6 @@ public class EncKDCRepPart { KerberosTime new_starttime, KerberosTime new_endtime, KerberosTime new_renewTill, - Realm new_srealm, PrincipalName new_sname, HostAddresses new_caddr, int new_msgType) { @@ -102,7 +100,6 @@ public class EncKDCRepPart { starttime = new_starttime; endtime = new_endtime; renewTill = new_renewTill; - srealm = new_srealm; sname = new_sname; caddr = new_caddr; msgType = new_msgType; 
@@ -158,8 +155,8 @@ public class EncKDCRepPart { starttime = KerberosTime.parse(der.getData(), (byte) 0x06, true); endtime = KerberosTime.parse(der.getData(), (byte) 0x07, false); renewTill = KerberosTime.parse(der.getData(), (byte) 0x08, true); - srealm = Realm.parse(der.getData(), (byte) 0x09, false); - sname = PrincipalName.parse(der.getData(), (byte) 0x0A, false); + Realm srealm = Realm.parse(der.getData(), (byte) 0x09, false); + sname = PrincipalName.parse(der.getData(), (byte) 0x0A, false, srealm); if (der.getData().available() > 0) { caddr = HostAddresses.parse(der.getData(), (byte) 0x0B, true); } @@ -206,7 +203,7 @@ public class EncKDCRepPart { true, (byte) 0x08), renewTill.asn1Encode()); } bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, - true, (byte) 0x09), srealm.asn1Encode()); + true, (byte) 0x09), sname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x0A), sname.asn1Encode()); if (caddr != null) { diff --git a/src/share/classes/sun/security/krb5/internal/EncTGSRepPart.java b/src/share/classes/sun/security/krb5/internal/EncTGSRepPart.java index 8770bc45a..cdca881eb 100644 --- a/src/share/classes/sun/security/krb5/internal/EncTGSRepPart.java +++ b/src/share/classes/sun/security/krb5/internal/EncTGSRepPart.java @@ -45,7 +45,6 @@ public class EncTGSRepPart extends EncKDCRepPart { KerberosTime new_starttime, KerberosTime new_endtime, KerberosTime new_renewTill, - Realm new_srealm, PrincipalName new_sname, HostAddresses new_caddr) { super( @@ -58,7 +57,6 @@ public class EncTGSRepPart extends EncKDCRepPart { new_starttime, new_endtime, new_renewTill, - new_srealm, new_sname, new_caddr, Krb5.KRB_ENC_TGS_REP_PART); diff --git a/src/share/classes/sun/security/krb5/internal/EncTicketPart.java b/src/share/classes/sun/security/krb5/internal/EncTicketPart.java index 240e2d1f5..3b43f6062 100644 --- a/src/share/classes/sun/security/krb5/internal/EncTicketPart.java 
+++ b/src/share/classes/sun/security/krb5/internal/EncTicketPart.java @@ -65,7 +65,6 @@ public class EncTicketPart { public TicketFlags flags; public EncryptionKey key; - public Realm crealm; public PrincipalName cname; public TransitedEncoding transited; public KerberosTime authtime; @@ -78,7 +77,6 @@ public class EncTicketPart { public EncTicketPart( TicketFlags new_flags, EncryptionKey new_key, - Realm new_crealm, PrincipalName new_cname, TransitedEncoding new_transited, KerberosTime new_authtime, @@ -89,7 +87,6 @@ public class EncTicketPart { AuthorizationData new_authorizationData) { flags = new_flags; key = new_key; - crealm = new_crealm; cname = new_cname; transited = new_transited; authtime = new_authtime; @@ -151,8 +148,8 @@ public class EncTicketPart { } flags = TicketFlags.parse(der.getData(), (byte) 0x00, false); key = EncryptionKey.parse(der.getData(), (byte) 0x01, false); - crealm = Realm.parse(der.getData(), (byte) 0x02, false); - cname = PrincipalName.parse(der.getData(), (byte) 0x03, false); + Realm crealm = Realm.parse(der.getData(), (byte) 0x02, false); + cname = PrincipalName.parse(der.getData(), (byte) 0x03, false, crealm); transited = TransitedEncoding.parse(der.getData(), (byte) 0x04, false); authtime = KerberosTime.parse(der.getData(), (byte) 0x05, false); starttime = KerberosTime.parse(der.getData(), (byte) 0x06, true); @@ -186,7 +183,7 @@ public class EncTicketPart { bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), key.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, - true, (byte) 0x02), crealm.asn1Encode()); + true, (byte) 0x02), cname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), cname.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, diff --git a/src/share/classes/sun/security/krb5/internal/KDCRep.java b/src/share/classes/sun/security/krb5/internal/KDCRep.java index 5ff8da2e3..5c4ca1e8f 100644 
--- a/src/share/classes/sun/security/krb5/internal/KDCRep.java +++ b/src/share/classes/sun/security/krb5/internal/KDCRep.java @@ -61,7 +61,6 @@ import java.math.BigInteger; */ public class KDCRep { - public Realm crealm; public PrincipalName cname; public Ticket ticket; public EncryptedData encPart; @@ -73,7 +72,6 @@ public class KDCRep { public KDCRep( PAData[] new_pAData, - Realm new_crealm, PrincipalName new_cname, Ticket new_ticket, EncryptedData new_encPart, @@ -90,7 +88,6 @@ public class KDCRep { } } } - crealm = new_crealm; cname = new_cname; ticket = new_ticket; encPart = new_encPart; @@ -174,8 +171,8 @@ public class KDCRep { } else { pAData = null; } - crealm = Realm.parse(der.getData(), (byte) 0x03, false); - cname = PrincipalName.parse(der.getData(), (byte) 0x04, false); + Realm crealm = Realm.parse(der.getData(), (byte) 0x03, false); + cname = PrincipalName.parse(der.getData(), (byte) 0x04, false, crealm); ticket = Ticket.parse(der.getData(), (byte) 0x05, false); encPart = EncryptedData.parse(der.getData(), (byte) 0x06, false); if (der.getData().available() > 0) { @@ -212,7 +209,7 @@ public class KDCRep { true, (byte) 0x02), temp); } bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, - true, (byte) 0x03), crealm.asn1Encode()); + true, (byte) 0x03), cname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x04), cname.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, diff --git a/src/share/classes/sun/security/krb5/internal/KDCReqBody.java b/src/share/classes/sun/security/krb5/internal/KDCReqBody.java index a23d45288..83178b6cc 100644 --- a/src/share/classes/sun/security/krb5/internal/KDCReqBody.java +++ b/src/share/classes/sun/security/krb5/internal/KDCReqBody.java 
@@ -72,7 +72,6 @@ import java.math.BigInteger; public class KDCReqBody { public KDCOptions kdcOptions; public PrincipalName cname; //optional in ASReq only - public Realm crealm; public PrincipalName sname; //optional public KerberosTime from; //optional public KerberosTime till; @@ -87,7 +86,6 @@ public class KDCReqBody { public KDCReqBody( KDCOptions new_kdcOptions, PrincipalName new_cname, //optional in ASReq only - Realm new_crealm, PrincipalName new_sname, //optional KerberosTime new_from, //optional KerberosTime new_till, @@ -100,7 +98,6 @@ public class KDCReqBody { ) throws IOException { kdcOptions = new_kdcOptions; cname = new_cname; - crealm = new_crealm; sname = new_sname; from = new_from; till = new_till; @@ -142,12 +139,22 @@ public class KDCReqBody { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } kdcOptions = KDCOptions.parse(encoding.getData(), (byte)0x00, false); - cname = PrincipalName.parse(encoding.getData(), (byte)0x01, true); + + // cname only appears in AS-REQ and it shares the realm field with + // sname. This is the only place where realm comes after the name. + // We first give cname a fake realm and reassign it the correct + // realm after the realm field is read. + cname = PrincipalName.parse(encoding.getData(), (byte)0x01, true, + new Realm("PLACEHOLDER")); if ((msgType != Krb5.KRB_AS_REQ) && (cname != null)) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } - crealm = Realm.parse(encoding.getData(), (byte)0x02, false); - sname = PrincipalName.parse(encoding.getData(), (byte)0x03, true); + Realm realm = Realm.parse(encoding.getData(), (byte)0x02, false); + if (cname != null) { + cname = new PrincipalName( + cname.getNameType(), cname.getNameStrings(), realm); + } + sname = PrincipalName.parse(encoding.getData(), (byte)0x03, true, realm); from = KerberosTime.parse(encoding.getData(), (byte)0x04, true); till = KerberosTime.parse(encoding.getData(), (byte)0x05, false); rtime = KerberosTime.parse(encoding.getData(), (byte)0x06, true); 
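Review bot: `new Realm("PLACEHOLDER")` in the parse hunk is a bare magic string that is re-parsed on every decode and relies on the `if (cname != null)` branch below always replacing it; a named constant such as `private static final String REALM_PLACEHOLDER = "PLACEHOLDER";` together with the comment `// never observable: cname is rebuilt with the real realm once tag 2 has been read` would make that invariant explicit. Hoisting the `Realm` object itself into a static field is not straightforward because the constructor throws the checked RealmException, which is presumably why it is built inline.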
@@ -223,9 +230,11 @@ public class KDCReqBody { v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), cname.asn1Encode())); } } - v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x02), crealm.asn1Encode())); if (sname != null) { + v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x02), sname.getRealm().asn1Encode())); v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x03), sname.asn1Encode())); + } else if (cname != null) { + v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x02), cname.getRealm().asn1Encode())); } if (from != null) { v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x04), from.asn1Encode())); diff --git a/src/share/classes/sun/security/krb5/internal/KRBError.java b/src/share/classes/sun/security/krb5/internal/KRBError.java index a8b117ebc..f22719a2f 100644 --- a/src/share/classes/sun/security/krb5/internal/KRBError.java +++ b/src/share/classes/sun/security/krb5/internal/KRBError.java @@ -90,9 +90,7 @@ public class KRBError implements java.io.Serializable { private KerberosTime sTime; private Integer suSec; private int errorCode; - private Realm crealm; //optional private PrincipalName cname; //optional - private Realm realm; private PrincipalName sname; private String eText; //optional private byte[] eData; //optional @@ -128,9 +126,7 @@ public class KRBError implements java.io.Serializable { KerberosTime new_sTime, Integer new_suSec, int new_errorCode, - Realm new_crealm, PrincipalName new_cname, - Realm new_realm, PrincipalName new_sname, String new_eText, byte[] new_eData @@ -142,9 +138,7 @@ public class KRBError implements java.io.Serializable { sTime = new_sTime; suSec = new_suSec; errorCode = new_errorCode; - crealm = new_crealm; cname = new_cname; - realm = new_realm; sname = new_sname; eText = new_eText; eData = new_eData; 
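Review bot: In `asn1Encode`, tag 2 (the realm) is now written only when `sname` or `cname` is non-null, so a body with neither silently omits a field that this class's own `parse` reads as mandatory (`Realm.parse(..., (byte)0x02, false)`), whereas the old unconditional `crealm.asn1Encode()` at least failed loudly; if an unchecked exception is acceptable here, `else { throw new IllegalStateException("KDCReqBody needs sname or cname to supply the realm"); }` preserves that. When both names are present the realm is taken from `sname` and a differing `cname` realm is dropped without a check; the decode-side comment says the two share the field, so a one-line comment here, or an equality check, would document that assumption.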
@@ -159,9 +153,7 @@ public class KRBError implements java.io.Serializable { KerberosTime new_sTime, Integer new_suSec, int new_errorCode, - Realm new_crealm, PrincipalName new_cname, - Realm new_realm, PrincipalName new_sname, String new_eText, byte[] new_eData, @@ -174,9 +166,7 @@ public class KRBError implements java.io.Serializable { sTime = new_sTime; suSec = new_suSec; errorCode = new_errorCode; - crealm = new_crealm; cname = new_cname; - realm = new_realm; sname = new_sname; eText = new_eText; eData = new_eData; @@ -359,10 +349,10 @@ public class KRBError implements java.io.Serializable { errorCode = subDer.getData().getBigInteger().intValue(); } else throw new Asn1Exception(Krb5.ASN1_BAD_ID); - crealm = Realm.parse(der.getData(), (byte)0x07, true); - cname = PrincipalName.parse(der.getData(), (byte)0x08, true); - realm = Realm.parse(der.getData(), (byte)0x09, false); - sname = PrincipalName.parse(der.getData(), (byte)0x0A, false); + Realm crealm = Realm.parse(der.getData(), (byte)0x07, true); + cname = PrincipalName.parse(der.getData(), (byte)0x08, true, crealm); + Realm realm = Realm.parse(der.getData(), (byte)0x09, false); + sname = PrincipalName.parse(der.getData(), (byte)0x0A, false, realm); eText = null; eData = null; eCksum = null; @@ -403,15 +393,9 @@ public class KRBError implements java.io.Serializable { System.out.println("\t suSec is " + suSec); System.out.println("\t error code is " + errorCode); System.out.println("\t error Message is " + Krb5.getErrorMessage(errorCode)); - if (crealm != null) { - System.out.println("\t crealm is " + crealm.toString()); - } if (cname != null) { System.out.println("\t cname is " + cname.toString()); } - if (realm != null) { - System.out.println("\t realm is " + realm.toString()); - } if (sname != null) { System.out.println("\t sname is " + sname.toString()); } 
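Review bot: `crealm` and `cname` are parsed as independent optionals, so a KRB-ERROR carrying a cname (tag 8) without a crealm (tag 7) hands `PrincipalName.parse` a null realm; what that overload does with null is outside this hunk, but the rest of this patch makes `PrincipalName.toString()` and `getRealmString()` dereference the realm unconditionally, so an NPE in this class's debug output (`cname.toString()`) or in a later consumer is plausible. Since KRB-ERROR arrives from the network, an explicit `if (cname != null && crealm == null) throw new Asn1Exception(Krb5.ASN1_BAD_ID);` (or a confirmed rejection of a null realm inside `PrincipalName.parse`) would turn that into a clean parse failure. The same pairing appears for `prealm`/`pname` and `srealm`/`sname` in the KrbCredInfo parse hunk later in this patch.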
@@ -458,14 +442,12 @@ public class KRBError implements java.io.Serializable { temp.putInteger(BigInteger.valueOf(errorCode)); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x06), temp); - if (crealm != null) { - bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x07), crealm.asn1Encode()); - } if (cname != null) { + bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x07), cname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x08), cname.asn1Encode()); } - bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x09), realm.asn1Encode()); + bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x09), sname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x0A), sname.asn1Encode()); if (eText != null) { @@ -506,9 +488,7 @@ public class KRBError implements java.io.Serializable { isEqual(sTime, other.sTime) && isEqual(suSec, other.suSec) && errorCode == other.errorCode && - isEqual(crealm, other.crealm) && isEqual(cname, other.cname) && - isEqual(realm, other.realm) && isEqual(sname, other.sname) && isEqual(eText, other.eText) && java.util.Arrays.equals(eData, other.eData) && @@ -528,9 +508,7 @@ public class KRBError implements java.io.Serializable { if (sTime != null) result = 37 * result + sTime.hashCode(); if (suSec != null) result = 37 * result + suSec.hashCode(); result = 37 * result + errorCode; - if (crealm != null) result = 37 * result + crealm.hashCode(); if (cname != null) result = 37 * result + cname.hashCode(); - if (realm != null) result = 37 * result + realm.hashCode(); if (sname != null) result = 37 * result + sname.hashCode(); if (eText != null) result = 37 * result + eText.hashCode(); result = 37 * result + Arrays.hashCode(eData); diff --git a/src/share/classes/sun/security/krb5/internal/KrbCredInfo.java b/src/share/classes/sun/security/krb5/internal/KrbCredInfo.java index 63ebe03d3..4acf451cc 100644 
--- a/src/share/classes/sun/security/krb5/internal/KrbCredInfo.java +++ b/src/share/classes/sun/security/krb5/internal/KrbCredInfo.java @@ -63,14 +63,12 @@ import java.io.IOException; public class KrbCredInfo { public EncryptionKey key; - public Realm prealm; //optional public PrincipalName pname; //optional public TicketFlags flags; //optional public KerberosTime authtime; //optional public KerberosTime starttime; //optional public KerberosTime endtime; //optional public KerberosTime renewTill; //optional - public Realm srealm; //optional public PrincipalName sname; //optional public HostAddresses caddr; //optional @@ -79,26 +77,22 @@ public class KrbCredInfo { public KrbCredInfo( EncryptionKey new_key, - Realm new_prealm, PrincipalName new_pname, TicketFlags new_flags, KerberosTime new_authtime, KerberosTime new_starttime, KerberosTime new_endtime, KerberosTime new_renewTill, - Realm new_srealm, PrincipalName new_sname, HostAddresses new_caddr ) { key = new_key; - prealm = new_prealm; pname = new_pname; flags = new_flags; authtime = new_authtime; starttime = new_starttime; endtime = new_endtime; renewTill = new_renewTill; - srealm = new_srealm; sname = new_sname; caddr = new_caddr; } 
@@ -115,21 +109,20 @@ public class KrbCredInfo { if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } - prealm = null; pname = null; flags = null; authtime = null; starttime = null; endtime = null; renewTill = null; - srealm = null; sname = null; caddr = null; key = EncryptionKey.parse(encoding.getData(), (byte)0x00, false); + Realm prealm = null, srealm = null; if (encoding.getData().available() > 0) prealm = Realm.parse(encoding.getData(), (byte)0x01, true); if (encoding.getData().available() > 0) - pname = PrincipalName.parse(encoding.getData(), (byte)0x02, true); + pname = PrincipalName.parse(encoding.getData(), (byte)0x02, true, prealm); if (encoding.getData().available() > 0) flags = TicketFlags.parse(encoding.getData(), (byte)0x03, true); if (encoding.getData().available() > 0) @@ -143,7 +136,7 @@ public class KrbCredInfo { if (encoding.getData().available() > 0) srealm = Realm.parse(encoding.getData(), (byte)0x08, true); if (encoding.getData().available() > 0) - sname = PrincipalName.parse(encoding.getData(), (byte)0x09, true); + sname = PrincipalName.parse(encoding.getData(), (byte)0x09, true, srealm); if (encoding.getData().available() > 0) caddr = HostAddresses.parse(encoding.getData(), (byte)0x0A, true); if (encoding.getData().available() > 0) 
@@ -159,10 +152,10 @@ public class KrbCredInfo { public byte[] asn1Encode() throws Asn1Exception, IOException { Vector v = new Vector<>(); v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x00), key.asn1Encode())); - if (prealm != null) - v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), prealm.asn1Encode())); - if (pname != null) + if (pname != null) { + v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), pname.getRealm().asn1Encode())); v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x02), pname.asn1Encode())); + } if (flags != null) v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x03), flags.asn1Encode())); if (authtime != null) @@ -173,10 +166,10 @@ public class KrbCredInfo { v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x06), endtime.asn1Encode())); if (renewTill != null) v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x07), renewTill.asn1Encode())); - if (srealm != null) - v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x08), srealm.asn1Encode())); - if (sname != null) + if (sname != null) { + v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x08), sname.getRealm().asn1Encode())); v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x09), sname.asn1Encode())); + } if (caddr != null) v.addElement(new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x0A), caddr.asn1Encode())); DerValue der[] = new DerValue[v.size()]; @@ -190,8 +183,6 @@ public class KrbCredInfo { KrbCredInfo kcred = new KrbCredInfo(); kcred.key = (EncryptionKey)key.clone(); // optional fields - if (prealm != null) - kcred.prealm = (Realm)prealm.clone(); if (pname != null) kcred.pname = (PrincipalName)pname.clone(); if (flags != null) 
@@ -204,8 +195,6 @@ public class KrbCredInfo { kcred.endtime = (KerberosTime)endtime.clone(); if (renewTill != null) kcred.renewTill = (KerberosTime)renewTill.clone(); - if (srealm != null) - kcred.srealm = (Realm)srealm.clone(); if (sname != null) kcred.sname = (PrincipalName)sname.clone(); if (caddr != null) diff --git a/src/share/classes/sun/security/krb5/internal/TGSRep.java b/src/share/classes/sun/security/krb5/internal/TGSRep.java index 62bb06ed1..3defc39ad 100644 --- a/src/share/classes/sun/security/krb5/internal/TGSRep.java +++ b/src/share/classes/sun/security/krb5/internal/TGSRep.java @@ -42,12 +42,11 @@ public class TGSRep extends KDCRep { public TGSRep( PAData[] new_pAData, - Realm new_crealm, PrincipalName new_cname, Ticket new_ticket, EncryptedData new_encPart ) throws IOException { - super(new_pAData, new_crealm, new_cname, new_ticket, + super(new_pAData, new_cname, new_ticket, new_encPart, Krb5.KRB_TGS_REP); } diff --git a/src/share/classes/sun/security/krb5/internal/Ticket.java b/src/share/classes/sun/security/krb5/internal/Ticket.java index cadb334d0..0f1c3d9af 100644 --- a/src/share/classes/sun/security/krb5/internal/Ticket.java +++ b/src/share/classes/sun/security/krb5/internal/Ticket.java @@ -60,7 +60,6 @@ import java.math.BigInteger; public class Ticket implements Cloneable { public int tkt_vno; - public Realm realm; public PrincipalName sname; public EncryptedData encPart; @@ -69,7 +68,6 @@ public class Ticket implements Cloneable { public Object clone() { Ticket new_ticket = new Ticket(); - new_ticket.realm = (Realm)realm.clone(); new_ticket.sname = (PrincipalName)sname.clone(); new_ticket.encPart = (EncryptedData)encPart.clone(); new_ticket.tkt_vno = tkt_vno; @@ -77,12 +75,10 @@ public class Ticket implements Cloneable { } public Ticket( - Realm new_realm, PrincipalName new_sname, EncryptedData new_encPart ) { tkt_vno = Krb5.TICKET_VNO; - realm = new_realm; sname = new_sname; encPart = new_encPart; } 
@@ -123,8 +119,8 @@ public class Ticket implements Cloneable { tkt_vno = subDer.getData().getBigInteger().intValue(); if (tkt_vno != Krb5.TICKET_VNO) throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION); - realm = Realm.parse(der.getData(), (byte)0x01, false); - sname = PrincipalName.parse(der.getData(), (byte)0x02, false); + Realm srealm = Realm.parse(der.getData(), (byte)0x01, false); + sname = PrincipalName.parse(der.getData(), (byte)0x02, false, srealm); encPart = EncryptedData.parse(der.getData(), (byte)0x03, false); if (der.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID); @@ -142,7 +138,7 @@ public class Ticket implements Cloneable { DerValue der[] = new DerValue[4]; temp.putInteger(BigInteger.valueOf(tkt_vno)); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x00), temp); - bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), realm.asn1Encode()); + bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), sname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x02), sname.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x03), encPart.asn1Encode()); temp = new DerOutputStream(); diff --git a/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java b/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java index ef7088f37..2f35f894c 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java @@ -114,7 +114,6 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC // made public for KinitOptions to call directly public PrincipalName readPrincipal(int version) throws IOException, RealmException { int type, length, namelength, kret; - PrincipalName p; String[] pname = null; String realm; /* Read principal type */ 
@@ -144,11 +143,13 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC realm = result[0]; pname = new String[length]; System.arraycopy(result, 1, pname, 0, length); - p = new PrincipalName(pname, type); - p.setRealm(realm); + return new PrincipalName(type, pname, new Realm(realm)); + } + try { + return new PrincipalName(result, type); + } catch (RealmException re) { + return null; } - else p = new PrincipalName(result, type); - return p; } /* @@ -342,10 +343,10 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC Credentials readCred(int version) throws IOException,RealmException, KrbApErrException, Asn1Exception { PrincipalName cpname = readPrincipal(version); if (DEBUG) - System.out.println(">>>DEBUG client principal is " + cpname.toString()); + System.out.println(">>>DEBUG client principal is " + cpname); PrincipalName spname = readPrincipal(version); if (DEBUG) - System.out.println(">>>DEBUG server principal is " + spname.toString()); + System.out.println(">>>DEBUG server principal is " + spname); EncryptionKey key = readKey(version); if (DEBUG) System.out.println(">>>DEBUG key type: " + key.getEType()); diff --git a/src/share/classes/sun/security/krb5/internal/ccache/Credentials.java b/src/share/classes/sun/security/krb5/internal/ccache/Credentials.java index e040788c6..f27a1588e 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/Credentials.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/Credentials.java @@ -36,9 +36,7 @@ import sun.security.krb5.internal.*; public class Credentials { PrincipalName cname; - Realm crealm; PrincipalName sname; - Realm srealm; EncryptionKey key; KerberosTime authtime; KerberosTime starttime;//optional 
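Review bot: The new `catch (RealmException re) { return null; }` turns an unresolvable realm in a pre-v3 cache entry into a null principal even though `readPrincipal` already declares `throws RealmException`; `readCred` below stores that null into the Credentials, and the debug lines in the same method were changed from `cpname.toString()` to `cpname` apparently to tolerate it. Downstream lookups such as `sname.match(list[i].sname)` in FileCredentialsCache are not visibly null-safe, so a corrupt or realm-less entry would surface later as a NullPointerException rather than as a parse error at the point it occurred. Either let the exception propagate, or if a null return is intended for backward compatibility, document it on the method (`@return the principal, or null if a pre-v3 entry has no resolvable realm`) and make `readCred` reject a null client or server principal explicitly.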
@@ -67,15 +65,7 @@ public class Credentials { Ticket new_ticket, Ticket new_secondTicket) { cname = (PrincipalName) new_cname.clone(); - if (new_cname.getRealm() != null) { - crealm = (Realm) new_cname.getRealm().clone(); - } - sname = (PrincipalName) new_sname.clone(); - if (new_sname.getRealm() != null) { - srealm = (Realm) new_sname.getRealm().clone(); - } - key = (EncryptionKey) new_key.clone(); authtime = (KerberosTime) new_authtime.clone(); @@ -110,7 +100,6 @@ public class Credentials { { return; } - crealm = (Realm) kdcRep.crealm.clone(); cname = (PrincipalName) kdcRep.cname.clone(); ticket = (Ticket) kdcRep.ticket.clone(); key = (EncryptionKey) kdcRep.encKDCRepPart.key.clone(); @@ -123,7 +112,6 @@ public class Credentials { if (kdcRep.encKDCRepPart.renewTill != null) { renewTill = (KerberosTime) kdcRep.encKDCRepPart.renewTill.clone(); } - srealm = (Realm) kdcRep.encKDCRepPart.srealm.clone(); sname = (PrincipalName) kdcRep.encKDCRepPart.sname.clone(); caddr = (HostAddresses) kdcRep.encKDCRepPart.caddr.clone(); secondTicket = (Ticket) new_secondTicket.clone(); @@ -138,17 +126,7 @@ public class Credentials { public Credentials(KDCRep kdcRep, Ticket new_ticket) { sname = (PrincipalName) kdcRep.encKDCRepPart.sname.clone(); - srealm = (Realm) kdcRep.encKDCRepPart.srealm.clone(); - try { - sname.setRealm(srealm); - } catch (RealmException e) { - } cname = (PrincipalName) kdcRep.cname.clone(); - crealm = (Realm) kdcRep.crealm.clone(); - try { - cname.setRealm(crealm); - } catch (RealmException e) { - } key = (EncryptionKey) kdcRep.encKDCRepPart.key.clone(); authtime = (KerberosTime) kdcRep.encKDCRepPart.authtime.clone(); if (kdcRep.encKDCRepPart.starttime != null) { @@ -202,9 +180,6 @@ public class Credentials { } public PrincipalName getServicePrincipal() throws RealmException { - if (sname.getRealm() == null) { - sname.setRealm(srealm); - } return sname; } 
diff --git a/src/share/classes/sun/security/krb5/internal/ccache/CredentialsCache.java b/src/share/classes/sun/security/krb5/internal/ccache/CredentialsCache.java index 3d0511071..8c61ed395 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/CredentialsCache.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/CredentialsCache.java @@ -120,6 +120,6 @@ public abstract class CredentialsCache { public abstract void save() throws IOException, KrbException; public abstract Credentials[] getCredsList(); public abstract Credentials getDefaultCreds(); - public abstract Credentials getCreds(PrincipalName sname, Realm srealm) ; - public abstract Credentials getCreds(LoginOptions options, PrincipalName sname, Realm srealm) ; + public abstract Credentials getCreds(PrincipalName sname); + public abstract Credentials getCreds(LoginOptions options, PrincipalName sname); } diff --git a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java index 803d0ae14..c985887a1 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java @@ -59,7 +59,6 @@ public class FileCredentialsCache extends CredentialsCache public int version; public Tag tag; // optional public PrincipalName primaryPrincipal; - public Realm primaryRealm; private Vector credentialsList; private static String dir; private static boolean DEBUG = Krb5.DEBUG; @@ -79,7 +78,6 @@ public class FileCredentialsCache extends CredentialsCache } if (principal != null) { fcc.primaryPrincipal = principal; - fcc.primaryRealm = principal.getRealm(); } fcc.load(cacheName); return fcc; 
@@ -153,7 +151,6 @@ public class FileCredentialsCache extends CredentialsCache synchronized void init(PrincipalName principal, String name) throws IOException, KrbException { primaryPrincipal = principal; - primaryRealm = principal.getRealm(); CCacheOutputStream cos = new CCacheOutputStream(new FileOutputStream(name)); version = KRB5_FCC_FVNO_3; @@ -183,7 +180,6 @@ public class FileCredentialsCache extends CredentialsCache } } else primaryPrincipal = p; - primaryRealm = primaryPrincipal.getRealm(); credentialsList = new Vector (); while (cis.available() > 0) { Credentials cred = cis.readCred(version); @@ -291,18 +287,16 @@ public class FileCredentialsCache extends CredentialsCache } - public Credentials getCreds(LoginOptions options, - PrincipalName sname, Realm srealm) { + public Credentials getCreds(LoginOptions options, PrincipalName sname) { if (options == null) { - return getCreds(sname, srealm); + return getCreds(sname); } else { Credentials[] list = getCredsList(); if (list == null) { return null; } else { for (int i = 0; i < list.length; i++) { - if (sname.match(list[i].sname) && - (srealm.toString().equals(list[i].srealm.toString()))) { + if (sname.match(list[i].sname)) { if (list[i].flags.match(options)) { return list[i]; } @@ -317,16 +311,14 @@ public class FileCredentialsCache extends CredentialsCache /** * Gets a credentials for a specified service. * @param sname service principal name. - * @param srealm the realm that the service belongs to. */ - public Credentials getCreds(PrincipalName sname, Realm srealm) { + public Credentials getCreds(PrincipalName sname) { Credentials[] list = getCredsList(); if (list == null) { return null; } else { for (int i = 0; i < list.length; i++) { - if (sname.match(list[i].sname) && - (srealm.toString().equals(list[i].srealm.toString()))) { + if (sname.match(list[i].sname)) { return list[i]; } } 
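Review bot: Both `getCreds` overloads now select a cache entry on `sname.match(list[i].sname)` alone; the removed `srealm.toString().equals(list[i].srealm.toString())` comparison was the only realm check visible here, and whether `PrincipalName.match` compares realms is not shown in this diff. If `match` compares name components only, a lookup for `host/x@A` could return a cached ticket for `host/x@B`, which is a cross-realm credential mix-up rather than a cosmetic regression. Please confirm that `match` covers the realm, or keep the check explicit: `if (sname.match(list[i].sname) && sname.getRealm().equals(list[i].sname.getRealm())) {`.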
@@ -343,7 +335,7 @@ public class FileCredentialsCache extends CredentialsCache if (list[i].sname.toString().startsWith("krbtgt")) { String[] nameStrings = list[i].sname.getNameStrings(); // find the TGT for the current realm krbtgt/realm@realm - if (nameStrings[1].equals(list[i].srealm.toString())) { + if (nameStrings[1].equals(list[i].sname.getRealm().toString())) { return list[i]; } } diff --git a/src/share/classes/sun/security/krb5/internal/ccache/MemoryCredentialsCache.java b/src/share/classes/sun/security/krb5/internal/ccache/MemoryCredentialsCache.java index c01260a61..2f1f37926 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/MemoryCredentialsCache.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/MemoryCredentialsCache.java @@ -64,7 +64,7 @@ public abstract class MemoryCredentialsCache extends CredentialsCache { public abstract Credentials[] getCredsList(); - public abstract Credentials getCreds(PrincipalName sname, Realm srealm) ; + public abstract Credentials getCreds(PrincipalName sname) ; public abstract PrincipalName getPrimaryPrincipal(); diff --git a/src/share/classes/sun/security/krb5/internal/ktab/KeyTabInputStream.java b/src/share/classes/sun/security/krb5/internal/ktab/KeyTabInputStream.java index a0bbd1eb6..5f4224249 100644 --- a/src/share/classes/sun/security/krb5/internal/ktab/KeyTabInputStream.java +++ b/src/share/classes/sun/security/krb5/internal/ktab/KeyTabInputStream.java @@ -83,8 +83,7 @@ public class KeyTabInputStream extends KrbDataInputStream implements KeyTabConst } int nameType = read(4); index -= 4; - PrincipalName service = new PrincipalName(nameParts, nameType); - service.setRealm(realm); + PrincipalName service = new PrincipalName(nameType, nameParts, realm); KerberosTime timeStamp = readTimeStamp(); int keyVersion = read() & 0xff; 
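Review bot: The rewritten TGT test `nameStrings[1].equals(list[i].sname.getRealm().toString())` still indexes `nameStrings[1]` with no length check, and the surrounding `startsWith("krbtgt")` on the rendered name accepts any principal whose first component merely begins with that text, so a single-component service name such as `krbtgtx@R` would throw ArrayIndexOutOfBoundsException out of the default-credential lookup. Since the line is being touched anyway, guard it: `if (nameStrings.length == 2 && nameStrings[0].equals("krbtgt") && nameStrings[1].equals(list[i].sname.getRealm().toString())) {`. The enclosing method starts and ends outside this hunk.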
diff --git a/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java b/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java index 7e220bc06..cde473fcf 100644 --- a/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java +++ b/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java @@ -163,7 +163,7 @@ public final class KerberosClientKeyExchangeImpl EncryptedData encPart = t.encPart; PrincipalName ticketSname = t.sname; - Realm ticketRealm = t.realm; + Realm ticketRealm = t.sname.getRealm(); String serverPrincipal = serverKeys[0].getPrincipal().getName(); @@ -175,8 +175,7 @@ public final class KerberosClientKeyExchangeImpl */ // Check that ticket Sname matches serverPrincipal - String ticketPrinc = ticketSname.toString().concat("@" + - ticketRealm.toString()); + String ticketPrinc = ticketSname.toString(); if (!ticketPrinc.equals(serverPrincipal)) { if (debug != null && Debug.isOn("handshake")) System.out.println("Service principal in Ticket does not" @@ -224,7 +223,6 @@ public final class KerberosClientKeyExchangeImpl if (debug != null && Debug.isOn("handshake")) { System.out.println("server principal: " + serverPrincipal); - System.out.println("realm: " + encTicketPart.crealm.toString()); System.out.println("cname: " + encTicketPart.cname.toString()); } } catch (IOException e) { diff --git a/src/windows/classes/sun/security/krb5/internal/tools/Kinit.java b/src/windows/classes/sun/security/krb5/internal/tools/Kinit.java index 41354c88a..eb7486845 100644 --- a/src/windows/classes/sun/security/krb5/internal/tools/Kinit.java +++ b/src/windows/classes/sun/security/krb5/internal/tools/Kinit.java 
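Review bot: The service-principal check `ticketSname.toString().equals(serverPrincipal)` now depends on `PrincipalName.toString()` rendering exactly the same `name@REALM` form as `KerberosPrincipal.getName()`, where the old code appended the realm itself; any difference in escaping or component formatting between the two would make a valid ticket fail the check (fail-closed, but with only a "does not match" debug message to explain it). Comparing rendered strings for an authorization decision is also brittle; if a PrincipalName can be built from `serverPrincipal`, a structured comparison such as `if (!ticketSname.equals(new PrincipalName(serverPrincipal)))` would be more robust, though whether that constructor can throw or apply a default realm is not visible here. `ticketRealm` in the previous hunk is still assigned from `t.sname.getRealm()`; if nothing reads it after this change it can be dropped. The enclosing method starts and ends outside the hunk.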
@@ -206,9 +206,7 @@ public class Kinit { System.out.println(">>> Kinit realm name is " + realm); } - PrincipalName sname = new PrincipalName("krbtgt" + "/" + realm, - PrincipalName.KRB_NT_SRV_INST); - sname.setRealm(realm); + PrincipalName sname = PrincipalName.tgsService(realm, realm); builder.setTarget(sname); if (DEBUG) { diff --git a/src/windows/classes/sun/security/krb5/internal/tools/KinitOptions.java b/src/windows/classes/sun/security/krb5/internal/tools/KinitOptions.java index 05b674bf9..abde927cd 100644 --- a/src/windows/classes/sun/security/krb5/internal/tools/KinitOptions.java +++ b/src/windows/classes/sun/security/krb5/internal/tools/KinitOptions.java @@ -146,15 +146,6 @@ class KinitOptions { "Principal name: " + p + e.getMessage()); } - if (principal.getRealm() == null) { - String realm = - Config.getInstance().getDefault("default_realm", - "libdefaults"); - if (realm != null) { - principal.setRealm(realm); - } else throw new IllegalArgumentException("invalid " + - "Realm name"); - } } else if (this.password == null) { // Have already processed a Principal, this must be a password password = args[i].toCharArray(); @@ -175,16 +166,6 @@ class KinitOptions { } PrincipalName getDefaultPrincipal() { - String cname; - String realm = null; - try { - realm = Config.getInstance().getDefaultRealm(); - } catch (KrbException e) { - System.out.println ("Can not get default realm " + - e.getMessage()); - e.printStackTrace(); - return null; - } // get default principal name from the cachename if it is // available. @@ -204,10 +185,6 @@ class KinitOptions { } PrincipalName p = cis.readPrincipal(version); cis.close(); - String temp = p.getRealmString(); - if (temp == null) { - p.setRealm(realm); - } if (DEBUG) { System.out.println(">>>KinitOptions principal name from "+ "the cache is :" + p); 
@@ -230,19 +207,15 @@ class KinitOptions { System.out.println(">>>KinitOptions default username is :" + username); } - if (realm != null) { - try { - PrincipalName p = new PrincipalName(username); - if (p.getRealm() == null) - p.setRealm(realm); - return p; - } catch (RealmException e) { - // ignore exception , return null - if (DEBUG) { - System.out.println ("Exception in getting principal " + - "name " + e.getMessage()); - e.printStackTrace(); - } + try { + PrincipalName p = new PrincipalName(username); + return p; + } catch (RealmException e) { + // ignore exception , return null + if (DEBUG) { + System.out.println ("Exception in getting principal " + + "name " + e.getMessage()); + e.printStackTrace(); } } return null; diff --git a/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java b/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java index fe29462ad..9feacdf4d 100644 --- a/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java +++ b/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java @@ -273,9 +273,6 @@ public class Ktab { PrincipalName pname = null; try { pname = new PrincipalName(principal); - if (pname.getRealm() == null) { - pname.setRealm(Config.getInstance().getDefaultRealm()); - } } catch (KrbException e) { System.err.println("Failed to add " + principal + " to keytab."); @@ -382,9 +379,6 @@ public class Ktab { PrincipalName pname = null; try { pname = new PrincipalName(principal); - if (pname.getRealm() == null) { - pname.setRealm(Config.getInstance().getDefaultRealm()); - } if (!forced) { String answer; BufferedReader cis = diff --git a/src/windows/native/sun/security/krb5/NativeCreds.c b/src/windows/native/sun/security/krb5/NativeCreds.c index 91ed2cb84..72e5d5acb 100644 --- a/src/windows/native/sun/security/krb5/NativeCreds.c +++ b/src/windows/native/sun/security/krb5/NativeCreds.c 
@@ -67,7 +67,6 @@ jmethodID encryptionKeyConstructor = 0; jmethodID ticketFlagsConstructor = 0; jmethodID kerberosTimeConstructor = 0; jmethodID krbcredsConstructor = 0; -jmethodID setRealmMethod = 0; /* * Function prototypes for internal routines @@ -279,7 +278,7 @@ JNIEXPORT jint JNICALL JNI_OnLoad( } principalNameConstructor = (*env)->GetMethodID(env, principalNameClass, - "", "([Ljava/lang/String;)V"); + "", "([Ljava/lang/String;Ljava/lang/String;)V"); if (principalNameConstructor == 0) { printf("LSA: Couldn't find PrincipalName constructor\n"); return JNI_ERR; @@ -318,14 +317,6 @@ JNIEXPORT jint JNICALL JNI_OnLoad( printf("LSA: Found KerberosTime constructor\n"); } - // load the setRealm method in PrincipalName - setRealmMethod = (*env)->GetMethodID(env, principalNameClass, - "setRealm", "(Ljava/lang/String;)V"); - if (setRealmMethod == 0) { - printf("LSA: Couldn't find setRealm in PrincipalName\n"); - return JNI_ERR; - } - if (native_debug) { printf("LSA: Finished OnLoad processing\n"); } @@ -952,13 +943,12 @@ jobject BuildPrincipal(JNIEnv *env, PKERB_EXTERNAL_NAME principalName, // Do I have to worry about storage reclamation here? } - principal = (*env)->NewObject(env, principalNameClass, - principalNameConstructor, stringArray); - // now set the realm in the principal realmLen = (ULONG)wcslen((PWCHAR)realm); realmStr = (*env)->NewString(env, (PWCHAR)realm, (USHORT)realmLen); - (*env)->CallVoidMethod(env, principal, setRealmMethod, realmStr); + + principal = (*env)->NewObject(env, principalNameClass, + principalNameConstructor, stringArray, realmStr); // free local resources LocalFree(realm); diff --git a/test/sun/security/krb5/ServiceNameClone.java b/test/sun/security/krb5/ServiceNameClone.java deleted file mode 100644 index 81b3b0385..000000000 --- a/test/sun/security/krb5/ServiceNameClone.java +++ /dev/null 
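Review bot: `NewObject` with the two-argument `PrincipalName(String[], String)` constructor can now fail on the realm (the new Constructors test shows construction throwing for an invalid realm), and `NewString` may return NULL under memory pressure, yet BuildPrincipal proceeds straight to `LocalFree(realm)` without an `ExceptionCheck` or a NULL test on `realmStr` or `principal`. The removed `CallVoidMethod(setRealmMethod)` path had the same gap, so this is not a regression, but the rewrite is the natural place to close it: `if (realmStr == NULL || principal == NULL || (*env)->ExceptionCheck(env)) { LocalFree(realm); return NULL; }` before the normal cleanup, provided the caller already handles a NULL return. The function starts outside this hunk, so how `principal` is returned is not visible here.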
@@ -1,41 +0,0 @@ -/* - * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -/* - * @test - * @bug 6856069 - * @summary PrincipalName.clone() does not invoke super.clone() - */ - -import sun.security.krb5.ServiceName; - -public class ServiceNameClone { - public static void main(String[] args) throws Exception { - ServiceName sn = new ServiceName("me@HERE"); - if (sn.clone().getClass() != ServiceName.class) { - throw new Exception("ServiceName's clone is not a ServiceName"); - } - if (!sn.clone().equals(sn)) { - throw new Exception("ServiceName's clone changed"); - } - } -} diff --git a/test/sun/security/krb5/auto/KDC.java b/test/sun/security/krb5/auto/KDC.java index 05efabdcb..716e2fa0e 100644 --- a/test/sun/security/krb5/auto/KDC.java +++ b/test/sun/security/krb5/auto/KDC.java 
@@ -606,9 +606,8 @@ public class KDC { TGSReq tgsReq = new TGSReq(in); PrincipalName service = tgsReq.reqBody.sname; if (options.containsKey(KDC.Option.RESP_NT)) { - service = new PrincipalName(service.getNameStrings(), - (int)options.get(KDC.Option.RESP_NT)); - service.setRealm(service.getRealm()); + service = new PrincipalName((int)options.get(KDC.Option.RESP_NT), + service.getNameStrings(), service.getRealm()); } try { System.out.println(realm + "> " + tgsReq.reqBody.cname + @@ -632,7 +631,6 @@ public class KDC { EncryptedData ed = apReq.authenticator; tkt = apReq.ticket; int te = tkt.encPart.getEType(); - tkt.sname.setRealm(tkt.realm); EncryptionKey kkey = keyForUser(tkt.sname, te, true); byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET); DerInputStream derIn = new DerInputStream(bb); @@ -693,7 +691,6 @@ public class KDC { EncTicketPart enc = new EncTicketPart( tFlags, key, - etp.crealm, etp.cname, new TransitedEncoding(1, new byte[0]), // TODO new KerberosTime(new Date()), @@ -709,7 +706,6 @@ public class KDC { throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO } Ticket t = new Ticket( - body.crealm, service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) ); @@ -725,7 +721,6 @@ public class KDC { new KerberosTime(new Date()), body.from, till, body.rtime, - body.crealm, service, body.addresses != null // always set caddr ? body.addresses @@ -734,7 +729,6 @@ public class KDC { ); EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY); TGSRep tgsRep = new TGSRep(null, - etp.crealm, etp.cname, t, edata); @@ -756,8 +750,8 @@ public class KDC { new KerberosTime(new Date()), 0, ke.returnCode(), - body.crealm, body.cname, - new Realm(getRealm()), service, + body.cname, + service, KrbException.errorMessage(ke.returnCode()), null); } 
@@ -780,7 +774,6 @@ public class KDC { if (options.containsKey(KDC.Option.RESP_NT)) { service = new PrincipalName(service.getNameStrings(), (int)options.get(KDC.Option.RESP_NT)); - service.setRealm(service.getRealm()); } try { System.out.println(realm + "> " + asReq.reqBody.cname + @@ -788,7 +781,6 @@ public class KDC { service); KDCReqBody body = asReq.reqBody; - body.cname.setRealm(getRealm()); eTypes = KDCReqBodyDotEType(body); int eType = eTypes[0]; @@ -971,7 +963,6 @@ public class KDC { EncTicketPart enc = new EncTicketPart( tFlags, key, - body.crealm, body.cname, new TransitedEncoding(1, new byte[0]), new KerberosTime(new Date()), @@ -980,7 +971,6 @@ public class KDC { body.addresses, null); Ticket t = new Ticket( - body.crealm, service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) ); @@ -996,14 +986,12 @@ public class KDC { new KerberosTime(new Date()), body.from, till, body.rtime, - body.crealm, service, body.addresses ); EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART); ASRep asRep = new ASRep( outPAs.toArray(new PAData[outPAs.size()]), - body.crealm, body.cname, t, edata); @@ -1024,7 +1012,6 @@ public class KDC { asRep.encKDCRepPart = enc_part; sun.security.krb5.internal.ccache.Credentials credentials = new sun.security.krb5.internal.ccache.Credentials(asRep); - asReq.reqBody.cname.setRealm(getRealm()); CredentialsCache cache = CredentialsCache.create(asReq.reqBody.cname, ccache); if (cache == null) { @@ -1059,8 +1046,8 @@ public class KDC { new KerberosTime(new Date()), 0, ke.returnCode(), - body.crealm, body.cname, - new Realm(getRealm()), service, + body.cname, + service, KrbException.errorMessage(ke.returnCode()), eData); } diff --git a/test/sun/security/krb5/name/Constructors.java b/test/sun/security/krb5/name/Constructors.java new file mode 100644 index 000000000..71243e71c --- /dev/null +++ b/test/sun/security/krb5/name/Constructors.java 
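Review bot: The AS-REQ branch still builds the RESP_NT service as `new PrincipalName(service.getNameStrings(), (int)options.get(...))` with no realm, while the TGS-REQ branch in the previous hunk was changed to the three-argument form carrying `service.getRealm()`; with `setRealm` gone, this PrincipalName presumably picks up the configured default realm (the Constructors test shows a bare name resolving to the default realm) instead of the requested service's realm, so a RESP_NT test against a non-default realm would mint a ticket for the wrong realm. Align it with the TGS path: `service = new PrincipalName((int)options.get(KDC.Option.RESP_NT), service.getNameStrings(), service.getRealm());`.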
@@ -0,0 +1,135 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ +/* + * @test + * @bug 6966259 + * @summary Make PrincipalName and Realm immutable + * @run main/othervm Constructors + */ + +import java.util.Arrays; +import sun.security.krb5.*; + +public class Constructors { + public static void main(String[] args) throws Exception { + + int type; + boolean testNoDefaultDomain; + + // Part 1: on format + + // Good ones + type = PrincipalName.KRB_NT_UNKNOWN; + checkName("a", type, "R", "R", "a"); + checkName("a@R2", type, "R", "R", "a"); + checkName("a/b", type, "R", "R", "a", "b"); + checkName("a/b@R2", type, "R", "R", "a", "b"); + checkName("a/b/c", type, "R", "R", "a", "b", "c"); + checkName("a/b/c@R2", type, "R", "R", "a", "b", "c"); + // Weird ones + checkName("a\\/b", type, "R", "R", "a/b"); + checkName("a\\/b\\/c", type, "R", "R", "a/b/c"); + checkName("a\\/b\\@R2", type, "R", "R", "a/b@R2"); + // Bad ones + checkName("a", type, "", null); + checkName("a/", type, "R", null); + checkName("/a", type, "R", null); + checkName("a//b", type, "R", null); + checkName("a@", type, null, null); + type = PrincipalName.KRB_NT_SRV_HST; + + // Part 2: on realm choices + + // When there is no default realm + System.setProperty("java.security.krb5.conf", + System.getProperty("test.src", ".") + "/empty.conf"); + Config.refresh(); + + // A Windows client login to AD always has a default realm + try { + Realm r = Realm.getDefault(); + System.out.println("testNoDefaultDomain = false. Realm is " + r); + testNoDefaultDomain = false; + } catch (RealmException re) { + // Great. 
This is what we expected + testNoDefaultDomain = true; + } + + if (testNoDefaultDomain) { + type = PrincipalName.KRB_NT_UNKNOWN; + checkName("a", type, "R1", "R1", "a"); // arg + checkName("a@R1", type, null, "R1", "a"); // or r in name + checkName("a@R2", type, "R1", "R1", "a"); // arg over r + checkName("a", type, null, null); // fail if none + checkName("a/b@R1", type, null, "R1", "a", "b"); + type = PrincipalName.KRB_NT_SRV_HST; + // Let's pray "b.h" won't be canonicalized + checkName("a/b.h", type, "R1", "R1", "a", "b.h"); // arg + checkName("a/b.h@R1", type, null, "R1", "a", "b.h"); // or r in name + checkName("a/b.h@R1", type, "R2", "R2", "a", "b.h"); // arg over r + checkName("a/b.h", type, null, null); // fail if none + } + + // When there is default realm + System.setProperty("java.security.krb5.conf", + System.getProperty("test.src", ".") + "/krb5.conf"); + Config.refresh(); + + type = PrincipalName.KRB_NT_UNKNOWN; + checkName("a", type, "R1", "R1", "a"); // arg + checkName("a@R1", type, null, "R1", "a"); // or r in name + checkName("a@R2", type, "R1", "R1", "a"); // arg over r + checkName("a", type, null, "R", "a"); // default + checkName("a/b", type, null, "R", "a", "b"); + type = PrincipalName.KRB_NT_SRV_HST; + checkName("a/b.h3", type, "R1", "R1", "a", "b.h3"); // arg + checkName("a/b.h@R1", type, null, "R1", "a", "b.h"); // or r in name + checkName("a/b.h3@R2", type, "R1", "R1", "a", "b.h3"); // arg over r + checkName("a/b.h2", type, "R1", "R1", "a", "b.h2"); // arg over map + checkName("a/b.h2@R1", type, null, "R1", "a", "b.h2"); // r over map + checkName("a/b.h2", type, null, "R2", "a", "b.h2"); // map + checkName("a/b.h", type, null, "R", "a", "b.h"); // default + } + + // Check if the creation matches the expected output. + // Note: realm == null means creation failure + static void checkName(String n, int t, String s, + String realm, String... 
parts) + throws Exception { + PrincipalName pn = null; + try { + pn = new PrincipalName(n, t, s); + } catch (Exception e) { + if (realm == null) { + return; // This is expected + } else { + throw e; + } + } + if (!pn.getRealmAsString().equals(realm) + || !Arrays.equals(pn.getNameStrings(), parts)) { + throw new Exception(pn.toString() + " vs " + + Arrays.toString(parts) + "@" + realm); + } + } +} diff --git a/test/sun/security/krb5/name/empty.conf b/test/sun/security/krb5/name/empty.conf new file mode 100644 index 000000000..e11f6e345 --- /dev/null +++ b/test/sun/security/krb5/name/empty.conf @@ -0,0 +1,2 @@ +[libdefaults] +dns_fallback = false diff --git a/test/sun/security/krb5/name/krb5.conf b/test/sun/security/krb5/name/krb5.conf new file mode 100644 index 000000000..e9c340549 --- /dev/null +++ b/test/sun/security/krb5/name/krb5.conf @@ -0,0 +1,10 @@ +[libdefaults] +default_realm = R + +[realms] +R = { + kdc = kdc +} + +[domain_realm] +.h2 = R2 -- GitLab
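Review bot: `checkName` treats any `Exception` from `new PrincipalName(n, t, s)` as the expected failure when `realm == null`, so a NullPointerException or ArrayIndexOutOfBoundsException in the parser would make the "Bad ones" cases pass instead of fail; catching the narrowest type the constructor declares (`} catch (RealmException e) {`, if that is its only checked exception) pins the contract the commit is actually testing. In Part 1 the trailing `type = PrincipalName.KRB_NT_SRV_HST;` is a dead assignment, since Part 2 reassigns `type` before using it, and no host-based name is exercised against the "Weird ones" escaping rules; either add such a case or drop the line. A short comment on `checkName("a", type, "", null)` explaining that an empty realm argument must be rejected would make that expectation explicit.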