提交 b226215c 编写于 作者: A andrew

8229951: Better Ticket Granting Services

Reviewed-by: mbalao
上级 4bb32bc1
...@@ -69,6 +69,7 @@ public class Checksum { ...@@ -69,6 +69,7 @@ public class Checksum {
// draft-brezak-win2k-krb-rc4-hmac-04.txt // draft-brezak-win2k-krb-rc4-hmac-04.txt
public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138; public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138;
// default checksum type, -1 if not set
static int CKSUMTYPE_DEFAULT; static int CKSUMTYPE_DEFAULT;
static int SAFECKSUMTYPE_DEFAULT; static int SAFECKSUMTYPE_DEFAULT;
...@@ -83,26 +84,19 @@ public class Checksum { ...@@ -83,26 +84,19 @@ public class Checksum {
try { try {
cfg = Config.getInstance(); cfg = Config.getInstance();
temp = cfg.get("libdefaults", "default_checksum"); temp = cfg.get("libdefaults", "default_checksum");
if (temp != null) if (temp != null) {
{
CKSUMTYPE_DEFAULT = Config.getType(temp); CKSUMTYPE_DEFAULT = Config.getType(temp);
} else { } else {
/* CKSUMTYPE_DEFAULT = -1;
* If the default checksum is not
* specified in the configuration we
* set it to RSA_MD5. We follow the MIT and
* SEAM implementation.
*/
CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
} }
} catch (Exception exc) { } catch (Exception exc) {
if (DEBUG) { if (DEBUG) {
System.out.println("Exception in getting default checksum "+ System.out.println("Exception in getting default checksum "+
"value from the configuration " + "value from the configuration. " +
"Setting default checksum to be RSA-MD5"); "No default checksum set.");
exc.printStackTrace(); exc.printStackTrace();
} }
CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5; CKSUMTYPE_DEFAULT = -1;
} }
...@@ -112,117 +106,100 @@ public class Checksum { ...@@ -112,117 +106,100 @@ public class Checksum {
{ {
SAFECKSUMTYPE_DEFAULT = Config.getType(temp); SAFECKSUMTYPE_DEFAULT = Config.getType(temp);
} else { } else {
SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES; SAFECKSUMTYPE_DEFAULT = -1;
} }
} catch (Exception exc) { } catch (Exception exc) {
if (DEBUG) { if (DEBUG) {
System.out.println("Exception in getting safe default " + System.out.println("Exception in getting safe default " +
"checksum value " + "checksum value " +
"from the configuration Setting " + "from the configuration Setting. " +
"safe default checksum to be RSA-MD5"); "No safe default checksum set.");
exc.printStackTrace(); exc.printStackTrace();
} }
SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES; SAFECKSUMTYPE_DEFAULT = -1;
} }
} }
/** /**
* Constructs a new Checksum using the raw data and type. * Constructs a new Checksum using the raw data and type.
*
* This constructor is only used by Authenticator Checksum
* {@link sun.security.jgss.krb5.InitialToken.OverloadedChecksum}
* where the checksum type must be 0x8003
* (see https://tools.ietf.org/html/rfc4121#section-4.1.1)
* and checksum field/value is used to convey service flags,
* channel bindings, and optional delegation information.
* This special type does NOT have a {@link CksumType} and has its
* own calculating and verification rules. It does has the same
* ASN.1 encoding though.
*
* @data the byte array of checksum. * @data the byte array of checksum.
* @new_cksumType the type of checksum. * @new_cksumType the type of checksum.
*
*/ */
// used in InitialToken
public Checksum(byte[] data, int new_cksumType) { public Checksum(byte[] data, int new_cksumType) {
cksumType = new_cksumType; cksumType = new_cksumType;
checksum = data; checksum = data;
} }
/** /**
* Constructs a new Checksum by calculating the checksum over the data * Constructs a new Checksum by calculating over the data using
* using specified checksum type. * the specified checksum type. If the checksum is unkeyed, key
* @new_cksumType the type of checksum. * and usage are ignored.
* @data the data that needs to be performed a checksum calculation on. *
*/ * @param new_cksumType the type of checksum. If set to -1, the
public Checksum(int new_cksumType, byte[] data) * {@linkplain EType#checksumType() mandatory checksum type}
throws KdcErrException, KrbCryptoException { * for the encryption type of {@code key} will be used
* @param data the data that needs to be performed a checksum calculation on
cksumType = new_cksumType; * @param key the key used by a keyed checksum
CksumType cksumEngine = CksumType.getInstance(cksumType); * @param usage the usage used by a keyed checksum
if (!cksumEngine.isSafe()) {
checksum = cksumEngine.calculateChecksum(data, data.length);
} else {
throw new KdcErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
}
}
/**
* Constructs a new Checksum by calculating the keyed checksum
* over the data using specified checksum type.
* @new_cksumType the type of checksum.
* @data the data that needs to be performed a checksum calculation on.
*/ */
// KrbSafe, KrbTgsReq
public Checksum(int new_cksumType, byte[] data, public Checksum(int new_cksumType, byte[] data,
EncryptionKey key, int usage) EncryptionKey key, int usage)
throws KdcErrException, KrbApErrException, KrbCryptoException { throws KdcErrException, KrbApErrException, KrbCryptoException {
if (new_cksumType == -1) {
cksumType = EType.getInstance(key.getEType()).checksumType();
} else {
cksumType = new_cksumType; cksumType = new_cksumType;
CksumType cksumEngine = CksumType.getInstance(cksumType); }
if (!cksumEngine.isSafe()) checksum = CksumType.getInstance(cksumType).calculateChecksum(
throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM); data, data.length, key.getBytes(), usage);
checksum =
cksumEngine.calculateKeyedChecksum(data,
data.length,
key.getBytes(),
usage);
} }
/** /**
* Verifies the keyed checksum over the data passed in. * Verifies the keyed checksum over the data passed in.
*/ */
public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key, public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key, int usage)
int usage)
throws KdcErrException, KrbApErrException, KrbCryptoException { throws KdcErrException, KrbApErrException, KrbCryptoException {
CksumType cksumEngine = CksumType.getInstance(cksumType); CksumType cksumEngine = CksumType.getInstance(cksumType);
if (!cksumEngine.isSafe()) if (!cksumEngine.isKeyed()) {
throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM); throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
return cksumEngine.verifyKeyedChecksum(data,
data.length,
key.getBytes(),
checksum,
usage);
}
// =============== ATTENTION! Use with care ==================
// According to https://tools.ietf.org/html/rfc3961#section-6.1,
// An unkeyed checksum should only be used "in limited circumstances
// where the lack of a key does not provide a window for an attack,
// preferably as part of an encrypted message".
public boolean verifyAnyChecksum(byte[] data, EncryptionKey key,
int usage)
throws KdcErrException, KrbCryptoException {
CksumType cksumEngine = CksumType.getInstance(cksumType);
if (!cksumEngine.isSafe()) {
return cksumEngine.verifyChecksum(data, checksum);
} else { } else {
return cksumEngine.verifyKeyedChecksum(data, return cksumEngine.verifyChecksum(
data.length, data, data.length, key.getBytes(), checksum, usage);
key.getBytes(),
checksum,
usage);
} }
} }
/*
public Checksum(byte[] data) throws KdcErrException, KrbCryptoException { /**
this(Checksum.CKSUMTYPE_DEFAULT, data); * Verifies the checksum over the data passed in. The checksum might
} * be a keyed or not.
*
* =============== ATTENTION! Use with care ==================
* According to https://tools.ietf.org/html/rfc3961#section-6.1,
* An unkeyed checksum should only be used "in limited circumstances
* where the lack of a key does not provide a window for an attack,
* preferably as part of an encrypted message".
*/ */
public boolean verifyAnyChecksum(byte[] data, EncryptionKey key, int usage)
throws KdcErrException, KrbCryptoException {
return CksumType.getInstance(cksumType).verifyChecksum(
data, data.length, key.getBytes(), checksum, usage);
}
boolean isEqual(Checksum cksum) throws KdcErrException { boolean isEqual(Checksum cksum) throws KdcErrException {
if (cksumType != cksum.cksumType) if (cksumType != cksum.cksumType) {
return false; return false;
CksumType cksumEngine = CksumType.getInstance(cksumType); }
return CksumType.isChecksumEqual(checksum, cksum.checksum); return CksumType.isChecksumEqual(checksum, cksum.checksum);
} }
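Review bot: The merged constructor `Checksum(int new_cksumType, byte[] data, EncryptionKey key, int usage)` no longer rejects unkeyed types. The old guard `if (!cksumEngine.isSafe()) throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM)` is removed, and the new Javadoc says key and usage are simply ignored for an unkeyed checksum. The removed comment names KrbSafe and KrbTgsReq as callers, so a configuration that sets `CKSUMTYPE_DEFAULT` or `SAFECKSUMTYPE_DEFAULT` to an unkeyed type (CRC32, RSA-MD5) would presumably now produce a checksum anyone can recompute where the KrbSafe path used to fail; that is worth confirming against those callers, which are outside this hunk. Suggest adding to the Javadoc `Callers that need integrity protection must check CksumType.isKeyed() on the resulting type`, plus a note that `key` must be non-null when `new_cksumType` is -1, since `key.getEType()` is dereferenced on that branch.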
......
...@@ -320,26 +320,8 @@ public class KrbTgsReq { ...@@ -320,26 +320,8 @@ public class KrbTgsReq {
byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ); byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ);
// if the checksum type is one of the keyed checksum types, // if the checksum type is one of the keyed checksum types,
// use session key. // use session key.
Checksum cksum; Checksum cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
switch (Checksum.CKSUMTYPE_DEFAULT) {
case Checksum.CKSUMTYPE_RSA_MD4_DES:
case Checksum.CKSUMTYPE_DES_MAC:
case Checksum.CKSUMTYPE_DES_MAC_K:
case Checksum.CKSUMTYPE_RSA_MD4_DES_K:
case Checksum.CKSUMTYPE_RSA_MD5_DES:
case Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD:
case Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR:
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128:
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
KeyUsage.KU_PA_TGS_REQ_CKSUM); KeyUsage.KU_PA_TGS_REQ_CKSUM);
break;
case Checksum.CKSUMTYPE_CRC32:
case Checksum.CKSUMTYPE_RSA_MD4:
case Checksum.CKSUMTYPE_RSA_MD5:
default:
cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp);
}
// Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR // Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR
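Review bot: The comment `// if the checksum type is one of the keyed checksum types, use session key.` kept above the new call is stale, because the switch it described is gone and `key` is now passed unconditionally. With `Checksum.CKSUMTYPE_DEFAULT` being -1 when nothing is configured, the type is chosen from the key's encryption type inside the constructor. Suggest replacing it with `// CKSUMTYPE_DEFAULT is -1 unless default_checksum is configured; the constructor then picks the mandatory checksum type of the key's etype. An unkeyed type ignores the key.` The enclosing method starts and ends outside the hunk.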
......
/* /*
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -133,6 +133,7 @@ public class PAForUserEnc { ...@@ -133,6 +133,7 @@ public class PAForUserEnc {
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), name.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), name.getRealm().asn1Encode());
try { try {
// MS-SFU 2.2.1: use hmac-md5 checksum regardless of key type
Checksum cks = new Checksum( Checksum cks = new Checksum(
Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR, Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR,
getS4UByteArray(), getS4UByteArray(),
......
/* /*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -31,10 +31,7 @@ ...@@ -31,10 +31,7 @@
package sun.security.krb5.internal.crypto; package sun.security.krb5.internal.crypto;
import sun.security.krb5.Config;
import sun.security.krb5.Checksum; import sun.security.krb5.Checksum;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.KrbException;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
...@@ -81,6 +78,7 @@ public abstract class CksumType { ...@@ -81,6 +78,7 @@ public abstract class CksumType {
cksumTypeName = cksumTypeName =
"sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType"; "sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType";
break; break;
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256: case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
cksumType = new HmacSha1Aes256CksumType(); cksumType = new HmacSha1Aes256CksumType();
cksumTypeName = cksumTypeName =
...@@ -117,32 +115,11 @@ public abstract class CksumType { ...@@ -117,32 +115,11 @@ public abstract class CksumType {
return cksumType; return cksumType;
} }
/**
* Returns default checksum type.
*/
public static CksumType getInstance() throws KdcErrException {
// this method provided for Kerberos applications.
int cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
try {
Config c = Config.getInstance();
if ((cksumType = (Config.getType(c.get("libdefaults",
"ap_req_checksum_type")))) == - 1) {
if ((cksumType = Config.getType(c.get("libdefaults",
"checksum_type"))) == -1) {
cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
}
}
} catch (KrbException e) {
}
return getInstance(cksumType);
}
public abstract int confounderSize(); public abstract int confounderSize();
public abstract int cksumType(); public abstract int cksumType();
public abstract boolean isSafe(); public abstract boolean isKeyed();
public abstract int cksumSize(); public abstract int cksumSize();
...@@ -150,18 +127,12 @@ public abstract class CksumType { ...@@ -150,18 +127,12 @@ public abstract class CksumType {
public abstract int keySize(); public abstract int keySize();
public abstract byte[] calculateChecksum(byte[] data, int size) // Note: key and usage will be ignored for an unkeyed checksum.
throws KrbCryptoException; public abstract byte[] calculateChecksum(byte[] data, int size,
public abstract byte[] calculateKeyedChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException; byte[] key, int usage) throws KrbCryptoException;
public boolean verifyChecksum(byte[] data, byte[] checksum) // Note: key and usage will be ignored for an unkeyed checksum.
throws KrbCryptoException { public abstract boolean verifyChecksum(byte[] data, int size,
throw new UnsupportedOperationException("Not supported");
}
public abstract boolean verifyKeyedChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException; byte[] key, byte[] checksum, int usage) throws KrbCryptoException;
public static boolean isChecksumEqual(byte[] cksum1, byte[] cksum2) { public static boolean isChecksumEqual(byte[] cksum1, byte[] cksum2) {
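Review bot: `isKeyed()` and the unified `verifyChecksum(data, size, key, checksum, usage)` carry only a one-line comment, yet together they are now the whole contract callers depend on. A `true` from `verifyChecksum` on a type whose `isKeyed()` is false says nothing about who produced the data. Suggest Javadoc on both, for example on `verifyChecksum`: `Returns true if checksum matches data. For an unkeyed type, key and usage are ignored, so a match does not authenticate the sender; check isKeyed() first when authenticity is required.` It would also help to state whether implementations must honour `size`, because the subclasses changed in this commit do not treat it uniformly.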
......
...@@ -32,7 +32,6 @@ package sun.security.krb5.internal.crypto; ...@@ -32,7 +32,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.*; import sun.security.krb5.*;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import java.util.zip.CRC32;
public class Crc32CksumType extends CksumType { public class Crc32CksumType extends CksumType {
...@@ -47,7 +46,7 @@ public class Crc32CksumType extends CksumType { ...@@ -47,7 +46,7 @@ public class Crc32CksumType extends CksumType {
return Checksum.CKSUMTYPE_CRC32; return Checksum.CKSUMTYPE_CRC32;
} }
public boolean isSafe() { public boolean isKeyed() {
return false; return false;
} }
...@@ -63,18 +62,15 @@ public class Crc32CksumType extends CksumType { ...@@ -63,18 +62,15 @@ public class Crc32CksumType extends CksumType {
return 0; return 0;
} }
public byte[] calculateChecksum(byte[] data, int size) { public byte[] calculateChecksum(byte[] data, int size,
return crc32.byte2crc32sum_bytes(data, size);
}
public byte[] calculateKeyedChecksum(byte[] data, int size,
byte[] key, int usage) { byte[] key, int usage) {
return null; return crc32.byte2crc32sum_bytes(data, size);
} }
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) { byte[] key, byte[] checksum, int usage) {
return false; return CksumType.isChecksumEqual(checksum,
crc32.byte2crc32sum_bytes(data));
} }
public static byte[] int2quad(long input) { public static byte[] int2quad(long input) {
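Review bot: The new `verifyChecksum` ignores its `size` argument and calls `crc32.byte2crc32sum_bytes(data)`, while `calculateChecksum` just above hashes `(data, size)`, so the two disagree whenever a caller passes a size smaller than `data.length`. Using `crc32.byte2crc32sum_bytes(data, size)` in the verify path keeps them symmetric. The same pattern appears in `DesMacKCksumType.verifyChecksum`, which passes `data.length` to `calculateChecksum`, and in `RsaMd5CksumType.verifyChecksum`, which digests all of `data`. Note also that the replaced `verifyKeyedChecksum` returned false unconditionally, so CRC32 checksums now verify successfully on any path that does not gate on `isKeyed()`; a comment here saying that a CRC32 match is error detection only, not authentication, would make that explicit.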
......
...@@ -53,7 +53,7 @@ public class DesCbcCrcEType extends DesCbcEType { ...@@ -53,7 +53,7 @@ public class DesCbcCrcEType extends DesCbcEType {
} }
public int checksumType() { public int checksumType() {
return Checksum.CKSUMTYPE_CRC32; return Checksum.CKSUMTYPE_RSA_MD5;
} }
public int checksumSize() { public int checksumSize() {
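Review bot: `checksumType()` now returns `Checksum.CKSUMTYPE_RSA_MD5`, which is still an unkeyed type (`RsaMd5CksumType.isKeyed()` returns false in this commit). Because `Checksum` now resolves a type of -1 through `EType.checksumType()`, this value becomes the effective default for any DES-CBC-CRC key when `default_checksum` is not configured. A short comment stating why an unkeyed type is returned here, and whether a keyed one such as `CKSUMTYPE_RSA_MD5_DES` was considered, would help the next reader, e.g. `// unkeyed: callers must not rely on this checksum alone for integrity`.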
......
...@@ -49,7 +49,7 @@ public class DesMacCksumType extends CksumType { ...@@ -49,7 +49,7 @@ public class DesMacCksumType extends CksumType {
return Checksum.CKSUMTYPE_DES_MAC; return Checksum.CKSUMTYPE_DES_MAC;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -65,10 +65,6 @@ public class DesMacCksumType extends CksumType { ...@@ -65,10 +65,6 @@ public class DesMacCksumType extends CksumType {
return 8; return 8;
} }
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/** /**
* Calculates keyed checksum. * Calculates keyed checksum.
* @param data the data used to generate the checksum. * @param data the data used to generate the checksum.
...@@ -78,7 +74,7 @@ public class DesMacCksumType extends CksumType { ...@@ -78,7 +74,7 @@ public class DesMacCksumType extends CksumType {
* *
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
byte[] new_data = new byte[size + confounderSize()]; byte[] new_data = new byte[size + confounderSize()];
byte[] conf = Confounder.bytes(confounderSize()); byte[] conf = Confounder.bytes(confounderSize());
...@@ -130,7 +126,7 @@ public class DesMacCksumType extends CksumType { ...@@ -130,7 +126,7 @@ public class DesMacCksumType extends CksumType {
* *
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
byte[] cksum = decryptKeyedChecksum(checksum, key); byte[] cksum = decryptKeyedChecksum(checksum, key);
......
...@@ -48,7 +48,7 @@ public class DesMacKCksumType extends CksumType { ...@@ -48,7 +48,7 @@ public class DesMacKCksumType extends CksumType {
return Checksum.CKSUMTYPE_DES_MAC_K; return Checksum.CKSUMTYPE_DES_MAC_K;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -64,10 +64,6 @@ public class DesMacKCksumType extends CksumType { ...@@ -64,10 +64,6 @@ public class DesMacKCksumType extends CksumType {
return 8; return 8;
} }
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/** /**
* Calculates keyed checksum. * Calculates keyed checksum.
* @param data the data used to generate the checksum. * @param data the data used to generate the checksum.
...@@ -77,7 +73,7 @@ public class DesMacKCksumType extends CksumType { ...@@ -77,7 +73,7 @@ public class DesMacKCksumType extends CksumType {
* *
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
//check for weak keys //check for weak keys
try { try {
...@@ -93,9 +89,9 @@ public class DesMacKCksumType extends CksumType { ...@@ -93,9 +89,9 @@ public class DesMacKCksumType extends CksumType {
return cksum; return cksum;
} }
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
byte[] new_cksum = calculateKeyedChecksum(data, data.length, key, usage); byte[] new_cksum = calculateChecksum(data, data.length, key, usage);
return isChecksumEqual(checksum, new_cksum); return isChecksumEqual(checksum, new_cksum);
} }
......
/* /*
* Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto; ...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum; import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
/** /**
...@@ -51,7 +49,7 @@ public class HmacMd5ArcFourCksumType extends CksumType { ...@@ -51,7 +49,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR; return Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -67,10 +65,6 @@ public class HmacMd5ArcFourCksumType extends CksumType { ...@@ -67,10 +65,6 @@ public class HmacMd5ArcFourCksumType extends CksumType {
return 16; // bytes return 16; // bytes
} }
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/** /**
* Calculates keyed checksum. * Calculates keyed checksum.
* @param data the data used to generate the checksum. * @param data the data used to generate the checksum.
...@@ -78,7 +72,7 @@ public class HmacMd5ArcFourCksumType extends CksumType { ...@@ -78,7 +72,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
* @param key the key used to encrypt the checksum. * @param key the key used to encrypt the checksum.
* @return keyed checksum. * @return keyed checksum.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
try { try {
...@@ -98,7 +92,7 @@ public class HmacMd5ArcFourCksumType extends CksumType { ...@@ -98,7 +92,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
* @param checksum * @param checksum
* @return true if verification is successful. * @return true if verification is successful.
*/ */
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try { try {
......
/* /*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto; ...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum; import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
/* /*
...@@ -51,7 +49,7 @@ public class HmacSha1Aes128CksumType extends CksumType { ...@@ -51,7 +49,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128; return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -67,10 +65,6 @@ public class HmacSha1Aes128CksumType extends CksumType { ...@@ -67,10 +65,6 @@ public class HmacSha1Aes128CksumType extends CksumType {
return 16; // bytes return 16; // bytes
} }
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/** /**
* Calculates keyed checksum. * Calculates keyed checksum.
* @param data the data used to generate the checksum. * @param data the data used to generate the checksum.
...@@ -78,7 +72,7 @@ public class HmacSha1Aes128CksumType extends CksumType { ...@@ -78,7 +72,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
* @param key the key used to encrypt the checksum. * @param key the key used to encrypt the checksum.
* @return keyed checksum. * @return keyed checksum.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
try { try {
...@@ -98,7 +92,7 @@ public class HmacSha1Aes128CksumType extends CksumType { ...@@ -98,7 +92,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
* @param checksum * @param checksum
* @return true if verification is successful. * @return true if verification is successful.
*/ */
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try { try {
......
/* /*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto; ...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum; import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
/* /*
...@@ -51,7 +49,7 @@ public class HmacSha1Aes256CksumType extends CksumType { ...@@ -51,7 +49,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256; return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -67,10 +65,6 @@ public class HmacSha1Aes256CksumType extends CksumType { ...@@ -67,10 +65,6 @@ public class HmacSha1Aes256CksumType extends CksumType {
return 32; // bytes return 32; // bytes
} }
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/** /**
* Calculates keyed checksum. * Calculates keyed checksum.
* @param data the data used to generate the checksum. * @param data the data used to generate the checksum.
...@@ -78,7 +72,7 @@ public class HmacSha1Aes256CksumType extends CksumType { ...@@ -78,7 +72,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
* @param key the key used to encrypt the checksum. * @param key the key used to encrypt the checksum.
* @return keyed checksum. * @return keyed checksum.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
try { try {
...@@ -98,7 +92,7 @@ public class HmacSha1Aes256CksumType extends CksumType { ...@@ -98,7 +92,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
* @param checksum * @param checksum
* @return true if verification is successful. * @return true if verification is successful.
*/ */
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try { try {
......
/* /*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto; ...@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum; import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
public class HmacSha1Des3KdCksumType extends CksumType { public class HmacSha1Des3KdCksumType extends CksumType {
...@@ -45,7 +43,7 @@ public class HmacSha1Des3KdCksumType extends CksumType { ...@@ -45,7 +43,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD; return Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -61,10 +59,6 @@ public class HmacSha1Des3KdCksumType extends CksumType { ...@@ -61,10 +59,6 @@ public class HmacSha1Des3KdCksumType extends CksumType {
return 24; // bytes return 24; // bytes
} }
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/** /**
* Calculates keyed checksum. * Calculates keyed checksum.
* @param data the data used to generate the checksum. * @param data the data used to generate the checksum.
...@@ -72,7 +66,7 @@ public class HmacSha1Des3KdCksumType extends CksumType { ...@@ -72,7 +66,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
* @param key the key used to encrypt the checksum. * @param key the key used to encrypt the checksum.
* @return keyed checksum. * @return keyed checksum.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
try { try {
...@@ -92,7 +86,7 @@ public class HmacSha1Des3KdCksumType extends CksumType { ...@@ -92,7 +86,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
* @param checksum * @param checksum
* @return true if verification is successful. * @return true if verification is successful.
*/ */
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try { try {
......
...@@ -33,8 +33,6 @@ import sun.security.krb5.Checksum; ...@@ -33,8 +33,6 @@ import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
public final class RsaMd5CksumType extends CksumType { public final class RsaMd5CksumType extends CksumType {
...@@ -49,7 +47,7 @@ public final class RsaMd5CksumType extends CksumType { ...@@ -49,7 +47,7 @@ public final class RsaMd5CksumType extends CksumType {
return Checksum.CKSUMTYPE_RSA_MD5; return Checksum.CKSUMTYPE_RSA_MD5;
} }
public boolean isSafe() { public boolean isKeyed() {
return false; return false;
} }
...@@ -74,7 +72,8 @@ public final class RsaMd5CksumType extends CksumType { ...@@ -74,7 +72,8 @@ public final class RsaMd5CksumType extends CksumType {
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{ public byte[] calculateChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException{
MessageDigest md5; MessageDigest md5;
byte[] result = null; byte[] result = null;
try { try {
...@@ -91,18 +90,9 @@ public final class RsaMd5CksumType extends CksumType { ...@@ -91,18 +90,9 @@ public final class RsaMd5CksumType extends CksumType {
return result; return result;
} }
public byte[] calculateKeyedChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException {
return null;
}
public boolean verifyKeyedChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
return false;
}
@Override @Override
public boolean verifyChecksum(byte[] data, byte[] checksum) public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage)
throws KrbCryptoException { throws KrbCryptoException {
try { try {
byte[] calculated = MessageDigest.getInstance("MD5").digest(data); byte[] calculated = MessageDigest.getInstance("MD5").digest(data);
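Review bot: The new five-argument `verifyChecksum` takes `size`, but the visible line digests the whole `data` array, so a caller passing a buffer longer than `size` would have the digest computed over bytes it did not mean to cover. Feeding only the first `size` bytes keeps verification aligned with the declared length: `MessageDigest md5 = MessageDigest.getInstance("MD5"); md5.update(data, 0, size); byte[] calculated = md5.digest();`. `key` and `usage` are also ignored here, which matches `isKeyed()` returning false, but a Javadoc line saying so would help, for example `key and usage are ignored; this type is unkeyed and gives no integrity protection against an active attacker.` The rest of the method body is outside the hunk.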
......
...@@ -33,12 +33,8 @@ import sun.security.krb5.Checksum; ...@@ -33,12 +33,8 @@ import sun.security.krb5.Checksum;
import sun.security.krb5.Confounder; import sun.security.krb5.Confounder;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.DESKeySpec; import javax.crypto.spec.DESKeySpec;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
public final class RsaMd5DesCksumType extends CksumType { public final class RsaMd5DesCksumType extends CksumType {
...@@ -54,7 +50,7 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -54,7 +50,7 @@ public final class RsaMd5DesCksumType extends CksumType {
return Checksum.CKSUMTYPE_RSA_MD5_DES; return Checksum.CKSUMTYPE_RSA_MD5_DES;
} }
public boolean isSafe() { public boolean isKeyed() {
return true; return true;
} }
...@@ -79,7 +75,7 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -79,7 +75,7 @@ public final class RsaMd5DesCksumType extends CksumType {
* *
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key, public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException { int usage) throws KrbCryptoException {
//prepend confounder //prepend confounder
byte[] new_data = new byte[size + confounderSize()]; byte[] new_data = new byte[size + confounderSize()];
...@@ -88,7 +84,7 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -88,7 +84,7 @@ public final class RsaMd5DesCksumType extends CksumType {
System.arraycopy(data, 0, new_data, confounderSize(), size); System.arraycopy(data, 0, new_data, confounderSize(), size);
//calculate md5 cksum //calculate md5 cksum
byte[] mdc_cksum = calculateChecksum(new_data, new_data.length); byte[] mdc_cksum = calculateRawChecksum(new_data, new_data.length);
byte[] cksum = new byte[cksumSize()]; byte[] cksum = new byte[cksumSize()];
System.arraycopy(conf, 0, cksum, 0, confounderSize()); System.arraycopy(conf, 0, cksum, 0, confounderSize());
System.arraycopy(mdc_cksum, 0, cksum, confounderSize(), System.arraycopy(mdc_cksum, 0, cksum, confounderSize(),
...@@ -125,7 +121,7 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -125,7 +121,7 @@ public final class RsaMd5DesCksumType extends CksumType {
* *
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public boolean verifyKeyedChecksum(byte[] data, int size, public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException { byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
//decrypt checksum //decrypt checksum
byte[] cksum = decryptKeyedChecksum(checksum, key); byte[] cksum = decryptKeyedChecksum(checksum, key);
...@@ -135,7 +131,7 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -135,7 +131,7 @@ public final class RsaMd5DesCksumType extends CksumType {
System.arraycopy(cksum, 0, new_data, 0, confounderSize()); System.arraycopy(cksum, 0, new_data, 0, confounderSize());
System.arraycopy(data, 0, new_data, confounderSize(), size); System.arraycopy(data, 0, new_data, confounderSize(), size);
byte[] new_cksum = calculateChecksum(new_data, new_data.length); byte[] new_cksum = calculateRawChecksum(new_data, new_data.length);
//extract original cksum value //extract original cksum value
byte[] orig_cksum = new byte[cksumSize() - confounderSize()]; byte[] orig_cksum = new byte[cksumSize() - confounderSize()];
System.arraycopy(cksum, confounderSize(), orig_cksum, 0, System.arraycopy(cksum, confounderSize(), orig_cksum, 0,
...@@ -181,7 +177,7 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -181,7 +177,7 @@ public final class RsaMd5DesCksumType extends CksumType {
* *
* @modified by Yanni Zhang, 12/08/99. * @modified by Yanni Zhang, 12/08/99.
*/ */
public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{ private byte[] calculateRawChecksum(byte[] data, int size) throws KrbCryptoException{
MessageDigest md5; MessageDigest md5;
byte[] result = null; byte[] result = null;
try { try {
...@@ -197,5 +193,4 @@ public final class RsaMd5DesCksumType extends CksumType { ...@@ -197,5 +193,4 @@ public final class RsaMd5DesCksumType extends CksumType {
} }
return result; return result;
} }
} }
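Review bot: In the renamed `verifyChecksum`, the buffer returned by `decryptKeyedChecksum(checksum, key)` is copied with `System.arraycopy` using `confounderSize()` and `cksumSize()` as lengths, and no check of its length is visible in these hunks. If the supplied checksum decrypts to fewer than `cksumSize()` bytes, the copy would presumably fail with an unchecked `ArrayIndexOutOfBoundsException` rather than a clean rejection. A guard right after the decrypt would make malformed input an ordinary verification failure: `if (cksum.length < cksumSize()) return false;`. A few lines of the method lie between the two hunks and are not shown, so confirm the check is not already there.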
...@@ -726,7 +726,7 @@ public class KDC { ...@@ -726,7 +726,7 @@ public class KDC {
* @return the key * @return the key
* @throws sun.security.krb5.KrbException for unknown/unsupported etype * @throws sun.security.krb5.KrbException for unknown/unsupported etype
*/ */
private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server) EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
throws KrbException { throws KrbException {
try { try {
// Do not call EncryptionKey.acquireSecretKeys(), otherwise // Do not call EncryptionKey.acquireSecretKeys(), otherwise
...@@ -797,7 +797,7 @@ public class KDC { ...@@ -797,7 +797,7 @@ public class KDC {
int e2 = eTypes[0]; // etype for outgoing session key int e2 = eTypes[0]; // etype for outgoing session key
int e3 = eTypes[0]; // etype for outgoing ticket int e3 = eTypes[0]; // etype for outgoing ticket
PAData[] pas = KDCReqDotPAData(tgsReq); PAData[] pas = tgsReq.pAData;
Ticket tkt = null; Ticket tkt = null;
EncTicketPart etp = null; EncTicketPart etp = null;
...@@ -828,7 +828,6 @@ public class KDC { ...@@ -828,7 +828,6 @@ public class KDC {
for (PAData pa: pas) { for (PAData pa: pas) {
if (pa.getType() == Krb5.PA_TGS_REQ) { if (pa.getType() == Krb5.PA_TGS_REQ) {
APReq apReq = new APReq(pa.getValue()); APReq apReq = new APReq(pa.getValue());
EncryptedData ed = apReq.authenticator;
tkt = apReq.ticket; tkt = apReq.ticket;
int te = tkt.encPart.getEType(); int te = tkt.encPart.getEType();
EncryptionKey kkey = keyForUser(tkt.sname, te, true); EncryptionKey kkey = keyForUser(tkt.sname, te, true);
...@@ -1282,7 +1281,7 @@ public class KDC { ...@@ -1282,7 +1281,7 @@ public class KDC {
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray())); outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
} }
PAData[] inPAs = KDCReqDotPAData(asReq); PAData[] inPAs = asReq.pAData;
List<PAData> enc_outPAs = new ArrayList<>(); List<PAData> enc_outPAs = new ArrayList<>();
byte[] paEncTimestamp = null; byte[] paEncTimestamp = null;
...@@ -2100,7 +2099,6 @@ public class KDC { ...@@ -2100,7 +2099,6 @@ public class KDC {
} }
// Calling private methods thru reflections // Calling private methods thru reflections
private static final Field getPADataField;
private static final Field getEType; private static final Field getEType;
private static final Constructor<EncryptedData> ctorEncryptedData; private static final Constructor<EncryptedData> ctorEncryptedData;
private static final Method stringToKey; private static final Method stringToKey;
...@@ -2110,8 +2108,6 @@ public class KDC { ...@@ -2110,8 +2108,6 @@ public class KDC {
try { try {
ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class); ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class);
ctorEncryptedData.setAccessible(true); ctorEncryptedData.setAccessible(true);
getPADataField = KDCReq.class.getDeclaredField("pAData");
getPADataField.setAccessible(true);
getEType = KDCReqBody.class.getDeclaredField("eType"); getEType = KDCReqBody.class.getDeclaredField("eType");
getEType.setAccessible(true); getEType.setAccessible(true);
stringToKey = EncryptionKey.class.getDeclaredMethod( stringToKey = EncryptionKey.class.getDeclaredMethod(
...@@ -2133,13 +2129,6 @@ public class KDC { ...@@ -2133,13 +2129,6 @@ public class KDC {
throw new AssertionError(e); throw new AssertionError(e);
} }
} }
private static PAData[] KDCReqDotPAData(KDCReq req) {
try {
return (PAData[])getPADataField.get(req);
} catch (Exception e) {
throw new AssertionError(e);
}
}
private static int[] KDCReqBodyDotEType(KDCReqBody body) { private static int[] KDCReqBodyDotEType(KDCReqBody body) {
try { try {
return (int[]) getEType.get(body); return (int[]) getEType.get(body);
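Review bot: `keyForUser` loses its `private` modifier here, but the visible part of its Javadoc gives no reason for the wider access, and the method returns a principal's key. A sentence in the Javadoc naming the intended caller would discourage widening it further, for example `Package-private so that other helpers in this package can look up a principal's key.` The method body continues outside the hunk, and the caller that needs the new access is not visible on this page.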
......