/* * Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ #import "sun_security_krb5_Credentials.h" #import /* * Based largely on klist.c, * * Created by Scott Kovatch on 8/12/04. * * See http://www.opensource.apple.com/darwinsource/10.3.3/Kerberos-47/KerberosClients/klist/Sources/klist.c */ /* * Statics for this module */ static jclass derValueClass = NULL; static jclass ticketClass = NULL; static jclass principalNameClass = NULL; static jclass encryptionKeyClass = NULL; static jclass ticketFlagsClass = NULL; static jclass kerberosTimeClass = NULL; static jclass javaLangStringClass = NULL; static jclass javaLangIntegerClass = NULL; static jclass hostAddressClass = NULL; static jclass hostAddressesClass = NULL; static jmethodID derValueConstructor = 0; static jmethodID ticketConstructor = 0; static jmethodID principalNameConstructor = 0; static jmethodID encryptionKeyConstructor = 0; static jmethodID ticketFlagsConstructor = 0; static jmethodID kerberosTimeConstructor = 0; static jmethodID krbcredsConstructor = 0; static jmethodID integerConstructor = 0; static jmethodID hostAddressConstructor = 0; static jmethodID hostAddressesConstructor = 0; /* * Function prototypes for internal routines */ static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket); static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName); static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey); static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags); static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime); static jobject BuildAddressList(JNIEnv *env, krb5_address **kerbtime); static void printiferr (errcode_t err, const char *format, ...); static jclass FindClass(JNIEnv *env, char *className) { jclass cls = (*env)->FindClass(env, className); if (cls == NULL) { printf("Couldn't find %s\n", className); return NULL; } #ifdef DEBUG printf("Found %s\n", className); #endif /* DEBUG */ jobject returnValue = (*env)->NewWeakGlobalRef(env,cls); return returnValue; } /* * Class: sun_security_krb5_KrbCreds * Method: JNI_OnLoad */ JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *jvm, void *reserved) { JNIEnv *env; if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_4)) { return JNI_EVERSION; /* JNI version not supported */ } ticketClass = FindClass(env, "sun/security/krb5/internal/Ticket"); if (ticketClass == NULL) return JNI_ERR; principalNameClass = FindClass(env, "sun/security/krb5/PrincipalName"); if (principalNameClass == NULL) return JNI_ERR; derValueClass = FindClass(env, "sun/security/util/DerValue"); if (derValueClass == NULL) return JNI_ERR; encryptionKeyClass = FindClass(env, "sun/security/krb5/EncryptionKey"); if (encryptionKeyClass == NULL) return JNI_ERR; ticketFlagsClass = FindClass(env,"sun/security/krb5/internal/TicketFlags"); if (ticketFlagsClass == NULL) return JNI_ERR; kerberosTimeClass = FindClass(env,"sun/security/krb5/internal/KerberosTime"); if (kerberosTimeClass == NULL) return JNI_ERR; javaLangStringClass = FindClass(env,"java/lang/String"); if (javaLangStringClass == NULL) return JNI_ERR; javaLangIntegerClass = FindClass(env,"java/lang/Integer"); if (javaLangIntegerClass == NULL) return JNI_ERR; hostAddressClass = FindClass(env,"sun/security/krb5/internal/HostAddress"); if (hostAddressClass == NULL) return JNI_ERR; hostAddressesClass = FindClass(env,"sun/security/krb5/internal/HostAddresses"); if (hostAddressesClass == NULL) return JNI_ERR; derValueConstructor = (*env)->GetMethodID(env, derValueClass, "", "([B)V"); if (derValueConstructor == 0) { printf("Couldn't find DerValue constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found DerValue constructor\n"); #endif /* DEBUG */ ticketConstructor = (*env)->GetMethodID(env, ticketClass, "", "(Lsun/security/util/DerValue;)V"); if (ticketConstructor == 0) { printf("Couldn't find Ticket constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found Ticket constructor\n"); #endif /* DEBUG */ principalNameConstructor = (*env)->GetMethodID(env, principalNameClass, "", "(Ljava/lang/String;I)V"); if (principalNameConstructor == 0) { printf("Couldn't find PrincipalName constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found PrincipalName constructor\n"); #endif /* DEBUG */ encryptionKeyConstructor = (*env)->GetMethodID(env, encryptionKeyClass, "", "(I[B)V"); if (encryptionKeyConstructor == 0) { printf("Couldn't find EncryptionKey constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found EncryptionKey constructor\n"); #endif /* DEBUG */ ticketFlagsConstructor = (*env)->GetMethodID(env, ticketFlagsClass, "", "(I[B)V"); if (ticketFlagsConstructor == 0) { printf("Couldn't find TicketFlags constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found TicketFlags constructor\n"); #endif /* DEBUG */ kerberosTimeConstructor = (*env)->GetMethodID(env, kerberosTimeClass, "", "(J)V"); if (kerberosTimeConstructor == 0) { printf("Couldn't find KerberosTime constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found KerberosTime constructor\n"); #endif /* DEBUG */ integerConstructor = (*env)->GetMethodID(env, javaLangIntegerClass, "", "(I)V"); if (integerConstructor == 0) { printf("Couldn't find Integer constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found Integer constructor\n"); #endif /* DEBUG */ hostAddressConstructor = (*env)->GetMethodID(env, hostAddressClass, "", "(I[B)V"); if (hostAddressConstructor == 0) { printf("Couldn't find HostAddress constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found HostAddress constructor\n"); #endif /* DEBUG */ hostAddressesConstructor = (*env)->GetMethodID(env, hostAddressesClass, "", "([Lsun/security/krb5/internal/HostAddress;)V"); if (hostAddressesConstructor == 0) { printf("Couldn't find HostAddresses constructor\n"); return JNI_ERR; } #ifdef DEBUG printf("Found HostAddresses constructor\n"); #endif /* DEBUG */ #ifdef DEBUG printf("Finished OnLoad processing\n"); #endif /* DEBUG */ return JNI_VERSION_1_2; } /* * Class: sun_security_jgss_KrbCreds * Method: JNI_OnUnload */ JNIEXPORT void JNICALL JNI_OnUnload(JavaVM *jvm, void *reserved) { JNIEnv *env; if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) { return; /* Nothing else we can do */ } if (ticketClass != NULL) { (*env)->DeleteWeakGlobalRef(env,ticketClass); } if (derValueClass != NULL) { (*env)->DeleteWeakGlobalRef(env,derValueClass); } if (principalNameClass != NULL) { (*env)->DeleteWeakGlobalRef(env,principalNameClass); } if (encryptionKeyClass != NULL) { (*env)->DeleteWeakGlobalRef(env,encryptionKeyClass); } if (ticketFlagsClass != NULL) { (*env)->DeleteWeakGlobalRef(env,ticketFlagsClass); } if (kerberosTimeClass != NULL) { (*env)->DeleteWeakGlobalRef(env,kerberosTimeClass); } if (javaLangStringClass != NULL) { (*env)->DeleteWeakGlobalRef(env,javaLangStringClass); } if (javaLangIntegerClass != NULL) { (*env)->DeleteWeakGlobalRef(env,javaLangIntegerClass); } if (hostAddressClass != NULL) { (*env)->DeleteWeakGlobalRef(env,hostAddressClass); } if (hostAddressesClass != NULL) { (*env)->DeleteWeakGlobalRef(env,hostAddressesClass); } } int isIn(krb5_enctype e, int n, jint* etypes) { int i; for (i=0; iGetArrayLength(env, jetypes); etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL); if (etypes != NULL && !err) { while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) { char *serverName = NULL; if (!err) { err = krb5_unparse_name (kcontext, creds.server, &serverName); printiferr (err, "while unparsing server name"); } if (!err) { char* slash = strchr(serverName, '/'); char* at = strchr(serverName, '@'); // Make sure the server's name is krbtgt/REALM@REALM, the etype // is supported, and the ticket has not expired if (slash && at && strncmp (serverName, "krbtgt", slash-serverName) == 0 && // the ablove line shows at must be after slash strncmp (slash+1, at+1, at-slash-1) == 0 && isIn (creds.keyblock.enctype, netypes, etypes) && creds.times.endtime > time(0)) { jobject ticket, clientPrincipal, targetPrincipal, encryptionKey; jobject ticketFlags, startTime, endTime; jobject authTime, renewTillTime, hostAddresses; ticket = clientPrincipal = targetPrincipal = encryptionKey = NULL; ticketFlags = startTime = endTime = NULL; authTime = renewTillTime = hostAddresses = NULL; // For the default credentials we're only interested in the krbtgt server. clientPrincipal = BuildClientPrincipal(env, kcontext, creds.client); if (clientPrincipal == NULL) goto cleanup; targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server); if (targetPrincipal == NULL) goto cleanup; // Build a sun/security/krb5/internal/Ticket ticket = BuildTicket(env, &creds.ticket); if (ticket == NULL) goto cleanup; // Get the encryption key encryptionKey = BuildEncryptionKey(env, &creds.keyblock); if (encryptionKey == NULL) goto cleanup; // and the ticket flags ticketFlags = BuildTicketFlags(env, creds.ticket_flags); if (ticketFlags == NULL) goto cleanup; // Get the timestamps out. startTime = BuildKerberosTime(env, creds.times.starttime); if (startTime == NULL) goto cleanup; authTime = BuildKerberosTime(env, creds.times.authtime); if (authTime == NULL) goto cleanup; endTime = BuildKerberosTime(env, creds.times.endtime); if (endTime == NULL) goto cleanup; renewTillTime = BuildKerberosTime(env, creds.times.renew_till); if (renewTillTime == NULL) goto cleanup; // Create the addresses object. hostAddresses = BuildAddressList(env, creds.addresses); if (krbcredsConstructor == 0) { krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "", "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V"); if (krbcredsConstructor == 0) { printf("Couldn't find sun.security.krb5.internal.Ticket constructor\n"); break; } } // and now go build a KrbCreds object krbCreds = (*env)->NewObject( env, krbcredsClass, krbcredsConstructor, ticket, clientPrincipal, NULL, targetPrincipal, NULL, encryptionKey, ticketFlags, authTime, startTime, endTime, renewTillTime, hostAddresses); cleanup: if (ticket) (*env)->DeleteLocalRef(env, ticket); if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal); if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal); if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey); if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags); if (authTime) (*env)->DeleteLocalRef(env, authTime); if (startTime) (*env)->DeleteLocalRef(env, startTime); if (endTime) (*env)->DeleteLocalRef(env, endTime); if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime); if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses); // Stop if there is an exception or we already found the initial TGT if ((*env)->ExceptionCheck(env) || krbCreds) { break; } } } if (serverName != NULL) { krb5_free_unparsed_name (kcontext, serverName); } krb5_free_cred_contents (kcontext, &creds); } if (err == KRB5_CC_END) { err = 0; } printiferr (err, "while retrieving a ticket"); } if (!err) { err = krb5_cc_end_seq_get (kcontext, ccache, &cursor); printiferr (err, "while finishing ticket retrieval"); } outer_cleanup: if (!err) { flags = KRB5_TC_OPENCLOSE; /* restore OPENCLOSE mode */ err = krb5_cc_set_flags (kcontext, ccache, flags); printiferr (err, "while finishing ticket retrieval"); } if (etypes != NULL) { (*env)->ReleaseIntArrayElements(env, jetypes, etypes, 0); } krb5_free_context (kcontext); return krbCreds; } #pragma mark - jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket) { /* To build a Ticket, we first need to build a DerValue out of the EncodedTicket. * But before we can do that, we need to make a byte array out of the ET. */ jobject derValue, ticket; jbyteArray ary; ary = (*env)->NewByteArray(env, encodedTicket->length); if ((*env)->ExceptionCheck(env)) { return (jobject) NULL; } (*env)->SetByteArrayRegion(env, ary, (jsize) 0, encodedTicket->length, (jbyte *)encodedTicket->data); if ((*env)->ExceptionCheck(env)) { (*env)->DeleteLocalRef(env, ary); return (jobject) NULL; } derValue = (*env)->NewObject(env, derValueClass, derValueConstructor, ary); if ((*env)->ExceptionCheck(env)) { (*env)->DeleteLocalRef(env, ary); return (jobject) NULL; } (*env)->DeleteLocalRef(env, ary); ticket = (*env)->NewObject(env, ticketClass, ticketConstructor, derValue); if ((*env)->ExceptionCheck(env)) { (*env)->DeleteLocalRef(env, derValue); return (jobject) NULL; } (*env)->DeleteLocalRef(env, derValue); return ticket; } jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName) { // Get the full principal string. char *principalString = NULL; jobject principal = NULL; int err = krb5_unparse_name (kcontext, principalName, &principalString); if (!err) { // Make a PrincipalName from the full string and the type. Let the PrincipalName class parse it out. jstring principalStringObj = (*env)->NewStringUTF(env, principalString); if (principalStringObj == NULL) { if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); } return (jobject) NULL; } principal = (*env)->NewObject(env, principalNameClass, principalNameConstructor, principalStringObj, principalName->type); if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); } (*env)->DeleteLocalRef(env, principalStringObj); } return principal; } jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey) { // First, need to build a byte array jbyteArray ary; jobject encryptionKey = NULL; ary = (*env)->NewByteArray(env,cryptoKey->length); if (ary == NULL) { return (jobject) NULL; } (*env)->SetByteArrayRegion(env, ary, (jsize) 0, cryptoKey->length, (jbyte *)cryptoKey->contents); if (!(*env)->ExceptionCheck(env)) { encryptionKey = (*env)->NewObject(env, encryptionKeyClass, encryptionKeyConstructor, cryptoKey->enctype, ary); } (*env)->DeleteLocalRef(env, ary); return encryptionKey; } jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags) { jobject ticketFlags = NULL; jbyteArray ary; /* * Convert the bytes to network byte order before copying * them to a Java byte array. */ unsigned long nlflags = htonl(flags); ary = (*env)->NewByteArray(env, sizeof(flags)); if (ary == NULL) { return (jobject) NULL; } (*env)->SetByteArrayRegion(env, ary, (jsize) 0, sizeof(flags), (jbyte *)&nlflags); if (!(*env)->ExceptionCheck(env)) { ticketFlags = (*env)->NewObject(env, ticketFlagsClass, ticketFlagsConstructor, sizeof(flags)*8, ary); } (*env)->DeleteLocalRef(env, ary); return ticketFlags; } jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime) { jlong time = kerbtime; // Kerberos time is in seconds, but the KerberosTime class assumes milliseconds, so multiply by 1000. time *= 1000; return (*env)->NewObject(env, kerberosTimeClass, kerberosTimeConstructor, time); } jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) { if (addresses == NULL) { return NULL; } int addressCount = 0; // See how many we have. krb5_address **p = addresses; while (*p != 0) { addressCount++; p++; } jobject address_list = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL); if (address_list == NULL) { return (jobject) NULL; } // Create a new HostAddress object for each address block. // First, reset the iterator. p = addresses; jsize index = 0; while (*p != 0) { krb5_address *currAddress = *p; // HostAddres needs a byte array of the host data. jbyteArray ary = (*env)->NewByteArray(env, currAddress->length); if (ary == NULL) return NULL; (*env)->SetByteArrayRegion(env, ary, (jsize) 0, currAddress->length, (jbyte *)currAddress->contents); jobject address = (*env)->NewObject(env, hostAddressClass, hostAddressConstructor, currAddress->length, ary); (*env)->DeleteLocalRef(env, ary); if (address == NULL) { return (jobject) NULL; } // Add the HostAddress to the arrray. (*env)->SetObjectArrayElement(env, address_list, index, address); if ((*env)->ExceptionCheck(env)) { return (jobject) NULL; } index++; p++; } return address_list; } #pragma mark - Utility methods - static void printiferr (errcode_t err, const char *format, ...) { if (err) { va_list pvar; va_start (pvar, format); com_err_va ("ticketParser:", err, format, pvar); va_end (pvar); } }