DIRKRB-520 - Fix FindBugs issues
diff --git a/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java b/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
index 0436e66..2a56d2a 100644
--- a/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
+++ b/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kdc.identitybackend;
 
@@ -303,7 +303,7 @@
         return name;
     }
 
-    class MyWatcher implements Watcher {
+    private static class MyWatcher implements Watcher {
 
         /**
          * This will watch all the kdb update event so that it's timely synced.
diff --git a/kerby-common/kerby-util/src/main/java/org/apache/kerby/KOptions.java b/kerby-common/kerby-util/src/main/java/org/apache/kerby/KOptions.java
index ce27e37..d564f43 100644
--- a/kerby-common/kerby-util/src/main/java/org/apache/kerby/KOptions.java
+++ b/kerby-common/kerby-util/src/main/java/org/apache/kerby/KOptions.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby;
 
@@ -98,19 +98,19 @@
     if (matcherColon.matches()) {
       String[] durations = strValue.split(":");
       if (durations.length == 1) {
-          duration = Integer.valueOf(durations[0]);
+          duration = Integer.parseInt(durations[0]);
       } else if (durations.length == 2) {
-          duration = Integer.valueOf(durations[0]) * 3600 + Integer.valueOf(durations[1]) * 60;
+          duration = Integer.parseInt(durations[0]) * 3600 + Integer.parseInt(durations[1]) * 60;
       } else {
-          duration = Integer.valueOf(durations[0]) * 3600 + Integer.valueOf(durations[1]) * 60;
-          duration += Integer.valueOf(durations[2]);
+          duration = Integer.parseInt(durations[0]) * 3600 + Integer.parseInt(durations[1]) * 60;
+          duration += Integer.parseInt(durations[2]);
       }
     } else if (matcherWord.matches()) {
         int[] durations = new int[4];
         for (int i = 0; i < 4; i++) {
           String durationMatch = matcherWord.group(i + 1);
           if (durationMatch != null) {
-            durations[i] = Integer.valueOf(durationMatch);
+            durations[i] = Integer.parseInt(durationMatch);
           }
         }
         duration = durations[0] * 86400 + durations[1] * 3600 + durations[2] * 60 + durations[3];
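Review bot: The products on the new lines, such as `Integer.parseInt(durations[0]) * 3600`, are evaluated in int arithmetic, so a large hours field wraps silently to a negative or short value instead of being rejected; `durations[0] * 86400` in the word-form branch has the same problem. For a value that presumably ends up as a lifetime or timeout, a wrapped duration is worse than a parse error. Overflow-checked arithmetic would surface it, for example `duration = Math.addExact(Math.multiplyExact(Integer.parseInt(durations[0]), 3600), Math.multiplyExact(Integer.parseInt(durations[1]), 60));` (Java 8+). The enclosing method starts and ends outside the hunk, so the declared type of `duration` and any handling of `NumberFormatException` are not visible here.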
diff --git a/kerby-common/kerby-util/src/main/java/org/apache/kerby/util/Util.java b/kerby-common/kerby-util/src/main/java/org/apache/kerby/util/Util.java
index f633f22..2d55e21 100644
--- a/kerby-common/kerby-util/src/main/java/org/apache/kerby/util/Util.java
+++ b/kerby-common/kerby-util/src/main/java/org/apache/kerby/util/Util.java
@@ -39,6 +39,7 @@
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -408,7 +409,7 @@
         System.out.println("--------- test 2 ----------");
 
         s = "line1\n\rline2\n\rline3\n\r\n\r";
-        in = new ByteArrayInputStream(s.getBytes());
+        in = new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
         readLine = new ByteArrayReadLine(in);
         line = readLine.next();
         while (line != null) {
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
index 472fecd..b8b4c4e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.java
@@ -317,6 +317,7 @@
             krbClient.init();
         } catch (KrbException | IOException e) {
             LOG.error("KrbClient init failed. " + e.toString());
+            throw new RuntimeException("KrbClient init failed", e);
         }
 
         KrbTokenClient tokenClient = new KrbTokenClient(krbClient);
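Review bot: Throwing a bare `RuntimeException` from a JAAS login module sends an initialisation failure past any caller that handles only `LoginException`. If the enclosing method declares `LoginException` (its signature is outside the hunk), prefer `LoginException le = new LoginException("KrbClient init failed"); le.initCause(e); throw le;`. The log call just above flattens the exception with `e.toString()` and loses the stack trace; `LOG.error("KrbClient init failed", e)` keeps it.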
@@ -336,9 +337,7 @@
                 LOG.error("Failed to make tgtCache. " + e.toString());
             }
             try {
-                if (krbClient != null) {
-                    krbClient.storeTicket(tgtTicket, cCache);
-                }
+                krbClient.storeTicket(tgtTicket, cCache);
             } catch (KrbException e) {
                 LOG.error("Failed to store tgtTicket to " + cCache.getName());
             }
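Review bot: With the `krbClient` guard gone, the remaining null risk in this block is `cCache`. The preceding catch only logs "Failed to make tgtCache" and falls through, so if the cache was never created, both `storeTicket(tgtTicket, cCache)` and `cCache.getName()` in the handler would dereference null (the assignment of `cCache` is outside the hunk, so this is inferred). Both failures are also swallowed, which lets the login continue without a stored TGT. Consider returning or rethrowing from the first catch, and pass the exception to the logger: `LOG.error("Failed to store tgtTicket to " + cCache.getName(), e);`.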
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
index 43792db..30b0a1b 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
@@ -28,7 +28,28 @@
  */
 public class PkinitContext {
 
-    public PkinitPlgCryptoContext cryptoctx = new PkinitPlgCryptoContext();
-    public PluginOpts pluginOpts = new PluginOpts();
-    public IdentityOpts identityOpts = new IdentityOpts();
+    private PkinitPlgCryptoContext cryptoctx = new PkinitPlgCryptoContext();
+    private PluginOpts pluginOpts = new PluginOpts();
+    private IdentityOpts identityOpts = new IdentityOpts();
+
+    public PkinitPlgCryptoContext getCryptoctx() {
+        return cryptoctx;
+    }
+    public void setCryptoctx(PkinitPlgCryptoContext cryptoctx) {
+        this.cryptoctx = cryptoctx;
+    }
+    public PluginOpts getPluginOpts() {
+        return pluginOpts;
+    }
+    public void setPluginOpts(PluginOpts pluginOpts) {
+        this.pluginOpts = pluginOpts;
+    }
+    public IdentityOpts getIdentityOpts() {
+        return identityOpts;
+    }
+    public void setIdentityOpts(IdentityOpts identityOpts) {
+        this.identityOpts = identityOpts;
+    }
+
+
 }
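Review bot: The new setters accept null, while callers such as `pkinitContext.getPluginOpts().isUsingRsa()` dereference the getter result unconditionally, so one `setPluginOpts(null)` becomes an NPE far from its cause. Since all three fields are initialised at declaration, either declare them `final` and drop the setters, or guard each assignment, e.g. `this.pluginOpts = Objects.requireNonNull(pluginOpts, "pluginOpts");` (needs `java.util.Objects`). The accessors have no Javadoc and no blank lines between them, and the hunk leaves two empty lines before the closing brace. The same null concern applies to the object setters added in IdentityOpts and PkinitRequestContext.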
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index f16d51d..54c0b8a 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -14,7 +14,7 @@
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
+ *  under the License.
  *
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
@@ -43,7 +43,7 @@
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
-import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdenity;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdentity;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
 import org.apache.kerby.kerberos.kerb.type.KerberosTime;
@@ -105,7 +105,7 @@
     public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
         PkinitRequestContext reqCtx = new PkinitRequestContext();
 
-        reqCtx.updateRequestOpts(pkinitContext.pluginOpts);
+        reqCtx.updateRequestOpts(pkinitContext.getPluginOpts());
 
         return reqCtx;
     }
@@ -118,8 +118,7 @@
                                   PluginRequestContext requestContext,
                                   KOptions options) {
         if (options.contains(PkinitOption.X509_IDENTITY)) {
-            pkinitContext.identityOpts.identity =
-                    options.getStringOption(PkinitOption.X509_IDENTITY);
+            pkinitContext.getIdentityOpts().setIdentity(options.getStringOption(PkinitOption.X509_IDENTITY));
         }
 
         if (options.contains(PkinitOption.X509_ANCHORS)) {
@@ -131,12 +130,11 @@
             } else {
                 anchors = Arrays.asList(anchorsString);
             }
-            pkinitContext.identityOpts.anchors.addAll(anchors);
+            pkinitContext.getIdentityOpts().getAnchors().addAll(anchors);
         }
 
         if (options.contains(PkinitOption.USING_RSA)) {
-            pkinitContext.pluginOpts.usingRsa =
-                    options.getBooleanOption(PkinitOption.USING_RSA, true);
+            pkinitContext.getPluginOpts().setUsingRsa(options.getBooleanOption(PkinitOption.USING_RSA, true));
         }
     }
 
@@ -149,9 +147,9 @@
 
         PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
 
-        if (!reqCtx.identityInitialized) {
-            PkinitIdenity.initialize(reqCtx.identityOpts, kdcRequest.getClientPrincipal());
-            reqCtx.identityInitialized = true;
+        if (!reqCtx.isIdentityInitialized()) {
+            PkinitIdentity.initialize(reqCtx.getIdentityOpts(), kdcRequest.getClientPrincipal());
+            reqCtx.setIdentityInitialized(true);
         }
 
         // Might have questions asking for password to access the private key
@@ -237,22 +235,20 @@
     private PaPkAsReq makePaPkAsReq(KdcRequest kdcRequest,
                                     PkinitRequestContext reqCtx,
                                     int cusec, KerberosTime ctime, int nonce, CheckSum checkSum) throws KrbException {
-        KdcRequest kdc = kdcRequest;
-
         LOG.info("Making the PK_AS_REQ.");
         PaPkAsReq paPkAsReq = new PaPkAsReq();
         AuthPack authPack = new AuthPack();
         PkAuthenticator pkAuthen = new PkAuthenticator();
 
-        boolean usingRsa = pkinitContext.pluginOpts.usingRsa;
-        reqCtx.paType = PaDataType.PK_AS_REQ;
+        boolean usingRsa = pkinitContext.getPluginOpts().isUsingRsa();
+        reqCtx.setPaType(PaDataType.PK_AS_REQ);
 
         pkAuthen.setCusec(cusec);
         pkAuthen.setCtime(ctime);
         pkAuthen.setNonce(nonce);
         pkAuthen.setPaChecksum(checkSum.getChecksum());
         authPack.setPkAuthenticator(pkAuthen);
-        authPack.setsupportedCmsTypes(pkinitContext.pluginOpts.createSupportedCMSTypes());
+        authPack.setsupportedCmsTypes(pkinitContext.getPluginOpts().createSupportedCMSTypes());
 
         if (!usingRsa) {
             // DH case
@@ -305,7 +301,7 @@
             // authPack.setClientPublicValue(null);
         }
 
-        TrustedCertifiers trustedCertifiers = pkinitContext.pluginOpts.createTrustedCertifiers();
+        TrustedCertifiers trustedCertifiers = pkinitContext.getPluginOpts().createTrustedCertifiers();
         paPkAsReq.setTrustedCertifiers(trustedCertifiers);
 
         // byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
@@ -358,7 +354,7 @@
 
             X509Certificate x509Certificate = null;
             try {
-                List<java.security.cert.Certificate> certs = 
+                List<java.security.cert.Certificate> certs =
                     CertificateHelper.loadCerts(anchorFileName);
                 if (certs != null && !certs.isEmpty()) {
                     x509Certificate = (X509Certificate) certs.iterator().next();
@@ -366,12 +362,12 @@
             } catch (KrbException e) {
                 LOG.error("Fail to load certs from archor file. " + e);
             }
-            
+
             if (x509Certificate == null) {
                 LOG.error("Failed to load PKINIT anchor");
                 throw new KrbException("Failed to load PKINIT anchor");
             }
-            
+
             CertificateSet certificateSet = signedData.getCertificates();
             if (certificateSet == null || certificateSet.getElements().isEmpty()) {
                 throw new KrbException("No PKINIT Certs");
@@ -381,7 +377,7 @@
             for (CertificateChoices certificateChoices : certificateChoicesList) {
                 certificates.add(certificateChoices.getCertificate());
             }
-            
+
             try {
                 PkinitCrypto.validateChain(certificates, x509Certificate);
             } catch (Exception e) {
@@ -448,7 +444,7 @@
                             PaData outPadata) {
 
         PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
-        if (reqCtx.paType != preauthType && errPadata == null) {
+        if (reqCtx.getPaType() != preauthType && errPadata == null) {
             return false;
         }
 
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
index 4fd72b8..78a0772 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
 
@@ -27,21 +27,18 @@
 
 public class PkinitRequestContext implements PluginRequestContext {
 
-    public PkinitRequestOpts requestOpts = new PkinitRequestOpts();
-    public IdentityOpts identityOpts = new IdentityOpts();
-    public boolean doIdentityMatching;
-    public PaDataType paType;
-    public boolean rfc6112Kdc;
-    public boolean identityInitialized;
-    public boolean identityPrompted;
+    private PkinitRequestOpts requestOpts = new PkinitRequestOpts();
+    private IdentityOpts identityOpts = new IdentityOpts();
+    private PaDataType paType;
+    private boolean identityInitialized;
     private DiffieHellmanClient dhClient;
-    
+
     public void updateRequestOpts(PluginOpts pluginOpts) {
-        requestOpts.requireEku = pluginOpts.requireEku;
-        requestOpts.acceptSecondaryEku = pluginOpts.acceptSecondaryEku;
-        requestOpts.allowUpn = pluginOpts.allowUpn;
-        requestOpts.usingRsa = pluginOpts.usingRsa;
-        requestOpts.requireCrlChecking = pluginOpts.requireCrlChecking;
+        requestOpts.setRequireEku(pluginOpts.isRequireEku());
+        requestOpts.setAcceptSecondaryEku(pluginOpts.isAcceptSecondaryEku());
+        requestOpts.setAllowUpn(pluginOpts.isAllowUpn());
+        requestOpts.setUsingRsa(pluginOpts.isUsingRsa());
+        requestOpts.setRequireCrlChecking(pluginOpts.isRequireCrlChecking());
     }
 
     public void setDhClient(DiffieHellmanClient client) {
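Review bot: `requestOpts` becomes private here, but neither this hunk nor the next one adds a `getRequestOpts()`, so the values that `updateRequestOpts` copies (`requireEku`, `requireCrlChecking`, `allowUpn` and the rest) appear to be unreadable by the code that would enforce them. If certificate checks are meant to honour the per-request options, add `public PkinitRequestOpts getRequestOpts() { return requestOpts; }`; if not, the field and the copy can be removed. The hunk also drops `doIdentityMatching`, `rfc6112Kdc` and `identityPrompted` without a replacement, which deserves a line in the commit message in case other modules referenced them. `setDhClient` continues past the end of this hunk.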
@@ -51,4 +48,28 @@
     public DiffieHellmanClient getDhClient() {
         return this.dhClient;
     }
+
+    public boolean isIdentityInitialized() {
+        return identityInitialized;
+    }
+
+    public void setIdentityInitialized(boolean identityInitialized) {
+        this.identityInitialized = identityInitialized;
+    }
+
+    public IdentityOpts getIdentityOpts() {
+        return identityOpts;
+    }
+
+    public void setIdentityOpts(IdentityOpts identityOpts) {
+        this.identityOpts = identityOpts;
+    }
+
+    public PaDataType getPaType() {
+        return paType;
+    }
+
+    public void setPaType(PaDataType paType) {
+        this.paType = paType;
+    }
 }
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
index 9796f78..2592d2b 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
 
@@ -24,17 +24,73 @@
     // From MIT Krb5 _pkinit_plg_opts
 
     // require EKU checking (default is true)
-    public boolean requireEku = true;
+    private boolean requireEku = true;
     // accept secondary EKU (default is false)
-    public boolean acceptSecondaryEku = false;
+    private boolean acceptSecondaryEku = false;
     // allow UPN-SAN instead of pkinit-SAN
-    public boolean allowUpn = true;
+    private boolean allowUpn = true;
     // selects DH or RSA based pkinit
-    public boolean usingRsa = false;
+    private boolean usingRsa = false;
     // require CRL for a CA (default is false)
-    public boolean requireCrlChecking = false;
+    private boolean requireCrlChecking = false;
     // initial request DH modulus size (default=1024)
-    public int dhSize = 1024;
+    private int dhSize = 1024;
 
-    public boolean requireHostnameMatch = true;
+    private boolean requireHostnameMatch = true;
+
+    public boolean isRequireEku() {
+        return requireEku;
+    }
+
+    public void setRequireEku(boolean requireEku) {
+        this.requireEku = requireEku;
+    }
+
+    public boolean isAcceptSecondaryEku() {
+        return acceptSecondaryEku;
+    }
+
+    public void setAcceptSecondaryEku(boolean acceptSecondaryEku) {
+        this.acceptSecondaryEku = acceptSecondaryEku;
+    }
+
+    public boolean isAllowUpn() {
+        return allowUpn;
+    }
+
+    public void setAllowUpn(boolean allowUpn) {
+        this.allowUpn = allowUpn;
+    }
+
+    public boolean isUsingRsa() {
+        return usingRsa;
+    }
+
+    public void setUsingRsa(boolean usingRsa) {
+        this.usingRsa = usingRsa;
+    }
+
+    public boolean isRequireCrlChecking() {
+        return requireCrlChecking;
+    }
+
+    public void setRequireCrlChecking(boolean requireCrlChecking) {
+        this.requireCrlChecking = requireCrlChecking;
+    }
+
+    public int getDhSize() {
+        return dhSize;
+    }
+
+    public void setDhSize(int dhSize) {
+        this.dhSize = dhSize;
+    }
+
+    public boolean isRequireHostnameMatch() {
+        return requireHostnameMatch;
+    }
+
+    public void setRequireHostnameMatch(boolean requireHostnameMatch) {
+        this.requireHostnameMatch = requireHostnameMatch;
+    }
 }
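Review bot: `setDhSize` stores any int, including zero and negative values, and the default stays at 1024 bits, which is below the 2048-bit minimum that current guidance gives for finite-field Diffie-Hellman. Because this value selects the size of the client's DH modulus, the setter is the natural place for a floor, e.g. `if (dhSize < MIN_DH_SIZE) { throw new IllegalArgumentException("dhSize too small: " + dhSize); }`, where `MIN_DH_SIZE` is a placeholder name for a constant the project would define. Raising the default itself is a compatibility decision and may belong in a separate change. The class declaration is above the hunk.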
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
index 637ec59..65b09cd 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.token;
 
@@ -23,6 +23,19 @@
 
 public class TokenContext {
 
-    public boolean usingIdToken = true;
-    public AuthToken token = null;
+    private boolean usingIdToken = true;
+    private AuthToken token = null;
+
+    public boolean isUsingIdToken() {
+        return usingIdToken;
+    }
+    public void setUsingIdToken(boolean usingIdToken) {
+        this.usingIdToken = usingIdToken;
+    }
+    public AuthToken getToken() {
+        return token;
+    }
+    public void setToken(AuthToken token) {
+        this.token = token;
+    }
 }
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
index 20bac36..ebd547d 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -99,16 +99,14 @@
                                   PluginRequestContext requestContext,
                                   KOptions options) {
 
-        tokenContext.usingIdToken = options.getBooleanOption(TokenOption.USE_TOKEN, false);
-        if (tokenContext.usingIdToken) {
+        tokenContext.setUsingIdToken(options.getBooleanOption(TokenOption.USE_TOKEN, false));
+        if (tokenContext.isUsingIdToken()) {
             if (options.contains(TokenOption.USER_ID_TOKEN)) {
-                tokenContext.token =
-                        (AuthToken) options.getOptionValue(TokenOption.USER_ID_TOKEN);
+                tokenContext.setToken((AuthToken) options.getOptionValue(TokenOption.USER_ID_TOKEN));
             }
         } else {
             if (options.contains(TokenOption.USER_AC_TOKEN)) {
-                tokenContext.token =
-                        (AuthToken) options.getOptionValue(TokenOption.USER_AC_TOKEN);
+                tokenContext.setToken((AuthToken) options.getOptionValue(TokenOption.USER_AC_TOKEN));
             }
         }
 
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
index c9b20bd..7a3cfa4 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.token;
 
@@ -24,9 +24,34 @@
 
 public class TokenRequestContext implements PluginRequestContext {
 
-    public boolean doIdentityMatching;
-    public PaDataType paType;
-    public boolean identityInitialized;
-    public boolean identityPrompted;
-    
+    private boolean doIdentityMatching;
+    private PaDataType paType;
+    private boolean identityInitialized;
+    private boolean identityPrompted;
+
+    public boolean isDoIdentityMatching() {
+        return doIdentityMatching;
+    }
+    public void setDoIdentityMatching(boolean doIdentityMatching) {
+        this.doIdentityMatching = doIdentityMatching;
+    }
+    public PaDataType getPaType() {
+        return paType;
+    }
+    public void setPaType(PaDataType paType) {
+        this.paType = paType;
+    }
+    public boolean isIdentityInitialized() {
+        return identityInitialized;
+    }
+    public void setIdentityInitialized(boolean identityInitialized) {
+        this.identityInitialized = identityInitialized;
+    }
+    public boolean isIdentityPrompted() {
+        return identityPrompted;
+    }
+    public void setIdentityPrompted(boolean identityPrompted) {
+        this.identityPrompted = identityPrompted;
+    }
+
 }
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/IdentityOpts.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/IdentityOpts.java
index a4c573e..ff900b4 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/IdentityOpts.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/IdentityOpts.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
 
@@ -27,20 +27,105 @@
  */
 public class IdentityOpts {
 
-    public String identity;
-    public List<String> altIdentities = new ArrayList<String>(1);
-    public List<String> anchors = new ArrayList<String>(4);
-    public List<String> intermediates = new ArrayList<String>(2);
-    public List<String> crls = new ArrayList<String>(2);
-    public String ocsp;
-    public IdentityType idType;
-    public String certFile;
-    public String keyFile;
+    private String identity;
+    private List<String> altIdentities = new ArrayList<String>(1);
+    private List<String> anchors = new ArrayList<String>(4);
+    private List<String> intermediates = new ArrayList<String>(2);
+    private List<String> crls = new ArrayList<String>(2);
+    private String ocsp;
+    private IdentityType idType;
+    private String certFile;
+    private String keyFile;
 
     // PKCS11
-    public String p11ModuleName;
-    public int slotid;
-    public String tokenLabel;
-    public String certId;
-    public String certLabel;
+    private String p11ModuleName;
+    private int slotid;
+    private String tokenLabel;
+    private String certId;
+    private String certLabel;
+
+    public String getIdentity() {
+        return identity;
+    }
+    public void setIdentity(String identity) {
+        this.identity = identity;
+    }
+    public List<String> getAltIdentities() {
+        return altIdentities;
+    }
+    public void setAltIdentities(List<String> altIdentities) {
+        this.altIdentities = altIdentities;
+    }
+    public List<String> getAnchors() {
+        return anchors;
+    }
+    public void setAnchors(List<String> anchors) {
+        this.anchors = anchors;
+    }
+    public List<String> getIntermediates() {
+        return intermediates;
+    }
+    public void setIntermediates(List<String> intermediates) {
+        this.intermediates = intermediates;
+    }
+    public List<String> getCrls() {
+        return crls;
+    }
+    public void setCrls(List<String> crls) {
+        this.crls = crls;
+    }
+    public String getOcsp() {
+        return ocsp;
+    }
+    public void setOcsp(String ocsp) {
+        this.ocsp = ocsp;
+    }
+    public IdentityType getIdType() {
+        return idType;
+    }
+    public void setIdType(IdentityType idType) {
+        this.idType = idType;
+    }
+    public String getCertFile() {
+        return certFile;
+    }
+    public void setCertFile(String certFile) {
+        this.certFile = certFile;
+    }
+    public String getKeyFile() {
+        return keyFile;
+    }
+    public void setKeyFile(String keyFile) {
+        this.keyFile = keyFile;
+    }
+    public String getP11ModuleName() {
+        return p11ModuleName;
+    }
+    public void setP11ModuleName(String p11ModuleName) {
+        this.p11ModuleName = p11ModuleName;
+    }
+    public int getSlotid() {
+        return slotid;
+    }
+    public void setSlotid(int slotid) {
+        this.slotid = slotid;
+    }
+    public String getTokenLabel() {
+        return tokenLabel;
+    }
+    public void setTokenLabel(String tokenLabel) {
+        this.tokenLabel = tokenLabel;
+    }
+    public String getCertId() {
+        return certId;
+    }
+    public void setCertId(String certId) {
+        this.certId = certId;
+    }
+    public String getCertLabel() {
+        return certLabel;
+    }
+    public void setCertLabel(String certLabel) {
+        this.certLabel = certLabel;
+    }
 }
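Review bot: The list setters (`setAnchors`, `setCrls`, `setIntermediates`, `setAltIdentities`) store the caller's list by reference and the getters return the internal list, so the configured trust anchors and CRL entries can still be changed from outside the object, which making the fields private was presumably meant to prevent. PkinitPreauth already relies on this through `getIdentityOpts().getAnchors().addAll(anchors)`. Copying in the setter, `this.anchors = new ArrayList<String>(anchors);`, and adding an explicit `addAnchors(Collection<String>)` would let the getter return `Collections.unmodifiableList(anchors)`. The accessors are undocumented; a short Javadoc on `anchors`, `crls` and `ocsp` stating what the strings hold would help callers.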
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
index c9f3cad..877d83f 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -122,9 +122,9 @@
                                      DhParameter dhParameter) throws KrbException {
          /* KDC SHOULD check to see if the key parameters satisfy its policy */
         int dhPrimeBits = dhParameter.getP().bitLength();
-        if (dhPrimeBits < pluginOpts.dhMinBits) {
+        if (dhPrimeBits < pluginOpts.getDhMinBits()) {
             String errMsg = "client sent dh params with " + dhPrimeBits
-                    + "bits, we require " + pluginOpts.dhMinBits;
+                    + "bits, we require " + pluginOpts.getDhMinBits();
             LOG.error(errMsg);
             throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, errMsg);
         }
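Review bot: The policy check `dhPrimeBits < pluginOpts.getDhMinBits()` looks only at the bit length of p, so client-supplied parameters with a large enough but otherwise unsuitable modulus or generator would pass it. Whether g and q are validated afterwards cannot be seen, because the function body continues outside the hunk. If they are not, a comment such as `// NOTE: only the size of p is checked here; g and q are validated in <method>` would tell the next reader where the remaining checks live. Separately, the message concatenates the number directly onto `"bits, we require "`, which logs as "1024bits"; `+ " bits, we require " + pluginOpts.getDhMinBits();` reads correctly.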
@@ -336,25 +336,25 @@
      * @throws NoSuchAlgorithmException e
      * @throws InvalidAlgorithmParameterException e
      * @throws CertPathValidatorException e
-     * @throws IOException 
+     * @throws IOException
      */
     public static void validateChain(List<Certificate> certificateList, X509Certificate anchor)
             throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
             InvalidAlgorithmParameterException, CertPathValidatorException, IOException {
 
         CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-        
+
         // Convert into a list of X509Certificates
         List<X509Certificate> certsList = new ArrayList<>(certificateList.size());
         for (Certificate cert : certificateList) {
-            X509Certificate parsedCert = 
+            X509Certificate parsedCert =
                 (X509Certificate) certificateFactory.generateCertificate(
                     new ByteArrayInputStream(cert.encode()));
             certsList.add(parsedCert);
         }
-        
+
         CertPath certPath = certificateFactory.generateCertPath(certsList);
-        
+
         CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
 
         TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitIdenity.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitIdentity.java
similarity index 91%
rename from kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitIdenity.java
rename to kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitIdentity.java
index b862820..f356f5c 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitIdenity.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitIdentity.java
@@ -6,23 +6,23 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
 
 import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
 
 @SuppressWarnings("PMD")
-public class PkinitIdenity {
+public class PkinitIdentity {
 
     public static void processIdentityOption(IdentityOpts identityOpts, String value) {
         IdentityType idType = IdentityType.NONE;
@@ -46,7 +46,7 @@
             idType = IdentityType.FILE;
         }
 
-        identityOpts.idType = idType;
+        identityOpts.setIdType(idType);
         switch (idType) {
             case ENVVAR:
                 processIdentityOption(identityOpts, System.getenv(residual));
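Review bot: In the `ENVVAR` case, `System.getenv(residual)` returns null when the variable is unset, and that null is passed straight into the recursive `processIdentityOption` call. The start of the method is outside this hunk, so it is not visible whether a null `value` is handled there. If it is not, guard the call: `String envValue = System.getenv(residual);` followed by `if (envValue != null) { processIdentityOption(identityOpts, envValue); }`. The method also sets the id type to `ENVVAR` before recursing, so a missing variable would presumably leave the options in that state with no cert or key file; logging that case would make the misconfiguration visible.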
@@ -61,7 +61,7 @@
                 parsePkcs12Option(identityOpts, residual);
                 break;
             case DIR:
-                identityOpts.certFile = residual;
+                identityOpts.setCertFile(residual);
                 break;
             default:
                 break;
@@ -77,13 +77,13 @@
             keyName = parts[1];
         }
 
-        identityOpts.certFile = certName;
-        identityOpts.keyFile = keyName;
+        identityOpts.setCertFile(certName);
+        identityOpts.setKeyFile(keyName);
     }
 
     public static void parsePkcs12Option(IdentityOpts identityOpts, String residual) {
-        identityOpts.certFile = residual;
-        identityOpts.keyFile = residual;
+        identityOpts.setCertFile(residual);
+        identityOpts.setKeyFile(residual);
     }
 
     public static void parsePkcs11Option(IdentityOpts identityOpts, String residual) {
@@ -91,7 +91,7 @@
     }
 
     public static void loadCerts(IdentityOpts identityOpts, PrincipalName principal) {
-        switch (identityOpts.idType) {
+        switch (identityOpts.getIdType()) {
             case FILE:
                 loadCertsFromFile(identityOpts, principal);
                 break;
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
index 2d92519..be5dd9c 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
@@ -22,7 +22,6 @@
 
 import javax.crypto.spec.DHParameterSpec;
 import java.math.BigInteger;
-import java.security.cert.X509Certificate;
 
 /*
  * Ref. _pkinit_plg_crypto_context in
@@ -32,13 +31,13 @@
     private static final String ID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2";
     private static final String ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3";
 
-    /* available trusted ca certs */
-    public X509Certificate trustedCAs;
-    /* available intermediate ca certs */
-    public X509Certificate intermediateCAs;
-    /* available crls */
-    public X509Certificate revoked;
-
+    /* available trusted ca certs
+    private X509Certificate trustedCAs;
+    /* available intermediate ca certs
+    private X509Certificate intermediateCAs;
+    /* available crls
+    private X509Certificate revoked;
+    */
 
     /*
      * http://www.ietf.org/rfc/rfc2409.txt
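Review bot: The three certificate fields are not made private here; they are removed by folding them into one block comment. The old `/* ... */` comments lose their terminators, so everything from `/* available trusted ca certs` to the new `*/` is a single comment. That is easy to misread as live `private` declarations, and the inner `/*` openers will trip comment-style checks. Either delete the lines outright or replace them with one plain note such as `// TODO: holders for trusted CAs, intermediate CAs and CRLs are not implemented yet`. If this context is meant to carry the trust material for PKINIT, the note should say where that material lives instead.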
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
index 458e2c4..2341506 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
 
@@ -31,18 +31,18 @@
 public class PluginOpts {
 
     // require EKU checking (default is true)
-    public boolean requireEku = true;
+    private boolean requireEku = true;
     // accept secondary EKU (default is false)
-    public boolean acceptSecondaryEku = false;
+    private boolean acceptSecondaryEku = false;
     // allow UPN-SAN instead of pkinit-SAN
-    public boolean allowUpn = true;
+    private boolean allowUpn = true;
     // selects DH or RSA based pkinit
-    public boolean usingRsa = false;
+    private boolean usingRsa = false;
     // require CRL for a CA (default is false)
-    public boolean requireCrlChecking = false;
+    private boolean requireCrlChecking = false;
     // the size of the Diffie-Hellman key the client will attempt to use.
     // The acceptable values are 1024, 2048, and 4096. The default is 1024.
-    public int dhMinBits = 1024;
+    private int dhMinBits = 1024;
 
     public AlgorithmIdentifiers createSupportedCMSTypes() throws KrbException {
         AlgorithmIdentifiers cmsAlgorithms = new AlgorithmIdentifiers();
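Review bot: The default `dhMinBits = 1024` is kept, and PkinitCrypto in this same commit uses `getDhMinBits()` as the floor the KDC enforces on client DH parameters. A 1024-bit finite-field DH group is generally considered too weak for new deployments, so an unconfigured KDC would accept it. Consider `private int dhMinBits = 2048;`. The comment above the field describes it as the size "the client will attempt to use", which does not match its use as a KDC-side minimum; something like `// minimum Diffie-Hellman prime size in bits; acceptable values are 1024, 2048 and 4096` would cover both roles. `requireCrlChecking` defaulting to false is also worth a line of comment on why revocation checking is opt-in.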
@@ -67,4 +67,52 @@
     public byte[] createIssuerAndSerial() {
         return null;
     }
+
+    public boolean isRequireEku() {
+        return requireEku;
+    }
+
+    public void setRequireEku(boolean requireEku) {
+        this.requireEku = requireEku;
+    }
+
+    public boolean isAcceptSecondaryEku() {
+        return acceptSecondaryEku;
+    }
+
+    public void setAcceptSecondaryEku(boolean acceptSecondaryEku) {
+        this.acceptSecondaryEku = acceptSecondaryEku;
+    }
+
+    public boolean isAllowUpn() {
+        return allowUpn;
+    }
+
+    public void setAllowUpn(boolean allowUpn) {
+        this.allowUpn = allowUpn;
+    }
+
+    public boolean isUsingRsa() {
+        return usingRsa;
+    }
+
+    public void setUsingRsa(boolean usingRsa) {
+        this.usingRsa = usingRsa;
+    }
+
+    public boolean isRequireCrlChecking() {
+        return requireCrlChecking;
+    }
+
+    public void setRequireCrlChecking(boolean requireCrlChecking) {
+        this.requireCrlChecking = requireCrlChecking;
+    }
+
+    public int getDhMinBits() {
+        return dhMinBits;
+    }
+
+    public void setDhMinBits(int dhMinBits) {
+        this.dhMinBits = dhMinBits;
+    }
 }
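Review bot: `setDhMinBits` stores any int, although the field comment says the acceptable values are 1024, 2048 and 4096. Since PkinitCrypto compares the client's prime size against `getDhMinBits()`, a zero or negative value from a configuration mistake would disable that check without any error. The setter is the natural place to reject it, for example `if (dhMinBits != 1024 && dhMinBits != 2048 && dhMinBits != 4096) { throw new IllegalArgumentException("unsupported dhMinBits: " + dhMinBits); }` before the assignment. The new accessors also have no Javadoc; one line each stating the default and what the flag relaxes or tightens would help whoever wires them to configuration.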
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index 5e91950..a2d5e68 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -93,7 +93,7 @@
         tmp.realm = kdcContext.getKdcRealm();
 
         String pkinitIdentity = kdcContext.getConfig().getPkinitIdentity();
-        tmp.identityOpts.identity = pkinitIdentity;
+        tmp.identityOpts.setIdentity(pkinitIdentity);
 
         pkinitContexts.put(kdcContext.getKdcRealm(), tmp);
     }
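Review bot: The call `tmp.identityOpts.setIdentity(pkinitIdentity)` goes through the new setter, but `tmp.realm` and `tmp.identityOpts` are still reached as public fields of the context object. The same applies to `pkinitContext.identityOpts.getIdentity()` in the later hunk of this file. That leaves the encapsulation change half-applied. If the context class is in scope for this cleanup, give it accessors too (for instance a `getIdentityOpts()`; the name is a suggestion) so callers cannot swap the options object out from under the KDC. The enclosing method starts outside the hunk.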
@@ -245,7 +245,7 @@
                 // Set the DH shared key as the client key
                 kdcRequest.setClientKey(secretKey);
 
-                String identity = pkinitContext.identityOpts.identity;
+                String identity = pkinitContext.identityOpts.getIdentity();
 
                 PaPkAsRep paPkAsRep = makePaPkAsRep(serverPubKey, identity);
                 PaDataEntry paDataEntry = makeEntry(paPkAsRep);
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenRequestContext.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenRequestContext.java
index f902a7d..79a690d 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenRequestContext.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenRequestContext.java
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ *
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ *
  */
 package org.apache.kerby.kerberos.kerb.server.preauth.token;
 
@@ -24,9 +24,35 @@
 
 public class TokenRequestContext implements PluginRequestContext {
 
-    public boolean doIdentityMatching;
-    public PaDataType paType;
-    public boolean identityInitialized;
-    public boolean identityPrompted;
-    
+    private boolean doIdentityMatching;
+    private PaDataType paType;
+    private boolean identityInitialized;
+    private boolean identityPrompted;
+
+    public boolean isDoIdentityMatching() {
+        return doIdentityMatching;
+    }
+    public void setDoIdentityMatching(boolean doIdentityMatching) {
+        this.doIdentityMatching = doIdentityMatching;
+    }
+    public PaDataType getPaType() {
+        return paType;
+    }
+    public void setPaType(PaDataType paType) {
+        this.paType = paType;
+    }
+    public boolean isIdentityInitialized() {
+        return identityInitialized;
+    }
+    public void setIdentityInitialized(boolean identityInitialized) {
+        this.identityInitialized = identityInitialized;
+    }
+    public boolean isIdentityPrompted() {
+        return identityPrompted;
+    }
+    public void setIdentityPrompted(boolean identityPrompted) {
+        this.identityPrompted = identityPrompted;
+    }
+
+
 }
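Review bot: The new accessors are packed together with no blank line between methods, and the class now ends with two empty lines before the closing brace. The accessors added to PluginOpts in this same commit are separated by blank lines, so the two classes are formatted inconsistently. Separating the methods and dropping the extra trailing blank line would fix that. The four fields also have no comment saying what each flag records during token pre-authentication; a one-line `/** ... */` on each field would make the getters self-explanatory.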