Merge remote-tracking branch 'asf/trunk' into kadmin-remote
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 3620f23..df4af89 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -350,17 +350,28 @@
PkinitCrypto.verifyCmsSignedData(
CmsMessageType.CMS_SIGN_SERVER, signedData);
+ if (kdcRequest.getContext().getConfig().getPkinitAnchors().isEmpty()) {
+ LOG.error("No PKINIT anchors specified");
+ throw new KrbException("No PKINIT anchors specified");
+ }
String anchorFileName = kdcRequest.getContext().getConfig().getPkinitAnchors().get(0);
X509Certificate x509Certificate = null;
try {
- x509Certificate = (X509Certificate) CertificateHelper.loadCerts(
- anchorFileName).iterator().next();
+ List<java.security.cert.Certificate> certs =
+ CertificateHelper.loadCerts(anchorFileName);
+ if (certs != null && !certs.isEmpty()) {
+ x509Certificate = (X509Certificate) certs.iterator().next();
+ }
} catch (KrbException e) {
e.printStackTrace();
}
- Certificate archorCertificate = PkinitCrypto.changeToCertificate(x509Certificate);
-
+
+ if (x509Certificate == null) {
+ LOG.error("Failed to load PKINIT anchor");
+ throw new KrbException("Failed to load PKINIT anchor");
+ }
+
CertificateSet certificateSet = signedData.getCertificates();
List<Certificate> certificates = new ArrayList<>();
if (certificateSet != null) {
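Review bot: The cause of an anchor load failure is discarded: `catch (KrbException e) { e.printStackTrace(); }` at L23-L25 prints to stderr and the later `throw new KrbException("Failed to load PKINIT anchor")` at L31 carries neither the cause nor the file name, so an operator sees only a generic message. Prefer logging through LOG and propagating the cause, e.g. `catch (KrbException e) { LOG.error("Failed to load PKINIT anchor {}", anchorFileName, e); throw e; }` (wrapping it instead needs a message-plus-cause constructor on KrbException; only the error-code-plus-cause form is visible here at L44). Note also that only `getPkinitAnchors().get(0)` and the first certificate in that file become the trust anchor; if several anchors can be configured, the rest are silently ignored and a comment stating this limitation would help. The enclosing method begins before this hunk.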
@@ -370,7 +381,7 @@
}
}
try {
- PkinitCrypto.validateChain(certificates, archorCertificate);
+ PkinitCrypto.validateChain(certificates, x509Certificate);
} catch (Exception e) {
throw new KrbException(KrbErrorCode.KDC_ERR_INVALID_CERTIFICATE, e);
}
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
index db96ed6..53096d4 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
@@ -21,6 +21,7 @@
import org.apache.kerby.kerberos.kerb.KrbException;
+import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
@@ -35,12 +36,19 @@
public static List<Certificate> loadCerts(String filename) throws KrbException {
+
+ File file = new File(filename);
InputStream res = null;
- try {
- res = new FileInputStream(filename);
- } catch (FileNotFoundException e) {
- e.printStackTrace();
+ if (file.isFile()) {
+ try {
+ res = new FileInputStream(file);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ }
+ } else {
+ res = CertificateHelper.class.getClassLoader().getResourceAsStream(filename);
}
+
return loadCerts(res);
}
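Review bot: A name that is not an existing regular file now falls back silently to `getResourceAsStream(filename)` at L72, so a mistyped anchor or identity path in the configuration would make the trust material come from whatever resource of that name is on the classpath instead of failing; the fallback should at least be logged. `res` is still null when the resource is absent or the FileNotFoundException at L68 is swallowed, and that null reaches `loadCerts(res)` at L75 (how that overload treats null is not visible here). I would add, before L75, `if (res == null) { throw new KrbException("PKINIT certificate file or classpath resource not found: " + filename); }`. The stream opened here is not closed in this method; if `loadCerts(InputStream)` does not close it, wrap it in try-with-resources.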
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
index cc09a37..63e3e44 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -18,6 +18,33 @@
*/
package org.apache.kerby.kerberos.kerb.preauth.pkinit;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.crypto.interfaces.DHPublicKey;
+import javax.crypto.spec.DHParameterSpec;
+import javax.crypto.spec.DHPublicKeySpec;
+
import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.cms.type.CertificateSet;
import org.apache.kerby.cms.type.DigestAlgorithmIdentifiers;
@@ -36,25 +63,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.crypto.interfaces.DHPublicKey;
-import javax.crypto.spec.DHParameterSpec;
-import javax.crypto.spec.DHPublicKeySpec;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
-import java.util.ArrayList;
-import java.util.List;
-
/**
* Ref. pkinit_crypto_openssl.c in MIT krb5 project.
*/
@@ -329,16 +337,25 @@
* @throws NoSuchAlgorithmException e
* @throws InvalidAlgorithmParameterException e
* @throws CertPathValidatorException e
+ * @throws IOException
*/
- public static void validateChain(List<Certificate> certificateList, Certificate anchor)
+ public static void validateChain(List<Certificate> certificateList, X509Certificate anchor)
throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
- InvalidAlgorithmParameterException, CertPathValidatorException {
+ InvalidAlgorithmParameterException, CertPathValidatorException, IOException {
- //TODO
- /*
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
- CertPath certPath = certificateFactory.generatertPath(certificateList);
-
+
+ // Convert into a list of X509Certificates
+ List<X509Certificate> certsList = new ArrayList<>(certificateList.size());
+ for (Certificate cert : certificateList) {
+ X509Certificate parsedCert =
+ (X509Certificate) certificateFactory.generateCertificate(
+ new ByteArrayInputStream(cert.encode()));
+ certsList.add(parsedCert);
+ }
+
+ CertPath certPath = certificateFactory.generateCertPath(certsList);
+
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
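Review bot: The path is built from whatever certificates the caller passes, in the order received, by `generateCertPath(certsList)` at L165, without tying it to the certificate that signed the message (on the client side the input is the whole CertificateSet of the CMS SignedData); PKIX validation expects the path ordered from end entity towards the anchor, and CMS carries its certificates as an unordered set, so a path may be rejected for ordering alone or may validate a chain that does not contain the signer. Consider having the caller pass the signer certificate (selected by the SignerInfo's signer identifier) as the first element, or building the path with a CertPathBuilder from the signer certificate with the remaining certificates supplied as a CertStore. `@throws IOException` at L143 has no description; `@throws IOException if a certificate in the list cannot be re-encoded` matches `cert.encode()` at L161. Revocation checking remains off via `parameters.setRevocationEnabled(false)` in the next hunk; a comment stating that this is deliberate and what compensates for it would help. validateChain's body continues into the following hunk.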
@@ -347,7 +364,6 @@
parameters.setRevocationEnabled(false);
cpv.validate(certPath, parameters);
- */
}
/**
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index f0080c9..0e4867d 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -302,32 +302,36 @@
private PaPkAsRep makePaPkAsRep(DHPublicKey severPubKey, String identityString) throws KrbException {
- List<String> identityList = Arrays.asList(identityString.split(","));
-
List<X509Certificate> certificates = new ArrayList<>();
- for (String identity : identityList) {
- File file = new File(identity);
- try (Scanner scanner = new Scanner(file, "UTF-8")) {
- String found = scanner.findInLine("CERTIFICATE");
-
- if (found != null) {
- InputStream res = null;
- try {
- res = new FileInputStream(identity);
- } catch (FileNotFoundException e) {
- e.printStackTrace();
+ if (identityString != null) {
+ List<String> identityList = Arrays.asList(identityString.split(","));
+ for (String identity : identityList) {
+ File file = new File(identity);
+ try (Scanner scanner = new Scanner(file, "UTF-8")) {
+ String found = scanner.findInLine("CERTIFICATE");
+
+ if (found != null) {
+ InputStream res = null;
+ try {
+ res = new FileInputStream(identity);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ }
+ X509Certificate certificate = null;
+ try {
+ certificate = (X509Certificate) CertificateHelper.loadCerts(res).iterator().next();
+ } catch (KrbException e) {
+ e.printStackTrace();
+ }
+ certificates.add(certificate);
+ res.close();
}
- X509Certificate certificate = null;
- try {
- certificate = (X509Certificate) CertificateHelper.loadCerts(res).iterator().next();
- } catch (KrbException e) {
- e.printStackTrace();
- }
- certificates.add(certificate);
+ } catch (IOException e) {
+ e.getMessage();
}
- } catch (FileNotFoundException e) {
- e.getMessage();
}
+ } else {
+ LOG.warn("No PKINIT identity keys specified");
}
PaPkAsRep paPkAsRep = new PaPkAsRep();
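Review bot: `res` is null when the FileNotFoundException at L206 is swallowed, and that null then reaches `CertificateHelper.loadCerts(res)` at L211 and `res.close()` at L216, so a missing identity file ends in a NullPointerException rather than a KrbException; `res.close()` is also not in a finally, so the stream leaks if `iterator().next()` throws on an empty list, and a failed load still executes `certificates.add(certificate)` with null at L215. The `catch (IOException e) { e.getMessage(); }` at L225-L227 is a no-op that hides the failure entirely; change it to `} catch (IOException e) { LOG.error("Failed to read PKINIT identity file " + identity, e); }`. For the inner block, open the stream with try-with-resources and add the certificate only when loading succeeded, as below (assuming LOG is the slf4j logger used elsewhere in this module). Guard the empty-list case too if loadCerts can return an empty list.
```java
if (found != null) {
    try (InputStream res = new FileInputStream(identity)) {
        certificates.add((X509Certificate) CertificateHelper.loadCerts(res).iterator().next());
    } catch (KrbException e) {
        LOG.error("Failed to load PKINIT identity certificate from " + identity, e);
    }
}
// … unchanged: remainder of the Scanner try-with-resources and the outer catch …
```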
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index 7cb7dbb..37e89bb 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -82,15 +82,15 @@
} else {
clientEntry = getEntry(clientPrincipal.getName());
}
- if (isAnonymous()) {
- clientEntry.setPrincipal(new PrincipalName(clientPrincipal.getName(), NameType.NT_WELLKNOWN));
- }
-
if (clientEntry == null) {
LOG.warn("Can't get the client entry.");
throw new KrbException(KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN);
}
+ if (isAnonymous()) {
+ clientEntry.setPrincipal(new PrincipalName(clientPrincipal.getName(), NameType.NT_WELLKNOWN));
+ }
+
setClientEntry(clientEntry);
for (EncryptionType encType : request.getReqBody().getEtypes()) {
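Review bot: `clientEntry.setPrincipal(...)` at L252 mutates the entry returned by `getEntry(clientPrincipal.getName())` at L241; if the identity backend hands back a shared or cached object, the NT_WELLKNOWN principal name written here for the anonymous case would persist into later lookups of the same entry. Whether the entry is shared is not visible here; if it is, copy it before renaming, otherwise a comment such as `// entry is a per-request object; renaming it for the anonymous client does not affect the backend` above L251 would settle the question for readers. The enclosing method begins before this hunk.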