Fixed two problems found during testing with new encryption types:
o TGS GetSessionKey would throw ClassCastException.
o Introduced key usage to auth header verification. Issue affected TGT auth header and service ticket auth header verification, e.g. Change Password.
git-svn-id: https://svn.apache.org/repos/asf/directory/apacheds/branches/kerberos-encryption-types@540005 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java b/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
index 18ce3b4..f170d65 100644
--- a/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
+++ b/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
@@ -62,12 +62,13 @@
* @param emptyAddressesAllowed
* @param clientAddress
* @param lockBox
+ * @param authenticatorKeyUsage
* @return The authenticator.
* @throws KerberosException
*/
public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
- CipherTextHandler lockBox ) throws KerberosException
+ CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage ) throws KerberosException
{
if ( authHeader.getProtocolVersionNumber() != 5 )
{
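Review bot: The new `@param authenticatorKeyUsage` tag on line 13 has no description, and this parameter is now the one input that distinguishes the callers of the shared method, so a reader has no way to know which usage number to pass. Suggest `@param authenticatorKeyUsage The key usage number under which the authenticator in the auth header was sealed (RFC 4120 7.5.1: 7 for the PA-TGS-REQ authenticator, 11 for an AP-REQ authenticator sent to an application service).` The method body continues past the hunk, so I cannot see whether a null usage is rejected before it reaches `lockBox.unseal`; a `if ( authenticatorKeyUsage == null )` guard throwing `IllegalArgumentException` at the top of the method would fail more clearly than whatever unseal does with a null usage.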
@@ -111,7 +112,7 @@
ticket.setEncTicketPart( encPart );
Authenticator authenticator = ( Authenticator ) lockBox.unseal( Authenticator.class, ticket.getSessionKey(),
- authHeader.getEncPart(), KeyUsage.NUMBER11 );
+ authHeader.getEncPart(), authenticatorKeyUsage );
if ( !authenticator.getClientPrincipal().getName().equals( ticket.getClientPrincipal().getName() ) )
{
diff --git a/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java b/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java
index 030dc63..411d866 100644
--- a/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java
+++ b/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java
@@ -24,6 +24,7 @@
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
@@ -59,7 +60,7 @@
CipherTextHandler cipherTextHandler = changepwContext.getCipherTextHandler();
Authenticator authenticator = verifyAuthHeader( authHeader, ticket, serverKey, clockSkew, replayCache,
- emptyAddressesAllowed, clientAddress, cipherTextHandler );
+ emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER11 );
changepwContext.setAuthenticator( authenticator );
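Review bot: `KeyUsage.NUMBER11` on line 46 is passed as a bare magic value with nothing at the call site saying why 11 is the right usage for this path, and the same applies to `KeyUsage.NUMBER7` in VerifyTgtAuthHeader (line 82). Both values agree with RFC 4120 section 7.5.1 (11 is the AP-REQ Authenticator usage, which is what an application service such as the change-password service verifies; 7 is the PA-TGS-REQ Authenticator usage the TGS verifies), but a wrong value would presumably only surface later as a decryption or integrity failure, so the reasoning should be recorded where the value is chosen. Suggest a one-line comment above each call: `// RFC 4120 7.5.1: an AP-REQ Authenticator sent to an application service is sealed under key usage 11` here, and `// RFC 4120 7.5.1: the AP-REQ Authenticator carried in PA-TGS-REQ is sealed under key usage 7` in VerifyTgtAuthHeader. The enclosing execute method starts before this hunk.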
diff --git a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java
index f9e9178..943bfc1 100644
--- a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java
+++ b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java
@@ -20,7 +20,6 @@
package org.apache.directory.server.kerberos.kdc.ticketgrant;
-import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -39,8 +38,8 @@
public void execute( NextCommand next, IoSession session, Object message ) throws Exception
{
- AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
- authContext.setSessionKey( RandomKeyFactory.getRandomKey( authContext.getEncryptionType() ) );
+ TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
+ tgsContext.setSessionKey( RandomKeyFactory.getRandomKey( tgsContext.getEncryptionType() ) );
next.execute( session, message );
}
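Review bot: The cast on line 63 resolves the ClassCastException, but nothing documents where `tgsContext.getEncryptionType()` on line 64 comes from, and for a TGS exchange that matters: RFC 4120 (sections 3.1.3 and 3.3.3) expects the session key of the new ticket to use an etype the client listed in the request, not necessarily the etype of the TGT or of the service key. I cannot see from the hunk how the ticket-granting context's encryption type is populated, so it may already be the negotiated client etype; suggest confirming that and recording it on the line with `// etype must be one the client listed in the TGS-REQ etype field (RFC 4120 3.3.3)`. `getContextKey()` is defined outside the hunk.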
diff --git a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
index df96224..10725bf 100644
--- a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
+++ b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
@@ -24,6 +24,7 @@
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
@@ -56,7 +57,7 @@
CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
- emptyAddressesAllowed, clientAddress, cipherTextHandler );
+ emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER7 );
tgsContext.setAuthenticator( authenticator );