kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java - directory-server - Git at Google

 /*
  *   Copyright 2005 The Apache Software Foundation
  *
  *   Licensed under the Apache License, Version 2.0 (the "License");
  *   you may not use this file except in compliance with the License.
  *   You may obtain a copy of the License at
  *
  *       http://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing, software
  *   distributed under the License is distributed on an "AS IS" BASIS,
  *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *   See the License for the specific language governing permissions and
  *   limitations under the License.
  *
  */
 package org.apache.directory.server.kerberos.shared.service;


 import java.net.InetAddress;

 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.MessageType;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.ApOptions;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
 import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
 import org.apache.directory.server.protocol.shared.chain.impl.CommandBase;


 /*
  * Shared by TGS and Changepw
  */
 public abstract class VerifyAuthHeader extends CommandBase
 {
     // RFC 1510 A.10.  KRB_AP_REQ verification
     public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
         long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
         LockBox lockBox ) throws KerberosException
     {
         if ( authHeader.getProtocolVersionNumber() != 5 )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
         }

         if ( authHeader.getMessageType() != MessageType.KRB_AP_REQ )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
         }

         if ( authHeader.getTicket().getVersionNumber() != 5 )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
         }

         EncryptionKey ticketKey = null;

         if ( authHeader.getOption( ApOptions.USE_SESSION_KEY ) )
         {
             ticketKey = authHeader.getTicket().getSessionKey();
         }
         else
         {
             ticketKey = serverKey;
         }

         if ( ticketKey == null )
         {
             // TODO - check server key version number, skvno; requires store
             if ( false )
             {
                 throw new KerberosException( ErrorType.KRB_AP_ERR_BADKEYVER );
             }

             throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
         }

         EncTicketPart encPart = ( EncTicketPart ) lockBox.unseal( EncTicketPart.class, ticketKey, ticket.getEncPart() );
         ticket.setEncTicketPart( encPart );

         Authenticator authenticator = ( Authenticator ) lockBox.unseal( Authenticator.class, ticket.getSessionKey(),
             authHeader.getEncPart() );

         if ( !authenticator.getClientPrincipal().getName().equals( ticket.getClientPrincipal().getName() ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
         }

         if ( ticket.getClientAddresses() != null )
         {
             if ( !ticket.getClientAddresses().contains( new HostAddress( clientAddress ) ) )
             {
                 throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
             }
         }
         else
         {
             if ( !emptyAddressesAllowed )
             {
                 throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
             }
         }

         if ( replayCache.isReplay( authenticator.getClientTime(), authenticator.getClientPrincipal() ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
         }

         replayCache.save( authenticator.getClientTime(), authenticator.getClientPrincipal() );

         if ( !authenticator.getClientTime().isInClockSkew( clockSkew ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
         }

         if ( ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew( clockSkew )
             || ticket.getFlag( TicketFlags.INVALID ) )
         {
             // it hasn't yet become valid
             throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
         }

         // TODO - doesn't take into account skew
         if ( !ticket.getEndTime().greaterThan( new KerberosTime() ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
         }

         authHeader.setOption( ApOptions.MUTUAL_REQUIRED );

         return authenticator;
     }
 }
	/*
	* Copyright 2005 The Apache Software Foundation
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*
	*/
	package org.apache.directory.server.kerberos.shared.service;


	import java.net.InetAddress;

	import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
	import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
	import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
	import org.apache.directory.server.kerberos.shared.messages.MessageType;
	import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
	import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
	import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
	import org.apache.directory.server.kerberos.shared.messages.value.ApOptions;
	import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
	import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
	import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
	import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
	import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
	import org.apache.directory.server.protocol.shared.chain.impl.CommandBase;


	/*
	* Shared by TGS and Changepw
	*/
	public abstract class VerifyAuthHeader extends CommandBase
	{
	// RFC 1510 A.10. KRB_AP_REQ verification
	public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
	long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
	LockBox lockBox ) throws KerberosException
	{
	if ( authHeader.getProtocolVersionNumber() != 5 )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
	}

	if ( authHeader.getMessageType() != MessageType.KRB_AP_REQ )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
	}

	if ( authHeader.getTicket().getVersionNumber() != 5 )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
	}

	EncryptionKey ticketKey = null;

	if ( authHeader.getOption( ApOptions.USE_SESSION_KEY ) )
	{
	ticketKey = authHeader.getTicket().getSessionKey();
	}
	else
	{
	ticketKey = serverKey;
	}

	if ( ticketKey == null )
	{
	// TODO - check server key version number, skvno; requires store
	if ( false )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_BADKEYVER );
	}

	throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
	}

	EncTicketPart encPart = ( EncTicketPart ) lockBox.unseal( EncTicketPart.class, ticketKey, ticket.getEncPart() );
	ticket.setEncTicketPart( encPart );

	Authenticator authenticator = ( Authenticator ) lockBox.unseal( Authenticator.class, ticket.getSessionKey(),
	authHeader.getEncPart() );

	if ( !authenticator.getClientPrincipal().getName().equals( ticket.getClientPrincipal().getName() ) )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
	}

	if ( ticket.getClientAddresses() != null )
	{
	if ( !ticket.getClientAddresses().contains( new HostAddress( clientAddress ) ) )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
	}
	}
	else
	{
	if ( !emptyAddressesAllowed )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
	}
	}

	if ( replayCache.isReplay( authenticator.getClientTime(), authenticator.getClientPrincipal() ) )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
	}

	replayCache.save( authenticator.getClientTime(), authenticator.getClientPrincipal() );

	if ( !authenticator.getClientTime().isInClockSkew( clockSkew ) )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
	}

	if ( ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew( clockSkew )
	\|\| ticket.getFlag( TicketFlags.INVALID ) )
	{
	// it hasn't yet become valid
	throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
	}

	// TODO - doesn't take into account skew
	if ( !ticket.getEndTime().greaterThan( new KerberosTime() ) )
	{
	throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
	}

	authHeader.setOption( ApOptions.MUTUAL_REQUIRED );

	return authenticator;
	}
	}