1 /*
2 * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 #import "sun_security_krb5_Credentials.h"
27 #import <Kerberos/Kerberos.h>
28 #import <string.h>
29 #import <time.h>
30
31 #include "jni_util.h"
32
33 /*
34 * Based largely on klist.c,
35 *
36 * Created by Scott Kovatch on 8/12/04.
37 *
38 * See http://www.opensource.apple.com/darwinsource/10.3.3/Kerberos-47/KerberosClients/klist/Sources/klist.c
39
40 */
41
42 /*
43 * Statics for this module
44 */
45
46 static jclass derValueClass = NULL;
47 static jclass ticketClass = NULL;
48 static jclass principalNameClass = NULL;
49 static jclass encryptionKeyClass = NULL;
50 static jclass ticketFlagsClass = NULL;
51 static jclass kerberosTimeClass = NULL;
52 static jclass javaLangStringClass = NULL;
53 static jclass javaLangIntegerClass = NULL;
54 static jclass hostAddressClass = NULL;
55 static jclass hostAddressesClass = NULL;
56
57 static jmethodID derValueConstructor = 0;
58 static jmethodID ticketConstructor = 0;
59 static jmethodID principalNameConstructor = 0;
60 static jmethodID encryptionKeyConstructor = 0;
61 static jmethodID ticketFlagsConstructor = 0;
62 static jmethodID kerberosTimeConstructor = 0;
63 static jmethodID krbcredsConstructor = 0;
64 static jmethodID integerConstructor = 0;
65 static jmethodID hostAddressConstructor = 0;
66 static jmethodID hostAddressesConstructor = 0;
67
68 /*
69 * Function prototypes for internal routines
70 */
71
72 static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket);
73 static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName);
74 static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey);
75 static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags);
76 static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime);
77 static jobject BuildAddressList(JNIEnv *env, krb5_address **kerbtime);
78
79 static void printiferr (errcode_t err, const char *format, ...);
80
81 static jclass FindClass(JNIEnv *env, char *className)
82 {
83 jclass cls = (*env)->FindClass(env, className);
84
85 if (cls == NULL) {
86 printf("Couldn't find %s\n", className);
87 return NULL;
88 }
89
90 jobject returnValue = (*env)->NewWeakGlobalRef(env,cls);
91 return returnValue;
92 }
93 /*
94 * Class: sun_security_krb5_KrbCreds
95 * Method: JNI_OnLoad
96 */
97 JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *jvm, void *reserved)
98 {
99 JNIEnv *env;
100
101 if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_4)) {
102 return JNI_EVERSION; /* JNI version not supported */
103 }
104
105 ticketClass = FindClass(env, "sun/security/krb5/internal/Ticket");
106 if (ticketClass == NULL) return JNI_ERR;
107
108 principalNameClass = FindClass(env, "sun/security/krb5/PrincipalName");
109 if (principalNameClass == NULL) return JNI_ERR;
110
111 derValueClass = FindClass(env, "sun/security/util/DerValue");
112 if (derValueClass == NULL) return JNI_ERR;
113
114 encryptionKeyClass = FindClass(env, "sun/security/krb5/EncryptionKey");
115 if (encryptionKeyClass == NULL) return JNI_ERR;
116
117 ticketFlagsClass = FindClass(env,"sun/security/krb5/internal/TicketFlags");
118 if (ticketFlagsClass == NULL) return JNI_ERR;
119
120 kerberosTimeClass = FindClass(env,"sun/security/krb5/internal/KerberosTime");
121 if (kerberosTimeClass == NULL) return JNI_ERR;
122
123 javaLangStringClass = FindClass(env,"java/lang/String");
124 if (javaLangStringClass == NULL) return JNI_ERR;
125
126 javaLangIntegerClass = FindClass(env,"java/lang/Integer");
127 if (javaLangIntegerClass == NULL) return JNI_ERR;
128
129 hostAddressClass = FindClass(env,"sun/security/krb5/internal/HostAddress");
130 if (hostAddressClass == NULL) return JNI_ERR;
131
132 hostAddressesClass = FindClass(env,"sun/security/krb5/internal/HostAddresses");
133 if (hostAddressesClass == NULL) return JNI_ERR;
134
135 derValueConstructor = (*env)->GetMethodID(env, derValueClass, "<init>", "([B)V");
136 if (derValueConstructor == 0) {
137 printf("Couldn't find DerValue constructor\n");
138 return JNI_ERR;
139 }
140
141 ticketConstructor = (*env)->GetMethodID(env, ticketClass, "<init>", "(Lsun/security/util/DerValue;)V");
142 if (ticketConstructor == 0) {
143 printf("Couldn't find Ticket constructor\n");
144 return JNI_ERR;
145 }
146
147 principalNameConstructor = (*env)->GetMethodID(env, principalNameClass, "<init>", "(Ljava/lang/String;I)V");
148 if (principalNameConstructor == 0) {
149 printf("Couldn't find PrincipalName constructor\n");
150 return JNI_ERR;
151 }
152
153 encryptionKeyConstructor = (*env)->GetMethodID(env, encryptionKeyClass, "<init>", "(I[B)V");
154 if (encryptionKeyConstructor == 0) {
155 printf("Couldn't find EncryptionKey constructor\n");
156 return JNI_ERR;
157 }
158
159 ticketFlagsConstructor = (*env)->GetMethodID(env, ticketFlagsClass, "<init>", "(I[B)V");
160 if (ticketFlagsConstructor == 0) {
161 printf("Couldn't find TicketFlags constructor\n");
162 return JNI_ERR;
163 }
164
165 kerberosTimeConstructor = (*env)->GetMethodID(env, kerberosTimeClass, "<init>", "(J)V");
166 if (kerberosTimeConstructor == 0) {
167 printf("Couldn't find KerberosTime constructor\n");
168 return JNI_ERR;
169 }
170
171 integerConstructor = (*env)->GetMethodID(env, javaLangIntegerClass, "<init>", "(I)V");
172 if (integerConstructor == 0) {
173 printf("Couldn't find Integer constructor\n");
174 return JNI_ERR;
175 }
176
177 hostAddressConstructor = (*env)->GetMethodID(env, hostAddressClass, "<init>", "(I[B)V");
178 if (hostAddressConstructor == 0) {
179 printf("Couldn't find HostAddress constructor\n");
180 return JNI_ERR;
181 }
182
183 hostAddressesConstructor = (*env)->GetMethodID(env, hostAddressesClass, "<init>", "([Lsun/security/krb5/internal/HostAddress;)V");
184 if (hostAddressesConstructor == 0) {
185 printf("Couldn't find HostAddresses constructor\n");
186 return JNI_ERR;
187 }
188
189 return JNI_VERSION_1_2;
190 }
191
192 /*
193 * Class: sun_security_jgss_KrbCreds
194 * Method: JNI_OnUnload
195 */
196 JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *jvm, void *reserved)
197 {
198 JNIEnv *env;
199
200 if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) {
201 return; /* Nothing else we can do */
202 }
203
204 if (ticketClass != NULL) {
205 (*env)->DeleteWeakGlobalRef(env,ticketClass);
206 }
207 if (derValueClass != NULL) {
208 (*env)->DeleteWeakGlobalRef(env,derValueClass);
209 }
210 if (principalNameClass != NULL) {
211 (*env)->DeleteWeakGlobalRef(env,principalNameClass);
212 }
213 if (encryptionKeyClass != NULL) {
214 (*env)->DeleteWeakGlobalRef(env,encryptionKeyClass);
215 }
216 if (ticketFlagsClass != NULL) {
217 (*env)->DeleteWeakGlobalRef(env,ticketFlagsClass);
218 }
219 if (kerberosTimeClass != NULL) {
220 (*env)->DeleteWeakGlobalRef(env,kerberosTimeClass);
221 }
222 if (javaLangStringClass != NULL) {
223 (*env)->DeleteWeakGlobalRef(env,javaLangStringClass);
224 }
225 if (javaLangIntegerClass != NULL) {
226 (*env)->DeleteWeakGlobalRef(env,javaLangIntegerClass);
227 }
228 if (hostAddressClass != NULL) {
229 (*env)->DeleteWeakGlobalRef(env,hostAddressClass);
230 }
231 if (hostAddressesClass != NULL) {
232 (*env)->DeleteWeakGlobalRef(env,hostAddressesClass);
233 }
234
235 }
236
237 int isIn(krb5_enctype e, int n, jint* etypes)
238 {
239 int i;
240 for (i=0; i<n; i++) {
241 if (e == etypes[i]) return 1;
242 }
243 return 0;
244 }
245
246 /*
247 * Class: sun_security_krb5_Credentials
248 * Method: acquireDefaultNativeCreds
249 * Signature: ([I])Lsun/security/krb5/Credentials;
250 */
251 JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds
252 (JNIEnv *env, jclass krbcredsClass, jintArray jetypes)
253 {
254 jobject krbCreds = NULL;
255 krb5_error_code err = 0;
256 krb5_ccache ccache = NULL;
257 krb5_cc_cursor cursor = NULL;
258 krb5_creds creds;
259 krb5_flags flags = 0;
260 krb5_context kcontext = NULL;
261
262 int netypes;
263 jint *etypes = NULL;
264
265 /* Initialize the Kerberos 5 context */
266 err = krb5_init_context (&kcontext);
267
268 if (!err) {
269 err = krb5_cc_default (kcontext, &ccache);
270 }
271
272 if (!err) {
273 err = krb5_cc_set_flags (kcontext, ccache, flags); /* turn off OPENCLOSE */
274 }
275
276 if (!err) {
277 err = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
278 }
279
280 netypes = (*env)->GetArrayLength(env, jetypes);
281 etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL);
282
283 if (etypes != NULL && !err) {
284 while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
285 char *serverName = NULL;
286
287 if (!err) {
288 err = krb5_unparse_name (kcontext, creds.server, &serverName);
289 printiferr (err, "while unparsing server name");
290 }
291
292 if (!err) {
293 char* slash = strchr(serverName, '/');
294 char* at = strchr(serverName, '@');
295 // Make sure the server's name is krbtgt/REALM@REALM, the etype
296 // is supported, and the ticket has not expired
297 if (slash && at &&
298 strncmp (serverName, "krbtgt", slash-serverName) == 0 &&
299 // the ablove line shows at must be after slash
300 strncmp (slash+1, at+1, at-slash-1) == 0 &&
301 isIn (creds.keyblock.enctype, netypes, etypes) &&
302 creds.times.endtime > time(0)) {
303 jobject ticket, clientPrincipal, targetPrincipal, encryptionKey;
304 jobject ticketFlags, startTime, endTime;
305 jobject authTime, renewTillTime, hostAddresses;
306
307 ticket = clientPrincipal = targetPrincipal = encryptionKey = NULL;
308 ticketFlags = startTime = endTime = NULL;
309 authTime = renewTillTime = hostAddresses = NULL;
310
311 // For the default credentials we're only interested in the krbtgt server.
312 clientPrincipal = BuildClientPrincipal(env, kcontext, creds.client);
313 if (clientPrincipal == NULL) goto cleanup;
314
315 targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server);
316 if (targetPrincipal == NULL) goto cleanup;
317
318 // Build a sun/security/krb5/internal/Ticket
319 ticket = BuildTicket(env, &creds.ticket);
320 if (ticket == NULL) goto cleanup;
321
322 // Get the encryption key
323 encryptionKey = BuildEncryptionKey(env, &creds.keyblock);
324 if (encryptionKey == NULL) goto cleanup;
325
326 // and the ticket flags
327 ticketFlags = BuildTicketFlags(env, creds.ticket_flags);
328 if (ticketFlags == NULL) goto cleanup;
329
330 // Get the timestamps out.
331 startTime = BuildKerberosTime(env, creds.times.starttime);
332 if (startTime == NULL) goto cleanup;
333
334 authTime = BuildKerberosTime(env, creds.times.authtime);
335 if (authTime == NULL) goto cleanup;
336
337 endTime = BuildKerberosTime(env, creds.times.endtime);
338 if (endTime == NULL) goto cleanup;
339
340 renewTillTime = BuildKerberosTime(env, creds.times.renew_till);
341 if (renewTillTime == NULL) goto cleanup;
342
343 // Create the addresses object.
344 hostAddresses = BuildAddressList(env, creds.addresses);
345
346 if (krbcredsConstructor == 0) {
347 krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
348 "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
349 if (krbcredsConstructor == 0) {
350 printf("Couldn't find sun.security.krb5.internal.Ticket constructor\n");
351 break;
352 }
353 }
354
355 // and now go build a KrbCreds object
356 krbCreds = (*env)->NewObject(
357 env,
358 krbcredsClass,
359 krbcredsConstructor,
360 ticket,
361 clientPrincipal,
362 targetPrincipal,
363 encryptionKey,
364 ticketFlags,
365 authTime,
366 startTime,
367 endTime,
368 renewTillTime,
369 hostAddresses);
370 cleanup:
371 if (ticket) (*env)->DeleteLocalRef(env, ticket);
372 if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal);
373 if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal);
374 if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey);
375 if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags);
376 if (authTime) (*env)->DeleteLocalRef(env, authTime);
377 if (startTime) (*env)->DeleteLocalRef(env, startTime);
378 if (endTime) (*env)->DeleteLocalRef(env, endTime);
379 if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime);
380 if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses);
381
382 // Stop if there is an exception or we already found the initial TGT
383 if ((*env)->ExceptionCheck(env) || krbCreds) {
384 break;
385 }
386 }
387 }
388
389 if (serverName != NULL) { krb5_free_unparsed_name (kcontext, serverName); }
390
391 krb5_free_cred_contents (kcontext, &creds);
392 }
393
394 if (err == KRB5_CC_END) { err = 0; }
395 printiferr (err, "while retrieving a ticket");
396 }
397
398 if (!err) {
399 err = krb5_cc_end_seq_get (kcontext, ccache, &cursor);
400 printiferr (err, "while finishing ticket retrieval");
401 }
402
403 if (!err) {
404 flags = KRB5_TC_OPENCLOSE; /* restore OPENCLOSE mode */
405 err = krb5_cc_set_flags (kcontext, ccache, flags);
406 printiferr (err, "while finishing ticket retrieval");
407 }
408
409 if (etypes != NULL) {
410 (*env)->ReleaseIntArrayElements(env, jetypes, etypes, 0);
411 }
412
413 krb5_free_context (kcontext);
414 return krbCreds;
415 }
416
417
418 #pragma mark -
419
420 jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket)
421 {
422 /* To build a Ticket, we first need to build a DerValue out of the EncodedTicket.
423 * But before we can do that, we need to make a byte array out of the ET.
424 */
425
426 jobject derValue, ticket;
427 jbyteArray ary;
428
429 ary = (*env)->NewByteArray(env, encodedTicket->length);
430 if ((*env)->ExceptionCheck(env)) {
431 return (jobject) NULL;
432 }
433
434 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, encodedTicket->length, (jbyte *)encodedTicket->data);
435 if ((*env)->ExceptionCheck(env)) {
436 (*env)->DeleteLocalRef(env, ary);
437 return (jobject) NULL;
438 }
439
440 derValue = (*env)->NewObject(env, derValueClass, derValueConstructor, ary);
441 if ((*env)->ExceptionCheck(env)) {
442 (*env)->DeleteLocalRef(env, ary);
443 return (jobject) NULL;
444 }
445
446 (*env)->DeleteLocalRef(env, ary);
447 ticket = (*env)->NewObject(env, ticketClass, ticketConstructor, derValue);
448 if ((*env)->ExceptionCheck(env)) {
449 (*env)->DeleteLocalRef(env, derValue);
450 return (jobject) NULL;
451 }
452 (*env)->DeleteLocalRef(env, derValue);
453 return ticket;
454 }
455
456 jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName) {
457 // Get the full principal string.
458 char *principalString = NULL;
459 jobject principal = NULL;
460 int err = krb5_unparse_name (kcontext, principalName, &principalString);
461
462 if (!err) {
463 // Make a PrincipalName from the full string and the type. Let the PrincipalName class parse it out.
464 jstring principalStringObj = (*env)->NewStringUTF(env, principalString);
465 if (principalStringObj == NULL) {
466 if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); }
467 return (jobject) NULL;
468 }
469 principal = (*env)->NewObject(env, principalNameClass, principalNameConstructor, principalStringObj, principalName->type);
470 if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); }
471 (*env)->DeleteLocalRef(env, principalStringObj);
472 }
473
474 return principal;
475 }
476
477 jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey) {
478 // First, need to build a byte array
479 jbyteArray ary;
480 jobject encryptionKey = NULL;
481
482 ary = (*env)->NewByteArray(env,cryptoKey->length);
483
484 if (ary == NULL) {
485 return (jobject) NULL;
486 }
487
488 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, cryptoKey->length, (jbyte *)cryptoKey->contents);
489 if (!(*env)->ExceptionCheck(env)) {
490 encryptionKey = (*env)->NewObject(env, encryptionKeyClass, encryptionKeyConstructor, cryptoKey->enctype, ary);
491 }
492
493 (*env)->DeleteLocalRef(env, ary);
494 return encryptionKey;
495 }
496
497 jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags) {
498 jobject ticketFlags = NULL;
499 jbyteArray ary;
500
501 /*
502 * Convert the bytes to network byte order before copying
503 * them to a Java byte array.
504 */
505 unsigned long nlflags = htonl(flags);
506
507 ary = (*env)->NewByteArray(env, sizeof(flags));
508
509 if (ary == NULL) {
510 return (jobject) NULL;
511 }
512
513 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, sizeof(flags), (jbyte *)&nlflags);
514
515 if (!(*env)->ExceptionCheck(env)) {
516 ticketFlags = (*env)->NewObject(env, ticketFlagsClass, ticketFlagsConstructor, sizeof(flags)*8, ary);
517 }
518
519 (*env)->DeleteLocalRef(env, ary);
520 return ticketFlags;
521 }
522
523 jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime) {
524 jlong time = kerbtime;
525
526 // Kerberos time is in seconds, but the KerberosTime class assumes milliseconds, so multiply by 1000.
527 time *= 1000;
528 return (*env)->NewObject(env, kerberosTimeClass, kerberosTimeConstructor, time);
529 }
530
531 jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) {
532
533 if (addresses == NULL) {
534 return NULL;
535 }
536
537 int addressCount = 0;
538
539 // See how many we have.
540 krb5_address **p = addresses;
541
542 while (*p != 0) {
543 addressCount++;
544 p++;
545 }
546
547 jobject address_list = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL);
548
549 if (address_list == NULL) {
550 return (jobject) NULL;
551 }
552
553 // Create a new HostAddress object for each address block.
554 // First, reset the iterator.
555 p = addresses;
556 jsize index = 0;
557 while (*p != 0) {
558 krb5_address *currAddress = *p;
559
560 // HostAddres needs a byte array of the host data.
561 jbyteArray ary = (*env)->NewByteArray(env, currAddress->length);
562
563 if (ary == NULL) return NULL;
564
565 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, currAddress->length, (jbyte *)currAddress->contents);
566 jobject address = (*env)->NewObject(env, hostAddressClass, hostAddressConstructor, currAddress->length, ary);
567
568 (*env)->DeleteLocalRef(env, ary);
569
570 if (address == NULL) {
571 return (jobject) NULL;
572 }
573 // Add the HostAddress to the arrray.
574 (*env)->SetObjectArrayElement(env, address_list, index, address);
575
576 if ((*env)->ExceptionCheck(env)) {
577 return (jobject) NULL;
578 }
579
580 index++;
581 p++;
582 }
583
584 return address_list;
585 }
586
587 #pragma mark - Utility methods -
588
589 static void printiferr (errcode_t err, const char *format, ...)
590 {
591 if (err) {
592 va_list pvar;
593
594 va_start (pvar, format);
595 com_err_va ("ticketParser:", err, format, pvar);
596 va_end (pvar);
597 }
598 }
599