/*
 * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

#import "sun_security_krb5_Credentials.h"
#import <Kerberos/Kerberos.h>
#import <stdint.h>
#import <string.h>
#import <time.h>

#include "jni_util.h"

/*
 * Based largely on klist.c,
 *
 * Created by Scott Kovatch on 8/12/04.
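 *
 * See http://www.opensource.apple.com/darwinsource/10.3.3/Kerberos-47/KerberosClients/klist/Sources/klist.c
 */

/*
 * Statics for this module.
 *
 * The jclass values are weak global references created in JNI_OnLoad and
 * released in JNI_OnUnload. The jmethodID values are looked up once in
 * JNI_OnLoad, except krbcredsConstructor which is resolved lazily on the
 * first credential that is actually converted.
 */

static jclass derValueClass = NULL;
static jclass ticketClass = NULL;
static jclass principalNameClass = NULL;
static jclass encryptionKeyClass = NULL;
static jclass ticketFlagsClass = NULL;
static jclass kerberosTimeClass = NULL;
static jclass javaLangStringClass = NULL;   /* looked up in JNI_OnLoad, not used by code in this file */
static jclass javaLangIntegerClass = NULL;  /* looked up in JNI_OnLoad, not used by code in this file */
static jclass hostAddressClass = NULL;
static jclass hostAddressesClass = NULL;

static jmethodID derValueConstructor = 0;
static jmethodID ticketConstructor = 0;
static jmethodID principalNameConstructor = 0;
static jmethodID encryptionKeyConstructor = 0;
static jmethodID ticketFlagsConstructor = 0;
static jmethodID kerberosTimeConstructor = 0;
static jmethodID krbcredsConstructor = 0;
static jmethodID integerConstructor = 0;    /* looked up in JNI_OnLoad, not used by code in this file */
static jmethodID hostAddressConstructor = 0;
static jmethodID hostAddressesConstructor = 0;

/*
 * Function prototypes for internal routines.
 *
 * Every Build* routine returns a new local reference, or NULL on failure.
 * When NULL is returned because a JNI call failed, the corresponding Java
 * exception is left pending for the caller to observe via ExceptionCheck.
 */

static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket);
static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName);
static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey);
static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags);
static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime);
static jobject BuildAddressList(JNIEnv *env, krb5_address **addresses);

static void printiferr (errcode_t err, const char *format, ...);

/*
 * Look up a class by its JNI name and return a weak global reference to it.
 *
 * The weak global reference is owned by the caller (here: the statics above)
 * and is released in JNI_OnUnload. The local reference returned by FindClass
 * is dropped once the weak global one exists. Returns NULL if the class could
 * not be found; FindClass leaves its own exception pending in that case.
 */
static jclass FindClass(JNIEnv *env, const char *className)
{
    jclass cls = (*env)->FindClass(env, className);

    if (cls == NULL) {
        printf("Couldn't find %s\n", className);
        return NULL;
    }

    jclass weakRef = (jclass) (*env)->NewWeakGlobalRef(env, cls);
    /* The weak global ref (if any) is what we keep; the local ref is no longer needed. */
    (*env)->DeleteLocalRef(env, cls);
    return weakRef;
}

/*
 * Look up the constructor of `cls` with the given JNI signature.
 *
 * `what` is the short class name used in the diagnostic printed when the
 * lookup fails. Returns 0 on failure, with GetMethodID's exception pending.
 */
static jmethodID FindConstructor(JNIEnv *env, jclass cls, const char *what, const char *signature)
{
    jmethodID ctor = (*env)->GetMethodID(env, cls, "<init>", signature);

    if (ctor == 0) {
        printf("Couldn't find %s constructor\n", what);
    }
    return ctor;
}

/*
 * Class:     sun_security_krb5_Credentials
 * Method:    JNI_OnLoad
 *
 * Caches weak global references to every Java class this library
 * instantiates, plus the method IDs of their constructors. Any lookup
 * failure is reported with printf and JNI_ERR is returned.
 */
JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *jvm, void *reserved)
{
    JNIEnv *env;

    if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_4)) {
        return JNI_EVERSION; /* JNI version not supported */
    }

    ticketClass = FindClass(env, "sun/security/krb5/internal/Ticket");
    if (ticketClass == NULL) return JNI_ERR;

    principalNameClass = FindClass(env, "sun/security/krb5/PrincipalName");
    if (principalNameClass == NULL) return JNI_ERR;

    derValueClass = FindClass(env, "sun/security/util/DerValue");
    if (derValueClass == NULL) return JNI_ERR;

    encryptionKeyClass = FindClass(env, "sun/security/krb5/EncryptionKey");
    if (encryptionKeyClass == NULL) return JNI_ERR;

    ticketFlagsClass = FindClass(env, "sun/security/krb5/internal/TicketFlags");
    if (ticketFlagsClass == NULL) return JNI_ERR;

    kerberosTimeClass = FindClass(env, "sun/security/krb5/internal/KerberosTime");
    if (kerberosTimeClass == NULL) return JNI_ERR;

    javaLangStringClass = FindClass(env, "java/lang/String");
    if (javaLangStringClass == NULL) return JNI_ERR;

    javaLangIntegerClass = FindClass(env, "java/lang/Integer");
    if (javaLangIntegerClass == NULL) return JNI_ERR;

    hostAddressClass = FindClass(env, "sun/security/krb5/internal/HostAddress");
    if (hostAddressClass == NULL) return JNI_ERR;

    hostAddressesClass = FindClass(env, "sun/security/krb5/internal/HostAddresses");
    if (hostAddressesClass == NULL) return JNI_ERR;

    derValueConstructor = FindConstructor(env, derValueClass, "DerValue", "([B)V");
    if (derValueConstructor == 0) return JNI_ERR;

    ticketConstructor = FindConstructor(env, ticketClass, "Ticket", "(Lsun/security/util/DerValue;)V");
    if (ticketConstructor == 0) return JNI_ERR;

    principalNameConstructor = FindConstructor(env, principalNameClass, "PrincipalName", "(Ljava/lang/String;I)V");
    if (principalNameConstructor == 0) return JNI_ERR;

    encryptionKeyConstructor = FindConstructor(env, encryptionKeyClass, "EncryptionKey", "(I[B)V");
    if (encryptionKeyConstructor == 0) return JNI_ERR;

    ticketFlagsConstructor = FindConstructor(env, ticketFlagsClass, "TicketFlags", "(I[B)V");
    if (ticketFlagsConstructor == 0) return JNI_ERR;

    kerberosTimeConstructor = FindConstructor(env, kerberosTimeClass, "KerberosTime", "(J)V");
    if (kerberosTimeConstructor == 0) return JNI_ERR;

    integerConstructor = FindConstructor(env, javaLangIntegerClass, "Integer", "(I)V");
    if (integerConstructor == 0) return JNI_ERR;

    hostAddressConstructor = FindConstructor(env, hostAddressClass, "HostAddress", "(I[B)V");
    if (hostAddressConstructor == 0) return JNI_ERR;

    hostAddressesConstructor = FindConstructor(env, hostAddressesClass, "HostAddresses",
                                               "([Lsun/security/krb5/internal/HostAddress;)V");
    if (hostAddressesConstructor == 0) return JNI_ERR;

    /* GetEnv above asks for 1.4 while we advertise 1.2; kept as-is, both are
     * accepted by any JVM that can load this library. */
    return JNI_VERSION_1_2;
}

/*
 * Class:     sun_security_krb5_Credentials
 * Method:    JNI_OnUnload
 *
 * Releases the weak global class references taken in JNI_OnLoad and resets
 * the statics so nothing dangles if the library is reloaded.
 */
JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *jvm, void *reserved)
{
    JNIEnv *env;

    if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) {
        return; /* Nothing else we can do */
    }

    jclass *cachedClasses[] = {
        &ticketClass,
        &derValueClass,
        &principalNameClass,
        &encryptionKeyClass,
        &ticketFlagsClass,
        &kerberosTimeClass,
        &javaLangStringClass,
        &javaLangIntegerClass,
        &hostAddressClass,
        &hostAddressesClass,
    };

    for (size_t i = 0; i < sizeof cachedClasses / sizeof cachedClasses[0]; i++) {
        if (*cachedClasses[i] != NULL) {
            (*env)->DeleteWeakGlobalRef(env, *cachedClasses[i]);
            *cachedClasses[i] = NULL;
        }
    }
}

/*
 * Return 1 if encryption type `e` appears among the first `n` entries of
 * `etypes`, else 0. A NULL `etypes` matches nothing.
 */
int isIn(krb5_enctype e, int n, jint* etypes)
{
    if (etypes == NULL) {
        return 0;
    }
    for (int i = 0; i < n; i++) {
        if (e == etypes[i]) return 1;
    }
    return 0;
}

/*
 * Return 1 if an unparsed server principal has exactly the form
 * krbtgt/REALM@REALM, i.e. it is the initial TGT for its own realm.
 *
 * Both the service component and the two realm strings are compared for
 * exact length, not just as prefixes, so e.g. "krb/X@X" or
 * "krbtgt/REALM@REALMX" are rejected.
 */
static int IsInitialTgtName(const char *serverName)
{
    static const char krbtgt[] = "krbtgt";
    const char *slash = strchr(serverName, '/');
    const char *at = (slash != NULL) ? strchr(slash, '@') : NULL;

    if (slash == NULL || at == NULL) {
        return 0;
    }

    size_t serviceLen = (size_t)(slash - serverName);
    if (serviceLen != sizeof krbtgt - 1 || memcmp(serverName, krbtgt, serviceLen) != 0) {
        return 0;
    }

    /* The realm between '/' and '@' must equal the realm after '@'. */
    size_t realmLen = (size_t)(at - (slash + 1));
    return strlen(at + 1) == realmLen && memcmp(slash + 1, at + 1, realmLen) == 0;
}

/*
 * Build a sun.security.krb5.Credentials object from one krb5_creds entry.
 *
 * Returns a new local reference, or NULL if any component could not be
 * built or the constructor could not be found. In the JNI-failure cases the
 * Java exception is left pending; the only NULL return without a pending
 * exception is a krb5_unparse_name failure inside BuildClientPrincipal.
 * All intermediate local references are released before returning.
 */
static jobject BuildKrbCreds(JNIEnv *env, jclass krbcredsClass, krb5_context kcontext, krb5_creds *creds)
{
    jobject krbCreds = NULL;
    jobject ticket = NULL, clientPrincipal = NULL, targetPrincipal = NULL, encryptionKey = NULL;
    jobject ticketFlags = NULL, startTime = NULL, endTime = NULL;
    jobject authTime = NULL, renewTillTime = NULL, hostAddresses = NULL;

    clientPrincipal = BuildClientPrincipal(env, kcontext, creds->client);
    if (clientPrincipal == NULL) goto cleanup;

    targetPrincipal = BuildClientPrincipal(env, kcontext, creds->server);
    if (targetPrincipal == NULL) goto cleanup;

    /* Build a sun/security/krb5/internal/Ticket from the DER-encoded ticket. */
    ticket = BuildTicket(env, &creds->ticket);
    if (ticket == NULL) goto cleanup;

    encryptionKey = BuildEncryptionKey(env, &creds->keyblock);
    if (encryptionKey == NULL) goto cleanup;

    ticketFlags = BuildTicketFlags(env, creds->ticket_flags);
    if (ticketFlags == NULL) goto cleanup;

    startTime = BuildKerberosTime(env, creds->times.starttime);
    if (startTime == NULL) goto cleanup;

    authTime = BuildKerberosTime(env, creds->times.authtime);
    if (authTime == NULL) goto cleanup;

    endTime = BuildKerberosTime(env, creds->times.endtime);
    if (endTime == NULL) goto cleanup;

    renewTillTime = BuildKerberosTime(env, creds->times.renew_till);
    if (renewTillTime == NULL) goto cleanup;

    /* NULL is a legitimate result here (no addresses), so a failure can only
     * be detected through the pending exception. */
    hostAddresses = BuildAddressList(env, creds->addresses);
    if ((*env)->ExceptionCheck(env)) goto cleanup;

    if (krbcredsConstructor == 0) {
        krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
            "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
        if (krbcredsConstructor == 0) {
            printf("Couldn't find sun.security.krb5.Credentials constructor\n");
            goto cleanup;
        }
    }

    /* Argument order follows the constructor signature above: the four
     * KerberosTime values are authTime, startTime, endTime, renewTill. */
    krbCreds = (*env)->NewObject(
        env,
        krbcredsClass,
        krbcredsConstructor,
        ticket,
        clientPrincipal,
        targetPrincipal,
        encryptionKey,
        ticketFlags,
        authTime,
        startTime,
        endTime,
        renewTillTime,
        hostAddresses);

cleanup:
    if (ticket) (*env)->DeleteLocalRef(env, ticket);
    if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal);
    if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal);
    if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey);
    if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags);
    if (authTime) (*env)->DeleteLocalRef(env, authTime);
    if (startTime) (*env)->DeleteLocalRef(env, startTime);
    if (endTime) (*env)->DeleteLocalRef(env, endTime);
    if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime);
    if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses);

    return krbCreds;
}

/*
 * Class:     sun_security_krb5_Credentials
 * Method:    acquireDefaultNativeCreds
 * Signature: ([I])Lsun/security/krb5/Credentials;
 *
 * Walks the default credential cache and returns a Credentials object for
 * the first unexpired initial TGT (krbtgt/REALM@REALM) whose session key
 * encryption type is listed in `jetypes`. Returns NULL if none is found or
 * on error; krb5 errors are reported through com_err, JNI errors leave a
 * Java exception pending.
 *
 * Every krb5 resource acquired here (context, ccache handle, cursor, the
 * OPENCLOSE flag state) is released on all paths before returning.
 */
JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds
(JNIEnv *env, jclass krbcredsClass, jintArray jetypes)
{
    jobject krbCreds = NULL;
    krb5_error_code err = 0;
    krb5_ccache ccache = NULL;
    krb5_cc_cursor cursor = NULL;
    krb5_creds creds;
    krb5_context kcontext = NULL;
    int seqStarted = 0;     /* krb5_cc_start_seq_get succeeded; cursor must be ended */
    int flagsCleared = 0;   /* OPENCLOSE was turned off; must be restored */

    int netypes = 0;
    jint *etypes = NULL;

    /* GetArrayLength/GetIntArrayElements must not be called with NULL. */
    if (jetypes == NULL) {
        return NULL;
    }

    memset(&creds, 0, sizeof creds);

    /* Initialize the Kerberos 5 context */
    err = krb5_init_context (&kcontext);

    if (!err) {
        err = krb5_cc_default (kcontext, &ccache);
    }

    if (!err) {
        err = krb5_cc_set_flags (kcontext, ccache, 0); /* turn off OPENCLOSE */
        flagsCleared = !err;
    }

    if (!err) {
        err = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
        seqStarted = !err;
    }

    netypes = (*env)->GetArrayLength(env, jetypes);
    etypes = (*env)->GetIntArrayElements(env, jetypes, NULL);

    if (etypes != NULL && !err) {
        int done = 0;

        while (!done && (err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
            char *serverName = NULL;

            err = krb5_unparse_name (kcontext, creds.server, &serverName);
            printiferr (err, "while unparsing server name");

            /* For the default credentials we're only interested in the
             * krbtgt server: the name must be krbtgt/REALM@REALM, the etype
             * must be supported, and the ticket must not have expired. */
            if (!err &&
                IsInitialTgtName(serverName) &&
                isIn (creds.keyblock.enctype, netypes, etypes) &&
                creds.times.endtime > time(0)) {
                krbCreds = BuildKrbCreds(env, krbcredsClass, kcontext, &creds);

                /* Stop if there is an exception or we already found the initial TGT.
                 * The per-credential frees below still run before leaving the loop. */
                if ((*env)->ExceptionCheck(env) || krbCreds) {
                    done = 1;
                }
            }

            if (serverName != NULL) { krb5_free_unparsed_name (kcontext, serverName); }
            krb5_free_cred_contents (kcontext, &creds);
        }

        if (err == KRB5_CC_END) { err = 0; }
        printiferr (err, "while retrieving a ticket");
    }

    if (seqStarted) {
        krb5_error_code endErr = krb5_cc_end_seq_get (kcontext, ccache, &cursor);
        printiferr (endErr, "while finishing ticket retrieval");
    }

    if (flagsCleared) {
        krb5_error_code flagErr = krb5_cc_set_flags (kcontext, ccache, KRB5_TC_OPENCLOSE); /* restore OPENCLOSE mode */
        printiferr (flagErr, "while finishing ticket retrieval");
    }

    if (etypes != NULL) {
        /* The array was only read, so there is nothing to copy back. */
        (*env)->ReleaseIntArrayElements(env, jetypes, etypes, JNI_ABORT);
    }

    if (ccache != NULL) {
        krb5_cc_close (kcontext, ccache);
    }
    if (kcontext != NULL) {
        krb5_free_context (kcontext);
    }
    return krbCreds;
}


#pragma mark -

/*
 * Build a sun/security/krb5/internal/Ticket from a DER-encoded ticket.
 *
 * A Ticket is constructed from a DerValue, which in turn is constructed from
 * a byte[] holding the encoding. Returns a new local reference, or NULL with
 * a Java exception pending.
 */
static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket)
{
    jbyteArray ary = (*env)->NewByteArray(env, (jsize) encodedTicket->length);
    if (ary == NULL) {
        return NULL;
    }

    (*env)->SetByteArrayRegion(env, ary, 0, (jsize) encodedTicket->length, (jbyte *) encodedTicket->data);
    if ((*env)->ExceptionCheck(env)) {
        (*env)->DeleteLocalRef(env, ary);
        return NULL;
    }

    jobject derValue = (*env)->NewObject(env, derValueClass, derValueConstructor, ary);
    (*env)->DeleteLocalRef(env, ary);
    if ((*env)->ExceptionCheck(env)) {
        return NULL;
    }

    jobject ticket = (*env)->NewObject(env, ticketClass, ticketConstructor, derValue);
    (*env)->DeleteLocalRef(env, derValue);
    if ((*env)->ExceptionCheck(env)) {
        return NULL;
    }
    return ticket;
}

/*
 * Build a sun/security/krb5/PrincipalName from a krb5_principal.
 *
 * The principal is unparsed to its string form and handed to the
 * PrincipalName(String, int) constructor together with the name type; the
 * Java side does the parsing. Returns a new local reference, or NULL. If
 * krb5_unparse_name fails, NULL is returned without a pending exception.
 */
static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName)
{
    char *principalString = NULL;
    jobject principal = NULL;

    krb5_error_code err = krb5_unparse_name (kcontext, principalName, &principalString);
    if (err) {
        return NULL;
    }

    /* NOTE(review): NewStringUTF expects modified UTF-8; non-ASCII principal
     * names from the library are passed through unchanged — confirm encoding. */
    jstring principalStringObj = (*env)->NewStringUTF(env, principalString);
    if (principalStringObj != NULL) {
        principal = (*env)->NewObject(env, principalNameClass, principalNameConstructor,
                                      principalStringObj, (jint) principalName->type);
        (*env)->DeleteLocalRef(env, principalStringObj);
    }

    if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); }
    return principal;
}

/*
 * Build a sun/security/krb5/EncryptionKey from a krb5_keyblock.
 *
 * The key bytes are copied into a byte[] and passed with the enctype to the
 * EncryptionKey(int, byte[]) constructor. Returns a new local reference, or
 * NULL with a Java exception pending.
 */
static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey)
{
    jobject encryptionKey = NULL;

    jbyteArray ary = (*env)->NewByteArray(env, (jsize) cryptoKey->length);
    if (ary == NULL) {
        return NULL;
    }

    (*env)->SetByteArrayRegion(env, ary, 0, (jsize) cryptoKey->length, (jbyte *) cryptoKey->contents);
    if (!(*env)->ExceptionCheck(env)) {
        encryptionKey = (*env)->NewObject(env, encryptionKeyClass, encryptionKeyConstructor,
                                          (jint) cryptoKey->enctype, ary);
    }

    (*env)->DeleteLocalRef(env, ary);
    return encryptionKey;
}

/*
 * Build a sun/security/krb5/internal/TicketFlags from a krb5_flags value.
 *
 * The flags are converted to network byte order and copied into a 4-byte
 * array; the constructor also receives the bit count. Returns a new local
 * reference, or NULL with a Java exception pending.
 */
static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags)
{
    jobject ticketFlags = NULL;

    /* Use a fixed 32-bit holder: htonl() yields 32 bits, and storing it in a
     * wider type would make the byte copy below layout-dependent. */
    uint32_t nlflags = htonl((uint32_t) flags);
    jsize nbytes = (jsize) sizeof nlflags;

    jbyteArray ary = (*env)->NewByteArray(env, nbytes);
    if (ary == NULL) {
        return NULL;
    }

    (*env)->SetByteArrayRegion(env, ary, 0, nbytes, (jbyte *) &nlflags);
    if (!(*env)->ExceptionCheck(env)) {
        /* The constructor takes the size in bits as a jint; pass exactly that
         * type through the varargs call. */
        ticketFlags = (*env)->NewObject(env, ticketFlagsClass, ticketFlagsConstructor,
                                        (jint) (nbytes * 8), ary);
    }

    (*env)->DeleteLocalRef(env, ary);
    return ticketFlags;
}

/*
 * Build a sun/security/krb5/internal/KerberosTime from a krb5_timestamp.
 *
 * Kerberos time is in seconds, but the KerberosTime(long) constructor takes
 * milliseconds, so the value is widened to jlong and multiplied by 1000.
 * Returns a new local reference, or NULL with a Java exception pending.
 */
static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime)
{
    jlong millis = (jlong) kerbtime * 1000;
    return (*env)->NewObject(env, kerberosTimeClass, kerberosTimeConstructor, millis);
}

/*
 * Build a HostAddress[] (sized for NewObjectArray on hostAddressClass) from a
 * NULL-terminated krb5_address list.
 *
 * Returns NULL without a pending exception when `addresses` is NULL, so the
 * caller must use ExceptionCheck rather than the return value to detect
 * failure. Each element's local reference is released once it is stored in
 * the array so long lists cannot exhaust the local reference table.
 */
static jobject BuildAddressList(JNIEnv *env, krb5_address **addresses)
{
    if (addresses == NULL) {
        return NULL;
    }

    /* See how many we have. */
    jsize addressCount = 0;
    for (krb5_address **p = addresses; *p != NULL; p++) {
        addressCount++;
    }

    jobjectArray addressList = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL);
    if (addressList == NULL) {
        return NULL;
    }

    /* Create a new HostAddress object for each address block. */
    jsize index = 0;
    for (krb5_address **p = addresses; *p != NULL; p++, index++) {
        krb5_address *currAddress = *p;

        /* HostAddress needs a byte array of the host data. */
        jbyteArray ary = (*env)->NewByteArray(env, (jsize) currAddress->length);
        if (ary == NULL) {
            return NULL;
        }

        (*env)->SetByteArrayRegion(env, ary, 0, (jsize) currAddress->length, (jbyte *) currAddress->contents);
        if ((*env)->ExceptionCheck(env)) {
            /* NewObject must not be called with an exception pending. */
            (*env)->DeleteLocalRef(env, ary);
            return NULL;
        }

        /* NOTE(review): the first constructor argument passed here is the
         * address length, as in the original code — confirm against the
         * HostAddress(int, byte[]) constructor whether the address type was
         * intended instead. */
        jobject address = (*env)->NewObject(env, hostAddressClass, hostAddressConstructor,
                                            (jint) currAddress->length, ary);
        (*env)->DeleteLocalRef(env, ary);
        if (address == NULL) {
            return NULL;
        }

        /* Add the HostAddress to the array, then drop our local ref to it. */
        (*env)->SetObjectArrayElement(env, addressList, index, address);
        (*env)->DeleteLocalRef(env, address);
        if ((*env)->ExceptionCheck(env)) {
            return NULL;
        }
    }

    return addressList;
}

#pragma mark - Utility methods -

/*
 * Report a krb5/com_err error code with a printf-style context message.
 * Does nothing when `err` is 0.
 */
static void printiferr (errcode_t err, const char *format, ...)
{
    if (err) {
        va_list pvar;

        va_start (pvar, format);
        com_err_va ("ticketParser:", err, format, pvar);
        va_end (pvar);
    }
}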