1 /* 2 * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 /* 27 * 28 * (C) Copyright IBM Corp. 1999 All Rights Reserved. 29 * Copyright 1997 The Open Group Research Institute. All rights reserved. 30 */ 31 32 package sun.security.krb5; 33 34 import sun.security.krb5.internal.Krb5; 35 import sun.security.util.*; 36 import java.io.IOException; 37 import java.util.StringTokenizer; 38 import java.util.Vector; 39 import java.util.Stack; 40 import java.util.EmptyStackException; 41 import sun.security.krb5.internal.util.KerberosString; 42 43 /** 44 * Implements the ASN.1 Realm type. 45 * 46 * <xmp> 47 * Realm ::= GeneralString 48 * </xmp> 49 */ 50 public class Realm implements Cloneable { 51 private String realm; 52 private static boolean DEBUG = Krb5.DEBUG; 53 54 private Realm() { 55 } 56 57 public Realm(String name) throws RealmException { 58 realm = parseRealm(name); 59 } 60 61 public Object clone() { 62 Realm new_realm = new Realm(); 63 if (realm != null) { 64 new_realm.realm = new String(realm); 65 } 66 return new_realm; 67 } 68 69 public boolean equals(Object obj) { 70 if (this == obj) { 71 return true; 72 } 73 74 if (!(obj instanceof Realm)) { 75 return false; 76 } 77 78 Realm that = (Realm)obj; 79 if (this.realm != null && that.realm != null ) { 80 return this.realm.equals(that.realm); 81 } else { 82 return (this.realm == null && that.realm == null); 83 } 84 } 85 86 public int hashCode() { 87 int result = 17 ; 88 89 if( realm != null ) { 90 result = 37 * result + realm.hashCode(); 91 } 92 93 return result; 94 } 95 96 /** 97 * Constructs a Realm object. 98 * @param encoding a Der-encoded data. 99 * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. 100 * @exception IOException if an I/O error occurs while reading encoded data. 101 * @exception RealmException if an error occurs while parsing a Realm object. 102 */ 103 public Realm(DerValue encoding) 104 throws Asn1Exception, RealmException, IOException { 105 if (encoding == null) { 106 throw new IllegalArgumentException("encoding can not be null"); 107 } 108 realm = new KerberosString(encoding).toString(); 109 if (realm == null || realm.length() == 0) 110 throw new RealmException(Krb5.REALM_NULL); 111 if (!isValidRealmString(realm)) 112 throw new RealmException(Krb5.REALM_ILLCHAR); 113 } 114 115 public String toString() { 116 return realm; 117 } 118 119 public static String parseRealmAtSeparator(String name) 120 throws RealmException { 121 if (name == null) { 122 throw new IllegalArgumentException 123 ("null input name is not allowed"); 124 } 125 String temp = new String(name); 126 String result = null; 127 int i = 0; 128 while (i < temp.length()) { 129 if (temp.charAt(i) == PrincipalName.NAME_REALM_SEPARATOR) { 130 if (i == 0 || temp.charAt(i - 1) != '\\') { 131 if (i + 1 < temp.length()) 132 result = temp.substring(i + 1, temp.length()); 133 break; 134 } 135 } 136 i++; 137 } 138 if (result != null) { 139 if (result.length() == 0) 140 throw new RealmException(Krb5.REALM_NULL); 141 if (!isValidRealmString(result)) 142 throw new RealmException(Krb5.REALM_ILLCHAR); 143 } 144 return result; 145 } 146 147 public static String parseRealmComponent(String name) { 148 if (name == null) { 149 throw new IllegalArgumentException 150 ("null input name is not allowed"); 151 } 152 String temp = new String(name); 153 String result = null; 154 int i = 0; 155 while (i < temp.length()) { 156 if (temp.charAt(i) == PrincipalName.REALM_COMPONENT_SEPARATOR) { 157 if (i == 0 || temp.charAt(i - 1) != '\\') { 158 if (i + 1 < temp.length()) 159 result = temp.substring(i + 1, temp.length()); 160 break; 161 } 162 } 163 i++; 164 } 165 return result; 166 } 167 168 protected static String parseRealm(String name) throws RealmException { 169 String result = parseRealmAtSeparator(name); 170 if (result == null) 171 result = name; 172 if (result == null || result.length() == 0) 173 throw new RealmException(Krb5.REALM_NULL); 174 if (!isValidRealmString(result)) 175 throw new RealmException(Krb5.REALM_ILLCHAR); 176 return result; 177 } 178 179 // This is protected because the definition of a realm 180 // string is fixed 181 protected static boolean isValidRealmString(String name) { 182 if (name == null) 183 return false; 184 if (name.length() == 0) 185 return false; 186 for (int i = 0; i < name.length(); i++) { 187 if (name.charAt(i) == '/' || 188 name.charAt(i) == ':' || 189 name.charAt(i) == '\0') { 190 return false; 191 } 192 } 193 return true; 194 } 195 196 /** 197 * Encodes a Realm object. 198 * @return the byte array of encoded KrbCredInfo object. 199 * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. 200 * @exception IOException if an I/O error occurs while reading encoded data. 201 * 202 */ 203 public byte[] asn1Encode() throws Asn1Exception, IOException { 204 DerOutputStream out = new DerOutputStream(); 205 out.putDerValue(new KerberosString(this.realm).toDerValue()); 206 return out.toByteArray(); 207 } 208 209 210 /** 211 * Parse (unmarshal) a realm from a DER input stream. This form 212 * parsing might be used when expanding a value which is part of 213 * a constructed sequence and uses explicitly tagged type. 214 * 215 * @exception Asn1Exception on error. 216 * @param data the Der input stream value, which contains one or more marshaled value. 217 * @param explicitTag tag number. 218 * @param optional indicate if this data field is optional 219 * @return an instance of Realm. 220 * 221 */ 222 public static Realm parse(DerInputStream data, byte explicitTag, boolean optional) throws Asn1Exception, IOException, RealmException { 223 if ((optional) && (((byte)data.peekByte() & (byte)0x1F) != explicitTag)) { 224 return null; 225 } 226 DerValue der = data.getDerValue(); 227 if (explicitTag != (der.getTag() & (byte)0x1F)) { 228 throw new Asn1Exception(Krb5.ASN1_BAD_ID); 229 } else { 230 DerValue subDer = der.getData().getDerValue(); 231 return new Realm(subDer); 232 } 233 } 234 235 /* 236 * First leg of realms parsing. Used by getRealmsList. 237 */ 238 private static String[] doInitialParse(String cRealm, String sRealm) 239 throws KrbException { 240 if (cRealm == null || sRealm == null){ 241 throw new KrbException(Krb5.API_INVALID_ARG); 242 } 243 if (DEBUG) { 244 System.out.println(">>> Realm doInitialParse: cRealm=[" 245 + cRealm + "], sRealm=[" +sRealm + "]"); 246 } 247 if (cRealm.equals(sRealm)) { 248 String[] retList = null; 249 retList = new String[1]; 250 retList[0] = new String(cRealm); 251 252 if (DEBUG) { 253 System.out.println(">>> Realm doInitialParse: " 254 + retList[0]); 255 } 256 return retList; 257 } 258 return null; 259 } 260 261 /** 262 * Returns an array of realms that may be traversed to obtain 263 * a TGT from the initiating realm cRealm to the target realm 264 * sRealm. 265 * <br> 266 * There may be an arbitrary number of intermediate realms 267 * between cRealm and sRealm. The realms may be organized 268 * organized hierarchically, or the paths between them may be 269 * specified in the [capaths] stanza of the caller's 270 * Kerberos configuration file. The configuration file is consulted 271 * first. Then a hirarchical organization is assumed if no realms 272 * are found in the configuration file. 273 * <br> 274 * The returned list, if not null, contains cRealm as the first 275 * entry. sRealm is not included unless it is mistakenly listed 276 * in the configuration file as an intermediary realm. 277 * 278 * @param cRealm the initiating realm 279 * @param sRealm the target realm 280 * @returns array of realms 281 * @thows KrbException 282 */ 283 public static String[] getRealmsList(String cRealm, String sRealm) 284 throws KrbException { 285 String[] retList = doInitialParse(cRealm, sRealm); 286 if (retList != null && retList.length != 0) { 287 return retList; 288 } 289 /* 290 * Try [capaths]. 291 */ 292 retList = parseCapaths(cRealm, sRealm); 293 if (retList != null && retList.length != 0) { 294 return retList; 295 } 296 /* 297 * Now assume the realms are organized hierarchically. 298 */ 299 retList = parseHierarchy(cRealm, sRealm); 300 return retList; 301 } 302 303 /** 304 * Parses the [capaths] stanza of the configuration file 305 * for a list of realms to traverse 306 * to obtain credentials from the initiating realm cRealm to 307 * the target realm sRealm. 308 * @param cRealm the initiating realm 309 * @param sRealm the target realm 310 * @returns array of realms 311 * @ throws KrbException 312 */ 313 314 /* 315 * parseCapaths works for a capaths organized such that 316 * for a given client realm C there is a tag C that 317 * contains subtags Ci ... Cn that completely define intermediate 318 * realms from C to target T. For example: 319 * 320 * [capaths] 321 * TIVOLI.COM = { 322 * IBM.COM = IBM_LDAPCENTRAL.COM MOONLITE.ORG 323 * IBM_LDAPCENTRAL.COM = LDAPCENTRAL.NET 324 * LDAPCENTRAL.NET = . 325 * } 326 * 327 * The tag TIVOLI.COM contains subtags IBM.COM, IBM_LDAPCENTRAL.COM 328 * and LDAPCENTRAL.NET that completely define the path from TIVOLI.COM 329 * to IBM.COM (TIVOLI.COM->LADAPCENTRAL.NET->IBM_LDAPCENTRAL.COM->IBM 330 * or TIVOLI.COM->MOONLITE.ORG->IBM.COM). 331 * 332 * A direct path is assumed for an intermediary whose entry is not 333 * "closed" by a "." In the above example, TIVOLI.COM is assumed 334 * to have a direct path to MOONLITE.ORG and MOONLITE.COM 335 * in turn to IBM.COM. 336 */ 337 338 private static String[] parseCapaths(String cRealm, String sRealm) throws KrbException { 339 String[] retList = null; 340 341 Config cfg = null; 342 try { 343 cfg = Config.getInstance(); 344 } catch (Exception exc) { 345 if (DEBUG) { 346 System.out.println ("Configuration information can not be " + 347 "obtained " + exc.getMessage()); 348 } 349 return null; 350 } 351 352 String intermediaries = cfg.getDefault(sRealm, cRealm); 353 354 if (intermediaries == null) { 355 if (DEBUG) { 356 System.out.println(">>> Realm parseCapaths: no cfg entry"); 357 } 358 return null; 359 } 360 361 String tempTarget = null, tempRealm = null; 362 Stack<String> iStack = new Stack<>(); 363 364 /* 365 * I don't expect any more than a handful of intermediaries. 366 */ 367 Vector<String> tempList = new Vector<>(8, 8); 368 369 /* 370 * The initiator at first location. 371 */ 372 tempList.add(cRealm); 373 374 int count = 0; // For debug only 375 if (DEBUG) { 376 tempTarget = sRealm; 377 } 378 379 out: do { 380 if (DEBUG) { 381 count++; 382 System.out.println(">>> Realm parseCapaths: loop " + 383 count + ": target=" + tempTarget); 384 } 385 386 if (intermediaries != null && 387 !intermediaries.equals(PrincipalName.REALM_COMPONENT_SEPARATOR_STR)) 388 { 389 if (DEBUG) { 390 System.out.println(">>> Realm parseCapaths: loop " + 391 count + ": intermediaries=[" + 392 intermediaries + "]"); 393 } 394 395 /* 396 * We have one or more space-separated intermediary realms. 397 * Stack them. A null is always added between intermedies of 398 * different targets. When this null is popped, it means none 399 * of the intermedies for this target is useful (because of 400 * infinite loop), the target is then removed from the partial 401 * tempList, and the next possible intermediary is tried. 402 */ 403 iStack.push(null); 404 String[] ints = intermediaries.split("\\s+"); 405 for (int i = ints.length-1; i>=0; i--) 406 { 407 tempRealm = ints[i]; 408 if (tempRealm.equals(PrincipalName.REALM_COMPONENT_SEPARATOR_STR)) { 409 break out; 410 } 411 if (!tempList.contains(tempRealm)) { 412 iStack.push(tempRealm); 413 if (DEBUG) { 414 System.out.println(">>> Realm parseCapaths: loop " + 415 count + 416 ": pushed realm on to stack: " + 417 tempRealm); 418 } 419 } else if (DEBUG) { 420 System.out.println(">>> Realm parseCapaths: loop " + 421 count + 422 ": ignoring realm: [" + 423 tempRealm + "]"); 424 } 425 } 426 } else { 427 if (DEBUG) { 428 System.out.println(">>> Realm parseCapaths: loop " + 429 count + 430 ": no intermediaries"); 431 } 432 break; 433 } 434 435 /* 436 * Get next intermediary realm from the stack 437 */ 438 439 try { 440 while ((tempTarget = iStack.pop()) == null) { 441 tempList.removeElementAt(tempList.size()-1); 442 if (DEBUG) { 443 System.out.println(">>> Realm parseCapaths: backtrack, remove tail"); 444 } 445 } 446 } catch (EmptyStackException exc) { 447 tempTarget = null; 448 } 449 450 if (tempTarget == null) { 451 /* 452 * No more intermediaries. We're done. 453 */ 454 break; 455 } 456 457 tempList.add(tempTarget); 458 459 if (DEBUG) { 460 System.out.println(">>> Realm parseCapaths: loop " + count + 461 ": added intermediary to list: " + 462 tempTarget); 463 } 464 465 intermediaries = cfg.getDefault(tempTarget, cRealm); 466 467 } while (true); 468 469 retList = new String[tempList.size()]; 470 try { 471 retList = tempList.toArray(retList); 472 } catch (ArrayStoreException exc) { 473 retList = null; 474 } 475 476 if (DEBUG && retList != null) { 477 for (int i = 0; i < retList.length; i++) { 478 System.out.println(">>> Realm parseCapaths [" + i + 479 "]=" + retList[i]); 480 } 481 } 482 483 return retList; 484 } 485 486 /** 487 * Build a list of realm that can be traversed 488 * to obtain credentials from the initiating realm cRealm 489 * for a service in the target realm sRealm. 490 * @param cRealm the initiating realm 491 * @param sRealm the target realm 492 * @returns array of realms 493 * @throws KrbException 494 */ 495 private static String[] parseHierarchy(String cRealm, String sRealm) 496 throws KrbException 497 { 498 String[] retList = null; 499 500 // Parse the components and determine common part, if any. 501 502 String[] cComponents = null; 503 String[] sComponents = null; 504 505 StringTokenizer strTok = 506 new StringTokenizer(cRealm, 507 PrincipalName.REALM_COMPONENT_SEPARATOR_STR); 508 509 // Parse cRealm 510 511 int cCount = strTok.countTokens(); 512 cComponents = new String[cCount]; 513 514 for (cCount = 0; strTok.hasMoreTokens(); cCount++) { 515 cComponents[cCount] = strTok.nextToken(); 516 } 517 518 if (DEBUG) { 519 System.out.println(">>> Realm parseHierarchy: cRealm has " + 520 cCount + " components:"); 521 int j = 0; 522 while (j < cCount) { 523 System.out.println(">>> Realm parseHierarchy: " + 524 "cComponents["+j+"]=" + cComponents[j++]); 525 } 526 } 527 528 // Parse sRealm 529 530 strTok = new StringTokenizer(sRealm, 531 PrincipalName.REALM_COMPONENT_SEPARATOR_STR); 532 533 int sCount = strTok.countTokens(); 534 sComponents = new String[sCount]; 535 536 for (sCount = 0; strTok.hasMoreTokens(); sCount++) { 537 sComponents[sCount] = strTok.nextToken(); 538 } 539 540 if (DEBUG) { 541 System.out.println(">>> Realm parseHierarchy: sRealm has " + 542 sCount + " components:"); 543 int j = 0; 544 while (j < sCount) { 545 System.out.println(">>> Realm parseHierarchy: sComponents["+j+ 546 "]=" + sComponents[j++]); 547 } 548 } 549 550 // Determine common components, if any. 551 552 int commonComponents = 0; 553 554 //while (sCount > 0 && cCount > 0 && 555 // sComponents[--sCount].equals(cComponents[--cCount])) 556 557 for (sCount--, cCount--; sCount >=0 && cCount >= 0 && 558 sComponents[sCount].equals(cComponents[cCount]); 559 sCount--, cCount--) { 560 commonComponents++; 561 } 562 563 int cCommonStart = -1; 564 int sCommonStart = -1; 565 566 int links = 0; 567 568 if (commonComponents > 0) { 569 sCommonStart = sCount+1; 570 cCommonStart = cCount+1; 571 572 // components from common to ancestors 573 links += sCommonStart; 574 links += cCommonStart; 575 } else { 576 links++; 577 } 578 579 if (DEBUG) { 580 if (commonComponents > 0) { 581 System.out.println(">>> Realm parseHierarchy: " + 582 commonComponents + " common component" + 583 (commonComponents > 1 ? "s" : " ")); 584 585 System.out.println(">>> Realm parseHierarchy: common part " 586 + 587 "in cRealm (starts at index " + 588 cCommonStart + ")"); 589 System.out.println(">>> Realm parseHierarchy: common part in sRealm (starts at index " + 590 sCommonStart + ")"); 591 592 593 String commonPart = substring(cRealm, cCommonStart); 594 System.out.println(">>> Realm parseHierarchy: common part in cRealm=" + 595 commonPart); 596 597 commonPart = substring(sRealm, sCommonStart); 598 System.out.println(">>> Realm parseHierarchy: common part in sRealm=" + 599 commonPart); 600 601 } else 602 System.out.println(">>> Realm parseHierarchy: no common part"); 603 } 604 605 if (DEBUG) { 606 System.out.println(">>> Realm parseHierarchy: total links=" + links); 607 } 608 609 retList = new String[links]; 610 611 retList[0] = new String(cRealm); 612 613 if (DEBUG) { 614 System.out.println(">>> Realm parseHierarchy A: retList[0]=" + 615 retList[0]); 616 } 617 618 // For an initiator realm A.B.C.D.COM, 619 // build a list krbtgt/B.C.D.COM@A.B.C.D.COM up to the common part, 620 // ie the issuer realm is the immediate descendant 621 // of the target realm. 622 623 String cTemp = null, sTemp = null; 624 int i; 625 for (i = 1, cCount = 0; i < links && cCount < cCommonStart; cCount++) { 626 sTemp = substring(cRealm, cCount+1); 627 //cTemp = substring(cRealm, cCount); 628 retList[i++] = new String(sTemp); 629 630 if (DEBUG) { 631 System.out.println(">>> Realm parseHierarchy B: retList[" + 632 (i-1) +"]="+retList[i-1]); 633 } 634 } 635 636 637 for (sCount = sCommonStart; i < links && sCount - 1 > 0; sCount--) { 638 sTemp = substring(sRealm, sCount-1); 639 //cTemp = substring(sRealm, sCount); 640 retList[i++] = new String(sTemp); 641 if (DEBUG) { 642 System.out.println(">>> Realm parseHierarchy D: retList[" + 643 (i-1) +"]="+retList[i-1]); 644 } 645 } 646 647 return retList; 648 } 649 650 private static String substring(String realm, int componentIndex) 651 { 652 int i = 0 , j = 0, len = realm.length(); 653 654 while(i < len && j != componentIndex) { 655 if (realm.charAt(i++) != PrincipalName.REALM_COMPONENT_SEPARATOR) 656 continue; 657 j++; 658 } 659 660 return realm.substring(i); 661 } 662 663 static int getRandIndex(int arraySize) { 664 return (int)(Math.random() * 16384.0) % arraySize; 665 } 666 667 static void printNames(String[] names) { 668 if (names == null || names.length == 0) 669 return; 670 671 int len = names.length; 672 int i = 0; 673 System.out.println("List length = " + len); 674 while (i < names.length) { 675 System.out.println("["+ i +"]=" + names[i]); 676 i++; 677 } 678 } 679 680 }