274 KerberosTime getCtime() {
275 return ctime;
276 }
277
278 private TGSReq createRequest(
279 KDCOptions kdc_options,
280 Ticket ticket,
281 EncryptionKey key,
282 KerberosTime ctime,
283 PrincipalName cname,
284 PrincipalName sname,
285 KerberosTime from,
286 KerberosTime till,
287 KerberosTime rtime,
288 int[] eTypes,
289 HostAddresses addresses,
290 AuthorizationData authorizationData,
291 Ticket[] additionalTickets,
292 EncryptionKey subKey,
293 PAData extraPA)
294 throws Asn1Exception, IOException, KdcErrException, KrbApErrException,
295 UnknownHostException, KrbCryptoException {
296 KerberosTime req_till = null;
297 if (till == null) {
298 req_till = new KerberosTime(0);
299 } else {
300 req_till = till;
301 }
302
303 /*
304 * RFC 4120, Section 5.4.2.
305 * For KRB_TGS_REP, the ciphertext is encrypted in the
306 * sub-session key from the Authenticator, or if absent,
307 * the session key from the ticket-granting ticket used
308 * in the request.
309 *
310 * To support this, use tgsReqKey to remember which key to use.
311 */
312 tgsReqKey = key;
313
314 int[] req_eTypes = null;
315 if (eTypes == null) {
316 req_eTypes = EType.getDefaults("default_tgs_enctypes");
317 if (req_eTypes == null) {
318 throw new KrbCryptoException(
319 "No supported encryption types listed in default_tgs_enctypes");
320 }
321 } else {
322 req_eTypes = eTypes;
323 }
324
325 EncryptionKey reqKey = null;
326 EncryptedData encAuthorizationData = null;
327 if (authorizationData != null) {
328 byte[] ad = authorizationData.asn1Encode();
329 if (subKey != null) {
330 reqKey = subKey;
331 tgsReqKey = subKey; // Key to use to decrypt reply
332 useSubkey = true;
333 encAuthorizationData = new EncryptedData(reqKey, ad,
334 KeyUsage.KU_TGS_REQ_AUTH_DATA_SUBKEY);
335 } else
336 encAuthorizationData = new EncryptedData(key, ad,
337 KeyUsage.KU_TGS_REQ_AUTH_DATA_SESSKEY);
338 }
339
340 KDCReqBody reqBody = new KDCReqBody(
|
274 KerberosTime getCtime() {
275 return ctime;
276 }
277
278 private TGSReq createRequest(
279 KDCOptions kdc_options,
280 Ticket ticket,
281 EncryptionKey key,
282 KerberosTime ctime,
283 PrincipalName cname,
284 PrincipalName sname,
285 KerberosTime from,
286 KerberosTime till,
287 KerberosTime rtime,
288 int[] eTypes,
289 HostAddresses addresses,
290 AuthorizationData authorizationData,
291 Ticket[] additionalTickets,
292 EncryptionKey subKey,
293 PAData extraPA)
294 throws IOException, KrbException, UnknownHostException {
295 KerberosTime req_till = null;
296 if (till == null) {
297 req_till = new KerberosTime(0);
298 } else {
299 req_till = till;
300 }
301
302 /*
303 * RFC 4120, Section 5.4.2.
304 * For KRB_TGS_REP, the ciphertext is encrypted in the
305 * sub-session key from the Authenticator, or if absent,
306 * the session key from the ticket-granting ticket used
307 * in the request.
308 *
309 * To support this, use tgsReqKey to remember which key to use.
310 */
311 tgsReqKey = key;
312
313 int[] req_eTypes = null;
314 if (eTypes == null) {
315 req_eTypes = EType.getDefaults("default_tgs_enctypes");
316 } else {
317 req_eTypes = eTypes;
318 }
319
320 EncryptionKey reqKey = null;
321 EncryptedData encAuthorizationData = null;
322 if (authorizationData != null) {
323 byte[] ad = authorizationData.asn1Encode();
324 if (subKey != null) {
325 reqKey = subKey;
326 tgsReqKey = subKey; // Key to use to decrypt reply
327 useSubkey = true;
328 encAuthorizationData = new EncryptedData(reqKey, ad,
329 KeyUsage.KU_TGS_REQ_AUTH_DATA_SUBKEY);
330 } else
331 encAuthorizationData = new EncryptedData(key, ad,
332 KeyUsage.KU_TGS_REQ_AUTH_DATA_SESSKEY);
333 }
334
335 KDCReqBody reqBody = new KDCReqBody(
|
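Review bot: In the second listing the `req_eTypes == null` guard after `EType.getDefaults("default_tgs_enctypes")` is no longer present, and nothing visible here shows that `getDefaults` now fails on its own when no permitted encryption type is configured. Assuming the second listing is the new side and the widened `throws IOException, KrbException, UnknownHostException` clause reflects `getDefaults` throwing, record that contract at the call site with a comment such as `// getDefaults throws KrbException if no enctype is permitted; req_eTypes is never null here`. If it can still return null, keep the explicit check so the request fails closed before the etype list reaches `KDCReqBody`. The `KDCReqBody` constructor call and the rest of `createRequest` continue past the visible lines, so how a null list would be handled there cannot be confirmed from this page.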