1 /* 2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package javax.security.auth.kerberos; 27 28 import java.io.*; 29 import java.util.Date; 30 import java.util.Arrays; 31 import java.net.InetAddress; 32 import javax.crypto.SecretKey; 33 import javax.security.auth.Refreshable; 34 import javax.security.auth.Destroyable; 35 import javax.security.auth.RefreshFailedException; 36 import javax.security.auth.DestroyFailedException; 37 import sun.misc.HexDumpEncoder; 38 39 /** 40 * This class encapsulates a Kerberos ticket and associated 41 * information as viewed from the client's point of view. It captures all 42 * information that the Key Distribution Center (KDC) sends to the client 43 * in the reply message KDC-REP defined in the Kerberos Protocol 44 * Specification (<a href=http://www.ietf.org/rfc/rfc4120.txt>RFC 4120</a>). 45 * <p> 46 * All Kerberos JAAS login modules that authenticate a user to a KDC should 47 * use this class. Where available, the login module might even read this 48 * information from a ticket cache in the operating system instead of 49 * directly communicating with the KDC. During the commit phase of the JAAS 50 * authentication process, the JAAS login module should instantiate this 51 * class and store the instance in the private credential set of a 52 * {@link javax.security.auth.Subject Subject}.<p> 53 * 54 * It might be necessary for the application to be granted a 55 * {@link javax.security.auth.PrivateCredentialPermission 56 * PrivateCredentialPermission} if it needs to access a KerberosTicket 57 * instance from a Subject. This permission is not needed when the 58 * application depends on the default JGSS Kerberos mechanism to access the 59 * KerberosTicket. In that case, however, the application will need an 60 * appropriate 61 * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}. 62 * <p> 63 * Note that this class is applicable to both ticket granting tickets and 64 * other regular service tickets. A ticket granting ticket is just a 65 * special case of a more generalized service ticket. 66 * 67 * @see javax.security.auth.Subject 68 * @see javax.security.auth.PrivateCredentialPermission 69 * @see javax.security.auth.login.LoginContext 70 * @see org.ietf.jgss.GSSCredential 71 * @see org.ietf.jgss.GSSManager 72 * 73 * @author Mayank Upadhyay 74 * @since 1.4 75 */ 76 public class KerberosTicket implements Destroyable, Refreshable, 77 java.io.Serializable { 78 79 private static final long serialVersionUID = 7395334370157380539L; 80 81 // XXX Make these flag indices public 82 private static final int FORWARDABLE_TICKET_FLAG = 1; 83 private static final int FORWARDED_TICKET_FLAG = 2; 84 private static final int PROXIABLE_TICKET_FLAG = 3; 85 private static final int PROXY_TICKET_FLAG = 4; 86 private static final int POSTDATED_TICKET_FLAG = 6; 87 private static final int RENEWABLE_TICKET_FLAG = 8; 88 private static final int INITIAL_TICKET_FLAG = 9; 89 90 private static final int NUM_FLAGS = 32; 91 92 /** 93 * 94 * ASN.1 DER Encoding of the Ticket as defined in the 95 * Kerberos Protocol Specification RFC4120. 96 * 97 * @serial 98 */ 99 100 private byte[] asn1Encoding; 101 102 /** 103 *{@code KeyImpl} is serialized by writing out the ASN1 Encoded bytes 104 * of the encryption key. The ASN1 encoding is defined in RFC4120 and as 105 * follows: 106 * <pre> 107 * EncryptionKey ::= SEQUENCE { 108 * keytype [0] Int32 -- actually encryption type --, 109 * keyvalue [1] OCTET STRING 110 * } 111 * </pre> 112 * 113 * @serial 114 */ 115 116 private KeyImpl sessionKey; 117 118 /** 119 * 120 * Ticket Flags as defined in the Kerberos Protocol Specification RFC4120. 121 * 122 * @serial 123 */ 124 125 private boolean[] flags; 126 127 /** 128 * 129 * Time of initial authentication 130 * 131 * @serial 132 */ 133 134 private Date authTime; 135 136 /** 137 * 138 * Time after which the ticket is valid. 139 * @serial 140 */ 141 private Date startTime; 142 143 /** 144 * 145 * Time after which the ticket will not be honored. (its expiration time). 146 * 147 * @serial 148 */ 149 150 private Date endTime; 151 152 /** 153 * 154 * For renewable Tickets it indicates the maximum endtime that may be 155 * included in a renewal. It can be thought of as the absolute expiration 156 * time for the ticket, including all renewals. This field may be null 157 * for tickets that are not renewable. 158 * 159 * @serial 160 */ 161 162 private Date renewTill; 163 164 /** 165 * 166 * Client that owns the service ticket 167 * 168 * @serial 169 */ 170 171 private KerberosPrincipal client; 172 173 /** 174 * 175 * The service for which the ticket was issued. 176 * 177 * @serial 178 */ 179 180 private KerberosPrincipal server; 181 182 /** 183 * 184 * The addresses from where the ticket may be used by the client. 185 * This field may be null when the ticket is usable from any address. 186 * 187 * @serial 188 */ 189 190 191 private InetAddress[] clientAddresses; 192 193 private transient boolean destroyed = false; 194 195 /** 196 * Constructs a KerberosTicket using credentials information that a 197 * client either receives from a KDC or reads from a cache. 198 * 199 * @param asn1Encoding the ASN.1 encoding of the ticket as defined by 200 * the Kerberos protocol specification. 201 * @param client the client that owns this service 202 * ticket 203 * @param server the service that this ticket is for 204 * @param sessionKey the raw bytes for the session key that must be 205 * used to encrypt the authenticator that will be sent to the server 206 * @param keyType the key type for the session key as defined by the 207 * Kerberos protocol specification. 208 * @param flags the ticket flags. Each element in this array indicates 209 * the value for the corresponding bit in the ASN.1 BitString that 210 * represents the ticket flags. If the number of elements in this array 211 * is less than the number of flags used by the Kerberos protocol, 212 * then the missing flags will be filled in with false. 213 * @param authTime the time of initial authentication for the client 214 * @param startTime the time after which the ticket will be valid. This 215 * may be null in which case the value of authTime is treated as the 216 * startTime. 217 * @param endTime the time after which the ticket will no longer be 218 * valid 219 * @param renewTill an absolute expiration time for the ticket, 220 * including all renewal that might be possible. This field may be null 221 * for tickets that are not renewable. 222 * @param clientAddresses the addresses from where the ticket may be 223 * used by the client. This field may be null when the ticket is usable 224 * from any address. 225 */ 226 public KerberosTicket(byte[] asn1Encoding, 227 KerberosPrincipal client, 228 KerberosPrincipal server, 229 byte[] sessionKey, 230 int keyType, 231 boolean[] flags, 232 Date authTime, 233 Date startTime, 234 Date endTime, 235 Date renewTill, 236 InetAddress[] clientAddresses) { 237 238 init(asn1Encoding, client, server, sessionKey, keyType, flags, 239 authTime, startTime, endTime, renewTill, clientAddresses); 240 } 241 242 private void init(byte[] asn1Encoding, 243 KerberosPrincipal client, 244 KerberosPrincipal server, 245 byte[] sessionKey, 246 int keyType, 247 boolean[] flags, 248 Date authTime, 249 Date startTime, 250 Date endTime, 251 Date renewTill, 252 InetAddress[] clientAddresses) { 253 if (sessionKey == null) { 254 throw new IllegalArgumentException("Session key for ticket" 255 + " cannot be null"); 256 } 257 init(asn1Encoding, client, server, 258 new KeyImpl(sessionKey, keyType), flags, authTime, 259 startTime, endTime, renewTill, clientAddresses); 260 } 261 262 private void init(byte[] asn1Encoding, 263 KerberosPrincipal client, 264 KerberosPrincipal server, 265 KeyImpl sessionKey, 266 boolean[] flags, 267 Date authTime, 268 Date startTime, 269 Date endTime, 270 Date renewTill, 271 InetAddress[] clientAddresses) { 272 if (asn1Encoding == null) { 273 throw new IllegalArgumentException("ASN.1 encoding of ticket" 274 + " cannot be null"); 275 } 276 this.asn1Encoding = asn1Encoding.clone(); 277 278 if (client == null) { 279 throw new IllegalArgumentException("Client name in ticket" 280 + " cannot be null"); 281 } 282 this.client = client; 283 284 if (server == null) { 285 throw new IllegalArgumentException("Server name in ticket" 286 + " cannot be null"); 287 } 288 this.server = server; 289 290 // Caller needs to make sure `sessionKey` will not be null 291 this.sessionKey = sessionKey; 292 293 if (flags != null) { 294 if (flags.length >= NUM_FLAGS) { 295 this.flags = flags.clone(); 296 } else { 297 this.flags = new boolean[NUM_FLAGS]; 298 // Fill in whatever we have 299 for (int i = 0; i < flags.length; i++) { 300 this.flags[i] = flags[i]; 301 } 302 } 303 } else { 304 this.flags = new boolean[NUM_FLAGS]; 305 } 306 307 if (this.flags[RENEWABLE_TICKET_FLAG]) { 308 if (renewTill == null) { 309 throw new IllegalArgumentException("The renewable period " 310 + "end time cannot be null for renewable tickets."); 311 } 312 this.renewTill = new Date(renewTill.getTime()); 313 } 314 315 if (authTime != null) { 316 this.authTime = new Date(authTime.getTime()); 317 } 318 if (startTime != null) { 319 this.startTime = new Date(startTime.getTime()); 320 } else { 321 this.startTime = this.authTime; 322 } 323 324 if (endTime == null) { 325 throw new IllegalArgumentException("End time for ticket validity" 326 + " cannot be null"); 327 } 328 this.endTime = new Date(endTime.getTime()); 329 330 if (clientAddresses != null) { 331 this.clientAddresses = clientAddresses.clone(); 332 } 333 } 334 335 /** 336 * Returns the client principal associated with this ticket. 337 * 338 * @return the client principal. 339 */ 340 public final KerberosPrincipal getClient() { 341 return client; 342 } 343 344 /** 345 * Returns the service principal associated with this ticket. 346 * 347 * @return the service principal. 348 */ 349 public final KerberosPrincipal getServer() { 350 return server; 351 } 352 353 /** 354 * Returns the session key associated with this ticket. The return value 355 * is always a {@link EncryptionKey} object. 356 * 357 * @return the session key. 358 */ 359 public final SecretKey getSessionKey() { 360 if (destroyed) { 361 throw new IllegalStateException("This ticket is no longer valid"); 362 } 363 return new EncryptionKey( 364 sessionKey.getEncoded(), sessionKey.getKeyType()); 365 } 366 367 /** 368 * Returns the key type of the session key associated with this 369 * ticket as defined by the Kerberos Protocol Specification. 370 * 371 * @return the key type of the session key associated with this 372 * ticket. 373 * 374 * @see #getSessionKey() 375 */ 376 public final int getSessionKeyType() { 377 if (destroyed) { 378 throw new IllegalStateException("This ticket is no longer valid"); 379 } 380 return sessionKey.getKeyType(); 381 } 382 383 /** 384 * Determines if this ticket is forwardable. 385 * 386 * @return true if this ticket is forwardable, false if not. 387 */ 388 public final boolean isForwardable() { 389 return flags[FORWARDABLE_TICKET_FLAG]; 390 } 391 392 /** 393 * Determines if this ticket had been forwarded or was issued based on 394 * authentication involving a forwarded ticket-granting ticket. 395 * 396 * @return true if this ticket had been forwarded or was issued based on 397 * authentication involving a forwarded ticket-granting ticket, 398 * false otherwise. 399 */ 400 public final boolean isForwarded() { 401 return flags[FORWARDED_TICKET_FLAG]; 402 } 403 404 /** 405 * Determines if this ticket is proxiable. 406 * 407 * @return true if this ticket is proxiable, false if not. 408 */ 409 public final boolean isProxiable() { 410 return flags[PROXIABLE_TICKET_FLAG]; 411 } 412 413 /** 414 * Determines is this ticket is a proxy-ticket. 415 * 416 * @return true if this ticket is a proxy-ticket, false if not. 417 */ 418 public final boolean isProxy() { 419 return flags[PROXY_TICKET_FLAG]; 420 } 421 422 423 /** 424 * Determines is this ticket is post-dated. 425 * 426 * @return true if this ticket is post-dated, false if not. 427 */ 428 public final boolean isPostdated() { 429 return flags[POSTDATED_TICKET_FLAG]; 430 } 431 432 /** 433 * Determines is this ticket is renewable. If so, the {@link #refresh() 434 * refresh} method can be called, assuming the validity period for 435 * renewing is not already over. 436 * 437 * @return true if this ticket is renewable, false if not. 438 */ 439 public final boolean isRenewable() { 440 return flags[RENEWABLE_TICKET_FLAG]; 441 } 442 443 /** 444 * Determines if this ticket was issued using the Kerberos AS-Exchange 445 * protocol, and not issued based on some ticket-granting ticket. 446 * 447 * @return true if this ticket was issued using the Kerberos AS-Exchange 448 * protocol, false if not. 449 */ 450 public final boolean isInitial() { 451 return flags[INITIAL_TICKET_FLAG]; 452 } 453 454 /** 455 * Returns the flags associated with this ticket. Each element in the 456 * returned array indicates the value for the corresponding bit in the 457 * ASN.1 BitString that represents the ticket flags. 458 * 459 * @return the flags associated with this ticket. 460 */ 461 public final boolean[] getFlags() { 462 return (flags == null? null: flags.clone()); 463 } 464 465 /** 466 * Returns the time that the client was authenticated. 467 * 468 * @return the time that the client was authenticated 469 * or null if not set. 470 */ 471 public final java.util.Date getAuthTime() { 472 return (authTime == null) ? null : (Date)authTime.clone(); 473 } 474 475 /** 476 * Returns the start time for this ticket's validity period. 477 * 478 * @return the start time for this ticket's validity period 479 * or null if not set. 480 */ 481 public final java.util.Date getStartTime() { 482 return (startTime == null) ? null : (Date)startTime.clone(); 483 } 484 485 /** 486 * Returns the expiration time for this ticket's validity period. 487 * 488 * @return the expiration time for this ticket's validity period. 489 */ 490 public final java.util.Date getEndTime() { 491 return (Date) endTime.clone(); 492 } 493 494 /** 495 * Returns the latest expiration time for this ticket, including all 496 * renewals. This will return a null value for non-renewable tickets. 497 * 498 * @return the latest expiration time for this ticket. 499 */ 500 public final java.util.Date getRenewTill() { 501 return (renewTill == null) ? null: (Date)renewTill.clone(); 502 } 503 504 /** 505 * Returns a list of addresses from where the ticket can be used. 506 * 507 * @return ths list of addresses or null, if the field was not 508 * provided. 509 */ 510 public final java.net.InetAddress[] getClientAddresses() { 511 return (clientAddresses == null) ? null: clientAddresses.clone(); 512 } 513 514 /** 515 * Returns an ASN.1 encoding of the entire ticket. 516 * 517 * @return an ASN.1 encoding of the entire ticket. 518 */ 519 public final byte[] getEncoded() { 520 if (destroyed) { 521 throw new IllegalStateException("This ticket is no longer valid"); 522 } 523 return asn1Encoding.clone(); 524 } 525 526 /** Determines if this ticket is still current. */ 527 public boolean isCurrent() { 528 return (System.currentTimeMillis() <= getEndTime().getTime()); 529 } 530 531 /** 532 * Extends the validity period of this ticket. The ticket will contain 533 * a new session key if the refresh operation succeeds. The refresh 534 * operation will fail if the ticket is not renewable or the latest 535 * allowable renew time has passed. Any other error returned by the 536 * KDC will also cause this method to fail. 537 * 538 * Note: This method is not synchronized with the the accessor 539 * methods of this object. Hence callers need to be aware of multiple 540 * threads that might access this and try to renew it at the same 541 * time. 542 * 543 * @throws RefreshFailedException if the ticket is not renewable, or 544 * the latest allowable renew time has passed, or the KDC returns some 545 * error. 546 * 547 * @see #isRenewable() 548 * @see #getRenewTill() 549 */ 550 public void refresh() throws RefreshFailedException { 551 552 if (destroyed) { 553 throw new RefreshFailedException("A destroyed ticket " 554 + "cannot be renewd."); 555 } 556 if (!isRenewable()) { 557 throw new RefreshFailedException("This ticket is not renewable"); 558 } 559 if (System.currentTimeMillis() > getRenewTill().getTime()) { 560 throw new RefreshFailedException("This ticket is past " 561 + "its last renewal time."); 562 } 563 Throwable e = null; 564 sun.security.krb5.Credentials krb5Creds = null; 565 566 try { 567 krb5Creds = new sun.security.krb5.Credentials(asn1Encoding, 568 client.toString(), 569 server.toString(), 570 sessionKey.getEncoded(), 571 sessionKey.getKeyType(), 572 flags, 573 authTime, 574 startTime, 575 endTime, 576 renewTill, 577 clientAddresses); 578 krb5Creds = krb5Creds.renew(); 579 } catch (sun.security.krb5.KrbException krbException) { 580 e = krbException; 581 } catch (java.io.IOException ioException) { 582 e = ioException; 583 } 584 585 if (e != null) { 586 RefreshFailedException rfException 587 = new RefreshFailedException("Failed to renew Kerberos Ticket " 588 + "for client " + client 589 + " and server " + server 590 + " - " + e.getMessage()); 591 rfException.initCause(e); 592 throw rfException; 593 } 594 595 /* 596 * In case multiple threads try to refresh it at the same time. 597 */ 598 synchronized (this) { 599 try { 600 this.destroy(); 601 } catch (DestroyFailedException dfException) { 602 // Squelch it since we don't care about the old ticket. 603 } 604 init(krb5Creds.getEncoded(), 605 new KerberosPrincipal(krb5Creds.getClient().getName()), 606 new KerberosPrincipal(krb5Creds.getServer().getName(), 607 KerberosPrincipal.KRB_NT_SRV_INST), 608 krb5Creds.getSessionKey().getBytes(), 609 krb5Creds.getSessionKey().getEType(), 610 krb5Creds.getFlags(), 611 krb5Creds.getAuthTime(), 612 krb5Creds.getStartTime(), 613 krb5Creds.getEndTime(), 614 krb5Creds.getRenewTill(), 615 krb5Creds.getClientAddresses()); 616 destroyed = false; 617 } 618 } 619 620 /** 621 * Destroys the ticket and destroys any sensitive information stored in 622 * it. 623 */ 624 public void destroy() throws DestroyFailedException { 625 if (!destroyed) { 626 Arrays.fill(asn1Encoding, (byte) 0); 627 client = null; 628 server = null; 629 sessionKey.destroy(); 630 flags = null; 631 authTime = null; 632 startTime = null; 633 endTime = null; 634 renewTill = null; 635 clientAddresses = null; 636 destroyed = true; 637 } 638 } 639 640 /** 641 * Determines if this ticket has been destroyed. 642 */ 643 public boolean isDestroyed() { 644 return destroyed; 645 } 646 647 public String toString() { 648 if (destroyed) { 649 return "Destroyed KerberosTicket"; 650 } 651 StringBuilder caddrString = new StringBuilder(); 652 if (clientAddresses != null) { 653 for (int i = 0; i < clientAddresses.length; i++) { 654 caddrString.append("clientAddresses[" + i + "] = " + 655 clientAddresses[i].toString()); 656 } 657 } 658 return ("Ticket (hex) = " + "\n" + 659 (new HexDumpEncoder()).encodeBuffer(asn1Encoding) + "\n" + 660 "Client Principal = " + client.toString() + "\n" + 661 "Server Principal = " + server.toString() + "\n" + 662 "Session Key = " + sessionKey.toString() + "\n" + 663 "Forwardable Ticket " + flags[FORWARDABLE_TICKET_FLAG] + "\n" + 664 "Forwarded Ticket " + flags[FORWARDED_TICKET_FLAG] + "\n" + 665 "Proxiable Ticket " + flags[PROXIABLE_TICKET_FLAG] + "\n" + 666 "Proxy Ticket " + flags[PROXY_TICKET_FLAG] + "\n" + 667 "Postdated Ticket " + flags[POSTDATED_TICKET_FLAG] + "\n" + 668 "Renewable Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n" + 669 "Initial Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n" + 670 "Auth Time = " + String.valueOf(authTime) + "\n" + 671 "Start Time = " + String.valueOf(startTime) + "\n" + 672 "End Time = " + endTime.toString() + "\n" + 673 "Renew Till = " + String.valueOf(renewTill) + "\n" + 674 "Client Addresses " + 675 (clientAddresses == null ? " Null " : caddrString.toString() + 676 "\n")); 677 } 678 679 /** 680 * Returns a hashcode for this KerberosTicket. 681 * 682 * @return a hashCode() for the {@code KerberosTicket} 683 * @since 1.6 684 */ 685 public int hashCode() { 686 int result = 17; 687 if (isDestroyed()) { 688 return result; 689 } 690 result = result * 37 + Arrays.hashCode(getEncoded()); 691 result = result * 37 + endTime.hashCode(); 692 result = result * 37 + client.hashCode(); 693 result = result * 37 + server.hashCode(); 694 result = result * 37 + sessionKey.hashCode(); 695 696 // authTime may be null 697 if (authTime != null) { 698 result = result * 37 + authTime.hashCode(); 699 } 700 701 // startTime may be null 702 if (startTime != null) { 703 result = result * 37 + startTime.hashCode(); 704 } 705 706 // renewTill may be null 707 if (renewTill != null) { 708 result = result * 37 + renewTill.hashCode(); 709 } 710 711 // clientAddress may be null, the array's hashCode is 0 712 result = result * 37 + Arrays.hashCode(clientAddresses); 713 return result * 37 + Arrays.hashCode(flags); 714 } 715 716 /** 717 * Compares the specified Object with this KerberosTicket for equality. 718 * Returns true if the given object is also a 719 * {@code KerberosTicket} and the two 720 * {@code KerberosTicket} instances are equivalent. 721 * 722 * @param other the Object to compare to 723 * @return true if the specified object is equal to this KerberosTicket, 724 * false otherwise. NOTE: Returns false if either of the KerberosTicket 725 * objects has been destroyed. 726 * @since 1.6 727 */ 728 public boolean equals(Object other) { 729 730 if (other == this) { 731 return true; 732 } 733 734 if (! (other instanceof KerberosTicket)) { 735 return false; 736 } 737 738 KerberosTicket otherTicket = ((KerberosTicket) other); 739 if (isDestroyed() || otherTicket.isDestroyed()) { 740 return false; 741 } 742 743 if (!Arrays.equals(getEncoded(), otherTicket.getEncoded()) || 744 !endTime.equals(otherTicket.getEndTime()) || 745 !server.equals(otherTicket.getServer()) || 746 !client.equals(otherTicket.getClient()) || 747 !sessionKey.equals(otherTicket.sessionKey) || 748 !Arrays.equals(clientAddresses, otherTicket.getClientAddresses()) || 749 !Arrays.equals(flags, otherTicket.getFlags())) { 750 return false; 751 } 752 753 // authTime may be null 754 if (authTime == null) { 755 if (otherTicket.getAuthTime() != null) { 756 return false; 757 } 758 } else { 759 if (!authTime.equals(otherTicket.getAuthTime())) { 760 return false; 761 } 762 } 763 764 // startTime may be null 765 if (startTime == null) { 766 if (otherTicket.getStartTime() != null) { 767 return false; 768 } 769 } else { 770 if (!startTime.equals(otherTicket.getStartTime())) { 771 return false; 772 } 773 } 774 775 if (renewTill == null) { 776 if (otherTicket.getRenewTill() != null) { 777 return false; 778 } 779 } else { 780 if (!renewTill.equals(otherTicket.getRenewTill())) { 781 return false; 782 } 783 } 784 785 return true; 786 } 787 788 private void readObject(ObjectInputStream s) 789 throws IOException, ClassNotFoundException { 790 s.defaultReadObject(); 791 if (sessionKey == null) { 792 throw new InvalidObjectException("Session key cannot be null"); 793 } 794 try { 795 init(asn1Encoding, client, server, sessionKey, 796 flags, authTime, startTime, endTime, 797 renewTill, clientAddresses); 798 } catch (IllegalArgumentException iae) { 799 throw (InvalidObjectException) 800 new InvalidObjectException(iae.getMessage()).initCause(iae); 801 } 802 } 803 }