1 /* 2 * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 #import "sun_security_krb5_Credentials.h" 27 #import <Kerberos/Kerberos.h> 28 #import <string.h> 29 #import <time.h> 30 31 /* 32 * Based largely on klist.c, 33 * 34 * Created by Scott Kovatch on 8/12/04. 35 * 36 * See http://www.opensource.apple.com/darwinsource/10.3.3/Kerberos-47/KerberosClients/klist/Sources/klist.c 37 38 */ 39 40 /* 41 * Statics for this module 42 */ 43 44 static jclass derValueClass = NULL; 45 static jclass ticketClass = NULL; 46 static jclass principalNameClass = NULL; 47 static jclass encryptionKeyClass = NULL; 48 static jclass ticketFlagsClass = NULL; 49 static jclass kerberosTimeClass = NULL; 50 static jclass javaLangStringClass = NULL; 51 static jclass javaLangIntegerClass = NULL; 52 static jclass hostAddressClass = NULL; 53 static jclass hostAddressesClass = NULL; 54 55 static jmethodID derValueConstructor = 0; 56 static jmethodID ticketConstructor = 0; 57 static jmethodID principalNameConstructor = 0; 58 static jmethodID encryptionKeyConstructor = 0; 59 static jmethodID ticketFlagsConstructor = 0; 60 static jmethodID kerberosTimeConstructor = 0; 61 static jmethodID krbcredsConstructor = 0; 62 static jmethodID integerConstructor = 0; 63 static jmethodID hostAddressConstructor = 0; 64 static jmethodID hostAddressesConstructor = 0; 65 66 /* 67 * Function prototypes for internal routines 68 */ 69 70 static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket); 71 static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName); 72 static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey); 73 static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags); 74 static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime); 75 static jobject BuildAddressList(JNIEnv *env, krb5_address **kerbtime); 76 77 static void printiferr (errcode_t err, const char *format, ...); 78 79 static jclass FindClass(JNIEnv *env, char *className) 80 { 81 jclass cls = (*env)->FindClass(env, className); 82 83 if (cls == NULL) { 84 printf("Couldn't find %s\n", className); 85 return NULL; 86 } 87 88 jobject returnValue = (*env)->NewWeakGlobalRef(env,cls); 89 return returnValue; 90 } 91 /* 92 * Class: sun_security_krb5_KrbCreds 93 * Method: JNI_OnLoad 94 */ 95 JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *jvm, void *reserved) 96 { 97 JNIEnv *env; 98 99 if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_4)) { 100 return JNI_EVERSION; /* JNI version not supported */ 101 } 102 103 ticketClass = FindClass(env, "sun/security/krb5/internal/Ticket"); 104 if (ticketClass == NULL) return JNI_ERR; 105 106 principalNameClass = FindClass(env, "sun/security/krb5/PrincipalName"); 107 if (principalNameClass == NULL) return JNI_ERR; 108 109 derValueClass = FindClass(env, "sun/security/util/DerValue"); 110 if (derValueClass == NULL) return JNI_ERR; 111 112 encryptionKeyClass = FindClass(env, "sun/security/krb5/EncryptionKey"); 113 if (encryptionKeyClass == NULL) return JNI_ERR; 114 115 ticketFlagsClass = FindClass(env,"sun/security/krb5/internal/TicketFlags"); 116 if (ticketFlagsClass == NULL) return JNI_ERR; 117 118 kerberosTimeClass = FindClass(env,"sun/security/krb5/internal/KerberosTime"); 119 if (kerberosTimeClass == NULL) return JNI_ERR; 120 121 javaLangStringClass = FindClass(env,"java/lang/String"); 122 if (javaLangStringClass == NULL) return JNI_ERR; 123 124 javaLangIntegerClass = FindClass(env,"java/lang/Integer"); 125 if (javaLangIntegerClass == NULL) return JNI_ERR; 126 127 hostAddressClass = FindClass(env,"sun/security/krb5/internal/HostAddress"); 128 if (hostAddressClass == NULL) return JNI_ERR; 129 130 hostAddressesClass = FindClass(env,"sun/security/krb5/internal/HostAddresses"); 131 if (hostAddressesClass == NULL) return JNI_ERR; 132 133 derValueConstructor = (*env)->GetMethodID(env, derValueClass, "<init>", "([B)V"); 134 if (derValueConstructor == 0) { 135 printf("Couldn't find DerValue constructor\n"); 136 return JNI_ERR; 137 } 138 139 ticketConstructor = (*env)->GetMethodID(env, ticketClass, "<init>", "(Lsun/security/util/DerValue;)V"); 140 if (ticketConstructor == 0) { 141 printf("Couldn't find Ticket constructor\n"); 142 return JNI_ERR; 143 } 144 145 principalNameConstructor = (*env)->GetMethodID(env, principalNameClass, "<init>", "(Ljava/lang/String;I)V"); 146 if (principalNameConstructor == 0) { 147 printf("Couldn't find PrincipalName constructor\n"); 148 return JNI_ERR; 149 } 150 151 encryptionKeyConstructor = (*env)->GetMethodID(env, encryptionKeyClass, "<init>", "(I[B)V"); 152 if (encryptionKeyConstructor == 0) { 153 printf("Couldn't find EncryptionKey constructor\n"); 154 return JNI_ERR; 155 } 156 157 ticketFlagsConstructor = (*env)->GetMethodID(env, ticketFlagsClass, "<init>", "(I[B)V"); 158 if (ticketFlagsConstructor == 0) { 159 printf("Couldn't find TicketFlags constructor\n"); 160 return JNI_ERR; 161 } 162 163 kerberosTimeConstructor = (*env)->GetMethodID(env, kerberosTimeClass, "<init>", "(J)V"); 164 if (kerberosTimeConstructor == 0) { 165 printf("Couldn't find KerberosTime constructor\n"); 166 return JNI_ERR; 167 } 168 169 integerConstructor = (*env)->GetMethodID(env, javaLangIntegerClass, "<init>", "(I)V"); 170 if (integerConstructor == 0) { 171 printf("Couldn't find Integer constructor\n"); 172 return JNI_ERR; 173 } 174 175 hostAddressConstructor = (*env)->GetMethodID(env, hostAddressClass, "<init>", "(I[B)V"); 176 if (hostAddressConstructor == 0) { 177 printf("Couldn't find HostAddress constructor\n"); 178 return JNI_ERR; 179 } 180 181 hostAddressesConstructor = (*env)->GetMethodID(env, hostAddressesClass, "<init>", "([Lsun/security/krb5/internal/HostAddress;)V"); 182 if (hostAddressesConstructor == 0) { 183 printf("Couldn't find HostAddresses constructor\n"); 184 return JNI_ERR; 185 } 186 187 return JNI_VERSION_1_2; 188 } 189 190 /* 191 * Class: sun_security_jgss_KrbCreds 192 * Method: JNI_OnUnload 193 */ 194 JNIEXPORT void JNICALL JNI_OnUnload(JavaVM *jvm, void *reserved) 195 { 196 JNIEnv *env; 197 198 if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) { 199 return; /* Nothing else we can do */ 200 } 201 202 if (ticketClass != NULL) { 203 (*env)->DeleteWeakGlobalRef(env,ticketClass); 204 } 205 if (derValueClass != NULL) { 206 (*env)->DeleteWeakGlobalRef(env,derValueClass); 207 } 208 if (principalNameClass != NULL) { 209 (*env)->DeleteWeakGlobalRef(env,principalNameClass); 210 } 211 if (encryptionKeyClass != NULL) { 212 (*env)->DeleteWeakGlobalRef(env,encryptionKeyClass); 213 } 214 if (ticketFlagsClass != NULL) { 215 (*env)->DeleteWeakGlobalRef(env,ticketFlagsClass); 216 } 217 if (kerberosTimeClass != NULL) { 218 (*env)->DeleteWeakGlobalRef(env,kerberosTimeClass); 219 } 220 if (javaLangStringClass != NULL) { 221 (*env)->DeleteWeakGlobalRef(env,javaLangStringClass); 222 } 223 if (javaLangIntegerClass != NULL) { 224 (*env)->DeleteWeakGlobalRef(env,javaLangIntegerClass); 225 } 226 if (hostAddressClass != NULL) { 227 (*env)->DeleteWeakGlobalRef(env,hostAddressClass); 228 } 229 if (hostAddressesClass != NULL) { 230 (*env)->DeleteWeakGlobalRef(env,hostAddressesClass); 231 } 232 233 } 234 235 int isIn(krb5_enctype e, int n, jint* etypes) 236 { 237 int i; 238 for (i=0; i<n; i++) { 239 if (e == etypes[i]) return 1; 240 } 241 return 0; 242 } 243 244 /* 245 * Class: sun_security_krb5_Credentials 246 * Method: acquireDefaultNativeCreds 247 * Signature: ([I])Lsun/security/krb5/Credentials; 248 */ 249 JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds 250 (JNIEnv *env, jclass krbcredsClass, jintArray jetypes) 251 { 252 jobject krbCreds = NULL; 253 krb5_error_code err = 0; 254 krb5_ccache ccache = NULL; 255 krb5_cc_cursor cursor = NULL; 256 krb5_creds creds; 257 krb5_flags flags = 0; 258 krb5_context kcontext = NULL; 259 260 int netypes; 261 jint *etypes = NULL; 262 263 /* Initialize the Kerberos 5 context */ 264 err = krb5_init_context (&kcontext); 265 266 if (!err) { 267 err = krb5_cc_default (kcontext, &ccache); 268 } 269 270 if (!err) { 271 err = krb5_cc_set_flags (kcontext, ccache, flags); /* turn off OPENCLOSE */ 272 } 273 274 if (!err) { 275 err = krb5_cc_start_seq_get (kcontext, ccache, &cursor); 276 } 277 278 netypes = (*env)->GetArrayLength(env, jetypes); 279 etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL); 280 281 if (etypes != NULL && !err) { 282 while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) { 283 char *serverName = NULL; 284 285 if (!err) { 286 err = krb5_unparse_name (kcontext, creds.server, &serverName); 287 printiferr (err, "while unparsing server name"); 288 } 289 290 if (!err) { 291 char* slash = strchr(serverName, '/'); 292 char* at = strchr(serverName, '@'); 293 // Make sure the server's name is krbtgt/REALM@REALM, the etype 294 // is supported, and the ticket has not expired 295 if (slash && at && 296 strncmp (serverName, "krbtgt", slash-serverName) == 0 && 297 // the ablove line shows at must be after slash 298 strncmp (slash+1, at+1, at-slash-1) == 0 && 299 isIn (creds.keyblock.enctype, netypes, etypes) && 300 creds.times.endtime > time(0)) { 301 jobject ticket, clientPrincipal, targetPrincipal, encryptionKey; 302 jobject ticketFlags, startTime, endTime; 303 jobject authTime, renewTillTime, hostAddresses; 304 305 ticket = clientPrincipal = targetPrincipal = encryptionKey = NULL; 306 ticketFlags = startTime = endTime = NULL; 307 authTime = renewTillTime = hostAddresses = NULL; 308 309 // For the default credentials we're only interested in the krbtgt server. 310 clientPrincipal = BuildClientPrincipal(env, kcontext, creds.client); 311 if (clientPrincipal == NULL) goto cleanup; 312 313 targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server); 314 if (targetPrincipal == NULL) goto cleanup; 315 316 // Build a sun/security/krb5/internal/Ticket 317 ticket = BuildTicket(env, &creds.ticket); 318 if (ticket == NULL) goto cleanup; 319 320 // Get the encryption key 321 encryptionKey = BuildEncryptionKey(env, &creds.keyblock); 322 if (encryptionKey == NULL) goto cleanup; 323 324 // and the ticket flags 325 ticketFlags = BuildTicketFlags(env, creds.ticket_flags); 326 if (ticketFlags == NULL) goto cleanup; 327 328 // Get the timestamps out. 329 startTime = BuildKerberosTime(env, creds.times.starttime); 330 if (startTime == NULL) goto cleanup; 331 332 authTime = BuildKerberosTime(env, creds.times.authtime); 333 if (authTime == NULL) goto cleanup; 334 335 endTime = BuildKerberosTime(env, creds.times.endtime); 336 if (endTime == NULL) goto cleanup; 337 338 renewTillTime = BuildKerberosTime(env, creds.times.renew_till); 339 if (renewTillTime == NULL) goto cleanup; 340 341 // Create the addresses object. 342 hostAddresses = BuildAddressList(env, creds.addresses); 343 344 if (krbcredsConstructor == 0) { 345 krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>", 346 "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V"); 347 if (krbcredsConstructor == 0) { 348 printf("Couldn't find sun.security.krb5.internal.Ticket constructor\n"); 349 break; 350 } 351 } 352 353 // and now go build a KrbCreds object 354 krbCreds = (*env)->NewObject( 355 env, 356 krbcredsClass, 357 krbcredsConstructor, 358 ticket, 359 clientPrincipal, 360 targetPrincipal, 361 encryptionKey, 362 ticketFlags, 363 authTime, 364 startTime, 365 endTime, 366 renewTillTime, 367 hostAddresses); 368 cleanup: 369 if (ticket) (*env)->DeleteLocalRef(env, ticket); 370 if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal); 371 if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal); 372 if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey); 373 if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags); 374 if (authTime) (*env)->DeleteLocalRef(env, authTime); 375 if (startTime) (*env)->DeleteLocalRef(env, startTime); 376 if (endTime) (*env)->DeleteLocalRef(env, endTime); 377 if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime); 378 if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses); 379 380 // Stop if there is an exception or we already found the initial TGT 381 if ((*env)->ExceptionCheck(env) || krbCreds) { 382 break; 383 } 384 } 385 } 386 387 if (serverName != NULL) { krb5_free_unparsed_name (kcontext, serverName); } 388 389 krb5_free_cred_contents (kcontext, &creds); 390 } 391 392 if (err == KRB5_CC_END) { err = 0; } 393 printiferr (err, "while retrieving a ticket"); 394 } 395 396 if (!err) { 397 err = krb5_cc_end_seq_get (kcontext, ccache, &cursor); 398 printiferr (err, "while finishing ticket retrieval"); 399 } 400 401 if (!err) { 402 flags = KRB5_TC_OPENCLOSE; /* restore OPENCLOSE mode */ 403 err = krb5_cc_set_flags (kcontext, ccache, flags); 404 printiferr (err, "while finishing ticket retrieval"); 405 } 406 407 if (etypes != NULL) { 408 (*env)->ReleaseIntArrayElements(env, jetypes, etypes, 0); 409 } 410 411 krb5_free_context (kcontext); 412 return krbCreds; 413 } 414 415 416 #pragma mark - 417 418 jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket) 419 { 420 /* To build a Ticket, we first need to build a DerValue out of the EncodedTicket. 421 * But before we can do that, we need to make a byte array out of the ET. 422 */ 423 424 jobject derValue, ticket; 425 jbyteArray ary; 426 427 ary = (*env)->NewByteArray(env, encodedTicket->length); 428 if ((*env)->ExceptionCheck(env)) { 429 return (jobject) NULL; 430 } 431 432 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, encodedTicket->length, (jbyte *)encodedTicket->data); 433 if ((*env)->ExceptionCheck(env)) { 434 (*env)->DeleteLocalRef(env, ary); 435 return (jobject) NULL; 436 } 437 438 derValue = (*env)->NewObject(env, derValueClass, derValueConstructor, ary); 439 if ((*env)->ExceptionCheck(env)) { 440 (*env)->DeleteLocalRef(env, ary); 441 return (jobject) NULL; 442 } 443 444 (*env)->DeleteLocalRef(env, ary); 445 ticket = (*env)->NewObject(env, ticketClass, ticketConstructor, derValue); 446 if ((*env)->ExceptionCheck(env)) { 447 (*env)->DeleteLocalRef(env, derValue); 448 return (jobject) NULL; 449 } 450 (*env)->DeleteLocalRef(env, derValue); 451 return ticket; 452 } 453 454 jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName) { 455 // Get the full principal string. 456 char *principalString = NULL; 457 jobject principal = NULL; 458 int err = krb5_unparse_name (kcontext, principalName, &principalString); 459 460 if (!err) { 461 // Make a PrincipalName from the full string and the type. Let the PrincipalName class parse it out. 462 jstring principalStringObj = (*env)->NewStringUTF(env, principalString); 463 if (principalStringObj == NULL) { 464 if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); } 465 return (jobject) NULL; 466 } 467 principal = (*env)->NewObject(env, principalNameClass, principalNameConstructor, principalStringObj, principalName->type); 468 if (principalString != NULL) { krb5_free_unparsed_name (kcontext, principalString); } 469 (*env)->DeleteLocalRef(env, principalStringObj); 470 } 471 472 return principal; 473 } 474 475 jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey) { 476 // First, need to build a byte array 477 jbyteArray ary; 478 jobject encryptionKey = NULL; 479 480 ary = (*env)->NewByteArray(env,cryptoKey->length); 481 482 if (ary == NULL) { 483 return (jobject) NULL; 484 } 485 486 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, cryptoKey->length, (jbyte *)cryptoKey->contents); 487 if (!(*env)->ExceptionCheck(env)) { 488 encryptionKey = (*env)->NewObject(env, encryptionKeyClass, encryptionKeyConstructor, cryptoKey->enctype, ary); 489 } 490 491 (*env)->DeleteLocalRef(env, ary); 492 return encryptionKey; 493 } 494 495 jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags) { 496 jobject ticketFlags = NULL; 497 jbyteArray ary; 498 499 /* 500 * Convert the bytes to network byte order before copying 501 * them to a Java byte array. 502 */ 503 unsigned long nlflags = htonl(flags); 504 505 ary = (*env)->NewByteArray(env, sizeof(flags)); 506 507 if (ary == NULL) { 508 return (jobject) NULL; 509 } 510 511 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, sizeof(flags), (jbyte *)&nlflags); 512 513 if (!(*env)->ExceptionCheck(env)) { 514 ticketFlags = (*env)->NewObject(env, ticketFlagsClass, ticketFlagsConstructor, sizeof(flags)*8, ary); 515 } 516 517 (*env)->DeleteLocalRef(env, ary); 518 return ticketFlags; 519 } 520 521 jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime) { 522 jlong time = kerbtime; 523 524 // Kerberos time is in seconds, but the KerberosTime class assumes milliseconds, so multiply by 1000. 525 time *= 1000; 526 return (*env)->NewObject(env, kerberosTimeClass, kerberosTimeConstructor, time); 527 } 528 529 jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) { 530 531 if (addresses == NULL) { 532 return NULL; 533 } 534 535 int addressCount = 0; 536 537 // See how many we have. 538 krb5_address **p = addresses; 539 540 while (*p != 0) { 541 addressCount++; 542 p++; 543 } 544 545 jobject address_list = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL); 546 547 if (address_list == NULL) { 548 return (jobject) NULL; 549 } 550 551 // Create a new HostAddress object for each address block. 552 // First, reset the iterator. 553 p = addresses; 554 jsize index = 0; 555 while (*p != 0) { 556 krb5_address *currAddress = *p; 557 558 // HostAddres needs a byte array of the host data. 559 jbyteArray ary = (*env)->NewByteArray(env, currAddress->length); 560 561 if (ary == NULL) return NULL; 562 563 (*env)->SetByteArrayRegion(env, ary, (jsize) 0, currAddress->length, (jbyte *)currAddress->contents); 564 jobject address = (*env)->NewObject(env, hostAddressClass, hostAddressConstructor, currAddress->length, ary); 565 566 (*env)->DeleteLocalRef(env, ary); 567 568 if (address == NULL) { 569 return (jobject) NULL; 570 } 571 // Add the HostAddress to the arrray. 572 (*env)->SetObjectArrayElement(env, address_list, index, address); 573 574 if ((*env)->ExceptionCheck(env)) { 575 return (jobject) NULL; 576 } 577 578 index++; 579 p++; 580 } 581 582 return address_list; 583 } 584 585 #pragma mark - Utility methods - 586 587 static void printiferr (errcode_t err, const char *format, ...) 588 { 589 if (err) { 590 va_list pvar; 591 592 va_start (pvar, format); 593 com_err_va ("ticketParser:", err, format, pvar); 594 va_end (pvar); 595 } 596 } 597