1 /* 2 * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 /* 27 * 28 * (C) Copyright IBM Corp. 1999 All Rights Reserved. 29 * Copyright 1997 The Open Group Research Institute. All rights reserved. 30 */ 31 32 package sun.security.krb5; 33 34 import sun.security.krb5.internal.*; 35 import sun.security.krb5.internal.crypto.Nonce; 36 import sun.security.krb5.internal.crypto.KeyUsage; 37 import java.io.IOException; 38 import java.time.Instant; 39 40 /** 41 * This class encapsulates the KRB-AS-REQ message that the client 42 * sends to the KDC. 43 */ 44 public class KrbAsReq { 45 private ASReq asReqMessg; 46 47 private boolean DEBUG = Krb5.DEBUG; 48 49 /** 50 * Constructs an AS-REQ message. 51 */ 52 // Can be null? has default? 
/**
 * Builds the KRB-AS-REQ message body, filling in defaults for the optional
 * arguments and rejecting combinations that are not legal in an AS-REQ.
 *
 * Argument contract (taken from the checks below and the caller notes above):
 * <ul>
 * <li>{@code pakey}: when non-null, a PA-ENC-TIMESTAMP pre-authentication
 *     element is produced by encrypting a fresh {@link PAEncTSEnc} under
 *     this key with key usage {@code KU_PA_ENC_TS}; when null no
 *     pre-authentication data is sent at all.</li>
 * <li>{@code options}: null means {@code new KDCOptions()}. NOTE: a non-null
 *     object passed in is modified in place -- RENEWABLE is set on it whenever
 *     a renew-till time ends up being requested -- so callers sharing a
 *     KDCOptions instance will observe that change.</li>
 * <li>{@code cname}: must be non-null and carry a realm; a missing realm is
 *     reported as {@code RealmException(REALM_NULL)}. A null {@code cname} is
 *     not checked and would surface as a NullPointerException.</li>
 * <li>{@code sname}: null selects the TGS principal of the client's realm
 *     ({@code krbtgt/REALM@REALM}).</li>
 * <li>{@code from}: only honoured together with the POSTDATED option;
 *     otherwise it is discarded.</li>
 * <li>{@code till}: null falls back to {@code libdefaults/ticket_lifetime},
 *     or to {@code KerberosTime(0)} which lets the KDC choose its maximum.</li>
 * <li>{@code rtime}: null falls back to {@code libdefaults/renew_lifetime}
 *     when configured; if a renew time is present it is never allowed to be
 *     earlier than {@code till}.</li>
 * <li>{@code eTypes}: handed through unchecked; the caller must supply it.</li>
 * <li>{@code addresses}: null is replaced by the local host addresses when
 *     the configuration enables address-bound tickets.</li>
 * </ul>
 *
 * @throws KrbException   with {@code KRB_AP_ERR_REQ_OPTIONS} when an option
 *                        that is only valid in a TGS-REQ (FORWARDED, PROXY,
 *                        ENC_TKT_IN_SKEY, RENEW, VALIDATE) is set; also
 *                        propagated from configuration lookup and encryption
 * @throws IOException    when ASN.1 encoding of a message part fails
 */
public KrbAsReq(EncryptionKey pakey, // ok
                KDCOptions options, // ok, new KDCOptions()
                PrincipalName cname, // NO and must have realm
                PrincipalName sname, // ok, krgtgt@CREALM
                KerberosTime from, // ok
                KerberosTime till, // ok, will use
                KerberosTime rtime, // ok
                int[] eTypes, // NO
                HostAddresses addresses // ok
                )
    throws KrbException, IOException {

    KDCOptions kdcOptions = (options == null) ? new KDCOptions() : options;

    // These flags are only meaningful in a request to the ticket-granting
    // service; an AS-REQ carrying them is malformed, so fail early.
    if (hasTgsOnlyOption(kdcOptions)) {
        throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
    }

    // A start time is only meaningful for a postdated ticket; drop it otherwise.
    KerberosTime startTime = kdcOptions.get(KDCOptions.POSTDATED) ? from : null;

    // Encrypted-timestamp pre-authentication proves possession of pakey
    // (typically the client's long-term key) to the KDC.
    PAData[] paData = buildTimestampPreAuth(pakey);

    if (cname.getRealm() == null) {
        throw new RealmException(Krb5.REALM_NULL,
                                 "default realm not specified ");
    }

    if (DEBUG) {
        System.out.println(">>> KrbAsReq creating message");
    }

    Config cfg = Config.getInstance();

    // When the configuration asks for address-bound tickets and the caller
    // gave none, bind the request to this host's addresses.
    HostAddresses clientAddresses = addresses;
    if (clientAddresses == null && cfg.useAddresses()) {
        clientAddresses = HostAddresses.getLocalAddresses();
    }

    // Default service is the TGS of the client's own realm.
    PrincipalName serviceName = sname;
    if (serviceName == null) {
        String clientRealm = cname.getRealmAsString();
        serviceName = PrincipalName.tgsService(clientRealm, clientRealm);
    }

    KerberosTime endTime = (till != null) ? till : defaultEndTime(cfg);

    // May remain null when neither the caller nor the config asks for renewal.
    KerberosTime renewTime = (rtime != null) ? rtime : configuredRenewTime(cfg);

    if (renewTime != null) {
        // Requesting a renew-till time implies a renewable ticket; note this
        // writes to the caller's KDCOptions when one was passed in.
        kdcOptions.set(KDCOptions.RENEWABLE, true);
        if (endTime.greaterThan(renewTime)) {
            renewTime = endTime;
        }
    }

    // enc-authorization-data and additional-tickets never appear in an AS-REQ,
    // hence the two trailing nulls.
    KDCReqBody requestBody = new KDCReqBody(kdcOptions,
                                            cname,
                                            serviceName,
                                            startTime,
                                            endTime,
                                            renewTime,
                                            Nonce.value(),
                                            eTypes,
                                            clientAddresses,
                                            null,
                                            null);

    asReqMessg = new ASReq(paData, requestBody);
}

/** True when any option that is only legal in a TGS-REQ is set. */
private static boolean hasTgsOnlyOption(KDCOptions opts) {
    return opts.get(KDCOptions.FORWARDED)
        || opts.get(KDCOptions.PROXY)
        || opts.get(KDCOptions.ENC_TKT_IN_SKEY)
        || opts.get(KDCOptions.RENEW)
        || opts.get(KDCOptions.VALIDATE);
}

/**
 * Produces the single PA-ENC-TIMESTAMP element, or null when no key is
 * available (no pre-authentication data is sent in that case).
 */
private static PAData[] buildTimestampPreAuth(EncryptionKey pakey)
        throws KrbException, IOException {
    if (pakey == null) {
        return null;
    }
    PAEncTSEnc timestamp = new PAEncTSEnc();
    byte[] plain = timestamp.asn1Encode();
    EncryptedData sealed = new EncryptedData(pakey, plain, KeyUsage.KU_PA_ENC_TS);
    return new PAData[] {
        new PAData(Krb5.PA_ENC_TIMESTAMP, sealed.asn1Encode())
    };
}

/**
 * End time to request when the caller gave none: now plus
 * libdefaults/ticket_lifetime, or KerberosTime(0) to let the KDC apply its
 * own maximum.
 */
private static KerberosTime defaultEndTime(Config cfg) throws KrbException {
    String lifetime = cfg.get("libdefaults", "ticket_lifetime");
    if (lifetime == null) {
        return new KerberosTime(0); // Choose KDC maximum allowed
    }
    return new KerberosTime(Instant.now().plusSeconds(Config.duration(lifetime)));
}

/**
 * Renew-till time derived from libdefaults/renew_lifetime, or null when that
 * setting is absent.
 */
private static KerberosTime configuredRenewTime(Config cfg) throws KrbException {
    String renewLifetime = cfg.get("libdefaults", "renew_lifetime");
    if (renewLifetime == null) {
        return null;
    }
    return new KerberosTime(Instant.now().plusSeconds(Config.duration(renewLifetime)));
}

/**
 * DER-encodes the AS-REQ for transmission to the KDC.
 *
 * @throws IOException   on an encoding I/O failure
 * @throws Asn1Exception when the message cannot be ASN.1-encoded
 */
byte[] encoding() throws IOException, Asn1Exception {
    byte[] der = asReqMessg.asn1Encode();
    return der;
}

/**
 * The request as sent; KrbAsRep uses it to check that the AS-REP it receives
 * matches what was asked for (nonce, principals, times).
 */
ASReq getMessage() {
    return asReqMessg;
}
}