1 /*
   2  * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 /*
  27  *
  28  *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
  29  *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
  30  */
  31 
  32 package sun.security.krb5;
  33 
  34 import sun.security.krb5.internal.*;
  35 import sun.security.krb5.internal.crypto.Nonce;
  36 import sun.security.krb5.internal.crypto.KeyUsage;
  37 import java.io.IOException;
  38 import java.time.Instant;
  39 
  40 /**
  41  * This class encapsulates the KRB-AS-REQ message that the client
  42  * sends to the KDC.
  43  */
public class KrbAsReq {
    /** The assembled AS-REQ; built once by the constructor and never replaced. */
    private final ASReq asReqMessg;

    /** Snapshot of the library-wide debug switch taken when this instance is created. */
    private final boolean debug = Krb5.DEBUG;

    /**
     * Constructs an AS-REQ message.
     *
     * <p>Null handling of the arguments:
     * <ul>
     * <li>{@code pakey} may be null; when present an encrypted-timestamp
     *     PA-DATA ({@code PA_ENC_TIMESTAMP}) is added, encrypted under this key
     *     with key usage {@code KU_PA_ENC_TS}.</li>
     * <li>{@code options} may be null; {@code new KDCOptions()} is used instead.</li>
     * <li>{@code cname} must be non-null and must carry a realm.</li>
     * <li>{@code sname} may be null; the TGS principal of the client's realm is used.</li>
     * <li>{@code from} is only kept when {@code POSTDATED} is set, otherwise dropped.</li>
     * <li>{@code till} may be null; {@code libdefaults/ticket_lifetime} is used when
     *     configured, else {@code KerberosTime(0)} which lets the KDC pick its maximum.</li>
     * <li>{@code rtime} may be null; {@code libdefaults/renew_lifetime} is used when
     *     configured. A non-null renew time sets {@code RENEWABLE} on the options
     *     (note: this mutates the caller's {@code KDCOptions} instance) and is raised
     *     to {@code till} if it would otherwise precede it.</li>
     * <li>{@code eTypes} must be non-null.</li>
     * <li>{@code addresses} may be null; local addresses are used when the
     *     configuration enables addresses in tickets.</li>
     * </ul>
     *
     * @throws KrbException   if an option that is only valid in a TGS-REQ is set
     *                        ({@code KRB_AP_ERR_REQ_OPTIONS}), if {@code cname} has no
     *                        realm ({@code RealmException}), or if the configuration,
     *                        duration parsing or pre-authentication encryption fails
     * @throws IOException    if ASN.1 encoding of the pre-authentication data fails
     */
    public KrbAsReq(EncryptionKey pakey,
                    KDCOptions options,
                    PrincipalName cname,
                    PrincipalName sname,
                    KerberosTime from,
                    KerberosTime till,
                    KerberosTime rtime,
                    int[] eTypes,
                    HostAddresses addresses)
            throws KrbException, IOException {

        KDCOptions kdcOptions = (options != null) ? options : new KDCOptions();
        rejectTgsOnlyOptions(kdcOptions);

        // A start time is only meaningful for a postdated ticket; otherwise it is
        // not sent so that the optional fields stay consistent with the KDCOptions.
        KerberosTime startTime = kdcOptions.get(KDCOptions.POSTDATED) ? from : null;

        PAData[] paData = (pakey != null) ? encryptedTimestampPreAuth(pakey) : null;

        if (cname.getRealm() == null) {
            throw new RealmException(Krb5.REALM_NULL,
                                     "default realm not specified ");
        }

        if (debug) {
            System.out.println(">>> KrbAsReq creating message");
        }

        Config cfg = Config.getInstance();

        // Addresses are only filled in automatically when the config asks for them.
        HostAddresses clientAddresses = addresses;
        if (clientAddresses == null && cfg.useAddresses()) {
            clientAddresses = HostAddresses.getLocalAddresses();
        }

        // Default service is the ticket-granting service of the client's own realm.
        PrincipalName serverName = sname;
        if (serverName == null) {
            String realm = cname.getRealmAsString();
            serverName = PrincipalName.tgsService(realm, realm);
        }

        KerberosTime endTime = till;
        if (endTime == null) {
            endTime = lifetimeFromConfig(cfg, "ticket_lifetime");
            if (endTime == null) {
                endTime = new KerberosTime(0); // Choose KDC maximum allowed
            }
        }

        KerberosTime renewTill = rtime;
        if (renewTill == null) {
            renewTill = lifetimeFromConfig(cfg, "renew_lifetime");
        }

        if (renewTill != null) {
            kdcOptions.set(KDCOptions.RENEWABLE, true);
            // renew-till must not be earlier than the requested end time.
            if (endTime.greaterThan(renewTill)) {
                renewTill = endTime;
            }
        }

        // enc-authorization-data and additional-tickets never in AS-REQ
        KDCReqBody body = new KDCReqBody(kdcOptions,
                                         cname,
                                         serverName,
                                         startTime,
                                         endTime,
                                         renewTill,
                                         Nonce.value(),
                                         eTypes,
                                         clientAddresses,
                                         null,
                                         null);

        asReqMessg = new ASReq(paData, body);
    }

    /**
     * Rejects KDC options that are only specified in a request to the
     * ticket-granting server.
     *
     * @param opts the options to check; never null
     * @throws KrbException {@code KRB_AP_ERR_REQ_OPTIONS} when one of
     *                      FORWARDED, PROXY, ENC_TKT_IN_SKEY, RENEW or VALIDATE is set
     */
    private static void rejectTgsOnlyOptions(KDCOptions opts) throws KrbException {
        boolean tgsOnly = opts.get(KDCOptions.FORWARDED)
                || opts.get(KDCOptions.PROXY)
                || opts.get(KDCOptions.ENC_TKT_IN_SKEY)
                || opts.get(KDCOptions.RENEW)
                || opts.get(KDCOptions.VALIDATE);
        if (tgsOnly) {
            throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
        }
    }

    /**
     * Builds the single PA-ENC-TIMESTAMP pre-authentication element: a fresh
     * {@code PAEncTSEnc}, ASN.1-encoded and encrypted under {@code pakey} with
     * key usage {@code KU_PA_ENC_TS}.
     *
     * @param pakey the pre-authentication key; never null
     * @return a one-element array holding the encrypted timestamp PA-DATA
     * @throws KrbException if encryption fails
     * @throws IOException  if ASN.1 encoding fails
     */
    private static PAData[] encryptedTimestampPreAuth(EncryptionKey pakey)
            throws KrbException, IOException {
        PAEncTSEnc timestamp = new PAEncTSEnc();
        EncryptedData encTs = new EncryptedData(pakey,
                                                timestamp.asn1Encode(),
                                                KeyUsage.KU_PA_ENC_TS);
        return new PAData[] {
            new PAData(Krb5.PA_ENC_TIMESTAMP, encTs.asn1Encode())
        };
    }

    /**
     * Reads a {@code libdefaults} duration and turns it into an absolute time
     * relative to now.
     *
     * @param cfg the Kerberos configuration
     * @param key the {@code libdefaults} key, e.g. {@code ticket_lifetime}
     * @return now plus the configured duration, or null when the key is not set
     * @throws KrbException if the duration string cannot be parsed
     */
    private static KerberosTime lifetimeFromConfig(Config cfg, String key)
            throws KrbException {
        String d = cfg.get("libdefaults", key);
        if (d == null) {
            return null;
        }
        return new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
    }

    /**
     * Returns the DER encoding of the AS-REQ.
     *
     * @throws IOException   if encoding fails
     * @throws Asn1Exception if the message cannot be represented in ASN.1
     */
    byte[] encoding() throws IOException, Asn1Exception {
        return asReqMessg.asn1Encode();
    }

    /**
     * Returns the underlying AS-REQ. Used by KrbAsRep to validate the AS-REP
     * against the request it answers.
     */
    ASReq getMessage() {
        return asReqMessg;
    }
}