284 EncTicketPart enc_ticketPart = new EncTicketPart(temp);
285
286 checkPermittedEType(enc_ticketPart.key.getEType());
287
288 byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key,
289 KeyUsage.KU_AP_REQ_AUTHENTICATOR);
290 byte[] temp2 = apReqMessg.authenticator.reset(bytes2);
291 authenticator = new Authenticator(temp2);
292 ctime = authenticator.ctime;
293 cusec = authenticator.cusec;
294 authenticator.ctime =
295 authenticator.ctime.withMicroSeconds(authenticator.cusec);
296
297 if (!authenticator.cname.equals(enc_ticketPart.cname)) {
298 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
299 }
300
301 if (!authenticator.ctime.inClockSkew())
302 throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
303
304 byte[] hash;
305 try {
306 hash = MessageDigest.getInstance("MD5")
307 .digest(apReqMessg.authenticator.cipher);
308 } catch (NoSuchAlgorithmException ex) {
309 throw new AssertionError("Impossible");
310 }
311
312 char[] h = new char[hash.length * 2];
313 for (int i=0; i<hash.length; i++) {
314 h[2*i] = hexConst[(hash[i]&0xff)>>4];
315 h[2*i+1] = hexConst[hash[i]&0xf];
316 }
317 AuthTimeWithHash time = new AuthTimeWithHash(
318 authenticator.cname.toString(),
319 apReqMessg.ticket.sname.toString(),
320 authenticator.ctime.getSeconds(),
321 authenticator.cusec,
322 new String(h));
323 rcache.checkAndStore(KerberosTime.now(), time);
324
325 if (initiator != null) {
326 // sender host address
327 HostAddress sender = new HostAddress(initiator);
328 if (enc_ticketPart.caddr != null
329 && !enc_ticketPart.caddr.inList(sender)) {
330 if (DEBUG) {
331 System.out.println(">>> KrbApReq: initiator is "
332 + sender.getInetAddress()
333 + ", but caddr is "
334 + Arrays.toString(
335 enc_ticketPart.caddr.getInetAddresses()));
336 }
337 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
338 }
339 }
340
341 // XXX check for repeated authenticator
284 EncTicketPart enc_ticketPart = new EncTicketPart(temp);
285
286 checkPermittedEType(enc_ticketPart.key.getEType());
287
288 byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key,
289 KeyUsage.KU_AP_REQ_AUTHENTICATOR);
290 byte[] temp2 = apReqMessg.authenticator.reset(bytes2);
291 authenticator = new Authenticator(temp2);
292 ctime = authenticator.ctime;
293 cusec = authenticator.cusec;
294 authenticator.ctime =
295 authenticator.ctime.withMicroSeconds(authenticator.cusec);
296
297 if (!authenticator.cname.equals(enc_ticketPart.cname)) {
298 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
299 }
300
301 if (!authenticator.ctime.inClockSkew())
302 throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
303
304 String alg = AuthTimeWithHash.DEFAULT_HASH_ALG;
305 byte[] hash;
306 try {
307 hash = MessageDigest.getInstance(AuthTimeWithHash.realAlg(alg))
308 .digest(apReqMessg.authenticator.cipher);
309 } catch (NoSuchAlgorithmException ex) {
310 throw new AssertionError("Impossible");
311 }
312
313 char[] h = new char[hash.length * 2];
314 for (int i=0; i<hash.length; i++) {
315 h[2*i] = hexConst[(hash[i]&0xff)>>4];
316 h[2*i+1] = hexConst[hash[i]&0xf];
317 }
318 AuthTimeWithHash time = new AuthTimeWithHash(
319 authenticator.cname.toString(),
320 apReqMessg.ticket.sname.toString(),
321 authenticator.ctime.getSeconds(),
322 authenticator.cusec,
323 alg,
324 new String(h));
325 rcache.checkAndStore(KerberosTime.now(), time);
326
327 if (initiator != null) {
328 // sender host address
329 HostAddress sender = new HostAddress(initiator);
330 if (enc_ticketPart.caddr != null
331 && !enc_ticketPart.caddr.inList(sender)) {
332 if (DEBUG) {
333 System.out.println(">>> KrbApReq: initiator is "
334 + sender.getInetAddress()
335 + ", but caddr is "
336 + Arrays.toString(
337 enc_ticketPart.caddr.getInetAddresses()));
338 }
339 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
340 }
341 }
342
343 // XXX check for repeated authenticator
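Review bot: The `catch (NoSuchAlgorithmException ex)` around the `MessageDigest.getInstance(AuthTimeWithHash.realAlg(alg))` call still throws `AssertionError("Impossible")` and drops the cause, but the digest name is no longer the literal "MD5" — it is whatever `realAlg` maps `AuthTimeWithHash.DEFAULT_HASH_ALG` to, which is not visible in this hunk, so the "impossible" claim now depends on that mapping and on the installed providers. At minimum chain the exception so a stripped-down or misconfigured provider is diagnosable rather than an opaque assertion failure: `throw new AssertionError("Impossible", ex);`. The `// XXX check for repeated authenticator` comment at the end of the hunk reads as stale now that `rcache.checkAndStore(KerberosTime.now(), time)` a few lines above is the replay check; reword it to `// replay detection done above via rcache.checkAndStore` or drop it. The enclosing method begins before and continues past this hunk.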