| /* |
| * Copyright (c) 2001, 2021, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| /* |
| * |
| * (C) Copyright IBM Corp. 1999 All Rights Reserved. |
| * Copyright 1997 The Open Group Research Institute. All rights reserved. |
| */ |
| |
| package sun.security.krb5.internal; |
| |
| import sun.security.krb5.*; |
| import sun.security.util.DerValue; |
| |
| import java.io.IOException; |
| import java.util.LinkedList; |
| import java.util.List; |
| |
| /** |
| * This class is a utility that contains much of the TGS-Exchange |
| * protocol. It is used by ../Credentials.java for service ticket |
| * acquisition in both the normal and the x-realm case. |
| */ |
| public class CredentialsUtil { |
| |
| private static boolean DEBUG = sun.security.krb5.internal.Krb5.DEBUG; |
| |
| private static enum S4U2Type { |
| NONE, SELF, PROXY |
| } |
| |
| /** |
| * Used by a middle server to acquire credentials on behalf of a |
| * user to itself using the S4U2self extension. |
| * @param user the user to impersonate |
| * @param ccreds the TGT of the middle service |
| * @return the new creds (cname=user, sname=middle) |
| */ |
| public static Credentials acquireS4U2selfCreds(PrincipalName user, |
| Credentials ccreds) throws KrbException, IOException { |
| if (!ccreds.isForwardable()) { |
| throw new KrbException("S4U2self needs a FORWARDABLE ticket"); |
| } |
| PrincipalName sname = ccreds.getClient(); |
| String uRealm = user.getRealmString(); |
| String localRealm = ccreds.getClient().getRealmString(); |
| if (!uRealm.equals(localRealm)) { |
| // Referrals will be required because the middle service |
| // and the user impersonated are on different realms. |
| if (Config.DISABLE_REFERRALS) { |
| throw new KrbException("Cross-realm S4U2Self request not" + |
| " possible when referrals are disabled."); |
| } |
| if (ccreds.getClientAlias() != null) { |
| // If the name was canonicalized, the user pick |
| // has preference. This gives the possibility of |
| // using FQDNs that KDCs may use to return referrals. |
| // I.e.: a SVC/host.realm-2.com@REALM-1.COM name |
| // may be used by REALM-1.COM KDC to return a |
| // referral to REALM-2.COM. |
| sname = ccreds.getClientAlias(); |
| } |
| sname = new PrincipalName(sname.getNameType(), |
| sname.getNameStrings(), new Realm(uRealm)); |
| } |
| Credentials creds = serviceCreds( |
| KDCOptions.with(KDCOptions.FORWARDABLE), |
| ccreds, ccreds.getClient(), sname, user, |
| null, new PAData[] { |
| new PAData(Krb5.PA_FOR_USER, |
| new PAForUserEnc(user, |
| ccreds.getSessionKey()).asn1Encode()), |
| new PAData(Krb5.PA_PAC_OPTIONS, |
| new PaPacOptions() |
| .setResourceBasedConstrainedDelegation(true) |
| .setClaims(true) |
| .asn1Encode()) |
| }, S4U2Type.SELF); |
| if (!creds.getClient().equals(user)) { |
| throw new KrbException("S4U2self request not honored by KDC"); |
| } |
| if (!creds.isForwardable()) { |
| throw new KrbException("S4U2self ticket must be FORWARDABLE"); |
| } |
| return creds; |
| } |
| |
| /** |
| * Used by a middle server to acquire a service ticket to a backend |
| * server using the S4U2proxy extension. |
| * @param backend the name of the backend service |
| * @param second the client's service ticket to the middle server |
| * @param ccreds the TGT of the middle server |
| * @return the creds (cname=client, sname=backend) |
| */ |
| public static Credentials acquireS4U2proxyCreds( |
| String backend, Ticket second, |
| PrincipalName client, Credentials ccreds) |
| throws KrbException, IOException { |
| PrincipalName backendPrincipal = new PrincipalName(backend); |
| String backendRealm = backendPrincipal.getRealmString(); |
| String localRealm = ccreds.getClient().getRealmString(); |
| if (!backendRealm.equals(localRealm)) { |
| // The middle service and the backend service are on |
| // different realms, so referrals will be required. |
| if (Config.DISABLE_REFERRALS) { |
| throw new KrbException("Cross-realm S4U2Proxy request not" + |
| " possible when referrals are disabled."); |
| } |
| backendPrincipal = new PrincipalName( |
| backendPrincipal.getNameType(), |
| backendPrincipal.getNameStrings(), |
| new Realm(localRealm)); |
| } |
| Credentials creds = serviceCreds(KDCOptions.with( |
| KDCOptions.CNAME_IN_ADDL_TKT, KDCOptions.FORWARDABLE), |
| ccreds, ccreds.getClient(), backendPrincipal, null, |
| new Ticket[] {second}, new PAData[] { |
| new PAData(Krb5.PA_PAC_OPTIONS, |
| new PaPacOptions() |
| .setResourceBasedConstrainedDelegation(true) |
| .setClaims(true) |
| .asn1Encode()) |
| }, S4U2Type.PROXY); |
| if (!creds.getClient().equals(client)) { |
| throw new KrbException("S4U2proxy request not honored by KDC"); |
| } |
| return creds; |
| } |
| |
| /** |
| * Acquires credentials for a specified service using initial |
| * credential. When the service has a different realm from the initial |
| * credential, we do cross-realm authentication - first, we use the |
| * current credential to get a cross-realm credential from the local KDC, |
| * then use that cross-realm credential to request service credential |
| * from the foreign KDC. |
| * |
| * @param service the name of service principal |
| * @param ccreds client's initial credential |
| */ |
| public static Credentials acquireServiceCreds( |
| String service, Credentials ccreds) |
| throws KrbException, IOException { |
| PrincipalName sname = new PrincipalName(service, |
| PrincipalName.KRB_NT_UNKNOWN); |
| return serviceCreds(sname, ccreds); |
| } |
| |
| /** |
| * Gets a TGT to another realm |
| * @param localRealm this realm |
| * @param serviceRealm the other realm, cannot equals to localRealm |
| * @param ccreds TGT in this realm |
| * @param okAsDelegate an [out] argument to receive the okAsDelegate |
| * property. True only if all realms allow delegation. |
| * @return the TGT for the other realm, null if cannot find a path |
| * @throws KrbException if something goes wrong |
| */ |
| private static Credentials getTGTforRealm(String localRealm, |
| String serviceRealm, Credentials ccreds, boolean[] okAsDelegate) |
| throws KrbException { |
| |
| // Get a list of realms to traverse |
| String[] realms = Realm.getRealmsList(localRealm, serviceRealm); |
| |
| int i = 0, k = 0; |
| Credentials cTgt = null, newTgt = null, theTgt = null; |
| PrincipalName tempService = null; |
| String newTgtRealm = null; |
| |
| okAsDelegate[0] = true; |
| for (cTgt = ccreds, i = 0; i < realms.length;) { |
| tempService = PrincipalName.tgsService(serviceRealm, realms[i]); |
| |
| if (DEBUG) { |
| System.out.println( |
| ">>> Credentials acquireServiceCreds: main loop: [" |
| + i +"] tempService=" + tempService); |
| } |
| |
| try { |
| newTgt = serviceCreds(tempService, cTgt); |
| } catch (Exception exc) { |
| newTgt = null; |
| } |
| |
| if (newTgt == null) { |
| if (DEBUG) { |
| System.out.println(">>> Credentials acquireServiceCreds: " |
| + "no tgt; searching thru capath"); |
| } |
| |
| /* |
| * No tgt found. Let's go thru the realms list one by one. |
| */ |
| for (newTgt = null, k = i+1; |
| newTgt == null && k < realms.length; k++) { |
| tempService = PrincipalName.tgsService(realms[k], realms[i]); |
| if (DEBUG) { |
| System.out.println( |
| ">>> Credentials acquireServiceCreds: " |
| + "inner loop: [" + k |
| + "] tempService=" + tempService); |
| } |
| try { |
| newTgt = serviceCreds(tempService, cTgt); |
| } catch (Exception exc) { |
| newTgt = null; |
| } |
| } |
| } // Ends 'if (newTgt == null)' |
| |
| if (newTgt == null) { |
| if (DEBUG) { |
| System.out.println(">>> Credentials acquireServiceCreds: " |
| + "no tgt; cannot get creds"); |
| } |
| break; |
| } |
| |
| /* |
| * We have a tgt. It may or may not be for the target. |
| * If it's for the target realm, we're done looking for a tgt. |
| */ |
| newTgtRealm = newTgt.getServer().getInstanceComponent(); |
| if (okAsDelegate[0] && !newTgt.checkDelegate()) { |
| if (DEBUG) { |
| System.out.println(">>> Credentials acquireServiceCreds: " + |
| "global OK-AS-DELEGATE turned off at " + |
| newTgt.getServer()); |
| } |
| okAsDelegate[0] = false; |
| } |
| |
| if (DEBUG) { |
| System.out.println(">>> Credentials acquireServiceCreds: " |
| + "got tgt"); |
| } |
| |
| if (newTgtRealm.equals(serviceRealm)) { |
| /* We got the right tgt */ |
| theTgt = newTgt; |
| break; |
| } |
| |
| /* |
| * The new tgt is not for the target realm. |
| * See if the realm of the new tgt is in the list of realms |
| * and continue looking from there. |
| */ |
| for (k = i+1; k < realms.length; k++) { |
| if (newTgtRealm.equals(realms[k])) { |
| break; |
| } |
| } |
| |
| if (k < realms.length) { |
| /* |
| * (re)set the counter so we start looking |
| * from the realm we just obtained a tgt for. |
| */ |
| i = k; |
| cTgt = newTgt; |
| |
| if (DEBUG) { |
| System.out.println(">>> Credentials acquireServiceCreds: " |
| + "continuing with main loop counter reset to " + i); |
| } |
| continue; |
| } |
| else { |
| /* |
| * The new tgt's realm is not in the hierarchy of realms. |
| * It's probably not safe to get a tgt from |
| * a tgs that is outside the known list of realms. |
| * Give up now. |
| */ |
| break; |
| } |
| } // Ends outermost/main 'for' loop |
| |
| return theTgt; |
| } |
| |
| /* |
| * This method does the real job to request the service credential. |
| */ |
| private static Credentials serviceCreds( |
| PrincipalName service, Credentials ccreds) |
| throws KrbException, IOException { |
| return serviceCreds(new KDCOptions(), ccreds, |
| ccreds.getClient(), service, null, null, |
| null, S4U2Type.NONE); |
| } |
| |
| /* |
| * Obtains credentials for a service (TGS). |
| * Cross-realm referrals are handled if enabled. A fallback scheme |
| * without cross-realm referrals supports is used in case of server |
| * error to maintain backward compatibility. |
| */ |
| private static Credentials serviceCreds( |
| KDCOptions options, Credentials asCreds, |
| PrincipalName cname, PrincipalName sname, |
| PrincipalName user, Ticket[] additionalTickets, |
| PAData[] extraPAs, S4U2Type s4u2Type) |
| throws KrbException, IOException { |
| if (!Config.DISABLE_REFERRALS) { |
| try { |
| return serviceCredsReferrals(options, asCreds, cname, sname, |
| s4u2Type, user, additionalTickets, extraPAs); |
| } catch (KrbException e) { |
| // Server may raise an error if CANONICALIZE is true. |
| // Try CANONICALIZE false. |
| } |
| } |
| return serviceCredsSingle(options, asCreds, cname, |
| asCreds.getClientAlias(), sname, sname, s4u2Type, |
| user, additionalTickets, extraPAs); |
| } |
| |
| /* |
| * Obtains credentials for a service (TGS). |
| * May handle and follow cross-realm referrals as defined by RFC 6806. |
| */ |
| private static Credentials serviceCredsReferrals( |
| KDCOptions options, Credentials asCreds, |
| PrincipalName cname, PrincipalName sname, |
| S4U2Type s4u2Type, PrincipalName user, |
| Ticket[] additionalTickets, PAData[] extraPAs) |
| throws KrbException, IOException { |
| options = new KDCOptions(options.toBooleanArray()); |
| options.set(KDCOptions.CANONICALIZE, true); |
| PrincipalName cSname = sname; |
| PrincipalName refSname = sname; // May change with referrals |
| Credentials creds = null; |
| boolean isReferral = false; |
| List<String> referrals = new LinkedList<>(); |
| PrincipalName clientAlias = asCreds.getClientAlias(); |
| while (referrals.size() <= Config.MAX_REFERRALS) { |
| ReferralsCache.ReferralCacheEntry ref = |
| ReferralsCache.get(cname, sname, user, |
| additionalTickets, refSname.getRealmString()); |
| String toRealm = null; |
| if (ref == null) { |
| creds = serviceCredsSingle(options, asCreds, cname, |
| clientAlias, refSname, cSname, s4u2Type, |
| user, additionalTickets, extraPAs); |
| PrincipalName server = creds.getServer(); |
| if (!refSname.equals(server)) { |
| String[] serverNameStrings = server.getNameStrings(); |
| if (serverNameStrings.length == 2 && |
| serverNameStrings[0].equals( |
| PrincipalName.TGS_DEFAULT_SRV_NAME) && |
| !refSname.getRealmAsString().equals( |
| serverNameStrings[1])) { |
| // Server Name (sname) has the following format: |
| // krbtgt/TO-REALM.COM@FROM-REALM.COM |
| ReferralsCache.put(cname, sname, user, |
| additionalTickets, server.getRealmString(), |
| serverNameStrings[1], creds); |
| toRealm = serverNameStrings[1]; |
| isReferral = true; |
| } |
| } |
| } else { |
| creds = ref.getCreds(); |
| toRealm = ref.getToRealm(); |
| isReferral = true; |
| } |
| if (isReferral) { |
| if (s4u2Type == S4U2Type.PROXY) { |
| Credentials[] credsInOut = |
| new Credentials[] {creds, null}; |
| toRealm = handleS4U2ProxyReferral(asCreds, |
| credsInOut, sname); |
| creds = credsInOut[0]; |
| if (additionalTickets == null || |
| additionalTickets.length == 0 || |
| credsInOut[1] == null) { |
| throw new KrbException("Additional tickets expected" + |
| " for S4U2Proxy."); |
| } |
| additionalTickets[0] = credsInOut[1].getTicket(); |
| } else if (s4u2Type == S4U2Type.SELF) { |
| handleS4U2SelfReferral(extraPAs, user, creds); |
| } |
| if (referrals.contains(toRealm)) { |
| // Referrals loop detected |
| return null; |
| } |
| asCreds = creds; |
| refSname = new PrincipalName(refSname.getNameString(), |
| refSname.getNameType(), toRealm); |
| referrals.add(toRealm); |
| isReferral = false; |
| continue; |
| } |
| break; |
| } |
| return creds; |
| } |
| |
| /* |
| * Obtains credentials for a service (TGS). |
| * If the service realm is different than the one in the TGT, a new TGT for |
| * the service realm is obtained first (see getTGTforRealm call). This is |
| * not expected when following cross-realm referrals because the referral |
| * TGT realm matches the service realm. |
| */ |
| private static Credentials serviceCredsSingle( |
| KDCOptions options, Credentials asCreds, |
| PrincipalName cname, PrincipalName clientAlias, |
| PrincipalName refSname, PrincipalName sname, |
| S4U2Type s4u2Type, PrincipalName user, |
| Ticket[] additionalTickets, PAData[] extraPAs) |
| throws KrbException, IOException { |
| Credentials theCreds = null; |
| boolean[] okAsDelegate = new boolean[]{true}; |
| String[] serverAsCredsNames = asCreds.getServer().getNameStrings(); |
| String tgtRealm = serverAsCredsNames[1]; |
| String serviceRealm = refSname.getRealmString(); |
| if (!serviceRealm.equals(tgtRealm)) { |
| // This is a cross-realm service request |
| if (DEBUG) { |
| System.out.println(">>> serviceCredsSingle:" + |
| " cross-realm authentication"); |
| System.out.println(">>> serviceCredsSingle:" + |
| " obtaining credentials from " + tgtRealm + |
| " to " + serviceRealm); |
| } |
| Credentials newTgt = getTGTforRealm(tgtRealm, serviceRealm, |
| asCreds, okAsDelegate); |
| if (newTgt == null) { |
| throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED, |
| "No service creds"); |
| } |
| if (DEBUG) { |
| System.out.println(">>> Cross-realm TGT Credentials" + |
| " serviceCredsSingle: "); |
| Credentials.printDebug(newTgt); |
| } |
| if (s4u2Type == S4U2Type.SELF) { |
| handleS4U2SelfReferral(extraPAs, user, newTgt); |
| } |
| asCreds = newTgt; |
| cname = asCreds.getClient(); |
| } else if (DEBUG) { |
| System.out.println(">>> Credentials serviceCredsSingle:" + |
| " same realm"); |
| } |
| KrbTgsReq req = new KrbTgsReq(options, asCreds, cname, clientAlias, |
| refSname, sname, additionalTickets, extraPAs); |
| theCreds = req.sendAndGetCreds(); |
| if (theCreds != null) { |
| if (DEBUG) { |
| System.out.println(">>> TGS credentials serviceCredsSingle:"); |
| Credentials.printDebug(theCreds); |
| } |
| if (!okAsDelegate[0]) { |
| theCreds.resetDelegate(); |
| } |
| } |
| return theCreds; |
| } |
| |
| /** |
| * PA-FOR-USER may need to be regenerated if credentials |
| * change. This may happen when obtaining a TGT for a |
| * different realm or when using a referral TGT. |
| */ |
| private static void handleS4U2SelfReferral(PAData[] pas, |
| PrincipalName user, Credentials newCreds) |
| throws Asn1Exception, KrbException, IOException { |
| if (DEBUG) { |
| System.out.println(">>> Handling S4U2Self referral"); |
| } |
| for (int i = 0; i < pas.length; i++) { |
| PAData pa = pas[i]; |
| if (pa.getType() == Krb5.PA_FOR_USER) { |
| pas[i] = new PAData(Krb5.PA_FOR_USER, |
| new PAForUserEnc(user, |
| newCreds.getSessionKey()).asn1Encode()); |
| break; |
| } |
| } |
| } |
| |
| /** |
| * This method is called after receiving the first realm referral for |
| * a S4U2Proxy request. The credentials and tickets needed for the |
| * final S4U2Proxy request (in the referrals chain) are returned. |
| * |
| * Referrals are handled as described by MS-SFU (section 3.1.5.2.2 |
| * Receives Referral). |
| * |
| * @param asCreds middle service credentials used for the first S4U2Proxy |
| * request |
| * @param credsInOut (in/out parameter): |
| * * input: first S4U2Proxy referral TGT received, null |
| * * output: referral TGT for final S4U2Proxy service request, |
| * client referral TGT for final S4U2Proxy service request |
| * (to be sent as additional-ticket) |
| * @param sname the backend service name |
| * @param additionalTickets (out parameter): the additional ticket for the |
| * last S4U2Proxy request is returned |
| * @return the backend realm for the last S4U2Proxy request |
| */ |
| private static String handleS4U2ProxyReferral(Credentials asCreds, |
| Credentials[] credsInOut, PrincipalName sname) |
| throws KrbException, IOException { |
| if (DEBUG) { |
| System.out.println(">>> Handling S4U2Proxy referral"); |
| } |
| Credentials refTGT = null; |
| // Get a credential for the middle service to the backend so we know |
| // the backend realm, as described in MS-SFU (section 3.1.5.2.2). |
| Credentials middleSvcCredsInBackendRealm = |
| serviceCreds(sname, asCreds); |
| String backendRealm = |
| middleSvcCredsInBackendRealm.getServer().getRealmString(); |
| String toRealm = credsInOut[0].getServer().getNameStrings()[1]; |
| if (!toRealm.equals(backendRealm)) { |
| // More than 1 hop. Follow the referrals chain and obtain a |
| // TGT for the backend realm. |
| refTGT = getTGTforRealm(toRealm, backendRealm, credsInOut[0], |
| new boolean[1]); |
| } else { |
| // There was only 1 hop. The referral TGT received is already |
| // for the backend realm. |
| refTGT = credsInOut[0]; |
| } |
| credsInOut[0] = getTGTforRealm(asCreds.getClient().getRealmString(), |
| backendRealm, asCreds, new boolean[1]); |
| credsInOut[1] = refTGT; |
| return backendRealm; |
| } |
| } |
