1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* 26 * 27 * (C) Copyright IBM Corp. 1999 All Rights Reserved. 28 * Copyright 1997 The Open Group Research Institute. All rights reserved. 29 */ 30 31 package sun.security.krb5.internal.ccache; 32 33 import sun.security.krb5.*; 34 import sun.security.krb5.internal.*; 35 36 public class Credentials { 37 38 PrincipalName cname; 39 PrincipalName sname; 40 EncryptionKey key; 41 KerberosTime authtime; 42 KerberosTime starttime;//optional 43 KerberosTime endtime; 44 KerberosTime renewTill; //optional 45 HostAddresses caddr; //optional; for proxied tickets only 46 AuthorizationData authorizationData; //optional, not being actually used 47 public boolean isEncInSKey; // true if ticket is encrypted in another ticket's skey 48 TicketFlags flags; 49 Ticket ticket; 50 Ticket secondTicket; //optional 51 private boolean DEBUG = Krb5.DEBUG; 52 Credentials( PrincipalName new_cname, PrincipalName new_sname, EncryptionKey new_key, KerberosTime new_authtime, KerberosTime new_starttime, KerberosTime new_endtime, KerberosTime new_renewTill, boolean new_isEncInSKey, TicketFlags new_flags, HostAddresses new_caddr, AuthorizationData new_authData, Ticket new_ticket, Ticket new_secondTicket)53 public Credentials( 54 PrincipalName new_cname, 55 PrincipalName new_sname, 56 EncryptionKey new_key, 57 KerberosTime new_authtime, 58 KerberosTime new_starttime, 59 KerberosTime new_endtime, 60 KerberosTime new_renewTill, 61 boolean new_isEncInSKey, 62 TicketFlags new_flags, 63 HostAddresses new_caddr, 64 AuthorizationData new_authData, 65 Ticket new_ticket, 66 Ticket new_secondTicket) { 67 cname = (PrincipalName) new_cname.clone(); 68 sname = (PrincipalName) new_sname.clone(); 69 key = (EncryptionKey) new_key.clone(); 70 71 authtime = new_authtime; 72 starttime = new_starttime; 73 endtime = new_endtime; 74 renewTill = new_renewTill; 75 76 if (new_caddr != null) { 77 caddr = (HostAddresses) new_caddr.clone(); 78 } 79 if (new_authData != null) { 80 authorizationData = (AuthorizationData) new_authData.clone(); 81 } 82 83 isEncInSKey = new_isEncInSKey; 84 flags = (TicketFlags) new_flags.clone(); 85 ticket = (Ticket) (new_ticket.clone()); 86 if (new_secondTicket != null) { 87 secondTicket = (Ticket) new_secondTicket.clone(); 88 } 89 } 90 Credentials( KDCRep kdcRep, Ticket new_secondTicket, AuthorizationData new_authorizationData, boolean new_isEncInSKey)91 public Credentials( 92 KDCRep kdcRep, 93 Ticket new_secondTicket, 94 AuthorizationData new_authorizationData, 95 boolean new_isEncInSKey) { 96 if (kdcRep.encKDCRepPart == null) //can't store while encrypted 97 { 98 return; 99 } 100 cname = (PrincipalName) kdcRep.cname.clone(); 101 ticket = (Ticket) kdcRep.ticket.clone(); 102 key = (EncryptionKey) kdcRep.encKDCRepPart.key.clone(); 103 flags = (TicketFlags) kdcRep.encKDCRepPart.flags.clone(); 104 authtime = kdcRep.encKDCRepPart.authtime; 105 starttime = kdcRep.encKDCRepPart.starttime; 106 endtime = kdcRep.encKDCRepPart.endtime; 107 renewTill = kdcRep.encKDCRepPart.renewTill; 108 109 sname = (PrincipalName) kdcRep.encKDCRepPart.sname.clone(); 110 caddr = (HostAddresses) kdcRep.encKDCRepPart.caddr.clone(); 111 secondTicket = (Ticket) new_secondTicket.clone(); 112 authorizationData = 113 (AuthorizationData) new_authorizationData.clone(); 114 isEncInSKey = new_isEncInSKey; 115 } 116 Credentials(KDCRep kdcRep)117 public Credentials(KDCRep kdcRep) { 118 this(kdcRep, null); 119 } 120 Credentials(KDCRep kdcRep, Ticket new_ticket)121 public Credentials(KDCRep kdcRep, Ticket new_ticket) { 122 sname = (PrincipalName) kdcRep.encKDCRepPart.sname.clone(); 123 cname = (PrincipalName) kdcRep.cname.clone(); 124 key = (EncryptionKey) kdcRep.encKDCRepPart.key.clone(); 125 authtime = kdcRep.encKDCRepPart.authtime; 126 starttime = kdcRep.encKDCRepPart.starttime; 127 endtime = kdcRep.encKDCRepPart.endtime; 128 renewTill = kdcRep.encKDCRepPart.renewTill; 129 // if (kdcRep.msgType == Krb5.KRB_AS_REP) { 130 // isEncInSKey = false; 131 // secondTicket = null; 132 // } 133 flags = kdcRep.encKDCRepPart.flags; 134 if (kdcRep.encKDCRepPart.caddr != null) { 135 caddr = (HostAddresses) kdcRep.encKDCRepPart.caddr.clone(); 136 } else { 137 caddr = null; 138 } 139 ticket = (Ticket) kdcRep.ticket.clone(); 140 if (new_ticket != null) { 141 secondTicket = (Ticket) new_ticket.clone(); 142 isEncInSKey = true; 143 } else { 144 secondTicket = null; 145 isEncInSKey = false; 146 } 147 } 148 149 /** 150 * Checks if this credential is expired 151 */ isValid()152 public boolean isValid() { 153 boolean valid = true; 154 if (endtime.getTime() < System.currentTimeMillis()) { 155 valid = false; 156 } else if (starttime != null) { 157 if (starttime.getTime() > System.currentTimeMillis()) { 158 valid = false; 159 } 160 } else { 161 if (authtime.getTime() > System.currentTimeMillis()) { 162 valid = false; 163 } 164 } 165 return valid; 166 } 167 getServicePrincipal()168 public PrincipalName getServicePrincipal() throws RealmException { 169 return sname; 170 } 171 setKrbCreds()172 public sun.security.krb5.Credentials setKrbCreds() { 173 // Note: We will not pass authorizationData to s.s.k.Credentials. The 174 // field in that class will be passed to Krb5Context as the return 175 // value of ExtendedGSSContext.inquireSecContext(KRB5_GET_AUTHZ_DATA), 176 // which is documented as the authData in the service ticket. That 177 // is on the acceptor side. 178 // 179 // This class is for the initiator side. Also, authdata inside a ccache 180 // is most likely to be the one in Authenticator in PA-TGS-REQ encoded 181 // in TGS-REQ, therefore only stored with a service ticket. Currently 182 // in Java, we only reads TGTs. 183 return new sun.security.krb5.Credentials(ticket, 184 cname, sname, key, flags, authtime, starttime, endtime, renewTill, caddr); 185 } 186 getStartTime()187 public KerberosTime getStartTime() { 188 return starttime; 189 } 190 getAuthTime()191 public KerberosTime getAuthTime() { 192 return authtime; 193 } 194 getEndTime()195 public KerberosTime getEndTime() { 196 return endtime; 197 } 198 getRenewTill()199 public KerberosTime getRenewTill() { 200 return renewTill; 201 } 202 getTicketFlags()203 public TicketFlags getTicketFlags() { 204 return flags; 205 } 206 getEType()207 public int getEType() { 208 return key.getEType(); 209 } 210 getTktEType()211 public int getTktEType() { 212 return ticket.encPart.getEType(); 213 } 214 } 215