1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* 26 * 27 * (C) Copyright IBM Corp. 1999 All Rights Reserved. 28 * Copyright 1997 The Open Group Research Institute. All rights reserved. 29 */ 30 31 package sun.security.krb5.internal.ccache; 32 33 import sun.security.krb5.*; 34 import sun.security.krb5.internal.*; 35 36 public class Credentials { 37 38 PrincipalName cname; 39 PrincipalName sname; 40 EncryptionKey key; 41 KerberosTime authtime; 42 KerberosTime starttime;//optional 43 KerberosTime endtime; 44 KerberosTime renewTill; //optional 45 HostAddresses caddr; //optional; for proxied tickets only 46 AuthorizationData authorizationData; //optional, not being actually used 47 public boolean isEncInSKey; // true if ticket is encrypted in another ticket's skey 48 TicketFlags flags; 49 Ticket ticket; 50 Ticket secondTicket; //optional 51 Credentials( PrincipalName new_cname, PrincipalName new_sname, EncryptionKey new_key, KerberosTime new_authtime, KerberosTime new_starttime, KerberosTime new_endtime, KerberosTime new_renewTill, boolean new_isEncInSKey, TicketFlags new_flags, HostAddresses new_caddr, AuthorizationData new_authData, Ticket new_ticket, Ticket new_secondTicket)52 public Credentials( 53 PrincipalName new_cname, 54 PrincipalName new_sname, 55 EncryptionKey new_key, 56 KerberosTime new_authtime, 57 KerberosTime new_starttime, 58 KerberosTime new_endtime, 59 KerberosTime new_renewTill, 60 boolean new_isEncInSKey, 61 TicketFlags new_flags, 62 HostAddresses new_caddr, 63 AuthorizationData new_authData, 64 Ticket new_ticket, 65 Ticket new_secondTicket) { 66 cname = (PrincipalName) new_cname.clone(); 67 sname = (PrincipalName) new_sname.clone(); 68 key = (EncryptionKey) new_key.clone(); 69 70 authtime = new_authtime; 71 starttime = new_starttime; 72 endtime = new_endtime; 73 renewTill = new_renewTill; 74 75 if (new_caddr != null) { 76 caddr = (HostAddresses) new_caddr.clone(); 77 } 78 if (new_authData != null) { 79 authorizationData = (AuthorizationData) new_authData.clone(); 80 } 81 82 isEncInSKey = new_isEncInSKey; 83 flags = (TicketFlags) new_flags.clone(); 84 ticket = (Ticket) (new_ticket.clone()); 85 if (new_secondTicket != null) { 86 secondTicket = (Ticket) new_secondTicket.clone(); 87 } 88 } 89 Credentials( KDCRep kdcRep, Ticket new_secondTicket, AuthorizationData new_authorizationData, boolean new_isEncInSKey)90 public Credentials( 91 KDCRep kdcRep, 92 Ticket new_secondTicket, 93 AuthorizationData new_authorizationData, 94 boolean new_isEncInSKey) { 95 if (kdcRep.encKDCRepPart == null) //can't store while encrypted 96 { 97 return; 98 } 99 cname = (PrincipalName) kdcRep.cname.clone(); 100 ticket = (Ticket) kdcRep.ticket.clone(); 101 key = (EncryptionKey) kdcRep.encKDCRepPart.key.clone(); 102 flags = (TicketFlags) kdcRep.encKDCRepPart.flags.clone(); 103 authtime = kdcRep.encKDCRepPart.authtime; 104 starttime = kdcRep.encKDCRepPart.starttime; 105 endtime = kdcRep.encKDCRepPart.endtime; 106 renewTill = kdcRep.encKDCRepPart.renewTill; 107 108 sname = (PrincipalName) kdcRep.encKDCRepPart.sname.clone(); 109 caddr = (HostAddresses) kdcRep.encKDCRepPart.caddr.clone(); 110 secondTicket = (Ticket) new_secondTicket.clone(); 111 authorizationData = 112 (AuthorizationData) new_authorizationData.clone(); 113 isEncInSKey = new_isEncInSKey; 114 } 115 Credentials(KDCRep kdcRep)116 public Credentials(KDCRep kdcRep) { 117 this(kdcRep, null); 118 } 119 Credentials(KDCRep kdcRep, Ticket new_ticket)120 public Credentials(KDCRep kdcRep, Ticket new_ticket) { 121 sname = (PrincipalName) kdcRep.encKDCRepPart.sname.clone(); 122 cname = (PrincipalName) kdcRep.cname.clone(); 123 key = (EncryptionKey) kdcRep.encKDCRepPart.key.clone(); 124 authtime = kdcRep.encKDCRepPart.authtime; 125 starttime = kdcRep.encKDCRepPart.starttime; 126 endtime = kdcRep.encKDCRepPart.endtime; 127 renewTill = kdcRep.encKDCRepPart.renewTill; 128 // if (kdcRep.msgType == Krb5.KRB_AS_REP) { 129 // isEncInSKey = false; 130 // secondTicket = null; 131 // } 132 flags = kdcRep.encKDCRepPart.flags; 133 if (kdcRep.encKDCRepPart.caddr != null) { 134 caddr = (HostAddresses) kdcRep.encKDCRepPart.caddr.clone(); 135 } else { 136 caddr = null; 137 } 138 ticket = (Ticket) kdcRep.ticket.clone(); 139 if (new_ticket != null) { 140 secondTicket = (Ticket) new_ticket.clone(); 141 isEncInSKey = true; 142 } else { 143 secondTicket = null; 144 isEncInSKey = false; 145 } 146 } 147 148 /** 149 * Checks if this credential is expired 150 */ isValid()151 public boolean isValid() { 152 boolean valid = true; 153 if (endtime.getTime() < System.currentTimeMillis()) { 154 valid = false; 155 } else if (starttime != null) { 156 if (starttime.getTime() > System.currentTimeMillis()) { 157 valid = false; 158 } 159 } else { 160 if (authtime.getTime() > System.currentTimeMillis()) { 161 valid = false; 162 } 163 } 164 return valid; 165 } 166 getServicePrincipal()167 public PrincipalName getServicePrincipal() throws RealmException { 168 return sname; 169 } 170 getTicket()171 public Ticket getTicket() throws RealmException { 172 return ticket; 173 } 174 getServicePrincipal2()175 public PrincipalName getServicePrincipal2() throws RealmException { 176 return secondTicket == null ? null : secondTicket.sname; 177 } 178 getClientPrincipal()179 public PrincipalName getClientPrincipal() throws RealmException { 180 return cname; 181 } 182 setKrbCreds()183 public sun.security.krb5.Credentials setKrbCreds() { 184 // Note: We will not pass authorizationData to s.s.k.Credentials. The 185 // field in that class will be passed to Krb5Context as the return 186 // value of ExtendedGSSContext.inquireSecContext(KRB5_GET_AUTHZ_DATA), 187 // which is documented as the authData in the service ticket. That 188 // is on the acceptor side. 189 // 190 // This class is for the initiator side. Also, authdata inside a ccache 191 // is most likely to be the one in Authenticator in PA-TGS-REQ encoded 192 // in TGS-REQ, therefore only stored with a service ticket. Currently 193 // in Java, we only reads TGTs. 194 return new sun.security.krb5.Credentials(ticket, cname, null, sname, 195 null, key, flags, authtime, starttime, endtime, renewTill, 196 caddr); 197 } 198 getStartTime()199 public KerberosTime getStartTime() { 200 return starttime; 201 } 202 getAuthTime()203 public KerberosTime getAuthTime() { 204 return authtime; 205 } 206 getEndTime()207 public KerberosTime getEndTime() { 208 return endtime; 209 } 210 getRenewTill()211 public KerberosTime getRenewTill() { 212 return renewTill; 213 } 214 getTicketFlags()215 public TicketFlags getTicketFlags() { 216 return flags; 217 } 218 getEType()219 public int getEType() { 220 return key.getEType(); 221 } 222 getKey()223 public EncryptionKey getKey() { 224 return key; 225 } 226 getTktEType()227 public int getTktEType() { 228 return ticket.encPart.getEType(); 229 } 230 getTktEType2()231 public int getTktEType2() { 232 return (secondTicket == null) ? 0 : secondTicket.encPart.getEType(); 233 } 234 } 235