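/*
 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.jgss.krb5;

import org.ietf.jgss.*;
import java.io.InputStream;
import java.io.IOException;
import java.security.AccessController;

import sun.security.action.GetBooleanAction;
import sun.security.krb5.*;
import sun.security.util.DerValue;

/**
 * The AP-REP token of the Kerberos V5 GSS-API mechanism.
 *
 * The acceptor answers the initiator's AP-REQ with this token; it carries the
 * acceptor's initial sequence number and, optionally, an acceptor subkey. One
 * constructor builds the token on the acceptor side, the other parses and
 * verifies the token received on the initiator side. Only an acceptor-side
 * instance can be encoded.
 */
class AcceptSecContextToken extends InitialToken {

    // Set only by the acceptor-side constructor; encode() serializes it.
    // Initiator-side instances leave it null.
    private KrbApRep apRep = null;

    /**
     * Creates an AcceptSecContextToken for the context acceptor to send to
     * the context initiator.
     *
     * @param context the acceptor's context; receives the acceptor subkey
     *                (when enabled) and the acceptor's own initial sequence
     *                number
     * @param apReq   the AP-REQ received from the initiator that this AP-REP
     *                answers
     * @throws KrbException if the AP-REP cannot be built
     * @throws IOException  if the AP-REP cannot be encoded
     * @throws GSSException propagated from the context layer
     */
    public AcceptSecContextToken(Krb5Context context,
                                 KrbApReq apReq)
        throws KrbException, IOException, GSSException {

        // Opt-in via system property: when set, a subkey built from the
        // AP-REQ's session key is installed in the context and sent to the
        // initiator in the AP-REP.
        boolean useSubkey = AccessController.doPrivileged(
            new GetBooleanAction("sun.security.krb5.acceptor.subkey"));

        // The acceptor always asks for a sequence number in its AP-REP.
        boolean useSequenceNumber = true;

        EncryptionKey subKey = null;
        if (useSubkey) {
            subKey = new EncryptionKey(apReq.getCreds().getSessionKey());
            context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
        }
        apRep = new KrbApRep(apReq, useSequenceNumber, subKey);

        // Our own sequence numbering starts at the value carried in the
        // AP-REP we send. NOTE(review): getSeqNumber() is assumed non-null
        // because a sequence number was requested above — confirm in KrbApRep.
        context.resetMySequenceNumber(apRep.getSeqNumber().intValue());

        /*
         * Note: The acceptor side context key was set when the
         * InitSecContextToken was received.
         */
    }

    /**
     * Creates an AcceptSecContextToken at the context initiator's side
     * using the bytes received from the acceptor.
     *
     * @param context      the initiator's context; receives the peer's subkey
     *                     (if any) and the peer's initial sequence number
     * @param serviceCreds the credentials the AP-REQ was built from, used to
     *                     process the AP-REP
     * @param apReq        the AP-REQ previously sent by the initiator
     * @param is           stream positioned at the two token-id bytes of the
     *                     received token
     * @throws GSSException with {@link GSSException#DEFECTIVE_TOKEN} if the
     *                      token id is not {@code Krb5Token.AP_REP_ID}; a
     *                      stream truncated within the token id is rejected
     *                      the same way
     * @throws IOException  if the stream cannot be read or the AP-REP is not
     *                      well-formed DER
     * @throws KrbException if KrbApRep rejects the reply (decryption or
     *                      consistency check against the AP-REQ)
     */
    public AcceptSecContextToken(Krb5Context context,
                                 Credentials serviceCreds, KrbApReq apReq,
                                 InputStream is)
        throws IOException, GSSException, KrbException {

        // Two-byte big-endian token id. InputStream.read() returns -1 at end
        // of stream; OR-ing -1 into the composed value makes it -1, which can
        // never equal AP_REP_ID, so a truncated token fails the check below.
        int hi = is.read();
        int lo = is.read();
        int tokenId = (hi << 8) | lo;

        if (tokenId != Krb5Token.AP_REP_ID) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                                   "AP_REP token id does not match!");
        }

        // Peer-supplied bytes: malformed DER surfaces here as an IOException
        // before any Kerberos processing of the reply takes place.
        byte[] apRepBytes = new DerValue(is).toByteArray();

        // Deliberately a local, not the apRep field: the initiator never
        // encodes this token, so the field stays null on this side.
        KrbApRep peerApRep = new KrbApRep(apRepBytes, serviceCreds, apReq);

        /*
         * Allow the context acceptor to set a subkey if desired (our own
         * acceptor only does so when sun.security.krb5.acceptor.subkey is set).
         */
        EncryptionKey subKey = peerApRep.getSubKey();
        if (subKey != null) {
            context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
        }

        // The peer's sequence numbering starts at the value it sent, or at 0
        // when the AP-REP carries no sequence number.
        Integer apRepSeqNumber = peerApRep.getSeqNumber();
        int peerSeqNumber = (apRepSeqNumber != null
                             ? apRepSeqNumber.intValue()
                             : 0);
        context.resetPeerSequenceNumber(peerSeqNumber);
    }

    /**
     * Serializes this token for transmission: the two-byte
     * {@code Krb5Token.AP_REP_ID} followed by the AP-REP message bytes.
     *
     * Only valid on an acceptor-side instance; an initiator-side instance
     * never sets {@code apRep} and calling this on one throws
     * {@link NullPointerException}.
     *
     * @return the encoded token bytes
     * @throws IOException propagated from the token encoding helpers
     */
    public final byte[] encode() throws IOException {
        byte[] apRepBytes = apRep.getMessage();
        byte[] retVal = new byte[2 + apRepBytes.length];
        writeInt(Krb5Token.AP_REP_ID, retVal, 0);
        System.arraycopy(apRepBytes, 0, retVal, 2, apRepBytes.length);
        return retVal;
    }
}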