1 /*
2  * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.  Oracle designates this
8  * particular file as subject to the "Classpath" exception as provided
9  * by Oracle in the LICENSE file that accompanied this code.
10  *
11  * This code is distributed in the hope that it will be useful, but WITHOUT
12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14  * version 2 for more details (a copy is included in the LICENSE file that
15  * accompanied this code).
16  *
17  * You should have received a copy of the GNU General Public License version
18  * 2 along with this work; if not, write to the Free Software Foundation,
19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20  *
21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22  * or visit www.oracle.com if you need additional information or have any
23  * questions.
24  */
25 
26 package sun.security.jgss.krb5;
27 
28 import org.ietf.jgss.*;
29 import java.io.InputStream;
30 import java.io.IOException;
31 import java.security.AccessController;
32 
33 import sun.security.action.GetBooleanAction;
34 import sun.security.krb5.*;
35 
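/**
 * The AP-REP leg of the Kerberos V5 GSS-API context establishment: a
 * two-byte {@code AP_REP_ID} token id followed by a DER-encoded AP-REP.
 *
 * <p>The acceptor builds one (first constructor) and sends it with
 * {@link #encode()}; the initiator parses the received bytes (second
 * constructor) and applies the peer's subkey and sequence number to its
 * {@link Krb5Context}. Instances are not shared between threads.
 */
class AcceptSecContextToken extends InitialToken {

    /**
     * The AP-REP built on the acceptor side. {@code null} for a token parsed
     * on the initiator side, where nothing is sent back and {@link #encode()}
     * must not be called.
     */
    private final KrbApRep apRep;

    /**
     * Creates an AcceptSecContextToken for the context acceptor to send to
     * the context initiator.
     *
     * <p>Whether an acceptor subkey is placed in the AP-REP is governed by the
     * {@code sun.security.krb5.acceptor.subkey} system property. When it is
     * set, the subkey is also installed in {@code context} as
     * {@code ACCEPTOR_SUBKEY}; the acceptor's own context key was already set
     * when the InitSecContextToken was received.
     *
     * @param context the acceptor-side context whose outgoing sequence number
     *                (and optionally subkey) is updated
     * @param apReq   the AP-REQ received from the initiator that this AP-REP
     *                answers
     * @throws KrbException if the AP-REP cannot be built
     * @throws IOException  if the AP-REP cannot be encoded
     * @throws GSSException if the context rejects the subkey
     */
    public AcceptSecContextToken(Krb5Context context,
                                 KrbApReq apReq)
        throws KrbException, IOException, GSSException {

        boolean useSubkey = AccessController.doPrivileged(
                new GetBooleanAction("sun.security.krb5.acceptor.subkey"));

        // A sequence number is always included in the AP-REP we emit.
        boolean useSequenceNumber = true;

        EncryptionKey subKey = null;
        if (useSubkey) {
            // NOTE(review): presumably yields a fresh key of the same type as
            // the AP-REQ session key -- confirm against EncryptionKey.
            subKey = new EncryptionKey(apReq.getCreds().getSessionKey());
            context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
        }
        apRep = new KrbApRep(apReq, useSequenceNumber, subKey);

        // Our outgoing sequence numbers start from the one carried in the
        // AP-REP so the peer can check them.
        context.resetMySequenceNumber(apRep.getSeqNumber().intValue());

        /*
         * Note: The acceptor side context key was set when the
         * InitSecContextToken was received.
         */
    }

    /**
     * Creates an AcceptSecContextToken at the context initiator's side
     * using the bytes received from the acceptor.
     *
     * <p>The bytes on {@code is} come from the peer and are untrusted: the
     * two-byte token id is checked first, the DER-encoded AP-REP is then read
     * and handed to {@link KrbApRep}, which is expected to decrypt and verify
     * it against {@code apReq} and {@code serviceCreds} before its subkey and
     * sequence number are applied to {@code context}.
     *
     * @param context      the initiator-side context to update with the
     *                     peer's subkey (if any) and sequence number
     * @param serviceCreds the credentials used to process the AP-REP
     * @param apReq        the AP-REQ this AP-REP must answer
     * @param is           stream positioned at the start of the AP-REP token
     * @throws GSSException with {@code DEFECTIVE_TOKEN} if the stream ends
     *                      before the token id is complete or the id is not
     *                      {@code AP_REP_ID}
     * @throws IOException  if the DER value cannot be read
     * @throws KrbException if the AP-REP is malformed or fails verification
     */
    public AcceptSecContextToken(Krb5Context context,
                                 Credentials serviceCreds, KrbApReq apReq,
                                 InputStream is)
        throws IOException, GSSException, KrbException  {

        // Nothing is sent back from the initiator side, so there is no
        // AP-REP to encode.
        this.apRep = null;

        // Read the two token-id bytes separately so that a truncated stream
        // is reported as such rather than being folded into the id compare
        // via the -1 returned by read().
        int hi = is.read();
        int lo = is.read();
        if (hi < 0 || lo < 0) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                                   "AP_REP token truncated!");
        }
        int tokenId = (hi << 8) | lo;

        if (tokenId != Krb5Token.AP_REP_ID) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                                   "AP_REP token id does not match!");
        }

        byte[] apRepBytes =
            new sun.security.util.DerValue(is).toByteArray();

        // Local, not the field: this token is never encoded again. Named
        // distinctly so the field is not shadowed.
        KrbApRep receivedApRep = new KrbApRep(apRepBytes, serviceCreds, apReq);

        /*
         * Allow the context acceptor to set a subkey if desired; our own
         * acceptor only does so when sun.security.krb5.acceptor.subkey is
         * set.
         */
        EncryptionKey subKey = receivedApRep.getSubKey();
        if (subKey != null) {
            context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
        }

        // An AP-REP without a sequence number is treated as starting at 0.
        Integer apRepSeqNumber = receivedApRep.getSeqNumber();
        int peerSeqNumber = (apRepSeqNumber != null ?
                             apRepSeqNumber.intValue() :
                             0);
        context.resetPeerSequenceNumber(peerSeqNumber);
    }

    /**
     * Returns the wire form of this token: the two-byte {@code AP_REP_ID}
     * followed by the encoded AP-REP message.
     *
     * @return the token bytes
     * @throws IOException if the AP-REP message cannot be retrieved
     * @throws IllegalStateException if this token was parsed on the initiator
     *         side and therefore has no AP-REP to send
     */
    public final byte[] encode() throws IOException {
        if (apRep == null) {
            throw new IllegalStateException(
                "encode() is only valid for an acceptor-built AP-REP token");
        }
        byte[] apRepBytes = apRep.getMessage();
        byte[] retVal = new byte[2 + apRepBytes.length];
        writeInt(Krb5Token.AP_REP_ID, retVal, 0);
        System.arraycopy(apRepBytes, 0, retVal, 2, apRepBytes.length);
        return retVal;
    }
}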
116