1 /*
2  * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.  Oracle designates this
8  * particular file as subject to the "Classpath" exception as provided
9  * by Oracle in the LICENSE file that accompanied this code.
10  *
11  * This code is distributed in the hope that it will be useful, but WITHOUT
12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14  * version 2 for more details (a copy is included in the LICENSE file that
15  * accompanied this code).
16  *
17  * You should have received a copy of the GNU General Public License version
18  * 2 along with this work; if not, write to the Free Software Foundation,
19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20  *
21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22  * or visit www.oracle.com if you need additional information or have any
23  * questions.
24  */
25 package sun.security.jgss.wrapper;
26 
27 import org.ietf.jgss.*;
28 import java.security.Provider;
29 import sun.security.jgss.GSSUtil;
30 import sun.security.jgss.spi.GSSCredentialSpi;
31 import sun.security.jgss.spi.GSSNameSpi;
32 
33 /**
34  * This class is essentially a wrapper class for the gss_cred_id_t
35  * structure of the native GSS library.
36  * @author Valerie Peng
37  * @since 1.6
38  */
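public class GSSCredElement implements GSSCredentialSpi {

    // Credential usage; compared against GSSCredential.ACCEPT_ONLY and
    // GSSCredential.INITIATE_ONLY by the is*Credential() methods below.
    private int usage;
    // Pointer to the gss_cred_id_t structure. Package-private, and 0 is
    // treated as "nothing to release" by dispose().
    long pCred;
    // Name this credential was acquired for; may be the
    // GSSNameElement.DEF_ACCEPTOR sentinel, and is null after dispose().
    private GSSNameElement name = null;
    // Native library stub for the mechanism of this credential.
    private GSSLibStub cStub;

    /**
     * Performs the necessary ServicePermission check on this credential.
     *
     * <p>The check only runs when the mechanism is Kerberos and a
     * SecurityManager is installed; in every other case this method returns
     * without checking anything. An initiator credential is checked for
     * "initiate" on the TGS name derived from {@code name}; an acceptor
     * credential is checked for "accept" on the Kerberos name, unless the
     * name is the {@code DEF_ACCEPTOR} sentinel.
     *
     * @throws GSSException declared by this method; the visible body does
     *         not throw it directly
     */
    void doServicePermCheck() throws GSSException {
        if (!GSSUtil.isKerberosMech(cStub.getMech())) {
            return;
        }
        if (System.getSecurityManager() == null) {
            return;
        }
        if (isInitiatorCredential()) {
            String tgsName = Krb5Util.getTGSName(name);
            Krb5Util.checkServicePermission(tgsName, "initiate");
        }
        if (isAcceptorCredential() &&
            name != GSSNameElement.DEF_ACCEPTOR) {
            String krbName = name.getKrbName();
            Krb5Util.checkServicePermission(krbName, "accept");
        }
    }

    /**
     * Constructs a delegation credential using the actual context mechanism
     * and source name.
     *
     * <p>The native handle is stored as given and the usage is fixed to
     * {@code INITIATE_ONLY}. No ServicePermission check is performed here.
     * NOTE(review): presumably the caller has already authorized the
     * delegated credential; confirm at the call site.
     *
     * @param pCredentials native gss_cred_id_t pointer to wrap
     * @param srcName name associated with the delegated credential
     * @param mech mechanism used to look up the native stub
     */
    GSSCredElement(long pCredentials, GSSNameElement srcName, Oid mech)
        throws GSSException {
        pCred = pCredentials;
        cStub = GSSLibStub.getInstance(mech);
        usage = GSSCredential.INITIATE_ONLY;
        name = srcName;
    }

    /**
     * Acquires a native credential for the given name, or the default
     * credential when {@code name} is null.
     *
     * <p>With an explicit name the permission check runs before anything is
     * acquired. With a null name the principal is only known after the
     * native acquisition, so the check necessarily runs afterwards; if that
     * check (or the name lookup) fails, the freshly acquired native
     * credential is released immediately instead of being left for
     * finalize().
     *
     * @param name name to acquire for, or null for the default credential
     * @param lifetime requested lifetime, passed through to the native stub
     * @param usage credential usage, passed through to the native stub
     * @param stub native library stub to acquire the credential from
     */
    GSSCredElement(GSSNameElement name, int lifetime, int usage,
                   GSSLibStub stub) throws GSSException {
        cStub = stub;
        this.usage = usage;

        if (name != null) { // Could be GSSNameElement.DEF_ACCEPTOR
            this.name = name;
            doServicePermCheck();
            pCred = cStub.acquireCred(this.name.pName, lifetime, usage);
        } else {
            pCred = cStub.acquireCred(0, lifetime, usage);
            try {
                this.name = new GSSNameElement(cStub.getCredName(pCred), cStub);
                doServicePermCheck();
            } catch (GSSException | RuntimeException e) {
                // The caller is not getting this credential: give the native
                // handle back now rather than whenever the finalizer runs.
                // dispose() stores the value returned by releaseCred in
                // pCred, so a later finalize() releases again only if that
                // value is non-zero.
                try {
                    dispose();
                } catch (GSSException | RuntimeException releaseFailure) {
                    // Keep the original failure as the one that propagates.
                    e.addSuppressed(releaseFailure);
                }
                throw e;
            }
        }
    }

    /** Returns the provider instance for the native GSS wrapper. */
    public Provider getProvider() {
        return SunNativeProvider.INSTANCE;
    }

    /**
     * Drops the name reference and releases the native credential if the
     * pointer is non-zero; the pointer is replaced by whatever the native
     * release call returns.
     */
    public void dispose() throws GSSException {
        name = null;
        if (pCred != 0) {
            pCred = cStub.releaseCred(pCred);
        }
    }

    /**
     * Returns the credential name, or null when the name is the
     * {@code DEF_ACCEPTOR} sentinel (and also after dispose(), which clears
     * the name).
     */
    public GSSNameElement getName() throws GSSException {
        return (name == GSSNameElement.DEF_ACCEPTOR ?
            null : name);
    }

    /**
     * Returns the credential time reported by the native stub when this is
     * an initiator credential, otherwise 0.
     */
    public int getInitLifetime() throws GSSException {
        if (isInitiatorCredential()) {
            return cStub.getCredTime(pCred);
        } else {
            return 0;
        }
    }

    /**
     * Returns the credential time reported by the native stub when this is
     * an acceptor credential, otherwise 0.
     */
    public int getAcceptLifetime() throws GSSException {
        if (isAcceptorCredential()) {
            return cStub.getCredTime(pCred);
        } else {
            return 0;
        }
    }

    /** True for every usage except {@code ACCEPT_ONLY}. */
    public boolean isInitiatorCredential() {
        return (usage != GSSCredential.ACCEPT_ONLY);
    }

    /** True for every usage except {@code INITIATE_ONLY}. */
    public boolean isAcceptorCredential() {
        return (usage != GSSCredential.INITIATE_ONLY);
    }

    /** Returns the mechanism of the underlying native stub. */
    public Oid getMechanism() {
        return cStub.getMech();
    }

    @Override
    public String toString() {
        // No hex bytes available for native impl
        return "N/A";
    }

    // Last-resort release of the native handle; callers that want the
    // credential released at a known point must call dispose() themselves.
    @Override
    @SuppressWarnings("deprecation")
    protected void finalize() throws Throwable {
        dispose();
    }

    /** Impersonation is not implemented; always fails with FAILURE. */
    @Override
    public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
        throw new GSSException(GSSException.FAILURE, -1,
                "Not supported yet");
    }
}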