1 /*
2  * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.  Oracle designates this
8  * particular file as subject to the "Classpath" exception as provided
9  * by Oracle in the LICENSE file that accompanied this code.
10  *
11  * This code is distributed in the hope that it will be useful, but WITHOUT
12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14  * version 2 for more details (a copy is included in the LICENSE file that
15  * accompanied this code).
16  *
17  * You should have received a copy of the GNU General Public License version
18  * 2 along with this work; if not, write to the Free Software Foundation,
19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20  *
21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22  * or visit www.oracle.com if you need additional information or have any
23  * questions.
24  */
25 package sun.security.jgss.wrapper;
26 
27 import org.ietf.jgss.*;
28 import java.security.Provider;
29 import sun.security.jgss.GSSUtil;
30 import sun.security.jgss.spi.GSSCredentialSpi;
31 import sun.security.jgss.spi.GSSNameSpi;
32 
33 /**
34  * This class is essentially a wrapper class for the gss_cred_id_t
35  * structure of the native GSS library.
36  * @author Valerie Peng
37  * @since 1.6
38  */
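public class GSSCredElement implements GSSCredentialSpi {

    // One of the GSSCredential usage constants (INITIATE_ONLY, ACCEPT_ONLY,
    // INITIATE_AND_ACCEPT); decides which lifetime/role queries apply.
    private int usage;
    long pCred; // Pointer to the gss_cred_id_t structure; 0 once released
    private GSSNameElement name = null;
    private GSSLibStub cStub;

    /**
     * Performs the ServicePermission checks required for this credential.
     * The checks are only made for the Kerberos mechanism and only when a
     * security manager is installed: an initiator credential is checked for
     * "initiate" against the TGS name, and an acceptor credential other than
     * the default acceptor is checked for "accept" against its Kerberos name.
     *
     * @throws GSSException if a name cannot be resolved for the check
     */
    void doServicePermCheck() throws GSSException {
        if (!GSSUtil.isKerberosMech(cStub.getMech())) {
            return; // permission checks apply to the Kerberos mechanism only
        }
        if (System.getSecurityManager() == null) {
            return;
        }
        if (isInitiatorCredential()) {
            String tgsName = Krb5Util.getTGSName(name);
            Krb5Util.checkServicePermission(tgsName, "initiate");
        }
        // The default acceptor name carries no concrete principal to check.
        if (isAcceptorCredential() && name != GSSNameElement.DEF_ACCEPTOR) {
            String krbName = name.getKrbName();
            Krb5Util.checkServicePermission(krbName, "accept");
        }
    }

    /**
     * Constructs a delegated credential around an already-acquired native
     * handle, using the actual context mechanism and source name.
     * No ServicePermission check is performed here.
     * Warning: called by NativeUtil.c -- the signature must stay unchanged.
     *
     * @param pCredentials native gss_cred_id_t handle already acquired
     * @param srcName      name of the delegating peer
     * @param mech         mechanism of the context that delivered the cred
     * @throws GSSException if no native stub exists for {@code mech}
     */
    GSSCredElement(long pCredentials, GSSNameElement srcName, Oid mech)
        throws GSSException {
        pCred = pCredentials;
        cStub = GSSLibStub.getInstance(mech);
        usage = GSSCredential.INITIATE_ONLY;
        name = srcName;
    }

    /**
     * Acquires a new credential from the native library.
     *
     * @param name     name to acquire the credential for; may be {@code null}
     *                 to let the library pick the default name, or
     *                 {@code GSSNameElement.DEF_ACCEPTOR}
     * @param lifetime requested lifetime, in the units the native stub expects
     * @param usage    one of the {@code GSSCredential} usage constants
     * @param stub     native stub for the mechanism
     * @throws GSSException if the permission check or the acquisition fails
     */
    GSSCredElement(GSSNameElement name, int lifetime, int usage,
                   GSSLibStub stub) throws GSSException {
        cStub = stub;
        this.usage = usage;

        if (name != null) { // Could be GSSNameElement.DEF_ACCEPTOR
            this.name = name;
            // Check before touching the native library so that a denied
            // caller never acquires a handle that would then need releasing.
            doServicePermCheck();
            pCred = cStub.acquireCred(this.name.pName, lifetime, usage);
        } else {
            // No name given: acquire first, then read back the name the
            // library chose and run the check against that.
            pCred = cStub.acquireCred(0, lifetime, usage);
            this.name = new GSSNameElement(cStub.getCredName(pCred), cStub);
            doServicePermCheck();
        }
    }

    /** Returns the provider that owns this native credential element. */
    @Override
    public Provider getProvider() {
        return SunNativeProvider.INSTANCE;
    }

    /**
     * Releases the native credential handle. Safe to call more than once:
     * the handle is only released while it is non-zero.
     *
     * @throws GSSException if the native release fails
     */
    @Override
    public void dispose() throws GSSException {
        name = null;
        if (pCred != 0) {
            // releaseCred hands back the value to keep as the handle
            // (presumably 0, which is what the guard above relies on).
            pCred = cStub.releaseCred(pCred);
        }
    }

    /**
     * Returns the credential's name, or {@code null} when it is the default
     * acceptor name (which has no concrete principal).
     */
    @Override
    public GSSNameElement getName() throws GSSException {
        if (name == GSSNameElement.DEF_ACCEPTOR) {
            return null;
        }
        return name;
    }

    /**
     * Returns the remaining initiator lifetime as reported by the native
     * library, or 0 if this credential cannot initiate.
     */
    @Override
    public int getInitLifetime() throws GSSException {
        if (!isInitiatorCredential()) {
            return 0;
        }
        // NOTE(review): after dispose() pCred is 0; what getCredTime does
        // with a zero handle is up to the native stub -- confirm if relevant.
        return cStub.getCredTime(pCred);
    }

    /**
     * Returns the remaining acceptor lifetime as reported by the native
     * library, or 0 if this credential cannot accept.
     */
    @Override
    public int getAcceptLifetime() throws GSSException {
        if (!isAcceptorCredential()) {
            return 0;
        }
        return cStub.getCredTime(pCred);
    }

    /** True unless the credential was acquired as ACCEPT_ONLY. */
    @Override
    public boolean isInitiatorCredential() {
        return usage != GSSCredential.ACCEPT_ONLY;
    }

    /** True unless the credential was acquired as INITIATE_ONLY. */
    @Override
    public boolean isAcceptorCredential() {
        return usage != GSSCredential.INITIATE_ONLY;
    }

    /** Returns the mechanism of the native stub backing this credential. */
    @Override
    public Oid getMechanism() {
        return cStub.getMech();
    }

    @Override
    public String toString() {
        // No hex bytes available for native impl
        return "N/A";
    }

    /**
     * Last-resort release of the native handle if the owner never called
     * {@link #dispose()}. Explicit disposal is still expected; finalization
     * timing is not guaranteed.
     */
    @SuppressWarnings("deprecation")
    @Override
    protected void finalize() throws Throwable {
        dispose();
    }

    /**
     * Impersonation is not supported by the native wrapper.
     *
     * @throws GSSException always, with {@code GSSException.FAILURE}
     */
    @Override
    public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
        throw new GSSException(GSSException.FAILURE, -1,
                "Not supported yet");
    }
}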
145