1. /*

  2.  * @(#)KerberosTicket.java	1.13 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.   

  8. package javax.security.auth.kerberos;

  9. 

  10. import java.io.*;

  11. import java.util.Date;

  12. import java.util.Arrays;

  13. import java.net.InetAddress;

  14. import javax.crypto.SecretKey;

  15. import javax.security.auth.Refreshable;

  16. import javax.security.auth.Destroyable;

  17. import javax.security.auth.RefreshFailedException;

  18. import javax.security.auth.DestroyFailedException;

  19. import sun.misc.HexDumpEncoder;

  20. import sun.security.krb5.EncryptionKey;

  21. import sun.security.krb5.Asn1Exception;

  22. import sun.security.util.*;

  23. 

  24. /**

  25.  * This class encapsulates a Kerberos ticket and associated

  26.  * information as viewed from the client's point of view. It captures all

  27.  * information that the Key Distribution Center (KDC) sends to the client

  28.  * in the reply message KDC-REP defined in the Kerberos Protocol

  29.  * Specification (<a href=http://www.ietf.org/rfc/rfc1510.txt>RFC 1510</a>).

  30.  * <p>

  31.  * All Kerberos JAAS login modules that authenticate a user to a KDC should

  32.  * use this class. Where available, the login module might even read this 

  33.  * information from a ticket cache in the operating system instead of

  34.  * directly communicating with the KDC. During the commit phase of the JAAS

  35.  * authentication process, the JAAS login module should instantiate this

  36.  * class and store the instance in the private credential set of a

  37.  * {@link javax.security.auth.Subject Subject}.<p>

  38.  *

  39.  * It might be necessary for the application to be granted a

  40.  * {@link javax.security.auth.PrivateCredentialPermission 

  41.  * PrivateCredentialPermission} if it needs to access a KerberosTicket

  42.  * instance from a Subject. This permission is not needed when the

  43.  * application depends on the default JGSS Kerberos mechanism to access the

  44.  * KerberosTicket. In that case, however, the application will need an

  45.  * appropriate

  46.  * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.

  47.  * <p>

  48.  * Note that this class is applicable to both ticket granting tickets and

  49.  * other regular service tickets. A ticket granting ticket is just a

  50.  * special case of a more generalized service ticket.

  51.  *

  52.  * @see javax.security.auth.Subject

  53.  * @see javax.security.auth.PrivateCredentialPermission

  54.  * @see javax.security.auth.login.LoginContext

  55.  * @see org.ietf.jgss.GSSCredential

  56.  * @see org.ietf.jgss.GSSManager

  57.  * 

  58.  * @author Mayank Upadhyay

  59.  * @version 1.13, 01/23/03

  60.  * @since 1.4

  61.  */

  62. public class KerberosTicket implements Destroyable, Refreshable,

  63. 	 java.io.Serializable {

  64. 

  65.     // TBD: Make these flag indices public

  66.     private static int FORWARDABLE_TICKET_FLAG = 1;

  67.     private static int FORWARDED_TICKET_FLAG   = 2;

  68.     private static int PROXIABLE_TICKET_FLAG   = 3;

  69.     private static int PROXY_TICKET_FLAG       = 4;

  70.     private static int POSTDATED_TICKET_FLAG   = 6;

  71.     private static int RENEWABLE_TICKET_FLAG   = 8;

  72.     private static int INITIAL_TICKET_FLAG     = 9;

  73. 

  74.     private static int NUM_FLAGS = 32;

  75. 

  76.     /**

  77.      * 

  78.      * ASN.1 DER Encoding of the Ticket as defined in the 

  79.      * Kerberos Protocol Specification RFC1510.

  80.      *

  81.      * @serial

  82.      */

  83. 

  84.     private byte[] asn1Encoding;

  85. 

  86.    /**

  87.     *<code>KeyImpl</code> is serialized by writing out the ASN1 Encoded bytes 

  88.     * of the encryption key. The ASN1 encoding is defined in RFC1510 and as

  89.     * follows:

  90.     * <pre>		

  91.     *			EncryptionKey ::=   SEQUENCE {

  92.     *				keytype[0]    INTEGER,

  93.     *				keyvalue[1]   OCTET STRING    	

  94.     *				}

  95.     * </pre>

  96.     *

  97.     * @serial

  98.     */

  99. 

  100.     private KeyImpl sessionKey;

  101. 

  102.     /**

  103.      * 

  104.      * Ticket Flags as defined in the Kerberos Protocol Specification RFC1510.

  105. 

  106.      * @serial

  107.      */

  108. 

  109.     private boolean[] flags;

  110. 

  111.     /**

  112.      * 

  113.      * Time of initial authentication 

  114.      *

  115.      * @serial

  116.      */

  117. 

  118.     private Date authTime;

  119. 

  120.     /**

  121.      * 

  122.      * Time after which the ticket is valid.

  123.      * @serial

  124.      */

  125.     private Date startTime;

  126. 

  127.     /**

  128.      * 

  129.      * Time after which the ticket will not be honored. (its expiration time).

  130.      *

  131.      * @serial

  132.      */

  133. 

  134.     private Date endTime;

  135. 

  136.     /**

  137.      * 

  138.      * For renewable Tickets it indicates the maximum endtime that may be 

  139.      * included in a renewal. It can be thought of as the absolute expiration 

  140.      * time for the ticket, including all renewals. This field may be null

  141.      * for tickets that are not renewable.

  142.      *

  143.      * @serial

  144.      */

  145. 

  146.     private Date renewTill;

  147. 

  148.     /**

  149.      * 

  150.      * Client that owns the service ticket

  151.      * 

  152.      * @serial

  153.      */

  154. 

  155.     private KerberosPrincipal client;

  156. 

  157.     /**

  158.      * 

  159.      * The service for which the ticket was issued.

  160.      * 

  161.      * @serial

  162.      */

  163. 

  164.     private KerberosPrincipal server;

  165. 	

  166.     /**

  167.      * 

  168.      * The addresses from where the ticket may be used by the client. 

  169.      * This field may be null when the ticket is usable from any address.

  170.      *

  171.      * @serial

  172.      */

  173. 

  174. 

  175.     private InetAddress[] clientAddresses;

  176. 

  177.     private transient boolean destroyed = false;

  178. 

  179.     /**

  180.      * Constructs a KerberosTicket using credentials information that a

  181.      * client either receives from a KDC or reads from a cache.

  182.      *

  183.      * @param asn1Encoding the ASN.1 encoding of the ticket as defined by

  184.      * the Kerberos protocol specification.

  185.      * @param client the client that owns this service

  186.      * ticket

  187.      * @param server the service that this ticket is for

  188.      * @param sessionKey the raw bytes for the session key that must be

  189.      * used to encrypt the authenticator that will be sent to the server

  190.      * @param keyType the key type for the session key as defined by the

  191.      * Kerberos protocol specification.

  192.      * @param flags the ticket flags. Each element in this array indicates

  193.      * the value for the corresponding bit in the ASN.1 BitString that

  194.      * represents the ticket flags. If the number of elements in this array 

  195.      * is less than the number of flags used by the Kerberos protocol,

  196.      * then the missing flags will be filled in with false.

  197.      * @param authTime the time of initial authentication for the client

  198.      * @param startTime the time after which the ticket will be valid. This 

  199.      * may be null in which case the value of authTime is treated as the

  200.      * startTime.

  201.      * @param endTime the time after which the ticket will no longer be

  202.      * valid

  203.      * @param renewTill an absolute expiration time for the ticket,

  204.      * including all renewal that might be possible. This field may be null 

  205.      * for tickets that are not renewable.

  206.      * @param clientAddresses the addresses from where the ticket may be

  207.      * used by the client. This field may be null when the ticket is usable 

  208.      * from any address.

  209.      */

  210.    public KerberosTicket(byte[] asn1Encoding, 

  211. 			 KerberosPrincipal client,

  212. 			 KerberosPrincipal server,

  213. 			 byte[] sessionKey,

  214. 			 int keyType,

  215. 			 boolean[] flags,

  216. 			 Date authTime,

  217. 			 Date startTime,

  218. 			 Date endTime,

  219. 			 Date renewTill,

  220. 			 InetAddress[] clientAddresses) {

  221.        

  222.        init(asn1Encoding, client, server, sessionKey, keyType, flags,

  223. 	    authTime, startTime, endTime, renewTill, clientAddresses);

  224.    }

  225.     

  226.     private void init(byte[] asn1Encoding, 

  227. 			 KerberosPrincipal client,

  228. 			 KerberosPrincipal server,

  229. 			 byte[] sessionKey,

  230. 			 int keyType,

  231. 			 boolean[] flags,

  232. 			 Date authTime,

  233. 			 Date startTime,

  234. 			 Date endTime,

  235. 			 Date renewTill,

  236. 			 InetAddress[] clientAddresses) {

  237. 

  238.        if (asn1Encoding == null)

  239. 	   throw new IllegalArgumentException("ASN.1 encoding of ticket"

  240. 					      + " cannot be null");

  241.        this.asn1Encoding = asn1Encoding;

  242. 

  243.        if (client == null)

  244. 	   throw new IllegalArgumentException("Client name in ticket"

  245. 					      + " cannot be null");

  246.        this.client = client;

  247. 

  248.        if (server == null)

  249. 	   throw new IllegalArgumentException("Server name in ticket"

  250. 					      + " cannot be null");

  251.        this.server = server;

  252. 

  253.        if (sessionKey == null)

  254. 	   throw new IllegalArgumentException("Session key for ticket"

  255. 					      + " cannot be null");

  256.        this.sessionKey = new KeyImpl(sessionKey, keyType);

  257. 

  258.        if (flags != null) {

  259. 	   if (flags.length >= NUM_FLAGS)

  260. 	       this.flags = (boolean[]) flags.clone();

  261. 	   else {

  262. 	       this.flags = new boolean[NUM_FLAGS];

  263. 	       // Fill in whatever we have

  264. 	       for (int i = 0; i < flags.length; i++)

  265. 		   this.flags[i] = flags[i];

  266. 	   }

  267.        } else

  268. 	   this.flags = new boolean[NUM_FLAGS];

  269. 

  270.        if (flags[RENEWABLE_TICKET_FLAG]) {

  271. 	   if (renewTill == null)

  272. 	       throw new IllegalArgumentException("The renewable period "

  273. 		       + "end time cannot be null for renewable tickets.");

  274. 

  275. 	   this.renewTill = renewTill;

  276.        }

  277. 

  278.        if (authTime == null)

  279. 	   throw new IllegalArgumentException("Authentication time of ticket"

  280. 					      + " cannot be null");

  281.        this.authTime = authTime;

  282. 

  283.        this.startTime = (startTime != null? startTime: authTime);

  284. 

  285.        if (endTime == null)

  286. 	   throw new IllegalArgumentException("End time for ticket validity"

  287. 					      + " cannot be null");

  288.        this.endTime = endTime;

  289. 

  290.        if (clientAddresses != null)

  291. 	   this.clientAddresses = (InetAddress[]) clientAddresses.clone();

  292.    }

  293. 

  294.     /**

  295.      * Returns the client principal associated with this ticket.

  296.      *

  297.      * @return the client principal.

  298.      */

  299.     public final KerberosPrincipal getClient() {

  300. 	return client;

  301.     }

  302.     

  303.     /**

  304.      * Returns the service principal associated with this ticket.

  305.      *

  306.      * @return the service principal.

  307.      */

  308.     public final KerberosPrincipal getServer() {

  309. 	return server;

  310.     }

  311.     

  312.     /**

  313.      * Returns the session key associated with this ticket.

  314.      *

  315.      * @return the session key.

  316.      */

  317.     public final SecretKey getSessionKey() {

  318. 	if (destroyed)

  319. 	    throw new IllegalStateException("This ticket is no longer valid");

  320. 	return sessionKey;

  321.     }

  322. 

  323.     /**

  324.      * Returns the key type of the session key associated with this

  325.      * ticket as defined by the Kerberos Protocol Specification.

  326.      *

  327.      * @return the key type of the session key associated with this

  328.      * ticket.

  329.      *

  330.      * @see #getSessionKey()

  331.      */

  332.     public final int getSessionKeyType() {

  333. 	if (destroyed)

  334. 	    throw new IllegalStateException("This ticket is no longer valid");

  335. 	return sessionKey.getKeyType();

  336.     }

  337. 

  338.     /** Determines if this ticket is forwardable.

  339.      *

  340.      * @return true if this ticket is forwardable, false if not.

  341.      */

  342.     public final boolean isForwardable() {

  343. 	return flags[FORWARDABLE_TICKET_FLAG];

  344.     }

  345. 

  346.     /** 

  347.      * Determines if this ticket had been forwarded or was issued based on

  348.      * authentication involving a forwarded ticket-granting ticket.

  349.      *

  350.      * @return true if this ticket had been forwarded or was issued based on

  351.      * authentication involving a forwarded ticket-granting ticket,

  352.      * false otherwise.

  353.      */

  354.     public final boolean isForwarded() {

  355. 	return flags[FORWARDED_TICKET_FLAG];

  356.     }

  357. 

  358.     /** Determines if this ticket is proxiable.

  359.      *

  360.      * @return true if this ticket is proxiable, false if not.

  361.      */

  362.     public final boolean isProxiable() {

  363. 	return flags[PROXIABLE_TICKET_FLAG];

  364.     }

  365. 

  366.     /** Determines is this ticket is a proxy-ticket.

  367.      *

  368.      * @return true if this ticket is a proxy-ticket, false if not.

  369.      */

  370.     public final boolean isProxy() {

  371. 	return flags[PROXY_TICKET_FLAG];

  372.     }

  373. 

  374. 

  375.     /** Determines is this ticket is post-dated.

  376.      *

  377.      * @return true if this ticket is post-dated, false if not.

  378.      */

  379.     public final boolean isPostdated() {

  380. 	return flags[POSTDATED_TICKET_FLAG];

  381.     }

  382. 

  383.     /** 

  384.      * Determines is this ticket is renewable. If so, the {@link #refresh() 

  385.      * refresh} method can be called, assuming the validity period for

  386.      * renewing is not already over.

  387.      *

  388.      * @return true if this ticket is renewable, false if not.

  389.      */

  390.     public final boolean isRenewable() {

  391. 	return flags[RENEWABLE_TICKET_FLAG];

  392.     }

  393. 

  394.     /** 

  395.      * Determines if this ticket was issued using the Kerberos AS-Exchange

  396.      * protocol, and not issued based on some ticket-granting ticket.

  397.      *

  398.      * @return true if this ticket was issued using the Kerberos AS-Exchange

  399.      * protocol, false if not.

  400.      */

  401.     public final boolean isInitial() {

  402. 	return flags[INITIAL_TICKET_FLAG];

  403.     }

  404. 

  405.     /**

  406.      * Returns the flags associated with this ticket. Each element in the

  407.      * returned array indicates the value for the corresponding bit in the

  408.      * ASN.1 BitString that represents the ticket flags.

  409.      *

  410.      * @return the flags associated with this ticket.

  411.      */

  412.     public final boolean[]  getFlags() {

  413. 	return (flags == null? null: (boolean[]) flags.clone());

  414.     }

  415. 

  416.     /**

  417.      * Returns the time that the client was authenticated.

  418.      *

  419.      * @return the time that the client was authenticated.

  420.      */

  421.     public final java.util.Date getAuthTime() {

  422. 	return authTime;

  423.     }

  424. 

  425.     /**

  426.      * Returns the start time for this ticket's validity period.

  427.      *

  428.      * @return the start time for this ticket's validity period.

  429.      */

  430.     public final java.util.Date getStartTime() {

  431. 	return startTime;

  432.     }

  433. 

  434.     /**

  435.      * Returns the expiration time for this ticket's validity period.

  436.      *

  437.      * @return the expiration time for this ticket's validity period.

  438.      */

  439.     public final java.util.Date getEndTime() {

  440. 	return endTime;

  441.     }

  442. 

  443.     /**

  444.      * Returns the latest expiration time for this ticket, including all

  445.      * renewals. This will return a null value for non-renewable tickets.

  446.      *

  447.      * @return the latest expiration time for this ticket.

  448.      */

  449.     public final java.util.Date getRenewTill() {

  450. 	return renewTill;

  451.     }

  452.     

  453.     /**

  454.      * Returns a list of addresses from where the ticket can be used.

  455.      * 

  456.      * @return ths list of addresses or null, if the field was not

  457.      * provided.

  458.      */

  459.     public final java.net.InetAddress[] getClientAddresses() {

  460. 	return (clientAddresses == null? 

  461. 		null: (InetAddress[]) clientAddresses.clone());

  462.     }

  463. 

  464.     /**

  465.      * Returns an ASN.1 encoding of the entire ticket.

  466.      *

  467.      * @return an ASN.1 encoding of the entire ticket.

  468.      */

  469.     public final byte[] getEncoded() {

  470. 	if (destroyed)

  471. 	    throw new IllegalStateException("This ticket is no longer valid");

  472. 	return (byte[]) asn1Encoding.clone();

  473.     }

  474. 

  475.     /** Determines if this ticket is still current.  */

  476.     public boolean isCurrent() {

  477. 	return (System.currentTimeMillis() <= getEndTime().getTime());

  478.     }

  479. 

  480.     /**

  481.      * Extends the validity period of this ticket. The ticket will contain

  482.      * a new session key if the refresh operation succeeds. The refresh

  483.      * operation will fail if the ticket is not renewable or the latest

  484.      * allowable renew time has passed. Any other error returned by the

  485.      * KDC will also cause this method to fail.

  486.      *

  487.      * Note: This method is not synchronized with the the accessor

  488.      * methods of this object. Hence callers need to be aware of multiple

  489.      * threads that might access this and try to renew it at the same

  490.      * time.

  491.      *

  492.      * @throws RefreshFailedException if the ticket is not renewable, or

  493.      * the latest allowable renew time has passed, or the KDC returns some

  494.      * error.

  495.      *

  496.      * @see #isRenewable()

  497.      * @see #getRenewTill()

  498.      */

  499.     public void refresh() throws RefreshFailedException {

  500. 

  501. 	if (destroyed)

  502. 	    throw new RefreshFailedException("A destroyed ticket "

  503. 					     + "cannot be renewd.");

  504. 

  505. 	if (!isRenewable())

  506. 	    throw new RefreshFailedException("This ticket is not renewable");

  507. 

  508. 	if (System.currentTimeMillis() > getRenewTill().getTime())

  509. 	    throw new RefreshFailedException("This ticket is past "

  510. 					     + "its last renewal time.");

  511. 	Throwable e = null;

  512. 	sun.security.krb5.Credentials krb5Creds = null;

  513. 

  514. 	try {

  515. 	    krb5Creds = new sun.security.krb5.Credentials(asn1Encoding,

  516. 						    client.toString(),

  517. 						    server.toString(),

  518. 						    sessionKey.getEncoded(),

  519. 						    sessionKey.getKeyType(),

  520. 						    flags,

  521. 						    authTime,

  522. 						    startTime,

  523. 						    endTime,

  524. 						    renewTill,

  525. 						    clientAddresses);

  526. 	    krb5Creds = krb5Creds.renew();

  527. 	} catch (sun.security.krb5.KrbException krbException) {

  528. 	    e = krbException;

  529. 	} catch (java.io.IOException ioException) {

  530. 	    e = ioException;

  531. 	}

  532. 

  533. 	if (e != null) {

  534. 	    RefreshFailedException rfException

  535. 		= new RefreshFailedException("Failed to renew Kerberos Ticket "

  536. 					     + "for client " + client 

  537. 					     + " and server " + server

  538. 					     + " - " + e.getMessage());

  539. 	    rfException.initCause(e);

  540. 	    throw rfException;

  541. 	}

  542. 

  543. 	/*

  544. 	 * In case multiple threads try to refresh it at the same time.

  545. 	 */

  546. 	synchronized (this) {

  547. 	    try {

  548. 		this.destroy();

  549. 	    } catch (DestroyFailedException dfException) {

  550. 		// Squelch it since we don't care about the old ticket.

  551. 	    }

  552. 	    init(krb5Creds.getEncoded(),

  553. 		 new KerberosPrincipal(krb5Creds.getClient().getName()),

  554. 		 new KerberosPrincipal(krb5Creds.getServer().getName()),

  555. 		 krb5Creds.getSessionKey().getBytes(), 

  556. 		 krb5Creds.getSessionKey().getEType(), 

  557. 		 krb5Creds.getFlags(), 

  558. 		 krb5Creds.getAuthTime(), 

  559. 		 krb5Creds.getStartTime(), 

  560. 		 krb5Creds.getEndTime(), 

  561. 		 krb5Creds.getRenewTill(), 

  562. 		 krb5Creds.getClientAddresses());

  563. 	    destroyed = false;

  564. 	}

  565.     }

  566. 

  567.     /**

  568.      * Destroys the ticket and destroys any sensitive information stored in

  569.      * it.

  570.      */

  571.     public void destroy() throws DestroyFailedException {

  572. 	if (!destroyed) {

  573. 	    Arrays.fill(asn1Encoding, (byte) 0);

  574. 	    client = null;

  575. 	    server = null;

  576. 	    sessionKey.destroy();

  577. 	    flags = null;

  578. 	    authTime = null;

  579. 	    startTime = null;

  580. 	    endTime = null;

  581. 	    renewTill = null;

  582. 	    clientAddresses = null;

  583. 	    destroyed = true;

  584. 	}

  585.     }

  586. 

  587.     /** Determines if this ticket has been destroyed.*/

  588.     public boolean isDestroyed() {

  589. 	return destroyed;

  590.     }

  591. 

  592.     public String toString() {

  593. 

  594. 	if (destroyed)

  595. 	    throw new IllegalStateException("This ticket is no longer valid");

  596. 	StringBuffer caddrBuf = new StringBuffer();

  597. 	if (clientAddresses != null) {

  598. 	    for (int i =0;i < clientAddresses.length; i++) {

  599. 		caddrBuf.append("clientAddresses[" + i + "] = " + 

  600. 				 clientAddresses[i].toString());

  601. 	    }

  602. 	}

  603. 	return ("Ticket (hex) = " + "\n" +

  604. 		 (new HexDumpEncoder()).encode(asn1Encoding) + "\n" +

  605. 		"Client Principal = " + client.toString() + "\n" +

  606. 		"Server Principal = " + server.toString() + "\n" +

  607. 		"Session Key = " + sessionKey.toString() + "\n" +

  608. 		"Forwardable Ticket " + flags[FORWARDABLE_TICKET_FLAG] + "\n" +

  609. 		"Forwarded Ticket " + flags[FORWARDED_TICKET_FLAG] + "\n" +

  610. 	        "Proxiable Ticket " + flags[PROXIABLE_TICKET_FLAG] + "\n" +

  611. 	        "Proxy Ticket " + flags[PROXY_TICKET_FLAG] + "\n" +

  612. 	        "Postdated Ticket " + flags[POSTDATED_TICKET_FLAG] + "\n" +

  613. 	        "Renewable Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n" +

  614. 	        "Initial Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n" +

  615. 		"Auth Time = " + authTime.toString() + "\n" +

  616. 		"Start Time = " + startTime.toString() + "\n" +

  617. 		"End Time = " + endTime.toString() + "\n" +

  618. 		"Renew Till = " + 

  619. 		  (renewTill == null ? "Null " :renewTill.toString()) + "\n" +

  620. 		"Client Addresses " + 

  621. 		(clientAddresses == null ? " Null ":caddrBuf.toString() + "\n")

  622. 		); 

  623.     }

  624. 

  625. }