1. /*

  2.  * @(#)KerberosTicket.java	1.16 04/06/02

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.   

  8. package javax.security.auth.kerberos;

  9. 

  10. import java.io.*;

  11. import java.util.Date;

  12. import java.util.Arrays;

  13. import java.net.InetAddress;

  14. import javax.crypto.SecretKey;

  15. import javax.security.auth.Refreshable;

  16. import javax.security.auth.Destroyable;

  17. import javax.security.auth.RefreshFailedException;

  18. import javax.security.auth.DestroyFailedException;

  19. import sun.misc.HexDumpEncoder;

  20. import sun.security.krb5.EncryptionKey;

  21. import sun.security.krb5.Asn1Exception;

  22. import sun.security.util.*;

  23. 

  24. /**

  25.  * This class encapsulates a Kerberos ticket and associated

  26.  * information as viewed from the client's point of view. It captures all

  27.  * information that the Key Distribution Center (KDC) sends to the client

  28.  * in the reply message KDC-REP defined in the Kerberos Protocol

  29.  * Specification (<a href=http://www.ietf.org/rfc/rfc1510.txt>RFC 1510</a>).

  30.  * <p>

  31.  * All Kerberos JAAS login modules that authenticate a user to a KDC should

  32.  * use this class. Where available, the login module might even read this 

  33.  * information from a ticket cache in the operating system instead of

  34.  * directly communicating with the KDC. During the commit phase of the JAAS

  35.  * authentication process, the JAAS login module should instantiate this

  36.  * class and store the instance in the private credential set of a

  37.  * {@link javax.security.auth.Subject Subject}.<p>

  38.  *

  39.  * It might be necessary for the application to be granted a

  40.  * {@link javax.security.auth.PrivateCredentialPermission 

  41.  * PrivateCredentialPermission} if it needs to access a KerberosTicket

  42.  * instance from a Subject. This permission is not needed when the

  43.  * application depends on the default JGSS Kerberos mechanism to access the

  44.  * KerberosTicket. In that case, however, the application will need an

  45.  * appropriate

  46.  * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.

  47.  * <p>

  48.  * Note that this class is applicable to both ticket granting tickets and

  49.  * other regular service tickets. A ticket granting ticket is just a

  50.  * special case of a more generalized service ticket.

  51.  *

  52.  * @see javax.security.auth.Subject

  53.  * @see javax.security.auth.PrivateCredentialPermission

  54.  * @see javax.security.auth.login.LoginContext

  55.  * @see org.ietf.jgss.GSSCredential

  56.  * @see org.ietf.jgss.GSSManager

  57.  * 

  58.  * @author Mayank Upadhyay

  59.  * @version 1.16, 06/02/04

  60.  * @since 1.4

  61.  */

  62. public class KerberosTicket implements Destroyable, Refreshable,

  63. 	 java.io.Serializable {

  64. 

  65.     private static final long serialVersionUID = 7395334370157380539L;

  66. 

  67.     // TBD: Make these flag indices public

  68.     private static final int FORWARDABLE_TICKET_FLAG = 1;

  69.     private static final int FORWARDED_TICKET_FLAG   = 2;

  70.     private static final int PROXIABLE_TICKET_FLAG   = 3;

  71.     private static final int PROXY_TICKET_FLAG       = 4;

  72.     private static final int POSTDATED_TICKET_FLAG   = 6;

  73.     private static final int RENEWABLE_TICKET_FLAG   = 8;

  74.     private static final int INITIAL_TICKET_FLAG     = 9;

  75. 

  76.     private static final int NUM_FLAGS = 32;

  77. 

  78.     /**

  79.      * 

  80.      * ASN.1 DER Encoding of the Ticket as defined in the 

  81.      * Kerberos Protocol Specification RFC1510.

  82.      *

  83.      * @serial

  84.      */

  85. 

  86.     private byte[] asn1Encoding;

  87. 

  88.     /**

  89.      *<code>KeyImpl</code> is serialized by writing out the ASN1 Encoded bytes 

  90.      * of the encryption key. The ASN1 encoding is defined in RFC1510 and as

  91.      * follows:

  92.      * <pre>		

  93.      *			EncryptionKey ::=   SEQUENCE {

  94.      *				keytype[0]    INTEGER,

  95.      *				keyvalue[1]   OCTET STRING    	

  96.      *				}

  97.      * </pre>

  98.      *

  99.      * @serial

  100.      */

  101. 

  102.     private KeyImpl sessionKey;

  103. 

  104.     /**

  105.      * 

  106.      * Ticket Flags as defined in the Kerberos Protocol Specification RFC1510.

  107.      *

  108.      * @serial

  109.      */

  110. 

  111.     private boolean[] flags;

  112. 

  113.     /**

  114.      * 

  115.      * Time of initial authentication 

  116.      *

  117.      * @serial

  118.      */

  119. 

  120.     private Date authTime;

  121. 

  122.     /**

  123.      * 

  124.      * Time after which the ticket is valid.

  125.      * @serial

  126.      */

  127.     private Date startTime;

  128. 

  129.     /**

  130.      * 

  131.      * Time after which the ticket will not be honored. (its expiration time).

  132.      *

  133.      * @serial

  134.      */

  135. 

  136.     private Date endTime;

  137. 

  138.     /**

  139.      * 

  140.      * For renewable Tickets it indicates the maximum endtime that may be 

  141.      * included in a renewal. It can be thought of as the absolute expiration 

  142.      * time for the ticket, including all renewals. This field may be null

  143.      * for tickets that are not renewable.

  144.      *

  145.      * @serial

  146.      */

  147. 

  148.     private Date renewTill;

  149. 

  150.     /**

  151.      * 

  152.      * Client that owns the service ticket

  153.      * 

  154.      * @serial

  155.      */

  156. 

  157.     private KerberosPrincipal client;

  158. 

  159.     /**

  160.      * 

  161.      * The service for which the ticket was issued.

  162.      * 

  163.      * @serial

  164.      */

  165. 

  166.     private KerberosPrincipal server;

  167. 	

  168.     /**

  169.      * 

  170.      * The addresses from where the ticket may be used by the client. 

  171.      * This field may be null when the ticket is usable from any address.

  172.      *

  173.      * @serial

  174.      */

  175. 

  176. 

  177.     private InetAddress[] clientAddresses;

  178. 

  179.     private transient boolean destroyed = false;

  180. 

  181.     /**

  182.      * Constructs a KerberosTicket using credentials information that a

  183.      * client either receives from a KDC or reads from a cache.

  184.      *

  185.      * @param asn1Encoding the ASN.1 encoding of the ticket as defined by

  186.      * the Kerberos protocol specification.

  187.      * @param client the client that owns this service

  188.      * ticket

  189.      * @param server the service that this ticket is for

  190.      * @param sessionKey the raw bytes for the session key that must be

  191.      * used to encrypt the authenticator that will be sent to the server

  192.      * @param keyType the key type for the session key as defined by the

  193.      * Kerberos protocol specification.

  194.      * @param flags the ticket flags. Each element in this array indicates

  195.      * the value for the corresponding bit in the ASN.1 BitString that

  196.      * represents the ticket flags. If the number of elements in this array 

  197.      * is less than the number of flags used by the Kerberos protocol,

  198.      * then the missing flags will be filled in with false.

  199.      * @param authTime the time of initial authentication for the client

  200.      * @param startTime the time after which the ticket will be valid. This 

  201.      * may be null in which case the value of authTime is treated as the

  202.      * startTime.

  203.      * @param endTime the time after which the ticket will no longer be

  204.      * valid

  205.      * @param renewTill an absolute expiration time for the ticket,

  206.      * including all renewal that might be possible. This field may be null 

  207.      * for tickets that are not renewable.

  208.      * @param clientAddresses the addresses from where the ticket may be

  209.      * used by the client. This field may be null when the ticket is usable 

  210.      * from any address.

  211.      */

  212.     public KerberosTicket(byte[] asn1Encoding, 

  213. 			 KerberosPrincipal client,

  214. 			 KerberosPrincipal server,

  215. 			 byte[] sessionKey,

  216. 			 int keyType,

  217. 			 boolean[] flags,

  218. 			 Date authTime,

  219. 			 Date startTime,

  220. 			 Date endTime,

  221. 			 Date renewTill,

  222. 			 InetAddress[] clientAddresses) {

  223.        

  224. 	init(asn1Encoding, client, server, sessionKey, keyType, flags,

  225. 	    authTime, startTime, endTime, renewTill, clientAddresses);

  226.     }

  227.     

  228.     private void init(byte[] asn1Encoding, 

  229. 			 KerberosPrincipal client,

  230. 			 KerberosPrincipal server,

  231. 			 byte[] sessionKey,

  232. 			 int keyType,

  233. 			 boolean[] flags,

  234. 			 Date authTime,

  235. 			 Date startTime,

  236. 			 Date endTime,

  237. 			 Date renewTill,

  238. 			 InetAddress[] clientAddresses) {

  239. 

  240. 	if (asn1Encoding == null)

  241. 	   throw new IllegalArgumentException("ASN.1 encoding of ticket"

  242. 					      + " cannot be null");

  243. 	this.asn1Encoding = asn1Encoding.clone();

  244. 

  245. 	if (client == null)

  246. 	   throw new IllegalArgumentException("Client name in ticket"

  247. 					      + " cannot be null");

  248. 	this.client = client;

  249. 

  250. 	if (server == null)

  251. 	   throw new IllegalArgumentException("Server name in ticket"

  252. 					      + " cannot be null");

  253. 	this.server = server;

  254. 

  255. 	if (sessionKey == null)

  256. 	   throw new IllegalArgumentException("Session key for ticket"

  257. 					      + " cannot be null");

  258. 	this.sessionKey = new KeyImpl(sessionKey, keyType);

  259. 

  260. 	if (flags != null) {

  261. 	   if (flags.length >= NUM_FLAGS)

  262. 		this.flags = (boolean[]) flags.clone();

  263. 	   else {

  264. 		this.flags = new boolean[NUM_FLAGS];

  265. 		// Fill in whatever we have

  266. 		for (int i = 0; i < flags.length; i++)

  267. 		    this.flags[i] = flags[i];

  268. 	   }

  269. 	} else

  270. 	   this.flags = new boolean[NUM_FLAGS];

  271. 

  272. 	if (this.flags[RENEWABLE_TICKET_FLAG]) {

  273. 	   if (renewTill == null)

  274. 		throw new IllegalArgumentException("The renewable period "

  275. 		       + "end time cannot be null for renewable tickets.");

  276. 

  277. 	   this.renewTill = renewTill;

  278. 	}

  279. 

  280. 	if (authTime == null)

  281. 	   throw new IllegalArgumentException("Authentication time of ticket"

  282. 					      + " cannot be null");

  283. 	this.authTime = authTime;

  284. 

  285. 	this.startTime = (startTime != null? startTime: authTime);

  286. 

  287. 	if (endTime == null)

  288. 	   throw new IllegalArgumentException("End time for ticket validity"

  289. 					      + " cannot be null");

  290. 	this.endTime = endTime;

  291. 

  292. 	if (clientAddresses != null)

  293. 	   this.clientAddresses = (InetAddress[]) clientAddresses.clone();

  294.     }

  295. 

  296.     /**

  297.      * Returns the client principal associated with this ticket.

  298.      *

  299.      * @return the client principal.

  300.      */

  301.     public final KerberosPrincipal getClient() {

  302. 	return client;

  303.     }

  304.     

  305.     /**

  306.      * Returns the service principal associated with this ticket.

  307.      *

  308.      * @return the service principal.

  309.      */

  310.     public final KerberosPrincipal getServer() {

  311. 	return server;

  312.     }

  313.     

  314.     /**

  315.      * Returns the session key associated with this ticket.

  316.      *

  317.      * @return the session key.

  318.      */

  319.     public final SecretKey getSessionKey() {

  320. 	if (destroyed)

  321. 	    throw new IllegalStateException("This ticket is no longer valid");

  322. 	return sessionKey;

  323.     }

  324. 

  325.     /**

  326.      * Returns the key type of the session key associated with this

  327.      * ticket as defined by the Kerberos Protocol Specification.

  328.      *

  329.      * @return the key type of the session key associated with this

  330.      * ticket.

  331.      *

  332.      * @see #getSessionKey()

  333.      */

  334.     public final int getSessionKeyType() {

  335. 	if (destroyed)

  336. 	    throw new IllegalStateException("This ticket is no longer valid");

  337. 	return sessionKey.getKeyType();

  338.     }

  339. 

  340.     /** 

  341.      * Determines if this ticket is forwardable.

  342.      *

  343.      * @return true if this ticket is forwardable, false if not.

  344.      */

  345.     public final boolean isForwardable() {

  346. 	return flags[FORWARDABLE_TICKET_FLAG];

  347.     }

  348. 

  349.     /** 

  350.      * Determines if this ticket had been forwarded or was issued based on

  351.      * authentication involving a forwarded ticket-granting ticket.

  352.      *

  353.      * @return true if this ticket had been forwarded or was issued based on

  354.      * authentication involving a forwarded ticket-granting ticket,

  355.      * false otherwise.

  356.      */

  357.     public final boolean isForwarded() {

  358. 	return flags[FORWARDED_TICKET_FLAG];

  359.     }

  360. 

  361.     /** 

  362.      * Determines if this ticket is proxiable.

  363.      *

  364.      * @return true if this ticket is proxiable, false if not.

  365.      */

  366.     public final boolean isProxiable() {

  367. 	return flags[PROXIABLE_TICKET_FLAG];

  368.     }

  369. 

  370.     /** 

  371.      * Determines is this ticket is a proxy-ticket.

  372.      *

  373.      * @return true if this ticket is a proxy-ticket, false if not.

  374.      */

  375.     public final boolean isProxy() {

  376. 	return flags[PROXY_TICKET_FLAG];

  377.     }

  378. 

  379. 

  380.     /** 

  381.      * Determines is this ticket is post-dated.

  382.      *

  383.      * @return true if this ticket is post-dated, false if not.

  384.      */

  385.     public final boolean isPostdated() {

  386. 	return flags[POSTDATED_TICKET_FLAG];

  387.     }

  388. 

  389.     /** 

  390.      * Determines is this ticket is renewable. If so, the {@link #refresh() 

  391.      * refresh} method can be called, assuming the validity period for

  392.      * renewing is not already over.

  393.      *

  394.      * @return true if this ticket is renewable, false if not.

  395.      */

  396.     public final boolean isRenewable() {

  397. 	return flags[RENEWABLE_TICKET_FLAG];

  398.     }

  399. 

  400.     /** 

  401.      * Determines if this ticket was issued using the Kerberos AS-Exchange

  402.      * protocol, and not issued based on some ticket-granting ticket.

  403.      *

  404.      * @return true if this ticket was issued using the Kerberos AS-Exchange

  405.      * protocol, false if not.

  406.      */

  407.     public final boolean isInitial() {

  408. 	return flags[INITIAL_TICKET_FLAG];

  409.     }

  410. 

  411.     /**

  412.      * Returns the flags associated with this ticket. Each element in the

  413.      * returned array indicates the value for the corresponding bit in the

  414.      * ASN.1 BitString that represents the ticket flags.

  415.      *

  416.      * @return the flags associated with this ticket.

  417.      */

  418.     public final boolean[]  getFlags() {

  419. 	return (flags == null? null: (boolean[]) flags.clone());

  420.     }

  421. 

  422.     /**

  423.      * Returns the time that the client was authenticated.

  424.      *

  425.      * @return the time that the client was authenticated.

  426.      */

  427.     public final java.util.Date getAuthTime() {

  428. 	return (authTime == null) ? null : new Date(authTime.getTime());

  429.     }

  430. 

  431.     /**

  432.      * Returns the start time for this ticket's validity period.

  433.      *

  434.      * @return the start time for this ticket's validity period.

  435.      */

  436.     public final java.util.Date getStartTime() {

  437. 	return (startTime == null) ? null : new Date(startTime.getTime());

  438.     }

  439. 

  440.     /**

  441.      * Returns the expiration time for this ticket's validity period.

  442.      *

  443.      * @return the expiration time for this ticket's validity period.

  444.      */

  445.     public final java.util.Date getEndTime() {

  446. 	return (endTime == null) ? null : new Date(endTime.getTime());

  447.     }

  448. 

  449.     /**

  450.      * Returns the latest expiration time for this ticket, including all

  451.      * renewals. This will return a null value for non-renewable tickets.

  452.      *

  453.      * @return the latest expiration time for this ticket.

  454.      */

  455.     public final java.util.Date getRenewTill() {

  456. 	return (renewTill == null) ? null: new Date(renewTill.getTime());

  457.     }

  458.     

  459.     /**

  460.      * Returns a list of addresses from where the ticket can be used.

  461.      * 

  462.      * @return ths list of addresses or null, if the field was not

  463.      * provided.

  464.      */

  465.     public final java.net.InetAddress[] getClientAddresses() {

  466. 	return (clientAddresses == null? 

  467. 		null: (InetAddress[]) clientAddresses.clone());

  468.     }

  469. 

  470.     /**

  471.      * Returns an ASN.1 encoding of the entire ticket.

  472.      *

  473.      * @return an ASN.1 encoding of the entire ticket.

  474.      */

  475.     public final byte[] getEncoded() {

  476. 	if (destroyed)

  477. 	    throw new IllegalStateException("This ticket is no longer valid");

  478. 	return (byte[]) asn1Encoding.clone();

  479.     }

  480. 

  481.     /** Determines if this ticket is still current.  */

  482.     public boolean isCurrent() {

  483. 	return (System.currentTimeMillis() <= getEndTime().getTime());

  484.     }

  485. 

  486.     /**

  487.      * Extends the validity period of this ticket. The ticket will contain

  488.      * a new session key if the refresh operation succeeds. The refresh

  489.      * operation will fail if the ticket is not renewable or the latest

  490.      * allowable renew time has passed. Any other error returned by the

  491.      * KDC will also cause this method to fail.

  492.      *

  493.      * Note: This method is not synchronized with the the accessor

  494.      * methods of this object. Hence callers need to be aware of multiple

  495.      * threads that might access this and try to renew it at the same

  496.      * time.

  497.      *

  498.      * @throws RefreshFailedException if the ticket is not renewable, or

  499.      * the latest allowable renew time has passed, or the KDC returns some

  500.      * error.

  501.      *

  502.      * @see #isRenewable()

  503.      * @see #getRenewTill()

  504.      */

  505.     public void refresh() throws RefreshFailedException {

  506. 

  507. 	if (destroyed)

  508. 	    throw new RefreshFailedException("A destroyed ticket "

  509. 					     + "cannot be renewd.");

  510. 

  511. 	if (!isRenewable())

  512. 	    throw new RefreshFailedException("This ticket is not renewable");

  513. 

  514. 	if (System.currentTimeMillis() > getRenewTill().getTime())

  515. 	    throw new RefreshFailedException("This ticket is past "

  516. 					     + "its last renewal time.");

  517. 	Throwable e = null;

  518. 	sun.security.krb5.Credentials krb5Creds = null;

  519. 

  520. 	try {

  521. 	    krb5Creds = new sun.security.krb5.Credentials(asn1Encoding,

  522. 						    client.toString(),

  523. 						    server.toString(),

  524. 						    sessionKey.getEncoded(),

  525. 						    sessionKey.getKeyType(),

  526. 						    flags,

  527. 						    authTime,

  528. 						    startTime,

  529. 						    endTime,

  530. 						    renewTill,

  531. 						    clientAddresses);

  532. 	    krb5Creds = krb5Creds.renew();

  533. 	} catch (sun.security.krb5.KrbException krbException) {

  534. 	    e = krbException;

  535. 	} catch (java.io.IOException ioException) {

  536. 	    e = ioException;

  537. 	}

  538. 

  539. 	if (e != null) {

  540. 	    RefreshFailedException rfException

  541. 		= new RefreshFailedException("Failed to renew Kerberos Ticket "

  542. 					     + "for client " + client 

  543. 					     + " and server " + server

  544. 					     + " - " + e.getMessage());

  545. 	    rfException.initCause(e);

  546. 	    throw rfException;

  547. 	}

  548. 

  549. 	/*

  550. 	 * In case multiple threads try to refresh it at the same time.

  551. 	 */

  552. 	synchronized (this) {

  553. 	    try {

  554. 		this.destroy();

  555. 	    } catch (DestroyFailedException dfException) {

  556. 		// Squelch it since we don't care about the old ticket.

  557. 	    }

  558. 	    init(krb5Creds.getEncoded(),

  559. 		 new KerberosPrincipal(krb5Creds.getClient().getName()),

  560. 		 new KerberosPrincipal(krb5Creds.getServer().getName()),

  561. 		 krb5Creds.getSessionKey().getBytes(), 

  562. 		 krb5Creds.getSessionKey().getEType(), 

  563. 		 krb5Creds.getFlags(), 

  564. 		 krb5Creds.getAuthTime(), 

  565. 		 krb5Creds.getStartTime(), 

  566. 		 krb5Creds.getEndTime(), 

  567. 		 krb5Creds.getRenewTill(), 

  568. 		 krb5Creds.getClientAddresses());

  569. 	    destroyed = false;

  570. 	}

  571.     }

  572. 

  573.     /**

  574.      * Destroys the ticket and destroys any sensitive information stored in

  575.      * it.

  576.      */

  577.     public void destroy() throws DestroyFailedException {

  578. 	if (!destroyed) {

  579. 	    Arrays.fill(asn1Encoding, (byte) 0);

  580. 	    client = null;

  581. 	    server = null;

  582. 	    sessionKey.destroy();

  583. 	    flags = null;

  584. 	    authTime = null;

  585. 	    startTime = null;

  586. 	    endTime = null;

  587. 	    renewTill = null;

  588. 	    clientAddresses = null;

  589. 	    destroyed = true;

  590. 	}

  591.     }

  592. 

  593.     /** 

  594.      * Determines if this ticket has been destroyed.

  595.      */

  596.     public boolean isDestroyed() {

  597. 	return destroyed;

  598.     }

  599. 

  600.     public String toString() {

  601. 	if (destroyed)

  602. 	    throw new IllegalStateException("This ticket is no longer valid");

  603. 	StringBuffer caddrBuf = new StringBuffer();

  604. 	if (clientAddresses != null) {

  605. 	    for (int i = 0; i < clientAddresses.length; i++) {

  606. 		caddrBuf.append("clientAddresses[" + i + "] = " + 

  607. 				 clientAddresses[i].toString());

  608. 	    }

  609. 	}

  610. 	return ("Ticket (hex) = " + "\n" +

  611. 		 (new HexDumpEncoder()).encode(asn1Encoding) + "\n" +

  612. 		"Client Principal = " + client.toString() + "\n" +

  613. 		"Server Principal = " + server.toString() + "\n" +

  614. 		"Session Key = " + sessionKey.toString() + "\n" +

  615. 		"Forwardable Ticket " + flags[FORWARDABLE_TICKET_FLAG] + "\n" +

  616. 		"Forwarded Ticket " + flags[FORWARDED_TICKET_FLAG] + "\n" +

  617. 	        "Proxiable Ticket " + flags[PROXIABLE_TICKET_FLAG] + "\n" +

  618. 	        "Proxy Ticket " + flags[PROXY_TICKET_FLAG] + "\n" +

  619. 	        "Postdated Ticket " + flags[POSTDATED_TICKET_FLAG] + "\n" +

  620. 	        "Renewable Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n" +

  621. 	        "Initial Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n" +

  622. 		"Auth Time = " + authTime.toString() + "\n" +

  623. 		"Start Time = " + startTime.toString() + "\n" +

  624. 		"End Time = " + endTime.toString() + "\n" +

  625. 		"Renew Till = " +

  626. 		  (renewTill == null ? "Null " : renewTill.toString()) + "\n" +

  627. 		"Client Addresses " +

  628. 		(clientAddresses == null ? " Null " : caddrBuf.toString() +

  629. 		"\n"));

  630.     }

  631. 

  632. }