authorandrew <unknown>2020-01-12 06:47:40 +0000
committerbell-sw <liberica@bell-sw.com>2020-01-19 09:13:20 +0300
commit3ee862eeeca41d752942020f32c110cbc8e95241 (patch)
tree8828f2880e9d740139b6cc79b66d2baf44512b01
parentf57375e50070b88fb6c80ea3ca84f0870292e496 (diff)
downloadjdk8u_jdk-3ee862eeeca41d752942020f32c110cbc8e95241.tar.gz
8229951: Better Ticket Granting Services
Reviewed-by: mbalao
-rw-r--r--src/share/classes/sun/security/krb5/Checksum.java151
-rw-r--r--src/share/classes/sun/security/krb5/KrbTgsReq.java20
-rw-r--r--src/share/classes/sun/security/krb5/internal/PAForUserEnc.java3
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/CksumType.java43
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/Crc32CksumType.java18
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/DesCbcCrcEType.java2
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/DesMacCksumType.java10
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/DesMacKCksumType.java12
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/HmacMd5ArcFourCksumType.java14
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes128CksumType.java14
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes256CksumType.java14
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Des3KdCksumType.java14
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/RsaMd5CksumType.java20
-rw-r--r--src/share/classes/sun/security/krb5/internal/crypto/RsaMd5DesCksumType.java17
-rw-r--r--test/sun/security/krb5/auto/KDC.java17
15 files changed, 119 insertions, 250 deletions
diff --git a/src/share/classes/sun/security/krb5/Checksum.java b/src/share/classes/sun/security/krb5/Checksum.java
index f0fa577fc1..92a5de8d58 100644
--- a/src/share/classes/sun/security/krb5/Checksum.java
+++ b/src/share/classes/sun/security/krb5/Checksum.java
@@ -69,6 +69,7 @@ public class Checksum {
// draft-brezak-win2k-krb-rc4-hmac-04.txt
public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138;
+ // default checksum type, -1 if not set
static int CKSUMTYPE_DEFAULT;
static int SAFECKSUMTYPE_DEFAULT;
@@ -83,26 +84,19 @@ public class Checksum {
try {
cfg = Config.getInstance();
temp = cfg.get("libdefaults", "default_checksum");
- if (temp != null)
- {
- CKSUMTYPE_DEFAULT = Config.getType(temp);
- } else {
- /*
- * If the default checksum is not
- * specified in the configuration we
- * set it to RSA_MD5. We follow the MIT and
- * SEAM implementation.
- */
- CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
- }
+ if (temp != null) {
+ CKSUMTYPE_DEFAULT = Config.getType(temp);
+ } else {
+ CKSUMTYPE_DEFAULT = -1;
+ }
} catch (Exception exc) {
if (DEBUG) {
System.out.println("Exception in getting default checksum "+
- "value from the configuration " +
- "Setting default checksum to be RSA-MD5");
+ "value from the configuration. " +
+ "No default checksum set.");
exc.printStackTrace();
}
- CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
+ CKSUMTYPE_DEFAULT = -1;
}
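Review bot: A `default_checksum` value that `Config.getType` does not recognise appears to become indistinguishable from an unset one on the `temp != null` branch. The removed `CksumType.getInstance()` elsewhere in this commit tests `Config.getType(...) == -1`, which suggests -1 is also its result for an unknown name. Since -1 now means "use the mandatory checksum type of the key's etype", a misspelled setting would be ignored silently instead of being reported. Consider a DEBUG line on that path, e.g. `if (temp != null && CKSUMTYPE_DEFAULT == -1) System.out.println("Unrecognised default_checksum: " + temp);`, and the same for the safe default in the next hunk. The static initializer starts outside this hunk.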
@@ -112,117 +106,100 @@ public class Checksum {
{
SAFECKSUMTYPE_DEFAULT = Config.getType(temp);
} else {
- SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES;
+ SAFECKSUMTYPE_DEFAULT = -1;
}
} catch (Exception exc) {
if (DEBUG) {
System.out.println("Exception in getting safe default " +
"checksum value " +
- "from the configuration Setting " +
- "safe default checksum to be RSA-MD5");
+ "from the configuration Setting. " +
+ "No safe default checksum set.");
exc.printStackTrace();
}
- SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES;
+ SAFECKSUMTYPE_DEFAULT = -1;
}
}
/**
* Constructs a new Checksum using the raw data and type.
+ *
+ * This constructor is only used by Authenticator Checksum
+ * {@link sun.security.jgss.krb5.InitialToken.OverloadedChecksum}
+ * where the checksum type must be 0x8003
+ * (see https://tools.ietf.org/html/rfc4121#section-4.1.1)
+ * and checksum field/value is used to convey service flags,
+ * channel bindings, and optional delegation information.
+ * This special type does NOT have a {@link CksumType} and has its
+ * own calculating and verification rules. It does has the same
+ * ASN.1 encoding though.
+ *
* @data the byte array of checksum.
* @new_cksumType the type of checksum.
- *
*/
- // used in InitialToken
public Checksum(byte[] data, int new_cksumType) {
cksumType = new_cksumType;
checksum = data;
}
/**
- * Constructs a new Checksum by calculating the checksum over the data
- * using specified checksum type.
- * @new_cksumType the type of checksum.
- * @data the data that needs to be performed a checksum calculation on.
+ * Constructs a new Checksum by calculating over the data using
+ * the specified checksum type. If the checksum is unkeyed, key
+ * and usage are ignored.
+ *
+ * @param new_cksumType the type of checksum. If set to -1, the
+ * {@linkplain EType#checksumType() mandatory checksum type}
+ * for the encryption type of {@code key} will be used
+ * @param data the data that needs to be performed a checksum calculation on
+ * @param key the key used by a keyed checksum
+ * @param usage the usage used by a keyed checksum
*/
- public Checksum(int new_cksumType, byte[] data)
- throws KdcErrException, KrbCryptoException {
-
- cksumType = new_cksumType;
- CksumType cksumEngine = CksumType.getInstance(cksumType);
- if (!cksumEngine.isSafe()) {
- checksum = cksumEngine.calculateChecksum(data, data.length);
+ public Checksum(int new_cksumType, byte[] data,
+ EncryptionKey key, int usage)
+ throws KdcErrException, KrbApErrException, KrbCryptoException {
+ if (new_cksumType == -1) {
+ cksumType = EType.getInstance(key.getEType()).checksumType();
} else {
- throw new KdcErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
+ cksumType = new_cksumType;
}
- }
-
- /**
- * Constructs a new Checksum by calculating the keyed checksum
- * over the data using specified checksum type.
- * @new_cksumType the type of checksum.
- * @data the data that needs to be performed a checksum calculation on.
- */
- // KrbSafe, KrbTgsReq
- public Checksum(int new_cksumType, byte[] data,
- EncryptionKey key, int usage)
- throws KdcErrException, KrbApErrException, KrbCryptoException {
- cksumType = new_cksumType;
- CksumType cksumEngine = CksumType.getInstance(cksumType);
- if (!cksumEngine.isSafe())
- throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
- checksum =
- cksumEngine.calculateKeyedChecksum(data,
- data.length,
- key.getBytes(),
- usage);
+ checksum = CksumType.getInstance(cksumType).calculateChecksum(
+ data, data.length, key.getBytes(), usage);
}
/**
* Verifies the keyed checksum over the data passed in.
*/
- public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key,
- int usage)
- throws KdcErrException, KrbApErrException, KrbCryptoException {
+ public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key, int usage)
+ throws KdcErrException, KrbApErrException, KrbCryptoException {
CksumType cksumEngine = CksumType.getInstance(cksumType);
- if (!cksumEngine.isSafe())
+ if (!cksumEngine.isKeyed()) {
throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
- return cksumEngine.verifyKeyedChecksum(data,
- data.length,
- key.getBytes(),
- checksum,
- usage);
- }
-
- // =============== ATTENTION! Use with care ==================
- // According to https://tools.ietf.org/html/rfc3961#section-6.1,
- // An unkeyed checksum should only be used "in limited circumstances
- // where the lack of a key does not provide a window for an attack,
- // preferably as part of an encrypted message".
- public boolean verifyAnyChecksum(byte[] data, EncryptionKey key,
- int usage)
- throws KdcErrException, KrbCryptoException {
- CksumType cksumEngine = CksumType.getInstance(cksumType);
- if (!cksumEngine.isSafe()) {
- return cksumEngine.verifyChecksum(data, checksum);
} else {
- return cksumEngine.verifyKeyedChecksum(data,
- data.length,
- key.getBytes(),
- checksum,
- usage);
+ return cksumEngine.verifyChecksum(
+ data, data.length, key.getBytes(), checksum, usage);
}
}
- /*
- public Checksum(byte[] data) throws KdcErrException, KrbCryptoException {
- this(Checksum.CKSUMTYPE_DEFAULT, data);
+
+ /**
+ * Verifies the checksum over the data passed in. The checksum might
+ * be a keyed or not.
+ *
+ * =============== ATTENTION! Use with care ==================
+ * According to https://tools.ietf.org/html/rfc3961#section-6.1,
+ * An unkeyed checksum should only be used "in limited circumstances
+ * where the lack of a key does not provide a window for an attack,
+ * preferably as part of an encrypted message".
+ */
+ public boolean verifyAnyChecksum(byte[] data, EncryptionKey key, int usage)
+ throws KdcErrException, KrbCryptoException {
+ return CksumType.getInstance(cksumType).verifyChecksum(
+ data, data.length, key.getBytes(), checksum, usage);
}
- */
boolean isEqual(Checksum cksum) throws KdcErrException {
- if (cksumType != cksum.cksumType)
+ if (cksumType != cksum.cksumType) {
return false;
- CksumType cksumEngine = CksumType.getInstance(cksumType);
+ }
return CksumType.isChecksumEqual(checksum, cksum.checksum);
}
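Review bot: The rewritten constructor `Checksum(int, byte[], EncryptionKey, int)` and `verifyAnyChecksum` both call `key.getBytes()` unconditionally, and the constructor also calls `key.getEType()` when `new_cksumType == -1`, while the Javadoc says key and usage are ignored for an unkeyed checksum. A caller that takes that sentence literally and passes a null key gets a NullPointerException instead of a Kerberos exception. I would state the requirement in the Javadoc, `@param key the key used by a keyed checksum; must not be null, even for an unkeyed type`, rather than accept null silently. Separately, the two-argument constructor's Javadoc still uses `@data` and `@new_cksumType`, which are not Javadoc tags; `@param data` and `@param new_cksumType` would render.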
diff --git a/src/share/classes/sun/security/krb5/KrbTgsReq.java b/src/share/classes/sun/security/krb5/KrbTgsReq.java
index d8621eb5a8..151f68b3cd 100644
--- a/src/share/classes/sun/security/krb5/KrbTgsReq.java
+++ b/src/share/classes/sun/security/krb5/KrbTgsReq.java
@@ -320,26 +320,8 @@ public class KrbTgsReq {
byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ);
// if the checksum type is one of the keyed checksum types,
// use session key.
- Checksum cksum;
- switch (Checksum.CKSUMTYPE_DEFAULT) {
- case Checksum.CKSUMTYPE_RSA_MD4_DES:
- case Checksum.CKSUMTYPE_DES_MAC:
- case Checksum.CKSUMTYPE_DES_MAC_K:
- case Checksum.CKSUMTYPE_RSA_MD4_DES_K:
- case Checksum.CKSUMTYPE_RSA_MD5_DES:
- case Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD:
- case Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR:
- case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128:
- case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
- cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
+ Checksum cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
KeyUsage.KU_PA_TGS_REQ_CKSUM);
- break;
- case Checksum.CKSUMTYPE_CRC32:
- case Checksum.CKSUMTYPE_RSA_MD4:
- case Checksum.CKSUMTYPE_RSA_MD5:
- default:
- cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp);
- }
// Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR
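Review bot: The two comment lines kept above the new call (`// if the checksum type is one of the keyed checksum types, use session key.`) no longer describe the code, because the switch that made that distinction is gone and the key is now always passed. Something like `// -1 (no default_checksum configured) selects the mandatory checksum type of the session key's etype` would match the new behaviour. As far as the visible constructor shows, an explicitly configured unkeyed `default_checksum` is still honoured by this call, so the TGS-REQ checksum can still be unkeyed by configuration; if that is intended it deserves a sentence here. The enclosing method starts and ends outside the hunk.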
diff --git a/src/share/classes/sun/security/krb5/internal/PAForUserEnc.java b/src/share/classes/sun/security/krb5/internal/PAForUserEnc.java
index 42c9caaedb..a1952ffee5 100644
--- a/src/share/classes/sun/security/krb5/internal/PAForUserEnc.java
+++ b/src/share/classes/sun/security/krb5/internal/PAForUserEnc.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -133,6 +133,7 @@ public class PAForUserEnc {
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), name.getRealm().asn1Encode());
try {
+ // MS-SFU 2.2.1: use hmac-md5 checksum regardless of key type
Checksum cks = new Checksum(
Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR,
getS4UByteArray(),
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/CksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/CksumType.java
index 4e912ce80a..b7b06a99d1 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/CksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/CksumType.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -31,10 +31,7 @@
package sun.security.krb5.internal.crypto;
-import sun.security.krb5.Config;
import sun.security.krb5.Checksum;
-import sun.security.krb5.EncryptedData;
-import sun.security.krb5.KrbException;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
@@ -81,6 +78,7 @@ public abstract class CksumType {
cksumTypeName =
"sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType";
break;
+
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
cksumType = new HmacSha1Aes256CksumType();
cksumTypeName =
@@ -117,32 +115,11 @@ public abstract class CksumType {
return cksumType;
}
-
- /**
- * Returns default checksum type.
- */
- public static CksumType getInstance() throws KdcErrException {
- // this method provided for Kerberos applications.
- int cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
- try {
- Config c = Config.getInstance();
- if ((cksumType = (Config.getType(c.get("libdefaults",
- "ap_req_checksum_type")))) == - 1) {
- if ((cksumType = Config.getType(c.get("libdefaults",
- "checksum_type"))) == -1) {
- cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
- }
- }
- } catch (KrbException e) {
- }
- return getInstance(cksumType);
- }
-
public abstract int confounderSize();
public abstract int cksumType();
- public abstract boolean isSafe();
+ public abstract boolean isKeyed();
public abstract int cksumSize();
@@ -150,18 +127,12 @@ public abstract class CksumType {
public abstract int keySize();
- public abstract byte[] calculateChecksum(byte[] data, int size)
- throws KrbCryptoException;
-
- public abstract byte[] calculateKeyedChecksum(byte[] data, int size,
+ // Note: key and usage will be ignored for an unkeyed checksum.
+ public abstract byte[] calculateChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException;
- public boolean verifyChecksum(byte[] data, byte[] checksum)
- throws KrbCryptoException {
- throw new UnsupportedOperationException("Not supported");
- }
-
- public abstract boolean verifyKeyedChecksum(byte[] data, int size,
+ // Note: key and usage will be ignored for an unkeyed checksum.
+ public abstract boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException;
public static boolean isChecksumEqual(byte[] cksum1, byte[] cksum2) {
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/Crc32CksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/Crc32CksumType.java
index b1aa0ab8fb..151e2daaa7 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/Crc32CksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/Crc32CksumType.java
@@ -32,7 +32,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.*;
import sun.security.krb5.internal.*;
-import java.util.zip.CRC32;
public class Crc32CksumType extends CksumType {
@@ -47,7 +46,7 @@ public class Crc32CksumType extends CksumType {
return Checksum.CKSUMTYPE_CRC32;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return false;
}
@@ -63,18 +62,15 @@ public class Crc32CksumType extends CksumType {
return 0;
}
- public byte[] calculateChecksum(byte[] data, int size) {
+ public byte[] calculateChecksum(byte[] data, int size,
+ byte[] key, int usage) {
return crc32.byte2crc32sum_bytes(data, size);
}
- public byte[] calculateKeyedChecksum(byte[] data, int size,
- byte[] key, int usage) {
- return null;
- }
-
- public boolean verifyKeyedChecksum(byte[] data, int size,
- byte[] key, byte[] checksum, int usage) {
- return false;
+ public boolean verifyChecksum(byte[] data, int size,
+ byte[] key, byte[] checksum, int usage) {
+ return CksumType.isChecksumEqual(checksum,
+ crc32.byte2crc32sum_bytes(data));
}
public static byte[] int2quad(long input) {
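Review bot: The new `verifyChecksum` ignores its `size` argument and checksums the whole array with `crc32.byte2crc32sum_bytes(data)`, whereas `calculateChecksum` just above uses `crc32.byte2crc32sum_bytes(data, size)`; the two disagree whenever `size != data.length`. The visible caller in `Checksum` passes `data.length`, so this is latent, but the pair should agree: `crc32.byte2crc32sum_bytes(data, size)`. The same pattern appears in `DesMacKCksumType.verifyChecksum`, whose changed line passes `data.length` instead of `size` to `calculateChecksum`, and in the context line of `RsaMd5CksumType.verifyChecksum`, which digests all of `data`.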
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/DesCbcCrcEType.java b/src/share/classes/sun/security/krb5/internal/crypto/DesCbcCrcEType.java
index 08d9d555e3..e930d6a7f1 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/DesCbcCrcEType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/DesCbcCrcEType.java
@@ -53,7 +53,7 @@ public class DesCbcCrcEType extends DesCbcEType {
}
public int checksumType() {
- return Checksum.CKSUMTYPE_CRC32;
+ return Checksum.CKSUMTYPE_RSA_MD5;
}
public int checksumSize() {
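Review bot: `CKSUMTYPE_RSA_MD5` is still an unkeyed type (`RsaMd5CksumType.isKeyed()` returns false in this same commit), so for a des-cbc-crc key the new `new_cksumType == -1` path in `Checksum` selects an unkeyed checksum. If that is deliberate, a comment on this return explaining why the unkeyed MD5 type is chosen rather than the keyed `CKSUMTYPE_RSA_MD5_DES` would help the next reader. If it is not, the mandatory checksum type for this etype should be checked against RFC 3961. The class body continues outside the hunk.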
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/DesMacCksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/DesMacCksumType.java
index 3c3842f59d..2e11a20426 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/DesMacCksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/DesMacCksumType.java
@@ -49,7 +49,7 @@ public class DesMacCksumType extends CksumType {
return Checksum.CKSUMTYPE_DES_MAC;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -65,10 +65,6 @@ public class DesMacCksumType extends CksumType {
return 8;
}
- public byte[] calculateChecksum(byte[] data, int size) {
- return null;
- }
-
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@@ -78,7 +74,7 @@ public class DesMacCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
byte[] new_data = new byte[size + confounderSize()];
byte[] conf = Confounder.bytes(confounderSize());
@@ -130,7 +126,7 @@ public class DesMacCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
byte[] cksum = decryptKeyedChecksum(checksum, key);
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/DesMacKCksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/DesMacKCksumType.java
index 805f931e72..4f706fb8c4 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/DesMacKCksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/DesMacKCksumType.java
@@ -48,7 +48,7 @@ public class DesMacKCksumType extends CksumType {
return Checksum.CKSUMTYPE_DES_MAC_K;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -64,10 +64,6 @@ public class DesMacKCksumType extends CksumType {
return 8;
}
- public byte[] calculateChecksum(byte[] data, int size) {
- return null;
- }
-
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@@ -77,7 +73,7 @@ public class DesMacKCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
//check for weak keys
try {
@@ -93,9 +89,9 @@ public class DesMacKCksumType extends CksumType {
return cksum;
}
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
- byte[] new_cksum = calculateKeyedChecksum(data, data.length, key, usage);
+ byte[] new_cksum = calculateChecksum(data, data.length, key, usage);
return isChecksumEqual(checksum, new_cksum);
}
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/HmacMd5ArcFourCksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/HmacMd5ArcFourCksumType.java
index 4a233dd803..41388ec87d 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/HmacMd5ArcFourCksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/HmacMd5ArcFourCksumType.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
/**
@@ -51,7 +49,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -67,10 +65,6 @@ public class HmacMd5ArcFourCksumType extends CksumType {
return 16; // bytes
}
- public byte[] calculateChecksum(byte[] data, int size) {
- return null;
- }
-
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@@ -78,7 +72,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@@ -98,7 +92,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
* @param checksum
* @return true if verification is successful.
*/
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes128CksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes128CksumType.java
index ba31b575dc..a16941ca05 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes128CksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes128CksumType.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
/*
@@ -51,7 +49,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -67,10 +65,6 @@ public class HmacSha1Aes128CksumType extends CksumType {
return 16; // bytes
}
- public byte[] calculateChecksum(byte[] data, int size) {
- return null;
- }
-
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@@ -78,7 +72,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@@ -98,7 +92,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
* @param checksum
* @return true if verification is successful.
*/
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes256CksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes256CksumType.java
index d9f213b072..9ce9347cc6 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes256CksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes256CksumType.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
/*
@@ -51,7 +49,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -67,10 +65,6 @@ public class HmacSha1Aes256CksumType extends CksumType {
return 32; // bytes
}
- public byte[] calculateChecksum(byte[] data, int size) {
- return null;
- }
-
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@@ -78,7 +72,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@@ -98,7 +92,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
* @param checksum
* @return true if verification is successful.
*/
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Des3KdCksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Des3KdCksumType.java
index 9547ea00ae..81e44205ea 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Des3KdCksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Des3KdCksumType.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
public class HmacSha1Des3KdCksumType extends CksumType {
@@ -45,7 +43,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -61,10 +59,6 @@ public class HmacSha1Des3KdCksumType extends CksumType {
return 24; // bytes
}
- public byte[] calculateChecksum(byte[] data, int size) {
- return null;
- }
-
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@@ -72,7 +66,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@@ -92,7 +86,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
* @param checksum
* @return true if verification is successful.
*/
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5CksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5CksumType.java
index 8a4d324524..e0c4429d7e 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5CksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5CksumType.java
@@ -33,8 +33,6 @@ import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import java.security.MessageDigest;
-import java.security.Provider;
-import java.security.Security;
public final class RsaMd5CksumType extends CksumType {
@@ -49,7 +47,7 @@ public final class RsaMd5CksumType extends CksumType {
return Checksum.CKSUMTYPE_RSA_MD5;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return false;
}
@@ -74,7 +72,8 @@ public final class RsaMd5CksumType extends CksumType {
* @modified by Yanni Zhang, 12/08/99.
*/
- public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{
+ public byte[] calculateChecksum(byte[] data, int size,
+ byte[] key, int usage) throws KrbCryptoException{
MessageDigest md5;
byte[] result = null;
try {
@@ -91,18 +90,9 @@ public final class RsaMd5CksumType extends CksumType {
return result;
}
- public byte[] calculateKeyedChecksum(byte[] data, int size,
- byte[] key, int usage) throws KrbCryptoException {
- return null;
- }
-
- public boolean verifyKeyedChecksum(byte[] data, int size,
- byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
- return false;
- }
-
@Override
- public boolean verifyChecksum(byte[] data, byte[] checksum)
+ public boolean verifyChecksum(byte[] data, int size,
+ byte[] key, byte[] checksum, int usage)
throws KrbCryptoException {
try {
byte[] calculated = MessageDigest.getInstance("MD5").digest(data);
diff --git a/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5DesCksumType.java b/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5DesCksumType.java
index c4c5383316..0d55aed045 100644
--- a/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5DesCksumType.java
+++ b/src/share/classes/sun/security/krb5/internal/crypto/RsaMd5DesCksumType.java
@@ -33,12 +33,8 @@ import sun.security.krb5.Checksum;
import sun.security.krb5.Confounder;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
import javax.crypto.spec.DESKeySpec;
import java.security.MessageDigest;
-import java.security.Provider;
-import java.security.Security;
import java.security.InvalidKeyException;
public final class RsaMd5DesCksumType extends CksumType {
@@ -54,7 +50,7 @@ public final class RsaMd5DesCksumType extends CksumType {
return Checksum.CKSUMTYPE_RSA_MD5_DES;
}
- public boolean isSafe() {
+ public boolean isKeyed() {
return true;
}
@@ -79,7 +75,7 @@ public final class RsaMd5DesCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
- public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+ public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
//prepend confounder
byte[] new_data = new byte[size + confounderSize()];
@@ -88,7 +84,7 @@ public final class RsaMd5DesCksumType extends CksumType {
System.arraycopy(data, 0, new_data, confounderSize(), size);
//calculate md5 cksum
- byte[] mdc_cksum = calculateChecksum(new_data, new_data.length);
+ byte[] mdc_cksum = calculateRawChecksum(new_data, new_data.length);
byte[] cksum = new byte[cksumSize()];
System.arraycopy(conf, 0, cksum, 0, confounderSize());
System.arraycopy(mdc_cksum, 0, cksum, confounderSize(),
@@ -125,7 +121,7 @@ public final class RsaMd5DesCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
- public boolean verifyKeyedChecksum(byte[] data, int size,
+ public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
//decrypt checksum
byte[] cksum = decryptKeyedChecksum(checksum, key);
@@ -135,7 +131,7 @@ public final class RsaMd5DesCksumType extends CksumType {
System.arraycopy(cksum, 0, new_data, 0, confounderSize());
System.arraycopy(data, 0, new_data, confounderSize(), size);
- byte[] new_cksum = calculateChecksum(new_data, new_data.length);
+ byte[] new_cksum = calculateRawChecksum(new_data, new_data.length);
//extract original cksum value
byte[] orig_cksum = new byte[cksumSize() - confounderSize()];
System.arraycopy(cksum, confounderSize(), orig_cksum, 0,
@@ -181,7 +177,7 @@ public final class RsaMd5DesCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
- public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{
+ private byte[] calculateRawChecksum(byte[] data, int size) throws KrbCryptoException{
MessageDigest md5;
byte[] result = null;
try {
@@ -197,5 +193,4 @@ public final class RsaMd5DesCksumType extends CksumType {
}
return result;
}
-
}
diff --git a/test/sun/security/krb5/auto/KDC.java b/test/sun/security/krb5/auto/KDC.java
index 9e9cd977bb..6d25837b15 100644
--- a/test/sun/security/krb5/auto/KDC.java
+++ b/test/sun/security/krb5/auto/KDC.java
@@ -726,7 +726,7 @@ public class KDC {
* @return the key
* @throws sun.security.krb5.KrbException for unknown/unsupported etype
*/
- private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
+ EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
throws KrbException {
try {
// Do not call EncryptionKey.acquireSecretKeys(), otherwise
@@ -797,7 +797,7 @@ public class KDC {
int e2 = eTypes[0]; // etype for outgoing session key
int e3 = eTypes[0]; // etype for outgoing ticket
- PAData[] pas = KDCReqDotPAData(tgsReq);
+ PAData[] pas = tgsReq.pAData;
Ticket tkt = null;
EncTicketPart etp = null;
@@ -828,7 +828,6 @@ public class KDC {
for (PAData pa: pas) {
if (pa.getType() == Krb5.PA_TGS_REQ) {
APReq apReq = new APReq(pa.getValue());
- EncryptedData ed = apReq.authenticator;
tkt = apReq.ticket;
int te = tkt.encPart.getEType();
EncryptionKey kkey = keyForUser(tkt.sname, te, true);
@@ -1282,7 +1281,7 @@ public class KDC {
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
}
- PAData[] inPAs = KDCReqDotPAData(asReq);
+ PAData[] inPAs = asReq.pAData;
List<PAData> enc_outPAs = new ArrayList<>();
byte[] paEncTimestamp = null;
@@ -2100,7 +2099,6 @@ public class KDC {
}
// Calling private methods thru reflections
- private static final Field getPADataField;
private static final Field getEType;
private static final Constructor<EncryptedData> ctorEncryptedData;
private static final Method stringToKey;
@@ -2110,8 +2108,6 @@ public class KDC {
try {
ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class);
ctorEncryptedData.setAccessible(true);
- getPADataField = KDCReq.class.getDeclaredField("pAData");
- getPADataField.setAccessible(true);
getEType = KDCReqBody.class.getDeclaredField("eType");
getEType.setAccessible(true);
stringToKey = EncryptionKey.class.getDeclaredMethod(
@@ -2133,13 +2129,6 @@ public class KDC {
throw new AssertionError(e);
}
}
- private static PAData[] KDCReqDotPAData(KDCReq req) {
- try {
- return (PAData[])getPADataField.get(req);
- } catch (Exception e) {
- throw new AssertionError(e);
- }
- }
private static int[] KDCReqBodyDotEType(KDCReqBody body) {
try {
return (int[]) getEType.get(body);