/* * Copyright ( c ) 2008 , 2022 , Oracle and / or its affiliates . All rights reserved . * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER . * * This code is free software ; you can redistribute it and / or modify it * under the terms of the GNU General Public License version 2 only , as * published by the Free Software Foundation . * * This code is distributed in the hope that it will be useful , but WITHOUT * ANY WARRANTY ; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE . See the GNU General Public License * version 2 for more details ( a copy is included in the LICENSE file that * accompanied this code ) . * * You should have received a copy of the GNU General Public License version * 2 along with this work ; if not , write to the Free Software Foundation , * Inc . , 51 Franklin St , Fifth Floor , Boston , MA 02110 - 1301 USA . * * Please contact Oracle , 500 Oracle Parkway , Redwood Shores , CA 94065 USA * or visit www . oracle . com if you need additional information or have any * questions . import com.sun.security.auth.module.Krb5LoginModule;import java.io.IOException;import java.lang.reflect.InvocationTargetException;import java.lang.reflect.Method;import java.util.Arrays;import java.util.HashMap;import java.util.Map;import javax.security.auth.Subject;import javax.security.auth.callback.Callback;import javax.security.auth.callback.CallbackHandler;import javax.security.auth.callback.NameCallback;import javax.security.auth.callback.PasswordCallback;import javax.security.auth.callback.UnsupportedCallbackException;import javax.security.auth.kerberos.KerberosKey;import javax.security.auth.kerberos.KerberosTicket;import javax.security.auth.login.LoginContext;import org.ietf.jgss.GSSContext;import org.ietf.jgss.GSSCredential;import org.ietf.jgss.GSSException;import org.ietf.jgss.GSSManager;import org.ietf.jgss.GSSName;import org.ietf.jgss.MessageProp;import org.ietf.jgss.Oid;import sun.security.jgss.krb5.Krb5Util;import sun.security.krb5.Credentials;import sun.security.krb5.internal.ccache.CredentialsCache;import java.io.ByteArrayInputStream;import java.io.ByteArrayOutputStream;import java.security.Principal;import java.util.Set;import java.util.concurrent.Callable;import java.util.concurrent.CompletionException;/** * Context of a JGSS subject , encapsulating Subject and GSSContext . * * Three " constructors " , which acquire the ( private ) credentials and fill * it into the Subject : * * 1 . static fromJAAS ( ) : Creates a Context using a JAAS login config entry * 2 . static fromUserPass ( ) : Creates a Context using a username and a password * 3 . delegated ( ) : A new context which uses the delegated credentials from a * previously established acceptor Context * * Two context initiators , which create the GSSContext object inside : * * 1 . startAsClient ( ) * 2 . startAsServer ( ) * * Privileged action : * doAs ( ) : Performs an action in the name of the Subject * * Handshake process : * static handShake ( initiator , acceptor ) * * A four - phase typical data communication which includes all four GSS * actions ( wrap , unwrap , getMic and veryfyMiC ) : * static transmit ( message , from , to ) public class Context {private Subject s;private GSSContext x;private String name;private GSSCredential cred; // see static method delegated(). static boolean usingStream = false ;private Context() {}/** * Using the delegated credentials from a previous acceptor public Context delegated() throws Exception {new Context();try {new Callable<GSSCredential>() {public GSSCredential call() throws Exception {if (cred == null && x.getCredDelegState() ||null && !x.getCredDelegState()) {throw new Exception("getCredDelegState not match" );return cred;catch (CompletionException ce) {throw (Exception) ce.getCause();" as " + out.cred.getName().toString();return out;/** * No JAAS login at all , can be used to test JGSS without JAAS public static Context fromThinAir() throws Exception {new Context();new Subject();return out;/** * Logins with a JAAS login config entry name public static Context fromJAAS(final String name) throws Exception {new Context();new LoginContext(name);return out;/** * Logins with username / password as a new Subject public static Context fromUserPass(char [] pass, boolean storeKey) throws Exception {return fromUserPass(new Subject(), user, pass, storeKey);/** * Logins with username / password as an existing Subject . The * same subject can be used multiple times to simulate multiple logins . public static Context fromUserPass(Subject s,char [] pass, boolean storeKey) throws Exception {new Context();new Krb5LoginModule();new HashMap<>();new HashMap<>();if (storeKey) {"storeKey" , "true" );if (pass != null ) {new CallbackHandler() {public void handle(Callback[] callbacks)throws IOException, UnsupportedCallbackException {for (Callback cb: callbacks) {if (cb instanceof NameCallback) {else if (cb instanceof PasswordCallback) {else {"doNotPrompt" , "true" );"useTicketCache" , "true" );if (user != null ) {"principal" , user);null , shared, map);return out;/** * Logins with username / keytab as an existing Subject . The * same subject can be used multiple times to simulate multiple logins . public static Context fromUserKtab(boolean storeKey) throws Exception {return fromUserKtab(new Subject(), user, ktab, storeKey);/** * Logins with username / keytab as a new subject , public static Context fromUserKtab(Subject s,boolean storeKey) throws Exception {return fromUserKtab(s, user, ktab, false , storeKey);/** * Logins with username / keytab as a client . public static Context fromUserKtabAsClient(boolean storeKey) throws Exception {return fromUserKtab(new Subject(), user, ktab, true , storeKey);private static Context fromUserKtab(Subject s,boolean isInitiator, boolean storeKey) throws Exception {new Context();new Krb5LoginModule();new HashMap<>();"isInitiator" , Boolean .toString(isInitiator));"doNotPrompt" , "true" );"useTicketCache" , "false" );"useKeyTab" , "true" );"keyTab" , ktab);"principal" , user);if (storeKey) {"storeKey" , "true" );null , null , map);return out;/** * Starts as a client * @ param target communication peer * @ param mech GSS mech * @ throws java . lang . Exception public void startAsClient(final String target, final Oid mech) throws Exception {new Action() {public byte [] run(Context me, byte [] dummy) throws Exception {'@' ) < 0 ?null ) :return null ;null );/** * Starts as a server * @ param mech GSS mech * @ throws java . lang . Exception public void startAsServer(final Oid mech) throws Exception {null , mech, false );public void startAsServer(final String name, final Oid mech) throws Exception {false );/** * Starts as a server with the specified service name * @ param name the service name * @ param mech GSS mech * @ throws java . lang . Exception public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception {new Action() {public byte [] run(Context me, byte [] dummy) throws Exception {null ? null :'@' ) < 0 ?null ) :return null ;null );/** * Accesses the internal GSSContext object . Currently it ' s used for - - * * 1 . calling requestXXX ( ) before handshake * 2 . accessing source name * * Note : If the application needs to do any privileged call on this * object , please use doAs ( ) . Otherwise , it can be done directly . The * methods listed above are all non - privileged calls . * * @ return the GSSContext object public GSSContext x() {return x;/** * Accesses the internal subject . * @ return the subject public Subject s() {return s;/** * Returns the cred inside , if there is one public GSSCredential cred() {return cred;/** * Disposes the GSSContext within * @ throws org . ietf . jgss . GSSException public void dispose() throws GSSException {/** * Does something using the Subject inside * @ param action the action * @ param in the input byte * @ return the output byte * @ throws java . lang . Exception public byte [] doAs(final Action action, final byte [] in) throws Exception {try {return Subject.callAs(s, new Callable<byte []>() {public byte [] call() throws Exception {return action.run(Context.this , in);catch (CompletionException ce) {throw (Exception) ce.getCause();/** * Prints status of GSSContext and Subject * @ throws java . lang . Exception public void status() throws Exception {"STATUS OF " + name.toUpperCase());if (x != null ) {new StringBuffer();if (x.getAnonymityState()) {"anon, " );if (x.getConfState()) {"conf, " );if (x.getCredDelegState()) {"deleg, " );if (x.getIntegState()) {"integ, " );if (x.getMutualAuthState()) {"mutual, " );if (x.getReplayDetState()) {"rep det, " );if (x.getSequenceDetState()) {"seq det, " );" Context status of " + name + ": " + sb.toString());if (x.isProtReady() || x.isEstablished()) {" " + x.getSrcName() + " -> " + x.getTargName());if (s != null ) {"====== START SUBJECT CONTENT =====" );for (Principal p : s.getPrincipals()) {" Principal: " + p);for (Object o : s.getPublicCredentials()) {" " + o.getClass());" " + o);"====== Private Credentials Set ======" );for (Object o : s.getPrivateCredentials()) {" " + o.getClass());if (o instanceof KerberosTicket) {" " + kt.getServer() + " for " + kt.getClient());else if (o instanceof KerberosKey) {" " + kk.getKeyType() + " " + kk.getVersionNumber() + " " + kk.getAlgorithm() + " " );for (byte b : kk.getEncoded()) {"%02X" , b & 0 xff);else if (o instanceof Map) {for (Object k : map.keySet()) {" " + k + ": " + map.get(k));else {" " + o);"====== END SUBJECT CONTENT =====" );public void xstatus() throws Exception {" Extended context status:" );if (x != null ) {try {Class <?> clazz = Class .forName("com.sun.security.jgss.ExtendedGSSContext" );if (clazz.isAssignableFrom(x.getClass())) {if (clazz.getMethod("getDelegPolicyState" ).invoke(x) == Boolean .TRUE ) {" deleg policy" );if (x.isEstablished()) {Class <?> inqType = Class .forName("com.sun.security.jgss.InquireType" );"inquireSecContext" , inqType);for (Object o : inqType.getEnumConstants()) {" " + o + ":" );try {" " + inqMethod.invoke(x, o));catch (Exception e) {catch (ClassNotFoundException cnfe) {" -- ExtendedGSSContext not available" );if (cred != null ) {try {Class <?> clazz2 = Class .forName("com.sun.security.jgss.ExtendedGSSCredential" );if (!clazz2.isAssignableFrom(cred.getClass())) {throw new Exception("cred is not extended" );catch (ClassNotFoundException cnfe) {" -- ExtendedGSSCredential not available" );public byte [] wrap(byte [] t, final boolean privacy)throws Exception {return doAs(new Action() {public byte [] run(Context me, byte [] input) throws Exception {"wrap %s privacy from %s: " , privacy?"with" :"without" , me.name);new MessageProp(0 , privacy);byte [] out;if (usingStream) {new ByteArrayOutputStream();new ByteArrayInputStream(input), os, p1);else {0 , input.length, p1);if ((x.getConfState() && privacy) != p1.getPrivacy()) {throw new Exception("unexpected privacy status" );return out;public byte [] unwrap(byte [] t, final boolean privacyExpected)throws Exception {return doAs(new Action() {public byte [] run(Context me, byte [] input) throws Exception {"unwrap from %s" , me.name);new MessageProp(0 , true );byte [] bytes;if (usingStream) {new ByteArrayOutputStream();new ByteArrayInputStream(input), os, p1);else {0 , input.length, p1);if (p1.getPrivacy() != privacyExpected) {throw new Exception("Unexpected privacy: " + p1.getPrivacy());return bytes;public byte [] getMic(byte [] t) throws Exception {return doAs(new Action() {public byte [] run(Context me, byte [] input) throws Exception {new MessageProp(0 , true );byte [] bytes;new MessageProp(0 , true );"getMic from %s: " , me.name);if (usingStream) {new ByteArrayOutputStream();new ByteArrayInputStream(input), os, p1);else {0 , input.length, p1);return bytes;public void verifyMic(byte [] t, final byte [] msg) throws Exception {new Action() {public byte [] run(Context me, byte [] input) throws Exception {new MessageProp(0 , true );"verifyMic from %s: " , me.name);if (usingStream) {new ByteArrayInputStream(input),new ByteArrayInputStream(msg), p1);else {0 , input.length,0 , msg.length,if (p1.isUnseqToken() || p1.isOldToken()throw new Exception("Wrong sequence number detected" );return null ;/** * Transmits a message from one Context to another . The sender wraps the * message and sends it to the receiver . The receiver unwraps it , creates * a MIC of the clear text and sends it back to the sender . The sender * verifies the MIC against the message sent earlier . * @ param message the message * @ param s1 the sender * @ param s2 the receiver * @ throws java . lang . Exception If anything goes wrong static public void transmit(String message, final Context s1,final Context s2) throws Exception {/** * Transmits a message from one Context to another . The sender wraps the * message and sends it to the receiver . The receiver unwraps it , creates * a MIC of the clear text and sends it back to the sender . The sender * verifies the MIC against the message sent earlier . * @ param messageBytes the message * @ param s1 the sender * @ param s2 the receiver * @ throws java . lang . Exception If anything goes wrong static public void transmit(byte [] messageBytes, final Context s1,final Context s2) throws Exception {"-------------------- TRANSMIT from %s to %s------------------------\n" ,byte [] wrapped = s1.wrap(messageBytes, true );byte [] unwrapped = s2.unwrap(wrapped, s2.x.getConfState());if (!Arrays.equals(messageBytes, unwrapped)) {throw new Exception("wrap/unwrap mismatch" );byte [] mic = s2.getMic(unwrapped);/** * Returns a string description of a MessageProp object * @ param prop the object * @ return the description static public String printProp(MessageProp prop) {new StringBuffer();"MessagePop: " );"QOP=" + prop.getQOP() + ", " );"privacy, " :"" );"dup, " :"" );"gap, " :"" );"old, " :"" );"unseq, " :"" );if (prop.getMinorStatus() != 0 ) {"(" + prop.getMinorStatus()+")" );return sb.toString();public Context impersonate(final String someone) throws Exception {try {new Callable<GSSCredential>() {public GSSCredential call() throws Exception {if (Context.this .cred == null ) {this .cred = m.createCredential(GSSCredential.INITIATE_ONLY);return (GSSCredential)Class .forName("com.sun.security.jgss.ExtendedGSSCredential" )"impersonate" , GSSName.class )this .cred, other);new Context();" as " + out.cred.getName().toString();return out;catch (CompletionException ce) {if (e instanceof InvocationTargetException) {throw (Exception)((InvocationTargetException) e).getTargetException();else {throw e;public byte [] take(final byte [] in) throws Exception {return doAs(new Action() {public byte [] run(Context me, byte [] input) throws Exception {if (me.x.isEstablished()) {" side established" );if (input != null ) {throw new Exception("Context established but " +"still receive token at " + name);return null ;else {if (me.x.isInitiator()) {" call initSecContext" );return me.x.initSecContext(input, 0 , input.length);else {" call acceptSecContext" );return me.x.acceptSecContext(input, 0 , input.length);/** * Saves the tickets to a ccache file . * * @ param file pathname of the ccache file * @ return true if created , false otherwise . public boolean ccache(String file) throws Exception {class );if (tickets != null && !tickets.isEmpty()) {null ;for (KerberosTicket t : tickets) {if (cc == null ) {if (cc != null ) {return true ;return false ;/** * Handshake ( security context establishment process ) between two Contexts * @ param c the initiator * @ param s the acceptor * @ throws java . lang . Exception static public void handshake(final Context c, final Context s) throws Exception {byte [] t = new byte [0 ];while (true ) {if (t != null || !c.x.isEstablished()) t = c.take(t);if (t != null || !s.x.isEstablished()) t = s.take(t);if (c.x.isEstablished() && s.x.isEstablished()) break ;
Messung V0.5 in Prozent C=85 H=91 G=87
¤ Dauer der Verarbeitung: 0.15 Sekunden
(vorverarbeitet am 2026-06-10)
¤ *© Formatika GbR, Deutschland
