6821190: more InquireType values for ExtendedGSSContext

Reviewed-by: valeriep

6821190: more InquireType values for ExtendedGSSContext
Reviewed-by: valeriep
4eb3d578 · weijun · 14c23c06 · 4eb3d578 · 4eb3d578 · 4eb3d578
10 changed file
--- a/src/share/classes/com/sun/security/jgss/AuthorizationDataEntry.java
+++ b/src/share/classes/com/sun/security/jgss/AuthorizationDataEntry.java
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package com.sun.security.jgss;
+
+/**
+ * Kerberos 5 AuthorizationData entry.
+ */
+final public class AuthorizationDataEntry {
+
+    private final int type;
+    private final byte[] data;
+
+    /**
+     * Create an AuthorizationDataEntry object.
+     * @param type the ad-type
+     * @param data the ad-data, a copy of the data will be saved
+     * inside the object.
+     */
+    public AuthorizationDataEntry(int type, byte[] data) {
+        this.type = type;
+        this.data = data.clone();
+    }
+
+    /**
+     * Get the ad-type field.
+     * @return ad-type
+     */
+    public int getType() {
+        return type;
+    }
+
+    /**
+     * Get a copy of the ad-data field.
+     * @return ad-data
+     */
+    public byte[] getData() {
+        return data.clone();
+    }
+
+    public String toString() {
+        return "AuthorizationDataEntry: type="+type+", data=" +
+                data.length + " bytes:\n" +
+                new sun.misc.HexDumpEncoder().encode(data);
+    }
+}
--- a/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
+++ b/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
@@ -39,6 +39,11 @@ public interface ExtendedGSSContext extends GSSContext {
     * For each supported attribute type, the type for the output are
     * defined below.
     * <ol>
+     * <li>{@code KRB5_GET_TKT_FLAGS}:
+     * the returned object is a boolean array for the service ticket flags,
+     * which is long enough to contain all true bits. This means if
+     * the user wants to get the <em>n</em>'th bit but the length of the
+     * returned array is less than <em>n</em>, it is regarded as false.
     * <li>{@code KRB5_GET_SESSION_KEY}:
     * the returned object is an instance of {@link java.security.Key},
     * which has the following properties:
@@ -48,6 +53,13 @@ public interface ExtendedGSSContext extends GSSContext {
     *    <li>Format: "RAW"
     *    <li>Encoded form: the raw key bytes, not in any ASN.1 encoding
     *    </ul>
+     * <li>{@code KRB5_GET_AUTHZ_DATA}:
+     * the returned object is an array of
+     * {@link com.sun.security.jgss.AuthorizationDataEntry}, or null if the
+     * optional field is missing in the service ticket.
+     * <li>{@code KRB5_GET_AUTHTIME}:
+     * the returned object is a String object in the standard KerberosTime
+     * format defined in RFC 4120 5.2.3
     * </ol>
     *
     * If there is a security manager, an {@link InquireSecContextPermission}

--- a/src/share/classes/com/sun/security/jgss/InquireType.java
+++ b/src/share/classes/com/sun/security/jgss/InquireType.java
@@ -32,7 +32,23 @@ package com.sun.security.jgss;
 public enum InquireType {
    /**
     * Attribute type for retrieving the session key of an
-     * established security context.
+     * established Kerberos 5 security context.
     */
-    KRB5_GET_SESSION_KEY
+    KRB5_GET_SESSION_KEY,
+    /**
+     * Attribute type for retrieving the service ticket flags of an
+     * established Kerberos 5 security context.
+     */
+    KRB5_GET_TKT_FLAGS,
+    /**
+     * Attribute type for retrieving the authorization data in the
+     * service ticket of an established Kerberos 5 security context.
+     * Only supported on the acceptor side.
+     */
+    KRB5_GET_AUTHZ_DATA,
+    /**
+     * Attribute type for retrieving the authtime in the service ticket
+     * of an established Kerberos 5 security context.
+     */
+    KRB5_GET_AUTHTIME
 }
--- a/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
+++ b/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -25,12 +25,14 @@

 package sun.security.jgss.krb5;

+import com.sun.security.jgss.AuthorizationDataEntry;
 import org.ietf.jgss.*;
 import java.io.InputStream;
-import java.io.OutputStream;
 import java.io.IOException;
 import sun.security.krb5.*;
 import java.net.InetAddress;
+import sun.security.krb5.internal.AuthorizationData;
+import sun.security.krb5.internal.KerberosTime;

 class InitSecContextToken extends InitialToken {

@@ -59,6 +61,9 @@ class InitSecContextToken extends InitialToken {

        Checksum checksum = gssChecksum.getChecksum();

+        context.setTktFlags(serviceTicket.getFlags());
+        context.setAuthTime(
+                new KerberosTime(serviceTicket.getAuthTime()).toString());
        apReq = new KrbApReq(serviceTicket,
                             mutualRequired,
                             useSubkey,
@@ -143,6 +148,21 @@ class InitSecContextToken extends InitialToken {
            // Use the same sequence number as the peer
            // (Behaviour exhibited by the Windows SSPI server)
            context.resetMySequenceNumber(peerSeqNumber);
+        context.setAuthTime(
+                new KerberosTime(apReq.getCreds().getAuthTime()).toString());
+        context.setTktFlags(apReq.getCreds().getFlags());
+        AuthorizationData ad = apReq.getCreds().getAuthzData();
+        if (ad == null) {
+            context.setAuthzData(null);
+        } else {
+            AuthorizationDataEntry[] authzData =
+                    new AuthorizationDataEntry[ad.count()];
+            for (int i=0; i<ad.count(); i++) {
+                authzData[i] = new AuthorizationDataEntry(
+                        ad.item(i).adType, ad.item(i).adData);
+            }
+            context.setAuthzData(authzData);
+        }
    }

    public final KrbApReq getKrbApReq() {

--- a/src/share/classes/sun/security/jgss/krb5/Krb5Context.java
+++ b/src/share/classes/sun/security/jgss/krb5/Krb5Context.java
@@ -1290,7 +1290,7 @@ class Krb5Context implements GSSContextSpi {
     * The session key returned by inquireSecContext(KRB5_INQ_SSPI_SESSION_KEY)
     */
    static class KerberosSessionKey implements Key {
-        private EncryptionKey key;
+        private final EncryptionKey key;

        KerberosSessionKey(EncryptionKey key) {
            this.key = key;
@@ -1320,19 +1320,46 @@ class Krb5Context implements GSSContextSpi {

    /**
     * Return the mechanism-specific attribute associated with {@code type}.
-     * Only KRB5_GET_SESSION_KEY is supported now.
     */
    public Object inquireSecContext(InquireType type)
            throws GSSException {
-        if (type == InquireType.KRB5_GET_SESSION_KEY) {
-            if (key == null) {
-                throw new GSSException(GSSException.NO_CONTEXT, -1,
-                        "Session key not established.");
-            } else {
+        if (!isEstablished()) {
+             throw new GSSException(GSSException.NO_CONTEXT, -1,
+                     "Security context not established.");
+        }
+        switch (type) {
+            case KRB5_GET_SESSION_KEY:
                return new KerberosSessionKey(key);
-            }
+            case KRB5_GET_TKT_FLAGS:
+                return tktFlags.clone();
+            case KRB5_GET_AUTHZ_DATA:
+                if (isInitiator()) {
+                    throw new GSSException(GSSException.UNAVAILABLE, -1,
+                            "AuthzData not available on initiator side.");
+                } else {
+                    return (authzData==null)?null:authzData.clone();
+                }
+            case KRB5_GET_AUTHTIME:
+                return authTime;
        }
        throw new GSSException(GSSException.UNAVAILABLE, -1,
                "Inquire type not supported.");
    }
+
+    // Helpers for inquireSecContext
+    private boolean[] tktFlags;
+    private String authTime;
+    private com.sun.security.jgss.AuthorizationDataEntry[] authzData;
+
+    public void setTktFlags(boolean[] tktFlags) {
+        this.tktFlags = tktFlags;
+    }
+
+    public void setAuthTime(String authTime) {
+        this.authTime = authTime;
+    }
+
+    public void setAuthzData(com.sun.security.jgss.AuthorizationDataEntry[] authzData) {
+        this.authzData = authzData;
+    }
 }
--- a/src/share/classes/sun/security/krb5/Credentials.java
+++ b/src/share/classes/sun/security/krb5/Credentials.java
 /*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -63,12 +63,29 @@ public class Credentials {
    KerberosTime renewTill;
    HostAddresses cAddr;
    EncryptionKey serviceKey;
+    AuthorizationData authzData;
    private static boolean DEBUG = Krb5.DEBUG;
    private static CredentialsCache cache;
    static boolean alreadyLoaded = false;
    private static boolean alreadyTried = false;
    private static native Credentials acquireDefaultNativeCreds();

+    public Credentials(Ticket new_ticket,
+                       PrincipalName new_client,
+                       PrincipalName new_server,
+                       EncryptionKey new_key,
+                       TicketFlags new_flags,
+                       KerberosTime authTime,
+                       KerberosTime new_startTime,
+                       KerberosTime new_endTime,
+                       KerberosTime renewTill,
+                       HostAddresses cAddr,
+                       AuthorizationData authzData) {
+        this(new_ticket, new_client, new_server, new_key, new_flags,
+                authTime, new_startTime, new_endTime, renewTill, cAddr);
+        this.authzData = authzData;
+    }
+
    public Credentials(Ticket new_ticket,
                       PrincipalName new_client,
                       PrincipalName new_server,
@@ -213,6 +230,9 @@ public class Credentials {
        return flags;
    }

+    public AuthorizationData getAuthzData() {
+        return authzData;
+    }
    /**
     * Checks if the service ticket returned by the KDC has the OK-AS-DELEGATE
     * flag set

--- a/src/share/classes/sun/security/krb5/KrbApReq.java
+++ b/src/share/classes/sun/security/krb5/KrbApReq.java
 /*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -356,12 +356,13 @@ public class KrbApReq {
                                authenticator.cname,
                                apReqMessg.ticket.sname,
                                enc_ticketPart.key,
-                                null,
+                                enc_ticketPart.flags,
                                enc_ticketPart.authtime,
                                enc_ticketPart.starttime,
                                enc_ticketPart.endtime,
                                enc_ticketPart.renewTill,
-                                enc_ticketPart.caddr);
+                                enc_ticketPart.caddr,
+                                enc_ticketPart.authorizationData);
        if (DEBUG) {
            System.out.println(">>> KrbApReq: authenticate succeed.");
        }

--- a/src/share/classes/sun/security/krb5/internal/AuthorizationData.java
+++ b/src/share/classes/sun/security/krb5/internal/AuthorizationData.java
@@ -174,4 +174,12 @@ public class AuthorizationData implements Cloneable {
        }
        return retVal;
    }
+
+    public int count() {
+        return entry.length;
+    }
+
+    public AuthorizationDataEntry item(int i) {
+        return (AuthorizationDataEntry)entry[i].clone();
+    }
 }
--- a/src/share/classes/sun/security/tools/PolicyTool.java
+++ b/src/share/classes/sun/security/tools/PolicyTool.java
@@ -3962,7 +3962,10 @@ class InqSecContextPerm extends Perm {
    super("InquireSecContextPermission",
        "com.sun.security.jgss.InquireSecContextPermission",
        new String[]    {
-                "KRB5_GET_SESSION_KEY"
+                "KRB5_GET_SESSION_KEY",
+                "KRB5_GET_TKT_FLAGS",
+                "KRB5_GET_AUTHZ_DATA",
+                "KRB5_GET_AUTHTIME"
                },
        null);
    }

--- a/test/sun/security/krb5/auto/Context.java
+++ b/test/sun/security/krb5/auto/Context.java
@@ -41,6 +41,7 @@ import org.ietf.jgss.MessageProp;
 import org.ietf.jgss.Oid;
 import com.sun.security.jgss.ExtendedGSSContext;
 import com.sun.security.jgss.InquireType;
+import com.sun.security.jgss.AuthorizationDataEntry;

 /**
 * Context of a JGSS subject, encapsulating Subject and GSSContext.
@@ -288,6 +289,23 @@ public class Context {
                    throw new Exception("Session key cannot be null");
                }
                System.out.println("Session key is: " + k);
+                boolean[] flags = (boolean[])ex.inquireSecContext(
+                        InquireType.KRB5_GET_TKT_FLAGS);
+                if (flags == null) {
+                    throw new Exception("Ticket flags cannot be null");
+                }
+                System.out.println("Ticket flags is: " + Arrays.toString(flags));
+                String authTime = (String)ex.inquireSecContext(
+                        InquireType.KRB5_GET_AUTHTIME);
+                if (authTime == null) {
+                    throw new Exception("Auth time cannot be null");
+                }
+                System.out.println("AuthTime is: " + authTime);
+                if (!x.isInitiator()) {
+                    AuthorizationDataEntry[] ad = (AuthorizationDataEntry[])ex.inquireSecContext(
+                            InquireType.KRB5_GET_AUTHZ_DATA);
+                    System.out.println("AuthzData is: " + Arrays.toString(ad));
+                }
            }
        }
    }