/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.wss4j.common.kerberos;

import org.apache.directory.shared.kerberos.codec.KerberosDecoder;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncTicketPart;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.apache.directory.shared.kerberos.messages.ApReq;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Iterator;
import java.util.Set;

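/**
 * Decodes a GSS-API KRB_AP_REQ token and decrypts the embedded service ticket with a
 * {@link KerberosKey} taken from the configured {@link Subject}.
 *
 * <p>The token is treated as untrusted input: every structural mismatch (wrong ASN.1 type,
 * wrong mechanism OID, wrong TOK_ID, missing ticket parts, no matching key) is reported as a
 * {@link KerberosTokenDecoderException} rather than surfacing as a {@code ClassCastException}
 * or {@code NullPointerException}.
 *
 * <p>Only the ticket's enc-part is decrypted here; the authenticator and the ticket's validity
 * period are not examined by this class. Decoding is lazy and cached: the first call to a
 * getter decodes the token, and changing the token or subject (or calling {@link #clear()})
 * discards the cached result. Only {@link #decodeServiceTicket()} is synchronized; the setters
 * and getters are not.
 */
public class KerberosTokenDecoderImpl implements KerberosTokenDecoder {

    /** GSS-API mechanism OID of Kerberos V5 (RFC 1964 / RFC 4121). */
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";

    /** TOK_ID of a KRB_AP_REQ inside the initial context token (bytes 01 00 on the wire). */
    private static final int AP_REQ_TOKEN_ID = 0x01;

    /** Kerberos key usage number for the enc-part of a Ticket (encrypted under the service key). */
    private static final int TICKET_KEY_USAGE = 2;

    private static final String INVALID_TOKEN = "invalid kerberos token";

    private byte[] serviceTicket;
    private Subject subject;

    private boolean decoded = false;
    private EncTicketPart encTicketPart;

    /**
     * Clear all internal information, including the cached decoding result.
     */
    @Override
    public void clear() {
        serviceTicket = null;
        subject = null;
        resetDecodedState();
    }

    /**
     * Set the AP-REQ Kerberos Token. Any previously decoded result is discarded so that the
     * getters never return data from an earlier token.
     *
     * @param token the AP-REQ Kerberos Token (copied; may be {@code null})
     */
    @Override
    public void setToken(byte[] token) {
        // Defensive copy: the caller keeps a reference to its array.
        serviceTicket = token == null ? null : token.clone();
        resetDecodedState();
    }

    /**
     * Set the Subject whose private {@link KerberosKey} credentials are used to decrypt the
     * service ticket. Any previously decoded result is discarded.
     *
     * @param subject the Subject
     */
    @Override
    public void setSubject(Subject subject) {
        this.subject = subject;
        resetDecodedState();
    }

    /**
     * Get the session key from the token.
     *
     * @return the raw session key material from the decrypted ticket, or {@code null} if the
     *         ticket carries no key; callers must treat the returned bytes as a secret
     * @throws KerberosTokenDecoderException if no token or subject is set, or the token cannot
     *         be parsed or decrypted
     */
    @Override
    public byte[] getSessionKey() throws KerberosTokenDecoderException {
        ensureDecoded();
        if (encTicketPart != null && encTicketPart.getKey() != null) {
            return encTicketPart.getKey().getKeyValue();
        }
        return null;
    }

    /**
     * Get the client principal name from the decoded service ticket.
     *
     * @return the client principal name, or {@code null} if the decrypted ticket carries no cname
     * @throws KerberosTokenDecoderException if no token or subject is set, or the token cannot
     *         be parsed or decrypted
     */
    @Override
    public String getClientPrincipalName() throws KerberosTokenDecoderException {
        ensureDecoded();
        if (encTicketPart == null || encTicketPart.getCName() == null) {
            return null;
        }
        return encTicketPart.getCName().toString();
    }

    // Drops the cached decoding result so the next getter re-decodes.
    private void resetDecodedState() {
        decoded = false;
        encTicketPart = null;
    }

    // Decodes the token on first use; later calls reuse the cached result.
    private void ensureDecoded() throws KerberosTokenDecoderException {
        if (!decoded) {
            decodeServiceTicket();
        }
    }

    // Decode the service ticket. 'decoded' is only set once parsing has fully succeeded.
    private synchronized void decodeServiceTicket() throws KerberosTokenDecoderException {
        parseServiceTicket(serviceTicket);
        decoded = true;
    }

    /**
     * Parses the service ticket (GSS AP-REQ token) and stores the decrypted EncTicketPart.
     *
     * @param ticket the raw GSS-API initial context token
     * @throws KerberosTokenDecoderException if the token or subject is missing, the token is
     *         malformed, the subject holds no key of the ticket's encryption type, or
     *         decryption fails
     */
    private void parseServiceTicket(byte[] ticket) throws KerberosTokenDecoderException {
        if (ticket == null) {
            throw new KerberosTokenDecoderException("no kerberos token set");
        }
        if (subject == null) {
            throw new KerberosTokenDecoderException("no subject set");
        }
        try {
            // I didn't find a better way how to parse this Kerberos Message...
            byte[] innerToken = unwrapGssToken(ticket);
            try (org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
                    new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(innerToken))) {
                checkMechanismOid(asn1InputStream);
                checkTokenId(asn1InputStream);
                ApReq applicationRequest =
                    KerberosDecoder.decodeApReq(toByteArray(asn1InputStream));
                this.encTicketPart = decryptTicket(applicationRequest);
            }
        } catch (KerberosException | IOException e) {
            throw new KerberosTokenDecoderException(e);
        }
    }

    // Strips the outer [APPLICATION 0] wrapper of the GSS-API token and returns its contents.
    private static byte[] unwrapGssToken(byte[] ticket)
        throws IOException, KerberosTokenDecoderException {
        try (org.bouncycastle.asn1.ASN1InputStream asn1InputStream =
                new org.bouncycastle.asn1.ASN1InputStream(new ByteArrayInputStream(ticket))) {
            // instanceof instead of a blind cast: a malformed token must not escape as a ClassCastException
            Object outer = asn1InputStream.readObject();
            if (!(outer instanceof org.bouncycastle.asn1.DERApplicationSpecific)) {
                throw new KerberosTokenDecoderException(INVALID_TOKEN);
            }
            org.bouncycastle.asn1.DERApplicationSpecific derToken =
                    (org.bouncycastle.asn1.DERApplicationSpecific) outer;
            if (!derToken.isConstructed()) {
                throw new KerberosTokenDecoderException(INVALID_TOKEN);
            }
            return derToken.getContents();
        }
    }

    // Reads the mechanism OID and rejects anything other than the Kerberos V5 OID.
    private static void checkMechanismOid(org.bouncycastle.asn1.ASN1InputStream asn1InputStream)
        throws IOException, KerberosTokenDecoderException {
        Object oid = asn1InputStream.readObject();
        if (!(oid instanceof org.bouncycastle.asn1.ASN1ObjectIdentifier)
            || !KERBEROS_OID.equals(((org.bouncycastle.asn1.ASN1ObjectIdentifier) oid).getId())) {
            throw new KerberosTokenDecoderException(INVALID_TOKEN);
        }
    }

    // Reads the two TOK_ID bytes (low byte first) and requires a KRB_AP_REQ.
    private static void checkTokenId(InputStream inputStream)
        throws IOException, KerberosTokenDecoderException {
        int readLowByte = inputStream.read();
        int readHighByte = inputStream.read();
        // A negative value is EOF; masking it with 0xff would hide a truncated token.
        if (readLowByte < 0 || readHighByte < 0
            || ((readHighByte << 8) | readLowByte) != AP_REQ_TOKEN_ID) {
            throw new KerberosTokenDecoderException(INVALID_TOKEN);
        }
    }

    // Looks up the service key matching the ticket's encryption type and decrypts the enc-part.
    private EncTicketPart decryptTicket(ApReq applicationRequest)
        throws KerberosException, KerberosTokenDecoderException {
        if (applicationRequest == null
            || applicationRequest.getTicket() == null
            || applicationRequest.getTicket().getEncPart() == null
            || applicationRequest.getTicket().getEncPart().getEType() == null) {
            throw new KerberosTokenDecoderException(INVALID_TOKEN);
        }

        final int encryptionType = applicationRequest.getTicket().getEncPart().getEType().getValue();
        KerberosKey kerberosKey = getKrbKey(subject, encryptionType);
        if (kerberosKey == null) {
            // Only the numeric etype is reported; no key material goes into the message.
            throw new KerberosTokenDecoderException(
                "no kerberos key of encryption type " + encryptionType + " found in subject");
        }

        EncryptionKey encryptionKey =
                new EncryptionKey(EncryptionType.getTypeByValue(encryptionType), kerberosKey.getEncoded());

        CipherTextHandler cipherTextHandler = new CipherTextHandler();
        byte[] dec = cipherTextHandler.decrypt(
                     encryptionKey, applicationRequest.getTicket().getEncPart(),
                     KeyUsage.getTypeByOrdinal(TICKET_KEY_USAGE));

        return KerberosDecoder.decodeEncTicketPart(dec);
    }

    /**
     * Finds the first private {@link KerberosKey} credential of the Subject with the given key type.
     *
     * @param sub the Subject holding the service keys (must not be {@code null})
     * @param keyType the Kerberos encryption type value the key must match
     * @return the matching key, or {@code null} if the Subject holds none of that type
     */
    private static KerberosKey getKrbKey(Subject sub, int keyType) {
        // Typed lookup replaces the raw Set/Iterator walk with an instanceof filter.
        Set<KerberosKey> keys = sub.getPrivateCredentials(KerberosKey.class);
        for (KerberosKey key : keys) {
            if (key.getKeyType() == keyType) {
                return key;
            }
        }
        return null;
    }

    /**
     * Reads the remainder of the stream into a byte array.
     *
     * @param inputStream the stream to drain; it is not closed here
     * @return all bytes read until end of stream
     * @throws IOException if reading fails
     */
    private static byte[] toByteArray(InputStream inputStream) throws IOException {
        try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
            byte[] buf = new byte[1024];
            int read;
            while ((read = inputStream.read(buf)) != -1) {
                byteArrayOutputStream.write(buf, 0, read);
            }
            return byteArrayOutputStream.toByteArray();
        }
    }
}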