org.apache.directory.shared.kerberos

Class KerberosUtils

java.lang.Object

org.apache.directory.shared.kerberos.KerberosUtils

public class KerberosUtils
extends java.lang.Object

An utility class for Kerberos.

Field Summary

Fields

Modifier and Type	Field and Description
private static java.util.Map<java.lang.String,java.lang.String>	cipherAlgoMap an order preserved map containing cipher names to the corresponding algorithm names in the descending order of strength
static java.util.List<java.lang.String>	EMPTY_PRINCIPAL_NAME An empty list of principal names
static int	NULL A constant for integer optional values
private static java.util.Set<EncryptionType>	oldEncTypes
static java.text.SimpleDateFormat	UTC_DATE_FORMAT Defines a default date format with a "yyyyMMddHHmmss'Z'" pattern
static java.util.TimeZone	UTC_TIME_ZONE

Constructor Summary

Constructors

Constructor and Description
KerberosUtils()

Method Summary

Modifier and Type	Method and Description
static java.lang.String	getAlgoNameFromEncType(EncryptionType encType)
static EncryptionType	getBestEncryptionType(java.util.Set<EncryptionType> requestedTypes, java.util.Set<EncryptionType> configuredTypes) Get the matching encryption type from the configured types, searching into the requested types.
static java.lang.String	getEncryptionTypesString(java.util.Set<EncryptionType> encryptionTypes) Build a list of encryptionTypes
static PrincipalStoreEntry	getEntry(javax.security.auth.kerberos.KerberosPrincipal principal, PrincipalStore store, ErrorType errorType) Get a PrincipalStoreEntry given a principal.
static javax.security.auth.kerberos.KerberosPrincipal	getKerberosPrincipal(PrincipalName principal, java.lang.String realm) Constructs a KerberosPrincipal from a PrincipalName and an optional realm
static java.util.List<java.lang.String>	getNames(javax.security.auth.kerberos.KerberosPrincipal principal) Parse a KerberosPrincipal instance and return the names.
static java.util.List<java.lang.String>	getNames(java.lang.String principalNames) Parse a PrincipalName and return the names.
static boolean	isKerberosString(byte[] value)
static boolean	isNewEncryptionType(EncryptionType eType) checks if the given encryption type is *new* (ref sec#3.1.3 of rfc4120)
static java.util.Set<EncryptionType>	orderEtypesByStrength(java.util.Set<EncryptionType> etypes) Order a list of EncryptionType in a decreasing strength order
static Authenticator	verifyAuthHeader(ApReq authHeader, Ticket ticket, EncryptionKey serverKey, long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, java.net.InetAddress clientAddress, CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate) Verifies an AuthHeader using guidelines from RFC 1510 section A.10., "KRB_AP_REQ verification."

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NULL

public static final int NULL

A constant for integer optional values

See Also:

Constant Field Values

EMPTY_PRINCIPAL_NAME

public static final java.util.List<java.lang.String> EMPTY_PRINCIPAL_NAME

An empty list of principal names

cipherAlgoMap

private static final java.util.Map<java.lang.String,java.lang.String> cipherAlgoMap

an order preserved map containing cipher names to the corresponding algorithm names in the descending order of strength

UTC_TIME_ZONE

public static final java.util.TimeZone UTC_TIME_ZONE

UTC_DATE_FORMAT

public static final java.text.SimpleDateFormat UTC_DATE_FORMAT

Defines a default date format with a "yyyyMMddHHmmss'Z'" pattern

oldEncTypes

private static final java.util.Set<EncryptionType> oldEncTypes

Constructor Detail

KerberosUtils

public KerberosUtils()

Method Detail

getNames

public static java.util.List<java.lang.String> getNames(javax.security.auth.kerberos.KerberosPrincipal principal)
                                                 throws java.text.ParseException

Parse a KerberosPrincipal instance and return the names. The Principal name is described in RFC 1964 :

This name type corresponds to the single-string representation of a
Kerberos name. (Within the MIT Kerberos V5 implementation, such
names are parseable with the krb5_parse_name() function.) The
elements included within this name representation are as follows,
proceeding from the beginning of the string:

(1) One or more principal name components; if more than one
principal name component is included, the components are
separated by `/`. Arbitrary octets may be included within
principal name components, with the following constraints and
special considerations:

(1a) Any occurrence of the characters `@` or `/` within a
name component must be immediately preceded by the `\`
quoting character, to prevent interpretation as a component
or realm separator.

(1b) The ASCII newline, tab, backspace, and null characters
may occur directly within the component or may be
represented, respectively, by `\n`, `\t`, `\b`, or `\0`.

(1c) If the `\` quoting character occurs outside the contexts
described in (1a) and (1b) above, the following character is
interpreted literally. As a special case, this allows the
doubled representation `\\` to represent a single occurrence
of the quoting character.

(1d) An occurrence of the `\` quoting character as the last
character of a component is illegal.

(2) Optionally, a `@` character, signifying that a realm name
immediately follows. If no realm name element is included, the
local realm name is assumed. The `/` , `:`, and null characters
may not occur within a realm name; the `@`, newline, tab, and
backspace characters may be included using the quoting
conventions described in (1a), (1b), and (1c) above.

Parameters:

principal - The principal to be parsed

Returns:

The names as a List of nameComponent

Throws:

java.text.ParseException - if the name is not valid

getNames

public static java.util.List<java.lang.String> getNames(java.lang.String principalNames)
                                                 throws java.text.ParseException

Parse a PrincipalName and return the names.

Throws:

java.text.ParseException

getKerberosPrincipal

public static javax.security.auth.kerberos.KerberosPrincipal getKerberosPrincipal(PrincipalName principal,
                                                                                  java.lang.String realm)

Constructs a KerberosPrincipal from a PrincipalName and an optional realm

Parameters:

principal - The principal name and type

realm - The optional realm

Returns:

A KerberosPrincipal

getBestEncryptionType

public static EncryptionType getBestEncryptionType(java.util.Set<EncryptionType> requestedTypes,
                                                   java.util.Set<EncryptionType> configuredTypes)

Get the matching encryption type from the configured types, searching into the requested types. We returns the first we find.

Parameters:

requestedTypes - The client encryption types

configuredTypes - The configured encryption types

Returns:

The first matching encryption type.

getEncryptionTypesString

public static java.lang.String getEncryptionTypesString(java.util.Set<EncryptionType> encryptionTypes)

Build a list of encryptionTypes

Parameters:

encryptionTypes - The encryptionTypes

Returns:

A list comma separated of the encryptionTypes

isKerberosString

public static boolean isKerberosString(byte[] value)

getAlgoNameFromEncType

public static java.lang.String getAlgoNameFromEncType(EncryptionType encType)

orderEtypesByStrength

public static java.util.Set<EncryptionType> orderEtypesByStrength(java.util.Set<EncryptionType> etypes)

Order a list of EncryptionType in a decreasing strength order

Parameters:

etypes - The ETypes to order

Returns:

A list of ordered ETypes. he strongest is on the left.

getEntry

public static PrincipalStoreEntry getEntry(javax.security.auth.kerberos.KerberosPrincipal principal,
                                           PrincipalStore store,
                                           ErrorType errorType)
                                    throws KerberosException

Get a PrincipalStoreEntry given a principal. The ErrorType is used to indicate whether any resulting error pertains to a server or client.

Throws:

KerberosException

verifyAuthHeader

public static Authenticator verifyAuthHeader(ApReq authHeader,
                                             Ticket ticket,
                                             EncryptionKey serverKey,
                                             long clockSkew,
                                             ReplayCache replayCache,
                                             boolean emptyAddressesAllowed,
                                             java.net.InetAddress clientAddress,
                                             CipherTextHandler lockBox,
                                             KeyUsage authenticatorKeyUsage,
                                             boolean isValidate)
                                      throws KerberosException

Verifies an AuthHeader using guidelines from RFC 1510 section A.10., "KRB_AP_REQ verification."

Parameters:

authHeader -

ticket -

serverKey -

clockSkew -

replayCache -

emptyAddressesAllowed -

clientAddress -

lockBox -

authenticatorKeyUsage -

isValidate -

Returns:

The authenticator.

Throws:

KerberosException

isNewEncryptionType

public static boolean isNewEncryptionType(EncryptionType eType)

checks if the given encryption type is *new* (ref sec#3.1.3 of rfc4120)

Parameters:

eType - the encryption type

Returns:

true if the encryption type is new, false otherwise