1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21 package org.apache.directory.server.kerberos.shared.crypto.encryption;
22
23
24 import java.io.IOException;
25 import java.util.Collections;
26 import java.util.HashMap;
27 import java.util.Map;
28
29 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
30 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
31 import org.apache.directory.server.kerberos.shared.io.decoder.AuthenticatorDecoder;
32 import org.apache.directory.server.kerberos.shared.io.decoder.AuthorizationDataDecoder;
33 import org.apache.directory.server.kerberos.shared.io.decoder.Decoder;
34 import org.apache.directory.server.kerberos.shared.io.decoder.DecoderFactory;
35 import org.apache.directory.server.kerberos.shared.io.decoder.EncApRepPartDecoder;
36 import org.apache.directory.server.kerberos.shared.io.decoder.EncKdcRepPartDecoder;
37 import org.apache.directory.server.kerberos.shared.io.decoder.EncKrbPrivPartDecoder;
38 import org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder;
39 import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedTimestampDecoder;
40 import org.apache.directory.server.kerberos.shared.io.encoder.AuthenticatorEncoder;
41 import org.apache.directory.server.kerberos.shared.io.encoder.EncApRepPartEncoder;
42 import org.apache.directory.server.kerberos.shared.io.encoder.EncAsRepPartEncoder;
43 import org.apache.directory.server.kerberos.shared.io.encoder.EncKrbPrivPartEncoder;
44 import org.apache.directory.server.kerberos.shared.io.encoder.EncTgsRepPartEncoder;
45 import org.apache.directory.server.kerberos.shared.io.encoder.EncTicketPartEncoder;
46 import org.apache.directory.server.kerberos.shared.io.encoder.Encoder;
47 import org.apache.directory.server.kerberos.shared.io.encoder.EncoderFactory;
48 import org.apache.directory.server.kerberos.shared.io.encoder.EncryptedTimestampEncoder;
49 import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
50 import org.apache.directory.server.kerberos.shared.messages.Encodable;
51 import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
52 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
53 import org.apache.directory.server.kerberos.shared.messages.components.EncApRepPart;
54 import org.apache.directory.server.kerberos.shared.messages.components.EncKdcRepPart;
55 import org.apache.directory.server.kerberos.shared.messages.components.EncKrbPrivPart;
56 import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
57 import org.apache.directory.server.kerberos.shared.messages.value.AuthorizationData;
58 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
59 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
60 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
61
62
63
64
65
66
67
68
69
70
71 public class CipherTextHandler
72 {
73
74 private static final Map DEFAULT_ENCODERS;
75
76 private static final Map DEFAULT_DECODERS;
77
78 private static final Map DEFAULT_CIPHERS;
79
80 static
81 {
82 Map<Class, Class> map = new HashMap<Class, Class>();
83
84 map.put( EncryptedTimeStamp.class, EncryptedTimestampEncoder.class );
85 map.put( EncTicketPart.class, EncTicketPartEncoder.class );
86 map.put( AuthenticationReply.class, EncAsRepPartEncoder.class );
87 map.put( TicketGrantReply.class, EncTgsRepPartEncoder.class );
88 map.put( EncKrbPrivPart.class, EncKrbPrivPartEncoder.class );
89 map.put( EncApRepPart.class, EncApRepPartEncoder.class );
90 map.put( Authenticator.class, AuthenticatorEncoder.class );
91
92 DEFAULT_ENCODERS = Collections.unmodifiableMap( map );
93 }
94
95 static
96 {
97 Map<Class, Class> map = new HashMap<Class, Class>();
98
99 map.put( EncTicketPart.class, EncTicketPartDecoder.class );
100 map.put( Authenticator.class, AuthenticatorDecoder.class );
101 map.put( EncryptedTimeStamp.class, EncryptedTimestampDecoder.class );
102 map.put( AuthorizationData.class, AuthorizationDataDecoder.class );
103 map.put( EncKrbPrivPart.class, EncKrbPrivPartDecoder.class );
104 map.put( EncApRepPart.class, EncApRepPartDecoder.class );
105 map.put( EncKdcRepPart.class, EncKdcRepPartDecoder.class );
106
107 DEFAULT_DECODERS = Collections.unmodifiableMap( map );
108 }
109
110 static
111 {
112 Map<EncryptionType, Class> map = new HashMap<EncryptionType, Class>();
113
114 map.put( EncryptionType.DES_CBC_MD5, DesCbcMd5Encryption.class );
115 map.put( EncryptionType.DES3_CBC_SHA1_KD, Des3CbcSha1KdEncryption.class );
116 map.put( EncryptionType.AES128_CTS_HMAC_SHA1_96, Aes128CtsSha1Encryption.class );
117 map.put( EncryptionType.AES256_CTS_HMAC_SHA1_96, Aes256CtsSha1Encryption.class );
118 map.put( EncryptionType.RC4_HMAC, ArcFourHmacMd5Encryption.class );
119
120 DEFAULT_CIPHERS = Collections.unmodifiableMap( map );
121 }
122
123
124
125
126
127
128
129
130
131
132
133 public EncryptedData seal( EncryptionKey key, Encodable encodable, KeyUsage usage ) throws KerberosException
134 {
135 try
136 {
137 return encrypt( key, encode( encodable ), usage );
138 }
139 catch ( IOException ioe )
140 {
141 throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
142 }
143 catch ( ClassCastException cce )
144 {
145 throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
146 }
147 }
148
149
150
151
152
153
154
155
156
157
158
159
160 public Encodable unseal( Class hint, EncryptionKey key, EncryptedData data, KeyUsage usage )
161 throws KerberosException
162 {
163 try
164 {
165 return decode( hint, decrypt( key, data, usage ) );
166 }
167 catch ( IOException ioe )
168 {
169 throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
170 }
171 catch ( ClassCastException cce )
172 {
173 throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
174 }
175 }
176
177
178 private EncryptedData encrypt( EncryptionKey key, byte[] plainText, KeyUsage usage ) throws KerberosException
179 {
180 EncryptionEngine engine = getEngine( key );
181
182 return engine.getEncryptedData( key, plainText, usage );
183 }
184
185
186 private byte[] decrypt( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
187 {
188 EncryptionEngine engine = getEngine( key );
189
190 return engine.getDecryptedData( key, data, usage );
191 }
192
193
194 private byte[] encode( Encodable encodable ) throws IOException
195 {
196 Class encodableClass = encodable.getClass();
197
198 Class clazz = ( Class ) DEFAULT_ENCODERS.get( encodableClass );
199
200 if ( clazz == null )
201 {
202 throw new IOException( "Encoder unavailable for " + encodableClass );
203 }
204
205 EncoderFactory factory = null;
206
207 try
208 {
209 factory = ( EncoderFactory ) clazz.newInstance();
210 }
211 catch ( IllegalAccessException iae )
212 {
213 throw new IOException( "Error accessing encoder for " + encodableClass );
214 }
215 catch ( InstantiationException ie )
216 {
217 throw new IOException( "Error instantiating encoder for " + encodableClass );
218 }
219
220 Encoder encoder = factory.getEncoder();
221
222 return encoder.encode( encodable );
223 }
224
225
226 private Encodable decode( Class encodable, byte[] plainText ) throws IOException
227 {
228 Class clazz = ( Class ) DEFAULT_DECODERS.get( encodable );
229
230 if ( clazz == null )
231 {
232 throw new IOException( "Decoder unavailable for " + encodable );
233 }
234
235 DecoderFactory factory = null;
236
237 try
238 {
239 factory = ( DecoderFactory ) clazz.newInstance();
240 }
241 catch ( IllegalAccessException iae )
242 {
243 throw new IOException( "Error accessing decoder for " + encodable );
244 }
245 catch ( InstantiationException ie )
246 {
247 throw new IOException( "Error instantiating decoder for " + encodable );
248 }
249
250 Decoder decoder = factory.getDecoder();
251
252 return decoder.decode( plainText );
253 }
254
255
256 private EncryptionEngine getEngine( EncryptionKey key ) throws KerberosException
257 {
258 EncryptionType encryptionType = key.getKeyType();
259
260 Class clazz = ( Class ) DEFAULT_CIPHERS.get( encryptionType );
261
262 if ( clazz == null )
263 {
264 throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
265 }
266
267 try
268 {
269 return ( EncryptionEngine ) clazz.newInstance();
270 }
271 catch ( IllegalAccessException iae )
272 {
273 throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP, iae );
274 }
275 catch ( InstantiationException ie )
276 {
277 throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP, ie );
278 }
279 }
280 }