20 package org.apache.directory.server.kerberos.sam;
23 import java.io.IOException;
25 import javax.security.auth.kerberos.KerberosKey;
27 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
28 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
29 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
30 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
31 import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
32 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
33 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
34 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
35 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
/**
 * A {@link KeyIntegrityChecker} that proves possession of a Kerberos key by
 * decrypting an encrypted timestamp with that key and requiring the recovered
 * time to lie within a fixed clock-skew window of "now".
 * <p>
 * The check fails closed: any decoding failure, decryption failure, or an
 * unexpected payload type yields {@code false} rather than an exception.
 * Nothing in this class records timestamps it has already accepted, so the
 * skew window is the only freshness constraint it enforces.
 */
public class TimestampChecker implements KeyIntegrityChecker
{
    /** Width of the acceptance window around the current time, in milliseconds. */
    private static final long FIVE_MINUTES = 300000;

    /** Single shared handler used to decrypt ("unseal") the timestamp payload. */
    private static final CipherTextHandler CIPHER_TEXT_HANDLER = new CipherTextHandler();


    /**
     * Decrypts {@code encryptedData} with {@code kerberosKey} and reports whether
     * the timestamp inside it is within {@link #FIVE_MINUTES} of the current time.
     *
     * @param encryptedData encoded {@code EncryptedData} expected to wrap an
     *        {@code EncryptedTimeStamp}
     * @param kerberosKey the key whose integrity is being verified; its key type
     *        selects the {@code EncryptionType} used for decryption
     * @return {@code true} only when decoding and decryption succeed and the
     *         recovered timestamp passes the clock-skew test; {@code false} otherwise
     */
    public boolean checkKeyIntegrity( byte[] encryptedData, KerberosKey kerberosKey )
    {
        // Translate the JAAS key into the server's own key representation.
        EncryptionType keyType = EncryptionType.getTypeByOrdinal( kerberosKey.getKeyType() );
        EncryptionKey key = new EncryptionKey( keyType, kerberosKey.getEncoded() );

        try
        {
            EncryptedData sealed = EncryptedDataDecoder.decode( encryptedData );

            // KeyUsage.NUMBER1 is the usage number the sender must have sealed with;
            // a mismatch surfaces as a decryption failure below.
            EncryptedTimeStamp stamp = ( EncryptedTimeStamp ) CIPHER_TEXT_HANDLER.unseal(
                EncryptedTimeStamp.class, key, sealed, KeyUsage.NUMBER1 );

            KerberosTime stampedAt = stamp.getTimeStamp();

            // Freshness is the only property checked on the decrypted value.
            return stampedAt.isInClockSkew( FIVE_MINUTES );
        }
        catch ( IOException ioe )
        {
            // Malformed encoding: treat as an integrity failure.
            return false;
        }
        catch ( KerberosException ke )
        {
            // Decryption or checksum failure: wrong key or tampered payload.
            return false;
        }
        catch ( ClassCastException cce )
        {
            // Plaintext decoded to something other than an EncryptedTimeStamp.
            return false;
        }
    }
}