View Javadoc

1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  
21  package org.apache.directory.server.kerberos.shared.crypto.encryption;
22  
23  
24  import java.io.IOException;
25  import java.util.Collections;
26  import java.util.HashMap;
27  import java.util.Map;
28  
29  import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
30  import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
31  import org.apache.directory.server.kerberos.shared.io.decoder.AuthenticatorDecoder;
32  import org.apache.directory.server.kerberos.shared.io.decoder.AuthorizationDataDecoder;
33  import org.apache.directory.server.kerberos.shared.io.decoder.Decoder;
34  import org.apache.directory.server.kerberos.shared.io.decoder.DecoderFactory;
35  import org.apache.directory.server.kerberos.shared.io.decoder.EncApRepPartDecoder;
36  import org.apache.directory.server.kerberos.shared.io.decoder.EncKdcRepPartDecoder;
37  import org.apache.directory.server.kerberos.shared.io.decoder.EncKrbPrivPartDecoder;
38  import org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder;
39  import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedTimestampDecoder;
40  import org.apache.directory.server.kerberos.shared.io.encoder.AuthenticatorEncoder;
41  import org.apache.directory.server.kerberos.shared.io.encoder.EncApRepPartEncoder;
42  import org.apache.directory.server.kerberos.shared.io.encoder.EncAsRepPartEncoder;
43  import org.apache.directory.server.kerberos.shared.io.encoder.EncKrbPrivPartEncoder;
44  import org.apache.directory.server.kerberos.shared.io.encoder.EncTgsRepPartEncoder;
45  import org.apache.directory.server.kerberos.shared.io.encoder.EncTicketPartEncoder;
46  import org.apache.directory.server.kerberos.shared.io.encoder.Encoder;
47  import org.apache.directory.server.kerberos.shared.io.encoder.EncoderFactory;
48  import org.apache.directory.server.kerberos.shared.io.encoder.EncryptedTimestampEncoder;
49  import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
50  import org.apache.directory.server.kerberos.shared.messages.Encodable;
51  import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
52  import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
53  import org.apache.directory.server.kerberos.shared.messages.components.EncApRepPart;
54  import org.apache.directory.server.kerberos.shared.messages.components.EncKdcRepPart;
55  import org.apache.directory.server.kerberos.shared.messages.components.EncKrbPrivPart;
56  import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
57  import org.apache.directory.server.kerberos.shared.messages.value.AuthorizationData;
58  import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
59  import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
60  import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
61  
62  
63  /**
64   * A Hashed Adapter encapsulating ASN.1 encoders and decoders and cipher text engines to
65   * perform seal() and unseal() operations.  A seal() operation performs an encode and an
66   * encrypt, while an unseal() operation performs a decrypt and a decode.
67   * 
68   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
69   * @version $Rev: 548929 $, $Date: 2007-06-20 06:28:46 +0200 (Mi, 20 Jun 2007) $
70   */
71  public class CipherTextHandler
72  {
73      /** a map of the default encodable class names to the encoder class names */
74      private static final Map DEFAULT_ENCODERS;
75      /** a map of the default encodable class names to the decoder class names */
76      private static final Map DEFAULT_DECODERS;
77      /** a map of the default encryption types to the encryption engine class names */
78      private static final Map DEFAULT_CIPHERS;
79  
80      static
81      {
82          Map<Class, Class> map = new HashMap<Class, Class>();
83  
84          map.put( EncryptedTimeStamp.class, EncryptedTimestampEncoder.class );
85          map.put( EncTicketPart.class, EncTicketPartEncoder.class );
86          map.put( AuthenticationReply.class, EncAsRepPartEncoder.class );
87          map.put( TicketGrantReply.class, EncTgsRepPartEncoder.class );
88          map.put( EncKrbPrivPart.class, EncKrbPrivPartEncoder.class );
89          map.put( EncApRepPart.class, EncApRepPartEncoder.class );
90          map.put( Authenticator.class, AuthenticatorEncoder.class );
91  
92          DEFAULT_ENCODERS = Collections.unmodifiableMap( map );
93      }
94  
95      static
96      {
97          Map<Class, Class> map = new HashMap<Class, Class>();
98  
99          map.put( EncTicketPart.class, EncTicketPartDecoder.class );
100         map.put( Authenticator.class, AuthenticatorDecoder.class );
101         map.put( EncryptedTimeStamp.class, EncryptedTimestampDecoder.class );
102         map.put( AuthorizationData.class, AuthorizationDataDecoder.class );
103         map.put( EncKrbPrivPart.class, EncKrbPrivPartDecoder.class );
104         map.put( EncApRepPart.class, EncApRepPartDecoder.class );
105         map.put( EncKdcRepPart.class, EncKdcRepPartDecoder.class );
106 
107         DEFAULT_DECODERS = Collections.unmodifiableMap( map );
108     }
109 
110     static
111     {
112         Map<EncryptionType, Class> map = new HashMap<EncryptionType, Class>();
113 
114         map.put( EncryptionType.DES_CBC_MD5, DesCbcMd5Encryption.class );
115         map.put( EncryptionType.DES3_CBC_SHA1_KD, Des3CbcSha1KdEncryption.class );
116         map.put( EncryptionType.AES128_CTS_HMAC_SHA1_96, Aes128CtsSha1Encryption.class );
117         map.put( EncryptionType.AES256_CTS_HMAC_SHA1_96, Aes256CtsSha1Encryption.class );
118         map.put( EncryptionType.RC4_HMAC, ArcFourHmacMd5Encryption.class );
119 
120         DEFAULT_CIPHERS = Collections.unmodifiableMap( map );
121     }
122 
123 
124     /**
125      * Performs an encode and an encrypt.
126      *
127      * @param key The key to use for encrypting.
128      * @param encodable The Kerberos object to encode.
129      * @param usage The key usage.
130      * @return The Kerberos EncryptedData.
131      * @throws KerberosException
132      */
133     public EncryptedData seal( EncryptionKey key, Encodable encodable, KeyUsage usage ) throws KerberosException
134     {
135         try
136         {
137             return encrypt( key, encode( encodable ), usage );
138         }
139         catch ( IOException ioe )
140         {
141             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
142         }
143         catch ( ClassCastException cce )
144         {
145             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
146         }
147     }
148 
149 
150     /**
151      * Perform a decrypt and a decode.
152      *
153      * @param hint The class the encrypted data is expected to contain.
154      * @param key The key to use for decryption.
155      * @param data The data to decrypt.
156      * @param usage The key usage.
157      * @return The Kerberos object resulting from a successful decrypt and decode.
158      * @throws KerberosException
159      */
160     public Encodable unseal( Class hint, EncryptionKey key, EncryptedData data, KeyUsage usage )
161         throws KerberosException
162     {
163         try
164         {
165             return decode( hint, decrypt( key, data, usage ) );
166         }
167         catch ( IOException ioe )
168         {
169             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
170         }
171         catch ( ClassCastException cce )
172         {
173             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
174         }
175     }
176 
177 
178     private EncryptedData encrypt( EncryptionKey key, byte[] plainText, KeyUsage usage ) throws KerberosException
179     {
180         EncryptionEngine engine = getEngine( key );
181 
182         return engine.getEncryptedData( key, plainText, usage );
183     }
184 
185 
186     private byte[] decrypt( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
187     {
188         EncryptionEngine engine = getEngine( key );
189 
190         return engine.getDecryptedData( key, data, usage );
191     }
192 
193 
194     private byte[] encode( Encodable encodable ) throws IOException
195     {
196         Class encodableClass = encodable.getClass();
197 
198         Class clazz = ( Class ) DEFAULT_ENCODERS.get( encodableClass );
199 
200         if ( clazz == null )
201         {
202             throw new IOException( "Encoder unavailable for " + encodableClass );
203         }
204 
205         EncoderFactory factory = null;
206 
207         try
208         {
209             factory = ( EncoderFactory ) clazz.newInstance();
210         }
211         catch ( IllegalAccessException iae )
212         {
213             throw new IOException( "Error accessing encoder for " + encodableClass );
214         }
215         catch ( InstantiationException ie )
216         {
217             throw new IOException( "Error instantiating encoder for " + encodableClass );
218         }
219 
220         Encoder encoder = factory.getEncoder();
221 
222         return encoder.encode( encodable );
223     }
224 
225 
226     private Encodable decode( Class encodable, byte[] plainText ) throws IOException
227     {
228         Class clazz = ( Class ) DEFAULT_DECODERS.get( encodable );
229 
230         if ( clazz == null )
231         {
232             throw new IOException( "Decoder unavailable for " + encodable );
233         }
234 
235         DecoderFactory factory = null;
236 
237         try
238         {
239             factory = ( DecoderFactory ) clazz.newInstance();
240         }
241         catch ( IllegalAccessException iae )
242         {
243             throw new IOException( "Error accessing decoder for " + encodable );
244         }
245         catch ( InstantiationException ie )
246         {
247             throw new IOException( "Error instantiating decoder for " + encodable );
248         }
249 
250         Decoder decoder = factory.getDecoder();
251 
252         return decoder.decode( plainText );
253     }
254 
255 
256     private EncryptionEngine getEngine( EncryptionKey key ) throws KerberosException
257     {
258         EncryptionType encryptionType = key.getKeyType();
259 
260         Class clazz = ( Class ) DEFAULT_CIPHERS.get( encryptionType );
261 
262         if ( clazz == null )
263         {
264             throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
265         }
266 
267         try
268         {
269             return ( EncryptionEngine ) clazz.newInstance();
270         }
271         catch ( IllegalAccessException iae )
272         {
273             throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP, iae );
274         }
275         catch ( InstantiationException ie )
276         {
277             throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP, ie );
278         }
279     }
280 }