sun.security.jgss.krb5.Krb5Util Java Examples

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq, cname);
}
 

/**
 * Saves the tickets to a ccache file.
 *
 * @param file pathname of the ccache file
 * @return true if created, false otherwise.
 */
public boolean ccache(String file) throws Exception {
    Set<KerberosTicket> tickets
            = s.getPrivateCredentials(KerberosTicket.class);
    if (tickets != null && !tickets.isEmpty()) {
        CredentialsCache cc = null;
        for (KerberosTicket t : tickets) {
            Credentials cred = Krb5Util.ticketToCreds(t);
            if (cc == null) {
                cc = CredentialsCache.create(cred.getClient(), file);
            }
            cc.update(cred.toCCacheCreds());
        }
        if (cc != null) {
            cc.save();
            return true;
        }
    }
    return false;
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

private static KerberosTicket getKerberosTicket ( KerberosPrincipal principal, String password, Long expire ) throws Exception {
    PrincipalName principalName = convertPrincipal(principal);
    KrbAsReqBuilder builder = new KrbAsReqBuilder(principalName, password != null ? password.toCharArray() : new char[0]);

    if ( expire != null ) {
        System.out.println("Request expires " + expire);
        KerberosTime till = new KerberosTime(expire);
        Field tillF = builder.getClass().getDeclaredField("till");
        tillF.setAccessible(true);
        tillF.set(builder, till);
    }

    Credentials creds = builder.action().getCreds();
    builder.destroy();

    KerberosTicket ticket = Krb5Util.credsToTicket(creds);
    System.out.println("Ends " + ticket.getEndTime().getTime());
    return ticket;
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq, cname);
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Saves the tickets to a ccache file.
 *
 * @param file pathname of the ccache file
 * @return true if created, false otherwise.
 */
public boolean ccache(String file) throws Exception {
    Set<KerberosTicket> tickets
            = s.getPrivateCredentials(KerberosTicket.class);
    if (tickets != null && !tickets.isEmpty()) {
        CredentialsCache cc = null;
        for (KerberosTicket t : tickets) {
            Credentials cred = Krb5Util.ticketToCreds(t);
            if (cc == null) {
                cc = CredentialsCache.create(cred.getClient(), file);
            }
            cc.update(cred.toCCacheCreds());
        }
        if (cc != null) {
            cc.save();
            return true;
        }
    }
    return false;
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

private static KerberosTicket getKerberosTicket ( KerberosPrincipal principal, String password, Long expire ) throws Exception {
    PrincipalName principalName = convertPrincipal(principal);
    KrbAsReqBuilder builder = new KrbAsReqBuilder(principalName, password != null ? password.toCharArray() : new char[0]);

    if ( expire != null ) {
        System.out.println("Request expires " + expire);
        KerberosTime till = new KerberosTime(expire);
        Field tillF = builder.getClass().getDeclaredField("till");
        tillF.setAccessible(true);
        tillF.set(builder, till);
    }

    Credentials creds = builder.action().getCreds();
    builder.destroy();

    KerberosTicket ticket = Krb5Util.credsToTicket(creds);
    System.out.println("Ends " + ticket.getEndTime().getTime());
    return ticket;
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Saves the tickets to a ccache file.
 *
 * @param file pathname of the ccache file
 * @return true if created, false otherwise.
 */
public boolean ccache(String file) throws Exception {
    Set<KerberosTicket> tickets
            = s.getPrivateCredentials(KerberosTicket.class);
    if (tickets != null && !tickets.isEmpty()) {
        CredentialsCache cc = null;
        for (KerberosTicket t : tickets) {
            Credentials cred = Krb5Util.ticketToCreds(t);
            if (cc == null) {
                cc = CredentialsCache.create(cred.getClient(), file);
            }
            cc.update(cred.toCCacheCreds());
        }
        if (cc != null) {
            cc.save();
            return true;
        }
    }
    return false;
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq, cname);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Saves the tickets to a ccache file.
 *
 * @param file pathname of the ccache file
 * @return true if created, false otherwise.
 */
public boolean ccache(String file) throws Exception {
    Set<KerberosTicket> tickets
            = s.getPrivateCredentials(KerberosTicket.class);
    if (tickets != null && !tickets.isEmpty()) {
        CredentialsCache cc = null;
        for (KerberosTicket t : tickets) {
            Credentials cred = Krb5Util.ticketToCreds(t);
            if (cc == null) {
                cc = CredentialsCache.create(cred.getClient(), file);
            }
            cc.update(cred.toCCacheCreds());
        }
        if (cc != null) {
            cc.save();
            return true;
        }
    }
    return false;
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq, cname);
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Called by KrbAsReqBuilder to resolve a AS-REP message using a keytab.
 * @param ktab the keytab, not null
 * @param asReq the original AS-REQ sent, used to validate AS-REP
 * @param cname the user principal name, used to locate keys in ktab
 */
void decryptUsingKeyTab(KeyTab ktab, KrbAsReq asReq, PrincipalName cname)
        throws KrbException, Asn1Exception, IOException {
    EncryptionKey dkey = null;
    int encPartKeyType = rep.encPart.getEType();
    Integer encPartKvno = rep.encPart.kvno;
        try {
            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno,
                    Krb5Util.keysFromJavaxKeyTab(ktab, cname));
        } catch (KrbException ke) {
            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
                // Fallback to no kvno. In some cases, keytab is generated
                // not by sysadmin but Java's ktab command
                dkey = EncryptionKey.findKey(encPartKeyType,
                        Krb5Util.keysFromJavaxKeyTab(ktab, cname));
            }
        }
        if (dkey == null) {
            throw new KrbException(Krb5.API_INVALID_ARG,
                "Cannot find key for type/kvno to decrypt AS REP - " +
                EType.toString(encPartKeyType) + "/" + encPartKvno);
        }
    decrypt(dkey, asReq);
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key) throws KrbException, IOException {
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    return new KrbAsReq(key,
        options,
        cname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses);
}
 

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 * @throws KrbException
 * @throws IOException
 */
private KrbAsReq build(EncryptionKey key, ReferralsState referralsState)
        throws KrbException, IOException {
    PAData[] extraPAs = null;
    int[] eTypes;
    if (password != null) {
        eTypes = EType.getDefaults("default_tkt_enctypes");
    } else {
        EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
        eTypes = EType.getDefaults("default_tkt_enctypes",
                ks);
        for (EncryptionKey k: ks) k.destroy();
    }
    options = (options == null) ? new KDCOptions() : options;
    if (referralsState.isEnabled()) {
        options.set(KDCOptions.CANONICALIZE, true);
        extraPAs = new PAData[]{ new PAData(Krb5.PA_REQ_ENC_PA_REP,
                new byte[]{}) };
    } else {
        options.set(KDCOptions.CANONICALIZE, false);
    }
    return new KrbAsReq(key,
        options,
        refCname,
        sname,
        from,
        till,
        rtime,
        eTypes,
        addresses,
        extraPAs);
}
 

@Override
public Object getServiceCreds(AccessControlContext acc)
        throws LoginException {
    ServiceCreds serviceCreds =
        Krb5Util.getServiceCreds(GSSCaller.CALLER_SSL_SERVER, null, acc);
    return serviceCreds;
}
 

@Override
public Object getServiceCreds(AccessControlContext acc)
        throws LoginException {
    ServiceCreds serviceCreds =
        Krb5Util.getServiceCreds(GSSCaller.CALLER_SSL_SERVER, null, acc);
    return serviceCreds;
}