Source code

001/*
002 *  Licensed to the Apache Software Foundation (ASF) under one
003 *  or more contributor license agreements.  See the NOTICE file
004 *  distributed with this work for additional information
005 *  regarding copyright ownership.  The ASF licenses this file
006 *  to you under the Apache License, Version 2.0 (the
007 *  "License"); you may not use this file except in compliance
008 *  with the License.  You may obtain a copy of the License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 *  Unless required by applicable law or agreed to in writing,
013 *  software distributed under the License is distributed on an
014 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 *  KIND, either express or implied.  See the License for the
016 *  specific language governing permissions and limitations
017 *  under the License.
018 *
019 */
020package org.apache.directory.server.kerberos.shared.crypto.checksum;
021
022
023import java.util.Collections;
024import java.util.EnumMap;
025import java.util.Map;
026
027import org.apache.directory.server.kerberos.shared.crypto.encryption.Aes128CtsSha1Encryption;
028import org.apache.directory.server.kerberos.shared.crypto.encryption.Aes256CtsSha1Encryption;
029import org.apache.directory.server.kerberos.shared.crypto.encryption.Des3CbcSha1KdEncryption;
030import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
031import org.apache.directory.shared.kerberos.components.Checksum;
032import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
033import org.apache.directory.shared.kerberos.exceptions.ErrorType;
034import org.apache.directory.shared.kerberos.exceptions.KerberosException;
035
036
037/**
038 * A Hashed Adapter encapsulating checksum engines for performing integrity checks.
039 *
040 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
041 */
042public class ChecksumHandler
043{
044    /** A map of the default encodable class names to the encoder class names. */
045    private static final Map<ChecksumType, Class<?>> DEFAULT_CHECKSUMS;
046
047    static
048    {
049        EnumMap<ChecksumType, Class<?>> map = new EnumMap<>( ChecksumType.class );
050
051        map.put( ChecksumType.HMAC_MD5, HmacMd5Checksum.class );
052        map.put( ChecksumType.HMAC_SHA1_96_AES128, Aes128CtsSha1Encryption.class );
053        map.put( ChecksumType.HMAC_SHA1_96_AES256, Aes256CtsSha1Encryption.class );
054        map.put( ChecksumType.HMAC_SHA1_DES3_KD, Des3CbcSha1KdEncryption.class );
055        map.put( ChecksumType.RSA_MD5, RsaMd5Checksum.class );
056
057        DEFAULT_CHECKSUMS = Collections.unmodifiableMap( map );
058    }
059
060
061    /**
062     * Calculate a checksum based on raw bytes and an (optional) key for keyed checksums.
063     *
064     * @param checksumType The type of checksum to use
065     * @param bytes The data
066     * @param key The key
067     * @param usage The key usage 
068     * @return The computed {@link Checksum}.
069     * @throws KerberosException If the checksum can't be cmputed
070     */
071    public Checksum calculateChecksum( ChecksumType checksumType, byte[] bytes, byte[] key, KeyUsage usage )
072        throws KerberosException
073    {
074        if ( !DEFAULT_CHECKSUMS.containsKey( checksumType ) )
075        {
076            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
077        }
078
079        ChecksumEngine digester = getEngine( checksumType );
080        return new Checksum( checksumType, digester.calculateChecksum( bytes, key, usage ) );
081    }
082
083
084    /**
085     * Verify a checksum by providing the raw bytes and an (optional) key for keyed checksums.
086     *
087     * @param checksum The checksum to verify
088     * @param bytes The data
089     * @param key The key
090     * @param usage The key usage 
091     * @throws KerberosException If the verification failed
092     */
093    public void verifyChecksum( Checksum checksum, byte[] bytes, byte[] key, KeyUsage usage ) throws KerberosException
094    {
095        if ( checksum == null )
096        {
097            throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
098        }
099
100        if ( !DEFAULT_CHECKSUMS.containsKey( checksum.getChecksumType() ) )
101        {
102            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
103        }
104
105        ChecksumType checksumType = checksum.getChecksumType();
106        ChecksumEngine digester = getEngine( checksumType );
107        Checksum newChecksum = new Checksum( checksumType, digester.calculateChecksum( bytes, key, usage ) );
108
109        if ( !newChecksum.equals( checksum ) )
110        {
111            throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
112        }
113    }
114
115
116    private ChecksumEngine getEngine( ChecksumType checksumType ) throws KerberosException
117    {
118        Class<?> clazz = DEFAULT_CHECKSUMS.get( checksumType );
119
120        if ( clazz == null )
121        {
122            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
123        }
124
125        try
126        {
127            return ( ChecksumEngine ) clazz.newInstance();
128        }
129        catch ( IllegalAccessException iae )
130        {
131            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP, iae );
132        }
133        catch ( InstantiationException ie )
134        {
135            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP, ie );
136        }
137    }
138}