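/**
 * Builds the service ticket for a TGS exchange and stores it in the context through
 * {@code tgsContext.setNewTicket(...)}.
 *
 * <p>The new ticket copies the client name, client realm and client addresses from the
 * presented TGT, receives a freshly generated session key for the negotiated encryption
 * type, and is sealed with the server key found in the request principal entry for that
 * type. Flags, transited realms and ticket times are filled in by {@code processFlags},
 * {@code processTransited} and {@code processTimes}. Client-supplied authorization data,
 * when present in the request body, is decrypted with the authenticator sub-key and
 * merged with the TGT's authorization data before being placed in the new ticket.
 *
 * @param tgsContext the TGS-REQ context holding the request, the TGT, the authenticator,
 *        the cipher text handler, the KDC configuration and the request principal entry
 * @throws KerberosException with {@code KDC_ERR_BADOPTION} if the request asks for
 *         ENC_TKT_IN_SKEY (user-to-user tickets are not produced here), or with
 *         {@code KDC_ERR_ETYPE_NOSUPP} if the request principal has no key for the
 *         negotiated encryption type; also propagated from the helpers
 * @throws InvalidTicketException propagated from the ticket processing helpers
 */
private static void generateTicket( TicketGrantingContext tgsContext ) throws KerberosException, InvalidTicketException
{
    KdcReq request = tgsContext.getRequest();
    Ticket tgt = tgsContext.getTgt();
    Authenticator authenticator = tgsContext.getAuthenticator();
    CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
    KdcServer config = tgsContext.getConfig();

    // The etype negotiated for this exchange selects both the server key used to seal
    // the ticket and the type of the fresh session key.
    EncryptionType encryptionType = tgsContext.getEncryptionType();
    EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );

    EncTicketPart newTicketPart = new EncTicketPart();

    // Addresses, client name and client realm are carried over from the TGT: the
    // service ticket is issued to the same client the TGT was issued to.
    newTicketPart.setClientAddresses( tgt.getEncTicketPart().getClientAddresses() );

    processFlags( config, request, tgt, newTicketPart );

    EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( encryptionType );
    newTicketPart.setKey( sessionKey );

    newTicketPart.setCName( tgt.getEncTicketPart().getCName() );
    newTicketPart.setCRealm( tgt.getEncTicketPart().getCRealm() );

    if ( request.getKdcReqBody().getEncAuthorizationData() != null )
    {
        // The request's authorization data is encrypted under the authenticator sub-key
        // (KeyUsage 5), so only a client holding the TGT session key could have produced it.
        byte[] authorizationData = cipherTextHandler.decrypt( authenticator.getSubKey(),
            request.getKdcReqBody().getEncAuthorizationData(),
            KeyUsage.TGS_REQ_KDC_REQ_BODY_AUTHZ_DATA_ENC_WITH_TGS_SESS_KEY );
        AuthorizationData authData = KerberosDecoder.decodeAuthorizationData( authorizationData );

        // A TGT without authorization data must not make the request fail with an NPE.
        // NOTE(review): only the TGT's current AD entry is appended, as in the original
        // code; confirm whether all TGT entries should be copied.
        AuthorizationData tgtAuthData = tgt.getEncTicketPart().getAuthorizationData();

        if ( tgtAuthData != null )
        {
            authData.addEntry( tgtAuthData.getCurrentAD() );
        }

        newTicketPart.setAuthorizationData( authData );
    }

    processTransited( newTicketPart, tgt );
    processTimes( config, request, newTicketPart, tgt );

    if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
    {
        /*
         * RFC 4120 user-to-user handling, not implemented here:
         *
         * if (server not specified) then
         *     server = req.second_ticket.client;
         * endif
         *
         * if ((req.second_ticket is not a TGT) or
         *     (req.second_ticket.client != server)) then
         *     error_out(KDC_ERR_POLICY);
         * endif
         *
         * new_tkt.enc-part := encrypt OCTET STRING using etype_for_key(second-ticket.key), second-ticket.key;
         */
        throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
    }
    else
    {
        if ( serverKey == null )
        {
            // The request principal has no key for the negotiated etype. Report a proper
            // Kerberos error instead of failing with a NullPointerException inside seal().
            throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
        }

        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart,
            KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );

        Ticket newTicket = new Ticket( request.getKdcReqBody().getSName(), encryptedData );
        newTicket.setEncTicketPart( newTicketPart );
        newTicket.setRealm( request.getKdcReqBody().getRealm() );

        tgsContext.setNewTicket( newTicket );
    }
}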