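/**
 * Builds the service ticket for a TGS exchange and stores it in the context.
 *
 * The new ticket is derived from the presented TGT (client name, realm,
 * addresses, transited list, flags and times), carries a freshly generated
 * session key, optionally merges the request's enc-authorization-data, and
 * is sealed either under the requested service's long-term key or, for a
 * user-to-user request (ENC_TKT_IN_SKEY), under the session key of the
 * additional ticket supplied by the client.
 *
 * @param tgsContext the context of the TGS exchange; on success its new
 *                   ticket is set via {@code setNewTicket}
 * @throws KerberosException KDC_ERR_BADOPTION when ENC_TKT_IN_SKEY is set
 *         without an additional ticket, KDC_ERR_POLICY when the additional
 *         ticket is not usable for user-to-user, KDC_ERR_ETYPE_NOSUPP when no
 *         key of the negotiated encryption type is available to seal the ticket
 * @throws InvalidTicketException propagated from the flag/time processing helpers
 */
private static void generateTicket( TicketGrantingContext tgsContext ) throws KerberosException,
    InvalidTicketException
{
    KdcReq request = tgsContext.getRequest();
    KdcReqBody body = request.getKdcReqBody();
    Ticket tgt = tgsContext.getTgt();
    EncTicketPart tgtPart = tgt.getEncTicketPart();
    CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
    KerberosConfig config = tgsContext.getConfig();
    EncryptionType encryptionType = tgsContext.getEncryptionType();
    KerberosPrincipal ticketPrincipal = KerberosUtils.getKerberosPrincipal( body.getSName(), body.getRealm() );

    // Long-term key of the requested service for the negotiated etype. The map
    // lookup may yield null; that is only checked right before sealing, because
    // the user-to-user branch below replaces the key.
    EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );

    EncTicketPart newTicketPart = new EncTicketPart();
    newTicketPart.setClientAddresses( tgtPart.getClientAddresses() );
    processFlags( config, request, tgt, newTicketPart );

    // A fresh session key per issued ticket; the TGT session key is never reused.
    EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( encryptionType );
    newTicketPart.setKey( sessionKey );
    newTicketPart.setCName( tgtPart.getCName() );
    newTicketPart.setCRealm( tgtPart.getCRealm() );

    if ( body.getEncAuthorizationData() != null )
    {
        newTicketPart.setAuthorizationData( decryptAuthorizationData( tgsContext, body, tgtPart ) );
    }

    processTransited( newTicketPart, tgt );
    processTimes( config, request, newTicketPart, tgt );

    if ( body.getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
    {
        serverKey = userToUserKey( body, ticketPrincipal );
    }

    // Sealing with a null key would fail with an NPE deep inside the cipher
    // handler; report the missing etype as a proper KRB-ERROR instead.
    if ( serverKey == null )
    {
        throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
    }

    EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart,
        KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
    Ticket newTicket = new Ticket( body.getSName(), encryptedData );
    newTicket.setEncTicketPart( newTicketPart );
    newTicket.setRealm( body.getRealm() );
    tgsContext.setNewTicket( newTicket );
}


/**
 * Decrypts the request's enc-authorization-data and appends the TGT's own
 * authorization data to it.
 *
 * RFC 4120 section 3.3.2: the field is encrypted under the Authenticator
 * sub-session key when the client sent one, otherwise under the TGT session
 * key; a missing sub-key is therefore not an error.
 *
 * @param tgsContext the TGS exchange context (authenticator and cipher handler)
 * @param body       the request body holding the encrypted authorization data
 * @param tgtPart    the decrypted part of the presented TGT
 * @return the merged authorization data for the new ticket
 * @throws KerberosException if decryption or decoding fails
 */
private static AuthorizationData decryptAuthorizationData( TicketGrantingContext tgsContext, KdcReqBody body,
    EncTicketPart tgtPart ) throws KerberosException
{
    EncryptionKey subKey = tgsContext.getAuthenticator().getSubKey();
    EncryptionKey authzKey = ( subKey != null ) ? subKey : tgtPart.getKey();

    // NOTE(review): the key usage below is the TGS-session-key usage (4) even when
    // the sub-key is used; RFC 4120 assigns usage 5 to the sub-key case — confirm
    // which value the supported clients actually apply before changing it.
    byte[] authorizationData = tgsContext.getCipherTextHandler().decrypt( authzKey, body.getEncAuthorizationData(),
        KeyUsage.TGS_REQ_KDC_REQ_BODY_AUTHZ_DATA_ENC_WITH_TGS_SESS_KEY );
    AuthorizationData authData = KerberosDecoder.decodeAuthorizationData( authorizationData );

    // A TGT without authorization data is legitimate; only merge when present.
    AuthorizationData tgtAuthz = tgtPart.getAuthorizationData();

    if ( tgtAuthz != null )
    {
        // NOTE(review): only the "current" entry of the TGT's data is carried over,
        // as in the original code — verify this is not meant to copy every entry.
        authData.addEntry( tgtAuthz.getCurrentAD() );
    }

    return authData;
}


/**
 * Selects the key that seals a user-to-user ticket (ENC_TKT_IN_SKEY,
 * RFC 4120 section 3.3.3): the session key of the first additional ticket,
 * which must be a TGT whose client is the requested server.
 *
 * @param body            the request body carrying the additional tickets
 * @param ticketPrincipal the principal of the requested server
 * @return the session key of the additional ticket
 * @throws KerberosException KDC_ERR_BADOPTION without an additional ticket,
 *         KDC_ERR_POLICY when the additional ticket fails the checks
 */
private static EncryptionKey userToUserKey( KdcReqBody body, KerberosPrincipal ticketPrincipal )
    throws KerberosException
{
    Ticket[] additionalTkts = body.getAdditionalTickets();

    if ( additionalTkts == null || additionalTkts.length == 0 )
    {
        throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
    }

    Ticket additionalTgt = additionalTkts[0];

    // NOTE(review): this relies on the additional ticket's encrypted part having
    // been decrypted and verified earlier in the exchange; nothing here does so.
    // A still-encrypted ticket shows up as a null part and is rejected.
    EncTicketPart additionalPart = additionalTgt.getEncTicketPart();

    if ( additionalPart == null )
    {
        throw new KerberosException( ErrorType.KDC_ERR_POLICY );
    }

    // The INITIAL flag only states the ticket came from an AS exchange; the RFC's
    // "is a TGT" test is on the service name (krbtgt/REALM) — TODO confirm and tighten.
    if ( !additionalPart.getFlags().isInitial() )
    {
        throw new KerberosException( ErrorType.KDC_ERR_POLICY );
    }

    // RFC 4120 section 3.3.3: the client of the additional ticket must be the
    // requested server; otherwise a ticket naming one principal would be sealed
    // under another principal's session key.
    KerberosPrincipal additionalClient = KerberosUtils.getKerberosPrincipal( additionalPart.getCName(),
        additionalPart.getCRealm() );

    if ( !ticketPrincipal.equals( additionalClient ) )
    {
        throw new KerberosException( ErrorType.KDC_ERR_POLICY );
    }

    return additionalPart.getKey();
}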