archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8279842: HTTPS Channel Binding support for Java GSS/Kerberos

Browse source 
Co-authored-by: Weijun Wang <weijun.wang@oracle.com>
Reviewed-by: dfuchs, weijun, darcy
This commit is contained in:
Michael McMahon 2022-02-01 07:26:59 +00:00
parent 0e70d4504c
commit de3113b998
11 changed files with 587 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/java.base/share/classes/java/net/doc-files/net-properties.html
View file

@ -214,6 +214,22 @@ of proxies.</P>
property is defined, then its value will be used as the domain
name.</P>
</OL>
<LI><P><B>{@systemProperty jdk.https.negotiate.cbt}</B> (default: &lt;never&gt;)<BR>
This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos
or the Negotiate authentication scheme using Kerberos are employed over HTTPS with
{@code HttpsURLConnection}. There are three possible settings:</P>
<OL>
<LI><P>"never". This is also the default value if the property is not set. In this case,
CBTs are never sent.</P>
<LI><P>"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.</P>
<LI><P>"domain:&lt;comma separated domain list&gt;" Each domain in the list specifies destination
host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com,
or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches
all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations
that don't match one of the list entries</P>
</OL>
<P>The channel binding tokens generated are of the type "tls-server-end-point" as defined in
RFC 5929.</P>
</UL>
<P>All these properties are checked only once at startup.</P>
<a id="AddressCache"></a>

34
src/java.base/share/classes/sun/net/www/http/HttpClient.java
View file

@ -144,12 +144,27 @@ public class HttpClient extends NetworkClient {
// Traffic capture tool, if configured. See HttpCapture class for info
private HttpCapture capture = null;
/* "jdk.https.negotiate.cbt" property can be set to "always" (always sent), "never" (never sent) or
* "domain:a,c.d,*.e.f" (sent to host a, or c.d or to the domain e.f and any of its subdomains). This is
* a comma separated list of arbitrary length with no white-space allowed.
* If enabled (for a particular destination) then Negotiate/SPNEGO authentication requests will include
* a channel binding token for the destination server. The default behavior and setting for the
* property is "never"
*/
private static final String spnegoCBT;
private static final PlatformLogger logger = HttpURLConnection.getHttpLogger();
private static void logFinest(String msg) {
if (logger.isLoggable(PlatformLogger.Level.FINEST)) {
logger.finest(msg);
}
}
private static void logError(String msg) {
if (logger.isLoggable(PlatformLogger.Level.SEVERE)) {
logger.severe(msg);
}
}
protected volatile String authenticatorKey;
@ -165,6 +180,18 @@ public class HttpClient extends NetworkClient {
return keepAliveTimeout;
}
static String normalizeCBT(String s) {
if (s == null || s.equals("never")) {
return "never";
}
if (s.equals("always") || s.startsWith("domain:")) {
return s;
} else {
logError("Unexpected value for \"jdk.https.negotiate.cbt\" system property");
return "never";
}
}
static {
Properties props = GetPropertyAction.privilegedGetProperties();
String keepAlive = props.getProperty("http.keepAlive");
@ -172,6 +199,9 @@ public class HttpClient extends NetworkClient {
String cacheNTLM = props.getProperty("jdk.ntlm.cache");
String cacheSPNEGO = props.getProperty("jdk.spnego.cache");
String s = props.getProperty("jdk.https.negotiate.cbt");
spnegoCBT = normalizeCBT(s);
if (keepAlive != null) {
keepAliveProp = Boolean.parseBoolean(keepAlive);
} else {
@ -206,6 +236,10 @@ public class HttpClient extends NetworkClient {
}
public String getSpnegoCBT() {
return spnegoCBT;
}
protected HttpClient() {
}

15
src/java.base/share/classes/sun/net/www/protocol/http/HttpCallerInfo.java
View file

@ -29,6 +29,7 @@ import java.net.Authenticator;
import java.net.Authenticator.RequestorType;
import java.net.InetAddress;
import java.net.URL;
import java.security.cert.X509Certificate;
/**
* Used in HTTP/Negotiate, to feed HTTP request info into JGSS as a HttpCaller,
@ -51,6 +52,9 @@ public final class HttpCallerInfo {
public final InetAddress addr;
public final RequestorType authType;
public final Authenticator authenticator;
// Used to obtain server cert for SPNEGO CBT.
// May be null in which case CBT is not set
public final X509Certificate serverCert;
/**
* Create a schemed object based on an un-schemed one.
@ -65,13 +69,19 @@ public final class HttpCallerInfo {
this.authType = old.authType;
this.scheme = scheme;
this.authenticator = old.authenticator;
this.serverCert = old.serverCert;
}
/**
* Constructor an un-schemed object for site access.
*/
public HttpCallerInfo(URL url, Authenticator a) {
this(url, null, a);
}
public HttpCallerInfo(URL url, X509Certificate serverCert, Authenticator a) {
this.url= url;
this.serverCert= serverCert;
prompt = "";
host = url.getHost();
@ -100,9 +110,14 @@ public final class HttpCallerInfo {
* Constructor an un-schemed object for proxy access.
*/
public HttpCallerInfo(URL url, String host, int port, Authenticator a) {
this(url, host, port, null, a);
}
public HttpCallerInfo(URL url, String host, int port, X509Certificate serverCert, Authenticator a) {
this.url= url;
this.host = host;
this.port = port;
this.serverCert = serverCert;
prompt = "";
addr = null;
protocol = url.getProtocol();

21
src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
View file

@ -1739,7 +1739,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
AuthenticationHeader authhdr = new AuthenticationHeader (
"Proxy-Authenticate",
responses,
new HttpCallerInfo(url,
getHttpCallerInfo(url,
http.getProxyHostUsed(),
http.getProxyPortUsed(),
authenticator),
@ -1814,7 +1814,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
srvHdr = new AuthenticationHeader (
"WWW-Authenticate", responses,
new HttpCallerInfo(url, authenticator),
getHttpCallerInfo(url, authenticator),
dontUseNegotiate
);
@ -2210,7 +2210,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
AuthenticationHeader authhdr = new AuthenticationHeader(
"Proxy-Authenticate",
responses,
new HttpCallerInfo(url,
getHttpCallerInfo(url,
http.getProxyHostUsed(),
http.getProxyPortUsed(),
authenticator),
@ -2279,6 +2279,21 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
responses.reset();
}
/**
* Overridden in https to also include the server certificate
*/
protected HttpCallerInfo getHttpCallerInfo(URL url, String proxy, int port,
Authenticator authenticator) {
return new HttpCallerInfo(url, proxy, port, authenticator);
}
/**
* Overridden in https to also include the server certificate
*/
protected HttpCallerInfo getHttpCallerInfo(URL url, Authenticator authenticator) {
return new HttpCallerInfo(url, authenticator);
}
static String connectRequestURI(URL url) {
String host = url.getHost();
int port = url.getPort();

73
src/java.base/share/classes/sun/net/www/protocol/https/AbstractDelegateHttpsURLConnection.java
View file

@ -1,4 +1,4 @@
/*
/**
* Copyright (c) 2001, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@ -25,10 +25,13 @@
package sun.net.www.protocol.https;
import java.net.Authenticator;
import java.net.URL;
import java.net.Proxy;
import java.net.SecureCacheResponse;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.io.IOException;
import java.util.List;
import java.util.Optional;
@ -36,6 +39,7 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLPeerUnverifiedException;
import sun.net.www.http.*;
import sun.net.www.protocol.http.HttpURLConnection;
import sun.net.www.protocol.http.HttpCallerInfo;
/**
* HTTPS URL connection support.
@ -309,4 +313,71 @@ public abstract class AbstractDelegateHttpsURLConnection extends
return ((HttpsClient)http).getSSLSession();
}
/*
* If no SSL Session available or if the system config does not allow it
* don't use the extended caller info (the server cert).
* Otherwise return true to include the server cert
*/
private boolean useExtendedCallerInfo(URL url) {
HttpsClient https = (HttpsClient)http;
if (https.getSSLSession() == null) {
return false;
}
String prop = http.getSpnegoCBT();
if (prop.equals("never")) {
return false;
}
String target = url.getHost();
if (prop.startsWith("domain:")) {
String[] domains = prop.substring(7).split(",");
for (String domain : domains) {
if (target.equals(domain)) {
return true;
}
if (domain.startsWith("*.") && target.endsWith(domain.substring(1))) {
return true;
}
}
return false;
}
return true;
}
@Override
protected HttpCallerInfo getHttpCallerInfo(URL url, String proxy, int port,
Authenticator authenticator)
{
if (!useExtendedCallerInfo(url)) {
return super.getHttpCallerInfo(url, proxy, port, authenticator);
}
HttpsClient https = (HttpsClient)http;
try {
Certificate[] certs = https.getServerCertificates();
if (certs[0] instanceof X509Certificate x509Cert) {
return new HttpCallerInfo(url, proxy, port, x509Cert, authenticator);
}
} catch (SSLPeerUnverifiedException e) {
// ignore
}
return super.getHttpCallerInfo(url, proxy, port, authenticator);
}
@Override
protected HttpCallerInfo getHttpCallerInfo(URL url, Authenticator authenticator)
{
if (!useExtendedCallerInfo(url)) {
return super.getHttpCallerInfo(url, authenticator);
}
HttpsClient https = (HttpsClient)http;
try {
Certificate[] certs = https.getServerCertificates();
if (certs[0] instanceof X509Certificate x509Cert) {
return new HttpCallerInfo(url, x509Cert, authenticator);
}
} catch (SSLPeerUnverifiedException e) {
// ignore
}
return super.getHttpCallerInfo(url, authenticator);
}
}

60
src/java.base/share/classes/sun/security/util/ChannelBindingException.java Normal file
View file

@ -0,0 +1,60 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import java.security.GeneralSecurityException;
/**
* Thrown by TlsChannelBinding if an error occurs
*/
public class ChannelBindingException extends GeneralSecurityException {
@java.io.Serial
private static final long serialVersionUID = -5021387249782788460L;
/**
* Constructs a ChannelBindingException with no detail message. A detail
* message is a String that describes this particular exception.
*/
public ChannelBindingException() {
super();
}
/**
* Constructs a ChannelBindingException with a detail message and
* specified cause.
*/
public ChannelBindingException(String msg, Exception e) {
super(msg, e);
}
/**
* Constructs a ChannelBindingException with a detail message
*/
public ChannelBindingException(String msg) {
super(msg);
}
}

136
src/java.base/share/classes/sun/security/util/TlsChannelBinding.java Normal file
View file

@ -0,0 +1,136 @@
/*
* Copyright (c) 2020, Azul Systems, Inc. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Hashtable;
/**
* This class implements the Channel Binding for TLS as defined in
* <a href="https://www.ietf.org/rfc/rfc5929.txt">
* Channel Bindings for TLS</a>
*
* Format of the Channel Binding data is also defined in
* <a href="https://www.ietf.org/rfc/rfc5056.txt">
* On the Use of Channel Bindings to Secure Channels</a>
* section 2.1.
*
*/
public class TlsChannelBinding {
public enum TlsChannelBindingType {
/**
* Channel binding on the basis of TLS Finished message.
* TLS_UNIQUE is defined by RFC 5929 but is not supported
* by the current LDAP stack.
*/
TLS_UNIQUE("tls-unique"),
/**
* Channel binding on the basis of TLS server certificate.
*/
TLS_SERVER_END_POINT("tls-server-end-point");
public String getName() {
return name;
}
private final String name;
TlsChannelBindingType(String name) {
this.name = name;
}
}
/**
* Parse given value to see if it is a recognized and supported channel binding type
*
* @param cbType
* @return TLS Channel Binding type or null if given string is null
* @throws ChannelBindingException
*/
public static TlsChannelBindingType parseType(String cbType) throws ChannelBindingException {
if (cbType != null) {
if (cbType.equals(TlsChannelBindingType.TLS_SERVER_END_POINT.getName())) {
return TlsChannelBindingType.TLS_SERVER_END_POINT;
} else {
throw new ChannelBindingException("Illegal value for channel binding type: " + cbType);
}
}
return null;
}
private final TlsChannelBindingType cbType;
private final byte[] cbData;
/**
* Construct tls-server-end-point Channel Binding data
* @param serverCertificate
* @throws ChannelBindingException
*/
public static TlsChannelBinding create(X509Certificate serverCertificate) throws ChannelBindingException {
try {
final byte[] prefix =
TlsChannelBindingType.TLS_SERVER_END_POINT.getName().concat(":").getBytes();
String hashAlg = serverCertificate.getSigAlgName().
replace("SHA", "SHA-").toUpperCase();
int ind = hashAlg.indexOf("WITH");
if (ind > 0) {
hashAlg = hashAlg.substring(0, ind);
if (hashAlg.equals("MD5") || hashAlg.equals("SHA-1")) {
hashAlg = "SHA-256";
}
} else {
hashAlg = "SHA-256";
}
MessageDigest md = MessageDigest.getInstance(hashAlg);
byte[] hash = md.digest(serverCertificate.getEncoded());
byte[] cbData = Arrays.copyOf(prefix, prefix.length + hash.length );
System.arraycopy(hash, 0, cbData, prefix.length, hash.length);
return new TlsChannelBinding(TlsChannelBindingType.TLS_SERVER_END_POINT, cbData);
} catch (NoSuchAlgorithmException | CertificateEncodingException e) {
throw new ChannelBindingException("Cannot create TLS channel binding data", e);
}
}
private TlsChannelBinding(TlsChannelBindingType cbType, byte[] cbData) {
this.cbType = cbType;
this.cbData = cbData;
}
public TlsChannelBindingType getType() {
return cbType;
}
public byte[] getData() {
return cbData;
}
}