1   /*
2    * Copyright 2024 Michael Osipov
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package net.sf.michaelo.tomcat.pac;
17  
18  import java.security.Key;
19  import java.security.SignatureException;
20  
21  /**
22   * An interface for pluggable PAC signature verifier implementations for {@link PacSignatureData}.
23   * <p>
24   * The specification of Kerberos checksum (calculation) is available at
25   * <ul>
26   * <li><a href="https://datatracker.ietf.org/doc/html/rfc4120#section-4">RFC 4120, section 4</a></li>
27   * <li><a href="https://www.rfc-editor.org/rfc/rfc4757.html#section-4">RFC 4757, section 4</a></li>
28   * <li><a href="https://datatracker.ietf.org/doc/html/rfc3961">RFC 3961</a></li>
29   * <li><a href="https://www.rfc-editor.org/rfc/rfc3962.html">RFC 3962</a></li>
30   * </ul>
31   */
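public interface PacSignatureVerifier {

	/**
	 * Kerberos key usage number 17 ({@code KERB_NON_KERB_CKSUM_SALT}) as assigned in:
	 * <ul>
	 * <li><a href="https://github.com/krb5/krb5-assignments/blob/master/key-usage">krb5 key usage assignments</a></li>
	 * <li><a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/a194aa34-81bd-46a0-a931-2e05b87d1098">MS-PAC</a></li>
	 * </ul>
	 */
	int KU_KERB_NON_KERB_CKSUM_SALT = 17;

	/**
	 * Verifies the signature on the supplied data with an array of suitable Kerberos keys.
	 * <p>
	 * Only keys whose algorithm matches the
	 * {@link PacSignatureData.SignatureType#getEType() signature encryption type} are
	 * eligible; if none does, the call fails rather than silently succeeding.
	 * <p>
	 * NOTE(review): implementations are expected to compare the recomputed checksum with
	 * the one carried in {@code signatureData} using a constant-time comparison (e.g.
	 * {@link java.security.MessageDigest#isEqual(byte[], byte[])}) and to report any
	 * mismatch as a {@link SignatureException} — confirm against the concrete verifiers.
	 *
	 * @param signatureData
	 *            the PAC signature data to be verified
	 * @param data
	 *            the data to be verified
	 * @param keys
	 *            the candidate keys used to recompute the signature; a key with a matching
	 *            algorithm is selected from this array
	 * @throws NullPointerException
	 *             if any argument is null
	 * @throws IllegalArgumentException
	 *             if any array is empty, or if no key algorithm matches the
	 *             {@link PacSignatureData.SignatureType#getEType() signature encryption type}
	 * @throws SignatureException
	 *             if the signature cannot be verified
	 */
	void verify(PacSignatureData signatureData, byte[] data, Key[] keys) throws SignatureException;

}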
61  }