Encrypted ticket and removed clear when JDBC is closed

Author: julesyan

src/main/java/com/ibm/as400/access/AS400.java

@@ -389,23 +389,19 @@ public class AS400 implements Serializable, AutoCloseable
     private boolean forcePrompt_ = false;
     private int validateSignonTimeOut_ = 0;
 
-    private byte[] kerbTicket_;
+    private transient CredentialVault kerbTicket_;
 
     // Prefix used to indicate that the password contains a base64-encoded Kerberos token.
     public static final String KERBEROS_PREFIX = "_KERBEROSAUTH_";
     public static final char[] KERBEROS_PREFIX_CHARS = KERBEROS_PREFIX.toCharArray();
 
     private void setKerbTicket(byte[] ticket) {
-        this.kerbTicket_ = ticket.clone();
-    }
-
-    private byte[] getKerbTicket() {
-        return this.kerbTicket_;
+        this.kerbTicket_ = new PasswordVault(ticket);
     }
 
     public void clearKerbTicket() {
-        if (this.kerbTicket_ != null)
-            CredentialVault.clearArray(kerbTicket_);
+        if (!this.kerbTicket_.isEmpty())
+            this.kerbTicket_.empty();
     }
 
     // Determines if the password contains a Kerberos token
@@ -1851,8 +1847,8 @@ private synchronized void chooseImpl()
         }
 
         // If kerbTicket_ has been set, make sure the impl knows about it.
-        if (kerbTicket_ != null)
-            impl_.setKerbTicket(kerbTicket_);
+        if (!kerbTicket_.isEmpty())
+            impl_.setKerbTicket(kerbTicket_.getClearCredential());
 
         if (!propertiesFrozen_)
         {
@@ -5506,9 +5502,9 @@ synchronized void signon(boolean keepConnection) throws AS400SecurityException,
                     // Try for Kerberos.
                     byte[] newBytes = null;
 
-                    if (kerbTicket_ != null && kerbTicket_.length > 0) {
+                    if (!kerbTicket_.isEmpty() && kerbTicket_.getClearCredential().length > 0) {
                         if (Trace.traceOn_) Trace.log(Trace.DIAGNOSTIC, "Using injected Kerberos ticket.");
-                        newBytes = kerbTicket_.clone();
+                        newBytes = kerbTicket_.getClearCredential();
                     } else {
                         // Fall back to generating the token normally
                         newBytes = (gssCredential_ == null)

src/main/java/com/ibm/as400/access/AS400ImplProxy.java

@@ -371,7 +371,7 @@ public SignonInfo skipSignon(String systemName, boolean systemNameLocal, String
 
 
     private int bidiStringType = BidiStringType.DEFAULT;
-    private byte[] kerbTicket_;
+    private CredentialVault kerbTicket_;
 
     /**
      * Sets bidi string type of the connection. 
@@ -408,11 +408,7 @@ public void setAdditionalAuthenticationFactor(char[] additionalAuthFactor) {
 
     @Override
     public void setKerbTicket(byte[] ticket) {
-        this.kerbTicket_ = ticket;
-    }
-
-    private byte[] getKerbTicket() {
-        return this.kerbTicket_;
+        this.kerbTicket_ = new PasswordVault(ticket);
     }
 
 }

src/main/java/com/ibm/as400/access/AS400ImplRemote.java

@@ -189,7 +189,7 @@ public class AS400ImplRemote implements AS400Impl
   private static final String CLASSNAME = "com.ibm.as400.access.AS400ImplRemote";
 
   // GSS Token, for Kerberos.
-  private byte[] kerbTicket_;
+  private CredentialVault kerbTicket_;
 
   static {
       if (Trace.traceOn_)
@@ -669,8 +669,8 @@ public int createUserHandle() throws AS400SecurityException, IOException
               try
               {
                 byte[] authenticationBytes;
-                if (this.kerbTicket_ != null){
-                    authenticationBytes = this.kerbTicket_;
+                if (!this.kerbTicket_.isEmpty()){
+                    authenticationBytes = this.kerbTicket_.getClearCredential();
                 } else {
                     authenticationBytes = (gssCredential_ == null) 
                           ? TokenManager.getGSSToken(systemName_, gssName_)
@@ -1023,8 +1023,8 @@ public void generateProfileToken(ProfileTokenCredential profileToken, String use
               case AS400.AUTHENTICATION_SCHEME_GSS_TOKEN:
                   try
                   {
-                    if (this.kerbTicket_ != null){
-                        authenticationBytes = this.kerbTicket_;
+                    if (!this.kerbTicket_.isEmpty()){
+                        authenticationBytes = this.kerbTicket_.getClearCredential();
                     } else {
                         authenticationBytes = (gssCredential_ == null) 
                             ? TokenManager.getGSSToken(systemName_, gssName) 
@@ -1849,8 +1849,8 @@ byte[] getPassword(byte[] clientSeed, byte[] serverSeed) throws AS400SecurityExc
       if (credType == AS400.AUTHENTICATION_SCHEME_GSS_TOKEN)
       {
           try {
-            if (kerbTicket_ != null)
-                return kerbTicket_;
+            if (!kerbTicket_.isEmpty())
+                return kerbTicket_.getClearCredential();
               return (gssCredential_ == null) 
                     ? TokenManager.getGSSToken(systemName_, gssName_)
                     : TokenManager2.getGSSToken(systemName_, gssCredential_);
@@ -2229,8 +2229,8 @@ private byte[] getDdmEncryptedPassword(byte[] sharedPrivateKey, byte[] serverSee
       if (credType == AS400.AUTHENTICATION_SCHEME_GSS_TOKEN)
       {
           try {
-            if (kerbTicket_ != null)
-                return kerbTicket_;
+            if (!kerbTicket_.isEmpty())
+                return kerbTicket_.getClearCredential();
               return (gssCredential_ == null) 
                 ? TokenManager.getGSSToken(systemName_, gssName_)
                 : TokenManager2.getGSSToken(systemName_, gssCredential_);
@@ -5420,11 +5420,7 @@ public String getLocalIPAddress() {
 
     @Override
     public void setKerbTicket(byte[] ticket) {
-        this.kerbTicket_ = ticket;
-    }
-
-    private byte[] getKerbTicket() {
-        return this.kerbTicket_;
+        this.kerbTicket_ = new PasswordVault(ticket);
     }
 
 }

src/main/java/com/ibm/as400/access/AS400JDBCConnectionImpl.java

@@ -592,10 +592,6 @@ public void close ()
 
 
             as400_.disconnectServer (server_);
-            // Clear the sensitive auth token via the public AS400 object
-            if (as400PublicClassObj_ != null) {
-                as400PublicClassObj_.clearKerbTicket();
-            }
 
             server_ = null;
         }