Posted to commits@directory.apache.org by ha...@apache.org on 2015/02/09 16:02:47 UTC

directory-kerberos git commit: DIRKRB-146 Test for encrypted data in Kerberos message (with some mistakes) .

Repository: directory-kerberos
Updated Branches:
  refs/heads/test-enc-message [created] a98444f2a


DIRKRB-146 Test for encrypted data in Kerberos message (with some mistakes) .


Project: http://git-wip-us.apache.org/repos/asf/directory-kerberos/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerberos/commit/a98444f2
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerberos/tree/a98444f2
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerberos/diff/a98444f2

Branch: refs/heads/test-enc-message
Commit: a98444f2afd0ed9225f4e11d47d32e4380ed4e17
Parents: 02ea20f
Author: Lin <li...@foxmail.com>
Authored: Mon Feb 9 22:59:12 2015 +0800
Committer: Lin <li...@foxmail.com>
Committed: Mon Feb 9 22:59:12 2015 +0800

----------------------------------------------------------------------
 kerby-kerb/kerb-core-test/pom.xml               |  5 ++
 .../kerberos/kerb/codec/test/CodecTestUtil.java | 33 ------------
 .../kerb/codec/test/TestAsRepCodec.java         | 51 +++++++++++++------
 .../kerb/codec/test/TestAsReqCodec.java         | 36 +++++++------
 .../kerb/codec/test/TestTgsRepCodec.java        | 53 ++++++++++++++------
 .../kerb/codec/test/TestTgsReqCodec.java        |  8 ++-
 6 files changed, 104 insertions(+), 82 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/a98444f2/kerby-kerb/kerb-core-test/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core-test/pom.xml b/kerby-kerb/kerb-core-test/pom.xml
index dc79b28..9dab396 100644
--- a/kerby-kerb/kerb-core-test/pom.xml
+++ b/kerby-kerb/kerb-core-test/pom.xml
@@ -34,6 +34,11 @@
     </dependency>
     <dependency>
       <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-common</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
       <artifactId>kerb-core</artifactId>
       <version>${project.version}</version>
     </dependency>

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/a98444f2/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/CodecTestUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/CodecTestUtil.java b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/CodecTestUtil.java
deleted file mode 100644
index 2657093..0000000
--- a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/CodecTestUtil.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.codec.test;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-public class CodecTestUtil {
-    /*package*/ 
-    static byte[] readBinaryFile(String path) throws IOException {
-        InputStream is = CodecTestUtil.class.getResourceAsStream(path);
-        byte[] bytes = new byte[is.available()];
-        is.read(bytes);
-        return bytes;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/a98444f2/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsRepCodec.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsRepCodec.java b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsRepCodec.java
index a4592cd..5fbf139 100644
--- a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsRepCodec.java
+++ b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsRepCodec.java
@@ -19,15 +19,17 @@
  */
 package org.apache.kerby.kerberos.kerb.codec.test;
 
-import org.apache.kerby.kerberos.kerb.spec.common.KrbMessageType;
-import org.apache.kerby.kerberos.kerb.spec.common.NameType;
-import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.keytab.Keytab;
+import org.apache.kerby.kerberos.kerb.spec.common.*;
 import org.apache.kerby.kerberos.kerb.spec.kdc.AsRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncKdcRepPart;
 import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
 import org.junit.Test;
 
-import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.util.List;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -35,11 +37,11 @@ import static org.assertj.core.api.Assertions.assertThat;
  * Test AsRep message using a real 'correct' network packet captured from MS-AD to detective programming errors
  * and compatibility issues particularly regarding Kerberos crypto.
  */
-public class TestAsRepCodec {
+public class TestAsRepCodec extends TestMessageCodec {
 
     @Test
-    public void test() throws IOException {
-        byte[] bytes = CodecTestUtil.readBinaryFile("/asrep.token");
+    public void test() throws Exception {
+        byte[] bytes = readBinaryFile("/asrep.token");
         ByteBuffer asRepToken = ByteBuffer.wrap(bytes);
 
         AsRep asRep = new AsRep();
@@ -60,13 +62,34 @@ public class TestAsRepCodec {
         assertThat(sName.getNameType()).isEqualTo(NameType.NT_SRV_INST);
         assertThat(sName.getNameStrings()).hasSize(2)
                 .contains("krbtgt", "DENYDC.COM");
-        //FIXME
-        //EncTicketPart encTicketPart = ticket.getEncPart();
-        //assertThat(encTicketPart.getKey().getKvno()).isEqualTo(2);
-        //assertThat(encTicketPart.getKey().getKeyType().getValue()).isEqualTo(0x0017);
 
-        //EncKdcRepPart encKdcRepPart = asRep.getEncPart();
-        //assertThat(encKdcRepPart.getKey().getKeyType().getValue()).isEqualTo(0x0017);
-        //assertThat(encKdcRepPart.getKey().getKvno()).isEqualTo(7);
+        //test for encrypted data
+        Keytab keytab = getDefaultKeytab();
+        cName.setRealm(asRep.getCrealm());
+        EncryptionKey key = keytab.getKey(cName, EncryptionType.ARCFOUR_HMAC);
+        EncKdcRepPart encKdcRepPart = EncryptionUtil.unseal(asRep.getEncryptedEncPart(), key,
+                KeyUsage.AS_REP_ENCPART, EncAsRepPart.class);
+
+        List<LastReqEntry> lastReqEntries = encKdcRepPart.getLastReq().getElements();
+        assertThat(lastReqEntries).hasSize(1);
+        LastReqEntry entry = lastReqEntries.get(0);
+        assertThat(entry.getLrType()).isEqualTo(LastReqType.NONE);
+        assertThat(entry.getLrValue().getTime()).isEqualTo(parseDateByDefaultFormat("20050816094134"));
+
+        assertThat(encKdcRepPart.getNonce()).isEqualTo(854491315);
+        assertThat(encKdcRepPart.getKeyExpiration().getTime())
+                .isEqualTo(parseDateByDefaultFormat("20370914024805"));
+        byte[] ticketFlags = new byte[]{64, -32, 0, 0};
+        assertThat(encKdcRepPart.getFlags().getValue()).isEqualTo(ticketFlags);
+        assertThat(encKdcRepPart.getAuthTime().getTime()).isEqualTo(parseDateByDefaultFormat("20050816094134"));
+        assertThat(encKdcRepPart.getStartTime().getTime()).isEqualTo(parseDateByDefaultFormat("20050816094134"));
+        assertThat(encKdcRepPart.getEndTime().getTime()).isEqualTo(parseDateByDefaultFormat("20050816194134"));
+        assertThat(encKdcRepPart.getRenewTill().getTime()).isEqualTo(parseDateByDefaultFormat("20050817050000"));
+        assertThat(encKdcRepPart.getSrealm()).isEqualTo("DENYDC.COM");
+
+        PrincipalName encSName = encKdcRepPart.getSname();
+        assertThat(encSName.getName()).isEqualTo("krbtgt/DENYDC.COM");
+        assertThat(encSName.getNameType()).isEqualTo(NameType.NT_SRV_INST);
+        assertThat(encSName.getNameStrings()).hasSize(2).contains("krbtgt").contains("DENYDC.COM");
     }
 }
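Review bot: The key returned by `keytab.getKey(cName, EncryptionType.ARCFOUR_HMAC)` goes straight into `EncryptionUtil.unseal` with no check, so a keytab fixture lacking that principal or enctype would presumably fail somewhere inside the crypto code instead of at a readable assertion. Add `assertThat(key).isNotNull();` before the unseal call; the same applies to the `DES_CBC_MD5` lookup in TestTgsRepCodec. The removed FIXME lines meant to check the key carried in the encrypted part, but the new assertions never look at it. Something like `assertThat(encKdcRepPart.getKey().getKeyType().getValue()).isEqualTo(0x0017);` would restore that coverage, with the expected value taken from the old comment and to be confirmed against the capture. `cName.setRealm(...)` changes the decoded principal only so the keytab lookup matches, which deserves a one-line comment; `test()` begins outside this hunk.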

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/a98444f2/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsReqCodec.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsReqCodec.java b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsReqCodec.java
index 3ed67e7..81763bc 100644
--- a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsReqCodec.java
+++ b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestAsReqCodec.java
@@ -27,14 +27,8 @@ import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
 import org.junit.Test;
 
-import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Arrays;
-import java.util.Date;
-import java.util.List;
-import java.util.SimpleTimeZone;
+import java.util.*;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -42,11 +36,11 @@ import static org.assertj.core.api.Assertions.assertThat;
  * Test AsReq message using a real 'correct' network packet captured from MS-AD to detective programming errors
  * and compatibility issues particularly regarding Kerberos crypto.
  */
-public class TestAsReqCodec {
+public class TestAsReqCodec extends TestMessageCodec{
 
     @Test
-    public void test() throws IOException, ParseException {
-        byte[] bytes = CodecTestUtil.readBinaryFile("/asreq.token");
+    public void test() throws Exception {
+        byte[] bytes = readBinaryFile("/asreq.token");
         ByteBuffer asReqToken = ByteBuffer.wrap(bytes);
 
         AsReq asReq = new AsReq();
@@ -58,7 +52,8 @@ public class TestAsReqCodec {
         PaData paData = asReq.getPaData();
         PaDataEntry encTimestampEntry = paData.findEntry(PaDataType.ENC_TIMESTAMP);
         assertThat(encTimestampEntry.getPaDataType()).isEqualTo(PaDataType.ENC_TIMESTAMP);
-        assertThat(encTimestampEntry.getPaDataValue()).isEqualTo(Arrays.copyOfRange(bytes, 33, 96));
+        //assertThat(encTimestampEntry.getPaDataValue()).isEqualTo(Arrays.copyOfRange(bytes, 33, 96));
+
         PaDataEntry pacRequestEntry = paData.findEntry(PaDataType.PAC_REQUEST);
         assertThat(pacRequestEntry.getPaDataType()).isEqualTo(PaDataType.PAC_REQUEST);
         assertThat(pacRequestEntry.getPaDataValue()).isEqualTo(Arrays.copyOfRange(bytes, 108, 115));
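Review bot: The `ENC_TIMESTAMP` value assertion is commented out rather than fixed or removed, so the test no longer checks the bytes of the encrypted-timestamp pre-auth entry and gives no reason why. If the `33, 96` offsets were wrong, correct them. Otherwise delete the line or replace it with an explanatory comment such as `// TODO DIRKRB-146: re-enable once the PA-ENC-TIMESTAMP value offsets are confirmed`. `test()` starts and ends outside this hunk.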
@@ -75,11 +70,9 @@ public class TestAsReqCodec {
         assertThat(sName.getNameStrings()).hasSize(2)
                 .contains("krbtgt", "DENYDC");
 
-        SimpleDateFormat sdf = new SimpleDateFormat("yyyyMMddHHmmss");
-        sdf.setTimeZone(new SimpleTimeZone(0, "Z"));
-        Date date = sdf.parse("20370913024805");
-        assertThat(body.getTill().getTime()).isEqualTo(date.getTime());
-        assertThat(body.getRtime().getTime()).isEqualTo(date.getTime());
+        long dataTime = parseDateByDefaultFormat("20370913024805");
+        assertThat(body.getTill().getTime()).isEqualTo(dataTime);
+        assertThat(body.getRtime().getTime()).isEqualTo(dataTime);
 
         assertThat(body.getNonce()).isEqualTo(197451134);
 
@@ -96,5 +89,16 @@ public class TestAsReqCodec {
         List<HostAddress> hostAddress = body.getAddresses().getElements();
         assertThat(hostAddress).hasSize(1);
         assertThat(hostAddress.get(0).getAddrType()).isEqualTo(HostAddrType.ADDRTYPE_NETBIOS);
+
+        //test for encrypted data
+        /*Keytab keytab = getDefaultKeytab();
+        PrincipalName name = new PrincipalName("u5@DENYDC.COM");
+        EncryptionKey timestampEncKey = keytab.getKey(name, EncryptionType.ARCFOUR_HMAC);
+        EncryptedData timestampEncData = KrbCodec.decode(encTimestampEntry.getPaDataValue(), EncryptedData.class);
+        PaEncTsEnc timestamp = EncryptionUtil.unseal(timestampEncData, timestampEncKey,
+                KeyUsage.AS_REQ_PA_ENC_TS, PaEncTsEnc.class);
+        assertThat(timestamp.getAllTime().getTime())
+                .isEqualTo(parseDateByDefaultFormat("20050816094029"));
+        assertThat(timestamp.getPaUsec()).isEqualTo(536026);*/
     }
 }
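Review bot: The whole "test for encrypted data" section sits inside a block comment, so the AS-REQ encrypted timestamp is never decrypted and the test passes without covering what the commit title describes. Move it into its own test method marked `@Ignore("DIRKRB-146: PA-ENC-TIMESTAMP unseal not working yet")`, or delete it until it works, so the gap shows up in test reports instead of hiding in dead code. The commented code also uses `Keytab`, `EncryptionKey`, `KrbCodec`, `EncryptionUtil` and `PaEncTsEnc`, none of which appear in the visible import hunks of this file, so re-enabling it would probably need import changes. `test()` begins outside this hunk.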

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/a98444f2/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsRepCodec.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsRepCodec.java b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsRepCodec.java
index 57eaec0..696228b 100644
--- a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsRepCodec.java
+++ b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsRepCodec.java
@@ -19,26 +19,26 @@
  */
 package org.apache.kerby.kerberos.kerb.codec.test;
 
-import org.apache.kerby.kerberos.kerb.spec.common.KrbMessageType;
-import org.apache.kerby.kerberos.kerb.spec.common.NameType;
-import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.keytab.Keytab;
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncTgsRepPart;
 import org.apache.kerby.kerberos.kerb.spec.kdc.TgsRep;
 import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
 import org.junit.Test;
 
-import java.io.IOException;
-
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**
  * Test TgsRep message using a real 'correct' network packet captured from MS-AD to detective programming errors
  * and compatibility issues particularly regarding Kerberos crypto.
  */
-public class TestTgsRepCodec {
+public class TestTgsRepCodec extends TestMessageCodec{
 
     @Test
-    public void test() throws IOException {
-        byte[] bytes = CodecTestUtil.readBinaryFile("/tgsrep.token");
+    public void test() throws Exception {
+        byte[] bytes = readBinaryFile("/tgsrep.token");
         TgsRep tgsRep = new TgsRep();
         tgsRep.decode(bytes);
 
@@ -57,12 +57,37 @@ public class TestTgsRepCodec {
         assertThat(sName.getNameType()).isEqualTo(NameType.NT_SRV_HST);
         assertThat(sName.getNameStrings()).hasSize(2)
                 .contains("host", "xp1.denydc.com");
-        //FIXME
-        //EncTicketPart encTicketPart = ticket.getEncPart();
-        //assertThat(encTicketPart.getKey().getKeyType().getValue()).isEqualTo(23);
-        //assertThat(encTicketPart.getKey().getKvno()).isEqualTo(2);
 
-        //EncKdcRepPart encKdcRepPart = tgsRep.getEncPart();
-        //assertThat(encKdcRepPart.getKey().getKeyType().getValue()).isEqualTo(3);
+        //test for encrypted data
+        Keytab keytab = getDefaultKeytab();
+        cName.setRealm(tgsRep.getCrealm());
+        EncryptionKey key = keytab.getKey(cName, EncryptionType.DES_CBC_MD5);
+        EncKdcRepPart encKdcRepPart = EncryptionUtil.unseal(tgsRep.getEncryptedEncPart(), key,
+                KeyUsage.TGS_REP_ENCPART_SESSKEY, EncTgsRepPart.class);
+
+        LastReq lastReq = encKdcRepPart.getLastReq();
+        assertThat(lastReq.getElements()).hasSize(1);
+        LastReqEntry lastReqEntry = lastReq.getElements().iterator().next();
+        assertThat(lastReqEntry.getLrType()).isEqualTo(LastReqType.NONE);
+        assertThat(lastReqEntry.getLrValue().getTime()).isEqualTo(parseDateByDefaultFormat("20050816094029"));
+
+        assertThat(encKdcRepPart.getNonce()).isEqualTo(197296424);
+
+        byte[] ticketFlags = new byte[]{64, -96, 0, 0};
+        assertThat(encKdcRepPart.getFlags().getValue()).isEqualTo(ticketFlags);
+
+        assertThat(encKdcRepPart.getAuthTime().getTime()).isEqualTo(parseDateByDefaultFormat("20050816094029"));
+        assertThat(encKdcRepPart.getStartTime().getTime()).isEqualTo(parseDateByDefaultFormat("20050816094029"));
+        assertThat(encKdcRepPart.getEndTime().getTime()).isEqualTo(parseDateByDefaultFormat("20050816194029"));
+        assertThat(encKdcRepPart.getRenewTill().getTime()).isEqualTo(parseDateByDefaultFormat("20050823094029"));
+
+        assertThat(encKdcRepPart.getSrealm()).isEqualTo("DENYDC.COM");
+
+        PrincipalName encSName = encKdcRepPart.getSname();
+        assertThat(encSName.getName()).isEqualTo("host/xp1.denydc.com");
+        assertThat(encSName.getNameType()).isEqualTo(NameType.NT_SRV_HST);
+        assertThat(encSName.getNameStrings()).hasSize(2)
+                .contains("host")
+                .contains("xp1.denydc.com");
     }
 }
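Review bot: The TGS-REP enc-part is unsealed with a key looked up in the keytab under the client principal (`keytab.getKey(cName, EncryptionType.DES_CBC_MD5)`) while the usage is `KeyUsage.TGS_REP_ENCPART_SESSKEY`. In RFC 4120 that part is protected by the TGT session key (or the authenticator subkey), not by the client's long-term key. If the keytab fixture really stores the captured session key under that principal, say so in a comment, e.g. `// tgsrep.token enc-part uses the TGT session key, kept in the test keytab under the client principal`. Otherwise this lookup is likely one of the mistakes the commit title mentions. `DES_CBC_MD5` is also a deprecated enctype, so a comment that it is dictated by the capture would explain the choice if single-DES is later disabled by default; `test()` begins outside this hunk.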

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/a98444f2/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsReqCodec.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsReqCodec.java b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsReqCodec.java
index 5334eb5..97fe102 100644
--- a/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsReqCodec.java
+++ b/kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/test/TestTgsReqCodec.java
@@ -30,8 +30,6 @@ import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
 import org.junit.Test;
 
-import java.io.IOException;
-import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.List;
@@ -43,11 +41,11 @@ import static org.assertj.core.api.Assertions.assertThat;
  * Test TgsReq message using a real 'correct' network packet captured from MS-AD to detective programming errors
  * and compatibility issues particularly regarding Kerberos crypto.
  */
-public class TestTgsReqCodec {
+public class TestTgsReqCodec extends TestMessageCodec{
 
     @Test
-    public void test() throws IOException, ParseException {
-        byte[] bytes = CodecTestUtil.readBinaryFile("/tgsreq.token");
+    public void test() throws Exception {
+        byte[] bytes = readBinaryFile("/tgsreq.token");
         TgsReq tgsReq = new TgsReq();
         tgsReq.decode(bytes);