Posted to commits@directory.apache.org by dr...@apache.org on 2015/01/22 22:47:58 UTC
[19/45] directory-kerberos git commit: DIRKRB-149 New layout
structure with the new name "Apache Kerby"
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
new file mode 100644
index 0000000..b7902b4
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.IdentityOpts;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PluginOpts;
+
+public class PkinitContext {
+
+ public PluginOpts pluginOpts = new PluginOpts();
+ public IdentityOpts identityOpts = new IdentityOpts();
+
+}
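Review bot: `pluginOpts` and `identityOpts` are public mutable fields on an object that `PkinitPreauth.init` creates once per plugin instance, so whatever is written into them is shared by every request that plugin handles rather than being per-request; the class has no Javadoc saying so. A header such as `/** Plugin-wide PKINIT state created once in PkinitPreauth.init; not per-request — see PkinitRequestContext for per-request options. */` would make the lifetime explicit for anyone adding fields here.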
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
new file mode 100644
index 0000000..d5a516c
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -0,0 +1,233 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.client.preauth.AbstractPreauthPlugin;
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.client.request.KdcRequest;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlag;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlags;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdenity;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.*;
+import org.apache.kerby.kerberos.kerb.spec.x509.SubjectPublicKeyInfo;
+
+public class PkinitPreauth extends AbstractPreauthPlugin {
+
+ private PkinitContext pkinitContext;
+
+ public PkinitPreauth() {
+ super(new PkinitPreauthMeta());
+ }
+
+ @Override
+ public void init(KrbContext context) {
+ super.init(context);
+ this.pkinitContext = new PkinitContext();
+ }
+
+ @Override
+ public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
+ PkinitRequestContext reqCtx = new PkinitRequestContext();
+
+ reqCtx.updateRequestOpts(pkinitContext.pluginOpts);
+
+ return reqCtx;
+ }
+
+ @Override
+ public void setPreauthOptions(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ KrbOptions options) {
+ if (options.contains(KrbOption.PKINIT_X509_IDENTITY)) {
+ pkinitContext.identityOpts.identity =
+ options.getStringOption(KrbOption.PKINIT_X509_IDENTITY);
+ }
+
+ if (options.contains(KrbOption.PKINIT_X509_ANCHORS)) {
+ pkinitContext.identityOpts.anchors.add(
+ options.getStringOption(KrbOption.PKINIT_X509_ANCHORS));
+ }
+
+ if (options.contains(KrbOption.PKINIT_USING_RSA)) {
+ pkinitContext.pluginOpts.usingRsa =
+ options.getBooleanOption(KrbOption.PKINIT_USING_RSA);
+ }
+
+ }
+
+ @Override
+ public void prepareQuestions(KdcRequest kdcRequest,
+ PluginRequestContext requestContext) {
+
+ PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
+
+ if (!reqCtx.identityInitialized) {
+ PkinitIdenity.initialize(reqCtx.identityOpts, kdcRequest.getClientPrincipal());
+ reqCtx.identityInitialized = true;
+ }
+
+ // Might have questions asking for password to access the private key
+ }
+
+ public void tryFirst(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ PaData outPadata) throws KrbException {
+
+ }
+
+ @Override
+ public boolean process(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ PaDataEntry inPadata,
+ PaData outPadata) throws KrbException {
+
+ PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
+ if (inPadata == null) return false;
+
+ boolean processingRequest = false;
+ switch (inPadata.getPaDataType()) {
+ case PK_AS_REQ:
+ processingRequest = true;
+ break;
+ case PK_AS_REP:
+ break;
+ }
+
+ if (processingRequest) {
+ generateRequest(reqCtx, kdcRequest, outPadata);
+ } else {
+ EncryptionType encType = kdcRequest.getEncType();
+ processReply(kdcRequest, reqCtx, inPadata, encType);
+ }
+
+ return false;
+ }
+
+ private void generateRequest(PkinitRequestContext reqCtx, KdcRequest kdcRequest,
+ PaData outPadata) {
+
+ }
+
+ private PaPkAsReq makePaPkAsReq(PkinitContext pkinitContext, PkinitRequestContext reqCtx,
+ KerberosTime ctime, int cusec, int nonce, byte[] checksum,
+ PrincipalName client, PrincipalName server) {
+
+ PaPkAsReq paPkAsReq = new PaPkAsReq();
+ AuthPack authPack = new AuthPack();
+ SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo();
+ PkAuthenticator pkAuthen = new PkAuthenticator();
+
+ boolean usingRsa = reqCtx.requestOpts.usingRsa;
+ PaDataType paType = reqCtx.paType = PaDataType.PK_AS_REQ;
+
+ pkAuthen.setCtime(ctime);
+ pkAuthen.setCusec(cusec);
+ pkAuthen.setNonce(nonce);
+ pkAuthen.setPaChecksum(checksum);
+
+ authPack.setPkAuthenticator(pkAuthen);
+ DHNonce dhNonce = new DHNonce();
+ authPack.setClientDhNonce(dhNonce);
+ authPack.setClientPublicValue(pubInfo);
+
+ authPack.setsupportedCmsTypes(pkinitContext.pluginOpts.createSupportedCMSTypes());
+
+ if (usingRsa) {
+ // DH case
+ } else {
+ authPack.setClientPublicValue(null);
+ }
+
+ byte[] signedAuthPack = signAuthPack(pkinitContext, reqCtx, authPack);
+ paPkAsReq.setSignedAuthPack(signedAuthPack);
+
+ TrustedCertifiers trustedCertifiers = pkinitContext.pluginOpts.createTrustedCertifiers();
+ paPkAsReq.setTrustedCertifiers(trustedCertifiers);
+
+ byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
+ paPkAsReq.setKdcPkId(kdcPkId);
+
+ return paPkAsReq;
+ }
+
+ private byte[] signAuthPack(PkinitContext pkinitContext,
+ PkinitRequestContext reqCtx, AuthPack authPack) {
+ return null;
+ }
+
+ private void processReply(KdcRequest kdcRequest,
+ PkinitRequestContext reqCtx,
+ PaDataEntry inPadata,
+ EncryptionType encType) {
+
+ EncryptionKey asKey = null;
+
+ // TODO
+
+ kdcRequest.setAsKey(asKey);
+ }
+
+ @Override
+ public boolean tryAgain(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ PaDataType preauthType,
+ PaData errPadata,
+ PaData outPadata) {
+
+ PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
+ if (reqCtx.paType != preauthType && errPadata == null) {
+ return false;
+ }
+
+ boolean doAgain = false;
+ for (PaDataEntry pde : errPadata.getElements()) {
+ switch (pde.getPaDataType()) {
+ // TODO
+ }
+ }
+
+ if (doAgain) {
+ generateRequest(reqCtx, kdcRequest, outPadata);
+ }
+
+ return false;
+ }
+
+ @Override
+ public PaFlags getFlags(PaDataType paType) {
+ PaFlags paFlags = new PaFlags(0);
+ paFlags.setFlag(PaFlag.PA_REAL);
+
+ return paFlags;
+ }
+
+}
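Review bot: `tryAgain` dereferences `errPadata` at `for (PaDataEntry pde : errPadata.getElements())` although the guard above it returns early only when the type mismatches AND `errPadata` is null, so a matching `preauthType` with a null `errPadata` throws a NullPointerException; the guard should read `if (reqCtx.paType != preauthType || errPadata == null) {`. Separately, `setPreauthOptions` writes the identity and anchors into the plugin-wide `pkinitContext.identityOpts`, while `prepareQuestions` initialises from `reqCtx.identityOpts`, so the configured identity does not appear to reach `PkinitIdenity.initialize`, and values set for one request stay visible to later requests on the same plugin instance — the per-request context looks like the intended home for both. In `makePaPkAsReq` the branch `if (usingRsa) { // DH case }` reads inverted against the field name; worth confirming which mode is meant to clear `clientPublicValue`, since that field is what distinguishes DH from RSA mode in the request. `process` also routes every `PaDataType` other than `PK_AS_REQ` into `processReply` because the switch has no default; `default: return false;` would keep unrelated padata out of the reply path.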
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
new file mode 100644
index 0000000..bfbf7f2
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.IdentityOpts;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PluginOpts;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class PkinitRequestContext implements PluginRequestContext {
+
+ public PkinitRequestOpts requestOpts = new PkinitRequestOpts();
+ public IdentityOpts identityOpts = new IdentityOpts();
+ public boolean doIdentityMatching;
+ public PaDataType paType;
+ public boolean rfc6112Kdc;
+ public boolean identityInitialized;
+ public boolean identityPrompted;
+
+ public void updateRequestOpts(PluginOpts pluginOpts) {
+ requestOpts.requireEku = pluginOpts.requireEku;
+ requestOpts.acceptSecondaryEku = pluginOpts.acceptSecondaryEku;
+ requestOpts.allowUpn = pluginOpts.allowUpn;
+ requestOpts.usingRsa = pluginOpts.usingRsa;
+ requestOpts.requireCrlChecking = pluginOpts.requireCrlChecking;
+ }
+}
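Review bot: `updateRequestOpts` copies five fields from `PluginOpts` but leaves `requestOpts.dhSize` and `requestOpts.requireHostnameMatch` at their defaults; if `PluginOpts` carries equivalents they should be copied here as well, otherwise a comment such as `// dhSize and requireHostnameMatch are not plugin-configurable; defaults apply` would make the omission deliberate. The method has no Javadoc; `/** Seeds the per-request options from the plugin-wide defaults; later per-request changes do not flow back. */` states the direction of the copy. All fields are public and mutable, consistent with the sibling context classes, which means any holder of the context can reset `identityInitialized` or `paType` mid-exchange.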
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
new file mode 100644
index 0000000..97e989f
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+public class PkinitRequestOpts {
+
+ // From MIT Krb5 _pkinit_plg_opts
+
+ // require EKU checking (default is true)
+ public boolean requireEku = true;
+ // accept secondary EKU (default is false)
+ public boolean acceptSecondaryEku = false;
+ // allow UPN-SAN instead of pkinit-SAN
+ public boolean allowUpn = true;
+ // selects DH or RSA based pkinit
+ public boolean usingRsa = true;
+ // require CRL for a CA (default is false)
+ public boolean requireCrlChecking = false;
+ // initial request DH modulus size (default=1024)
+ public int dhSize = 1024;
+
+ public boolean requireHostnameMatch = true;
+}
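Review bot: `dhSize = 1024` carries the MIT default over unchanged, but a 1024-bit DH modulus is below the minimum size current guidance recommends (2048 bits or more) for new deployments; if the value is kept for interoperability the comment should say so, e.g. `// initial request DH modulus size; 1024 mirrors MIT krb5 but is below current minimum recommendations — prefer 2048+ once the KDC side supports it`. The comment on `usingRsa` (`selects DH or RSA based pkinit`) does not say which value selects which, and `PkinitPreauth.makePaPkAsReq` branches on it; assuming true means RSA as the name suggests, `// true: RSA public-key encryption mode, false: DH key agreement` removes the ambiguity. `requireHostnameMatch` is the only field without a comment and is not part of the MIT list cited above it; note where it originates and what it gates.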
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
new file mode 100644
index 0000000..e1696dc
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.token;
+
+import org.apache.kerby.token.KerbToken;
+
+public class TokenContext {
+
+ public boolean usingIdToken = true;
+ public KerbToken token = null;
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
new file mode 100644
index 0000000..f67ad71
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.token;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.client.preauth.AbstractPreauthPlugin;
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.client.request.KdcRequest;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlag;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlags;
+import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.token.KerbToken;
+
+import java.util.Collections;
+import java.util.List;
+
+public class TokenPreauth extends AbstractPreauthPlugin {
+
+ private TokenContext tokenContext;
+
+ public TokenPreauth() {
+ super(new TokenPreauthMeta());
+ }
+
+ public void init(KrbContext context) {
+ super.init(context);
+ this.tokenContext = new TokenContext();
+ }
+
+ @Override
+ public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
+ TokenRequestContext reqCtx = new TokenRequestContext();
+
+ return reqCtx;
+ }
+
+ @Override
+ public void prepareQuestions(KdcRequest kdcRequest,
+ PluginRequestContext requestContext) {
+
+ }
+
+ @Override
+ public List<EncryptionType> getEncTypes(KdcRequest kdcRequest,
+ PluginRequestContext requestContext) {
+ return Collections.emptyList();
+ }
+
+ @Override
+ public void setPreauthOptions(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ KrbOptions options) {
+
+ tokenContext.usingIdToken = options.getBooleanOption(KrbOption.TOKEN_USING_IDTOKEN);
+ if (tokenContext.usingIdToken) {
+ if (options.contains(KrbOption.TOKEN_USER_ID_TOKEN)) {
+ tokenContext.token =
+ (KerbToken) options.getOptionValue(KrbOption.TOKEN_USER_ID_TOKEN);
+ }
+ } else {
+ if (options.contains(KrbOption.TOKEN_USER_AC_TOKEN)) {
+ tokenContext.token =
+ (KerbToken) options.getOptionValue(KrbOption.TOKEN_USER_AC_TOKEN);
+ }
+ }
+
+ }
+
+ public void tryFirst(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ PaData outPadata) throws KrbException {
+
+ }
+
+ @Override
+ public boolean process(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ PaDataEntry inPadata,
+ PaData outPadata) throws KrbException {
+
+ return false;
+ }
+
+ @Override
+ public boolean tryAgain(KdcRequest kdcRequest,
+ PluginRequestContext requestContext,
+ PaDataType preauthType,
+ PaData errPadata,
+ PaData outPadata) {
+ return false;
+ }
+
+ @Override
+ public PaFlags getFlags(PaDataType paType) {
+ PaFlags paFlags = new PaFlags(0);
+ paFlags.setFlag(PaFlag.PA_REAL);
+
+ return paFlags;
+ }
+}
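Review bot: `init(KrbContext)` lacks `@Override` while every other overriding method in this class carries it and `PkinitPreauth.init` in the same commit has it; add `@Override` so a signature change in `AbstractPreauthPlugin` is caught at compile time. In `setPreauthOptions`, `options.getBooleanOption(KrbOption.TOKEN_USING_IDTOKEN)` is read without the `options.contains(...)` guard that the two token lookups below it use, so the result for an absent option depends on `getBooleanOption`'s handling of missing keys, which is not visible here. The two `(KerbToken)` casts of `getOptionValue(...)` fail with a ClassCastException on a mis-typed option value; an `instanceof` check that throws a `KrbException` naming the option would give a clearer failure. As in `PkinitPreauth`, the options land on the plugin-wide `tokenContext` rather than the per-request `TokenRequestContext`, so a token supplied for one request remains visible to later requests handled by the same plugin instance.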
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
new file mode 100644
index 0000000..ca7eb87
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.token;
+
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class TokenRequestContext implements PluginRequestContext {
+
+ public boolean doIdentityMatching;
+ public PaDataType paType;
+ public boolean identityInitialized;
+ public boolean identityPrompted;
+
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
new file mode 100644
index 0000000..ca20e00
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
+
+import java.io.IOException;
+import java.util.List;
+
+public class AsRequest extends KdcRequest {
+
+ private PrincipalName clientPrincipal;
+ private EncryptionKey clientKey;
+
+ public AsRequest(KrbContext context) {
+ super(context);
+
+ setServerPrincipal(makeTgsPrincipal());
+ }
+
+ public PrincipalName getClientPrincipal() {
+ return clientPrincipal;
+ }
+
+ public void setClientPrincipal(PrincipalName clientPrincipal) {
+ this.clientPrincipal = clientPrincipal;
+ }
+
+ public void setClientKey(EncryptionKey clientKey) {
+ this.clientKey = clientKey;
+ }
+
+ public EncryptionKey getClientKey() throws KrbException {
+ return clientKey;
+ }
+
+ @Override
+ public void process() throws KrbException {
+ super.process();
+
+ KdcReqBody body = makeReqBody();
+
+ AsReq asReq = new AsReq();
+ asReq.setReqBody(body);
+ asReq.setPaData(getPreauthContext().getOutputPaData());
+
+ setKdcReq(asReq);
+ }
+
+ @Override
+ public void processResponse(KdcRep kdcRep) throws KrbException {
+ setKdcRep(kdcRep);
+
+ PrincipalName clientPrincipal = getKdcRep().getCname();
+ String clientRealm = getKdcRep().getCrealm();
+ clientPrincipal.setRealm(clientRealm);
+ if (! clientPrincipal.equals(getClientPrincipal())) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_NAME_MISMATCH);
+ }
+
+ byte[] decryptedData = decryptWithClientKey(getKdcRep().getEncryptedEncPart(),
+ KeyUsage.AS_REP_ENCPART);
+ EncKdcRepPart encKdcRepPart = new EncAsRepPart();
+ try {
+ encKdcRepPart.decode(decryptedData);
+ } catch (IOException e) {
+ throw new KrbException("Failed to decode EncAsRepPart", e);
+ }
+ getKdcRep().setEncPart(encKdcRepPart);
+
+ if (getChosenNonce() != encKdcRepPart.getNonce()) {
+ throw new KrbException("Nonce didn't match");
+ }
+
+ PrincipalName serverPrincipal = encKdcRepPart.getSname();
+ serverPrincipal.setRealm(encKdcRepPart.getSrealm());
+ if (! serverPrincipal.equals(getServerPrincipal())) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_SERVER_NOMATCH);
+ }
+
+ HostAddresses hostAddresses = getHostAddresses();
+ if (hostAddresses != null) {
+ List<HostAddress> requestHosts = hostAddresses.getElements();
+ if (!requestHosts.isEmpty()) {
+ List<HostAddress> responseHosts = encKdcRepPart.getCaddr().getElements();
+ for (HostAddress h : requestHosts) {
+ if (!responseHosts.contains(h)) {
+ throw new KrbException("Unexpected client host");
+ }
+ }
+ }
+ }
+ }
+
+ public TgtTicket getTicket() {
+ TgtTicket TgtTicket = new TgtTicket(getKdcRep().getTicket(),
+ (EncAsRepPart) getKdcRep().getEncPart(), getKdcRep().getCname().getName());
+ return TgtTicket;
+ }
+
+ private PrincipalName makeTgsPrincipal() {
+ return new PrincipalName(KrbConstant.TGS_PRINCIPAL + "@" + getContext().getKdcRealm());
+ }
+}
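Review bot: In `getTicket` the local variable is named `TgtTicket`, identical to its type, which shadows the class name inside the method and reads as a typo; `TgtTicket ticket = new TgtTicket(getKdcRep().getTicket(), (EncAsRepPart) getKdcRep().getEncPart(), getKdcRep().getCname().getName()); return ticket;` or simply returning the expression fixes it. In `processResponse`, `encKdcRepPart.getCaddr().getElements()` runs whenever the request carried addresses; if `getCaddr()` can be null for a reply without caddr this becomes a NullPointerException instead of the intended `"Unexpected client host"` rejection — worth confirming against `EncKdcRepPart`. The check order (client name, decrypt, nonce, server name, addresses, all before the reply is accepted) is what binds the reply to the request and deserves a short Javadoc on `processResponse` listing those checks and the `KrbException` each raises.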
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
new file mode 100644
index 0000000..43b2368
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class AsRequestWithCert extends AsRequest {
+
+ public static final String ANONYMOUS_PRINCIPAL = "ANONYMOUS@WELLKNOWN:ANONYMOUS";
+
+ public AsRequestWithCert(KrbContext context) {
+ super(context);
+
+ setAllowedPreauth(PaDataType.PK_AS_REQ);
+ }
+
+ @Override
+ public void process() throws KrbException {
+ throw new RuntimeException("To be implemented");
+ }
+
+ @Override
+ public KrbOptions getPreauthOptions() {
+ KrbOptions results = new KrbOptions();
+
+ KrbOptions krbOptions = getKrbOptions();
+ results.add(krbOptions.getOption(KrbOption.PKINIT_X509_CERTIFICATE));
+ results.add(krbOptions.getOption(KrbOption.PKINIT_X509_ANCHORS));
+ results.add(krbOptions.getOption(KrbOption.PKINIT_X509_PRIVATE_KEY));
+ results.add(krbOptions.getOption(KrbOption.PKINIT_X509_IDENTITY));
+ results.add(krbOptions.getOption(KrbOption.PKINIT_USING_RSA));
+
+ return results;
+ }
+
+}
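Review bot: `process()` throws a bare `RuntimeException("To be implemented")`, and `AsRequestWithToken.process()` in this commit does the same; `UnsupportedOperationException` is the conventional type for an unimplemented operation, and callers that catch `KrbException` will see neither. `getPreauthOptions` forwards `PKINIT_X509_CERTIFICATE` and `PKINIT_X509_PRIVATE_KEY`, but `PkinitPreauth.setPreauthOptions` in this commit reads only `PKINIT_X509_IDENTITY`, `PKINIT_X509_ANCHORS` and `PKINIT_USING_RSA`, so the certificate and private-key options are collected and then ignored; either consume them on the plugin side or drop them here. If `getOption` returns null for an unset option, each `results.add(...)` inserts a null entry — this depends on `KrbOptions`, which is not shown. `ANONYMOUS_PRINCIPAL` is public but unused in this file; a comment naming the request flow that uses it would help.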
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java
new file mode 100644
index 0000000..721ab85
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class AsRequestWithPasswd extends AsRequest {
+
+ public AsRequestWithPasswd(KrbContext context) {
+ super(context);
+
+ setAllowedPreauth(PaDataType.ENC_TIMESTAMP);
+ }
+
+ public String getPassword() {
+ return getKrbOptions().getStringOption(KrbOption.USER_PASSWD);
+ }
+
+ @Override
+ public EncryptionKey getClientKey() throws KrbException {
+ if (super.getClientKey() == null) {
+ EncryptionKey tmpKey = EncryptionHandler.string2Key(getClientPrincipal().getName(),
+ getPassword(), getChosenEncryptionType());
+ setClientKey(tmpKey);
+ }
+ return super.getClientKey();
+ }
+}
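Review bot: `getClientKey` caches the derived key on first use, but the derivation depends on `getChosenEncryptionType()`; if this is reached before the enctype has been chosen, a key for the wrong (or null) enctype is cached and never recomputed — a null check raising a `KrbException` before `string2Key` would make that failure explicit, presuming the base class does not already guarantee the enctype at this point. `getPassword()` hands the password out as a `String` read from `KrbOption.USER_PASSWD` with no Javadoc; document that it may be null when the option is unset and that, because the derived key is cached here, the password is only needed for the first derivation. A short class Javadoc stating that this request type uses `ENC_TIMESTAMP` pre-authentication with a password-derived client key would tie the constructor and the override together.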
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
new file mode 100644
index 0000000..586c9ed
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class AsRequestWithToken extends AsRequest {
+
+ public AsRequestWithToken(KrbContext context) {
+ super(context);
+
+ setAllowedPreauth(PaDataType.TOKEN_REQUEST);
+ }
+
+ @Override
+ public void process() throws KrbException {
+ throw new RuntimeException("To be implemented");
+ }
+
+ @Override
+ public KrbOptions getPreauthOptions() {
+ KrbOptions results = new KrbOptions();
+
+ KrbOptions krbOptions = getKrbOptions();
+ results.add(krbOptions.getOption(KrbOption.TOKEN_USING_IDTOKEN));
+ results.add(krbOptions.getOption(KrbOption.TOKEN_USER_ID_TOKEN));
+ results.add(krbOptions.getOption(KrbOption.TOKEN_USER_AC_TOKEN));
+
+ return results;
+ }
+}
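Review bot: `process()` near the top of the hunk throws an unchecked `RuntimeException("To be implemented")` although the method is declared `throws KrbException`, so a caller that handles `KrbException` will not catch the stub failing. Throwing the checked type, `throw new KrbException("Token preauth is not implemented yet");`, keeps the stub inside the declared contract; `UnsupportedOperationException` is the alternative if the intent is a programming error rather than a Kerberos-level failure. `getPreauthOptions()` also copies the three TOKEN_* options without considering what `getOption` returns for an option that was never set; if that is null, `results.add(null)` depends on how `KrbOptions.add` treats it, which is worth a comment on the method.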
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
new file mode 100644
index 0000000..bbbadab
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -0,0 +1,358 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.client.preauth.FastContext;
+import org.apache.kerby.kerberos.kerb.client.preauth.PreauthContext;
+import org.apache.kerby.kerberos.kerb.client.preauth.PreauthHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.transport.Transport;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * A wrapper for KdcReq request
+ */
+public abstract class KdcRequest {
+ private KrbContext context;
+ private Transport transport;
+
+ private KrbOptions krbOptions;
+ private PrincipalName serverPrincipal;
+ private List<HostAddress> hostAddresses = new ArrayList<HostAddress>();
+ private KdcOptions kdcOptions = new KdcOptions();
+ private List<EncryptionType> encryptionTypes;
+ private EncryptionType chosenEncryptionType;
+ private int chosenNonce;
+ private KdcReq kdcReq;
+ private KdcRep kdcRep;
+ protected Map<String, Object> credCache;
+ private PreauthContext preauthContext;
+ private FastContext fastContext;
+ private EncryptionKey asKey;
+
+ private KrbError errorReply;
+ private boolean isRetrying;
+
+ public KdcRequest(KrbContext context) {
+ this.context = context;
+ this.isRetrying = false;
+ this.credCache = new HashMap<String, Object>();
+ this.preauthContext = context.getPreauthHandler()
+ .preparePreauthContext(this);
+ this.fastContext = new FastContext();
+ }
+
+ public void setTransport(Transport transport) {
+ this.transport = transport;
+ }
+
+ public Transport getTransport() {
+ return this.transport;
+ }
+
+ public void setKrbOptions(KrbOptions options) {
+ this.krbOptions = options;
+ }
+
+ public KrbOptions getKrbOptions() {
+ return krbOptions;
+ }
+
+ public boolean isRetrying() {
+ return isRetrying;
+ }
+
+ public void setAsKey(EncryptionKey asKey) {
+ this.asKey = asKey;
+ }
+
+ public EncryptionKey getAsKey() throws KrbException {
+ return asKey;
+ }
+
+ public void setAllowedPreauth(PaDataType paType) {
+ preauthContext.setAllowedPaType(paType);
+ }
+
+ public Map<String, Object> getCredCache() {
+ return credCache;
+ }
+
+ public void setPreauthRequired(boolean preauthRequired) {
+ preauthContext.setPreauthRequired(preauthRequired);
+ }
+
+ public PreauthContext getPreauthContext() {
+ return preauthContext;
+ }
+
+ protected void loadCredCache() {
+ // TODO
+ }
+
+ public KdcReq getKdcReq() {
+ return kdcReq;
+ }
+
+ public void setKdcReq(KdcReq kdcReq) {
+ this.kdcReq = kdcReq;
+ }
+
+ public KdcRep getKdcRep() {
+ return kdcRep;
+ }
+
+ public void setKdcRep(KdcRep kdcRep) {
+ this.kdcRep = kdcRep;
+ }
+
+ protected KdcReqBody makeReqBody() throws KrbException {
+ KdcReqBody body = new KdcReqBody();
+
+ long startTime = System.currentTimeMillis();
+ body.setFrom(new KerberosTime(startTime));
+
+ PrincipalName cName = null;
+ cName = getClientPrincipal();
+ body.setCname(cName);
+
+ body.setRealm(cName.getRealm());
+
+ PrincipalName sName = getServerPrincipal();
+ body.setSname(sName);
+
+ body.setTill(new KerberosTime(startTime + getTicketValidTime()));
+
+ int nonce = generateNonce();
+ body.setNonce(nonce);
+ setChosenNonce(nonce);
+
+ body.setKdcOptions(getKdcOptions());
+
+ HostAddresses addresses = getHostAddresses();
+ if (addresses != null) {
+ body.setAddresses(addresses);
+ }
+
+ body.setEtypes(getEncryptionTypes());
+
+ return body;
+ }
+
+ public KdcOptions getKdcOptions() {
+ return kdcOptions;
+ }
+
+ public HostAddresses getHostAddresses() {
+ HostAddresses addresses = null;
+ if (!hostAddresses.isEmpty()) {
+ addresses = new HostAddresses();
+ for(HostAddress ha : hostAddresses) {
+ addresses.addElement(ha);
+ }
+ }
+ return addresses;
+ }
+
+ public KrbContext getContext() {
+ return context;
+ }
+
+ protected byte[] decryptWithClientKey(EncryptedData data, KeyUsage usage) throws KrbException {
+ return EncryptionHandler.decrypt(data, getClientKey(), usage);
+ }
+
+ public void setContext(KrbContext context) {
+ this.context = context;
+ }
+
+ public void setHostAddresses(List<HostAddress> hostAddresses) {
+ this.hostAddresses = hostAddresses;
+ }
+
+ public void setKdcOptions(KdcOptions kdcOptions) {
+ this.kdcOptions = kdcOptions;
+ }
+
+ public abstract PrincipalName getClientPrincipal();
+
+ public PrincipalName getServerPrincipal() {
+ return serverPrincipal;
+ }
+
+ public void setServerPrincipal(PrincipalName serverPrincipal) {
+ this.serverPrincipal = serverPrincipal;
+ }
+
+ public List<EncryptionType> getEncryptionTypes() {
+ if (encryptionTypes == null) {
+ encryptionTypes = context.getConfig().getEncryptionTypes();
+ }
+ return encryptionTypes;
+ }
+
+ public void setEncryptionTypes(List<EncryptionType> encryptionTypes) {
+ this.encryptionTypes = encryptionTypes;
+ }
+
+ public EncryptionType getChosenEncryptionType() {
+ return chosenEncryptionType;
+ }
+
+ public void setChosenEncryptionType(EncryptionType chosenEncryptionType) {
+ this.chosenEncryptionType = chosenEncryptionType;
+ }
+
+ public int generateNonce() {
+ return context.generateNonce();
+ }
+
+ public int getChosenNonce() {
+ return chosenNonce;
+ }
+
+ public void setChosenNonce(int nonce) {
+ this.chosenNonce = nonce;
+ }
+
+ public abstract EncryptionKey getClientKey() throws KrbException;
+
+ public long getTicketValidTime() {
+ return context.getTicketValidTime();
+ }
+
+ public KerberosTime getTicketTillTime() {
+ long now = System.currentTimeMillis();
+ return new KerberosTime(now + KerberosTime.MINUTE * 60 * 1000);
+ }
+
+ public void addHost(String hostNameOrIpAddress) throws UnknownHostException {
+ InetAddress address = InetAddress.getByName(hostNameOrIpAddress);
+ hostAddresses.add(new HostAddress(address));
+ }
+
+ public void process() throws KrbException {
+ preauth();
+ }
+
+ public abstract void processResponse(KdcRep kdcRep) throws KrbException;
+
+ public KrbOptions getPreauthOptions() {
+ return new KrbOptions();
+ }
+
+ protected void preauth() throws KrbException {
+ loadCredCache();
+
+ List<EncryptionType> etypes = getEncryptionTypes();
+ if (etypes.isEmpty()) {
+ throw new KrbException("No encryption type is configured and available");
+ }
+ EncryptionType encryptionType = etypes.iterator().next();
+ setChosenEncryptionType(encryptionType);
+
+ getPreauthHandler().preauth(this);
+ }
+
+ protected PreauthHandler getPreauthHandler() {
+ return getContext().getPreauthHandler();
+ }
+
+ /**
+ * Indicate interest in the AS key.
+ */
+ public void needAsKey() throws KrbException {
+ EncryptionKey clientKey = getClientKey();
+ if (clientKey == null) {
+ throw new RuntimeException("Client key should be prepared or prompted at this time!");
+ }
+ setAsKey(clientKey);
+ }
+
+ /**
+ * Get the enctype expected to be used to encrypt the encrypted portion of
+ * the AS_REP packet. When handling a PREAUTH_REQUIRED error, this
+ * typically comes from etype-info2. When handling an AS reply, it is
+ * initialized from the AS reply itself.
+ */
+ public EncryptionType getEncType() {
+
+ return getChosenEncryptionType();
+ }
+
+ public void askQuestion(String question, String challenge) {
+ preauthContext.getUserResponser().askQuestion(question, challenge);
+ }
+
+ /**
+ * Get a pointer to the FAST armor key, or NULL if the client is not using FAST.
+ */
+ public EncryptionKey getArmorKey() {
+ return fastContext.armorKey;
+ }
+
+ /**
+ * Get the current time for use in a preauth response. If
+ * allow_unauth_time is true and the library has been configured to allow
+ * it, the current time will be offset using unauthenticated timestamp
+ * information received from the KDC in the preauth-required error, if one
+ * has been received. Otherwise, the timestamp in a preauth-required error
+ * will only be used if it is protected by a FAST channel. Only set
+ * allow_unauth_time if using an unauthenticated time offset would not
+ * create a security issue.
+ */
+ public KerberosTime getPreauthTime() {
+ return KerberosTime.now();
+ }
+
+ /**
+ * Get a state item from an input ccache, which may allow it
+ * to retrace the steps it took last time. The returned data string is an
+ * alias and should not be freed.
+ */
+ public Object getCacheValue(String key) {
+ return credCache.get(key);
+ }
+
+ /**
+ * Set a state item which will be recorded to an output
+ * ccache, if the calling application supplied one. Both key and data
+ * should be valid UTF-8 text.
+ */
+ public void cacheValue(String key, Object value) {
+ credCache.put(key, value);
+ }
+}
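Review bot: The Javadoc on `getArmorKey`, `getPreauthTime` and `getCacheValue` describes an API this class does not have — an `allow_unauth_time` flag, a returned pointer that "may be NULL" or "should not be freed", keys that "should be valid UTF-8 text" — and reads as carried over from a C preauth callback interface; `getPreauthTime()` takes no argument and always returns `KerberosTime.now()`, so the comment should say just that. The `getTicketTillTime()` expression `now + KerberosTime.MINUTE * 60 * 1000` looks suspect: if `KerberosTime.MINUTE` is already in milliseconds, as the name suggests, the extra `* 1000` yields a till time a thousand hours out, and the method also ignores `getTicketValidTime()`, which `makeReqBody` uses for the same field. `needAsKey()` reports a missing client key with `RuntimeException` even though it declares `throws KrbException`; `throw new KrbException("Client key should be prepared or prompted at this time!");` keeps it on the declared path. `setHostAddresses` stores the caller's list by reference, so later `addHost` calls mutate the caller's collection; `this.hostAddresses = new ArrayList<HostAddress>(hostAddresses);` decouples them.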
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
new file mode 100644
index 0000000..699cd67
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
@@ -0,0 +1,136 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.common.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
+import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
+
+public class TgsRequest extends KdcRequest {
+ private TgtTicket tgt;
+ private ApReq apReq;
+
+ public TgsRequest(KrbContext context, TgtTicket tgtTicket) {
+ super(context);
+ this.tgt = tgtTicket;
+
+ setAllowedPreauth(PaDataType.TGS_REQ);
+ }
+
+ public PrincipalName getClientPrincipal() {
+ return tgt.getClientPrincipal();
+ }
+
+ @Override
+ public EncryptionKey getClientKey() throws KrbException {
+ return getSessionKey();
+ }
+
+ public EncryptionKey getSessionKey() {
+ return tgt.getSessionKey();
+ }
+
+ @Override
+ protected void preauth() throws KrbException {
+ apReq = makeApReq();
+ super.preauth();
+ }
+
+ @Override
+ public void process() throws KrbException {
+ super.process();
+
+ TgsReq tgsReq = new TgsReq();
+
+ KdcReqBody tgsReqBody = makeReqBody();
+ tgsReq.setReqBody(tgsReqBody);
+ tgsReq.setPaData(getPreauthContext().getOutputPaData());
+
+ setKdcReq(tgsReq);
+ }
+
+ private ApReq makeApReq() throws KrbException {
+ ApReq apReq = new ApReq();
+
+ Authenticator authenticator = makeAuthenticator();
+ EncryptionKey sessionKey = tgt.getSessionKey();
+ EncryptedData authnData = EncryptionUtil.seal(authenticator,
+ sessionKey, KeyUsage.TGS_REQ_AUTH);
+ apReq.setEncryptedAuthenticator(authnData);
+
+ apReq.setTicket(tgt.getTicket());
+ ApOptions apOptions = new ApOptions();
+ apReq.setApOptions(apOptions);
+
+ return apReq;
+ }
+
+ private Authenticator makeAuthenticator() {
+ Authenticator authenticator = new Authenticator();
+ authenticator.setCname(getClientPrincipal());
+ authenticator.setCrealm(tgt.getRealm());
+
+ authenticator.setCtime(KerberosTime.now());
+ authenticator.setCusec(0);
+
+ EncryptionKey sessionKey = tgt.getSessionKey();
+ authenticator.setSubKey(sessionKey);
+
+ return authenticator;
+ }
+
+ @Override
+ public void processResponse(KdcRep kdcRep) throws KrbException {
+ setKdcRep(kdcRep);
+
+ TgsRep tgsRep = (TgsRep) getKdcRep();
+ EncTgsRepPart encTgsRepPart = EncryptionUtil.unseal(tgsRep.getEncryptedEncPart(),
+ getSessionKey(),
+ KeyUsage.TGS_REP_ENCPART_SESSKEY, EncTgsRepPart.class);
+
+ tgsRep.setEncPart(encTgsRepPart);
+
+ if (getChosenNonce() != encTgsRepPart.getNonce()) {
+ throw new KrbException("Nonce didn't match");
+ }
+ }
+
+ public ServiceTicket getServiceTicket() {
+ ServiceTicket serviceTkt = new ServiceTicket(getKdcRep().getTicket(),
+ (EncTgsRepPart) getKdcRep().getEncPart());
+ return serviceTkt;
+ }
+
+ public ApReq getApReq() {
+ return apReq;
+ }
+}
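Review bot: `makeAuthenticator()` places the TGT session key into the authenticator's subkey field, and `processResponse()` then unseals the reply with `KeyUsage.TGS_REP_ENCPART_SESSKEY`; under RFC 4120 a KDC that honours a present subkey encrypts the TGS-REP enc-part under that subkey with the subkey usage number rather than the session-key one, so a conforming KDC would produce a reply this client cannot decrypt, and reusing the session key as a "sub-session key" gives none of the key separation the field exists for. Either leave the subkey unset (the SESSKEY path then stays correct) or generate a fresh key and unseal with the subkey usage; which behaviour the matching KDC code has cannot be seen from this hunk. `setCusec(0)` hard-codes the authenticator microseconds to zero, so two TGS-REQs built within the same second carry identical ctime/cusec, which weakens the KDC's replay detection; deriving cusec from the same clock reading as `ctime` avoids that. The `Nonce didn't match` check at the end of `processResponse` is a response-integrity failure rather than a recoverable condition, which a one-line comment should state for whoever adds retry logic around `process()`.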
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf b/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf
new file mode 100644
index 0000000..d118dd1
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf
@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+ default_realm = {0}
+ udp_preference_limit = 1
+
+[realms]
+ {0} = '{'
+ kdc = {1}:{2}
+ '}'
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff b/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff
new file mode 100644
index 0000000..bc989c3
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff
@@ -0,0 +1,46 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+dn: ou=users,dc=${0},dc=${1}
+objectClass: organizationalUnit
+objectClass: top
+ou: users
+
+dn: uid=krbtgt,ou=users,dc=${0},dc=${1}
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: KDC Service
+sn: Service
+uid: krbtgt
+userPassword: secret
+krb5PrincipalName: krbtgt/${2}.${3}@${2}.${3}
+krb5KeyVersionNumber: 0
+
+dn: uid=ldap,ou=users,dc=${0},dc=${1}
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: LDAP
+sn: Service
+uid: ldap
+userPassword: secret
+krb5PrincipalName: ldap/${4}@${2}.${3}
+krb5KeyVersionNumber: 0
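Review bot: The krbtgt and ldap entries carry the literal `userPassword: secret` in a file placed under `src/main/resources`, so this fixture is packaged into the kerb-client artifact rather than kept with the tests that need it. If it is only a template for provisioning a test KDC, moving it to `src/test/resources` (or stating at the top of the file that it is a test template whose `${n}` placeholders are filled at runtime) keeps a well-known credential out of the shipped jar. The placeholder scheme here (`${0}`) also differs from the `{0}` form used by kdc-krb5.conf in this same commit, which deserves a comment naming the substitution mechanism each file expects.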
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/resources/krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/resources/krb5.conf b/kerby-kerb/kerb-client/src/main/resources/krb5.conf
new file mode 100644
index 0000000..4222475
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/resources/krb5.conf
@@ -0,0 +1,57 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+ default_realm = KRB.COM
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ allow_weak_crypto = true
+ ticket_lifetime = 86400
+ renew_lifetime = 604800
+ forwardable = true
+ permitted_enctypes = des-cbc-crc aes128-cts-hmac-sha1-96
+ clockskew = 300
+ proxiable = true
+ default_tgs_enctypes = des-cbc-crc
+ default_tkt_enctypes = des-cbc-crc
+[realms]
+# ATHENA.MIT.EDU = {
+# admin_server = KERBEROS.MIT.EDU
+# default_domain = MIT.EDU
+# v4_instance_convert = {
+# mit = mit.edu
+# lithium = lithium.lcs.mit.edu
+# }
+# }
+# ANDREW.CMU.EDU = {
+# admin_server = vice28.fs.andrew.cmu.edu
+# }
+# GNU.ORG = {
+# kdc = kerberos.gnu.org
+# kdc = kerberos-2.gnu.org
+# admin_server = kerberos.gnu.org
+# }
+[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ .media.mit.edu = MEDIA-LAB.MIT.EDU
+ media.mit.edu = MEDIA-LAB.MIT.EDU
+ .ucsc.edu = CATS.UCSC.EDU
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
\ No newline at end of file
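Review bot: This client configuration, also under `src/main/resources` rather than `src/test/resources`, sets `allow_weak_crypto = true` and lists `des-cbc-crc` first in `permitted_enctypes` and as the sole `default_tgs_enctypes`/`default_tkt_enctypes`; `KdcRequest.preauth()` in this commit chooses the first configured etype, so a client that picks up this file derives its long-term key with single DES. Since the file exists to exercise `TestKrbConfigLoad`, it belongs with the test resources; if it must remain a shipped default, an AES etype should come first and `allow_weak_crypto` should be false. The `[realms]` section is entirely commented out and `[domain_realm]` maps MIT and CMU domains copied from the upstream sample, which have nothing to do with `default_realm = KRB.COM` and will mislead anyone reading this as the project's real default.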
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
new file mode 100644
index 0000000..b766c48
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client;
+
+import org.apache.kerby.config.Conf;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import org.junit.Test;
+import org.junit.Assert;
+
+
+/**
+ * Test for loading configurations form krb5.conf.
+ * krb5.conf is the configuration file in MIT Kerberos.
+ */
+public class TestKrbConfigLoad {
+
+ @Test
+ public void test() throws IOException, URISyntaxException {
+ URL confFileUrl = TestKrbConfigLoad.class.getResource("/krb5.conf");
+ File confFile = new File(confFileUrl.toURI());
+
+ KrbConfig krbConfig = new KrbConfig();
+ Conf conf = krbConfig.getConf();
+ conf.addIniConfig(confFile);
+
+ Assert.assertEquals(krbConfig.getDefaultRealm(), "KRB.COM");
+ Assert.assertFalse(krbConfig.getDnsLookUpKdc());
+ Assert.assertFalse(krbConfig.getDnsLookUpRealm());
+ Assert.assertTrue(krbConfig.getAllowWeakCrypto());
+ Assert.assertEquals(krbConfig.getTicketLifetime(), 24 * 3600);
+ Assert.assertEquals(krbConfig.getRenewLifetime(), 7 * 24 * 3600);
+ Assert.assertTrue(krbConfig.isForwardableAllowed());
+ Assert.assertEquals(krbConfig.getEncryptionTypes().size(), 2);
+ Assert.assertEquals(krbConfig.getEncryptionTypes().get(0), EncryptionType.DES_CBC_CRC);
+ Assert.assertEquals(krbConfig.getEncryptionTypes().get(1), EncryptionType.AES128_CTS_HMAC_SHA1_96);
+ Assert.assertEquals(krbConfig.getAllowableClockSkew(), 300);
+ Assert.assertTrue(krbConfig.isProxiableAllowed());
+ Assert.assertEquals(krbConfig.getDefaultTgsEnctypes().size(), 1);
+ Assert.assertEquals(krbConfig.getDefaultTgsEnctypes().get(0), EncryptionType.DES_CBC_CRC);
+ Assert.assertEquals(krbConfig.getDefaultTktEnctypes().size(), 1);
+ Assert.assertEquals(krbConfig.getDefaultTktEnctypes().get(0), EncryptionType.DES_CBC_CRC);
+
+ Assert.assertEquals(krbConfig.getDefaultLoggingLocation(), "FILE:/var/log/krb5libs.log");
+ Assert.assertEquals(krbConfig.getKdcLoggingLocation(), "FILE:/var/log/krb5kdc.log");
+ Assert.assertEquals(krbConfig.getAdminLoggingLocation(), "FILE:/var/log/kadmind.log");
+
+ }
+}
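Review bot: Every `Assert.assertEquals` in `test()` passes the actual value first and the expected literal second, while JUnit's signature is `assertEquals(expected, actual)`, so a failure message reports the two values swapped. Reversing each pair, e.g. `Assert.assertEquals("KRB.COM", krbConfig.getDefaultRealm());`, fixes the diagnostics without changing what is tested. The test also reads `/krb5.conf` from the classpath, which in this commit is the main-resources copy, so the test fixture doubles as the shipped default; a short class comment stating that coupling would help whoever changes either file.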
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/pom.xml b/kerby-kerb/kerb-common/pom.xml
new file mode 100644
index 0000000..d21d320
--- /dev/null
+++ b/kerby-kerb/kerb-common/pom.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerby-kerb</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>kerb-common</artifactId>
+ <name>Kerby-kerb Common</name>
+ <description>Kerby-kerb Common facilities for both client and server</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerby-config</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerby-event</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-core</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-crypto</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java
new file mode 100644
index 0000000..ee9c962
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb;
+
+public class KrbThrow {
+
+ public static KrbException out(MessageCode messageCode) throws KrbException {
+ throw new KrbException(Message.getMessage(messageCode));
+ }
+
+ public static void out(MessageCode messageCode, Exception e) throws KrbException {
+ throw new KrbException(Message.getMessage(messageCode), e);
+ }
+
+ public static void out(MessageCode messageCode, String message) throws KrbException {
+ throw new KrbException(Message.getMessage(messageCode) + ":" + message);
+ }
+}
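Review bot: The three `out` overloads disagree on their return type: the single-argument form returns `KrbException` (which lets a caller write `throw KrbThrow.out(code);` so the compiler sees the throw), while the other two return `void`, and all three in fact always throw. Declaring the remaining overloads the same way, `public static KrbException out(MessageCode messageCode, Exception e) throws KrbException {` and likewise for the `String message` form, gives callers one idiom; otherwise a method that "returns" an exception it never returns needs a Javadoc line saying so. A class-level Javadoc stating the helper's purpose (turn a `MessageCode` into a thrown `KrbException`) is missing.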
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java
new file mode 100644
index 0000000..5712f51
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class Message {
+ private static Map<MessageCode, String> entries = new HashMap<MessageCode, String>();
+
+ public static void init() {
+
+ }
+
+ public static void define(MessageCode code, String message) {
+ entries.put(code, message);
+ }
+
+ public static String getMessage(MessageCode code) {
+ String msg = entries.get(code);
+ if (msg == null) {
+ msg = code.getCodeName();
+ }
+ return msg;
+ }
+}
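Review bot: `entries` is a mutable static `HashMap` that `define` writes to and `getMessage` reads from with no synchronization, so a `define` racing with concurrent lookups from request-handling threads is a data race on the map. Since the registry is global, `private static final Map<MessageCode, String> entries = new ConcurrentHashMap<MessageCode, String>();` removes the race without changing the API. `init()` is an empty public method; either give it a comment saying what is expected to populate the table or drop it until it does something. `getMessage` dereferences `code` on the miss path, so a null code throws NullPointerException — a `Objects.requireNonNull(code, "code")` at the top makes that explicit.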
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java
new file mode 100644
index 0000000..a8ada14
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb;
+
+public interface MessageCode {
+ public String getCodeName();
+}
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
new file mode 100644
index 0000000..aa9618d
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.asn1.type.AbstractAsn1Type;
+import org.apache.kerby.asn1.type.Asn1Type;
+import org.apache.kerby.kerberos.kerb.codec.KrbCodec;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.common.KeyUsage;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class EncryptionUtil {
+
+ public static List<EncryptionKey> generateKeys(List<EncryptionType> encryptionTypes) throws KrbException {
+ List<EncryptionKey> results = new ArrayList<EncryptionKey>(encryptionTypes.size());
+ EncryptionKey encKey;
+ for (EncryptionType eType : encryptionTypes) {
+ encKey = EncryptionHandler.random2Key(eType);
+ results.add(encKey);
+ }
+
+ return results;
+ }
+
+ public static List<EncryptionKey> generateKeys(String principal, String passwd,
+ List<EncryptionType> encryptionTypes) throws KrbException {
+ List<EncryptionKey> results = new ArrayList<EncryptionKey>(encryptionTypes.size());
+ EncryptionKey encKey;
+ for (EncryptionType eType : encryptionTypes) {
+ encKey = EncryptionHandler.string2Key(principal, passwd, eType);
+ results.add(encKey);
+ }
+
+ return results;
+ }
+
+ public static EncryptionType getBestEncryptionType(List<EncryptionType> requestedTypes,
+ List<EncryptionType> configuredTypes) {
+ for (EncryptionType encryptionType : configuredTypes) {
+ if (requestedTypes.contains(encryptionType)) {
+ return encryptionType;
+ }
+ }
+
+ return null;
+ }
+
+ public static EncryptedData seal(AbstractAsn1Type asn1Type,
+ EncryptionKey key, KeyUsage usage) throws KrbException {
+ byte[] encoded = asn1Type.encode();
+ EncryptedData encrypted = EncryptionHandler.encrypt(encoded, key, usage);
+ return encrypted;
+ }
+
+ public static <T extends Asn1Type> T unseal(EncryptedData encrypted, EncryptionKey key,
+ KeyUsage usage, Class<T> krbType) throws KrbException {
+ byte[] encoded = EncryptionHandler.decrypt(encrypted, key, usage);
+ return KrbCodec.decode(encoded, krbType);
+ }
+
+ public static byte[] encrypt(EncryptionKey key,
+ byte[] plaintext, int usage) throws KrbException {
+ EncTypeHandler encType = EncryptionHandler.getEncHandler(key.getKeyType());
+ byte[] cipherData = encType.encrypt(plaintext, key.getKeyData(), usage);
+ return cipherData;
+ }
+
+ public static byte[] decrypt(EncryptionKey key,
+ byte[] cipherData, int usage) throws KrbException {
+ EncTypeHandler encType = EncryptionHandler.getEncHandler(key.getKeyType());
+ byte[] plainData = encType.decrypt(cipherData, key.getKeyData(), usage);
+ return plainData;
+ }
+}
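Review bot: `getBestEncryptionType` returns null when the requested and configured lists do not overlap, which pushes a NullPointerException onto whichever caller feeds the result into key generation; throwing `KrbException` here, or documenting the null return with `@return the first configured type the peer also requested, or null if there is none`, would make the failure mode explicit. The selection walks `configuredTypes` in order and takes the first match, so the configured order, not the requester's order, decides the preference — that is the right way round for a KDC, and worth a one-line comment so nobody "fixes" it later. The generated-key helpers and `seal`/`unseal` are thin wrappers over EncryptionHandler and look fine; `generateKeys(String, String, List)` takes the password as a String, which cannot be zeroed after use, but changing that is outside this commit.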
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java
new file mode 100644
index 0000000..0100b0b
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java
@@ -0,0 +1,104 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.config.Conf;
+import org.apache.kerby.config.Config;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Help KrbConfig and KdcConfig to load configs.
+ */
+public class KrbConfHelper {
+ /**
+ * The regex to split a config value(string) to a list of config value(string list).
+ */
+ private static final String LIST_SPLITTER = " ";
+
+ public static String getStringUnderSection(Conf conf, SectionConfigKey key) {
+ Config subConfig = conf.getConfig(key.getSectionName());
+ if (subConfig != null) {
+ return subConfig.getString(key);
+ } else {
+ return (String) key.getDefaultValue();
+ }
+ }
+
+ public static boolean getBooleanUnderSection(Conf conf, SectionConfigKey key) {
+ Config subConfig = conf.getConfig(key.getSectionName());
+ if (subConfig != null) {
+ return subConfig.getBoolean(key);
+ } else {
+ return (Boolean) key.getDefaultValue();
+ }
+ }
+
+ public static long getLongUnderSection(Conf conf, SectionConfigKey key) {
+ Config subConfig = conf.getConfig(key.getSectionName());
+ if (subConfig != null) {
+ return subConfig.getLong(key);
+ } else {
+ return (Long) key.getDefaultValue();
+ }
+ }
+
+ public static int getIntUnderSection(Conf conf, SectionConfigKey key) {
+ Config subConfig = conf.getConfig(key.getSectionName());
+ if (subConfig != null) {
+ return subConfig.getInt(key);
+ } else {
+ return (Integer) key.getDefaultValue();
+ }
+ }
+
+ public static String[] getStringArrayUnderSection(Conf conf, SectionConfigKey key) {
+ String value = getStringUnderSection(conf, key);
+ String[] values = value.split(LIST_SPLITTER);
+ return values;
+ }
+
+ public static List<EncryptionType> getEncTypesUnderSection(Conf conf, SectionConfigKey key) {
+ String[] encTypesNames = getStringArrayUnderSection(conf, key);
+ return getEncryptionTypes(encTypesNames);
+ }
+
+ public static List<EncryptionType> getEncryptionTypes(String[] encTypeNames) {
+ return getEncryptionTypes(Arrays.asList(encTypeNames));
+ }
+
+ public static List<EncryptionType> getEncryptionTypes(List<String> encTypeNames) {
+ List<EncryptionType> results = new ArrayList<EncryptionType>(encTypeNames.size());
+
+ EncryptionType eType;
+ for (String eTypeName : encTypeNames) {
+ eType = EncryptionType.fromName(eTypeName);
+ if (eType != EncryptionType.NONE) {
+ results.add(eType);
+ }
+ }
+ return results;
+ }
+
+}
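Review bot: `getStringArrayUnderSection` calls `value.split(LIST_SPLITTER)` without a null check, and `getStringUnderSection` can return null both from `subConfig.getString(key)` and from a key with no default, so a missing `permitted_enctypes`-style entry becomes a NullPointerException instead of an empty list. A guard such as `if (value == null || value.isEmpty()) { return new String[0]; }` before the split keeps the callers' contract. In `getEncryptionTypes`, names that `EncryptionType.fromName` does not recognize appear to be dropped silently (the only filter is the `NONE` check), which means a typo in a configured enctype list shrinks the permitted set with no diagnostic — logging the rejected name there would make misconfiguration visible. The license header in this file has a stray blank line after "at", unlike the other headers in the commit.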
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java
new file mode 100644
index 0000000..e252d5b
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class KrbErrorUtil {
+
+ public static List<EncryptionType> getEtypes(KrbError error) throws IOException {
+ MethodData methodData = new MethodData();
+ methodData.decode(error.getEdata());
+
+ for( PaDataEntry pd : methodData.getElements()) {
+ if( pd.getPaDataType() == PaDataType.ETYPE_INFO2 ) {
+ return getEtypes2(pd.getPaDataValue());
+ }
+ else if( pd.getPaDataType() == PaDataType.ETYPE_INFO ) {
+ return getEtypes(pd.getPaDataValue());
+ }
+ }
+ return Collections.EMPTY_LIST;
+ }
+
+ private static List<EncryptionType> getEtypes(byte[] data) throws IOException {
+ EtypeInfo info = new EtypeInfo();
+ info.decode(data);
+ List<EncryptionType> results = new ArrayList<EncryptionType>();
+ for( EtypeInfoEntry entry : info.getElements() ) {
+ results.add(entry.getEtype());
+ }
+ return results;
+ }
+
+ private static List<EncryptionType> getEtypes2(byte[] data) throws IOException {
+ EtypeInfo2 info2 = new EtypeInfo2();
+ info2.decode(data);
+ List<EncryptionType> results = new ArrayList<EncryptionType>();
+ for( EtypeInfo2Entry entry : info2.getElements() ) {
+ results.add(entry.getEtype());
+ }
+ return results;
+ }
+}
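Review bot: `getEtypes(KrbError)` returns on the first ETYPE-INFO or ETYPE-INFO2 entry it meets, so when a KDC's error carries both, whichever appears first in the PA-DATA sequence wins; RFC 4120 §5.2.7.5 expects clients to prefer ETYPE-INFO2 whenever it is present, so the loop should keep scanning for ETYPE-INFO2 and only fall back to ETYPE-INFO afterwards. `Collections.EMPTY_LIST` is a raw type and produces an unchecked warning; `Collections.<EncryptionType>emptyList()` is the typed equivalent. `error.getEdata()` is passed straight to `decode`, so an error with no e-data reaches the decoder as null — a check returning the empty list is cheaper than letting the codec throw.

```java
    public static List<EncryptionType> getEtypes(KrbError error) throws IOException {
        MethodData methodData = new MethodData();
        methodData.decode(error.getEdata());

        byte[] etypeInfo = null;
        for (PaDataEntry pd : methodData.getElements()) {
            if (pd.getPaDataType() == PaDataType.ETYPE_INFO2) {
                // ETYPE-INFO2 takes precedence regardless of where it sits in the sequence
                return getEtypes2(pd.getPaDataValue());
            } else if (pd.getPaDataType() == PaDataType.ETYPE_INFO && etypeInfo == null) {
                etypeInfo = pd.getPaDataValue();
            }
        }
        return etypeInfo != null ? getEtypes(etypeInfo) : Collections.<EncryptionType>emptyList();
    }
    // … unchanged: private getEtypes(byte[]) and getEtypes2(byte[]) …
```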
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java
new file mode 100644
index 0000000..82015ee
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.transport.tcp.DecodingCallback;
+import org.apache.kerby.transport.tcp.StreamingDecoder;
+
+import java.nio.ByteBuffer;
+
+public class KrbStreamingDecoder implements StreamingDecoder {
+
+ @Override
+ public void decode(ByteBuffer streamingBuffer, DecodingCallback callback) {
+ if (streamingBuffer.remaining() >= 4) {
+ int len = streamingBuffer.getInt();
+ if (streamingBuffer.remaining() >= len) {
+ callback.onMessageComplete(len + 4);
+ } else {
+ callback.onMoreDataNeeded(len + 4);
+ }
+ } else {
+ callback.onMoreDataNeeded();
+ }
+ }
+}
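Review bot: `len` comes straight off the socket and is used unchecked: a negative value makes `remaining() >= len` trivially true and reports `onMessageComplete(len + 4)` with a bogus length, and a value near Integer.MAX_VALUE overflows `len + 4` in the `onMoreDataNeeded` branch, so a peer sending a garbage length prefix can drive the caller to allocate or skip arbitrary amounts. Reject out-of-range lengths before either callback, e.g. `if (len < 0 || len > MAX_MESSAGE_LENGTH) { throw new IllegalStateException("invalid Kerberos message length: " + len); }` with `MAX_MESSAGE_LENGTH` a sensible constant — DecodingCallback does not visibly offer an error path, so an exception or whatever the transport layer uses for protocol errors is the right vehicle (the high bit of the TCP length field is reserved by RFC 4120 §7.2.2, so a negative int is never legitimate). `streamingBuffer.getInt()` also advances the buffer position on every call, including the not-enough-data path; whether the caller rewinds is outside this hunk and deserves a comment on the method.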
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
new file mode 100644
index 0000000..77e9d56
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.kerberos.kerb.codec.KrbCodec;
+import org.apache.kerby.kerberos.kerb.spec.common.KrbMessage;
+import org.apache.kerby.transport.Transport;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+public class KrbUtil {
+
+ public static void sendMessage(KrbMessage message, Transport transport) {
+ int bodyLen = message.encodingLength();
+ ByteBuffer buffer = ByteBuffer.allocate(bodyLen + 4);
+ buffer.putInt(bodyLen);
+ message.encode(buffer);
+ buffer.flip();
+ transport.sendMessage(buffer);
+ }
+
+ public static KrbMessage decodeMessage(ByteBuffer message) throws IOException {
+ int bodyLen = message.getInt();
+ assert (message.remaining() >= bodyLen);
+
+ KrbMessage krbMessage = KrbCodec.decodeMessage(message);
+
+ return krbMessage;
+ }
+
+}
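Review bot: `decodeMessage` guards the wire length with `assert`, which is disabled unless the JVM runs with `-ea`, so in production a short or negative `bodyLen` goes unchecked into `KrbCodec.decodeMessage`. Replace it with an explicit check that fails the way the signature already allows: `if (bodyLen < 0 || message.remaining() < bodyLen) { throw new IOException("invalid Kerberos message length: " + bodyLen); }`. `sendMessage` sizes its buffer from `message.encodingLength()` and the framing matches the 4-byte prefix `KrbStreamingDecoder` reads; a one-line Javadoc on each method saying the methods implement the RFC 4120 TCP length-prefixed framing would tie the two together for the next reader.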