Posted to commits@directory.apache.org by pl...@apache.org on 2015/11/24 08:59:56 UTC
[27/27] directory-kerby git commit: Merge from master.
Merge from master.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/a41ad79c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/a41ad79c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/a41ad79c
Branch: refs/heads/pkinit-support
Commit: a41ad79c8e9309e0b9401ce730b6f826a9686058
Parents: 1469671 4bc0369
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Nov 24 16:05:57 2015 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Tue Nov 24 16:05:57 2015 +0800
----------------------------------------------------------------------
README.md | 44 ++++++
.../ZookeeperIdentityBackend.java | 8 +-
.../main/java/org/apache/kerby/config/Conf.java | 52 ++++---
.../java/org/apache/kerby/config/Config.java | 37 +++--
.../org/apache/kerby/config/ConfigImpl.java | 75 +++++----
.../java/org/apache/kerby/config/ConfTest.java | 11 +-
kerby-dist/kdc-dist/assembly.xml | 2 +
kerby-dist/kdc-dist/bin/kadmin.sh | 2 +-
kerby-dist/kdc-dist/bin/kdcinit.sh | 2 +-
kerby-dist/kdc-dist/bin/start-kdc.sh | 2 +-
kerby-dist/tool-dist/assembly.xml | 2 +
kerby-dist/tool-dist/bin/kinit.sh | 2 +-
kerby-dist/tool-dist/bin/klist.sh | 2 +-
.../kerby/kerberos/kerb/admin/KadminOption.java | 18 +++
.../kerby/kerberos/kerb/client/KrbConfig.java | 88 ++++++-----
.../kerberos/kerb/client/KrbConfigKey.java | 62 +++-----
.../kerby/kerberos/kerb/client/KrbOption.java | 118 +++++++++-----
.../kerberos/kerb/client/KrbOptionGroup.java | 38 +++++
.../kerby/kerberos/kerb/client/KrbSetting.java | 4 +-
.../client/impl/AbstractInternalKrbClient.java | 7 +
.../kerb/client/request/ArmoredRequest.java | 29 +++-
.../kerberos/kerb/client/request/AsRequest.java | 12 +-
.../kerb/client/request/KdcRequest.java | 40 +++--
.../kerb/client/request/TgsRequest.java | 2 +-
.../kerb/client/request/TgsRequestWithTgt.java | 35 +++--
.../kerb/client/KrbClientSettingTest.java | 28 +++-
.../kerberos/kerb/client/TestKrbConfigLoad.java | 2 +-
.../client/TestKrbConfigLoadForSpecials.java | 51 ++++++
.../src/test/resources/krb5-specials.conf | 20 +++
.../kerb-client/src/test/resources/krb5.conf | 41 ++---
.../kerberos/kerb/common/CheckSumUtil.java | 21 ++-
.../kerby/kerberos/kerb/common/Krb5Conf.java | 154 ++++++++++++++++++
.../kerberos/kerb/common/KrbConfHelper.java | 106 -------------
.../kerby/kerberos/kerb/common/KrbUtil.java | 3 +-
.../kerberos/kerb/common/SectionConfigKey.java | 31 ----
.../kerberos/kerb/codec/TestAsReqCodec.java | 3 +-
.../kerberos/kerb/codec/TestTgsReqCodec.java | 5 +-
.../kerby/kerberos/kerb/spec/base/KrbFlags.java | 31 ++--
.../kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++
.../kerberos/kerb/crypto/EncryptionHandler.java | 4 +-
.../kerby/kerberos/kerb/server/KdcConfig.java | 76 +++++----
.../kerberos/kerb/server/KdcConfigKey.java | 43 ++---
.../kerberos/kerb/server/KdcServerOption.java | 18 +++
.../kerby/kerberos/kerb/server/KdcUtil.java | 2 +-
.../kerb/server/impl/DefaultKdcHandler.java | 1 -
.../kerb/server/request/TgsRequest.java | 1 +
.../apache/kerby/kerberos/tool/ToolUtil.java | 12 +-
.../kerby/kerberos/tool/kinit/KinitOption.java | 20 ++-
.../kerby/kerberos/tool/kinit/KinitTool.java | 11 +-
.../kerby/kerberos/tool/klist/KlistOption.java | 17 ++
.../kadmin/command/AddPrincipalCommand.java | 38 +++--
.../src/main/java/org/apache/kerby/KOption.java | 15 ++
.../java/org/apache/kerby/KOptionGroup.java | 33 ++++
53 files changed, 1108 insertions(+), 528 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
index a900b96,eeb5a1d..b46ab94
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
@@@ -19,11 -19,9 +19,10 @@@
*/
package org.apache.kerby.kerberos.kerb.client;
- import org.apache.kerby.config.Conf;
- import org.apache.kerby.kerberos.kerb.common.KrbConfHelper;
+ import org.apache.kerby.kerberos.kerb.common.Krb5Conf;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import java.util.Arrays;
import java.util.List;
/**
@@@ -287,16 -294,6 +295,16 @@@ public class KrbConfig extends Krb5Con
* @return The encryption type list
*/
public List<EncryptionType> getDefaultTktEnctypes() {
- return KrbConfHelper.getEncTypesUnderSection(this, KrbConfigKey.DEFAULT_TKT_ENCTYPES);
+ return getEncTypes(KrbConfigKey.DEFAULT_TKT_ENCTYPES, true, LIBDEFAULT);
}
+
+ public List<String> getPkinitAnchors() {
+ return Arrays.asList(KrbConfHelper.getStringArrayUnderSection(this,
+ KrbConfigKey.PKINIT_ANCHORS));
+ }
+
+ public List<String> getPkinitIdentities() {
+ return Arrays.asList(KrbConfHelper.getStringArrayUnderSection(this,
+ KrbConfigKey.PKINIT_IDENTITIES));
+ }
}
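Review bot: getPkinitAnchors() and getPkinitIdentities() on the new side still call KrbConfHelper.getStringArrayUnderSection, but the first hunk of this file drops the KrbConfHelper import and the diffstat lists KrbConfHelper.java with 106 deletions and no additions, so the merge result as shown will not compile. getDefaultTktEnctypes() just above already shows the master-side replacement pattern, so these should become `return Arrays.asList(getStringArray(KrbConfigKey.PKINIT_ANCHORS, true, LIBDEFAULT));` and the same for PKINIT_IDENTITIES. The same leftover references appear in KdcConfig.getPkinitAnchors() and getPkinitIdentity() further down this commit; there the keys were previously annotated "libdefaults", so the section argument is presumably LIBDEFAULT rather than the KDCDEFAULT that getIssuers() passes, and the single-string getter needs the scalar counterpart of getStringArray on Krb5Conf, whatever it is named there.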
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java
index cdd0568,0dd911a..3f7e3ed
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java
@@@ -39,41 -39,27 +39,29 @@@ public enum KrbConfigKey implements Con
MAXIMUM_TICKET_LIFETIME(24 * 3600L),
MINIMUM_TICKET_LIFETIME(1 * 3600L),
MAXIMUM_RENEWABLE_LIFETIME(48 * 3600L),
- FORWARDABLE(true, "libdefaults"),
+ FORWARDABLE(true),
POSTDATED_ALLOWED(true),
- PROXIABLE(true, "libdefaults"),
+ PROXIABLE(true),
RENEWABLE_ALLOWED(true),
VERIFY_BODY_CHECKSUM(true),
- PERMITTED_ENCTYPES("aes128-cts-hmac-sha1-96", "libdefaults"),
- DEFAULT_REALM("EXAMPLE.COM", "libdefaults"),
- DNS_LOOKUP_KDC(false, "libdefaults"),
- DNS_LOOKUP_REALM(false, "libdefaults"),
- ALLOW_WEAK_CRYPTO(true, "libdefaults"),
- TICKET_LIFETIME(24 * 3600L, "libdefaults"),
- RENEW_LIFETIME(48 * 3600L, "libdefaults"),
+ PERMITTED_ENCTYPES("aes128-cts-hmac-sha1-96"),
+ DEFAULT_REALM(null),
+ DNS_LOOKUP_KDC(false),
+ DNS_LOOKUP_REALM(false),
+ ALLOW_WEAK_CRYPTO(true),
+ TICKET_LIFETIME(24 * 3600L),
+ RENEW_LIFETIME(48 * 3600L),
DEFAULT_TGS_ENCTYPES("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
+ "des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac "
- + "camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4",
- "libdefaults"),
+ + "camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4"),
DEFAULT_TKT_ENCTYPES("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
+ "des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac "
- + "camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4",
- "libdefaults"),
-
- //key for logging location
- DEFAULT(null, "logging"),
- KDC(null, "logging"),
- ADMIN_SERVER(null, "logging"),
- PKINIT_ANCHORS(null, "libdefaults"),
- PKINIT_IDENTITIES(null, "libdefaults");
- + "camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4");
++ + "camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4"),
++ PKINIT_ANCHORS(null),
++ PKINIT_IDENTITIES(null);
private Object defaultValue;
- /**
- * The name of a section where a config key is contained in
- * section-able config file.
- */
- private String sectionName;
private KrbConfigKey() {
this.defaultValue = null;
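Review bot: With the sectionName field removed, PKINIT_ANCHORS and PKINIT_IDENTITIES no longer record that they are looked up under [libdefaults] (the parent-1 side carried "libdefaults" explicitly), so the section is now implicit in whichever accessor reads them. A one-line comment on the two new constants would keep that visible, e.g. `// read from [libdefaults]; the section is supplied by the KrbConfig accessor`. The enum continues past this hunk.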
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
index baf97d8,40d1827..09a8632
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
@@@ -99,12 -99,15 +99,19 @@@ public abstract class AbstractInternalK
String principal = requestOptions.getStringOption(
KrbOption.CLIENT_PRINCIPAL);
principal = fixPrincipal(principal);
- asRequest.setClientPrincipal(new PrincipalName(principal));
+ PrincipalName principalName = new PrincipalName(principal);
+ if (requestOptions.contains(KrbOption.USE_PKINIT_ANONYMOUS)) {
+ principalName.setNameType(NameType.KRB5_NT_WELLKNOWN);
+ }
+ asRequest.setClientPrincipal(principalName);
}
+ if (requestOptions.contains(KrbOption.SERVER_PRINCIPAL)) {
+ String serverPrincipalName = requestOptions.getStringOption(KrbOption.SERVER_PRINCIPAL);
+ serverPrincipalName = fixPrincipal(serverPrincipalName);
+ PrincipalName serverPrincipal = new PrincipalName(serverPrincipalName, NameType.NT_PRINCIPAL);
+ asRequest.setServerPrincipal(serverPrincipal);
+ }
+
asRequest.setKrbOptions(requestOptions);
return doRequestTgtTicket(asRequest);
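Review bot: The USE_PKINIT_ANONYMOUS branch only flips the name type on the caller-supplied CLIENT_PRINCIPAL after fixPrincipal() has already run on it, so the name and realm of the anonymous identity still come from whatever the user typed. KrbUtil.makeAnonymousPrincipal(), added in this same commit, builds the full well-known name with its reserved realm, so this branch could instead do `asRequest.setClientPrincipal(KrbUtil.makeAnonymousPrincipal());` rather than patching principalName. The two also disagree on the name type: this hunk sets NameType.KRB5_NT_WELLKNOWN while makeAnonymousPrincipal() assigns NameType.NT_PRINCIPAL; RFC 6112 specifies the well-known name type for the anonymous principal, so the KrbUtil side looks like the one to change. The enclosing method and the if that wraps this block start before the hunk.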
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-client/src/test/resources/krb5.conf
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-client/src/test/resources/krb5.conf
index 13432e5,1a5b35e..85bc0b0
--- a/kerby-kerb/kerb-client/src/test/resources/krb5.conf
+++ b/kerby-kerb/kerb-client/src/test/resources/krb5.conf
@@@ -29,31 -30,29 +30,31 @@@
proxiable = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
+ pkinit_anchors = FILE:/etc/krb5/cacert.pem
+ pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
[realms]
- # ATHENA.MIT.EDU = {
- # admin_server = KERBEROS.MIT.EDU
- # default_domain = MIT.EDU
- # v4_instance_convert = {
- # mit = mit.edu
- # lithium = lithium.lcs.mit.edu
- # }
- # }
- # ANDREW.CMU.EDU = {
- # admin_server = vice28.fs.andrew.cmu.edu
- # }
- # GNU.ORG = {
- # kdc = kerberos.gnu.org
- # kdc = kerberos-2.gnu.org
- # admin_server = kerberos.gnu.org
- # }
+ ATHENA.MIT.EDU = {
+ admin_server = KERBEROS.MIT.EDU
+ default_domain = MIT.EDU
+ v4_instance_convert = {
+ mit = mit.edu
+ lithium = lithium.lcs.mit.edu
+ }
+ }
+ ANDREW.CMU.EDU = {
+ admin_server = vice28.fs.andrew.cmu.edu
+ }
+ GNU.ORG = {
+ kdc = kerberos.gnu.org
+ kdc = kerberos-2.gnu.org
+ admin_server = kerberos.gnu.org
+ }
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
- mit.edu = ATHENA.MIT.EDU
- .media.mit.edu = MEDIA-LAB.MIT.EDU
- media.mit.edu = MEDIA-LAB.MIT.EDU
- .ucsc.edu = CATS.UCSC.EDU
+ mit.edu = ATHENA.MIT.EDU
+ .media.mit.edu = MEDIA-LAB.MIT.EDU
+ media.mit.edu = MEDIA-LAB.MIT.EDU
+ .ucsc.edu = CATS.UCSC.EDU
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
index e6dd9db,1bf17d6..ab4b8ac
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
@@@ -50,28 -44,4 +50,27 @@@ public class KrbUtil
String nameString = "kadmin/" + realm + "@" + realm;
return new PrincipalName(nameString, NameType.NT_PRINCIPAL);
}
+
+ public static boolean pricipalCompareIgnoreRealm(PrincipalName princ1, PrincipalName princ2)
+ throws KrbException {
+
+ if (princ1 != null && princ2 != null) {
+ princ1.setRealm(null);
+ princ2.setRealm(null);
+ if (princ1.getName().equals(princ2.getName())) {
+ return true;
+ } else {
+ return false;
+ }
+ } else {
+ throw new KrbException("principal can't be null.");
+ }
+ }
+
+ public static PrincipalName makeAnonymousPrincipal() {
+ PrincipalName principalName = new PrincipalName(KRB5_WELLKNOWN_NAMESTR + "/" + KRB5_ANONYMOUS_PRINCSTR);
+ principalName.setRealm(KRB5_ANONYMOUS_REALMSTR);
+ principalName.setNameType(NameType.NT_PRINCIPAL);
+ return principalName;
+ }
-
}
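Review bot: pricipalCompareIgnoreRealm() calls setRealm(null) on both arguments before comparing, so a comparison helper mutates the callers' PrincipalName objects as a side effect and any later use of those principals (building the request, matching a ticket, logging) sees them realm-less. It should compare the name components without touching its inputs, via an accessor for the name parts if PrincipalName has one or on copies otherwise, and the if/else then collapses to `return princ1.getName().equals(princ2.getName());` once the realm is excluded. The method name is also misspelled (`pricipal`); since it is new public API in this commit, renaming it to principalCompareIgnoreRealm now is cheap. makeAnonymousPrincipal() would benefit from a Javadoc line stating that it returns the RFC 6112 anonymous principal and which realm and name type it assigns.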
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java
index 79d3323,60db052..d0af97d
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java
@@@ -30,6 -30,18 +30,19 @@@ import java.io.IOException
-- but no fewer than 32
*/
public class KrbFlags extends Asn1BitString {
++
+ private static final int MAX_SIZE = 32;
+ private static final int MASK;
+
+ static {
+ int maskBuilder = 0;
+ for (int i = 0; i < MAX_SIZE; i++) {
+ maskBuilder = maskBuilder << 1;
+ maskBuilder |= 0x00000001;
+ }
+ MASK = maskBuilder;
+ }
+
private int flags;
public KrbFlags() {
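Review bot: The static block builds MASK by shifting in 32 one-bits, which is just the all-ones int; `private static final int MASK = (int) ((1L << MAX_SIZE) - 1);` expresses the same value in one line, stays correct if MAX_SIZE is ever lowered, and removes the static initializer. Because MASK is -1 when MAX_SIZE is 32, masking an int with it currently changes nothing, which is worth stating in a comment on the constant so the next reader does not look for a narrowing effect that is not there. The class body continues past this hunk.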
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
index 8d1565e,0eb476e..1ee2a03
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
@@@ -172,16 -168,6 +168,16 @@@ public class KdcConfig extends Krb5Con
}
public List<String> getIssuers() {
- return Arrays.asList(KrbConfHelper.getStringArrayUnderSection(this, KdcConfigKey.ISSUERS));
+ return Arrays.asList(getStringArray(KdcConfigKey.ISSUERS, true, KDCDEFAULT));
}
+
+ public List<String> getPkinitAnchors() {
+ return Arrays.asList(KrbConfHelper.getStringArrayUnderSection(this,
+ KdcConfigKey.PKINIT_ANCHORS));
+ }
+
+ public String getPkinitIdentity() {
+ return KrbConfHelper.getStringUnderSection(this,
+ KdcConfigKey.PKINIT_IDENTITY);
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
----------------------------------------------------------------------
diff --cc kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
index 5e7d8a4,e9c736d..847b1d2
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
@@@ -47,13 -47,11 +47,8 @@@ public enum KdcConfigKey implements Con
RENEWABLE_ALLOWED(true),
VERIFY_BODY_CHECKSUM(true),
ENCRYPTION_TYPES("aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd"),
- RESTRICT_ANONYMOUS_TO_TGT(false, "kdcdefaults"),
- KDC_MAX_DGRAM_REPLY_SIZE(4096, "kdcdefaults"),
- VERIFY_KEY(null, "kdcdefaults"),
- DECRYPTION_KEY(null, "kdcdefaults"),
- ISSUERS(null, "kdcdefaults"),
- PKINIT_IDENTITY(null, "libdefaults"),
- PKINIT_ANCHORS(null, "libdefaults");
- RESTRICT_ANONYMOUS_TO_TGT(false),
- KDC_MAX_DGRAM_REPLY_SIZE(4096),
- VERIFY_KEY(),
- DECRYPTION_KEY(),
- ISSUERS();
++ PKINIT_IDENTITY(null),
++ PKINIT_ANCHORS(null);
private Object defaultValue;
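Review bot: Both parents' versions of RESTRICT_ANONYMOUS_TO_TGT, KDC_MAX_DGRAM_REPLY_SIZE, VERIFY_KEY, DECRYPTION_KEY and ISSUERS are shown as removed and only the two PKINIT constants are added, and the hunk header's result count of 8 lines matches a body without them, so unless the combined-diff markers are mis-rendered the merged enum no longer defines these keys. KdcConfig.getIssuers() in this same commit still references KdcConfigKey.ISSUERS, and the other four presumably have readers elsewhere in the server. The master-side spellings should be restored ahead of the PKINIT entries; the enum continues past this hunk.
```java
ENCRYPTION_TYPES("aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd"),
RESTRICT_ANONYMOUS_TO_TGT(false),
KDC_MAX_DGRAM_REPLY_SIZE(4096),
VERIFY_KEY(),
DECRYPTION_KEY(),
ISSUERS(),
PKINIT_IDENTITY(null),
PKINIT_ANCHORS(null);
```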
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a41ad79c/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
----------------------------------------------------------------------
diff --cc kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
index 5ea108a,a7329c4..d785c75
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
@@@ -110,15 -110,10 +110,13 @@@ public class KinitTool
File confDir = null;
if (ktOptions.contains(KinitOption.CONF_DIR)) {
confDir = ktOptions.getDirOption(KinitOption.CONF_DIR);
- } else {
- printUsage("Can't get the conf dir!");
}
- //If not request tickets by keytab than by password.
- if (!ktOptions.contains(KinitOption.USE_KEYTAB)) {
+ if (ktOptions.contains(KinitOption.ANONYMOUS)) {
+ ktOptions.add(KrbOption.USE_PKINIT_ANONYMOUS);
+ ktOptions.add(KrbOption.PKINIT_X509_ANCHORS);
+ } else if (!ktOptions.contains(KinitOption.USE_KEYTAB)) {
+ //If not request tickets by keytab than by password.
ktOptions.add(KinitOption.USE_PASSWD);
String password = getPassword(principal);
ktOptions.add(KinitOption.USER_PASSWD, password);
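Review bot: In the new option chain KinitOption.ANONYMOUS silently takes precedence over USE_KEYTAB, so a caller passing both gets anonymous PKINIT with no indication that the keytab was ignored; rejecting the combination up front with `printUsage("Can't use a keytab with anonymous pkinit!")` would be clearer. The branch also adds KrbOption.PKINIT_X509_ANCHORS with no value; if that option is meant to carry the anchor list rather than act as a flag, the value should come from the client config (KrbConfig.getPkinitAnchors() is added in this commit) rather than being left unset, which is worth confirming against KrbOption. The enclosing method starts before this hunk.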