Posted to dev@directory.apache.org by Leo Li <li...@gmail.com> on 2007/11/13 09:15:15 UTC

[kerberos]How to use org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder.decode?

Hi, all
       I would like to use the ApplicationRequestDecoder.decode() to decode
a message token between a Kerberos client and server, but it fails. I found
that the first several bytes should be treated and discarded before it is
decoded, but how can I find an example? Furthermore, does Apache DS have
support for dealing with the communication between client and server after
the client got the TGS from the KDC?

Thanks in advance.


     Here is the code:

     // The byte array of the token sent from client to server as an
     // ApplicationRequest. (As discussed later in the thread, it is really a
     // GSS-API InitialContextToken: the leading 0x60 ... 0x01 0x00 header wraps
     // the AP-REQ, which only starts at the 0x6E byte.)
     byte[] token = new byte[] { 96, -126, 1, -53, 6, 9, 42, -122, 72, -122,
    -9, 18, 1, 2, 2, 1, 0, 110, -126, 1, -70, 48, -126, 1, -74,
    -96, 3, 2, 1, 5, -95, 3, 2, 1, 14, -94, 7, 3, 5, 0, 32, 0, 0,
    0, -93, -127, -9, 97, -127, -12, 48, -127, -15, -96, 3, 2, 1,
    5, -95, 13, 27, 11, 69, 88, 65, 77, 80, 76, 69, 46, 67, 79, 77,
    -94, 49, 48, 47, -96, 3, 2, 1, 0, -95, 40, 48, 38, 27, 11, 115,
    101, 114, 118, 105, 99, 101, 116, 101, 115, 116, 27, 23, 119,
    107, 115, 49, 48, 55, 57, 48, 52, 119, 115, 115, 46, 99, 110,
    46, 105, 98, 109, 46, 99, 111, 109, -93, -127, -89, 48, -127,
    -92, -96, 3, 2, 1, 16, -95, 3, 2, 1, 1, -94, -127, -105, 4,
    -127, -108, 50, -17, -15, -80, 69, -71, 92, -67, -61, -71, 55,
    -49, 23, 112, -113, 93, -54, 115, 68, 21, 65, 72, -15, 45, -30,
    72, 29, 61, 123, -54, 22, 77, 71, 99, -82, 58, 92, -106, 22,
    40, -41, 80, -55, 32, 6, 36, 91, -11, 59, 55, -95, -41, 117,
    -68, -107, -18, 121, -117, 61, -82, 46, -40, 5, -108, -99, 100,
    122, 107, 37, -95, -71, 48, -60, 98, -44, 124, 84, 115, -92,
    -15, -44, -85, 75, -109, -10, 75, 5, -71, -38, 38, 71, 123, -2,
    -66, -54, -89, 101, -68, 122, 97, -33, -98, 4, -112, -51, 1,
    24, 46, 97, -16, -107, -122, -76, -65, -79, -25, 72, -11, -108,
    93, 59, 27, -32, -54, -80, 51, 114, -25, 65, -77, 5, -61, -123,
    -99, 70, -77, 26, -74, -120, -48, -80, -69, -91, -83, 45, 53,
    -60, -40, -92, -127, -90, 48, -127, -93, -96, 3, 2, 1, 1, -94,
    -127, -101, 4, -127, -104, -100, 84, -28, 91, 21, -87, 42, -52,
    -112, -117, 52, 111, 103, -61, 123, 61, 3, -53, -37, 22, 123,
    51, -65, -22, -51, 120, 76, -76, -119, -126, 24, -54, 94, 123,
    57, 22, -44, 124, 15, 82, 87, -85, 47, 91, -76, 127, -6, 0, 53,
    8, -114, -128, 87, -95, 70, 20, 32, 86, -36, 22, -80, 75, 78,
    -89, -42, 53, 76, 71, -74, -112, 55, -15, 62, -17, 40, 90, 73,
    -59, 79, -125, -56, 110, -125, -121, 10, -118, 63, -119, -19,
    91, -46, -26, -110, -13, -104, 82, 65, 123, 20, -30, -62, 28,
    -125, 55, 11, -47, 87, -126, -94, 11, 112, 41, 44, -9, 113,
    -33, 75, -15, -44, -90, 14, -60, -89, 105, 119, -68, -51, -29,
    45, 118, -35, -26, 60, -58, -14, -78, -37, 12, 100, 125, -42,
    114, -5, 18, 47, 115, 96, 56, -86, -69, 66, -14 };

    ApplicationRequest applicationRequest = new ApplicationRequestDecoder().decode(token);

    And it fails with stacktrace:

    Exception in thread "main" java.lang.ClassCastException: org.apache.directory.shared.asn1.der.DERObjectIdentifier
        at org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder.decode(ApplicationRequestDecoder.java:57)
        at Test.main(Test.java:53)

-- 
Leo Li
China Software Development Lab, IBM

Re: [kerberos]How to use org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder.decode?

Posted by Leo Li <li...@gmail.com>.
On 11/13/07, Emmanuel Lecharny <el...@gmail.com> wrote:
>
> Hi Leo,
>
> I have no idea where the data you are trying to decode are coming from,
> but this is certainly not an AP-REQ : it should start with a 0x6E.
>
> Here is your data and some analysis :
>
> 0x60 0x82 0x01 0xCB // ??? with a 0x01CB length
> 0x06 0x09 0x2A 0x86 0x48 0x86 0xF7 0x12 0x01 0x02 0x02 //
> ObjectIdentifier : 1.2.1608.423698.1.2.2
> 0x01 0x00 // Null length boolean...
> 0x6E 0x82 0x01 0xBA // AP-Request, 442 bytes long
>    0x30 0x82 0x01 0xB6 // Sequence, length 438 bytes
>      0xA0 0x03 0x02 0x01 0x05 // pvno
>      0xA1 0x03 0x02 0x01 0x0E // messageType : Application Request
>      0xA2 0x07 0x03 0x05 0x00 0x20 0x00 0x00 0x00 // ap-options
>      0xA3 0x81 0xF7 // Ticket, length 247 bytes
> ...



  Thank you, Emmanuel.
  I have made a mistake. The token is a GSS token; it wraps the
Kerberos Application Request with a mechanism-dependent and a
mechanism-independent header. I wrote an ASN.1 decoder to handle them
according to RFC 2743.
   Furthermore, I found that there is an
org.apache.directory.server.kerberos.shared.service.VerifyAuthHeader which
is able to decode the encrypted part of the Kerberos Application
Request. But it is an abstract class, so I guess it is meant to be used in a
framework. So how do I use it? Especially the ticket parameter in
its verifyAuthHeader :

        public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket,
                EncryptionKey serverKey, long clockSkew, ReplayCache replayCache,
                boolean emptyAddressesAllowed, InetAddress clientAddress,
                CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate )

Excuse me for my ignorance in Kerberos. :)
If it is used by the server to validate the request from a client:

(1) Is the ticket parameter obtained from authHeader.getTicket()?
(2) The server has its own password; does it need to create an EncryptionKey
according to the Application Request?

For example, if the Application Request denotes that the encryption type is
"DES-CBC-MD5", "DES-CBC-MD4" or "DES-CBC-CRC", shall the server create a
KerberosKey with the "DES" algorithm and then generate an EncryptionKey from
KerberosKey.getEncoded() and the encryption type?

Likewise, if the encryption type is "ARCFOUR-HMAC", is another KerberosKey
with the "ARCFOUR" algorithm created and wrapped as an EncryptionKey for use
in verifyAuthHeader?

Thanks.


> Leo Li wrote:
> > Hi, all
> >        I would like to use the ApplicationRequestDecoder.decode() to
> > decode a message token between a Kerberos client and server, but it
> > fails. I found that the first several bytes should be treated and
> > discarded before it is decoded, but how can I find an example?
> > Furthermore, does Apache DS have support for dealing with the
> > communication between client and server after the client got the TGS
> > from the KDC?
> >
> > Thanks in advance.
> >
> >
> >      Here is the code:
> >
> >      // The byte array of the token sent from client to server as an
> >      // ApplicationRequest.
> >      byte[] token = new byte[] { 96, -126, 1, -53, 6, 9, 42, -122, 72,
> > -122,
> >     -9, 18, 1, 2, 2, 1, 0, 110, -126, 1, -70, 48, -126, 1, -74,
> >     -96, 3, 2, 1, 5, -95, 3, 2, 1, 14, -94, 7, 3, 5, 0, 32, 0, 0,
> >     0, -93, -127, -9, 97, -127, -12, 48, -127, -15, -96, 3, 2, 1,
> >     5, -95, 13, 27, 11, 69, 88, 65, 77, 80, 76, 69, 46, 67, 79, 77,
> >     -94, 49, 48, 47, -96, 3, 2, 1, 0, -95, 40, 48, 38, 27, 11, 115,
> >     101, 114, 118, 105, 99, 101, 116, 101, 115, 116, 27, 23, 119,
> >     107, 115, 49, 48, 55, 57, 48, 52, 119, 115, 115, 46, 99, 110,
> >     46, 105, 98, 109, 46, 99, 111, 109, -93, -127, -89, 48, -127,
> >     -92, -96, 3, 2, 1, 16, -95, 3, 2, 1, 1, -94, -127, -105, 4,
> >     -127, -108, 50, -17, -15, -80, 69, -71, 92, -67, -61, -71, 55,
> >     -49, 23, 112, -113, 93, -54, 115, 68, 21, 65, 72, -15, 45, -30,
> >     72, 29, 61, 123, -54, 22, 77, 71, 99, -82, 58, 92, -106, 22,
> >     40, -41, 80, -55, 32, 6, 36, 91, -11, 59, 55, -95, -41, 117,
> >     -68, -107, -18, 121, -117, 61, -82, 46, -40, 5, -108, -99, 100,
> >     122, 107, 37, -95, -71, 48, -60, 98, -44, 124, 84, 115, -92,
> >     -15, -44, -85, 75, -109, -10, 75, 5, -71, -38, 38, 71, 123, -2,
> >     -66, -54, -89, 101, -68, 122, 97, -33, -98, 4, -112, -51, 1,
> >     24, 46, 97, -16, -107, -122, -76, -65, -79, -25, 72, -11, -108,
> >     93, 59, 27, -32, -54, -80, 51, 114, -25, 65, -77, 5, -61, -123,
> >     -99, 70, -77, 26, -74, -120, -48, -80, -69, -91, -83, 45, 53,
> >     -60, -40, -92, -127, -90, 48, -127, -93, -96, 3, 2, 1, 1, -94,
> >     -127, -101, 4, -127, -104, -100, 84, -28, 91, 21, -87, 42, -52,
> >     -112, -117, 52, 111, 103, -61, 123, 61, 3, -53, -37, 22, 123,
> >     51, -65, -22, -51, 120, 76, -76, -119, -126, 24, -54, 94, 123,
> >     57, 22, -44, 124, 15, 82, 87, -85, 47, 91, -76, 127, -6, 0, 53,
> >     8, -114, -128, 87, -95, 70, 20, 32, 86, -36, 22, -80, 75, 78,
> >     -89, -42, 53, 76, 71, -74, -112, 55, -15, 62, -17, 40, 90, 73,
> >     -59, 79, -125, -56, 110, -125, -121, 10, -118, 63, -119, -19,
> >     91, -46, -26, -110, -13, -104, 82, 65, 123, 20, -30, -62, 28,
> >     -125, 55, 11, -47, 87, -126, -94, 11, 112, 41, 44, -9, 113,
> >     -33, 75, -15, -44, -90, 14, -60, -89, 105, 119, -68, -51, -29,
> >     45, 118, -35, -26, 60, -58, -14, -78, -37, 12, 100, 125, -42,
> >     114, -5, 18, 47, 115, 96, 56, -86, -69, 66, -14 };
> >
> >     ApplicationRequest applicationRequest  = new
> > ApplicationRequestDecoder().decode(token);
> >
> >     And it fails with stacktrace:
> >
> >     Exception in thread "main" java.lang.ClassCastException: org.apache.directory.shared.asn1.der.DERObjectIdentifier
> >         at org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder.decode(ApplicationRequestDecoder.java:57)
> >         at Test.main(Test.java:53)
> >
> > --
> > Leo Li
> > China Software Development Lab, IBM
>
>
> --
> --
> cordialement, regards,
> Emmanuel Lécharny
> www.iktek.com
> directory.apache.org
>
>
>


-- 
Leo Li
China Software Development Lab, IBM

Re: [kerberos]How to use org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder.decode?

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi Leo,

I have no idea where the data you are trying to decode are coming from, 
but this is certainly not an AP-REQ : it should start with a 0x6E.

Here is your data and some analysis :

0x60 0x82 0x01 0xCB // ??? with a 0x01CB length
  0x06 0x09 0x2A 0x86 0x48 0x86 0xF7 0x12 0x01 0x02 0x02 // 
ObjectIdentifier : 1.2.1608.423698.1.2.2
  0x01 0x00 // Null length boolean...
  0x6E 0x82 0x01 0xBA // AP-Request, 442 bytes long
    0x30 0x82 0x01 0xB6 // Sequence, length 438 bytes
      0xA0 0x03 0x02 0x01 0x05 // pvno
      0xA1 0x03 0x02 0x01 0x0E // messageType : Application Request
      0xA2 0x07 0x03 0x05 0x00 0x20 0x00 0x00 0x00 // ap-options
      0xA3 0x81 0xF7 // Ticket, length 247 bytes
...

Leo Li wrote:
> Hi, all
>        I would like to use the ApplicationRequestDecoder.decode() to 
> decode a message token between a Kerberos client and server, but it 
> fails. I found that the first several bytes should be treated and 
> discarded before it is decoded, but how can I find an example? 
> Furthermore, does Apache DS have support for dealing with the 
> communication between client and server after the client got the TGS 
> from the KDC?
>  
> Thanks in advance.
>  
>  
>      Here is the code:
>  
>      // The byte array of the token sent from client to server as an 
>      // ApplicationRequest.
>      byte[] token = new byte[] { 96, -126, 1, -53, 6, 9, 42, -122, 72, 
> -122,
>     -9, 18, 1, 2, 2, 1, 0, 110, -126, 1, -70, 48, -126, 1, -74,
>     -96, 3, 2, 1, 5, -95, 3, 2, 1, 14, -94, 7, 3, 5, 0, 32, 0, 0,
>     0, -93, -127, -9, 97, -127, -12, 48, -127, -15, -96, 3, 2, 1,
>     5, -95, 13, 27, 11, 69, 88, 65, 77, 80, 76, 69, 46, 67, 79, 77,
>     -94, 49, 48, 47, -96, 3, 2, 1, 0, -95, 40, 48, 38, 27, 11, 115,
>     101, 114, 118, 105, 99, 101, 116, 101, 115, 116, 27, 23, 119,
>     107, 115, 49, 48, 55, 57, 48, 52, 119, 115, 115, 46, 99, 110,
>     46, 105, 98, 109, 46, 99, 111, 109, -93, -127, -89, 48, -127,
>     -92, -96, 3, 2, 1, 16, -95, 3, 2, 1, 1, -94, -127, -105, 4,
>     -127, -108, 50, -17, -15, -80, 69, -71, 92, -67, -61, -71, 55,
>     -49, 23, 112, -113, 93, -54, 115, 68, 21, 65, 72, -15, 45, -30,
>     72, 29, 61, 123, -54, 22, 77, 71, 99, -82, 58, 92, -106, 22,
>     40, -41, 80, -55, 32, 6, 36, 91, -11, 59, 55, -95, -41, 117,
>     -68, -107, -18, 121, -117, 61, -82, 46, -40, 5, -108, -99, 100,
>     122, 107, 37, -95, -71, 48, -60, 98, -44, 124, 84, 115, -92,
>     -15, -44, -85, 75, -109, -10, 75, 5, -71, -38, 38, 71, 123, -2,
>     -66, -54, -89, 101, -68, 122, 97, -33, -98, 4, -112, -51, 1,
>     24, 46, 97, -16, -107, -122, -76, -65, -79, -25, 72, -11, -108,
>     93, 59, 27, -32, -54, -80, 51, 114, -25, 65, -77, 5, -61, -123,
>     -99, 70, -77, 26, -74, -120, -48, -80, -69, -91, -83, 45, 53,
>     -60, -40, -92, -127, -90, 48, -127, -93, -96, 3, 2, 1, 1, -94,
>     -127, -101, 4, -127, -104, -100, 84, -28, 91, 21, -87, 42, -52,
>     -112, -117, 52, 111, 103, -61, 123, 61, 3, -53, -37, 22, 123,
>     51, -65, -22, -51, 120, 76, -76, -119, -126, 24, -54, 94, 123,
>     57, 22, -44, 124, 15, 82, 87, -85, 47, 91, -76, 127, -6, 0, 53,
>     8, -114, -128, 87, -95, 70, 20, 32, 86, -36, 22, -80, 75, 78,
>     -89, -42, 53, 76, 71, -74, -112, 55, -15, 62, -17, 40, 90, 73,
>     -59, 79, -125, -56, 110, -125, -121, 10, -118, 63, -119, -19,
>     91, -46, -26, -110, -13, -104, 82, 65, 123, 20, -30, -62, 28,
>     -125, 55, 11, -47, 87, -126, -94, 11, 112, 41, 44, -9, 113,
>     -33, 75, -15, -44, -90, 14, -60, -89, 105, 119, -68, -51, -29,
>     45, 118, -35, -26, 60, -58, -14, -78, -37, 12, 100, 125, -42,
>     114, -5, 18, 47, 115, 96, 56, -86, -69, 66, -14 };
>  
>     ApplicationRequest applicationRequest  = new 
> ApplicationRequestDecoder().decode(token);
>  
>     And it fails with stacktrace:
>  
>     Exception in thread "main" java.lang.ClassCastException: org.apache.directory.shared.asn1.der.DERObjectIdentifier
>         at org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder.decode(ApplicationRequestDecoder.java:57)
>         at Test.main(Test.java:53)
>    
> -- 
> Leo Li
> China Software Development Lab, IBM


-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
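Emmanuel's byte-level walk-through and Leo's follow-up (the token is an RFC 2743 GSS-API InitialContextToken) describe the same layout: an [APPLICATION 0] wrapper, the mechanism OID, a two-byte token id, and only then the AP-REQ starting with 0x6E. The Python below is an added example written for this page, not ApacheDS code and not code from either poster. It unwraps that header and reads the outer AP-REQ fields, using the byte array from Leo's post as its sample input (copied as Java signed bytes and converted). It also shows the checks a receiving service wants before handing bytes to a Kerberos decoder: the mechanism OID must be the Kerberos V5 one (the 9 OID octets decode to 1.2.840.113554.1.2.2), the token id must be KRB_AP_REQ (01 00), and every DER length must stay inside the buffer, so a still-wrapped or malformed token is rejected with a clear ValueError instead of a ClassCastException deep inside a decoder. All function names are my own.

```python
"""Unwrap an RFC 2743 InitialContextToken and read the outer fields of the
Kerberos AP-REQ inside it (RFC 4120 5.5.1). Added example, not ApacheDS code."""

# Sample input: the token from Leo Li's post, copied as Java signed bytes.
_JAVA_SIGNED = [
    96, -126, 1, -53, 6, 9, 42, -122, 72, -122, -9, 18, 1, 2, 2, 1, 0, 110, -126, 1, -70, 48, -126, 1, -74,
    -96, 3, 2, 1, 5, -95, 3, 2, 1, 14, -94, 7, 3, 5, 0, 32, 0, 0, 0, -93, -127, -9, 97, -127, -12, 48, -127, -15, -96, 3, 2, 1,
    5, -95, 13, 27, 11, 69, 88, 65, 77, 80, 76, 69, 46, 67, 79, 77, -94, 49, 48, 47, -96, 3, 2, 1, 0, -95, 40, 48, 38, 27, 11, 115,
    101, 114, 118, 105, 99, 101, 116, 101, 115, 116, 27, 23, 119, 107, 115, 49, 48, 55, 57, 48, 52, 119, 115, 115, 46, 99, 110,
    46, 105, 98, 109, 46, 99, 111, 109, -93, -127, -89, 48, -127, -92, -96, 3, 2, 1, 16, -95, 3, 2, 1, 1, -94, -127, -105, 4,
    -127, -108, 50, -17, -15, -80, 69, -71, 92, -67, -61, -71, 55, -49, 23, 112, -113, 93, -54, 115, 68, 21, 65, 72, -15, 45, -30,
    72, 29, 61, 123, -54, 22, 77, 71, 99, -82, 58, 92, -106, 22, 40, -41, 80, -55, 32, 6, 36, 91, -11, 59, 55, -95, -41, 117,
    -68, -107, -18, 121, -117, 61, -82, 46, -40, 5, -108, -99, 100, 122, 107, 37, -95, -71, 48, -60, 98, -44, 124, 84, 115, -92,
    -15, -44, -85, 75, -109, -10, 75, 5, -71, -38, 38, 71, 123, -2, -66, -54, -89, 101, -68, 122, 97, -33, -98, 4, -112, -51, 1,
    24, 46, 97, -16, -107, -122, -76, -65, -79, -25, 72, -11, -108, 93, 59, 27, -32, -54, -80, 51, 114, -25, 65, -77, 5, -61, -123,
    -99, 70, -77, 26, -74, -120, -48, -80, -69, -91, -83, 45, 53, -60, -40, -92, -127, -90, 48, -127, -93, -96, 3, 2, 1, 1, -94,
    -127, -101, 4, -127, -104, -100, 84, -28, 91, 21, -87, 42, -52, -112, -117, 52, 111, 103, -61, 123, 61, 3, -53, -37, 22, 123,
    51, -65, -22, -51, 120, 76, -76, -119, -126, 24, -54, 94, 123, 57, 22, -44, 124, 15, 82, 87, -85, 47, 91, -76, 127, -6, 0, 53,
    8, -114, -128, 87, -95, 70, 20, 32, 86, -36, 22, -80, 75, 78, -89, -42, 53, 76, 71, -74, -112, 55, -15, 62, -17, 40, 90, 73,
    -59, 79, -125, -56, 110, -125, -121, 10, -118, 63, -119, -19, 91, -46, -26, -110, -13, -104, 82, 65, 123, 20, -30, -62, 28,
    -125, 55, 11, -47, 87, -126, -94, 11, 112, 41, 44, -9, 113, -33, 75, -15, -44, -90, 14, -60, -89, 105, 119, -68, -51, -29,
    45, 118, -35, -26, 60, -58, -14, -78, -37, 12, 100, 125, -42, 114, -5, 18, 47, 115, 96, 56, -86, -69, 66, -14,
]
TOKEN = bytes(b & 0xFF for b in _JAVA_SIGNED)
KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 GSS-API mechanism (RFC 1964)
TOK_ID_AP_REQ = b"\x01\x00"  # KRB_AP_REQ token id (RFC 1964 section 1.1)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted form of DER OID content octets (first octet = 40*a + b, then base-128 arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def der_int(raw):
    tag, s, e = read_tlv(raw, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(raw[s:e], "big", signed=True)

def unwrap_initial_context_token(token):
    """Strip the RFC 2743 3.1 header [APPLICATION 0] { OID, tok_id, inner }.
    Returns (mech_oid, tok_id, inner_token) and refuses anything else."""
    tag, start, end = read_tlv(token, 0)
    if tag != 0x60 or end != len(token):
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, os_, oe = read_tlv(token, start)
    if oid_tag != 0x06:
        raise ValueError("mechanism OID missing")
    mech, tok_id = decode_oid(token[os_:oe]), token[oe:oe + 2]
    if mech != KRB5_MECH_OID or tok_id != TOK_ID_AP_REQ:
        raise ValueError(f"unexpected mechanism {mech} / token id {tok_id.hex()}")
    return mech, tok_id, token[oe + 2:end]

def parse_ap_req_outer(ap_req):
    """pvno, msg-type, ap-options and the sizes of ticket and authenticator.
    The encrypted parts are left alone: decrypting them needs the service key."""
    tag, s, e = read_tlv(ap_req, 0)
    if tag != 0x6E or e != len(ap_req):
        raise ValueError("not an AP-REQ ([APPLICATION 14])")
    seq_tag, pos, seq_end = read_tlv(ap_req, s)
    if seq_tag != 0x30:
        raise ValueError("AP-REQ body is not a SEQUENCE")
    fields = {}
    while pos < seq_end:
        ctag, cs, ce = read_tlv(ap_req, pos)  # context tag [n] is 0xA0 | n
        fields[ctag & 0x1F] = ap_req[cs:ce]
        pos = ce
    _, bs, be = read_tlv(fields[2], 0)  # BIT STRING: unused-bits octet + 32 flag bits
    flags = int.from_bytes(fields[2][bs + 1:be], "big")
    return {
        "pvno": der_int(fields[0]),
        "msg_type": der_int(fields[1]),
        "mutual_required": bool(flags & 0x20000000),  # ap-options bit 2
        "ticket_len": len(fields[3]),
        "authenticator_len": len(fields[4]),
    }

if __name__ == "__main__":
    print(parse_ap_req_outer(unwrap_initial_context_token(TOKEN)[2]))
```

Feeding TOKEN straight into parse_ap_req_outer fails on the first tag check (0x60 rather than 0x6E), which is the same mismatch the decoder in the post tripped over; after unwrap_initial_context_token the inner 446-byte AP-REQ parses to pvno 5, msg-type 14 (AP-REQ), the mutual-required option set, a 247-byte ticket and a 166-byte authenticator, matching the lengths in Emmanuel's analysis.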