Posted to commits@directory.apache.org by dr...@apache.org on 2015/03/23 07:28:14 UTC
directory-kerby git commit: WIP: Implementing FAST/Preauth framework
Repository: directory-kerby
Updated Branches:
refs/heads/master cfee779bd -> b1b28bbc3
WIP: Implementing FAST/Preauth framework
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/b1b28bbc
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/b1b28bbc
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/b1b28bbc
Branch: refs/heads/master
Commit: b1b28bbc37a847261e2265d27375a725d4209cc4
Parents: cfee779
Author: Drankye <dr...@gmail.com>
Authored: Mon Mar 23 14:27:51 2015 +0800
Committer: Drankye <dr...@gmail.com>
Committed: Mon Mar 23 14:27:51 2015 +0800
----------------------------------------------------------------------
.../kerby/kerberos/kdc/WithTokenKdcTest.java | 40 ++++++++-
kerby-kerb/kerb-client/pom.xml | 5 ++
.../kerb/client/request/ArmoredAsRequest.java | 86 ++++++++++++++++++++
.../kerberos/kerb/client/request/AsRequest.java | 11 +++
.../kerb/client/request/AsRequestWithToken.java | 15 ++--
.../kerberos/kerb/crypto/fast/FastArmor.java | 45 ++++++++++
6 files changed, 194 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b1b28bbc/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
index 427dd77..e8f6a5a 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
@@ -29,21 +29,57 @@ import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
import org.junit.Before;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+
import static org.assertj.core.api.Assertions.assertThat;
public class WithTokenKdcTest extends KdcTestBase {
+ static final String SUBJECT = "test-sub";
+ static final String AUDIENCE = "krbtgt@EXAMPLE.COM";
+ static final String ISSUER = "oauth2.com";
+ static final String GROUP = "sales-group";
+ static final String ROLE = "ADMIN";
+
private TokenEncoder tokenEncoder;
- private AuthToken token;
+ private AuthToken authToken;
@Before
public void setUp() throws Exception {
KrbRuntime.setTokenProvider(new JwtTokenProvider());
tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+ prepareToken();
super.setUp();
}
+ private void prepareToken() {
+ authToken = KrbRuntime.getTokenProvider().createTokenFactory().createToken();
+
+ authToken.setIssuer(ISSUER);
+ authToken.setSubject(SUBJECT);
+
+ authToken.addAttribute("group", GROUP);
+ authToken.addAttribute("role", ROLE);
+
+ List<String> aud = new ArrayList<String>();
+ aud.add(AUDIENCE);
+ authToken.setAudiences(aud);
+
+ // Set expiration in 60 minutes
+ final Date NOW = new Date(new Date().getTime() / 1000 * 1000);
+ Date exp = new Date(NOW.getTime() + 1000 * 60 * 60);
+ authToken.setExpirationTime(exp);
+
+ Date nbf = NOW;
+ authToken.setNotBeforeTime(nbf);
+
+ Date iat = NOW;
+ authToken.setIssueTime(iat);
+ }
+
@Override
protected void setUpKdcServer() throws Exception {
super.setUpKdcServer();
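Review bot: In prepareToken the local `NOW` is named like a class constant although it is a method-scoped value, and `nbf` and `iat` are merely aliases of it; `Date now = new Date(System.currentTimeMillis() / 1000 * 1000);` followed by `authToken.setNotBeforeTime(now); authToken.setIssueTime(now);` says the same thing without the extra names. The division-then-multiplication deserves its own comment, since its intent is not obvious, e.g. `// truncate to whole seconds; presumably because the token's time claims carry second precision`. The existing comment "Set expiration in 60 minutes" would then sit next to the only line it describes.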
@@ -58,7 +94,7 @@ public class WithTokenKdcTest extends KdcTestBase {
TgtTicket tgt;
try {
- tgt = krbClnt.requestTgtTicket(clientPrincipal, token, null);
+ tgt = krbClnt.requestTgtTicket(clientPrincipal, authToken, null);
} catch (KrbException te) {
assertThat(te.getMessage().contains("timeout")).isTrue();
return;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b1b28bbc/kerby-kerb/kerb-client/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/pom.xml b/kerby-kerb/kerb-client/pom.xml
index a6b03c2..5d01fe3 100644
--- a/kerby-kerb/kerb-client/pom.xml
+++ b/kerby-kerb/kerb-client/pom.xml
@@ -46,6 +46,11 @@
<artifactId>kerby-event</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-util</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
<profiles>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b1b28bbc/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
new file mode 100644
index 0000000..35e541d
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
+import org.apache.kerby.kerberos.kerb.client.KOptions;
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.crypto.fast.FastArmor;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+
+import java.io.File;
+import java.io.IOException;
+
+/**
+ * This initiates an armor protected AS-REQ using FAST/Pre-auth.
+ */
+public abstract class ArmoredAsRequest extends AsRequest {
+
+ public ArmoredAsRequest(KrbContext context) {
+ super(context);
+ }
+
+ @Override
+ public KOptions getPreauthOptions() {
+ KOptions results = new KOptions();
+
+ KOptions krbOptions = getKrbOptions();
+ results.add(krbOptions.getOption(KrbOption.ARMOR_CACHE));
+
+ return results;
+ }
+
+ /**
+ * Prepare FAST armor key.
+ * @return
+ * @throws KrbException
+ */
+ protected EncryptionKey makeArmorKey() throws KrbException {
+ EncryptionKey subKey = null;
+ EncryptionKey armorCacheKey = getArmorCacheKey();
+ EncryptionKey armorKey = FastArmor.cf2(subKey, "subkeyarmor",
+ armorCacheKey, "ticketarmor");
+
+ return armorKey;
+ }
+
+ /**
+ * Get armor cache key.
+ * @return armor cache key
+ * @throws KrbException
+ */
+ protected EncryptionKey getArmorCacheKey() throws KrbException {
+ KOptions preauthOptions = getPreauthOptions();
+ String ccache = preauthOptions.getStringOption(KrbOption.KRB5_CACHE);
+ File ccacheFile = new File(ccache);
+ CredentialCache cc = null;
+ try {
+ cc = resolveCredCache(ccacheFile);
+ } catch (IOException e) {
+ throw new KrbException("Failed to load armor cache file");
+ }
+ EncryptionKey armorCacheKey =
+ cc.getCredentials().iterator().next().getKey();;
+
+ return armorCacheKey;
+ }
+}
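Review bot: getArmorCacheKey reads `KrbOption.KRB5_CACHE` from the preauth options, but getPreauthOptions only copies `KrbOption.ARMOR_CACHE` into them, so `ccache` is null and `new File(ccache)` throws NullPointerException before any KrbException can be raised; the lookup should be `String ccache = preauthOptions.getStringOption(KrbOption.ARMOR_CACHE);` with an explicit KrbException when the option is absent. The cache is then used blindly: `cc.getCredentials().iterator().next()` takes whichever credential is first, which throws NoSuchElementException on an empty cache and on a multi-entry cache may armor the request with a session key belonging to some service other than the KDC's ticket-granting ticket, so the krbtgt credential for the target realm should be selected explicitly and its absence reported. The caught IOException is dropped rather than attached as the cause, and the `;;` on the armorCacheKey line is a stray. In makeArmorKey the `subKey` half of the CF2 input is hard-coded to null; the pepper strings match RFC 6113, which derives the armor key from a freshly generated client subkey combined with the armor ticket's session key, so a null here would (once cf2 is implemented) make the armor key depend only on the cached ticket key — a `// TODO: generate a fresh client subkey of the armor ticket's enctype` is better than a silent null.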
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b1b28bbc/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
index 7a29bdd..55419bf 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.client.request;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
import org.apache.kerby.kerberos.kerb.client.KrbContext;
import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.KrbException;
@@ -27,7 +28,9 @@ import org.apache.kerby.kerberos.kerb.spec.base.*;
import org.apache.kerby.kerberos.kerb.spec.kdc.*;
import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
+import java.io.File;
import java.io.IOException;
+import java.io.InputStream;
import java.util.List;
public class AsRequest extends KdcRequest {
@@ -53,6 +56,7 @@ public class AsRequest extends KdcRequest {
this.clientKey = clientKey;
}
+ @Override
public EncryptionKey getClientKey() throws KrbException {
return clientKey;
}
@@ -124,4 +128,11 @@ public class AsRequest extends KdcRequest {
private PrincipalName makeTgsPrincipal() {
return new PrincipalName(KrbConstant.TGS_PRINCIPAL + "@" + getContext().getKdcRealm());
}
+
+ protected CredentialCache resolveCredCache(File ccacheFile) throws IOException {
+ CredentialCache cc = new CredentialCache();
+ cc.load(ccacheFile);
+
+ return cc;
+ }
}
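Review bot: resolveCredCache is a new protected extension point with no Javadoc; add `/** Loads a credential cache from {@code ccacheFile}. Subclasses may override to obtain the cache elsewhere. @throws IOException if the file cannot be read or parsed. */`. The `import java.io.InputStream;` added in the earlier hunk of this file is not used by anything in this change; if nothing outside the visible hunks uses it (the rest of the file is not shown here), it should be dropped until an overload actually needs it.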
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b1b28bbc/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
index de5f0f2..95e6021 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
@@ -19,13 +19,16 @@
*/
package org.apache.kerby.kerberos.kerb.client.request;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KOptions;
import org.apache.kerby.kerberos.kerb.client.KrbContext;
import org.apache.kerby.kerberos.kerb.client.KrbOption;
-import org.apache.kerby.kerberos.kerb.client.KOptions;
-import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
-public class AsRequestWithToken extends AsRequest {
+/**
+ * This initiates an AS-REQ using TokenPreauth mechanism.
+ */
+public class AsRequestWithToken extends ArmoredAsRequest {
public AsRequestWithToken(KrbContext context) {
super(context);
@@ -40,12 +43,12 @@ public class AsRequestWithToken extends AsRequest {
@Override
public KOptions getPreauthOptions() {
- KOptions results = new KOptions();
-
+ KOptions results = super.getPreauthOptions();
KOptions krbOptions = getKrbOptions();
+
results.add(krbOptions.getOption(KrbOption.TOKEN_USING_IDTOKEN));
results.add(krbOptions.getOption(KrbOption.TOKEN_USER_ID_TOKEN));
- results.add(krbOptions.getOption(KrbOption.TOKEN_USER_AC_TOKEN));
+ //results.add(krbOptions.getOption(KrbOption.TOKEN_USER_AC_TOKEN));
return results;
}
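Review bot: The commented-out `//results.add(krbOptions.getOption(KrbOption.TOKEN_USER_AC_TOKEN));` is dead code with no explanation; delete it, or replace it with a comment stating the open question, e.g. `// TODO: decide whether TOKEN_USER_AC_TOKEN should be forwarded as a preauth option`. Since the method now starts from `super.getPreauthOptions()`, the armor-cache option from ArmoredAsRequest silently becomes part of the token request's preauth options; a one-line comment above that call, `// inherits the FAST armor options (ARMOR_CACHE) from ArmoredAsRequest`, would make that visible to readers of this class.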
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b1b28bbc/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/fast/FastArmor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/fast/FastArmor.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/fast/FastArmor.java
new file mode 100644
index 0000000..e2dd724
--- /dev/null
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/fast/FastArmor.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.crypto.fast;
+
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+
+/**
+ * Implementing FAST (RFC6113) armor key related algorithms.
+ * Take two keys and two pepper strings as input and return a combined key.
+ */
+public class FastArmor {
+
+ /**
+ * Call the PRF function multiple times with the pepper prefixed with
+ * a count byte to get enough bits of output.
+ */
+ public static byte[] prfPlus(EncryptionKey key, String pepper,
+ int keyBytesLen) {
+ // TODO
+ return null;
+ }
+
+ public static EncryptionKey cf2(EncryptionKey key1, String pepper1,
+ EncryptionKey key2, String pepper2) {
+ // TODO
+ return null;
+ }
+}
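Review bot: Both prfPlus and cf2 return null as a TODO, and cf2 is already wired into ArmoredAsRequest.makeArmorKey, so the unfinished FAST path yields a null armor key at runtime instead of an error; until they are implemented the stubs should fail loudly, `throw new UnsupportedOperationException("FAST PRF+ not implemented yet");` and the same for cf2. cf2 also has no Javadoc; it should state the RFC 6113 §5.1 contract: the result is random-to-key(PRF+(key1, pepper1) XOR PRF+(key2, pepper2)), the output key takes key1's encryption type, and the PRF+ output length is derived from that enctype rather than chosen by the caller. The prfPlus comment could add that the count byte starts at 1 and increments on each PRF call, per the RFC, so that a later implementer does not start from 0.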