Posted to commits@directory.apache.org by dr...@apache.org on 2016/05/29 21:08:56 UTC

[2/2] directory-kerby git commit: DIRKRB-542. Kerby Authorization. Contributed by Gerard Gagliano

DIRKRB-542. Kerby Authorization. Contributed by Gerard Gagliano


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/f751d390
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/f751d390
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/f751d390

Branch: refs/heads/trunk
Commit: f751d3906ed7b8c0e823dc372afd4c2876b99546
Parents: 369f27d
Author: Kai Zheng <ka...@intel.com>
Authored: Mon May 30 05:08:31 2016 +0800
Committer: Kai Zheng <ka...@intel.com>
Committed: Mon May 30 05:08:31 2016 +0800

----------------------------------------------------------------------
 .../org/apache/kerby/asn1/Asn1FieldInfo.java    |  12 +-
 .../kerby/asn1/type/AbstractAsn1Type.java       |   4 +
 .../kerby/asn1/type/Asn1CollectionType.java     |  53 +++--
 .../apache/kerby/asn1/type/Asn1Constructed.java |   5 +
 .../apache/kerby/asn1/type/Asn1Encodeable.java  |  12 +-
 .../org/apache/kerby/asn1/type/Asn1Simple.java  |   1 +
 .../kerberos/kdc/impl/NettyKdcHandler.java      |  14 ++
 .../kdc/impl/NettyKdcUdpServerHandler.java      |  14 ++
 .../client/preauth/pkinit/PkinitPreauth.java    |  29 +--
 .../kerby/kerberos/kerb/type/ad/ADAndOr.java    |  78 +++++++
 .../kerb/type/ad/ADAuthenticationIndicator.java |  82 +++++++
 .../kerby/kerberos/kerb/type/ad/ADCamMac.java   | 187 ++++++++++++++++
 .../kerb/type/ad/ADEnctypeNegotiation.java      |  83 +++++++
 .../type/ad/ADIntendedForApplicationClass.java  | 179 +++++++++++++++
 .../kerb/type/ad/ADIntendedForServer.java       | 162 ++++++++++++++
 .../kerberos/kerb/type/ad/ADKdcIssued.java      | 169 +++++++++++++++
 .../kerby/kerberos/kerb/type/ad/AndOr.java      |  87 ++++++++
 .../kerb/type/ad/AuthorizationData.java         |  10 +
 .../kerb/type/ad/AuthorizationDataEntry.java    |  49 ++++-
 .../kerb/type/ad/AuthorizationDataWrapper.java  | 118 ++++++++++
 .../kerb/type/ad/AuthorizationType.java         | 217 ++++++++++++++++++-
 .../kerb/type/ad/CamMacOtherVerifiers.java      |  30 +++
 .../kerb/type/ad/CamMacVerifierChoice.java      |  67 ++++++
 .../kerb/type/ad/CamMacVerifierMac.java         | 107 +++++++++
 .../kerberos/kerb/type/ad/PrincipalList.java    |  31 +++
 .../kerby/kerberos/kerb/type/base/KeyUsage.java |   3 +-
 .../kerby/kerberos/kerb/codec/ADTest.java       | 143 ++++++++++++
 .../codec/PkinitAnonymousAsRepCodecTest.java    |   2 +-
 .../codec/PkinitAnonymousAsReqCodecTest.java    |  22 +-
 .../kerb/identity/CacheableIdentityService.java |  13 ++
 .../kerberos/kerb/identity/IdentityService.java |  12 +
 .../backend/AbstractIdentityBackend.java        |  34 +++
 .../kerb/server/preauth/PreauthHandler.java     |  16 +-
 .../kerb/server/request/KdcRequest.java         |  46 ++--
 .../kerb/server/request/TgsRequest.java         |   2 +-
 .../kerb/server/request/TicketIssuer.java       |  13 ++
 36 files changed, 2023 insertions(+), 83 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
index 72182b0..fcad437 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
@@ -29,6 +29,7 @@ public class Asn1FieldInfo {
     private int tagNo = -1; // Indicate a non-tagged field
     private boolean isImplicit;
     private Class<? extends Asn1Type> type;
+    private Tag tag = null;
 
     /**
      * Constructor for a tagged field, the tagNo being the same of index.
@@ -101,7 +102,14 @@ public class Asn1FieldInfo {
     }
 
     public Tag getFieldTag() {
-        Asn1Type fieldValue = createFieldValue();
-        return fieldValue.tag();
+        if (tag == null) {
+            Asn1Type fieldValue = createFieldValue();
+            tag = fieldValue.tag();
+        }
+        return tag;
+    }
+
+    public Class<? extends Asn1Type> getType() {
+        return type;
     }
 }
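Review bot: The lazy cache in `getFieldTag()` is written without synchronization, yet `Asn1FieldInfo` objects live in static arrays (for example `fieldInfos` in ADCamMac in this commit), so every thread that decodes shares them. If `Tag` is not strictly immutable, a reader could observe a partially published object; `private volatile Tag tag;` or computing the tag once at construction would remove the question. The new public `getType()` has no Javadoc; a line such as `/** @return the declared ASN.1 type class of this field, used to match tags before a field value exists */` would document why it was exposed.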

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
index 96c68a1..001c40e 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
@@ -73,7 +73,11 @@ public abstract class AbstractAsn1Type<T> extends Asn1Encodeable {
     }
 
     public void setValue(T value) {
+        resetBodyLength();
         this.value = value;
+        if (value instanceof Asn1Encodeable) {
+            ((Asn1Encodeable) value).outerEncodeable = this;
+        }
     }
 
     @Override
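Review bot: `setValue` points the new value's `outerEncodeable` at this object but never clears the link on the value being replaced, and a value placed in a second container silently loses its link to the first. A later change to such a value then resets the wrong container, or none, and the container that still holds it may keep a stale cached body length when it is next encoded. Clearing the old link before the assignment would keep the back-reference honest: `if (this.value instanceof Asn1Encodeable) { ((Asn1Encodeable) this.value).outerEncodeable = null; }`. The same pattern appears in `Asn1CollectionType.setFieldAs` and in `Asn1Constructed.addItem` and `clear`, where removed items also keep their link.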

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
index 8f546c6..d19864c 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
@@ -90,7 +90,6 @@ public abstract class Asn1CollectionType
 
     @Override
     protected void decodeBody(Asn1ParseResult parseResult) throws IOException {
-        checkAndInitFields();
         useDefinitiveLength(parseResult.isDefinitiveLength());
 
         Asn1Container container = (Asn1Container) parseResult;
@@ -115,8 +114,9 @@ public abstract class Asn1CollectionType
 
     private void attemptBinding(Asn1ParseResult parseItem,
                                 int foundPos) throws IOException {
-        Asn1Type fieldValue = fields[foundPos];
         Asn1FieldInfo fieldInfo = fieldInfos[foundPos];
+        checkAndInitField(foundPos);
+        Asn1Type fieldValue = fields[foundPos];
 
         if (fieldValue instanceof Asn1Any) {
             Asn1Any any = (Asn1Any) fieldValue;
@@ -146,30 +146,44 @@ public abstract class Asn1CollectionType
                     foundPos = i;
                     break;
                 }
-            } else if (fieldValue.tag().equals(parseItem.tag())) {
-                foundPos = i;
-                break;
-            } else if (fieldValue instanceof Asn1Choice) {
-                Asn1Choice aChoice = (Asn1Choice) fields[i];
-                if (aChoice.matchAndSetValue(parseItem.tag())) {
+            } else if (fieldValue != null) {
+                if (fieldValue.tag().equals(parseItem.tag())) {
+                    foundPos = i;
+                    break;
+                } else if (fieldValue instanceof Asn1Choice) {
+                    Asn1Choice aChoice = (Asn1Choice) fieldValue;
+                    if (aChoice.matchAndSetValue(parseItem.tag())) {
+                        foundPos = i;
+                        break;
+                    }
+                } else if (fieldValue instanceof Asn1Any) {
+                    foundPos = i;
+                    break;
+                }
+            } else {
+                if (fieldInfo.getFieldTag().equals(parseItem.tag())) {
+                    foundPos = i;
+                    break;
+
+                } else if (Asn1Choice.class
+                        .isAssignableFrom(fieldInfo.getType())) {
+                    Asn1Choice aChoice = (Asn1Choice) (fields[i] = fieldInfo
+                            .createFieldValue());
+                    if (aChoice.matchAndSetValue(parseItem.tag())) {
+                        foundPos = i;
+                        break;
+                    }
+                } else if (Asn1Any.class
+                        .isAssignableFrom(fieldInfo.getType())) {
                     foundPos = i;
                     break;
                 }
-            } else if (fieldValue instanceof Asn1Any) {
-                foundPos = i;
-                break;
             }
         }
 
         return foundPos;
     }
 
-    private void checkAndInitFields() {
-        for (int i = 0; i < fieldInfos.length; ++i) {
-            checkAndInitField(i);
-        }
-    }
-
     private void checkAndInitField(int index) {
         if (fields[index] == null) {
             fields[index] = fieldInfos[index].createFieldValue();
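Review bot: In the new `else` branch the freshly created choice is stored with `fields[i] = fieldInfo.createFieldValue()` before `matchAndSetValue` is tested, so a choice-typed field that does not match the parsed tag stays populated instead of null, unlike every other unmatched field after this change. Since this code runs on decoded network input, an optional field that was absent on the wire should remain absent in the object. Creating the choice into a local and assigning only on a match does that: `Asn1Choice aChoice = (Asn1Choice) fieldInfo.createFieldValue();` followed by `fields[i] = aChoice;` inside the `if`. The loop and the method signature start outside this hunk.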
@@ -178,6 +192,7 @@ public abstract class Asn1CollectionType
 
     protected abstract Asn1Collection createCollection();
 
+    @SuppressWarnings("unchecked")
     protected <T extends Asn1Type> T getFieldAs(EnumType index, Class<T> t) {
         Asn1Type value = fields[index.getValue()];
         if (value == null) {
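Review bot: The method-level `@SuppressWarnings("unchecked")` on `getFieldAs` silences every unchecked operation in the method, not only the one that prompted it. The rest of the body is outside this hunk, but if the warning comes from a `(T) value` cast, `return t.cast(value);` would remove the need for the annotation. It would also fail at this access point with a ClassCastException when a decoded field holds a different type than the caller expects.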
@@ -187,6 +202,10 @@ public abstract class Asn1CollectionType
     }
 
     protected void setFieldAs(EnumType index, Asn1Type value) {
+        resetBodyLength(); // Reset the pre-computed body length
+        if (value instanceof Asn1Encodeable) {
+            ((Asn1Encodeable) value).outerEncodeable = this;
+        }
         fields[index.getValue()] = value;
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
index fd8a187..6c62b6c 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
@@ -61,10 +61,15 @@ public class Asn1Constructed
     }
 
     public void addItem(Asn1Type value) {
+        resetBodyLength();
         getValue().add(value);
+        if (value instanceof Asn1Encodeable) {
+            ((Asn1Encodeable) value).outerEncodeable = this;
+        }
     }
 
     public void clear() {
+        resetBodyLength();
         getValue().clear();
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
index 0bd2e81..7f4e28f 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
@@ -37,7 +37,8 @@ import java.nio.ByteBuffer;
  */
 public abstract class Asn1Encodeable extends Asn1Object implements Asn1Type {
 
-    private int bodyLength = -1;
+    protected int bodyLength = -1;
+    public Asn1Encodeable outerEncodeable = null;
 
     // encoding options
     private EncodingType encodingType = EncodingType.BER;
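Review bot: `public Asn1Encodeable outerEncodeable` exposes the parent link as a writable public field, and `bodyLength` is widened to `protected`, so any code holding an ASN.1 object can rewire the invalidation chain or overwrite the cached length that the encoder relies on. A private field with a small setter, for example `public void setOuterEncodeable(Asn1Encodeable outer)`, keeps the same functionality and gives one place to document and check the invariant. The field also needs a comment saying that it records the single container whose cached length depends on this object.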
@@ -145,6 +146,15 @@ public abstract class Asn1Encodeable extends Asn1Object implements Asn1Type {
         encodeBody(buffer);
     }
 
+    public void resetBodyLength() {
+        if (bodyLength != -1) {
+            bodyLength = -1;
+            if (outerEncodeable != null) {
+                outerEncodeable.resetBodyLength();
+            }
+        }
+    }
+
     protected void encodeBody(ByteBuffer buffer) throws IOException { }
 
     @Override
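Review bot: `resetBodyLength()` stops without notifying `outerEncodeable` whenever this object's own `bodyLength` is already -1, which is only correct if a container with a cached length always has children with cached lengths. Nothing in the hunk enforces that: subclasses in this commit assign `bodyLength` directly and attach children by writing `outerEncodeable`, so a container could keep a stale length and emit a length header that disagrees with its body. The guard does prevent endless recursion on a cyclic link, so if it stays, the method should carry Javadoc stating the invariant, e.g. `/** Invalidates the cached body length here and in enclosing containers; assumes a container is never cached while a child is not. */`.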

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
index 2980086..cac3d60 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
@@ -61,6 +61,7 @@ public abstract class Asn1Simple<T> extends AbstractAsn1Type<T> {
     }
 
     protected void setBytes(byte[] bytes) {
+        resetBodyLength();
         this.bytes = bytes;
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
index d442108..1253adf 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
@@ -58,6 +58,20 @@ public class NettyKdcHandler extends ChannelInboundHandlerAdapter {
         } catch (Exception e) {
             LOG.error("Error occurred while processing request:"
                     + e);
+            e.printStackTrace();
         }
     }
+
+    /**
+     * Calls {@link ChannelHandlerContext#fireExceptionCaught(Throwable)} to
+     * forward to the next {@link ChannelHandler} in the {@link ChannelPipeline}
+     *
+     * Sub-classes may override this method to change behavior.
+     */
+    @Override
+    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
+            throws Exception {
+        cause.printStackTrace();
+        ctx.fireExceptionCaught(cause);
+    }
 }
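Review bot: The added `e.printStackTrace()` in the catch block and `cause.printStackTrace()` in `exceptionCaught` write to stderr instead of going through `LOG`, so failures caused by incoming requests bypass log levels, rotation and any alerting attached to the logger. Passing the throwable to the logger keeps the stack trace and makes the extra call unnecessary: `LOG.error("Error occurred while processing request", e);` and `LOG.error("Unhandled exception in KDC channel", cause);`. The Javadoc on `exceptionCaught` is copied from the base class; "Sub-classes may override this method" does not describe what this override does. The same points apply to the NettyKdcUdpServerHandler hunk, and the catch block begins outside this hunk.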

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
index 797808e..04a314a 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
@@ -60,6 +60,20 @@ public class NettyKdcUdpServerHandler extends SimpleChannelInboundHandler<Datagr
         } catch (Exception e) {
             LOG.error("Error occurred while processing request:"
                     + e.getMessage());
+            e.printStackTrace();
         }
     }
+
+    /**
+     * Calls {@link ChannelHandlerContext#fireExceptionCaught(Throwable)} to
+     * forward to the next {@link ChannelHandler} in the {@link ChannelPipeline}
+     *
+     * Sub-classes may override this method to change behavior.
+     */
+    @Override
+    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
+            throws Exception {
+        cause.printStackTrace();
+        ctx.fireExceptionCaught(cause);
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 230ccb0..3620f23 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -44,6 +44,7 @@ import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdenity;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
 import org.apache.kerby.kerberos.kerb.type.KerberosTime;
 import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
@@ -79,7 +80,6 @@ import java.util.Calendar;
 import java.util.Date;
 import java.util.List;
 
-@SuppressWarnings("PMD.UnusedFormalParameter")
 public class PkinitPreauth extends AbstractPreauthPlugin {
     private static final Logger LOG = LoggerFactory.getLogger(PkinitPreauth.class);
 
@@ -213,6 +213,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
                 processingRequest = true;
                 break;
             case PK_AS_REP:
+            default:
                 break;
         }
 
@@ -226,14 +227,17 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
         }
     }
 
+    @SuppressWarnings("unused")
     private void generateRequest(PkinitRequestContext reqCtx, KdcRequest kdcRequest,
                                  PaData outPadata) {
 
     }
 
+    @SuppressWarnings("unused")
     private PaPkAsReq makePaPkAsReq(KdcRequest kdcRequest,
                                     PkinitRequestContext reqCtx,
                                     int cusec, KerberosTime ctime, int nonce, CheckSum checkSum) throws KrbException {
+        KdcRequest kdc = kdcRequest;
 
         LOG.info("Making the PK_AS_REQ.");
         PaPkAsReq paPkAsReq = new PaPkAsReq();
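Review bot: `KdcRequest kdc = kdcRequest;` adds a local that is never read, apparently only to make the parameter count as used now that the class-level PMD suppression is removed. Together with `@SuppressWarnings("unused")` on two private methods it hides dead code rather than removing it. If `generateRequest` and `makePaPkAsReq` are placeholders for unfinished request handling, a comment such as `// TODO: wire into the PK_AS_REQ path` states that directly and lets the unused local go. `makePaPkAsReq` continues outside this hunk.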
@@ -291,30 +295,28 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
 
             authPack.setClientPublicValue(pubInfo);
 
-//            DhNonce dhNonce = new DhNonce();
-//            authPack.setClientDhNonce(dhNonce);
+            // DhNonce dhNonce = new DhNonce();
+            // authPack.setClientDhNonce(dhNonce);
             byte[] signedAuthPack = signAuthPack(authPack);
             paPkAsReq.setSignedAuthPack(signedAuthPack);
 
         } else {
             LOG.info("RSA key transport algorithm");
-//            authPack.setClientPublicValue(null);
+            // authPack.setClientPublicValue(null);
         }
 
-
-
         TrustedCertifiers trustedCertifiers = pkinitContext.pluginOpts.createTrustedCertifiers();
         paPkAsReq.setTrustedCertifiers(trustedCertifiers);
 
-//        byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
-//        paPkAsReq.setKdcPkId(kdcPkId);
+        // byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
+        // paPkAsReq.setKdcPkId(kdcPkId);
 
         return paPkAsReq;
     }
 
     private byte[] signAuthPack(AuthPack authPack) throws KrbException {
 
-        String oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
+        String oid = PkinitPlgCryptoContext.getIdPkinitAuthDataOID();
 
         byte[] signedDataBytes = PkinitCrypto.eContentInfoCreate(
                 KrbCodec.encode(authPack), oid);
@@ -348,7 +350,6 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
             PkinitCrypto.verifyCmsSignedData(
                     CmsMessageType.CMS_SIGN_SERVER, signedData);
 
-
             String anchorFileName = kdcRequest.getContext().getConfig().getPkinitAnchors().get(0);
 
             X509Certificate x509Certificate = null;
@@ -361,10 +362,12 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
             Certificate archorCertificate = PkinitCrypto.changeToCertificate(x509Certificate);
 
             CertificateSet certificateSet = signedData.getCertificates();
-            List<CertificateChoices> certificateChoicesList = certificateSet.getElements();
             List<Certificate> certificates = new ArrayList<>();
-            for (CertificateChoices certificateChoices : certificateChoicesList) {
-                certificates.add(certificateChoices.getCertificate());
+            if (certificateSet != null) {
+                List<CertificateChoices> certificateChoicesList = certificateSet.getElements();
+                for (CertificateChoices certificateChoices : certificateChoicesList) {
+                    certificates.add(certificateChoices.getCertificate());
+                }
             }
             try {
                 PkinitCrypto.validateChain(certificates, archorCertificate);
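Review bot: With the new null guard, signed data that carries no certificate set now reaches `PkinitCrypto.validateChain(certificates, archorCertificate)` with an empty list, and whether that call rejects an empty chain cannot be seen from this hunk. If a missing set is not acceptable here, failing closed at the guard makes the outcome explicit, e.g. `if (certificateSet == null) { throw new KrbException("No certificates in signed data"); }`, assuming the enclosing method may throw KrbException as `signAuthPack` does. If a missing set is legitimate, a comment at the guard should say what `validateChain` does with an empty list, so the trust decision does not depend on an unstated default. The method begins and the `try` block ends outside this hunk.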

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java
new file mode 100644
index 0000000..50ac2f7
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java
@@ -0,0 +1,78 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADAndOr extends AuthorizationDataEntry {
+
+    private KrbSequenceOfType<AndOr> myAndOr;
+
+    public ADAndOr() {
+        super(AuthorizationType.AD_AND_OR);
+        myAndOr = new KrbSequenceOfType<AndOr>();
+        myAndOr.outerEncodeable = this;
+    }
+
+    public ADAndOr(byte[] encoded) throws IOException {
+        this();
+        myAndOr.decode(encoded);
+    }
+
+    public ADAndOr(List<AndOr> elements) {
+        this();
+        for (AndOr element : elements) {
+            myAndOr.add(element);
+        }
+    }
+
+    public List<AndOr> getAndOrs() throws IOException {
+        return myAndOr.getElements();
+    }
+
+    public void add(AndOr element) {
+        myAndOr.add(element);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myAndOr.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myAndOr.dumpWith(dumper, indents + 8);
+    }
+}
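Review bot: `add(AndOr)` relies on `myAndOr.add(element)` to invalidate this entry's cached length through `outerEncodeable`, whereas the sibling `ADAuthenticationIndicator.add` in this commit calls `resetBodyLength()` explicitly. Because `Asn1Encodeable.resetBodyLength()` stops propagating when the child's own length is already -1, the explicit form is the safer one: add `resetBodyLength();` after `myAndOr.add(element);`. The `};` that closes `encodingBodyLength` leaves a stray empty declaration, and `getAndOrs()` declares `IOException` although nothing visible in it throws.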

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java
new file mode 100644
index 0000000..f76b4e2
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java
@@ -0,0 +1,82 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.type.Asn1Utf8String;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADAuthenticationIndicator extends AuthorizationDataEntry {
+
+    private AuthIndicator myAuthIndicator;
+
+    private class AuthIndicator extends KrbSequenceOfType<Asn1Utf8String> {
+    }
+
+    public ADAuthenticationIndicator() {
+        super(AuthorizationType.AD_AUTHENTICAION_INDICATOR);
+        myAuthIndicator = new AuthIndicator();
+        myAuthIndicator.outerEncodeable = this;
+    }
+
+    public ADAuthenticationIndicator(byte[] encoded) throws IOException {
+        this();
+        myAuthIndicator.decode(encoded);
+    }
+
+    public List<Asn1Utf8String> getAuthIndicators() {
+        return myAuthIndicator.getElements();
+    }
+
+    public void add(Asn1Utf8String indicator) {
+        myAuthIndicator.add(indicator);
+        resetBodyLength();
+    }
+
+    public void clear() {
+        myAuthIndicator.clear();
+        resetBodyLength();
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myAuthIndicator.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myAuthIndicator.dumpWith(dumper, indents + 8);
+    }
+
+}
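Review bot: `AuthIndicator` is declared as a non-static inner class, so each instance carries a hidden reference to its enclosing `ADAuthenticationIndicator` and cannot be created without one. `ADCamMac` in this commit uses `private static class` for the same wrapper role, and `private static class AuthIndicator extends KrbSequenceOfType<Asn1Utf8String> {}` would match it. The constant `AD_AUTHENTICAION_INDICATOR` is misspelled (missing "T"); it is defined in AuthorizationType, outside this file, so the rename belongs there and is cheapest before more callers pick up the name.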

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java
new file mode 100644
index 0000000..138ba04
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java
@@ -0,0 +1,187 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * <pre>
+ * AD-CAMMAC                   ::= SEQUENCE {
+ *          elements              [0] AuthorizationData,
+ *          kdc-verifier          [1] Verifier-MAC OPTIONAL,
+ *          svc-verifier          [2] Verifier-MAC OPTIONAL,
+ *          other-verifiers       [3] SEQUENCE (SIZE (1..MAX))
+ *                                    OF Verifier OPTIONAL
+ *    }
+ * </pre>
+ *
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADCamMac extends AuthorizationDataEntry {
+
+    private CamMac myCamMac;
+
+    private static class CamMac extends KrbSequenceType {
+
+        protected enum CamMacField implements EnumType {
+            CAMMAC_elements, CAMMAC_kdc_verifier, CAMMAC_svc_verifier, CAMMAC_other_verifiers;
+
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The CamMac's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(CamMacField.CAMMAC_elements, AuthorizationData.class),
+                new ExplicitField(CamMacField.CAMMAC_kdc_verifier, CamMacVerifierMac.class),
+                new ExplicitField(CamMacField.CAMMAC_svc_verifier, CamMacVerifierMac.class),
+                new ExplicitField(CamMacField.CAMMAC_other_verifiers, CamMacOtherVerifiers.class)};
+
+        CamMac() {
+            super(fieldInfos);
+        }
+
+        CamMac(byte[] authzFields) {
+            super(fieldInfos);
+            super.setFieldAsOctets(AuthorizationDataEntryField.AD_DATA, authzFields);
+        }
+
+        CamMac(AuthorizationData authzData) {
+            super(fieldInfos);
+            setFieldAs(CamMacField.CAMMAC_elements, authzData);
+        }
+
+        public AuthorizationData getAuthorizationData() {
+            return getFieldAs(CamMacField.CAMMAC_elements, AuthorizationData.class);
+        }
+
+        public void setAuthorizationData(AuthorizationData authzData) {
+            setFieldAs(CamMacField.CAMMAC_elements, authzData);
+            resetBodyLength();
+        }
+
+        public CamMacVerifierMac getKdcVerifier() {
+            return getFieldAs(CamMacField.CAMMAC_kdc_verifier, CamMacVerifierMac.class);
+        }
+
+        public void setKdcVerifier(CamMacVerifierMac kdcVerifier) {
+            setFieldAs(CamMacField.CAMMAC_kdc_verifier, kdcVerifier);
+            resetBodyLength();
+        }
+
+        public CamMacVerifierMac getSvcVerifier() {
+            return getFieldAs(CamMacField.CAMMAC_svc_verifier, CamMacVerifierMac.class);
+        }
+
+        public void setSvcVerifier(CamMacVerifierMac svcVerifier) {
+            setFieldAs(CamMacField.CAMMAC_svc_verifier, svcVerifier);
+            resetBodyLength();
+        }
+
+        public CamMacOtherVerifiers getOtherVerifiers() {
+            return getFieldAs(CamMacField.CAMMAC_other_verifiers, CamMacOtherVerifiers.class);
+        }
+
+        public void setOtherVerifiers(CamMacOtherVerifiers svcVerifier) {
+            setFieldAs(CamMacField.CAMMAC_other_verifiers, svcVerifier);
+            resetBodyLength();
+        }
+    }
+
+    public ADCamMac() {
+        super(AuthorizationType.AD_CAMMAC);
+        myCamMac = new CamMac();
+        myCamMac.outerEncodeable = this;
+    }
+
+    public ADCamMac(byte[] encoded) throws IOException {
+        this();
+        myCamMac.decode(encoded);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myCamMac.getAuthorizationData();
+    }
+
+    public void setAuthorizationData(AuthorizationData authzData) {
+        myCamMac.setAuthorizationData(authzData);
+    }
+
+    public CamMacVerifierMac getKdcVerifier() {
+        return myCamMac.getKdcVerifier();
+    }
+
+    public void setKdcVerifier(CamMacVerifierMac kdcVerifier) {
+        myCamMac.setKdcVerifier(kdcVerifier);
+    }
+
+    public CamMacVerifierMac getSvcVerifier() {
+        return myCamMac.getSvcVerifier();
+    }
+
+    public void setSvcVerifier(CamMacVerifierMac svcVerifier) {
+        myCamMac.setSvcVerifier(svcVerifier);
+    }
+
+    public CamMacOtherVerifiers getOtherVerifiers() {
+        return myCamMac.getOtherVerifiers();
+    }
+
+    public void setOtherVerifiers(CamMacOtherVerifiers otherVerifiers) {
+        myCamMac.setOtherVerifiers(otherVerifiers);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myCamMac.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        try {
+            setAuthzData(myCamMac.encode());
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myCamMac.dumpWith(dumper, indents + 8);
+    }
+
+}
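Review bot: The `CamMac(byte[] authzFields)` constructor indexes this sequence with `AuthorizationDataEntryField.AD_DATA`, an enum that belongs to the outer entry and not to `CamMacField`, so the octets land in whichever CamMac slot happens to share that ordinal. It looks like a copy-paste slip, and since nothing visible in this file calls the constructor, removing it is the simplest fix. `dumpWith` re-encodes the entry as a side effect and swallows the `IOException` with `e.printStackTrace()`, so a failed encode produces a dump of stale data with no signal to the caller. The class Javadoc should also state that `getAuthorizationData()` returns the elements as decoded, with no check of `kdc-verifier` or `svc-verifier`, so callers must verify a MAC before treating the elements as KDC-authenticated.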

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java
new file mode 100644
index 0000000..3a40490
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java
@@ -0,0 +1,83 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADEnctypeNegotiation extends AuthorizationDataEntry {
+
+    private KrbSequenceOfType<Asn1Integer> myEnctypeNeg;
+
+    public ADEnctypeNegotiation() {
+        super(AuthorizationType.AD_ETYPE_NEGOTIATION);
+        myEnctypeNeg = new KrbSequenceOfType<Asn1Integer>();
+        myEnctypeNeg.outerEncodeable = this;
+    }
+
+    public ADEnctypeNegotiation(byte[] encoded) throws IOException {
+        this();
+        myEnctypeNeg.decode(encoded);
+    }
+
+    public ADEnctypeNegotiation(List<Asn1Integer> enctypeNeg) throws IOException {
+        this();
+        for (Asn1Integer element : enctypeNeg) {
+            myEnctypeNeg.add(element);
+        }
+    }
+
+    public List<Asn1Integer> getEnctypeNegotiation() {
+        return myEnctypeNeg.getElements();
+    }
+
+    public void add(Asn1Integer element) {
+        myEnctypeNeg.add(element);
+    }
+
+    public void clear() {
+        myEnctypeNeg.clear();
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myEnctypeNeg.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    }
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myEnctypeNeg.dumpWith(dumper, indents + 8);
+    }
+}
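Review bot: The `ADEnctypeNegotiation(byte[] encoded)` constructor decodes into `myEnctypeNeg` but never stores `encoded` in the entry's own AD_DATA field. As far as these hunks show, the inherited `getAuthzData()` therefore stays empty until `encodingBodyLength()` runs, and `AuthorizationDataEntry.clone()` (added in this commit) would dereference that empty value through `getAuthzData().clone()`. Adding `setAuthzData(encoded);` after `this();` would keep the outer entry and the decoded view in step. The same pattern appears in the `byte[]` constructors of ADIntendedForApplicationClass, ADIntendedForServer and ADKdcIssued.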

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java
new file mode 100644
index 0000000..fee3657
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java
@@ -0,0 +1,179 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KerberosStrings;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * Asn1 Class for the "intended for application class" authorization type.
+ *
+ * RFC 4120
+ * 
+ * AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+ * SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+ * 
+ * encapsulated within the intended-for-application-class element may be ignored
+ * if the application server is not in one of the named classes of application
+ * servers. Examples of application server classes include "FILESYSTEM", and
+ * other kinds of servers.
+ * 
+ * This element and the elements it encapsulates may be safely ignored by
+ * applications, application servers, and KDCs that do not implement this
+ * element.
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADIntendedForApplicationClass extends AuthorizationDataEntry {
+
+    private IntendedForApplicationClass myIntForAppClass;
+
+    private static class IntendedForApplicationClass extends KrbSequenceType {
+
+        private AuthorizationData authzData;
+
+        /**
+         * The possible fields
+         */
+        protected enum IntendedForApplicationClassField implements EnumType {
+            IFAC_intendedAppClass, IFAC_elements;
+
+            /**
+             * {@inheritDoc}
+             */
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            /**
+             * {@inheritDoc}
+             */
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The IntendedForApplicationClass's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(IntendedForApplicationClassField.IFAC_intendedAppClass, KerberosStrings.class),
+                new ExplicitField(IntendedForApplicationClassField.IFAC_elements, AuthorizationData.class)};
+
+        /**
+         * Creates an IntendedForApplicationClass instance
+         */
+        IntendedForApplicationClass() {
+            super(fieldInfos);
+        }
+
+        /**
+         * Creates an IntendedForApplicationClass instance
+         */
+        IntendedForApplicationClass(KerberosStrings intendedAppClass) {
+            super(fieldInfos);
+            setFieldAs(IntendedForApplicationClassField.IFAC_intendedAppClass, intendedAppClass);
+        }
+
+        public KerberosStrings getIntendedForApplicationClass() {
+            return getFieldAs(IntendedForApplicationClassField.IFAC_intendedAppClass, KerberosStrings.class);
+        }
+
+        /**
+         * Sets the Intended Application Class value.
+         */
+        public void setIntendedForApplicationClass(KerberosStrings intendedAppClass) {
+            setFieldAs(IntendedForApplicationClassField.IFAC_intendedAppClass, intendedAppClass);
+            resetBodyLength();
+        }
+
+        public AuthorizationData getAuthzData() {
+            if (authzData == null) {
+                authzData = getFieldAs(IntendedForApplicationClassField.IFAC_elements, AuthorizationData.class);
+            }
+            return authzData;
+        }
+
+        public void setAuthzData(AuthorizationData authzData) {
+            this.authzData = authzData;
+            setFieldAs(IntendedForApplicationClassField.IFAC_elements, authzData);
+            resetBodyLength();
+        }
+    }
+
+    public ADIntendedForApplicationClass() {
+        super(AuthorizationType.AD_INTENDED_FOR_APPLICATION_CLASS);
+        myIntForAppClass = new IntendedForApplicationClass();
+        myIntForAppClass.outerEncodeable = this;
+    }
+
+    public ADIntendedForApplicationClass(byte[] encoded) throws IOException {
+        this();
+        myIntForAppClass.decode(encoded);
+    }
+
+    public ADIntendedForApplicationClass(KerberosStrings intendedAppClass) throws IOException {
+        this();
+        myIntForAppClass.setIntendedForApplicationClass(intendedAppClass);
+    }
+
+    public KerberosStrings getIntendedForApplicationClass() {
+        return myIntForAppClass.getIntendedForApplicationClass();
+    }
+
+    /**
+     * Sets the Intended Application Class value.
+     */
+    public void setIntendedForApplicationClass(KerberosStrings intendedAppClass) {
+        myIntForAppClass.setIntendedForApplicationClass(intendedAppClass);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myIntForAppClass.getAuthzData();
+    }
+
+    public void setAuthorizationData(AuthorizationData authzData) {
+        myIntForAppClass.setAuthzData(authzData);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myIntForAppClass.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myIntForAppClass.dumpWith(dumper, indents + 8);
+    }
+}
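Review bot: The shared field table is declared `private static Asn1FieldInfo[] fieldInfos`, so every instance's ASN.1 layout depends on a reassignable static; it should be `private static final Asn1FieldInfo[] fieldInfos`. `encodingBodyLength()` also closes with `};`, leaving an empty declaration after the method; a plain `}` is enough. The non-final `fieldInfos` recurs in ADIntendedForServer, ADKdcIssued and AndOr, and the stray `;` in ADIntendedForServer and ADKdcIssued. The inner `IntendedForApplicationClass(KerberosStrings)` constructor appears unused in this file, since the outer class always goes through the no-arg constructor plus the setter.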

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java
new file mode 100644
index 0000000..fa28b96
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java
@@ -0,0 +1,162 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * Asn1 Class for the "intended for server" authorization type.
+ *
+ * RFC 4120
+ * 
+ * AD-INTENDED-FOR-SERVER SEQUENCE { intended-server[0] SEQUENCE OF
+ * PrincipalName elements[1] AuthorizationData }
+ * 
+ * AD elements encapsulated within the intended-for-server element may be
+ * ignored if the application server is not in the list of principal names of
+ * intended servers. Further, a KDC issuing a ticket for an application server
+ * can remove this element if the application server is not in the list of
+ * intended servers.
+ * 
+ * Application servers should check for their principal name in the
+ * intended-server field of this element. If their principal name is not found,
+ * this element should be ignored. If found, then the encapsulated elements
+ * should be evaluated in the same manner as if they were present in the top
+ * level authorization data field. Applications and application servers that do
+ * not implement this element should reject tickets that contain authorization
+ * data elements of this type.
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADIntendedForServer extends AuthorizationDataEntry {
+
+    private IntForSrvr myIntForSrvr;
+
+    private static class IntForSrvr extends KrbSequenceType {
+
+        private AuthorizationData authzData;
+
+        protected enum IntForSrvrField implements EnumType {
+            IFS_intendedServer, IFS_elements;
+
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The IntendedForServer's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(IntForSrvrField.IFS_intendedServer, PrincipalList.class),
+                new ExplicitField(IntForSrvrField.IFS_elements, AuthorizationData.class)};
+
+        IntForSrvr() {
+            super(fieldInfos);
+        }
+
+        IntForSrvr(PrincipalList principals) {
+            super(fieldInfos);
+            setFieldAs(IntForSrvrField.IFS_intendedServer, principals);
+        }
+
+        public PrincipalList getIntendedServer() {
+            return getFieldAs(IntForSrvrField.IFS_intendedServer, PrincipalList.class);
+        }
+
+        public void setIntendedServer(PrincipalList principals) {
+            setFieldAs(IntForSrvrField.IFS_intendedServer, principals);
+            resetBodyLength();
+        }
+
+        public AuthorizationData getAuthzData() {
+            if (authzData == null) {
+                authzData = getFieldAs(IntForSrvrField.IFS_elements, AuthorizationData.class);
+            }
+            return authzData;
+        }
+
+        public void setAuthzData(AuthorizationData authzData) {
+            this.authzData = authzData;
+            setFieldAs(IntForSrvrField.IFS_elements, authzData);
+            resetBodyLength();
+        }
+    }
+
+    public ADIntendedForServer() {
+        super(AuthorizationType.AD_INTENDED_FOR_SERVER);
+        myIntForSrvr = new IntForSrvr();
+        myIntForSrvr.outerEncodeable = this;
+    }
+
+    public ADIntendedForServer(byte[] encoded) throws IOException {
+        this();
+        myIntForSrvr.decode(encoded);
+    }
+
+    public ADIntendedForServer(PrincipalList principals) throws IOException {
+        this();
+        myIntForSrvr.setIntendedServer(principals);
+    }
+
+    public PrincipalList getIntendedServer() {
+        return myIntForSrvr.getIntendedServer();
+    }
+
+    public void setIntendedServer(PrincipalList principals) {
+        myIntForSrvr.setIntendedServer(principals);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myIntForSrvr.getAuthzData();
+    }
+
+    public void setAuthorizationData(AuthorizationData authzData) {
+        myIntForSrvr.setAuthzData(authzData);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myIntForSrvr.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myIntForSrvr.dumpWith(dumper, indents + 8);
+    }
+}
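Review bot: `getAuthorizationData()` hands back the encapsulated elements with no reference to the intended-server list, and the method has no Javadoc saying so. The class comment states that a server must find its own principal in intended-server before evaluating these elements, so the accessor should carry that contract where callers will see it. Suggested comment: `/** Returns the encapsulated elements as decoded; no intended-server check is made here, so callers must match their principal against getIntendedServer() first. */`. A matching one-line Javadoc on `getIntendedServer()` noting that it may return null when the field is absent would help too, though that is inferred from `getFieldAs` rather than shown here.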

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java
new file mode 100644
index 0000000..22a7b52
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java
@@ -0,0 +1,169 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.base.Realm;
+
+/**
+ * <pre>
+ *    AD-KDCIssued            ::= SEQUENCE {
+ *         ad-checksum     [0] Checksum,
+ *         i-realm         [1] Realm OPTIONAL,
+ *         i-sname         [2] PrincipalName OPTIONAL,
+ *         elements        [3] AuthorizationData
+ *    }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADKdcIssued extends AuthorizationDataEntry {
+
+    private KdcIssued myKdcIssued;
+
+    private static class KdcIssued extends KrbSequenceType {
+
+        enum KdcIssuedField implements EnumType {
+            AD_CHECKSUM, I_REALM, I_SNAME, ELEMENTS;
+
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The AuthorizationDataEntry's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(KdcIssuedField.AD_CHECKSUM, CheckSum.class),
+                new ExplicitField(KdcIssuedField.I_REALM, Realm.class),
+                new ExplicitField(KdcIssuedField.I_SNAME, PrincipalName.class),
+                new ExplicitField(KdcIssuedField.ELEMENTS, AuthorizationData.class)};
+
+        KdcIssued() {
+            super(fieldInfos);
+        }
+
+        public CheckSum getCheckSum() {
+            return getFieldAs(KdcIssuedField.AD_CHECKSUM, CheckSum.class);
+        }
+
+        public void setCheckSum(CheckSum chkSum) {
+            setFieldAs(KdcIssuedField.AD_CHECKSUM, chkSum);
+        }
+
+        public Realm getRealm() {
+            return getFieldAs(KdcIssuedField.I_REALM, Realm.class);
+        }
+
+        public void setRealm(Realm realm) {
+            setFieldAs(KdcIssuedField.I_REALM, realm);
+        }
+
+        public PrincipalName getSname() {
+            return getFieldAs(KdcIssuedField.I_SNAME, PrincipalName.class);
+        }
+
+        public void setSname(PrincipalName sName) {
+            setFieldAs(KdcIssuedField.I_SNAME, sName);
+        }
+
+        public AuthorizationData getAuthzData() {
+            return getFieldAs(KdcIssuedField.ELEMENTS, AuthorizationData.class);
+        }
+
+        public void setAuthzData(AuthorizationData authzData) {
+            setFieldAs(KdcIssuedField.ELEMENTS, authzData);
+        }
+    }
+
+    public ADKdcIssued() {
+        super(AuthorizationType.AD_KDC_ISSUED);
+        myKdcIssued = new KdcIssued();
+        myKdcIssued.outerEncodeable = this;
+    }
+
+    public ADKdcIssued(byte[] encoded) throws IOException {
+        this();
+        myKdcIssued.decode(encoded);
+    }
+
+    public CheckSum getCheckSum() {
+        return myKdcIssued.getCheckSum();
+    }
+
+    public void setCheckSum(CheckSum chkSum) {
+        myKdcIssued.setCheckSum(chkSum);
+    }
+
+    public Realm getRealm() {
+        return myKdcIssued.getRealm();
+    }
+
+    public void setRealm(Realm realm) {
+        myKdcIssued.setRealm(realm);
+    }
+
+    public PrincipalName getSname() {
+        return myKdcIssued.getSname();
+    }
+
+    public void setSname(PrincipalName sName) {
+        myKdcIssued.setSname(sName);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myKdcIssued.getAuthzData();
+    }
+
+    public void setAuthzData(AuthorizationData authzData) {
+        myKdcIssued.setAuthzData(authzData);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myKdcIssued.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myKdcIssued.dumpWith(dumper, indents + 8);
+    }
+}
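Review bot: Nothing in this class compares `ad-checksum` with `elements`; `getAuthorizationData()` returns whatever was decoded, and the class Javadoc gives only the ASN.1. Since the checksum is what ties the elements to the KDC, the accessor should say that verification is the caller's job, for example `/** Returns the elements as decoded; ad-checksum is not verified here and must be checked before these are treated as KDC-issued. */`. Separately, the inner `KdcIssued` setters call `setFieldAs` without `resetBodyLength()`, unlike the setters in `IntendedForApplicationClass` and `IntForSrvr`; unless `setFieldAs` invalidates the cached length itself, a checksum set after the first encode may not reach the encoded AD_DATA.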

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java
new file mode 100644
index 0000000..927cc4a
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java
@@ -0,0 +1,87 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * <pre>
+ * AD-AND-OR               ::= SEQUENCE {
+ *         condition-count [0] Int32,
+ *         elements        [1] AuthorizationData
+ * }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class AndOr extends KrbSequenceType {
+
+    protected enum AndOrField implements EnumType {
+        AndOr_ConditionCount, AndOr_Elements;
+
+        @Override
+        public int getValue() {
+            return ordinal();
+        }
+
+        @Override
+        public String getName() {
+            return name();
+        }
+    }
+
+    /** The CamMac's fields */
+    private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+            new ExplicitField(AndOrField.AndOr_ConditionCount, Asn1Integer.class),
+            new ExplicitField(AndOrField.AndOr_Elements, AuthorizationData.class)};
+
+    public AndOr() {
+        super(fieldInfos);
+    }
+
+    public AndOr(int conditionCount, AuthorizationData authzData) {
+        super(fieldInfos);
+        setFieldAs(AndOrField.AndOr_ConditionCount, new Asn1Integer(conditionCount));
+        setFieldAs(AndOrField.AndOr_Elements, authzData);
+    }
+
+    public int getConditionCount() {
+        return getFieldAs(AndOrField.AndOr_ConditionCount, Asn1Integer.class).getValue().intValue();
+    }
+
+    public void setConditionCount(int conditionCount) {
+        setFieldAs(AndOrField.AndOr_ConditionCount, new Asn1Integer(conditionCount));
+    }
+
+    public AuthorizationData getAuthzData() {
+        return getFieldAs(AndOrField.AndOr_Elements, AuthorizationData.class);
+    }
+
+    public void setAuthzData(AuthorizationData authzData) {
+        setFieldAs(AndOrField.AndOr_Elements, authzData);
+    }
+
+}
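Review bot: `getConditionCount()` chains `getFieldAs(...).getValue().intValue()` with no null check, so an `AndOr` built with the no-arg constructor, or decoded from input that lacks the field, would throw a NullPointerException there. Fetching the field first and failing explicitly is clearer: `Asn1Integer count = getFieldAs(AndOrField.AndOr_ConditionCount, Asn1Integer.class);` followed by `if (count == null) { throw new IllegalStateException("condition-count is not set"); }`. `intValue()` also narrows silently, so a decoded value outside the Int32 range (or a negative one) would reach whatever code counts satisfied elements; a range check belongs here or in that consumer. The field-table comment reads `/** The CamMac's fields */` and should be `/** The AndOr's fields */`.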

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
index 57f8299..3f8b07d 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
@@ -35,4 +35,14 @@ import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public class AuthorizationData extends KrbSequenceOfType<AuthorizationDataEntry> {
+
+    public AuthorizationData clone() {
+        AuthorizationData result = new AuthorizationData();
+
+        for (AuthorizationDataEntry entry : super.getElements()) {
+            result.add(entry.clone());
+        }
+
+        return result;
+    }
 }
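Review bot: The new `clone()` has no `@Override` and no Javadoc, and it does not produce a like-for-like copy. It is built from `entry.clone()`, which in this commit returns `new AuthorizationDataEntry(getAuthzType(), getAuthzData().clone())`, so typed entries such as ADKdcIssued come back as plain `AuthorizationDataEntry` objects, and an entry whose AD_DATA has not been populated yet would fail on `getAuthzData().clone()`. I would add `@Override` and a comment such as `/** Deep-copies the raw type and AD_DATA of each entry; typed subclasses are flattened to AuthorizationDataEntry. */`, and guard the null case in `AuthorizationDataEntry.clone()`.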

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
index bd08692..fa9284b 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
@@ -24,8 +24,11 @@ import org.apache.kerby.asn1.EnumType;
 import org.apache.kerby.asn1.ExplicitField;
 import org.apache.kerby.asn1.type.Asn1Integer;
 import org.apache.kerby.asn1.type.Asn1OctetString;
+import org.apache.kerby.asn1.type.Asn1Type;
 import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
 
+import java.io.IOException;
+
 /**
  * The AuthorizationData component as defined in RFC 4120 :
  * 
@@ -79,6 +82,23 @@ public class AuthorizationDataEntry extends KrbSequenceType {
     }
 
     /**
+     * Creates an AuthorizationDataEntry instance
+     */
+    public AuthorizationDataEntry(AuthorizationType type) {
+        super(fieldInfos);
+        setAuthzType(type);
+    }
+
+    /**
+     * Creates an AuthorizationDataEntry instance
+     */
+    public AuthorizationDataEntry(AuthorizationType type, byte[] authzData) {
+        super(fieldInfos);
+        setAuthzType(type);
+        setAuthzData(authzData);
+    }
+
+    /**
      * @return The AuthorizationType (AD_TYPE) field
      */
     public AuthorizationType getAuthzType() {
@@ -96,7 +116,7 @@ public class AuthorizationDataEntry extends KrbSequenceType {
     }
 
     /**
-     * @return The AuthorizationType (AD_DATA) field
+     * @return The AuthorizationData (AD_DATA) field
      */
     public byte[] getAuthzData() {
         return getFieldAsOctets(AuthorizationDataEntryField.AD_DATA);
@@ -109,4 +129,31 @@ public class AuthorizationDataEntry extends KrbSequenceType {
     public void setAuthzData(byte[] authzData) {
         setFieldAsOctets(AuthorizationDataEntryField.AD_DATA, authzData);
     }
+
+    /**
+     * @param <T>
+     * @return The AuthorizationData (AD_DATA) field
+     * @throws IllegalAccessException
+     * @throws InstantiationException
+     */
+    public <T extends Asn1Type> T getAuthzDataAs(Class<T> type) {
+        T result = null;
+        byte[] authzBytes = getFieldAsOctets(
+                AuthorizationDataEntryField.AD_DATA);
+        if (authzBytes != null) {
+            try {
+                result = type.newInstance();
+                result.decode(authzBytes);
+            } catch (InstantiationException | IllegalAccessException | IOException e) {
+                e.printStackTrace();
+            }
+
+        }
+        return result;
+    }
+
+    public AuthorizationDataEntry clone() {
+        return new AuthorizationDataEntry(getAuthzType(),
+                getAuthzData().clone());
+    }
 }
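Review bot: `getAuthzDataAs` returns a non-null, partially decoded object when `decode` fails, because `result` is already assigned by `type.newInstance()` before the `IOException` is caught and only printed. Authorization data arrives inside tickets, so a caller cannot tell malformed AD_DATA from a successful parse; the failure should reach the caller instead of going to `printStackTrace()`. The Javadoc also lists `@throws IllegalAccessException` and `@throws InstantiationException`, which the method never throws. The sketch below adds `throws IOException` to the signature, so existing callers would need updating; the class body starts outside this hunk.

```java
    public <T extends Asn1Type> T getAuthzDataAs(Class<T> type) throws IOException {
        byte[] authzBytes = getFieldAsOctets(AuthorizationDataEntryField.AD_DATA);
        if (authzBytes == null) {
            return null;
        }
        T result;
        try {
            result = type.newInstance();
        } catch (InstantiationException | IllegalAccessException e) {
            throw new IOException("Cannot instantiate " + type.getName(), e);
        }
        // A decode failure now propagates instead of yielding a half-filled object.
        result.decode(authzBytes);
        return result;
    }
    // … unchanged: clone() …
```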

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java
new file mode 100644
index 0000000..e7c3fa5
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java
@@ -0,0 +1,118 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.EnumType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class AuthorizationDataWrapper extends AuthorizationDataEntry {
+
+    private AuthorizationData authorizationData;
+
+    public enum WrapperType implements EnumType {
+        AD_IF_RELEVANT(AuthorizationType.AD_IF_RELEVANT.getValue()), AD_MANDATORY_FOR_KDC(
+                AuthorizationType.AD_MANDATORY_FOR_KDC.getValue());
+
+        /** The internal value */
+        private final int value;
+
+        /**
+         * Create a new enum
+         */
+        WrapperType(int value) {
+            this.value = value;
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public int getValue() {
+            return value;
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public String getName() {
+            return name();
+        }
+
+    }
+
+    public AuthorizationDataWrapper(WrapperType type) {
+        super(Enum.valueOf(AuthorizationType.class, type.name()));
+    }
+
+    public AuthorizationDataWrapper(WrapperType type, AuthorizationData authzData) throws IOException {
+        super(Enum.valueOf(AuthorizationType.class, type.name()));
+        authorizationData = authzData;
+        if (authzData != null) {
+            setAuthzData(authzData.encode());
+        } else {
+            setAuthzData(null);
+        }
+    }
+
+    /**
+     * @return The AuthorizationType (AD_DATA) field
+     * @throws IOException
+     */
+    public AuthorizationData getAuthorizationData() throws IOException {
+        AuthorizationData result;
+        if (authorizationData != null) {
+            result = authorizationData;
+        } else {
+            result = new AuthorizationData();
+            result.decode(getAuthzData());
+        }
+        return result;
+    }
+
+    /**
+     * Sets the AuthorizationData (AD_DATA) field
+     * 
+     * @param authzData The AuthorizationData to set
+     * @throws IOException
+     */
+    public void setAuthorizationData(AuthorizationData authzData) throws IOException {
+        setAuthzData(authzData.encode());
+    }
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        try {
+            getAuthorizationData().dumpWith(dumper, indents + 8);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
+}
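Review bot: `setAuthorizationData` re-encodes the bytes with `setAuthzData(authzData.encode())` but never updates the `authorizationData` field, so on a wrapper built with the two-argument constructor `getAuthorizationData()` keeps returning the constructor's object while the encoded AD_DATA holds the new one. The value a caller inspects can then differ from what is written to the wire; assigning `authorizationData = authzData;` in the setter keeps the two in step. The setter also dereferences `authzData` without the null check the constructor has. On the one-argument constructor path `getAuthorizationData()` passes `getAuthzData()` straight to `decode`, and that value may be null when nothing has been set.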

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
index 4718206..0135215 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
@@ -21,6 +21,9 @@ package org.apache.kerby.kerberos.kerb.type.ad;
 
 import org.apache.kerby.asn1.EnumType;
 
+import java.util.HashMap;
+import java.util.Map;
+
 /**
  * The various AuthorizationType values, as defined in RFC 4120 and RFC 1510.
  * 
@@ -36,6 +39,14 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "if relevant" authorization type.
      *
      * RFC 4120
+     * 
+     * AD elements encapsulated within the if-relevant element are intended for
+     * interpretation only by application servers that understand the particular
+     * ad-type of the embedded element. Application servers that do not
+     * understand the type of an element embedded within the if-relevant element
+     * may ignore the uninterpretable element. This element promotes
+     * interoperability across implementations which may have local extensions
+     * for authorization.
      */
     AD_IF_RELEVANT(1),
 
@@ -43,6 +54,23 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "intended for server" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-INTENDED-FOR-SERVER SEQUENCE { intended-server[0] SEQUENCE OF
+     * PrincipalName elements[1] AuthorizationData }
+     * 
+     * AD elements encapsulated within the intended-for-server element may be
+     * ignored if the application server is not in the list of principal names
+     * of intended servers. Further, a KDC issuing a ticket for an application
+     * server can remove this element if the application server is not in the
+     * list of intended servers.
+     * 
+     * Application servers should check for their principal name in the
+     * intended-server field of this element. If their principal name is not
+     * found, this element should be ignored. If found, then the encapsulated
+     * elements should be evaluated in the same manner as if they were present
+     * in the top level authorization data field. Applications and application
+     * servers that do not implement this element should reject tickets that
+     * contain authorization data elements of this type.
      */
     AD_INTENDED_FOR_SERVER(2),
 
@@ -50,6 +78,19 @@ public enum AuthorizationType implements EnumType {
      * Constant for the  "intended for application class" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
+     * intended-application-class[0] SEQUENCE OF GeneralString elements[1]
+     * AuthorizationData } AD elements
+     * 
+     * encapsulated within the intended-for-application-class element may be
+     * ignored if the application server is not in one of the named classes of
+     * application servers. Examples of application server classes include
+     * "FILESYSTEM", and other kinds of servers.
+     * 
+     * This element and the elements it encapsulates may be safely ignored by
+     * applications, application servers, and KDCs that do not implement this
+     * element.
      */
     AD_INTENDED_FOR_APPLICATION_CLASS(3),
 
@@ -57,20 +98,68 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "kdc issued" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-KDCIssued SEQUENCE { ad-checksum[0] Checksum, i-realm[1] Realm
+     * OPTIONAL, i-sname[2] PrincipalName OPTIONAL, elements[3]
+     * AuthorizationData. }
+     * 
+     * ad-checksum A checksum over the elements field using a cryptographic
+     * checksum method that is identical to the checksum used to protect the
+     * ticket itself (i.e. using the same hash function and the same encryption
+     * algorithm used to encrypt the ticket) and using a key derived from the
+     * same key used to protect the ticket. i-realm, i-sname The name of the
+     * issuing principal if different from the KDC itself. This field would be
+     * used when the KDC can verify the authenticity of elements signed by the
+     * issuing principal and it allows this KDC to notify the application server
+     * of the validity of those elements. elements A sequence of authorization
+     * data elements issued by the KDC.
+     * 
+     * The KDC-issued ad-data field is intended to provide a means for Kerberos
+     * principal credentials to embed within themselves privilege attributes and
+     * other mechanisms for positive authorization, amplifying the privileges of
+     * the principal beyond what can be done using a credentials without such an
+     * a-data element.
+     * 
+     * This can not be provided without this element because the definition of
+     * the authorization-data field allows elements to be added at will by the
+     * bearer of a TGT at the time that they request service tickets and
+     * elements may also be added to a delegated ticket by inclusion in the
+     * authenticator.
      */
     AD_KDC_ISSUED(4),
 
     /**
-     * Constant for the "or" authorization type.
+     * Constant for the "and/or" authorization type.
      *
      * RFC 4120
+     * 
+     * When restrictive AD elements encapsulated within the and-or element are
+     * encountered, only the number specified in condition-count of the
+     * encapsulated conditions must be met in order to satisfy this element.
+     * This element may be used to implement an "or" operation by setting the
+     * condition-count field to 1, and it may specify an "and" operation by
+     * setting the condition count to the number of embedded elements.
+     * Application servers that do not implement this element must reject
+     * tickets that contain authorization data elements of this type.
      */
-    AD_OR(5),
+    AD_AND_OR(5),
 
     /**
      * Constant for the "mandatory ticket extensions" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-Mandatory-Ticket-Extensions Checksum
+     * 
+     * An authorization data element of type mandatory-ticket-extensions
+     * specifies a collision-proof checksum using the same hash algorithm used
+     * to protect the integrity of the ticket itself. This checksum will be
+     * calculated over the entire extensions field. If there are more than one
+     * extension, all will be covered by the checksum. This restriction
+     * indicates that the ticket should not be accepted if the checksum does not
+     * match that calculated over the ticket extensions. Application servers
+     * that do not implement this element must reject tickets that contain
+     * authorization data elements of this type.
      */
     AD_MANDATORY_TICKET_EXTENSIONS(6),
 
@@ -78,6 +167,22 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "in ticket extensions" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-IN-Ticket-Extensions Checksum
+     * 
+     * An authorization data element of type in-ticket-extensions specifies a
+     * collision-proof checksum using the same hash algorithm used to protect
+     * the integrity of the ticket itself. This checksum is calculated over a
+     * separate external AuthorizationData field carried in the ticket
+     * extensions. Application servers that do not implement this element must
+     * reject tickets that contain authorization data elements of this type.
+     * Application servers that do implement this element will search the ticket
+     * extensions for authorization data fields, calculate the specified
+     * checksum over each authorization data field and look for one matching the
+     * checksum in this in-ticket-extensions element. If not found, then the
+     * ticket must be rejected. If found, the corresponding authorization data
+     * elements will be interpreted in the same manner as if they were contained
+     * in the top level authorization data field.
      */
     AD_IN_TICKET_EXTENSIONS(7),
 
@@ -85,10 +190,74 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "mandatory-for-kdc" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-MANDATORY-FOR-KDC ::= AuthorizationData
+     * 
+     * AD elements encapsulated within the mandatory-for-kdc element are to be
+     * interpreted by the KDC. KDCs that do not understand the type of an
+     * element embedded within the mandatory-for-kdc element MUST reject the
+     * request.
      */
     AD_MANDATORY_FOR_KDC(8),
 
     /**
+     * Constant for the "initial-verified-cas" authorization type.
+     *
+     * RFC 4556
+     * 
+     * AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier --
+     * Identifies the certification path with which -- the client certificate
+     * was validated. -- Each ExternalPrincipalIdentifier identifies a CA -- or
+     * a CA certificate (thereby its public key).
+     * 
+     * The AD-INITIAL-VERIFIED-CAS structure identifies the certification path
+     * with which the client certificate was validated. Each
+     * ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
+     * INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
+     * (thereby its public key).
+     * 
+     * Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization data
+     * does permit empty SEQUENCEs to be encoded. Such empty sequences may only
+     * be used if the KDC itself vouches for the user's certificate.
+     * 
+     * The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
+     * containers if the list of CAs satisfies the AS' realm's local policy
+     * (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag [RFC4120]).
+     * Furthermore, any TGS MUST copy such authorization data from tickets used
+     * within a PA-TGS-REQ of the TGS-REQ into the resulting ticket. If the list
+     * of CAs satisfies the local KDC's realm's policy, the TGS MAY wrap the
+     * data into the AD-IF-RELEVANT container; otherwise, it MAY unwrap the
+     * authorization data out of the AD-IF-RELEVANT container.
+     * 
+     * Application servers that understand this authorization data type SHOULD
+     * apply local policy to determine whether a given ticket bearing such a
+     * type *not* contained within an AD-IF-RELEVANT container is acceptable.
+     * (This corresponds to the AP server's checking the transited field when
+     * the TRANSITED-POLICY-CHECKED flag has not been set [RFC4120].) If such a
+     * data type is contained within an AD-IF- RELEVANT container, AP servers
+     * MAY apply local policy to determine whether the authorization data is
+     * acceptable.
+     * 
+     * ExternalPrincipalIdentifier ::= SEQUENCE { subjectName [0] IMPLICIT OCTET
+     * STRING OPTIONAL, -- Contains a PKIX type Name encoded according to --
+     * [RFC3280]. -- Identifies the certificate subject by the -- distinguished
+     * subject name. -- REQUIRED when there is a distinguished subject -- name
+     * present in the certificate. issuerAndSerialNumber [1] IMPLICIT OCTET
+     * STRING OPTIONAL, -- Contains a CMS type IssuerAndSerialNumber encoded --
+     * according to [RFC3852]. -- Identifies a certificate of the subject. --
+     * REQUIRED for TD-INVALID-CERTIFICATES and -- TD-TRUSTED-CERTIFIERS.
+     * subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, -- Identifies
+     * the subject's public key by a key -- identifier. When an X.509
+     * certificate is -- referenced, this key identifier matches the X.509 --
+     * subjectKeyIdentifier extension value. When other -- certificate formats
+     * are referenced, the documents -- that specify the certificate format and
+     * their use -- with the CMS must include details on matching the -- key
+     * identifier to the appropriate certificate -- field. -- RECOMMENDED for
+     * TD-TRUSTED-CERTIFIERS. ... }
+     */
+    AD_INITIAL_VERIFIED_CAS(9),
+
+    /**
      * Constant for the "OSF DCE" authorization type.
      *
      * RFC 1510
@@ -98,34 +267,56 @@ public enum AuthorizationType implements EnumType {
     /**
      * Constant for the "sesame" authorization type.
      *
-     * RFC 1510
+     * RFC 4120
      */
     SESAME(65),
 
     /**
      * Constant for the "OSF-DCE pki certid" authorization type.
      *
-     * RFC 1510
+     * RFC 4120
      */
     AD_OSF_DCE_PKI_CERTID(66),
 
     /**
-     * Constant for the "sesame" authorization type.
+     * Constant for the "CAM-MAC" authorization type.
      *
-     * RFC 1510
+     * RFC 7751 for details.
+     */
+    AD_CAMMAC(96),
+
+    /**
+     * Constant for the "Windows 2K Privilege Attribute Certificate (PAC)"
+     * authorization type.
+     *
+     * RFC 4120
+     * 
+     * See: Microsoft standard documents MS-PAC and MS-KILE.
      */
     AD_WIN2K_PAC(128),
 
     /**
-     * Constant for the "sesame" authorization type.
+     * Constant for the "EncType-Negotiation" authorization type.
      *
-     * RFC 1510
+     * RFC 4537 for details.
      */
-    AD_ETYPE_NEGOTIATION(129);
+    AD_ETYPE_NEGOTIATION(129),
+
+    /**
+     * Constant for the "Authentication-Indicator" authorization type.
+     * 
+     * RFC 6711 An IANA Registry for Level of Assurance (LoA) Profiles provides
+     * the syntax and semantics of LoA profiles.
+     *
+     * See: Internet draft "draft-jain-kitten-krb-auth-indicator-01"
+     */
+    AD_AUTHENTICAION_INDICATOR(-1); // Not yet assigned an IANA registry number.
 
     /** The internal value */
     private final int value;
 
+    private static Map<Integer, AuthorizationType> valueMap;
+
     /**
      * Create a new enum 
      */
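Review bot: `AD_AUTHENTICAION_INDICATOR(-1)` puts a placeholder number into the same value space that `fromValue` uses for ad-types read from the wire, so any element carrying ad-type -1 would be reported as an authentication indicator. RFC 4120 reserves negative ad-type values for local use, so such an element need not come from this implementation. Until a registered number exists it seems safer to keep the constant out of the value lookup, or at least to state on the constant that -1 must never be trusted on input. The name is also misspelled (`AUTHENTICAION`) and becomes public API once released; the Javadoc spells it "Authentication-Indicator", i.e. `AD_AUTHENTICATION_INDICATOR`. The enum body starts and ends outside this hunk.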
@@ -157,11 +348,13 @@ public enum AuthorizationType implements EnumType {
      */
     public static AuthorizationType fromValue(Integer value) {
         if (value != null) {
-            for (EnumType e : values()) {
-                if (e.getValue() == value.intValue()) {
-                    return (AuthorizationType) e;
+            if (valueMap == null) {
+                valueMap = new HashMap<Integer, AuthorizationType>(32);
+                for (EnumType e : values()) {
+                    valueMap.put(e.getValue(), (AuthorizationType) e);
                 }
             }
+            return valueMap.get(value);
         }
 
         return NULL;
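Review bot: For a value that matches no constant, `fromValue` used to fall through to `return NULL;`, but the new `return valueMap.get(value);` returns Java `null` instead, so an unknown ad-type read from a ticket now reaches callers as a null reference rather than the `NULL` constant. Keep the fallback with `AuthorizationType t = valueMap.get(value);` followed by `if (t != null) { return t; }`. The lazy fill of the shared `HashMap` is also unsynchronised: a second thread can see `valueMap` non-null while it is still being populated and miss a valid type, which filling the map once in a static initialiser would avoid. The method's Javadoc and closing brace are outside the hunk.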

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java
new file mode 100644
index 0000000..7430fdd
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java
@@ -0,0 +1,30 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class CamMacOtherVerifiers extends KrbSequenceOfType<CamMacVerifierChoice> {
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java
new file mode 100644
index 0000000..9832aca
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java
@@ -0,0 +1,67 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Choice;
+import org.apache.kerby.asn1.type.Asn1Type;
+
+/**
+ * <pre>
+ * Verifier             ::= CHOICE {
+            mac            Verifier-MAC,
+            ...
+      }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class CamMacVerifierChoice extends Asn1Choice {
+
+    protected enum VerifierChoice implements EnumType {
+        CAMMAC_verifierMac;
+
+        @Override
+        public int getValue() {
+            return ordinal();
+        }
+
+        @Override
+        public String getName() {
+            return name();
+        }
+    }
+
+    /** The CamMac's fields */
+    private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+            new ExplicitField(VerifierChoice.CAMMAC_verifierMac, CamMacVerifierMac.class)};
+
+    public CamMacVerifierChoice() {
+        super(fieldInfos);
+    }
+
+    public void setChoice(EnumType type, Asn1Type choice) {
+        setChoiceValue(type, choice);
+    }
+}
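Review bot: The `mac` alternative is registered as an `ExplicitField`, while the ASN.1 in the class Javadoc lists `mac Verifier-MAC` with no context tag. If `ExplicitField` adds an explicit `[0]` wrapper, as its name suggests, the encoding would not match that definition, so this is worth checking against a reference encoding. `getValue()` returning `ordinal()` also ties the field number to declaration order, which a comment such as `// value is the CHOICE field index; do not reorder` would make visible. `fieldInfos` is never reassigned and could be `private static final`.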