From erodrig...@apache.org
Subject svn commit: r540371 [6/7] - in /directory/apacheds/trunk: kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/ kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/ kerberos-s...
Date Tue, 22 May 2007 00:00:59 GMT
Modified: directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/MonitorRequest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/MonitorRequest.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/MonitorRequest.java (original)
+++ directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/MonitorRequest.java Mon May 21 17:00:43 2007
@@ -38,13 +38,15 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         if ( log.isDebugEnabled() )
         {
             try
             {
-                ChangePasswordContext changepwContext = ( ChangePasswordContext ) session.getAttribute( getContextKey() );
+                ChangePasswordContext changepwContext = ( ChangePasswordContext ) session
+                    .getAttribute( getContextKey() );
 
                 ChangePasswordRequest request = ( ChangePasswordRequest ) changepwContext.getRequest();
                 short authHeaderLength = request.getAuthHeaderLength();
@@ -70,7 +72,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/ProcessPasswordChange.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/ProcessPasswordChange.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/ProcessPasswordChange.java (original)
+++ directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/ProcessPasswordChange.java Mon May 21 17:00:43 2007
@@ -20,7 +20,7 @@
 package org.apache.directory.server.changepw.service;
 
 
-import javax.security.auth.kerberos.KerberosKey;
+import javax.naming.NamingException;
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.directory.server.changepw.exceptions.ChangePasswordException;
@@ -34,6 +34,8 @@
 
 
 /**
+ * An {@link IoHandlerCommand} for storing the new password.
+ * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
@@ -44,31 +46,33 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         ChangePasswordContext changepwContext = ( ChangePasswordContext ) session.getAttribute( getContextKey() );
 
         PrincipalStore store = changepwContext.getStore();
         Authenticator authenticator = changepwContext.getAuthenticator();
-        String password = changepwContext.getPassword();
+        String newPassword = changepwContext.getPassword();
+        KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
 
         // usec and seq-number must be present per MS but aren't in legacy kpasswd
         // seq-number must have same value as authenticator
         // ignore r-address
 
-        // generate key from password
-        KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
-        KerberosKey newKey = new KerberosKey( clientPrincipal, password.toCharArray(), "DES" );
-
-        // store password in database
         try
         {
-            String principalName = store.changePassword( clientPrincipal, newKey );
+            String principalName = store.changePassword( clientPrincipal, newPassword );
             log.debug( "Successfully modified principal {}", principalName );
         }
+        catch ( NamingException ne )
+        {
+            log.warn( ne.getMessage(), ne );
+            throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, ne.getExplanation().getBytes() );
+        }
         catch ( Exception e )
         {
-            log.error( e.getMessage(), e );
+            log.error( "Unexpected exception.", e );
             throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_HARDERROR );
         }
 
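Review bot: The new `catch ( NamingException ne )` branch copies `ne.getExplanation()` into the KRB5_KPASSWD_SOFTERROR reply, so whatever text the directory backend put into the exception (attribute names, DN fragments, schema or policy details) is sent to the remote kpasswd client, even though the same detail is already logged one line earlier. `getExplanation()` can also return null, and the resulting NullPointerException raised inside this catch is not intercepted by the sibling `catch ( Exception e )`, so it escapes `execute` instead of becoming a HARDERROR; the charset-less `getBytes()` additionally uses the platform default where RFC 3244 result strings are UTF-8. Something like `throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, "Password change rejected".getBytes( "UTF-8" ) );` keeps the client-visible text fixed and well-defined while the server log retains the cause. Note also that `newPassword` is a `String`, so the plaintext cannot be cleared once `changePassword` returns; the body of `execute` continues past the end of this hunk.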
@@ -76,7 +80,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java (original)
+++ directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/service/VerifyServiceTicketAuthHeader.java Mon May 21 17:00:43 2007
@@ -22,12 +22,14 @@
 
 import java.net.InetAddress;
 
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.directory.server.kerberos.shared.service.VerifyAuthHeader;
 import org.apache.mina.common.IoSession;
 
@@ -40,21 +42,25 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         ChangePasswordContext changepwContext = ( ChangePasswordContext ) session.getAttribute( getContextKey() );
 
         ApplicationRequest authHeader = changepwContext.getAuthHeader();
         Ticket ticket = changepwContext.getTicket();
-        EncryptionKey serverKey = changepwContext.getServerEntry().getEncryptionKey();
+
+        EncryptionType encryptionType = ticket.getEncPart().getEncryptionType();
+        EncryptionKey serverKey = changepwContext.getServerEntry().getKeyMap().get( encryptionType );
+
         long clockSkew = changepwContext.getConfig().getClockSkew();
         ReplayCache replayCache = changepwContext.getReplayCache();
         boolean emptyAddressesAllowed = changepwContext.getConfig().isEmptyAddressesAllowed();
         InetAddress clientAddress = changepwContext.getClientAddress();
-        LockBox lockBox = changepwContext.getLockBox();
+        CipherTextHandler cipherTextHandler = changepwContext.getCipherTextHandler();
 
         Authenticator authenticator = verifyAuthHeader( authHeader, ticket, serverKey, clockSkew, replayCache,
-            emptyAddressesAllowed, clientAddress, lockBox );
+            emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER11 );
 
         changepwContext.setAuthenticator( authenticator );
 
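Review bot: `getKeyMap().get( encryptionType )` returns null when the service entry holds no key for the ticket's enc-part etype, and that null is passed straight into `verifyAuthHeader` a few lines later, so a client presenting a ticket in an etype the service has no key for is likely to surface as a NullPointerException out of the decrypt path rather than a Kerberos protocol error. A guard between the lookup and the call, e.g. `if ( serverKey == null ) { throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP ); }`, keeps the failure on the error path the chain uses elsewhere (confirm which exception and error type this handler is expected to raise). A short comment that the key is chosen by the ticket's etype, not the session's, would also tell operators that the changepw service principal must carry a key for every etype the KDC may issue tickets in. `execute` continues past the end of this hunk.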

Modified: directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordData.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordData.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordData.java (original)
+++ directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordData.java Mon May 21 17:00:43 2007
@@ -34,7 +34,14 @@
     private String realm;
 
 
-    public ChangePasswordData(byte[] password, PrincipalName principalName, String realm)
+    /**
+     * Creates a new instance of ChangePasswordData.
+     *
+     * @param password
+     * @param principalName
+     * @param realm
+     */
+    public ChangePasswordData( byte[] password, PrincipalName principalName, String realm )
     {
         this.password = password;
         this.principalName = principalName;
@@ -42,18 +49,33 @@
     }
 
 
+    /**
+     * Returns the password as bytes.
+     *
+     * @return The password as bytes.
+     */
     public byte[] getPassword()
     {
         return password;
     }
 
 
+    /**
+     * Returns the principal name.
+     *
+     * @return The principal name.
+     */
     public PrincipalName getPrincipalName()
     {
         return principalName;
     }
 
 
+    /**
+     * Returns the realm.
+     *
+     * @return The realm.
+     */
     public String getRealm()
     {
         return realm;
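Review bot: The Javadoc added to `getPassword` restates the signature and leaves out what a caller actually needs to know: the method returns the stored array itself rather than a copy, so whoever holds the reference holds the plaintext until it is zeroed, and zeroing it also alters this object. Suggest `Returns the new password bytes. The backing array is returned directly (not copied); callers must not retain it longer than needed and should clear it once the password has been stored.` The `@param` tags on the constructor in the preceding hunk are left blank; one line each (`@param password the new password as raw bytes`, `@param principalName the target principal`, `@param realm the target realm`) would make the class documentation useful rather than decorative.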

Modified: directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordDataModifier.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordDataModifier.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordDataModifier.java (original)
+++ directory/apacheds/trunk/protocol-changepw/src/main/java/org/apache/directory/server/changepw/value/ChangePasswordDataModifier.java Mon May 21 17:00:43 2007
@@ -34,24 +34,44 @@
     private String realm;
 
 
+    /**
+     * Returns the {@link ChangePasswordData}.
+     *
+     * @return The {@link ChangePasswordData}.
+     */
     public ChangePasswordData getChangePasswdData()
     {
         return new ChangePasswordData( password, principalName, realm );
     }
 
 
+    /**
+     * Sets the bytes of the new password.
+     *
+     * @param password
+     */
     public void setNewPassword( byte[] password )
     {
         this.password = password;
     }
 
 
+    /**
+     * Sets the target principal name whose password is to be changed.
+     *
+     * @param principalName
+     */
     public void setTargetName( PrincipalName principalName )
     {
         this.principalName = principalName;
     }
 
 
+    /**
+     * Sets the target realm of the principal whose password is to be changed.
+     *
+     * @param realm
+     */
     public void setTargetRealm( String realm )
     {
         this.realm = realm;

Modified: directory/apacheds/trunk/protocol-changepw/src/test/java/org/apache/directory/server/changepw/service/CheckPasswordPolicyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-changepw/src/test/java/org/apache/directory/server/changepw/service/CheckPasswordPolicyTest.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-changepw/src/test/java/org/apache/directory/server/changepw/service/CheckPasswordPolicyTest.java (original)
+++ directory/apacheds/trunk/protocol-changepw/src/test/java/org/apache/directory/server/changepw/service/CheckPasswordPolicyTest.java Mon May 21 17:00:43 2007
@@ -22,8 +22,6 @@
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 
-import org.apache.directory.server.changepw.service.CheckPasswordPolicy;
-
 import junit.framework.TestCase;
 
 
@@ -42,6 +40,9 @@
     private CheckPasswordPolicy policy = new CheckPasswordPolicy();
 
 
+    /**
+     * Tests that a good password is valid according to all policy checks.
+     */
     public void testGoodPassword()
     {
         String username = "Enrique Rodriguez";
@@ -53,6 +54,9 @@
     }
 
 
+    /**
+     * Tests that a bad password fails all validity checks.
+     */
     public void testBadPassword()
     {
         String username = "Erin Randall";
@@ -64,6 +68,9 @@
     }
 
 
+    /**
+     * Tests variations of a password where the password includes tokens of the username.
+     */
     public void testPrincipalAsUsername()
     {
         String username = new KerberosPrincipal( "erodriguez@EXAMPLE.COM" ).getName();

Modified: directory/apacheds/trunk/protocol-dns/src/main/java/org/apache/directory/server/dns/DnsConfiguration.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-dns/src/main/java/org/apache/directory/server/dns/DnsConfiguration.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-dns/src/main/java/org/apache/directory/server/dns/DnsConfiguration.java (original)
+++ directory/apacheds/trunk/protocol-dns/src/main/java/org/apache/directory/server/dns/DnsConfiguration.java Mon May 21 17:00:43 2007
@@ -64,20 +64,20 @@
      * Creates a new instance with default settings that operates on the
      * {@link DirectoryService} with the specified ID.
      */
-    public DnsConfiguration(String instanceId)
+    public DnsConfiguration( String instanceId )
     {
         this( getDefaultConfig(), LoadStrategy.LDAP );
         setInstanceId( instanceId );
     }
 
 
-    public DnsConfiguration( Map<String, String> properties )
+    public DnsConfiguration( Map<String, Object> properties )
     {
         this( properties, LoadStrategy.LDAP );
     }
 
 
-    public DnsConfiguration( Map<String, String> properties, int strategy )
+    public DnsConfiguration( Map<String, Object> properties, int strategy )
     {
         if ( properties == null )
         {
@@ -97,9 +97,9 @@
     }
 
 
-    public static Map<String, String> getDefaultConfig()
+    public static Map<String, Object> getDefaultConfig()
     {
-        Map<String, String> defaults = new HashMap<String, String>();
+        Map<String, Object> defaults = new HashMap<String, Object>();
 
         defaults.put( SERVICE_PID, DEFAULT_PID );
         defaults.put( IP_PORT_KEY, DEFAULT_IP_PORT );

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcConfiguration.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcConfiguration.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcConfiguration.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcConfiguration.java Mon May 21 17:00:43 2007
@@ -143,21 +143,34 @@
     /**
      * Creates a new instance with default settings that operates on the
      * {@link DirectoryService} with the specified ID.
+     * 
+     * @param instanceId 
      */
-    public KdcConfiguration(String instanceId)
+    public KdcConfiguration( String instanceId )
     {
         this( getDefaultConfig(), LoadStrategy.LDAP );
         setInstanceId( instanceId );
     }
 
 
-    public KdcConfiguration( Map<String, String> properties )
+    /**
+     * Creates a new instance of KdcConfiguration.
+     *
+     * @param properties
+     */
+    public KdcConfiguration( Map<String, Object> properties )
     {
         this( properties, LoadStrategy.LDAP );
     }
 
 
-    public KdcConfiguration( Map<String, String> properties, int strategy )
+    /**
+     * Creates a new instance of KdcConfiguration.
+     *
+     * @param properties
+     * @param strategy
+     */
+    public KdcConfiguration( Map<String, Object> properties, int strategy )
     {
         if ( properties == null )
         {
@@ -179,9 +192,14 @@
     }
 
 
-    public static Map<String, String> getDefaultConfig()
+    /**
+     * Returns a Map of the default config.
+     *
+     * @return The default config.
+     */
+    public static Map<String, Object> getDefaultConfig()
     {
-        Map<String, String> defaults = new HashMap<String, String>();
+        Map<String, Object> defaults = new HashMap<String, Object>();
 
         defaults.put( SERVICE_PID, DEFAULT_PID );
         defaults.put( IP_PORT_KEY, DEFAULT_IP_PORT );
@@ -190,6 +208,12 @@
     }
 
 
+    /**
+     * Returns whether the Dictionary of config is different from this config.
+     *
+     * @param config
+     * @return true if the configs are different.
+     */
     public boolean isDifferent( Dictionary config )
     {
         int port = getPort();
@@ -203,12 +227,22 @@
     }
 
 
+    /**
+     * Returns the name of this service.
+     *
+     * @return The name of this service.
+     */
     public String getName()
     {
         return DEFAULT_NAME;
     }
 
 
+    /**
+     * Returns the primary realm.
+     *
+     * @return The primary realm.
+     */
     public String getPrimaryRealm()
     {
         String key = REALM_KEY;
@@ -222,6 +256,11 @@
     }
 
 
+    /**
+     * Returns the KDC principal.
+     *
+     * @return The KDC principal.
+     */
     public KerberosPrincipal getKdcPrincipal()
     {
         String key = PRINCIPAL_KEY;
@@ -248,13 +287,23 @@
     }
 
 
+    /**
+     * Returns the encryption types.
+     *
+     * @return The encryption types.
+     */
     public EncryptionType[] getEncryptionTypes()
     {
         return encryptionTypes;
     }
 
 
-    public Map<String, String> getProperties()
+    /**
+     * Returns the properties.
+     *
+     * @return The properties.
+     */
+    public Map<String, Object> getProperties()
     {
         // Request that the krb5key value be returned as binary
         configuration.put( JndiPropertyConstants.JNDI_LDAP_ATTRIBUTES_BINARY, "krb5Key" );
@@ -263,6 +312,11 @@
     }
 
 
+    /**
+     * Returns the clock skew.
+     *
+     * @return The clock skew.
+     */
     public long getClockSkew()
     {
         String key = ALLOWABLE_CLOCKSKEW_KEY;
@@ -276,6 +330,11 @@
     }
 
 
+    /**
+     * Returns the port.
+     *
+     * @return The port.
+     */
     public int getPort()
     {
         String key = IP_PORT_KEY;
@@ -289,6 +348,11 @@
     }
 
 
+    /**
+     * Returns the buffer size.
+     *
+     * @return The buffer size.
+     */
     public int getBufferSize()
     {
         String key = BUFFER_SIZE_KEY;
@@ -302,6 +366,11 @@
     }
 
 
+    /**
+     * Returns whether pre-authentication by encrypted timestamp is required.
+     *
+     * @return true if pre-authentication by encrypted timestamp is required.
+     */
     public boolean isPaEncTimestampRequired()
     {
         String key = PA_ENC_TIMESTAMP_REQUIRED_KEY;
@@ -315,6 +384,11 @@
     }
 
 
+    /**
+     * Returns the maximum ticket lifetime.
+     *
+     * @return The maximum ticket lifetime.
+     */
     public long getMaximumTicketLifetime()
     {
         String key = TGS_MAXIMUM_TICKET_LIFETIME_KEY;
@@ -328,6 +402,11 @@
     }
 
 
+    /**
+     * Returns the maximum renewable lifetime.
+     *
+     * @return The maximum renewable lifetime.
+     */
     public long getMaximumRenewableLifetime()
     {
         String key = TGS_MAXIMUM_RENEWABLE_LIFETIME_KEY;
@@ -341,6 +420,11 @@
     }
 
 
+    /**
+     * Returns whether empty addresses are allowed.
+     *
+     * @return true if empty addresses are allowed.
+     */
     public boolean isEmptyAddressesAllowed()
     {
         String key = EMPTY_ADDRESSES_ALLOWED_KEY;
@@ -354,6 +438,11 @@
     }
 
 
+    /**
+     * Returns whether forwardable tickets are allowed.
+     *
+     * @return true if forwardable tickets are allowed.
+     */
     public boolean isForwardableAllowed()
     {
         String key = TGS_FORWARDABLE_ALLOWED_KEY;
@@ -367,6 +456,11 @@
     }
 
 
+    /**
+     * Returns whether proxiable tickets are allowed.
+     *
+     * @return true if proxiable tickets are allowed.
+     */
     public boolean isProxiableAllowed()
     {
         String key = TGS_PROXIABLE_ALLOWED_KEY;
@@ -380,6 +474,11 @@
     }
 
 
+    /**
+     * Returns whether postdated tickets are allowed.
+     *
+     * @return true if postdated tickets are allowed.
+     */
     public boolean isPostdateAllowed()
     {
         String key = TGS_POSTDATE_ALLOWED_KEY;
@@ -393,6 +492,11 @@
     }
 
 
+    /**
+     * Returns whether renewable tickets are allowed.
+     *
+     * @return true if renewable tickets are allowed.
+     */
     public boolean isRenewableAllowed()
     {
         String key = TGS_RENEWABLE_ALLOWED_KEY;
@@ -423,11 +527,11 @@
 
         List<EncryptionType> encTypes = new ArrayList<EncryptionType>();
 
-        for ( String enc:encryptionTypeStrings )
+        for ( String enc : encryptionTypeStrings )
         {
-            for ( EncryptionType type:EncryptionType.VALUES )
+            for ( EncryptionType type : EncryptionType.VALUES )
             {
-                if ( type.toString().equalsIgnoreCase( enc ) )
+                if ( type.getName().equalsIgnoreCase( enc ) )
                 {
                     encTypes.add( type );
                 }
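Review bot: An entry in the configured encryption-type list that matches no `EncryptionType.getName()` is dropped silently by this loop, so a typo in the configuration quietly narrows the set of etypes the KDC will negotiate, and a wholly mistyped list leaves `encTypes` empty, which `SelectEncryptionType` then turns into KDC_ERR_ETYPE_NOSUPP for every client. Tracking whether the inner loop found a match and emitting `log.warn( "Unknown encryption type '{}' in configuration, ignoring", enc );` when it did not would make such a misconfiguration visible at startup instead of at the first failed AS-REQ; this assumes the class has an slf4j logger, which is not visible in these hunks. The enclosing method continues past the end of this hunk.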

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcContext.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcContext.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcContext.java Mon May 21 17:00:43 2007
@@ -22,9 +22,10 @@
 
 import java.net.InetAddress;
 
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
 import org.apache.directory.server.kerberos.shared.messages.KerberosMessage;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 
 
@@ -41,7 +42,8 @@
     private KdcRequest request;
     private KerberosMessage reply;
     private InetAddress clientAddress;
-    private LockBox lockBox;
+    private CipherTextHandler cipherTextHandler;
+    private EncryptionType encryptionType;
 
 
     /**
@@ -135,19 +137,41 @@
 
 
     /**
-     * @return Returns the lockBox.
+     * @return Returns the {@link CipherTextHandler}.
      */
-    public LockBox getLockBox()
+    public CipherTextHandler getCipherTextHandler()
     {
-        return lockBox;
+        return cipherTextHandler;
     }
 
 
     /**
-     * @param lockBox The lockBox to set.
+     * @param cipherTextHandler The {@link CipherTextHandler} to set.
      */
-    public void setLockBox( LockBox lockBox )
+    public void setCipherTextHandler( CipherTextHandler cipherTextHandler )
     {
-        this.lockBox = lockBox;
+        this.cipherTextHandler = cipherTextHandler;
+    }
+
+
+    /**
+     * Returns the encryption type to use for this session.
+     *
+     * @return The encryption type.
+     */
+    public EncryptionType getEncryptionType()
+    {
+        return encryptionType;
+    }
+
+
+    /**
+     * Sets the encryption type to use for this session.
+     *
+     * @param encryptionType The encryption type to set.
+     */
+    public void setEncryptionType( EncryptionType encryptionType )
+    {
+        this.encryptionType = encryptionType;
     }
 }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KerberosServer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KerberosServer.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KerberosServer.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KerberosServer.java Mon May 21 17:00:43 2007
@@ -53,7 +53,16 @@
     private IoHandler handler;
 
 
-    public KerberosServer( KdcConfiguration config, IoAcceptor acceptor, IoServiceConfig serviceConfig, PrincipalStore store )
+    /**
+     * Creates a new instance of KerberosServer.
+     *
+     * @param config
+     * @param acceptor
+     * @param serviceConfig
+     * @param store
+     */
+    public KerberosServer( KdcConfiguration config, IoAcceptor acceptor, IoServiceConfig serviceConfig,
+        PrincipalStore store )
     {
         this.config = config;
         this.acceptor = acceptor;
@@ -64,7 +73,7 @@
 
         try
         {
-            handler = new KerberosProtocolHandler( new KdcConfiguration(), this.store );
+            handler = new KerberosProtocolHandler( config, this.store );
 
             acceptor.bind( new InetSocketAddress( port ), handler, serviceConfig );
 
@@ -77,12 +86,21 @@
     }
 
 
+    /**
+     * Returns whether configuration being proposed as new is really different.
+     *
+     * @param newConfig
+     * @return Whether configuration being proposed as new is really different.
+     */
     public boolean isDifferent( Dictionary newConfig )
     {
         return config.isDifferent( newConfig );
     }
 
 
+    /**
+     * Destroys this instance of KerberosServer.
+     */
     public void destroy()
     {
         acceptor.unbind( new InetSocketAddress( config.getPort() ) );

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorContext.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorContext.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorContext.java Mon May 21 17:00:43 2007
@@ -37,6 +37,7 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         KdcContext kdcContext = ( KdcContext ) session.getAttribute( getContextKey() );
@@ -52,7 +53,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorReply.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorReply.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorReply.java Mon May 21 17:00:43 2007
@@ -39,6 +39,7 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         KdcContext kdcContext = ( KdcContext ) session.getAttribute( getContextKey() );
@@ -82,7 +83,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorRequest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorRequest.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorRequest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/MonitorRequest.java Mon May 21 17:00:43 2007
@@ -39,6 +39,7 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         KdcContext kdcContext = ( KdcContext ) session.getAttribute( getContextKey() );
@@ -62,7 +63,7 @@
     }
 
 
-    public String getEncryptionTypes( KdcRequest request )
+    protected String getEncryptionTypes( KdcRequest request )
     {
         EncryptionType[] etypes = request.getEType();
 
@@ -82,7 +83,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/SelectEncryptionType.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/SelectEncryptionType.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/SelectEncryptionType.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/SelectEncryptionType.java Mon May 21 17:00:43 2007
@@ -25,6 +25,8 @@
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 
 /**
@@ -33,8 +35,12 @@
  */
 public class SelectEncryptionType implements IoHandlerCommand
 {
+    /** The log for this class. */
+    private static final Logger log = LoggerFactory.getLogger( SelectEncryptionType.class );
+
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         KdcContext kdcContext = ( KdcContext ) session.getAttribute( getContextKey() );
@@ -44,11 +50,15 @@
 
         EncryptionType bestType = getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );
 
+        log.debug( "Session will use encryption type " + bestType );
+
         if ( bestType == null )
         {
             throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
         }
 
+        kdcContext.setEncryptionType( bestType );
+
         next.execute( session, message );
     }
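Review bot: The new `log.debug( "Session will use encryption type " + bestType )` is emitted before the `bestType == null` check, so a request that is about to be rejected with KDC_ERR_ETYPE_NOSUPP is recorded as `Session will use encryption type null`, and the concatenation is evaluated on every request whatever the log level. Move the statement below the `if` block so it only reports a type that was actually selected, and use the SLF4J parameterized form, `log.debug( "Session will use encryption type {}", bestType );`, so no string is built unless debug is enabled. The failure branch deserves its own line before the throw, e.g. `log.debug( "No encryption type in common with the KDC configuration; rejecting request" );`, since etype negotiation failures are exactly what an operator looks for when a client only offers types the KDC has disabled.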
 
@@ -70,7 +80,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationServiceChain.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationServiceChain.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationServiceChain.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationServiceChain.java Mon May 21 17:00:43 2007
@@ -21,6 +21,7 @@
 
 
 import org.apache.directory.server.kerberos.kdc.MonitorRequest;
+import org.apache.directory.server.kerberos.kdc.SelectEncryptionType;
 import org.apache.directory.server.kerberos.kdc.preauthentication.PreAuthenticationChain;
 import org.apache.mina.handler.chain.IoHandlerChain;
 
@@ -31,10 +32,14 @@
  */
 public class AuthenticationServiceChain extends IoHandlerChain
 {
+    /**
+     * Creates a new instance of AuthenticationServiceChain.
+     */
     public AuthenticationServiceChain()
     {
         addLast( "monitorRequest", new MonitorRequest() );
         addLast( "configureAuthenticationChain", new ConfigureAuthenticationChain() );
+        addLast( "selectEncryptionType", new SelectEncryptionType() );
         addLast( "getClientEntry", new GetClientEntry() );
         addLast( "verifyPolicy", new VerifyPolicy() );
         addLast( "preAuthenticationChain", new PreAuthenticationChain() );

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/BuildReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/BuildReply.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/BuildReply.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/BuildReply.java Mon May 21 17:00:43 2007
@@ -74,7 +74,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/ConfigureAuthenticationChain.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/ConfigureAuthenticationChain.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/ConfigureAuthenticationChain.java Mon May 21 17:00:43 2007
@@ -20,14 +20,9 @@
 package org.apache.directory.server.kerberos.kdc.authentication;
 
 
-import java.util.Map;
-
-import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
-import org.apache.directory.server.kerberos.shared.crypto.checksum.RsaMd5Checksum;
-import org.apache.directory.server.kerberos.shared.crypto.checksum.Sha1Checksum;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.replay.InMemoryReplayCache;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -39,26 +34,23 @@
 public class ConfigureAuthenticationChain implements IoHandlerCommand
 {
     private static final ReplayCache replayCache = new InMemoryReplayCache();
-    private static final LockBox lockBox = new LockBox();
+    private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
 
         authContext.setReplayCache( replayCache );
-        authContext.setLockBox( lockBox );
-
-        Map checksumEngines = authContext.getChecksumEngines();
-        checksumEngines.put( ChecksumType.RSA_MD5, new RsaMd5Checksum() );
-        checksumEngines.put( ChecksumType.SHA1, new Sha1Checksum() );
+        authContext.setCipherTextHandler( cipherTextHandler );
 
         next.execute( session, message );
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }
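Review bot: `cipherTextHandler` is a `static final` instance shared by every session that passes through this chain, and ConfigureTicketGrantingChain introduces the same shared field, so CipherTextHandler has to be stateless or otherwise safe for concurrent `seal`/`unseal` calls; nothing in this diff shows that it is. If it keeps a `javax.crypto.Cipher` or another mutable engine per instance, concurrent requests would interleave state and produce undecryptable or mis-decrypted output under load. Record the assumption on the field, `// Shared by all sessions: CipherTextHandler must be safe for concurrent use.`, or make it a per-context instance if the class is not.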

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java Mon May 21 17:00:43 2007
@@ -23,6 +23,9 @@
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
@@ -35,7 +38,6 @@
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
 import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
 import org.apache.directory.server.kerberos.shared.messages.value.TransitedEncoding;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 import org.slf4j.Logger;
@@ -53,14 +55,18 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
 
         KdcRequest request = authContext.getRequest();
-        LockBox lockBox = authContext.getLockBox();
+        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
         KerberosPrincipal serverPrincipal = request.getServerPrincipal();
-        EncryptionKey serverKey = authContext.getServerEntry().getEncryptionKey();
+
+        EncryptionType encryptionType = authContext.getEncryptionType();
+        EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );
+
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
         EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
         KdcConfiguration config = authContext.getConfig();
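Review bot: `serverKey` is now taken from `getKeyMap().get( encryptionType )` and can be null when the server principal holds no key of the negotiated type, because SelectEncryptionType derives that type from the client's request and the KDC configuration, not from the server principal's stored keys; nothing guards it before `cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 )` later in this method. The ticket-granting GenerateTicket hunk performs the same unguarded lookup on `tgsContext.getRequestPrincipalEntry().getKeyMap()`. Add `if ( serverKey == null ) { throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP ); }` directly after the lookup in both places so the client receives a protocol error instead of an internal failure. execute() continues outside this hunk.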
@@ -138,9 +144,9 @@
          endif
          */
 
-        if ( tempRtime == 0 )
+        if ( tempRtime == 0 || request.getRtime() == null )
         {
-            tempRtime = Long.MAX_VALUE;
+            tempRtime = request.getTill().getTime();
         }
         else
         {
@@ -172,7 +178,7 @@
 
         EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
 
-        EncryptedData encryptedData = lockBox.seal( serverKey, ticketPart );
+        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
 
         Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
         newTicket.setEncTicketPart( ticketPart );
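Review bot: `KeyUsage.NUMBER2` gives the reader no hint of what it binds the ciphertext to, and the same opaque numbers appear in SealReply (`NUMBER3`), VerifyEncryptedTimestamp (`NUMBER1`) and the ticket-granting GenerateTicket (`NUMBER2`, `NUMBER4`). These are the RFC 4120 §7.5.1 key usage numbers (1 = PA-ENC-TIMESTAMP, 2 = Ticket enc-part under the service key, 3 = AS-REP enc-part under the client key), and a wrong value silently breaks interoperability with other Kerberos implementations while still round-tripping against this KDC. Add a comment at each call site, here `// RFC 4120 7.5.1 usage 2: Ticket enc-part, encrypted with the server's long-term key`, or give the KeyUsage constants Javadoc naming the RFC usage.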
@@ -188,7 +194,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetSessionKey.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetSessionKey.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetSessionKey.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetSessionKey.java Mon May 21 17:00:43 2007
@@ -20,7 +20,7 @@
 package org.apache.directory.server.kerberos.kdc.authentication;
 
 
-import org.apache.directory.server.kerberos.shared.service.SessionKeyFactory;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -39,7 +39,7 @@
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
-        authContext.setSessionKey( SessionKeyFactory.getSessionKey() );
+        authContext.setSessionKey( RandomKeyFactory.getRandomKey( authContext.getEncryptionType() ) );
 
         next.execute( session, message );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java Mon May 21 17:00:43 2007
@@ -20,10 +20,11 @@
 package org.apache.directory.server.kerberos.kdc.authentication;
 
 
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -36,22 +37,23 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
 
         AuthenticationReply reply = ( AuthenticationReply ) authContext.getReply();
         EncryptionKey clientKey = authContext.getClientKey();
-        LockBox lockBox = authContext.getLockBox();
+        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
 
-        EncryptedData encryptedData = lockBox.seal( clientKey, reply );
+        EncryptedData encryptedData = cipherTextHandler.seal( clientKey, reply, KeyUsage.NUMBER3 );
         reply.setEncPart( encryptedData );
 
         next.execute( session, message );
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java Mon May 21 17:00:43 2007
@@ -27,8 +27,6 @@
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
-//import org.slf4j.Logger;
-//import org.slf4j.LoggerFactory;
 
 
 /**
@@ -37,10 +35,8 @@
  */
 public class VerifyPolicy implements IoHandlerCommand
 {
-    /** the log for this class */
-//    private static final Logger log = LoggerFactory.getLogger( VerifyPolicy.class );
     private String contextKey = "context";
-    
+
 
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
@@ -61,11 +57,12 @@
         {
             throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
         }
-        next.execute( session, message ); 
+
+        next.execute( session, message );
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/PreAuthenticationChain.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/PreAuthenticationChain.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/PreAuthenticationChain.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/PreAuthenticationChain.java Mon May 21 17:00:43 2007
@@ -28,6 +28,9 @@
  */
 public class PreAuthenticationChain extends IoHandlerChain
 {
+    /**
+     * Creates a new instance of PreAuthenticationChain.
+     */
     public PreAuthenticationChain()
     {
         addLast( "verifySam", new VerifySam() );

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java Mon May 21 17:00:43 2007
@@ -40,12 +40,15 @@
 {
     private String contextKey = "context";
 
-    public String getContextKey()
-    {
-        return ( this.contextKey );
-    }
 
-    public byte[] preparePreAuthenticationError()
+    /**
+     * Prepares a pre-authentication error message containing required
+     * encryption types.
+     *
+     * @param encryptionTypes
+     * @return The error message as bytes.
+     */
+    public byte[] preparePreAuthenticationError( EncryptionType[] encryptionTypes )
     {
         PreAuthenticationData[] paDataSequence = new PreAuthenticationData[2];
 
@@ -55,8 +58,11 @@
 
         paDataSequence[0] = modifier.getPreAuthenticationData();
 
-        EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[1];
-        entries[0] = new EncryptionTypeInfoEntry( EncryptionType.DES_CBC_MD5, null );
+        EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[encryptionTypes.length];
+        for ( int ii = 0; ii < encryptionTypes.length; ii++ )
+        {
+            entries[ii] = new EncryptionTypeInfoEntry( encryptionTypes[ii], null );
+        }
 
         byte[] encTypeInfo = null;
 
@@ -83,5 +89,11 @@
         {
             return null;
         }
+    }
+
+
+    protected String getContextKey()
+    {
+        return ( this.contextKey );
     }
 }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java Mon May 21 17:00:43 2007
@@ -24,6 +24,9 @@
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
@@ -33,7 +36,6 @@
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
 import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.mina.common.IoSession;
 import org.slf4j.Logger;
@@ -62,7 +64,7 @@
         log.debug( "Verifying using encrypted timestamp." );
         KdcConfiguration config = authContext.getConfig();
         KdcRequest request = authContext.getRequest();
-        LockBox lockBox = authContext.getLockBox();
+        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
         PrincipalStoreEntry clientEntry = authContext.getClientEntry();
         String clientName = clientEntry.getPrincipal().getName();
 
@@ -76,7 +78,8 @@
                     + " has no SAM type: proceeding with standard pre-authentication" );
             }
 
-            clientKey = clientEntry.getEncryptionKey();
+            EncryptionType encryptionType = authContext.getEncryptionType();
+            clientKey = clientEntry.getKeyMap().get( encryptionType );
 
             if ( clientKey == null )
             {
@@ -89,7 +92,8 @@
 
                 if ( preAuthData == null )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError() );
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                        preparePreAuthenticationError( config.getEncryptionTypes() ) );
                 }
 
                 EncryptedTimeStamp timestamp = null;
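Review bot: The ETYPE-INFO sent with KDC_ERR_PREAUTH_REQUIRED is now built from `config.getEncryptionTypes()`, i.e. everything the KDC is configured for, rather than the types this client principal actually has keys for in `clientEntry.getKeyMap()`. A client that picks an advertised type missing from the key map will encrypt its timestamp under a key the KDC cannot verify and fail pre-authentication with no useful error. The same call appears in the `timestamp == null` branch further down and in VerifySam; consider passing only the configured types that are also present in the client's key map, in the KDC's preference order. The key map's exact type is not visible here, so the filter is best written in this method where both are in scope.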
@@ -113,14 +117,15 @@
                             throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
                         }
 
-                        timestamp = ( EncryptedTimeStamp ) lockBox.unseal( EncryptedTimeStamp.class, clientKey,
-                            dataValue );
+                        timestamp = ( EncryptedTimeStamp ) cipherTextHandler.unseal( EncryptedTimeStamp.class,
+                            clientKey, dataValue, KeyUsage.NUMBER1 );
                     }
                 }
 
                 if ( timestamp == null )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError() );
+                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                        preparePreAuthenticationError( config.getEncryptionTypes() ) );
                 }
 
                 if ( !timestamp.getTimeStamp().isInClockSkew( config.getClockSkew() ) )

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java Mon May 21 17:00:43 2007
@@ -22,6 +22,7 @@
 
 import javax.security.auth.kerberos.KerberosKey;
 
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
 import org.apache.directory.server.kerberos.sam.SamException;
 import org.apache.directory.server.kerberos.sam.SamSubsystem;
@@ -60,6 +61,8 @@
         log.debug( "Verifying using SAM subsystem." );
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
         KdcRequest request = authContext.getRequest();
+        KdcConfiguration config = authContext.getConfig();
+
         PrincipalStoreEntry clientEntry = authContext.getClientEntry();
         String clientName = clientEntry.getPrincipal().getName();
 
@@ -77,7 +80,7 @@
 
             if ( preAuthData == null || preAuthData.length == 0 )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError() );
+                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config.getEncryptionTypes() ) );
             }
 
             try

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java Mon May 21 17:00:43 2007
@@ -71,7 +71,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java Mon May 21 17:00:43 2007
@@ -20,9 +20,9 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.replay.InMemoryReplayCache;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -34,7 +34,7 @@
 public class ConfigureTicketGrantingChain implements IoHandlerCommand
 {
     private static final ReplayCache replayCache = new InMemoryReplayCache();
-    private static final LockBox lockBox = new LockBox();
+    private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();
 
     private String contextKey = "context";
 
@@ -43,13 +43,13 @@
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
 
         tgsContext.setReplayCache( replayCache );
-        tgsContext.setLockBox( lockBox );
+        tgsContext.setCipherTextHandler( cipherTextHandler );
 
         next.execute( session, message );
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java Mon May 21 17:00:43 2007
@@ -27,6 +27,9 @@
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
@@ -40,7 +43,6 @@
 import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
 import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -53,6 +55,7 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
@@ -60,9 +63,12 @@
         KdcRequest request = tgsContext.getRequest();
         Ticket tgt = tgsContext.getTgt();
         Authenticator authenticator = tgsContext.getAuthenticator();
-        LockBox lockBox = tgsContext.getLockBox();
+        CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
-        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getEncryptionKey();
+
+        EncryptionType encryptionType = tgsContext.getEncryptionType();
+        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );
+
         KdcConfiguration config = tgsContext.getConfig();
         EncryptionKey sessionKey = tgsContext.getSessionKey();
 
@@ -77,8 +83,8 @@
 
         if ( request.getEncAuthorizationData() != null )
         {
-            AuthorizationData authData = ( AuthorizationData ) lockBox.unseal( AuthorizationData.class, authenticator
-                .getSubSessionKey(), request.getEncAuthorizationData() );
+            AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal( AuthorizationData.class,
+                authenticator.getSubSessionKey(), request.getEncAuthorizationData(), KeyUsage.NUMBER4 );
             authData.add( tgt.getAuthorizationData() );
             newTicketBody.setAuthorizationData( authData );
         }
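Review bot: The authorization data is decrypted with `authenticator.getSubSessionKey()` but tagged `KeyUsage.NUMBER4`; RFC 4120 §7.5.1 assigns usage 4 to TGS-REQ authorization data encrypted under the TGS session key and usage 5 to the same data encrypted under the authenticator subkey, so a client that follows the RFC will fail the integrity check here. The subkey is also OPTIONAL in the authenticator, so `getSubSessionKey()` may be null when the client encrypted under the TGT session key instead. Choose the key and usage together: if the authenticator carries a subkey, use it with usage 5, otherwise use `tgt`'s session key with usage 4 (the KeyUsage constant for 5 is not visible in this diff). processFlags and the rest of execute() lie outside this hunk.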
@@ -105,7 +111,7 @@
             throw new KerberosException( ErrorType.KDC_ERR_SVC_UNAVAILABLE );
         }
 
-        EncryptedData encryptedData = lockBox.seal( serverKey, ticketPart );
+        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
 
         Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
         newTicket.setEncTicketPart( ticketPart );
@@ -116,12 +122,6 @@
     }
 
 
-    public String getContextKey()
-    {
-        return ( this.contextKey );
-    }
-
-
     private void processFlags( KdcConfiguration config, KdcRequest request, Ticket tgt,
         EncTicketPartModifier newTicketBody ) throws KerberosException
     {
@@ -274,7 +274,7 @@
              new_tkt.starttime+client.max_life,
              new_tkt.starttime+server.max_life,
              */
-            List minimizer = new ArrayList();
+            List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
             minimizer.add( till );
             minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) );
             minimizer.add( tgt.getEndTime() );
@@ -315,7 +315,7 @@
              new_tkt.starttime+server.max_rlife,
              */
             // TODO - client and server configurable; requires store
-            List minimizer = new ArrayList();
+            List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
 
             /*
              * 'rtime' KerberosTime is OPTIONAL
@@ -327,7 +327,7 @@
 
             minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) );
             minimizer.add( tgt.getRenewTill() );
-            newTicketBody.setRenewTill( ( KerberosTime ) Collections.min( minimizer ) );
+            newTicketBody.setRenewTill( Collections.min( minimizer ) );
         }
     }
 
@@ -362,5 +362,11 @@
         newTicketBody.setRenewTill( tgt.getRenewTill() );
         newTicketBody.setSessionKey( tgt.getSessionKey() );
         newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+    }
+
+
+    protected String getContextKey()
+    {
+        return ( this.contextKey );
     }
 }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java Mon May 21 17:00:43 2007
@@ -44,6 +44,7 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
@@ -59,12 +60,6 @@
     }
 
 
-    public String getContextKey()
-    {
-        return ( this.contextKey );
-    }
-
-
     protected ApplicationRequest getAuthHeader( KdcRequest request ) throws KerberosException, IOException
     {
         byte[] undecodedAuthHeader = null;
@@ -87,5 +82,11 @@
         ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader );
 
         return authHeader;
+    }
+
+
+    protected String getContextKey()
+    {
+        return ( this.contextKey );
     }
 }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetSessionKey.java Mon May 21 17:00:43 2007
@@ -20,8 +20,7 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
-import org.apache.directory.server.kerberos.shared.service.SessionKeyFactory;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -39,8 +38,8 @@
 
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
-        AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
-        authContext.setSessionKey( SessionKeyFactory.getSessionKey() );
+        TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
+        tgsContext.setSessionKey( RandomKeyFactory.getRandomKey( tgsContext.getEncryptionType() ) );
 
         next.execute( session, message );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java Mon May 21 17:00:43 2007
@@ -25,6 +25,7 @@
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
@@ -49,6 +50,7 @@
 
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         if ( log.isDebugEnabled() )
@@ -92,8 +94,6 @@
                 sb.append( "\n\t" + "realm                  " + requestPrincipal.getRealmName() );
                 sb.append( "\n\t" + "principal              " + requestPrincipal.getPrincipal() );
                 sb.append( "\n\t" + "SAM type               " + requestPrincipal.getSamType() );
-                sb.append( "\n\t" + "Key type               " + requestPrincipal.getEncryptionKey().getKeyType() );
-                sb.append( "\n\t" + "Key version            " + requestPrincipal.getEncryptionKey().getKeyVersion() );
 
                 KerberosPrincipal ticketServerPrincipal = tgsContext.getTgt().getServerPrincipal();
                 PrincipalStoreEntry ticketPrincipal = tgsContext.getTicketPrincipalEntry();
@@ -103,8 +103,11 @@
                 sb.append( "\n\t" + "realm                  " + ticketPrincipal.getRealmName() );
                 sb.append( "\n\t" + "principal              " + ticketPrincipal.getPrincipal() );
                 sb.append( "\n\t" + "SAM type               " + ticketPrincipal.getSamType() );
-                sb.append( "\n\t" + "Key type               " + ticketPrincipal.getEncryptionKey().getKeyType() );
-                sb.append( "\n\t" + "Key version            " + ticketPrincipal.getEncryptionKey().getKeyVersion() );
+
+                EncryptionType encryptionType = tgsContext.getTgt().getEncPart().getEncryptionType();
+                int keyVersion = ticketPrincipal.getKeyMap().get( encryptionType ).getKeyVersion();
+                sb.append( "\n\t" + "Ticket key type        " + encryptionType );
+                sb.append( "\n\t" + "Service key version    " + keyVersion );
 
                 log.debug( sb.toString() );
             }
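Review bot: The new `ticketPrincipal.getKeyMap().get( encryptionType ).getKeyVersion()` chain throws NullPointerException when the service principal stores no key for the TGT's encryption type, and because it runs only under `isDebugEnabled()` the failure would show up only on debug-enabled servers; whether the surrounding try (outside this hunk) catches it cannot be seen here. A diagnostic line should not be able to change the request outcome, so look the key up first and print a marker when it is absent: `EncryptionKey serviceKey = ticketPrincipal.getKeyMap().get( encryptionType );` then `sb.append( "\n\t" + "Service key version    " + ( serviceKey == null ? "<none>" : serviceKey.getKeyVersion() ) );` (an EncryptionKey import may be needed; the import hunk above does not add one). The enclosing execute method starts before this hunk.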
@@ -119,7 +122,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/SealReply.java Mon May 21 17:00:43 2007
@@ -20,11 +20,12 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -37,24 +38,25 @@
 {
     private String contextKey = "context";
 
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
 
         TicketGrantReply reply = ( TicketGrantReply ) tgsContext.getReply();
         Ticket tgt = tgsContext.getTgt();
-        LockBox lockBox = tgsContext.getLockBox();
+        CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
         Authenticator authenticator = tgsContext.getAuthenticator();
 
         EncryptedData encryptedData;
 
         if ( authenticator.getSubSessionKey() != null )
         {
-            encryptedData = lockBox.seal( authenticator.getSubSessionKey(), reply );
+            encryptedData = cipherTextHandler.seal( authenticator.getSubSessionKey(), reply, KeyUsage.NUMBER9 );
         }
         else
         {
-            encryptedData = lockBox.seal( tgt.getSessionKey(), reply );
+            encryptedData = cipherTextHandler.seal( tgt.getSessionKey(), reply, KeyUsage.NUMBER8 );
         }
 
         reply.setEncPart( encryptedData );
@@ -63,7 +65,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java Mon May 21 17:00:43 2007
@@ -22,6 +22,7 @@
 
 import org.apache.directory.server.kerberos.kdc.MonitorReply;
 import org.apache.directory.server.kerberos.kdc.MonitorRequest;
+import org.apache.directory.server.kerberos.kdc.SelectEncryptionType;
 import org.apache.mina.handler.chain.IoHandlerChain;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -39,6 +40,9 @@
     private static final Logger log = LoggerFactory.getLogger( TicketGrantingServiceChain.class );
 
 
+    /**
+     * Creates a new instance of TicketGrantingServiceChain.
+     */
     public TicketGrantingServiceChain()
     {
         if ( log.isDebugEnabled() )
@@ -47,6 +51,7 @@
         }
 
         addLast( "configureTicketGrantingChain", new ConfigureTicketGrantingChain() );
+        addLast( "selectEncryptionType", new SelectEncryptionType() );
         addLast( "getAuthHeader", new GetAuthHeader() );
         addLast( "verifyTgt", new VerifyTgt() );
         addLast( "getTicketPrincipalEntry", new GetTicketPrincipalEntry() );

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java Mon May 21 17:00:43 2007
@@ -20,14 +20,19 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumEngine;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
-import org.apache.directory.server.kerberos.shared.crypto.checksum.RsaMd5Checksum;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
-import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 
 /**
@@ -36,44 +41,52 @@
  */
 public class VerifyBodyChecksum implements IoHandlerCommand
 {
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( VerifyBodyChecksum.class );
+
+    private ChecksumHandler checksumHandler = new ChecksumHandler();
     private String contextKey = "context";
 
-    public void execute( NextCommand next, IoSession session, Object message ) throws Exception
+    /** a map of the default encryption types to the encryption engine class names */
+    private static final Map<EncryptionType, ChecksumType> DEFAULT_CHECKSUMS;
+
+    static
     {
-        TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
-        byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
-        Checksum checksum = tgsContext.getAuthenticator().getChecksum();
+        Map<EncryptionType, ChecksumType> map = new HashMap<EncryptionType, ChecksumType>();
 
-        verifyChecksum( checksum, bodyBytes );
+        map.put( EncryptionType.DES_CBC_MD5, ChecksumType.RSA_MD5 );
+        map.put( EncryptionType.DES3_CBC_SHA1_KD, ChecksumType.HMAC_SHA1_DES3_KD );
+        map.put( EncryptionType.RC4_HMAC, ChecksumType.HMAC_MD5 );
+        map.put( EncryptionType.AES128_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES128 );
+        map.put( EncryptionType.AES256_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES256 );
 
-        next.execute( session, message );
+        DEFAULT_CHECKSUMS = Collections.unmodifiableMap( map );
     }
 
 
-    public String getContextKey()
+    public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
-        return ( this.contextKey );
-    }
+        TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
+        byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
+        Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
 
+        EncryptionType encryptionType = tgsContext.getEncryptionType();
+        ChecksumType allowedChecksumType = DEFAULT_CHECKSUMS.get( encryptionType );
 
-    private void verifyChecksum( Checksum checksum, byte[] bytes ) throws KerberosException
-    {
-        if ( checksum == null )
+        if ( !allowedChecksumType.equals( authenticatorChecksum.getChecksumType() ) )
         {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+            log.warn( "Allowed checksum type '" + allowedChecksumType + "' did not match authenticator checksum type '"
+                + authenticatorChecksum.getChecksumType() + "'." );
         }
 
-        if ( !checksum.getChecksumType().equals( ChecksumType.RSA_MD5 ) )
-        {
-            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
-        }
+        checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
 
-        ChecksumEngine digester = new RsaMd5Checksum();
-        Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum( bytes ) );
+        next.execute( session, message );
+    }
 
-        if ( !newChecksum.equals( checksum ) )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
-        }
+
+    private String getContextKey()
+    {
+        return ( this.contextKey );
     }
 }
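Review bot: The rewritten `execute` weakens the body-checksum check in three ways the old code did not: a checksum type other than the one expected for the negotiated encryption type is now only logged at warn and still accepted (the removed code rejected it with KDC_ERR_SUMTYPE_NOSUPP), a missing authenticator checksum now surfaces as a NullPointerException on `authenticatorChecksum.getChecksumType()` instead of KRB_AP_ERR_INAPP_CKSUM, and an encryption type absent from DEFAULT_CHECKSUMS makes `allowedChecksumType.equals` throw NPE. The verifyChecksum call also passes a `null` key with `KeyUsage.NUMBER8`; RFC 4120 §7.5.1 item 6 specifies that the PA-TGS-REQ authenticator checksum is keyed with the TGS session key under usage 6, and every checksum type in the new map except RSA_MD5 is an HMAC that cannot be verified without that key (what ChecksumHandler does with a null key is not visible here). The sketch below restores the rejections and supplies the TGT session key; it assumes a usage-6 constant exists in KeyUsage and that verifyChecksum accepts the key in the form shown, and it needs the ErrorType/KerberosException imports this commit removed. Separately, the comment on DEFAULT_CHECKSUMS still says "encryption engine class names" although the map now holds ChecksumType values — `/** the default checksum type expected for each encryption type */` would be accurate.
```java
    public void execute( NextCommand next, IoSession session, Object message ) throws Exception
    {
        // … unchanged: tgsContext, bodyBytes, authenticatorChecksum, encryptionType lookups …

        if ( authenticatorChecksum == null )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
        }

        ChecksumType allowedChecksumType = DEFAULT_CHECKSUMS.get( encryptionType );

        if ( allowedChecksumType == null || !allowedChecksumType.equals( authenticatorChecksum.getChecksumType() ) )
        {
            log.warn( "Allowed checksum type '" + allowedChecksumType + "' did not match authenticator checksum type '"
                + authenticatorChecksum.getChecksumType() + "'." );
            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
        }

        // RFC 4120 7.5.1 (6): the PA-TGS-REQ authenticator checksum is keyed with the TGS session key, usage 6
        checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, tgsContext.getTgt().getSessionKey(),
            KeyUsage.NUMBER6 );

        next.execute( session, message );
    }
```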

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java Mon May 21 17:00:43 2007
@@ -22,12 +22,14 @@
 
 import java.net.InetAddress;
 
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
-import org.apache.directory.server.kerberos.shared.service.LockBox;
 import org.apache.directory.server.kerberos.shared.service.VerifyAuthHeader;
 import org.apache.mina.common.IoSession;
 
@@ -44,15 +46,18 @@
 
         ApplicationRequest authHeader = tgsContext.getAuthHeader();
         Ticket tgt = tgsContext.getTgt();
-        EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getEncryptionKey();
+
+        EncryptionType encryptionType = tgt.getEncPart().getEncryptionType();
+        EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getKeyMap().get( encryptionType );
+
         long clockSkew = tgsContext.getConfig().getClockSkew();
         ReplayCache replayCache = tgsContext.getReplayCache();
         boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
         InetAddress clientAddress = tgsContext.getClientAddress();
-        LockBox lockBox = tgsContext.getLockBox();
+        CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
 
         Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
-            emptyAddressesAllowed, clientAddress, lockBox );
+            emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER7 );
 
         tgsContext.setAuthenticator( authenticator );
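Review bot: `serverKey` is now whatever `getKeyMap().get( encryptionType )` returns and is null when the service principal stores no key for the TGT's encryption type; it is then handed to verifyAuthHeader, where the failure would surface as a NullPointerException somewhere inside the decryption path rather than as a Kerberos error reply. Reject it at the lookup: `if ( serverKey == null ) { throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP ); }` (ErrorType and KerberosException are not among this file's visible imports and may need adding). The same unchecked lookup appears at the `serverKey` line of the first GenerateTicket hunk in this diff. The enclosing execute method starts before this hunk.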
 

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolCodecFactory.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolCodecFactory.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolCodecFactory.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolCodecFactory.java Mon May 21 17:00:43 2007
@@ -34,6 +34,11 @@
     private static final KerberosProtocolCodecFactory INSTANCE = new KerberosProtocolCodecFactory();
 
 
+    /**
+     * Returns the singleton {@link KerberosProtocolCodecFactory}.
+     *
+     * @return The singleton {@link KerberosProtocolCodecFactory}.
+     */
     public static KerberosProtocolCodecFactory getInstance()
     {
         return INSTANCE;

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java Mon May 21 17:00:43 2007
@@ -64,7 +64,13 @@
     private String contextKey = "context";
 
 
-    public KerberosProtocolHandler(KdcConfiguration config, PrincipalStore store)
+    /**
+     * Creates a new instance of KerberosProtocolHandler.
+     *
+     * @param config
+     * @param store
+     */
+    public KerberosProtocolHandler( KdcConfiguration config, PrincipalStore store )
     {
         this.config = config;
         this.store = store;
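Review bot: The new Javadoc on the constructor carries `@param config` and `@param store` with no descriptions, which is the one part of the comment a reader actually needs and also trips javadoc/Checkstyle parameter-description checks. Given the two assignments that follow, `@param config the KDC configuration this handler serves requests under` and `@param store the principal store consulted for client and service entries` would do; the roles are inferred from the field names here, so adjust if the fields are used differently elsewhere in the class.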
@@ -164,20 +170,32 @@
 
                 case 11:
                 case 13:
-                    log.error( "Kerberos error:  " + ErrorType.KRB_AP_ERR_BADDIRECTION.getMessage() );
+                    throw new KerberosException( ErrorType.KRB_AP_ERR_BADDIRECTION );
 
                 default:
-                    log.error( "Kerberos error:  " + ErrorType.KRB_AP_ERR_MSG_TYPE.getMessage() );
+                    throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
             }
         }
-        catch ( Exception e )
+        catch ( KerberosException ke )
         {
-            log.error( e.getMessage() );
-
-            KerberosException ke = ( KerberosException ) e;
+            if ( log.isDebugEnabled() )
+            {
+                log.debug( ke.getMessage(), ke );
+            }
+            else
+            {
+                log.warn( ke.getMessage() );
+            }
 
             session.write( getErrorMessage( config.getKdcPrincipal(), ke ) );
         }
+        catch ( Exception e )
+        {
+            log.error( "Unexpected exception:  " + e.getMessage(), e );
+
+            session.write( getErrorMessage( config.getKdcPrincipal(), new KerberosException(
+                ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
+        }
     }
 
 
@@ -190,7 +208,7 @@
     }
 
 
-    public ErrorMessage getErrorMessage( KerberosPrincipal principal, KerberosException exception )
+    protected ErrorMessage getErrorMessage( KerberosPrincipal principal, KerberosException exception )
     {
         ErrorMessageModifier modifier = new ErrorMessageModifier();
 
@@ -207,7 +225,7 @@
     }
 
 
-    public String getContextKey()
+    protected String getContextKey()
     {
         return ( this.contextKey );
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/SamSubsystem.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/SamSubsystem.java?view=diff&rev=540371&r1=540370&r2=540371
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/SamSubsystem.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/sam/SamSubsystem.java Mon May 21 17:00:43 2007
@@ -22,11 +22,13 @@
 
 import java.util.HashMap;
 import java.util.Hashtable;
+import java.util.Map;
 
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
 import javax.security.auth.kerberos.KerberosKey;
 
+import org.apache.directory.server.kerberos.shared.messages.value.SamType;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 
 
@@ -42,10 +44,11 @@
     /** the property key base used for SAM algorithm verifiers */
     public static final String PROPKEY_BASE = "kerberos.sam.type.";
 
+    /** the SAM subsystem instance */
     public static SamSubsystem instance;
 
     /** a map of verifiers so we do not need to create a new one every time */
-    private final HashMap verifiers = new HashMap();
+    private final Map<SamType, SamVerifier> verifiers = new HashMap<SamType, SamVerifier>();
 
     /** the key integrity checker used by the subsystem for all sam types */
     private KeyIntegrityChecker keyChecker;
@@ -115,7 +118,7 @@
 
         String key = PROPKEY_BASE + entry.getSamType().getOrdinal();
 
-        Hashtable env = new Hashtable();
+        Hashtable<Object, Object> env = new Hashtable<Object, Object>();
 
         try
         {


