Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 52112 invoked from network); 1 May 2007 20:35:06 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 1 May 2007 20:35:06 -0000 Received: (qmail 7934 invoked by uid 500); 1 May 2007 20:35:12 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 7890 invoked by uid 500); 1 May 2007 20:35:12 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 7875 invoked by uid 99); 1 May 2007 20:35:12 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 May 2007 13:35:12 -0700 X-ASF-Spam-Status: No, hits=-99.5 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 May 2007 13:35:05 -0700 Received: by eris.apache.org (Postfix, from userid 65534) id 4482A1A9838; Tue, 1 May 2007 13:34:45 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r534231 - /directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/ Date: Tue, 01 May 2007 20:34:44 -0000 To: commits@directory.apache.org From: erodriguez@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20070501203445.4482A1A9838@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: erodriguez Date: Tue May 1 13:34:43 2007 New Revision: 534231 URL: http://svn.apache.org/viewvc?view=rev&rev=534231 Log: Addition of support for AES encryption types: o aes128-cts-hmac-sha1-96 o aes256-cts-hmac-sha1-96 Added: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes128CtsSha1Encryption.java (with props) directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes256CtsSha1Encryption.java (with props) directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/AesCtsSha1Encryption.java (with props) Added: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes128CtsSha1Encryption.java URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes128CtsSha1Encryption.java?view=auto&rev=534231 ============================================================================== --- directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes128CtsSha1Encryption.java (added) +++ directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes128CtsSha1Encryption.java Tue May 1 13:34:43 2007 @@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.directory.server.kerberos.shared.crypto.encryption; + + +/** + * @author Apache Directory Project + * @version $Rev$, $Date$ + */ +public class Aes128CtsSha1Encryption extends AesCtsSha1Encryption +{ + public EncryptionType getEncryptionType() + { + return EncryptionType.AES128_CTS_HMAC_SHA1_96; + } + + + public int getKeyLength() + { + return 128; + } +} Propchange: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes128CtsSha1Encryption.java ------------------------------------------------------------------------------ svn:eol-style = native Added: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes256CtsSha1Encryption.java URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes256CtsSha1Encryption.java?view=auto&rev=534231 ============================================================================== --- directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes256CtsSha1Encryption.java (added) +++ directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes256CtsSha1Encryption.java Tue May 1 13:34:43 2007 @@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.directory.server.kerberos.shared.crypto.encryption; + + +/** + * @author Apache Directory Project + * @version $Rev$, $Date$ + */ +public class Aes256CtsSha1Encryption extends AesCtsSha1Encryption +{ + public EncryptionType getEncryptionType() + { + return EncryptionType.AES256_CTS_HMAC_SHA1_96; + } + + + public int getKeyLength() + { + return 256; + } +} Propchange: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Aes256CtsSha1Encryption.java ------------------------------------------------------------------------------ svn:eol-style = native Added: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/AesCtsSha1Encryption.java URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/AesCtsSha1Encryption.java?view=auto&rev=534231 ============================================================================== --- directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/AesCtsSha1Encryption.java (added) +++ directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/AesCtsSha1Encryption.java Tue May 1 13:34:43 2007 @@ -0,0 +1,189 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.directory.server.kerberos.shared.crypto.encryption; + + +import java.security.GeneralSecurityException; +import java.security.spec.AlgorithmParameterSpec; +import java.util.Arrays; + +import javax.crypto.Cipher; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.apache.directory.server.kerberos.shared.exceptions.ErrorType; +import org.apache.directory.server.kerberos.shared.exceptions.KerberosException; +import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData; +import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey; + + +/** + * @author Apache Directory Project + * @version $Rev$, $Date$ + */ +public abstract class AesCtsSha1Encryption extends EncryptionEngine +{ + private static final byte[] usageKe = + { ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x01, ( byte ) 0xaa }; + + private static final byte[] usageKi = + { ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x01, ( byte ) 0x55 }; + + private static final byte[] iv = new byte[] + { ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, + ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, + ( byte ) 0x00, ( byte ) 0x00 }; + + + public int getConfounderLength() + { + return 16; + } + + + public int getChecksumLength() + { + return 12; + } + + + protected abstract int getKeyLength(); + + + protected byte[] deriveKey( byte[] baseKey, byte[] usage, int n, int k ) + { + return deriveRandom( baseKey, usage, n, k ); + } + + + public byte[] getDecryptedData( EncryptionKey key, EncryptedData data ) throws KerberosException + { + byte[] Ke = deriveKey( key.getKeyValue(), usageKe, 128, getKeyLength() ); + byte[] Ki = deriveKey( key.getKeyValue(), usageKi, 128, getKeyLength() ); + + byte[] encryptedData = data.getCipherText(); + + // extract the old checksum + byte[] oldChecksum = new byte[getChecksumLength()]; + System + .arraycopy( encryptedData, encryptedData.length - getChecksumLength(), oldChecksum, 0, oldChecksum.length ); + + // remove trailing checksum + encryptedData = removeTrailingBytes( encryptedData, 0, getChecksumLength() ); + + // decrypt the data + byte[] decryptedData = decrypt( encryptedData, Ke ); + + // remove leading confounder + byte[] withoutConfounder = removeLeadingBytes( decryptedData, getConfounderLength(), 0 ); + + // calculate a new checksum + byte[] newChecksum = calculateChecksum( decryptedData, Ki ); + newChecksum = removeTrailingBytes( newChecksum, 0, newChecksum.length - getChecksumLength() ); + + // compare checksums + if ( !Arrays.equals( oldChecksum, newChecksum ) ) + { + throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY ); + } + + return withoutConfounder; + } + + + public EncryptedData getEncryptedData( EncryptionKey key, byte[] plainText ) + { + byte[] Ke = deriveKey( key.getKeyValue(), usageKe, 128, getKeyLength() ); + byte[] Ki = deriveKey( key.getKeyValue(), usageKi, 128, getKeyLength() ); + + // build the ciphertext structure + byte[] conFounder = getRandomBytes( getConfounderLength() ); + byte[] dataBytes = concatenateBytes( conFounder, plainText ); + + byte[] checksumBytes = calculateChecksum( dataBytes, Ki ); + checksumBytes = removeTrailingBytes( checksumBytes, 0, checksumBytes.length - getChecksumLength() ); + + byte[] encryptedData = encrypt( dataBytes, Ke ); + byte[] cipherText = concatenateBytes( encryptedData, checksumBytes ); + + return new EncryptedData( getEncryptionType(), key.getKeyVersion(), cipherText ); + } + + + public byte[] encrypt( byte[] plainText, byte[] keyBytes ) + { + return processCipher( true, plainText, keyBytes ); + } + + + public byte[] decrypt( byte[] cipherText, byte[] keyBytes ) + { + return processCipher( false, cipherText, keyBytes ); + } + + + public byte[] calculateChecksum( byte[] data, byte[] key ) + { + try + { + SecretKey sk = new SecretKeySpec( key, "AES" ); + + Mac mac = Mac.getInstance( "HmacSHA1" ); + mac.init( sk ); + + return mac.doFinal( data ); + } + catch ( GeneralSecurityException nsae ) + { + nsae.printStackTrace(); + return null; + } + } + + + private byte[] processCipher( boolean isEncrypt, byte[] data, byte[] keyBytes ) + { + try + { + Cipher cipher = Cipher.getInstance( "AES/CTS/NoPadding" ); + SecretKey key = new SecretKeySpec( keyBytes, "AES" ); + + AlgorithmParameterSpec paramSpec = new IvParameterSpec( iv ); + + if ( isEncrypt ) + { + cipher.init( Cipher.ENCRYPT_MODE, key, paramSpec ); + } + else + { + cipher.init( Cipher.DECRYPT_MODE, key, paramSpec ); + } + + return cipher.doFinal( data ); + } + catch ( GeneralSecurityException nsae ) + { + nsae.printStackTrace(); + return null; + } + } +} Propchange: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/AesCtsSha1Encryption.java ------------------------------------------------------------------------------ svn:eol-style = native