Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 38226 invoked from network); 3 May 2007 01:26:37 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 3 May 2007 01:26:37 -0000 Received: (qmail 12586 invoked by uid 500); 3 May 2007 01:26:43 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 12543 invoked by uid 500); 3 May 2007 01:26:43 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 12531 invoked by uid 99); 3 May 2007 01:26:43 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 May 2007 18:26:43 -0700 X-ASF-Spam-Status: No, hits=-99.5 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 May 2007 18:26:36 -0700 Received: by eris.apache.org (Postfix, from userid 65534) id 0B3601A9838; Wed, 2 May 2007 18:26:16 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r534675 - in /directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src: main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/ test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/ Date: Thu, 03 May 2007 01:26:15 -0000 To: commits@directory.apache.org From: erodriguez@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20070503012616.0B3601A9838@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: erodriguez Date: Wed May 2 18:26:14 2007 New Revision: 534675 URL: http://svn.apache.org/viewvc?view=rev&rev=534675 Log: o Overhaul of the SessionKeyFactory to support DES, DES3, AES, and RC4-HMAC. o Test case covering session key generation. Added: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactoryTest.java (with props) Modified: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactory.java Modified: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactory.java URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactory.java?view=diff&rev=534675&r1=534674&r2=534675 ============================================================================== --- directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactory.java (original) +++ directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactory.java Wed May 2 18:26:14 2007 @@ -20,13 +20,16 @@ package org.apache.directory.server.kerberos.shared.crypto.encryption; -import java.security.InvalidKeyException; -import java.security.SecureRandom; +import java.security.NoSuchAlgorithmException; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; -import javax.crypto.spec.DESKeySpec; -import javax.crypto.spec.SecretKeySpec; +import org.apache.directory.server.kerberos.shared.exceptions.ErrorType; +import org.apache.directory.server.kerberos.shared.exceptions.KerberosException; import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey; @@ -38,105 +41,64 @@ */ public class SessionKeyFactory { - /** - * SecureRandom.nextBytes() is synchronized, making this safe for static use. - */ - private static final SecureRandom random = new SecureRandom(); + /** a map of the default encryption types to the encryption engine class names */ + private static final Map DEFAULT_CIPHERS; - - /** - * Get a new random session key. - * - * @return The new random session key. - */ - public static EncryptionKey getSessionKey() + static { - // Only need 7 bytes. With parity will result in 8 bytes. - byte[] raw = new byte[7]; - - // SecureRandom.nextBytes is already synchronized - random.nextBytes( raw ); - - byte[] keyBytes = addParity( raw ); - - try - { - // check for weakness - if ( DESKeySpec.isWeak( keyBytes, 0 ) ) - { - keyBytes = getStrongKey( keyBytes ); - } - } - catch ( InvalidKeyException ike ) - { - /* - * Will only get here if the key is null or less - * than 8 bytes, which won't ever happen. - */ - return null; - } + Map map = new HashMap(); - SecretKey key = new SecretKeySpec( keyBytes, "DES" ); - byte[] subSessionKey = key.getEncoded(); + map.put( EncryptionType.DES_CBC_MD5, "DES" ); + map.put( EncryptionType.DES3_CBC_SHA1_KD, "DESede" ); + map.put( EncryptionType.RC4_HMAC, "RC4" ); + map.put( EncryptionType.AES128_CTS_HMAC_SHA1_96, "AES" ); + map.put( EncryptionType.AES256_CTS_HMAC_SHA1_96, "AES" ); - return new EncryptionKey( EncryptionType.DES_CBC_MD5, subSessionKey ); + DEFAULT_CIPHERS = Collections.unmodifiableMap( map ); } /** - * Adds parity to 7-bytes to form an 8-byte DES key. - * - * @param sevenBytes - * @return The 8-byte DES key with parity. + * Get a new random session key for a given {@link EncryptionType}. + * + * @param encryptionType + * + * @return The new random session key. + * @throws KerberosException */ - static byte[] addParity( byte[] sevenBytes ) + public static EncryptionKey getSessionKey( EncryptionType encryptionType ) throws KerberosException { - byte[] result = new byte[8]; + String algorithm = DEFAULT_CIPHERS.get( encryptionType ); - // Keeps track of the bit position in the result. - int resultIndex = 1; - - // Used to keep track of the number of 1 bits in each 7-bit chunk. - int bitCount = 0; + if ( algorithm == null ) + { + throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP, encryptionType.getName() + + " is not a supported encryption type." ); + } - // Process each of the 56 bits. - for ( int i = 0; i < 56; i++ ) + try { - // Get the bit at bit position i - boolean bit = ( sevenBytes[6 - i / 8] & ( 1 << ( i % 8 ) ) ) > 0; + KeyGenerator keyGenerator = KeyGenerator.getInstance( algorithm ); - // If set, set the corresponding bit in the result. - if ( bit ) + if ( encryptionType.equals( EncryptionType.AES128_CTS_HMAC_SHA1_96 ) ) { - result[7 - resultIndex / 8] |= ( 1 << ( resultIndex % 8 ) ) & 0xFF; - bitCount++; + keyGenerator.init( 128 ); } - // Set the parity bit after every 7 bits. - if ( ( i + 1 ) % 7 == 0 ) + if ( encryptionType.equals( EncryptionType.AES256_CTS_HMAC_SHA1_96 ) ) { - if ( bitCount % 2 == 0 ) - { - // Set low-order bit (parity bit) if bit count is even. - result[7 - resultIndex / 8] |= 1; - } - resultIndex++; - bitCount = 0; + keyGenerator.init( 256 ); } - resultIndex++; - } - return result; - } + SecretKey key = keyGenerator.generateKey(); + byte[] keyBytes = key.getEncoded(); - /** - * Corrects the weak key by exclusive OR with 0xF0 constant. - */ - private static byte[] getStrongKey( byte keyValue[] ) - { - keyValue[7] ^= 0xf0; - - return keyValue; + return new EncryptionKey( encryptionType, keyBytes ); + } + catch ( NoSuchAlgorithmException nsae ) + { + throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP, nsae.getMessage() ); + } } } Added: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactoryTest.java URL: http://svn.apache.org/viewvc/directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactoryTest.java?view=auto&rev=534675 ============================================================================== --- directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactoryTest.java (added) +++ directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactoryTest.java Wed May 2 18:26:14 2007 @@ -0,0 +1,118 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.directory.server.kerberos.shared.crypto.encryption; + + +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.spec.DESKeySpec; + +import junit.framework.TestCase; + + +/** + * Test cases for random-to-key functions for DES-, DES3-, AES-, and RC4-based + * encryption types. + * + * @author Apache Directory Project + * @version $Rev$, $Date$ + */ +public class SessionKeyFactoryTest extends TestCase +{ + /** + * Tests that random DES keys can be generated. + * + * @throws Exception + */ + public void testGenerateDesKey() throws Exception + { + KeyGenerator keygen = KeyGenerator.getInstance( "DES" ); + SecretKey key = keygen.generateKey(); + assertEquals( "DES key size", 8, key.getEncoded().length ); + assertTrue( DESKeySpec.isParityAdjusted( key.getEncoded(), 0 ) ); + } + + + /** + * Tests that random Triple-DES keys can be generated. + * + * @throws Exception + */ + public void testGenerateTripleDesKey() throws Exception + { + KeyGenerator keygen = KeyGenerator.getInstance( "DESede" ); + SecretKey key = keygen.generateKey(); + assertEquals( "DESede key size", 24, key.getEncoded().length ); + } + + + /** + * Tests that random AES128 keys can be generated. + * + * @throws Exception + */ + public void testGenerateAes128Key() throws Exception + { + KeyGenerator keygen = KeyGenerator.getInstance( "AES" ); + keygen.init( 128 ); + SecretKey key = keygen.generateKey(); + assertEquals( "AES key size", 16, key.getEncoded().length ); + } + + + /** + * Tests that random AES256 keys can be generated. + * + * @throws Exception + */ + public void testGenerateAes256Key() throws Exception + { + // KeyGenerator keygen = KeyGenerator.getInstance( "AES" ); + // keygen.init( 256 ); + // SecretKey key = keygen.generateKey(); + // assertEquals( "AES key size", 32, key.getEncoded().length ); + } + + + /** + * Tests that random ARCFOUR keys can be generated. + * + * @throws Exception + */ + public void testGenerateArcFourKey() throws Exception + { + KeyGenerator keygen = KeyGenerator.getInstance( "ARCFOUR" ); + SecretKey key = keygen.generateKey(); + assertEquals( "ARCFOUR key size", 16, key.getEncoded().length ); + } + + + /** + * Tests that random RC4 keys can be generated. + * + * @throws Exception + */ + public void testGenerateRc4Key() throws Exception + { + KeyGenerator keygen = KeyGenerator.getInstance( "RC4" ); + SecretKey key = keygen.generateKey(); + assertEquals( "RC4 key size", 16, key.getEncoded().length ); + } +} Propchange: directory/apacheds/branches/kerberos-encryption-types/kerberos-shared/src/test/java/org/apache/directory/server/kerberos/shared/crypto/encryption/SessionKeyFactoryTest.java ------------------------------------------------------------------------------ svn:eol-style = native