From erodrig...@apache.org
Subject svn commit: r561714 - in /directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol: AuthenticationEncryptionTypeTest.java TicketGrantingEncryptionTypeTest.java
Date Wed, 01 Aug 2007 08:50:50 GMT
Author: erodriguez
Date: Wed Aug  1 01:50:49 2007
New Revision: 561714

URL: http://svn.apache.org/viewvc?view=rev&rev=561714
Log:
Added 10 new test cases covering various facets of using encryption types with the AS and
TGS services.

Added:
    directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
  (with props)
    directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingEncryptionTypeTest.java
  (with props)

Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java?view=auto&rev=561714
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
(added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
Wed Aug  1 01:50:49 2007
@@ -0,0 +1,277 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
+import org.apache.directory.server.kerberos.shared.io.encoder.EncryptedDataEncoder;
+import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
+import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.MessageType;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
+
+
+/**
+ * Tests various facets of working with encryption types in the Authentication Service (AS).
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class AuthenticationEncryptionTypeTest extends AbstractAuthenticationServiceTest
+{
+    private KdcConfiguration config;
+    private PrincipalStore store;
+    private KerberosProtocolHandler handler;
+    private DummySession session;
+
+
+    /**
+     * Creates a new instance of {@link AuthenticationEncryptionTypeTest}.
+     */
+    public AuthenticationEncryptionTypeTest()
+    {
+        config = new KdcConfiguration();
+        store = new MapPrincipalStoreImpl();
+        handler = new KerberosProtocolHandler( config, store );
+        session = new DummySession();
+        lockBox = new CipherTextHandler();
+    }
+
+
+    /**
+     * Tests a basic request using DES-CBC-MD5.
+     * 
+     * @throws Exception
+     */
+    public void testRequestDesCbcMd5() throws Exception
+    {
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setClientName( getPrincipalName( "hnelson" ) );
+        modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.DES_CBC_MD5 };
+
+        modifier.setEType( encryptionTypes );
+        modifier.setNonce( random.nextInt() );
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        String passPhrase = "secret";
+        PreAuthenticationData[] paData = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase
);
+
+        KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, paData, modifier.getRequestBody()
);
+
+        handler.messageReceived( session, message );
+
+        AuthenticationReply reply = ( AuthenticationReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.DES_CBC_MD5, reply.getEncPart().getEncryptionType()
);
+    }
+
+
+    /**
+     * Tests the configuration of AES-128 as the sole supported encryption type.
+     * 
+     * @throws Exception
+     */
+    public void testRequestAes128() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setClientName( getPrincipalName( "hnelson" ) );
+        modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+        modifier.setNonce( random.nextInt() );
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        String principalName = "hnelson@EXAMPLE.COM";
+        String passPhrase = "secret";
+        Set<EncryptionType> preAuthEncryptionTypes = new HashSet<EncryptionType>();
+        preAuthEncryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Map<EncryptionType, EncryptionKey> keyMap = KerberosKeyFactory.getKerberosKeys(
principalName, passPhrase,
+            preAuthEncryptionTypes );
+        EncryptionKey clientKey = keyMap.get( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        KerberosTime timeStamp = new KerberosTime();
+        PreAuthenticationData[] paData = getPreAuthEncryptedTimeStamp( clientKey, timeStamp
);
+
+        KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, paData, modifier.getRequestBody()
);
+
+        handler.messageReceived( session, message );
+
+        AuthenticationReply reply = ( AuthenticationReply ) session.getMessage();
+
+        assertTrue( "Requested end time", requestedEndTime.equals( reply.getEndTime() ) );
+        assertTrue( "PRE_AUTHENT flag", reply.getTicket().getFlags().get( TicketFlags.PRE_AUTHENT
) );
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getEncPart().getEncryptionType()
);
+    }
+
+
+    /**
+     * Tests that the client-chosen nonce is correctly returned in the response.
+     * 
+     * @throws Exception
+     */
+    public void testNonce() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setClientName( getPrincipalName( "hnelson" ) );
+        modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+        int nonce = random.nextInt();
+        modifier.setNonce( nonce );
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        String principalName = "hnelson@EXAMPLE.COM";
+        String passPhrase = "secret";
+        Set<EncryptionType> preAuthEncryptionTypes = new HashSet<EncryptionType>();
+        preAuthEncryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Map<EncryptionType, EncryptionKey> keyMap = KerberosKeyFactory.getKerberosKeys(
principalName, passPhrase,
+            preAuthEncryptionTypes );
+        EncryptionKey clientKey = keyMap.get( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        KerberosTime timeStamp = new KerberosTime();
+        PreAuthenticationData[] paData = getPreAuthEncryptedTimeStamp( clientKey, timeStamp
);
+
+        KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, paData, modifier.getRequestBody()
);
+
+        handler.messageReceived( session, message );
+
+        AuthenticationReply reply = ( AuthenticationReply ) session.getMessage();
+
+        assertTrue( "Requested end time", requestedEndTime.equals( reply.getEndTime() ) );
+        assertTrue( "PRE_AUTHENT flag", reply.getTicket().getFlags().get( TicketFlags.PRE_AUTHENT
) );
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getEncPart().getEncryptionType()
);
+
+        assertEquals( "Nonce", nonce, reply.getNonce() );
+    }
+
+
+    /**
+     * Tests when a request is made for an encryption type that is not enabled in
+     * configuration that the request fails with the correct error message.
+     * 
+     * @throws Exception
+     */
+    public void testAes128Configuration() throws Exception
+    {
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setClientName( getPrincipalName( "hnelson" ) );
+        modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] requestedEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( requestedEncryptionTypes );
+        modifier.setNonce( random.nextInt() );
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        String passPhrase = "secret";
+        PreAuthenticationData[] paData = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase
);
+
+        KdcRequest message = new KdcRequest( 5, MessageType.KRB_AS_REQ, paData, modifier.getRequestBody()
);
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "KDC has no support for encryption type", 14, error.getErrorCode()
);
+    }
+
+
+    protected PreAuthenticationData[] getPreAuthEncryptedTimeStamp( EncryptionKey clientKey,
KerberosTime timeStamp )
+        throws Exception
+    {
+        PreAuthenticationData[] paData = new PreAuthenticationData[1];
+
+        EncryptedTimeStamp encryptedTimeStamp = new EncryptedTimeStamp( timeStamp, 0 );
+
+        EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp, KeyUsage.NUMBER1
);
+
+        byte[] encodedEncryptedData = EncryptedDataEncoder.encode( encryptedData );
+
+        PreAuthenticationDataModifier preAuth = new PreAuthenticationDataModifier();
+        preAuth.setDataType( PreAuthenticationDataType.PA_ENC_TIMESTAMP );
+        preAuth.setDataValue( encodedEncryptedData );
+
+        paData[0] = preAuth.getPreAuthenticationData();
+
+        return paData;
+    }
+}
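Review bot: `testAes128Configuration` depends on the default `KdcConfiguration` encryption-type set not containing AES-128, but it neither states nor enforces that, so a later change to the defaults would make it fail (or keep passing) for a reason unrelated to the negative path its Javadoc describes; making the configured set explicit before the request, `config.setEncryptionTypes( new EncryptionType[] { EncryptionType.DES_CBC_MD5 } );`, pins what is actually under test. The expected error code is the bare literal `14`; a comment such as `// KDC_ERR_ETYPE_NOSUPP (RFC 4120)`, or a named constant from the project's error-type enumeration if one exists, would make the assertion self-describing. `testRequestAes128` and `testNonce` duplicate their entire request setup apart from the captured nonce, so `testNonce` could drop the end-time and PRE_AUTHENT assertions it repeats, or the shared setup could be factored into a helper returning the `KdcRequest`.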

Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingEncryptionTypeTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingEncryptionTypeTest.java?view=auto&rev=561714
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingEncryptionTypeTest.java
(added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingEncryptionTypeTest.java
Wed Aug  1 01:50:49 2007
@@ -0,0 +1,436 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
+import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
+
+
+/**
+ * Tests various facets of working with encryption types in the Ticket-Granting Service (TGS).
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class TicketGrantingEncryptionTypeTest extends AbstractTicketGrantingServiceTest
+{
+    private KdcConfiguration config;
+    private PrincipalStore store;
+    private KerberosProtocolHandler handler;
+    private DummySession session;
+
+
+    /**
+     * Creates a new instance of {@link TicketGrantingEncryptionTypeTest}.
+     */
+    public TicketGrantingEncryptionTypeTest()
+    {
+        config = new KdcConfiguration();
+
+        /*
+         * Body checksum verification must be disabled because we are bypassing
+         * the codecs, where the body bytes are set on the KdcRequest message.
+         */
+        config.setBodyChecksumVerified( false );
+
+        store = new MapPrincipalStoreImpl();
+        handler = new KerberosProtocolHandler( config, store );
+        session = new DummySession();
+        lockBox = new CipherTextHandler();
+    }
+
+
+    /**
+     * Tests a basic request using DES-CBC-MD5.
+     *
+     * @throws Exception
+     */
+    public void testRequestDesCbcMd5() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal
);
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
);
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.DES_CBC_MD5 };
+
+        modifier.setEType( encryptionTypes );
+
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.DES_CBC_MD5, reply.getEncPart().getEncryptionType()
);
+    }
+
+
+    /**
+     * Tests the use of a TGT containing a DES-CBC-MD5 session key while the
+     * requested encryption type is AES-128.
+     * 
+     * @throws Exception
+     */
+    public void testRequestAes128() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal
);
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
);
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.DES_CBC_MD5, reply.getEncPart().getEncryptionType()
);
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getTicket().getEncPart()
+            .getEncryptionType() );
+    }
+
+
+    /**
+     * Tests the use of a TGT containing an AES-128 session key while the
+     * requested encryption type is also AES-128.
+     *
+     * @throws Exception
+     */
+    public void testRequestAes128TgtAndRequested() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal
);
+
+        // Make changes to test.
+        sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96
);
+        encTicketPartModifier.setSessionKey( sessionKey );
+
+        // Seal the ticket for the server.
+        String principalName = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( principalName );
+        String passPhrase = "randomKey";
+        Set<EncryptionType> preAuthEncryptionTypes = new HashSet<EncryptionType>();
+        preAuthEncryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Map<EncryptionType, EncryptionKey> keyMap = KerberosKeyFactory.getKerberosKeys(
principalName, passPhrase,
+            preAuthEncryptionTypes );
+        EncryptionKey serverKey = keyMap.get( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getEncPart().getEncryptionType()
);
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getTicket().getEncPart()
+            .getEncryptionType() );
+    }
+
+
+    /**
+     * Tests that the client-chosen nonce is correctly returned in the response.
+     * 
+     * @throws Exception
+     */
+    public void testNonce() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal
);
+
+        // Make changes to test.
+        sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96
);
+        encTicketPartModifier.setSessionKey( sessionKey );
+
+        // Seal the ticket for the server.
+        String principalName = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( principalName );
+        String passPhrase = "randomKey";
+        Set<EncryptionType> preAuthEncryptionTypes = new HashSet<EncryptionType>();
+        preAuthEncryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Map<EncryptionType, EncryptionKey> keyMap = KerberosKeyFactory.getKerberosKeys(
principalName, passPhrase,
+            preAuthEncryptionTypes );
+        EncryptionKey serverKey = keyMap.get( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+
+        int nonce = random.nextInt();
+        modifier.setNonce( nonce );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getEncPart().getEncryptionType()
);
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getTicket().getEncPart()
+            .getEncryptionType() );
+
+        assertEquals( "Nonce", nonce, reply.getNonce() );
+    }
+
+
+    /**
+     * Tests that the default reply key is the session key from the TGT.
+     * 
+     * @throws Exception
+     */
+    public void testDecryptWithSessionKey() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal
);
+
+        // Make changes to test.
+        sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96
);
+        encTicketPartModifier.setSessionKey( sessionKey );
+
+        // Seal the ticket for the server.
+        String principalName = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( principalName );
+        String passPhrase = "randomKey";
+        Set<EncryptionType> preAuthEncryptionTypes = new HashSet<EncryptionType>();
+        preAuthEncryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Map<EncryptionType, EncryptionKey> keyMap = KerberosKeyFactory.getKerberosKeys(
principalName, passPhrase,
+            preAuthEncryptionTypes );
+        EncryptionKey serverKey = keyMap.get( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getEncPart().getEncryptionType()
);
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getTicket().getEncPart()
+            .getEncryptionType() );
+    }
+
+
+    /**
+     * Tests when a sub-session key is placed in the Authenticator that the
+     * reply key is the sub-session key and not the TGT session key.
+     *
+     * @throws Exception
+     */
+    public void testDecryptWithSubSessionKey() throws Exception
+    {
+        EncryptionType[] configuredEncryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+        config.setEncryptionTypes( configuredEncryptionTypes );
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM"
);
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal
);
+
+        // Make changes to test.
+        sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96
);
+        encTicketPartModifier.setSessionKey( sessionKey );
+
+        // Seal the ticket for the server.
+        String principalName = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( principalName );
+        String passPhrase = "randomKey";
+        Set<EncryptionType> preAuthEncryptionTypes = new HashSet<EncryptionType>();
+        preAuthEncryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Map<EncryptionType, EncryptionKey> keyMap = KerberosKeyFactory.getKerberosKeys(
principalName, passPhrase,
+            preAuthEncryptionTypes );
+        EncryptionKey serverKey = keyMap.get( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes =
+            { EncryptionType.AES128_CTS_HMAC_SHA1_96 };
+
+        modifier.setEType( encryptionTypes );
+
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        subSessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertEquals( "Encryption type", EncryptionType.DES_CBC_MD5, reply.getEncPart().getEncryptionType()
);
+        assertEquals( "Encryption type", EncryptionType.AES128_CTS_HMAC_SHA1_96, reply.getTicket().getEncPart()
+            .getEncryptionType() );
+    }
+}
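Review bot: `testDecryptWithSessionKey` asserts only that the reply's encrypted part carries the AES-128 encryption type, and in that test the configured type, the ticket type and the random session key are all AES-128, so the assertion cannot distinguish the TGT session key from any other AES-128 key and does not verify the "default reply key" claim in its Javadoc; decrypting `reply.getEncPart()` with `sessionKey` through `lockBox` (assuming it exposes a decrypt counterpart to the `seal` the AS test uses) would, and the same applies to `testDecryptWithSubSessionKey`, where the DES-CBC-MD5 type on the reply is only a proxy for `subSessionKey` having been used. The paired assertions at the end of every test both use the message `"Encryption type"`, so a failure does not say whether the reply or the ticket mismatched; `"Reply encryption type"` and `"Ticket encryption type"` would. The `now + 1 * KerberosTime.DAY` form repeated in each test reads as a leftover multiplier and could be `now + KerberosTime.DAY` as in the AS test.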

Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingEncryptionTypeTest.java
------------------------------------------------------------------------------
    svn:eol-style = native


