directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kayyag...@apache.org
Subject svn commit: r1443107 [4/6] - in /directory/apacheds/trunk: interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/ kerberos-codec/ kerberos-codec/src/main/java/org/apache/directory/server/kerberos/changepwd/ kerberos-codec/src/mai...
Date Wed, 06 Feb 2013 18:19:39 GMT
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java Wed Feb  6 18:19:36 2013
@@ -21,31 +21,25 @@ package org.apache.directory.server.kerb
 
 
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import javax.security.auth.kerberos.KerberosPrincipal;
 
 import net.sf.ehcache.Cache;
 
 import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
 import org.apache.directory.api.ldap.model.name.Dn;
-import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.directory.server.kerberos.KerberosConfig;
+import org.apache.directory.server.kerberos.changepwd.ChangePasswordServer;
 import org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler;
 import org.apache.directory.server.kerberos.protocol.codec.KerberosProtocolCodecFactory;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCacheImpl;
-import org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.directory.server.protocol.shared.DirectoryBackedService;
 import org.apache.directory.server.protocol.shared.transport.TcpTransport;
 import org.apache.directory.server.protocol.shared.transport.Transport;
-import org.apache.directory.server.protocol.shared.transport.UdpTransport;
-import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
 import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
 import org.apache.mina.core.filterchain.IoFilterChainBuilder;
 import org.apache.mina.core.service.IoAcceptor;
 import org.apache.mina.filter.codec.ProtocolCodecFilter;
-import org.apache.mina.transport.socket.DatagramAcceptor;
 import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -62,374 +56,37 @@ public class KdcServer extends Directory
 
     /** logger for this class */
     private static final Logger LOG = LoggerFactory.getLogger( KdcServer.class.getName() );
-
-    /** The default kdc port */
-    private static final int DEFAULT_IP_PORT = 88;
-
-    /** The default kdc service pid */
-    private static final String DEFAULT_PID = "org.apache.directory.server.kerberos";
-
+    
     /** The default kdc service name */
-    private static final String DEFAULT_NAME = "ApacheDS Kerberos Service";
-
-    /** The default kdc service principal */
-    private static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
-
-    /** The default kdc realm */
-    private static final String DEFAULT_REALM = "EXAMPLE.COM";
-
-    /** The default allowable clockskew */
-    private static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5 * 60000;
-
-    /** The default encryption types */
-    private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
-        { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "des-cbc-md5" };
-
-    /** The default for allowing empty addresses */
-    private static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
-
-    /** The default for requiring encrypted timestamps */
-    private static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true;
-
-    /** The default for the maximum ticket lifetime */
-    private static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440;
-
-    /** The default for the maximum renewable lifetime */
-    private static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080;
-
-    /** The default for allowing forwardable tickets */
-    private static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true;
-
-    /** The default for allowing proxiable tickets */
-    private static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true;
-
-    /** The default for allowing postdated tickets */
-    private static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true;
-
-    /** The default for allowing renewable tickets */
-    private static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true;
-
-    /** The default for verifying the body checksum */
-    private static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true;
-
-    /** The encryption types. */
-    private List<EncryptionType> encryptionTypes;
-
-    /** The primary realm */
-    private String primaryRealm = DEFAULT_REALM;
-
-    /** The service principal name. */
-    private String servicePrincipal = DEFAULT_PRINCIPAL;
-
-    /** The allowable clock skew. */
-    private long allowableClockSkew = DEFAULT_ALLOWABLE_CLOCKSKEW;
-
-    /** Whether pre-authentication by encrypted timestamp is required. */
-    private boolean isPaEncTimestampRequired = DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
-
-    /** The maximum ticket lifetime. */
-    private long maximumTicketLifetime = DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
-
-    /** The maximum renewable lifetime. */
-    private long maximumRenewableLifetime = DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
-
-    /** Whether empty addresses are allowed. */
-    private boolean isEmptyAddressesAllowed = DEFAULT_EMPTY_ADDRESSES_ALLOWED;
-
-    /** Whether forwardable addresses are allowed. */
-    private boolean isForwardableAllowed = DEFAULT_TGS_FORWARDABLE_ALLOWED;
-
-    /** Whether proxiable addresses are allowed. */
-    private boolean isProxiableAllowed = DEFAULT_TGS_PROXIABLE_ALLOWED;
-
-    /** Whether postdated tickets are allowed. */
-    private boolean isPostdatedAllowed = DEFAULT_TGS_POSTDATED_ALLOWED;
-
-    /** Whether renewable tickets are allowed. */
-    private boolean isRenewableAllowed = DEFAULT_TGS_RENEWABLE_ALLOWED;
-
-    /** Whether to verify the body checksum. */
-    private boolean isBodyChecksumVerified = DEFAULT_VERIFY_BODY_CHECKSUM;
+    private static final String SERVICE_NAME = "Keydap Kerberos Service";
 
     /** the cache used for storing AS and TGS requests */
     private ReplayCache replayCache;
 
-
+    private KerberosConfig config;
+    
+    private ChangePasswordServer changePwdServer;
+    
     /**
-     * Creates a new instance of KdcConfiguration.
+     * Creates a new instance of KdcServer with the default configuration.
      */
     public KdcServer()
     {
-        super.setServiceName( DEFAULT_NAME );
-        super.setServiceId( DEFAULT_PID );
-        super.setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN );
-
-        prepareEncryptionTypes();
-    }
-
-
-    /**
-     * Returns the allowable clock skew.
-     *
-     * @return The allowable clock skew.
-     */
-    public long getAllowableClockSkew()
-    {
-        return allowableClockSkew;
-    }
-
-
-    /**
-     * @return the isEmptyAddressesAllowed
-     */
-    public boolean isEmptyAddressesAllowed()
-    {
-        return isEmptyAddressesAllowed;
-    }
-
-
-    /**
-     * @return the isForwardableAllowed
-     */
-    public boolean isForwardableAllowed()
-    {
-        return isForwardableAllowed;
-    }
-
-
-    /**
-     * @return the isPostdatedAllowed
-     */
-    public boolean isPostdatedAllowed()
-    {
-        return isPostdatedAllowed;
-    }
-
-
-    /**
-     * @return the isProxiableAllowed
-     */
-    public boolean isProxiableAllowed()
-    {
-        return isProxiableAllowed;
-    }
-
-
-    /**
-     * @return the isRenewableAllowed
-     */
-    public boolean isRenewableAllowed()
-    {
-        return isRenewableAllowed;
-    }
-
-
-    /**
-     * @return the maximumRenewableLifetime
-     */
-    public long getMaximumRenewableLifetime()
-    {
-        return maximumRenewableLifetime;
-    }
-
-
-    /**
-     * @return the maximumTicketLifetime
-     */
-    public long getMaximumTicketLifetime()
-    {
-        return maximumTicketLifetime;
-    }
-
-
-    /**
-     * @param allowableClockSkew the allowableClockSkew to set
-     */
-    public void setAllowableClockSkew( long allowableClockSkew )
-    {
-        this.allowableClockSkew = allowableClockSkew;
-    }
-
-
-    /**
-     * Initialize the encryptionTypes set
-     * 
-     * @param encryptionTypes the encryptionTypes to set
-     */
-    public void setEncryptionTypes( EncryptionType[] encryptionTypes )
-    {
-        if ( encryptionTypes != null )
-        {
-            this.encryptionTypes.clear();
-
-            for ( EncryptionType encryptionType : encryptionTypes )
-            {
-                this.encryptionTypes.add( encryptionType );
-            }
-        }
+        this( new KerberosConfig() );
     }
-
-
+    
+    
     /**
-     * Initialize the encryptionTypes set
      * 
-     * @param encryptionTypes the encryptionTypes to set
-     */
-    public void setEncryptionTypes( List<EncryptionType> encryptionTypes )
-    {
-        this.encryptionTypes = encryptionTypes;
-    }
-
-
-    /**
-     * @param isEmptyAddressesAllowed the isEmptyAddressesAllowed to set
-     */
-    public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed )
-    {
-        this.isEmptyAddressesAllowed = isEmptyAddressesAllowed;
-    }
-
-
-    /**
-     * @param isForwardableAllowed the isForwardableAllowed to set
-     */
-    public void setForwardableAllowed( boolean isForwardableAllowed )
-    {
-        this.isForwardableAllowed = isForwardableAllowed;
-    }
-
-
-    /**
-     * @param isPaEncTimestampRequired the isPaEncTimestampRequired to set
-     */
-    public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired )
-    {
-        this.isPaEncTimestampRequired = isPaEncTimestampRequired;
-    }
-
-
-    /**
-     * @param isPostdatedAllowed the isPostdatedAllowed to set
-     */
-    public void setPostdatedAllowed( boolean isPostdatedAllowed )
-    {
-        this.isPostdatedAllowed = isPostdatedAllowed;
-    }
-
-
-    /**
-     * @param isProxiableAllowed the isProxiableAllowed to set
-     */
-    public void setProxiableAllowed( boolean isProxiableAllowed )
-    {
-        this.isProxiableAllowed = isProxiableAllowed;
-    }
-
-
-    /**
-     * @param isRenewableAllowed the isRenewableAllowed to set
-     */
-    public void setRenewableAllowed( boolean isRenewableAllowed )
-    {
-        this.isRenewableAllowed = isRenewableAllowed;
-    }
-
-
-    /**
-     * @param kdcPrincipal the kdcPrincipal to set
-     */
-    public void setKdcPrincipal( String kdcPrincipal )
-    {
-        this.servicePrincipal = kdcPrincipal;
-    }
-
-
-    /**
-     * @param maximumRenewableLifetime the maximumRenewableLifetime to set
-     */
-    public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
-    {
-        this.maximumRenewableLifetime = maximumRenewableLifetime;
-    }
-
-
-    /**
-     * @param maximumTicketLifetime the maximumTicketLifetime to set
-     */
-    public void setMaximumTicketLifetime( long maximumTicketLifetime )
-    {
-        this.maximumTicketLifetime = maximumTicketLifetime;
-    }
-
-
-    /**
-     * @param primaryRealm the primaryRealm to set
-     */
-    public void setPrimaryRealm( String primaryRealm )
-    {
-        this.primaryRealm = primaryRealm;
-    }
-
-
-    /**
-     * Returns the primary realm.
-     *
-     * @return The primary realm.
-     */
-    public String getPrimaryRealm()
-    {
-        return primaryRealm;
-    }
-
-
-    /**
-     * Returns the service principal for this KDC service.
-     *
-     * @return The service principal for this KDC service.
-     */
-    public KerberosPrincipal getServicePrincipal()
-    {
-        return new KerberosPrincipal( servicePrincipal );
-    }
-
-
-    /**
-     * Returns the encryption types.
+     * Creates a new instance of KdcServer with the given config.
      *
-     * @return The encryption types.
+     * @param config the kerberos server configuration
      */
-    public List<EncryptionType> getEncryptionTypes()
+    public KdcServer( KerberosConfig config )
     {
-        return encryptionTypes;
-    }
-
-
-    /**
-     * Returns whether pre-authentication by encrypted timestamp is required.
-     *
-     * @return Whether pre-authentication by encrypted timestamp is required.
-     */
-    public boolean isPaEncTimestampRequired()
-    {
-        return isPaEncTimestampRequired;
-    }
-
-
-    /**
-     * @return the isBodyChecksumVerified
-     */
-    public boolean isBodyChecksumVerified()
-    {
-        return isBodyChecksumVerified;
-    }
-
-
-    /**
-     * @param isBodyChecksumVerified the isBodyChecksumVerified to set
-     */
-    public void setBodyChecksumVerified( boolean isBodyChecksumVerified )
-    {
-        this.isBodyChecksumVerified = isBodyChecksumVerified;
+        this.config = config;
+        super.setServiceName( SERVICE_NAME );
+        super.setSearchBaseDn( config.getSearchBaseDn() );
     }
 
 
@@ -449,78 +106,55 @@ public class KdcServer extends Directory
     {
         PrincipalStore store;
 
-        // TODO - for now ignoring this catalog crap
-        store = new DirectoryPrincipalStore( getDirectoryService(), new Dn( this.getSearchBaseDn() ) );
-
+        store = new DirectoryPrincipalStore( getDirectoryService(), new Dn(this.getSearchBaseDn())  );
+        
         LOG.debug( "initializing the kerberos replay cache" );
 
         Cache cache = getDirectoryService().getCacheService().getCache( "kdcReplayCache" );
-        replayCache = new ReplayCacheImpl( cache, allowableClockSkew );
-
-        if ( ( transports == null ) || ( transports.size() == 0 ) )
+        replayCache = new ReplayCacheImpl( cache, config.getAllowableClockSkew() );
+        
+        // Kerberos can use UDP or TCP
+        for ( Transport transport:transports )
         {
-            // Default to UDP with port 88
-            // We have to create a DatagramAcceptor
-            UdpTransport transport = new UdpTransport( DEFAULT_IP_PORT );
-            setTransports( transport );
-
-            DatagramAcceptor acceptor = transport.getAcceptor();
-
+            IoAcceptor acceptor = transport.getAcceptor();
+            
+            // Now, configure the acceptor
             // Inject the chain
-            IoFilterChainBuilder udpChainBuilder = new DefaultIoFilterChainBuilder();
-
-            ( ( DefaultIoFilterChainBuilder ) udpChainBuilder ).addFirst( "codec",
-                new ProtocolCodecFilter(
+            IoFilterChainBuilder chainBuilder = new DefaultIoFilterChainBuilder();
+            
+            if ( transport instanceof TcpTransport )
+            {
+                // Now, configure the acceptor
+                // Disable the disconnection of the clients on unbind
+                acceptor.setCloseOnDeactivation( false );
+                
+                // No Nagle's algorithm
+                ((NioSocketAcceptor)acceptor).getSessionConfig().setTcpNoDelay( true );
+                
+                // Allow the port to be reused even if the socket is in TIME_WAIT state
+                ((NioSocketAcceptor)acceptor).setReuseAddress( true );
+            }
+            
+            // Inject the codec
+            ((DefaultIoFilterChainBuilder)chainBuilder).addFirst( "codec", 
+                new ProtocolCodecFilter( 
                     KerberosProtocolCodecFactory.getInstance() ) );
-
-            acceptor.setFilterChainBuilder( udpChainBuilder );
-
+            
+            acceptor.setFilterChainBuilder( chainBuilder );
+            
             // Inject the protocol handler
             acceptor.setHandler( new KerberosProtocolHandler( this, store ) );
-
+            
             // Bind to the configured address
             acceptor.bind();
         }
-        else
+        
+        LOG.info( "Kerberos service started." );
+        
+        if( changePwdServer != null )
         {
-            // Kerberos can use UDP or TCP
-            for ( Transport transport : transports )
-            {
-                IoAcceptor acceptor = transport.getAcceptor();
-
-                // Now, configure the acceptor
-                // Inject the chain
-                IoFilterChainBuilder chainBuilder = new DefaultIoFilterChainBuilder();
-
-                if ( transport instanceof TcpTransport )
-                {
-                    // Now, configure the acceptor
-                    // Disable the disconnection of the clients on unbind
-                    acceptor.setCloseOnDeactivation( false );
-
-                    // No Nagle's algorithm
-                    ( ( NioSocketAcceptor ) acceptor ).getSessionConfig().setTcpNoDelay( true );
-
-                    // Allow the port to be reused even if the socket is in TIME_WAIT state
-                    ( ( NioSocketAcceptor ) acceptor ).setReuseAddress( true );
-                }
-
-                // Inject the codec
-                ( ( DefaultIoFilterChainBuilder ) chainBuilder ).addFirst( "codec",
-                    new ProtocolCodecFilter(
-                        KerberosProtocolCodecFactory.getInstance() ) );
-
-                acceptor.setFilterChainBuilder( chainBuilder );
-
-                // Inject the protocol handler
-                acceptor.setHandler( new KerberosProtocolHandler( this, store ) );
-
-                // Bind to the configured address
-                acceptor.bind();
-            }
+            changePwdServer.start();
         }
-
-        LOG.info( "Kerberos service started." );
     }
 
 
@@ -542,27 +176,49 @@ public class KdcServer extends Directory
         }
 
         LOG.info( "Kerberos service stopped." );
+        
+        if( changePwdServer != null )
+        {
+            changePwdServer.stop();
+        }
     }
 
 
     /**
-     * Construct an HashSet containing the default encryption types
+     * gets the port number on which TCP transport is running
+     * @return the port number if TCP transport is enabled, -1 otherwise 
      */
-    private void prepareEncryptionTypes()
+    public int getTcpPort()
     {
-        String[] encryptionTypeStrings = DEFAULT_ENCRYPTION_TYPES;
-
-        encryptionTypes = new ArrayList<EncryptionType>();
-
-        for ( String enc : encryptionTypeStrings )
+        for( Transport t : transports )
         {
-            EncryptionType type = EncryptionType.getByName( enc );
-
-            if ( !EncryptionType.UNKNOWN.equals( type ) )
+            if ( t instanceof TcpTransport )
             {
-                encryptionTypes.add( type );
+                return t.getPort();
             }
         }
+        
+        return -1;
+    }
+    
+    /**
+     * @return the KDC server configuration
+     */
+    public KerberosConfig getConfig()
+    {
+        return config;
+    }
+
+
+    public ChangePasswordServer getChangePwdServer()
+    {
+        return changePwdServer;
+    }
+
+
+    public void setChangePwdServer( ChangePasswordServer changePwdServer )
+    {
+        this.changePwdServer = changePwdServer;
     }
 
 

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java Wed Feb  6 18:19:36 2013
@@ -24,6 +24,7 @@ import java.net.InetAddress;
 import java.nio.ByteBuffer;
 import java.util.Date;
 import java.util.List;
+import java.util.Set;
 
 import javax.security.auth.kerberos.KerberosKey;
 import javax.security.auth.kerberos.KerberosPrincipal;
@@ -31,8 +32,8 @@ import javax.security.auth.kerberos.Kerb
 import org.apache.directory.api.asn1.EncoderException;
 import org.apache.directory.api.util.Strings;
 import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.server.kerberos.KerberosConfig;
 import org.apache.directory.server.kerberos.kdc.KdcContext;
-import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
 import org.apache.directory.server.kerberos.sam.SamException;
 import org.apache.directory.server.kerberos.sam.SamSubsystem;
@@ -49,6 +50,8 @@ import org.apache.directory.shared.kerbe
 import org.apache.directory.shared.kerberos.codec.types.LastReqType;
 import org.apache.directory.shared.kerberos.codec.types.PaDataType;
 import org.apache.directory.shared.kerberos.components.ETypeInfo;
+import org.apache.directory.shared.kerberos.components.ETypeInfo2;
+import org.apache.directory.shared.kerberos.components.ETypeInfo2Entry;
 import org.apache.directory.shared.kerberos.components.ETypeInfoEntry;
 import org.apache.directory.shared.kerberos.components.EncKdcRepPart;
 import org.apache.directory.shared.kerberos.components.EncTicketPart;
@@ -103,7 +106,7 @@ public class AuthenticationService
         {
             monitorRequest( authContext );
         }
-
+        
         authContext.setCipherTextHandler( cipherTextHandler );
 
         if ( authContext.getRequest().getProtocolVersionNumber() != KerberosConstants.KERBEROS_V5 )
@@ -116,26 +119,21 @@ public class AuthenticationService
         verifyPolicy( authContext );
         verifySam( authContext );
         verifyEncryptedTimestamp( authContext );
-
-        if ( authContext.getClientKey() == null )
-        {
-            verifyEncryptedTimestamp( authContext );
-        }
-
+        
         getServerEntry( authContext );
         generateTicket( authContext );
         buildReply( authContext );
     }
 
-
-    private static void selectEncryptionType( AuthenticationContext authContext ) throws KerberosException,
-        InvalidTicketException
+    
+    private static void selectEncryptionType( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
-        KdcContext kdcContext = authContext;
-        KdcServer config = kdcContext.getConfig();
-
-        List<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
+        KdcContext kdcContext = ( KdcContext ) authContext;
+        KerberosConfig config = kdcContext.getConfig();
 
+        Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
+        LOG.debug( "Encryption types requested by client {}.", requestedTypes );
+        
         EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );
 
         LOG.debug( "Session will use encryption type {}.", bestType );
@@ -148,21 +146,19 @@ public class AuthenticationService
         kdcContext.setEncryptionType( bestType );
     }
 
-
-    private static void getClientEntry( AuthenticationContext authContext ) throws KerberosException,
-        InvalidTicketException
+    
+    private static void getClientEntry( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
-        KerberosPrincipal principal = KerberosUtils.getKerberosPrincipal(
+        KerberosPrincipal principal = KerberosUtils.getKerberosPrincipal( 
             authContext.getRequest().getKdcReqBody().getCName(), authContext.getRequest().getKdcReqBody().getRealm() );
         PrincipalStore store = authContext.getStore();
 
-        PrincipalStoreEntry storeEntry = getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN );
+        PrincipalStoreEntry storeEntry = KerberosUtils.getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN ); 
         authContext.setClientEntry( storeEntry );
     }
-
-
-    private static void verifyPolicy( AuthenticationContext authContext ) throws KerberosException,
-        InvalidTicketException
+    
+    
+    private static void verifyPolicy( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
         PrincipalStoreEntry entry = authContext.getClientEntry();
 
@@ -181,13 +177,13 @@ public class AuthenticationService
             throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
         }
     }
-
-
+    
+    
     private static void verifySam( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
         LOG.debug( "Verifying using SAM subsystem." );
         KdcReq request = authContext.getRequest();
-        KdcServer config = authContext.getConfig();
+        KerberosConfig config = authContext.getConfig();
 
         PrincipalStoreEntry clientEntry = authContext.getClientEntry();
         String clientName = clientEntry.getPrincipal().getName();
@@ -207,8 +203,8 @@ public class AuthenticationService
 
             if ( preAuthData == null || preAuthData.size() == 0 )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
-                    request.getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
+                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( authContext.getEncryptionType(), config
+                    .getEncryptionTypes() ) );
             }
 
             try
@@ -238,14 +234,13 @@ public class AuthenticationService
             }
         }
     }
-
-
-    private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException,
-        InvalidTicketException
+    
+    
+    private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
         LOG.debug( "Verifying using encrypted timestamp." );
-
-        KdcServer config = authContext.getConfig();
+        
+        KerberosConfig config = authContext.getConfig();
         KdcReq request = authContext.getRequest();
         CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
         PrincipalStoreEntry clientEntry = authContext.getClientEntry();
@@ -277,8 +272,7 @@ public class AuthenticationService
                 if ( preAuthData == null )
                 {
                     throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
-                        preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
-                            config.getEncryptionTypes() ) );
+                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                 }
 
                 PaEncTsEnc timestamp = null;
@@ -288,23 +282,15 @@ public class AuthenticationService
                     if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                     {
                         EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
-                        paData.getPaDataType();
-                        byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
-                            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
+                        byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue, KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
                         timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
                     }
                 }
 
-                if ( ( preAuthData.size() > 0 ) && ( timestamp == null ) )
-                {
-                    throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
-                }
-
                 if ( timestamp == null )
                 {
                     throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
-                        preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
-                            config.getEncryptionTypes() ) );
+                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                 }
 
                 if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
@@ -330,22 +316,19 @@ public class AuthenticationService
             LOG.debug( "Pre-authentication by encrypted timestamp successful for {}.", clientName );
         }
     }
-
-
-    private static void getServerEntry( AuthenticationContext authContext ) throws KerberosException,
-        InvalidTicketException
+    
+    
+    private static void getServerEntry( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
         PrincipalName principal = authContext.getRequest().getKdcReqBody().getSName();
         PrincipalStore store = authContext.getStore();
-
-        KerberosPrincipal principalWithRealm = new KerberosPrincipal( principal.getNameString() + "@"
-            + authContext.getRequest().getKdcReqBody().getRealm() );
-        authContext.setServerEntry( getEntry( principalWithRealm, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
-    }
-
-
-    private static void generateTicket( AuthenticationContext authContext ) throws KerberosException,
-        InvalidTicketException
+    
+        KerberosPrincipal principalWithRealm = new KerberosPrincipal( principal.getNameString() + "@" + authContext.getRequest().getKdcReqBody().getRealm() );
+        authContext.setServerEntry( KerberosUtils.getEntry( principalWithRealm, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
+    }    
+    
+    
+    private static void generateTicket( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
     {
         KdcReq request = authContext.getRequest();
         CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
@@ -355,9 +338,9 @@ public class AuthenticationService
         EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );
 
         PrincipalName ticketPrincipal = request.getKdcReqBody().getSName();
-
+        
         EncTicketPart encTicketPart = new EncTicketPart();
-        KdcServer config = authContext.getConfig();
+        KerberosConfig config = authContext.getConfig();
 
         // The INITIAL flag indicates that a ticket was issued using the AS protocol.
         TicketFlags ticketFlags = new TicketFlags();
@@ -400,9 +383,9 @@ public class AuthenticationService
             ticketFlags.setFlag( TicketFlag.MAY_POSTDATE );
         }
 
-        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEW )
+        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEW ) 
             || request.getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE )
-            || request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY )
+            || request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY ) 
             || request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDED )
             || request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
         {
@@ -441,7 +424,7 @@ public class AuthenticationService
          * KDC_ERR_CANNOT_POSTDATE is returned."
          */
         if ( startTime != null && startTime.greaterThan( now )
-            && !startTime.isInClockSkew( config.getAllowableClockSkew() )
+            && !startTime.isInClockSkew( config.getAllowableClockSkew() ) 
             && !request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) )
         {
             throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
@@ -465,7 +448,7 @@ public class AuthenticationService
         }
 
         long till = 0;
-
+        
         if ( request.getKdcReqBody().getTill().getTime() == 0 )
         {
             till = Long.MAX_VALUE;
@@ -494,8 +477,8 @@ public class AuthenticationService
         }
 
         long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
-
-        if ( ticketLifeTime < config.getAllowableClockSkew() )
+        
+        if ( ticketLifeTime < config.getMinimumTicketLifetime() )
         {
             throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
         }
@@ -587,6 +570,7 @@ public class AuthenticationService
         reply.setTicket( ticket );
 
         EncKdcRepPart encKdcRepPart = new EncKdcRepPart();
+        //session key
         encKdcRepPart.setKey( ticket.getEncTicketPart().getKey() );
 
         // TODO - fetch lastReq for this client; requires store
@@ -625,8 +609,9 @@ public class AuthenticationService
         EncryptedData encryptedData = cipherTextHandler.seal( clientKey, encAsRepPart,
             KeyUsage.AS_REP_ENC_PART_WITH_CKEY );
         reply.setEncPart( encryptedData );
+        //FIXME the below setter is useless, remove it
         reply.setEncKdcRepPart( encKdcRepPart );
-
+        
         authContext.setReply( reply );
     }
 
@@ -750,40 +735,8 @@ public class AuthenticationService
             }
         }
     }
-
-
-    /**
-     * Get a PrincipalStoreEntry given a principal.  The ErrorType is used to indicate
-     * whether any resulting error pertains to a server or client.
-     */
-    private static PrincipalStoreEntry getEntry( KerberosPrincipal principal, PrincipalStore store, ErrorType errorType )
-        throws KerberosException
-    {
-        PrincipalStoreEntry entry = null;
-
-        try
-        {
-            entry = store.getPrincipal( principal );
-        }
-        catch ( Exception e )
-        {
-            throw new KerberosException( errorType, e );
-        }
-
-        if ( entry == null )
-        {
-            throw new KerberosException( errorType );
-        }
-
-        if ( entry.getKeyMap() == null || entry.getKeyMap().isEmpty() )
-        {
-            throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
-        }
-
-        return entry;
-    }
-
-
+    
+    
     /**
      * Prepares a pre-authentication error message containing required
      * encryption types.
@@ -791,45 +744,56 @@ public class AuthenticationService
      * @param encryptionTypes
      * @return The error message as bytes.
      */
-    private static byte[] preparePreAuthenticationError( List<EncryptionType> clientEncryptionTypes,
-        List<EncryptionType> serverEncryptionTypes )
+    private static byte[] preparePreAuthenticationError( EncryptionType requestedType, Set<EncryptionType> encryptionTypes )
     {
-        PaData[] paDataSequence = new PaData[2];
-
-        PaData paData = new PaData();
-        paData.setPaDataType( PaDataType.PA_ENC_TIMESTAMP );
-        paData.setPaDataValue( Strings.EMPTY_BYTES );
-
-        paDataSequence[0] = paData;
-
+        boolean isNewEtype = KerberosUtils.isNewEncryptionType( requestedType );
+        
+        ETypeInfo2 eTypeInfo2 = new ETypeInfo2();
+        
         ETypeInfo eTypeInfo = new ETypeInfo();
-
-        for ( EncryptionType encryptionType : clientEncryptionTypes )
+        
+        for ( EncryptionType encryptionType : encryptionTypes )
         {
-            if ( serverEncryptionTypes.contains( encryptionType ) )
+            if ( !isNewEtype )
             {
                 ETypeInfoEntry etypeInfoEntry = new ETypeInfoEntry( encryptionType, null );
                 eTypeInfo.addETypeInfoEntry( etypeInfoEntry );
             }
+            
+            ETypeInfo2Entry etypeInfo2Entry = new ETypeInfo2Entry( encryptionType );
+            eTypeInfo2.addETypeInfo2Entry( etypeInfo2Entry );
         }
 
         byte[] encTypeInfo = null;
-
+        byte[] encTypeInfo2 = null;
         try
         {
-            ByteBuffer buffer = ByteBuffer.allocate( eTypeInfo.computeLength() );
-            encTypeInfo = eTypeInfo.encode( buffer ).array();
+            if ( !isNewEtype )
+            {
+                ByteBuffer buffer = ByteBuffer.allocate( eTypeInfo.computeLength() );
+                encTypeInfo = eTypeInfo.encode( buffer ).array();
+            }
+            
+            ByteBuffer buffer = ByteBuffer.allocate( eTypeInfo2.computeLength() );
+            encTypeInfo2 = eTypeInfo2.encode( buffer ).array();
         }
         catch ( EncoderException ioe )
         {
             return null;
         }
 
-        PaData responsePaData = new PaData( PaDataType.PA_ENCTYPE_INFO, encTypeInfo );
-
         MethodData methodData = new MethodData();
-        methodData.addPaData( responsePaData );
-
+        
+        methodData.addPaData( new PaData( PaDataType.PA_ENC_TIMESTAMP, null ) );
+        
+        if ( !isNewEtype )
+        {
+            methodData.addPaData( new PaData( PaDataType.PA_ENCTYPE_INFO, encTypeInfo ) );
+        }
+        
+        methodData.addPaData( new PaData( PaDataType.PA_ENCTYPE_INFO2, encTypeInfo2 ) );
+        
+        
         try
         {
             ByteBuffer buffer = ByteBuffer.allocate( methodData.computeLength() );
@@ -837,6 +801,7 @@ public class AuthenticationService
         }
         catch ( EncoderException ee )
         {
+            LOG.warn( "Failed to encode the etype information", ee );
             return null;
         }
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java Wed Feb  6 18:19:36 2013
@@ -25,10 +25,13 @@ import java.nio.ByteBuffer;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
+
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.directory.api.asn1.EncoderException;
 import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.server.kerberos.KerberosConfig;
 import org.apache.directory.server.kerberos.kdc.KdcContext;
 import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
@@ -46,6 +49,7 @@ import org.apache.directory.shared.kerbe
 import org.apache.directory.shared.kerberos.codec.options.ApOptions;
 import org.apache.directory.shared.kerberos.codec.options.KdcOptions;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.apache.directory.shared.kerberos.codec.types.LastReqType;
 import org.apache.directory.shared.kerberos.codec.types.PaDataType;
 import org.apache.directory.shared.kerberos.components.AuthorizationData;
 import org.apache.directory.shared.kerberos.components.Checksum;
@@ -58,6 +62,7 @@ import org.apache.directory.shared.kerbe
 import org.apache.directory.shared.kerberos.components.KdcReq;
 import org.apache.directory.shared.kerberos.components.KdcReqBody;
 import org.apache.directory.shared.kerberos.components.LastReq;
+import org.apache.directory.shared.kerberos.components.LastReqEntry;
 import org.apache.directory.shared.kerberos.components.PaData;
 import org.apache.directory.shared.kerberos.components.PrincipalName;
 import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
@@ -100,7 +105,8 @@ public class TicketGrantingService
         configureTicketGranting( tgsContext );
         selectEncryptionType( tgsContext );
         getAuthHeader( tgsContext );
-        verifyTgt( tgsContext );
+        // commenting to allow cross-realm auth
+        //verifyTgt( tgsContext );
         getTicketPrincipalEntry( tgsContext );
         verifyTgtAuthHeader( tgsContext );
         verifyBodyChecksum( tgsContext );
@@ -159,10 +165,10 @@ public class TicketGrantingService
 
     private static void selectEncryptionType( TicketGrantingContext tgsContext ) throws Exception
     {
-        KdcContext kdcContext = tgsContext;
-        KdcServer config = kdcContext.getConfig();
+        KdcContext kdcContext = (KdcContext)tgsContext;
+        KerberosConfig config = kdcContext.getConfig();
 
-        List<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
+        Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
 
         EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );
 
@@ -212,7 +218,7 @@ public class TicketGrantingService
 
     public static void verifyTgt( TicketGrantingContext tgsContext ) throws KerberosException
     {
-        KdcServer config = tgsContext.getConfig();
+        KerberosConfig config = tgsContext.getConfig();
         Ticket tgt = tgsContext.getTgt();
 
         // Check primary realm.
@@ -254,21 +260,21 @@ public class TicketGrantingService
     {
         ApReq authHeader = tgsContext.getAuthHeader();
         Ticket tgt = tgsContext.getTgt();
-
-        boolean isValidate = tgsContext.getRequest().getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE );
+        
+        KdcOptions kdcOptions = tgsContext.getRequest().getKdcReqBody().getKdcOptions();
+        boolean isValidate = kdcOptions.get( KdcOptions.VALIDATE );
 
         EncryptionType encryptionType = tgt.getEncPart().getEType();
         EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getKeyMap().get( encryptionType );
 
         long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
-        ReplayCache replayCache = tgsContext.getConfig().getReplayCache();
+        ReplayCache replayCache = tgsContext.getReplayCache();
         boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
         InetAddress clientAddress = tgsContext.getClientAddress();
         CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
 
-        Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
-            emptyAddressesAllowed, clientAddress, cipherTextHandler,
-            KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_TGS_SESS_KEY, isValidate );
+        Authenticator authenticator = KerberosUtils.verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
+            emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_TGS_SESS_KEY, isValidate );
 
         tgsContext.setAuthenticator( authenticator );
     }
@@ -281,7 +287,7 @@ public class TicketGrantingService
      */
     private static void verifyBodyChecksum( TicketGrantingContext tgsContext ) throws KerberosException
     {
-        KdcServer config = tgsContext.getConfig();
+        KerberosConfig config = tgsContext.getConfig();
 
         if ( config.isBodyChecksumVerified() )
         {
@@ -302,21 +308,24 @@ public class TicketGrantingService
             byte[] bodyBytes = buf.array();
             Checksum authenticatorChecksum = tgsContext.getAuthenticator().getCksum();
 
-            // we need the session key
-            Ticket tgt = tgsContext.getTgt();
-            EncTicketPart encTicketPart = tgt.getEncTicketPart();
-            EncryptionKey sessionKey = encTicketPart.getKey();
-
-            if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
-                || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
+            if ( authenticatorChecksum != null )
             {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+                // we need the session key
+                Ticket tgt = tgsContext.getTgt();
+                EncTicketPart encTicketPart = tgt.getEncTicketPart();
+                EncryptionKey sessionKey = encTicketPart.getKey();
+                
+                if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
+                    || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
+                {
+                    throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+                }
+                
+                LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
+                
+                checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(),
+                    KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY );
             }
-
-            LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
-
-            checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(),
-                KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY );
         }
     }
 
@@ -345,8 +354,10 @@ public class TicketGrantingService
         EncryptionType encryptionType = tgsContext.getEncryptionType();
         EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );
 
-        KdcServer config = tgsContext.getConfig();
+        KerberosConfig config = tgsContext.getConfig();
 
+        tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();
+        
         EncTicketPart newTicketPart = new EncTicketPart();
 
         newTicketPart.setClientAddresses( tgt.getEncTicketPart().getClientAddresses() );
@@ -374,6 +385,21 @@ public class TicketGrantingService
 
         if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
         {
+            Ticket[] additionalTkts = tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();
+
+            if( additionalTkts == null || additionalTkts.length == 0 )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+            
+            Ticket additionalTgt = additionalTkts[0];
+            // reject if it is not a TGT
+            if( !additionalTgt.getEncTicketPart().getFlags().isInitial() )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+            }
+            
+            serverKey = additionalTgt.getEncTicketPart().getKey();
             /*
              * if (server not specified) then
              *         server = req.second_ticket.client;
@@ -386,19 +412,16 @@ public class TicketGrantingService
              * 
              * new_tkt.enc-part := encrypt OCTET STRING using etype_for_key(second-ticket.key), second-ticket.key;
              */
-            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-        }
-        else
-        {
-            EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart,
-                KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
-
-            Ticket newTicket = new Ticket( request.getKdcReqBody().getSName(), encryptedData );
-            newTicket.setEncTicketPart( newTicketPart );
-            newTicket.setRealm( request.getKdcReqBody().getRealm() );
-
-            tgsContext.setNewTicket( newTicket );
+            //throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
         }
+        
+        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart, KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
+        
+        Ticket newTicket = new Ticket( request.getKdcReqBody().getSName(), encryptedData );
+        newTicket.setEncTicketPart( newTicketPart );
+        newTicket.setRealm( request.getKdcReqBody().getRealm() );
+        
+        tgsContext.setNewTicket( newTicket );
     }
 
 
@@ -419,7 +442,11 @@ public class TicketGrantingService
         encKdcRepPart.setKey( newTicket.getEncTicketPart().getKey() );
         encKdcRepPart.setNonce( request.getKdcReqBody().getNonce() );
         // TODO - resp.last-req := fetch_last_request_info(client); requires store
-        encKdcRepPart.setLastReq( new LastReq() );
+        // FIXME temporary fix, IMO we should create some new ATs to store this info in DIT
+        LastReq lastReq = new LastReq();
+        lastReq.addEntry( new LastReqEntry( LastReqType.TIME_OF_INITIAL_REQ, new KerberosTime() ) );
+        encKdcRepPart.setLastReq( lastReq );
+
         encKdcRepPart.setFlags( newTicket.getEncTicketPart().getFlags() );
         encKdcRepPart.setClientAddresses( newTicket.getEncTicketPart().getClientAddresses() );
         encKdcRepPart.setAuthTime( newTicket.getEncTicketPart().getAuthTime() );
@@ -470,7 +497,15 @@ public class TicketGrantingService
         {
             Ticket tgt = tgsContext.getTgt();
             long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
-            ChecksumType checksumType = tgsContext.getAuthenticator().getCksum().getChecksumType();
+            
+            Checksum cksum = tgsContext.getAuthenticator().getCksum();
+            
+            ChecksumType checksumType = null;
+            if ( cksum != null )
+            {
+                checksumType = cksum.getChecksumType();
+            }
+            
             InetAddress clientAddress = tgsContext.getClientAddress();
             HostAddresses clientAddresses = tgt.getEncTicketPart().getClientAddresses();
 
@@ -553,8 +588,8 @@ public class TicketGrantingService
         }
     }
 
-
-    private static void processFlags( KdcServer config, KdcReq request, Ticket tgt,
+    
+    private static void processFlags( KerberosConfig config, KdcReq request, Ticket tgt,
         EncTicketPart newTicketPart ) throws KerberosException
     {
         if ( tgt.getEncTicketPart().getFlags().isPreAuth() )
@@ -749,7 +784,7 @@ public class TicketGrantingService
     }
 
 
-    private static void processTimes( KdcServer config, KdcReq request, EncTicketPart newTicketPart,
+    private static void processTimes( KerberosConfig config, KdcReq request, EncTicketPart newTicketPart,
         Ticket tgt ) throws KerberosException
     {
         KerberosTime now = new KerberosTime();
@@ -1001,142 +1036,4 @@ public class TicketGrantingService
         return entry;
     }
 
-
-    /**
-     * Verifies an AuthHeader using guidelines from RFC 1510 section A.10., "KRB_AP_REQ verification."
-     *
-     * @param authHeader
-     * @param ticket
-     * @param serverKey
-     * @param clockSkew
-     * @param replayCache
-     * @param emptyAddressesAllowed
-     * @param clientAddress
-     * @param lockBox
-     * @param authenticatorKeyUsage
-     * @param isValidate
-     * @return The authenticator.
-     * @throws KerberosException
-     */
-    public static Authenticator verifyAuthHeader( ApReq authHeader, Ticket ticket, EncryptionKey serverKey,
-        long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
-        CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate ) throws KerberosException
-    {
-        if ( authHeader.getProtocolVersionNumber() != KerberosConstants.KERBEROS_V5 )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
-        }
-
-        if ( authHeader.getMessageType() != KerberosMessageType.AP_REQ )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
-        }
-
-        if ( authHeader.getTicket().getTktVno() != KerberosConstants.KERBEROS_V5 )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
-        }
-
-        EncryptionKey ticketKey = null;
-
-        if ( authHeader.getOption( ApOptions.USE_SESSION_KEY ) )
-        {
-            ticketKey = authHeader.getTicket().getEncTicketPart().getKey();
-        }
-        else
-        {
-            ticketKey = serverKey;
-        }
-
-        if ( ticketKey == null )
-        {
-            // TODO - check server key version number, skvno; requires store
-            //            if ( false )
-            //            {
-            //                throw new KerberosException( ErrorType.KRB_AP_ERR_BADKEYVER );
-            //            }
-
-            throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
-        }
-
-        byte[] encTicketPartData = lockBox.decrypt( ticketKey, ticket.getEncPart(),
-            KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
-        EncTicketPart encPart = KerberosDecoder.decodeEncTicketPart( encTicketPartData );
-        ticket.setEncTicketPart( encPart );
-
-        byte[] authenticatorData = lockBox.decrypt( ticket.getEncTicketPart().getKey(), authHeader.getAuthenticator(),
-            authenticatorKeyUsage );
-
-        Authenticator authenticator = KerberosDecoder.decodeAuthenticator( authenticatorData );
-
-        if ( !authenticator.getCName().getNameString().equals( ticket.getEncTicketPart().getCName().getNameString() ) )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
-        }
-
-        if ( ticket.getEncTicketPart().getClientAddresses() != null )
-        {
-            if ( !ticket.getEncTicketPart().getClientAddresses().contains( new HostAddress( clientAddress ) ) )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
-            }
-        }
-        else
-        {
-            if ( !emptyAddressesAllowed )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
-            }
-        }
-
-        KerberosPrincipal serverPrincipal = KerberosUtils.getKerberosPrincipal( ticket.getSName(), ticket.getRealm() );
-        KerberosPrincipal clientPrincipal = KerberosUtils.getKerberosPrincipal( authenticator.getCName(),
-            authenticator.getCRealm() );
-        KerberosTime clientTime = authenticator.getCtime();
-        int clientMicroSeconds = authenticator.getCusec();
-
-        if ( replayCache != null )
-        {
-            if ( replayCache.isReplay( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds ) )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
-            }
-
-            replayCache.save( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds );
-        }
-
-        if ( !authenticator.getCtime().isInClockSkew( clockSkew ) )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
-        }
-
-        /*
-         * "The server computes the age of the ticket: local (server) time minus
-         * the starttime inside the Ticket.  If the starttime is later than the
-         * current time by more than the allowable clock skew, or if the INVALID
-         * flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned."
-         */
-        KerberosTime startTime = ( ticket.getEncTicketPart().getStartTime() != null ) ? ticket.getEncTicketPart()
-            .getStartTime() : ticket.getEncTicketPart().getAuthTime();
-
-        KerberosTime now = new KerberosTime();
-        boolean isValidStartTime = startTime.lessThan( now );
-
-        if ( !isValidStartTime || ( ticket.getEncTicketPart().getFlags().isInvalid() && !isValidate ) )
-        {
-            // it hasn't yet become valid
-            throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
-        }
-
-        // TODO - doesn't take into account skew
-        if ( !ticket.getEncTicketPart().getEndTime().greaterThan( now ) )
-        {
-            throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
-        }
-
-        authHeader.getApOptions().set( ApOptions.MUTUAL_REQUIRED );
-
-        return authenticator;
-    }
-
 }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java Wed Feb  6 18:19:36 2013
@@ -26,6 +26,7 @@ import java.net.InetSocketAddress;
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.server.kerberos.KerberosConfig;
 import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService;
@@ -57,8 +58,8 @@ public class KerberosProtocolHandler imp
     /** The logger for this class */
     private static final Logger log = LoggerFactory.getLogger( KerberosProtocolHandler.class );
 
-    /** The KDC server instance */
-    private KdcServer config;
+    /** The KDC server */
+    private KdcServer kdcServer;
 
     /** The principal Name store */
     private PrincipalStore store;
@@ -69,12 +70,12 @@ public class KerberosProtocolHandler imp
     /**
      * Creates a new instance of KerberosProtocolHandler.
      *
-     * @param config
+     * @param kdcServer
      * @param store
      */
-    public KerberosProtocolHandler( KdcServer config, PrincipalStore store )
+    public KerberosProtocolHandler( KdcServer kdcServer, PrincipalStore store )
     {
-        this.config = config;
+        this.kdcServer = kdcServer;
         this.store = store;
     }
 
@@ -135,7 +136,7 @@ public class KerberosProtocolHandler imp
         {
             log.error( I18n.err( I18n.ERR_152, ErrorType.KRB_AP_ERR_BADDIRECTION ) );
 
-            session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
+            session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
                 ErrorType.KRB_AP_ERR_BADDIRECTION ) ) );
             return;
         }
@@ -150,7 +151,7 @@ public class KerberosProtocolHandler imp
             {
                 case AS_REQ:
                     AuthenticationContext authContext = new AuthenticationContext();
-                    authContext.setConfig( config );
+                    authContext.setConfig( kdcServer.getConfig() );
                     authContext.setStore( store );
                     authContext.setClientAddress( clientAddress );
                     authContext.setRequest( request );
@@ -163,7 +164,8 @@ public class KerberosProtocolHandler imp
 
                 case TGS_REQ:
                     TicketGrantingContext tgsContext = new TicketGrantingContext();
-                    tgsContext.setConfig( config );
+                    tgsContext.setConfig( kdcServer.getConfig() );
+                    tgsContext.setReplayCache( kdcServer.getReplayCache() );
                     tgsContext.setStore( store );
                     tgsContext.setClientAddress( clientAddress );
                     tgsContext.setRequest( request );
@@ -195,7 +197,7 @@ public class KerberosProtocolHandler imp
                 log.warn( messageText );
             }
 
-            KrbError error = getErrorMessage( config.getServicePrincipal(), ke );
+            KrbError error = getErrorMessage( kdcServer.getConfig().getServicePrincipal(), ke );
 
             if ( log.isDebugEnabled() )
             {
@@ -208,7 +210,7 @@ public class KerberosProtocolHandler imp
         {
             log.error( I18n.err( I18n.ERR_152, e.getLocalizedMessage() ), e );
 
-            session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
+            session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
                 ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
         }
     }

Added: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java?rev=1443107&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java Wed Feb  6 18:19:36 2013
@@ -0,0 +1,66 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.protocol.codec;
+
+
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.codec.ProtocolCodecFactory;
+import org.apache.mina.filter.codec.ProtocolDecoder;
+import org.apache.mina.filter.codec.ProtocolEncoder;
+
+
+/**
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class KerberosProtocolCodecFactory implements ProtocolCodecFactory
+{
+    private static final KerberosProtocolCodecFactory INSTANCE = new KerberosProtocolCodecFactory();
+
+
+    /**
+     * Returns the singleton {@link KerberosProtocolCodecFactory}.
+     *
+     * @return The singleton {@link KerberosProtocolCodecFactory}.
+     */
+    public static KerberosProtocolCodecFactory getInstance()
+    {
+        return INSTANCE;
+    }
+
+
+    private KerberosProtocolCodecFactory()
+    {
+        // Private constructor prevents instantiation outside this class.
+    }
+
+
+    public ProtocolEncoder getEncoder( IoSession session )
+    {
+        // Create a new encoder.
+        return new MinaKerberosEncoder();
+    }
+
+
+    public ProtocolDecoder getDecoder( IoSession session )
+    {
+        // Create a new decoder.
+        return new MinaKerberosDecoder();
+    }
+}

Added: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java?rev=1443107&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java Wed Feb  6 18:19:36 2013
@@ -0,0 +1,48 @@
+
+package org.apache.directory.server.kerberos.protocol.codec;
+
+import java.nio.ByteBuffer;
+
+import org.apache.directory.api.asn1.ber.Asn1Decoder;
+import org.apache.directory.shared.kerberos.codec.KerberosMessageContainer;
+import org.apache.mina.core.buffer.IoBuffer;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.codec.ProtocolDecoderAdapter;
+import org.apache.mina.filter.codec.ProtocolDecoderOutput;
+
+public class MinaKerberosDecoder extends ProtocolDecoderAdapter
+{
+    /** the key used while storing message container in the session */
+    private static final String KERBEROS_MESSAGE_CONTAINER = "kerberosMessageContainer";
+
+    /** The ASN 1 decoder instance */
+    private Asn1Decoder asn1Decoder = new Asn1Decoder();
+
+    @Override
+    public void decode( IoSession session, IoBuffer in, ProtocolDecoderOutput out ) throws Exception
+    {
+        ByteBuffer buf = in.buf();
+        
+        KerberosMessageContainer kerberosMessageContainer = ( KerberosMessageContainer ) session.getAttribute( KERBEROS_MESSAGE_CONTAINER );
+        
+        if ( kerberosMessageContainer == null )
+        {
+            kerberosMessageContainer = new KerberosMessageContainer();
+            session.setAttribute( KERBEROS_MESSAGE_CONTAINER, kerberosMessageContainer );
+            kerberosMessageContainer.setStream( buf );
+            kerberosMessageContainer.setGathering( true );
+            kerberosMessageContainer.setTCP( !session.getTransportMetadata().isConnectionless() );
+        }
+
+        try
+        {
+            Object obj = KerberosDecoder.decode( kerberosMessageContainer, asn1Decoder );
+            out.write( obj );
+        }
+        finally
+        {
+            session.removeAttribute( KERBEROS_MESSAGE_CONTAINER );
+        }
+    }
+
+}

Added: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java?rev=1443107&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java Wed Feb  6 18:19:36 2013
@@ -0,0 +1,27 @@
+
+package org.apache.directory.server.kerberos.protocol.codec;
+
+import java.nio.ByteBuffer;
+
+import org.apache.directory.api.asn1.AbstractAsn1Object;
+import org.apache.mina.core.buffer.IoBuffer;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.codec.ProtocolEncoderAdapter;
+import org.apache.mina.filter.codec.ProtocolEncoderOutput;
+
+public class MinaKerberosEncoder extends ProtocolEncoderAdapter
+{
+
+    @Override
+    public void encode( IoSession session, Object message, ProtocolEncoderOutput out ) throws Exception
+    {
+        AbstractAsn1Object asn1Obj = ( AbstractAsn1Object ) message;
+        boolean isTcp = !session.getTransportMetadata().isConnectionless();
+
+        ByteBuffer encodedByteBuf = KerberosEncoder.encode( asn1Obj, isTcp );
+        IoBuffer buf = IoBuffer.allocate( encodedByteBuf.remaining() );
+        buf.put( encodedByteBuf.array() );
+        buf.flip();
+        out.write( buf );
+    }
+}

Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java Wed Feb  6 18:19:36 2013
@@ -59,26 +59,25 @@ public abstract class AbstractAuthentica
     protected static final SecureRandom random = new SecureRandom();
 
 
-    protected PaData[] getPreAuthEncryptedTimeStamp( KerberosPrincipal clientPrincipal, String passPhrase, List<EncryptionType> encryptionTypes )
+    protected PaData[] getPreAuthEncryptedTimeStamp( KerberosPrincipal clientPrincipal, String passPhrase )
         throws Exception
     {
         KerberosTime timeStamp = new KerberosTime();
 
-        return getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, timeStamp, encryptionTypes );
+        return getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, timeStamp );
     }
 
 
     protected PaData[] getPreAuthEncryptedTimeStamp( KerberosPrincipal clientPrincipal,
-        String passPhrase, KerberosTime timeStamp, List<EncryptionType> encryptionTypes ) throws Exception
+        String passPhrase, KerberosTime timeStamp ) throws Exception
     {
         PaData[] paData = new PaData[1];
 
         PaEncTsEnc encryptedTimeStamp = new PaEncTsEnc( timeStamp, 0 );
 
-        EncryptionKey clientKey = getEncryptionKey( clientPrincipal, passPhrase, encryptionTypes );
+        EncryptionKey clientKey = getEncryptionKey( clientPrincipal, passPhrase );
 
-        EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp,
-            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
+        EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp, KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
 
         ByteBuffer buffer = ByteBuffer.allocate( encryptedData.computeLength() );
         byte[] encodedEncryptedData = encryptedData.encode( buffer ).array();
@@ -110,13 +109,11 @@ public abstract class AbstractAuthentica
      * @param passPhrase
      * @return The server's {@link EncryptionKey}.
      */
-    protected EncryptionKey getEncryptionKey( KerberosPrincipal principal, String passPhrase, List<EncryptionType> encryptionTypes )
+    protected EncryptionKey getEncryptionKey( KerberosPrincipal principal, String passPhrase )
     {
-        EncryptionType encryptionType = encryptionTypes.get( 0 );
-        
         KerberosKey kerberosKey = new KerberosKey( principal, passPhrase.toCharArray(), "AES128" );
         byte[] keyBytes = kerberosKey.getEncoded();
-        EncryptionKey key = new EncryptionKey( encryptionType, keyBytes );
+        EncryptionKey key = new EncryptionKey( EncryptionType.AES128_CTS_HMAC_SHA1_96, keyBytes );
 
         return key;
     }

Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java Wed Feb  6 18:19:36 2013
@@ -123,7 +123,7 @@ public abstract class AbstractTicketGran
         ticketFlags.setFlag( TicketFlag.RENEWABLE );
         encTicketPart.setFlags( ticketFlags );
 
-        EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+        EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
 
         encTicketPart.setKey( sessionKey );
         encTicketPart.setCName( new PrincipalName( clientPrincipal ) );
@@ -161,7 +161,7 @@ public abstract class AbstractTicketGran
         ticketFlags.setFlag( TicketFlag.RENEWABLE );
         encTicketPart.setFlags( ticketFlags );
 
-        EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+        EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
 
         encTicketPart.setKey( sessionKey );
         encTicketPart.setCName( new PrincipalName( clientPrincipal ) );

Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java Wed Feb  6 18:19:36 2013
@@ -24,14 +24,13 @@ import static org.junit.Assert.assertEqu
 import static org.junit.Assert.assertTrue;
 
 import java.nio.ByteBuffer;
-import java.util.ArrayList;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 
+import org.apache.directory.server.kerberos.KerberosConfig;
 import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
@@ -64,7 +63,8 @@ import org.junit.Test;
  */
 public class AuthenticationEncryptionTypeTest extends AbstractAuthenticationServiceTest
 {
-    private KdcServer config;
+    private KerberosConfig config;
+    private KdcServer kdcServer;
     private PrincipalStore store;
     private KerberosProtocolHandler handler;
     private KrbDummySession session;
@@ -76,9 +76,10 @@ public class AuthenticationEncryptionTyp
     @Before
     public void setUp()
     {
-        config = new KdcServer();
+        kdcServer = new KdcServer();
+        config = kdcServer.getConfig();
         store = new MapPrincipalStoreImpl();
-        handler = new KerberosProtocolHandler( config, store );
+        handler = new KerberosProtocolHandler( kdcServer, store );
         session = new KrbDummySession();
         lockBox = new CipherTextHandler();
     }
@@ -90,7 +91,7 @@ public class AuthenticationEncryptionTyp
     @After
     public void shutDown()
     {
-        config.stop();
+        kdcServer.stop();
     }
 
 
@@ -100,7 +101,7 @@ public class AuthenticationEncryptionTyp
      * @throws Exception
      */
     @Test
-    @Ignore("AbstractAuthenticationServiceTest.getEncryptionKey() always uses AES128_CTS_HMAC_SHA1_96")
+    @Ignore( "uses DES but the encryption key is generated in AbstractAuthenticationServiceTest always uses AES" )
     public void testRequestDesCbcMd5() throws Exception
     {
         KdcReqBody kdcReqBody = new KdcReqBody();
@@ -108,7 +109,7 @@ public class AuthenticationEncryptionTyp
         kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
         kdcReqBody.setRealm( "EXAMPLE.COM" );
 
-        List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
+        Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
         encryptionTypes.add( EncryptionType.DES_CBC_MD5 );
 
         kdcReqBody.setEType( encryptionTypes );
@@ -121,7 +122,7 @@ public class AuthenticationEncryptionTyp
 
         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
         String passPhrase = "secret";
-        PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, config.getEncryptionTypes() );
+        PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase );
 
         KdcReq message = new AsReq();
         message.setKdcReqBody( kdcReqBody );
@@ -158,7 +159,7 @@ public class AuthenticationEncryptionTyp
         kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
         kdcReqBody.setRealm( "EXAMPLE.COM" );
 
-        List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
+        Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
         encryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
 
         kdcReqBody.setEType( encryptionTypes );
@@ -218,7 +219,7 @@ public class AuthenticationEncryptionTyp
         kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
         kdcReqBody.setRealm( "EXAMPLE.COM" );
 
-        List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
+        Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
         encryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
 
         kdcReqBody.setEType( encryptionTypes );
@@ -278,8 +279,8 @@ public class AuthenticationEncryptionTyp
         kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
         kdcReqBody.setRealm( "EXAMPLE.COM" );
 
-        List<EncryptionType> requestedEncryptionTypes = new ArrayList<EncryptionType>();
-        requestedEncryptionTypes.add( EncryptionType.RC4_MD4 );
+        Set<EncryptionType> requestedEncryptionTypes = new HashSet<EncryptionType>();
+        requestedEncryptionTypes.add( EncryptionType.RC4_HMAC );
 
         kdcReqBody.setEType( requestedEncryptionTypes );
         kdcReqBody.setNonce( random.nextInt() );
@@ -291,7 +292,7 @@ public class AuthenticationEncryptionTyp
 
         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
         String passPhrase = "secret";
-        PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, config.getEncryptionTypes() );
+        PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase );
 
         KdcReq message = new AsReq();
         message.setKdcReqBody( kdcReqBody );
@@ -317,8 +318,7 @@ public class AuthenticationEncryptionTyp
 
         PaEncTsEnc encryptedTimeStamp = new PaEncTsEnc( timeStamp, 0 );
 
-        EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp,
-            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
+        EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp, KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
 
         ByteBuffer buffer = ByteBuffer.allocate( encryptedData.computeLength() );
         byte[] encodedEncryptedData = encryptedData.encode( buffer ).array();

Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java Wed Feb  6 18:19:36 2013
@@ -22,6 +22,7 @@ package org.apache.directory.server.kerb
 
 import static org.junit.Assert.assertEquals;
 
+import org.apache.directory.server.kerberos.KerberosConfig;
 import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.directory.shared.kerberos.KerberosTime;
@@ -43,7 +44,8 @@ import org.junit.Test;
  */
 public class AuthenticationPolicyTest extends AbstractAuthenticationServiceTest
 {
-    private KdcServer config;
+    private KerberosConfig config;
+    private KdcServer kdcServer;
     private PrincipalStore store;
     private KerberosProtocolHandler handler;
     private KrbDummySession session;
@@ -55,9 +57,10 @@ public class AuthenticationPolicyTest ex
     @Before
     public void setUp()
     {
-        config = new KdcServer();
+        kdcServer = new KdcServer();
+        config = kdcServer.getConfig();
         store = new MapPrincipalStoreImpl();
-        handler = new KerberosProtocolHandler( config, store );
+        handler = new KerberosProtocolHandler( kdcServer, store );
         session = new KrbDummySession();
     }
 
@@ -68,7 +71,7 @@ public class AuthenticationPolicyTest ex
     @After
     public void shutDown()
     {
-        config.stop();
+        kdcServer.stop();
     }
 
 



Mime
View raw message