From dran...@apache.org
Subject [30/50] [abbrv] directory-kerberos git commit: Renaming packages in haox-kdc projects, using "apache"
Date Mon, 12 Jan 2015 13:06:38 GMT
Renaming packages in haox-kdc projects, using "apache"


Project: http://git-wip-us.apache.org/repos/asf/directory-kerberos/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerberos/commit/44fca291
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerberos/tree/44fca291
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerberos/diff/44fca291

Branch: refs/heads/master
Commit: 44fca2915e107f20e0bdf279f7759f01ef9c85cf
Parents: 967d7e1
Author: Drankye <drankye@gmail.com>
Authored: Thu Dec 25 17:24:27 2014 +0800
Committer: Drankye <drankye@gmail.com>
Committed: Thu Dec 25 17:24:27 2014 +0800

----------------------------------------------------------------------
 contrib/haox-pkix/pom.xml                       |  25 +++++
 .../src/main/java/org/haox/pki/Pkix.java        |  68 ++++++++++++
 contrib/haox-pkix/src/main/resources/cacert.pem |  23 ++++
 contrib/haox-pkix/src/main/resources/cakey.pem  |  27 +++++
 .../haox-pkix/src/main/resources/extensions.kdc |  20 ++++
 .../haox-pkix/src/main/resources/kdccert.pem    |  26 +++++
 contrib/haox-pkix/src/main/resources/kdckey.pem |  27 +++++
 .../haox-pkix/src/main/resources/usercert.pem   |  26 +++++
 .../haox-pkix/src/main/resources/userkey.pem    |  27 +++++
 .../src/test/java/org/haox/pki/PkixTest.java    |  41 ++++++++
 contrib/haox-token/pom.xml                      |  31 ++++++
 .../java/org/haox/token/AuthzDataEntry.java     |  33 ++++++
 .../src/main/java/org/haox/token/KerbToken.java |  28 +++++
 .../main/java/org/haox/token/TokenCache.java    |  63 +++++++++++
 .../java/org/haox/token/TokenExtractor.java     |  82 +++++++++++++++
 .../src/main/java/org/haox/token/TokenTool.java | 105 +++++++++++++++++++
 contrib/pom.xml                                 |   2 +
 .../kerberos/kdc/server/ApacheKdcServer.java    |  22 ++++
 .../java/org/haox/kdc/server/HaoxKdcServer.java |  22 ----
 .../org/apache/kerberos/kdc/server/KdcTest.java |  52 +++++++++
 .../test/java/org/haox/kdc/server/KdcTest.java  |  51 ---------
 .../kdc-server/src/test/resources/kdc-krb5.conf |  25 -----
 .../kdc-server/src/test/resources/kdc.ldiff     |  30 ------
 .../identitybackend/LdapIdentityBackend.java    |  58 ++++++++++
 .../identitybackend/LdapIdentityBackend.java    |  58 ----------
 .../src/test/resources/kdc-krb5.conf            |  25 -----
 .../src/test/resources/kdc.ldiff                |  30 ------
 .../java/org/apache/kerberos/tool/Kinit.java    |  23 ++++
 .../src/main/java/org/haox/kdc/tool/Kinit.java  |  23 ----
 haox-kdc/tools/src/main/resources/kdc-krb5.conf |  25 -----
 haox-kdc/tools/src/main/resources/kdc.ldiff     |  30 ------
 haox-pkix/pom.xml                               |  25 -----
 haox-pkix/src/main/java/org/haox/pki/Pkix.java  |  68 ------------
 haox-pkix/src/main/resources/cacert.pem         |  23 ----
 haox-pkix/src/main/resources/cakey.pem          |  27 -----
 haox-pkix/src/main/resources/extensions.kdc     |  20 ----
 haox-pkix/src/main/resources/kdccert.pem        |  26 -----
 haox-pkix/src/main/resources/kdckey.pem         |  27 -----
 haox-pkix/src/main/resources/usercert.pem       |  26 -----
 haox-pkix/src/main/resources/userkey.pem        |  27 -----
 .../src/test/java/org/haox/pki/PkixTest.java    |  41 --------
 haox-token/pom.xml                              |  31 ------
 .../java/org/haox/token/AuthzDataEntry.java     |  33 ------
 .../src/main/java/org/haox/token/KerbToken.java |  28 -----
 .../main/java/org/haox/token/TokenCache.java    |  63 -----------
 .../java/org/haox/token/TokenExtractor.java     |  82 ---------------
 .../src/main/java/org/haox/token/TokenTool.java | 105 -------------------
 pom.xml                                         |   2 -
 48 files changed, 809 insertions(+), 973 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/pom.xml
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/pom.xml b/contrib/haox-pkix/pom.xml
new file mode 100644
index 0000000..15ba6ee
--- /dev/null
+++ b/contrib/haox-pkix/pom.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.haox</groupId>
+        <artifactId>haox-contrib</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>haox-pkix</artifactId>
+
+    <name>Haox PKIX</name>
+    <description>Haox PKIX utilities</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.haox</groupId>
+            <artifactId>not-yet-commons-ssl</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/java/org/haox/pki/Pkix.java
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/java/org/haox/pki/Pkix.java b/contrib/haox-pkix/src/main/java/org/haox/pki/Pkix.java
new file mode 100644
index 0000000..147b7a2
--- /dev/null
+++ b/contrib/haox-pkix/src/main/java/org/haox/pki/Pkix.java
@@ -0,0 +1,68 @@
+package org.haox.pki;
+
+import org.apache.commons.ssl.PKCS8Key;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public class Pkix {
+
+    public static List<Certificate> getCerts(String certFile) throws IOException, CertificateException {
+        InputStream is = new FileInputStream(new File(certFile));
+        return getCerts(is);
+    }
+
+    public static List<Certificate> getCerts(InputStream inputStream) throws IOException, CertificateException {
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+        Collection<? extends Certificate> certs =
+                (Collection<? extends Certificate>) certFactory.generateCertificates(inputStream);
+
+        return new ArrayList<Certificate>(certs);
+    }
+
+    public static PrivateKey getPrivateKey(String keyFile, String password) throws IOException, GeneralSecurityException {
+        InputStream in = new FileInputStream("/path/to/pkcs8_private_key.der");
+        return getPrivateKey(in, password);
+    }
+
+    public static PrivateKey getPrivateKey(InputStream inputStream, String password) throws GeneralSecurityException, IOException {
+        if (password == null) password = "";
+        // If the provided InputStream is encrypted, we need a password to decrypt
+        // it. If the InputStream is not encrypted, then the password is ignored
+        // (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
+        PKCS8Key pkcs8 = new PKCS8Key(inputStream, password.toCharArray());
+
+        // If an unencrypted PKCS8 key was provided, then this actually returns
+        // exactly what was originally passed inputStream (with no changes).  If an OpenSSL
+        // key was provided, it gets reformatted as PKCS #8 first, and so these
+        // bytes will still be PKCS #8, not OpenSSL.
+        byte[] decrypted = pkcs8.getDecryptedBytes();
+        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decrypted);
+
+        // A Java PrivateKey object is born.
+        PrivateKey pk = null;
+        if (pkcs8.isDSA()) {
+            pk = KeyFactory.getInstance("DSA").generatePrivate(spec);
+        }
+        else if (pkcs8.isRSA()) {
+            pk = KeyFactory.getInstance("RSA").generatePrivate(spec);
+        }
+
+        // For lazier types:
+        pk = pkcs8.getPrivateKey();
+
+        return pk;
+    }
+}
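Review bot: `getPrivateKey(String keyFile, String password)` never reads `keyFile`: it opens the hard-coded placeholder `/path/to/pkcs8_private_key.der`, so a caller either gets an `IOException` or loads a key from a path it did not choose; the line should be `InputStream in = new FileInputStream(keyFile);`. Both file-based overloads also leave the `FileInputStream` open, so close it in a `finally` block once the delegate call returns. In the stream overload the `KeyFactory` result is discarded because `pk = pkcs8.getPrivateKey();` overwrites it unconditionally, so the DSA/RSA branch can be deleted. A Javadoc line stating that a null password is treated as the empty string would document the `password == null` guard.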

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/cacert.pem
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/cacert.pem b/contrib/haox-pkix/src/main/resources/cacert.pem
new file mode 100644
index 0000000..6b91561
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/cacert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/cakey.pem
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/cakey.pem b/contrib/haox-pkix/src/main/resources/cakey.pem
new file mode 100644
index 0000000..66dc806
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/cakey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
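Review bot: `cakey.pem` puts a CA private key under `src/main/resources`, which Maven packages into the haox-pkix artifact, so the key that signs for `cacert.pem` ships to everyone who receives the jar; the same applies to `kdckey.pem` and `userkey.pem` later in this commit. The only consumer visible here is `PkixTest`, so these fixtures belong in `src/test/resources`, or better, should be generated during the test run. `kdckey.pem` and `userkey.pem` also carry the same blob id `c9e75e2` (and `kdccert.pem`/`usercert.pem` share `67e538c`), so the KDC and user fixtures are one key pair; separate keys would keep the two roles distinguishable in tests. Any deployment that ever used these keys outside tests should treat them as disclosed and replace them.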

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/extensions.kdc
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/extensions.kdc b/contrib/haox-pkix/src/main/resources/extensions.kdc
new file mode 100644
index 0000000..e0d1578
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/extensions.kdc
@@ -0,0 +1,20 @@
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/kdccert.pem
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/kdccert.pem b/contrib/haox-pkix/src/main/resources/kdccert.pem
new file mode 100644
index 0000000..67e538c
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/kdccert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
+VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
+DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
+YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
+MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
+c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
+A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
+a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
+fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
+quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
+nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
+EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
+JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
+Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
+HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
+ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
+AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
+YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
+txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
+R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
+FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
+5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/kdckey.pem
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/kdckey.pem b/contrib/haox-pkix/src/main/resources/kdckey.pem
new file mode 100644
index 0000000..c9e75e2
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/kdckey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/usercert.pem
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/usercert.pem b/contrib/haox-pkix/src/main/resources/usercert.pem
new file mode 100644
index 0000000..67e538c
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/usercert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/main/resources/userkey.pem
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/main/resources/userkey.pem b/contrib/haox-pkix/src/main/resources/userkey.pem
new file mode 100644
index 0000000..c9e75e2
--- /dev/null
+++ b/contrib/haox-pkix/src/main/resources/userkey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
+8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
+2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
+GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
+fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
+DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
+QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
+6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
+bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
+5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
+8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
+XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
+kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
+Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
+P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
+KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
+qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
+7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
+UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
+n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
+5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
+AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
+KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
+9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
+7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
+-----END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-pkix/src/test/java/org/haox/pki/PkixTest.java
----------------------------------------------------------------------
diff --git a/contrib/haox-pkix/src/test/java/org/haox/pki/PkixTest.java b/contrib/haox-pkix/src/test/java/org/haox/pki/PkixTest.java
new file mode 100644
index 0000000..3c4bff5
--- /dev/null
+++ b/contrib/haox-pkix/src/test/java/org/haox/pki/PkixTest.java
@@ -0,0 +1,41 @@
+package org.haox.pki;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.util.List;
+
+/**
+ openssl genrsa -out cakey.pem 2048
+ openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
+ vi extensions.kdc
+ openssl genrsa -out kdckey.pem 2048
+ openssl req -new -out kdc.req -key kdckey.pem
+ env REALM=SH.INTEL.COM openssl x509 -req -in kdc.req -CAkey cakey.pem \
+ -CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
+ */
+public class PkixTest {
+
+    @Test
+    public void loadCert() throws CertificateException, IOException {
+        InputStream res = getClass().getResourceAsStream("/usercert.pem");
+        List<Certificate> certs = Pkix.getCerts(res);
+        Certificate userCert = certs.iterator().next();
+
+        Assert.assertNotNull(userCert);
+    }
+
+    @Test
+    public void loadKey() throws GeneralSecurityException, IOException {
+        InputStream res = getClass().getResourceAsStream("/userkey.pem");
+        PrivateKey key = Pkix.getPrivateKey(res, null);
+
+        Assert.assertNotNull(key);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-token/pom.xml
----------------------------------------------------------------------
diff --git a/contrib/haox-token/pom.xml b/contrib/haox-token/pom.xml
new file mode 100644
index 0000000..35559ba
--- /dev/null
+++ b/contrib/haox-token/pom.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.haox</groupId>
+        <artifactId>haox-contrib</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>haox-token</artifactId>
+    <name>Haox-token Project</name>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>pom</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>3.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.haox</groupId>
+            <artifactId>haox-asn1</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file
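Review bot: `<packaging>pom</packaging>` is declared for a module that this commit fills with Java sources under `src/main/java/org/haox/token`; the `pom` lifecycle does not bind the compiler plugin by default, so those classes would not be compiled or packaged. Dropping the element (the default is `jar`) makes the module build the same way as `haox-pkix`. The sources import `org.apache.haox.asn1.type.*` while the dependency is `org.haox:haox-asn1`, which is worth checking once the module actually compiles. The explicit `<version>1.0-SNAPSHOT</version>` repeats the parent's version and can be removed.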

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java
----------------------------------------------------------------------
diff --git a/contrib/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java b/contrib/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java
new file mode 100644
index 0000000..46421e4
--- /dev/null
+++ b/contrib/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java
@@ -0,0 +1,33 @@
+package org.haox.token;
+
+import org.apache.haox.asn1.type.Asn1FieldInfo;
+import org.apache.haox.asn1.type.Asn1Integer;
+import org.apache.haox.asn1.type.Asn1OctetString;
+import org.apache.haox.asn1.type.Asn1SequenceType;
+
+/**
+ AuthorizationData       ::= SEQUENCE OF SEQUENCE {
+     ad-type         [0] Int32,
+     ad-data         [1] OCTET STRING
+ }
+ */
+public class AuthzDataEntry extends Asn1SequenceType {
+    static int AD_TYPE = 0;
+    static int AD_DATA = 1;
+
+    public AuthzDataEntry() {
+        super(new Asn1FieldInfo[] {
+                new Asn1FieldInfo(AD_TYPE, Asn1Integer.class),
+                new Asn1FieldInfo(AD_DATA, Asn1OctetString.class)
+        });
+    }
+
+    public int getAuthzType() {
+        Integer value = getFieldAsInteger(AD_TYPE);
+        return value;
+    }
+
+    public byte[] getAuthzData() {
+        return getFieldAsOctets(AD_DATA);
+    }
+}
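Review bot: `getAuthzType()` unboxes the `Integer` returned by `getFieldAsInteger(AD_TYPE)` straight into `int`; if that helper can return null for an entry decoded without an ad-type (its contract is not visible in this hunk), the caller gets a `NullPointerException` while parsing peer-supplied authorization data. Either document that the field is always present after decoding, or guard it with `if (value == null) throw new IllegalStateException("ad-type missing");`. `AD_TYPE` and `AD_DATA` are field indexes and should be `private static final int`.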

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-token/src/main/java/org/haox/token/KerbToken.java
----------------------------------------------------------------------
diff --git a/contrib/haox-token/src/main/java/org/haox/token/KerbToken.java b/contrib/haox-token/src/main/java/org/haox/token/KerbToken.java
new file mode 100644
index 0000000..8c68ac0
--- /dev/null
+++ b/contrib/haox-token/src/main/java/org/haox/token/KerbToken.java
@@ -0,0 +1,28 @@
+package org.haox.token;
+
+import java.util.Map;
+
+public class KerbToken {
+
+  private Map<String, Object> attributes;
+
+  public KerbToken(Map<String, Object> attributes) {
+    this.attributes = attributes;
+  }
+
+  public Map<String, Object> getAttributes() {
+    return attributes;
+  }
+
+  public String getPrincipal() {
+    return (String) attributes.get("sub");
+  }
+
+  public String[] getGroups() {
+    String grp = (String) attributes.get("group");
+    if (grp != null) {
+      return new String[] { grp };
+    }
+    return new String[0];
+  }
+}
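Review bot: `getPrincipal()` and `getGroups()` cast claim values with `(String)`, but the map is filled from parsed token claims (`TokenTool.decodeAndExtractTokenAttributes`), so a token whose `sub` or `group` is a number or an array raises `ClassCastException` at the call site instead of being rejected as malformed. Check the type first, for example `Object grp = attributes.get("group"); if (grp instanceof String) { ... }`, and state in a class comment which claims are expected and of what type. The constructor keeps the caller's map and `getAttributes()` hands the same instance back, so a token can be altered after it was built; `this.attributes = Collections.unmodifiableMap(new HashMap<String, Object>(attributes));` would prevent that.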

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-token/src/main/java/org/haox/token/TokenCache.java
----------------------------------------------------------------------
diff --git a/contrib/haox-token/src/main/java/org/haox/token/TokenCache.java b/contrib/haox-token/src/main/java/org/haox/token/TokenCache.java
new file mode 100644
index 0000000..0811319
--- /dev/null
+++ b/contrib/haox-token/src/main/java/org/haox/token/TokenCache.java
@@ -0,0 +1,63 @@
+package org.haox.token;
+
+import java.io.*;
+
+public class TokenCache {
+    private static final String DEFAULT_TOKEN_CACHE_PATH = ".tokenauth";
+    private static final String TOKEN_CACHE_FILE = ".tokenauth.token";
+
+    public static String readToken(String tokenCacheFile) {
+        File cacheFile = null;
+
+        if (tokenCacheFile != null && ! tokenCacheFile.isEmpty()) {
+            cacheFile = new File(tokenCacheFile);
+            if (!cacheFile.exists()) {
+                throw new RuntimeException("Invalid token cache specified: " + tokenCacheFile);
+            };
+        } else {
+            cacheFile = getDefaultTokenCache();
+            if (!cacheFile.exists()) {
+                throw new RuntimeException("No token cache available by default");
+            };
+        }
+
+        String token = null;
+        try {
+            BufferedReader reader = new BufferedReader(new FileReader(cacheFile));
+            String line = reader.readLine();
+            reader.close();
+            if (line != null) {
+                token = line;
+            }
+        } catch (IOException ex) {
+            //NOP
+        }
+
+        return token;
+    }
+
+    public static void writeToken(String token) {
+        File cacheFile = getDefaultTokenCache();
+
+        try {
+            Writer writer = new FileWriter(cacheFile);
+            writer.write(token.toString());
+            writer.close();
+            // sets read-write permissions to owner only
+            cacheFile.setReadable(false, false);
+            cacheFile.setReadable(true, true);
+            cacheFile.setWritable(true, true);
+        }
+        catch (IOException ioe) {
+            // if case of any error we just delete the cache, if user-only
+            // write permissions are not properly set a security exception
+            // is thrown and the file will be deleted.
+            cacheFile.delete();
+        }
+    }
+
+    public static File getDefaultTokenCache() {
+        String homeDir = System.getProperty("user.home", DEFAULT_TOKEN_CACHE_PATH);
+        return new File(homeDir, TOKEN_CACHE_FILE);
+    }
+}
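Review bot: `writeToken` writes the token with `new FileWriter(cacheFile)` and only afterwards narrows the permissions, so the file holds the token while it still has the process's default mode, the results of `setReadable`/`setWritable` are never checked, and write access for other users is never cleared. Create the file and restrict it before writing, and treat a failed permission call as an error, as sketched below (on a file system without a read-permission bit `setReadable(false, false)` returns false, so that platform needs its own branch). The catch comment mentions a security exception, but only `IOException` is caught. `readToken` has a related gap: the empty `catch (IOException ex)` turns an unreadable cache into a null return, and the reader stays open if `readLine()` throws.

```java
    public static void writeToken(String token) {
        File cacheFile = getDefaultTokenCache();

        try {
            // Restrict the file to its owner before any token bytes reach it.
            cacheFile.createNewFile(); // returns false when the cache already exists
            boolean ownerOnly = cacheFile.setReadable(false, false)
                    && cacheFile.setWritable(false, false)
                    && cacheFile.setReadable(true, true)
                    && cacheFile.setWritable(true, true);
            if (!ownerOnly) {
                throw new IOException("Cannot restrict permissions on " + cacheFile);
            }

            Writer writer = new FileWriter(cacheFile);
            try {
                writer.write(token);
            } finally {
                writer.close();
            }
        }
        // … unchanged: catch (IOException ioe) deletes the cache file …
    }
```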

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-token/src/main/java/org/haox/token/TokenExtractor.java
----------------------------------------------------------------------
diff --git a/contrib/haox-token/src/main/java/org/haox/token/TokenExtractor.java b/contrib/haox-token/src/main/java/org/haox/token/TokenExtractor.java
new file mode 100644
index 0000000..4e7e951
--- /dev/null
+++ b/contrib/haox-token/src/main/java/org/haox/token/TokenExtractor.java
@@ -0,0 +1,82 @@
+package org.haox.token;
+
+import com.sun.security.jgss.AuthorizationDataEntry;
+import com.sun.security.jgss.ExtendedGSSContext;
+import com.sun.security.jgss.InquireType;
+import org.apache.haox.asn1.type.Asn1SequenceOf;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+
+import java.io.IOException;
+import java.util.List;
+
+public class TokenExtractor {
+    static final int JWT_AUTHZ_DATA_TYPE = 81;
+    public static final int AD_IF_RELEVANT_TYPE = 1;
+
+    /**
+     AuthorizationData       ::= SEQUENCE OF SEQUENCE {
+         ad-type         [0] Int32,
+         ad-data         [1] OCTET STRING
+     }
+     */
+    public static class AuthorizationData extends Asn1SequenceOf<AuthzDataEntry> {
+
+    }
+
+    public static KerbToken checkAuthzData(GSSContext context) throws GSSException, IOException {
+        System.out.println("Looking for token from authorization data in GSSContext");
+
+        Object authzData = null;
+        if (context instanceof ExtendedGSSContext) {
+            ExtendedGSSContext ex = (ExtendedGSSContext)context;
+            authzData = ex.inquireSecContext(
+                    InquireType.KRB5_GET_AUTHZ_DATA);
+        }
+
+        if (authzData != null) {
+            AuthorizationDataEntry[] authzEntries = (AuthorizationDataEntry[]) authzData;
+            KerbToken resultToken = null;
+            for (int i = 0; i < authzEntries.length; ++i) {
+                resultToken = getAuthzToken(authzEntries[i]);
+                if (resultToken != null) {
+                    return resultToken;
+                }
+            }
+        }
+        return null;
+    }
+
+    public static KerbToken getAuthzToken(AuthorizationDataEntry authzDataEntry) throws IOException {
+        if (authzDataEntry.getType() == AD_IF_RELEVANT_TYPE) {
+            String token = getToken(authzDataEntry);
+            if (token == null) {
+                return null;
+            }
+
+            try {
+                return TokenTool.fromJwtToken(token);
+            } catch (Exception e) {
+                // noop when not jwt token
+            }
+        }
+
+        return null;
+    }
+
+    public static String getToken(AuthorizationDataEntry authzDataEntry) throws IOException {
+        List<AuthzDataEntry> entries = decode(authzDataEntry);
+        for (AuthzDataEntry entry : entries) {
+            if (entry.getAuthzType() == JWT_AUTHZ_DATA_TYPE) {
+                return new String(entry.getAuthzData());
+            }
+        }
+        return null;
+    }
+
+    public static List<AuthzDataEntry> decode(AuthorizationDataEntry authzDataEntry) throws IOException {
+        AuthorizationData authzData = new AuthorizationData();
+        authzData.decode(authzDataEntry.getData());
+        return authzData.getElements();
+    }
+}
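Review bot: `getAuthzToken` catches `Exception` with an empty body, so a malformed token, a parser bug and any other runtime failure all look the same as "no token present" and leave no trace; catch `ParseException` (what `TokenTool.fromJwtToken` declares) and log the rejection. `getToken` decodes with `new String(entry.getAuthzData())`, which uses the platform default charset; use `new String(entry.getAuthzData(), "UTF-8")`, which fits the existing `throws IOException`. `checkAuthzData` reports through `System.out.println` and casts the `inquireSecContext` result to `AuthorizationDataEntry[]` without an `instanceof` check. A Javadoc comment on `checkAuthzData` should say that it returns the first entry that parses as a token, or null when none does.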

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/haox-token/src/main/java/org/haox/token/TokenTool.java
----------------------------------------------------------------------
diff --git a/contrib/haox-token/src/main/java/org/haox/token/TokenTool.java b/contrib/haox-token/src/main/java/org/haox/token/TokenTool.java
new file mode 100644
index 0000000..24aa314
--- /dev/null
+++ b/contrib/haox-token/src/main/java/org/haox/token/TokenTool.java
@@ -0,0 +1,105 @@
+package org.haox.token;
+
+import com.nimbusds.jose.PlainHeader;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+
+import java.text.ParseException;
+import java.util.*;
+
+public class TokenTool {
+
+    public static JWT issueToken(String principal, String group, String role) {
+        // must have for kerb-token
+        String krbPrincipal = principal + "@SH.INTEL.COM";
+
+        PlainHeader header = new PlainHeader();
+        //header.setCustomParameter("krbPrincipal", krbPrincipal);
+
+        JWTClaimsSet jwtClaims = new JWTClaimsSet();
+
+        String iss = "token-service";
+        jwtClaims.setIssuer(iss);
+
+        String sub = principal;
+        jwtClaims.setSubject(sub);
+
+        // must have for kerb-token
+        jwtClaims.setSubject(krbPrincipal);
+
+        jwtClaims.setClaim("group", group);
+        if (role != null) {
+            jwtClaims.setClaim("role", role);
+        }
+
+        List<String> aud = new ArrayList<String>();
+        aud.add("krb5kdc-with-token-extension");
+        jwtClaims.setAudience(aud);
+
+        // Set expiration in 60 minutes
+        final Date NOW =  new Date(new Date().getTime() / 1000 * 1000);
+        Date exp = new Date(NOW.getTime() + 1000 * 60 * 60);
+        jwtClaims.setExpirationTime(exp);
+
+        Date nbf = NOW;
+        jwtClaims.setNotBeforeTime(nbf);
+
+        Date iat = NOW;
+        jwtClaims.setIssueTime(iat);
+
+        String jti = UUID.randomUUID().toString();
+        jwtClaims.setJWTID(jti);
+
+        PlainJWT jwt = new PlainJWT(header, jwtClaims);
+        return jwt;
+    }
+
+    public static JWT decodeToken(String token) throws ParseException {
+        PlainJWT jwt = PlainJWT.parse(token);
+
+        return jwt;
+    }
+
+    public static KerbToken fromJwtToken(String token) throws ParseException {
+        Map<String, Object> attrs = decodeAndExtractTokenAttributes(token);
+        return new KerbToken(attrs);
+    }
+
+    public static Map<String, Object> decodeAndExtractTokenAttributes(String token) throws ParseException {
+        PlainJWT jwt = PlainJWT.parse(token);
+
+        Map<String, Object> attrs = new HashMap<String, Object>();
+        attrs.putAll(jwt.getJWTClaimsSet().getAllClaims());
+        //attrs.putAll(jwt.getHeader().getCustomParameters());
+
+        return attrs;
+    }
+
+    public static void main(String[] args) throws ParseException {
+        String principal, group, role = null;
+
+        if (args.length != 2 && args.length != 3) {
+            System.out.println("This is a simple token issuing tool just for kerb-token PoC usage\n");
+            System.out.println("tokeninit <username> <group> [role]\n");
+            System.exit(1);
+        }
+        principal = args[0];
+        group = args[1];
+        if (args.length > 2) {
+            role = args[2];
+        }
+
+        JWT jwt = issueToken(principal, group, role);
+        String token = jwt.serialize();
+
+        TokenCache.writeToken(token);
+        System.out.println("Issued token: " + token);
+
+        /*
+        JWT jwt2 = decodeToken(token);
+        String krbPrincipal = (String) jwt2.getHeader().getCustomParameter("krbPrincipal");
+        System.out.println("Decoded token with krbprincipal: " + krbPrincipal);
+        */
+    }
+}
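Review bot: `decodeAndExtractTokenAttributes` parses its input with `PlainJWT.parse`, i.e. an unsecured JWT with no signature, and copies every claim into the attribute map without checking `exp`, `nbf`, `aud` or `iss`; since `TokenExtractor.getAuthzToken` builds a `KerbToken` from this, the principal and group are whatever the token text says. The usage text calls this a PoC tool, so at minimum the class Javadoc should state that tokens are unauthenticated and must not drive authorization, and the parse path should move to a signed form (`SignedJWT` with a verifier) plus expiry and audience checks before it leaves PoC use. In `issueToken` the first `jwtClaims.setSubject(sub)` is dead because `setSubject(krbPrincipal)` follows, and the realm `@SH.INTEL.COM` is hard-coded; take the realm as a parameter or configuration value. `main` prints the serialized token to stdout, which leaves a bearer credential in terminal scrollback and captured logs.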

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/contrib/pom.xml
----------------------------------------------------------------------
diff --git a/contrib/pom.xml b/contrib/pom.xml
index 7cf9e13..b9b3815 100644
--- a/contrib/pom.xml
+++ b/contrib/pom.xml
@@ -17,6 +17,8 @@
         <module>haox-config</module>
         <module>haox-event</module>
         <module>haox-asn1</module>
+        <module>haox-pkix</module>
+        <module>haox-token</module>
     </modules>
 
     <dependencies>

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/kdc-server/src/main/java/org/apache/kerberos/kdc/server/ApacheKdcServer.java
----------------------------------------------------------------------
diff --git a/haox-kdc/kdc-server/src/main/java/org/apache/kerberos/kdc/server/ApacheKdcServer.java b/haox-kdc/kdc-server/src/main/java/org/apache/kerberos/kdc/server/ApacheKdcServer.java
new file mode 100644
index 0000000..3ee272f
--- /dev/null
+++ b/haox-kdc/kdc-server/src/main/java/org/apache/kerberos/kdc/server/ApacheKdcServer.java
@@ -0,0 +1,22 @@
+package org.apache.kerberos.kdc.server;
+
+import org.apache.kerberos.kdc.identitybackend.LdapIdentityBackend;
+import org.apache.kerberos.kerb.identity.IdentityService;
+import org.apache.kerberos.kerb.server.KdcServer;
+
+public class ApacheKdcServer extends KdcServer {
+
+    public ApacheKdcServer() {
+        super();
+    }
+
+    public void init() {
+        super.init();
+        initIdentityService();
+    }
+
+    protected void initIdentityService() {
+        IdentityService identityService = new LdapIdentityBackend();
+        setIdentityService(identityService);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/kdc-server/src/main/java/org/haox/kdc/server/HaoxKdcServer.java
----------------------------------------------------------------------
diff --git a/haox-kdc/kdc-server/src/main/java/org/haox/kdc/server/HaoxKdcServer.java b/haox-kdc/kdc-server/src/main/java/org/haox/kdc/server/HaoxKdcServer.java
deleted file mode 100644
index 68b7d83..0000000
--- a/haox-kdc/kdc-server/src/main/java/org/haox/kdc/server/HaoxKdcServer.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package org.haox.kdc.server;
-
-import org.haox.kdc.identitybackend.LdapIdentityBackend;
-import org.apache.kerberos.kerb.identity.IdentityService;
-import org.apache.kerberos.kerb.server.KdcServer;
-
-public class HaoxKdcServer extends KdcServer {
-
-    public HaoxKdcServer() {
-        super();
-    }
-
-    public void init() {
-        super.init();
-        initIdentityService();
-    }
-
-    protected void initIdentityService() {
-        IdentityService identityService = new LdapIdentityBackend();
-        setIdentityService(identityService);
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/kdc-server/src/test/java/org/apache/kerberos/kdc/server/KdcTest.java
----------------------------------------------------------------------
diff --git a/haox-kdc/kdc-server/src/test/java/org/apache/kerberos/kdc/server/KdcTest.java b/haox-kdc/kdc-server/src/test/java/org/apache/kerberos/kdc/server/KdcTest.java
new file mode 100644
index 0000000..0596cf5
--- /dev/null
+++ b/haox-kdc/kdc-server/src/test/java/org/apache/kerberos/kdc/server/KdcTest.java
@@ -0,0 +1,52 @@
+package org.apache.kerberos.kdc.server;
+
+import org.apache.kerberos.kdc.server.ApacheKdcServer;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+import java.nio.ByteBuffer;
+import java.nio.channels.SocketChannel;
+
+public class KdcTest {
+
+    private String serverHost = "localhost";
+    private short serverPort = 8088;
+
+    private ApacheKdcServer kdcServer;
+
+    @Before
+    public void setUp() throws Exception {
+        kdcServer = new ApacheKdcServer();
+        kdcServer.setKdcHost(serverHost);
+        kdcServer.setKdcPort(serverPort);
+        kdcServer.init();
+        kdcServer.start();
+    }
+
+    @Test
+    public void testKdc() throws IOException, InterruptedException {
+        Thread.sleep(10);
+
+        SocketChannel socketChannel = SocketChannel.open();
+        socketChannel.configureBlocking(true);
+        SocketAddress sa = new InetSocketAddress(serverHost, serverPort);
+        socketChannel.connect(sa);
+
+        String BAD_KRB_MESSAGE = "Hello World!";
+        ByteBuffer writeBuffer = ByteBuffer.allocate(4 + BAD_KRB_MESSAGE.getBytes().length);
+        writeBuffer.putInt(BAD_KRB_MESSAGE.getBytes().length);
+        writeBuffer.put(BAD_KRB_MESSAGE.getBytes());
+        writeBuffer.flip();
+
+        socketChannel.write(writeBuffer);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        kdcServer.stop();
+    }
+}
\ No newline at end of file
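Review bot: `testKdc` sends a deliberately malformed message but asserts nothing about how the KDC reacts, so it passes whenever the write itself does not throw, and the `SocketChannel` it opens is never closed. Wrapping the channel as `try (SocketChannel socketChannel = SocketChannel.open()) { ... }` (if the build targets Java 7 or later) releases it, and the test should then check the observable outcome, for example that the server still accepts a second connection after the bad input. `BAD_KRB_MESSAGE.getBytes()` is called three times with the platform default charset; computing `byte[] payload = BAD_KRB_MESSAGE.getBytes(StandardCharsets.UTF_8);` once keeps the length prefix and the body consistent on every platform. `Thread.sleep(10)` is a race against server start-up, and the added import of `ApacheKdcServer` is redundant because the test lives in the same package.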

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/kdc-server/src/test/java/org/haox/kdc/server/KdcTest.java
----------------------------------------------------------------------
diff --git a/haox-kdc/kdc-server/src/test/java/org/haox/kdc/server/KdcTest.java b/haox-kdc/kdc-server/src/test/java/org/haox/kdc/server/KdcTest.java
deleted file mode 100644
index ec87ab3..0000000
--- a/haox-kdc/kdc-server/src/test/java/org/haox/kdc/server/KdcTest.java
+++ /dev/null
@@ -1,51 +0,0 @@
-package org.haox.kdc.server;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.net.SocketAddress;
-import java.nio.ByteBuffer;
-import java.nio.channels.SocketChannel;
-
-public class KdcTest {
-
-    private String serverHost = "localhost";
-    private short serverPort = 8088;
-
-    private HaoxKdcServer kdcServer;
-
-    @Before
-    public void setUp() throws Exception {
-        kdcServer = new HaoxKdcServer();
-        kdcServer.setKdcHost(serverHost);
-        kdcServer.setKdcPort(serverPort);
-        kdcServer.init();
-        kdcServer.start();
-    }
-
-    @Test
-    public void testKdc() throws IOException, InterruptedException {
-        Thread.sleep(10);
-
-        SocketChannel socketChannel = SocketChannel.open();
-        socketChannel.configureBlocking(true);
-        SocketAddress sa = new InetSocketAddress(serverHost, serverPort);
-        socketChannel.connect(sa);
-
-        String BAD_KRB_MESSAGE = "Hello World!";
-        ByteBuffer writeBuffer = ByteBuffer.allocate(4 + BAD_KRB_MESSAGE.getBytes().length);
-        writeBuffer.putInt(BAD_KRB_MESSAGE.getBytes().length);
-        writeBuffer.put(BAD_KRB_MESSAGE.getBytes());
-        writeBuffer.flip();
-
-        socketChannel.write(writeBuffer);
-    }
-
-    @After
-    public void tearDown() throws Exception {
-        kdcServer.stop();
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/kdc-server/src/test/resources/kdc-krb5.conf
----------------------------------------------------------------------
diff --git a/haox-kdc/kdc-server/src/test/resources/kdc-krb5.conf b/haox-kdc/kdc-server/src/test/resources/kdc-krb5.conf
deleted file mode 100644
index d118dd1..0000000
--- a/haox-kdc/kdc-server/src/test/resources/kdc-krb5.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-[libdefaults]
-    default_realm = {0}
-    udp_preference_limit = 1
-
-[realms]
-    {0} = '{'
-        kdc = {1}:{2}
-    '}'
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/kdc-server/src/test/resources/kdc.ldiff
----------------------------------------------------------------------
diff --git a/haox-kdc/kdc-server/src/test/resources/kdc.ldiff b/haox-kdc/kdc-server/src/test/resources/kdc.ldiff
deleted file mode 100644
index e344131..0000000
--- a/haox-kdc/kdc-server/src/test/resources/kdc.ldiff
+++ /dev/null
@@ -1,30 +0,0 @@
-dn: ou=users,dc=${0},dc=${1}
-objectClass: organizationalUnit
-objectClass: top
-ou: users
-
-dn: uid=krbtgt,ou=users,dc=${0},dc=${1}
-objectClass: top
-objectClass: person
-objectClass: inetOrgPerson
-objectClass: krb5principal
-objectClass: krb5kdcentry
-cn: KDC Service
-sn: Service
-uid: krbtgt
-userPassword: secret
-krb5PrincipalName: krbtgt/${2}.${3}@${2}.${3}
-krb5KeyVersionNumber: 0
-
-dn: uid=ldap,ou=users,dc=${0},dc=${1}
-objectClass: top
-objectClass: person
-objectClass: inetOrgPerson
-objectClass: krb5principal
-objectClass: krb5kdcentry
-cn: LDAP
-sn: Service
-uid: ldap
-userPassword: secret
-krb5PrincipalName: ldap/${4}@${2}.${3}
-krb5KeyVersionNumber: 0
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/ldap-identity-backend/src/main/java/org/apache/kerberos/kdc/identitybackend/LdapIdentityBackend.java
----------------------------------------------------------------------
diff --git a/haox-kdc/ldap-identity-backend/src/main/java/org/apache/kerberos/kdc/identitybackend/LdapIdentityBackend.java b/haox-kdc/ldap-identity-backend/src/main/java/org/apache/kerberos/kdc/identitybackend/LdapIdentityBackend.java
new file mode 100644
index 0000000..8f26e28
--- /dev/null
+++ b/haox-kdc/ldap-identity-backend/src/main/java/org/apache/kerberos/kdc/identitybackend/LdapIdentityBackend.java
@@ -0,0 +1,58 @@
+package org.apache.kerberos.kdc.identitybackend;
+
+import org.apache.kerberos.kerb.identity.KrbIdentity;
+import org.apache.kerberos.kerb.identity.backend.AbstractIdentityBackend;
+
+import java.util.List;
+
+public class LdapIdentityBackend extends AbstractIdentityBackend {
+
+
+    public LdapIdentityBackend() {
+        super();
+    }
+
+    /**
+     * Load identities from file
+     */
+    public void load() {
+        // todo
+    }
+
+    /**
+     * Persist the updated identities back
+     */
+    public void save() {
+        // todo
+    }
+
+    @Override
+    public List<KrbIdentity> getIdentities() {
+        return null;
+    }
+
+    @Override
+    public boolean checkIdentity(String name) {
+        return false;
+    }
+
+    @Override
+    public KrbIdentity getIdentity(String name) {
+        return null;
+    }
+
+    @Override
+    public void addIdentity(KrbIdentity identity) {
+
+    }
+
+    @Override
+    public void updateIdentity(KrbIdentity identity) {
+
+    }
+
+    @Override
+    public void deleteIdentity(KrbIdentity identity) {
+
+    }
+}
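Review bot: `getIdentities()` and `getIdentity(String)` return `null` and `checkIdentity` always returns `false`, while `ApacheKdcServer.initIdentityService()` in this same commit installs this class as the KDC's identity service, so a server built from it knows no principals and any caller that dereferences the result would fail with a `NullPointerException`. Until the LDAP lookup exists, returning `Collections.emptyList()` from `getIdentities()` and throwing `UnsupportedOperationException("LDAP identity backend not implemented")` from `addIdentity`, `updateIdentity` and `deleteIdentity` would make the stub state explicit instead of silently discarding writes. The Javadoc on `load()` reads "Load identities from file", which looks carried over from a file-based backend and should describe the LDAP source, or say that the method is not implemented yet.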

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/ldap-identity-backend/src/main/java/org/haox/kdc/identitybackend/LdapIdentityBackend.java
----------------------------------------------------------------------
diff --git a/haox-kdc/ldap-identity-backend/src/main/java/org/haox/kdc/identitybackend/LdapIdentityBackend.java b/haox-kdc/ldap-identity-backend/src/main/java/org/haox/kdc/identitybackend/LdapIdentityBackend.java
deleted file mode 100644
index e99e001..0000000
--- a/haox-kdc/ldap-identity-backend/src/main/java/org/haox/kdc/identitybackend/LdapIdentityBackend.java
+++ /dev/null
@@ -1,58 +0,0 @@
-package org.haox.kdc.identitybackend;
-
-import org.apache.kerberos.kerb.identity.KrbIdentity;
-import org.apache.kerberos.kerb.identity.backend.AbstractIdentityBackend;
-
-import java.util.List;
-
-public class LdapIdentityBackend extends AbstractIdentityBackend {
-
-
-    public LdapIdentityBackend() {
-        super();
-    }
-
-    /**
-     * Load identities from file
-     */
-    public void load() {
-        // todo
-    }
-
-    /**
-     * Persist the updated identities back
-     */
-    public void save() {
-        // todo
-    }
-
-    @Override
-    public List<KrbIdentity> getIdentities() {
-        return null;
-    }
-
-    @Override
-    public boolean checkIdentity(String name) {
-        return false;
-    }
-
-    @Override
-    public KrbIdentity getIdentity(String name) {
-        return null;
-    }
-
-    @Override
-    public void addIdentity(KrbIdentity identity) {
-
-    }
-
-    @Override
-    public void updateIdentity(KrbIdentity identity) {
-
-    }
-
-    @Override
-    public void deleteIdentity(KrbIdentity identity) {
-
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/ldap-identity-backend/src/test/resources/kdc-krb5.conf
----------------------------------------------------------------------
diff --git a/haox-kdc/ldap-identity-backend/src/test/resources/kdc-krb5.conf b/haox-kdc/ldap-identity-backend/src/test/resources/kdc-krb5.conf
deleted file mode 100644
index d118dd1..0000000
--- a/haox-kdc/ldap-identity-backend/src/test/resources/kdc-krb5.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-[libdefaults]
-    default_realm = {0}
-    udp_preference_limit = 1
-
-[realms]
-    {0} = '{'
-        kdc = {1}:{2}
-    '}'
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/ldap-identity-backend/src/test/resources/kdc.ldiff
----------------------------------------------------------------------
diff --git a/haox-kdc/ldap-identity-backend/src/test/resources/kdc.ldiff b/haox-kdc/ldap-identity-backend/src/test/resources/kdc.ldiff
deleted file mode 100644
index e344131..0000000
--- a/haox-kdc/ldap-identity-backend/src/test/resources/kdc.ldiff
+++ /dev/null
@@ -1,30 +0,0 @@
-dn: ou=users,dc=${0},dc=${1}
-objectClass: organizationalUnit
-objectClass: top
-ou: users
-
-dn: uid=krbtgt,ou=users,dc=${0},dc=${1}
-objectClass: top
-objectClass: person
-objectClass: inetOrgPerson
-objectClass: krb5principal
-objectClass: krb5kdcentry
-cn: KDC Service
-sn: Service
-uid: krbtgt
-userPassword: secret
-krb5PrincipalName: krbtgt/${2}.${3}@${2}.${3}
-krb5KeyVersionNumber: 0
-
-dn: uid=ldap,ou=users,dc=${0},dc=${1}
-objectClass: top
-objectClass: person
-objectClass: inetOrgPerson
-objectClass: krb5principal
-objectClass: krb5kdcentry
-cn: LDAP
-sn: Service
-uid: ldap
-userPassword: secret
-krb5PrincipalName: ldap/${4}@${2}.${3}
-krb5KeyVersionNumber: 0
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/tools/src/main/java/org/apache/kerberos/tool/Kinit.java
----------------------------------------------------------------------
diff --git a/haox-kdc/tools/src/main/java/org/apache/kerberos/tool/Kinit.java b/haox-kdc/tools/src/main/java/org/apache/kerberos/tool/Kinit.java
new file mode 100644
index 0000000..a2ac435
--- /dev/null
+++ b/haox-kdc/tools/src/main/java/org/apache/kerberos/tool/Kinit.java
@@ -0,0 +1,23 @@
+package org.apache.kerberos.tool;
+
+import org.apache.kerberos.kerb.client.KrbClient;
+
+/**
+ * kinit like tool
+ */
+public class Kinit {
+
+    public static void main(String[] args) throws Exception {
+        if (args.length < 2 || args.length > 3) {
+            System.err.println(
+                    "Usage: " + Kinit.class.getSimpleName() +
+                            " <kdcHost> <kdcPort>");
+            return;
+        }
+
+        final String host = args[0];
+        final Integer port = Integer.parseInt(args[1]);
+        KrbClient krbClnt = new KrbClient(host, port.shortValue());
+    }
+
+}
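Review bot: `port.shortValue()` in `main` narrows the parsed port to a signed 16-bit value, so any port above 32767 wraps to a negative number without an error and the client is configured with a port the operator did not type. The `KrbClient` constructor is not visible here; if it has to keep taking a `short`, reject out-of-range input before the call, e.g. `if (port < 1 || port > Short.MAX_VALUE) { System.err.println("Port out of range: " + port); return; }`. The argument check also accepts three arguments while the usage string documents two, and a non-numeric port escapes as an uncaught `NumberFormatException`; `args.length != 2` plus a caught parse error would match the usage text. `krbClnt` is constructed and never used, so the tool currently performs no request.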

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/tools/src/main/java/org/haox/kdc/tool/Kinit.java
----------------------------------------------------------------------
diff --git a/haox-kdc/tools/src/main/java/org/haox/kdc/tool/Kinit.java b/haox-kdc/tools/src/main/java/org/haox/kdc/tool/Kinit.java
deleted file mode 100644
index 3aae9c8..0000000
--- a/haox-kdc/tools/src/main/java/org/haox/kdc/tool/Kinit.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package org.haox.kdc.tool;
-
-import org.apache.kerberos.kerb.client.KrbClient;
-
-/**
- * kinit like tool
- */
-public class Kinit {
-
-    public static void main(String[] args) throws Exception {
-        if (args.length < 2 || args.length > 3) {
-            System.err.println(
-                    "Usage: " + Kinit.class.getSimpleName() +
-                            " <kdcHost> <kdcPort>");
-            return;
-        }
-
-        final String host = args[0];
-        final Integer port = Integer.parseInt(args[1]);
-        KrbClient krbClnt = new KrbClient(host, port.shortValue());
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/tools/src/main/resources/kdc-krb5.conf
----------------------------------------------------------------------
diff --git a/haox-kdc/tools/src/main/resources/kdc-krb5.conf b/haox-kdc/tools/src/main/resources/kdc-krb5.conf
deleted file mode 100644
index d118dd1..0000000
--- a/haox-kdc/tools/src/main/resources/kdc-krb5.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-[libdefaults]
-    default_realm = {0}
-    udp_preference_limit = 1
-
-[realms]
-    {0} = '{'
-        kdc = {1}:{2}
-    '}'
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-kdc/tools/src/main/resources/kdc.ldiff
----------------------------------------------------------------------
diff --git a/haox-kdc/tools/src/main/resources/kdc.ldiff b/haox-kdc/tools/src/main/resources/kdc.ldiff
deleted file mode 100644
index e344131..0000000
--- a/haox-kdc/tools/src/main/resources/kdc.ldiff
+++ /dev/null
@@ -1,30 +0,0 @@
-dn: ou=users,dc=${0},dc=${1}
-objectClass: organizationalUnit
-objectClass: top
-ou: users
-
-dn: uid=krbtgt,ou=users,dc=${0},dc=${1}
-objectClass: top
-objectClass: person
-objectClass: inetOrgPerson
-objectClass: krb5principal
-objectClass: krb5kdcentry
-cn: KDC Service
-sn: Service
-uid: krbtgt
-userPassword: secret
-krb5PrincipalName: krbtgt/${2}.${3}@${2}.${3}
-krb5KeyVersionNumber: 0
-
-dn: uid=ldap,ou=users,dc=${0},dc=${1}
-objectClass: top
-objectClass: person
-objectClass: inetOrgPerson
-objectClass: krb5principal
-objectClass: krb5kdcentry
-cn: LDAP
-sn: Service
-uid: ldap
-userPassword: secret
-krb5PrincipalName: ldap/${4}@${2}.${3}
-krb5KeyVersionNumber: 0
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/pom.xml
----------------------------------------------------------------------
diff --git a/haox-pkix/pom.xml b/haox-pkix/pom.xml
deleted file mode 100644
index 6ff9b5d..0000000
--- a/haox-pkix/pom.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>org.haox</groupId>
-        <artifactId>haox-all</artifactId>
-        <version>1.0-SNAPSHOT</version>
-    </parent>
-
-    <artifactId>haox-pkix</artifactId>
-
-    <name>Haox PKIX</name>
-    <description>Haox PKIX utilities</description>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.haox</groupId>
-            <artifactId>not-yet-commons-ssl</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-    </dependencies>
-
-</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/java/org/haox/pki/Pkix.java
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/java/org/haox/pki/Pkix.java b/haox-pkix/src/main/java/org/haox/pki/Pkix.java
deleted file mode 100644
index 147b7a2..0000000
--- a/haox-pkix/src/main/java/org/haox/pki/Pkix.java
+++ /dev/null
@@ -1,68 +0,0 @@
-package org.haox.pki;
-
-import org.apache.commons.ssl.PKCS8Key;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
-public class Pkix {
-
-    public static List<Certificate> getCerts(String certFile) throws IOException, CertificateException {
-        InputStream is = new FileInputStream(new File(certFile));
-        return getCerts(is);
-    }
-
-    public static List<Certificate> getCerts(InputStream inputStream) throws IOException, CertificateException {
-        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-        Collection<? extends Certificate> certs =
-                (Collection<? extends Certificate>) certFactory.generateCertificates(inputStream);
-
-        return new ArrayList<Certificate>(certs);
-    }
-
-    public static PrivateKey getPrivateKey(String keyFile, String password) throws IOException, GeneralSecurityException {
-        InputStream in = new FileInputStream("/path/to/pkcs8_private_key.der");
-        return getPrivateKey(in, password);
-    }
-
-    public static PrivateKey getPrivateKey(InputStream inputStream, String password) throws GeneralSecurityException, IOException {
-        if (password == null) password = "";
-        // If the provided InputStream is encrypted, we need a password to decrypt
-        // it. If the InputStream is not encrypted, then the password is ignored
-        // (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
-        PKCS8Key pkcs8 = new PKCS8Key(inputStream, password.toCharArray());
-
-        // If an unencrypted PKCS8 key was provided, then this actually returns
-        // exactly what was originally passed inputStream (with no changes).  If an OpenSSL
-        // key was provided, it gets reformatted as PKCS #8 first, and so these
-        // bytes will still be PKCS #8, not OpenSSL.
-        byte[] decrypted = pkcs8.getDecryptedBytes();
-        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decrypted);
-
-        // A Java PrivateKey object is born.
-        PrivateKey pk = null;
-        if (pkcs8.isDSA()) {
-            pk = KeyFactory.getInstance("DSA").generatePrivate(spec);
-        }
-        else if (pkcs8.isRSA()) {
-            pk = KeyFactory.getInstance("RSA").generatePrivate(spec);
-        }
-
-        // For lazier types:
-        pk = pkcs8.getPrivateKey();
-
-        return pk;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/cacert.pem
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/cacert.pem b/haox-pkix/src/main/resources/cacert.pem
deleted file mode 100644
index 6b91561..0000000
--- a/haox-pkix/src/main/resources/cacert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID6zCCAtOgAwIBAgIJAMrZoeDxTzwWMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
-DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
-YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
-MzEzMjdaFw0yNDA1MTAxMzEzMjdaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
-c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
-A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
-a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMCznJJ02ZUjCPvAwnBmfPs0akb5QRc/NKu8kCtAPWzgHS2JPTQfJhkDbTAD
-eIlg8IeJpOdrYnzdaBCzgxqjSkls+vxjYotOU0Zbrpy2bj0lRDqdYbNsiuConKgT
-MeuDEd/4ZI0X9NWLAi06Iv1F4mHXf36c6uqiUWTtXiofogrFUoTRwACKR2qeC95X
-Py+FDmpS9lz0mo0vDWjetLQC2IBngjjPFdR16n87QDIWfRBkk66rn7rEA6Li66b/
-cToajMSA/n+2Ud1mntSY4RdDdd0TBtAq9RrXtUOfzGaE7S6t+FtYyEprvT4FdOTU
-uyYgSNaI9ANVP1zhQ9LACKuudOECAwEAAaNQME4wHQYDVR0OBBYEFD91SVOejfwx
-u33+5N0TdYbHJbgAMB8GA1UdIwQYMBaAFD91SVOejfwxu33+5N0TdYbHJbgAMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADsONtUqGNBPBXnRowcJwv+Y
-F1Vea+4dkBwYbhkiO6H5XMKr+waOnOD2eAvgP4aeYg/a0xOzzETRD9wi1Z1P1ZMy
-d/NzHQjj4egPENwDv1PH2voZgsXXzXIqUMOtz9t12TuJUrSA2SBW1tz/evckHhNY
-fHg4ThvTIgwEdV/yvrOEBLV9dXG5IhhF+NW1MegTGkt4SpOoH1pi3o9VekVRnix9
-xrIdaC4Ee6vQaR603HwDS9Y+a1c2KU7QoLX8Vaa904cQ+rxhGsTAkocnZXeo6Hl5
-V8BlDYXxeP86fzcWi04ll2BmEEw/RimHEOLpGqxTVHJ5p5BVSCHP8aCD0VJheaU=
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/cakey.pem
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/cakey.pem b/haox-pkix/src/main/resources/cakey.pem
deleted file mode 100644
index 66dc806..0000000
--- a/haox-pkix/src/main/resources/cakey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwLOcknTZlSMI+8DCcGZ8+zRqRvlBFz80q7yQK0A9bOAdLYk9
-NB8mGQNtMAN4iWDwh4mk52tifN1oELODGqNKSWz6/GNii05TRluunLZuPSVEOp1h
-s2yK4KicqBMx64MR3/hkjRf01YsCLToi/UXiYdd/fpzq6qJRZO1eKh+iCsVShNHA
-AIpHap4L3lc/L4UOalL2XPSajS8NaN60tALYgGeCOM8V1HXqfztAMhZ9EGSTrquf
-usQDouLrpv9xOhqMxID+f7ZR3Wae1JjhF0N13RMG0Cr1Gte1Q5/MZoTtLq34W1jI
-Smu9PgV05NS7JiBI1oj0A1U/XOFD0sAIq6504QIDAQABAoIBAHqFeMax3unxBbQ0
-Aiy/LTX3RJ9tuZITUOTklnG5fZStBkA+oxhxuaJryE+f1VLbvPMgdCXj5BHqIFGG
-IZSdQA1hak9wzWYvXck9X88qOvtLp47xI/6Vw9NFwZ0n3zST+JiD8UK4eaYQpUim
-Tzrj5SU6hEi3crHOlJvsRFPaGwhnA9wycoOo4o22XBj3C8Hwzi4vWcKXH/RCSwZQ
-zFuYbe77Pn9Sv5q5zdglkmm7wngoVt/aKQke/Vk+Eincx1V12b05DNLjugo6FWQh
-0f2MmHpvqNSHs9USC5+y2lKQ1JNHh7mnpPCXkZEH4V7q+3mKVzl9tXzj9Gul20pw
-tneD6WUCgYEA9QUrQoWHKeVMjeukHjDJa2KjRLMmg9YRQyVABH9+nQTp1jYUjMRA
-GUoUx91gG6gjjJD/xvor/U0Fh3vKtZE93c+avrcaYDwf3q/L4gh+3b87lVDfzjrp
-L+MPTpEzWiyyLfr/kLA0TgUjnrj9bav5uDps8mJpNf8s9ZP1/QDhF5sCgYEAyVZA
-pHSIyBI2GT0+92JXvYDK/ZfV5m4RGHaG/PMDoU4IbGbjHVyzzsyzDUgvOASXwfF8
-YzwX7Tf95RZw12P/Jepxt0vqBJPKUCsMLUrmANQvN1Pz8+Vk6UADLM7kNc06MqB9
-/U3GKCFZZuedEhbgXnEV9gzelhILImJGZMxG0zMCgYApymnofLHjGXMHOcvSQmv4
-XuiODShikB59n1rd6YkE6xOfL7YtlEOCjLoipMWBshnuHcUigQUDvSFWTGz0rwMo
-VAKGyOA8zcR5zO4vbVeGJtnYy+SAXlfrjQTNV8K0fK8fXJI+cW9aZ1H9/ntrO0vq
-ejye0t4zEYTvlf782iuKRQKBgQCnTQ7mGRfX+JoPmv8JniR+idkjpNnPYsK96y/8
-XQs1LJx/R3eN3IxlWV+nt8XU7KwWMs5Dv5m6Ov61MFKQCL3qCch4oZJSP2Sr/Tlf
-IY/CPI8HkLF0h7e0wsZgo4Kq2mBz1T0cEVaJ3jxl8Cxq7at/jsTK8qK7XT73UWZh
-OAXaVQKBgDmg2QTX7c0/dbDMOuw18g3xfE/oqU+VWT784wtvpcdjHR+KAVLWHG8l
-oc/bm8Bs0o0f5dfH7uUvWdP6JMvbgYZBgIMqw+iH8P2lFCLzIRf0me/l+r0Oi64U
-5jp9K+7Ggc7S0SSnCLmBLMN5lXQZbhzks1La7DZmFeAz8rOEnlUB
------END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/extensions.kdc
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/extensions.kdc b/haox-pkix/src/main/resources/extensions.kdc
deleted file mode 100644
index e0d1578..0000000
--- a/haox-pkix/src/main/resources/extensions.kdc
+++ /dev/null
@@ -1,20 +0,0 @@
-[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/kdccert.pem
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/kdccert.pem b/haox-pkix/src/main/resources/kdccert.pem
deleted file mode 100644
index 67e538c..0000000
--- a/haox-pkix/src/main/resources/kdccert.pem
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
-DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
-YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
-MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
-c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
-A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
-a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
-fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
-quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
-nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
-EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
-JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
-DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
-Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
-HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
-ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
-AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
-YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
-txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
-R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
-FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
-5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/kdckey.pem
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/kdckey.pem b/haox-pkix/src/main/resources/kdckey.pem
deleted file mode 100644
index c9e75e2..0000000
--- a/haox-pkix/src/main/resources/kdckey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
-8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
-2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
-GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
-fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
-DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
-QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
-6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
-bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
-5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
-8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
-XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
-kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
-Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
-P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
-KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
-qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
-7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
-UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
-n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
-5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
-AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
-KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
-9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
-7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
------END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/usercert.pem
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/usercert.pem b/haox-pkix/src/main/resources/usercert.pem
deleted file mode 100644
index 67e538c..0000000
--- a/haox-pkix/src/main/resources/usercert.pem
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
-DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
-YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
-MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
-c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
-A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
-a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
-fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
-quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
-nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
-EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
-JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
-DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
-Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
-HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
-ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
-AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
-YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
-txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
-R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
-FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
-5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/main/resources/userkey.pem
----------------------------------------------------------------------
diff --git a/haox-pkix/src/main/resources/userkey.pem b/haox-pkix/src/main/resources/userkey.pem
deleted file mode 100644
index c9e75e2..0000000
--- a/haox-pkix/src/main/resources/userkey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
-8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
-2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
-GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
-fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
-DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
-QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
-6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
-bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
-5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
-8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
-XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
-kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
-Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
-P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
-KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
-qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
-7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
-UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
-n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
-5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
-AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
-KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
-9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
-7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
------END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-pkix/src/test/java/org/haox/pki/PkixTest.java
----------------------------------------------------------------------
diff --git a/haox-pkix/src/test/java/org/haox/pki/PkixTest.java b/haox-pkix/src/test/java/org/haox/pki/PkixTest.java
deleted file mode 100644
index 3c4bff5..0000000
--- a/haox-pkix/src/test/java/org/haox/pki/PkixTest.java
+++ /dev/null
@@ -1,41 +0,0 @@
-package org.haox.pki;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.GeneralSecurityException;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.util.List;
-
-/**
- openssl genrsa -out cakey.pem 2048
- openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
- vi extensions.kdc
- openssl genrsa -out kdckey.pem 2048
- openssl req -new -out kdc.req -key kdckey.pem
- env REALM=SH.INTEL.COM openssl x509 -req -in kdc.req -CAkey cakey.pem \
- -CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
- */
-public class PkixTest {
-
-    @Test
-    public void loadCert() throws CertificateException, IOException {
-        InputStream res = getClass().getResourceAsStream("/usercert.pem");
-        List<Certificate> certs = Pkix.getCerts(res);
-        Certificate userCert = certs.iterator().next();
-
-        Assert.assertNotNull(userCert);
-    }
-
-    @Test
-    public void loadKey() throws GeneralSecurityException, IOException {
-        InputStream res = getClass().getResourceAsStream("/userkey.pem");
-        PrivateKey key = Pkix.getPrivateKey(res, null);
-
-        Assert.assertNotNull(key);
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-token/pom.xml
----------------------------------------------------------------------
diff --git a/haox-token/pom.xml b/haox-token/pom.xml
deleted file mode 100644
index 7bdbb53..0000000
--- a/haox-token/pom.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-
-    <parent>
-        <groupId>org.haox</groupId>
-        <artifactId>haox-all</artifactId>
-        <version>1.0-SNAPSHOT</version>
-    </parent>
-
-    <artifactId>haox-token</artifactId>
-    <name>Haox-token Project</name>
-    <version>1.0-SNAPSHOT</version>
-    <packaging>pom</packaging>
-
-    <dependencies>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>nimbus-jose-jwt</artifactId>
-            <version>3.2</version>
-        </dependency>
-        <dependency>
-            <groupId>org.haox</groupId>
-            <artifactId>haox-asn1</artifactId>
-            <version>1.0-SNAPSHOT</version>
-        </dependency>
-    </dependencies>
-
-</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java
----------------------------------------------------------------------
diff --git a/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java b/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java
deleted file mode 100644
index 46421e4..0000000
--- a/haox-token/src/main/java/org/haox/token/AuthzDataEntry.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package org.haox.token;
-
-import org.apache.haox.asn1.type.Asn1FieldInfo;
-import org.apache.haox.asn1.type.Asn1Integer;
-import org.apache.haox.asn1.type.Asn1OctetString;
-import org.apache.haox.asn1.type.Asn1SequenceType;
-
-/**
- AuthorizationData       ::= SEQUENCE OF SEQUENCE {
-     ad-type         [0] Int32,
-     ad-data         [1] OCTET STRING
- }
- */
-public class AuthzDataEntry extends Asn1SequenceType {
-    static int AD_TYPE = 0;
-    static int AD_DATA = 1;
-
-    public AuthzDataEntry() {
-        super(new Asn1FieldInfo[] {
-                new Asn1FieldInfo(AD_TYPE, Asn1Integer.class),
-                new Asn1FieldInfo(AD_DATA, Asn1OctetString.class)
-        });
-    }
-
-    public int getAuthzType() {
-        Integer value = getFieldAsInteger(AD_TYPE);
-        return value;
-    }
-
-    public byte[] getAuthzData() {
-        return getFieldAsOctets(AD_DATA);
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-token/src/main/java/org/haox/token/KerbToken.java
----------------------------------------------------------------------
diff --git a/haox-token/src/main/java/org/haox/token/KerbToken.java b/haox-token/src/main/java/org/haox/token/KerbToken.java
deleted file mode 100644
index 8c68ac0..0000000
--- a/haox-token/src/main/java/org/haox/token/KerbToken.java
+++ /dev/null
@@ -1,28 +0,0 @@
-package org.haox.token;
-
-import java.util.Map;
-
-public class KerbToken {
-
-  private Map<String, Object> attributes;
-
-  public KerbToken(Map<String, Object> attributes) {
-    this.attributes = attributes;
-  }
-
-  public Map<String, Object> getAttributes() {
-    return attributes;
-  }
-
-  public String getPrincipal() {
-    return (String) attributes.get("sub");
-  }
-
-  public String[] getGroups() {
-    String grp = (String) attributes.get("group");
-    if (grp != null) {
-      return new String[] { grp };
-    }
-    return new String[0];
-  }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-token/src/main/java/org/haox/token/TokenCache.java
----------------------------------------------------------------------
diff --git a/haox-token/src/main/java/org/haox/token/TokenCache.java b/haox-token/src/main/java/org/haox/token/TokenCache.java
deleted file mode 100644
index 0811319..0000000
--- a/haox-token/src/main/java/org/haox/token/TokenCache.java
+++ /dev/null
@@ -1,63 +0,0 @@
-package org.haox.token;
-
-import java.io.*;
-
-public class TokenCache {
-    private static final String DEFAULT_TOKEN_CACHE_PATH = ".tokenauth";
-    private static final String TOKEN_CACHE_FILE = ".tokenauth.token";
-
-    public static String readToken(String tokenCacheFile) {
-        File cacheFile = null;
-
-        if (tokenCacheFile != null && ! tokenCacheFile.isEmpty()) {
-            cacheFile = new File(tokenCacheFile);
-            if (!cacheFile.exists()) {
-                throw new RuntimeException("Invalid token cache specified: " + tokenCacheFile);
-            };
-        } else {
-            cacheFile = getDefaultTokenCache();
-            if (!cacheFile.exists()) {
-                throw new RuntimeException("No token cache available by default");
-            };
-        }
-
-        String token = null;
-        try {
-            BufferedReader reader = new BufferedReader(new FileReader(cacheFile));
-            String line = reader.readLine();
-            reader.close();
-            if (line != null) {
-                token = line;
-            }
-        } catch (IOException ex) {
-            //NOP
-        }
-
-        return token;
-    }
-
-    public static void writeToken(String token) {
-        File cacheFile = getDefaultTokenCache();
-
-        try {
-            Writer writer = new FileWriter(cacheFile);
-            writer.write(token.toString());
-            writer.close();
-            // sets read-write permissions to owner only
-            cacheFile.setReadable(false, false);
-            cacheFile.setReadable(true, true);
-            cacheFile.setWritable(true, true);
-        }
-        catch (IOException ioe) {
-            // if case of any error we just delete the cache, if user-only
-            // write permissions are not properly set a security exception
-            // is thrown and the file will be deleted.
-            cacheFile.delete();
-        }
-    }
-
-    public static File getDefaultTokenCache() {
-        String homeDir = System.getProperty("user.home", DEFAULT_TOKEN_CACHE_PATH);
-        return new File(homeDir, TOKEN_CACHE_FILE);
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/44fca291/haox-token/src/main/java/org/haox/token/TokenExtractor.java
----------------------------------------------------------------------
diff --git a/haox-token/src/main/java/org/haox/token/TokenExtractor.java b/haox-token/src/main/java/org/haox/token/TokenExtractor.java
deleted file mode 100644
index 4e7e951..0000000
--- a/haox-token/src/main/java/org/haox/token/TokenExtractor.java
+++ /dev/null
@@ -1,82 +0,0 @@
-package org.haox.token;
-
-import com.sun.security.jgss.AuthorizationDataEntry;
-import com.sun.security.jgss.ExtendedGSSContext;
-import com.sun.security.jgss.InquireType;
-import org.apache.haox.asn1.type.Asn1SequenceOf;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-
-import java.io.IOException;
-import java.util.List;
-
-public class TokenExtractor {
-    static final int JWT_AUTHZ_DATA_TYPE = 81;
-    public static final int AD_IF_RELEVANT_TYPE = 1;
-
-    /**
-     AuthorizationData       ::= SEQUENCE OF SEQUENCE {
-         ad-type         [0] Int32,
-         ad-data         [1] OCTET STRING
-     }
-     */
-    public static class AuthorizationData extends Asn1SequenceOf<AuthzDataEntry> {
-
-    }
-
-    public static KerbToken checkAuthzData(GSSContext context) throws GSSException, IOException {
-        System.out.println("Looking for token from authorization data in GSSContext");
-
-        Object authzData = null;
-        if (context instanceof ExtendedGSSContext) {
-            ExtendedGSSContext ex = (ExtendedGSSContext)context;
-            authzData = ex.inquireSecContext(
-                    InquireType.KRB5_GET_AUTHZ_DATA);
-        }
-
-        if (authzData != null) {
-            AuthorizationDataEntry[] authzEntries = (AuthorizationDataEntry[]) authzData;
-            KerbToken resultToken = null;
-            for (int i = 0; i < authzEntries.length; ++i) {
-                resultToken = getAuthzToken(authzEntries[i]);
-                if (resultToken != null) {
-                    return resultToken;
-                }
-            }
-        }
-        return null;
-    }
-
-    public static KerbToken getAuthzToken(AuthorizationDataEntry authzDataEntry) throws IOException {
-        if (authzDataEntry.getType() == AD_IF_RELEVANT_TYPE) {
-            String token = getToken(authzDataEntry);
-            if (token == null) {
-                return null;
-            }
-
-            try {
-                return TokenTool.fromJwtToken(token);
-            } catch (Exception e) {
-                // noop when not jwt token
-            }
-        }
-
-        return null;
-    }
-
-    public static String getToken(AuthorizationDataEntry authzDataEntry) throws IOException {
-        List<AuthzDataEntry> entries = decode(authzDataEntry);
-        for (AuthzDataEntry entry : entries) {
-            if (entry.getAuthzType() == JWT_AUTHZ_DATA_TYPE) {
-                return new String(entry.getAuthzData());
-            }
-        }
-        return null;
-    }
-
-    public static List<AuthzDataEntry> decode(AuthorizationDataEntry authzDataEntry) throws IOException {
-        AuthorizationData authzData = new AuthorizationData();
-        authzData.decode(authzDataEntry.getData());
-        return authzData.getElements();
-    }
-}

