directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dran...@apache.org
Subject [19/45] directory-kerberos git commit: DIRKRB-149 New layout structure with the new name "Apache Kerby"
Date Thu, 22 Jan 2015 21:47:58 GMT
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
new file mode 100644
index 0000000..b7902b4
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitContext.java
@@ -0,0 +1,30 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.IdentityOpts;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PluginOpts;
+
+public class PkinitContext {
+
+    public PluginOpts pluginOpts = new PluginOpts();
+    public IdentityOpts identityOpts = new IdentityOpts();
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
new file mode 100644
index 0000000..d5a516c
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -0,0 +1,233 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.client.preauth.AbstractPreauthPlugin;
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.client.request.KdcRequest;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlag;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlags;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdenity;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.*;
+import org.apache.kerby.kerberos.kerb.spec.x509.SubjectPublicKeyInfo;
+
+public class PkinitPreauth extends AbstractPreauthPlugin {
+
+    private PkinitContext pkinitContext;
+
+    public PkinitPreauth() {
+        super(new PkinitPreauthMeta());
+    }
+
+    @Override
+    public void init(KrbContext context) {
+        super.init(context);
+        this.pkinitContext = new PkinitContext();
+    }
+
+    @Override
+    public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
+        PkinitRequestContext reqCtx = new PkinitRequestContext();
+
+        reqCtx.updateRequestOpts(pkinitContext.pluginOpts);
+
+        return reqCtx;
+    }
+
+    @Override
+    public void setPreauthOptions(KdcRequest kdcRequest,
+                                  PluginRequestContext requestContext,
+                                  KrbOptions options) {
+        if (options.contains(KrbOption.PKINIT_X509_IDENTITY)) {
+            pkinitContext.identityOpts.identity =
+                    options.getStringOption(KrbOption.PKINIT_X509_IDENTITY);
+        }
+
+        if (options.contains(KrbOption.PKINIT_X509_ANCHORS)) {
+            pkinitContext.identityOpts.anchors.add(
+                    options.getStringOption(KrbOption.PKINIT_X509_ANCHORS));
+        }
+
+        if (options.contains(KrbOption.PKINIT_USING_RSA)) {
+            pkinitContext.pluginOpts.usingRsa =
+                    options.getBooleanOption(KrbOption.PKINIT_USING_RSA);
+        }
+
+    }
+
+    @Override
+    public void prepareQuestions(KdcRequest kdcRequest,
+                                 PluginRequestContext requestContext) {
+
+        PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
+
+        if (!reqCtx.identityInitialized) {
+            PkinitIdenity.initialize(reqCtx.identityOpts, kdcRequest.getClientPrincipal());
+            reqCtx.identityInitialized = true;
+        }
+
+        // Might have questions asking for password to access the private key
+    }
+
+    public void tryFirst(KdcRequest kdcRequest,
+                         PluginRequestContext requestContext,
+                         PaData outPadata) throws KrbException {
+
+    }
+
+    @Override
+    public boolean process(KdcRequest kdcRequest,
+                        PluginRequestContext requestContext,
+                        PaDataEntry inPadata,
+                        PaData outPadata) throws KrbException {
+
+        PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
+        if (inPadata == null) return false;
+
+        boolean processingRequest = false;
+        switch (inPadata.getPaDataType()) {
+            case PK_AS_REQ:
+                processingRequest = true;
+                break;
+            case PK_AS_REP:
+                break;
+        }
+
+        if (processingRequest) {
+            generateRequest(reqCtx, kdcRequest, outPadata);
+        } else {
+            EncryptionType encType = kdcRequest.getEncType();
+            processReply(kdcRequest, reqCtx, inPadata, encType);
+        }
+
+        return false;
+    }
+
+    private void generateRequest(PkinitRequestContext reqCtx, KdcRequest kdcRequest,
+                                 PaData outPadata) {
+
+    }
+
+    private PaPkAsReq makePaPkAsReq(PkinitContext pkinitContext, PkinitRequestContext reqCtx,
+                                    KerberosTime ctime, int cusec, int nonce, byte[] checksum,
+                                    PrincipalName client, PrincipalName server) {
+
+        PaPkAsReq paPkAsReq = new PaPkAsReq();
+        AuthPack authPack = new AuthPack();
+        SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo();
+        PkAuthenticator pkAuthen = new PkAuthenticator();
+
+        boolean usingRsa = reqCtx.requestOpts.usingRsa;
+        PaDataType paType = reqCtx.paType = PaDataType.PK_AS_REQ;
+
+        pkAuthen.setCtime(ctime);
+        pkAuthen.setCusec(cusec);
+        pkAuthen.setNonce(nonce);
+        pkAuthen.setPaChecksum(checksum);
+
+        authPack.setPkAuthenticator(pkAuthen);
+        DHNonce dhNonce = new DHNonce();
+        authPack.setClientDhNonce(dhNonce);
+        authPack.setClientPublicValue(pubInfo);
+
+        authPack.setsupportedCmsTypes(pkinitContext.pluginOpts.createSupportedCMSTypes());
+
+        if (usingRsa) {
+            // DH case
+        } else {
+            authPack.setClientPublicValue(null);
+        }
+
+        byte[] signedAuthPack = signAuthPack(pkinitContext, reqCtx, authPack);
+        paPkAsReq.setSignedAuthPack(signedAuthPack);
+
+        TrustedCertifiers trustedCertifiers = pkinitContext.pluginOpts.createTrustedCertifiers();
+        paPkAsReq.setTrustedCertifiers(trustedCertifiers);
+
+        byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
+        paPkAsReq.setKdcPkId(kdcPkId);
+
+        return paPkAsReq;
+    }
+
+    private byte[] signAuthPack(PkinitContext pkinitContext,
+                                   PkinitRequestContext reqCtx, AuthPack authPack) {
+        return null;
+    }
+
+    private void processReply(KdcRequest kdcRequest,
+                              PkinitRequestContext reqCtx,
+                              PaDataEntry inPadata,
+                              EncryptionType encType) {
+
+        EncryptionKey asKey = null;
+
+        // TODO
+
+        kdcRequest.setAsKey(asKey);
+    }
+
+    @Override
+    public boolean tryAgain(KdcRequest kdcRequest,
+                         PluginRequestContext requestContext,
+                         PaDataType preauthType,
+                         PaData errPadata,
+                         PaData outPadata) {
+
+        PkinitRequestContext reqCtx = (PkinitRequestContext) requestContext;
+        if (reqCtx.paType != preauthType && errPadata == null) {
+            return false;
+        }
+
+        boolean doAgain = false;
+        for (PaDataEntry pde : errPadata.getElements()) {
+            switch (pde.getPaDataType()) {
+                // TODO
+            }
+        }
+
+        if (doAgain) {
+            generateRequest(reqCtx, kdcRequest, outPadata);
+        }
+
+        return false;
+    }
+
+    @Override
+    public PaFlags getFlags(PaDataType paType) {
+        PaFlags paFlags = new PaFlags(0);
+        paFlags.setFlag(PaFlag.PA_REAL);
+
+        return paFlags;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
new file mode 100644
index 0000000..bfbf7f2
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestContext.java
@@ -0,0 +1,44 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.IdentityOpts;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PluginOpts;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class PkinitRequestContext implements PluginRequestContext {
+
+    public PkinitRequestOpts requestOpts = new PkinitRequestOpts();
+    public IdentityOpts identityOpts = new IdentityOpts();
+    public boolean doIdentityMatching;
+    public PaDataType paType;
+    public boolean rfc6112Kdc;
+    public boolean identityInitialized;
+    public boolean identityPrompted;
+    
+    public void updateRequestOpts(PluginOpts pluginOpts) {
+        requestOpts.requireEku = pluginOpts.requireEku;
+        requestOpts.acceptSecondaryEku = pluginOpts.acceptSecondaryEku;
+        requestOpts.allowUpn = pluginOpts.allowUpn;
+        requestOpts.usingRsa = pluginOpts.usingRsa;
+        requestOpts.requireCrlChecking = pluginOpts.requireCrlChecking;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
new file mode 100644
index 0000000..97e989f
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitRequestOpts.java
@@ -0,0 +1,40 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+
+public class PkinitRequestOpts {
+
+    // From MIT Krb5 _pkinit_plg_opts
+
+    // require EKU checking (default is true)
+    public boolean requireEku = true;
+    // accept secondary EKU (default is false)
+    public boolean acceptSecondaryEku = false;
+    // allow UPN-SAN instead of pkinit-SAN
+    public boolean allowUpn = true;
+    // selects DH or RSA based pkinit
+    public boolean usingRsa = true;
+    // require CRL for a CA (default is false)
+    public boolean requireCrlChecking = false;
+    // initial request DH modulus size (default=1024)
+    public int dhSize = 1024;
+
+    public boolean requireHostnameMatch = true;
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
new file mode 100644
index 0000000..e1696dc
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenContext.java
@@ -0,0 +1,28 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.token;
+
+import org.apache.kerby.token.KerbToken;
+
+public class TokenContext {
+
+    public boolean usingIdToken = true;
+    public KerbToken token = null;
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
new file mode 100644
index 0000000..f67ad71
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -0,0 +1,124 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.token;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.client.preauth.AbstractPreauthPlugin;
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.client.request.KdcRequest;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlag;
+import org.apache.kerby.kerberos.kerb.preauth.PaFlags;
+import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.token.KerbToken;
+
+import java.util.Collections;
+import java.util.List;
+
+public class TokenPreauth extends AbstractPreauthPlugin {
+
+    private TokenContext tokenContext;
+
+    public TokenPreauth() {
+        super(new TokenPreauthMeta());
+    }
+
+    public void init(KrbContext context) {
+        super.init(context);
+        this.tokenContext = new TokenContext();
+    }
+
+    @Override
+    public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
+        TokenRequestContext reqCtx = new TokenRequestContext();
+
+        return reqCtx;
+    }
+
+    @Override
+    public void prepareQuestions(KdcRequest kdcRequest,
+                                 PluginRequestContext requestContext) {
+
+    }
+
+    @Override
+    public List<EncryptionType> getEncTypes(KdcRequest kdcRequest,
+                                            PluginRequestContext requestContext) {
+        return Collections.emptyList();
+    }
+
+    @Override
+    public void setPreauthOptions(KdcRequest kdcRequest,
+                                  PluginRequestContext requestContext,
+                                  KrbOptions options) {
+
+        tokenContext.usingIdToken = options.getBooleanOption(KrbOption.TOKEN_USING_IDTOKEN);
+        if (tokenContext.usingIdToken) {
+            if (options.contains(KrbOption.TOKEN_USER_ID_TOKEN)) {
+                tokenContext.token =
+                        (KerbToken) options.getOptionValue(KrbOption.TOKEN_USER_ID_TOKEN);
+            }
+        } else {
+            if (options.contains(KrbOption.TOKEN_USER_AC_TOKEN)) {
+                tokenContext.token =
+                        (KerbToken) options.getOptionValue(KrbOption.TOKEN_USER_AC_TOKEN);
+            }
+        }
+
+    }
+
+    public void tryFirst(KdcRequest kdcRequest,
+                         PluginRequestContext requestContext,
+                         PaData outPadata) throws KrbException {
+
+    }
+
+    @Override
+    public boolean process(KdcRequest kdcRequest,
+                        PluginRequestContext requestContext,
+                        PaDataEntry inPadata,
+                        PaData outPadata) throws KrbException {
+
+        return false;
+    }
+
+    @Override
+    public boolean tryAgain(KdcRequest kdcRequest,
+                         PluginRequestContext requestContext,
+                         PaDataType preauthType,
+                         PaData errPadata,
+                         PaData outPadata) {
+        return false;
+    }
+
+    @Override
+    public PaFlags getFlags(PaDataType paType) {
+        PaFlags paFlags = new PaFlags(0);
+        paFlags.setFlag(PaFlag.PA_REAL);
+
+        return paFlags;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
new file mode 100644
index 0000000..ca7eb87
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenRequestContext.java
@@ -0,0 +1,32 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth.token;
+
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class TokenRequestContext implements PluginRequestContext {
+
+    public boolean doIdentityMatching;
+    public PaDataType paType;
+    public boolean identityInitialized;
+    public boolean identityPrompted;
+    
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
new file mode 100644
index 0000000..ca20e00
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
@@ -0,0 +1,127 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
+
+import java.io.IOException;
+import java.util.List;
+
+public class AsRequest extends KdcRequest {
+
+    private PrincipalName clientPrincipal;
+    private EncryptionKey clientKey;
+
+    public AsRequest(KrbContext context) {
+        super(context);
+
+        setServerPrincipal(makeTgsPrincipal());
+    }
+
+    public PrincipalName getClientPrincipal() {
+        return clientPrincipal;
+    }
+
+    public void setClientPrincipal(PrincipalName clientPrincipal) {
+        this.clientPrincipal = clientPrincipal;
+    }
+
+    public void setClientKey(EncryptionKey clientKey) {
+        this.clientKey = clientKey;
+    }
+
+    public EncryptionKey getClientKey() throws KrbException {
+        return clientKey;
+    }
+
+    @Override
+    public void process() throws KrbException {
+        super.process();
+
+        KdcReqBody body = makeReqBody();
+
+        AsReq asReq = new AsReq();
+        asReq.setReqBody(body);
+        asReq.setPaData(getPreauthContext().getOutputPaData());
+
+        setKdcReq(asReq);
+    }
+
+    @Override
+    public void processResponse(KdcRep kdcRep) throws KrbException  {
+        setKdcRep(kdcRep);
+
+        PrincipalName clientPrincipal = getKdcRep().getCname();
+        String clientRealm = getKdcRep().getCrealm();
+        clientPrincipal.setRealm(clientRealm);
+        if (! clientPrincipal.equals(getClientPrincipal())) {
+            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_NAME_MISMATCH);
+        }
+
+        byte[] decryptedData = decryptWithClientKey(getKdcRep().getEncryptedEncPart(),
+                KeyUsage.AS_REP_ENCPART);
+        EncKdcRepPart encKdcRepPart = new EncAsRepPart();
+        try {
+            encKdcRepPart.decode(decryptedData);
+        } catch (IOException e) {
+            throw new KrbException("Failed to decode EncAsRepPart", e);
+        }
+        getKdcRep().setEncPart(encKdcRepPart);
+
+        if (getChosenNonce() != encKdcRepPart.getNonce()) {
+            throw new KrbException("Nonce didn't match");
+        }
+
+        PrincipalName serverPrincipal = encKdcRepPart.getSname();
+        serverPrincipal.setRealm(encKdcRepPart.getSrealm());
+        if (! serverPrincipal.equals(getServerPrincipal())) {
+            throw new KrbException(KrbErrorCode.KDC_ERR_SERVER_NOMATCH);
+        }
+
+        HostAddresses hostAddresses = getHostAddresses();
+        if (hostAddresses != null) {
+            List<HostAddress> requestHosts = hostAddresses.getElements();
+            if (!requestHosts.isEmpty()) {
+                List<HostAddress> responseHosts = encKdcRepPart.getCaddr().getElements();
+                for (HostAddress h : requestHosts) {
+                    if (!responseHosts.contains(h)) {
+                        throw new KrbException("Unexpected client host");
+                    }
+                }
+            }
+        }
+    }
+
+    public TgtTicket getTicket() {
+        TgtTicket TgtTicket = new TgtTicket(getKdcRep().getTicket(),
+                (EncAsRepPart) getKdcRep().getEncPart(), getKdcRep().getCname().getName());
+        return TgtTicket;
+    }
+
+    private PrincipalName makeTgsPrincipal() {
+        return new PrincipalName(KrbConstant.TGS_PRINCIPAL + "@" + getContext().getKdcRealm());
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
new file mode 100644
index 0000000..43b2368
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
@@ -0,0 +1,57 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class AsRequestWithCert extends AsRequest {
+
+    public static final String ANONYMOUS_PRINCIPAL = "ANONYMOUS@WELLKNOWN:ANONYMOUS";
+
+    public AsRequestWithCert(KrbContext context) {
+        super(context);
+
+        setAllowedPreauth(PaDataType.PK_AS_REQ);
+    }
+
+    @Override
+    public void process() throws KrbException {
+        throw new RuntimeException("To be implemented");
+    }
+
+    @Override
+    public KrbOptions getPreauthOptions() {
+        KrbOptions results = new KrbOptions();
+
+        KrbOptions krbOptions = getKrbOptions();
+        results.add(krbOptions.getOption(KrbOption.PKINIT_X509_CERTIFICATE));
+        results.add(krbOptions.getOption(KrbOption.PKINIT_X509_ANCHORS));
+        results.add(krbOptions.getOption(KrbOption.PKINIT_X509_PRIVATE_KEY));
+        results.add(krbOptions.getOption(KrbOption.PKINIT_X509_IDENTITY));
+        results.add(krbOptions.getOption(KrbOption.PKINIT_USING_RSA));
+
+        return results;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java
new file mode 100644
index 0000000..721ab85
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithPasswd.java
@@ -0,0 +1,50 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class AsRequestWithPasswd extends AsRequest {
+
+    public AsRequestWithPasswd(KrbContext context) {
+        super(context);
+
+        setAllowedPreauth(PaDataType.ENC_TIMESTAMP);
+    }
+
+    public String getPassword() {
+        return getKrbOptions().getStringOption(KrbOption.USER_PASSWD);
+    }
+
+    @Override
+    public EncryptionKey getClientKey() throws KrbException {
+        if (super.getClientKey() == null) {
+            EncryptionKey tmpKey = EncryptionHandler.string2Key(getClientPrincipal().getName(),
+                    getPassword(), getChosenEncryptionType());
+            setClientKey(tmpKey);
+        }
+        return super.getClientKey();
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
new file mode 100644
index 0000000..586c9ed
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
@@ -0,0 +1,52 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+public class AsRequestWithToken extends AsRequest {
+
+    public AsRequestWithToken(KrbContext context) {
+        super(context);
+
+        setAllowedPreauth(PaDataType.TOKEN_REQUEST);
+    }
+
+    @Override
+    public void process() throws KrbException {
+        throw new RuntimeException("To be implemented");
+    }
+
+    @Override
+    public KrbOptions getPreauthOptions() {
+        KrbOptions results = new KrbOptions();
+
+        KrbOptions krbOptions = getKrbOptions();
+        results.add(krbOptions.getOption(KrbOption.TOKEN_USING_IDTOKEN));
+        results.add(krbOptions.getOption(KrbOption.TOKEN_USER_ID_TOKEN));
+        results.add(krbOptions.getOption(KrbOption.TOKEN_USER_AC_TOKEN));
+
+        return results;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
new file mode 100644
index 0000000..bbbadab
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -0,0 +1,358 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOptions;
+import org.apache.kerby.kerberos.kerb.client.preauth.FastContext;
+import org.apache.kerby.kerberos.kerb.client.preauth.PreauthContext;
+import org.apache.kerby.kerberos.kerb.client.preauth.PreauthHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.transport.Transport;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * A wrapper for KdcReq request
+ */
+public abstract class KdcRequest {
+    private KrbContext context;
+    private Transport transport;
+
+    private KrbOptions krbOptions;
+    private PrincipalName serverPrincipal;
+    private List<HostAddress> hostAddresses = new ArrayList<HostAddress>();
+    private KdcOptions kdcOptions = new KdcOptions();
+    private List<EncryptionType> encryptionTypes;
+    private EncryptionType chosenEncryptionType;
+    private int chosenNonce;
+    private KdcReq kdcReq;
+    private KdcRep kdcRep;
+    protected Map<String, Object> credCache;
+    private PreauthContext preauthContext;
+    private FastContext fastContext;
+    private EncryptionKey asKey;
+
+    private KrbError errorReply;
+    private boolean isRetrying;
+
+    public KdcRequest(KrbContext context) {
+        this.context = context;
+        this.isRetrying = false;
+        this.credCache = new HashMap<String, Object>();
+        this.preauthContext = context.getPreauthHandler()
+                .preparePreauthContext(this);
+        this.fastContext = new FastContext();
+    }
+
+    public void setTransport(Transport transport) {
+        this.transport = transport;
+    }
+
+    public Transport getTransport() {
+        return this.transport;
+    }
+
+    public void setKrbOptions(KrbOptions options) {
+        this.krbOptions = options;
+    }
+
+    public KrbOptions getKrbOptions() {
+        return krbOptions;
+    }
+
+    public boolean isRetrying() {
+        return isRetrying;
+    }
+
+    public void setAsKey(EncryptionKey asKey) {
+        this.asKey = asKey;
+    }
+
+    public EncryptionKey getAsKey() throws KrbException {
+        return asKey;
+    }
+
+    public void setAllowedPreauth(PaDataType paType) {
+        preauthContext.setAllowedPaType(paType);
+    }
+
+    public Map<String, Object> getCredCache() {
+        return credCache;
+    }
+
+    public void setPreauthRequired(boolean preauthRequired) {
+        preauthContext.setPreauthRequired(preauthRequired);
+    }
+
+    public PreauthContext getPreauthContext() {
+        return preauthContext;
+    }
+
+    protected void loadCredCache() {
+        // TODO
+    }
+
+    public KdcReq getKdcReq() {
+        return kdcReq;
+    }
+
+    public void setKdcReq(KdcReq kdcReq) {
+        this.kdcReq = kdcReq;
+    }
+
+    public KdcRep getKdcRep() {
+        return kdcRep;
+    }
+
+    public void setKdcRep(KdcRep kdcRep) {
+        this.kdcRep = kdcRep;
+    }
+
+    protected KdcReqBody makeReqBody() throws KrbException {
+        KdcReqBody body = new KdcReqBody();
+
+        long startTime = System.currentTimeMillis();
+        body.setFrom(new KerberosTime(startTime));
+
+        PrincipalName cName = null;
+        cName = getClientPrincipal();
+        body.setCname(cName);
+
+        body.setRealm(cName.getRealm());
+
+        PrincipalName sName = getServerPrincipal();
+        body.setSname(sName);
+
+        body.setTill(new KerberosTime(startTime + getTicketValidTime()));
+
+        int nonce = generateNonce();
+        body.setNonce(nonce);
+        setChosenNonce(nonce);
+
+        body.setKdcOptions(getKdcOptions());
+
+        HostAddresses addresses = getHostAddresses();
+        if (addresses != null) {
+            body.setAddresses(addresses);
+        }
+
+        body.setEtypes(getEncryptionTypes());
+
+        return body;
+    }
+
+    public KdcOptions getKdcOptions() {
+        return kdcOptions;
+    }
+
+    public HostAddresses getHostAddresses() {
+        HostAddresses addresses = null;
+        if (!hostAddresses.isEmpty()) {
+            addresses = new HostAddresses();
+            for(HostAddress ha : hostAddresses) {
+                addresses.addElement(ha);
+            }
+        }
+        return addresses;
+    }
+
+    public KrbContext getContext() {
+        return context;
+    }
+
+    protected byte[] decryptWithClientKey(EncryptedData data, KeyUsage usage) throws KrbException {
+        return EncryptionHandler.decrypt(data, getClientKey(), usage);
+    }
+
+    public void setContext(KrbContext context) {
+        this.context = context;
+    }
+
+    public void setHostAddresses(List<HostAddress> hostAddresses) {
+        this.hostAddresses = hostAddresses;
+    }
+
+    public void setKdcOptions(KdcOptions kdcOptions) {
+        this.kdcOptions = kdcOptions;
+    }
+
+    public abstract PrincipalName getClientPrincipal();
+
+    public PrincipalName getServerPrincipal() {
+        return serverPrincipal;
+    }
+
+    public void setServerPrincipal(PrincipalName serverPrincipal) {
+        this.serverPrincipal = serverPrincipal;
+    }
+
+    public List<EncryptionType> getEncryptionTypes() {
+        if (encryptionTypes == null) {
+            encryptionTypes = context.getConfig().getEncryptionTypes();
+        }
+        return encryptionTypes;
+    }
+
+    public void setEncryptionTypes(List<EncryptionType> encryptionTypes) {
+        this.encryptionTypes = encryptionTypes;
+    }
+
+    public EncryptionType getChosenEncryptionType() {
+        return chosenEncryptionType;
+    }
+
+    public void setChosenEncryptionType(EncryptionType chosenEncryptionType) {
+        this.chosenEncryptionType = chosenEncryptionType;
+    }
+
+    public int generateNonce() {
+        return context.generateNonce();
+    }
+
+    public int getChosenNonce() {
+        return chosenNonce;
+    }
+
+    public void setChosenNonce(int nonce) {
+        this.chosenNonce = nonce;
+    }
+
+    public abstract EncryptionKey getClientKey() throws KrbException;
+
+    public long getTicketValidTime() {
+        return context.getTicketValidTime();
+    }
+
+    public KerberosTime getTicketTillTime() {
+        long now = System.currentTimeMillis();
+        return new KerberosTime(now + KerberosTime.MINUTE * 60 * 1000);
+    }
+
+    public void addHost(String hostNameOrIpAddress) throws UnknownHostException {
+        InetAddress address = InetAddress.getByName(hostNameOrIpAddress);
+        hostAddresses.add(new HostAddress(address));
+    }
+
+    public void process() throws KrbException {
+        preauth();
+    }
+
+    public abstract void processResponse(KdcRep kdcRep) throws KrbException;
+
+    public KrbOptions getPreauthOptions() {
+        return new KrbOptions();
+    }
+
+    protected void preauth() throws KrbException {
+        loadCredCache();
+
+        List<EncryptionType> etypes = getEncryptionTypes();
+        if (etypes.isEmpty()) {
+            throw new KrbException("No encryption type is configured and available");
+        }
+        EncryptionType encryptionType = etypes.iterator().next();
+        setChosenEncryptionType(encryptionType);
+
+        getPreauthHandler().preauth(this);
+    }
+
+    protected PreauthHandler getPreauthHandler() {
+        return getContext().getPreauthHandler();
+    }
+
+    /**
+     * Indicate interest in the AS key.
+     */
+    public void needAsKey() throws KrbException {
+        EncryptionKey clientKey = getClientKey();
+        if (clientKey == null) {
+            throw new RuntimeException("Client key should be prepared or prompted at this time!");
+        }
+        setAsKey(clientKey);
+    }
+
+    /**
+     * Get the enctype expected to be used to encrypt the encrypted portion of
+     * the AS_REP packet.  When handling a PREAUTH_REQUIRED error, this
+     * typically comes from etype-info2.  When handling an AS reply, it is
+     * initialized from the AS reply itself.
+     */
+    public EncryptionType getEncType() {
+
+        return getChosenEncryptionType();
+    }
+
+    public void askQuestion(String question, String challenge) {
+        preauthContext.getUserResponser().askQuestion(question, challenge);
+    }
+
+    /**
+     * Get a pointer to the FAST armor key, or NULL if the client is not using FAST.
+     */
+    public EncryptionKey getArmorKey() {
+        return fastContext.armorKey;
+    }
+
+    /**
+     * Get the current time for use in a preauth response.  If
+     * allow_unauth_time is true and the library has been configured to allow
+     * it, the current time will be offset using unauthenticated timestamp
+     * information received from the KDC in the preauth-required error, if one
+     * has been received.  Otherwise, the timestamp in a preauth-required error
+     * will only be used if it is protected by a FAST channel.  Only set
+     * allow_unauth_time if using an unauthenticated time offset would not
+     * create a security issue.
+     */
+    public KerberosTime getPreauthTime() {
+        return KerberosTime.now();
+    }
+
+    /**
+     * Get a state item from an input ccache, which may allow it
+     * to retrace the steps it took last time.  The returned data string is an
+     * alias and should not be freed.
+     */
+    public Object getCacheValue(String key) {
+        return credCache.get(key);
+    }
+
+    /**
+     * Set a state item which will be recorded to an output
+     * ccache, if the calling application supplied one.  Both key and data
+     * should be valid UTF-8 text.
+     */
+    public void cacheValue(String key, Object value) {
+        credCache.put(key, value);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
new file mode 100644
index 0000000..699cd67
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
@@ -0,0 +1,136 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.common.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.common.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
+import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
+
+public class TgsRequest extends KdcRequest {
+    private TgtTicket tgt;
+    private ApReq apReq;
+
+    public TgsRequest(KrbContext context, TgtTicket tgtTicket) {
+        super(context);
+        this.tgt = tgtTicket;
+
+        setAllowedPreauth(PaDataType.TGS_REQ);
+    }
+
+    public PrincipalName getClientPrincipal() {
+        return tgt.getClientPrincipal();
+    }
+
+    @Override
+    public EncryptionKey getClientKey() throws KrbException {
+        return getSessionKey();
+    }
+
+    public EncryptionKey getSessionKey() {
+        return tgt.getSessionKey();
+    }
+
+    @Override
+    protected void preauth() throws KrbException {
+        apReq = makeApReq();
+        super.preauth();
+    }
+
+    @Override
+    public void process() throws KrbException {
+        super.process();
+
+        TgsReq tgsReq = new TgsReq();
+
+        KdcReqBody tgsReqBody = makeReqBody();
+        tgsReq.setReqBody(tgsReqBody);
+        tgsReq.setPaData(getPreauthContext().getOutputPaData());
+
+        setKdcReq(tgsReq);
+    }
+
+    private ApReq makeApReq() throws KrbException {
+        ApReq apReq = new ApReq();
+
+        Authenticator authenticator = makeAuthenticator();
+        EncryptionKey sessionKey = tgt.getSessionKey();
+        EncryptedData authnData = EncryptionUtil.seal(authenticator,
+                sessionKey, KeyUsage.TGS_REQ_AUTH);
+        apReq.setEncryptedAuthenticator(authnData);
+
+        apReq.setTicket(tgt.getTicket());
+        ApOptions apOptions = new ApOptions();
+        apReq.setApOptions(apOptions);
+
+        return apReq;
+    }
+
+    private Authenticator makeAuthenticator() {
+        Authenticator authenticator = new Authenticator();
+        authenticator.setCname(getClientPrincipal());
+        authenticator.setCrealm(tgt.getRealm());
+
+        authenticator.setCtime(KerberosTime.now());
+        authenticator.setCusec(0);
+
+        EncryptionKey sessionKey = tgt.getSessionKey();
+        authenticator.setSubKey(sessionKey);
+
+        return authenticator;
+    }
+
+    @Override
+    public void processResponse(KdcRep kdcRep) throws KrbException {
+        setKdcRep(kdcRep);
+
+        TgsRep tgsRep = (TgsRep) getKdcRep();
+        EncTgsRepPart encTgsRepPart = EncryptionUtil.unseal(tgsRep.getEncryptedEncPart(),
+                getSessionKey(),
+                KeyUsage.TGS_REP_ENCPART_SESSKEY, EncTgsRepPart.class);
+
+        tgsRep.setEncPart(encTgsRepPart);
+
+        if (getChosenNonce() != encTgsRepPart.getNonce()) {
+            throw new KrbException("Nonce didn't match");
+        }
+    }
+
+    public ServiceTicket getServiceTicket() {
+        ServiceTicket serviceTkt = new ServiceTicket(getKdcRep().getTicket(),
+                (EncTgsRepPart) getKdcRep().getEncPart());
+        return serviceTkt;
+    }
+
+    public ApReq getApReq() {
+        return apReq;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf b/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf
new file mode 100644
index 0000000..d118dd1
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/resources/kdc-krb5.conf
@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+    default_realm = {0}
+    udp_preference_limit = 1
+
+[realms]
+    {0} = '{'
+        kdc = {1}:{2}
+    '}'
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff b/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff
new file mode 100644
index 0000000..bc989c3
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/resources/kdc.ldiff
@@ -0,0 +1,46 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+dn: ou=users,dc=${0},dc=${1}
+objectClass: organizationalUnit
+objectClass: top
+ou: users
+
+dn: uid=krbtgt,ou=users,dc=${0},dc=${1}
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: KDC Service
+sn: Service
+uid: krbtgt
+userPassword: secret
+krb5PrincipalName: krbtgt/${2}.${3}@${2}.${3}
+krb5KeyVersionNumber: 0
+
+dn: uid=ldap,ou=users,dc=${0},dc=${1}
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: krb5principal
+objectClass: krb5kdcentry
+cn: LDAP
+sn: Service
+uid: ldap
+userPassword: secret
+krb5PrincipalName: ldap/${4}@${2}.${3}
+krb5KeyVersionNumber: 0

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/main/resources/krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/resources/krb5.conf b/kerby-kerb/kerb-client/src/main/resources/krb5.conf
new file mode 100644
index 0000000..4222475
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/resources/krb5.conf
@@ -0,0 +1,57 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+  default_realm = KRB.COM
+  dns_lookup_kdc = false
+  dns_lookup_realm = false
+  allow_weak_crypto = true
+  ticket_lifetime = 86400
+  renew_lifetime = 604800
+  forwardable = true
+  permitted_enctypes = des-cbc-crc aes128-cts-hmac-sha1-96
+  clockskew = 300
+  proxiable = true
+  default_tgs_enctypes = des-cbc-crc
+  default_tkt_enctypes = des-cbc-crc
+[realms]
+#  ATHENA.MIT.EDU = {
+#		admin_server = KERBEROS.MIT.EDU
+#		default_domain = MIT.EDU
+#		v4_instance_convert = {
+#			mit = mit.edu
+#			lithium = lithium.lcs.mit.edu
+#		}
+#	}
+#	ANDREW.CMU.EDU = {
+#	  admin_server = vice28.fs.andrew.cmu.edu
+#	}
+#  GNU.ORG = {
+#    kdc = kerberos.gnu.org
+#    kdc = kerberos-2.gnu.org
+#    admin_server = kerberos.gnu.org
+#  }
+[domain_realm]
+  .mit.edu = ATHENA.MIT.EDU
+	mit.edu = ATHENA.MIT.EDU
+	.media.mit.edu = MEDIA-LAB.MIT.EDU
+	media.mit.edu = MEDIA-LAB.MIT.EDU
+	.ucsc.edu = CATS.UCSC.EDU
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
new file mode 100644
index 0000000..b766c48
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoad.java
@@ -0,0 +1,71 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client;
+
+import org.apache.kerby.config.Conf;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import org.junit.Test;
+import org.junit.Assert;
+
+
+/**
+ * Test for loading configurations form krb5.conf.
+ * krb5.conf is the configuration file in MIT Kerberos.
+ */
+public class TestKrbConfigLoad {
+
+    @Test
+    public void test() throws IOException, URISyntaxException {
+        URL confFileUrl = TestKrbConfigLoad.class.getResource("/krb5.conf");
+        File confFile = new File(confFileUrl.toURI());
+
+        KrbConfig krbConfig = new KrbConfig();
+        Conf conf = krbConfig.getConf();
+        conf.addIniConfig(confFile);
+
+        Assert.assertEquals(krbConfig.getDefaultRealm(), "KRB.COM");
+        Assert.assertFalse(krbConfig.getDnsLookUpKdc());
+        Assert.assertFalse(krbConfig.getDnsLookUpRealm());
+        Assert.assertTrue(krbConfig.getAllowWeakCrypto());
+        Assert.assertEquals(krbConfig.getTicketLifetime(), 24 * 3600);
+        Assert.assertEquals(krbConfig.getRenewLifetime(), 7 * 24 * 3600);
+        Assert.assertTrue(krbConfig.isForwardableAllowed());
+        Assert.assertEquals(krbConfig.getEncryptionTypes().size(), 2);
+        Assert.assertEquals(krbConfig.getEncryptionTypes().get(0), EncryptionType.DES_CBC_CRC);
+        Assert.assertEquals(krbConfig.getEncryptionTypes().get(1), EncryptionType.AES128_CTS_HMAC_SHA1_96);
+        Assert.assertEquals(krbConfig.getAllowableClockSkew(), 300);
+        Assert.assertTrue(krbConfig.isProxiableAllowed());
+        Assert.assertEquals(krbConfig.getDefaultTgsEnctypes().size(), 1);
+        Assert.assertEquals(krbConfig.getDefaultTgsEnctypes().get(0), EncryptionType.DES_CBC_CRC);
+        Assert.assertEquals(krbConfig.getDefaultTktEnctypes().size(), 1);
+        Assert.assertEquals(krbConfig.getDefaultTktEnctypes().get(0), EncryptionType.DES_CBC_CRC);
+
+        Assert.assertEquals(krbConfig.getDefaultLoggingLocation(), "FILE:/var/log/krb5libs.log");
+        Assert.assertEquals(krbConfig.getKdcLoggingLocation(), "FILE:/var/log/krb5kdc.log");
+        Assert.assertEquals(krbConfig.getAdminLoggingLocation(), "FILE:/var/log/kadmind.log");
+
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/pom.xml b/kerby-kerb/kerb-common/pom.xml
new file mode 100644
index 0000000..d21d320
--- /dev/null
+++ b/kerby-kerb/kerb-common/pom.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.kerby</groupId>
+    <artifactId>kerby-kerb</artifactId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>kerb-common</artifactId>
+  <name>Kerby-kerb Common</name>
+  <description>Kerby-kerb Common facilities for both client and server</description>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-config</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-event</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-core</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-crypto</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+</project>

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java
new file mode 100644
index 0000000..ee9c962
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/KrbThrow.java
@@ -0,0 +1,35 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb;
+
+public class KrbThrow {
+
+    public static KrbException out(MessageCode messageCode) throws KrbException {
+        throw new KrbException(Message.getMessage(messageCode));
+    }
+
+    public static void out(MessageCode messageCode, Exception e) throws KrbException {
+        throw new KrbException(Message.getMessage(messageCode), e);
+    }
+
+    public static void out(MessageCode messageCode, String message) throws KrbException {
+        throw new KrbException(Message.getMessage(messageCode) + ":" + message);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java
new file mode 100644
index 0000000..5712f51
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/Message.java
@@ -0,0 +1,43 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class Message {
+    private static Map<MessageCode, String> entries = new HashMap<MessageCode, String>();
+
+    public static void init() {
+
+    }
+
+    public static void define(MessageCode code, String message) {
+        entries.put(code, message);
+    }
+
+    public static String getMessage(MessageCode code) {
+        String msg = entries.get(code);
+        if (msg == null) {
+            msg = code.getCodeName();
+        }
+        return msg;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java
new file mode 100644
index 0000000..a8ada14
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/MessageCode.java
@@ -0,0 +1,24 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb;
+
+public interface MessageCode {
+    public String getCodeName();
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
new file mode 100644
index 0000000..aa9618d
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
@@ -0,0 +1,98 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.asn1.type.AbstractAsn1Type;
+import org.apache.kerby.asn1.type.Asn1Type;
+import org.apache.kerby.kerberos.kerb.codec.KrbCodec;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.common.KeyUsage;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class EncryptionUtil {
+
+    public static List<EncryptionKey> generateKeys(List<EncryptionType> encryptionTypes) throws KrbException {
+        List<EncryptionKey> results = new ArrayList<EncryptionKey>(encryptionTypes.size());
+        EncryptionKey encKey;
+        for (EncryptionType eType : encryptionTypes) {
+            encKey = EncryptionHandler.random2Key(eType);
+            results.add(encKey);
+        }
+
+        return results;
+    }
+
+    public static List<EncryptionKey> generateKeys(String principal, String passwd,
+                                                   List<EncryptionType> encryptionTypes) throws KrbException {
+        List<EncryptionKey> results = new ArrayList<EncryptionKey>(encryptionTypes.size());
+        EncryptionKey encKey;
+        for (EncryptionType eType : encryptionTypes) {
+            encKey = EncryptionHandler.string2Key(principal, passwd, eType);
+            results.add(encKey);
+        }
+
+        return results;
+    }
+
+    public static EncryptionType getBestEncryptionType(List<EncryptionType> requestedTypes,
+                                                       List<EncryptionType> configuredTypes) {
+        for (EncryptionType encryptionType : configuredTypes) {
+            if (requestedTypes.contains(encryptionType)) {
+                return encryptionType;
+            }
+        }
+
+        return null;
+    }
+
+    public static EncryptedData seal(AbstractAsn1Type asn1Type,
+                                     EncryptionKey key, KeyUsage usage) throws KrbException {
+        byte[] encoded = asn1Type.encode();
+        EncryptedData encrypted = EncryptionHandler.encrypt(encoded, key, usage);
+        return encrypted;
+    }
+
+    public static <T extends Asn1Type> T unseal(EncryptedData encrypted, EncryptionKey key,
+                                          KeyUsage usage, Class<T> krbType) throws KrbException {
+        byte[] encoded = EncryptionHandler.decrypt(encrypted, key, usage);
+        return KrbCodec.decode(encoded, krbType);
+    }
+
+    public static byte[] encrypt(EncryptionKey key,
+          byte[] plaintext, int usage) throws KrbException {
+        EncTypeHandler encType = EncryptionHandler.getEncHandler(key.getKeyType());
+        byte[] cipherData = encType.encrypt(plaintext, key.getKeyData(), usage);
+        return cipherData;
+    }
+
+    public static byte[] decrypt(EncryptionKey key,
+           byte[] cipherData, int usage) throws KrbException {
+        EncTypeHandler encType = EncryptionHandler.getEncHandler(key.getKeyType());
+        byte[] plainData = encType.decrypt(cipherData, key.getKeyData(), usage);
+        return plainData;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java
new file mode 100644
index 0000000..0100b0b
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java
@@ -0,0 +1,104 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.config.Conf;
+import org.apache.kerby.config.Config;
+import org.apache.kerby.kerberos.kerb.spec.common.EncryptionType;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Help KrbConfig and KdcConfig to load configs.
+ */
+public class KrbConfHelper {
+    /**
+     * The regex to split a config value(string) to a list of config value(string list).
+     */
+    private static final String LIST_SPLITTER = " ";
+
+    public static String getStringUnderSection(Conf conf, SectionConfigKey key) {
+        Config subConfig = conf.getConfig(key.getSectionName());
+        if (subConfig != null) {
+            return subConfig.getString(key);
+        } else {
+            return (String) key.getDefaultValue();
+        }
+    }
+
+    public static boolean getBooleanUnderSection(Conf conf, SectionConfigKey key) {
+        Config subConfig = conf.getConfig(key.getSectionName());
+        if (subConfig != null) {
+            return subConfig.getBoolean(key);
+        } else {
+            return (Boolean) key.getDefaultValue();
+        }
+    }
+
+    public static long getLongUnderSection(Conf conf, SectionConfigKey key) {
+        Config subConfig = conf.getConfig(key.getSectionName());
+        if (subConfig != null) {
+            return subConfig.getLong(key);
+        } else {
+            return (Long) key.getDefaultValue();
+        }
+    }
+
+    public static int getIntUnderSection(Conf conf, SectionConfigKey key) {
+        Config subConfig = conf.getConfig(key.getSectionName());
+        if (subConfig != null) {
+            return subConfig.getInt(key);
+        } else {
+            return (Integer) key.getDefaultValue();
+        }
+    }
+
+    public static String[] getStringArrayUnderSection(Conf conf, SectionConfigKey key) {
+        String value = getStringUnderSection(conf, key);
+        String[] values = value.split(LIST_SPLITTER);
+        return values;
+    }
+
+    public static List<EncryptionType> getEncTypesUnderSection(Conf conf, SectionConfigKey key) {
+        String[] encTypesNames = getStringArrayUnderSection(conf, key);
+        return getEncryptionTypes(encTypesNames);
+    }
+
+    public static List<EncryptionType> getEncryptionTypes(String[] encTypeNames) {
+        return getEncryptionTypes(Arrays.asList(encTypeNames));
+    }
+
+    public static List<EncryptionType> getEncryptionTypes(List<String> encTypeNames) {
+        List<EncryptionType> results = new ArrayList<EncryptionType>(encTypeNames.size());
+
+        EncryptionType eType;
+        for (String eTypeName : encTypeNames) {
+            eType = EncryptionType.fromName(eTypeName);
+            if (eType != EncryptionType.NONE) {
+                results.add(eType);
+            }
+        }
+        return results;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java
new file mode 100644
index 0000000..e252d5b
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbErrorUtil.java
@@ -0,0 +1,67 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.kerberos.kerb.spec.common.*;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class KrbErrorUtil {
+
+    public static List<EncryptionType> getEtypes(KrbError error) throws IOException {
+        MethodData methodData = new MethodData();
+        methodData.decode(error.getEdata());
+
+        for( PaDataEntry pd : methodData.getElements()) {
+            if( pd.getPaDataType() == PaDataType.ETYPE_INFO2 ) {
+                return getEtypes2(pd.getPaDataValue());
+            }
+            else if( pd.getPaDataType() == PaDataType.ETYPE_INFO ) {
+                return getEtypes(pd.getPaDataValue());
+            }
+        }
+        return Collections.EMPTY_LIST;
+    }
+
+    private static List<EncryptionType> getEtypes(byte[] data) throws IOException {
+        EtypeInfo info = new EtypeInfo();
+        info.decode(data);
+        List<EncryptionType> results = new ArrayList<EncryptionType>();
+        for( EtypeInfoEntry entry : info.getElements() ) {
+            results.add(entry.getEtype());
+        }
+        return results;
+    }
+
+    private static List<EncryptionType> getEtypes2(byte[] data) throws IOException {
+        EtypeInfo2 info2 = new EtypeInfo2();
+        info2.decode(data);
+        List<EncryptionType> results = new ArrayList<EncryptionType>();
+        for( EtypeInfo2Entry entry : info2.getElements() ) {
+            results.add(entry.getEtype());
+        }
+        return results;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java
new file mode 100644
index 0000000..82015ee
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbStreamingDecoder.java
@@ -0,0 +1,42 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.transport.tcp.DecodingCallback;
+import org.apache.kerby.transport.tcp.StreamingDecoder;
+
+import java.nio.ByteBuffer;
+
+public class KrbStreamingDecoder implements StreamingDecoder {
+
+    @Override
+    public void decode(ByteBuffer streamingBuffer, DecodingCallback callback) {
+        if (streamingBuffer.remaining() >= 4) {
+            int len = streamingBuffer.getInt();
+            if (streamingBuffer.remaining() >= len) {
+                callback.onMessageComplete(len + 4);
+            } else {
+                callback.onMoreDataNeeded(len + 4);
+            }
+        } else {
+            callback.onMoreDataNeeded();
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/ceacb982/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
new file mode 100644
index 0000000..77e9d56
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
@@ -0,0 +1,49 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.kerberos.kerb.codec.KrbCodec;
+import org.apache.kerby.kerberos.kerb.spec.common.KrbMessage;
+import org.apache.kerby.transport.Transport;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+public class KrbUtil {
+
+    public static void sendMessage(KrbMessage message, Transport transport) {
+        int bodyLen = message.encodingLength();
+        ByteBuffer buffer = ByteBuffer.allocate(bodyLen + 4);
+        buffer.putInt(bodyLen);
+        message.encode(buffer);
+        buffer.flip();
+        transport.sendMessage(buffer);
+    }
+
+    public static KrbMessage decodeMessage(ByteBuffer message) throws IOException {
+        int bodyLen = message.getInt();
+        assert (message.remaining() >= bodyLen);
+
+        KrbMessage krbMessage = KrbCodec.decodeMessage(message);
+
+        return krbMessage;
+    }
+
+}


Mime
View raw message