Mailing-List: contact commits-help@directory.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@directory.apache.org
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: drankye@apache.org
To: commits@directory.apache.org
Date: Sat, 21 Mar 2015 12:11:43 -0000
Message-Id: <a6166f988baf4a2189e237d8e8515fe1@git.apache.org>
Subject: [1/3] directory-kerby git commit: WIP: Working on token provider and
 pki provider

Repository: directory-kerby
Updated Branches:
  refs/heads/master c8d651662 -> c59056a8e


WIP: Working on token provider and pki provider


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/80749319
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/80749319
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/80749319

Branch: refs/heads/master
Commit: 80749319e1bfe0e7f3084ad48000684ec998a6ab
Parents: c8d6516
Author: Drankye <drankye@gmail.com>
Authored: Sat Mar 21 12:54:21 2015 +0800
Committer: Drankye <drankye@gmail.com>
Committed: Sat Mar 21 12:54:21 2015 +0800

----------------------------------------------------------------------
 kdc-backend/pom.xml                             |   2 +-
 kdc-backend/zookeeper-backend/pom.xml           |   1 -
 kerby-kerb/README.md                            |   2 +
 .../apache/kerby/kerberos/kerb/KrbProvider.java |  27 -----
 .../apache/kerby/kerberos/kerb/KrbRuntime.java  |  29 ++++-
 .../kerby/kerberos/kerb/TokenProvider.java      |  37 ------
 .../kerberos/kerb/provider/KrbProvider.java     |  27 +++++
 .../kerberos/kerb/provider/OtpProvider.java     |  29 +++++
 .../kerby/kerberos/kerb/provider/PkiLoader.java |  70 +++++++++++
 .../kerberos/kerb/provider/PkiProvider.java     |  33 ++++++
 .../kerberos/kerb/provider/TokenEncoder.java    |  44 +++++++
 .../kerberos/kerb/provider/TokenProvider.java   |  35 ++++++
 .../kerby/kerberos/kerb/spec/base/KrbToken.java |   1 +
 .../kerberos/kerb/spec/base/TokenEncoder.java   |  40 -------
 kerby-kerb/kerb-kdc-test/pom.xml                |   9 +-
 .../kerberos/kerb/server/WithCertKdcTest.java   |  22 ++--
 kerby-provider/README.md                        |   4 +
 kerby-provider/pki-provider/pom.xml             |  55 +++++++++
 .../kerberos/provider/pki/KerbyPkiLoader.java   | 117 +++++++++++++++++++
 .../kerberos/provider/pki/KerbyPkiProvider.java |  35 ++++++
 .../provider/pki/KerbyPkiLoaderTest.java        |  67 +++++++++++
 .../pki-provider/src/test/resources/cacert.pem  |  23 ++++
 .../pki-provider/src/test/resources/cakey.pem   |  27 +++++
 .../src/test/resources/extensions.kdc           |  36 ++++++
 .../pki-provider/src/test/resources/kdccert.pem |  26 +++++
 .../pki-provider/src/test/resources/kdckey.pem  |  27 +++++
 .../src/test/resources/usercert.pem             |  26 +++++
 .../pki-provider/src/test/resources/userkey.pem |  27 +++++
 kerby-provider/pom.xml                          |  22 ++++
 kerby-provider/token-provider/pom.xml           |  29 +++++
 .../provider/token/KerbyTokenEncoder.java       |  37 ++++++
 .../provider/token/KerbyTokenProvider.java      |  35 ++++++
 lib/kerby-pkix/pom.xml                          |  39 -------
 .../main/java/org/apache/kerby/pki/Pkix.java    |  89 --------------
 .../java/org/apache/kerby/pki/PkixTest.java     |  61 ----------
 lib/kerby-pkix/src/test/resources/cacert.pem    |  23 ----
 lib/kerby-pkix/src/test/resources/cakey.pem     |  27 -----
 .../src/test/resources/extensions.kdc           |  36 ------
 lib/kerby-pkix/src/test/resources/kdccert.pem   |  26 -----
 lib/kerby-pkix/src/test/resources/kdckey.pem    |  27 -----
 lib/kerby-pkix/src/test/resources/usercert.pem  |  26 -----
 lib/kerby-pkix/src/test/resources/userkey.pem   |  27 -----
 lib/pom.xml                                     |   1 -
 pom.xml                                         |   1 +
 44 files changed, 879 insertions(+), 505 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kdc-backend/pom.xml
----------------------------------------------------------------------
diff --git a/kdc-backend/pom.xml b/kdc-backend/pom.xml
index fd1f626..2cbae64 100644
--- a/kdc-backend/pom.xml
+++ b/kdc-backend/pom.xml
@@ -22,7 +22,7 @@
   </parent>
 
   <artifactId>kdc-backend</artifactId>
-  <name>Kdc Backend Project</name>
+  <name>Kdc Backends</name>
   <version>1.0-SNAPSHOT</version>
   <packaging>pom</packaging>
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kdc-backend/zookeeper-backend/pom.xml
----------------------------------------------------------------------
diff --git a/kdc-backend/zookeeper-backend/pom.xml b/kdc-backend/zookeeper-backend/pom.xml
index aed9fa1..d756646 100644
--- a/kdc-backend/zookeeper-backend/pom.xml
+++ b/kdc-backend/zookeeper-backend/pom.xml
@@ -22,7 +22,6 @@
   </parent>
 
   <artifactId>zookeeper-backend</artifactId>
-
   <name>Zookeeper identity backend</name>
   <description>Zookeeper identity backend</description>
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/README.md
----------------------------------------------------------------------
diff --git a/kerby-kerb/README.md b/kerby-kerb/README.md
index e48a10b..cc8ecf1 100644
--- a/kerby-kerb/README.md
+++ b/kerby-kerb/README.md
@@ -1,2 +1,4 @@
+Kerby-kerb - the Kerberos library
+
 A Kerberos protocol and standards implementation with least dependencies (only relying on JCE).
 The provided APIs and facilities can be used as Kerberos library.
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbProvider.java
deleted file mode 100644
index aa33158..0000000
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbProvider.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb;
-
-/**
- * Krb provider for allowing to hook external dependencies.
- */
-public interface KrbProvider {
-    // no op, just an interface mark.
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
index d2718c6..14df34c 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
@@ -19,13 +19,19 @@
  */
 package org.apache.kerby.kerberos.kerb;
 
+import org.apache.kerby.kerberos.kerb.provider.PkiProvider;
+import org.apache.kerby.kerberos.kerb.provider.TokenProvider;
+
 /**
  * This runtime allows hook external dependencies thru ServiceProvider interface.
  * The hook behavior should be done at the very initial time during startup.
+ *
+ * TODO: to be enhanced to allow arbitrary provider to be hooked into.
  */
 public class KrbRuntime {
 
     private static TokenProvider tokenProvider;
+    private static PkiProvider pkiProvider;
 
     /**
      * Set up token provider, should be done at very initial time
@@ -39,10 +45,27 @@ public class KrbRuntime {
     }
 
     /**
-     * Get token provider.
-     * @param tokenProvider
+     * Set token provider.
      */
-    public static void setTokenProvider(TokenProvider tokenProvider) {
+    public synchronized static void setTokenProvider(TokenProvider tokenProvider) {
         KrbRuntime.tokenProvider = tokenProvider;
     }
+
+    /**
+     * Get pki provider
+     * @return pki provider
+     */
+    public synchronized static PkiProvider getPkiProvider() {
+        if (pkiProvider == null) {
+            throw new RuntimeException("No token provider is hooked into yet");
+        }
+        return pkiProvider;
+    }
+
+    /**
+     * Setup pkiProvider.
+     */
+    public synchronized static void setPkiProvider(PkiProvider pkiProvider) {
+        KrbRuntime.pkiProvider = pkiProvider;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProvider.java
deleted file mode 100644
index fb67fcc..0000000
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/TokenProvider.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb;
-
-import org.apache.kerby.kerberos.kerb.spec.base.TokenEncoder;
-
-/**
- * Token provider for TokenPreauth mechanism. This is needed because JWT token
- * encoding and decoding require various facilities that can be provided by 3rd
- * libraries. We need them but would not allow them to invade into the core.
- */
-public interface TokenProvider extends KrbProvider {
-
-    /**
-     * Create a token encoder.
-     * @return token encoder
-     */
-    public TokenEncoder createTokenEncoder();
-
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/KrbProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/KrbProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/KrbProvider.java
new file mode 100644
index 0000000..07238a5
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/KrbProvider.java
@@ -0,0 +1,27 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.provider;
+
+/**
+ * Krb provider for allowing to hook external dependencies.
+ */
+public interface KrbProvider {
+    // no op, just an interface mark.
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/OtpProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/OtpProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/OtpProvider.java
new file mode 100644
index 0000000..8cbe94d
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/OtpProvider.java
@@ -0,0 +1,29 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.provider;
+
+/**
+ * Otp provider for OTP mechanism.
+ */
+public interface OtpProvider extends KrbProvider {
+
+
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiLoader.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiLoader.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiLoader.java
new file mode 100644
index 0000000..d2a7dd0
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiLoader.java
@@ -0,0 +1,70 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *
+ */
+package org.apache.kerby.kerberos.kerb.provider;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.util.List;
+
+/**
+ * A PKI certificate and key loader.
+ */
+public interface PkiLoader {
+
+    /**
+     * Load certificates from a cert file.
+     * @param certFile
+     * @return
+     * @throws KrbException
+     */
+    public List<Certificate> loadCerts(String certFile) throws KrbException;
+
+    /**
+     * Load certificates from an input stream.
+     * @param inputStream
+     * @return
+     * @throws KrbException
+     */
+    public List<Certificate> loadCerts(InputStream inputStream) throws KrbException;
+
+    /**
+     * Load private key from a key file with a password.
+     * @param keyFile
+     * @param password
+     * @return private key
+     * @throws KrbException
+     */
+    public PrivateKey loadPrivateKey(String keyFile,
+                                    String password) throws KrbException;
+
+    /**
+     * Load a private key from input stream with a password.
+     * @param inputStream
+     * @param password
+     * @return private key
+     * @throws KrbException
+     */
+    public PrivateKey loadPrivateKey(InputStream inputStream,
+                                    String password) throws KrbException;
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiProvider.java
new file mode 100644
index 0000000..f1f2b4e
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/PkiProvider.java
@@ -0,0 +1,33 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.provider;
+
+/**
+ * Pki provider for PKINIT mechanism.
+ */
+public interface PkiProvider extends KrbProvider {
+
+    /**
+     * Create a pki loader.
+     * @return pki loader
+     */
+    public PkiLoader createPkiLoader();
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenEncoder.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenEncoder.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenEncoder.java
new file mode 100644
index 0000000..7fa34ff
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenEncoder.java
@@ -0,0 +1,44 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.provider;
+
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+
+import java.io.IOException;
+
+/**
+ * An AuthToken encoder and decoder.
+ */
+public interface TokenEncoder {
+
+    /**
+     * Encode a token resulting in a bytes array.
+     * @param token
+     * @return bytes array
+     */
+    public byte[] encode(AuthToken token);
+
+    /**
+     * Decode a token from a bytes array.
+     * @param content
+     * @return token
+     */
+    public AuthToken decode(byte[] content) throws IOException;
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
new file mode 100644
index 0000000..56ff20a
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/provider/TokenProvider.java
@@ -0,0 +1,35 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.provider;
+
+/**
+ * Token provider for TokenPreauth mechanism. This is needed because JWT token
+ * encoding and decoding require various facilities that can be provided by 3rd
+ * libraries. We need them but would not allow them to invade into the core.
+ */
+public interface TokenProvider extends KrbProvider {
+
+    /**
+     * Create a token encoder.
+     * @return token encoder
+     */
+    public TokenEncoder createTokenEncoder();
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
index 4f189b5..d7c30f2 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
@@ -23,6 +23,7 @@ import org.apache.kerby.asn1.type.Asn1FieldInfo;
 import org.apache.kerby.asn1.type.Asn1Integer;
 import org.apache.kerby.asn1.type.Asn1OctetString;
 import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
 import org.apache.kerby.kerberos.kerb.spec.KrbSequenceType;
 
 import java.io.IOException;

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/TokenEncoder.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/TokenEncoder.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/TokenEncoder.java
deleted file mode 100644
index 9c6ced4..0000000
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/TokenEncoder.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.kerberos.kerb.spec.base;
-
-/**
- * An AuthToken encoder and decoder.
- */
-public interface TokenEncoder {
-
-    /**
-     * Encode a token resulting in a bytes array.
-     * @param token
-     * @return bytes array
-     */
-    public byte[] encode(AuthToken token);
-
-    /**
-     * Decode a token from a bytes array.
-     * @param content
-     * @return token
-     */
-    public AuthToken decode(byte[] content);
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-kdc-test/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/pom.xml b/kerby-kerb/kerb-kdc-test/pom.xml
index f9c0752..c42d6c4 100644
--- a/kerby-kerb/kerb-kdc-test/pom.xml
+++ b/kerby-kerb/kerb-kdc-test/pom.xml
@@ -23,8 +23,8 @@
 
   <artifactId>kerb-kdc-test</artifactId>
 
-  <name>Kerby-kerb-KdcTest</name>
-  <description>Kerby-kerb Kdc Test</description>
+  <name>Kerb Kdc Test</name>
+  <description>Kerb Kdc Test</description>
 
   <dependencies>
     <dependency>
@@ -54,11 +54,6 @@
     </dependency>
     <dependency>
       <groupId>org.apache.kerby</groupId>
-      <artifactId>kerby-pkix</artifactId>
-      <version>${project.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.kerby</groupId>
       <artifactId>Json-identity-backend</artifactId>
       <version>${project.version}</version>
     </dependency>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithCertKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithCertKdcTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithCertKdcTest.java
index cfac9d0..01a6474 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithCertKdcTest.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/WithCertKdcTest.java
@@ -20,13 +20,13 @@
 package org.apache.kerby.kerberos.kerb.server;
 
 import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.provider.PkiLoader;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
-import org.apache.kerby.pki.Pkix;
+import org.junit.Before;
 
-import java.io.IOException;
 import java.io.InputStream;
-import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 
@@ -42,10 +42,18 @@ import static org.assertj.core.api.Assertions.assertThat;
  -CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
  */
 public class WithCertKdcTest extends KdcTestBase {
-
+    private PkiLoader pkiLoader;
     private Certificate userCert;
     private PrivateKey userKey;
 
+    @Before
+    public void setUp() throws Exception {
+        //KrbRuntime.setPkiProvider(new KerbyPkiProvider());
+        pkiLoader = KrbRuntime.getPkiProvider().createPkiLoader();
+
+        super.setUp();
+    }
+
     @Override
     protected void setUpClient() throws Exception {
         super.setUpClient();
@@ -80,11 +88,11 @@ public class WithCertKdcTest extends KdcTestBase {
         assertThat(tkt).isNull();
     }
 
-    private void loadCredentials() throws IOException, GeneralSecurityException {
+    private void loadCredentials() throws KrbException {
         InputStream res = getClass().getResourceAsStream("/usercert.pem");
-        userCert = Pkix.getCerts(res).iterator().next();
+        userCert = pkiLoader.loadCerts(res).iterator().next();
 
         res = getClass().getResourceAsStream("/userkey.pem");
-        userKey = Pkix.getPrivateKey(res, null);
+        userKey = pkiLoader.loadPrivateKey(res, null);
     }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/README.md
----------------------------------------------------------------------
diff --git a/kerby-provider/README.md b/kerby-provider/README.md
new file mode 100644
index 0000000..d73d551
--- /dev/null
+++ b/kerby-provider/README.md
@@ -0,0 +1,4 @@
+This contains all the facility providers that the Kerberos implementation relies on.
+These providers are not to be coupled with the Kerberos library, and just hooked into
+during run time thru KrbRuntime. Kerby KDC may integrate some of such providers regarding
+what preauth mechanism(s) it would provide.
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/pom.xml b/kerby-provider/pki-provider/pom.xml
new file mode 100644
index 0000000..aec84de
--- /dev/null
+++ b/kerby-provider/pki-provider/pom.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.kerby</groupId>
+    <artifactId>kerby-provider</artifactId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>pki-provider</artifactId>
+  <name>Pki provider</name>
+  <description>Pki provider</description>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-core</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>not-yet-commons-ssl</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <scope>test</scope>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>${junit.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <version>${assertj.version}</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoader.java
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoader.java b/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoader.java
new file mode 100644
index 0000000..276e90b
--- /dev/null
+++ b/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoader.java
@@ -0,0 +1,117 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.provider.pki;
+
+import org.apache.commons.ssl.PKCS8Key;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.provider.PkiLoader;
+
+import java.io.*;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public class KerbyPkiLoader implements PkiLoader {
+
+    @Override
+    public List<Certificate> loadCerts(String certFile) throws KrbException {
+        InputStream is;
+        try {
+            is = new FileInputStream(new File(certFile));
+        } catch (FileNotFoundException e) {
+            throw new KrbException("No cert file found", e);
+        }
+        return loadCerts(is);
+    }
+
+    @Override
+    public List<Certificate> loadCerts(InputStream inputStream) throws KrbException {
+        CertificateFactory certFactory = null;
+        try {
+            certFactory = CertificateFactory.getInstance("X.509");
+            Collection<? extends Certificate> certs = (Collection<? extends Certificate>)
+                    certFactory.generateCertificates(inputStream);
+            return new ArrayList<Certificate>(certs);
+        } catch (CertificateException e) {
+            throw new KrbException("Failed to load certificates", e);
+        }
+    }
+
+    @Override
+    public PrivateKey loadPrivateKey(String keyFile, String password) throws KrbException {
+        InputStream in = null;
+        try {
+            in = new FileInputStream("/path/to/pkcs8_private_key.der");
+        } catch (FileNotFoundException e) {
+            throw new KrbException("No cert file found", e);
+        }
+        return loadPrivateKey(in, password);
+    }
+
+    @Override
+    public PrivateKey loadPrivateKey(InputStream inputStream, String password) throws KrbException {
+        try {
+            return doLoadPrivateKey(inputStream, password);
+        } catch (GeneralSecurityException e) {
+            throw new KrbException("Failed to load private key", e);
+        } catch (IOException e) {
+            throw new KrbException("Failed to load private key", e);
+        }
+    }
+
+    private PrivateKey doLoadPrivateKey(
+            InputStream inputStream, String password) throws GeneralSecurityException, IOException {
+        if (password == null) {
+            password = "";
+        }
+        // If the provided InputStream is encrypted, we need a password to decrypt
+        // it. If the InputStream is not encrypted, then the password is ignored
+        // (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
+        PKCS8Key pkcs8 = new PKCS8Key(inputStream, password.toCharArray());
+
+        // If an unencrypted PKCS8 key was provided, then this actually returns
+        // exactly what was originally passed inputStream (with no changes).  If an OpenSSL
+        // key was provided, it gets reformatted as PKCS #8 first, and so these
+        // bytes will still be PKCS #8, not OpenSSL.
+        byte[] decrypted = pkcs8.getDecryptedBytes();
+        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decrypted);
+
+        // A Java PrivateKey object is born.
+        PrivateKey pk = null;
+        if (pkcs8.isDSA()) {
+            pk = KeyFactory.getInstance("DSA").generatePrivate(spec);
+        }
+        else if (pkcs8.isRSA()) {
+            pk = KeyFactory.getInstance("RSA").generatePrivate(spec);
+        }
+
+        // For lazier types:
+        pk = pkcs8.getPrivateKey();
+
+        return pk;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiProvider.java
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiProvider.java b/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiProvider.java
new file mode 100644
index 0000000..7a830f9
--- /dev/null
+++ b/kerby-provider/pki-provider/src/main/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiProvider.java
@@ -0,0 +1,35 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.provider.pki;
+
+import org.apache.kerby.kerberos.kerb.provider.PkiLoader;
+import org.apache.kerby.kerberos.kerb.provider.PkiProvider;
+
+/**
+ * Kerby Pki provider.
+ */
+public class KerbyPkiProvider implements PkiProvider {
+
+    @Override
+    public PkiLoader createPkiLoader() {
+        return new KerbyPkiLoader();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoaderTest.java
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoaderTest.java b/kerby-provider/pki-provider/src/test/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoaderTest.java
new file mode 100644
index 0000000..4091dca
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/java/org/apache/kerby/kerberos/provider/pki/KerbyPkiLoaderTest.java
@@ -0,0 +1,67 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.provider.pki;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.provider.PkiLoader;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ openssl genrsa -out cakey.pem 2048
+ openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
+ vi extensions.kdc
+ openssl genrsa -out kdckey.pem 2048
+ openssl req -new -out kdc.req -key kdckey.pem
+ env REALM=SH.INTEL.COM openssl x509 -req -in kdc.req -CAkey cakey.pem \
+ -CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
+ */
+public class KerbyPkiLoaderTest {
+    private PkiLoader pkiLoader;
+
+    @Before
+    public void setup() {
+        pkiLoader = new KerbyPkiLoader();
+    }
+
+    @Test
+    public void loadCert() throws KrbException {
+        InputStream res = getClass().getResourceAsStream("/usercert.pem");
+        List<Certificate> certs = pkiLoader.loadCerts(res);
+        Certificate userCert = certs.iterator().next();
+
+        assertThat(userCert).isNotNull();
+    }
+
+    @Test
+    public void loadKey() throws KrbException {
+        InputStream res = getClass().getResourceAsStream("/userkey.pem");
+        PrivateKey key = pkiLoader.loadPrivateKey(res, null);
+
+        assertThat(key).isNotNull();
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/cacert.pem
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/cacert.pem b/kerby-provider/pki-provider/src/test/resources/cacert.pem
new file mode 100644
index 0000000..6b91561
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/cacert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAtOgAwIBAgIJAMrZoeDxTzwWMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
+VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
+DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
+YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
+MzEzMjdaFw0yNDA1MTAxMzEzMjdaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
+c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
+A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
+a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMCznJJ02ZUjCPvAwnBmfPs0akb5QRc/NKu8kCtAPWzgHS2JPTQfJhkDbTAD
+eIlg8IeJpOdrYnzdaBCzgxqjSkls+vxjYotOU0Zbrpy2bj0lRDqdYbNsiuConKgT
+MeuDEd/4ZI0X9NWLAi06Iv1F4mHXf36c6uqiUWTtXiofogrFUoTRwACKR2qeC95X
+Py+FDmpS9lz0mo0vDWjetLQC2IBngjjPFdR16n87QDIWfRBkk66rn7rEA6Li66b/
+cToajMSA/n+2Ud1mntSY4RdDdd0TBtAq9RrXtUOfzGaE7S6t+FtYyEprvT4FdOTU
+uyYgSNaI9ANVP1zhQ9LACKuudOECAwEAAaNQME4wHQYDVR0OBBYEFD91SVOejfwx
+u33+5N0TdYbHJbgAMB8GA1UdIwQYMBaAFD91SVOejfwxu33+5N0TdYbHJbgAMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADsONtUqGNBPBXnRowcJwv+Y
+F1Vea+4dkBwYbhkiO6H5XMKr+waOnOD2eAvgP4aeYg/a0xOzzETRD9wi1Z1P1ZMy
+d/NzHQjj4egPENwDv1PH2voZgsXXzXIqUMOtz9t12TuJUrSA2SBW1tz/evckHhNY
+fHg4ThvTIgwEdV/yvrOEBLV9dXG5IhhF+NW1MegTGkt4SpOoH1pi3o9VekVRnix9
+xrIdaC4Ee6vQaR603HwDS9Y+a1c2KU7QoLX8Vaa904cQ+rxhGsTAkocnZXeo6Hl5
+V8BlDYXxeP86fzcWi04ll2BmEEw/RimHEOLpGqxTVHJ5p5BVSCHP8aCD0VJheaU=
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/cakey.pem
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/cakey.pem b/kerby-provider/pki-provider/src/test/resources/cakey.pem
new file mode 100644
index 0000000..66dc806
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/cakey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwLOcknTZlSMI+8DCcGZ8+zRqRvlBFz80q7yQK0A9bOAdLYk9
+NB8mGQNtMAN4iWDwh4mk52tifN1oELODGqNKSWz6/GNii05TRluunLZuPSVEOp1h
+s2yK4KicqBMx64MR3/hkjRf01YsCLToi/UXiYdd/fpzq6qJRZO1eKh+iCsVShNHA
+AIpHap4L3lc/L4UOalL2XPSajS8NaN60tALYgGeCOM8V1HXqfztAMhZ9EGSTrquf
+usQDouLrpv9xOhqMxID+f7ZR3Wae1JjhF0N13RMG0Cr1Gte1Q5/MZoTtLq34W1jI
+Smu9PgV05NS7JiBI1oj0A1U/XOFD0sAIq6504QIDAQABAoIBAHqFeMax3unxBbQ0
+Aiy/LTX3RJ9tuZITUOTklnG5fZStBkA+oxhxuaJryE+f1VLbvPMgdCXj5BHqIFGG
+IZSdQA1hak9wzWYvXck9X88qOvtLp47xI/6Vw9NFwZ0n3zST+JiD8UK4eaYQpUim
+Tzrj5SU6hEi3crHOlJvsRFPaGwhnA9wycoOo4o22XBj3C8Hwzi4vWcKXH/RCSwZQ
+zFuYbe77Pn9Sv5q5zdglkmm7wngoVt/aKQke/Vk+Eincx1V12b05DNLjugo6FWQh
+0f2MmHpvqNSHs9USC5+y2lKQ1JNHh7mnpPCXkZEH4V7q+3mKVzl9tXzj9Gul20pw
+tneD6WUCgYEA9QUrQoWHKeVMjeukHjDJa2KjRLMmg9YRQyVABH9+nQTp1jYUjMRA
+GUoUx91gG6gjjJD/xvor/U0Fh3vKtZE93c+avrcaYDwf3q/L4gh+3b87lVDfzjrp
+L+MPTpEzWiyyLfr/kLA0TgUjnrj9bav5uDps8mJpNf8s9ZP1/QDhF5sCgYEAyVZA
+pHSIyBI2GT0+92JXvYDK/ZfV5m4RGHaG/PMDoU4IbGbjHVyzzsyzDUgvOASXwfF8
+YzwX7Tf95RZw12P/Jepxt0vqBJPKUCsMLUrmANQvN1Pz8+Vk6UADLM7kNc06MqB9
+/U3GKCFZZuedEhbgXnEV9gzelhILImJGZMxG0zMCgYApymnofLHjGXMHOcvSQmv4
+XuiODShikB59n1rd6YkE6xOfL7YtlEOCjLoipMWBshnuHcUigQUDvSFWTGz0rwMo
+VAKGyOA8zcR5zO4vbVeGJtnYy+SAXlfrjQTNV8K0fK8fXJI+cW9aZ1H9/ntrO0vq
+ejye0t4zEYTvlf782iuKRQKBgQCnTQ7mGRfX+JoPmv8JniR+idkjpNnPYsK96y/8
+XQs1LJx/R3eN3IxlWV+nt8XU7KwWMs5Dv5m6Ov61MFKQCL3qCch4oZJSP2Sr/Tlf
+IY/CPI8HkLF0h7e0wsZgo4Kq2mBz1T0cEVaJ3jxl8Cxq7at/jsTK8qK7XT73UWZh
+OAXaVQKBgDmg2QTX7c0/dbDMOuw18g3xfE/oqU+VWT784wtvpcdjHR+KAVLWHG8l
+oc/bm8Bs0o0f5dfH7uUvWdP6JMvbgYZBgIMqw+iH8P2lFCLzIRf0me/l+r0Oi64U
+5jp9K+7Ggc7S0SSnCLmBLMN5lXQZbhzks1La7DZmFeAz8rOEnlUB
+-----END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/extensions.kdc
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/extensions.kdc b/kerby-provider/pki-provider/src/test/resources/extensions.kdc
new file mode 100644
index 0000000..8052f71
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/extensions.kdc
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/kdccert.pem
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/kdccert.pem b/kerby-provider/pki-provider/src/test/resources/kdccert.pem
new file mode 100644
index 0000000..67e538c
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/kdccert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
+VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
+DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
+YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
+MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
+c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
+A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
+a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
+fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
+quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
+nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
+EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
+JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
+Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
+HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
+ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
+AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
+YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
+txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
+R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
+FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
+5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/kdckey.pem
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/kdckey.pem b/kerby-provider/pki-provider/src/test/resources/kdckey.pem
new file mode 100644
index 0000000..c9e75e2
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/kdckey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
+8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
+2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
+GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
+fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
+DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
+QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
+6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
+bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
+5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
+8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
+XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
+kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
+Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
+P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
+KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
+qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
+7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
+UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
+n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
+5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
+AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
+KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
+9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
+7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
+-----END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/usercert.pem
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/usercert.pem b/kerby-provider/pki-provider/src/test/resources/usercert.pem
new file mode 100644
index 0000000..67e538c
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/usercert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
+VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
+DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
+YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
+MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
+c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
+A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
+a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
+fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
+quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
+nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
+EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
+JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
+Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
+HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
+ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
+AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
+YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
+txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
+R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
+FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
+5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pki-provider/src/test/resources/userkey.pem
----------------------------------------------------------------------
diff --git a/kerby-provider/pki-provider/src/test/resources/userkey.pem b/kerby-provider/pki-provider/src/test/resources/userkey.pem
new file mode 100644
index 0000000..c9e75e2
--- /dev/null
+++ b/kerby-provider/pki-provider/src/test/resources/userkey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
+8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
+2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
+GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
+fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
+DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
+QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
+6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
+bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
+5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
+8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
+XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
+kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
+Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
+P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
+KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
+qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
+7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
+UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
+n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
+5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
+AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
+KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
+9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
+7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
+-----END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-provider/pom.xml b/kerby-provider/pom.xml
new file mode 100644
index 0000000..86d2c5f
--- /dev/null
+++ b/kerby-provider/pom.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>kerby-all</artifactId>
+    <groupId>org.apache.kerby</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>kerby-provider</artifactId>
+  <name>Kerby providers</name>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>pom</packaging>
+
+  <modules>
+    <module>token-provider</module>
+    <module>pki-provider</module>
+  </modules>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/token-provider/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/pom.xml b/kerby-provider/token-provider/pom.xml
new file mode 100644
index 0000000..af7fe34
--- /dev/null
+++ b/kerby-provider/token-provider/pom.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>kerby-provider</artifactId>
+    <groupId>org.apache.kerby</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>token-provider</artifactId>
+  <name>Token provider</name>
+  <description>Token provider project</description>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-core</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>3.8.2</version>
+    </dependency>
+  </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenEncoder.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenEncoder.java b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenEncoder.java
new file mode 100644
index 0000000..6d10fcc
--- /dev/null
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenEncoder.java
@@ -0,0 +1,37 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.provider.token;
+
+import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+
+import java.io.IOException;
+
+public class KerbyTokenEncoder implements TokenEncoder {
+    @Override
+    public byte[] encode(AuthToken token) {
+        return new byte[0];
+    }
+
+    @Override
+    public AuthToken decode(byte[] content) throws IOException {
+        return null;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenProvider.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenProvider.java b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenProvider.java
new file mode 100644
index 0000000..1096b58
--- /dev/null
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/KerbyTokenProvider.java
@@ -0,0 +1,35 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.provider.token;
+
+import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
+import org.apache.kerby.kerberos.kerb.provider.TokenProvider;
+
+/**
+ * Kerby Token provider.
+ */
+public class KerbyTokenProvider implements TokenProvider {
+
+    @Override
+    public TokenEncoder createTokenEncoder() {
+        return new KerbyTokenEncoder();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/pom.xml
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/pom.xml b/lib/kerby-pkix/pom.xml
deleted file mode 100644
index 01aa22d..0000000
--- a/lib/kerby-pkix/pom.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed under the Apache License, Version 2.0 (the "License");
-  you may not use this file except in compliance with the License.
-  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License. See accompanying LICENSE file.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <modelVersion>4.0.0</modelVersion>
-
-  <parent>
-    <groupId>org.apache.kerby</groupId>
-    <artifactId>lib</artifactId>
-    <version>1.0-SNAPSHOT</version>
-  </parent>
-
-  <artifactId>kerby-pkix</artifactId>
-
-  <name>Kerby PKIX</name>
-  <description>Kerby PKIX utilities</description>
-
-  <dependencies>
-    <dependency>
-      <groupId>org.apache.kerby</groupId>
-      <artifactId>not-yet-commons-ssl</artifactId>
-      <version>${project.version}</version>
-    </dependency>
-  </dependencies>
-
-</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/main/java/org/apache/kerby/pki/Pkix.java
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/main/java/org/apache/kerby/pki/Pkix.java b/lib/kerby-pkix/src/main/java/org/apache/kerby/pki/Pkix.java
deleted file mode 100644
index 5dd66ad..0000000
--- a/lib/kerby-pkix/src/main/java/org/apache/kerby/pki/Pkix.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.pki;
-
-import org.apache.commons.ssl.PKCS8Key;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
-public class Pkix {
-
-    public static List<Certificate> getCerts(String certFile) throws IOException, CertificateException {
-        InputStream is = new FileInputStream(new File(certFile));
-        return getCerts(is);
-    }
-
-    public static List<Certificate> getCerts(InputStream inputStream) throws IOException, CertificateException {
-        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-        Collection<? extends Certificate> certs =
-                (Collection<? extends Certificate>) certFactory.generateCertificates(inputStream);
-
-        return new ArrayList<Certificate>(certs);
-    }
-
-    public static PrivateKey getPrivateKey(String keyFile, String password) throws IOException, GeneralSecurityException {
-        InputStream in = new FileInputStream("/path/to/pkcs8_private_key.der");
-        return getPrivateKey(in, password);
-    }
-
-    public static PrivateKey getPrivateKey(InputStream inputStream, String password) throws GeneralSecurityException, IOException {
-        if (password == null) {
-            password = "";
-        }
-        // If the provided InputStream is encrypted, we need a password to decrypt
-        // it. If the InputStream is not encrypted, then the password is ignored
-        // (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
-        PKCS8Key pkcs8 = new PKCS8Key(inputStream, password.toCharArray());
-
-        // If an unencrypted PKCS8 key was provided, then this actually returns
-        // exactly what was originally passed inputStream (with no changes).  If an OpenSSL
-        // key was provided, it gets reformatted as PKCS #8 first, and so these
-        // bytes will still be PKCS #8, not OpenSSL.
-        byte[] decrypted = pkcs8.getDecryptedBytes();
-        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decrypted);
-
-        // A Java PrivateKey object is born.
-        PrivateKey pk = null;
-        if (pkcs8.isDSA()) {
-            pk = KeyFactory.getInstance("DSA").generatePrivate(spec);
-        }
-        else if (pkcs8.isRSA()) {
-            pk = KeyFactory.getInstance("RSA").generatePrivate(spec);
-        }
-
-        // For lazier types:
-        pk = pkcs8.getPrivateKey();
-
-        return pk;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/java/org/apache/kerby/pki/PkixTest.java
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/java/org/apache/kerby/pki/PkixTest.java b/lib/kerby-pkix/src/test/java/org/apache/kerby/pki/PkixTest.java
deleted file mode 100644
index 2b44e1c..0000000
--- a/lib/kerby-pkix/src/test/java/org/apache/kerby/pki/PkixTest.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.pki;
-
-import org.junit.Test;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.GeneralSecurityException;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.util.List;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- openssl genrsa -out cakey.pem 2048
- openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
- vi extensions.kdc
- openssl genrsa -out kdckey.pem 2048
- openssl req -new -out kdc.req -key kdckey.pem
- env REALM=SH.INTEL.COM openssl x509 -req -in kdc.req -CAkey cakey.pem \
- -CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
- */
-public class PkixTest {
-
-    @Test
-    public void loadCert() throws CertificateException, IOException {
-        InputStream res = getClass().getResourceAsStream("/usercert.pem");
-        List<Certificate> certs = Pkix.getCerts(res);
-        Certificate userCert = certs.iterator().next();
-
-        assertThat(userCert).isNotNull();
-    }
-
-    @Test
-    public void loadKey() throws GeneralSecurityException, IOException {
-        InputStream res = getClass().getResourceAsStream("/userkey.pem");
-        PrivateKey key = Pkix.getPrivateKey(res, null);
-
-        assertThat(key).isNotNull();
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/cacert.pem
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/cacert.pem b/lib/kerby-pkix/src/test/resources/cacert.pem
deleted file mode 100644
index 6b91561..0000000
--- a/lib/kerby-pkix/src/test/resources/cacert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID6zCCAtOgAwIBAgIJAMrZoeDxTzwWMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
-DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
-YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
-MzEzMjdaFw0yNDA1MTAxMzEzMjdaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
-c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
-A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
-a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMCznJJ02ZUjCPvAwnBmfPs0akb5QRc/NKu8kCtAPWzgHS2JPTQfJhkDbTAD
-eIlg8IeJpOdrYnzdaBCzgxqjSkls+vxjYotOU0Zbrpy2bj0lRDqdYbNsiuConKgT
-MeuDEd/4ZI0X9NWLAi06Iv1F4mHXf36c6uqiUWTtXiofogrFUoTRwACKR2qeC95X
-Py+FDmpS9lz0mo0vDWjetLQC2IBngjjPFdR16n87QDIWfRBkk66rn7rEA6Li66b/
-cToajMSA/n+2Ud1mntSY4RdDdd0TBtAq9RrXtUOfzGaE7S6t+FtYyEprvT4FdOTU
-uyYgSNaI9ANVP1zhQ9LACKuudOECAwEAAaNQME4wHQYDVR0OBBYEFD91SVOejfwx
-u33+5N0TdYbHJbgAMB8GA1UdIwQYMBaAFD91SVOejfwxu33+5N0TdYbHJbgAMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADsONtUqGNBPBXnRowcJwv+Y
-F1Vea+4dkBwYbhkiO6H5XMKr+waOnOD2eAvgP4aeYg/a0xOzzETRD9wi1Z1P1ZMy
-d/NzHQjj4egPENwDv1PH2voZgsXXzXIqUMOtz9t12TuJUrSA2SBW1tz/evckHhNY
-fHg4ThvTIgwEdV/yvrOEBLV9dXG5IhhF+NW1MegTGkt4SpOoH1pi3o9VekVRnix9
-xrIdaC4Ee6vQaR603HwDS9Y+a1c2KU7QoLX8Vaa904cQ+rxhGsTAkocnZXeo6Hl5
-V8BlDYXxeP86fzcWi04ll2BmEEw/RimHEOLpGqxTVHJ5p5BVSCHP8aCD0VJheaU=
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/cakey.pem
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/cakey.pem b/lib/kerby-pkix/src/test/resources/cakey.pem
deleted file mode 100644
index 66dc806..0000000
--- a/lib/kerby-pkix/src/test/resources/cakey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAwLOcknTZlSMI+8DCcGZ8+zRqRvlBFz80q7yQK0A9bOAdLYk9
-NB8mGQNtMAN4iWDwh4mk52tifN1oELODGqNKSWz6/GNii05TRluunLZuPSVEOp1h
-s2yK4KicqBMx64MR3/hkjRf01YsCLToi/UXiYdd/fpzq6qJRZO1eKh+iCsVShNHA
-AIpHap4L3lc/L4UOalL2XPSajS8NaN60tALYgGeCOM8V1HXqfztAMhZ9EGSTrquf
-usQDouLrpv9xOhqMxID+f7ZR3Wae1JjhF0N13RMG0Cr1Gte1Q5/MZoTtLq34W1jI
-Smu9PgV05NS7JiBI1oj0A1U/XOFD0sAIq6504QIDAQABAoIBAHqFeMax3unxBbQ0
-Aiy/LTX3RJ9tuZITUOTklnG5fZStBkA+oxhxuaJryE+f1VLbvPMgdCXj5BHqIFGG
-IZSdQA1hak9wzWYvXck9X88qOvtLp47xI/6Vw9NFwZ0n3zST+JiD8UK4eaYQpUim
-Tzrj5SU6hEi3crHOlJvsRFPaGwhnA9wycoOo4o22XBj3C8Hwzi4vWcKXH/RCSwZQ
-zFuYbe77Pn9Sv5q5zdglkmm7wngoVt/aKQke/Vk+Eincx1V12b05DNLjugo6FWQh
-0f2MmHpvqNSHs9USC5+y2lKQ1JNHh7mnpPCXkZEH4V7q+3mKVzl9tXzj9Gul20pw
-tneD6WUCgYEA9QUrQoWHKeVMjeukHjDJa2KjRLMmg9YRQyVABH9+nQTp1jYUjMRA
-GUoUx91gG6gjjJD/xvor/U0Fh3vKtZE93c+avrcaYDwf3q/L4gh+3b87lVDfzjrp
-L+MPTpEzWiyyLfr/kLA0TgUjnrj9bav5uDps8mJpNf8s9ZP1/QDhF5sCgYEAyVZA
-pHSIyBI2GT0+92JXvYDK/ZfV5m4RGHaG/PMDoU4IbGbjHVyzzsyzDUgvOASXwfF8
-YzwX7Tf95RZw12P/Jepxt0vqBJPKUCsMLUrmANQvN1Pz8+Vk6UADLM7kNc06MqB9
-/U3GKCFZZuedEhbgXnEV9gzelhILImJGZMxG0zMCgYApymnofLHjGXMHOcvSQmv4
-XuiODShikB59n1rd6YkE6xOfL7YtlEOCjLoipMWBshnuHcUigQUDvSFWTGz0rwMo
-VAKGyOA8zcR5zO4vbVeGJtnYy+SAXlfrjQTNV8K0fK8fXJI+cW9aZ1H9/ntrO0vq
-ejye0t4zEYTvlf782iuKRQKBgQCnTQ7mGRfX+JoPmv8JniR+idkjpNnPYsK96y/8
-XQs1LJx/R3eN3IxlWV+nt8XU7KwWMs5Dv5m6Ov61MFKQCL3qCch4oZJSP2Sr/Tlf
-IY/CPI8HkLF0h7e0wsZgo4Kq2mBz1T0cEVaJ3jxl8Cxq7at/jsTK8qK7XT73UWZh
-OAXaVQKBgDmg2QTX7c0/dbDMOuw18g3xfE/oqU+VWT784wtvpcdjHR+KAVLWHG8l
-oc/bm8Bs0o0f5dfH7uUvWdP6JMvbgYZBgIMqw+iH8P2lFCLzIRf0me/l+r0Oi64U
-5jp9K+7Ggc7S0SSnCLmBLMN5lXQZbhzks1La7DZmFeAz8rOEnlUB
------END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/extensions.kdc
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/extensions.kdc b/lib/kerby-pkix/src/test/resources/extensions.kdc
deleted file mode 100644
index 8052f71..0000000
--- a/lib/kerby-pkix/src/test/resources/extensions.kdc
+++ /dev/null
@@ -1,36 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/kdccert.pem
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/kdccert.pem b/lib/kerby-pkix/src/test/resources/kdccert.pem
deleted file mode 100644
index 67e538c..0000000
--- a/lib/kerby-pkix/src/test/resources/kdccert.pem
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
-DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
-YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
-MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
-c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
-A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
-a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
-fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
-quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
-nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
-EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
-JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
-DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
-Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
-HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
-ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
-AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
-YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
-txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
-R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
-FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
-5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/kdckey.pem
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/kdckey.pem b/lib/kerby-pkix/src/test/resources/kdckey.pem
deleted file mode 100644
index c9e75e2..0000000
--- a/lib/kerby-pkix/src/test/resources/kdckey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
-8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
-2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
-GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
-fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
-DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
-QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
-6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
-bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
-5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
-8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
-XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
-kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
-Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
-P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
-KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
-qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
-7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
-UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
-n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
-5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
-AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
-KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
-9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
-7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
------END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/usercert.pem
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/usercert.pem b/lib/kerby-pkix/src/test/resources/usercert.pem
deleted file mode 100644
index 67e538c..0000000
--- a/lib/kerby-pkix/src/test/resources/usercert.pem
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEYjCCA0qgAwIBAgIJAL2ZFUkXCgK2MA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
-VQQGEwJjaDERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4w
-DAYDVQQKDAVpbnRlbDEQMA4GA1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0
-YTEiMCAGCSqGSIb3DQEJARYTa2FpLnpoZW5nQGludGVsLmNvbTAeFw0xNDA1MTMx
-MzI3MjFaFw0xNTA1MTMxMzI3MjFaMIGLMQswCQYDVQQGEwJjaDERMA8GA1UECAwI
-c2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ4wDAYDVQQKDAVpbnRlbDEQMA4G
-A1UECwwHYmlnZGF0YTEQMA4GA1UEAwwHYmlnZGF0YTEiMCAGCSqGSIb3DQEJARYT
-a2FpLnpoZW5nQGludGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMs0jF1fi5AVMunQ/jpxgSjRlpmVQyT//LrwBmyI77C+hCD4z/InoG4q2tl5
-fAH+2n7HHgon4E0QXyRxAz0+Ugun7qHW9oT2pnxoc1l8seyGNMK9adsxLpCv7RXK
-quqLcj34UQCzRDKxgkH5UBwxGY0kId0W1MqPh1LZRZIk1hakREC4DBj+slnDkN0s
-nh8pC/8q/hTPJ9QrqWT6oc1FjMVKz3FxFbxXELYxg4M6SXnzGzdWa3xSe4Ou0QO2
-EwncQUoo8N6plOKX5lncDhC2usT//AZHvKdcVmOwX0ByxZqGQIXk7g1kbsbG5m45
-JMjt/HnOQcfg88iSLKJZu+ODw00CAwEAAaOBxjCBwzAJBgNVHRMEAjAAMAsGA1Ud
-DwQEAwID6DASBgNVHSUECzAJBgcrBgEFAgMFMB0GA1UdDgQWBBS8Bmb9kTUkw61e
-Is+9KDV5U6JjyjAfBgNVHSMEGDAWgBQ/dUlTno38Mbt9/uTdE3WGxyW4ADAJBgNV
-HRIEAjAAMEoGA1UdEQRDMEGgPwYGKwYBBQICoDUwM6AOGwxTSC5JTlRFTC5DT02h
-ITAfoAMCAQGhGDAWGwZrcmJ0Z3QbDFNILklOVEVMLkNPTTANBgkqhkiG9w0BAQUF
-AAOCAQEAS/I0zH9ByFcXTF56I5aPmPdzYKpIpFF6Kkwyw0M2EuIcTcpDl74/xmq9
-YPHS6TSDAt3wHzs9JQlSWah04L0R+IgHVacLRgdXfTWqglFFH/pve3p49WCrYmWz
-txQeRV5dxzaE3oTdDq15DRkUJmt0GIk1x6ehrGZOpIL8oTFmVmnR7EgrKWlIMYCs
-R/GkEuCH15wadom/Hw5Db1KLPEjxCdwy947guOh4SO0fcW3h55V3troS/46TbVFF
-FvNSqGD+19/QM/MhLIy5OnTxOio8M9zp+yfDlzLnpbMi0ZO6tLvB4XhjvP0as34c
-5vCA/8HPfaearSyAYi2Ir9vT3O9J/w==
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/kerby-pkix/src/test/resources/userkey.pem
----------------------------------------------------------------------
diff --git a/lib/kerby-pkix/src/test/resources/userkey.pem b/lib/kerby-pkix/src/test/resources/userkey.pem
deleted file mode 100644
index c9e75e2..0000000
--- a/lib/kerby-pkix/src/test/resources/userkey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyzSMXV+LkBUy6dD+OnGBKNGWmZVDJP/8uvAGbIjvsL6EIPjP
-8iegbira2Xl8Af7afsceCifgTRBfJHEDPT5SC6fuodb2hPamfGhzWXyx7IY0wr1p
-2zEukK/tFcqq6otyPfhRALNEMrGCQflQHDEZjSQh3RbUyo+HUtlFkiTWFqREQLgM
-GP6yWcOQ3SyeHykL/yr+FM8n1CupZPqhzUWMxUrPcXEVvFcQtjGDgzpJefMbN1Zr
-fFJ7g67RA7YTCdxBSijw3qmU4pfmWdwOELa6xP/8Bke8p1xWY7BfQHLFmoZAheTu
-DWRuxsbmbjkkyO38ec5Bx+DzyJIsolm744PDTQIDAQABAoIBAQC4Byb3iQgDvK8X
-QcZ7dz/Zj7Yr8RmV8J8ZTTcEJB+umVtf4PWyAGEyZG0+dt7vj7ahCgMSf3qLUEBZ
-6F9en4n+NF/RAbTQRfAQyydr65nW8tPlaVTsxWW+cxTrn1eagh88MB5r2+3vWwL0
-bK04Wt8hC4//giXELKgJR+vRprqcVRgy11nYaTP59IDdg4YscbHfc/LYa7ABQ1G5
-5NKtjMy13UvtD/4C3TS1NpL2xtzAgQRe3XFDIyOmv476Ts1boqSHBFX+MXmLBAfi
-8Qhaj1DO8A0HS/c4egcL6esCe4kcgtCuq66n8JzOlVbCDGOYIUkUyQ9Nfo31M5i5
-XhqF9CsBAoGBAP7PqkncLAvyjHQKPpDyWCBtkV7z+DWRZRPz4w8tit+TiAv6hRF7
-kK+NUhP1mBuS4duyEV58B8LWOR0ir7ftbL0/unxR1XWMOvTEHr/9lG1sKZoI0dJS
-Ee+VvuVFwdm/ABxfnveGCRrSHY7GAvFln3gC1Cst3NPPKbpznb3FiH/JAoGBAMwn
-P1Labt/OuzB70Vxve3TCeFA6jYzcYdA3riv1V0FIWoNgcQ742b0+6HDpEQgn4Rdb
-KiKz8hSplM1nx8NyWwS9r7gRQ9HIc0qC5S4A0A9QEbdKrkUiQDlwHgdDKPPCWih9
-qH05etiQ044BtOq7uXsWYqiIomOW/XyDUEhbRRFlAoGALmVnj01Mo9xFILfgzomh
-7D2nE4/+qNpRekGVHWVgfPci9XNnGVjTbnOf90xnptWm1Fbm/Lo+u4ZAHgL71dSg
-UREyhoJsCJxA++Jd6v1kMkxYgtiKQ+53n5U3jg2Wj2xMu93ZVx6Lt9t8UEvTq1qi
-n7p8IWSXaeW1pmJ43V4DTakCgYAFcSpj+ASqnKUqxrIvB52/4As7AESTs7A7z7Ap
-5dFcoSQgimqZHpMXU1z43Y2hrQZ4C+sUn71dRaP80b5mfF7mwnOzsWogZnqESvb3
-AfiJ3/WI8Emy+BXEMjPqt6SY0t56Y9cg925J5ZpuF6eN9lEccd1RZssFYpoBPrLe
-KuitbQKBgQC3DNejUqol2max6rf4h/GnwLE2BOTmFLnswexlw76p/63Jo1SaVpk7
-9nAltsqNCl4L/eAJ8hJdeTE5YVjYsgAVJrXZbiRfxHBMeHj9g0d1VafGqdomKf0R
-7Qytlcvsw8jn96ckEMPPLJF0bX5cu9S6lMyEbb6Ih41P13uvgP6ufg==
------END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/lib/pom.xml
----------------------------------------------------------------------
diff --git a/lib/pom.xml b/lib/pom.xml
index 2185fdd..d2859f3 100644
--- a/lib/pom.xml
+++ b/lib/pom.xml
@@ -29,7 +29,6 @@
   <modules>
     <module>kerby-config</module>
     <module>kerby-event</module>
-    <module>kerby-pkix</module>
     <module>kerby-util</module>
   </modules>
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/80749319/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 42a1f3a..625d7c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,6 +45,7 @@
     <module>kdc-backend</module>
     <module>kerby-dist</module>
     <module>benchmark</module>
+    <module>kerby-provider</module>
   </modules>
 
   <dependencyManagement>