directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject directory-kerby git commit: [DIRKRB-124]-Implementing preauth/FAST framework.
Date Tue, 26 May 2015 05:39:36 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/master f6c9665dc -> c0f382089


[DIRKRB-124]-Implementing preauth/FAST framework.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/c0f38208
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/c0f38208
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/c0f38208

Branch: refs/heads/master
Commit: c0f3820890ef505529920b465084925a27b9037d
Parents: f6c9665
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Tue May 26 13:44:17 2015 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Tue May 26 13:44:17 2015 +0800

----------------------------------------------------------------------
 .../kerb/client/preauth/KrbFastContext.java     |  86 ------------
 .../client/preauth/KrbFastRequestState.java     |  86 ++++++++++++
 .../kerb/client/request/ArmoredAsRequest.java   | 134 +++++++++++++++++--
 .../kerberos/kerb/client/request/AsRequest.java |  14 +-
 .../kerb/client/request/KdcRequest.java         |  47 ++++++-
 .../kerb/client/request/TgsRequest.java         |  26 ++--
 .../kerberos/kerb/common/CheckSumUtil.java      |  47 +++++++
 .../kerb/server/request/KdcRequest.java         |  70 ++++++++++
 8 files changed, 388 insertions(+), 122 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastContext.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastContext.java
deleted file mode 100644
index 7aa031e..0000000
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastContext.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *  
- *    http://www.apache.org/licenses/LICENSE-2.0
- *  
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License. 
- *  
- */
-package org.apache.kerby.kerberos.kerb.client.preauth;
-
-import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.spec.fast.FastOptions;
-import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
-import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
-
-/**
- * Maintaining FAST processing state in client side per request.
- */
-public class KrbFastContext {
-
-    private KdcReq fastOuterRequest;
-    private EncryptionKey armorKey;
-    private KrbFastArmor fastArmor;
-    private FastOptions fastOptions;
-    private int nonce;
-    private int fastFlags;
-
-    public KdcReq getFastOuterRequest() {
-        return fastOuterRequest;
-    }
-
-    public void setFastOuterRequest(KdcReq fastOuterRequest) {
-        this.fastOuterRequest = fastOuterRequest;
-    }
-
-    public EncryptionKey getArmorKey() {
-        return armorKey;
-    }
-
-    public void setArmorKey(EncryptionKey armorKey) {
-        this.armorKey = armorKey;
-    }
-
-    public KrbFastArmor getFastArmor() {
-        return fastArmor;
-    }
-
-    public void setFastArmor(KrbFastArmor fastArmor) {
-        this.fastArmor = fastArmor;
-    }
-
-    public FastOptions getFastOptions() {
-        return fastOptions;
-    }
-
-    public void setFastOptions(FastOptions fastOptions) {
-        this.fastOptions = fastOptions;
-    }
-
-    public int getNonce() {
-        return nonce;
-    }
-
-    public void setNonce(int nonce) {
-        this.nonce = nonce;
-    }
-
-    public int getFastFlags() {
-        return fastFlags;
-    }
-
-    public void setFastFlags(int fastFlags) {
-        this.fastFlags = fastFlags;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastRequestState.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastRequestState.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastRequestState.java
new file mode 100644
index 0000000..5db3d5e
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/KrbFastRequestState.java
@@ -0,0 +1,86 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.preauth;
+
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.fast.FastOptions;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+
+/**
+ * Maintaining FAST processing state in client side per request.
+ */
+public class KrbFastRequestState {
+
+    private KdcReq fastOuterRequest;
+    private EncryptionKey armorKey;
+    private KrbFastArmor fastArmor;
+    private FastOptions fastOptions;
+    private int nonce;
+    private int fastFlags;
+
+    public KdcReq getFastOuterRequest() {
+        return fastOuterRequest;
+    }
+
+    public void setFastOuterRequest(KdcReq fastOuterRequest) {
+        this.fastOuterRequest = fastOuterRequest;
+    }
+
+    public EncryptionKey getArmorKey() {
+        return armorKey;
+    }
+
+    public void setArmorKey(EncryptionKey armorKey) {
+        this.armorKey = armorKey;
+    }
+
+    public KrbFastArmor getFastArmor() {
+        return fastArmor;
+    }
+
+    public void setFastArmor(KrbFastArmor fastArmor) {
+        this.fastArmor = fastArmor;
+    }
+
+    public FastOptions getFastOptions() {
+        return fastOptions;
+    }
+
+    public void setFastOptions(FastOptions fastOptions) {
+        this.fastOptions = fastOptions;
+    }
+
+    public int getNonce() {
+        return nonce;
+    }
+
+    public void setNonce(int nonce) {
+        this.nonce = nonce;
+    }
+
+    public int getFastFlags() {
+        return fastFlags;
+    }
+
+    public void setFastFlags(int fastFlags) {
+        this.fastFlags = fastFlags;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
index f0831ee..8ad5a88 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
@@ -19,13 +19,37 @@
  */
 package org.apache.kerby.kerberos.kerb.client.request;
 
+import org.apache.kerby.KOptions;
 import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.ccache.Credential;
 import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
-import org.apache.kerby.KOptions;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
 import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.preauth.KrbFastRequestState;
+import org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.spec.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.spec.base.CheckSumType;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.fast.ArmorType;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmoredReq;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.AsReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
 
 import java.io.File;
 import java.io.IOException;
@@ -35,11 +59,27 @@ import java.io.IOException;
  */
 public abstract class ArmoredAsRequest extends AsRequest {
 
+    private Credential credential;
+    private EncryptionKey subKey;
+
     public ArmoredAsRequest(KrbContext context) {
         super(context);
     }
 
     @Override
+    protected void preauth() throws KrbException {
+        makeArmorKey();
+        super.preauth();
+    }
+
+    @Override
+    public void process() throws KrbException {
+        super.process();
+        fastAsArmor();
+        getKdcReq().getPaData().addElement(makeFastEntry());
+    }
+
+    @Override
     public KOptions getPreauthOptions() {
         KOptions results = new KOptions();
 
@@ -49,27 +89,45 @@ public abstract class ArmoredAsRequest extends AsRequest {
         return results;
     }
 
+    @Override
+    public EncryptionKey getClientKey() throws KrbException {
+        return getFastRequestState().getArmorKey();
+    }
+
     /**
      * Prepare FAST armor key.
      * @return
      * @throws KrbException
      */
     protected EncryptionKey makeArmorKey() throws KrbException {
-        EncryptionKey subKey = null;
-        EncryptionKey armorCacheKey = getArmorCacheKey();
-        EncryptionKey armorKey = FastUtil.cf2(subKey, "subkeyarmor", armorCacheKey, "ticketarmor");
+        getCredential();
 
+        EncryptionKey armorCacheKey = getArmorCacheKey();
+        subKey = getSubKey(armorCacheKey.getKeyType());
+        EncryptionKey armorKey = FastUtil.cf2(subKey, "subkeyarmor",
+            armorCacheKey, "ticketarmor");
+        getFastRequestState().setArmorKey(armorKey);
         return armorKey;
     }
 
+    protected EncryptionKey getSubKey(EncryptionType type) throws KrbException {
+        return EncryptionHandler.random2Key(type);
+    }
+
     /**
      * Get armor cache key.
      * @return armor cache key
      * @throws KrbException
      */
     protected EncryptionKey getArmorCacheKey() throws KrbException {
+        EncryptionKey armorCacheKey = credential.getKey();
+
+        return armorCacheKey;
+    }
+
+    private void getCredential() throws KrbException {
         KOptions preauthOptions = getPreauthOptions();
-        String ccache = preauthOptions.getStringOption(KrbOption.KRB5_CACHE);
+        String ccache = preauthOptions.getStringOption(KrbOption.ARMOR_CACHE);
         File ccacheFile = new File(ccache);
         CredentialCache cc = null;
         try {
@@ -77,9 +135,67 @@ public abstract class ArmoredAsRequest extends AsRequest {
         } catch (IOException e) {
             throw new KrbException("Failed to load armor cache file");
         }
-        EncryptionKey armorCacheKey =
-                cc.getCredentials().iterator().next().getKey();
+        // TODO: get the right credential.
+        this.credential = cc.getCredentials().iterator().next();
+    }
 
-        return armorCacheKey;
+    public void fastAsArmor() throws KrbException {
+        KrbFastRequestState state = getFastRequestState();
+        state.setArmorKey(getArmorKey());
+        state.setFastArmor(fastArmorApRequest(subKey, credential));
+        KdcReq fastOuterRequest = new AsReq();
+        fastOuterRequest.setReqBody(getKdcReq().getReqBody());
+        fastOuterRequest.setPaData(null);
+        state.setFastOuterRequest(fastOuterRequest);
+        setFastRequestState(state);
+
+        setOuterRequestBody(state.getFastOuterRequest().encode());
+    }
+
+    private PaDataEntry makeFastEntry() throws KrbException {
+        KrbFastRequestState state = getFastRequestState();
+
+        KrbFastReq fastReq = new KrbFastReq();
+        fastReq.setKdcReqBody(getKdcReq().getReqBody());
+        fastReq.setFastOptions(state.getFastOptions());
+
+        KrbFastArmoredReq armoredReq = new KrbFastArmoredReq();
+        armoredReq.setArmor(state.getFastArmor());
+        CheckSum reqCheckSum = CheckSumUtil.makeCheckSumWithKey(CheckSumType.NONE,
+            getOuterRequestBody(), state.getArmorKey(), KeyUsage.FAST_REQ_CHKSUM);
+        armoredReq.setReqChecksum(reqCheckSum);
+        armoredReq.setEncryptedFastReq(EncryptionUtil.seal(fastReq, state.getArmorKey(),
+            KeyUsage.FAST_ENC));
+
+        PaDataEntry paDataEntry = new PaDataEntry();
+        paDataEntry.setPaDataType(PaDataType.FX_FAST);
+        paDataEntry.setPaDataValue(armoredReq.encode());
+
+        return paDataEntry;
+    }
+
+     public static KrbFastArmor fastArmorApRequest(EncryptionKey subKey, Credential credential)
+        throws KrbException {
+        KrbFastArmor fastArmor = new KrbFastArmor();
+        fastArmor.setArmorType(ArmorType.ARMOR_AP_REQUEST);
+        ApReq apReq = makeApReq(subKey, credential);
+        fastArmor.setArmorValue(apReq.encode());
+        return fastArmor;
+    }
+
+    private static ApReq makeApReq(EncryptionKey subKey, Credential credential)
+        throws KrbException {
+        ApReq apReq = new ApReq();
+        ApOptions apOptions = new ApOptions();
+        apReq.setApOptions(apOptions);
+        Ticket ticket = credential.getTicket();
+        apReq.setTicket(ticket);
+        Authenticator authenticator = makeAuthenticator(credential.getClientName(),
+            credential.getClientRealm(), subKey);
+        apReq.setAuthenticator(authenticator);
+        EncryptedData authnData = EncryptionUtil.seal(authenticator,
+            credential.getKey(), KeyUsage.AP_REQ_AUTH);
+        apReq.setEncryptedAuthenticator(authnData);
+        return apReq;
     }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
index 47c09e3..5aeba91 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
@@ -20,12 +20,20 @@
 package org.apache.kerby.kerberos.kerb.client.request;
 
 import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
-import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.common.KrbUtil;
-import org.apache.kerby.kerberos.kerb.spec.base.*;
-import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.HostAddress;
+import org.apache.kerby.kerberos.kerb.spec.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.kdc.AsReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
 
 import java.io.File;

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
index 0abb5a4..e017376 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -22,13 +22,20 @@ package org.apache.kerby.kerberos.kerb.client.request;
 import org.apache.kerby.KOptions;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
-import org.apache.kerby.kerberos.kerb.client.preauth.KrbFastContext;
+import org.apache.kerby.kerberos.kerb.client.preauth.KrbFastRequestState;
 import org.apache.kerby.kerberos.kerb.client.preauth.PreauthContext;
 import org.apache.kerby.kerberos.kerb.client.preauth.PreauthHandler;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerby.kerberos.kerb.spec.base.*;
+import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.HostAddress;
+import org.apache.kerby.kerberos.kerb.spec.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
 import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
 import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
 import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
@@ -60,8 +67,9 @@ public abstract class KdcRequest {
     private KdcRep kdcRep;
     protected Map<String, Object> credCache;
     private PreauthContext preauthContext;
-    private KrbFastContext fastContext;
+    private KrbFastRequestState fastRequestState;
     private EncryptionKey asKey;
+    private byte[] outerRequestBody;
 
     private boolean isRetrying;
 
@@ -71,7 +79,23 @@ public abstract class KdcRequest {
         this.credCache = new HashMap<String, Object>();
         this.preauthContext = context.getPreauthHandler()
                 .preparePreauthContext(this);
-        this.fastContext = new KrbFastContext();
+        this.fastRequestState = new KrbFastRequestState();
+    }
+
+    public KrbFastRequestState getFastRequestState() {
+        return fastRequestState;
+    }
+
+    public void setFastRequestState(KrbFastRequestState state) {
+        this.fastRequestState = state;
+    }
+
+    public byte[] getOuterRequestBody() {
+        return outerRequestBody;
+    }
+
+    public void setOuterRequestBody(byte[] outerRequestBody) {
+        this.outerRequestBody = outerRequestBody;
     }
 
     public void setSessionData(Object sessionData) {
@@ -319,7 +343,7 @@ public abstract class KdcRequest {
      * Get a pointer to the FAST armor key, or NULL if the client is not using FAST.
      */
     public EncryptionKey getArmorKey() {
-        return fastContext.getArmorKey();
+        return fastRequestState.getArmorKey();
     }
 
     /**
@@ -353,4 +377,15 @@ public abstract class KdcRequest {
     public void cacheValue(String key, Object value) {
         credCache.put(key, value);
     }
-}
+
+    protected static Authenticator makeAuthenticator(PrincipalName clientName, String clientRealm,
EncryptionKey subKey)
+        throws KrbException {
+        Authenticator authenticator = new Authenticator();
+        authenticator.setCname(clientName);
+        authenticator.setCrealm(clientRealm);
+        authenticator.setCtime(KerberosTime.now());
+        authenticator.setCusec(0);
+        authenticator.setSubKey(subKey);
+        return authenticator;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
index 10b4dbb..c9d1144 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
@@ -19,10 +19,9 @@
  */
 package org.apache.kerby.kerberos.kerb.client.request;
 
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
 import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
@@ -30,7 +29,11 @@ import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
 import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
 import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncTgsRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
+import org.apache.kerby.kerberos.kerb.spec.kdc.TgsRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.TgsReq;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
@@ -85,7 +88,8 @@ public class TgsRequest extends KdcRequest {
     private ApReq makeApReq() throws KrbException {
         ApReq apReq = new ApReq();
 
-        Authenticator authenticator = makeAuthenticator();
+        Authenticator authenticator = makeAuthenticator(tgt.getClientPrincipal(), tgt.getRealm(),
+            tgt.getSessionKey());
         EncryptionKey sessionKey = tgt.getSessionKey();
         EncryptedData authnData = EncryptionUtil.seal(authenticator,
                 sessionKey, KeyUsage.TGS_REQ_AUTH);
@@ -98,20 +102,6 @@ public class TgsRequest extends KdcRequest {
         return apReq;
     }
 
-    private Authenticator makeAuthenticator() {
-        Authenticator authenticator = new Authenticator();
-        authenticator.setCname(tgt.getClientPrincipal());
-        authenticator.setCrealm(tgt.getRealm());
-
-        authenticator.setCtime(KerberosTime.now());
-        authenticator.setCusec(0);
-
-        EncryptionKey sessionKey = tgt.getSessionKey();
-        authenticator.setSubKey(sessionKey);
-
-        return authenticator;
-    }
-
     @Override
     public void processResponse(KdcRep kdcRep) throws KrbException {
         setKdcRep(kdcRep);

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
new file mode 100644
index 0000000..1231ef4
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
@@ -0,0 +1,47 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.common;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.spec.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.spec.base.CheckSumType;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+
+public class CheckSumUtil {
+
+    public static CheckSum makeCheckSum(CheckSumType checkSumType, byte[] input)
+        throws KrbException {
+        return CheckSumHandler.checksum(checkSumType, input);
+    }
+
+    public static CheckSum makeCheckSumWithKey(CheckSumType checkSumType, byte[] input,
+                                               EncryptionKey key, KeyUsage usage)
+        throws KrbException {
+        if (checkSumType == CheckSumType.NONE) {
+            EncTypeHandler handler = EncryptionHandler.getEncHandler(key.getKeyType());
+            checkSumType = handler.checksumType();
+        }
+        return CheckSumHandler.checksumWithKey(checkSumType, input, key.getKeyData(), usage);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c0f38208/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index bd9a43d..82cce78 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -22,17 +22,27 @@ package org.apache.kerby.kerberos.kerb.server.request;
 import org.apache.kerby.kerberos.kerb.*;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.common.KrbUtil;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
 import org.apache.kerby.kerberos.kerb.identity.KrbIdentity;
 import org.apache.kerby.kerberos.kerb.server.KdcContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.KdcFastContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.PreauthContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.PreauthHandler;
+import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
 import org.apache.kerby.kerberos.kerb.spec.base.*;
+import org.apache.kerby.kerberos.kerb.spec.fast.ArmorType;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmoredReq;
+import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastReq;
 import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
 import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.ticket.EncTicketPart;
 import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
 
 import java.net.InetAddress;
@@ -59,6 +69,7 @@ public abstract class KdcRequest {
     private PreauthContext preauthContext;
     private KdcFastContext fastContext;
     private PrincipalName serverPrincipal;
+    private byte[] innerBodyout;
 
     public KdcRequest(KdcReq kdcReq, KdcContext kdcContext) {
         this.kdcReq = kdcReq;
@@ -83,6 +94,7 @@ public abstract class KdcRequest {
 
     public void process() throws KrbException {
         checkVersion();
+        kdcFindFast();
         checkClient();
         checkServer();
         preauth();
@@ -91,6 +103,56 @@ public abstract class KdcRequest {
         makeReply();
     }
 
+    private void kdcFindFast() throws KrbException {
+
+        PaData paData = getKdcReq().getPaData();
+        for (PaDataEntry paEntry : paData.getElements()) {
+            if (paEntry.getPaDataType() == PaDataType.FX_FAST) {
+                KrbFastArmoredReq fastArmoredReq = KrbCodec.decode(paEntry.getPaDataValue(),
+                    KrbFastArmoredReq.class);
+                KrbFastArmor fastArmor = fastArmoredReq.getArmor();
+                armorApRequest(fastArmor);
+
+                EncryptedData encryptedData = fastArmoredReq.getEncryptedFastReq();
+                KrbFastReq fastReq = KrbCodec.decode(
+                    EncryptionHandler.decrypt(encryptedData, getArmorKey(), KeyUsage.FAST_ENC),
+                    KrbFastReq.class);
+                innerBodyout = fastReq.getKdcReqBody().encode();
+
+                // TODO: get checksumed date in stream
+                CheckSum checkSum = fastArmoredReq.getReqChecksum();
+                CheckSumHandler.verifyWithKey(checkSum, getKdcReq().getReqBody().encode(),
+                    getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM);
+            }
+        }
+    }
+
+    private void armorApRequest(KrbFastArmor fastArmor) throws KrbException {
+        if (fastArmor.getArmorType() == ArmorType.ARMOR_AP_REQUEST) {
+            ApReq apReq = KrbCodec.decode(fastArmor.getArmorValue(), ApReq.class);
+
+            Ticket ticket = apReq.getTicket();
+            EncryptionType encType = ticket.getEncryptedEncPart().getEType();
+            EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
+            if (ticket.getTktvno() != KrbConstant.KRB_V5) {
+                throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
+            }
+
+            EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
+                tgsKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
+            ticket.setEncPart(encPart);
+
+            EncryptionKey encKey = ticket.getEncPart().getKey();
+
+            Authenticator authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(),
+                encKey, KeyUsage.AP_REQ_AUTH, Authenticator.class);
+
+            EncryptionKey armorKey = FastUtil.cf2(authenticator.getSubKey(), "subkeyarmor",
+                encKey, "ticketarmor");
+            setArmorKey(armorKey);
+        }
+    }
+
     public KrbIdentity getTgsEntry() {
         return tgsEntry;
     }
@@ -359,7 +421,15 @@ public abstract class KdcRequest {
         return fastContext.getArmorKey();
     }
 
+    public void setArmorKey(EncryptionKey armorKey) {
+        fastContext.setArmorKey(armorKey);
+    }
+
     public PrincipalName getServerPrincipal() {
         return serverPrincipal;
     }
+
+    public byte[] getInnerBodyout() {
+        return innerBodyout;
+    }
 }


Mime
View raw message