directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject directory-kerby git commit: DIRKRB-533 Implementing ApRequest and ApResponse.
Date Wed, 13 Apr 2016 07:05:31 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk ddd4112f8 -> 752799ec9


DIRKRB-533 Implementing ApRequest and ApResponse.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/752799ec
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/752799ec
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/752799ec

Branch: refs/heads/trunk
Commit: 752799ec930b77e2099a8940f249f81703541897
Parents: ddd4112
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Wed Apr 13 15:10:30 2016 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Wed Apr 13 15:10:30 2016 +0800

----------------------------------------------------------------------
 .../kerby/kerberos/kerb/request/ApRequest.java  | 130 +++++++++++++++++++
 .../kerberos/kerb/response/ApResponse.java      |  80 ++++++++++++
 .../kerberos/kerb/server/ApRequestTest.java     |  75 +++++++++++
 3 files changed, 285 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/752799ec/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
new file mode 100644
index 0000000..82666a6
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -0,0 +1,130 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.request;
+
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ap.ApOption;
+import org.apache.kerby.kerberos.kerb.type.ap.ApOptions;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+
+/**
+ * A wrapper for ApReq request
+ * The client principal and sgt ticket are needed to create ApReq message.
+ */
+public class ApRequest {
+
+    private PrincipalName clientPrincipal;
+    private SgtTicket sgtTicket;
+    private ApReq apReq;
+
+    public ApRequest(PrincipalName clientPrincipal, SgtTicket sgtTicket) {
+        this.clientPrincipal = clientPrincipal;
+        this.sgtTicket = sgtTicket;
+    }
+
+    public ApReq getApReq() throws KrbException {
+        if (apReq == null) {
+            apReq = makeApReq();
+        }
+        return apReq;
+    }
+
+    public void setApReq(ApReq apReq) {
+        this.apReq = apReq;
+    }
+
+    private ApReq makeApReq() throws KrbException {
+        ApReq apReq = new ApReq();
+
+        Authenticator authenticator = makeAuthenticator();
+        EncryptionKey sessionKey = sgtTicket.getSessionKey();
+        EncryptedData authData = EncryptionUtil.seal(authenticator,
+                sessionKey, KeyUsage.AP_REQ_AUTH);
+        apReq.setEncryptedAuthenticator(authData);
+        apReq.setAuthenticator(authenticator);
+        apReq.setTicket(sgtTicket.getTicket());
+        ApOptions apOptions = new ApOptions();
+        apOptions.setFlag(ApOption.USE_SESSION_KEY);
+        apReq.setApOptions(apOptions);
+
+        return apReq;
+    }
+
+    /*
+     * Make the Authenticator for ApReq.
+     */
+    private Authenticator makeAuthenticator() throws KrbException {
+        Authenticator authenticator = new Authenticator();
+        authenticator.setAuthenticatorVno(5);
+        authenticator.setCname(clientPrincipal);
+        authenticator.setCrealm(sgtTicket.getRealm());
+        authenticator.setCtime(KerberosTime.now());
+        authenticator.setCusec(0);
+        authenticator.setSubKey(sgtTicket.getSessionKey());
+
+        return authenticator;
+    }
+
+    /*
+     *  Validate the ApReq.
+     */
+    public static void validate(EncryptionKey encKey, ApReq apReq) throws KrbException {
+        Ticket ticket = apReq.getTicket();
+
+        if (encKey == null) {
+            throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
+        }
+        EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
+                encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
+        ticket.setEncPart(encPart);
+
+        unsealAuthenticator(encPart.getKey(), apReq);
+
+        Authenticator authenticator = apReq.getAuthenticator();
+        if (!authenticator.getCname().equals(ticket.getEncPart().getCname())) {
+            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
+        }
+        if (!authenticator.getCrealm().equals(ticket.getEncPart().getCrealm())) {
+            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
+        }
+    }
+
+    /*
+     *  Unseal the authenticator through the encryption key from ticket
+     */
+    public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException
{
+        EncryptedData authData = apReq.getEncryptedAuthenticator();
+
+        Authenticator authenticator = EncryptionUtil.unseal(authData,
+                encKey, KeyUsage.AP_REQ_AUTH, Authenticator.class);
+        apReq.setAuthenticator(authenticator);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/752799ec/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
new file mode 100644
index 0000000..2d01004
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
@@ -0,0 +1,80 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.response;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
+
+/**
+ * A wrapper for ApRep request.
+ */
+public class ApResponse {
+    private ApReq apReq;
+    private ApRep apRep;
+    EncryptionKey encryptionKey;
+
+    public ApResponse(ApReq apReq, EncryptionKey encryptionKey) {
+        this.apReq = apReq;
+        this.encryptionKey = encryptionKey;
+    }
+
+    public ApRep getApRep() throws KrbException {
+        ApRequest.validate(encryptionKey, apReq);
+
+        if (apRep == null) {
+            apRep = makeApRep();
+        }
+        return apRep;
+    }
+
+    public void setApRep(ApRep apRep) {
+        this.apRep = apRep;
+    }
+
+    /*
+     *  The KRB_AP_REP message contains the Kerberos protocol version number,
+     *  the message type, and an encrypted time-stamp.
+     */
+    private ApRep makeApRep() throws KrbException {
+
+        ApRep apRep = new ApRep();
+        EncAPRepPart encAPRepPart = new EncAPRepPart();
+        // This field contains the current time on the client's host.
+        encAPRepPart.setCtime(KerberosTime.now());
+        // This field contains the microsecond part of the client's timestamp.
+        encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds());
+        encAPRepPart.setSubkey(apReq.getAuthenticator().getSubKey());
+        encAPRepPart.setSeqNumber(0);
+        apRep.setEncRepPart(encAPRepPart);
+        EncryptedData encPart = EncryptionUtil.seal(encAPRepPart,
+                apReq.getAuthenticator().getSubKey(), KeyUsage.AP_REP_ENCPART);
+        apRep.setEncryptedEncPart(encPart);
+
+        return apRep;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/752799ec/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/ApRequestTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/ApRequestTest.java
b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/ApRequestTest.java
new file mode 100644
index 0000000..da868f9
--- /dev/null
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/ApRequestTest.java
@@ -0,0 +1,75 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.response.ApResponse;
+import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class ApRequestTest extends KdcTestBase {
+
+    @Test
+    public void test() throws IOException, KrbException {
+
+        TgtTicket tgt = null;
+        SgtTicket tkt = null;
+
+        try {
+            tgt = getKrbClient().requestTgt(getClientPrincipal(),
+                    getClientPassword());
+            assertThat(tgt).isNotNull();
+
+            tkt = getKrbClient().requestSgt(tgt, getServerPrincipal());
+            assertThat(tkt).isNotNull();
+        } catch (Exception e) {
+            System.out.println("Exception occurred with good password");
+            e.printStackTrace();
+            Assert.fail();
+        }
+
+        ApRequest apRequest = new ApRequest(new PrincipalName(getClientPrincipal()), tkt);
+        ApReq apReq = apRequest.getApReq();
+
+        assertThat(apReq.getPvno()).isEqualTo(5);
+        assertThat(apReq.getMsgType()).isEqualTo(KrbMessageType.AP_REQ);
+        assertThat(apReq.getAuthenticator().getCname()).isEqualTo(tgt.getClientPrincipal());
+        assertThat(apReq.getAuthenticator().getCrealm()).isEqualTo(tgt.getRealm());
+
+        EncryptionKey encryptedKey = getKdcServer().getKadmin().getPrincipal(
+                getServerPrincipal()).getKey(tkt.getTicket().getEncryptedEncPart().getEType());
+        ApResponse apResponse = new ApResponse(apReq, encryptedKey);
+        ApRep apRep = apResponse.getApRep();
+        assertThat(apRep.getPvno()).isEqualTo(5);
+        assertThat(apRep.getMsgType()).isEqualTo(KrbMessageType.AP_REP);
+    }
+}


Mime
View raw message