directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dran...@apache.org
Subject [2/2] directory-kerby git commit: DIRKRB-542. Kerby Authorization. Contributed by Gerard Gagliano
Date Sun, 29 May 2016 21:08:56 GMT
DIRKRB-542. Kerby Authorization. Contributed by Gerard Gagliano


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/f751d390
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/f751d390
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/f751d390

Branch: refs/heads/trunk
Commit: f751d3906ed7b8c0e823dc372afd4c2876b99546
Parents: 369f27d
Author: Kai Zheng <kai.zheng@intel.com>
Authored: Mon May 30 05:08:31 2016 +0800
Committer: Kai Zheng <kai.zheng@intel.com>
Committed: Mon May 30 05:08:31 2016 +0800

----------------------------------------------------------------------
 .../org/apache/kerby/asn1/Asn1FieldInfo.java    |  12 +-
 .../kerby/asn1/type/AbstractAsn1Type.java       |   4 +
 .../kerby/asn1/type/Asn1CollectionType.java     |  53 +++--
 .../apache/kerby/asn1/type/Asn1Constructed.java |   5 +
 .../apache/kerby/asn1/type/Asn1Encodeable.java  |  12 +-
 .../org/apache/kerby/asn1/type/Asn1Simple.java  |   1 +
 .../kerberos/kdc/impl/NettyKdcHandler.java      |  14 ++
 .../kdc/impl/NettyKdcUdpServerHandler.java      |  14 ++
 .../client/preauth/pkinit/PkinitPreauth.java    |  29 +--
 .../kerby/kerberos/kerb/type/ad/ADAndOr.java    |  78 +++++++
 .../kerb/type/ad/ADAuthenticationIndicator.java |  82 +++++++
 .../kerby/kerberos/kerb/type/ad/ADCamMac.java   | 187 ++++++++++++++++
 .../kerb/type/ad/ADEnctypeNegotiation.java      |  83 +++++++
 .../type/ad/ADIntendedForApplicationClass.java  | 179 +++++++++++++++
 .../kerb/type/ad/ADIntendedForServer.java       | 162 ++++++++++++++
 .../kerberos/kerb/type/ad/ADKdcIssued.java      | 169 +++++++++++++++
 .../kerby/kerberos/kerb/type/ad/AndOr.java      |  87 ++++++++
 .../kerb/type/ad/AuthorizationData.java         |  10 +
 .../kerb/type/ad/AuthorizationDataEntry.java    |  49 ++++-
 .../kerb/type/ad/AuthorizationDataWrapper.java  | 118 ++++++++++
 .../kerb/type/ad/AuthorizationType.java         | 217 ++++++++++++++++++-
 .../kerb/type/ad/CamMacOtherVerifiers.java      |  30 +++
 .../kerb/type/ad/CamMacVerifierChoice.java      |  67 ++++++
 .../kerb/type/ad/CamMacVerifierMac.java         | 107 +++++++++
 .../kerberos/kerb/type/ad/PrincipalList.java    |  31 +++
 .../kerby/kerberos/kerb/type/base/KeyUsage.java |   3 +-
 .../kerby/kerberos/kerb/codec/ADTest.java       | 143 ++++++++++++
 .../codec/PkinitAnonymousAsRepCodecTest.java    |   2 +-
 .../codec/PkinitAnonymousAsReqCodecTest.java    |  22 +-
 .../kerb/identity/CacheableIdentityService.java |  13 ++
 .../kerberos/kerb/identity/IdentityService.java |  12 +
 .../backend/AbstractIdentityBackend.java        |  34 +++
 .../kerb/server/preauth/PreauthHandler.java     |  16 +-
 .../kerb/server/request/KdcRequest.java         |  46 ++--
 .../kerb/server/request/TgsRequest.java         |   2 +-
 .../kerb/server/request/TicketIssuer.java       |  13 ++
 36 files changed, 2023 insertions(+), 83 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
index 72182b0..fcad437 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1FieldInfo.java
@@ -29,6 +29,7 @@ public class Asn1FieldInfo {
     private int tagNo = -1; // Indicate a non-tagged field
     private boolean isImplicit;
     private Class<? extends Asn1Type> type;
+    private Tag tag = null;
 
     /**
      * Constructor for a tagged field, the tagNo being the same of index.
@@ -101,7 +102,14 @@ public class Asn1FieldInfo {
     }
 
     public Tag getFieldTag() {
-        Asn1Type fieldValue = createFieldValue();
-        return fieldValue.tag();
+        if (tag == null) {
+            Asn1Type fieldValue = createFieldValue();
+            tag = fieldValue.tag();
+        }
+        return tag;
+    }
+
+    public Class<? extends Asn1Type> getType() {
+        return type;
     }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
index 96c68a1..001c40e 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/AbstractAsn1Type.java
@@ -73,7 +73,11 @@ public abstract class AbstractAsn1Type<T> extends Asn1Encodeable {
     }
 
     public void setValue(T value) {
+        resetBodyLength();
         this.value = value;
+        if (value instanceof Asn1Encodeable) {
+            ((Asn1Encodeable) value).outerEncodeable = this;
+        }
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
index 8f546c6..d19864c 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
@@ -90,7 +90,6 @@ public abstract class Asn1CollectionType
 
     @Override
     protected void decodeBody(Asn1ParseResult parseResult) throws IOException {
-        checkAndInitFields();
         useDefinitiveLength(parseResult.isDefinitiveLength());
 
         Asn1Container container = (Asn1Container) parseResult;
@@ -115,8 +114,9 @@ public abstract class Asn1CollectionType
 
     private void attemptBinding(Asn1ParseResult parseItem,
                                 int foundPos) throws IOException {
-        Asn1Type fieldValue = fields[foundPos];
         Asn1FieldInfo fieldInfo = fieldInfos[foundPos];
+        checkAndInitField(foundPos);
+        Asn1Type fieldValue = fields[foundPos];
 
         if (fieldValue instanceof Asn1Any) {
             Asn1Any any = (Asn1Any) fieldValue;
@@ -146,30 +146,44 @@ public abstract class Asn1CollectionType
                     foundPos = i;
                     break;
                 }
-            } else if (fieldValue.tag().equals(parseItem.tag())) {
-                foundPos = i;
-                break;
-            } else if (fieldValue instanceof Asn1Choice) {
-                Asn1Choice aChoice = (Asn1Choice) fields[i];
-                if (aChoice.matchAndSetValue(parseItem.tag())) {
+            } else if (fieldValue != null) {
+                if (fieldValue.tag().equals(parseItem.tag())) {
+                    foundPos = i;
+                    break;
+                } else if (fieldValue instanceof Asn1Choice) {
+                    Asn1Choice aChoice = (Asn1Choice) fieldValue;
+                    if (aChoice.matchAndSetValue(parseItem.tag())) {
+                        foundPos = i;
+                        break;
+                    }
+                } else if (fieldValue instanceof Asn1Any) {
+                    foundPos = i;
+                    break;
+                }
+            } else {
+                if (fieldInfo.getFieldTag().equals(parseItem.tag())) {
+                    foundPos = i;
+                    break;
+
+                } else if (Asn1Choice.class
+                        .isAssignableFrom(fieldInfo.getType())) {
+                    Asn1Choice aChoice = (Asn1Choice) (fields[i] = fieldInfo
+                            .createFieldValue());
+                    if (aChoice.matchAndSetValue(parseItem.tag())) {
+                        foundPos = i;
+                        break;
+                    }
+                } else if (Asn1Any.class
+                        .isAssignableFrom(fieldInfo.getType())) {
                     foundPos = i;
                     break;
                 }
-            } else if (fieldValue instanceof Asn1Any) {
-                foundPos = i;
-                break;
             }
         }
 
         return foundPos;
     }
 
-    private void checkAndInitFields() {
-        for (int i = 0; i < fieldInfos.length; ++i) {
-            checkAndInitField(i);
-        }
-    }
-
     private void checkAndInitField(int index) {
         if (fields[index] == null) {
             fields[index] = fieldInfos[index].createFieldValue();
@@ -178,6 +192,7 @@ public abstract class Asn1CollectionType
 
     protected abstract Asn1Collection createCollection();
 
+    @SuppressWarnings("unchecked")
     protected <T extends Asn1Type> T getFieldAs(EnumType index, Class<T> t) {
         Asn1Type value = fields[index.getValue()];
         if (value == null) {
@@ -187,6 +202,10 @@ public abstract class Asn1CollectionType
     }
 
     protected void setFieldAs(EnumType index, Asn1Type value) {
+        resetBodyLength(); // Reset the pre-computed body length
+        if (value instanceof Asn1Encodeable) {
+            ((Asn1Encodeable) value).outerEncodeable = this;
+        }
         fields[index.getValue()] = value;
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
index fd8a187..6c62b6c 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Constructed.java
@@ -61,10 +61,15 @@ public class Asn1Constructed
     }
 
     public void addItem(Asn1Type value) {
+        resetBodyLength();
         getValue().add(value);
+        if (value instanceof Asn1Encodeable) {
+            ((Asn1Encodeable) value).outerEncodeable = this;
+        }
     }
 
     public void clear() {
+        resetBodyLength();
         getValue().clear();
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
index 0bd2e81..7f4e28f 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Encodeable.java
@@ -37,7 +37,8 @@ import java.nio.ByteBuffer;
  */
 public abstract class Asn1Encodeable extends Asn1Object implements Asn1Type {
 
-    private int bodyLength = -1;
+    protected int bodyLength = -1;
+    public Asn1Encodeable outerEncodeable = null;
 
     // encoding options
     private EncodingType encodingType = EncodingType.BER;
@@ -145,6 +146,15 @@ public abstract class Asn1Encodeable extends Asn1Object implements Asn1Type {
         encodeBody(buffer);
     }
 
+    public void resetBodyLength() {
+        if (bodyLength != -1) {
+            bodyLength = -1;
+            if (outerEncodeable != null) {
+                outerEncodeable.resetBodyLength();
+            }
+        }
+    }
+
     protected void encodeBody(ByteBuffer buffer) throws IOException { }
 
     @Override

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
index 2980086..cac3d60 100644
--- a/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
+++ b/kerby-common/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Simple.java
@@ -61,6 +61,7 @@ public abstract class Asn1Simple<T> extends AbstractAsn1Type<T> {
     }
 
     protected void setBytes(byte[] bytes) {
+        resetBodyLength();
         this.bytes = bytes;
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
index d442108..1253adf 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcHandler.java
@@ -58,6 +58,20 @@ public class NettyKdcHandler extends ChannelInboundHandlerAdapter {
         } catch (Exception e) {
             LOG.error("Error occurred while processing request:"
                     + e);
+            e.printStackTrace();
         }
     }
+
+    /**
+     * Calls {@link ChannelHandlerContext#fireExceptionCaught(Throwable)} to
+     * forward to the next {@link ChannelHandler} in the {@link ChannelPipeline}
+     *
+     * Sub-classes may override this method to change behavior.
+     */
+    @Override
+    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
+            throws Exception {
+        cause.printStackTrace();
+        ctx.fireExceptionCaught(cause);
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
index 797808e..04a314a 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcUdpServerHandler.java
@@ -60,6 +60,20 @@ public class NettyKdcUdpServerHandler extends SimpleChannelInboundHandler<Datagr
         } catch (Exception e) {
             LOG.error("Error occurred while processing request:"
                     + e.getMessage());
+            e.printStackTrace();
         }
     }
+
+    /**
+     * Calls {@link ChannelHandlerContext#fireExceptionCaught(Throwable)} to
+     * forward to the next {@link ChannelHandler} in the {@link ChannelPipeline}
+     *
+     * Sub-classes may override this method to change behavior.
+     */
+    @Override
+    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
+            throws Exception {
+        cause.printStackTrace();
+        ctx.fireExceptionCaught(cause);
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 230ccb0..3620f23 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -44,6 +44,7 @@ import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdenity;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
 import org.apache.kerby.kerberos.kerb.type.KerberosTime;
 import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
@@ -79,7 +80,6 @@ import java.util.Calendar;
 import java.util.Date;
 import java.util.List;
 
-@SuppressWarnings("PMD.UnusedFormalParameter")
 public class PkinitPreauth extends AbstractPreauthPlugin {
     private static final Logger LOG = LoggerFactory.getLogger(PkinitPreauth.class);
 
@@ -213,6 +213,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
                 processingRequest = true;
                 break;
             case PK_AS_REP:
+            default:
                 break;
         }
 
@@ -226,14 +227,17 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
         }
     }
 
+    @SuppressWarnings("unused")
     private void generateRequest(PkinitRequestContext reqCtx, KdcRequest kdcRequest,
                                  PaData outPadata) {
 
     }
 
+    @SuppressWarnings("unused")
     private PaPkAsReq makePaPkAsReq(KdcRequest kdcRequest,
                                     PkinitRequestContext reqCtx,
                                     int cusec, KerberosTime ctime, int nonce, CheckSum checkSum) throws KrbException {
+        KdcRequest kdc = kdcRequest;
 
         LOG.info("Making the PK_AS_REQ.");
         PaPkAsReq paPkAsReq = new PaPkAsReq();
@@ -291,30 +295,28 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
 
             authPack.setClientPublicValue(pubInfo);
 
-//            DhNonce dhNonce = new DhNonce();
-//            authPack.setClientDhNonce(dhNonce);
+            // DhNonce dhNonce = new DhNonce();
+            // authPack.setClientDhNonce(dhNonce);
             byte[] signedAuthPack = signAuthPack(authPack);
             paPkAsReq.setSignedAuthPack(signedAuthPack);
 
         } else {
             LOG.info("RSA key transport algorithm");
-//            authPack.setClientPublicValue(null);
+            // authPack.setClientPublicValue(null);
         }
 
-
-
         TrustedCertifiers trustedCertifiers = pkinitContext.pluginOpts.createTrustedCertifiers();
         paPkAsReq.setTrustedCertifiers(trustedCertifiers);
 
-//        byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
-//        paPkAsReq.setKdcPkId(kdcPkId);
+        // byte[] kdcPkId = pkinitContext.pluginOpts.createIssuerAndSerial();
+        // paPkAsReq.setKdcPkId(kdcPkId);
 
         return paPkAsReq;
     }
 
     private byte[] signAuthPack(AuthPack authPack) throws KrbException {
 
-        String oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
+        String oid = PkinitPlgCryptoContext.getIdPkinitAuthDataOID();
 
         byte[] signedDataBytes = PkinitCrypto.eContentInfoCreate(
                 KrbCodec.encode(authPack), oid);
@@ -348,7 +350,6 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
             PkinitCrypto.verifyCmsSignedData(
                     CmsMessageType.CMS_SIGN_SERVER, signedData);
 
-
             String anchorFileName = kdcRequest.getContext().getConfig().getPkinitAnchors().get(0);
 
             X509Certificate x509Certificate = null;
@@ -361,10 +362,12 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
             Certificate archorCertificate = PkinitCrypto.changeToCertificate(x509Certificate);
 
             CertificateSet certificateSet = signedData.getCertificates();
-            List<CertificateChoices> certificateChoicesList = certificateSet.getElements();
             List<Certificate> certificates = new ArrayList<>();
-            for (CertificateChoices certificateChoices : certificateChoicesList) {
-                certificates.add(certificateChoices.getCertificate());
+            if (certificateSet != null) {
+                List<CertificateChoices> certificateChoicesList = certificateSet.getElements();
+                for (CertificateChoices certificateChoices : certificateChoicesList) {
+                    certificates.add(certificateChoices.getCertificate());
+                }
             }
             try {
                 PkinitCrypto.validateChain(certificates, archorCertificate);

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java
new file mode 100644
index 0000000..50ac2f7
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAndOr.java
@@ -0,0 +1,78 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADAndOr extends AuthorizationDataEntry {
+
+    private KrbSequenceOfType<AndOr> myAndOr;
+
+    public ADAndOr() {
+        super(AuthorizationType.AD_AND_OR);
+        myAndOr = new KrbSequenceOfType<AndOr>();
+        myAndOr.outerEncodeable = this;
+    }
+
+    public ADAndOr(byte[] encoded) throws IOException {
+        this();
+        myAndOr.decode(encoded);
+    }
+
+    public ADAndOr(List<AndOr> elements) {
+        this();
+        for (AndOr element : elements) {
+            myAndOr.add(element);
+        }
+    }
+
+    public List<AndOr> getAndOrs() throws IOException {
+        return myAndOr.getElements();
+    }
+
+    public void add(AndOr element) {
+        myAndOr.add(element);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myAndOr.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myAndOr.dumpWith(dumper, indents + 8);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java
new file mode 100644
index 0000000..f76b4e2
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADAuthenticationIndicator.java
@@ -0,0 +1,82 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.type.Asn1Utf8String;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADAuthenticationIndicator extends AuthorizationDataEntry {
+
+    private AuthIndicator myAuthIndicator;
+
+    private class AuthIndicator extends KrbSequenceOfType<Asn1Utf8String> {
+    }
+
+    public ADAuthenticationIndicator() {
+        super(AuthorizationType.AD_AUTHENTICAION_INDICATOR);
+        myAuthIndicator = new AuthIndicator();
+        myAuthIndicator.outerEncodeable = this;
+    }
+
+    public ADAuthenticationIndicator(byte[] encoded) throws IOException {
+        this();
+        myAuthIndicator.decode(encoded);
+    }
+
+    public List<Asn1Utf8String> getAuthIndicators() {
+        return myAuthIndicator.getElements();
+    }
+
+    public void add(Asn1Utf8String indicator) {
+        myAuthIndicator.add(indicator);
+        resetBodyLength();
+    }
+
+    public void clear() {
+        myAuthIndicator.clear();
+        resetBodyLength();
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myAuthIndicator.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myAuthIndicator.dumpWith(dumper, indents + 8);
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java
new file mode 100644
index 0000000..138ba04
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADCamMac.java
@@ -0,0 +1,187 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * <pre>
+ * AD-CAMMAC                   ::= SEQUENCE {
+ *          elements              [0] AuthorizationData,
+ *          kdc-verifier          [1] Verifier-MAC OPTIONAL,
+ *          svc-verifier          [2] Verifier-MAC OPTIONAL,
+ *          other-verifiers       [3] SEQUENCE (SIZE (1..MAX))
+ *                                    OF Verifier OPTIONAL
+ *    }
+ * </pre>
+ *
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADCamMac extends AuthorizationDataEntry {
+
+    private CamMac myCamMac;
+
+    private static class CamMac extends KrbSequenceType {
+
+        protected enum CamMacField implements EnumType {
+            CAMMAC_elements, CAMMAC_kdc_verifier, CAMMAC_svc_verifier, CAMMAC_other_verifiers;
+
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The CamMac's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(CamMacField.CAMMAC_elements, AuthorizationData.class),
+                new ExplicitField(CamMacField.CAMMAC_kdc_verifier, CamMacVerifierMac.class),
+                new ExplicitField(CamMacField.CAMMAC_svc_verifier, CamMacVerifierMac.class),
+                new ExplicitField(CamMacField.CAMMAC_other_verifiers, CamMacOtherVerifiers.class)};
+
+        CamMac() {
+            super(fieldInfos);
+        }
+
+        CamMac(byte[] authzFields) {
+            super(fieldInfos);
+            super.setFieldAsOctets(AuthorizationDataEntryField.AD_DATA, authzFields);
+        }
+
+        CamMac(AuthorizationData authzData) {
+            super(fieldInfos);
+            setFieldAs(CamMacField.CAMMAC_elements, authzData);
+        }
+
+        public AuthorizationData getAuthorizationData() {
+            return getFieldAs(CamMacField.CAMMAC_elements, AuthorizationData.class);
+        }
+
+        public void setAuthorizationData(AuthorizationData authzData) {
+            setFieldAs(CamMacField.CAMMAC_elements, authzData);
+            resetBodyLength();
+        }
+
+        public CamMacVerifierMac getKdcVerifier() {
+            return getFieldAs(CamMacField.CAMMAC_kdc_verifier, CamMacVerifierMac.class);
+        }
+
+        public void setKdcVerifier(CamMacVerifierMac kdcVerifier) {
+            setFieldAs(CamMacField.CAMMAC_kdc_verifier, kdcVerifier);
+            resetBodyLength();
+        }
+
+        public CamMacVerifierMac getSvcVerifier() {
+            return getFieldAs(CamMacField.CAMMAC_svc_verifier, CamMacVerifierMac.class);
+        }
+
+        public void setSvcVerifier(CamMacVerifierMac svcVerifier) {
+            setFieldAs(CamMacField.CAMMAC_svc_verifier, svcVerifier);
+            resetBodyLength();
+        }
+
+        public CamMacOtherVerifiers getOtherVerifiers() {
+            return getFieldAs(CamMacField.CAMMAC_other_verifiers, CamMacOtherVerifiers.class);
+        }
+
+        public void setOtherVerifiers(CamMacOtherVerifiers svcVerifier) {
+            setFieldAs(CamMacField.CAMMAC_other_verifiers, svcVerifier);
+            resetBodyLength();
+        }
+    }
+
+    public ADCamMac() {
+        super(AuthorizationType.AD_CAMMAC);
+        myCamMac = new CamMac();
+        myCamMac.outerEncodeable = this;
+    }
+
+    public ADCamMac(byte[] encoded) throws IOException {
+        this();
+        myCamMac.decode(encoded);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myCamMac.getAuthorizationData();
+    }
+
+    public void setAuthorizationData(AuthorizationData authzData) {
+        myCamMac.setAuthorizationData(authzData);
+    }
+
+    public CamMacVerifierMac getKdcVerifier() {
+        return myCamMac.getKdcVerifier();
+    }
+
+    public void setKdcVerifier(CamMacVerifierMac kdcVerifier) {
+        myCamMac.setKdcVerifier(kdcVerifier);
+    }
+
+    public CamMacVerifierMac getSvcVerifier() {
+        return myCamMac.getSvcVerifier();
+    }
+
+    public void setSvcVerifier(CamMacVerifierMac svcVerifier) {
+        myCamMac.setSvcVerifier(svcVerifier);
+    }
+
+    public CamMacOtherVerifiers getOtherVerifiers() {
+        return myCamMac.getOtherVerifiers();
+    }
+
+    public void setOtherVerifiers(CamMacOtherVerifiers otherVerifiers) {
+        myCamMac.setOtherVerifiers(otherVerifiers);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myCamMac.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        try {
+            setAuthzData(myCamMac.encode());
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myCamMac.dumpWith(dumper, indents + 8);
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java
new file mode 100644
index 0000000..3a40490
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADEnctypeNegotiation.java
@@ -0,0 +1,83 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADEnctypeNegotiation extends AuthorizationDataEntry {
+
+    private KrbSequenceOfType<Asn1Integer> myEnctypeNeg;
+
+    public ADEnctypeNegotiation() {
+        super(AuthorizationType.AD_ETYPE_NEGOTIATION);
+        myEnctypeNeg = new KrbSequenceOfType<Asn1Integer>();
+        myEnctypeNeg.outerEncodeable = this;
+    }
+
+    public ADEnctypeNegotiation(byte[] encoded) throws IOException {
+        this();
+        myEnctypeNeg.decode(encoded);
+    }
+
+    public ADEnctypeNegotiation(List<Asn1Integer> enctypeNeg) throws IOException {
+        this();
+        for (Asn1Integer element : enctypeNeg) {
+            myEnctypeNeg.add(element);
+        }
+    }
+
+    public List<Asn1Integer> getEnctypeNegotiation() {
+        return myEnctypeNeg.getElements();
+    }
+
+    public void add(Asn1Integer element) {
+        myEnctypeNeg.add(element);
+    }
+
+    public void clear() {
+        myEnctypeNeg.clear();
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myEnctypeNeg.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    }
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myEnctypeNeg.dumpWith(dumper, indents + 8);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java
new file mode 100644
index 0000000..fee3657
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForApplicationClass.java
@@ -0,0 +1,179 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KerberosStrings;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * Asn1 Class for the "intended for application class" authorization type.
+ *
+ * RFC 4120
+ * 
+ * AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+ * SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+ * 
+ * encapsulated within the intended-for-application-class element may be ignored
+ * if the application server is not in one of the named classes of application
+ * servers. Examples of application server classes include "FILESYSTEM", and
+ * other kinds of servers.
+ * 
+ * This element and the elements it encapsulates may be safely ignored by
+ * applications, application servers, and KDCs that do not implement this
+ * element.
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADIntendedForApplicationClass extends AuthorizationDataEntry {
+
+    private IntendedForApplicationClass myIntForAppClass;
+
+    private static class IntendedForApplicationClass extends KrbSequenceType {
+
+        private AuthorizationData authzData;
+
+        /**
+         * The possible fields
+         */
+        protected enum IntendedForApplicationClassField implements EnumType {
+            IFAC_intendedAppClass, IFAC_elements;
+
+            /**
+             * {@inheritDoc}
+             */
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            /**
+             * {@inheritDoc}
+             */
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The IntendedForApplicationClass's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(IntendedForApplicationClassField.IFAC_intendedAppClass, KerberosStrings.class),
+                new ExplicitField(IntendedForApplicationClassField.IFAC_elements, AuthorizationData.class)};
+
+        /**
+         * Creates an IntendedForApplicationClass instance
+         */
+        IntendedForApplicationClass() {
+            super(fieldInfos);
+        }
+
+        /**
+         * Creates an IntendedForApplicationClass instance
+         */
+        IntendedForApplicationClass(KerberosStrings intendedAppClass) {
+            super(fieldInfos);
+            setFieldAs(IntendedForApplicationClassField.IFAC_intendedAppClass, intendedAppClass);
+        }
+
+        public KerberosStrings getIntendedForApplicationClass() {
+            return getFieldAs(IntendedForApplicationClassField.IFAC_intendedAppClass, KerberosStrings.class);
+        }
+
+        /**
+         * Sets the Intended Application Class value.
+         */
+        public void setIntendedForApplicationClass(KerberosStrings intendedAppClass) {
+            setFieldAs(IntendedForApplicationClassField.IFAC_intendedAppClass, intendedAppClass);
+            resetBodyLength();
+        }
+
+        public AuthorizationData getAuthzData() {
+            if (authzData == null) {
+                authzData = getFieldAs(IntendedForApplicationClassField.IFAC_elements, AuthorizationData.class);
+            }
+            return authzData;
+        }
+
+        public void setAuthzData(AuthorizationData authzData) {
+            this.authzData = authzData;
+            setFieldAs(IntendedForApplicationClassField.IFAC_elements, authzData);
+            resetBodyLength();
+        }
+    }
+
+    public ADIntendedForApplicationClass() {
+        super(AuthorizationType.AD_INTENDED_FOR_APPLICATION_CLASS);
+        myIntForAppClass = new IntendedForApplicationClass();
+        myIntForAppClass.outerEncodeable = this;
+    }
+
+    public ADIntendedForApplicationClass(byte[] encoded) throws IOException {
+        this();
+        myIntForAppClass.decode(encoded);
+    }
+
+    public ADIntendedForApplicationClass(KerberosStrings intendedAppClass) throws IOException {
+        this();
+        myIntForAppClass.setIntendedForApplicationClass(intendedAppClass);
+    }
+
+    public KerberosStrings getIntendedForApplicationClass() {
+        return myIntForAppClass.getIntendedForApplicationClass();
+    }
+
+    /**
+     * Sets the Intended Application Class value.
+     */
+    public void setIntendedForApplicationClass(KerberosStrings intendedAppClass) {
+        myIntForAppClass.setIntendedForApplicationClass(intendedAppClass);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myIntForAppClass.getAuthzData();
+    }
+
+    public void setAuthorizationData(AuthorizationData authzData) {
+        myIntForAppClass.setAuthzData(authzData);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myIntForAppClass.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myIntForAppClass.dumpWith(dumper, indents + 8);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java
new file mode 100644
index 0000000..fa28b96
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADIntendedForServer.java
@@ -0,0 +1,162 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * Asn1 Class for the "intended for server" authorization type.
+ *
+ * RFC 4120
+ * 
+ * AD-INTENDED-FOR-SERVER SEQUENCE { intended-server[0] SEQUENCE OF
+ * PrincipalName elements[1] AuthorizationData }
+ * 
+ * AD elements encapsulated within the intended-for-server element may be
+ * ignored if the application server is not in the list of principal names of
+ * intended servers. Further, a KDC issuing a ticket for an application server
+ * can remove this element if the application server is not in the list of
+ * intended servers.
+ * 
+ * Application servers should check for their principal name in the
+ * intended-server field of this element. If their principal name is not found,
+ * this element should be ignored. If found, then the encapsulated elements
+ * should be evaluated in the same manner as if they were present in the top
+ * level authorization data field. Applications and application servers that do
+ * not implement this element should reject tickets that contain authorization
+ * data elements of this type.
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADIntendedForServer extends AuthorizationDataEntry {
+
+    private IntForSrvr myIntForSrvr;
+
+    private static class IntForSrvr extends KrbSequenceType {
+
+        private AuthorizationData authzData;
+
+        protected enum IntForSrvrField implements EnumType {
+            IFS_intendedServer, IFS_elements;
+
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The IntendedForServer's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(IntForSrvrField.IFS_intendedServer, PrincipalList.class),
+                new ExplicitField(IntForSrvrField.IFS_elements, AuthorizationData.class)};
+
+        IntForSrvr() {
+            super(fieldInfos);
+        }
+
+        IntForSrvr(PrincipalList principals) {
+            super(fieldInfos);
+            setFieldAs(IntForSrvrField.IFS_intendedServer, principals);
+        }
+
+        public PrincipalList getIntendedServer() {
+            return getFieldAs(IntForSrvrField.IFS_intendedServer, PrincipalList.class);
+        }
+
+        public void setIntendedServer(PrincipalList principals) {
+            setFieldAs(IntForSrvrField.IFS_intendedServer, principals);
+            resetBodyLength();
+        }
+
+        public AuthorizationData getAuthzData() {
+            if (authzData == null) {
+                authzData = getFieldAs(IntForSrvrField.IFS_elements, AuthorizationData.class);
+            }
+            return authzData;
+        }
+
+        public void setAuthzData(AuthorizationData authzData) {
+            this.authzData = authzData;
+            setFieldAs(IntForSrvrField.IFS_elements, authzData);
+            resetBodyLength();
+        }
+    }
+
+    public ADIntendedForServer() {
+        super(AuthorizationType.AD_INTENDED_FOR_SERVER);
+        myIntForSrvr = new IntForSrvr();
+        myIntForSrvr.outerEncodeable = this;
+    }
+
+    public ADIntendedForServer(byte[] encoded) throws IOException {
+        this();
+        myIntForSrvr.decode(encoded);
+    }
+
+    public ADIntendedForServer(PrincipalList principals) throws IOException {
+        this();
+        myIntForSrvr.setIntendedServer(principals);
+    }
+
+    public PrincipalList getIntendedServer() {
+        return myIntForSrvr.getIntendedServer();
+    }
+
+    public void setIntendedServer(PrincipalList principals) {
+        myIntForSrvr.setIntendedServer(principals);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myIntForSrvr.getAuthzData();
+    }
+
+    public void setAuthorizationData(AuthorizationData authzData) {
+        myIntForSrvr.setAuthzData(authzData);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myIntForSrvr.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myIntForSrvr.dumpWith(dumper, indents + 8);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java
new file mode 100644
index 0000000..22a7b52
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/ADKdcIssued.java
@@ -0,0 +1,169 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.base.Realm;
+
+/**
+ * <pre>
+ *    AD-KDCIssued            ::= SEQUENCE {
+ *         ad-checksum     [0] Checksum,
+ *         i-realm         [1] Realm OPTIONAL,
+ *         i-sname         [2] PrincipalName OPTIONAL,
+ *         elements        [3] AuthorizationData
+ *    }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class ADKdcIssued extends AuthorizationDataEntry {
+
+    private KdcIssued myKdcIssued;
+
+    private static class KdcIssued extends KrbSequenceType {
+
+        enum KdcIssuedField implements EnumType {
+            AD_CHECKSUM, I_REALM, I_SNAME, ELEMENTS;
+
+            @Override
+            public int getValue() {
+                return ordinal();
+            }
+
+            @Override
+            public String getName() {
+                return name();
+            }
+        }
+
+        /** The AuthorizationDataEntry's fields */
+        private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+                new ExplicitField(KdcIssuedField.AD_CHECKSUM, CheckSum.class),
+                new ExplicitField(KdcIssuedField.I_REALM, Realm.class),
+                new ExplicitField(KdcIssuedField.I_SNAME, PrincipalName.class),
+                new ExplicitField(KdcIssuedField.ELEMENTS, AuthorizationData.class)};
+
+        KdcIssued() {
+            super(fieldInfos);
+        }
+
+        public CheckSum getCheckSum() {
+            return getFieldAs(KdcIssuedField.AD_CHECKSUM, CheckSum.class);
+        }
+
+        public void setCheckSum(CheckSum chkSum) {
+            setFieldAs(KdcIssuedField.AD_CHECKSUM, chkSum);
+        }
+
+        public Realm getRealm() {
+            return getFieldAs(KdcIssuedField.I_REALM, Realm.class);
+        }
+
+        public void setRealm(Realm realm) {
+            setFieldAs(KdcIssuedField.I_REALM, realm);
+        }
+
+        public PrincipalName getSname() {
+            return getFieldAs(KdcIssuedField.I_SNAME, PrincipalName.class);
+        }
+
+        public void setSname(PrincipalName sName) {
+            setFieldAs(KdcIssuedField.I_SNAME, sName);
+        }
+
+        public AuthorizationData getAuthzData() {
+            return getFieldAs(KdcIssuedField.ELEMENTS, AuthorizationData.class);
+        }
+
+        public void setAuthzData(AuthorizationData authzData) {
+            setFieldAs(KdcIssuedField.ELEMENTS, authzData);
+        }
+    }
+
+    public ADKdcIssued() {
+        super(AuthorizationType.AD_KDC_ISSUED);
+        myKdcIssued = new KdcIssued();
+        myKdcIssued.outerEncodeable = this;
+    }
+
+    public ADKdcIssued(byte[] encoded) throws IOException {
+        this();
+        myKdcIssued.decode(encoded);
+    }
+
+    public CheckSum getCheckSum() {
+        return myKdcIssued.getCheckSum();
+    }
+
+    public void setCheckSum(CheckSum chkSum) {
+        myKdcIssued.setCheckSum(chkSum);
+    }
+
+    public Realm getRealm() {
+        return myKdcIssued.getRealm();
+    }
+
+    public void setRealm(Realm realm) {
+        myKdcIssued.setRealm(realm);
+    }
+
+    public PrincipalName getSname() {
+        return myKdcIssued.getSname();
+    }
+
+    public void setSname(PrincipalName sName) {
+        myKdcIssued.setSname(sName);
+    }
+
+    public AuthorizationData getAuthorizationData() {
+        return myKdcIssued.getAuthzData();
+    }
+
+    public void setAuthzData(AuthorizationData authzData) {
+        myKdcIssued.setAuthzData(authzData);
+    }
+
+    @Override
+    protected int encodingBodyLength() throws IOException {
+        if (bodyLength == -1) {
+            setAuthzData(myKdcIssued.encode());
+            bodyLength = super.encodingBodyLength();
+        }
+        return bodyLength;
+    };
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        myKdcIssued.dumpWith(dumper, indents + 8);
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java
new file mode 100644
index 0000000..927cc4a
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AndOr.java
@@ -0,0 +1,87 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * <pre>
+ * AD-AND-OR               ::= SEQUENCE {
+ *         condition-count [0] Int32,
+ *         elements        [1] AuthorizationData
+ * }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class AndOr extends KrbSequenceType {
+
+    protected enum AndOrField implements EnumType {
+        AndOr_ConditionCount, AndOr_Elements;
+
+        @Override
+        public int getValue() {
+            return ordinal();
+        }
+
+        @Override
+        public String getName() {
+            return name();
+        }
+    }
+
+    /** The CamMac's fields */
+    private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+            new ExplicitField(AndOrField.AndOr_ConditionCount, Asn1Integer.class),
+            new ExplicitField(AndOrField.AndOr_Elements, AuthorizationData.class)};
+
+    public AndOr() {
+        super(fieldInfos);
+    }
+
+    public AndOr(int conditionCount, AuthorizationData authzData) {
+        super(fieldInfos);
+        setFieldAs(AndOrField.AndOr_ConditionCount, new Asn1Integer(conditionCount));
+        setFieldAs(AndOrField.AndOr_Elements, authzData);
+    }
+
+    public int getConditionCount() {
+        return getFieldAs(AndOrField.AndOr_ConditionCount, Asn1Integer.class).getValue().intValue();
+    }
+
+    public void setConditionCount(int conditionCount) {
+        setFieldAs(AndOrField.AndOr_ConditionCount, new Asn1Integer(conditionCount));
+    }
+
+    public AuthorizationData getAuthzData() {
+        return getFieldAs(AndOrField.AndOr_Elements, AuthorizationData.class);
+    }
+
+    public void setAuthzData(AuthorizationData authzData) {
+        setFieldAs(AndOrField.AndOr_Elements, authzData);
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
index 57f8299..3f8b07d 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationData.java
@@ -35,4 +35,14 @@ import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public class AuthorizationData extends KrbSequenceOfType<AuthorizationDataEntry> {
+
+    public AuthorizationData clone() {
+        AuthorizationData result = new AuthorizationData();
+
+        for (AuthorizationDataEntry entry : super.getElements()) {
+            result.add(entry.clone());
+        }
+
+        return result;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
index bd08692..fa9284b 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataEntry.java
@@ -24,8 +24,11 @@ import org.apache.kerby.asn1.EnumType;
 import org.apache.kerby.asn1.ExplicitField;
 import org.apache.kerby.asn1.type.Asn1Integer;
 import org.apache.kerby.asn1.type.Asn1OctetString;
+import org.apache.kerby.asn1.type.Asn1Type;
 import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
 
+import java.io.IOException;
+
 /**
  * The AuthorizationData component as defined in RFC 4120 :
  * 
@@ -79,6 +82,23 @@ public class AuthorizationDataEntry extends KrbSequenceType {
     }
 
     /**
+     * Creates an AuthorizationDataEntry instance
+     */
+    public AuthorizationDataEntry(AuthorizationType type) {
+        super(fieldInfos);
+        setAuthzType(type);
+    }
+
+    /**
+     * Creates an AuthorizationDataEntry instance
+     */
+    public AuthorizationDataEntry(AuthorizationType type, byte[] authzData) {
+        super(fieldInfos);
+        setAuthzType(type);
+        setAuthzData(authzData);
+    }
+
+    /**
      * @return The AuthorizationType (AD_TYPE) field
      */
     public AuthorizationType getAuthzType() {
@@ -96,7 +116,7 @@ public class AuthorizationDataEntry extends KrbSequenceType {
     }
 
     /**
-     * @return The AuthorizationType (AD_DATA) field
+     * @return The AuthorizationData (AD_DATA) field
      */
     public byte[] getAuthzData() {
         return getFieldAsOctets(AuthorizationDataEntryField.AD_DATA);
@@ -109,4 +129,31 @@ public class AuthorizationDataEntry extends KrbSequenceType {
     public void setAuthzData(byte[] authzData) {
         setFieldAsOctets(AuthorizationDataEntryField.AD_DATA, authzData);
     }
+
+    /**
+     * @param <T>
+     * @return The AuthorizationData (AD_DATA) field
+     * @throws IllegalAccessException
+     * @throws InstantiationException
+     */
+    public <T extends Asn1Type> T getAuthzDataAs(Class<T> type) {
+        T result = null;
+        byte[] authzBytes = getFieldAsOctets(
+                AuthorizationDataEntryField.AD_DATA);
+        if (authzBytes != null) {
+            try {
+                result = type.newInstance();
+                result.decode(authzBytes);
+            } catch (InstantiationException | IllegalAccessException | IOException e) {
+                e.printStackTrace();
+            }
+
+        }
+        return result;
+    }
+
+    public AuthorizationDataEntry clone() {
+        return new AuthorizationDataEntry(getAuthzType(),
+                getAuthzData().clone());
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java
new file mode 100644
index 0000000..e7c3fa5
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationDataWrapper.java
@@ -0,0 +1,118 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import java.io.IOException;
+
+import org.apache.kerby.asn1.Asn1Dumper;
+import org.apache.kerby.asn1.EnumType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class AuthorizationDataWrapper extends AuthorizationDataEntry {
+
+    private AuthorizationData authorizationData;
+
+    public enum WrapperType implements EnumType {
+        AD_IF_RELEVANT(AuthorizationType.AD_IF_RELEVANT.getValue()), AD_MANDATORY_FOR_KDC(
+                AuthorizationType.AD_MANDATORY_FOR_KDC.getValue());
+
+        /** The internal value */
+        private final int value;
+
+        /**
+         * Create a new enum
+         */
+        WrapperType(int value) {
+            this.value = value;
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public int getValue() {
+            return value;
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public String getName() {
+            return name();
+        }
+
+    }
+
+    public AuthorizationDataWrapper(WrapperType type) {
+        super(Enum.valueOf(AuthorizationType.class, type.name()));
+    }
+
+    public AuthorizationDataWrapper(WrapperType type, AuthorizationData authzData) throws IOException {
+        super(Enum.valueOf(AuthorizationType.class, type.name()));
+        authorizationData = authzData;
+        if (authzData != null) {
+            setAuthzData(authzData.encode());
+        } else {
+            setAuthzData(null);
+        }
+    }
+
+    /**
+     * @return The AuthorizationType (AD_DATA) field
+     * @throws IOException
+     */
+    public AuthorizationData getAuthorizationData() throws IOException {
+        AuthorizationData result;
+        if (authorizationData != null) {
+            result = authorizationData;
+        } else {
+            result = new AuthorizationData();
+            result.decode(getAuthzData());
+        }
+        return result;
+    }
+
+    /**
+     * Sets the AuthorizationData (AD_DATA) field
+     * 
+     * @param authzData The AuthorizationData to set
+     * @throws IOException
+     */
+    public void setAuthorizationData(AuthorizationData authzData) throws IOException {
+        setAuthzData(authzData.encode());
+    }
+
+    @Override
+    public void dumpWith(Asn1Dumper dumper, int indents) {
+        super.dumpWith(dumper, indents);
+        dumper.newLine();
+        try {
+            getAuthorizationData().dumpWith(dumper, indents + 8);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
index 4718206..0135215 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
@@ -21,6 +21,9 @@ package org.apache.kerby.kerberos.kerb.type.ad;
 
 import org.apache.kerby.asn1.EnumType;
 
+import java.util.HashMap;
+import java.util.Map;
+
 /**
  * The various AuthorizationType values, as defined in RFC 4120 and RFC 1510.
  * 
@@ -36,6 +39,14 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "if relevant" authorization type.
      *
      * RFC 4120
+     * 
+     * AD elements encapsulated within the if-relevant element are intended for
+     * interpretation only by application servers that understand the particular
+     * ad-type of the embedded element. Application servers that do not
+     * understand the type of an element embedded within the if-relevant element
+     * may ignore the uninterpretable element. This element promotes
+     * interoperability across implementations which may have local extensions
+     * for authorization.
      */
     AD_IF_RELEVANT(1),
 
@@ -43,6 +54,23 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "intended for server" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-INTENDED-FOR-SERVER SEQUENCE { intended-server[0] SEQUENCE OF
+     * PrincipalName elements[1] AuthorizationData }
+     * 
+     * AD elements encapsulated within the intended-for-server element may be
+     * ignored if the application server is not in the list of principal names
+     * of intended servers. Further, a KDC issuing a ticket for an application
+     * server can remove this element if the application server is not in the
+     * list of intended servers.
+     * 
+     * Application servers should check for their principal name in the
+     * intended-server field of this element. If their principal name is not
+     * found, this element should be ignored. If found, then the encapsulated
+     * elements should be evaluated in the same manner as if they were present
+     * in the top level authorization data field. Applications and application
+     * servers that do not implement this element should reject tickets that
+     * contain authorization data elements of this type.
      */
     AD_INTENDED_FOR_SERVER(2),
 
@@ -50,6 +78,19 @@ public enum AuthorizationType implements EnumType {
      * Constant for the  "intended for application class" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
+     * intended-application-class[0] SEQUENCE OF GeneralString elements[1]
+     * AuthorizationData } AD elements
+     * 
+     * encapsulated within the intended-for-application-class element may be
+     * ignored if the application server is not in one of the named classes of
+     * application servers. Examples of application server classes include
+     * "FILESYSTEM", and other kinds of servers.
+     * 
+     * This element and the elements it encapsulates may be safely ignored by
+     * applications, application servers, and KDCs that do not implement this
+     * element.
      */
     AD_INTENDED_FOR_APPLICATION_CLASS(3),
 
@@ -57,20 +98,68 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "kdc issued" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-KDCIssued SEQUENCE { ad-checksum[0] Checksum, i-realm[1] Realm
+     * OPTIONAL, i-sname[2] PrincipalName OPTIONAL, elements[3]
+     * AuthorizationData. }
+     * 
+     * ad-checksum A checksum over the elements field using a cryptographic
+     * checksum method that is identical to the checksum used to protect the
+     * ticket itself (i.e. using the same hash function and the same encryption
+     * algorithm used to encrypt the ticket) and using a key derived from the
+     * same key used to protect the ticket. i-realm, i-sname The name of the
+     * issuing principal if different from the KDC itself. This field would be
+     * used when the KDC can verify the authenticity of elements signed by the
+     * issuing principal and it allows this KDC to notify the application server
+     * of the validity of those elements. elements A sequence of authorization
+     * data elements issued by the KDC.
+     * 
+     * The KDC-issued ad-data field is intended to provide a means for Kerberos
+     * principal credentials to embed within themselves privilege attributes and
+     * other mechanisms for positive authorization, amplifying the privileges of
+     * the principal beyond what can be done using a credentials without such an
+     * a-data element.
+     * 
+     * This can not be provided without this element because the definition of
+     * the authorization-data field allows elements to be added at will by the
+     * bearer of a TGT at the time that they request service tickets and
+     * elements may also be added to a delegated ticket by inclusion in the
+     * authenticator.
      */
     AD_KDC_ISSUED(4),
 
     /**
-     * Constant for the "or" authorization type.
+     * Constant for the "and/or" authorization type.
      *
      * RFC 4120
+     * 
+     * When restrictive AD elements encapsulated within the and-or element are
+     * encountered, only the number specified in condition-count of the
+     * encapsulated conditions must be met in order to satisfy this element.
+     * This element may be used to implement an "or" operation by setting the
+     * condition-count field to 1, and it may specify an "and" operation by
+     * setting the condition count to the number of embedded elements.
+     * Application servers that do not implement this element must reject
+     * tickets that contain authorization data elements of this type.
      */
-    AD_OR(5),
+    AD_AND_OR(5),
 
     /**
      * Constant for the "mandatory ticket extensions" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-Mandatory-Ticket-Extensions Checksum
+     * 
+     * An authorization data element of type mandatory-ticket-extensions
+     * specifies a collision-proof checksum using the same hash algorithm used
+     * to protect the integrity of the ticket itself. This checksum will be
+     * calculated over the entire extensions field. If there are more than one
+     * extension, all will be covered by the checksum. This restriction
+     * indicates that the ticket should not be accepted if the checksum does not
+     * match that calculated over the ticket extensions. Application servers
+     * that do not implement this element must reject tickets that contain
+     * authorization data elements of this type.
      */
     AD_MANDATORY_TICKET_EXTENSIONS(6),
 
@@ -78,6 +167,22 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "in ticket extensions" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-IN-Ticket-Extensions Checksum
+     * 
+     * An authorization data element of type in-ticket-extensions specifies a
+     * collision-proof checksum using the same hash algorithm used to protect
+     * the integrity of the ticket itself. This checksum is calculated over a
+     * separate external AuthorizationData field carried in the ticket
+     * extensions. Application servers that do not implement this element must
+     * reject tickets that contain authorization data elements of this type.
+     * Application servers that do implement this element will search the ticket
+     * extensions for authorization data fields, calculate the specified
+     * checksum over each authorization data field and look for one matching the
+     * checksum in this in-ticket-extensions element. If not found, then the
+     * ticket must be rejected. If found, the corresponding authorization data
+     * elements will be interpreted in the same manner as if they were contained
+     * in the top level authorization data field.
      */
     AD_IN_TICKET_EXTENSIONS(7),
 
@@ -85,10 +190,74 @@ public enum AuthorizationType implements EnumType {
      * Constant for the "mandatory-for-kdc" authorization type.
      *
      * RFC 4120
+     * 
+     * AD-MANDATORY-FOR-KDC ::= AuthorizationData
+     * 
+     * AD elements encapsulated within the mandatory-for-kdc element are to be
+     * interpreted by the KDC. KDCs that do not understand the type of an
+     * element embedded within the mandatory-for-kdc element MUST reject the
+     * request.
      */
     AD_MANDATORY_FOR_KDC(8),
 
     /**
+     * Constant for the "initial-verified-cas" authorization type.
+     *
+     * RFC 4556
+     * 
+     * AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier --
+     * Identifies the certification path with which -- the client certificate
+     * was validated. -- Each ExternalPrincipalIdentifier identifies a CA -- or
+     * a CA certificate (thereby its public key).
+     * 
+     * The AD-INITIAL-VERIFIED-CAS structure identifies the certification path
+     * with which the client certificate was validated. Each
+     * ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
+     * INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
+     * (thereby its public key).
+     * 
+     * Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization data
+     * does permit empty SEQUENCEs to be encoded. Such empty sequences may only
+     * be used if the KDC itself vouches for the user's certificate.
+     * 
+     * The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
+     * containers if the list of CAs satisfies the AS' realm's local policy
+     * (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag [RFC4120]).
+     * Furthermore, any TGS MUST copy such authorization data from tickets used
+     * within a PA-TGS-REQ of the TGS-REQ into the resulting ticket. If the list
+     * of CAs satisfies the local KDC's realm's policy, the TGS MAY wrap the
+     * data into the AD-IF-RELEVANT container; otherwise, it MAY unwrap the
+     * authorization data out of the AD-IF-RELEVANT container.
+     * 
+     * Application servers that understand this authorization data type SHOULD
+     * apply local policy to determine whether a given ticket bearing such a
+     * type *not* contained within an AD-IF-RELEVANT container is acceptable.
+     * (This corresponds to the AP server's checking the transited field when
+     * the TRANSITED-POLICY-CHECKED flag has not been set [RFC4120].) If such a
+     * data type is contained within an AD-IF- RELEVANT container, AP servers
+     * MAY apply local policy to determine whether the authorization data is
+     * acceptable.
+     * 
+     * ExternalPrincipalIdentifier ::= SEQUENCE { subjectName [0] IMPLICIT OCTET
+     * STRING OPTIONAL, -- Contains a PKIX type Name encoded according to --
+     * [RFC3280]. -- Identifies the certificate subject by the -- distinguished
+     * subject name. -- REQUIRED when there is a distinguished subject -- name
+     * present in the certificate. issuerAndSerialNumber [1] IMPLICIT OCTET
+     * STRING OPTIONAL, -- Contains a CMS type IssuerAndSerialNumber encoded --
+     * according to [RFC3852]. -- Identifies a certificate of the subject. --
+     * REQUIRED for TD-INVALID-CERTIFICATES and -- TD-TRUSTED-CERTIFIERS.
+     * subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, -- Identifies
+     * the subject's public key by a key -- identifier. When an X.509
+     * certificate is -- referenced, this key identifier matches the X.509 --
+     * subjectKeyIdentifier extension value. When other -- certificate formats
+     * are referenced, the documents -- that specify the certificate format and
+     * their use -- with the CMS must include details on matching the -- key
+     * identifier to the appropriate certificate -- field. -- RECOMMENDED for
+     * TD-TRUSTED-CERTIFIERS. ... }
+     */
+    AD_INITIAL_VERIFIED_CAS(9),
+
+    /**
      * Constant for the "OSF DCE" authorization type.
      *
      * RFC 1510
@@ -98,34 +267,56 @@ public enum AuthorizationType implements EnumType {
     /**
      * Constant for the "sesame" authorization type.
      *
-     * RFC 1510
+     * RFC 4120
      */
     SESAME(65),
 
     /**
      * Constant for the "OSF-DCE pki certid" authorization type.
      *
-     * RFC 1510
+     * RFC 4120
      */
     AD_OSF_DCE_PKI_CERTID(66),
 
     /**
-     * Constant for the "sesame" authorization type.
+     * Constant for the "CAM-MAC" authorization type.
      *
-     * RFC 1510
+     * RFC 7751 for details.
+     */
+    AD_CAMMAC(96),
+
+    /**
+     * Constant for the "Windows 2K Privilege Attribute Certificate (PAC)"
+     * authorization type.
+     *
+     * RFC 4120
+     * 
+     * See: Microsoft standard documents MS-PAC and MS-KILE.
      */
     AD_WIN2K_PAC(128),
 
     /**
-     * Constant for the "sesame" authorization type.
+     * Constant for the "EncType-Negotiation" authorization type.
      *
-     * RFC 1510
+     * RFC 4537 for details.
      */
-    AD_ETYPE_NEGOTIATION(129);
+    AD_ETYPE_NEGOTIATION(129),
+
+    /**
+     * Constant for the "Authentication-Indicator" authorization type.
+     * 
+     * RFC 6711 An IANA Registry for Level of Assurance (LoA) Profiles provides
+     * the syntax and semantics of LoA profiles.
+     *
+     * See: Internet draft "draft-jain-kitten-krb-auth-indicator-01"
+     */
+    AD_AUTHENTICAION_INDICATOR(-1); // Not yet assigned an IANA registry number.
 
     /** The internal value */
     private final int value;
 
+    private static Map<Integer, AuthorizationType> valueMap;
+
     /**
      * Create a new enum 
      */
@@ -157,11 +348,13 @@ public enum AuthorizationType implements EnumType {
      */
     public static AuthorizationType fromValue(Integer value) {
         if (value != null) {
-            for (EnumType e : values()) {
-                if (e.getValue() == value.intValue()) {
-                    return (AuthorizationType) e;
+            if (valueMap == null) {
+                valueMap = new HashMap<Integer, AuthorizationType>(32);
+                for (EnumType e : values()) {
+                    valueMap.put(e.getValue(), (AuthorizationType) e);
                 }
             }
+            return valueMap.get(value);
         }
 
         return NULL;

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java
new file mode 100644
index 0000000..7430fdd
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacOtherVerifiers.java
@@ -0,0 +1,30 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
+
+/**
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class CamMacOtherVerifiers extends KrbSequenceOfType<CamMacVerifierChoice> {
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f751d390/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java
new file mode 100644
index 0000000..9832aca
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/CamMacVerifierChoice.java
@@ -0,0 +1,67 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.kerby.kerberos.kerb.type.ad;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Choice;
+import org.apache.kerby.asn1.type.Asn1Type;
+
+/**
+ * <pre>
+ * Verifier             ::= CHOICE {
+            mac            Verifier-MAC,
+            ...
+      }
+ * </pre>
+ * 
+ * Contributed to the Apache Kerby Project by: Prodentity - Corrales, NM
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache DirectoryProject</a>
+ */
+public class CamMacVerifierChoice extends Asn1Choice {
+
+    protected enum VerifierChoice implements EnumType {
+        CAMMAC_verifierMac;
+
+        @Override
+        public int getValue() {
+            return ordinal();
+        }
+
+        @Override
+        public String getName() {
+            return name();
+        }
+    }
+
+    /** The CamMac's fields */
+    private static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+            new ExplicitField(VerifierChoice.CAMMAC_verifierMac, CamMacVerifierMac.class)};
+
+    public CamMacVerifierChoice() {
+        super(fieldInfos);
+    }
+
+    public void setChoice(EnumType type, Asn1Type choice) {
+        setChoiceValue(type, choice);
+    }
+}


Mime
View raw message