directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eirik Bjørsnøs <eir...@gmail.com>
Subject Using KdcConnection on Android
Date Mon, 07 Nov 2016 15:37:43 GMT
Hi,

I'm working on building an Android Authenticator for SPNEGO/Kerberos using
Apache Directory's KdcConnection API for communication with the KDC

I wanted to share my experience. So far I've been able to implement a proof
of concept, however I did have to make a few changes to the Apache DS code
to make it work on Android:

*KerberosKeyFactory.string2Key: *

This uses KerberosKey and KerberosPrincipal
from javax.security.auth.kerberos. This package does not exist on Android.

Luckily, ApacheDs and Java/Android already includes most of what is needed
to replace the usage of KerberosKey, without having to write a lot of code:

Get base key with PBKDF2: Easy to do using SecretKeyFactory with
"PBKDF2WithHmacSHA1"

Get encryption key: Calling AesCtsSha1Encryption.deriveKey with the base
key, the usage bytes and correct n and k parameters produces the correct
key.

At first, I just changed string2Key to use these API's instead of
KerberosKey. Later, I tried making my changes less intrusive by introducing
a new protected method in KdcConnection which I could override to produce
client keys. However, AesCtsSha1Encryption.deriveKey is protected, so I
can't access it from my code.

*ChecksumType in org.apache.directory.shared.kerberos.crypto.checksum:*

In order to produce a valid KRB_AP_REQ message for use in an SPNEGO token,
an GSSAPI 0x8003 checksum needs to be set on the AP_REQ's Authenticator.

The ChecksumType enum is missing a value for this checksum type. I added
one looking like this: KRB_AP_REQ_AUTHN(0x8003, "krb-ap-req-authn");

(Not that this isn't really a checksum, GSSAPI just uses that field for
passing some bytes containing flags and delegation info)

If there's interest in the Apache Directory project for improving support
for KdcConnection on Android, I'd be happy to supply patches.

What's the easiest way to do that these days?

Cheers,
Eirik.

Mime
View raw message