directory-kerby mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject ApOption vs ApOptions
Date Sun, 03 Jan 2016 20:18:20 GMT
Hi,

I'm continuing my review of the kerby-core module (and I'll try to
review a few classes every day if I have some time at night...).

I have a question regarding the APOptions implementation. RFC 4120
defines it as :

APOptions       ::= KerberosFlags
        -- reserved(0),
        -- use-session-key(1),
        -- mutual-required(2)

This element is used in the AP-REQ structure :

AP-REQ          ::= [APPLICATION 14] SEQUENCE {
        pvno            [0] INTEGER (5),
        msg-type        [1] INTEGER (14),
        ap-options      [2] APOptions,
        ticket          [3] Ticket,
        authenticator   [4] EncryptedData -- Authenticator
}

We currently have 2 classes for that : ApOptions and ApOption (actually,
this is an Enum).

- first, what is the ApOption Enum good for ? It's used in one place, in
the TgsRequest class, in the verifyAuthenticator() method :

        ...
        apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);

        setTgtSessionKey(tgtTicket.getEncPart().getKey());
    }
- second, assuming the ApOptions class is just a container, and the
ApOption enum the values that it can contain, then where are the last 2
values coming from? :

public enum ApOption implements EnumType {
    NONE(-1),
    RESERVED(0x80000000),
    USE_SESSION_KEY(0x40000000),
    MUTUAL_REQUIRED(0x20000000),
    ETYPE_NEGOTIATION(0x00000002),           // Where is it coming from ?
    USE_SUBKEY(0x00000001);                  // Where is it coming from ?

- AFAICT, the ApOptions class extends the Asn1Flags class, whose header
is quite weird :

/**
 KrbFlags   ::= BIT STRING (SIZE (32..MAX))
 -- minimum number of bits shall be sent,
 -- but no fewer than 32
 */
public class Asn1Flags extends Asn1BitString {
   ...

IMO, this class should be part of the Kerby-core module, and its name
should be KerberosFlags.

Thoughts ?


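The mask values quoted above (0x80000000 for reserved(0), 0x40000000 for use-session-key(1), 0x20000000 for mutual-required(2)) follow from how an ASN.1 BIT STRING numbers its bits: bit 0 is the most significant bit of the first octet, so RFC bit n maps to mask 1 << (31 - n), and under that numbering 0x00000002 and 0x00000001 are bits 30 and 31. The following stand-alone example, added here and not taken from Kerby or the message above, encodes and decodes a KerberosFlags value as a DER BIT STRING to make that mapping concrete. The names (mask, encode_kerberos_flags, decode_kerberos_flags, AP_OPTIONS) and the lenient handling of bit strings shorter than 32 bits are this example's own choices, not something the RFC or the page prescribes.

```python
"""Added example (not Kerby code): RFC 4120 KerberosFlags / APOptions as a
DER BIT STRING, showing how RFC bit numbers map to 32-bit masks."""

FLAG_BITS = 32  # KerberosFlags ::= BIT STRING (SIZE (32..MAX))

# RFC 4120 APOptions bit numbers.  The 0x80000000-style constants seen in
# the enum on the page are masks, not bit numbers: ASN.1 BIT STRING bit 0
# is the most significant bit of the first octet.
AP_OPTIONS = {"reserved": 0, "use-session-key": 1, "mutual-required": 2}


def mask(bit):
    """Mask for RFC bit number `bit` in a 32-bit flags word."""
    if not 0 <= bit < FLAG_BITS:
        raise ValueError("bit out of range")
    return 1 << (FLAG_BITS - 1 - bit)


def set_flag(flags, bit):
    return flags | mask(bit)


def has_flag(flags, bit):
    return bool(flags & mask(bit))


def set_bits(flags):
    """RFC bit numbers that are set, in ascending order."""
    return [b for b in range(FLAG_BITS) if has_flag(flags, b)]


def encode_kerberos_flags(flags):
    """DER BIT STRING: tag 0x03, length, unused-bits octet, then 32 bits."""
    if not 0 <= flags < 1 << FLAG_BITS:
        raise ValueError("flags must fit in 32 bits")
    body = b"\x00" + flags.to_bytes(4, "big")  # 0 unused bits, 4 octets
    return bytes([0x03, len(body)]) + body


def decode_kerberos_flags(der):
    """Parse a DER BIT STRING into a 32-bit flags word.

    SIZE (32..MAX) means bits beyond the first 32 may be present; they are
    ignored here.  Strings shorter than 32 bits are zero-extended, which is
    a lenient choice made for this example (hypothetical policy, not RFC
    text quoted on the page).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")  # short-form length only
    unused = der[2]
    bits = der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("bad unused-bits octet")
    if unused and bits[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    first = (bits[:4] + b"\x00" * 4)[:4]  # zero-extend short strings
    value = int.from_bytes(first, "big")
    nbits = len(bits) * 8 - unused
    if nbits < FLAG_BITS:
        # clear any positions past the number of bits actually sent
        value &= ~((1 << (FLAG_BITS - nbits)) - 1) & 0xFFFFFFFF
    return value


if __name__ == "__main__":
    opts = set_flag(0, AP_OPTIONS["mutual-required"])
    print(hex(opts), encode_kerberos_flags(opts).hex(), set_bits(opts))
```

Running the block shows mutual-required alone encoding as 03 05 00 20 00 00 00: one unused-bits octet of zero followed by the four flag octets, with the 0x20 landing in the first octet because bit 2 counts from the most significant end.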