To: kerby@directory.apache.org
From: Emmanuel Lécharny
Subject: ApOption vs ApOptions
Message-ID: <5689820C.2000006@gmail.com>
Date: Sun, 3 Jan 2016 21:18:20 +0100

Hi,

I'm continuing my review of the kerby-core module (and I'll try to review a few classes every day if I have some time at night...). I have a question regarding the APOptions implementation.
RFC 4120 defines it as:

APOptions ::= KerberosFlags
    -- reserved(0),
    -- use-session-key(1),
    -- mutual-required(2)

This element is used in the AP-REQ structure:

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno            [0] INTEGER (5),
    msg-type        [1] INTEGER (14),
    ap-options      [2] APOptions,
    ticket          [3] Ticket,
    authenticator   [4] EncryptedData -- Authenticator
}

We currently have 2 classes for that: ApOptions and ApOption (actually, this is an Enum).

- First, what is the ApOption Enum good for? It's used in one place, in the TgsRequest class, in the verifyAuthenticator() method:

    ...
    apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
    setTgtSessionKey(tgtTicket.getEncPart().getKey());
}

- Second, assuming the ApOptions class is just a container, and ApOption the values that it can contain, then where are the last 2 values coming from?

public enum ApOption implements EnumType {
    NONE(-1),
    RESERVED(0x80000000),
    USE_SESSION_KEY(0x40000000),
    MUTUAL_REQUIRED(0x20000000),
    ETYPE_NEGOTIATION(0x00000002), // Where is it coming from?
    USE_SUBKEY(0x00000001);        // Where is it coming from?

- AFAICT, the ApOptions class extends the Asn1Flags class, whose header is quite weird:

/**
 * KrbFlags ::= BIT STRING (SIZE (32..MAX))
 *   -- minimum number of bits shall be sent,
 *   -- but no fewer than 32
 */
public class Asn1Flags extends Asn1BitString {
    ...

IMO, this class should be part of the Kerby-core module, and its name should be KerberosFlags.

Thoughts?
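As an added illustration (not part of the mail above and not Kerby's own code), here is a small Python model of how a KerberosFlags / APOptions value is laid out on the wire per RFC 4120 section 5.2.8. It shows the bit numbering behind the 0x80000000 / 0x40000000 / 0x20000000 constants in the ApOption enum quoted above: bit n of the BIT STRING is the n-th most significant bit, so bit 0 is the MSB of the first octet. The ApOption class, the function names and the sample byte strings are this example's own; it covers only the three flags RFC 4120 names for APOptions and takes no position on ETYPE_NEGOTIATION or USE_SUBKEY.

```python
"""
Added example: KerberosFlags / APOptions as a DER BIT STRING (RFC 4120 5.2.8).
Bit n of the flags is the n-th most significant bit of the string, so bit 0
is the MSB of the first octet; that is why use-session-key(1) reads as
0x40000000 when the 32-bit string is taken as a big-endian word.
"""
from enum import IntEnum


class ApOption(IntEnum):
    # The three APOptions flags RFC 4120 defines, as 32-bit masks
    # (bit n -> 1 << (31 - n)); same numeric values as the enum in the mail.
    RESERVED = 0x80000000         # reserved(0)
    USE_SESSION_KEY = 0x40000000  # use-session-key(1)
    MUTUAL_REQUIRED = 0x20000000  # mutual-required(2)


FLAG_BITS = 32          # "no fewer than 32" bits shall be sent
BIT_STRING_TAG = 0x03   # universal ASN.1 BIT STRING tag


def encode_flags(flags: int) -> bytes:
    """DER-encode a 32-bit KerberosFlags mask as: 03 05 00 b0 b1 b2 b3."""
    if flags < 0 or flags >> FLAG_BITS:
        raise ValueError("flags must fit in 32 bits")
    body = flags.to_bytes(FLAG_BITS // 8, "big")
    content = bytes([0]) + body  # leading octet: 0 unused bits in the last byte
    return bytes([BIT_STRING_TAG, len(content)]) + content


def decode_flags(der: bytes) -> int:
    """Parse a DER BIT STRING into a 32-bit mask, zero-padding short strings.

    Rejects anything that is not a well-formed, minimal DER BIT STRING, and
    strings wider than 32 bits (RFC 4120 says implementations MAY accept
    more; this decoder does not). Strings shorter than 32 bits are padded
    with zero bits on the right, so bit n still maps to 1 << (31 - n).
    """
    if len(der) < 3 or der[0] != BIT_STRING_TAG:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80:
        raise ValueError("long-form length not expected for KerberosFlags")
    if len(der) != 2 + length:
        raise ValueError("length octet does not match input size")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits octet")
    # DER requires the unused trailing bits to be zero; enforcing this keeps
    # the encoding canonical (one byte string per flags value).
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires unused bits to be zero")
    width = len(body) * 8 - unused
    if width > FLAG_BITS:
        raise ValueError("more than 32 flag bits not supported here")
    value = int.from_bytes(body, "big") >> unused
    return value << (FLAG_BITS - width)


def has_flag(flags: int, option: ApOption) -> bool:
    """True when the given RFC 4120 option bit is set in a decoded mask."""
    return bool(flags & option)


if __name__ == "__main__":
    # Constructed sample: an AP-REQ asking for mutual authentication only.
    der = encode_flags(ApOption.MUTUAL_REQUIRED)
    print(der.hex())                      # 03050020000000
    print(hex(decode_flags(der)))         # 0x20000000
    # Constructed short encoding (3 bits, 5 unused) carrying the same flag.
    print(hex(decode_flags(bytes.fromhex("03020520"))))  # 0x20000000
```

The decoder accepts a string shorter than 32 bits and pads it on the right, which is the lenient reading of the "no fewer than 32" rule in the comment quoted above, but it still insists that the unused bits be zero and that the length octet match the input; without those two checks a single flags value would have several valid encodings, which is exactly what a signature or checksum over DER-encoded Kerberos messages should not allow.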