Get the pkinit anchors from config file.
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
index fa26413..9e64fe8 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kdc;
import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
import org.apache.kerby.kerberos.kerb.server.KdcTestBase;
@@ -28,8 +29,6 @@
import org.junit.Before;
import org.junit.Test;
-import java.net.URL;
-
import static org.assertj.core.api.Assertions.assertThat;
public class AnonymousPkinitKdcTest extends KdcTestBase {
@@ -48,6 +47,9 @@
String pkinitIdentity = getClass().getResource("/kdccerttest.pem").getPath() + ","
+ getClass().getResource("/kdckey.pem").getPath();
getKdcServer().getKdcConfig().setString(KdcConfigKey.PKINIT_IDENTITY, pkinitIdentity);
+
+ String pkinitAnchors = getClass().getResource("/cacerttest.pem").getPath();
+ getKrbClient().getKrbConfig().setString(KrbConfigKey.PKINIT_ANCHORS, pkinitAnchors);
}
@Override
@@ -63,11 +65,11 @@
getKrbClient().init();
- URL url = getClass().getResource("/cacerttest.pem");
+
TgtTicket tgt;
KrbPkinitClient pkinitClient = new KrbPkinitClient(getKrbClient());
try {
- tgt = pkinitClient.requestTgt(url.getPath());
+ tgt = pkinitClient.requestTgt();
} catch (KrbException te) {
te.printStackTrace();
assertThat(te.getMessage().contains("timeout")).isTrue();
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
index 0f8b8b6..4668583 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
@@ -86,11 +86,10 @@
* @return TGT
* @throws KrbException e
*/
- public TgtTicket requestTgt(String anchors) throws KrbException {
+ public TgtTicket requestTgt() throws KrbException {
KOptions requestOptions = new KOptions();
requestOptions.add(PkinitOption.USE_ANONYMOUS);
requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "WELLKNOWN/ANONYMOUS");
- requestOptions.add(PkinitOption.X509_ANCHORS, anchors);
return requestTgt(requestOptions);
}
}
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 640f718..0ad5219 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -20,8 +20,10 @@
package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
import org.apache.kerby.KOptions;
+import org.apache.kerby.asn1.Asn1;
import org.apache.kerby.asn1.type.Asn1Integer;
import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
+import org.apache.kerby.cms.type.SignedContentInfo;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbContext;
@@ -57,6 +59,7 @@
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
+import java.io.IOException;
import java.math.BigInteger;
import java.util.Arrays;
import java.util.Calendar;
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
index 88ee075..f6e0e41 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
@@ -46,6 +46,7 @@
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import org.apache.kerby.x509.type.Certificate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -108,10 +109,8 @@
if (paEntry.getPaDataType() == PaDataType.PK_AS_REP) {
LOG.info("processing PK_AS_REP");
- //TODO CHOICE
- //PaPkAsRep paPkAsRep = KrbCodec.decode(paEntry.getPaDataValue(), PaPkAsRep.class);
- //DHRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
- DHRepInfo dhRepInfo = KrbCodec.decode(paEntry.getPaDataValue(), DHRepInfo.class);
+ PaPkAsRep paPkAsRep = KrbCodec.decode(paEntry.getPaDataValue(), PaPkAsRep.class);
+ DHRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
byte[] dhSignedData = dhRepInfo.getDHSignedData();
@@ -127,8 +126,8 @@
PkinitCrypto.verifyCMSSignedData(
CMSMessageType.CMS_SIGN_SERVER, signedData);
- String anchorFileName =
- getPreauthOptions().getStringOption(PkinitOption.X509_ANCHORS);
+
+ String anchorFileName = getContext().getConfig().getPkinitAnchors().get(0);
X509Certificate x509Certificate = null;
try {
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
index 8f8baed..8a59ee1 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
@@ -116,8 +116,12 @@
assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2");
Asn1.dump(contentInfo);
- SignedData signedData = contentInfo.getContentAs(SignedData.class);
- assertThat(signedData.getCertificates().getElements().isEmpty()).isEqualTo(true);
+ SignedData signedData = contentInfo.getSignedData();
+ assertThat(signedData.getVersion()).isEqualTo(3);
+ assertThat(signedData.getDigestAlgorithms().getElements().isEmpty()).isTrue();
+ assertThat(signedData.getCertificates().getElements().isEmpty()).isTrue();
+ assertThat(signedData.getCrls().getElements().isEmpty()).isTrue();
+ assertThat(signedData.getSignerInfos().getElements().isEmpty()).isTrue();
assertThat(signedData.getEncapContentInfo().getContentType().getValue())
.isEqualTo("1.3.6.1.5.2.3.1");
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index bceef01..86d0a61 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -279,9 +279,11 @@
PaDataEntry paDataEntry = new PaDataEntry();
paDataEntry.setPaDataType(PaDataType.PK_AS_REP);
//TODO CHOICE
- //paDataEntry.setPaDataValue(paPkAsRep.encode());
- byte[] paData = KrbCodec.encode(paPkAsRep.getDHRepInfo());
- paDataEntry.setPaDataValue(paData);
+ try {
+ paDataEntry.setPaDataValue(paPkAsRep.encode());
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
return paDataEntry;
}
