Merge branch 'master' of http://git-wip-us.apache.org/repos/asf/directory-kerby
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java
index 5015ba2..08a9019 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java
@@ -29,7 +29,6 @@
/**
* The shortcut API for ASN1 encoding, decoding and dumping.
- * TO BE WELL DOCUMENTED.
*/
public final class Asn1 {
@@ -37,31 +36,85 @@
}
+ /**
+ * Encode value into buffer.
+ * @param buffer
+ * @param value
+ * @throws IOException
+ */
public static void encode(ByteBuffer buffer, Asn1Type value) throws IOException {
value.encode(buffer);
}
+ /**
+ * Encode value and return the result.
+ * @param value
+ * @return
+ * @throws IOException
+ */
public static byte[] encode(Asn1Type value) throws IOException {
return value.encode();
}
+ /**
+ * Blindly decode content and return the result ASN1 object.
+ * @param content
+ * @return
+ * @throws IOException
+ */
public static Asn1Type decode(byte[] content) throws IOException {
return decode(ByteBuffer.wrap(content));
}
+ /**
+ * See avove.
+ */
public static Asn1Type decode(ByteBuffer content) throws IOException {
Asn1ParseResult parseResult = Asn1Parser.parse(content);
return Asn1Converter.convert(parseResult, false);
}
+ /**
+ * Decode using specified value container. Better to use this when the value
+ * type is known prior to the call.
+ * @param content
+ * @param value
+ * @throws IOException
+ */
+ public static void decode(byte[] content, Asn1Type value) throws IOException {
+ value.decode(content);
+ }
+
+ /**
+ * See avove.
+ */
+ public static void decode(ByteBuffer content, Asn1Type value) throws IOException {
+ value.decode(content);
+ }
+
+ /**
+ * Parse content and return parse result. Note this is different from decode,
+ * as it doesn't decode into values, only parse result info like offset,
+ * header len, body len and etc. are out.
+ * @param content
+ * @return
+ * @throws IOException
+ */
public static Asn1ParseResult parse(byte[] content) throws IOException {
return parse(ByteBuffer.wrap(content));
}
+ /**
+ * See avove.
+ */
public static Asn1ParseResult parse(ByteBuffer content) throws IOException {
return Asn1Parser.parse(content);
}
+ /**
+ * Dump out a value.
+ * @param value
+ */
public static void dump(Asn1Type value) {
Asn1Dumper dumper = new Asn1Dumper();
dumper.dumpType(0, value);
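Review bot: The new Javadoc blocks carry the typo `See avove.` (under decode(ByteBuffer), decode(ByteBuffer, Asn1Type) and parse(ByteBuffer) in this hunk, and again under parseAndDump and decodeAndDump in the next two hunks) together with several `@param`/`@return` tags that have no description, which javadoc lint reports as empty tags. Either fill the tags in or drop them; for the new `decode(byte[] content, Asn1Type value)` something like `@param content the encoded bytes to decode` and `@param value the pre-allocated container whose decode method is invoked` is enough. For the ByteBuffer overloads a cross-reference reads better than "see above", e.g. `Same as {@link #decode(byte[])}, reading from a ByteBuffer.` The body of dump() continues past the end of this hunk.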
@@ -69,28 +122,28 @@
System.out.println(output);
}
+ /**
+ * Parse first, and then dump out the parse result.
+ * @param hexStr
+ * @throws IOException
+ */
public static void parseAndDump(String hexStr) throws IOException {
byte[] data = HexUtil.hex2bytes(hexStr);
parseAndDump(data);
}
- public static void decodeAndDump(String hexStr) throws IOException {
- byte[] data = HexUtil.hex2bytes(hexStr);
- decodeAndDump(data);
- }
-
+ /**
+ * See avove.
+ */
public static void parseAndDump(ByteBuffer content) throws IOException {
byte[] bytes = new byte[content.remaining()];
content.get(bytes);
parseAndDump(bytes);
}
- public static void decodeAndDump(ByteBuffer content) throws IOException {
- byte[] bytes = new byte[content.remaining()];
- content.get(bytes);
- decodeAndDump(bytes);
- }
-
+ /**
+ * See avove.
+ */
public static void parseAndDump(byte[] content) throws IOException {
String hexStr = HexUtil.bytesToHex(content);
Asn1Dumper dumper = new Asn1Dumper();
@@ -101,6 +154,28 @@
System.out.println(output);
}
+ /**
+ * Decode first, and then dump out the decoded value.
+ * @param hexStr
+ * @throws IOException
+ */
+ public static void decodeAndDump(String hexStr) throws IOException {
+ byte[] data = HexUtil.hex2bytes(hexStr);
+ decodeAndDump(data);
+ }
+
+ /**
+ * See avove.
+ */
+ public static void decodeAndDump(ByteBuffer content) throws IOException {
+ byte[] bytes = new byte[content.remaining()];
+ content.get(bytes);
+ decodeAndDump(bytes);
+ }
+
+ /**
+ * See avove.
+ */
public static void decodeAndDump(byte[] content) throws IOException {
String hexStr = HexUtil.bytesToHex(content);
Asn1Dumper dumper = new Asn1Dumper();
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java
index f0cb632..f426764 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java
@@ -20,7 +20,7 @@
package org.apache.kerby.asn1;
import org.apache.kerby.asn1.parse.Asn1ParseResult;
-import org.apache.kerby.asn1.type.Asn1Specifix;
+import org.apache.kerby.asn1.type.Asn1Specific;
import org.apache.kerby.asn1.type.Asn1Collection;
import org.apache.kerby.asn1.type.Asn1Constructed;
import org.apache.kerby.asn1.type.Asn1Encodeable;
@@ -49,7 +49,7 @@
tmpValue.decode(parseResult);
return tmpValue;
} else if (parseResult.isTagSpecific()) {
- Asn1Specifix app = new Asn1Specifix(parseResult.tag());
+ Asn1Specific app = new Asn1Specific(parseResult.tag());
app.decode(parseResult);
return app;
} else {
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java
index 8e65ea2..3368a44 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java
@@ -22,7 +22,7 @@
import org.apache.kerby.asn1.parse.Asn1Item;
import org.apache.kerby.asn1.parse.Asn1ParseResult;
import org.apache.kerby.asn1.parse.Asn1Parser;
-import org.apache.kerby.asn1.type.Asn1Specifix;
+import org.apache.kerby.asn1.type.Asn1Specific;
import org.apache.kerby.asn1.type.Asn1Simple;
import org.apache.kerby.asn1.type.Asn1Type;
@@ -66,7 +66,7 @@
} else if (value instanceof Asn1Dumpable) {
Asn1Dumpable dumpable = (Asn1Dumpable) value;
dumpable.dumpWith(this, indents);
- } else if (value instanceof Asn1Specifix) {
+ } else if (value instanceof Asn1Specific) {
indent(indents).append(value.toString());
} else {
indent(indents).append("<Unknown>");
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
index 16e40b3..8f546c6 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
@@ -228,10 +228,22 @@
setFieldAs(index, new Asn1Integer(value));
}
- protected void setFieldAsBigInteger(EnumType index, BigInteger value) {
+ protected void setFieldAsInt(EnumType index, BigInteger value) {
setFieldAs(index, new Asn1Integer(value));
}
+ protected void setFieldAsObjId(EnumType index, String value) {
+ setFieldAs(index, new Asn1ObjectIdentifier(value));
+ }
+
+ protected String getFieldAsObjId(EnumType index) {
+ Asn1ObjectIdentifier objId = getFieldAs(index, Asn1ObjectIdentifier.class);
+ if (objId != null) {
+ return objId.getValue();
+ }
+ return null;
+ }
+
protected <T extends Asn1Type> T getFieldAsAny(EnumType index, Class<T> t) {
Asn1Type value = fields[index.getValue()];
if (value != null && value instanceof Asn1Any) {
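Review bot: Renaming the protected `setFieldAsBigInteger` to `setFieldAsInt` makes it an overload of what appears to be the existing int-taking `setFieldAsInt` just above the hunk, so any subclass outside this change that still calls `setFieldAsBigInteger` now fails to compile; if that is intended, a short note in the commit or a deprecated forwarding method would help downstream code. The new `getFieldAsObjId` returns null for an unset field without saying so; add `/** @return the dotted OID string of the field, or null if the field is not set. */` and a matching one-liner on `setFieldAsObjId`. The body of getFieldAsAny continues outside the hunk.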
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specifix.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specific.java
similarity index 86%
rename from kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specifix.java
rename to kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specific.java
index b52259c..423e67e 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specifix.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specific.java
@@ -25,15 +25,15 @@
import java.io.IOException;
/**
- * Application or context object mainly for using implicit encoding.
+ * Application or context specific object mainly for using implicit encoding.
*/
-public class Asn1Specifix extends AbstractAsn1Type<byte[]> {
+public class Asn1Specific extends AbstractAsn1Type<byte[]> {
- public Asn1Specifix(Tag tag, byte[] value) {
+ public Asn1Specific(Tag tag, byte[] value) {
super(tag, value);
}
- public Asn1Specifix(Tag tag) {
+ public Asn1Specific(Tag tag) {
super(tag);
}
diff --git a/kerby-config/src/main/java/org/apache/kerby/config/Conf.java b/kerby-config/src/main/java/org/apache/kerby/config/Conf.java
index d5bbcfc..86555e9 100644
--- a/kerby-config/src/main/java/org/apache/kerby/config/Conf.java
+++ b/kerby-config/src/main/java/org/apache/kerby/config/Conf.java
@@ -25,27 +25,23 @@
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
+/**
+ * A general class to describe and store all the config files.
+ */
public class Conf implements Config {
private static final Logger LOGGER = LoggerFactory.getLogger(Conf.class);
private List<ConfigLoader> resourceConfigs;
private final ConfigImpl config;
- private final Map<String, String> setValues;
- private boolean needReload;
public Conf() {
this.resourceConfigs = new ArrayList<ConfigLoader>(1);
this.config = new ConfigImpl("Conf");
- this.setValues = new HashMap<>(10);
- this.needReload = true;
-
- addMapConfig(setValues);
}
public void addXmlConfig(File xmlFile) throws IOException {
@@ -72,10 +68,16 @@
addResource(Resource.createMapResource(mapConfig));
}
- public void addResource(Resource resource) {
+ /**
+ * Load the resource name and content in one step.
+ * Add synchronized to avoid conflicts
+ * @param resource the config resource
+ */
+ public synchronized void addResource(Resource resource) {
ConfigLoader loader = getLoader(resource);
resourceConfigs.add(loader);
- needReload = true;
+ Config loaded = loader.load();
+ config.add(loaded);
}
private static ConfigLoader getLoader(Resource resource) {
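Review bot: In the new `addResource`, `resourceConfigs.add(loader)` runs before `loader.load()`, so if loading now fails inside addResource (it used to be deferred to checkAndLoad; whether load() can throw is not visible here) the loader stays registered and every later reload() retries it while the caller sees the failure. Loading first and registering only on success keeps the two in step: `Config loaded = loader.load();` `config.add(loaded);` `resourceConfigs.add(loader);`. The Javadoc line "Add synchronized to avoid conflicts" names the mechanism rather than the invariant; `Synchronized with reload() and setString() so that resourceConfigs and config are updated together.` tells the next maintainer why.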
@@ -94,16 +96,12 @@
return loader;
}
- private void checkAndLoad() {
- if (needReload) {
- reload();
- needReload = false;
- }
- }
-
- public void reload() {
+ /**
+ * For users usage, to determine whether to reload config files.
+ * Add synchronized to avoid conflicts
+ */
+ public synchronized void reload() {
config.reset();
-
for (ConfigLoader loader : resourceConfigs) {
Config loaded = loader.load();
config.add(loaded);
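Review bot: `reload()` starts with `config.reset()` and then replays only the registered loaders, but values written through `setString()` now go straight into `config` (next hunk) instead of into the old `setValues` map that was registered as a resource and so survived a reload; unless ConfigImpl.reset() preserves directly-set properties, which is not visible here, a reload silently discards everything set by the user. Either re-apply user-set values after the loop or state the new behaviour in the Javadoc. The sentence "For users usage, to determine whether to reload config files." is unclear; `Re-read every registered resource and rebuild the merged configuration from scratch.` says what the method does. The body of reload() continues past the end of the hunk.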
@@ -112,37 +110,38 @@
@Override
public String getResource() {
- checkAndLoad();
return config.getResource();
}
@Override
public Set<String> getNames() {
- checkAndLoad();
return config.getNames();
}
@Override
public String getString(String name) {
- checkAndLoad();
return config.getString(name);
}
@Override
public String getString(ConfigKey name, boolean useDefault) {
- checkAndLoad();
return config.getString(name, useDefault);
}
@Override
public String getString(String name, String defaultValue) {
- checkAndLoad();
return config.getString(name, defaultValue);
}
+ /**
+ * Values user sets will be add in config directly.
+ * Add synchronized to avoid conflicts
+ * @param name The property name
+ * @param value The string value
+ */
@Override
- public void setString(String name, String value) {
- setValues.put(name, value);
+ public synchronized void setString(String name, String value) {
+ config.set(name, value);
}
@Override
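Review bot: The getters in this hunk (`getResource`, `getNames`, `getString` and the same pattern in every following hunk) are now plain unsynchronized reads of `config`, while `reload()` rebuilds it in two steps (`reset()` then one `add()` per loader) under the monitor, so a reader on another thread can observe an empty or partially rebuilt configuration mid-reload and, without any synchronization on the read side, has no happens-before guarantee of seeing the new values at all. Either mark the getters `synchronized` as well, or have reload() build a fresh ConfigImpl and publish it in one volatile swap so readers always see a complete snapshot. This matters if the KDC's configuration (the test base below pushes TOKEN_VERIFY_KEYS and TOKEN_ISSUERS through `setString`) is backed by this class, since a torn read there changes which tokens are accepted.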
@@ -152,31 +151,26 @@
@Override
public String getTrimmed(String name) {
- checkAndLoad();
return config.getTrimmed(name);
}
@Override
public String getTrimmed(ConfigKey name) {
- checkAndLoad();
return config.getTrimmed(name);
}
@Override
public Boolean getBoolean(String name) {
- checkAndLoad();
return config.getBoolean(name);
}
@Override
public Boolean getBoolean(ConfigKey name, boolean useDefault) {
- checkAndLoad();
return config.getBoolean(name, useDefault);
}
@Override
public Boolean getBoolean(String name, Boolean defaultValue) {
- checkAndLoad();
return config.getBoolean(name, defaultValue);
}
@@ -192,19 +186,16 @@
@Override
public Integer getInt(String name) {
- checkAndLoad();
return config.getInt(name);
}
@Override
public Integer getInt(ConfigKey name, boolean useDefault) {
- checkAndLoad();
return config.getInt(name, useDefault);
}
@Override
public Integer getInt(String name, Integer defaultValue) {
- checkAndLoad();
return config.getInt(name, defaultValue);
}
@@ -220,19 +211,16 @@
@Override
public Long getLong(String name) {
- checkAndLoad();
return config.getLong(name);
}
@Override
public Long getLong(ConfigKey name, boolean useDefault) {
- checkAndLoad();
return config.getLong(name, useDefault);
}
@Override
public Long getLong(String name, Long defaultValue) {
- checkAndLoad();
return config.getLong(name, defaultValue);
}
@@ -248,19 +236,16 @@
@Override
public Float getFloat(String name) {
- checkAndLoad();
return config.getFloat(name);
}
@Override
public Float getFloat(ConfigKey name, boolean useDefault) {
- checkAndLoad();
return config.getFloat(name, useDefault);
}
@Override
public Float getFloat(String name, Float defaultValue) {
- checkAndLoad();
return config.getFloat(name, defaultValue);
}
@@ -276,69 +261,58 @@
@Override
public List<String> getList(String name) {
- checkAndLoad();
return config.getList(name);
}
@Override
public List<String> getList(String name, String[] defaultValue) {
- checkAndLoad();
return config.getList(name, defaultValue);
}
@Override
public List<String> getList(ConfigKey name) {
- checkAndLoad();
return config.getList(name);
}
@Override
public Config getConfig(String name) {
- checkAndLoad();
return config.getConfig(name);
}
@Override
public Config getConfig(ConfigKey name) {
- checkAndLoad();
return config.getConfig(name);
}
@Override
public Class<?> getClass(String name) throws ClassNotFoundException {
- checkAndLoad();
return config.getClass(name);
}
@Override
public Class<?> getClass(String name, Class<?> defaultValue)
throws ClassNotFoundException {
- checkAndLoad();
return config.getClass(name, defaultValue);
}
@Override
public Class<?> getClass(ConfigKey name, boolean useDefault)
throws ClassNotFoundException {
- checkAndLoad();
return config.getClass(name, useDefault);
}
@Override
public <T> T getInstance(String name) throws ClassNotFoundException {
- checkAndLoad();
return config.getInstance(name);
}
@Override
public <T> T getInstance(ConfigKey name) throws ClassNotFoundException {
- checkAndLoad();
return config.getInstance(name);
}
@Override
public <T> T getInstance(String name, Class<T> xface) throws ClassNotFoundException {
- checkAndLoad();
return config.getInstance(name, xface);
}
}
\ No newline at end of file
diff --git a/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java b/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java
index d083313..ec3090f 100644
--- a/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java
+++ b/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java
@@ -38,8 +38,6 @@
*/
private List<Config> configs;
- private Set<String> propNames;
-
protected ConfigImpl(String resource) {
this.resource = resource;
this.properties = new HashMap<String, ConfigObject>();
@@ -58,7 +56,10 @@
@Override
public Set<String> getNames() {
- reloadNames();
+ Set<String>propNames = new HashSet<String>(properties.keySet());
+ for (Config config : configs) {
+ propNames.addAll(config.getNames());
+ }
return propNames;
}
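Review bot: `Set<String>propNames` is missing the space after the type, and since `propNames` is now a local rather than the removed field, `new HashSet<>(properties.keySet())` fits the diamond style already used in this module. Building a fresh set per call removes the shared mutable field, but the loop still iterates `configs` without synchronization while Conf.addResource()/reload() append to the same list through `add()` (visible at the end of the next hunk), so a concurrent reload can raise ConcurrentModificationException here; either synchronize on the same monitor or iterate a copy.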
@@ -424,14 +425,4 @@
this.configs.add(config);
}
}
-
- private void reloadNames() {
- if (propNames != null) {
- propNames.clear();
- }
- propNames = new HashSet<String>(properties.keySet());
- for (Config config : configs) {
- propNames.addAll(config.getNames());
- }
- }
}
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AccessTokenKdcTest.java
similarity index 88%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AccessTokenKdcTest.java
index 3971265..57b2b1b 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AccessTokenKdcTest.java
@@ -34,7 +34,7 @@
import org.junit.Assert;
import org.junit.Test;
-public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
+public class AccessTokenKdcTest extends TokenKdcTestBase {
@Test
public void testRequestServiceTicketWithAccessToken() throws Exception {
@@ -44,7 +44,7 @@
@Test
public void testBadIssuer() throws Exception {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
prepareToken(getServerPrincipal(), "oauth1.com", privateKey, null);
@@ -59,7 +59,7 @@
@Test
public void testBadAudienceRestriction() throws Exception {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
prepareToken("bad-service" + "/" + getHostname() + "@" + TestKdcServer.KDC_REALM,
ISSUER, privateKey, null);
@@ -103,10 +103,10 @@
@Test
public void testSignedEncryptedToken() throws Exception {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
+ is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
prepareToken(getServerPrincipal(), ISSUER, privateKey, publicKey);
@@ -119,7 +119,7 @@
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.generateKeyPair();
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), publicKey);
@@ -136,7 +136,7 @@
private void performTest() throws Exception {
createCredentialCache(getClientPrincipal(), getClientPassword());
- KrbTokenClient tokenClient = new KrbTokenClient(getKrbClient());
+ KrbTokenClient tokenClient = getTokenClient();
try {
SgtTicket sgtTicket = tokenClient.requestSgt(
getKrbToken(), getServerPrincipal(), getcCacheFile().getPath());
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
index 9e64fe8..215d8b0 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
@@ -19,6 +19,7 @@
*/
package org.apache.kerby.kerberos.kdc;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
@@ -26,18 +27,24 @@
import org.apache.kerby.kerberos.kerb.server.KdcTestBase;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import static org.assertj.core.api.Assertions.assertThat;
+/**
+ * Anonymous PKINIT test.
+ */
public class AnonymousPkinitKdcTest extends KdcTestBase {
-
private String serverPrincipal;
+ private KrbPkinitClient pkinitClient;
@Before
public void setUp() throws Exception {
super.setUp();
+
+ pkinitClient = getPkinitClient();
}
@Override
@@ -57,28 +64,24 @@
super.createPrincipals();
//Anonymity support is not enabled by default.
//To enable it, you must create the principal WELLKNOWN/ANONYMOUS
- getKdcServer().createPrincipal("WELLKNOWN/ANONYMOUS");
+ getKdcServer().createPrincipal(KrbConstant.ANONYMOUS_PRINCIPAL);
}
@Test
public void testAnonymity() throws Exception {
-
- getKrbClient().init();
-
-
TgtTicket tgt;
- KrbPkinitClient pkinitClient = new KrbPkinitClient(getKrbClient());
+
try {
tgt = pkinitClient.requestTgt();
} catch (KrbException te) {
te.printStackTrace();
- assertThat(te.getMessage().contains("timeout")).isTrue();
+ Assert.fail();
return;
}
assertThat(tgt).isNotNull();
serverPrincipal = getServerPrincipal();
- SgtTicket tkt = getKrbClient().requestSgt(tgt, serverPrincipal);
+ SgtTicket tkt = pkinitClient.requestSgt(tgt, serverPrincipal);
assertThat(tkt).isNotNull();
}
}
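Review bot: The catch block in `testAnonymity` prints the stack trace and then calls `Assert.fail()` with no message, so the JUnit report shows only a bare assertion failure and the real cause is lost in stdout. Since the method already declares `throws Exception`, drop the try/catch and let the call propagate: `TgtTicket tgt = pkinitClient.requestTgt();`. The rest of the test then reads straight through with the two `isNotNull()` checks.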
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/IdentityTokenKdcTest.java
similarity index 89%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/IdentityTokenKdcTest.java
index 5eaa176..5aa2115 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/IdentityTokenKdcTest.java
@@ -35,7 +35,7 @@
import java.security.PrivateKey;
import java.security.PublicKey;
-public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
+public class IdentityTokenKdcTest extends TokenKdcTestBase {
@Test
public void testKdc() throws Exception {
@@ -45,7 +45,7 @@
@Test
public void testBadIssuer() throws Exception {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
prepareToken(getAudience("krbtgt"), "oauth1.com", privateKey, null);
@@ -60,7 +60,7 @@
@Test
public void testBadAudienceRestriction() throws Exception {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
prepareToken("krbtgt2@EXAMPLE.COM", ISSUER, privateKey, null);
@@ -102,10 +102,10 @@
@Test
public void testSignedEncryptedToken() throws Exception {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is);
- is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
+ is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
prepareToken(getAudience("krbtgt"), ISSUER, privateKey, publicKey);
@@ -118,7 +118,7 @@
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyGen.generateKeyPair();
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem");
PublicKey publicKey = PublicKeyReader.loadPublicKey(is);
prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), publicKey);
@@ -137,7 +137,7 @@
createCredentialCache(getClientPrincipal(), getClientPassword());
TgtTicket tgt;
- KrbTokenClient tokenClient = new KrbTokenClient(getKrbClient());
+ KrbTokenClient tokenClient = getTokenClient();
try {
tgt = tokenClient.requestTgt(getKrbToken(),
getcCacheFile().getPath());
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithCertKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/PkinitKdcTest.java
similarity index 94%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithCertKdcTest.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/PkinitKdcTest.java
index 1705bf9..f226a97 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithCertKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/PkinitKdcTest.java
@@ -25,7 +25,7 @@
import org.apache.kerby.kerberos.kerb.server.KdcTestBase;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
-import org.apache.kerby.pki.PkiLoader;
+import org.apache.kerby.pkix.PkiLoader;
import org.junit.Before;
import org.junit.Test;
@@ -36,6 +36,10 @@
import static org.assertj.core.api.Assertions.assertThat;
/**
+ * RSA PKINIT test.
+ */
+
+/**
openssl genrsa -out cakey.pem 2048
openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
vi extensions.kdc
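Review bot: The added `/** RSA PKINIT test. */` is immediately followed by a second `/** ... */` comment holding the openssl recipe, and only the last doc comment before a declaration is attached to it, so the new summary is dangling and javadoc ignores it. Merge the two by deleting the `*/` and `/**` pair between them and wrapping the recipe in `<pre>`, i.e. `/**` ` * RSA PKINIT test.` ` * <pre>` followed by the existing commands, so the class gets one Javadoc with the commands' line breaks preserved.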
@@ -44,17 +48,21 @@
env REALM=SH.INTEL.COM openssl x509 -req -in kdc.req -CAkey cakey.pem \
-CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
*/
-public class WithCertKdcTest extends KdcTestBase {
+public class PkinitKdcTest extends KdcTestBase {
private PkiLoader pkiLoader;
private String serverPrincipal;
private Certificate userCert;
private PrivateKey userKey; //NOPMD
+ private KrbPkinitClient pkinitClient;
+
@Before
public void setUp() throws Exception {
pkiLoader = new PkiLoader();
super.setUp();
+
+ pkinitClient = getPkinitClient();
}
@Override
@@ -80,10 +88,7 @@
public void testPkinit() throws Exception {
assertThat(userCert).isNotNull();
- getKrbClient().init();
-
TgtTicket tgt;
- KrbPkinitClient pkinitClient = new KrbPkinitClient(getKrbClient());
try {
String userCertPath = getClass().getResource("/usercert.pem").getPath();
String userKeyPath = getClass().getResource("/userkey.pem").getPath();
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
similarity index 94%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
index f33309f..387ad52 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
@@ -48,7 +48,7 @@
import static org.assertj.core.api.Assertions.assertThat;
-public class WithTokenKdcTestBase extends KdcTestBase {
+public class TokenKdcTestBase extends KdcTestBase {
static final String SUBJECT = "test-sub";
static final String ISSUER = "oauth2.com";
static final String GROUP = "sales-group";
@@ -68,7 +68,7 @@
String verifyKeyPath = this.getClass().getResource("/").getPath();
getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_VERIFY_KEYS, verifyKeyPath);
- URL privateKeyPath = WithTokenKdcTestBase.class.getResource("/private_key.pem");
+ URL privateKeyPath = TokenKdcTestBase.class.getResource("/private_key.pem");
getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_DECRYPTION_KEYS, privateKeyPath.getPath());
getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_ISSUERS, ISSUER);
}
@@ -82,7 +82,7 @@
}
protected AuthToken prepareToken(String audience) {
- InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
+ InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem");
PrivateKey privateKey = null;
try {
privateKey = PrivateKeyReader.loadPrivateKey(is);
@@ -120,10 +120,10 @@
TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
if (tokenEncoder instanceof JwtTokenEncoder && signingKey != null) {
- ((JwtTokenEncoder) tokenEncoder).setSignKey(signingKey);
+ tokenEncoder.setSignKey(signingKey);
}
if (tokenEncoder instanceof JwtTokenEncoder && encryptionKey != null) {
- ((JwtTokenEncoder) tokenEncoder).setEncryptionKey(encryptionKey);
+ tokenEncoder.setEncryptionKey(encryptionKey);
}
krbToken = new KrbToken();
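Review bot: With the casts gone, `setSignKey` and `setEncryptionKey` must now be declared on `TokenEncoder` itself (inferred from the change compiling), so the `instanceof JwtTokenEncoder` half of each condition no longer gates anything the compiler needs and reads as a leftover. If the intent really is that only a JWT encoder receives keys, keep the check and say so in a comment; otherwise simplify to `if (signingKey != null) { tokenEncoder.setSignKey(signingKey); }` and likewise for the encryption key. The enclosing method starts and ends outside the hunk.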
diff --git a/kerby-kerb/kerb-client/pom.xml b/kerby-kerb/kerb-client/pom.xml
index 5bbc680..d75eaea 100644
--- a/kerby-kerb/kerb-client/pom.xml
+++ b/kerby-kerb/kerb-client/pom.xml
@@ -46,10 +46,5 @@
<artifactId>kerb-util</artifactId>
<version>${project.version}</version>
</dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
- <version>1.52</version>
- </dependency>
</dependencies>
</project>
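Review bot: Dropping `bcpkix-jdk15on` from kerb-client while PkinitPreauth in this same change still calls `PkinitCrypto.cmsSignedDataCreate` (CMS signing) means the BouncyCastle classes must now arrive transitively through whichever module hosts PkinitCrypto, presumably the one providing the `org.apache.kerby.pkix` package imported in PkinitKdcTest. Worth confirming that that module declares it at compile scope with the same version, so kerb-client does not rely on an undeclared transitive dependency that a later dependency-management change could silently remove, and that the deleted SignedDataEngine was the last direct BouncyCastle use in this module.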
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java
index 1a8306f..4c29394 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java
@@ -29,21 +29,21 @@
NONE(null),
/* KDC flags */
- FORWARDABLE(new KOptionInfo("forwardable", "forwardable",
+ FORWARDABLE(new KOptionInfo("-f", "forwardable",
KrbOptionGroup.KDC_FLAGS)),
- PROXIABLE(new KOptionInfo("proxiable", "proxiable",
+ PROXIABLE(new KOptionInfo("-p", "proxiable",
KrbOptionGroup.KDC_FLAGS)),
- REQUEST_ANONYMOUS(new KOptionInfo("request-anonymous",
+ REQUEST_ANONYMOUS(new KOptionInfo("-n",
"request anonymous", KrbOptionGroup.KDC_FLAGS)),
- VALIDATE(new KOptionInfo("validate", "validate",
+ VALIDATE(new KOptionInfo("-v", "validate",
KrbOptionGroup.KDC_FLAGS)),
- RENEW(new KOptionInfo("renew", "renew",
+ RENEW(new KOptionInfo("-R", "renew",
KrbOptionGroup.KDC_FLAGS)),
- RENEWABLE(new KOptionInfo("renewable", "renewable",
+ RENEWABLE(new KOptionInfo("-r", "renewable-life",
KrbOptionGroup.KDC_FLAGS)),
RENEWABLE_OK(new KOptionInfo("renewable-ok", "renewable ok",
KrbOptionGroup.KDC_FLAGS)),
- CANONICALIZE(new KOptionInfo("canonicalize", "canonicalize",
+ CANONICALIZE(new KOptionInfo("-C", "canonicalize",
KrbOptionGroup.KDC_FLAGS)),
ANONYMOUS(new KOptionInfo("-n", "anonymous",
KrbOptionGroup.KDC_FLAGS));
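Review bot: `REQUEST_ANONYMOUS` is changed to `"-n"`, but the unchanged `ANONYMOUS` constant at the end of the hunk already uses `"-n"`, so two enum constants now share one option name; whatever resolves options by that first KOptionInfo argument can only ever return one of them, so give one of the pair a distinct flag or merge them. `RENEWABLE_OK` also keeps the long form `renewable-ok` while every neighbour moved to a kinit-style single-letter switch; if that is deliberate a short comment would stop the next reader from "fixing" it. The enum body continues past the end of the hunk.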
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
index 4668583..fd361f7 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.client;
import org.apache.kerby.KOptions;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
@@ -89,7 +90,8 @@
public TgtTicket requestTgt() throws KrbException {
KOptions requestOptions = new KOptions();
requestOptions.add(PkinitOption.USE_ANONYMOUS);
- requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "WELLKNOWN/ANONYMOUS");
+ requestOptions.add(KrbOption.CLIENT_PRINCIPAL,
+ KrbConstant.ANONYMOUS_PRINCIPAL);
return requestTgt(requestOptions);
}
}
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 640f718..26b7203 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -50,7 +50,7 @@
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PkAuthenticator;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.TrustedCertifiers;
import org.apache.kerby.x509.type.AlgorithmIdentifier;
-import org.apache.kerby.x509.type.DHParameter;
+import org.apache.kerby.x509.type.DhParameter;
import org.apache.kerby.x509.type.SubjectPublicKeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -241,7 +241,7 @@
String content = "0x06 07 2A 86 48 ce 3e 02 01";
Asn1ObjectIdentifier dhOid = PkinitCrypto.createOid(content);
AlgorithmIdentifier dhAlg = new AlgorithmIdentifier();
- dhAlg.setAlgorithm(dhOid);
+ dhAlg.setAlgorithm(dhOid.getValue());
DhClient client = new DhClient();
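Review bot: `dhAlg.setAlgorithm(dhOid.getValue())` obtains a fixed OID by decoding a hand-written DER hex string through createOid, which since this commit can throw KrbException, only to extract the dotted-decimal form that setAlgorithm now takes directly. If I read the bytes correctly they encode 1.2.840.10046.2.1 (dhpublicnumber); a named String constant with that value would remove the decode step and its new failure path, and make the algorithm readable at the call site. PluginOpts.createSupportedCMSTypes in this commit has the same pattern with the des-ede3-cbc OID. The enclosing method starts and ends outside the hunk.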
@@ -256,7 +256,7 @@
DHParameterSpec type = clientPubKey.getParams();
BigInteger q = type.getP().shiftRight(1);
- DHParameter dhParameter = new DHParameter();
+ DhParameter dhParameter = new DhParameter();
dhParameter.setP(type.getP());
dhParameter.setG(type.getG());
dhParameter.setQ(q);
@@ -270,7 +270,7 @@
authPack.setClientPublicValue(pubInfo);
-// DHNonce dhNonce = new DHNonce();
+// DhNonce dhNonce = new DhNonce();
// authPack.setClientDhNonce(dhNonce);
} else {
@@ -293,7 +293,7 @@
private byte[] signAuthPack(AuthPack authPack) throws KrbException {
- Asn1ObjectIdentifier oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
+ String oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
byte[] signedDataBytes = PkinitCrypto.cmsSignedDataCreate(
KrbCodec.encode(authPack), oid, 3, null, null, null, null);
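Review bot: signAuthPack passes `null` for digestAlgorithmIdentifiers, certificateSet, crls and signerInfos, so the SignedData it builds carries no signer at all despite the method name; the only thing tied to the content is the eContentType OID changed in this hunk. That looks like the anonymous PKINIT path (KrbPkinitClient.requestTgt adds USE_ANONYMOUS), but nothing here says so, and a reader checking where the AuthPack gets signed will be misled. A comment such as `// anonymous PKINIT: no SignerInfos, the SignedData is unsigned by design` on the call would remove the ambiguity. The method body continues past the hunk.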
@@ -361,7 +361,6 @@
* @return PaDataEntry to be made.
*/
private PaDataEntry makeEntry(PaPkAsReq paPkAsReq) throws KrbException {
-
PaDataEntry paDataEntry = new PaDataEntry();
paDataEntry.setPaDataType(PaDataType.PK_AS_REQ);
paDataEntry.setPaDataValue(KrbCodec.encode(paPkAsReq));
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
deleted file mode 100644
index a63dfe9..0000000
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
+++ /dev/null
@@ -1,210 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
-
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.ReplyKeyPack;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaCertStore;
-import org.bouncycastle.cms.CMSException;
-import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.CMSSignedData;
-import org.bouncycastle.cms.CMSSignedDataGenerator;
-import org.bouncycastle.cms.CMSTypedData;
-import org.bouncycastle.cms.SignerInformation;
-import org.bouncycastle.cms.SignerInformationStore;
-import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
-import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.util.Store;
-
-import java.io.IOException;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.List;
-
-
-/**
- * Encapsulates working with PKINIT signed data structures.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-public class SignedDataEngine {
- private static final String ID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1";
- private static final String ID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2";
- private static final String ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3";
-
- /**
- * Uses a private key to sign data in a CMS SignedData structure and returns
- * the encoded CMS SignedData as bytes.
- * <p/>
- * 'signedAuthPack' contains a CMS type ContentInfo encoded according to [RFC3852].
- * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2),
- * and the content field is a SignedData.
- * <p/>
- * The eContentType field for the type SignedData is id-pkinit-authData (1.3.6.1.5.2.3.1),
- * and the eContent field contains the DER encoding of the type AuthPack.
- *
- * @param privateKey
- * @param certificate
- * @param authPack
- * @return The CMS SignedData bytes.
- * @throws OperatorCreationException
- * @throws CertificateEncodingException
- * @throws CMSException
- * @throws IOException
- */
- public static byte[] getSignedAuthPack(PrivateKey privateKey, X509Certificate certificate,
- AuthPack authPack)
- throws OperatorCreationException, CertificateEncodingException, CMSException, IOException {
- return getSignedData(privateKey, certificate, authPack.encode(), ID_PKINIT_AUTHDATA);
- }
-
-
- /**
- * Uses a private key to sign data in a CMS SignedData structure and returns
- * the encoded CMS SignedData as bytes.
- * <p/>
- * 'dhSignedData' contains a CMS type ContentInfo encoded according to [RFC3852].
- * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2),
- * and the content field is a SignedData.
- * <p/>
- * The eContentType field for the type SignedData is id-pkinit-DHKeyData (1.3.6.1.5.2.3.2),
- * and the eContent field contains the DER encoding of the type KDCDHKeyInfo.
- *
- * @param privateKey
- * @param certificate
- * @param kdcDhKeyInfo
- * @return The CMS SignedData bytes.
- * @throws OperatorCreationException
- * @throws CertificateEncodingException
- * @throws CMSException
- * @throws IOException
- */
- public static byte[] getSignedKdcDhKeyInfo(PrivateKey privateKey, X509Certificate certificate,
- KdcDHKeyInfo kdcDhKeyInfo)
- throws OperatorCreationException, CertificateEncodingException, CMSException, IOException {
- return getSignedData(privateKey, certificate, kdcDhKeyInfo.encode(), ID_PKINIT_DHKEYDATA);
- }
-
-
- /**
- * Uses a private key to sign data in a CMS SignedData structure and returns
- * the encoded CMS SignedData as bytes.
- * <p/>
- * Selected when public key encryption is used.
- * <p/>
- * The eContentType field for the inner type SignedData (when unencrypted) is
- * id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the eContent field contains the
- * DER encoding of the type ReplyKeyPack.
- *
- * @param privateKey
- * @param certificate
- * @param replyKeyPack
- * @return The CMS SignedData bytes.
- * @throws OperatorCreationException
- * @throws CertificateEncodingException
- * @throws CMSException
- * @throws IOException
- */
- public static byte[] getSignedReplyKeyPack(PrivateKey privateKey, X509Certificate certificate,
- ReplyKeyPack replyKeyPack)
- throws OperatorCreationException, CertificateEncodingException, CMSException, IOException {
- return getSignedData(privateKey, certificate, replyKeyPack.encode(), ID_PKINIT_RKEYDATA);
- }
-
-
- static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[] dataToSign,
- String eContentType) throws IOException, OperatorCreationException,
- CertificateEncodingException, CMSException {
-
- if (Security.getProvider("BC") == null) {
- Security.addProvider(new BouncyCastleProvider());
- }
-
-
- List certList = new ArrayList();
- certList.add(certificate);
- Store certs = new JcaCertStore(certList);
-
- CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
-
- gen.addSignerInfoGenerator(
- new JcaSimpleSignerInfoGeneratorBuilder()
- .setProvider("BC")
- .build("SHA1withRSA", privateKey, certificate));
-
- gen.addCertificates(certs);
-
- ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType);
- CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign);
- CMSSignedData s = gen.generate(msg, true);
-
- return s.getEncoded();
- }
-
- /**
- * Validates a CMS SignedData using the public key corresponding to the private
- * key used to sign the structure.
- *
- * @param s
- * @return true if the signature is valid.
- * @throws Exception
- */
- public static boolean validateSignedData(CMSSignedData s) throws Exception {
-
- Store certStore = s.getCertificates();
- Store crlStore = s.getCRLs();
- SignerInformationStore signers = s.getSignerInfos();
-
- Collection c = signers.getSigners();
- Iterator it = c.iterator();
-
- while (it.hasNext()) {
- SignerInformation signer = (SignerInformation) it.next();
- Collection certCollection = certStore.getMatches(signer.getSID());
-
- Iterator certIt = certCollection.iterator();
- X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
-
- if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
- return false;
- }
- }
-
- Collection certColl = certStore.getMatches(null);
- Collection crlColl = crlStore.getMatches(null);
-
- if (certColl.size() != s.getCertificates().getMatches(null).size()
- || crlColl.size() != s.getCRLs().getMatches(null).size()) {
- return false;
- }
- return true;
- }
-}
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
index f6e0e41..3e7c114 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
@@ -32,7 +32,7 @@
import org.apache.kerby.kerberos.kerb.client.PkinitOption;
import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.crypto.dh.DhClient;
-import org.apache.kerby.kerberos.kerb.preauth.pkinit.CMSMessageType;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -44,8 +44,8 @@
import org.apache.kerby.kerberos.kerb.type.pa.PaData;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import org.apache.kerby.x509.type.Certificate;
import org.slf4j.Logger;
@@ -110,7 +110,7 @@
LOG.info("processing PK_AS_REP");
PaPkAsRep paPkAsRep = KrbCodec.decode(paEntry.getPaDataValue(), PaPkAsRep.class);
- DHRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
+ DhRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
byte[] dhSignedData = dhRepInfo.getDHSignedData();
@@ -123,8 +123,8 @@
SignedData signedData = contentInfo.getContentAs(SignedData.class);
- PkinitCrypto.verifyCMSSignedData(
- CMSMessageType.CMS_SIGN_SERVER, signedData);
+ PkinitCrypto.verifyCmsSignedData(
+ CmsMessageType.CMS_SIGN_SERVER, signedData);
String anchorFileName = getContext().getConfig().getPkinitAnchors().get(0);
@@ -163,16 +163,16 @@
LOG.info("skipping EKU check");
LOG.info("as_rep: DH key transport algorithm");
- KdcDHKeyInfo kdcDHKeyInfo = new KdcDHKeyInfo();
+ KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
try {
- kdcDHKeyInfo.decode(signedData.getEncapContentInfo().getContent());
+ kdcDhKeyInfo.decode(signedData.getEncapContentInfo().getContent());
} catch (IOException e) {
- String errMessage = "failed to decode KdcDHKeyInfo " + e.getMessage();
+ String errMessage = "failed to decode KdcDhKeyInfo " + e.getMessage();
LOG.error(errMessage);
throw new KrbException(errMessage);
}
- byte[] subjectPublicKey = kdcDHKeyInfo.getSubjectPublicKey().getValue();
+ byte[] subjectPublicKey = kdcDhKeyInfo.getSubjectPublicKey().getValue();
Asn1Integer clientPubKey = KrbCodec.decode(subjectPublicKey, Asn1Integer.class);
BigInteger y = clientPubKey.getValue();
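Review bot: The catch block rewritten in this hunk still drops the IOException cause: `throw new KrbException(errMessage);` keeps only e.getMessage() in the text, so the decode failure's stack is lost. KrbException has a (String, Throwable) constructor (PkinitUtil in this same commit uses it), so `throw new KrbException(errMessage, e);` preserves it; the preceding `LOG.error(errMessage)` then duplicates what the catcher will log. The enclosing method starts and ends outside the hunk.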
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
index 08ca20b..32e0db2 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -23,7 +23,7 @@
import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbContext;
-import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
import org.apache.kerby.kerberos.kerb.client.KrbOptionGroup;
import org.apache.kerby.kerberos.kerb.client.preauth.KrbFastRequestState;
import org.apache.kerby.kerberos.kerb.client.preauth.PreauthContext;
@@ -412,9 +412,9 @@
for (KOption kOpt: requestOptions.getOptions()) {
if (kOpt.getOptionInfo().getGroup() == KrbOptionGroup.KDC_FLAGS) {
- KrbOption krbOption = (KrbOption) kOpt;
- KdcOption kdcOption = KdcOption.valueOf(krbOption.name());
- boolean flagValue = requestOptions.getBooleanOption(kOpt, false);
+ KrbKdcOption krbKdcOption = (KrbKdcOption) kOpt;
+ KdcOption kdcOption = KdcOption.valueOf(krbKdcOption.name());
+ boolean flagValue = requestOptions.getBooleanOption(kOpt, true);
kdcOptions.setFlag(kdcOption, flagValue);
}
}
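Review bot: The default passed to getBooleanOption flips from `false` to `true`, so a KDC_FLAGS option present in requestOptions without an explicit value now sets the corresponding KdcOption, and nothing in the hunk records why. Presumably adding such an option is itself the request to set the flag (KrbPkinitClient.requestTgt adds PkinitOption.USE_ANONYMOUS with no value), but that deserves a comment on the line: `// KDC_FLAGS options are only added when requested, so presence alone means the flag is set`. The cast `(KrbKdcOption) kOpt` keys on the option group rather than the type, so it relies on every KDC_FLAGS option being a KrbKdcOption; worth stating that invariant next to the cast, since a foreign KOption in that group would surface as a ClassCastException here. The enclosing method starts outside the hunk.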
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CMSMessageType.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CmsMessageType.java
similarity index 93%
rename from kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CMSMessageType.java
rename to kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CmsMessageType.java
index 683b52f..7aa2b9f 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CMSMessageType.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CmsMessageType.java
@@ -19,7 +19,7 @@
*/
package org.apache.kerby.kerberos.kerb.preauth.pkinit;
-public enum CMSMessageType {
+public enum CmsMessageType {
UNKNOWN (-1),
CMS_SIGN_CLIENT (0x01),
CMS_SIGN_SERVER (0x03),
@@ -32,7 +32,7 @@
/**
* Create an instance of this class
*/
- private CMSMessageType(int value) {
+ private CmsMessageType(int value) {
this.value = value;
}
@@ -48,7 +48,7 @@
* @param value The integer value
* @return The associated UniversalTag
*/
- public static CMSMessageType fromValue(int value) {
+ public static CmsMessageType fromValue(int value) {
switch (value) {
case 0x01 : return CMS_SIGN_CLIENT;
case 0x03 : return CMS_SIGN_SERVER;
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
index e9cca99..262f84c 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -30,8 +30,9 @@
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.util.HexUtil;
import org.apache.kerby.x509.type.Certificate;
-import org.apache.kerby.x509.type.DHParameter;
+import org.apache.kerby.x509.type.DhParameter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -63,15 +64,15 @@
* @param cmsMsgType The CMS message type
* @param signedData The signed data
*/
- public static void verifyCMSSignedData(CMSMessageType cmsMsgType, SignedData signedData)
+ public static void verifyCmsSignedData(CmsMessageType cmsMsgType, SignedData signedData)
throws KrbException {
- Asn1ObjectIdentifier oid = pkinitType2OID(cmsMsgType);
+ String oid = pkinitType2OID(cmsMsgType);
if (oid == null) {
throw new KrbException("Can't get the right oid ");
}
- Asn1ObjectIdentifier etype = signedData.getEncapContentInfo().getContentType();
- if (oid.getValue().equals(etype.getValue())) {
+ String etype = signedData.getEncapContentInfo().getContentType();
+ if (oid.equals(etype)) {
LOG.info("CMS Verification successful");
} else {
LOG.error("Wrong oid in eContentType");
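Review bot: verifyCmsSignedData only compares the eContentType OID with the one expected for cmsMsgType and then logs "CMS Verification successful"; no check of the signature, the certificates or the SignerInfos is visible here, and the isSigned helper that at least detected an empty SignerInfos is deleted in the next hunk of this file. The name and the log text promise more than the method does, which matters because AsRequestWithCert calls it on the KDC reply and then decodes the DH public value out of the same SignedData. If signature validation happens elsewhere, the Javadoc should say so, e.g. `Checks only that the eContentType matches the PKINIT OID for cmsMsgType; the SignedData signature is not validated here.`, and the log line should be worded to match; otherwise this is where that check belongs. The method's else branch continues past the hunk.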
@@ -80,25 +81,11 @@
}
/**
- * Check whether signed of data, true if the SignerInfos are not null
- * @param signedData The signed data
- * @return boolean
- */
- public static boolean isSigned(SignedData signedData) {
- /* Not actually signed; anonymous case */
- if (signedData.getSignerInfos().getElements().size() == 0) {
- return false;
- } else {
- return true;
- }
- }
-
- /**
* Change the CMS message type to oid
* @param cmsMsgType The CMS message type
* @return oid
*/
- public static Asn1ObjectIdentifier pkinitType2OID(CMSMessageType cmsMsgType) {
+ public static String pkinitType2OID(CmsMessageType cmsMsgType) {
switch (cmsMsgType) {
case UNKNOWN:
return null;
@@ -117,10 +104,10 @@
* KDC check the key parameter
* @param pluginOpts The PluginOpts
* @param cryptoctx The PkinitPlgCryptoContext
- * @param dhParameter The DHParameter
+ * @param dhParameter The DhParameter
*/
public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx,
- DHParameter dhParameter) throws KrbException {
+ DhParameter dhParameter) throws KrbException {
/* KDC SHOULD check to see if the key parameters satisfy its policy */
int dhPrimeBits = dhParameter.getP().bitLength();
if (dhPrimeBits < pluginOpts.dhMinBits) {
@@ -135,12 +122,12 @@
/**
* Check DH wellknown
* @param cryptoctx The PkinitPlgCryptoContext
- * @param dhParameter The DHParameter
+ * @param dhParameter The DhParameter
* @param dhPrimeBits The dh prime bits
* @return boolean
*/
public static boolean checkDHWellknown(PkinitPlgCryptoContext cryptoctx,
- DHParameter dhParameter, int dhPrimeBits) throws KrbException {
+ DhParameter dhParameter, int dhPrimeBits) throws KrbException {
boolean valid = false;
switch (dhPrimeBits) {
case 1024:
@@ -161,9 +148,9 @@
* Check parameters against a well-known DH group
*
* @param dh1 The DHParameterSpec
- * @param dh2 The DHParameter
+ * @param dh2 The DhParameter
*/
- public static boolean pkinitCheckDhParams(DHParameterSpec dh1, DHParameter dh2) {
+ public static boolean pkinitCheckDhParams(DHParameterSpec dh1, DhParameter dh2) {
if (!dh1.getP().equals(dh2.getP())) {
LOG.error("p is not well-known group dhparameter");
@@ -221,12 +208,12 @@
* @param signerInfos The signerInfos
* @return The encoded ContentInfo
*/
- public static byte[] cmsSignedDataCreate(byte[] data, Asn1ObjectIdentifier oid, int version,
+ public static byte[] cmsSignedDataCreate(byte[] data, String oid, int version,
DigestAlgorithmIdentifiers digestAlgorithmIdentifiers,
CertificateSet certificateSet,
RevocationInfoChoices crls, SignerInfos signerInfos) throws KrbException {
SignedContentInfo contentInfo = new SignedContentInfo();
- contentInfo.setContentType(new Asn1ObjectIdentifier("1.2.840.113549.1.7.2"));
+ contentInfo.setContentType("1.2.840.113549.1.7.2");
SignedData signedData = new SignedData();
signedData.setVersion(version);
if (digestAlgorithmIdentifiers != null) {
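Review bot: `contentInfo.setContentType("1.2.840.113549.1.7.2")` now inlines the id-signedData OID as a bare string literal since setContentType takes a String. A named constant beside the other PKINIT OID strings, `private static final String ID_SIGNED_DATA = "1.2.840.113549.1.7.2";`, keeps the meaning visible and avoids the value being retyped elsewhere. The method continues past the hunk.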
@@ -327,17 +314,19 @@
InvalidAlgorithmParameterException, CertPathValidatorException {
//TODO
-// CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-// CertPath certPath = certificateFactory.generateCertPath(certificateList);
-//
-// CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
-//
-// TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
-//
-// PKIXParameters parameters = new PKIXParameters(Collections.singleton(trustAnchor));
-// parameters.setRevocationEnabled(false);
-//
-// cpv.validate(certPath, parameters);
+ /*
+ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+ CertPath certPath = certificateFactory.generatertPath(certificateList);
+
+ CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
+
+ TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
+
+ PKIXParameters parameters = new PKIXParameters(Collections.singleton(trustAnchor));
+ parameters.setRevocationEnabled(false);
+
+ cpv.validate(certPath, parameters);
+ */
}
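Review bot: The block comment that replaces the line comments introduces a typo, `generatertPath` where the removed line read `generateCertPath`, so the code will not compile when someone un-comments it. More importantly the method body is now empty apart from the TODO: it declares CertPathValidatorException and InvalidAlgorithmParameterException yet returns without validating anything, so every caller proceeds as if the certificate chain had been checked. Until the validation is implemented the method should either fail closed or carry an explicit statement of that fact, e.g. `// TODO(review): no certificate path validation is performed yet; callers must not treat a normal return as a verified chain`. The method signature is above the hunk.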
/**
@@ -346,14 +335,10 @@
* @param content The hex content
* @return The oid
*/
- public static Asn1ObjectIdentifier createOid(String content) {
+ public static Asn1ObjectIdentifier createOid(String content) throws KrbException {
Asn1ObjectIdentifier oid = new Asn1ObjectIdentifier();
oid.useDER();
- try {
- oid.decode(Util.hex2bytes(content));
- } catch (IOException e) {
- e.printStackTrace();
- }
+ KrbCodec.decode(HexUtil.hex2bytesFriendly(content), oid);
return oid;
}
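Review bot: createOid now declares `throws KrbException` instead of printing the IOException and returning a half-initialised OID, which is the right direction, but the Javadoc above it still lists only @param and @return. Add `@throws KrbException if the hex content cannot be decoded as an OBJECT IDENTIFIER` so callers such as PluginOpts.createSupportedCMSTypes, which had to gain the same throws clause in this commit, see the contract. The Javadoc head is above the hunk.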
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
index 23206db..6732b7d 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
@@ -18,7 +18,6 @@
*/
package org.apache.kerby.kerberos.kerb.preauth.pkinit;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.kerberos.kerb.KrbException;
import javax.crypto.spec.DHParameterSpec;
@@ -134,15 +133,15 @@
}
- public static Asn1ObjectIdentifier getIdPkinitAuthDataOID() {
- return new Asn1ObjectIdentifier(ID_PKINIT_AUTHDATA);
+ public static String getIdPkinitAuthDataOID() {
+ return ID_PKINIT_AUTHDATA;
}
- public static Asn1ObjectIdentifier getIdPkinitDHKeyDataOID() {
- return new Asn1ObjectIdentifier(ID_PKINIT_DHKEYDATA);
+ public static String getIdPkinitDHKeyDataOID() {
+ return ID_PKINIT_DHKEYDATA;
}
- public static Asn1ObjectIdentifier getIdPkinitRkeyDataOID() {
- return new Asn1ObjectIdentifier(ID_PKINIT_RKEYDATA);
+ public static String getIdPkinitRkeyDataOID() {
+ return ID_PKINIT_RKEYDATA;
}
}
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitUtil.java
new file mode 100644
index 0000000..a45f380
--- /dev/null
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitUtil.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.ReplyKeyPack;
+import org.apache.kerby.pkix.PkiException;
+import org.apache.kerby.pkix.PkiUtil;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+
+/**
+ * Encapsulates working with PKINIT signed data structures.
+ */
+public class PkinitUtil {
+ private static final String ID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1";
+ //private static final String ID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2";
+ //private static final String ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3";
+
+ /**
+ * Uses a private key to sign data in a CMS SignedData structure and returns
+ * the encoded CMS SignedData as bytes.
+ * <p/>
+ * 'signedAuthPack' contains a CMS type ContentInfo encoded according to [RFC3852].
+ * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2),
+ * and the content field is a SignedData.
+ * <p/>
+ * The eContentType field for the type SignedData is id-pkinit-authData (1.3.6.1.5.2.3.1),
+ * and the eContent field contains the DER encoding of the type AuthPack.
+ */
+ public static byte[] getSignedAuthPack(PrivateKey privateKey, X509Certificate certificate,
+ AuthPack authPack) throws KrbException {
+ byte[] dataToSign = KrbCodec.encode(authPack);
+ byte[] signedData;
+ try {
+ signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_AUTHDATA);
+ } catch (PkiException e) {
+ throw new KrbException("Failed to sign data", e);
+ }
+
+ return signedData;
+ }
+
+
+ /**
+ * Uses a private key to sign data in a CMS SignedData structure and returns
+ * the encoded CMS SignedData as bytes.
+ * <p/>
+ * 'dhSignedData' contains a CMS type ContentInfo encoded according to [RFC3852].
+ * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2),
+ * and the content field is a SignedData.
+ * <p/>
+ * The eContentType field for the type SignedData is id-pkinit-DHKeyData (1.3.6.1.5.2.3.2),
+ * and the eContent field contains the DER encoding of the type KDCDHKeyInfo.
+ */
+ public static byte[] getSignedKdcDhKeyInfo(PrivateKey privateKey, X509Certificate certificate,
+ KdcDhKeyInfo kdcDhKeyInfo) throws KrbException {
+ byte[] dataToSign = KrbCodec.encode(kdcDhKeyInfo);
+ byte[] signedData;
+ try {
+ signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_AUTHDATA);
+ } catch (PkiException e) {
+ throw new KrbException("Failed to sign data", e);
+ }
+
+ return signedData;
+ }
+
+
+ /**
+ * Uses a private key to sign data in a CMS SignedData structure and returns
+ * the encoded CMS SignedData as bytes.
+ * <p/>
+ * Selected when public key encryption is used.
+ * <p/>
+ * The eContentType field for the inner type SignedData (when unencrypted) is
+ * id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the eContent field contains the
+ * DER encoding of the type ReplyKeyPack.
+ */
+ public static byte[] getSignedReplyKeyPack(PrivateKey privateKey, X509Certificate certificate,
+ ReplyKeyPack replyKeyPack) throws KrbException {
+ byte[] dataToSign = KrbCodec.encode(replyKeyPack);
+ byte[] signedData;
+ try {
+ signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_AUTHDATA);
+ } catch (PkiException e) {
+ throw new KrbException("Failed to sign data", e);
+ }
+
+ return signedData;
+ }
+}
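Review bot: getSignedKdcDhKeyInfo and getSignedReplyKeyPack sign with ID_PKINIT_AUTHDATA, while their own Javadoc and the two constants commented out at the top of the class say the eContentType must be id-pkinit-DHKeyData (1.3.6.1.5.2.3.2) and id-pkinit-rkeyData (1.3.6.1.5.2.3.3). A peer that checks eContentType the way verifyCmsSignedData in this commit does will reject these structures, and stamping all three with the same OID also discards the type binding the eContentType is there to provide. Restore the two commented constants and pass them in the respective calls, `signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_DHKEYDATA);` and `... ID_PKINIT_RKEYDATA);`. The three methods differ only in the payload and the OID, so a private helper taking `(PrivateKey, X509Certificate, byte[] dataToSign, String eContentType)` around the try/catch would make the OID choice visible in one place; the class also lacks a private constructor for a static utility.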
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
index dcb55bd..96bb23f 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.preauth.pkinit;
import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
+import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AlgorithmIdentifiers;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.TrustedCertifiers;
import org.apache.kerby.x509.type.AlgorithmIdentifier;
@@ -42,14 +43,14 @@
// The acceptable values are 1024, 2048, and 4096. The default is 1024.
public int dhMinBits = 1024;
- public AlgorithmIdentifiers createSupportedCMSTypes() {
+ public AlgorithmIdentifiers createSupportedCMSTypes() throws KrbException {
AlgorithmIdentifiers cmsAlgorithms = new AlgorithmIdentifiers();
AlgorithmIdentifier des3Alg = new AlgorithmIdentifier();
/* krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };*/
String content = "0x06 08 2A 86 48 86 F7 0D 03 07";
Asn1ObjectIdentifier des3Oid = PkinitCrypto.createOid(content);
- des3Alg.setAlgorithm(des3Oid);
+ des3Alg.setAlgorithm(des3Oid.getValue());
cmsAlgorithms.add(des3Alg);
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/Util.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/Util.java
deleted file mode 100644
index 74626cb..0000000
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/Util.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.preauth.pkinit;
-
-public class Util {
-
- static final String HEX_CHARS_STR = "0123456789ABCDEF";
- static final char[] HEX_CHARS = HEX_CHARS_STR.toCharArray();
-
- /**
- * Convert bytes into format as:
- * 0x02 02 00 80
- */
- public static String bytesToHex(byte[] bytes) {
- int len = bytes.length * 2;
- len += bytes.length; // for ' ' appended for each char
- len += 2; // for '0x' prefix
- char[] hexChars = new char[len];
- hexChars[0] = '0';
- hexChars[1] = 'x';
- for (int j = 0; j < bytes.length; j++) {
- int v = bytes[j] & 0xFF;
- hexChars[j * 3 + 2] = HEX_CHARS[v >>> 4];
- hexChars[j * 3 + 3] = HEX_CHARS[v & 0x0F];
- hexChars[j * 3 + 4] = ' ';
- }
-
- return new String(hexChars);
- }
-
- /**
- * Convert hex string like follows into byte array
- * 0x02 02 00 80
- */
- public static byte[] hex2bytes(String hexString) {
- if (hexString == null) {
- throw new IllegalArgumentException("Invalid hex string to convert : null");
- }
- char[] hexStr = hexString.toCharArray();
-
- if (hexStr.length < 4) {
- throw new IllegalArgumentException("Invalid hex string to convert : length below 4");
- }
- if (hexStr[0] != '0' || (hexStr[1] != 'x') && (hexStr[1] != 'X')) {
- throw new IllegalArgumentException("Invalid hex string to convert : not starting with '0x'");
- }
- byte[] bytes = new byte[(hexStr.length - 1) / 3];
- int pos = 0;
- boolean high = false;
- boolean prefix = true;
- for (char c : hexStr) {
- if (prefix) {
- if (c == 'x' || c == 'X') {
- prefix = false;
- }
- continue;
- }
- switch (c) {
- case ' ' :
- if (high) {
- // We have had only the high part
- throw new IllegalArgumentException("Invalid hex string to convert");
- }
- // A hex pair has been decoded
- pos++;
- high = false;
- break;
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- if (high) {
- bytes[pos] += (byte) (c - '0');
- } else {
- bytes[pos] = (byte) ((c - '0') << 4);
- }
- high = !high;
- break;
- case 'a' :
- case 'b' :
- case 'c' :
- case 'd' :
- case 'e' :
- case 'f' :
- if (high) {
- bytes[pos] += (byte) (c - 'a' + 10);
- } else {
- bytes[pos] = (byte) ((c - 'a' + 10) << 4);
- }
-
- high = !high;
- break;
-
- case 'A' :
- case 'B' :
- case 'C' :
- case 'D' :
- case 'E' :
- case 'F' :
- if (high) {
- bytes[pos] += (byte) (c - 'A' + 10);
- } else {
- bytes[pos] = (byte) ((c - 'A' + 10) << 4);
- }
-
- high = !high;
- break;
- default :
- throw new IllegalArgumentException("Invalid hex string to convert");
- }
- }
- if (high) {
- throw new IllegalArgumentException("Invalid hex string to convert");
- }
-
- return bytes;
- }
-}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java
index 1c2f4dc..98a272c 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java
@@ -49,7 +49,19 @@
try {
krbObj.encode(buffer);
} catch (IOException e) {
- throw new KrbException("encode failed", e);
+ throw new KrbException("Encoding failed", e);
+ }
+ }
+
+ public static void decode(byte[] content, Asn1Type value) throws KrbException {
+ decode(ByteBuffer.wrap(content), value);
+ }
+
+ public static void decode(ByteBuffer content, Asn1Type value) throws KrbException {
+ try {
+ value.decode(content);
+ } catch (IOException e) {
+ throw new KrbException("Decoding failed", e);
}
}
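Review bot: The two new public `decode` overloads carry no Javadoc, unlike the documented API in Asn1 this commit also touches; a header such as `/** Decodes {@code content} into the supplied {@code value}. @throws KrbException if the ASN.1 payload cannot be decoded */` on each would do. Only `IOException` is translated into `KrbException`; if the underlying `value.decode` reports malformed input through an unchecked exception, it will escape untranslated, which matters because this path is the one fed with bytes received from peers — worth confirming against the Asn1Type implementation. The `encode` method whose `try` opens this hunk starts outside it.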
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java
index 7a97d1b..d9b4315 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java
@@ -23,4 +23,5 @@
public static final int KRB_V5 = 5;
public static final String TGS_PRINCIPAL = "krbtgt";
+ public static final String ANONYMOUS_PRINCIPAL = "WELLKNOWN/ANONYMOUS";
}
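Review bot: `ANONYMOUS_PRINCIPAL` is added without a comment saying where the literal comes from; `/** Anonymous client principal name defined by RFC 6112 (used with name type NT_WELLKNOWN). */` would let a reader check the value against the specification instead of trusting the string. The codec test in this commit pairs it with `NameType.NT_WELLKNOWN`, which is the pairing that comment should pin down.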
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java
index bfe2513..ee3fa8d 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java
@@ -21,7 +21,6 @@
public class KrbException extends Exception {
private static final long serialVersionUID = 7305497872367599428L;
- private KrbErrorCode errorCode;
public KrbException(String message) {
super(message);
@@ -33,20 +32,13 @@
public KrbException(KrbErrorCode errorCode) {
super(errorCode.getMessage());
- this.errorCode = errorCode;
}
public KrbException(KrbErrorCode errorCode, Throwable cause) {
super(errorCode.getMessage(), cause);
- this.errorCode = errorCode;
}
public KrbException(KrbErrorCode errorCode, String message) {
super(message + " with error code: " + errorCode.name());
- this.errorCode = errorCode;
- }
-
- public KrbErrorCode getErrorCode() {
- return errorCode;
}
}
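Review bot: Removing the `errorCode` field and `getErrorCode()` leaves the `KrbErrorCode` recoverable only by parsing the message text produced by the third constructor (`message + " with error code: " + errorCode.name()`), and not at all for the two constructors that take only the code; that is a loss of structured error information rather than a cleanup. Any code that maps a caught `KrbException` back to a Kerberos error code (a KRB-ERROR reply path, presumably) now has no API for it. Unless no caller used the getter, keep `private final KrbErrorCode errorCode;` and `getErrorCode()`; if none did, the commit message should say so. The field removal is in the first hunk of this file, the getter removal here.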
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java
index 603b776..f2ef67a 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java
@@ -52,8 +52,8 @@
}
static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
- new ExplicitField(HostAddressField.ADDR_TYPE, 0, Asn1Integer.class),
- new ExplicitField(HostAddressField.ADDRESS, 1, Asn1OctetString.class)
+ new ExplicitField(HostAddressField.ADDR_TYPE, Asn1Integer.class),
+ new ExplicitField(HostAddressField.ADDRESS, Asn1OctetString.class)
};
public HostAddress() {
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java
index 0b75714..dea3f5e 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java
@@ -31,6 +31,11 @@
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
clientDHNonce [3] DHNonce OPTIONAL
+ supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
+ -- Contains an unordered set of KDFs supported by the client.
+ KDFAlgorithmId ::= SEQUENCE {
+ kdf-id [0] OBJECT IDENTIFIER,
+ -- The object identifier of the KDF
}
*/
public class AuthPack extends KrbSequenceType {
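Review bot: The ASN.1 added to the AuthPack comment is malformed: `clientDHNonce [3] DHNonce OPTIONAL` now needs a trailing comma, and `KDFAlgorithmId ::= SEQUENCE {` is pasted inside the AuthPack braces, so the single closing `}` that follows closes only the nested type and AuthPack is left unterminated. End the sequence after `supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL` and either move the KDFAlgorithmId block out as a definition of its own or drop it here, since KdfAlgorithmId.java in this commit already carries it.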
@@ -56,8 +61,8 @@
new ExplicitField(AuthPackField.PK_AUTHENTICATOR, PkAuthenticator.class),
new ExplicitField(AuthPackField.CLIENT_PUBLIC_VALUE, SubjectPublicKeyInfo.class),
new ExplicitField(AuthPackField.SUPPORTED_CMS_TYPES, AlgorithmIdentifiers.class),
- new ExplicitField(AuthPackField.CLIENT_DH_NONCE, DHNonce.class),
- new ExplicitField(AuthPackField.SUPPORTED_KDFS, SupportedKDFs.class)
+ new ExplicitField(AuthPackField.CLIENT_DH_NONCE, DhNonce.class),
+ new ExplicitField(AuthPackField.SUPPORTED_KDFS, SupportedKdfs.class)
};
public AuthPack() {
@@ -88,19 +93,19 @@
setFieldAs(AuthPackField.SUPPORTED_CMS_TYPES, supportedCMSTypes);
}
- public DHNonce getClientDhNonce() {
- return getFieldAs(AuthPackField.CLIENT_DH_NONCE, DHNonce.class);
+ public DhNonce getClientDhNonce() {
+ return getFieldAs(AuthPackField.CLIENT_DH_NONCE, DhNonce.class);
}
- public void setClientDhNonce(DHNonce dhNonce) {
+ public void setClientDhNonce(DhNonce dhNonce) {
setFieldAs(AuthPackField.CLIENT_DH_NONCE, dhNonce);
}
- public SupportedKDFs getsupportedKDFs() {
- return getFieldAs(AuthPackField.SUPPORTED_KDFS, SupportedKDFs.class);
+ public SupportedKdfs getsupportedKDFs() {
+ return getFieldAs(AuthPackField.SUPPORTED_KDFS, SupportedKdfs.class);
}
- public void setsupportedKDFs(SupportedKDFs supportedKDFs) {
- setFieldAs(AuthPackField.SUPPORTED_KDFS, supportedKDFs);
+ public void setsupportedKDFs(SupportedKdfs supportedKdfs) {
+ setFieldAs(AuthPackField.SUPPORTED_KDFS, supportedKdfs);
}
}
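Review bot: `getsupportedKDFs`/`setsupportedKDFs` keep a lowercase `s` after `get`/`set`, which breaks the camelCase that the renamed `getClientDhNonce`/`setClientDhNonce` in the same hunk follow; given the commit is already renaming this API (`SupportedKDFs` → `SupportedKdfs`), `getSupportedKdfs`/`setSupportedKdfs` would be the consistent names. The same applies to `getsupportedCmsTypes`, which the codec test calls. Both are public, so the callers in TestPkinitAnonymousAsReqCodec would need the rename in the same commit.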
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhNonce.java
similarity index 95%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhNonce.java
index e6653b8..9fc86c1 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhNonce.java
@@ -24,5 +24,5 @@
/**
* DHNonce ::= OCTET STRING
*/
-public class DHNonce extends Asn1OctetString {
+public class DhNonce extends Asn1OctetString {
}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHRepInfo.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhRepInfo.java
similarity index 64%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHRepInfo.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhRepInfo.java
index 853fe65..05855a6 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHRepInfo.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhRepInfo.java
@@ -23,18 +23,19 @@
import org.apache.kerby.asn1.EnumType;
import org.apache.kerby.asn1.ExplicitField;
import org.apache.kerby.asn1.ImplicitField;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.asn1.type.Asn1OctetString;
import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
/**
- DHRepInfo ::= SEQUENCE {
+ DhRepInfo ::= SEQUENCE {
dhSignedData [0] IMPLICIT OCTET STRING,
serverDHNonce [1] DHNonce OPTIONAL
+ kdf [2] KDFAlgorithmId OPTIONAL,
+ -- The KDF picked by the KDC.
}
*/
-public class DHRepInfo extends KrbSequenceType {
- protected enum DHRepInfoField implements EnumType {
+public class DhRepInfo extends KrbSequenceType {
+ protected enum DhRepInfoField implements EnumType {
DH_SIGNED_DATA,
SERVER_DH_NONCE,
KDF_ID;
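Review bot: The grammar comment was changed to `DhRepInfo ::= SEQUENCE {` to follow the Java rename, but the ASN.1 type in RFC 4556 is `DHRepInfo`, and the comment documents the wire grammar rather than the class; the DhNonce rename in this same commit keeps `DHNonce ::= OCTET STRING`, which is the right approach. The PaPkAsRep comment (`dhInfo [0] DhRepInfo`) makes the same substitution. Separately, `serverDHNonce [1] DHNonce OPTIONAL` now needs a trailing comma before the added `kdf [2] KDFAlgorithmId OPTIONAL` line.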
@@ -51,36 +52,36 @@
}
static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
- new ImplicitField(DHRepInfoField.DH_SIGNED_DATA, Asn1OctetString.class),
- new ExplicitField(DHRepInfoField.SERVER_DH_NONCE, DHNonce.class),
- new ExplicitField(DHRepInfoField.KDF_ID, Asn1ObjectIdentifier.class)
+ new ImplicitField(DhRepInfoField.DH_SIGNED_DATA, Asn1OctetString.class),
+ new ExplicitField(DhRepInfoField.SERVER_DH_NONCE, DhNonce.class),
+ new ExplicitField(DhRepInfoField.KDF_ID, KdfAlgorithmId.class)
};
- public DHRepInfo() {
+ public DhRepInfo() {
super(fieldInfos);
}
public byte[] getDHSignedData() {
- return getFieldAsOctets(DHRepInfoField.DH_SIGNED_DATA);
+ return getFieldAsOctets(DhRepInfoField.DH_SIGNED_DATA);
}
public void setDHSignedData(byte[] dhSignedData) {
- setFieldAsOctets(DHRepInfoField.DH_SIGNED_DATA, dhSignedData);
+ setFieldAsOctets(DhRepInfoField.DH_SIGNED_DATA, dhSignedData);
}
- public DHNonce getServerDhNonce() {
- return getFieldAs(DHRepInfoField.SERVER_DH_NONCE, DHNonce.class);
+ public DhNonce getServerDhNonce() {
+ return getFieldAs(DhRepInfoField.SERVER_DH_NONCE, DhNonce.class);
}
- public void setServerDhNonce(DHNonce dhNonce) {
- setFieldAs(DHRepInfoField.SERVER_DH_NONCE, dhNonce);
+ public void setServerDhNonce(DhNonce dhNonce) {
+ setFieldAs(DhRepInfoField.SERVER_DH_NONCE, dhNonce);
}
- public Asn1ObjectIdentifier getKdfId() {
- return getFieldAs(DHRepInfoField.KDF_ID, Asn1ObjectIdentifier.class);
+ public KdfAlgorithmId getKdfId() {
+ return getFieldAs(DhRepInfoField.KDF_ID, KdfAlgorithmId.class);
}
- public void setKdfId(Asn1ObjectIdentifier kdfId) {
- setFieldAs(DHRepInfoField.KDF_ID, kdfId);
+ public void setKdfId(KdfAlgorithmId kdfId) {
+ setFieldAs(DhRepInfoField.KDF_ID, kdfId);
}
}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDHKeyInfo.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDhKeyInfo.java
similarity index 76%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDHKeyInfo.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDhKeyInfo.java
index 4f66a15..4ecbbcc 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDHKeyInfo.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDhKeyInfo.java
@@ -34,8 +34,8 @@
dhKeyExpiration [2] KerberosTime OPTIONAL,
}
*/
-public class KdcDHKeyInfo extends KrbSequenceType {
- protected static enum KdcDHKeyInfoField implements EnumType {
+public class KdcDhKeyInfo extends KrbSequenceType {
+ protected enum KdcDhKeyInfoField implements EnumType {
SUBJECT_PUBLIC_KEY,
NONCE,
DH_KEY_EXPIRATION;
@@ -52,36 +52,36 @@
}
static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
- new ExplicitField(KdcDHKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class),
- new ExplicitField(KdcDHKeyInfoField.NONCE, Asn1Integer.class),
- new ExplicitField(KdcDHKeyInfoField.DH_KEY_EXPIRATION, KerberosTime.class)
+ new ExplicitField(KdcDhKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class),
+ new ExplicitField(KdcDhKeyInfoField.NONCE, Asn1Integer.class),
+ new ExplicitField(KdcDhKeyInfoField.DH_KEY_EXPIRATION, KerberosTime.class)
};
- public KdcDHKeyInfo() {
+ public KdcDhKeyInfo() {
super(fieldInfos);
}
public Asn1BitString getSubjectPublicKey() {
- return getFieldAs(KdcDHKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class);
+ return getFieldAs(KdcDhKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class);
}
public void setSubjectPublicKey(byte[] subjectPubKey) {
- setFieldAs(KdcDHKeyInfoField.SUBJECT_PUBLIC_KEY, new Asn1BitString(subjectPubKey));
+ setFieldAs(KdcDhKeyInfoField.SUBJECT_PUBLIC_KEY, new Asn1BitString(subjectPubKey));
}
public int getNonce() {
- return getFieldAsInt(KdcDHKeyInfoField.NONCE);
+ return getFieldAsInt(KdcDhKeyInfoField.NONCE);
}
public void setNonce(int nonce) {
- setFieldAsInt(KdcDHKeyInfoField.NONCE, nonce);
+ setFieldAsInt(KdcDhKeyInfoField.NONCE, nonce);
}
public KerberosTime getDHKeyExpiration() {
- return getFieldAsTime(KdcDHKeyInfoField.DH_KEY_EXPIRATION);
+ return getFieldAsTime(KdcDhKeyInfoField.DH_KEY_EXPIRATION);
}
public void setDHKeyExpiration(KerberosTime time) {
- setFieldAs(KdcDHKeyInfoField.DH_KEY_EXPIRATION, time);
+ setFieldAs(KdcDhKeyInfoField.DH_KEY_EXPIRATION, time);
}
}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdfAlgorithmId.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdfAlgorithmId.java
new file mode 100644
index 0000000..4dd44ee
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdfAlgorithmId.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.type.pa.pkinit;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/*
+ KDFAlgorithmId ::= SEQUENCE {
+ kdf-id [0] OBJECT IDENTIFIER,
+ -- The object identifier of the KDF
+ }
+ */
+public class KdfAlgorithmId extends KrbSequenceType {
+ protected enum KdfAlgorithmIdField implements EnumType {
+ KDF_ID;
+
+ @Override
+ public int getValue() {
+ return ordinal();
+ }
+
+ @Override
+ public String getName() {
+ return name();
+ }
+ }
+
+ static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+ new ExplicitField(KdfAlgorithmIdField.KDF_ID, Asn1ObjectIdentifier.class)
+ };
+
+ public KdfAlgorithmId() {
+ super(fieldInfos);
+ }
+
+ public String getKdfId() {
+ return getFieldAsObjId(KdfAlgorithmIdField.KDF_ID);
+ }
+
+ public void setKdfId(String kdfId) {
+ setFieldAsObjId(KdfAlgorithmIdField.KDF_ID, kdfId);
+ }
+}
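Review bot: The new public class has no Javadoc: the grammar block is a plain `/*` comment, so tools do not attach it to the class, and `getKdfId`/`setKdfId` are undocumented. Turn the block into `/** ... */`, note that it is the KDFAlgorithmId from RFC 8636 (PKINIT algorithm agility), and document the accessors as carrying the KDF's dotted-decimal OID, e.g. `/** @return the KDF object identifier in dotted-decimal form, e.g. {@code 1.3.6.1.5.2.3.6.2} */` — the value the codec test asserts.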
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java
index 9d835ec..d882d84 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java
@@ -28,7 +28,7 @@
/**
PA-PK-AS-REP ::= CHOICE {
- dhInfo [0] DHRepInfo,
+ dhInfo [0] DhRepInfo,
encKeyPack [1] IMPLICIT OCTET STRING,
}
*/
@@ -49,7 +49,7 @@
}
static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
- new ExplicitField(PaPkAsRepField.DH_INFO, DHRepInfo.class),
+ new ExplicitField(PaPkAsRepField.DH_INFO, DhRepInfo.class),
new ImplicitField(PaPkAsRepField.ENCKEY_PACK, Asn1OctetString.class)
};
@@ -57,11 +57,11 @@
super(fieldInfos);
}
- public DHRepInfo getDHRepInfo() {
- return getChoiceValueAs(PaPkAsRepField.DH_INFO, DHRepInfo.class);
+ public DhRepInfo getDHRepInfo() {
+ return getChoiceValueAs(PaPkAsRepField.DH_INFO, DhRepInfo.class);
}
- public void setDHRepInfo(DHRepInfo dhRepInfo) {
+ public void setDHRepInfo(DhRepInfo dhRepInfo) {
setChoiceValue(PaPkAsRepField.DH_INFO, dhRepInfo);
}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKDFs.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKdfs.java
similarity index 87%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKDFs.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKdfs.java
index 2d1e654..e436018 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKDFs.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKdfs.java
@@ -19,8 +19,7 @@
*/
package org.apache.kerby.kerberos.kerb.type.pa.pkinit;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
-public class SupportedKDFs extends KrbSequenceOfType<Asn1ObjectIdentifier> {
+public class SupportedKdfs extends KrbSequenceOfType<KdfAlgorithmId> {
}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java
index 9428630..e7ca968 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java
@@ -83,7 +83,7 @@
new ExplicitField(EncTicketPartField.AUTHTIME, KerberosTime.class),
new ExplicitField(EncTicketPartField.STARTTIME, KerberosTime.class),
new ExplicitField(EncTicketPartField.ENDTIME, KerberosTime.class),
- new ExplicitField(EncTicketPartField.ENDTIME, KerberosTime.class),
+ new ExplicitField(EncTicketPartField.RENEW_TILL, KerberosTime.class),
new ExplicitField(EncTicketPartField.CADDR, HostAddresses.class),
new ExplicitField(EncTicketPartField.AUTHORIZATION_DATA, AuthorizationData.class)
};
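Review bot: The `RENEW_TILL` correction fixes a duplicated `ENDTIME` entry that previously registered the renew-till field under the wrong tag, but nothing in the commit adds a test that would catch this recurring. Since renew-till bounds how long a ticket may be renewed, a codec test that encodes an EncTicketPart with distinct endtime and renew-till values and asserts both round-trip to the right fields would pin the tag ordering. The `fieldInfos` array opens outside the hunk.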
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java
index 53d7abf..8af6fe8 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java
@@ -20,11 +20,10 @@
package org.apache.kerby.kerberos.kerb.codec;
import org.apache.kerby.asn1.Asn1;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.cms.type.ContentInfo;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import org.junit.Test;
@@ -35,9 +34,9 @@
@Test
public void test() throws IOException, KrbException {
PaPkAsRep paPkAsRep = new PaPkAsRep();
- DHRepInfo dhRepInfo = new DHRepInfo();
+ DhRepInfo dhRepInfo = new DhRepInfo();
ContentInfo contentInfo = new ContentInfo();
- contentInfo.setContentType(new Asn1ObjectIdentifier("1.2.840.113549.1.7.2"));
+ contentInfo.setContentType("1.2.840.113549.1.7.2");
dhRepInfo.setDHSignedData(contentInfo.encode());
paPkAsRep.setDHRepInfo(dhRepInfo);
Asn1.parseAndDump(paPkAsRep.encode());
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java
index a67bb2c..ac660f5 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java
@@ -31,8 +31,8 @@
import org.apache.kerby.kerberos.kerb.type.pa.PaData;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.junit.Test;
@@ -102,19 +102,19 @@
private void testPaPkAsRep(PaPkAsRep paPkAsRep) throws IOException {
assertThat(paPkAsRep.getDHRepInfo()).isNotNull();
- DHRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
+ DhRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
byte[] dhSignedData = dhRepInfo.getDHSignedData();
SignedContentInfo contentInfo = new SignedContentInfo();
contentInfo.decode(dhSignedData);
- assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2");
+ assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2");
SignedData signedData = contentInfo.getContentAs(SignedData.class);
assertThat(signedData.getCertificates()).isNotNull();
EncapsulatedContentInfo encapsulatedContentInfo = signedData.getEncapContentInfo();
- assertThat(encapsulatedContentInfo.getContentType().getValue()).isEqualTo("1.3.6.1.5.2.3.2");
+ assertThat(encapsulatedContentInfo.getContentType()).isEqualTo("1.3.6.1.5.2.3.2");
byte[] eContentInfo = encapsulatedContentInfo.getContent();
- KdcDHKeyInfo kdcDhKeyInfo = new KdcDHKeyInfo();
+ KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
kdcDhKeyInfo.decode(eContentInfo);
assertThat(kdcDhKeyInfo.getSubjectPublicKey()).isNotNull();
assertThat(kdcDhKeyInfo.getDHKeyExpiration()).isNotNull();
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
index 8a59ee1..442bb7d 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
@@ -22,6 +22,7 @@
import org.apache.kerby.asn1.Asn1;
import org.apache.kerby.cms.type.SignedContentInfo;
import org.apache.kerby.cms.type.SignedData;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
import org.apache.kerby.kerberos.kerb.type.base.NameType;
@@ -33,7 +34,7 @@
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsReq;
-import org.apache.kerby.x509.type.DHParameter;
+import org.apache.kerby.x509.type.DhParameter;
import org.apache.kerby.x509.type.SubjectPublicKeyInfo;
import org.junit.Test;
@@ -44,7 +45,7 @@
import java.util.Arrays;
import java.util.List;
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.*;
public class TestPkinitAnonymousAsReqCodec {
@Test
@@ -84,7 +85,7 @@
assertThat(body.getKdcOptions().getValue()).isEqualTo(Arrays.copyOfRange(bytes, 1389, 1393));
PrincipalName cName = body.getCname();
assertThat(cName.getNameType()).isEqualTo(NameType.NT_WELLKNOWN);
- assertThat(cName.getName()).isEqualTo("WELLKNOWN/ANONYMOUS");
+ assertThat(cName.getName()).isEqualTo(KrbConstant.ANONYMOUS_PRINCIPAL);
assertThat(body.getRealm()).isEqualTo("EXAMPLE.COM");
PrincipalName sName = body.getSname();
assertThat(sName.getNameType()).isEqualTo(NameType.NT_SRV_INST);
@@ -113,7 +114,7 @@
SignedContentInfo contentInfo = new SignedContentInfo();
Asn1.parseAndDump(paPkAsReq.getSignedAuthPack());
contentInfo.decode(paPkAsReq.getSignedAuthPack());
- assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2");
+ assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2");
Asn1.dump(contentInfo);
SignedData signedData = contentInfo.getSignedData();
@@ -122,29 +123,29 @@
assertThat(signedData.getCertificates().getElements().isEmpty()).isTrue();
assertThat(signedData.getCrls().getElements().isEmpty()).isTrue();
assertThat(signedData.getSignerInfos().getElements().isEmpty()).isTrue();
- assertThat(signedData.getEncapContentInfo().getContentType().getValue())
+ assertThat(signedData.getEncapContentInfo().getContentType())
.isEqualTo("1.3.6.1.5.2.3.1");
AuthPack authPack = new AuthPack();
Asn1.parseAndDump(signedData.getEncapContentInfo().getContent());
authPack.decode(signedData.getEncapContentInfo().getContent());
assertThat(authPack.getsupportedCmsTypes().getElements().size()).isEqualTo(1);
- assertThat(authPack.getsupportedCmsTypes().getElements().get(0).getAlgorithm().getValue())
+ assertThat(authPack.getsupportedCmsTypes().getElements().get(0).getAlgorithm())
.isEqualTo("1.2.840.113549.3.7");
SubjectPublicKeyInfo subjectPublicKeyInfo = authPack.getClientPublicValue();
- assertThat(subjectPublicKeyInfo.getAlgorithm().getAlgorithm().getValue())
+ assertThat(subjectPublicKeyInfo.getAlgorithm().getAlgorithm())
.isEqualTo("1.2.840.10046.2.1");
- DHParameter dhParameter = subjectPublicKeyInfo.getAlgorithm().getParametersAs(DHParameter.class);
+ DhParameter dhParameter =
+ subjectPublicKeyInfo.getAlgorithm().getParametersAs(DhParameter.class);
assertThat(dhParameter.getG()).isEqualTo(BigInteger.valueOf(2));
assertThat(authPack.getsupportedKDFs().getElements().size()).isEqualTo(3);
- //TO BE FIXED
-// assertThat(authPack.getsupportedKDFs().getElements().get(0).getValue())
-// .isEqualTo("1.3.6.1.5.2.3.6.2");
-// assertThat(authPack.getsupportedKDFs().getElements().get(1).getValue())
-// .isEqualTo("1.3.6.1.5.2.3.6.1");
-// assertThat(authPack.getsupportedKDFs().getElements().get(2).getValue())
-// .isEqualTo("1.3.6.1.5.2.3.6.3");
+ assertThat(authPack.getsupportedKDFs().getElements().get(0).getKdfId())
+ .isEqualTo("1.3.6.1.5.2.3.6.2");
+ assertThat(authPack.getsupportedKDFs().getElements().get(1).getKdfId())
+ .isEqualTo("1.3.6.1.5.2.3.6.1");
+ assertThat(authPack.getsupportedKDFs().getElements().get(2).getKdfId())
+ .isEqualTo("1.3.6.1.5.2.3.6.3");
}
}
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java
index 0de845e..9e96cef 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java
@@ -33,7 +33,7 @@
import java.io.IOException;
import java.nio.ByteBuffer;
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.*;
public class TestPkinitRsaAsRepCodec {
@Test
@@ -61,7 +61,7 @@
Asn1.parseAndDump(encKeyPack);
ContentInfo contentInfo = new ContentInfo();
contentInfo.decode(encKeyPack);
- assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.3");
+ assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.3");
EnvelopedData envelopedData = contentInfo.getContentAs(EnvelopedData.class);
Asn1.dump(envelopedData);
}
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java
index 0cb6ad4..a5d6efc 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java
@@ -40,7 +40,7 @@
import java.util.Arrays;
import java.util.List;
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.*;
public class TestPkinitRsaAsReqCodec {
@Test
@@ -71,12 +71,12 @@
ContentInfo contentInfo = new ContentInfo();
//Asn1.parseAndDump(paPkAsReq.getSignedAuthPack());
contentInfo.decode(paPkAsReq.getSignedAuthPack());
- assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2");
+ assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2");
//Asn1.dump(contentInfo);
SignedData signedData = contentInfo.getContentAs(SignedData.class);
assertThat(signedData.getCertificates().getElements().size()).isEqualTo(1);
- assertThat(signedData.getEncapContentInfo().getContentType().getValue()).isEqualTo("1.3.6.1.5.2.3.1");
+ assertThat(signedData.getEncapContentInfo().getContentType()).isEqualTo("1.3.6.1.5.2.3.1");
PaDataEntry encpaEntry = paData.findEntry(PaDataType.ENCPADATA_REQ_ENC_PA_REP);
assertThat(encpaEntry.getPaDataType()).isEqualTo(PaDataType.ENCPADATA_REQ_ENC_PA_REP);
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java
index 91d7e34..0e6344b 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java
@@ -38,8 +38,6 @@
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import javax.crypto.Cipher;
-
/**
* Encryption handler as the highest level API for encryption stuffs defined in
* Kerberos RFC3961. It supports all the encryption types. New encryption type
@@ -47,23 +45,6 @@
*/
public class EncryptionHandler {
- private static boolean isAES256Enabled = false;
-
- static {
- try {
- isAES256Enabled = Cipher.getMaxAllowedKeyLength("AES") >= 256;
- } catch (Exception e) {
- System.err.println(e);
- }
- }
-
- /**
- * @return true if aes256 is enabled
- */
- public static boolean isAES256Enabled() {
- return isAES256Enabled;
- }
-
/**
* Get the encryption type.
* @param eType The encryption type string.
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java
index 9220f94..fc23f77 100644
--- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java
+++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java
@@ -23,6 +23,7 @@
import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.HexUtil;
import org.junit.Test;
@@ -112,7 +113,7 @@
@Test
public void testCheckSums_HMAC_SHA1_96_AES256() throws Exception {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new CksumTest(
"fourteen",
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java
index c0c938d..cf0bda2 100644
--- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java
+++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java
@@ -22,6 +22,7 @@
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.HexUtil;
import org.junit.Test;
@@ -695,7 +696,7 @@
*/
@Test
public void testDecryptAES256_CTS_HMAC_SHA1_96_0() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
TestCase testCase = new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -715,7 +716,7 @@
*/
@Test
public void testDecryptAES256_CTS_HMAC_SHA1_96_1() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
TestCase testCase = new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -735,7 +736,7 @@
*/
@Test
public void testDecryptAES256_CTS_HMAC_SHA1_96_9() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
TestCase testCase = new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -756,7 +757,7 @@
*/
@Test
public void testDecryptAES256_CTS_HMAC_SHA1_96_13() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
TestCase testCase = new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -777,7 +778,7 @@
*/
@Test
public void testDecryptAES256_CTS_HMAC_SHA1_96_30() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
TestCase testCase = new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java
index a08f01f..5130ed5 100644
--- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java
+++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java
@@ -22,6 +22,7 @@
import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.HexUtil;
import org.junit.Test;
@@ -125,7 +126,7 @@
@Test
public void testFastUtil_AES256_CTS_HMAC_SHA1() throws Exception {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java
index 7b44da0..3d9ee9a 100644
--- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java
+++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java
@@ -29,6 +29,7 @@
import org.apache.kerby.kerberos.kerb.crypto.key.Des3KeyMaker;
import org.apache.kerby.kerberos.kerb.crypto.key.DkKeyMaker;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.HexUtil;
import org.junit.Test;
@@ -126,7 +127,7 @@
@Test
public void testKeyDerive_AES256_CTS_HMAC_SHA1_96_299() throws Exception {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -140,7 +141,7 @@
@Test
public void testKeyDerive_AES256_CTS_HMAC_SHA1_96_2AA() throws Exception {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -154,7 +155,7 @@
@Test
public void testKeyDerive_AES256_CTS_HMAC_SHA1_96_255() throws Exception {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java
index c5dcac6..b87ba9b 100644
--- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java
+++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.crypto;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.HexUtil;
import org.junit.Test;
@@ -86,7 +87,7 @@
@Test
public void testPrf_AES256_CTS_HMAC_SHA1() throws Exception {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java
index abbbbfb..042b42a 100644
--- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java
+++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java
@@ -21,6 +21,7 @@
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.HexUtil;
import org.junit.Test;
@@ -270,7 +271,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_0() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -284,7 +285,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_1() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -298,7 +299,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_2() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -312,7 +313,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_3() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -326,7 +327,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_4() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -342,7 +343,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_5() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -356,7 +357,7 @@
@Test
public void test_AES256_CTS_HMAC_SHA1_96_6() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
@@ -371,7 +372,7 @@
// Check for KRB5_ERR_BAD_S2K_PARAMS return when weak iteration counts are forbidden
@Test
public void test_AES256_CTS_HMAC_SHA1_96_7() {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
performTest(new TestCase(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
index 49bf5cf..8bc4205 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
@@ -21,6 +21,8 @@
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
+import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
@@ -71,6 +73,14 @@
return kdcServer.getKrbClient();
}
+ protected KrbPkinitClient getPkinitClient() {
+ return kdcServer.getPkinitClient();
+ }
+
+ protected KrbTokenClient getTokenClient() {
+ return kdcServer.getTokenClient();
+ }
+
protected String getClientPrincipalName() {
return clientPrincipalName;
}
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index 86d0a61..7782e41 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -23,7 +23,6 @@
import org.apache.kerby.asn1.parse.Asn1Container;
import org.apache.kerby.asn1.parse.Asn1ParseResult;
import org.apache.kerby.asn1.type.Asn1Integer;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.cms.type.CertificateChoices;
import org.apache.kerby.cms.type.CertificateSet;
import org.apache.kerby.cms.type.ContentInfo;
@@ -35,8 +34,8 @@
import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.crypto.dh.DhServer;
import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
-import org.apache.kerby.kerberos.kerb.preauth.pkinit.CMSMessageType;
import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext;
import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
@@ -52,13 +51,13 @@
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsReq;
import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PkAuthenticator;
import org.apache.kerby.x509.type.Certificate;
-import org.apache.kerby.x509.type.DHParameter;
+import org.apache.kerby.x509.type.DhParameter;
import org.apache.kerby.x509.type.SubjectPublicKeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -143,9 +142,9 @@
SignedData signedData = contentInfo.getContentAs(SignedData.class);
- PkinitCrypto.verifyCMSSignedData(CMSMessageType.CMS_SIGN_CLIENT, signedData);
+ PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData);
- Boolean isSigned = PkinitCrypto.isSigned(signedData);
+ Boolean isSigned = signedData.isSigned();
if (isSigned) {
//TODO
LOG.info("Signed data.");
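Review bot: `Boolean isSigned = signedData.isSigned();` boxes a primitive return value only to unbox it on the next line; declare it `boolean isSigned = signedData.isSigned();`. As implemented in SignedData in this same commit, `isSigned()` only reports that the SignerInfos set is non-empty and performs no signature check, so the `if (isSigned)` branch must not be read as evidence that the content was verified; whether `verifyCmsSignedData` on the line above already enforces a valid signature cannot be seen in this hunk. The enclosing method starts and ends outside the hunk.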
@@ -213,9 +212,9 @@
SubjectPublicKeyInfo publicKeyInfo = authPack.getClientPublicValue();
- DHParameter dhParameter;
+ DhParameter dhParameter;
if (publicKeyInfo.getSubjectPubKey() != null) {
- dhParameter = authPack.getClientPublicValue().getAlgorithm().getParametersAs(DHParameter.class);
+ dhParameter = authPack.getClientPublicValue().getAlgorithm().getParametersAs(DhParameter.class);
PkinitCrypto.serverCheckDH(pkinitContext.pluginOpts, pkinitContext.cryptoctx, dhParameter);
byte[] clientSubjectPubKey = publicKeyInfo.getSubjectPubKey().getValue();
@@ -321,8 +320,8 @@
}
PaPkAsRep paPkAsRep = new PaPkAsRep();
- DHRepInfo dhRepInfo = new DHRepInfo();
- KdcDHKeyInfo kdcDhKeyInfo = new KdcDHKeyInfo();
+ DhRepInfo dhRepInfo = new DhRepInfo();
+ KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
Asn1Integer publickey = new Asn1Integer(severPubKey.getY());
byte[] pubKeyData = KrbCodec.encode(publickey);
@@ -341,7 +340,7 @@
certificateSet.addElement(certificateChoices);
}
- Asn1ObjectIdentifier oid = cryptoContext.getIdPkinitDHKeyDataOID();
+ String oid = cryptoContext.getIdPkinitDHKeyDataOID();
signedDataBytes = PkinitCrypto.cmsSignedDataCreate(KrbCodec.encode(kdcDhKeyInfo), oid, 3, null,
null, null, null);
diff --git a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
index 0a7ad1d..5e83207 100644
--- a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
+++ b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
@@ -23,6 +23,8 @@
import org.apache.kerby.kerberos.kerb.admin.Kadmin;
import org.apache.kerby.kerberos.kerb.client.Krb5Conf;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
+import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
import org.apache.kerby.util.NetworkUtil;
import java.io.File;
@@ -36,9 +38,11 @@
private final KrbClient krbClnt;
private Kadmin kadmin;
private Krb5Conf krb5Conf;
-
private File workDir;
+ private KrbPkinitClient pkinitClient;
+ private KrbTokenClient tokenClient;
+
/**
* Default constructor.
*
@@ -155,6 +159,26 @@
}
/**
+ * @return PKINIT client
+ */
+ public KrbPkinitClient getPkinitClient() {
+ if (pkinitClient == null) {
+ pkinitClient = new KrbPkinitClient(krbClnt);
+ }
+ return pkinitClient;
+ }
+
+ /**
+ * @return Token client
+ */
+ public KrbTokenClient getTokenClient() {
+ if (tokenClient == null) {
+ tokenClient = new KrbTokenClient(krbClnt);
+ }
+ return tokenClient;
+ }
+
+ /**
* Get Kadmin operation interface.
* @return Kadmin
*/
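Review bot: The Javadoc on `getPkinitClient` and `getTokenClient` states only the return type; it should say that the client is created lazily on first call from this server's `krbClnt` and that the same instance is returned afterwards, e.g. `Returns the PKINIT client, creating it on first use from this server's KrbClient.` Whether callers reach these getters from several threads is not visible here; if they do, the unsynchronized lazy initialization can hand out two different instances.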
diff --git a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java
index a00667a..2ae0baa 100644
--- a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java
+++ b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java
@@ -31,6 +31,7 @@
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import org.apache.kerby.util.EncryptoUtil;
import org.junit.Before;
import org.junit.Test;
@@ -74,7 +75,7 @@
@Test
public void testAes256() throws IOException, KrbException {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
testEncWith("aes256-cts-hmac-sha1-96.cc");
}
diff --git a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java
index 5790bda..8ccbb03 100644
--- a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java
+++ b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java
@@ -25,6 +25,7 @@
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
+import org.apache.kerby.util.EncryptoUtil;
import org.junit.Test;
import java.io.IOException;
@@ -67,7 +68,7 @@
@Test
public void testAes256CtsHmacSha1() throws IOException, KrbException {
- assumeTrue(EncryptionHandler.isAES256Enabled());
+ assumeTrue(EncryptoUtil.isAES256Enabled());
testEncWith(EncryptionType.AES256_CTS_HMAC_SHA1_96);
}
diff --git a/kerby-pkix/pom.xml b/kerby-pkix/pom.xml
index e53c6b8..03ed9cd 100644
--- a/kerby-pkix/pom.xml
+++ b/kerby-pkix/pom.xml
@@ -41,12 +41,18 @@
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk15on</artifactId>
+ <artifactId>bcpkix-jdk15on</artifactId>
<version>1.52</version>
<scope>test</scope>
</dependency>
<dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+
+ <dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId>
<version>1.9.5</version>
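Review bot: The BouncyCastle version is hard-coded as `1.52` on the line the hunk touches while the new slf4j dependency uses `${slf4j.version}`; for consistency declare a `bouncycastle.version` property (if the parent POM does not already define one) and reference it, so every module that depends on bcpkix/bcprov resolves the same build. Switching the artifact to bcpkix-jdk15on makes bcprov a transitive dependency, which is fine at test scope but worth a comment if main-scope code later relies on it.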
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java
index 077abe2..5037efa 100644
--- a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java
@@ -66,12 +66,12 @@
super(fieldInfos);
}
- public Asn1ObjectIdentifier getContentType() {
- return getFieldAs(CONTENT_TYPE, Asn1ObjectIdentifier.class);
+ public String getContentType() {
+ return getFieldAsObjId(CONTENT_TYPE);
}
- public void setContentType(Asn1ObjectIdentifier contentType) {
- setFieldAs(CONTENT_TYPE, contentType);
+ public void setContentType(String contentType) {
+ setFieldAsObjId(CONTENT_TYPE, contentType);
}
public <T extends Asn1Type> T getContentAs(Class<T> t) {
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java
index 17b5c76..a7a260a 100644
--- a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java
@@ -61,12 +61,12 @@
super(fieldInfos);
}
- public Asn1ObjectIdentifier getContentType() {
- return getFieldAs(CONTENT_TYPE, Asn1ObjectIdentifier.class);
+ public String getContentType() {
+ return getFieldAsObjId(CONTENT_TYPE);
}
- public void setContentType(Asn1ObjectIdentifier contentType) {
- setFieldAs(CONTENT_TYPE, contentType);
+ public void setContentType(String contentType) {
+ setFieldAsObjId(CONTENT_TYPE, contentType);
}
public byte[] getContent() {
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java
index 7be20a2..776e028 100644
--- a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java
@@ -120,4 +120,16 @@
public void setSignerInfos(SignerInfos signerInfos) {
setFieldAs(SIGNER_INFOS, signerInfos);
}
+
+ /**
+ * Check whether signed of data, true if the SignerInfos are not null
+ * @return boolean
+ */
+ public boolean isSigned() {
+ if (getSignerInfos().getElements().size() == 0) {
+ return false;
+ } else {
+ return true;
+ }
+ }
}
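Review bot: `isSigned()` dereferences `getSignerInfos()` without a null check, so a SignedData whose signerInfos field was never set or did not decode throws NullPointerException instead of returning false, which contradicts the Javadoc's "true if the SignerInfos are not null". The if/else also collapses to one expression: `SignerInfos infos = getSignerInfos();` followed by `return infos != null && !infos.getElements().isEmpty();`. The Javadoc should state what the method actually establishes, e.g. `Returns true if at least one SignerInfo is present; this does not verify any signature.`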
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiException.java
similarity index 69%
copy from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java
copy to kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiException.java
index e6653b8..a5fee6b 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiException.java
@@ -17,12 +17,19 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.type.pa.pkinit;
-
-import org.apache.kerby.asn1.type.Asn1OctetString;
+package org.apache.kerby.pkix;
/**
- * DHNonce ::= OCTET STRING
+ * The root exception for the module.
*/
-public class DHNonce extends Asn1OctetString {
+public class PkiException extends Exception {
+ private static final long serialVersionUID = 7305497872367599428L;
+
+ public PkiException(String message) {
+ super(message);
+ }
+
+ public PkiException(String message, Throwable cause) {
+ super(message, cause);
+ }
}
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/pki/PkiLoader.java b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiLoader.java
similarity index 94%
rename from kerby-pkix/src/main/java/org/apache/kerby/pki/PkiLoader.java
rename to kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiLoader.java
index 7523f39..402e5d4 100644
--- a/kerby-pkix/src/main/java/org/apache/kerby/pki/PkiLoader.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiLoader.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.pki;
+package org.apache.kerby.pkix;
import org.apache.commons.ssl.PKCS8Key;
@@ -53,9 +53,9 @@
CertificateFactory certFactory = null;
try {
certFactory = CertificateFactory.getInstance("X.509");
- Collection<? extends Certificate> certs = (Collection<? extends Certificate>)
- certFactory.generateCertificates(inputStream);
- return new ArrayList<Certificate>(certs);
+ Collection<? extends Certificate> certs =
+ certFactory.generateCertificates(inputStream);
+ return new ArrayList<>(certs);
} catch (CertificateException e) {
throw new IOException("Failed to load certificates", e);
}
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiUtil.java b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiUtil.java
new file mode 100644
index 0000000..34eda66
--- /dev/null
+++ b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiUtil.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.pkix;
+
+import org.apache.kerby.cms.type.SignedData;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * Pki utilities.
+ */
+public final class PkiUtil {
+ private PkiUtil() {
+
+ }
+
+ public static byte[] getSignedData(PrivateKey privateKey,
+ X509Certificate certificate, byte[] dataToSign,
+ String eContentType) throws PkiException {
+
+ /**
+ * TO DO
+ */
+ return null;
+ }
+
+ /**
+ * Validates a CMS SignedData using the public key corresponding to the private
+ * key used to sign the structure.
+ *
+ * @param signedData
+ * @return true if the signature is valid.
+ * @throws PkiException
+ */
+ public static boolean validateSignedData(SignedData signedData) throws PkiException {
+ /**
+ * TO DO
+ */
+ return false;
+ }
+}
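Review bot: `getSignedData` silently returns null and `validateSignedData` silently returns false, so a caller wired up before these are implemented fails only later with a NullPointerException or a misleading "signature invalid" outcome. Until the bodies exist, fail explicitly: `throw new PkiException("getSignedData is not implemented");` and the equivalent in `validateSignedData`. The `/** TO DO */` blocks inside the method bodies are Javadoc-style comments in statement position; use `// TODO` line comments instead, give `getSignedData` a Javadoc describing its four parameters and return value, and fill in the empty `@param signedData` and `@throws PkiException` descriptions on `validateSignedData`.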
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java
index 913768a..97623a2 100644
--- a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java
@@ -60,12 +60,12 @@
super(fieldInfos);
}
- public Asn1ObjectIdentifier getAlgorithm() {
- return getFieldAs(ALGORITHM, Asn1ObjectIdentifier.class);
+ public String getAlgorithm() {
+ return getFieldAsObjId(ALGORITHM);
}
- public void setAlgorithm(Asn1ObjectIdentifier algorithm) {
- setFieldAs(ALGORITHM, algorithm);
+ public void setAlgorithm(String algorithm) {
+ setFieldAsObjId(ALGORITHM, algorithm);
}
public <T extends Asn1Type> T getParametersAs(Class<T> t) {
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DHParameter.java b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DhParameter.java
similarity index 80%
rename from kerby-pkix/src/main/java/org/apache/kerby/x509/type/DHParameter.java
rename to kerby-pkix/src/main/java/org/apache/kerby/x509/type/DhParameter.java
index beb9474..af319ce 100644
--- a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DHParameter.java
+++ b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DhParameter.java
@@ -7,10 +7,10 @@
import java.math.BigInteger;
-import static org.apache.kerby.x509.type.DHParameter.MyEnum.*;
+import static org.apache.kerby.x509.type.DhParameter.MyEnum.*;
-public class DHParameter extends Asn1SequenceType {
- protected static enum MyEnum implements EnumType {
+public class DhParameter extends Asn1SequenceType {
+ protected enum MyEnum implements EnumType {
P,
G,
Q;
@@ -32,12 +32,12 @@
new Asn1FieldInfo(Q, Asn1Integer.class),
};
- public DHParameter() {
+ public DhParameter() {
super(fieldInfos);
}
public void setP(BigInteger p) {
- setFieldAsBigInteger(P, p);
+ setFieldAsInt(P, p);
}
public BigInteger getP() {
@@ -46,7 +46,7 @@
}
public void setG(BigInteger g) {
- setFieldAsBigInteger(G, g);
+ setFieldAsInt(G, g);
}
public BigInteger getG() {
@@ -55,7 +55,7 @@
}
public void setQ(BigInteger q) {
- setFieldAsBigInteger(Q, q);
+ setFieldAsInt(Q, q);
}
public BigInteger getQ() {
diff --git a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java
index 2b9329e..99a98e1 100644
--- a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java
+++ b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java
@@ -1,5 +1,6 @@
package org.apache.commons.ssl;
+import org.apache.kerby.util.EncryptoUtil;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Test;
@@ -14,6 +15,7 @@
import static org.apache.commons.ssl.JUnitConfig.TEST_HOME;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeTrue;
public class TestKeyMaterial {
public static final char[] PASSWORD1 = "changeit".toCharArray();
@@ -54,7 +56,10 @@
Date today = new Date();
KeyMaterial km;
+
+
try {
+ assumeTrue(EncryptoUtil.isAES256Enabled());
km = new KeyMaterial(dir + "/" + fileName, file2, pass1, pass2);
} catch (ProbablyBadPasswordException pbpe) {
System.out.println(" WARN: " + pbpe);
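Review bot: `assumeTrue(EncryptoUtil.isAES256Enabled())` sits inside the try block and gates the whole test rather than only the AES-256 inputs, so on a JVM with a restricted crypto policy the non-AES-256 key files are never exercised either; TestOpenSSL and TestPKCS8Key receive the same change in this commit. If only some inputs need AES-256, apply the assumption per input (keyed on the file or cipher name); otherwise hoist it to the first statement of the test method so the skip happens before any file is opened, which in TestPKCS8Key currently occurs after the `FileInputStream` has been created. The two blank lines added above the try should be dropped. The enclosing method starts and ends outside the hunk.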
diff --git a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java
index b4f26de..df6837f 100644
--- a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java
+++ b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java
@@ -1,5 +1,6 @@
package org.apache.commons.ssl;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.Util;
import org.junit.Test;
@@ -12,6 +13,7 @@
import static org.apache.commons.ssl.JUnitConfig.TEST_HOME;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeTrue;
public class TestOpenSSL {
@@ -130,6 +132,7 @@
byte[] encrypted = Util.streamToBytes(in);
char[] pwd = "changeit".toCharArray();
try {
+ assumeTrue(EncryptoUtil.isAES256Enabled());
byte[] result = OpenSSL.decrypt(cipher, pwd, encrypted);
String s = new String(result, "ISO-8859-1");
if (!"Hello World!".equals(s)) {
diff --git a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java
index c166f42..59127da 100644
--- a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java
+++ b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java
@@ -1,5 +1,6 @@
package org.apache.commons.ssl;
+import org.apache.kerby.util.EncryptoUtil;
import org.apache.kerby.util.Util;
import org.junit.Test;
@@ -11,6 +12,7 @@
import static org.apache.commons.ssl.JUnitConfig.TEST_HOME;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeTrue;
public class TestPKCS8Key {
@@ -44,6 +46,7 @@
System.out.println("Checking PKCS file:" + filename);
FileInputStream in = new FileInputStream(f);
byte[] bytes = Util.streamToBytes(in);
+ assumeTrue(EncryptoUtil.isAES256Enabled());
PKCS8Key key = new PKCS8Key(bytes, password.toCharArray());
byte[] decrypted = key.getDecryptedBytes();
if (original == null) {
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java b/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java
index 18d452e..ab85e93 100644
--- a/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java
@@ -20,7 +20,6 @@
package org.apache.kerby.cms;
import org.apache.kerby.asn1.Asn1;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.cms.type.CertificateChoices;
import org.apache.kerby.cms.type.CertificateSet;
import org.apache.kerby.cms.type.ContentInfo;
@@ -61,10 +60,10 @@
@Test
public void testEncoding() throws IOException {
SignedContentInfo contentInfo = new SignedContentInfo();
- contentInfo.setContentType(new Asn1ObjectIdentifier("1.2.840.113549.1.7.2"));
+ contentInfo.setContentType("1.2.840.113549.1.7.2");
SignedData signedData = new SignedData();
EncapsulatedContentInfo eContentInfo = new EncapsulatedContentInfo();
- eContentInfo.setContentType(new Asn1ObjectIdentifier("1.3.6.1.5.2.3.1"));
+ eContentInfo.setContentType("1.3.6.1.5.2.3.1");
eContentInfo.setContent("data".getBytes());
signedData.setEncapContentInfo(eContentInfo);
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactory.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
similarity index 95%
rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactory.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
index 8434f50..88907ae 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactory.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs;
+package org.apache.kerby.pkix;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -35,14 +35,8 @@
/**
* Factory for dynamically generating certificate chains.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
*/
public class CertificateChainFactory {
- /**
- * The log for this class.
- */
private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class);
private static int trustAnchorLevel = 2;
@@ -117,7 +111,7 @@
PublicKey trustAnchorPublicKey = keyPair.getPublic();
X509Certificate trustAnchorCert = TrustAnchorGenerator.generate(trustAnchorPublicKey, trustAnchorPrivateKey,
- dn, validityDays, friendlyName);
+ dn, validityDays, friendlyName);
trustAnchorCert.checkValidity();
trustAnchorCert.verify(trustAnchorPublicKey);
@@ -134,7 +128,7 @@
PublicKey clientCaPublicKey = keyPair.getPublic();
X509Certificate clientCaCert = IntermediateCaGenerator.generate(trustAnchorCert, trustAnchorPrivateKey,
- clientCaPublicKey, dn, validityDays, friendlyName);
+ clientCaPublicKey, dn, validityDays, friendlyName);
clientCaCert.checkValidity();
clientCaCert.verify(trustAnchorPublicKey);
@@ -151,7 +145,7 @@
PublicKey clientPublicKey = keyPair.getPublic();
X509Certificate clientCert = EndEntityGenerator.generate(clientCaCert, clientCaPrivateKey, clientPublicKey,
- dn, validityDays, friendlyName);
+ dn, validityDays, friendlyName);
clientCert.checkValidity();
clientCert.verify(clientCaPublicKey);
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactoryTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
similarity index 97%
rename from kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactoryTest.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
index 556aaf5..31059c4 100644
--- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactoryTest.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs;
+package org.apache.kerby.pkix;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Before;
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
similarity index 98%
rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
index e2bf201..8f80599 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs;
+package org.apache.kerby.pkix;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERBMPString;
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
similarity index 98%
rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
index a72656a..63e1816 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+package org.apache.kerby.pkix;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
similarity index 93%
rename from kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
index 578602a..826815e 100644
--- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
@@ -17,9 +17,8 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+package org.apache.kerby.pkix;
-import org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs.CertificateChainFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Before;
import org.junit.Test;
@@ -44,10 +43,7 @@
import java.util.Arrays;
public class EnvelopedDataEngineTest extends org.junit.Assert {
- /**
- * The log for this class.
- */
- private static final Logger LOG = LoggerFactory.getLogger(EnvelopedDataEngineTest.class);
+ private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class);
/**
* Certificate used to encrypt the data.
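Review bot: The new logger line `private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class);` names the wrong class; this is EnvelopedDataEngineTest, so anything logged from here will be attributed to CertificateChainFactory and confuse log filtering when reading test output. The removed line had it right: `private static final Logger LOG = LoggerFactory.getLogger(EnvelopedDataEngineTest.class);`. The class body continues past this hunk.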
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
similarity index 98%
rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
index ec977b0..3b90eea 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs;
+package org.apache.kerby.pkix;
import org.bouncycastle.asn1.DERBMPString;
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java
new file mode 100644
index 0000000..cf07eaa
--- /dev/null
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.pkix;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * This is a JAVA sign and verify test to serve as a good sample.
+ */
+public class JavaSignTest {
+
+ static class SignAlgorithm {
+ String algo;
+ String keyType;
+
+ SignAlgorithm(String algo, String keyType) {
+ this.algo = algo;
+ this.keyType = keyType;
+ }
+ }
+
+ static final SignAlgorithm[] ALGORITHMS = {
+ new SignAlgorithm("DSA", "DSA"),
+ new SignAlgorithm("SHA1withDSA", "DSA"),
+ new SignAlgorithm("SHA1withRSA", "RSA"),
+ new SignAlgorithm("SHA256withRSA", "RSA"),
+ new SignAlgorithm("SHA384withRSA", "RSA"),
+ new SignAlgorithm("SHA512withRSA", "RSA"),
+ new SignAlgorithm("MD5withRSA", "RSA"),
+ new SignAlgorithm("MD5andSHA1withRSA", "RSA"),
+ new SignAlgorithm("SHA256withRSA", "RSA")
+ };
+
+ static byte[] signData(byte[] dataToSign, KeyPair keyPair,
+ SignAlgorithm sa) throws Exception {
+ byte[] signResult;
+ Signature signer = Signature.getInstance(sa.algo);
+ signer.initSign(keyPair.getPrivate());
+ signer.update(dataToSign);
+ signResult = signer.sign();
+
+ return signResult;
+ }
+
+ static boolean verifyData(byte[] dataToVerify, byte[] signature,
+ KeyPair keyPair, SignAlgorithm sa) throws Exception {
+ boolean verifyResult;
+ Signature verifier = Signature.getInstance(sa.algo);
+ verifier.initVerify(keyPair.getPublic());
+ verifier.update(dataToVerify);
+ verifyResult = verifier.verify(signature);
+
+ return verifyResult;
+ }
+
+ public static void main(String[] args) throws Exception {
+ for (SignAlgorithm sa : ALGORITHMS) {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance(sa.keyType);
+ keyGen.initialize(1024);
+ KeyPair keyPair = keyGen.generateKeyPair();
+
+ byte[] testMessage = "Hello, Kerby!!".getBytes();
+ byte[] signature = signData(testMessage, keyPair, sa);
+ boolean isOk = verifyData(testMessage, signature, keyPair, sa);
+ if (!isOk) {
+ throw new RuntimeException("Failed");
+ }
+ }
+ }
+}
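Review bot: The class is presented as "a good sample", but `keyGen.initialize(1024)` together with the `MD5withRSA`, `MD5andSHA1withRSA`, `SHA1withDSA` and bare `DSA` entries exercises key sizes and digests that are no longer acceptable for new signatures, so anyone copying it inherits weak defaults; use `keyGen.initialize(2048);` and either drop the MD5/SHA-1 entries or tag them `// legacy algorithms, kept for interop checks only`. `SHA256withRSA` appears twice in `ALGORITHMS` (fourth and last entry), which is harmless but looks like a paste slip. Because the class has only a `main` and no JUnit annotation it never runs in the build despite living under src/test; either make it an `@Test` method or say in the Javadoc that it is run by hand. `"Hello, Kerby!!".getBytes()` should also name a charset, e.g. `getBytes(StandardCharsets.UTF_8)`, even though this input is ASCII.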
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/KeyPairSpec.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
similarity index 97%
rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/KeyPairSpec.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
index 7c6a091..b6cfa17 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/KeyPairSpec.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs;
+package org.apache.kerby.pkix;
import java.math.BigInteger;
@@ -27,9 +27,6 @@
/**
* Specifications for asymmetric key pairs.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
*/
@SuppressWarnings("checkstyle:linelength")
class KeyPairSpec {
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java
new file mode 100644
index 0000000..bb10273
--- /dev/null
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.pkix;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.CMSSignedDataGenerator;
+import org.bouncycastle.cms.CMSTypedData;
+import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.cms.SignerInformationStore;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.util.Store;
+
+import java.io.IOException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+
+/**
+ * Encapsulates working with PKINIT signed data structures.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class SignedDataEngine {
+
+ static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[] dataToSign,
+ String eContentType) throws IOException, OperatorCreationException,
+ CertificateEncodingException, CMSException {
+
+ if (Security.getProvider("BC") == null) {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+
+ List certList = new ArrayList();
+ certList.add(certificate);
+ Store certs = new JcaCertStore(certList);
+
+ CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
+
+ gen.addSignerInfoGenerator(
+ new JcaSimpleSignerInfoGeneratorBuilder()
+ .setProvider("BC")
+ .build("SHA1withRSA", privateKey, certificate));
+
+ gen.addCertificates(certs);
+
+ ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType);
+ CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign);
+ CMSSignedData s = gen.generate(msg, true);
+
+ return s.getEncoded();
+ }
+
+ /**
+ * Validates a CMS SignedData using the public key corresponding to the private
+ * key used to sign the structure.
+ *
+ * @param s
+ * @return true if the signature is valid.
+ * @throws Exception
+ */
+ public static boolean validateSignedData(CMSSignedData s) throws Exception {
+
+ Store certStore = s.getCertificates();
+ Store crlStore = s.getCRLs();
+ SignerInformationStore signers = s.getSignerInfos();
+
+ Collection c = signers.getSigners();
+ Iterator it = c.iterator();
+
+ while (it.hasNext()) {
+ SignerInformation signer = (SignerInformation) it.next();
+ Collection certCollection = certStore.getMatches(signer.getSID());
+
+ Iterator certIt = certCollection.iterator();
+ X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
+
+ if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
+ return false;
+ }
+ }
+
+ Collection certColl = certStore.getMatches(null);
+ Collection crlColl = crlStore.getMatches(null);
+
+ if (certColl.size() != s.getCertificates().getMatches(null).size()
+ || crlColl.size() != s.getCRLs().getMatches(null).size()) {
+ return false;
+ }
+ return true;
+ }
+}
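Review bot: `validateSignedData` returns true for a SignedData that carries no signers at all, since the `while` loop simply does not execute, and it calls `certIt.next()` without a `hasNext()` check, so a signer whose certificate is absent from the message throws `NoSuchElementException` instead of failing cleanly. The signature is also verified against whatever certificate the message itself embeds for that SignerIdentifier, with no path to a trust anchor, so the Javadoc "using the public key corresponding to the private key used to sign" describes only signature integrity, not authenticity; that limitation should be stated because the name suggests full validation. The final comparison of `certStore.getMatches(null).size()` against `s.getCertificates().getMatches(null).size()` compares a store with itself and can never be false, so it can go. The rewritten method below addresses the first two points and documents the third.

```java
    public static boolean validateSignedData(CMSSignedData s) throws Exception {
        Store certStore = s.getCertificates();
        SignerInformationStore signers = s.getSignerInfos();

        Collection c = signers.getSigners();
        if (c.isEmpty()) {
            return false; // a SignedData without signers must not count as valid
        }

        for (Object o : c) {
            SignerInformation signer = (SignerInformation) o;
            Collection certCollection = certStore.getMatches(signer.getSID());
            if (certCollection.isEmpty()) {
                return false; // no certificate in the message for this SignerIdentifier
            }
            X509CertificateHolder cert = (X509CertificateHolder) certCollection.iterator().next();
            // NOTE: this checks the signature against the certificate carried in the
            // message only; it does not build a certification path to a trust anchor.
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
                return false;
            }
        }
        return true;
    }
```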
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngineTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
similarity index 83%
rename from kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngineTest.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
index 8989a88..60db909 100644
--- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngineTest.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
@@ -17,10 +17,9 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
+package org.apache.kerby.pkix;
-import org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs.CertificateChainFactory;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Before;
@@ -30,18 +29,9 @@
import java.io.File;
import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.security.InvalidKeyException;
import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
-import java.security.SignatureException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
@@ -80,7 +70,6 @@
getCaFromFactory();
}
-
/**
* Tests that signed data signature validation works.
*
@@ -106,9 +95,7 @@
}
- void getCaFromFile(String caFile, String caPassword, String caAlias) throws KeyStoreException,
- NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException,
- UnrecoverableKeyException, InvalidKeyException, SignatureException, NoSuchProviderException {
+ void getCaFromFile(String caFile, String caPassword, String caAlias) throws Exception {
// Open the keystore.
KeyStore caKs = KeyStore.getInstance("PKCS12");
caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
similarity index 95%
rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
index cdb601f..f26354d 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
@@ -17,7 +17,7 @@
* under the License.
*
*/
-package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs;
+package org.apache.kerby.pkix;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
@@ -47,9 +47,6 @@
/**
* Generates an X.509 "trust anchor" certificate programmatically.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
*/
public class TrustAnchorGenerator {
/**
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java b/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java
index b78e466..c150fc4 100644
--- a/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java
+++ b/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java
@@ -19,7 +19,7 @@
*/
package org.apache.kerby.x509;
-import org.apache.kerby.pki.PkiLoader;
+import org.apache.kerby.pkix.PkiLoader;
import org.junit.Before;
import org.junit.Test;
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
index d59867a..7014960 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
@@ -24,6 +24,7 @@
import org.apache.kerby.KOptionInfo;
import org.apache.kerby.KOptionType;
import org.apache.kerby.KOptions;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
@@ -188,10 +189,6 @@
return krbClient;
}
- private static String getAnonymousPrincipal() {
- return "WELLKNOWN/ANONYMOUS";
- }
-
public static void main(String[] args) throws Exception {
KOptions ktOptions = new KOptions();
KinitOption kto;
@@ -238,7 +235,7 @@
if (principal == null) {
if (ktOptions.contains(KinitOption.ANONYMOUS)) {
- principal = getAnonymousPrincipal();
+ principal = KrbConstant.ANONYMOUS_PRINCIPAL;
} else {
printUsage("No principal is specified");
}
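Review bot: The value of `KrbConstant.ANONYMOUS_PRINCIPAL` is not visible here, so it is worth confirming it matches what the removed helper returned (`WELLKNOWN/ANONYMOUS`) and, if it differs, which realm it implies: RFC 8062 defines the fully anonymous principal as `WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS`, whereas a realm-less name would presumably get the client's default realm attached, which decides whether the request is anonymous only in name or also in realm. A one-line comment at the assignment, e.g. `// RFC 8062 anonymous principal; realm is resolved by KrbClient`, would record the intent for the next reader. The `if (principal == null)` block continues past the hunk.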
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java b/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java
index 557181e..c0323d1 100644
--- a/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java
+++ b/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java
@@ -1,3 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
package org.apache.kerby.util;
import java.io.ByteArrayInputStream;
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/EncryptoUtil.java b/kerby-util/src/main/java/org/apache/kerby/util/EncryptoUtil.java
new file mode 100644
index 0000000..a9e4b7a
--- /dev/null
+++ b/kerby-util/src/main/java/org/apache/kerby/util/EncryptoUtil.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.kerby.util;
+
+import javax.crypto.Cipher;
+
+/**
+ * This class gives a method to detect if system support AES256 or above.
+ */
+public class EncryptoUtil {
+ private static boolean isAES256Enabled = false;
+
+ static {
+ try {
+ isAES256Enabled = Cipher.getMaxAllowedKeyLength("AES") >= 256;
+ } catch (Exception e) {
+ System.err.println(e);
+ }
+ }
+
+ /**
+ * @return true if aes256 is enabled
+ */
+ public static boolean isAES256Enabled() {
+ return isAES256Enabled;
+ }
+
+}
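Review bot: A failure in the static initializer is reduced to `System.err.println(e)` and leaves `isAES256Enabled` false, so any problem looking up the AES cipher (missing provider, misconfigured policy) is reported as "AES-256 disabled", and the callers this commit adds then quietly skip their tests; the exception should at least go through the project's SLF4J logger with its stack trace, and the Javadoc should state that a lookup failure is treated as disabled. `Cipher.getMaxAllowedKeyLength("AES")` also reflects the jurisdiction policy limit rather than whether a provider actually offers 256-bit AES, which the class comment "detect if system support AES256" overstates; a comment like `// Reflects the JCE jurisdiction policy limit, not provider capability` would help. As a static utility the class should also get a `private EncryptoUtil() { }` constructor.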
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java b/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java
index 93f6dfd..f682f03 100644
--- a/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java
+++ b/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java
@@ -26,6 +26,53 @@
private static final char[] HEX_CHARS = HEX_CHARS_STR.toCharArray();
/**
+ * Convert bytes into friendly format as:
+ * 0x02 02 00 80
+ */
+ public static String bytesToHexFriendly(byte[] bytes) {
+ int len = bytes.length * 2;
+ len += bytes.length; // for ' ' appended for each char
+ len += 2; // for '0x' prefix
+ char[] hexChars = new char[len];
+ hexChars[0] = '0';
+ hexChars[1] = 'x';
+ for (int j = 0; j < bytes.length; j++) {
+ int v = bytes[j] & 0xFF;
+ hexChars[j * 3 + 2] = HEX_CHARS[v >>> 4];
+ hexChars[j * 3 + 3] = HEX_CHARS[v & 0x0F];
+ hexChars[j * 3 + 4] = ' ';
+ }
+
+ return new String(hexChars);
+ }
+
+ /**
+ * Convert friendly hex string like follows into byte array
+ * 0x02 02 00 80
+ */
+ public static byte[] hex2bytesFriendly(String hexString) {
+ hexString = hexString.toUpperCase();
+ String hexStr = hexString;
+ if (hexString.startsWith("0X")) {
+ hexStr = hexString.substring(2);
+ }
+ String[] hexParts = hexStr.split(" ");
+
+ byte[] bytes = new byte[hexParts.length];
+ char[] hexPart;
+ for (int i = 0; i < hexParts.length; ++i) {
+ hexPart = hexParts[i].toCharArray();
+ if (hexPart.length != 2) {
+ throw new IllegalArgumentException("Invalid hex string to convert");
+ }
+ bytes[i] = (byte) ((HEX_CHARS_STR.indexOf(hexPart[0]) << 4)
+ + HEX_CHARS_STR.indexOf(hexPart[1]));
+ }
+
+ return bytes;
+ }
+
+ /**
* Convert bytes into format as:
* 02020080
* @param bytes The bytes
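Review bot: `hex2bytesFriendly` accepts any two-character token, because `HEX_CHARS_STR.indexOf` returns -1 for a non-hex character and that -1 is silently folded into the byte value (`"0x0G"` yields a byte rather than an error), so malformed input produces garbage instead of the `IllegalArgumentException` the length check suggests; both digit lookups need to be validated as below. The pair is also not round-trip safe for empty input: `bytesToHexFriendly(new byte[0])` returns `"0x"`, and `hex2bytesFriendly("0x")` then throws because `"".split(" ")` yields one empty token, so an explicit empty-string check returning `new byte[0]` is needed. The lookup assumes `HEX_CHARS_STR` holds upper-case digits (the input is upper-cased first), which cannot be confirmed from this hunk.

```java
        for (int i = 0; i < hexParts.length; ++i) {
            hexPart = hexParts[i].toCharArray();
            if (hexPart.length != 2) {
                throw new IllegalArgumentException("Invalid hex string to convert");
            }
            int hi = HEX_CHARS_STR.indexOf(hexPart[0]);
            int lo = HEX_CHARS_STR.indexOf(hexPart[1]);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("Invalid hex string to convert");
            }
            bytes[i] = (byte) ((hi << 4) | lo);
        }
```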
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java b/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java
index 9d30095..f7a1db0 100644
--- a/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java
+++ b/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java
@@ -1,3 +1,22 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
package org.apache.kerby.util;
import java.io.IOException;