Merge branch 'master' of http://git-wip-us.apache.org/repos/asf/directory-kerby
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java
index 5015ba2..08a9019 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1.java
@@ -29,7 +29,6 @@ /** * The shortcut API for ASN1 encoding, decoding and dumping. - * TO BE WELL DOCUMENTED. */ public final class Asn1 { 
@@ -37,31 +36,85 @@ } + /** + * Encode value into buffer. + * @param buffer + * @param value + * @throws IOException + */ public static void encode(ByteBuffer buffer, Asn1Type value) throws IOException { value.encode(buffer); } + /** + * Encode value and return the result. + * @param value + * @return + * @throws IOException + */ public static byte[] encode(Asn1Type value) throws IOException { return value.encode(); } + /** + * Blindly decode content and return the result ASN1 object. + * @param content + * @return + * @throws IOException + */ public static Asn1Type decode(byte[] content) throws IOException { return decode(ByteBuffer.wrap(content)); } + /** + * See avove. + */ public static Asn1Type decode(ByteBuffer content) throws IOException { Asn1ParseResult parseResult = Asn1Parser.parse(content); return Asn1Converter.convert(parseResult, false); } + /** + * Decode using specified value container. Better to use this when the value + * type is known prior to the call. + * @param content + * @param value + * @throws IOException + */ + public static void decode(byte[] content, Asn1Type value) throws IOException { + value.decode(content); + } + + /** + * See avove. + */ + public static void decode(ByteBuffer content, Asn1Type value) throws IOException { + value.decode(content); + } + + /** + * Parse content and return parse result. Note this is different from decode, + * as it doesn't decode into values, only parse result info like offset, + * header len, body len and etc. are out. + * @param content + * @return + * @throws IOException + */ public static Asn1ParseResult parse(byte[] content) throws IOException { return parse(ByteBuffer.wrap(content)); } + /** + * See avove. + */ public static Asn1ParseResult parse(ByteBuffer content) throws IOException { return Asn1Parser.parse(content); } + /** + * Dump out a value. + * @param value + */ public static void dump(Asn1Type value) { Asn1Dumper dumper = new Asn1Dumper(); dumper.dumpType(0, value); 
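Review bot: Every `@param`, `@return` and `@throws` tag in the new Javadoc is left without a description, and the "See avove." comments in this hunk and the next misspell "above", so javadoc will warn and a reader learns nothing from them. Fill them in along the lines of `@param content the ASN.1 encoded bytes to decode`, `@return the decoded value` and `@throws IOException if the content cannot be parsed`, and replace "See avove." with a `{@link #decode(byte[])}`-style cross reference so each overload points at the documented one. The "Blindly decode" wording on `decode(byte[])` is worth expanding: the returned `Asn1Type` is whatever `Asn1Converter.convert` picks from the parsed tag, so a caller handing it untrusted input gets an arbitrary type back and should prefer the typed `decode(content, value)` overload when the expected type is known.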
@@ -69,28 +122,28 @@ System.out.println(output); } + /** + * Parse first, and then dump out the parse result. + * @param hexStr + * @throws IOException + */ public static void parseAndDump(String hexStr) throws IOException { byte[] data = HexUtil.hex2bytes(hexStr); parseAndDump(data); } - public static void decodeAndDump(String hexStr) throws IOException { - byte[] data = HexUtil.hex2bytes(hexStr); - decodeAndDump(data); - } - + /** + * See avove. + */ public static void parseAndDump(ByteBuffer content) throws IOException { byte[] bytes = new byte[content.remaining()]; content.get(bytes); parseAndDump(bytes); } - public static void decodeAndDump(ByteBuffer content) throws IOException { - byte[] bytes = new byte[content.remaining()]; - content.get(bytes); - decodeAndDump(bytes); - } - + /** + * See avove. + */ public static void parseAndDump(byte[] content) throws IOException { String hexStr = HexUtil.bytesToHex(content); Asn1Dumper dumper = new Asn1Dumper(); @@ -101,6 +154,28 @@ System.out.println(output); } + /** + * Decode first, and then dump out the decoded value. + * @param hexStr + * @throws IOException + */ + public static void decodeAndDump(String hexStr) throws IOException { + byte[] data = HexUtil.hex2bytes(hexStr); + decodeAndDump(data); + } + + /** + * See avove. + */ + public static void decodeAndDump(ByteBuffer content) throws IOException { + byte[] bytes = new byte[content.remaining()]; + content.get(bytes); + decodeAndDump(bytes); + } + + /** + * See avove. + */ public static void decodeAndDump(byte[] content) throws IOException { String hexStr = HexUtil.bytesToHex(content); Asn1Dumper dumper = new Asn1Dumper();
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java
index f0cb632..f426764 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Converter.java
@@ -20,7 +20,7 @@ package org.apache.kerby.asn1; import org.apache.kerby.asn1.parse.Asn1ParseResult; -import org.apache.kerby.asn1.type.Asn1Specifix; +import org.apache.kerby.asn1.type.Asn1Specific; import org.apache.kerby.asn1.type.Asn1Collection; import org.apache.kerby.asn1.type.Asn1Constructed; import org.apache.kerby.asn1.type.Asn1Encodeable; @@ -49,7 +49,7 @@ tmpValue.decode(parseResult); return tmpValue; } else if (parseResult.isTagSpecific()) { - Asn1Specifix app = new Asn1Specifix(parseResult.tag()); + Asn1Specific app = new Asn1Specific(parseResult.tag()); app.decode(parseResult); return app; } else {
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java
index 8e65ea2..3368a44 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/Asn1Dumper.java
@@ -22,7 +22,7 @@ import org.apache.kerby.asn1.parse.Asn1Item; import org.apache.kerby.asn1.parse.Asn1ParseResult; import org.apache.kerby.asn1.parse.Asn1Parser; -import org.apache.kerby.asn1.type.Asn1Specifix; +import org.apache.kerby.asn1.type.Asn1Specific; import org.apache.kerby.asn1.type.Asn1Simple; import org.apache.kerby.asn1.type.Asn1Type; @@ -66,7 +66,7 @@ } else if (value instanceof Asn1Dumpable) { Asn1Dumpable dumpable = (Asn1Dumpable) value; dumpable.dumpWith(this, indents); - } else if (value instanceof Asn1Specifix) { + } else if (value instanceof Asn1Specific) { indent(indents).append(value.toString()); } else { indent(indents).append("<Unknown>");
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
index 16e40b3..8f546c6 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1CollectionType.java
@@ -228,10 +228,22 @@ setFieldAs(index, new Asn1Integer(value)); } - protected void setFieldAsBigInteger(EnumType index, BigInteger value) { + protected void setFieldAsInt(EnumType index, BigInteger value) { setFieldAs(index, new Asn1Integer(value)); } + protected void setFieldAsObjId(EnumType index, String value) { + setFieldAs(index, new Asn1ObjectIdentifier(value)); + } + + protected String getFieldAsObjId(EnumType index) { + Asn1ObjectIdentifier objId = getFieldAs(index, Asn1ObjectIdentifier.class); + if (objId != null) { + return objId.getValue(); + } + return null; + } + protected <T extends Asn1Type> T getFieldAsAny(EnumType index, Class<T> t) { Asn1Type value = fields[index.getValue()]; if (value != null && value instanceof Asn1Any) {
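Review bot: Renaming the protected `setFieldAsBigInteger` to `setFieldAsInt` removes a protected API that subclasses outside this module may already call, and the new name now overloads whatever `setFieldAsInt` already exists for the primitive case (the context line just above suggests one). Keep a deprecated delegating overload so existing subclasses keep compiling: `@Deprecated protected void setFieldAsBigInteger(EnumType index, BigInteger value) { setFieldAsInt(index, value); }`. The null return from the new `getFieldAsObjId` for an unset field is a contract the caller needs to know; a one-line Javadoc such as `/** Returns the OID string of the field, or null if the field is not set. */` would state it.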
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specifix.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specific.java
similarity index 86%
rename from kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specifix.java
rename to kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specific.java
index b52259c..423e67e 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specifix.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1Specific.java
@@ -25,15 +25,15 @@ import java.io.IOException; /** - * Application or context object mainly for using implicit encoding. + * Application or context specific object mainly for using implicit encoding. */ -public class Asn1Specifix extends AbstractAsn1Type<byte[]> { +public class Asn1Specific extends AbstractAsn1Type<byte[]> { - public Asn1Specifix(Tag tag, byte[] value) { + public Asn1Specific(Tag tag, byte[] value) { super(tag, value); } - public Asn1Specifix(Tag tag) { + public Asn1Specific(Tag tag) { super(tag); }
diff --git a/kerby-config/src/main/java/org/apache/kerby/config/Conf.java b/kerby-config/src/main/java/org/apache/kerby/config/Conf.java
index d5bbcfc..86555e9 100644
--- a/kerby-config/src/main/java/org/apache/kerby/config/Conf.java
+++ b/kerby-config/src/main/java/org/apache/kerby/config/Conf.java
@@ -25,27 +25,23 @@ import java.io.File; import java.io.IOException; import java.util.ArrayList; -import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Properties; import java.util.Set; +/** + * A general class to describe and store all the config files. + */ public class Conf implements Config { private static final Logger LOGGER = LoggerFactory.getLogger(Conf.class); private List<ConfigLoader> resourceConfigs; private final ConfigImpl config; - private final Map<String, String> setValues; - private boolean needReload; public Conf() { this.resourceConfigs = new ArrayList<ConfigLoader>(1); this.config = new ConfigImpl("Conf"); - this.setValues = new HashMap<>(10); - this.needReload = true; - - addMapConfig(setValues); } public void addXmlConfig(File xmlFile) throws IOException { @@ -72,10 +68,16 @@ addResource(Resource.createMapResource(mapConfig)); } - public void addResource(Resource resource) { + /** + * Load the resource name and content in one step. + * Add synchronized to avoid conflicts + * @param resource the config resource + */ + public synchronized void addResource(Resource resource) { ConfigLoader loader = getLoader(resource); resourceConfigs.add(loader); - needReload = true; + Config loaded = loader.load(); + config.add(loaded); } private static ConfigLoader getLoader(Resource resource) { @@ -94,16 +96,12 @@ return loader; } - private void checkAndLoad() { - if (needReload) { - reload(); - needReload = false; - } - } - - public void reload() { + /** + * For users usage, to determine whether to reload config files. + * Add synchronized to avoid conflicts + */ + public synchronized void reload() { config.reset(); - for (ConfigLoader loader : resourceConfigs) { Config loaded = loader.load(); config.add(loaded); 
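Review bot: Values set through `setString` can now be lost by `reload()`: `setString` (in the next hunk of this file) writes straight into `config`, and `reload()` starts with `config.reset()` before re-adding only the loaders in `resourceConfigs`, whereas the removed `setValues` map was itself registered through `addMapConfig(setValues)` and so survived every reload. If `reset()` clears the directly-set properties, as its name suggests, user overrides silently disappear after the first `reload()`. Either keep a map of user-set values and re-apply it at the end of `reload()`, or state in the `reload()` Javadoc that it discards values set via `setString`. Separately, `addResource`, `reload` and `setString` are `synchronized` but none of the getters are, so a reader on another thread can observe the config between `reset()` and the re-add and get a missing or default value; the "Add synchronized to avoid conflicts" comments should say what is and is not protected, or the getters should take the same lock. The same `checkAndLoad()` removal is repeated in the three following hunks and needs no separate comment.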
@@ -112,37 +110,38 @@ @Override public String getResource() { - checkAndLoad(); return config.getResource(); } @Override public Set<String> getNames() { - checkAndLoad(); return config.getNames(); } @Override public String getString(String name) { - checkAndLoad(); return config.getString(name); } @Override public String getString(ConfigKey name, boolean useDefault) { - checkAndLoad(); return config.getString(name, useDefault); } @Override public String getString(String name, String defaultValue) { - checkAndLoad(); return config.getString(name, defaultValue); } + /** + * Values user sets will be add in config directly. + * Add synchronized to avoid conflicts + * @param name The property name + * @param value The string value + */ @Override - public void setString(String name, String value) { - setValues.put(name, value); + public synchronized void setString(String name, String value) { + config.set(name, value); } @Override @@ -152,31 +151,26 @@ @Override public String getTrimmed(String name) { - checkAndLoad(); return config.getTrimmed(name); } @Override public String getTrimmed(ConfigKey name) { - checkAndLoad(); return config.getTrimmed(name); } @Override public Boolean getBoolean(String name) { - checkAndLoad(); return config.getBoolean(name); } @Override public Boolean getBoolean(ConfigKey name, boolean useDefault) { - checkAndLoad(); return config.getBoolean(name, useDefault); } @Override public Boolean getBoolean(String name, Boolean defaultValue) { - checkAndLoad(); return config.getBoolean(name, defaultValue); } @@ -192,19 +186,16 @@ @Override public Integer getInt(String name) { - checkAndLoad(); return config.getInt(name); } @Override public Integer getInt(ConfigKey name, boolean useDefault) { - checkAndLoad(); return config.getInt(name, useDefault); } @Override public Integer getInt(String name, Integer defaultValue) { - checkAndLoad(); return config.getInt(name, defaultValue); } 
@@ -220,19 +211,16 @@ @Override public Long getLong(String name) { - checkAndLoad(); return config.getLong(name); } @Override public Long getLong(ConfigKey name, boolean useDefault) { - checkAndLoad(); return config.getLong(name, useDefault); } @Override public Long getLong(String name, Long defaultValue) { - checkAndLoad(); return config.getLong(name, defaultValue); } @@ -248,19 +236,16 @@ @Override public Float getFloat(String name) { - checkAndLoad(); return config.getFloat(name); } @Override public Float getFloat(ConfigKey name, boolean useDefault) { - checkAndLoad(); return config.getFloat(name, useDefault); } @Override public Float getFloat(String name, Float defaultValue) { - checkAndLoad(); return config.getFloat(name, defaultValue); } 
@@ -276,69 +261,58 @@ @Override public List<String> getList(String name) { - checkAndLoad(); return config.getList(name); } @Override public List<String> getList(String name, String[] defaultValue) { - checkAndLoad(); return config.getList(name, defaultValue); } @Override public List<String> getList(ConfigKey name) { - checkAndLoad(); return config.getList(name); } @Override public Config getConfig(String name) { - checkAndLoad(); return config.getConfig(name); } @Override public Config getConfig(ConfigKey name) { - checkAndLoad(); return config.getConfig(name); } @Override public Class<?> getClass(String name) throws ClassNotFoundException { - checkAndLoad(); return config.getClass(name); } @Override public Class<?> getClass(String name, Class<?> defaultValue) throws ClassNotFoundException { - checkAndLoad(); return config.getClass(name, defaultValue); } @Override public Class<?> getClass(ConfigKey name, boolean useDefault) throws ClassNotFoundException { - checkAndLoad(); return config.getClass(name, useDefault); } @Override public <T> T getInstance(String name) throws ClassNotFoundException { - checkAndLoad(); return config.getInstance(name); } @Override public <T> T getInstance(ConfigKey name) throws ClassNotFoundException { - checkAndLoad(); return config.getInstance(name); } @Override public <T> T getInstance(String name, Class<T> xface) throws ClassNotFoundException { - checkAndLoad(); return config.getInstance(name, xface); } } \ No newline at end of file
diff --git a/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java b/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java
index d083313..ec3090f 100644
--- a/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java
+++ b/kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java
@@ -38,8 +38,6 @@ */ private List<Config> configs; - private Set<String> propNames; - protected ConfigImpl(String resource) { this.resource = resource; this.properties = new HashMap<String, ConfigObject>(); @@ -58,7 +56,10 @@ @Override public Set<String> getNames() { - reloadNames(); + Set<String>propNames = new HashSet<String>(properties.keySet()); + for (Config config : configs) { + propNames.addAll(config.getNames()); + } return propNames; } @@ -424,14 +425,4 @@ this.configs.add(config); } } - - private void reloadNames() { - if (propNames != null) { - propNames.clear(); - } - propNames = new HashSet<String>(properties.keySet()); - for (Config config : configs) { - propNames.addAll(config.getNames()); - } - } }
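Review bot: `Set<String>propNames` on the new side of `getNames()` is missing the space after the type argument; `Set<String> propNames = new HashSet<>(properties.keySet());` matches the rest of the file. Building a fresh set per call replaces the previously cached `propNames` field, which is a reasonable fix for a cache that had to be rebuilt on every read anyway, but the contract changed: callers now get a detached snapshot rather than a shared field, which is worth one line of Javadoc, e.g. `/** Returns a snapshot of all property names, including nested configs; modifying it does not affect this config. */`.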
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AccessTokenKdcTest.java
similarity index 88%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AccessTokenKdcTest.java
index 3971265..57b2b1b 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AccessTokenKdcTest.java
@@ -34,7 +34,7 @@ import org.junit.Assert; import org.junit.Test; -public class WithAccessTokenKdcTest extends WithTokenKdcTestBase { +public class AccessTokenKdcTest extends TokenKdcTestBase { @Test public void testRequestServiceTicketWithAccessToken() throws Exception { @@ -44,7 +44,7 @@ @Test public void testBadIssuer() throws Exception { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is); prepareToken(getServerPrincipal(), "oauth1.com", privateKey, null); @@ -59,7 +59,7 @@ @Test public void testBadAudienceRestriction() throws Exception { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is); prepareToken("bad-service" + "/" + getHostname() + "@" + TestKdcServer.KDC_REALM, ISSUER, privateKey, null); @@ -103,10 +103,10 @@ @Test public void testSignedEncryptedToken() throws Exception { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is); - is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); + is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); PublicKey publicKey = PublicKeyReader.loadPublicKey(is); prepareToken(getServerPrincipal(), ISSUER, privateKey, publicKey); 
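Review bot: Each `getResourceAsStream("/private_key.pem")` on the rewritten lines is opened and never closed, and `getResourceAsStream` returns null when the resource is missing, which then surfaces as a NullPointerException inside `loadPrivateKey` rather than a clear failure; the same pattern is repeated in IdentityTokenKdcTest and in `prepareToken` of TokenKdcTestBase in this commit. Since these lines are already being touched, closing them is cheap: `PrivateKey privateKey; try (InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem")) { privateKey = PrivateKeyReader.loadPrivateKey(is); }` (assuming `loadPrivateKey` does not close the stream itself, which the hunk does not show). A `Assert.assertNotNull("/private_key.pem missing", is)` before the load would turn the missing-fixture case into a readable failure.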
@@ -119,7 +119,7 @@ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); KeyPair keyPair = keyGen.generateKeyPair(); - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); PublicKey publicKey = PublicKeyReader.loadPublicKey(is); prepareToken(getServerPrincipal(), ISSUER, keyPair.getPrivate(), publicKey); @@ -136,7 +136,7 @@ private void performTest() throws Exception { createCredentialCache(getClientPrincipal(), getClientPassword()); - KrbTokenClient tokenClient = new KrbTokenClient(getKrbClient()); + KrbTokenClient tokenClient = getTokenClient(); try { SgtTicket sgtTicket = tokenClient.requestSgt( getKrbToken(), getServerPrincipal(), getcCacheFile().getPath());
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
index 9e64fe8..215d8b0 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/AnonymousPkinitKdcTest.java
@@ -19,6 +19,7 @@ */ package org.apache.kerby.kerberos.kdc; +import org.apache.kerby.kerberos.kerb.KrbConstant; import org.apache.kerby.kerberos.kerb.KrbException; import org.apache.kerby.kerberos.kerb.client.KrbConfigKey; import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient; @@ -26,18 +27,24 @@ import org.apache.kerby.kerberos.kerb.server.KdcTestBase; import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket; import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket; +import org.junit.Assert; import org.junit.Before; import org.junit.Test; import static org.assertj.core.api.Assertions.assertThat; +/** + * Anonymous PKINIT test. + */ public class AnonymousPkinitKdcTest extends KdcTestBase { - private String serverPrincipal; + private KrbPkinitClient pkinitClient; @Before public void setUp() throws Exception { super.setUp(); + + pkinitClient = getPkinitClient(); } @Override @@ -57,28 +64,24 @@ super.createPrincipals(); //Anonymity support is not enabled by default. //To enable it, you must create the principal WELLKNOWN/ANONYMOUS - getKdcServer().createPrincipal("WELLKNOWN/ANONYMOUS"); + getKdcServer().createPrincipal(KrbConstant.ANONYMOUS_PRINCIPAL); } @Test public void testAnonymity() throws Exception { - - getKrbClient().init(); - - TgtTicket tgt; - KrbPkinitClient pkinitClient = new KrbPkinitClient(getKrbClient()); + try { tgt = pkinitClient.requestTgt(); } catch (KrbException te) { te.printStackTrace(); - assertThat(te.getMessage().contains("timeout")).isTrue(); + Assert.fail(); return; } assertThat(tgt).isNotNull(); serverPrincipal = getServerPrincipal(); - SgtTicket tkt = getKrbClient().requestSgt(tgt, serverPrincipal); + SgtTicket tkt = pkinitClient.requestSgt(tgt, serverPrincipal); assertThat(tkt).isNotNull(); } }
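Review bot: The local `TgtTicket tgt;` and the field `serverPrincipal` are removed in the last hunk, yet `tgt = pkinitClient.requestTgt()` and `serverPrincipal = getServerPrincipal()` remain, so this only compiles if `KdcTestBase` now exposes both as inherited fields, which this diff does not show; if that is the case, per-test state in mutable protected fields of the base class is fragile and plain locals would be clearer. The catch block replaces the timeout assertion with `te.printStackTrace(); Assert.fail();`, which drops the cause from the test report; let the exception propagate, or use `Assert.fail("requestTgt failed: " + te)`. The `Assert` import added in the second hunk exists only for this call.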
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/IdentityTokenKdcTest.java
similarity index 89%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/IdentityTokenKdcTest.java
index 5eaa176..5aa2115 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/IdentityTokenKdcTest.java
@@ -35,7 +35,7 @@ import java.security.PrivateKey; import java.security.PublicKey; -public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase { +public class IdentityTokenKdcTest extends TokenKdcTestBase { @Test public void testKdc() throws Exception { @@ -45,7 +45,7 @@ @Test public void testBadIssuer() throws Exception { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is); prepareToken(getAudience("krbtgt"), "oauth1.com", privateKey, null); @@ -60,7 +60,7 @@ @Test public void testBadAudienceRestriction() throws Exception { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is); prepareToken("krbtgt2@EXAMPLE.COM", ISSUER, privateKey, null); @@ -102,10 +102,10 @@ @Test public void testSignedEncryptedToken() throws Exception { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = PrivateKeyReader.loadPrivateKey(is); - is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); + is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); PublicKey publicKey = PublicKeyReader.loadPublicKey(is); prepareToken(getAudience("krbtgt"), ISSUER, privateKey, publicKey); 
@@ -118,7 +118,7 @@ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); KeyPair keyPair = keyGen.generateKeyPair(); - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/oauth2.com_public_key.pem"); PublicKey publicKey = PublicKeyReader.loadPublicKey(is); prepareToken(getAudience("krbtgt"), ISSUER, keyPair.getPrivate(), publicKey); @@ -137,7 +137,7 @@ createCredentialCache(getClientPrincipal(), getClientPassword()); TgtTicket tgt; - KrbTokenClient tokenClient = new KrbTokenClient(getKrbClient()); + KrbTokenClient tokenClient = getTokenClient(); try { tgt = tokenClient.requestTgt(getKrbToken(), getcCacheFile().getPath());
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithCertKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/PkinitKdcTest.java
similarity index 94%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithCertKdcTest.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/PkinitKdcTest.java
index 1705bf9..f226a97 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithCertKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/PkinitKdcTest.java
@@ -25,7 +25,7 @@ import org.apache.kerby.kerberos.kerb.server.KdcTestBase; import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket; import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket; -import org.apache.kerby.pki.PkiLoader; +import org.apache.kerby.pkix.PkiLoader; import org.junit.Before; import org.junit.Test; @@ -36,6 +36,10 @@ import static org.assertj.core.api.Assertions.assertThat; /** + * RSA PKINIT test. + */ + +/** openssl genrsa -out cakey.pem 2048 openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650 vi extensions.kdc @@ -44,17 +48,21 @@ env REALM=SH.INTEL.COM openssl x509 -req -in kdc.req -CAkey cakey.pem \ -CA cacert.pem -out kdc.pem -days 365 -extfile extensions.kdc -extensions kdc_cert -CAcreateserial */ -public class WithCertKdcTest extends KdcTestBase { +public class PkinitKdcTest extends KdcTestBase { private PkiLoader pkiLoader; private String serverPrincipal; private Certificate userCert; private PrivateKey userKey; //NOPMD + private KrbPkinitClient pkinitClient; + @Before public void setUp() throws Exception { pkiLoader = new PkiLoader(); super.setUp(); + + pkinitClient = getPkinitClient(); } @Override @@ -80,10 +88,7 @@ public void testPkinit() throws Exception { assertThat(userCert).isNotNull(); - getKrbClient().init(); - TgtTicket tgt; - KrbPkinitClient pkinitClient = new KrbPkinitClient(getKrbClient()); try { String userCertPath = getClass().getResource("/usercert.pem").getPath(); String userKeyPath = getClass().getResource("/userkey.pem").getPath();
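Review bot: The new `/** RSA PKINIT test. */` block is immediately followed by the pre-existing `/** openssl genrsa ... */` block, and javadoc attaches only the last doc comment before a declaration, so the added summary never reaches the generated docs. Merge them into one comment: `RSA PKINIT test.` as the first sentence, a blank ` *` line, then the openssl recipe inside `<pre>...</pre>` so the commands keep their line breaks. It would also help to say that the recipe documents how the `/usercert.pem` and `/userkey.pem` fixtures the test loads were produced, so nobody reads `SH.INTEL.COM` as a value the test depends on.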
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
similarity index 94%
rename from kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
rename to kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
index f33309f..387ad52 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTestBase.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/TokenKdcTestBase.java
@@ -48,7 +48,7 @@ import static org.assertj.core.api.Assertions.assertThat; -public class WithTokenKdcTestBase extends KdcTestBase { +public class TokenKdcTestBase extends KdcTestBase { static final String SUBJECT = "test-sub"; static final String ISSUER = "oauth2.com"; static final String GROUP = "sales-group"; @@ -68,7 +68,7 @@ String verifyKeyPath = this.getClass().getResource("/").getPath(); getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_VERIFY_KEYS, verifyKeyPath); - URL privateKeyPath = WithTokenKdcTestBase.class.getResource("/private_key.pem"); + URL privateKeyPath = TokenKdcTestBase.class.getResource("/private_key.pem"); getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_DECRYPTION_KEYS, privateKeyPath.getPath()); getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_ISSUERS, ISSUER); } @@ -82,7 +82,7 @@ } protected AuthToken prepareToken(String audience) { - InputStream is = WithTokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); + InputStream is = TokenKdcTestBase.class.getResourceAsStream("/private_key.pem"); PrivateKey privateKey = null; try { privateKey = PrivateKeyReader.loadPrivateKey(is); @@ -120,10 +120,10 @@ TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder(); if (tokenEncoder instanceof JwtTokenEncoder && signingKey != null) { - ((JwtTokenEncoder) tokenEncoder).setSignKey(signingKey); + tokenEncoder.setSignKey(signingKey); } if (tokenEncoder instanceof JwtTokenEncoder && encryptionKey != null) { - ((JwtTokenEncoder) tokenEncoder).setEncryptionKey(encryptionKey); + tokenEncoder.setEncryptionKey(encryptionKey); } krbToken = new KrbToken();
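Review bot: In the last hunk the casts to `JwtTokenEncoder` are dropped but the `instanceof JwtTokenEncoder` guards stay, so `setSignKey`/`setEncryptionKey` are now called on the `TokenEncoder` interface (which must declare them for this to compile) while any other encoder is still silently skipped. That silent skip means a differently configured `KrbRuntime.getTokenProvider()` would emit an unsigned, unencrypted token and the "signed/encrypted token" tests would still pass for the wrong reason; either drop the `instanceof` so every encoder is keyed, or add an else-branch with `Assert.fail("unexpected token encoder: " + tokenEncoder.getClass())`. If the guard is kept on purpose, a one-line comment saying why only JWT encoders receive keys would stop the next reader from removing it.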
diff --git a/kerby-kerb/kerb-client/pom.xml b/kerby-kerb/kerb-client/pom.xml
index 5bbc680..d75eaea 100644
--- a/kerby-kerb/kerb-client/pom.xml
+++ b/kerby-kerb/kerb-client/pom.xml
@@ -46,10 +46,5 @@ <artifactId>kerb-util</artifactId> <version>${project.version}</version> </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcpkix-jdk15on</artifactId> - <version>1.52</version> - </dependency> </dependencies> </project>
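Review bot: Dropping `bcpkix-jdk15on` from kerb-client is only safe if nothing under kerb-client still imports `org.bouncycastle`; `PkinitPreauth` in this same commit still calls `PkinitCrypto.cmsSignedDataCreate`, so presumably that helper and its BouncyCastle usage now live behind the `org.apache.kerby.pkix` package this commit references and reach kerb-client transitively. A crypto provider pulled in only transitively is worth either a direct `<dependency>` entry or a comment on the module that owns it, so a later change to that module's dependencies does not silently break PKINIT signing in kerb-client.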
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java
index 1a8306f..4c29394 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbKdcOption.java
@@ -29,21 +29,21 @@ NONE(null), /* KDC flags */ - FORWARDABLE(new KOptionInfo("forwardable", "forwardable", + FORWARDABLE(new KOptionInfo("-f", "forwardable", KrbOptionGroup.KDC_FLAGS)), - PROXIABLE(new KOptionInfo("proxiable", "proxiable", + PROXIABLE(new KOptionInfo("-p", "proxiable", KrbOptionGroup.KDC_FLAGS)), - REQUEST_ANONYMOUS(new KOptionInfo("request-anonymous", + REQUEST_ANONYMOUS(new KOptionInfo("-n", "request anonymous", KrbOptionGroup.KDC_FLAGS)), - VALIDATE(new KOptionInfo("validate", "validate", + VALIDATE(new KOptionInfo("-v", "validate", KrbOptionGroup.KDC_FLAGS)), - RENEW(new KOptionInfo("renew", "renew", + RENEW(new KOptionInfo("-R", "renew", KrbOptionGroup.KDC_FLAGS)), - RENEWABLE(new KOptionInfo("renewable", "renewable", + RENEWABLE(new KOptionInfo("-r", "renewable-life", KrbOptionGroup.KDC_FLAGS)), RENEWABLE_OK(new KOptionInfo("renewable-ok", "renewable ok", KrbOptionGroup.KDC_FLAGS)), - CANONICALIZE(new KOptionInfo("canonicalize", "canonicalize", + CANONICALIZE(new KOptionInfo("-C", "canonicalize", KrbOptionGroup.KDC_FLAGS)), ANONYMOUS(new KOptionInfo("-n", "anonymous", KrbOptionGroup.KDC_FLAGS));
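Review bot: After this change `REQUEST_ANONYMOUS` and the untouched `ANONYMOUS` both register the option name `"-n"`, so any lookup of options by name will resolve `-n` to whichever of the two it meets first; one of them needs a distinct name or should be removed. The new names also mix single-letter flags (`-f`, `-p`, `-R`, `-C`) with the long name `renewable-ok` that is left as is, and `RENEWABLE` now carries the description `"renewable-life"`, which reads like a value-taking option although, as far as this hunk shows, `KOptionInfo` is constructed without any value type; if `-r` is meant to take a lifetime, the declaration should express that. A short comment above the block naming the convention, e.g. `// option names follow the kinit flag letters`, would save the next reader guessing.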
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
index 4668583..fd361f7 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbPkinitClient.java
@@ -20,6 +20,7 @@ package org.apache.kerby.kerberos.kerb.client; import org.apache.kerby.KOptions; +import org.apache.kerby.kerberos.kerb.KrbConstant; import org.apache.kerby.kerberos.kerb.KrbException; import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket; @@ -89,7 +90,8 @@ public TgtTicket requestTgt() throws KrbException { KOptions requestOptions = new KOptions(); requestOptions.add(PkinitOption.USE_ANONYMOUS); - requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "WELLKNOWN/ANONYMOUS"); + requestOptions.add(KrbOption.CLIENT_PRINCIPAL, + KrbConstant.ANONYMOUS_PRINCIPAL); return requestTgt(requestOptions); } }
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 640f718..26b7203 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -50,7 +50,7 @@
 import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PkAuthenticator;
 import org.apache.kerby.kerberos.kerb.type.pa.pkinit.TrustedCertifiers;
 import org.apache.kerby.x509.type.AlgorithmIdentifier;
-import org.apache.kerby.x509.type.DHParameter;
+import org.apache.kerby.x509.type.DhParameter;
 import org.apache.kerby.x509.type.SubjectPublicKeyInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -241,7 +241,7 @@
 String content = "0x06 07 2A 86 48 ce 3e 02 01";
 Asn1ObjectIdentifier dhOid = PkinitCrypto.createOid(content);
 AlgorithmIdentifier dhAlg = new AlgorithmIdentifier();
-dhAlg.setAlgorithm(dhOid);
+dhAlg.setAlgorithm(dhOid.getValue());
 DhClient client = new DhClient();
@@ -256,7 +256,7 @@
 DHParameterSpec type = clientPubKey.getParams();
 BigInteger q = type.getP().shiftRight(1);
-DHParameter dhParameter = new DHParameter();
+DhParameter dhParameter = new DhParameter();
 dhParameter.setP(type.getP());
 dhParameter.setG(type.getG());
 dhParameter.setQ(q);
@@ -270,7 +270,7 @@
 authPack.setClientPublicValue(pubInfo);
-// DHNonce dhNonce = new DHNonce();
+// DhNonce dhNonce = new DhNonce();
 // authPack.setClientDhNonce(dhNonce);
 } else {
@@ -293,7 +293,7 @@
 private byte[] signAuthPack(AuthPack authPack) throws KrbException {
-Asn1ObjectIdentifier oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
+String oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
 byte[] signedDataBytes = PkinitCrypto.cmsSignedDataCreate(
 KrbCodec.encode(authPack), oid, 3, null, null, null, null);
@@ -361,7 +361,6 @@
 * @return PaDataEntry to be made.
 */
 private PaDataEntry makeEntry(PaPkAsReq paPkAsReq) throws KrbException {
-
 PaDataEntry paDataEntry = new PaDataEntry();
 paDataEntry.setPaDataType(PaDataType.PK_AS_REQ);
 paDataEntry.setPaDataValue(KrbCodec.encode(paPkAsReq));
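Review bot: `dhAlg.setAlgorithm(dhOid.getValue())` in the second hunk still obtains the algorithm OID by decoding the DER bytes in `"0x06 07 2A 86 48 ce 3e 02 01"` through `PkinitCrypto.createOid` and then pulling the dotted string back out; now that `setAlgorithm` takes a String, `dhAlg.setAlgorithm("1.2.840.10046.2.1")` (dhpublicnumber, which is what those bytes encode) expresses the same thing without the hex round-trip or the checked KrbException that createOid now throws. The same pattern recurs in PluginOpts.createSupportedCMSTypes later in this commit, where `"0x06 08 2A 86 48 86 F7 0D 03 07"` is des-ede3-cbc, `1.2.840.113549.3.7`. The method enclosing the second hunk starts before it, so whether createOid's new exception is propagated or wrapped there is not visible.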
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java deleted file mode 100644 index a63dfe9..0000000 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java +++ /dev/null
@@ -1,210 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit; - -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack; -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo; -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.ReplyKeyPack; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.cert.X509CertificateHolder; -import org.bouncycastle.cert.jcajce.JcaCertStore; -import org.bouncycastle.cms.CMSException; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.cms.CMSSignedData; -import org.bouncycastle.cms.CMSSignedDataGenerator; -import org.bouncycastle.cms.CMSTypedData; -import org.bouncycastle.cms.SignerInformation; -import org.bouncycastle.cms.SignerInformationStore; -import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder; -import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.util.Store; - -import java.io.IOException; -import java.security.PrivateKey; -import 
java.security.Security; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Iterator; -import java.util.List; - - -/** - * Encapsulates working with PKINIT signed data structures. - * - * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> - * @version $Rev$, $Date$ - */ -public class SignedDataEngine { - private static final String ID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1"; - private static final String ID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2"; - private static final String ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3"; - - /** - * Uses a private key to sign data in a CMS SignedData structure and returns - * the encoded CMS SignedData as bytes. - * <p/> - * 'signedAuthPack' contains a CMS type ContentInfo encoded according to [RFC3852]. - * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2), - * and the content field is a SignedData. - * <p/> - * The eContentType field for the type SignedData is id-pkinit-authData (1.3.6.1.5.2.3.1), - * and the eContent field contains the DER encoding of the type AuthPack. - * - * @param privateKey - * @param certificate - * @param authPack - * @return The CMS SignedData bytes. - * @throws OperatorCreationException - * @throws CertificateEncodingException - * @throws CMSException - * @throws IOException - */ - public static byte[] getSignedAuthPack(PrivateKey privateKey, X509Certificate certificate, - AuthPack authPack) - throws OperatorCreationException, CertificateEncodingException, CMSException, IOException { - return getSignedData(privateKey, certificate, authPack.encode(), ID_PKINIT_AUTHDATA); - } - - - /** - * Uses a private key to sign data in a CMS SignedData structure and returns - * the encoded CMS SignedData as bytes. - * <p/> - * 'dhSignedData' contains a CMS type ContentInfo encoded according to [RFC3852]. 
- * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2), - * and the content field is a SignedData. - * <p/> - * The eContentType field for the type SignedData is id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), - * and the eContent field contains the DER encoding of the type KDCDHKeyInfo. - * - * @param privateKey - * @param certificate - * @param kdcDhKeyInfo - * @return The CMS SignedData bytes. - * @throws OperatorCreationException - * @throws CertificateEncodingException - * @throws CMSException - * @throws IOException - */ - public static byte[] getSignedKdcDhKeyInfo(PrivateKey privateKey, X509Certificate certificate, - KdcDHKeyInfo kdcDhKeyInfo) - throws OperatorCreationException, CertificateEncodingException, CMSException, IOException { - return getSignedData(privateKey, certificate, kdcDhKeyInfo.encode(), ID_PKINIT_DHKEYDATA); - } - - - /** - * Uses a private key to sign data in a CMS SignedData structure and returns - * the encoded CMS SignedData as bytes. - * <p/> - * Selected when public key encryption is used. - * <p/> - * The eContentType field for the inner type SignedData (when unencrypted) is - * id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the eContent field contains the - * DER encoding of the type ReplyKeyPack. - * - * @param privateKey - * @param certificate - * @param replyKeyPack - * @return The CMS SignedData bytes. 
- * @throws OperatorCreationException - * @throws CertificateEncodingException - * @throws CMSException - * @throws IOException - */ - public static byte[] getSignedReplyKeyPack(PrivateKey privateKey, X509Certificate certificate, - ReplyKeyPack replyKeyPack) - throws OperatorCreationException, CertificateEncodingException, CMSException, IOException { - return getSignedData(privateKey, certificate, replyKeyPack.encode(), ID_PKINIT_RKEYDATA); - } - - - static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[] dataToSign, - String eContentType) throws IOException, OperatorCreationException, - CertificateEncodingException, CMSException { - - if (Security.getProvider("BC") == null) { - Security.addProvider(new BouncyCastleProvider()); - } - - - List certList = new ArrayList(); - certList.add(certificate); - Store certs = new JcaCertStore(certList); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSignerInfoGenerator( - new JcaSimpleSignerInfoGeneratorBuilder() - .setProvider("BC") - .build("SHA1withRSA", privateKey, certificate)); - - gen.addCertificates(certs); - - ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType); - CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign); - CMSSignedData s = gen.generate(msg, true); - - return s.getEncoded(); - } - - /** - * Validates a CMS SignedData using the public key corresponding to the private - * key used to sign the structure. - * - * @param s - * @return true if the signature is valid. 
- * @throws Exception - */ - public static boolean validateSignedData(CMSSignedData s) throws Exception { - - Store certStore = s.getCertificates(); - Store crlStore = s.getCRLs(); - SignerInformationStore signers = s.getSignerInfos(); - - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) { - SignerInformation signer = (SignerInformation) it.next(); - Collection certCollection = certStore.getMatches(signer.getSID()); - - Iterator certIt = certCollection.iterator(); - X509CertificateHolder cert = (X509CertificateHolder) certIt.next(); - - if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) { - return false; - } - } - - Collection certColl = certStore.getMatches(null); - Collection crlColl = crlStore.getMatches(null); - - if (certColl.size() != s.getCertificates().getMatches(null).size() - || crlColl.size() != s.getCRLs().getMatches(null).size()) { - return false; - } - return true; - } -}
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java index f6e0e41..3e7c114 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
@@ -32,7 +32,7 @@
 import org.apache.kerby.kerberos.kerb.client.PkinitOption;
 import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.apache.kerby.kerberos.kerb.crypto.dh.DhClient;
-import org.apache.kerby.kerberos.kerb.preauth.pkinit.CMSMessageType;
+import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
 import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -44,8 +44,8 @@
 import org.apache.kerby.kerberos.kerb.type.pa.PaData;
 import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
 import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
 import org.apache.kerby.x509.type.Certificate;
 import org.slf4j.Logger;
@@ -110,7 +110,7 @@
 LOG.info("processing PK_AS_REP");
 PaPkAsRep paPkAsRep = KrbCodec.decode(paEntry.getPaDataValue(), PaPkAsRep.class);
-DHRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
+DhRepInfo dhRepInfo = paPkAsRep.getDHRepInfo();
 byte[] dhSignedData = dhRepInfo.getDHSignedData();
@@ -123,8 +123,8 @@
 SignedData signedData = contentInfo.getContentAs(SignedData.class);
-PkinitCrypto.verifyCMSSignedData(
-CMSMessageType.CMS_SIGN_SERVER, signedData);
+PkinitCrypto.verifyCmsSignedData(
+CmsMessageType.CMS_SIGN_SERVER, signedData);
 String anchorFileName = getContext().getConfig().getPkinitAnchors().get(0);
@@ -163,16 +163,16 @@
 LOG.info("skipping EKU check");
 LOG.info("as_rep: DH key transport algorithm");
-KdcDHKeyInfo kdcDHKeyInfo = new KdcDHKeyInfo();
+KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
 try {
-kdcDHKeyInfo.decode(signedData.getEncapContentInfo().getContent());
+kdcDhKeyInfo.decode(signedData.getEncapContentInfo().getContent());
 } catch (IOException e) {
-String errMessage = "failed to decode KdcDHKeyInfo " + e.getMessage();
+String errMessage = "failed to decode KdcDhKeyInfo " + e.getMessage();
 LOG.error(errMessage);
 throw new KrbException(errMessage);
 }
-byte[] subjectPublicKey = kdcDHKeyInfo.getSubjectPublicKey().getValue();
+byte[] subjectPublicKey = kdcDhKeyInfo.getSubjectPublicKey().getValue();
 Asn1Integer clientPubKey = KrbCodec.decode(subjectPublicKey, Asn1Integer.class);
 BigInteger y = clientPubKey.getValue();
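Review bot: The catch block that this hunk touches still discards the IOException: it folds `e.getMessage()` into the text and then does `throw new KrbException(errMessage);`, so the stack trace of the decode failure is lost for whoever debugs a malformed KDC reply. Since KrbException has a (String, Throwable) constructor (used by the new PkinitUtil in this commit), the rethrow should be `throw new KrbException(errMessage, e);`. The enclosing method starts before this hunk and continues after it.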
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java index 08ca20b..32e0db2 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -23,7 +23,7 @@
 import org.apache.kerby.KOptions;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
-import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
 import org.apache.kerby.kerberos.kerb.client.KrbOptionGroup;
 import org.apache.kerby.kerberos.kerb.client.preauth.KrbFastRequestState;
 import org.apache.kerby.kerberos.kerb.client.preauth.PreauthContext;
@@ -412,9 +412,9 @@
 for (KOption kOpt: requestOptions.getOptions()) {
 if (kOpt.getOptionInfo().getGroup() == KrbOptionGroup.KDC_FLAGS) {
-KrbOption krbOption = (KrbOption) kOpt;
-KdcOption kdcOption = KdcOption.valueOf(krbOption.name());
-boolean flagValue = requestOptions.getBooleanOption(kOpt, false);
+KrbKdcOption krbKdcOption = (KrbKdcOption) kOpt;
+KdcOption kdcOption = KdcOption.valueOf(krbKdcOption.name());
+boolean flagValue = requestOptions.getBooleanOption(kOpt, true);
 kdcOptions.setFlag(kdcOption, flagValue);
 }
 }
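Review bot: `requestOptions.getBooleanOption(kOpt, true)` in the second hunk flips the fallback for every KDC_FLAGS option from off to on, so a flag option that is merely present in the request options (added without a value) now sets its KDC flag; that is presumably the intent for switch-style options such as `-f`/`-p`, but the line deserves a comment saying so, e.g. `// a KDC flag option present without an explicit value means "set the flag"`. The `(KrbKdcOption) kOpt` cast and `KdcOption.valueOf(krbKdcOption.name())` still fail at runtime (ClassCastException, IllegalArgumentException) if a KDC_FLAGS option is not a KrbKdcOption or its constant name has no KdcOption counterpart; a guarded lookup with a KrbException naming the offending option would fail more clearly. The enclosing method starts before this hunk.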
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CMSMessageType.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CmsMessageType.java similarity index 93% rename from kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CMSMessageType.java rename to kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CmsMessageType.java index 683b52f..7aa2b9f 100644 --- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CMSMessageType.java +++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CmsMessageType.java
@@ -19,7 +19,7 @@
 */
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
-public enum CMSMessageType {
+public enum CmsMessageType {
 UNKNOWN (-1),
 CMS_SIGN_CLIENT (0x01),
 CMS_SIGN_SERVER (0x03),
@@ -32,7 +32,7 @@
 /**
 * Create an instance of this class
 */
-private CMSMessageType(int value) {
+private CmsMessageType(int value) {
 this.value = value;
 }
@@ -48,7 +48,7 @@
 * @param value The integer value
 * @return The associated UniversalTag
 */
-public static CMSMessageType fromValue(int value) {
+public static CmsMessageType fromValue(int value) {
 switch (value) {
 case 0x01 : return CMS_SIGN_CLIENT;
 case 0x03 : return CMS_SIGN_SERVER;
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java index e9cca99..262f84c 100644 --- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java +++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -30,8 +30,9 @@
 import org.apache.kerby.kerberos.kerb.KrbErrorCode;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.util.HexUtil;
 import org.apache.kerby.x509.type.Certificate;
-import org.apache.kerby.x509.type.DHParameter;
+import org.apache.kerby.x509.type.DhParameter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -63,15 +64,15 @@
 * @param cmsMsgType The CMS message type
 * @param signedData The signed data
 */
-public static void verifyCMSSignedData(CMSMessageType cmsMsgType, SignedData signedData)
+public static void verifyCmsSignedData(CmsMessageType cmsMsgType, SignedData signedData)
 throws KrbException {
-Asn1ObjectIdentifier oid = pkinitType2OID(cmsMsgType);
+String oid = pkinitType2OID(cmsMsgType);
 if (oid == null) {
 throw new KrbException("Can't get the right oid ");
 }
-Asn1ObjectIdentifier etype = signedData.getEncapContentInfo().getContentType();
-if (oid.getValue().equals(etype.getValue())) {
+String etype = signedData.getEncapContentInfo().getContentType();
+if (oid.equals(etype)) {
 LOG.info("CMS Verification successful");
 } else {
 LOG.error("Wrong oid in eContentType");
@@ -80,25 +81,11 @@
 }
 /**
-* Check whether signed of data, true if the SignerInfos are not null
-* @param signedData The signed data
-* @return boolean
-*/
-public static boolean isSigned(SignedData signedData) {
-/* Not actually signed; anonymous case */
-if (signedData.getSignerInfos().getElements().size() == 0) {
-return false;
-} else {
-return true;
-}
-}
-
-/**
 * Change the CMS message type to oid
 * @param cmsMsgType The CMS message type
 * @return oid
 */
-public static Asn1ObjectIdentifier pkinitType2OID(CMSMessageType cmsMsgType) {
+public static String pkinitType2OID(CmsMessageType cmsMsgType) {
 switch (cmsMsgType) {
 case UNKNOWN:
 return null;
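Review bot: `verifyCmsSignedData` in the second hunk still does nothing beyond comparing the eContentType OID string, yet it logs `"CMS Verification successful"`; no SignerInfo signature, digest or certificate check happens in this method, so both the name and the log line overstate what was verified. If the signature is checked elsewhere (the commit moves signing into PkiUtil, which is outside this diff), the Javadoc above the signature should say so, e.g. `* Checks only that the eContentType OID matches the expected PKINIT message type; the CMS signature itself is not verified here.`, and the log line should be worded to match; if it is not, AsRequestWithCert in this commit is accepting the KDC's DH reply on the strength of an OID comparison. The third hunk also deletes `isSigned`, which was the only visible way to distinguish an unsigned (anonymous) SignedData from a signed one — worth confirming a replacement exists before callers lose that distinction.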
@@ -117,10 +104,10 @@
 * KDC check the key parameter
 * @param pluginOpts The PluginOpts
 * @param cryptoctx The PkinitPlgCryptoContext
-* @param dhParameter The DHParameter
+* @param dhParameter The DhParameter
 */
 public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx,
-DHParameter dhParameter) throws KrbException {
+DhParameter dhParameter) throws KrbException {
 /* KDC SHOULD check to see if the key parameters satisfy its policy */
 int dhPrimeBits = dhParameter.getP().bitLength();
 if (dhPrimeBits < pluginOpts.dhMinBits) {
@@ -135,12 +122,12 @@
 /**
 * Check DH wellknown
 * @param cryptoctx The PkinitPlgCryptoContext
-* @param dhParameter The DHParameter
+* @param dhParameter The DhParameter
 * @param dhPrimeBits The dh prime bits
 * @return boolean
 */
 public static boolean checkDHWellknown(PkinitPlgCryptoContext cryptoctx,
-DHParameter dhParameter, int dhPrimeBits) throws KrbException {
+DhParameter dhParameter, int dhPrimeBits) throws KrbException {
 boolean valid = false;
 switch (dhPrimeBits) {
 case 1024:
@@ -161,9 +148,9 @@
 * Check parameters against a well-known DH group
 *
 * @param dh1 The DHParameterSpec
-* @param dh2 The DHParameter
+* @param dh2 The DhParameter
 */
-public static boolean pkinitCheckDhParams(DHParameterSpec dh1, DHParameter dh2) {
+public static boolean pkinitCheckDhParams(DHParameterSpec dh1, DhParameter dh2) {
 if (!dh1.getP().equals(dh2.getP())) {
 LOG.error("p is not well-known group dhparameter");
@@ -221,12 +208,12 @@
 * @param signerInfos The signerInfos
 * @return The encoded ContentInfo
 */
-public static byte[] cmsSignedDataCreate(byte[] data, Asn1ObjectIdentifier oid, int version,
+public static byte[] cmsSignedDataCreate(byte[] data, String oid, int version,
 DigestAlgorithmIdentifiers digestAlgorithmIdentifiers, CertificateSet certificateSet,
 RevocationInfoChoices crls, SignerInfos signerInfos) throws KrbException {
 SignedContentInfo contentInfo = new SignedContentInfo();
-contentInfo.setContentType(new Asn1ObjectIdentifier("1.2.840.113549.1.7.2"));
+contentInfo.setContentType("1.2.840.113549.1.7.2");
 SignedData signedData = new SignedData();
 signedData.setVersion(version);
 if (digestAlgorithmIdentifiers != null) {
@@ -327,17 +314,19 @@
 InvalidAlgorithmParameterException, CertPathValidatorException {
 //TODO
-// CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-// CertPath certPath = certificateFactory.generateCertPath(certificateList);
-//
-// CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
-//
-// TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
-//
-// PKIXParameters parameters = new PKIXParameters(Collections.singleton(trustAnchor));
-// parameters.setRevocationEnabled(false);
-//
-// cpv.validate(certPath, parameters);
+/*
+CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+CertPath certPath = certificateFactory.generatertPath(certificateList);
+
+CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
+
+TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
+
+PKIXParameters parameters = new PKIXParameters(Collections.singleton(trustAnchor));
+parameters.setRevocationEnabled(false);
+
+cpv.validate(certPath, parameters);
+*/
 }
 /**
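Review bot: The second hunk leaves the certificate-path validation method a silent no-op — nothing after `//TODO` executes, so the declared `CertPathValidatorException` can never be thrown and a caller that relies on it gets no chain validation against the trust anchor; the method's signature is above this hunk. Converting the `//` lines into a `/* */` block also introduced a typo, `generatertPath` for `generateCertPath`, which will surface only when someone un-comments the block. Until the body is implemented, `throw new UnsupportedOperationException("PKIX path validation not implemented");` would make the gap visible at the call site instead of letting it pass; and when it is implemented, the commented `parameters.setRevocationEnabled(false)` should be a deliberate, documented choice rather than inherited from the sketch. In the first hunk, `"1.2.840.113549.1.7.2"` (id-signedData) would read better as a named constant next to the PKINIT OIDs this commit already keeps as strings.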
@@ -346,14 +335,10 @@
 * @param content The hex content
 * @return The oid
 */
-public static Asn1ObjectIdentifier createOid(String content) {
+public static Asn1ObjectIdentifier createOid(String content) throws KrbException {
 Asn1ObjectIdentifier oid = new Asn1ObjectIdentifier();
 oid.useDER();
-try {
-oid.decode(Util.hex2bytes(content));
-} catch (IOException e) {
-e.printStackTrace();
-}
+KrbCodec.decode(HexUtil.hex2bytesFriendly(content), oid);
 return oid;
 }
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java index 23206db..6732b7d 100644 --- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java +++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitPlgCryptoContext.java
@@ -18,7 +18,6 @@
 */
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import javax.crypto.spec.DHParameterSpec;
@@ -134,15 +133,15 @@
 }
-public static Asn1ObjectIdentifier getIdPkinitAuthDataOID() {
-return new Asn1ObjectIdentifier(ID_PKINIT_AUTHDATA);
+public static String getIdPkinitAuthDataOID() {
+return ID_PKINIT_AUTHDATA;
 }
-public static Asn1ObjectIdentifier getIdPkinitDHKeyDataOID() {
-return new Asn1ObjectIdentifier(ID_PKINIT_DHKEYDATA);
+public static String getIdPkinitDHKeyDataOID() {
+return ID_PKINIT_DHKEYDATA;
 }
-public static Asn1ObjectIdentifier getIdPkinitRkeyDataOID() {
-return new Asn1ObjectIdentifier(ID_PKINIT_RKEYDATA);
+public static String getIdPkinitRkeyDataOID() {
+return ID_PKINIT_RKEYDATA;
 }
 }
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitUtil.java new file mode 100644 index 0000000..a45f380 --- /dev/null +++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitUtil.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.preauth.pkinit;
+
+import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.ReplyKeyPack;
+import org.apache.kerby.pkix.PkiException;
+import org.apache.kerby.pkix.PkiUtil;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+
+/**
+ * Encapsulates working with PKINIT signed data structures.
+ */
+public class PkinitUtil {
+ private static final String ID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1";
+ //private static final String ID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2";
+ //private static final String ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3";
+
+ /**
+ * Uses a private key to sign data in a CMS SignedData structure and returns
+ * the encoded CMS SignedData as bytes.
+ * <p/>
+ * 'signedAuthPack' contains a CMS type ContentInfo encoded according to [RFC3852].
+ * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2),
+ * and the content field is a SignedData.
+ * <p/>
+ * The eContentType field for the type SignedData is id-pkinit-authData (1.3.6.1.5.2.3.1),
+ * and the eContent field contains the DER encoding of the type AuthPack.
+ */
+ public static byte[] getSignedAuthPack(PrivateKey privateKey, X509Certificate certificate,
+ AuthPack authPack) throws KrbException {
+ byte[] dataToSign = KrbCodec.encode(authPack);
+ byte[] signedData;
+ try {
+ signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_AUTHDATA);
+ } catch (PkiException e) {
+ throw new KrbException("Failed to sign data", e);
+ }
+
+ return signedData;
+ }
+
+
+ /**
+ * Uses a private key to sign data in a CMS SignedData structure and returns
+ * the encoded CMS SignedData as bytes.
+ * <p/>
+ * 'dhSignedData' contains a CMS type ContentInfo encoded according to [RFC3852].
+ * The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2),
+ * and the content field is a SignedData.
+ * <p/>
+ * The eContentType field for the type SignedData is id-pkinit-DHKeyData (1.3.6.1.5.2.3.2),
+ * and the eContent field contains the DER encoding of the type KDCDHKeyInfo.
+ */
+ public static byte[] getSignedKdcDhKeyInfo(PrivateKey privateKey, X509Certificate certificate,
+ KdcDhKeyInfo kdcDhKeyInfo) throws KrbException {
+ byte[] dataToSign = KrbCodec.encode(kdcDhKeyInfo);
+ byte[] signedData;
+ try {
+ signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_AUTHDATA);
+ } catch (PkiException e) {
+ throw new KrbException("Failed to sign data", e);
+ }
+
+ return signedData;
+ }
+
+
+ /**
+ * Uses a private key to sign data in a CMS SignedData structure and returns
+ * the encoded CMS SignedData as bytes.
+ * <p/>
+ * Selected when public key encryption is used.
+ * <p/>
+ * The eContentType field for the inner type SignedData (when unencrypted) is
+ * id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the eContent field contains the
+ * DER encoding of the type ReplyKeyPack.
+ */
+ public static byte[] getSignedReplyKeyPack(PrivateKey privateKey, X509Certificate certificate,
+ ReplyKeyPack replyKeyPack) throws KrbException {
+ byte[] dataToSign = KrbCodec.encode(replyKeyPack);
+ byte[] signedData;
+ try {
+ signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_AUTHDATA);
+ } catch (PkiException e) {
+ throw new KrbException("Failed to sign data", e);
+ }
+
+ return signedData;
+ }
+}
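Review bot: `getSignedKdcDhKeyInfo` and `getSignedReplyKeyPack` both pass `ID_PKINIT_AUTHDATA` to `PkiUtil.getSignedData`, while their own Javadoc (and the SignedDataEngine this file replaces) require the eContentType to be id-pkinit-DHKeyData (1.3.6.1.5.2.3.2) and id-pkinit-rkeyData (1.3.6.1.5.2.3.3); the constants for those two OIDs are commented out at the top of the class. Since the peer-side `verifyCmsSignedData` in this same commit accepts or rejects a SignedData on exactly that OID, a KDC using these helpers would produce DH replies the client rejects, and a signed KdcDhKeyInfo or ReplyKeyPack would be indistinguishable by content type from a signed AuthPack. Restore the two constants and pass them; the three bodies are otherwise identical and could share one private helper taking the eContentType, and a utility class like this one should be `final` with a private constructor.
```java
private static final String ID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1";
private static final String ID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2";
private static final String ID_PKINIT_RKEYDATA = "1.3.6.1.5.2.3.3";
// … unchanged: getSignedAuthPack …
// in getSignedKdcDhKeyInfo:
signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_DHKEYDATA);
// … unchanged: rest of getSignedKdcDhKeyInfo, start of getSignedReplyKeyPack …
// in getSignedReplyKeyPack:
signedData = PkiUtil.getSignedData(privateKey, certificate, dataToSign, ID_PKINIT_RKEYDATA);
```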
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java index dcb55bd..96bb23f 100644 --- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java +++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PluginOpts.java
@@ -20,6 +20,7 @@
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
 import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AlgorithmIdentifiers;
 import org.apache.kerby.kerberos.kerb.type.pa.pkinit.TrustedCertifiers;
 import org.apache.kerby.x509.type.AlgorithmIdentifier;
@@ -42,14 +43,14 @@
 // The acceptable values are 1024, 2048, and 4096. The default is 1024.
 public int dhMinBits = 1024;
-public AlgorithmIdentifiers createSupportedCMSTypes() {
+public AlgorithmIdentifiers createSupportedCMSTypes() throws KrbException {
 AlgorithmIdentifiers cmsAlgorithms = new AlgorithmIdentifiers();
 AlgorithmIdentifier des3Alg = new AlgorithmIdentifier();
 /* krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };*/
 String content = "0x06 08 2A 86 48 86 F7 0D 03 07";
 Asn1ObjectIdentifier des3Oid = PkinitCrypto.createOid(content);
-des3Alg.setAlgorithm(des3Oid);
+des3Alg.setAlgorithm(des3Oid.getValue());
 cmsAlgorithms.add(des3Alg);
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/Util.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/Util.java deleted file mode 100644 index 74626cb..0000000 --- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/Util.java +++ /dev/null
@@ -1,141 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.kerby.kerberos.kerb.preauth.pkinit; - -public class Util { - - static final String HEX_CHARS_STR = "0123456789ABCDEF"; - static final char[] HEX_CHARS = HEX_CHARS_STR.toCharArray(); - - /** - * Convert bytes into format as: - * 0x02 02 00 80 - */ - public static String bytesToHex(byte[] bytes) { - int len = bytes.length * 2; - len += bytes.length; // for ' ' appended for each char - len += 2; // for '0x' prefix - char[] hexChars = new char[len]; - hexChars[0] = '0'; - hexChars[1] = 'x'; - for (int j = 0; j < bytes.length; j++) { - int v = bytes[j] & 0xFF; - hexChars[j * 3 + 2] = HEX_CHARS[v >>> 4]; - hexChars[j * 3 + 3] = HEX_CHARS[v & 0x0F]; - hexChars[j * 3 + 4] = ' '; - } - - return new String(hexChars); - } - - /** - * Convert hex string like follows into byte array - * 0x02 02 00 80 - */ - public static byte[] hex2bytes(String hexString) { - if (hexString == null) { - throw new IllegalArgumentException("Invalid hex string to convert : null"); - } - char[] hexStr = hexString.toCharArray(); - - if (hexStr.length < 4) { - throw new IllegalArgumentException("Invalid hex string to convert : length below 4"); - } - if 
(hexStr[0] != '0' || (hexStr[1] != 'x') && (hexStr[1] != 'X')) { - throw new IllegalArgumentException("Invalid hex string to convert : not starting with '0x'"); - } - byte[] bytes = new byte[(hexStr.length - 1) / 3]; - int pos = 0; - boolean high = false; - boolean prefix = true; - for (char c : hexStr) { - if (prefix) { - if (c == 'x' || c == 'X') { - prefix = false; - } - continue; - } - switch (c) { - case ' ' : - if (high) { - // We have had only the high part - throw new IllegalArgumentException("Invalid hex string to convert"); - } - // A hex pair has been decoded - pos++; - high = false; - break; - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - if (high) { - bytes[pos] += (byte) (c - '0'); - } else { - bytes[pos] = (byte) ((c - '0') << 4); - } - high = !high; - break; - case 'a' : - case 'b' : - case 'c' : - case 'd' : - case 'e' : - case 'f' : - if (high) { - bytes[pos] += (byte) (c - 'a' + 10); - } else { - bytes[pos] = (byte) ((c - 'a' + 10) << 4); - } - - high = !high; - break; - - case 'A' : - case 'B' : - case 'C' : - case 'D' : - case 'E' : - case 'F' : - if (high) { - bytes[pos] += (byte) (c - 'A' + 10); - } else { - bytes[pos] = (byte) ((c - 'A' + 10) << 4); - } - - high = !high; - break; - default : - throw new IllegalArgumentException("Invalid hex string to convert"); - } - } - if (high) { - throw new IllegalArgumentException("Invalid hex string to convert"); - } - - return bytes; - } -}
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java
index 1c2f4dc..98a272c 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbCodec.java
@@ -49,7 +49,19 @@
 try {
 krbObj.encode(buffer);
 } catch (IOException e) {
- throw new KrbException("encode failed", e);
+ throw new KrbException("Encoding failed", e);
+ }
+ }
+
+ public static void decode(byte[] content, Asn1Type value) throws KrbException {
+ decode(ByteBuffer.wrap(content), value);
+ }
+
+ public static void decode(ByteBuffer content, Asn1Type value) throws KrbException {
+ try {
+ value.decode(content);
+ } catch (IOException e) {
+ throw new KrbException("Decoding failed", e);
 }
 }
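Review bot: The two new `decode` overloads have no Javadoc, while the matching shortcut methods in `Asn1` get documented in this same commit; suggested for the `byte[]` overload: `/** Decode content into the given value container; prefer this when the expected type is known. @param content encoded bytes @param value container to decode into @throws KrbException if decoding fails */`, with a "see above" on the `ByteBuffer` one. Only `IOException` is translated into `KrbException`; if the ASN.1 parser signals malformed input through runtime exceptions, those still escape unwrapped, which matters for callers feeding it bytes received from the network — worth stating in the Javadoc or, once confirmed, catching the specific type. The `encode` whose tail opens the hunk starts outside it.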
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java
index 7a97d1b..d9b4315 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbConstant.java
@@ -23,4 +23,5 @@
 public static final int KRB_V5 = 5;
 public static final String TGS_PRINCIPAL = "krbtgt";
+ public static final String ANONYMOUS_PRINCIPAL = "WELLKNOWN/ANONYMOUS";
 }
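Review bot: `ANONYMOUS_PRINCIPAL` is added without a comment saying what it is or which name type it belongs with, and its only use in this commit (TestPkinitAnonymousAsReqCodec) pairs it with `NameType.NT_WELLKNOWN`; suggested: `/** Well-known anonymous principal name (RFC 6112); used with NameType.NT_WELLKNOWN. */`. The sibling `TGS_PRINCIPAL` is equally bare, so a one-liner on each would help a reader of this class.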
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java
index bfe2513..ee3fa8d 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbException.java
@@ -21,7 +21,6 @@
 public class KrbException extends Exception {
 private static final long serialVersionUID = 7305497872367599428L;
- private KrbErrorCode errorCode;
 public KrbException(String message) {
 super(message);
@@ -33,20 +32,13 @@
 public KrbException(KrbErrorCode errorCode) {
 super(errorCode.getMessage());
- this.errorCode = errorCode;
 }
 public KrbException(KrbErrorCode errorCode, Throwable cause) {
 super(errorCode.getMessage(), cause);
- this.errorCode = errorCode;
 }
 public KrbException(KrbErrorCode errorCode, String message) {
 super(message + " with error code: " + errorCode.name());
- this.errorCode = errorCode;
- }
-
- public KrbErrorCode getErrorCode() {
- return errorCode;
 }
 }
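Review bot: Removing `errorCode` and `getErrorCode()` leaves the error code recoverable only from the message text (`" with error code: " + errorCode.name()` in the third constructor, and not at all in the other two), so any handler that must map a `KrbException` onto a KRB-ERROR response, or decide whether a failure was client-caused, now has to parse strings. Unless every caller of `getErrorCode()` was already gone, keep `private final KrbErrorCode errorCode;`, assign it in the three `KrbErrorCode` constructors and `null` in the message-only ones, and keep the getter; `final` also removes the mutable field the old code had. If dropping it is deliberate, the commit message should say what replaces it.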
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java
index 603b776..f2ef67a 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddress.java
@@ -52,8 +52,8 @@
 }
 static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
- new ExplicitField(HostAddressField.ADDR_TYPE, 0, Asn1Integer.class),
- new ExplicitField(HostAddressField.ADDRESS, 1, Asn1OctetString.class)
+ new ExplicitField(HostAddressField.ADDR_TYPE, Asn1Integer.class),
+ new ExplicitField(HostAddressField.ADDRESS, Asn1OctetString.class)
 };
 public HostAddress() {
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java
index 0b75714..dea3f5e 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/AuthPack.java
@@ -31,6 +31,11 @@ clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL, clientDHNonce [3] DHNonce OPTIONAL + supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL, + -- Contains an unordered set of KDFs supported by the client. + KDFAlgorithmId ::= SEQUENCE { + kdf-id [0] OBJECT IDENTIFIER, + -- The object identifier of the KDF } */ public class AuthPack extends KrbSequenceType { @@ -56,8 +61,8 @@ new ExplicitField(AuthPackField.PK_AUTHENTICATOR, PkAuthenticator.class), new ExplicitField(AuthPackField.CLIENT_PUBLIC_VALUE, SubjectPublicKeyInfo.class), new ExplicitField(AuthPackField.SUPPORTED_CMS_TYPES, AlgorithmIdentifiers.class), - new ExplicitField(AuthPackField.CLIENT_DH_NONCE, DHNonce.class), - new ExplicitField(AuthPackField.SUPPORTED_KDFS, SupportedKDFs.class) + new ExplicitField(AuthPackField.CLIENT_DH_NONCE, DhNonce.class), + new ExplicitField(AuthPackField.SUPPORTED_KDFS, SupportedKdfs.class) }; public AuthPack() { @@ -88,19 +93,19 @@ setFieldAs(AuthPackField.SUPPORTED_CMS_TYPES, supportedCMSTypes); } - public DHNonce getClientDhNonce() { - return getFieldAs(AuthPackField.CLIENT_DH_NONCE, DHNonce.class); + public DhNonce getClientDhNonce() { + return getFieldAs(AuthPackField.CLIENT_DH_NONCE, DhNonce.class); } - public void setClientDhNonce(DHNonce dhNonce) { + public void setClientDhNonce(DhNonce dhNonce) { setFieldAs(AuthPackField.CLIENT_DH_NONCE, dhNonce); } - public SupportedKDFs getsupportedKDFs() { - return getFieldAs(AuthPackField.SUPPORTED_KDFS, SupportedKDFs.class); + public SupportedKdfs getsupportedKDFs() { + return getFieldAs(AuthPackField.SUPPORTED_KDFS, SupportedKdfs.class); } - public void setsupportedKDFs(SupportedKDFs supportedKDFs) { - setFieldAs(AuthPackField.SUPPORTED_KDFS, supportedKDFs); + public void setsupportedKDFs(SupportedKdfs supportedKdfs) { + setFieldAs(AuthPackField.SUPPORTED_KDFS, supportedKdfs); } }
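Review bot: The ASN.1 block comment is now malformed: `clientDHNonce [3] DHNonce OPTIONAL` lacks the trailing comma before the inserted `supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,`, and `KDFAlgorithmId ::= SEQUENCE {` is opened inside AuthPack's own braces and never closed, so the comment no longer reads as the spec excerpt it is meant to be. Add the comma, close AuthPack with `}` before the `KDFAlgorithmId` definition and close that one too — or, since the same definition now lives in KdfAlgorithmId.java, replace it with `-- KDFAlgorithmId: see KdfAlgorithmId`. The accessors keep the odd `getsupportedKDFs`/`setsupportedKDFs` spelling next to `getClientDhNonce`; the parameter was renamed to `supportedKdfs` anyway, so this was the moment to rename the methods as well, deprecating the old names if anything outside the module calls them.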
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhNonce.java
similarity index 95%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhNonce.java
index e6653b8..9fc86c1 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhNonce.java
@@ -24,5 +24,5 @@
 /**
 * DHNonce ::= OCTET STRING
 */
-public class DHNonce extends Asn1OctetString {
+public class DhNonce extends Asn1OctetString {
 }
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHRepInfo.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhRepInfo.java
similarity index 64%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHRepInfo.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhRepInfo.java
index 853fe65..05855a6 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHRepInfo.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DhRepInfo.java
@@ -23,18 +23,19 @@ import org.apache.kerby.asn1.EnumType; import org.apache.kerby.asn1.ExplicitField; import org.apache.kerby.asn1.ImplicitField; -import org.apache.kerby.asn1.type.Asn1ObjectIdentifier; import org.apache.kerby.asn1.type.Asn1OctetString; import org.apache.kerby.kerberos.kerb.type.KrbSequenceType; /** - DHRepInfo ::= SEQUENCE { + DhRepInfo ::= SEQUENCE { dhSignedData [0] IMPLICIT OCTET STRING, serverDHNonce [1] DHNonce OPTIONAL + kdf [2] KDFAlgorithmId OPTIONAL, + -- The KDF picked by the KDC. } */ -public class DHRepInfo extends KrbSequenceType { - protected enum DHRepInfoField implements EnumType { +public class DhRepInfo extends KrbSequenceType { + protected enum DhRepInfoField implements EnumType { DH_SIGNED_DATA, SERVER_DH_NONCE, KDF_ID; 
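Review bot: The spec comment was changed to `DhRepInfo ::= SEQUENCE {`, but that is the Java class name rather than the ASN.1 type, which RFC 4556 defines as `DHRepInfo`; the same substitution was made to `dhInfo [0] DhRepInfo` in PaPkAsRep.java. Keep the RFC spelling in the comments so they can be matched against the spec, e.g. `DHRepInfo ::= SEQUENCE {`. Also `serverDHNonce [1] DHNonce OPTIONAL` now needs a trailing comma before the new `kdf [2] KDFAlgorithmId OPTIONAL,` line, and that last element should drop its own comma. The class body continues in the next hunk.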
@@ -51,36 +52,36 @@ } static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] { - new ImplicitField(DHRepInfoField.DH_SIGNED_DATA, Asn1OctetString.class), - new ExplicitField(DHRepInfoField.SERVER_DH_NONCE, DHNonce.class), - new ExplicitField(DHRepInfoField.KDF_ID, Asn1ObjectIdentifier.class) + new ImplicitField(DhRepInfoField.DH_SIGNED_DATA, Asn1OctetString.class), + new ExplicitField(DhRepInfoField.SERVER_DH_NONCE, DhNonce.class), + new ExplicitField(DhRepInfoField.KDF_ID, KdfAlgorithmId.class) }; - public DHRepInfo() { + public DhRepInfo() { super(fieldInfos); } public byte[] getDHSignedData() { - return getFieldAsOctets(DHRepInfoField.DH_SIGNED_DATA); + return getFieldAsOctets(DhRepInfoField.DH_SIGNED_DATA); } public void setDHSignedData(byte[] dhSignedData) { - setFieldAsOctets(DHRepInfoField.DH_SIGNED_DATA, dhSignedData); + setFieldAsOctets(DhRepInfoField.DH_SIGNED_DATA, dhSignedData); } - public DHNonce getServerDhNonce() { - return getFieldAs(DHRepInfoField.SERVER_DH_NONCE, DHNonce.class); + public DhNonce getServerDhNonce() { + return getFieldAs(DhRepInfoField.SERVER_DH_NONCE, DhNonce.class); } - public void setServerDhNonce(DHNonce dhNonce) { - setFieldAs(DHRepInfoField.SERVER_DH_NONCE, dhNonce); + public void setServerDhNonce(DhNonce dhNonce) { + setFieldAs(DhRepInfoField.SERVER_DH_NONCE, dhNonce); } - public Asn1ObjectIdentifier getKdfId() { - return getFieldAs(DHRepInfoField.KDF_ID, Asn1ObjectIdentifier.class); + public KdfAlgorithmId getKdfId() { + return getFieldAs(DhRepInfoField.KDF_ID, KdfAlgorithmId.class); } - public void setKdfId(Asn1ObjectIdentifier kdfId) { - setFieldAs(DHRepInfoField.KDF_ID, kdfId); + public void setKdfId(KdfAlgorithmId kdfId) { + setFieldAs(DhRepInfoField.KDF_ID, kdfId); } }
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDHKeyInfo.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDhKeyInfo.java
similarity index 76%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDHKeyInfo.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDhKeyInfo.java
index 4f66a15..4ecbbcc 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDHKeyInfo.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdcDhKeyInfo.java
@@ -34,8 +34,8 @@ dhKeyExpiration [2] KerberosTime OPTIONAL, } */ -public class KdcDHKeyInfo extends KrbSequenceType { - protected static enum KdcDHKeyInfoField implements EnumType { +public class KdcDhKeyInfo extends KrbSequenceType { + protected enum KdcDhKeyInfoField implements EnumType { SUBJECT_PUBLIC_KEY, NONCE, DH_KEY_EXPIRATION; @@ -52,36 +52,36 @@ } static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] { - new ExplicitField(KdcDHKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class), - new ExplicitField(KdcDHKeyInfoField.NONCE, Asn1Integer.class), - new ExplicitField(KdcDHKeyInfoField.DH_KEY_EXPIRATION, KerberosTime.class) + new ExplicitField(KdcDhKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class), + new ExplicitField(KdcDhKeyInfoField.NONCE, Asn1Integer.class), + new ExplicitField(KdcDhKeyInfoField.DH_KEY_EXPIRATION, KerberosTime.class) }; - public KdcDHKeyInfo() { + public KdcDhKeyInfo() { super(fieldInfos); } public Asn1BitString getSubjectPublicKey() { - return getFieldAs(KdcDHKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class); + return getFieldAs(KdcDhKeyInfoField.SUBJECT_PUBLIC_KEY, Asn1BitString.class); } public void setSubjectPublicKey(byte[] subjectPubKey) { - setFieldAs(KdcDHKeyInfoField.SUBJECT_PUBLIC_KEY, new Asn1BitString(subjectPubKey)); + setFieldAs(KdcDhKeyInfoField.SUBJECT_PUBLIC_KEY, new Asn1BitString(subjectPubKey)); } public int getNonce() { - return getFieldAsInt(KdcDHKeyInfoField.NONCE); + return getFieldAsInt(KdcDhKeyInfoField.NONCE); } public void setNonce(int nonce) { - setFieldAsInt(KdcDHKeyInfoField.NONCE, nonce); + setFieldAsInt(KdcDhKeyInfoField.NONCE, nonce); } public KerberosTime getDHKeyExpiration() { - return getFieldAsTime(KdcDHKeyInfoField.DH_KEY_EXPIRATION); + return getFieldAsTime(KdcDhKeyInfoField.DH_KEY_EXPIRATION); } public void setDHKeyExpiration(KerberosTime time) { - setFieldAs(KdcDHKeyInfoField.DH_KEY_EXPIRATION, time); + setFieldAs(KdcDhKeyInfoField.DH_KEY_EXPIRATION, time); } }
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdfAlgorithmId.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdfAlgorithmId.java
new file mode 100644
index 0000000..4dd44ee
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/KdfAlgorithmId.java
@@ -0,0 +1,64 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.kerby.kerberos.kerb.type.pa.pkinit; + +import org.apache.kerby.asn1.Asn1FieldInfo; +import org.apache.kerby.asn1.EnumType; +import org.apache.kerby.asn1.ExplicitField; +import org.apache.kerby.asn1.type.Asn1ObjectIdentifier; +import org.apache.kerby.kerberos.kerb.type.KrbSequenceType; + +/* + KDFAlgorithmId ::= SEQUENCE { + kdf-id [0] OBJECT IDENTIFIER, + -- The object identifier of the KDF + } + */ +public class KdfAlgorithmId extends KrbSequenceType { + protected enum KdfAlgorithmIdField implements EnumType { + KDF_ID; + + @Override + public int getValue() { + return ordinal(); + } + + @Override + public String getName() { + return name(); + } + } + + static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] { + new ExplicitField(KdfAlgorithmIdField.KDF_ID, Asn1ObjectIdentifier.class) + }; + + public KdfAlgorithmId() { + super(fieldInfos); + } + + public String getKdfId() { + return getFieldAsObjId(KdfAlgorithmIdField.KDF_ID); + } + + public void setKdfId(String kdfId) { + setFieldAsObjId(KdfAlgorithmIdField.KDF_ID, kdfId); + } +}
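Review bot: `KdfAlgorithmIdField.getValue()` returns `ordinal()`, so the context tag number of `kdf-id` is simply the constant's position in the enum; with a single constant that is harmless, but this is presumably the same mechanism that now supplies the tags for HostAddress and the other pkinit types after their explicit indexes were dropped, and nothing says so. A comment on the enum would stop someone reordering it: `// Ordinal doubles as the ASN.1 context tag number; keep declaration order in sync with the spec.` Style: the class carries only a `/*` block, so the spec excerpt is invisible to Javadoc — make it `/**`; and `static Asn1FieldInfo[] fieldInfos` is a package-visible mutable array where `private static final` would do, unless the identical declaration in the sibling types is relied on by a base class.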
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java
index 9d835ec..d882d84 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/PaPkAsRep.java
@@ -28,7 +28,7 @@
 /**
 PA-PK-AS-REP ::= CHOICE {
- dhInfo [0] DHRepInfo,
+ dhInfo [0] DhRepInfo,
 encKeyPack [1] IMPLICIT OCTET STRING,
 }
 */
@@ -49,7 +49,7 @@
 }
 static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
- new ExplicitField(PaPkAsRepField.DH_INFO, DHRepInfo.class),
+ new ExplicitField(PaPkAsRepField.DH_INFO, DhRepInfo.class),
 new ImplicitField(PaPkAsRepField.ENCKEY_PACK, Asn1OctetString.class)
 };
@@ -57,11 +57,11 @@
 super(fieldInfos);
 }
- public DHRepInfo getDHRepInfo() {
- return getChoiceValueAs(PaPkAsRepField.DH_INFO, DHRepInfo.class);
+ public DhRepInfo getDHRepInfo() {
+ return getChoiceValueAs(PaPkAsRepField.DH_INFO, DhRepInfo.class);
 }
- public void setDHRepInfo(DHRepInfo dhRepInfo) {
+ public void setDHRepInfo(DhRepInfo dhRepInfo) {
 setChoiceValue(PaPkAsRepField.DH_INFO, dhRepInfo);
 }
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKDFs.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKdfs.java
similarity index 87%
rename from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKDFs.java
rename to kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKdfs.java
index 2d1e654..e436018 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKDFs.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/SupportedKdfs.java
@@ -19,8 +19,7 @@
 */
 package org.apache.kerby.kerberos.kerb.type.pa.pkinit;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
 import org.apache.kerby.kerberos.kerb.type.KrbSequenceOfType;
-public class SupportedKDFs extends KrbSequenceOfType<Asn1ObjectIdentifier> {
+public class SupportedKdfs extends KrbSequenceOfType<KdfAlgorithmId> {
 }
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java
index 9428630..e7ca968 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ticket/EncTicketPart.java
@@ -83,7 +83,7 @@
 new ExplicitField(EncTicketPartField.AUTHTIME, KerberosTime.class),
 new ExplicitField(EncTicketPartField.STARTTIME, KerberosTime.class),
 new ExplicitField(EncTicketPartField.ENDTIME, KerberosTime.class),
- new ExplicitField(EncTicketPartField.ENDTIME, KerberosTime.class),
+ new ExplicitField(EncTicketPartField.RENEW_TILL, KerberosTime.class),
 new ExplicitField(EncTicketPartField.CADDR, HostAddresses.class),
 new ExplicitField(EncTicketPartField.AUTHORIZATION_DATA, AuthorizationData.class)
 };
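Review bot: This corrects a `fieldInfos` table that listed `ENDTIME` twice and `RENEW_TILL` not at all, so renew-till could not have been encoded or decoded correctly before (what the duplicate entry did at runtime depends on code outside the hunk). None of the test changes in this commit cover it, and since renew-till bounds how long a ticket may be renewed, a regression test is worth adding: decode a fixed EncTicketPart vector, assert the renew-till value, and check that re-encoding reproduces the input bytes. The `ENDTIME`→`RENEW_TILL` substitution itself looks right given the order of the surrounding fields.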
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java
index 53d7abf..8af6fe8 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPaPkAsRep.java
@@ -20,11 +20,10 @@
 package org.apache.kerby.kerberos.kerb.codec;
 import org.apache.kerby.asn1.Asn1;
-import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
 import org.apache.kerby.cms.type.ContentInfo;
 import org.apache.kerby.kerberos.kerb.KrbCodec;
 import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo;
+import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
 import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
 import org.junit.Test;
@@ -35,9 +34,9 @@
 @Test
 public void test() throws IOException, KrbException {
 PaPkAsRep paPkAsRep = new PaPkAsRep();
- DHRepInfo dhRepInfo = new DHRepInfo();
+ DhRepInfo dhRepInfo = new DhRepInfo();
 ContentInfo contentInfo = new ContentInfo();
- contentInfo.setContentType(new Asn1ObjectIdentifier("1.2.840.113549.1.7.2"));
+ contentInfo.setContentType("1.2.840.113549.1.7.2");
 dhRepInfo.setDHSignedData(contentInfo.encode());
 paPkAsRep.setDHRepInfo(dhRepInfo);
 Asn1.parseAndDump(paPkAsRep.encode());
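Review bot: The updated test still ends with `Asn1.parseAndDump(paPkAsRep.encode());` and asserts nothing, so it only shows that encoding does not throw; now that `setDHRepInfo` takes the new `DhRepInfo` and `setContentType` takes a string, a round trip would pin the change: `PaPkAsRep decoded = new PaPkAsRep(); decoded.decode(paPkAsRep.encode()); assertThat(decoded.getDHRepInfo().getDHSignedData()).isEqualTo(contentInfo.encode());` (with assertj's `assertThat` imported, as the sibling codec tests do). The rest of `test()` is outside the hunk.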
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java
index a67bb2c..ac660f5 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsRepCodec.java
@@ -31,8 +31,8 @@ import org.apache.kerby.kerberos.kerb.type.pa.PaData; import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry; import org.apache.kerby.kerberos.kerb.type.pa.PaDataType; -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo; -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo; +import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo; +import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep; import org.apache.kerby.kerberos.kerb.type.ticket.Ticket; import org.junit.Test; @@ -102,19 +102,19 @@ private void testPaPkAsRep(PaPkAsRep paPkAsRep) throws IOException { assertThat(paPkAsRep.getDHRepInfo()).isNotNull(); - DHRepInfo dhRepInfo = paPkAsRep.getDHRepInfo(); + DhRepInfo dhRepInfo = paPkAsRep.getDHRepInfo(); byte[] dhSignedData = dhRepInfo.getDHSignedData(); SignedContentInfo contentInfo = new SignedContentInfo(); contentInfo.decode(dhSignedData); - assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2"); + assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2"); SignedData signedData = contentInfo.getContentAs(SignedData.class); assertThat(signedData.getCertificates()).isNotNull(); EncapsulatedContentInfo encapsulatedContentInfo = signedData.getEncapContentInfo(); - assertThat(encapsulatedContentInfo.getContentType().getValue()).isEqualTo("1.3.6.1.5.2.3.2"); + assertThat(encapsulatedContentInfo.getContentType()).isEqualTo("1.3.6.1.5.2.3.2"); byte[] eContentInfo = encapsulatedContentInfo.getContent(); - KdcDHKeyInfo kdcDhKeyInfo = new KdcDHKeyInfo(); + KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo(); kdcDhKeyInfo.decode(eContentInfo); assertThat(kdcDhKeyInfo.getSubjectPublicKey()).isNotNull(); assertThat(kdcDhKeyInfo.getDHKeyExpiration()).isNotNull();
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
index 8a59ee1..442bb7d 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitAnonymousAsReqCodec.java
@@ -22,6 +22,7 @@ import org.apache.kerby.asn1.Asn1; import org.apache.kerby.cms.type.SignedContentInfo; import org.apache.kerby.cms.type.SignedData; +import org.apache.kerby.kerberos.kerb.KrbConstant; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType; import org.apache.kerby.kerberos.kerb.type.base.NameType; @@ -33,7 +34,7 @@ import org.apache.kerby.kerberos.kerb.type.pa.PaDataType; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsReq; -import org.apache.kerby.x509.type.DHParameter; +import org.apache.kerby.x509.type.DhParameter; import org.apache.kerby.x509.type.SubjectPublicKeyInfo; import org.junit.Test; @@ -44,7 +45,7 @@ import java.util.Arrays; import java.util.List; -import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.*; public class TestPkinitAnonymousAsReqCodec { @Test @@ -84,7 +85,7 @@ assertThat(body.getKdcOptions().getValue()).isEqualTo(Arrays.copyOfRange(bytes, 1389, 1393)); PrincipalName cName = body.getCname(); assertThat(cName.getNameType()).isEqualTo(NameType.NT_WELLKNOWN); - assertThat(cName.getName()).isEqualTo("WELLKNOWN/ANONYMOUS"); + assertThat(cName.getName()).isEqualTo(KrbConstant.ANONYMOUS_PRINCIPAL); assertThat(body.getRealm()).isEqualTo("EXAMPLE.COM"); PrincipalName sName = body.getSname(); assertThat(sName.getNameType()).isEqualTo(NameType.NT_SRV_INST); @@ -113,7 +114,7 @@ SignedContentInfo contentInfo = new SignedContentInfo(); Asn1.parseAndDump(paPkAsReq.getSignedAuthPack()); contentInfo.decode(paPkAsReq.getSignedAuthPack()); - assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2"); + assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2"); Asn1.dump(contentInfo); SignedData signedData = contentInfo.getSignedData(); 
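Review bot: `import static org.assertj.core.api.Assertions.*;` replaces the explicit `assertThat` import with a wildcard, pulling every static member of `Assertions` into scope and hiding which ones the test uses; the same edit is made in TestPkinitRsaAsRepCodec.java and TestPkinitRsaAsReqCodec.java. Keep `import static org.assertj.core.api.Assertions.assertThat;` and add single-member imports for anything else the test now calls. Nothing in the visible hunks of these three files uses a second `Assertions` member, so the wildcard may not even be needed.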
@@ -122,29 +123,29 @@ assertThat(signedData.getCertificates().getElements().isEmpty()).isTrue(); assertThat(signedData.getCrls().getElements().isEmpty()).isTrue(); assertThat(signedData.getSignerInfos().getElements().isEmpty()).isTrue(); - assertThat(signedData.getEncapContentInfo().getContentType().getValue()) + assertThat(signedData.getEncapContentInfo().getContentType()) .isEqualTo("1.3.6.1.5.2.3.1"); AuthPack authPack = new AuthPack(); Asn1.parseAndDump(signedData.getEncapContentInfo().getContent()); authPack.decode(signedData.getEncapContentInfo().getContent()); assertThat(authPack.getsupportedCmsTypes().getElements().size()).isEqualTo(1); - assertThat(authPack.getsupportedCmsTypes().getElements().get(0).getAlgorithm().getValue()) + assertThat(authPack.getsupportedCmsTypes().getElements().get(0).getAlgorithm()) .isEqualTo("1.2.840.113549.3.7"); SubjectPublicKeyInfo subjectPublicKeyInfo = authPack.getClientPublicValue(); - assertThat(subjectPublicKeyInfo.getAlgorithm().getAlgorithm().getValue()) + assertThat(subjectPublicKeyInfo.getAlgorithm().getAlgorithm()) .isEqualTo("1.2.840.10046.2.1"); - DHParameter dhParameter = subjectPublicKeyInfo.getAlgorithm().getParametersAs(DHParameter.class); + DhParameter dhParameter = + subjectPublicKeyInfo.getAlgorithm().getParametersAs(DhParameter.class); assertThat(dhParameter.getG()).isEqualTo(BigInteger.valueOf(2)); assertThat(authPack.getsupportedKDFs().getElements().size()).isEqualTo(3); - //TO BE FIXED -// assertThat(authPack.getsupportedKDFs().getElements().get(0).getValue()) -// .isEqualTo("1.3.6.1.5.2.3.6.2"); -// assertThat(authPack.getsupportedKDFs().getElements().get(1).getValue()) -// .isEqualTo("1.3.6.1.5.2.3.6.1"); -// assertThat(authPack.getsupportedKDFs().getElements().get(2).getValue()) -// .isEqualTo("1.3.6.1.5.2.3.6.3"); + assertThat(authPack.getsupportedKDFs().getElements().get(0).getKdfId()) + .isEqualTo("1.3.6.1.5.2.3.6.2"); + assertThat(authPack.getsupportedKDFs().getElements().get(1).getKdfId()) + 
.isEqualTo("1.3.6.1.5.2.3.6.1"); + assertThat(authPack.getsupportedKDFs().getElements().get(2).getKdfId()) + .isEqualTo("1.3.6.1.5.2.3.6.3"); } }
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java
index 0de845e..9e96cef 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsRepCodec.java
@@ -33,7 +33,7 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.*;
 public class TestPkinitRsaAsRepCodec {
 @Test
@@ -61,7 +61,7 @@
 Asn1.parseAndDump(encKeyPack);
 ContentInfo contentInfo = new ContentInfo();
 contentInfo.decode(encKeyPack);
- assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.3");
+ assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.3");
 EnvelopedData envelopedData = contentInfo.getContentAs(EnvelopedData.class);
 Asn1.dump(envelopedData);
 }
diff --git a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java
index 0cb6ad4..a5d6efc 100644
--- a/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java
+++ b/kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestPkinitRsaAsReqCodec.java
@@ -40,7 +40,7 @@ import java.util.Arrays; import java.util.List; -import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.*; public class TestPkinitRsaAsReqCodec { @Test @@ -71,12 +71,12 @@ ContentInfo contentInfo = new ContentInfo(); //Asn1.parseAndDump(paPkAsReq.getSignedAuthPack()); contentInfo.decode(paPkAsReq.getSignedAuthPack()); - assertThat(contentInfo.getContentType().getValue()).isEqualTo("1.2.840.113549.1.7.2"); + assertThat(contentInfo.getContentType()).isEqualTo("1.2.840.113549.1.7.2"); //Asn1.dump(contentInfo); SignedData signedData = contentInfo.getContentAs(SignedData.class); assertThat(signedData.getCertificates().getElements().size()).isEqualTo(1); - assertThat(signedData.getEncapContentInfo().getContentType().getValue()).isEqualTo("1.3.6.1.5.2.3.1"); + assertThat(signedData.getEncapContentInfo().getContentType()).isEqualTo("1.3.6.1.5.2.3.1"); PaDataEntry encpaEntry = paData.findEntry(PaDataType.ENCPADATA_REQ_ENC_PA_REP); assertThat(encpaEntry.getPaDataType()).isEqualTo(PaDataType.ENCPADATA_REQ_ENC_PA_REP);
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java index 91d7e34..0e6344b 100644 --- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java +++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncryptionHandler.java
@@ -38,8 +38,6 @@ import org.apache.kerby.kerberos.kerb.type.base.KeyUsage; import org.apache.kerby.kerberos.kerb.type.base.PrincipalName; -import javax.crypto.Cipher; - /** * Encryption handler as the highest level API for encryption stuffs defined in * Kerberos RFC3961. It supports all the encryption types. New encryption type @@ -47,23 +45,6 @@ */ public class EncryptionHandler { - private static boolean isAES256Enabled = false; - - static { - try { - isAES256Enabled = Cipher.getMaxAllowedKeyLength("AES") >= 256; - } catch (Exception e) { - System.err.println(e); - } - } - - /** - * @return true if aes256 is enabled - */ - public static boolean isAES256Enabled() { - return isAES256Enabled; - } - /** * Get the encryption type. * @param eType The encryption type string.
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java index 9220f94..fc23f77 100644 --- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java +++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/CheckSumsTest.java
@@ -23,6 +23,7 @@ import org.apache.kerby.kerberos.kerb.type.base.CheckSumType; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; import org.apache.kerby.kerberos.kerb.type.base.KeyUsage; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.HexUtil; import org.junit.Test; @@ -112,7 +113,7 @@ @Test public void testCheckSums_HMAC_SHA1_96_AES256() throws Exception { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new CksumTest( "fourteen",
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java index c0c938d..cf0bda2 100644 --- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java +++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/DecryptionTest.java
@@ -22,6 +22,7 @@ import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; import org.apache.kerby.kerberos.kerb.type.base.KeyUsage; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.HexUtil; import org.junit.Test; @@ -695,7 +696,7 @@ */ @Test public void testDecryptAES256_CTS_HMAC_SHA1_96_0() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); TestCase testCase = new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -715,7 +716,7 @@ */ @Test public void testDecryptAES256_CTS_HMAC_SHA1_96_1() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); TestCase testCase = new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -735,7 +736,7 @@ */ @Test public void testDecryptAES256_CTS_HMAC_SHA1_96_9() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); TestCase testCase = new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -756,7 +757,7 @@ */ @Test public void testDecryptAES256_CTS_HMAC_SHA1_96_13() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); TestCase testCase = new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -777,7 +778,7 @@ */ @Test public void testDecryptAES256_CTS_HMAC_SHA1_96_30() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); TestCase testCase = new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java index a08f01f..5130ed5 100644 --- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java +++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/FastUtilTest.java
@@ -22,6 +22,7 @@ import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil; import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.HexUtil; import org.junit.Test; @@ -125,7 +126,7 @@ @Test public void testFastUtil_AES256_CTS_HMAC_SHA1() throws Exception { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java index 7b44da0..3d9ee9a 100644 --- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java +++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/KeyDeriveTest.java
@@ -29,6 +29,7 @@ import org.apache.kerby.kerberos.kerb.crypto.key.Des3KeyMaker; import org.apache.kerby.kerberos.kerb.crypto.key.DkKeyMaker; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.HexUtil; import org.junit.Test; @@ -126,7 +127,7 @@ @Test public void testKeyDerive_AES256_CTS_HMAC_SHA1_96_299() throws Exception { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -140,7 +141,7 @@ @Test public void testKeyDerive_AES256_CTS_HMAC_SHA1_96_2AA() throws Exception { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -154,7 +155,7 @@ @Test public void testKeyDerive_AES256_CTS_HMAC_SHA1_96_255() throws Exception { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java index c5dcac6..b87ba9b 100644 --- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java +++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/PrfTest.java
@@ -20,6 +20,7 @@ package org.apache.kerby.kerberos.kerb.crypto; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.HexUtil; import org.junit.Test; @@ -86,7 +87,7 @@ @Test public void testPrf_AES256_CTS_HMAC_SHA1() throws Exception { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java index abbbbfb..042b42a 100644 --- a/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java +++ b/kerby-kerb/kerb-crypto/src/test/java/org/apache/kerby/kerberos/kerb/crypto/String2keyTest.java
@@ -21,6 +21,7 @@ import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.HexUtil; import org.junit.Test; @@ -270,7 +271,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_0() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -284,7 +285,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_1() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -298,7 +299,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_2() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -312,7 +313,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_3() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -326,7 +327,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_4() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -342,7 +343,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_5() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, @@ -356,7 +357,7 @@ @Test public void test_AES256_CTS_HMAC_SHA1_96_6() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96, 
@@ -371,7 +372,7 @@ // Check for KRB5_ERR_BAD_S2K_PARAMS return when weak iteration counts are forbidden @Test public void test_AES256_CTS_HMAC_SHA1_96_7() { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); performTest(new TestCase( EncryptionType.AES256_CTS_HMAC_SHA1_96,
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java index 49bf5cf..8bc4205 100644 --- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java +++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
@@ -21,6 +21,8 @@
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
+import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
@@ -71,6 +73,14 @@
 return kdcServer.getKrbClient();
 }
+ protected KrbPkinitClient getPkinitClient() {
+ return kdcServer.getPkinitClient();
+ }
+
+ protected KrbTokenClient getTokenClient() {
+ return kdcServer.getTokenClient();
+ }
+
 protected String getClientPrincipalName() {
 return clientPrincipalName;
 }
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java index 86d0a61..7782e41 100644 --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -23,7 +23,6 @@ import org.apache.kerby.asn1.parse.Asn1Container; import org.apache.kerby.asn1.parse.Asn1ParseResult; import org.apache.kerby.asn1.type.Asn1Integer; -import org.apache.kerby.asn1.type.Asn1ObjectIdentifier; import org.apache.kerby.cms.type.CertificateChoices; import org.apache.kerby.cms.type.CertificateSet; import org.apache.kerby.cms.type.ContentInfo; @@ -35,8 +34,8 @@ import org.apache.kerby.kerberos.kerb.common.KrbUtil; import org.apache.kerby.kerberos.kerb.crypto.dh.DhServer; import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext; -import org.apache.kerby.kerberos.kerb.preauth.pkinit.CMSMessageType; import org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper; +import org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType; import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto; import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext; import org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta; @@ -52,13 +51,13 @@ import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry; import org.apache.kerby.kerberos.kerb.type.pa.PaDataType; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack; -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DHRepInfo; -import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDHKeyInfo; +import org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo; +import org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsReq; import org.apache.kerby.kerberos.kerb.type.pa.pkinit.PkAuthenticator; import org.apache.kerby.x509.type.Certificate; -import org.apache.kerby.x509.type.DHParameter; +import org.apache.kerby.x509.type.DhParameter; import org.apache.kerby.x509.type.SubjectPublicKeyInfo; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -143,9 +142,9 @@ SignedData signedData = contentInfo.getContentAs(SignedData.class); - PkinitCrypto.verifyCMSSignedData(CMSMessageType.CMS_SIGN_CLIENT, signedData); + PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData); - Boolean isSigned = PkinitCrypto.isSigned(signedData); + Boolean isSigned = signedData.isSigned(); if (isSigned) { //TODO LOG.info("Signed data."); @@ -213,9 +212,9 @@ SubjectPublicKeyInfo publicKeyInfo = authPack.getClientPublicValue(); - DHParameter dhParameter; + DhParameter dhParameter; if (publicKeyInfo.getSubjectPubKey() != null) { - dhParameter = authPack.getClientPublicValue().getAlgorithm().getParametersAs(DHParameter.class); + dhParameter = authPack.getClientPublicValue().getAlgorithm().getParametersAs(DhParameter.class); PkinitCrypto.serverCheckDH(pkinitContext.pluginOpts, pkinitContext.cryptoctx, dhParameter); byte[] clientSubjectPubKey = publicKeyInfo.getSubjectPubKey().getValue(); @@ -321,8 +320,8 @@ } PaPkAsRep paPkAsRep = new PaPkAsRep(); - DHRepInfo dhRepInfo = new DHRepInfo(); - KdcDHKeyInfo kdcDhKeyInfo = new KdcDHKeyInfo(); + DhRepInfo dhRepInfo = new DhRepInfo(); + KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo(); Asn1Integer publickey = new Asn1Integer(severPubKey.getY()); byte[] pubKeyData = KrbCodec.encode(publickey); @@ -341,7 +340,7 @@ certificateSet.addElement(certificateChoices); } - Asn1ObjectIdentifier oid = cryptoContext.getIdPkinitDHKeyDataOID(); + String oid = cryptoContext.getIdPkinitDHKeyDataOID(); signedDataBytes = PkinitCrypto.cmsSignedDataCreate(KrbCodec.encode(kdcDhKeyInfo), oid, 3, null, null, null, null);
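Review bot: `Boolean isSigned = signedData.isSigned();` boxes the primitive `boolean` that the new `SignedData.isSigned()` returns only to unbox it again in `if (isSigned)`; declare it `boolean isSigned = signedData.isSigned();`. Because `isSigned()` only reports that the SignerInfos set is non-empty, the cryptographic verification is presumably the preceding `PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData)` call (its body is not in view), and a comment such as `// presence check only; the signature itself is verified by verifyCmsSignedData above` would stop a later reader from treating this branch as a second check. The `//TODO LOG.info("Signed data.");` leftover also survives the change. The enclosing method starts and ends outside the hunk.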
diff --git a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java index 0a7ad1d..5e83207 100644 --- a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java +++ b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
@@ -23,6 +23,8 @@
 import org.apache.kerby.kerberos.kerb.admin.Kadmin;
 import org.apache.kerby.kerberos.kerb.client.Krb5Conf;
 import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
+import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
 import org.apache.kerby.util.NetworkUtil;
 import java.io.File;
@@ -36,9 +38,11 @@
 private final KrbClient krbClnt;
 private Kadmin kadmin;
 private Krb5Conf krb5Conf;
- private File workDir;
+ private KrbPkinitClient pkinitClient;
+ private KrbTokenClient tokenClient;
+
 /**
 * Default constructor.
 *
@@ -155,6 +159,26 @@
 }
 /**
+ * @return PKINIT client
+ */
+ public KrbPkinitClient getPkinitClient() {
+ if (pkinitClient == null) {
+ pkinitClient = new KrbPkinitClient(krbClnt);
+ }
+ return pkinitClient;
+ }
+
+ /**
+ * @return Token client
+ */
+ public KrbTokenClient getTokenClient() {
+ if (tokenClient == null) {
+ tokenClient = new KrbTokenClient(krbClnt);
+ }
+ return tokenClient;
+ }
+
+ /**
 * Get Kadmin operation interface.
 * @return Kadmin
 */
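Review bot: The Javadoc on the new `getPkinitClient()` and `getTokenClient()` consists of a bare `@return` tag with no summary sentence, unlike the neighbouring `Get Kadmin operation interface.` block; add e.g. `Get the PKINIT client, created lazily on first call and bound to this server's KrbClient.` and the token-client counterpart. Both getters lazily initialise a field without any synchronisation, which is presumably acceptable for the test-harness use this class serves but is worth stating in that same Javadoc (`Not thread-safe.`). The `private File workDir;` field is dropped in the second hunk; if it is still referenced elsewhere in the file (not visible here) the build breaks, so confirm it was unused, and check whether the `java.io.File` import is still needed.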
diff --git a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java index a00667a..2ae0baa 100644 --- a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java +++ b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/EncryptionTest.java
@@ -31,6 +31,7 @@ import org.apache.kerby.kerberos.kerb.type.base.PrincipalName; import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart; import org.apache.kerby.kerberos.kerb.type.ticket.Ticket; +import org.apache.kerby.util.EncryptoUtil; import org.junit.Before; import org.junit.Test; @@ -74,7 +75,7 @@ @Test public void testAes256() throws IOException, KrbException { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); testEncWith("aes256-cts-hmac-sha1-96.cc"); }
diff --git a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java index 5790bda..8ccbb03 100644 --- a/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java +++ b/kerby-kerb/kerb-util/src/test/java/org/apache/kerby/kerberos/kerb/util/NewEncryptionTest.java
@@ -25,6 +25,7 @@ import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey; import org.apache.kerby.kerberos.kerb.type.base.EncryptionType; import org.apache.kerby.kerberos.kerb.type.base.KeyUsage; +import org.apache.kerby.util.EncryptoUtil; import org.junit.Test; import java.io.IOException; @@ -67,7 +68,7 @@ @Test public void testAes256CtsHmacSha1() throws IOException, KrbException { - assumeTrue(EncryptionHandler.isAES256Enabled()); + assumeTrue(EncryptoUtil.isAES256Enabled()); testEncWith(EncryptionType.AES256_CTS_HMAC_SHA1_96); }
diff --git a/kerby-pkix/pom.xml b/kerby-pkix/pom.xml index e53c6b8..03ed9cd 100644 --- a/kerby-pkix/pom.xml +++ b/kerby-pkix/pom.xml
@@ -41,12 +41,18 @@
 <dependency>
 <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk15on</artifactId>
+ <artifactId>bcpkix-jdk15on</artifactId>
 <version>1.52</version>
 <scope>test</scope>
 </dependency>
 <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+
+ <dependency>
 <groupId>org.mockito</groupId>
 <artifactId>mockito-all</artifactId>
 <version>1.9.5</version>
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java index 077abe2..5037efa 100644 --- a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/ContentInfo.java
@@ -66,12 +66,12 @@
 super(fieldInfos);
 }
- public Asn1ObjectIdentifier getContentType() {
- return getFieldAs(CONTENT_TYPE, Asn1ObjectIdentifier.class);
+ public String getContentType() {
+ return getFieldAsObjId(CONTENT_TYPE);
 }
- public void setContentType(Asn1ObjectIdentifier contentType) {
- setFieldAs(CONTENT_TYPE, contentType);
+ public void setContentType(String contentType) {
+ setFieldAsObjId(CONTENT_TYPE, contentType);
 }
 public <T extends Asn1Type> T getContentAs(Class<T> t) {
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java index 17b5c76..a7a260a 100644 --- a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/EncapsulatedContentInfo.java
@@ -61,12 +61,12 @@
 super(fieldInfos);
 }
- public Asn1ObjectIdentifier getContentType() {
- return getFieldAs(CONTENT_TYPE, Asn1ObjectIdentifier.class);
+ public String getContentType() {
+ return getFieldAsObjId(CONTENT_TYPE);
 }
- public void setContentType(Asn1ObjectIdentifier contentType) {
- setFieldAs(CONTENT_TYPE, contentType);
+ public void setContentType(String contentType) {
+ setFieldAsObjId(CONTENT_TYPE, contentType);
 }
 public byte[] getContent() {
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java index 7be20a2..776e028 100644 --- a/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/cms/type/SignedData.java
@@ -120,4 +120,16 @@
 public void setSignerInfos(SignerInfos signerInfos) {
 setFieldAs(SIGNER_INFOS, signerInfos);
 }
+
+ /**
+ * Check whether signed of data, true if the SignerInfos are not null
+ * @return boolean
+ */
+ public boolean isSigned() {
+ if (getSignerInfos().getElements().size() == 0) {
+ return false;
+ } else {
+ return true;
+ }
+ }
 }
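Review bot: `isSigned()` dereferences `getSignerInfos()` without a null check, so a SignedData whose signerInfos field is absent throws NullPointerException instead of answering false, and the if/else that returns a literal boolean collapses to one expression: `SignerInfos infos = getSignerInfos();` / `return infos != null && !infos.getElements().isEmpty();`. The Javadoc says "true if the SignerInfos are not null" while the code tests for emptiness; reword it to `Tells whether this SignedData carries at least one SignerInfo. This is a presence check only, not a signature verification.` so that callers do not mistake the method for validation.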
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiException.java similarity index 69% copy from kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java copy to kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiException.java index e6653b8..a5fee6b 100644 --- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/pkinit/DHNonce.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiException.java
@@ -17,12 +17,19 @@
 * under the License.
 *
 */
-package org.apache.kerby.kerberos.kerb.type.pa.pkinit;
-
-import org.apache.kerby.asn1.type.Asn1OctetString;
+package org.apache.kerby.pkix;
 /**
- * DHNonce ::= OCTET STRING
+ * The root exception for the module.
 */
-public class DHNonce extends Asn1OctetString {
+public class PkiException extends Exception {
+ private static final long serialVersionUID = 7305497872367599428L;
+
+ public PkiException(String message) {
+ super(message);
+ }
+
+ public PkiException(String message, Throwable cause) {
+ super(message, cause);
+ }
 }
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/pki/PkiLoader.java b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiLoader.java similarity index 94% rename from kerby-pkix/src/main/java/org/apache/kerby/pki/PkiLoader.java rename to kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiLoader.java index 7523f39..402e5d4 100644 --- a/kerby-pkix/src/main/java/org/apache/kerby/pki/PkiLoader.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiLoader.java
@@ -17,7 +17,7 @@
 * under the License.
 *
 */
-package org.apache.kerby.pki;
+package org.apache.kerby.pkix;
 import org.apache.commons.ssl.PKCS8Key;
@@ -53,9 +53,9 @@
 CertificateFactory certFactory = null;
 try {
 certFactory = CertificateFactory.getInstance("X.509");
- Collection<? extends Certificate> certs = (Collection<? extends Certificate>)
- certFactory.generateCertificates(inputStream);
- return new ArrayList<Certificate>(certs);
+ Collection<? extends Certificate> certs =
+ certFactory.generateCertificates(inputStream);
+ return new ArrayList<>(certs);
 } catch (CertificateException e) {
 throw new IOException("Failed to load certificates", e);
 }
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiUtil.java b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiUtil.java new file mode 100644 index 0000000..34eda66 --- /dev/null +++ b/kerby-pkix/src/main/java/org/apache/kerby/pkix/PkiUtil.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.pkix;
+
+import org.apache.kerby.cms.type.SignedData;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * Pki utilities.
+ */
+public final class PkiUtil {
+ private PkiUtil() {
+
+ }
+
+ public static byte[] getSignedData(PrivateKey privateKey,
+ X509Certificate certificate, byte[] dataToSign,
+ String eContentType) throws PkiException {
+
+ /**
+ * TO DO
+ */
+ return null;
+ }
+
+ /**
+ * Validates a CMS SignedData using the public key corresponding to the private
+ * key used to sign the structure.
+ *
+ * @param signedData
+ * @return true if the signature is valid.
+ * @throws PkiException
+ */
+ public static boolean validateSignedData(SignedData signedData) throws PkiException {
+ /**
+ * TO DO
+ */
+ return false;
+ }
+}
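Review bot: Both stubs return a silent sentinel — `getSignedData` returns `null` and `validateSignedData` returns `false` — so a caller wired up before the implementation lands gets a missing signature or a "not valid" verdict with no indication that nothing was computed; throw instead, e.g. `throw new UnsupportedOperationException("getSignedData is not implemented yet");` and the equivalent in `validateSignedData`, which keeps the declared `throws PkiException` untouched. The `/** TO DO */` blocks inside the method bodies are Javadoc-style comments in a position Javadoc never reads; make them `// TODO`. `getSignedData` also has no Javadoc summary and no `@param` tags for `privateKey`, `certificate`, `dataToSign` and `eContentType`, and `validateSignedData`'s `@param signedData` and `@throws PkiException` tags are empty.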
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java index 913768a..97623a2 100644 --- a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/AlgorithmIdentifier.java
@@ -60,12 +60,12 @@
 super(fieldInfos);
 }
- public Asn1ObjectIdentifier getAlgorithm() {
- return getFieldAs(ALGORITHM, Asn1ObjectIdentifier.class);
+ public String getAlgorithm() {
+ return getFieldAsObjId(ALGORITHM);
 }
- public void setAlgorithm(Asn1ObjectIdentifier algorithm) {
- setFieldAs(ALGORITHM, algorithm);
+ public void setAlgorithm(String algorithm) {
+ setFieldAsObjId(ALGORITHM, algorithm);
 }
 public <T extends Asn1Type> T getParametersAs(Class<T> t) {
diff --git a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DHParameter.java b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DhParameter.java similarity index 80% rename from kerby-pkix/src/main/java/org/apache/kerby/x509/type/DHParameter.java rename to kerby-pkix/src/main/java/org/apache/kerby/x509/type/DhParameter.java index beb9474..af319ce 100644 --- a/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DHParameter.java +++ b/kerby-pkix/src/main/java/org/apache/kerby/x509/type/DhParameter.java
@@ -7,10 +7,10 @@ import java.math.BigInteger; -import static org.apache.kerby.x509.type.DHParameter.MyEnum.*; +import static org.apache.kerby.x509.type.DhParameter.MyEnum.*; -public class DHParameter extends Asn1SequenceType { - protected static enum MyEnum implements EnumType { +public class DhParameter extends Asn1SequenceType { + protected enum MyEnum implements EnumType { P, G, Q; @@ -32,12 +32,12 @@ new Asn1FieldInfo(Q, Asn1Integer.class), }; - public DHParameter() { + public DhParameter() { super(fieldInfos); } public void setP(BigInteger p) { - setFieldAsBigInteger(P, p); + setFieldAsInt(P, p); } public BigInteger getP() { @@ -46,7 +46,7 @@ } public void setG(BigInteger g) { - setFieldAsBigInteger(G, g); + setFieldAsInt(G, g); } public BigInteger getG() { @@ -55,7 +55,7 @@ } public void setQ(BigInteger q) { - setFieldAsBigInteger(Q, q); + setFieldAsInt(Q, q); } public BigInteger getQ() {
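Review bot: `setP`, `setG` and `setQ` now call `setFieldAsInt(P, p)` with a `BigInteger` argument where the old code called `setFieldAsBigInteger`; the Asn1SequenceType API is not in view, so if the `setFieldAsInt` overload resolved here does not keep the full BigInteger, the Diffie-Hellman modulus and generator stored in this structure would be narrowed, which would silently weaken the DH exchange they feed. Confirm that the overload accepting a BigInteger is the one used, and consider a round-trip test that sets and reads back a modulus wider than 64 bits. The `getP()`/`getG()`/`getQ()` bodies fall outside the hunks.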
diff --git a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java index 2b9329e..99a98e1 100644 --- a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java +++ b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestKeyMaterial.java
@@ -1,5 +1,6 @@ package org.apache.commons.ssl; +import org.apache.kerby.util.EncryptoUtil; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.junit.Test; @@ -14,6 +15,7 @@ import static org.apache.commons.ssl.JUnitConfig.TEST_HOME; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import static org.junit.Assume.assumeTrue; public class TestKeyMaterial { public static final char[] PASSWORD1 = "changeit".toCharArray(); @@ -54,7 +56,10 @@ Date today = new Date(); KeyMaterial km; + + try { + assumeTrue(EncryptoUtil.isAES256Enabled()); km = new KeyMaterial(dir + "/" + fileName, file2, pass1, pass2); } catch (ProbablyBadPasswordException pbpe) { System.out.println(" WARN: " + pbpe);
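Review bot: `assumeTrue(EncryptoUtil.isAES256Enabled());` is placed unconditionally in front of the `new KeyMaterial(...)` call, so when unlimited-strength AES is unavailable every key-material file this method handles is skipped, not only those that actually need AES-256; gate the assumption on the material requiring AES-256, or hoist it to the start of the test method. The assumption also sits inside a `try` block: the `ProbablyBadPasswordException` catch visible here lets it propagate, but the same pattern in TestOpenSSL.java and TestPKCS8Key.java below sits in `try` blocks whose catch clauses are outside the hunk, so check they do not catch `Exception`/`RuntimeException`, which would turn the intended skip into a failure or a silent pass. The two lines added above `try {` appear to be blank and look unintended. The enclosing method starts and ends outside the hunk.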
diff --git a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java index b4f26de..df6837f 100644 --- a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java +++ b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestOpenSSL.java
@@ -1,5 +1,6 @@
 package org.apache.commons.ssl;
+import org.apache.kerby.util.EncryptoUtil;
 import org.apache.kerby.util.Util;
 import org.junit.Test;
@@ -12,6 +13,7 @@
 import static org.apache.commons.ssl.JUnitConfig.TEST_HOME;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeTrue;
 public class TestOpenSSL {
@@ -130,6 +132,7 @@
 byte[] encrypted = Util.streamToBytes(in);
 char[] pwd = "changeit".toCharArray();
 try {
+ assumeTrue(EncryptoUtil.isAES256Enabled());
 byte[] result = OpenSSL.decrypt(cipher, pwd, encrypted);
 String s = new String(result, "ISO-8859-1");
 if (!"Hello World!".equals(s)) {
diff --git a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java index c166f42..59127da 100644 --- a/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java +++ b/kerby-pkix/src/test/java/org/apache/commons/ssl/TestPKCS8Key.java
@@ -1,5 +1,6 @@ package org.apache.commons.ssl; +import org.apache.kerby.util.EncryptoUtil; import org.apache.kerby.util.Util; import org.junit.Test; @@ -11,6 +12,7 @@ import static org.apache.commons.ssl.JUnitConfig.TEST_HOME; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import static org.junit.Assume.assumeTrue; public class TestPKCS8Key { @@ -44,6 +46,7 @@ System.out.println("Checking PKCS file:" + filename); FileInputStream in = new FileInputStream(f); byte[] bytes = Util.streamToBytes(in); + assumeTrue(EncryptoUtil.isAES256Enabled()); PKCS8Key key = new PKCS8Key(bytes, password.toCharArray()); byte[] decrypted = key.getDecryptedBytes(); if (original == null) {
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java b/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java index 18d452e..ab85e93 100644 --- a/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/cms/TestSignedData.java
@@ -20,7 +20,6 @@ package org.apache.kerby.cms; import org.apache.kerby.asn1.Asn1; -import org.apache.kerby.asn1.type.Asn1ObjectIdentifier; import org.apache.kerby.cms.type.CertificateChoices; import org.apache.kerby.cms.type.CertificateSet; import org.apache.kerby.cms.type.ContentInfo; @@ -61,10 +60,10 @@ @Test public void testEncoding() throws IOException { SignedContentInfo contentInfo = new SignedContentInfo(); - contentInfo.setContentType(new Asn1ObjectIdentifier("1.2.840.113549.1.7.2")); + contentInfo.setContentType("1.2.840.113549.1.7.2"); SignedData signedData = new SignedData(); EncapsulatedContentInfo eContentInfo = new EncapsulatedContentInfo(); - eContentInfo.setContentType(new Asn1ObjectIdentifier("1.3.6.1.5.2.3.1")); + eContentInfo.setContentType("1.3.6.1.5.2.3.1"); eContentInfo.setContent("data".getBytes()); signedData.setEncapContentInfo(eContentInfo);
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactory.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java similarity index 95% rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactory.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java index 8434f50..88907ae 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactory.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs; +package org.apache.kerby.pkix; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -35,14 +35,8 @@ /** * Factory for dynamically generating certificate chains. - * - * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> - * @version $Rev$, $Date$ */ public class CertificateChainFactory { - /** - * The log for this class. - */ private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class); private static int trustAnchorLevel = 2; @@ -117,7 +111,7 @@ PublicKey trustAnchorPublicKey = keyPair.getPublic(); X509Certificate trustAnchorCert = TrustAnchorGenerator.generate(trustAnchorPublicKey, trustAnchorPrivateKey, - dn, validityDays, friendlyName); + dn, validityDays, friendlyName); trustAnchorCert.checkValidity(); trustAnchorCert.verify(trustAnchorPublicKey); @@ -134,7 +128,7 @@ PublicKey clientCaPublicKey = keyPair.getPublic(); X509Certificate clientCaCert = IntermediateCaGenerator.generate(trustAnchorCert, trustAnchorPrivateKey, - clientCaPublicKey, dn, validityDays, friendlyName); + clientCaPublicKey, dn, validityDays, friendlyName); clientCaCert.checkValidity(); clientCaCert.verify(trustAnchorPublicKey); @@ -151,7 +145,7 @@ PublicKey clientPublicKey = keyPair.getPublic(); X509Certificate clientCert = EndEntityGenerator.generate(clientCaCert, clientCaPrivateKey, clientPublicKey, - dn, validityDays, friendlyName); + dn, validityDays, friendlyName); clientCert.checkValidity(); clientCert.verify(clientCaPublicKey);
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactoryTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java similarity index 97% rename from kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactoryTest.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java index 556aaf5..31059c4 100644 --- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/CertificateChainFactoryTest.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs; +package org.apache.kerby.pkix; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.junit.Before;
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java similarity index 98% rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java index e2bf201..8f80599 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs; +package org.apache.kerby.pkix; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.DERBMPString;
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java similarity index 98% rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java index a72656a..63e1816 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit; +package org.apache.kerby.pkix; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java similarity index 93% rename from kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java index 578602a..826815e 100644 --- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
@@ -17,9 +17,8 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit; +package org.apache.kerby.pkix; -import org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs.CertificateChainFactory; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.junit.Before; import org.junit.Test; @@ -44,10 +43,7 @@ import java.util.Arrays; public class EnvelopedDataEngineTest extends org.junit.Assert { - /** - * The log for this class. - */ - private static final Logger LOG = LoggerFactory.getLogger(EnvelopedDataEngineTest.class); + private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class); /** * Certificate used to encrypt the data.
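Review bot: The rewritten logger line `private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class);` names the wrong class; the line it replaces used `EnvelopedDataEngineTest.class`, and the move to `org.apache.kerby.pkix` only required dropping the now-local import. Log output from this test will be attributed to CertificateChainFactory, which makes failures harder to trace back. Restore `LoggerFactory.getLogger(EnvelopedDataEngineTest.class)`; the surrounding class body continues outside the hunk.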
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java similarity index 98% rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java index ec977b0..3b90eea 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs; +package org.apache.kerby.pkix; import org.bouncycastle.asn1.DERBMPString;
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java new file mode 100644 index 0000000..cf07eaa --- /dev/null +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.pkix;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * This is a JAVA sign and verify test to serve as a good sample.
+ */
+public class JavaSignTest {
+
+ static class SignAlgorithm {
+ String algo;
+ String keyType;
+
+ SignAlgorithm(String algo, String keyType) {
+ this.algo = algo;
+ this.keyType = keyType;
+ }
+ }
+
+ static final SignAlgorithm[] ALGORITHMS = {
+ new SignAlgorithm("DSA", "DSA"),
+ new SignAlgorithm("SHA1withDSA", "DSA"),
+ new SignAlgorithm("SHA1withRSA", "RSA"),
+ new SignAlgorithm("SHA256withRSA", "RSA"),
+ new SignAlgorithm("SHA384withRSA", "RSA"),
+ new SignAlgorithm("SHA512withRSA", "RSA"),
+ new SignAlgorithm("MD5withRSA", "RSA"),
+ new SignAlgorithm("MD5andSHA1withRSA", "RSA"),
+ new SignAlgorithm("SHA256withRSA", "RSA")
+ };
+
+ static byte[] signData(byte[] dataToSign, KeyPair keyPair,
+ SignAlgorithm sa) throws Exception {
+ byte[] signResult;
+ Signature signer = Signature.getInstance(sa.algo);
+ signer.initSign(keyPair.getPrivate());
+ signer.update(dataToSign);
+ signResult = signer.sign();
+
+ return signResult;
+ }
+
+ static boolean verifyData(byte[] dataToVerify, byte[] signature,
+ KeyPair keyPair, SignAlgorithm sa) throws Exception {
+ boolean verifyResult;
+ Signature verifier = Signature.getInstance(sa.algo);
+ verifier.initVerify(keyPair.getPublic());
+ verifier.update(dataToVerify);
+ verifyResult = verifier.verify(signature);
+
+ return verifyResult;
+ }
+
+ public static void main(String[] args) throws Exception {
+ for (SignAlgorithm sa : ALGORITHMS) {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance(sa.keyType);
+ keyGen.initialize(1024);
+ KeyPair keyPair = keyGen.generateKeyPair();
+
+ byte[] testMessage = "Hello, Kerby!!".getBytes();
+ byte[] signature = signData(testMessage, keyPair, sa);
+ boolean isOk = verifyData(testMessage, signature, keyPair, sa);
+ if (!isOk) {
+ throw new RuntimeException("Failed");
+ }
+ }
+ }
+}
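Review bot: `ALGORITHMS` lists `SHA256withRSA` twice and, for a class whose Javadoc says it is meant "to serve as a good sample", pairs `MD5withRSA`, `MD5andSHA1withRSA`, `SHA1withRSA` and `SHA1withDSA` with `keyGen.initialize(1024)`; a sample intended for copying should exercise current-strength choices (SHA-2 signatures, RSA keys of at least 2048 bits) and mark any legacy entries as such, since readers will reuse whatever is listed. The class only has a `main`, not an `@Test` method, so surefire never runs it and a provider regression in `Signature.getInstance` for these names would go unnoticed; turning `main` into a JUnit test would make the loop a real check. `"Hello, Kerby!!".getBytes()` uses the platform default charset, so the signed bytes differ between machines; prefer `getBytes(StandardCharsets.UTF_8)`.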
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/KeyPairSpec.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java similarity index 97% rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/KeyPairSpec.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java index 7c6a091..b6cfa17 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/KeyPairSpec.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs; +package org.apache.kerby.pkix; import java.math.BigInteger; @@ -27,9 +27,6 @@ /** * Specifications for asymmetric key pairs. - * - * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> - * @version $Rev$, $Date$ */ @SuppressWarnings("checkstyle:linelength") class KeyPairSpec {
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java new file mode 100644 index 0000000..bb10273 --- /dev/null +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.pkix;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.CMSSignedDataGenerator;
+import org.bouncycastle.cms.CMSTypedData;
+import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.cms.SignerInformationStore;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.util.Store;
+
+import java.io.IOException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+
+/**
+ * Encapsulates working with PKINIT signed data structures.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class SignedDataEngine {
+
+ static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[] dataToSign,
+ String eContentType) throws IOException, OperatorCreationException,
+ CertificateEncodingException, CMSException {
+
+ if (Security.getProvider("BC") == null) {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+
+ List certList = new ArrayList();
+ certList.add(certificate);
+ Store certs = new JcaCertStore(certList);
+
+ CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
+
+ gen.addSignerInfoGenerator(
+ new JcaSimpleSignerInfoGeneratorBuilder()
+ .setProvider("BC")
+ .build("SHA1withRSA", privateKey, certificate));
+
+ gen.addCertificates(certs);
+
+ ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType);
+ CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign);
+ CMSSignedData s = gen.generate(msg, true);
+
+ return s.getEncoded();
+ }
+
+ /**
+ * Validates a CMS SignedData using the public key corresponding to the private
+ * key used to sign the structure.
+ *
+ * @param s
+ * @return true if the signature is valid.
+ * @throws Exception
+ */
+ public static boolean validateSignedData(CMSSignedData s) throws Exception {
+
+ Store certStore = s.getCertificates();
+ Store crlStore = s.getCRLs();
+ SignerInformationStore signers = s.getSignerInfos();
+
+ Collection c = signers.getSigners();
+ Iterator it = c.iterator();
+
+ while (it.hasNext()) {
+ SignerInformation signer = (SignerInformation) it.next();
+ Collection certCollection = certStore.getMatches(signer.getSID());
+
+ Iterator certIt = certCollection.iterator();
+ X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
+
+ if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
+ return false;
+ }
+ }
+
+ Collection certColl = certStore.getMatches(null);
+ Collection crlColl = crlStore.getMatches(null);
+
+ if (certColl.size() != s.getCertificates().getMatches(null).size()
+ || crlColl.size() != s.getCRLs().getMatches(null).size()) {
+ return false;
+ }
+ return true;
+ }
+}
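Review bot: `validateSignedData` returns true for a SignedData that carries no SignerInfos, because the `while` loop body never runs and nothing afterwards requires at least one verified signer, so a structure whose signer set has been stripped is accepted as valid; add `if (c.isEmpty()) return false;` right after `Collection c = signers.getSigners();`. In the same loop, `certIt.next()` is called without `hasNext()`, so a signer whose certificate is not in the bundled set fails with NoSuchElementException rather than a clean `return false`; guard it with `if (!certIt.hasNext()) return false;`. The closing size comparison appears to compare `certStore.getMatches(null)` with `s.getCertificates().getMatches(null)`, i.e. the same store with itself (likewise for CRLs), so it can never fail and either wants an intended check or should be removed. Separately, `List`, `Store`, `Collection` and `Iterator` are raw types, the signing algorithm `"SHA1withRSA"` is hard-coded where a parameter or a SHA-2 default would be expected, and the `@author`/`@version` tags being added here are the ones this same commit removes from the other moved files.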
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngineTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java similarity index 83% rename from kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngineTest.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java index 8989a88..60db909 100644 --- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngineTest.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
@@ -17,10 +17,9 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit; +package org.apache.kerby.pkix; -import org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs.CertificateChainFactory; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.junit.Before; @@ -30,18 +29,9 @@ import java.io.File; import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.IOException; -import java.security.InvalidKeyException; import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.Security; -import java.security.SignatureException; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.security.interfaces.RSAPrivateCrtKey; @@ -80,7 +70,6 @@ getCaFromFactory(); } - /** * Tests that signed data signature validation works. * @@ -106,9 +95,7 @@ } - void getCaFromFile(String caFile, String caPassword, String caAlias) throws KeyStoreException, - NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, - UnrecoverableKeyException, InvalidKeyException, SignatureException, NoSuchProviderException { + void getCaFromFile(String caFile, String caPassword, String caAlias) throws Exception { // Open the keystore. KeyStore caKs = KeyStore.getInstance("PKCS12"); caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());
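Review bot: `caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());` in `getCaFromFile` never closes the stream; wrap it as `try (FileInputStream in = new FileInputStream(caFile)) { caKs.load(in, caPassword.toCharArray()); }`. Collapsing the nine specific checked exceptions into `throws Exception` is acceptable for a test helper, but it removes the only documentation of which failure modes the keystore path has, so a one-line comment naming them would keep that information. `getCaFromFile` continues past the end of the hunk.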
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java similarity index 95% rename from kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java rename to kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java index cdb601f..f26354d 100644 --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
@@ -17,7 +17,7 @@ * under the License. * */ -package org.apache.kerby.kerberos.kerb.client.preauth.pkinit.certs; +package org.apache.kerby.pkix; import org.bouncycastle.asn1.DERBMPString; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; @@ -47,9 +47,6 @@ /** * Generates an X.509 "trust anchor" certificate programmatically. - * - * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> - * @version $Rev$, $Date$ */ public class TrustAnchorGenerator { /**
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java b/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java index b78e466..c150fc4 100644 --- a/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java +++ b/kerby-pkix/src/test/java/org/apache/kerby/x509/PkiLoaderTest.java
@@ -19,7 +19,7 @@ */ package org.apache.kerby.x509; -import org.apache.kerby.pki.PkiLoader; +import org.apache.kerby.pkix.PkiLoader; import org.junit.Before; import org.junit.Test;
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java index d59867a..7014960 100644 --- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java +++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
@@ -24,6 +24,7 @@ import org.apache.kerby.KOptionInfo; import org.apache.kerby.KOptionType; import org.apache.kerby.KOptions; +import org.apache.kerby.kerberos.kerb.KrbConstant; import org.apache.kerby.kerberos.kerb.KrbException; import org.apache.kerby.kerberos.kerb.client.KrbClient; import org.apache.kerby.kerberos.kerb.client.KrbKdcOption; @@ -188,10 +189,6 @@ return krbClient; } - private static String getAnonymousPrincipal() { - return "WELLKNOWN/ANONYMOUS"; - } - public static void main(String[] args) throws Exception { KOptions ktOptions = new KOptions(); KinitOption kto; @@ -238,7 +235,7 @@ if (principal == null) { if (ktOptions.contains(KinitOption.ANONYMOUS)) { - principal = getAnonymousPrincipal(); + principal = KrbConstant.ANONYMOUS_PRINCIPAL; } else { printUsage("No principal is specified"); }
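Review bot: The replacement `principal = KrbConstant.ANONYMOUS_PRINCIPAL;` is only behavior-preserving if that constant holds the same literal the removed helper returned, `"WELLKNOWN/ANONYMOUS"`; the constant's definition is not in this diff, so that should be confirmed. Since the anonymous principal name is a protocol-level value the KDC matches on, a drift here would make `-anonymous` fail at the KDC rather than locally.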
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java b/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java index 557181e..c0323d1 100644 --- a/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java +++ b/kerby-util/src/main/java/org/apache/kerby/util/ByteArrayReadLine.java
@@ -1,3 +1,23 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + package org.apache.kerby.util; import java.io.ByteArrayInputStream;
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/EncryptoUtil.java b/kerby-util/src/main/java/org/apache/kerby/util/EncryptoUtil.java new file mode 100644 index 0000000..a9e4b7a --- /dev/null +++ b/kerby-util/src/main/java/org/apache/kerby/util/EncryptoUtil.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.kerby.util;
+
+import javax.crypto.Cipher;
+
+/**
+ * This class gives a method to detect if system support AES256 or above.
+ */
+public class EncryptoUtil {
+ private static boolean isAES256Enabled = false;
+
+ static {
+ try {
+ isAES256Enabled = Cipher.getMaxAllowedKeyLength("AES") >= 256;
+ } catch (Exception e) {
+ System.err.println(e);
+ }
+ }
+
+ /**
+ * @return true if aes256 is enabled
+ */
+ public static boolean isAES256Enabled() {
+ return isAES256Enabled;
+ }
+
+}
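Review bot: The static initializer turns every failure of `Cipher.getMaxAllowedKeyLength("AES")` into `isAES256Enabled == false`, and the three tests gated with `assumeTrue(EncryptoUtil.isAES256Enabled())` in this commit (TestKeyMaterial, TestOpenSSL, TestPKCS8Key) then skip silently, so a broken provider lookup is indistinguishable from a missing unlimited-strength policy and the crypto tests quietly stop running. Catch only `NoSuchAlgorithmException`, which is what that method declares, let anything else propagate, and report through a logger rather than `System.err.println(e)`. The class is a utility holder and should be `final` with a private constructor, and the field sharing the name `isAES256Enabled` with the method reads like a recursive call at first glance; `private static final boolean AES256_ENABLED` computed in the initializer would be clearer.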
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java b/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java index 93f6dfd..f682f03 100644 --- a/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java +++ b/kerby-util/src/main/java/org/apache/kerby/util/HexUtil.java
@@ -26,6 +26,53 @@ private static final char[] HEX_CHARS = HEX_CHARS_STR.toCharArray(); /** + * Convert bytes into friendly format as: + * 0x02 02 00 80 + */ + public static String bytesToHexFriendly(byte[] bytes) { + int len = bytes.length * 2; + len += bytes.length; // for ' ' appended for each char + len += 2; // for '0x' prefix + char[] hexChars = new char[len]; + hexChars[0] = '0'; + hexChars[1] = 'x'; + for (int j = 0; j < bytes.length; j++) { + int v = bytes[j] & 0xFF; + hexChars[j * 3 + 2] = HEX_CHARS[v >>> 4]; + hexChars[j * 3 + 3] = HEX_CHARS[v & 0x0F]; + hexChars[j * 3 + 4] = ' '; + } + + return new String(hexChars); + } + + /** + * Convert friendly hex string like follows into byte array + * 0x02 02 00 80 + */ + public static byte[] hex2bytesFriendly(String hexString) { + hexString = hexString.toUpperCase(); + String hexStr = hexString; + if (hexString.startsWith("0X")) { + hexStr = hexString.substring(2); + } + String[] hexParts = hexStr.split(" "); + + byte[] bytes = new byte[hexParts.length]; + char[] hexPart; + for (int i = 0; i < hexParts.length; ++i) { + hexPart = hexParts[i].toCharArray(); + if (hexPart.length != 2) { + throw new IllegalArgumentException("Invalid hex string to convert"); + } + bytes[i] = (byte) ((HEX_CHARS_STR.indexOf(hexPart[0]) << 4) + + HEX_CHARS_STR.indexOf(hexPart[1])); + } + + return bytes; + } + + /** * Convert bytes into format as: * 02020080 * @param bytes The bytes
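Review bot: `hex2bytesFriendly` never checks that `HEX_CHARS_STR.indexOf(...)` found the character, so any non-hex character returns -1 and is silently folded into the byte instead of rejecting the input; compute `int hi = HEX_CHARS_STR.indexOf(hexPart[0]); int lo = HEX_CHARS_STR.indexOf(hexPart[1]);` and throw the existing `IllegalArgumentException` when either is negative before assembling `bytes[i]`. `bytesToHexFriendly` writes a separator after every byte including the last (`hexChars[j * 3 + 4] = ' '` fills the final slot of the `3 * n + 2` array), so it returns `"0x02 02 00 80 "` with a trailing space rather than the `0x02 02 00 80` the Javadoc shows; sizing the array at `bytes.length * 3 + 1` and skipping the separator on the last byte fixes it, and the round trip keeps working because `String.split` drops trailing empty strings. For an empty array the two are also asymmetric: `bytesToHexFriendly` yields `"0x"` while `hex2bytesFriendly("0x")` throws, which is worth either documenting or handling.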
diff --git a/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java b/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java index 9d30095..f7a1db0 100644 --- a/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java +++ b/kerby-util/src/main/java/org/apache/kerby/util/ReadLine.java
@@ -1,3 +1,22 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ package org.apache.kerby.util; import java.io.IOException;