Add missing file.
1 file changed
tree: 29883a1863d2408b95623248056bb7e33d30cc51
  1. 3rdparty/
  2. benchmark/
  3. docs/
  4. kdc-backend/
  5. kerby-asn1/
  6. kerby-kdc/
  7. kerby-kerb/
  8. lib/
  9. tool/
  10. .gitignore
  11. LICENSE
  12. pom.xml
  13. README.md
README.md

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Apache Kerby

Apache Kerby is a Java Kerberos binding. It provides a rich, intuitive and interoperable implementation, library and various facilities that integrate Kerberos, PKI and token (OAuth) as desired in modern environments such as mobile, cloud and Hadoop.

The Initiatives/Goals

  • Aims to be a Java Kerberos binding, with rich and integrated facilities that integrate Kerberos, PKI and token (OAuth) for both client and server sides.
  • Provides client APIs at the Kerberos protocol level to interact with a KDC server through AS and TGS exchanges.
  • Provides an embedded KDC server that applications can easily integrate into products, unit tests or integration tests.
  • Supports the FAST/Preauthentication framework to allow popular and useful authentication mechanisms.
  • Supports the PKINIT mechanism to allow clients to request tickets using X.509 certificate credentials.
  • Supports the Token Preauth mechanism to allow clients to request tickets using JWT tokens.
  • Provides support for JAAS, GSSAPI and SASL frameworks that applications can leverage.
  • Minimal dependencies: the core part is guaranteed to depend only on the JRE, for easy use and maintenance.

Update

We’re collaborating with the ApacheDS community and preparing this project to become a sub-project. Feedback is welcome.

Status

With the core and critical parts done, important features are still in progress, as outlined below. The 0.1 version will be released early next year. We do not suggest production usage prior to the release.

Desired KrbClient APIs (partially done)

  • Initiate a KrbClient
  • Request a TGT with user plain password credential
  • Request a TGT with user x509 certificate credential
  • Request a TGT with user token credential
  • Request a service ticket with user TGT credential for a server
  • Request a service ticket with user AccessToken credential for a server

ASN-1 support

Please look at kerby-asn1 for details.

Kerberos Crypto and Encryption Types

  • Implements des, des3, rc4, aes and camellia encryption and the corresponding checksum types
  • Interoperates with MIT Kerberos and Microsoft AD
  • Independent of the Kerberos code in the JRE, but relies on JCE

| Encryption Type | Description |
|---|---|
| des-cbc-crc | DES cbc mode with CRC-32 (weak) |
| des-cbc-md4 | DES cbc mode with RSA-MD4 (weak) |
| des-cbc-md5 | DES cbc mode with RSA-MD5 (weak) |
| des3-cbc-sha1, des3-hmac-sha1, des3-cbc-sha1-kd | Triple DES cbc mode with HMAC/sha1 |
| des-hmac-sha1 | DES with HMAC/sha1 (weak) |
| aes256-cts-hmac-sha1-96, aes256-cts | AES-256 CTS mode with 96-bit SHA-1 HMAC |
| aes128-cts-hmac-sha1-96, aes128-cts | AES-128 CTS mode with 96-bit SHA-1 HMAC |
| arcfour-hmac, rc4-hmac, arcfour-hmac-md5 | RC4 with HMAC/MD5 |
| arcfour-hmac-exp, rc4-hmac-exp, arcfour-hmac-md5-exp | Exportable RC4 with HMAC/MD5 (weak) |
| camellia256-cts-cmac, camellia256-cts | Camellia-256 CTS mode with CMAC |
| camellia128-cts-cmac, camellia128-cts | Camellia-128 CTS mode with CMAC |
| des | The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) |
| des3 | The triple DES family: des3-cbc-sha1 |
| aes | The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 |
| rc4 | The RC4 family: arcfour-hmac |
| camellia | The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac |
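
To check an enctype list against the table above, the following added example (not part of Kerby or its README) resolves aliases and family names to canonical enctypes and reports the entries the table marks as weak. The function names and the sample list are assumptions made for illustration, and the weak labels follow this README's table only.

```python
import re

# Canonical enctype -> (aliases, weak?), transcribed from the README table above.
ENCTYPES = {
    "des-cbc-crc": ((), True),
    "des-cbc-md4": ((), True),
    "des-cbc-md5": ((), True),
    "des3-cbc-sha1": (("des3-hmac-sha1", "des3-cbc-sha1-kd"), False),
    "des-hmac-sha1": ((), True),
    "aes256-cts-hmac-sha1-96": (("aes256-cts",), False),
    "aes128-cts-hmac-sha1-96": (("aes128-cts",), False),
    "arcfour-hmac": (("rc4-hmac", "arcfour-hmac-md5"), False),
    "arcfour-hmac-exp": (("rc4-hmac-exp", "arcfour-hmac-md5-exp"), True),
    "camellia256-cts-cmac": (("camellia256-cts",), False),
    "camellia128-cts-cmac": (("camellia128-cts",), False),
}
# Family name -> member enctypes, exactly as the table's family rows list them.
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
ALIASES = {alias: canon for canon, (names, _) in ENCTYPES.items() for alias in names}

def audit_enctypes(spec):
    """Resolve a space/comma separated enctype list; return (resolved, weak, unknown)."""
    resolved, weak, unknown = [], [], []
    for token in filter(None, re.split(r"[\s,]+", spec.strip().lower())):
        # A family expands to its members; an alias maps to its canonical name.
        members = FAMILIES.get(token) or [ALIASES.get(token, token)]
        for name in members:
            if name not in ENCTYPES:
                unknown.append(token)      # not in the table: report, never guess
            elif name not in resolved:     # de-duplicate alias/canonical repeats
                resolved.append(name)
                if ENCTYPES[name][1]:
                    weak.append(name)
    return resolved, weak, unknown

def harden(spec):
    """Return the resolved list with weak and unknown entries dropped."""
    resolved, weak, _ = audit_enctypes(spec)
    return [name for name in resolved if name not in weak]

# Constructed sample list (hypothetical, not taken from the README).
SAMPLE = "aes256-cts rc4-hmac-exp des des3-hmac-sha1 aes256-cts-hmac-sha1-96 blowfish"
if __name__ == "__main__":
    print(audit_enctypes(SAMPLE), harden(SAMPLE))
```
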

Dependency

The core part is guaranteed to depend only on the JRE. Every external dependency is chosen carefully and maintained separately.

Contrib Projects
  • kerby-asn1. A model-driven ASN-1 encoding and decoding framework.
  • kerby-event. A pure event-driven application framework for building applications from asynchronous and concurrent handlers. It includes UDP and TCP transports based on pure Java NIO and concurrency patterns.
  • kerby-config. A unified configuration API that aims to support various configuration file formats, like XML, JNI, CSV and Java Properties files.
  • kerby-token. Implements a JWT token API for Kerberos that's defined in the TokenPreauth drafts.

License

Apache License V2.0