Hi, I'm working on building an Android Authenticator for SPNEGO/Kerberos using Apache Directory's KdcConnection API for communication with the KDC
I wanted to share my experience. So far I've been able to implement a proof of concept; however, I did have to make a few changes to the Apache DS code to make it work on Android:

*KerberosKeyFactory.string2Key:*

This uses KerberosKey and KerberosPrincipal from javax.security.auth.kerberos. This package does not exist on Android. Luckily, ApacheDS and Java/Android already include most of what is needed to replace the usage of KerberosKey, without having to write a lot of code:

- Get base key with PBKDF2: Easy to do using SecretKeyFactory with "PBKDF2WithHmacSHA1".
- Get encryption key: Calling AesCtsSha1Encryption.deriveKey with the base key, the usage bytes and correct n and k parameters produces the correct key.

At first, I just changed string2Key to use these APIs instead of KerberosKey. Later, I tried making my changes less intrusive by introducing a new protected method in KdcConnection which I could override to produce client keys. However, AesCtsSha1Encryption.deriveKey is protected, so I can't access it from my code.

*ChecksumType in org.apache.directory.shared.kerberos.crypto.checksum:*

In order to produce a valid KRB_AP_REQ message for use in an SPNEGO token, a GSSAPI 0x8003 checksum needs to be set on the AP_REQ's Authenticator. The ChecksumType enum is missing a value for this checksum type. I added one looking like this:

    KRB_AP_REQ_AUTHN(0x8003, "krb-ap-req-authn");

(Note that this isn't really a checksum; GSSAPI just uses that field for passing some bytes containing flags and delegation info.)

If there's interest in the Apache Directory project for improving support for KdcConnection on Android, I'd be happy to supply patches. What's the easiest way to do that these days?

Cheers,
Eirik.
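The two-step derivation described in the post (PBKDF2 base key, then the "kerberos"-constant DK step that AesCtsSha1Encryption.deriveKey performs with n = 128 and k = key length) written out as an added Python example following RFC 3961/3962. This is not code from the post or from Apache Directory; it assumes the `cryptography` package for the AES step, and the test vectors are the ones published in RFC 3962 Appendix B.

```python
import hashlib
import math

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
except ImportError:  # no AES backend: PBKDF2 and n-fold below still work
    Cipher = None

KERBEROS_CONSTANT = b"kerberos"  # DK "usage" constant for string-to-key


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 n-fold: repeat `data` (each copy rotated right by 13 more bits)
    up to lcm(len, nbytes) bytes, then ones-complement-add the nbytes chunks."""
    inbits = len(data) * 8
    lcm = len(data) * nbytes // math.gcd(len(data), nbytes)
    stream = b""
    for i in range(lcm // len(data)):
        n = int.from_bytes(data, "big")
        sh = (13 * i) % inbits
        n = ((n >> sh) | (n << (inbits - sh))) & ((1 << inbits) - 1)
        stream += n.to_bytes(len(data), "big")
    total = sum(int.from_bytes(stream[i:i + nbytes], "big")
                for i in range(0, lcm, nbytes))
    mask = (1 << (nbytes * 8)) - 1
    while total >> (nbytes * 8):  # fold carries back in (ones-complement sum)
        total = (total & mask) + (total >> (nbytes * 8))
    return total.to_bytes(nbytes, "big")


def string_to_base_key(password: bytes, salt: bytes, iterations: int, key_bytes: int) -> bytes:
    """Step 1 of the post: PBKDF2-HMAC-SHA1 (RFC 3962 section 4). The salt is
    normally REALM + principal name components; iterations defaults to 4096."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_bytes)


def derive_key(base_key: bytes, constant: bytes, key_bytes: int) -> bytes:
    """Step 2: DK = k-truncate(DR), where DR chains AES encryptions starting from
    n-fold(constant). For one 16-byte block, CTS with a zero IV equals ECB."""
    if Cipher is None:
        raise RuntimeError("install the 'cryptography' package for the AES step")
    enc = Cipher(algorithms.AES(base_key), modes.ECB()).encryptor()
    block = nfold(constant, 16)   # n = AES block size, 128 bits
    out = b""
    while len(out) < key_bytes:   # k = requested key length (16 or 32 bytes)
        block = enc.update(block)  # K1 = E(nfold), K2 = E(K1), ...
        out += block
    return out[:key_bytes]


def aes_string_to_key(password: bytes, salt: bytes, iterations: int, key_bytes: int) -> bytes:
    """Full aes128/aes256-cts-hmac-sha1-96 string-to-key (RFC 3962)."""
    base = string_to_base_key(password, salt, iterations, key_bytes)
    return derive_key(base, KERBEROS_CONSTANT, key_bytes)
```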
