On 07/11/16 at 16:37, Eirik Bjørsnøs wrote:
> Hi,
>
> I'm working on building an Android Authenticator for SPNEGO/Kerberos using
> Apache Directory's KdcConnection API for communication with the KDC.
>
> I wanted to share my experience. So far I've been able to implement a proof
> of concept, however I did have to make a few changes to the Apache DS code
> to make it work on Android:
>
> *KerberosKeyFactory.string2Key:*
>
> This uses KerberosKey and KerberosPrincipal
> from javax.security.auth.kerberos. This package does not exist on Android.
>
> Luckily, ApacheDS and Java/Android already include most of what is needed
> to replace the usage of KerberosKey, without having to write a lot of code:
>
> Get base key with PBKDF2: Easy to do using SecretKeyFactory with
> "PBKDF2WithHmacSHA1"
>
> Get encryption key: Calling AesCtsSha1Encryption.deriveKey with the base
> key, the usage bytes and correct n and k parameters produces the correct
> key.
>
> At first, I just changed string2Key to use these APIs instead of
> KerberosKey. Later, I tried making my changes less intrusive by introducing
> a new protected method in KdcConnection which I could override to produce
> client keys. However, AesCtsSha1Encryption.deriveKey is protected, so I
> can't access it from my code.
Question: wouldn't it be better to simply implement those two classes in our project? KerberosPrincipal is far from being complex, nor is KerberosKey.

>
> *ChecksumType in org.apache.directory.shared.kerberos.crypto.checksum:*
>
> In order to produce a valid KRB_AP_REQ message for use in an SPNEGO token,
> a GSSAPI 0x8003 checksum needs to be set on the AP_REQ's Authenticator.
>
> The ChecksumType enum is missing a value for this checksum type. I added
> one looking like this: KRB_AP_REQ_AUTHN(0x8003, "krb-ap-req-authn");
>
> (Note that this isn't really a checksum, GSSAPI just uses that field for
> passing some bytes containing flags and delegation info)
>
> If there's interest in the Apache Directory project for improving support
> for KdcConnection on Android, I'd be happy to supply patches.

Sure!

>
> What's the easiest way to do that these days?

We are still using Subversion, so the best way is to run a "svn diff . > patch.txt" from the root of the project, and attach the file to a JIRA ticket.

Thanks!
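The string2Key replacement the thread describes, written out as an added example (it is neither Apache DS code nor Eirik's patch) that uses only javax.crypto, so it needs neither javax.security.auth.kerberos nor the protected AesCtsSha1Encryption.deriveKey: PBKDF2-HMAC-SHA1 through SecretKeyFactory gives the base key, then RFC 3961 DK with the constant "kerberos" gives the long-term key and DK with usage||type gives the per-usage keys. The n-fold and DK routines are reimplemented here from RFC 3961 rather than taken from Apache DS; the class name AesString2Key, the sample passphrase and salt, and the key-usage number in main are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Kerberos AES string-to-key (RFC 3962) and key derivation (RFC 3961) built only
 * on javax.crypto. Assumed class name; this is not Apache DS code.
 */
public final class AesString2Key {

    private static final int BLOCK = 16; // AES block size in bytes
    private static final byte[] KERBEROS = "kerberos".getBytes(StandardCharsets.US_ASCII);

    /** Long-term key: keyLen 16 for aes128-cts-hmac-sha1-96 (17), 32 for aes256-cts-hmac-sha1-96 (18). */
    public static byte[] string2Key(char[] password, String salt, int iterations, int keyLen)
            throws GeneralSecurityException {
        // Step 1: PBKDF2-HMAC-SHA1 over the UTF-8 salt yields the temporary key
        // (random-to-key is the identity function for AES in RFC 3962).
        PBEKeySpec spec = new PBEKeySpec(password, salt.getBytes(StandardCharsets.UTF_8), iterations, keyLen * 8);
        byte[] tkey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        // Step 2: the Kerberos key is DK(tkey, "kerberos").
        return dk(tkey, KERBEROS);
    }

    /** Per-usage key: constant = 4-byte big-endian usage number || type (0x99 Kc, 0xAA Ke, 0x55 Ki). */
    public static byte[] deriveUsageKey(byte[] baseKey, int usage, byte type) throws GeneralSecurityException {
        byte[] constant = { (byte) (usage >>> 24), (byte) (usage >>> 16), (byte) (usage >>> 8), (byte) usage, type };
        return dk(baseKey, constant);
    }

    /** DK(key, constant) = random-to-key(DR(key, constant)); DR chain-encrypts n-fold(constant) (RFC 3961 5.1). */
    public static byte[] dk(byte[] key, byte[] constant) throws GeneralSecurityException {
        byte[] block = constant.length == BLOCK ? constant : nfold(constant, BLOCK);
        // Kerberos AES encrypts with CBC-CTS and a zero IV; on exactly one block that is plain ECB.
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        byte[] out = new byte[key.length];
        for (int off = 0; off < out.length; off += BLOCK) {
            block = aes.doFinal(block);                 // K1 = E(key, n-fold), K2 = E(key, K1), ...
            System.arraycopy(block, 0, out, off, Math.min(BLOCK, out.length - off));
        }
        return out;
    }

    /** RFC 3961 n-fold: concatenate copies of the input, each rotated 13 bits right, then ones-complement add. */
    static byte[] nfold(byte[] in, int outLen) {
        int inLen = in.length;
        int a = outLen, b = inLen;
        while (b != 0) { int c = b; b = a % b; a = c; }      // gcd
        int lcm = outLen * inLen / a;
        byte[] out = new byte[outLen];
        int acc = 0;
        for (int i = lcm - 1; i >= 0; i--) {
            // Position of the top bit of the input byte that lands at index i after (i / inLen) rotations.
            int msbit = (((inLen << 3) - 1)
                    + (((inLen << 3) + 13) * (i / inLen))
                    + ((inLen - (i % inLen)) << 3)) % (inLen << 3);
            int hi = in[((inLen - 1) - (msbit >>> 3)) % inLen] & 0xff;
            int lo = in[(inLen - (msbit >>> 3)) % inLen] & 0xff;
            acc += (((hi << 8) | lo) >>> ((msbit & 7) + 1)) & 0xff;
            acc += out[i % outLen] & 0xff;
            out[i % outLen] = (byte) acc;
            acc >>>= 8;
        }
        for (int i = outLen - 1; acc != 0 && i >= 0; i--) {  // wrap the final carry around (ones-complement)
            acc += out[i] & 0xff;
            out[i] = (byte) acc;
            acc >>>= 8;
        }
        return out;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte x : bytes) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in the RFC 3962 Appendix B style: the salt is realm + principal name.
        char[] password = "password".toCharArray();
        String salt = "ATHENA.MIT.EDUraeburn";
        byte[] k128 = string2Key(password, salt, 4096, 16);
        byte[] k256 = string2Key(password, salt, 4096, 32);
        System.out.println("aes128 long-term key: " + hex(k128));
        System.out.println("aes256 long-term key: " + hex(k256));
        // Key usage 3 (AS-REP enc-part), Ke type 0xAA: the key a client uses to decrypt the KDC's reply.
        System.out.println("aes128 Ke for usage 3: " + hex(deriveUsageKey(k128, 3, (byte) 0xAA)));
    }
}
```

Check the result against the test vectors in RFC 3962 Appendix B, which use the passphrase and salt above with several iteration counts; the iteration count to use in practice is the one the KDC sends in ETYPE-INFO2, with 4096 as the RFC 3962 default when none is sent. In Apache DS the same per-usage derivation is what AesCtsSha1Encryption.deriveKey performs, so overriding a key-producing hook in KdcConnection with this class avoids reaching into that protected method.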
