Hi,
I'm continuing my review of the kerby-core module (and I'll try to
review a few classes every day if I have some time at night...).
I have a question regarding the APOptions implementation. RFC 4120
defines it as:
APOptions ::= KerberosFlags
-- reserved(0),
-- use-session-key(1),
-- mutual-required(2)
This element is used in the AP-REQ structure:
AP-REQ ::= [APPLICATION 14] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (14),
ap-options [2] APOptions,
ticket [3] Ticket,
authenticator [4] EncryptedData -- Authenticator
}
We currently have 2 classes for that: ApOptions and ApOption (actually,
this is an Enum).
- first, what is the ApOption Enum good for? It's used in one place, in
the TgsRequest class, in the verifyAuthenticator() method:
...
apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
setTgtSessionKey(tgtTicket.getEncPart().getKey());
}
- second, assuming the ApOptions class is just a container, and the
ApOption the values that it can contain, then where are the last 2 values
coming from?
public enum ApOption implements EnumType {
NONE(-1),
RESERVED(0x80000000),
USE_SESSION_KEY(0x40000000),
MUTUAL_REQUIRED(0x20000000),
ETYPE_NEGOTIATION(0x00000002), // Where is it coming from ?
USE_SUBKEY(0x00000001); // Where is it coming from ?
...
}
- AFAICT, the ApOptions class extends the Asn1Flags class, whose header
is quite weird:
/**
KrbFlags ::= BIT STRING (SIZE (32..MAX))
-- minimum number of bits shall be sent,
-- but no fewer than 32
*/
public class Asn1Flags extends Asn1BitString {
...
IMO, this class should be part of the Kerby-core module, and its name
should be KerberosFlags.
Thoughts?
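As an added illustration of the encoding the message is discussing (this is example code written for this page, not code from Apache Kerby or from the message author): RFC 4120 section 5.2.8 defines KerberosFlags as a BIT STRING of at least 32 bits, where flag number 0 is the most significant bit of the first octet. That is why the enum above maps RESERVED to 0x80000000, USE_SESSION_KEY to 0x40000000 and MUTUAL_REQUIRED to 0x20000000, and under the same convention the masks 0x00000002 and 0x00000001 are flag numbers 30 and 31. The functions below (names are my own) turn RFC flag numbers into those masks, DER-encode a 32-bit KerberosFlags value, and decode one back, zero-padding strings shorter than 32 bits as a lenient choice.

```python
# Added example: KerberosFlags (RFC 4120 section 5.2.8) as a DER BIT STRING.
# Not Apache Kerby code; function names and the leniency choices are this example's own.

FLAG_WIDTH = 32  # KerberosFlags carries a minimum of 32 bits

# Flag numbers for APOptions as given in the RFC extract quoted above.
AP_OPTIONS = {
    "reserved": 0,
    "use-session-key": 1,
    "mutual-required": 2,
}


def flag_mask(bit_number: int) -> int:
    """Map an RFC flag number to the 32-bit mask convention used by the enum:
    flag 0 is the leading (most significant) bit, so it becomes 0x80000000."""
    if not 0 <= bit_number < FLAG_WIDTH:
        raise ValueError("flag number out of range for a 32-bit KerberosFlags")
    return 1 << (FLAG_WIDTH - 1 - bit_number)


def encode_kerberos_flags(bit_numbers) -> bytes:
    """DER-encode the given flag numbers as a 32-bit BIT STRING (tag 0x03).

    BIT STRING contents start with one octet giving the number of unused
    trailing bits; with exactly 32 bits that octet is 0."""
    value = 0
    for n in bit_numbers:
        value |= flag_mask(n)
    contents = b"\x00" + value.to_bytes(FLAG_WIDTH // 8, "big")
    return b"\x03" + bytes([len(contents)]) + contents


def decode_kerberos_flags(der: bytes) -> set:
    """Parse a DER BIT STRING and return the set of flag numbers that are set.

    Lenient choices made for this example: a string shorter than 32 bits is
    treated as zero-padded (missing flags are simply absent), and bits beyond
    32 are still reported so a caller can decide what to do with them."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or malformed length")
    unused = der[2]
    if unused > 7 or (length == 1 and unused != 0):
        raise ValueError("bad unused-bits octet")
    payload = der[3:]
    total_bits = len(payload) * 8 - unused
    set_flags = set()
    for n in range(total_bits):
        # Flag n lives in octet n // 8, counting from the MSB of that octet.
        if payload[n // 8] & (0x80 >> (n % 8)):
            set_flags.add(n)
    return set_flags


if __name__ == "__main__":
    der = encode_kerberos_flags([AP_OPTIONS["mutual-required"]])
    print(der.hex())                      # 03050020000000
    print(sorted(decode_kerberos_flags(der)))
```

Running the block encodes mutual-required alone as 03 05 00 20 00 00 00: tag, length 5, zero unused bits, then the 32-bit value 0x20000000, which is exactly the mask the enum assigns to MUTUAL_REQUIRED.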