RE: [VOTE] - Release Apache Kerby 1.0.0 (take II)

2017-05-10 Thread Chen, Sammi
Builds successfully from source code.

Non-binding +1

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, May 10, 2017 6:14 PM
To: kerby@directory.apache.org; Apache Directory Developers List

Subject: [VOTE] - Release Apache Kerby 1.0.0 (take II)

This is (the second) vote to release Apache Kerby 1.0.0. We had to cancel the 
first vote after Emmanuel identified some issues with the NOTICE + licenses for 
the two Kerby distributions. The distributions now correctly include the Netty 
NOTICEs and licenses of modified components, and SLF4J copyright notice + 
license.

Issues fixed:

https://issues.apache.org/jira/browse/DIRKRB/fixforversion/12332775

Maven Artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1130/

In particular the source:

https://repository.apache.org/content/repositories/orgapachedirectory-1130/org/apache/kerby/kerby-all/1.0.0/

Git tag:

https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=b0e8f9da3cdb494c82d62c956ee35a53a52ac0ce

+1 from me.

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby

2016-11-14 Thread Chen, Sammi
Hi Jim,

Not yet. The investigation is ongoing.

Regards,
Sammi
From: Jim Shi [mailto:hj...@yahoo.com]
Sent: Friday, November 11, 2016 2:41 AM
To: Chen, Sammi; Kerby
Subject: Re: Kerby

Hi, Chen,
Do you have any update on this?

Thanks.

Jim

On Thursday, November 3, 2016 12:47 AM, "Chen, Sammi" <sammi.c...@intel.com> wrote:

Hi Jim,

Thanks for providing the detailed information. I will try to reproduce the case 
and find out the result.

Regards,
Sammi
From: Jim Shi [mailto:hj...@yahoo.com]
Sent: Thursday, November 03, 2016 12:53 AM
To: Chen, Sammi <sammi.c...@intel.com>; cohei...@apache.org; 
kerby@directory.apache.org
Subject: Re: Kerby

Hi, Sammi,
I set up a Kerby server with a ticket lifetime of 2 hours and a max renew 
lifetime of 10 hours.

I use the MIT KDC kinit client to get the TGT and renew the TGT.

1. kinit test@TEST_REALM
   Got back a TGT with a 2 hour lifetime correctly. However, it says renew until 
   <...time...>; the time is NOT 10 hours from the current time.

2. Renew the ticket with kinit -R test@TEST_REALM
   The TGT is renewed with a lifetime LESS THAN two hours.

Let me know if you want more details.

On Wednesday, November 2, 2016 5:04 AM, "Chen, Sammi" <sammi.c...@intel.com> wrote:

Hi Jim,

Sorry for the late response. As Colm has advised, if you are sure it's a bug, 
please file a JIRA.

Otherwise, would you please explain your point in detail?

Thanks,
Sammi

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, November 02, 2016 5:51 PM
To: kerby@directory.apache.org; Jim Shi
Cc: Chen, Sammi
Subject: Re: Kerby

What's the issue exactly? If you have identified a bug then please create a 
JIRA here:

https://issues.apache.org/jira/browse/DIRKRB
Colm.

On Tue, Nov 1, 2016 at 5:15 PM, Jim Shi <hj...@yahoo.com.invalid> wrote:
Hi, Sammi, it looks like the ticket renew-until time and ticket end time are not correct?
Is the code actually used in any prod env?
Thanks a lot.

Jim



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
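The endtime and renew-till values Jim's report expects, as an added Go example that is not Kerby's code: it follows the RFC 4120 rules for the initial AS exchange and for a renewal, with the 2 hour ticket life and 10 hour renewable life from the report as a constructed policy.

```go
package main

import (
	"errors"
	"time"
)

// Ticket holds the EncTicketPart times: starttime, endtime and renew-till.
type Ticket struct {
	Start, End, RenewTill time.Time
}

// Policy is the realm/principal limit set the KDC enforces (constructed here
// from the thread: 2 hour ticket life, 10 hour maximum renewable life).
type Policy struct {
	MaxLife, MaxRenewableLife time.Duration
}

func minDur(a, b time.Duration) time.Duration {
	if a < b {
		return a
	}
	return b
}

// issueTGT follows RFC 4120 section 3.1.3: endtime is the requested life capped
// by policy, renew-till is the requested renewable life capped by policy, and
// both are measured from starttime (so renew-till lands 10 hours after kinit).
func issueTGT(now time.Time, reqLife, reqRenew time.Duration, p Policy) Ticket {
	return Ticket{Start: now, End: now.Add(minDur(reqLife, p.MaxLife)),
		RenewTill: now.Add(minDur(reqRenew, p.MaxRenewableLife))}
}

// renewTGT follows RFC 4120 section 3.3.3: the renewed ticket keeps the old
// duration (endtime - starttime) from the new starttime but never outlives
// renew-till, and renewal is refused once the old ticket has expired.
func renewTGT(now time.Time, t Ticket) (Ticket, error) {
	if now.After(t.End) {
		return Ticket{}, errors.New("ticket already expired; cannot renew")
	}
	if now.After(t.RenewTill) {
		return Ticket{}, errors.New("renew-till passed; ticket no longer renewable")
	}
	end := now.Add(t.End.Sub(t.Start))
	if end.After(t.RenewTill) {
		end = t.RenewTill
	}
	return Ticket{Start: now, End: end, RenewTill: t.RenewTill}, nil
}
```

A renewed TGT only comes back shorter than the original life when the new endtime would pass renew-till, which is the one case to rule out before treating the shorter life as a bug.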




RE: Kerby

2016-11-02 Thread Chen, Sammi
Hi Jim,

Sorry for the late response. As Colm has advised, if you are sure it's a bug, 
please file a JIRA.

Otherwise, would you please explain your point in detail?

Thanks,
Sammi

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, November 02, 2016 5:51 PM
To: kerby@directory.apache.org; Jim Shi
Cc: Chen, Sammi
Subject: Re: Kerby

What's the issue exactly? If you have identified a bug then please create a 
JIRA here:

https://issues.apache.org/jira/browse/DIRKRB
Colm.

On Tue, Nov 1, 2016 at 5:15 PM, Jim Shi <hj...@yahoo.com.invalid> wrote:
Hi, Sammi, it looks like the ticket renew-until time and ticket end time are not correct?
Is the code actually used in any prod env?
Thanks a lot.

Jim



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Hello

2016-10-31 Thread Chen, Sammi



RE: Prepare for 1.0.0-RC3

2016-10-12 Thread Chen, Sammi
Hi All,

Since there are no more suggestions, I'm going to start the RC3 release 
process.

Regards,
Sammi

-Original Message-
From: Chen, Sammi 
Sent: Tuesday, September 27, 2016 10:23 AM
To: kerby@directory.apache.org
Subject: RE: Prepare for 1.0.0-RC3

Hi All,

Since Jiajia is taking leave, I will help move the Kerby 1.0 release along. 
Thanks for all your support.

So far, the following items are done:
1. Update the readme and Javadoc - Done
2. Do some tests of the tools - Done
3. Add logs to improve exception handling - Done

Please suggest if anything is missed or should be handled before the release.

Thanks,
Sammi

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Wednesday, July 27, 2016 2:53 PM
To: kerby@directory.apache.org
Subject: Prepare for 1.0.0-RC3


Hi all,

On March 13, the 1.0.0-RC2 of Kerby was released. We're thinking about a new 
Kerby release (RC3).
From Mar 13 to Jul 27, 60 JIRA issues were resolved, including the following 
important features:

1. Kerby authorization support. Gerard and Richard provided the large patch.
2. XDR support.
3. Some remote kadmin APIs (add, delete and list).
4. Some important fixes for JWT pre-authentication and SimpleKdcServer.

I think the following issues should be solved before release:
1. Update the readme and javadoc
2. Do some tests of tools.
What else did I miss here?

What do you think about this?

Thanks
Jiajia



RE: Anonymous PKINIT signatures

2016-09-27 Thread Chen, Sammi
Hi Colm,

OK. Will do. 

Thanks,
Sammi
-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, September 27, 2016 8:23 PM
To: Chen, Sammi
Cc: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT signatures

Hi Sammi,

Yes let's release RC3 soon if it's needed, and look at the anonymous PKINIT 
work afterwards.

Colm.

On Tue, Sep 27, 2016 at 8:08 AM, Chen, Sammi wrote:

> Hi Colm,
>
> I'm ramping up on this anonymous PKINIT signature issue. I may take a 
> while to understand the question and figure out the solution, and would 
> like to discuss it with you when I have some thoughts.
>
> In the meantime, I'm trying to move the Kerby 1.0.0-RC3 release along. 
> The community has implemented new features and made a lot of improvements 
> and bug fixes since the RC2 release. With Hadoop 3.0 about to be released 
> soon, it would be better if we can have a Kerby release in the near 
> future. I'm afraid that this will take me a longer time, and can't catch 
> up with the RC3 release. So I wonder if we can release RC3 first, and 
> investigate and fix this issue at the same time.
> The solution can go into the next release. Your thoughts?
>
> Thanks,
> Sammi
> -Original Message-
> From: Li, Jiajia [mailto:jiajia...@intel.com]
> Sent: Thursday, July 28, 2016 9:46 AM
> To: kerby@directory.apache.org; cohei...@apache.org
> Subject: RE: Anonymous PKINIT signatures
>
> Hi Colm,
>
> When I was looking at the krb5 source code, I found the function 
> cms_signeddata_verify in pkinit_crypto_openssl.c with the following
> comments:
> " if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
>     ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
>     /* Not actually signed; anonymous case */
>     if (!is_signed)
>         goto cleanup;
> "
> When the client parses the PA-PK-AS-REP message, it will call the 
> cms_signeddata_verify function. So that is where my point comes from.
> But what you said makes me doubt myself; I will take some time to dig 
> into this issue.
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, July 27, 2016 8:59 PM
> To: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT signatures
>
> Hi Jiajia,
>
> It's the client that's anonymous here, and not the KDC. This page 
> leads me to believe that the KDC does in fact sign the response to the client:
>
> http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html
>
> "For anonymous PKINIT, a KDC certificate is required, but client 
> certificates are not."
> "The result of this operation will be in two files, kdckey.pem and kdc.pem.
> Both files must be placed in the KDC’s filesystem. kdckey.pem, which 
> contains the KDC’s private key, must be carefully protected."
>
> Colm.
>
> On Tue, Jul 26, 2016 at 3:08 AM, Li, Jiajia wrote:
>
> > Hi Colm,
> > >> However, the client doesn't use the certificate to verify a 
> > >> signature, and thus prove that the KDC knows the private key 
> > >> associated with the cert. Is this correct?
> > You are right. I think in the anonymous case it is not actually signed.
> > Thanks,
> > Jiajia
> >
> >
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, July 22, 2016 11:22 PM
> > To: Li, Jiajia 
> > Cc: kerby@directory.apache.org
> > Subject: Re: Anonymous PKINIT signatures
> >
> > Hi Jiajia,
> > So if I understand you correctly, what you are saying is that it is 
> > sufficient to verify that the Subject (alternative name) of the 
> > Certificate matches that of the "known principal" of the KDC? In 
> > other words, the KDC is not doing any asymmetric signature, it is 
> > just "presenting" the certificate to the client. The client verifies 
> > that the certificate is trusted, and then verifies that the KDC 
> > principal matches the certificate.
> > However, the client doesn't use the certificate to verify a 
> > signature, and thus prove that the KDC knows the private key 
> > associated with the cert.
> > Is this correct?
> > It's a bit unusual from a security POV but I think it's ok. We're 
> > verifying trust in the certificate path and we're putting a hard 
> > constraint on the Subject of the certificate. A malicious KDC/MITM 
> > could forge a certificate, but then trust validation would fail, or 
> > else get a certificate for another KDC, but then the constraint 
> > would fail. So I think it's ok.
> >
> > Colm.

RE: Anonymous PKINIT signatures

2016-09-27 Thread Chen, Sammi
Hi Colm,

I'm ramping up on this anonymous PKINIT signature issue. I may take a while to 
understand the question and figure out the solution, and would like to discuss 
it with you when I have some thoughts.

In the meantime, I'm trying to move the Kerby 1.0.0-RC3 release along. The 
community has implemented new features and made a lot of improvements and bug 
fixes since the RC2 release. With Hadoop 3.0 about to be released soon, 
it would be better if we can have a Kerby release in the near future. I'm 
afraid that this will take me a longer time, and can't catch up with the RC3 
release. So I wonder if we can release RC3 first, and investigate and fix this 
issue at the same time.
The solution can go into the next release. Your thoughts?

Thanks,
Sammi
-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Thursday, July 28, 2016 9:46 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: RE: Anonymous PKINIT signatures

Hi Colm,

When I was looking at the krb5 source code, I found the function 
cms_signeddata_verify in pkinit_crypto_openssl.c with the following comments:
" if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
    ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
    /* Not actually signed; anonymous case */
    if (!is_signed)
        goto cleanup;
"
When the client parses the PA-PK-AS-REP message, it will call the 
cms_signeddata_verify function. So that is where my point comes from.
But what you said makes me doubt myself; I will take some time to dig into this 
issue.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, July 27, 2016 8:59 PM
To: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT signatures

Hi Jiajia,

It's the client that's anonymous here, and not the KDC. This page leads me to 
believe that the KDC does in fact sign the response to the client:

http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html

"For anonymous PKINIT, a KDC certificate is required, but client certificates 
are not."
"The result of this operation will be in two files, kdckey.pem and kdc.pem.
Both files must be placed in the KDC’s filesystem. kdckey.pem, which contains 
the KDC’s private key, must be carefully protected."

Colm.

On Tue, Jul 26, 2016 at 3:08 AM, Li, Jiajia wrote:

> Hi Colm,
> >> However, the client doesn't use the certificate to verify a 
> >> signature, and thus prove that the KDC knows the private key 
> >> associated with the cert. Is this correct?
> You are right. I think in the anonymous case it is not actually signed.
> Thanks,
> Jiajia
>
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, July 22, 2016 11:22 PM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT signatures
>
> Hi Jiajia,
> So if I understand you correctly, what you are saying is that it is 
> sufficient to verify that the Subject (alternative name) of the 
> Certificate matches that of the "known principal" of the KDC? In other 
> words, the KDC is not doing any asymmetric signature, it is just 
> "presenting" the certificate to the client. The client verifies that 
> the certificate is trusted, and then verifies that the KDC principal matches 
> the certificate.
> However, the client doesn't use the certificate to verify a signature, 
> and thus prove that the KDC knows the private key associated with the cert.
> Is this correct?
> It's a bit unusual from a security POV but I think it's ok. We're 
> verifying trust in the certificate path and we're putting a hard 
> constraint on the Subject of the certificate. A malicious KDC/MITM 
> could forge a certificate, but then trust validation would fail, or 
> else get a certificate for another KDC, but then the constraint would 
> fail. So I think it's ok.
>
> Colm.
>
> On Fri, Jul 22, 2016 at 3:40 AM, Li, Jiajia <jiajia...@intel.com> wrote:
> Hi Colm,
> >> >However, I can't see where it is signing the response with the 
> >> >private key associated with the KDC. This is a requirement for 
> >> >anonymous PKINIT
>
> Yes, you are right. The "Identity" should be used in anonymous PKINIT.
> But now in the client PkinitPreauth, starting from line 393, we skip using 
> the certificateSet which is returned by the server, so now the code can't 
> verify the KDC SANs, EKU and so on. For example, the function 
> cryptoRetrieveX509Sans#PkinitCrypto is marked as TODO.
>
>
> Thanks
> Jiajia
>
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Thursday, July 21, 2016 7:27 PM
> To: kerby@directory.apache.org
> Subject: Anonymous PKINIT signatures
>
> Hi all,
>
> I'm continuing to look at anonymous PKINIT as implemented in Kerby. 
> I'm a bit puzzled by a few things relating to signatures and would 
> welcome some feedback.
>
> Looking at the server PkinitPreauth, it appears that Diffie-Hellman is 
> used to establish a shared secret key with the client. However,
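The distinction Colm draws in this thread, between a KDC that merely presents a certificate and one that proves it holds the matching private key, as an added Go example using only the standard library (this is not Kerby's Java code): chain trust and the SAN constraint are checked first, then the signature over the reply is verified with the certificate's public key. The KDC name, reply bytes and self-signed test certificate are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeKDCCert mints a self-signed KDC certificate with the KDC's name in a SAN
// (constructed test material; a real kdc.pem would chain to the realm's CA).
func makeKDCCert(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signReply is what a KDC that really holds kdckey.pem does to its reply.
func signReply(key *ecdsa.PrivateKey, reply []byte) []byte {
	h := sha256.Sum256(reply)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// verifyReply is the client side: chain trust plus the name constraint is the
// check debated in the thread; the signature check is the proof of possession.
func verifyReply(cert *x509.Certificate, roots *x509.CertPool, kdcName string, reply, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: kdcName}); err != nil {
		return err // untrusted chain, or the SAN does not name our KDC
	}
	h := sha256.Sum256(reply)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("reply not signed with the presented certificate's key")
	}
	return nil
}
```

Without the final check, anyone who can replay the genuine, trusted kdc.pem passes both the trust-path and name checks without ever touching kdckey.pem.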

RE: Prepare for 1.0.0-RC3

2016-09-26 Thread Chen, Sammi
Hi All,

Since Jiajia is taking leave, I will help move the Kerby 1.0 release along. 
Thanks for all your support.

So far, the following items are done:
1. Update the readme and Javadoc - Done
2. Do some tests of the tools - Done
3. Add logs to improve exception handling - Done

Please suggest if anything is missed or should be handled before the release.

Thanks,
Sammi

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Wednesday, July 27, 2016 2:53 PM
To: kerby@directory.apache.org
Subject: Prepare for 1.0.0-RC3


Hi all,

On March 13, the 1.0.0-RC2 of Kerby was released. We're thinking about a new 
Kerby release (RC3).
From Mar 13 to Jul 27, 60 JIRA issues were resolved, including the following 
important features:

1. Kerby authorization support. Gerard and Richard provided the large patch.
2. XDR support.
3. Some remote kadmin APIs (add, delete and list).
4. Some important fixes for JWT pre-authentication and SimpleKdcServer.

I think the following issues should be solved before release:
1. Update the readme and javadoc
2. Do some tests of tools.
What else did I miss here?

What do you think about this?

Thanks
Jiajia



RE: Sync up

2016-09-21 Thread Chen, Sammi
Congratulations to Jiajia! 

And thanks all for the support.

-Original Message-
From: Gerard Gagliano [mailto:gera...@prodentity.com] 
Sent: Wednesday, September 21, 2016 10:53 PM
To: Apache Directory Developers List 
Cc: kerby@directory.apache.org; Chen, Sammi; Li, Jiajia
Subject: Re: Sync up

Congratulations JiaJia!

And welcome Sammi.

Regards,
Gerard
--

> On Sep 21, 2016, at 2:45 AM, Zheng, Kai wrote:
> 
> Hi folks,
>  
> I'd like to update that our tech lead Jiajia on the Kerby project is taking a 
> long leave from the team and has delivered a very cute baby. Congratulations 
> to Jiajia! After some basic ramp up, Sammi will help with her role on my side 
> and try to move on. Thanks for the support.
>  
> Regards,
> Kai