javax.security.auth.kerberos.KerberosKey Java Examples
The following examples show how to use
javax.security.auth.kerberos.KerberosKey.
Example #1
Source File: ServiceCreds.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 6 votes |
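/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}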
Example #2
Source File: KerberosRelevantAuthData.java From jcifs with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Decodes {@code token} as an ASN.1 sequence of authorization elements and
 * collects what {@code KerberosAuthData.parse} returns for each of them.
 *
 * <p>Each element is read as a sequence whose tagged field 0 is the integer
 * type and whose tagged field 1 is the octet-string payload.
 *
 * @param token encoded authorization data
 * @param keys keys handed on unchanged to {@code KerberosAuthData.parse}
 * @throws PACDecodingException if the token cannot be read as ASN.1
 */
public KerberosRelevantAuthData ( byte[] token, Map<Integer, KerberosKey> keys ) throws PACDecodingException {
    DLSequence elements;
    // One try-with-resources carries the catch clause, so I/O failures from
    // reading and from closing the stream are both reported the same way.
    try ( ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(token)) ) {
        elements = ASN1Util.as(DLSequence.class, in);
    }
    catch ( IOException e ) {
        throw new PACDecodingException("Malformed kerberos ticket", e);
    }

    this.authorizations = new ArrayList<>();
    for ( Enumeration<?> it = elements.getObjects(); it.hasMoreElements(); ) {
        DLSequence element = ASN1Util.as(DLSequence.class, it);
        DERTaggedObject typeField = ASN1Util.as(DERTaggedObject.class, element, 0);
        ASN1Integer type = ASN1Util.as(ASN1Integer.class, typeField);
        DERTaggedObject dataField = ASN1Util.as(DERTaggedObject.class, element, 1);
        DEROctetString data = ASN1Util.as(DEROctetString.class, dataField);
        // NOTE(review): intValue() keeps only the low 32 bits of the encoded type.
        // NOTE(review): if parse() builds this class again for nested elements,
        // the nesting depth is set by the input alone; confirm a limit exists.
        this.authorizations.addAll(KerberosAuthData.parse(type.getValue().intValue(), data.getOctets(), keys));
    }
}
Example #3
Source File: ServiceCreds.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
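/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}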
Example #4
Source File: KerberosAuthData.java From jcifs with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Turns one authorization-data element into zero or more parsed entries.
 *
 * <p>{@code AUTH_DATA_RELEVANT} yields whatever the nested
 * {@code KerberosRelevantAuthData} collected, {@code AUTH_DATA_PAC} yields a
 * single {@code KerberosPacAuthData}, and any other type yields an empty list
 * without reporting an error.
 *
 * @param authType authorization-data type selecting the decoder
 * @param token encoded payload of the element
 * @param keys keys passed on to the decoder
 * @return the parsed entries, possibly empty, never null from this method's own branches
 * @throws PACDecodingException if a decoder rejects the payload
 */
public static List<KerberosAuthData> parse ( int authType, byte[] token, Map<Integer, KerberosKey> keys ) throws PACDecodingException {
    switch ( authType ) {
    case KerberosConstants.AUTH_DATA_RELEVANT:
        // NOTE(review): this decoder receives the same token bytes; if it calls
        // back into parse(), nesting depth is bounded only by the input.
        return new KerberosRelevantAuthData(token, keys).getAuthorizations();
    case KerberosConstants.AUTH_DATA_PAC: {
        List<KerberosAuthData> pacOnly = new ArrayList<>();
        pacOnly.add(new KerberosPacAuthData(token, keys));
        return pacOnly;
    }
    default:
        // Unknown types are skipped, not rejected.
        return new ArrayList<>();
    }
}
Example #5
Source File: KrbCredSubKey.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
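/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}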
Example #6
Source File: ServiceCreds.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
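/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}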
Example #7
Source File: KrbCredSubKey.java From openjdk-8 with GNU General Public License v2.0 | 6 votes |
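/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}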
Example #8
Source File: PacMac.java From jcifs with GNU Lesser General Public License v2.1 | 6 votes |
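/**
 * Derives key bytes from {@code key} by encrypting {@code constant} with AES
 * and feeding each output block back in until enough bytes are produced.
 *
 * <p>The cipher is AES/CBC/NoPadding with {@code ZERO_IV}. The local copy of
 * the base key is overwritten before returning, matching how
 * {@code calculateMacHMACAES} clears its derived key.
 *
 * @param key base key; its encoded bytes are used as the AES key
 * @param constant derivation constant; folded to the cipher block size via
 *        {@code expandNFold} when its length differs
 * @return derived key, as long as the encoded base key; the caller owns it
 *         and should clear it after use
 * @throws GeneralSecurityException if the cipher cannot be created or used
 */
public static byte[] deriveKeyAES ( KerberosKey key, byte[] constant ) throws GeneralSecurityException {
    byte[] keybytes = key.getEncoded();
    try {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keybytes, "AES"), new IvParameterSpec(ZERO_IV, 0, ZERO_IV.length));
        if ( constant.length != cipher.getBlockSize() ) {
            constant = expandNFold(constant, cipher.getBlockSize());
        }
        byte[] enc = constant;
        int klen = keybytes.length;
        byte[] dk = new byte[klen];
        for ( int n = 0; n < klen; ) {
            // Each round encrypts the previous round's output.
            byte[] block = cipher.doFinal(enc);
            // The last block may be only partly needed.
            int len = Math.min(klen - n, block.length);
            System.arraycopy(block, 0, dk, n, len);
            n += len;
            enc = block;
        }
        return dk;
    }
    finally {
        // Wipe the temporary copy of the base key on every exit path.
        // NOTE(review): relies on getEncoded() returning a copy, as the JDK's
        // KerberosKey does; confirm for any subclass passed in.
        Arrays.fill(keybytes, (byte) 0);
    }
}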
Example #9
Source File: PacMac.java From jcifs with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Computes a 12-byte MAC over {@code input}: HMAC-SHA1 keyed with a key
 * derived from {@code baseKey} and {@code usage}, truncated to 12 bytes.
 *
 * <p>The derivation constant is the big-endian {@code usage} followed by
 * {@code 0x99}. The derived key is zeroed before returning.
 *
 * @param usage key-usage number mixed into the derivation constant
 * @param baseKey key the checksum key is derived from
 * @param input data to authenticate
 * @return the first 12 bytes of the HMAC-SHA1 output
 * @throws GeneralSecurityException if key derivation or the MAC fails
 */
public static byte[] calculateMacHMACAES ( int usage, KerberosKey baseKey, byte[] input ) throws GeneralSecurityException {
    // Narrowing to byte keeps the low 8 bits, so no explicit mask is needed.
    byte[] derivationConstant = {
        (byte) ( usage >>> 24 ),
        (byte) ( usage >>> 16 ),
        (byte) ( usage >>> 8 ),
        (byte) usage,
        (byte) 0x99
    };

    byte[] checksumKey = deriveKeyAES(baseKey, derivationConstant);
    try {
        Mac hmac = Mac.getInstance("HmacSHA1");
        hmac.init(new SecretKeySpec(checksumKey, HMAC_KEY));
        byte[] full = hmac.doFinal(input);
        byte[] truncated = new byte[12];
        System.arraycopy(full, 0, truncated, 0, truncated.length);
        // NOTE(review): callers that verify a received MAC against this value
        // should compare in constant time (e.g. MessageDigest.isEqual).
        return truncated;
    }
    finally {
        // Clear the derived key whether or not the MAC succeeded.
        Arrays.fill(checksumKey, (byte) 0);
    }
}
Example #10
Source File: KrbCredSubKey.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
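/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}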
Example #11
Source File: PacMac.java From jcifs-ng with GNU Lesser General Public License v2.1 | 6 votes |
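/**
 * Derives key bytes from {@code key} by encrypting {@code constant} with AES
 * and feeding each output block back in until enough bytes are produced.
 *
 * <p>The cipher is AES/CBC/NoPadding with {@code ZERO_IV}. The local copy of
 * the base key is overwritten before returning, matching how
 * {@code calculateMacHMACAES} clears its derived key.
 *
 * @param key base key; its encoded bytes are used as the AES key
 * @param constant derivation constant; folded to the cipher block size via
 *        {@code expandNFold} when its length differs
 * @return derived key, as long as the encoded base key; the caller owns it
 *         and should clear it after use
 * @throws GeneralSecurityException if the cipher cannot be created or used
 */
public static byte[] deriveKeyAES ( KerberosKey key, byte[] constant ) throws GeneralSecurityException {
    byte[] keybytes = key.getEncoded();
    try {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keybytes, "AES"), new IvParameterSpec(ZERO_IV, 0, ZERO_IV.length));
        if ( constant.length != cipher.getBlockSize() ) {
            constant = expandNFold(constant, cipher.getBlockSize());
        }
        byte[] enc = constant;
        int klen = keybytes.length;
        byte[] dk = new byte[klen];
        for ( int n = 0; n < klen; ) {
            // Each round encrypts the previous round's output.
            byte[] block = cipher.doFinal(enc);
            // The last block may be only partly needed.
            int len = Math.min(klen - n, block.length);
            System.arraycopy(block, 0, dk, n, len);
            n += len;
            enc = block;
        }
        return dk;
    }
    finally {
        // Wipe the temporary copy of the base key on every exit path.
        // NOTE(review): relies on getEncoded() returning a copy, as the JDK's
        // KerberosKey does; confirm for any subclass passed in.
        Arrays.fill(keybytes, (byte) 0);
    }
}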
Example #12
Source File: ServiceCreds.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: if nothing is stored under {@code princ}, every key from
 * {@code getKKeys()} is returned instead, so the requested name does not
 * limit the result in that case.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }

    KerberosKey[] source = getKKeys(new KerberosPrincipal(princ.getName()));
    if (source.length == 0) {
        // Compatibility fallback: old JDKs did no real name checking. An
        // acceptor holding host.sun.com may be asked for plain "host"; as long
        // as the keys match (one can decrypt the other's service ticket) the
        // authentication is accepted. Existing deployments rely on this to use
        // several names for one service.
        source = getKKeys();
    }

    EncryptionKey[] converted = new EncryptionKey[source.length];
    int slot = 0;
    for (KerberosKey k : source) {
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        converted[slot++] = new EncryptionKey(
                k.getEncoded(), k.getKeyType(), k.getVersionNumber());
    }
    return converted;
}
Example #13
Source File: KrbCredSubKey.java From openjdk-8-source with GNU General Public License v2.0 | 6 votes |
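/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}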
Example #14
Source File: ServiceCreds.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
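/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}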
Example #15
Source File: KrbCredSubKey.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 6 votes |
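/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}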
Example #16
Source File: PacMac.java From jcifs-ng with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Computes a 12-byte MAC over {@code input}: HMAC-SHA1 keyed with a key
 * derived from {@code baseKey} and {@code usage}, truncated to 12 bytes.
 *
 * <p>The derivation constant is the big-endian {@code usage} followed by
 * {@code 0x99}. The derived key is zeroed before returning.
 *
 * @param usage key-usage number mixed into the derivation constant
 * @param baseKey key the checksum key is derived from
 * @param input data to authenticate
 * @return the first 12 bytes of the HMAC-SHA1 output
 * @throws GeneralSecurityException if key derivation or the MAC fails
 */
public static byte[] calculateMacHMACAES ( int usage, KerberosKey baseKey, byte[] input ) throws GeneralSecurityException {
    // Narrowing to byte keeps the low 8 bits, so no explicit mask is needed.
    byte[] derivationConstant = {
        (byte) ( usage >>> 24 ),
        (byte) ( usage >>> 16 ),
        (byte) ( usage >>> 8 ),
        (byte) usage,
        (byte) 0x99
    };

    byte[] checksumKey = deriveKeyAES(baseKey, derivationConstant);
    try {
        Mac hmac = Mac.getInstance("HmacSHA1");
        hmac.init(new SecretKeySpec(checksumKey, HMAC_KEY));
        byte[] full = hmac.doFinal(input);
        byte[] truncated = new byte[12];
        System.arraycopy(full, 0, truncated, 0, truncated.length);
        // NOTE(review): callers that verify a received MAC against this value
        // should compare in constant time (e.g. MessageDigest.isEqual).
        return truncated;
    }
    finally {
        // Clear the derived key whether or not the MAC succeeded.
        Arrays.fill(checksumKey, (byte) 0);
    }
}
Example #17
Source File: KrbCredSubKey.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
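/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}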
Example #18
Source File: ServiceCreds.java From hottub with GNU General Public License v2.0 | 6 votes |
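/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}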
Example #19
Source File: KrbCredSubKey.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
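/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}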
Example #20
Source File: KrbCredSubKey.java From hottub with GNU General Public License v2.0 | 6 votes |
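/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}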
Example #21
Source File: ServiceCreds.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 6 votes |
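/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}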
Example #22
Source File: ServiceCreds.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
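/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}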
Example #23
Source File: ServiceCreds.java From openjdk-8-source with GNU General Public License v2.0 | 6 votes |
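/**
 * Gets EKeys for a principal.
 *
 * <p>Security note: when no key is stored under {@code princ}, this method
 * falls back to every key returned by {@code getKKeys()}, so the requested
 * name is not what restricts the result. Acceptance then depends only on one
 * of those keys being able to decrypt the service ticket.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        // Integer.valueOf replaces the Integer constructor: same boxed value,
        // without forcing a new object for every key.
        // NOTE(review): getEncoded() hands back raw key bytes; confirm whether
        // EncryptionKey copies them, because this temporary is never cleared here.
        ekeys[i] = new EncryptionKey(
                kkeys[i].getEncoded(),
                kkeys[i].getKeyType(),
                Integer.valueOf(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}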
Example #24
Source File: KrbCredSubKey.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
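/**
 * Builds an acceptor Subject that holds one AES128 {@link KerberosKey} and
 * feeds {@code token} to a GSS accept-only context under that Subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are declared outside this
 * method.
 *
 * @param args unused
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Security note: a clockskew this large means timestamp freshness is
    // effectively not enforced; this setting does not belong in a real krb5.conf.
    // try-with-resources closes the file handle instead of leaking it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    // The long-term key is placed directly in the Subject's private credentials.
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // A null name with ACCEPT_ONLY: the credential is not tied to a name here.
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}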
Example #25
Source File: KeyTabCompat.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Runs two client/server exchanges against a {@code OneKDC} and fails if the
 * second server ends up holding a {@link KerberosKey} private credential.
 *
 * @param args unused
 * @throws Exception if setup or a handshake fails, or a KerberosKey is found
 */
public static void main(String[] args) throws Exception {
    OneKDC kdc = new OneKDC("aes128-cts");
    kdc.writeJAASConf();
    // Fixed password for the server principal, then written into the keytab.
    kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    kdc.writeKtab(OneKDC.KTAB);

    // Part 1: both sides built from user name and password; the server's
    // principal set is emptied before it starts accepting.
    Context pwClient = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
    Context pwServer = Context.fromUserPass(OneKDC.USER2, OneKDC.PASS2, true);
    pwServer.s().getPrincipals().clear();
    pwClient.startAsClient(OneKDC.USER2, GSSUtil.GSS_KRB5_MECH_OID);
    pwServer.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(pwClient, pwServer);

    // Part 2: both sides built from the JAAS entries "client" and "server".
    Context jaasClient = Context.fromJAAS("client");
    Context jaasServer = Context.fromJAAS("server");
    jaasClient.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    jaasServer.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    jaasServer.status();

    // The server must not expose raw KerberosKey objects as private credentials.
    boolean holdsRawKey =
            !jaasServer.s().getPrivateCredentials(KerberosKey.class).isEmpty();
    if (holdsRawKey) {
        throw new Exception("There should be no KerberosKey");
    }
}
Example #26
Source File: KeyTabCompat.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Runs two client/server exchanges against a {@code OneKDC} and fails if the
 * second server ends up holding a {@link KerberosKey} private credential.
 *
 * @param args unused
 * @throws Exception if setup or a handshake fails, or a KerberosKey is found
 */
public static void main(String[] args) throws Exception {
    OneKDC kdc = new OneKDC("aes128-cts");
    kdc.writeJAASConf();
    // Fixed password for the server principal, then written into the keytab.
    kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    kdc.writeKtab(OneKDC.KTAB);

    // Part 1: both sides built from user name and password; the server's
    // principal set is emptied before it starts accepting.
    Context pwClient = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
    Context pwServer = Context.fromUserPass(OneKDC.USER2, OneKDC.PASS2, true);
    pwServer.s().getPrincipals().clear();
    pwClient.startAsClient(OneKDC.USER2, GSSUtil.GSS_KRB5_MECH_OID);
    pwServer.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(pwClient, pwServer);

    // Part 2: both sides built from the JAAS entries "client" and "server".
    Context jaasClient = Context.fromJAAS("client");
    Context jaasServer = Context.fromJAAS("server");
    jaasClient.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    jaasServer.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    jaasServer.status();

    // The server must not expose raw KerberosKey objects as private credentials.
    boolean holdsRawKey =
            !jaasServer.s().getPrivateCredentials(KerberosKey.class).isEmpty();
    if (holdsRawKey) {
        throw new Exception("There should be no KerberosKey");
    }
}
Example #27
Source File: StandardNames.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Builds a {@link KerberosKey} from an encryption-type number and checks that
 * it reports the expected algorithm name, the same type and version 13.
 *
 * <p>{@code kp} and {@code keyBytes} are declared outside this method.
 *
 * @param i encryption-type number passed to the constructor
 * @param n algorithm name the key is expected to report
 * @throws Exception carrying {@code i} as text when any check fails
 */
private static void checkByEType(int i, String n) throws Exception {
    System.out.println("CheckByInt " + i);
    final int expectedVersion = 13;
    KerberosKey built = new KerberosKey(kp, keyBytes, i, expectedVersion);

    // Checks run in the original order: algorithm, key type, version.
    boolean algorithmMatches = built.getAlgorithm().equals(n);
    if (!algorithmMatches) {
        throw new Exception(String.valueOf(i));
    }
    if (built.getKeyType() != i) {
        throw new Exception(String.valueOf(i));
    }
    if (built.getVersionNumber() != expectedVersion) {
        throw new Exception(String.valueOf(i));
    }
}
Example #28
Source File: KPEquals.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Gives a fresh server context the keytab keys of the service principal,
 * added by hand as private credentials, and runs a handshake against a
 * JAAS-configured client.
 *
 * @param args unused
 * @throws Exception if setup or the handshake fails
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();

    Context client = Context.fromJAAS("client");
    Context server = Context.fromThinAir();

    String serviceName = OneKDC.SERVER + "@" + OneKDC.REALM;
    KerberosPrincipal servicePrincipal =
            new KerberosPrincipal(serviceName, KerberosPrincipal.KRB_NT_SRV_INST);
    server.s().getPrincipals().add(servicePrincipal);

    // Long-term keys are read from the keytab and placed in the Subject directly.
    KerberosKey[] keytabKeys =
            KeyTab.getInstance(servicePrincipal).getKeys(servicePrincipal);
    for (KerberosKey keytabKey : keytabKeys) {
        server.s().getPrivateCredentials().add(keytabKey);
    }

    client.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    server.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(client, server);
}
Example #29
Source File: KeyTabCompat.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Runs two client/server exchanges against a {@code OneKDC} and fails if the
 * second server ends up holding a {@link KerberosKey} private credential.
 *
 * @param args unused
 * @throws Exception if setup or a handshake fails, or a KerberosKey is found
 */
public static void main(String[] args) throws Exception {
    OneKDC kdc = new OneKDC("aes128-cts");
    kdc.writeJAASConf();
    // Fixed password for the server principal, then written into the keytab.
    kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    kdc.writeKtab(OneKDC.KTAB);

    // Part 1: both sides built from user name and password; the server's
    // principal set is emptied before it starts accepting.
    Context pwClient = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
    Context pwServer = Context.fromUserPass(OneKDC.USER2, OneKDC.PASS2, true);
    pwServer.s().getPrincipals().clear();
    pwClient.startAsClient(OneKDC.USER2, GSSUtil.GSS_KRB5_MECH_OID);
    pwServer.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(pwClient, pwServer);

    // Part 2: both sides built from the JAAS entries "client" and "server".
    Context jaasClient = Context.fromJAAS("client");
    Context jaasServer = Context.fromJAAS("server");
    jaasClient.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    jaasServer.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    jaasServer.status();

    // The server must not expose raw KerberosKey objects as private credentials.
    boolean holdsRawKey =
            !jaasServer.s().getPrivateCredentials(KerberosKey.class).isEmpty();
    if (holdsRawKey) {
        throw new Exception("There should be no KerberosKey");
    }
}
Example #30
Source File: StandardNames.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Builds a {@link KerberosKey} from a password and an algorithm name and
 * checks that it reports the expected name, encryption type and version 0.
 *
 * <p>{@code kp} and {@code pass} are declared outside this method.
 *
 * @param n algorithm name passed to the constructor
 * @param e expected values; its {@code name} and {@code etype} are compared
 * @throws Exception carrying {@code n} when any check fails
 */
private static void checkByName(String n, EncType e) throws Exception {
    System.out.println("CheckByName " + n);
    KerberosKey derived = new KerberosKey(kp, pass, n);

    // Checks run in the original order: algorithm, key type, version.
    boolean algorithmMatches = derived.getAlgorithm().equals(e.name);
    if (!algorithmMatches) {
        throw new Exception(n);
    }
    if (derived.getKeyType() != e.etype) {
        throw new Exception(n);
    }
    if (derived.getVersionNumber() != 0) {
        throw new Exception(n);
    }
}