Skip to content

drankye/haox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

305 Commits
3rdparty
3rdparty
 
 
benchmark
benchmark
 
 
contrib
contrib
 
 
docs
docs
 
 
haox-kdc
haox-kdc
 
 
haox-kerb
haox-kerb
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Haox (now Apache Kerby)

Haox aims for a Java Kerberos binding, and provides richful, inituitive and interoperable implementation, library and various facilities that integrate Kerberos, PKI and token (OAuth) as desired in modern environments such as mobile, cloud and Hadoop.

The Initiatives/Goals

  • Aims as a Java Kerberos binding, with richful and integrated facilities that integrate Kerberos, PKI and token (OAuth) for both client and server sides.
  • Provides client APIs in Kerberos protocol level to interact with a KDC server thru AS and TGS exchanges.
  • Provides an embeded KDC server that applications can easily integrate into products, unit tests or integration tests.
  • Supports FAST/Preauthentication framework to allow popular and useful authentication mechanisms.
  • Supports PKINIT mechanism to allow clients to request tickets using x509 certificate credential.
  • Supports Token Preauth mechanism to allow clients to request tickets using JWT tokens.
  • Provides support for JAAS, GSSAPI and SASL frameworks that applications can leverage.
  • Least dependency, the core part is ensured to depend only on JRE, for easy use and maintain.

Update

Haox project was contributed to ApacheDS community as a sub-project named as "Apache Kerby". It's still ongoing, ref. https://issues.apache.org/jira/browse/DIRKRB-102 Contribution is welcome.

Status

As follows, with the core and critical parts done, important features are still ongoing. It's going to release 0.1 version in the early next year. We do not suggest production usage prior to the release.

ASN-1 (done)
Kerberos core and codec (done)
Kerberos Crypto (done)
Embedded KDC (the core done)
KrbClient (partial APIs done and available)
Preauth/FAST framework (partially done)
Token Preauth (ongoing)
PKINIT (ongoing)
Keytab util (credential cache and keytab support, done)

Desired KrbClient APIs (partialy done)

  • Initiate a KrbClient
KrbClient krbClient = new KrbClient(kdcHost, kdcPort);
  • Request a TGT with user plain password credential
krbClient.requestTgtTicket(principal, password);
  • Request a TGT with user x509 certificate credential
krbClient.requestTgtTicket(principal, certificate);
  • Request a TGT with user token credential
krbClient.requestTgtTicket(principal, kerbToken);
  • Request a service ticket with user TGT credential for a server
krbClient.requestServiceTicket(tgt, serverPrincipal);
  • Request a service ticket with user AccessToken credential for a server
krbClient.requestServiceTicket(accessToken, serverPrincipal);

The ASN-1 support

Please look at haox-asn1 for details.

Kerberos Crypto and Encryption Types

Implementing des, des3, rc4, aes, camellia encryption and corresponding checksum types Interoperates with MIT Kerberos and Microsoft AD Independent with Kerberos codes in JRE, but rely on JCE

Encryption Type Description
des-cbc-crc DES cbc mode with CRC-32 (weak)
des-cbc-md4 DES cbc mode with RSA-MD4 (weak)
des-cbc-md5 DES cbc mode with RSA-MD5 (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1
des-hmac-sha1 DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3 The triple DES family: des3-cbc-sha1
aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
rc4 The RC4 family: arcfour-hmac
camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac

Dependency

The core part is ensured to only depend on JRE. Every external dependency is taken carefully and maintained separately.

Contrib Projects
  • haox-asn1. A model driven ASN-1 encoding and decoding framework
  • haox-event. A pure event driven application framework aiming to construct applications of asynchronous and concurrent handlers. It includes UDP and TCP transport based on pure Java NIO and concurrency pattern.
  • haox-config. A unified configuration API that aims to support various configuration file formats, like XML, JNI, CSV and Java Properties file.
  • haox-token. Implements a JWT token API for Kerberos that's defined in TokenPreauth drafts.

License

Apache License V2.0

About

A Kerberos implementation in Java

Resources

Readme

License

Apache-2.0 license
Activity

Stars

13 stars

Watchers

9 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages