
High performance ASN.1 parser for Kerberos KDC Proxy [KKDCP]

Project description

High performance ASN.1 parser for Kerberos KDC Proxy [MS-KKDCP]


The Kerberos Key Distribution Center Proxy Protocol [MS-KKDCP] provides a mechanism to proxy Kerberos over HTTPS. A standard Kerberos payload is wrapped in an additional KDC-PROXY-MESSAGE sequence and sent as an HTTPS POST request to a proxy server. The proxy server unwraps the request and forwards the inner request to a KDC. The proxy server usually resides in the DMZ.

The kkdcpasn1 package provides a high performance, low memory usage decoder and encoder for KDC-PROXY-MESSAGE. The ASN.1 part is handled by a C parser auto-generated by asn1c. The Python interface is implemented in Cython. On modern hardware it takes less than 15ns to decode a request and wrap a response.

Author: Christian Heimes <cheimes@redhat.com>

[MS-KKDCP] https://msdn.microsoft.com/en-us/library/hh553774.aspx

Parse request

>>> import kkdcpasn1
>>> asreq1 = b'''0\x81\xc4\xa0\x81\xb0\x04\x81\xad\x00\x00\x00\xa9j\
\x81\xa60\x81\xa3\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\n\xa3\x0e0\x0c\
0\n\xa1\x04\x02\x02\x00\x95\xa2\x02\x04\x00\xa4\x81\x860\x81\x83\xa0\
\x07\x03\x05\x00@\x00\x00\x10\xa1\x120\x10\xa0\x03\x02\x01\x01\xa1\
\t0\x07\x1b\x05admin\xa2\x0f\x1b\rFREEIPA.LOCAL\xa3"0 \xa0\x03\x02\
\x01\x02\xa1\x190\x17\x1b\x06krbtgt\x1b\rFREEIPA.LOCAL\xa5\x11\x18\
\x0f20150514104238Z\xa7\x06\x02\x04\x11\xc8c\xb5\xa8\x140\x12\x02\x01\
\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x19\x02\x01\x1a\xa1\
\x0f\x1b\rFREEIPA.LOCAL'''
>>> result = kkdcpasn1.decode_kkdcp_request(asreq1)
>>> result.realm
'FREEIPA.LOCAL'
>>> result.dclocator_hint
0
>>> result.request_type
'asreq'
>>> result.consumed
169
>>> result.offset
4
>>> result.request
...

Request types are:

  • asreq: authentication server request

  • tgsreq: ticket granting server request

  • apreq: kpasswd change request

Wrap response

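>>> import kkdcpasn1
>>> # tcp_data: reply read from the KDC over TCP, 4-byte length prefix included
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(tcp_data)
>>> # udp_data: reply read from the KDC over UDP, which carries no length prefix
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(udp_data, add_prefix=True)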

ASN.1

KKDCP DEFINITIONS EXPLICIT TAGS ::=
BEGIN

AS-REQ ::= [APPLICATION 10] KDC-REQ

TGS-REQ ::= [APPLICATION 12] KDC-REQ

KDC-REQ ::= SEQUENCE {
    pvno         [1] INTEGER,
    msg-type     [2] INTEGER,
    padata       [3] SEQUENCE OF PA-DATA OPTIONAL,
    req-body     [4] KDC-REQ-BODY
}

PA-DATA ::= SEQUENCE {
    padata-type  [1] INTEGER,
    pa-data      [2] OCTET STRING
}

KDC-REQ-BODY ::= SEQUENCE {
    kdc-options  [0] KDCOptions,
    cname        [1] PrincipalName OPTIONAL,
    realm        [2] Realm,
    sname        [3] PrincipalName OPTIONAL,
    from         [4] KerberosTime OPTIONAL,
    till         [5] KerberosTime,
    rtime        [6] KerberosTime OPTIONAL,
    nonce        [7] INTEGER,
    etype        [8] SEQUENCE OF INTEGER,
    addresses    [9] HostAddresses OPTIONAL,
    enc-authorization-data       [10] EncryptedData OPTIONAL,
    additional-tickets   [11] SEQUENCE OF Ticket OPTIONAL
}

KDCOptions ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    allow-postdate(5),
    postdated(6),
    unused7(7),
    renewable(8),
    unused9(9),
    renewable-ok(27),
    enc-tkt-in-skey(28),
    renew(30),
    validate(31)
}

PrincipalName ::= SEQUENCE {
    name-type    [0] INTEGER,
    name-string  [1] SEQUENCE OF GeneralString
}

Realm ::= GeneralString

KerberosTime ::= GeneralizedTime

HostAddress ::= SEQUENCE {
    addr-type    [0] INTEGER,
    address      [1] OCTET STRING
}

HostAddresses ::= SEQUENCE OF HostAddress

EncryptedData ::= SEQUENCE {
    etype        [0] INTEGER,
    kvno         [1] INTEGER OPTIONAL,
    cipher       [2] OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno      [0] INTEGER,
    realm        [1] Realm,
    sname        [2] PrincipalName,
    enc-part     [3] EncryptedData
}

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno         [0] INTEGER,
    msg-type     [1] INTEGER,
    ap-options   [2] APOptions,
    ticket       [3] Ticket,
    authenticator        [4] EncryptedData
}

APOptions ::= BIT STRING {
    reserved(0),
    use-session-key(1),
    mutual-required(2)
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno         [0] INTEGER,
    msg-type     [1] INTEGER,
    enc-part     [3] EncryptedData
}

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message         [0] OCTET STRING,
    target-domain        [1] Realm OPTIONAL,
    dclocator-hint       [2] INTEGER OPTIONAL
}

END
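
The unwrapping step a proxy performs on untrusted POST bodies, as an added pure-Python example (not kkdcpasn1's own code, which uses an asn1c-generated C parser). The names read_tlv, explicit and parse_kdc_proxy_message and the SAMPLE bytes are constructed for illustration; the parser only covers definite-length, single-octet tags, which is all KDC-PROXY-MESSAGE needs.

```python
# First octet of AS-REQ / TGS-REQ / AP-REQ: [APPLICATION 10/12/14], constructed.
REQUEST_TYPES = {0x6A: "asreq", 0x6C: "tgsreq", 0x6E: "apreq"}
# Constructed sample (not captured traffic): empty AS-REQ shell, realm "A.TEST".
SAMPLE = bytes.fromhex("3016a00a0408000000046a023000a1081b06412e54455354")

def read_tlv(buf, pos):
    """Read one definite-length TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: n length octets follow
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > len(buf) - pos:            # never trust a declared length
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def explicit(fields, ctx_tag, inner_tag, default=None):
    """Unwrap EXPLICIT [n]: the field must hold exactly one inner TLV."""
    if ctx_tag not in fields:
        return default
    tag, inner, end = read_tlv(fields[ctx_tag], 0)
    if tag != inner_tag or end != len(fields[ctx_tag]):
        raise ValueError("unexpected type in field 0x%02x" % ctx_tag)
    return inner

def parse_kdc_proxy_message(data):
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):    # one SEQUENCE, no trailing bytes
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx, value, pos = read_tlv(body, pos)
        if ctx in fields:
            raise ValueError("duplicate field")
        fields[ctx] = value
    kerb = explicit(fields, 0xA0, 0x04)    # kerb-message, OCTET STRING
    if kerb is None or len(kerb) < 5:
        raise ValueError("missing or empty kerb-message")
    if int.from_bytes(kerb[:4], "big") != len(kerb) - 4:
        raise ValueError("4-byte length prefix does not match payload")
    realm = explicit(fields, 0xA1, 0x1B, b"")   # target-domain, GeneralString
    hint = explicit(fields, 0xA2, 0x02, b"")    # dclocator-hint; absent => 0
    return {"request_type": REQUEST_TYPES.get(kerb[4]), "request": kerb[4:],
            "realm": realm.decode("ascii"),
            "dclocator_hint": int.from_bytes(hint, "big", signed=True)}
```

Every malformed input raises ValueError, so a proxy can answer with an HTTP error instead of forwarding a payload whose framing it could not verify.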


Source Distribution

kkdcpasn1-0.2.tar.gz (146.5 kB)
