Skip to main content
Join the official 2019 Python Developers SurveyStart the survey!

High performance ASN.1 parser for Kerberos KDC Proxy [KKDCP]

Project description

High performance ASN.1 parser for Kerberos KDC Proxy [MS-KKDCP]

https://travis-ci.org/tiran/kkdcpasn1.svg?branch=master

The Kerberos Key Distribution Center Proxy Protocol [MS-KKDCP] provides a mechanism to proxy Kerberos over HTTPS. Standard Kerberos payload is wrapped in an additional KDC-PROXY-MESSAGE sequence and sent as HTTPS POST request to a proxy server. The proxy server unwraps the request and forwards its inner request to a KDC. The proxy server usually resides in the DMZ.

The kkdcpasn1 package provides a high performance, low memory usage decoder and encoder for KDC-PROXY-MESSAGE. The ASN.1 part is handled by a C parser auto-generated by asn1c. The Python interface is implemented in Cython. On modern hardware it takes less than 15ns to decode a request and wrap a response.

Author: Christian Heimes cheimes@redhat.com

https://msdn.microsoft.com/en-us/library/hh553774.aspx

Parse request

>>> import kkdcpasn1
>>> asreq1 = b'''0\x81\xc4\xa0\x81\xb0\x04\x81\xad\x00\x00\x00\xa9j\
\x81\xa60\x81\xa3\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\n\xa3\x0e0\x0c\
0\n\xa1\x04\x02\x02\x00\x95\xa2\x02\x04\x00\xa4\x81\x860\x81\x83\xa0\
\x07\x03\x05\x00@\x00\x00\x10\xa1\x120\x10\xa0\x03\x02\x01\x01\xa1\
\t0\x07\x1b\x05admin\xa2\x0f\x1b\rFREEIPA.LOCAL\xa3"0 \xa0\x03\x02\
\x01\x02\xa1\x190\x17\x1b\x06krbtgt\x1b\rFREEIPA.LOCAL\xa5\x11\x18\
\x0f20150514104238Z\xa7\x06\x02\x04\x11\xc8c\xb5\xa8\x140\x12\x02\x01\
\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x19\x02\x01\x1a\xa1\
\x0f\x1b\rFREEIPA.LOCAL'''
>>> result = kkdcpasn1.decode_kkdcp_request(asreq1)
>>> result.realm
'FREEIPA.LOCAL'
>>> result.dclocator_hint
0
>>> result.request_type
'asreq'
>>> result.consumed
169
>>> result.offset
4
>>> result.request
...

Request types are

  • asreq authentication server request
  • tgsreq ticket granting server Request
  • apreq kpasswd change request

Wrap response

>>> import kkdcpasn1
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(tcp_data)
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(udp_data, add_prefix=True)

ASN.1

KKDCP DEFINITIONS EXPLICIT TAGS ::=
BEGIN

AS-REQ ::= [APPLICATION 10] KDC-REQ

TGS-REQ ::= [APPLICATION 12] KDC-REQ

KDC-REQ ::= SEQUENCE {
    pvno         [1] INTEGER,
    msg-type     [2] INTEGER,
    padata       [3] SEQUENCE OF PA-DATA OPTIONAL,
    req-body     [4] KDC-REQ-BODY
}

PA-DATA ::= SEQUENCE {
    padata-type  [1] INTEGER,
    pa-data      [2] OCTET STRING
}

KDC-REQ-BODY ::= SEQUENCE {
    kdc-options  [0] KDCOptions,
    cname        [1] PrincipalName OPTIONAL,
    realm        [2] Realm,
    sname        [3] PrincipalName OPTIONAL,
    from         [4] KerberosTime OPTIONAL,
    till         [5] KerberosTime,
    rtime        [6] KerberosTime OPTIONAL,
    nonce        [7] INTEGER,
    etype        [8] SEQUENCE OF INTEGER,
    addresses    [9] HostAddresses OPTIONAL,
    enc-authorization-data       [10] EncryptedData OPTIONAL,
    additional-tickets   [11] SEQUENCE OF Ticket OPTIONAL
}

KDCOptions ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    allow-postdate(5),
    postdated(6),
    unused7(7),
    renewable(8),
    unused9(9),
    renewable-ok(27),
    enc-tkt-in-skey(28),
    renew(30),
    validate(31)
}

PrincipalName ::= SEQUENCE {
    name-type    [0] INTEGER,
    name-string  [1] SEQUENCE OF GeneralString
}

Realm ::= GeneralString

KerberosTime ::= GeneralizedTime

HostAddress ::= SEQUENCE {
        addr-type        [0] INTEGER,
        address  [1] OCTET STRING
}

HostAddresses ::= SEQUENCE OF HostAddress

EncryptedData ::= SEQUENCE {
    etype        [0] INTEGER,
    kvno         [1] INTEGER OPTIONAL,
    cipher       [2] OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno      [0] INTEGER,
    realm        [1] Realm,
    sname        [2] PrincipalName,
    enc-part     [3] EncryptedData
}

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno         [0] INTEGER,
    msg-type     [1] INTEGER,
    ap-options   [2] APOptions,
    ticket       [3] Ticket,
    authenticator        [4] EncryptedData
}

APOptions ::= BIT STRING {
    reserved(0),
    use-session-key(1),
    mutual-required(2)
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno         [0] INTEGER,
    msg-type     [1] INTEGER,
    enc-part     [3] EncryptedData
}

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message         [0] OCTET STRING,
    target-domain        [1] Realm OPTIONAL,
    dclocator-hint       [2] INTEGER OPTIONAL
}

END

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for kkdcpasn1, version 0.2
Filename, size File type Python version Upload date Hashes
Filename, size kkdcpasn1-0.2.tar.gz (146.5 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page