High-performance Kerberos KDC Proxy (KKDCP) ASN.1 parser
Project description
High-performance Kerberos KDC Proxy (MS-KKDCP) ASN.1 parser
The MS-KKDCP Kerberos Key Distribution Center Proxy Protocol provides a mechanism for proxying Kerberos over HTTPS. The standard Kerberos payload is wrapped in an additional KDC-PROXY-MESSAGE sequence and sent to the proxy server as an HTTPS POST request. The proxy server unwraps the request and forwards the inner request to a KDC. The proxy server is typically located in a DMZ.
The kkdcpasn1 package provides a high-performance, low-memory decoder and encoder for KDC-PROXY-MESSAGE. The ASN.1 part is handled by a C parser generated automatically with asn1c. The Python interface is implemented in Cython. On modern hardware, decoding a request and wrapping a response takes less than 15 nanoseconds.
Author: Christian Heimes cheimes@redhat.com
https://msdn.microsoft.com/en-us/library/hh553774.aspx
Parsing requests
```python
>>> import kkdcpasn1
>>> asreq1 = b'''0\x81\xc4\xa0\x81\xb0\x04\x81\xad\x00\x00\x00\xa9j\
\x81\xa60\x81\xa3\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\n\xa3\x0e0\x0c\
0\n\xa1\x04\x02\x02\x00\x95\xa2\x02\x04\x00\xa4\x81\x860\x81\x83\xa0\
\x07\x03\x05\x00@\x00\x00\x10\xa1\x120\x10\xa0\x03\x02\x01\x01\xa1\
\t0\x07\x1b\x05admin\xa2\x0f\x1b\rFREEIPA.LOCAL\xa3"0 \xa0\x03\x02\
\x01\x02\xa1\x190\x17\x1b\x06krbtgt\x1b\rFREEIPA.LOCAL\xa5\x11\x18\
\x0f20150514104238Z\xa7\x06\x02\x04\x11\xc8c\xb5\xa8\x140\x12\x02\x01\
\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x19\x02\x01\x1a\xa1\
\x0f\x1b\rFREEIPA.LOCAL'''
>>> result = kkdcpasn1.decode_kkdcp_request(asreq1)
>>> result.realm
'FREEIPA.LOCAL'
>>> result.dclocator_hint
0
>>> result.request_type
'asreq'
>>> result.consumed
169
>>> result.offset
4
>>> result.request
...
```
Request types include:

- asreq: authentication server request
- tgsreq: ticket-granting server request
- apreq: kpasswd change request

Wrapping responses

```python
>>> import kkdcpasn1
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(tcp_data)
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(udp_data, add_prefix=True)
```
ASN.1

```asn1
KKDCP DEFINITIONS EXPLICIT TAGS ::=
BEGIN

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

KDC-REQ ::= SEQUENCE {
    pvno      [1] INTEGER,
    msg-type  [2] INTEGER,
    padata    [3] SEQUENCE OF PA-DATA OPTIONAL,
    req-body  [4] KDC-REQ-BODY
}

PA-DATA ::= SEQUENCE {
    padata-type  [1] INTEGER,
    pa-data      [2] OCTET STRING
}

KDC-REQ-BODY ::= SEQUENCE {
    kdc-options             [0] KDCOptions,
    cname                   [1] PrincipalName OPTIONAL,
    realm                   [2] Realm,
    sname                   [3] PrincipalName OPTIONAL,
    from                    [4] KerberosTime OPTIONAL,
    till                    [5] KerberosTime,
    rtime                   [6] KerberosTime OPTIONAL,
    nonce                   [7] INTEGER,
    etype                   [8] SEQUENCE OF INTEGER,
    addresses               [9] HostAddresses OPTIONAL,
    enc-authorization-data  [10] EncryptedData OPTIONAL,
    additional-tickets      [11] SEQUENCE OF Ticket OPTIONAL
}

KDCOptions ::= BIT STRING {
    reserved(0),
    forwardable(1),
    forwarded(2),
    proxiable(3),
    proxy(4),
    allow-postdate(5),
    postdated(6),
    unused7(7),
    renewable(8),
    unused9(9),
    renewable-ok(27),
    enc-tkt-in-skey(28),
    renew(30),
    validate(31)
}

PrincipalName ::= SEQUENCE {
    name-type    [0] INTEGER,
    name-string  [1] SEQUENCE OF GeneralString
}

Realm ::= GeneralString

KerberosTime ::= GeneralizedTime

HostAddress ::= SEQUENCE {
    addr-type  [0] INTEGER,
    address    [1] OCTET STRING
}

HostAddresses ::= SEQUENCE OF HostAddress

EncryptedData ::= SEQUENCE {
    etype   [0] INTEGER,
    kvno    [1] INTEGER OPTIONAL,
    cipher  [2] OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno   [0] INTEGER,
    realm     [1] Realm,
    sname     [2] PrincipalName,
    enc-part  [3] EncryptedData
}

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno           [0] INTEGER,
    msg-type       [1] INTEGER,
    ap-options     [2] APOptions,
    ticket         [3] Ticket,
    authenticator  [4] EncryptedData
}

APOptions ::= BIT STRING {
    reserved(0),
    use-session-key(1),
    mutual-required(2)
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno      [0] INTEGER,
    msg-type  [1] INTEGER,
    enc-part  [3] EncryptedData
}

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message    [0] OCTET STRING,
    target-domain   [1] Realm OPTIONAL,
    dclocator-hint  [2] INTEGER OPTIONAL
}

END
```
Project details

Hashes for kkdcpasn1-0.2.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | 69e88fcc0ca6b0145da7113349bba93a507e63a2fd82596bfeff0d514235d616 |
| MD5 | 78f47fe8a0a551a772ea1dcf23ecf1c4 |
| BLAKE2b-256 | a9987873b74b174cb84af2a1b1783ee13693f08fab8e30e5a1b515e64b2fbdb5 |