kerberos-kdc代理的高性能asn.1解析器[kkdcp]
kkdcpasn1的Python项目详细描述
kerberos kdc代理的高性能asn.1解析器[ms-kkdcp]
kerberos密钥分发中心代理协议[ms-kkdcp]提供 一种通过https代理kerberos的机制。标准kerberos负载是 以附加的KDC-PROXY-MESSAGE序列包装并作为 向代理服务器发送https post请求。代理服务器将 请求并将其内部请求转发给kdc。代理服务器 通常居住在DMZ。
kkdcpasn1包提供高性能、低内存使用率 用于KDC-PROXY-MESSAGE的解码器和编码器。ASN.1部分已处理 由由asn1c自动生成的C解析器执行。python接口是 在cython中实现。在现代硬件上,只需不到15纳秒 解码请求并包装响应。
作者:christian heimescheimes@redhat.com
https://msdn.microsoft.com/en-us/library/hh553774.aspx
解析请求
>>> import kkdcpasn1 >>> asreq1 = b'''0\x81\xc4\xa0\x81\xb0\x04\x81\xad\x00\x00\x00\xa9j\ \x81\xa60\x81\xa3\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\n\xa3\x0e0\x0c\ 0\n\xa1\x04\x02\x02\x00\x95\xa2\x02\x04\x00\xa4\x81\x860\x81\x83\xa0\ \x07\x03\x05\x00@\x00\x00\x10\xa1\x120\x10\xa0\x03\x02\x01\x01\xa1\ \t0\x07\x1b\x05admin\xa2\x0f\x1b\rFREEIPA.LOCAL\xa3"0 \xa0\x03\x02\ \x01\x02\xa1\x190\x17\x1b\x06krbtgt\x1b\rFREEIPA.LOCAL\xa5\x11\x18\ \x0f20150514104238Z\xa7\x06\x02\x04\x11\xc8c\xb5\xa8\x140\x12\x02\x01\ \x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x19\x02\x01\x1a\xa1\ \x0f\x1b\rFREEIPA.LOCAL''' >>> result = kkdcpasn1.decode_kkdcp_request(asreq1) >>> result.realm 'FREEIPA.LOCAL' >>> result.dclocator_hint 0 >>> result.request_type 'asreq' >>> result.consumed 169 >>> result.offset 4 >>> result.request ...
请求类型是
- asreq验证服务器请求
- tgsreq票证授予服务器请求
- apreqkpasswd更改请求
包裹响应
>>> import kkdcpasn1 >>> wrapped = kkdcpasn1.wrap_kkdcp_response(tcp_data) >>> wrapped = kkdcpasn1.wrap_kkdcp_response(udp_data, add_prefix=True)
ASN.1
KKDCP DEFINITIONS EXPLICIT TAGS ::=
BEGIN
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ
KDC-REQ ::= SEQUENCE {
pvno [1] INTEGER,
msg-type [2] INTEGER,
padata [3] SEQUENCE OF PA-DATA OPTIONAL,
req-body [4] KDC-REQ-BODY
}
PA-DATA ::= SEQUENCE {
padata-type [1] INTEGER,
pa-data [2] OCTET STRING
}
KDC-REQ-BODY ::= SEQUENCE {
kdc-options [0] KDCOptions,
cname [1] PrincipalName OPTIONAL,
realm [2] Realm,
sname [3] PrincipalName OPTIONAL,
from [4] KerberosTime OPTIONAL,
till [5] KerberosTime,
rtime [6] KerberosTime OPTIONAL,
nonce [7] INTEGER,
etype [8] SEQUENCE OF INTEGER,
addresses [9] HostAddresses OPTIONAL,
enc-authorization-data [10] EncryptedData OPTIONAL,
additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
}
KDCOptions ::= BIT STRING {
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
allow-postdate(5),
postdated(6),
unused7(7),
renewable(8),
unused9(9),
renewable-ok(27),
enc-tkt-in-skey(28),
renew(30),
validate(31)
}
PrincipalName ::= SEQUENCE {
name-type [0] INTEGER,
name-string [1] SEQUENCE OF GeneralString
}
Realm ::= GeneralString
KerberosTime ::= GeneralizedTime
HostAddress ::= SEQUENCE {
addr-type [0] INTEGER,
address [1] OCTET STRING
}
HostAddresses ::= SEQUENCE OF HostAddress
EncryptedData ::= SEQUENCE {
etype [0] INTEGER,
kvno [1] INTEGER OPTIONAL,
cipher [2] OCTET STRING
}
Ticket ::= [APPLICATION 1] SEQUENCE {
tkt-vno [0] INTEGER,
realm [1] Realm,
sname [2] PrincipalName,
enc-part [3] EncryptedData
}
AP-REQ ::= [APPLICATION 14] SEQUENCE {
pvno [0] INTEGER,
msg-type [1] INTEGER,
ap-options [2] APOptions,
ticket [3] Ticket,
authenticator [4] EncryptedData
}
APOptions ::= BIT STRING {
reserved(0),
use-session-key(1),
mutual-required(2)
}
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
pvno [0] INTEGER,
msg-type [1] INTEGER,
enc-part [3] EncryptedData
}
KDC-PROXY-MESSAGE ::= SEQUENCE {
kerb-message [0] OCTET STRING,
target-domain [1] Realm OPTIONAL,
dclocator-hint [2] INTEGER OPTIONAL
}
END
欢迎加入QQ群-->: 979659372
