High-performance ASN.1 parser for Kerberos KDC Proxy [KKDCP]
Detailed description of the kkdcpasn1 Python project
High-performance ASN.1 parser for Kerberos KDC Proxy [MS-KKDCP]
The Kerberos Key Distribution Center Proxy Protocol [MS-KKDCP] provides a mechanism to tunnel Kerberos over HTTPS. A standard Kerberos payload is wrapped in an additional KDC-PROXY-MESSAGE sequence and sent to the proxy server as an HTTPS POST request. The proxy server unwraps the request and forwards the inner request to a KDC. The proxy server typically resides in a DMZ.
The kkdcpasn1 package provides a high-performance, low-memory decoder and encoder for KDC-PROXY-MESSAGE. The ASN.1 part is handled by a C parser that is auto-generated by asn1c. The Python interface is implemented in Cython. On modern hardware it takes less than 15 nanoseconds to decode a request and wrap a response.
Author: Christian Heimes <cheimes@redhat.com>
https://msdn.microsoft.com/en-us/library/hh553774.aspx
Parse request

```python
>>> import kkdcpasn1
>>> asreq1 = b'''0\x81\xc4\xa0\x81\xb0\x04\x81\xad\x00\x00\x00\xa9j\
\x81\xa60\x81\xa3\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\n\xa3\x0e0\x0c\
0\n\xa1\x04\x02\x02\x00\x95\xa2\x02\x04\x00\xa4\x81\x860\x81\x83\xa0\
\x07\x03\x05\x00@\x00\x00\x10\xa1\x120\x10\xa0\x03\x02\x01\x01\xa1\
\t0\x07\x1b\x05admin\xa2\x0f\x1b\rFREEIPA.LOCAL\xa3"0 \xa0\x03\x02\
\x01\x02\xa1\x190\x17\x1b\x06krbtgt\x1b\rFREEIPA.LOCAL\xa5\x11\x18\
\x0f20150514104238Z\xa7\x06\x02\x04\x11\xc8c\xb5\xa8\x140\x12\x02\x01\
\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x19\x02\x01\x1a\xa1\
\x0f\x1b\rFREEIPA.LOCAL'''
>>> result = kkdcpasn1.decode_kkdcp_request(asreq1)
>>> result.realm
'FREEIPA.LOCAL'
>>> result.dclocator_hint
0
>>> result.request_type
'asreq'
>>> result.consumed
169
>>> result.offset
4
>>> result.request
...
```
The request type is one of:
- asreq: authentication server request
- tgsreq: ticket granting server request
- apreq: kpasswd change request
Wrap response

```python
>>> import kkdcpasn1
>>> # tcp_data: a KDC reply read from a TCP socket, which already carries the 4-byte length prefix
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(tcp_data)
>>> # udp_data: a KDC reply read from a UDP socket, which has no length prefix yet
>>> wrapped = kkdcpasn1.wrap_kkdcp_response(udp_data, add_prefix=True)
```
ASN.1

```asn1
KKDCP DEFINITIONS EXPLICIT TAGS ::= BEGIN

AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ

KDC-REQ ::= SEQUENCE {
    pvno     [1] INTEGER,
    msg-type [2] INTEGER,
    padata   [3] SEQUENCE OF PA-DATA OPTIONAL,
    req-body [4] KDC-REQ-BODY
}

PA-DATA ::= SEQUENCE {
    padata-type [1] INTEGER,
    pa-data     [2] OCTET STRING
}

KDC-REQ-BODY ::= SEQUENCE {
    kdc-options            [0]  KDCOptions,
    cname                  [1]  PrincipalName OPTIONAL,
    realm                  [2]  Realm,
    sname                  [3]  PrincipalName OPTIONAL,
    from                   [4]  KerberosTime OPTIONAL,
    till                   [5]  KerberosTime,
    rtime                  [6]  KerberosTime OPTIONAL,
    nonce                  [7]  INTEGER,
    etype                  [8]  SEQUENCE OF INTEGER,
    addresses              [9]  HostAddresses OPTIONAL,
    enc-authorization-data [10] EncryptedData OPTIONAL,
    additional-tickets     [11] SEQUENCE OF Ticket OPTIONAL
}

KDCOptions ::= BIT STRING {
    reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4),
    allow-postdate(5), postdated(6), unused7(7), renewable(8), unused9(9),
    renewable-ok(27), enc-tkt-in-skey(28), renew(30), validate(31)
}

PrincipalName ::= SEQUENCE {
    name-type   [0] INTEGER,
    name-string [1] SEQUENCE OF GeneralString
}

Realm ::= GeneralString
KerberosTime ::= GeneralizedTime

HostAddress ::= SEQUENCE {
    addr-type [0] INTEGER,
    address   [1] OCTET STRING
}

HostAddresses ::= SEQUENCE OF HostAddress

EncryptedData ::= SEQUENCE {
    etype  [0] INTEGER,
    kvno   [1] INTEGER OPTIONAL,
    cipher [2] OCTET STRING
}

Ticket ::= [APPLICATION 1] SEQUENCE {
    tkt-vno  [0] INTEGER,
    realm    [1] Realm,
    sname    [2] PrincipalName,
    enc-part [3] EncryptedData
}

AP-REQ ::= [APPLICATION 14] SEQUENCE {
    pvno          [0] INTEGER,
    msg-type      [1] INTEGER,
    ap-options    [2] APOptions,
    ticket        [3] Ticket,
    authenticator [4] EncryptedData
}

APOptions ::= BIT STRING {
    reserved(0), use-session-key(1), mutual-required(2)
}

KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
    pvno     [0] INTEGER,
    msg-type [1] INTEGER,
    enc-part [3] EncryptedData
}

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,
    target-domain  [1] Realm OPTIONAL,
    dclocator-hint [2] INTEGER OPTIONAL
}

END
```
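To make the KDC-PROXY-MESSAGE layout and the "Parse request" / "Wrap response" sections concrete, here is an added example in pure Python. It is not code from the kkdcpasn1 project: it is a small DER walker that decodes only the outer proxy wrapper (kerb-message, target-domain, dclocator-hint), reads the 4-byte length prefix inside kerb-message, classifies the inner message by its APPLICATION tag (10, 12, 14, matching the page's asreq/tgsreq/apreq), and wraps a reply the way wrap_kkdcp_response does. The field names, the use of None for an absent realm and 0 for an absent hint, and the rejection of a length prefix that disagrees with the octet string are this example's own choices; the input bytes are the page's own sample AS-REQ.

```python
# Added example, not part of the kkdcpasn1 project. Pure-Python decoder and
# encoder for the KDC-PROXY-MESSAGE wrapper only; the inner Kerberos message
# is not parsed beyond its APPLICATION tag.
import struct
from dataclasses import dataclass
from typing import Optional

# The page's sample AS-REQ proxy message (199 bytes), copied as-is.
ASREQ1 = (
    b'0\x81\xc4\xa0\x81\xb0\x04\x81\xad\x00\x00\x00\xa9j'
    b'\x81\xa60\x81\xa3\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\n\xa3\x0e0\x0c'
    b'0\n\xa1\x04\x02\x02\x00\x95\xa2\x02\x04\x00\xa4\x81\x860\x81\x83\xa0'
    b'\x07\x03\x05\x00@\x00\x00\x10\xa1\x120\x10\xa0\x03\x02\x01\x01\xa1'
    b'\t0\x07\x1b\x05admin\xa2\x0f\x1b\rFREEIPA.LOCAL\xa3"0 \xa0\x03\x02'
    b'\x01\x02\xa1\x190\x17\x1b\x06krbtgt\x1b\rFREEIPA.LOCAL\xa5\x11\x18'
    b'\x0f20150514104238Z\xa7\x06\x02\x04\x11\xc8c\xb5\xa8\x140\x12\x02\x01'
    b'\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x19\x02\x01\x1a\xa1'
    b'\x0f\x1b\rFREEIPA.LOCAL'
)

# APPLICATION tag number -> request type name used on the page.
REQUEST_TYPES = {10: "asreq", 12: "tgsreq", 14: "apreq"}


@dataclass
class KKDCPRequest:
    realm: Optional[str]      # target-domain, None when absent (assumption)
    dclocator_hint: int       # 0 when absent (matches the page's sample output)
    request_type: str         # "asreq", "tgsreq" or "apreq"
    consumed: int             # length of the inner Kerberos message
    offset: int               # where it starts inside kerb-message (after the prefix)
    request: bytes            # the inner Kerberos message itself


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by KKDCP")
    pos += 2
    if length & 0x80:                        # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, pos, pos + length


def decode_kkdcp_request(data: bytes) -> KKDCPRequest:
    tag, pos, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one KDC-PROXY-MESSAGE SEQUENCE")
    kerb, realm, hint, last_ctx = None, None, 0, -1
    while pos < end:                         # explicit [n] wrappers in ascending order
        tag, vstart, vend = _read_tlv(data, pos)
        ctx = tag & 0x1F
        if tag & 0xC0 != 0x80 or ctx <= last_ctx:
            raise ValueError("unexpected or out-of-order element")
        inner_tag, istart, iend = _read_tlv(data, vstart)
        if iend != vend:
            raise ValueError("inner element length mismatch")
        if ctx == 0 and inner_tag == 0x04:   # kerb-message OCTET STRING
            kerb = data[istart:iend]
        elif ctx == 1 and inner_tag == 0x1B:  # target-domain GeneralString
            realm = data[istart:iend].decode("ascii")
        elif ctx == 2 and inner_tag == 0x02:  # dclocator-hint INTEGER
            hint = int.from_bytes(data[istart:iend], "big", signed=True)
        else:
            raise ValueError("unexpected element in KDC-PROXY-MESSAGE")
        last_ctx, pos = ctx, vend
    if kerb is None or len(kerb) < 5:
        raise ValueError("kerb-message missing or too short")
    # kerb-message = 4-byte big-endian length + Kerberos message (TCP framing).
    (msg_len,) = struct.unpack(">I", kerb[:4])
    if msg_len != len(kerb) - 4:
        raise ValueError("length prefix disagrees with kerb-message size")
    msg = kerb[4:]
    app = msg[0]
    if app & 0xE0 != 0x60 or (app & 0x1F) not in REQUEST_TYPES:
        raise ValueError("inner message is not AS-REQ, TGS-REQ or AP-REQ")
    return KKDCPRequest(realm, hint, REQUEST_TYPES[app & 0x1F], msg_len, 4, msg)


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def wrap_kkdcp_response(kerb_message: bytes, add_prefix: bool = False) -> bytes:
    """Wrap a KDC reply: TCP replies already carry the 4-byte length prefix,
    UDP replies need add_prefix=True so the proxy adds it."""
    if add_prefix:
        kerb_message = struct.pack(">I", len(kerb_message)) + kerb_message
    return _tlv(0x30, _tlv(0xA0, _tlv(0x04, kerb_message)))


if __name__ == "__main__":
    r = decode_kkdcp_request(ASREQ1)
    print(r.realm, r.dclocator_hint, r.request_type, r.consumed, r.offset)
```

Wrapping the decoded inner message again with add_prefix=True reproduces the page's sample byte-for-byte except for the outer length and the missing target-domain element, which is a convenient way to check both directions of the encoding against each other. The length-prefix check matters on a proxy: a kerb-message whose 4-byte prefix does not match its real size should be rejected rather than forwarded to the KDC.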