Description
Here is an example:
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.crypto.encryption.*;
public static void main(String[] args) throws Exception{
final char[] PASSWORD = "PASSWORD".toCharArray();
KerberosKey key = new KerberosKey(new KerberosPrincipal("servicetest@EXAMPLE.COM"),PASSWORD, "DES");
byte[] keyBytes = key.getEncoded();
EncryptionKey encryptionKey = new EncryptionKey(EncryptionType.DES_CBC_CRC, keyBytes);
byte[] plainText =
;
DesCbcCrcEncryption encryption = new DesCbcCrcEncryption();
EncryptedData encryptionData = encryption.getEncryptedData(encryptionKey, plainText, KeyUsage.NUMBER1); // I am not sure of which KeyUsage should use here, but it is not referenced in source code. So I think any will work.
encryption.getDecryptedData(encryptionKey, encryptionData, KeyUsage.NUMBER1);
System.out.println("Succeed!");
}
But it fails with such complain:
Exception in thread "main" org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
at org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcCrcEncryption.getDecryptedData(DesCbcCrcEncryption.java:113)
at TestDESCBCCRC.main(TestDESCBCCRC.java:21)
After I look a further into it, it is due to current implementation (r595192) there is two paddings in DesCbcCrcEncryption.getEncryptedData:
LINE 126:
byte[] paddedPlainText = padString( plainText );
byte[] dataBytes = concatenateBytes( conFounder, concatenateBytes( zeroedChecksum, paddedPlainText ) );
byte[] checksumBytes = calculateIntegrity( dataBytes, null, usage );
byte[] paddedDataBytes = padString( dataBytes );
But RFC 3961
"One generates a random confounder of one block, placing it in
'confounder'; zeros out the 'checksum' field (of length appropriate
to exactly hold the checksum to be computed); adds the necessary
padding; calculates the appropriate checksum over the whole sequence,
placing the result in 'checksum'; and then encrypts using the
specified encryption type and the appropriate key."
So the checksum should be calculated after all padding for encryption has finished.
It seems that the same problem occurs in other Encryption classes.