
set key usage for HST name type

Jonathan Turner 8 yıl önce
ebeveyn
işleme
769e7eabf1
3 değiştirilmiş dosya ile 20 ekleme ve 19 silme
  1. 2 2
      gssapi/gssapi.go
  2. 16 15
      messages/APReq.go
  3. 2 2
      testenv/krb5kdc-vagrant/kdc.conf

+ 2 - 2
gssapi/gssapi.go

@@ -35,8 +35,8 @@ func (s *SPNEGO) Unmarshal(b []byte) error {
 			return fmt.Errorf("not a valid SPNEGO token: %v", err)
 		}
 		// Check the OID is the SPNEGO OID value
-		if !oid.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}) {
-			return errors.New("OID does not match SPNEGO OID 1.3.6.1.5.5.2")
+		if !oid.Equal(SPNEGO_OID) {
+			return fmt.Errorf("OID %s does not match SPNEGO OID %s", oid.String(), SPNEGO_OID.String())
 		}
 	} else {
 		// Could be a NegTokenResp/Targ
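Review bot: `SPNEGO_OID` on the new `if !oid.Equal(SPNEGO_OID)` line is not declared in this hunk, so it presumably lives elsewhere in the package; if it is a package-level `asn1.ObjectIdentifier` (a slice type), any importer can mutate its elements and silently change what this check accepts, so prefer an unexported variable or a small function that returns a fresh copy. The underscore also breaks Go naming convention; `spnegoOID` (unexported) or `SPNEGOOID` would keep golint quiet. Using `%v` instead of `%s` with explicit `.String()` calls would shorten the new error line without changing its output. `Unmarshal` starts and ends outside this hunk.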

+ 16 - 15
messages/APReq.go

@@ -70,13 +70,7 @@ func encryptAuthenticator(a types.Authenticator, sessionKey types.EncryptionKey,
 	if err != nil {
 		return ed, krberror.Errorf(err, krberror.EncodingError, "Marshaling error of EncryptedData form of Authenticator")
 	}
-	var usage int
-	switch tkt.SName.NameType {
-	case nametype.KRB_NT_PRINCIPAL:
-		usage = keyusage.AP_REQ_AUTHENTICATOR
-	case nametype.KRB_NT_SRV_INST:
-		usage = keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
-	}
+	usage := authenticatorKeyUsage(tkt.SName.NameType)
 	ed, err = crypto.GetEncryptedData(m, sessionKey, uint32(usage), tkt.EncPart.KVNO)
 	if err != nil {
 		return ed, krberror.Errorf(err, krberror.EncryptingError, "Error encrypting Authenticator")
@@ -87,14 +81,8 @@ func encryptAuthenticator(a types.Authenticator, sessionKey types.EncryptionKey,
 // DecryptAuthenticator decrypts the Authenticator within the AP_REQ.
 // sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.
 func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) (auth types.Authenticator, err error) {
-	var usage uint32
-	switch a.Ticket.SName.NameType {
-	case nametype.KRB_NT_PRINCIPAL:
-		usage = keyusage.AP_REQ_AUTHENTICATOR
-	case nametype.KRB_NT_SRV_INST:
-		usage = keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
-	}
-	ab, e := crypto.DecryptEncPart(a.Authenticator, sessionKey, usage)
+	usage := authenticatorKeyUsage(a.Ticket.SName.NameType)
+	ab, e := crypto.DecryptEncPart(a.Authenticator, sessionKey, uint32(usage))
 	if e != nil {
 		err = fmt.Errorf("error decrypting authenticator: %v", e)
 		return
@@ -107,6 +95,19 @@ func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) (auth types
 	return
 }
 
+func authenticatorKeyUsage(nt int32) int {
+	switch nt {
+	case nametype.KRB_NT_PRINCIPAL:
+		return keyusage.AP_REQ_AUTHENTICATOR
+	case nametype.KRB_NT_SRV_HST:
+		return keyusage.AP_REQ_AUTHENTICATOR
+	case nametype.KRB_NT_SRV_INST:
+		return keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
+	default:
+		return keyusage.AP_REQ_AUTHENTICATOR
+	}
+}
+
 // Unmarshal bytes b into the APReq struct.
 func (a *APReq) Unmarshal(b []byte) error {
 	var m marshalAPReq
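Review bot: In `authenticatorKeyUsage` the `KRB_NT_PRINCIPAL`, `KRB_NT_SRV_HST` and `default` arms all return the same value, so the switch reduces to `case nametype.KRB_NT_SRV_INST: return keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR` followed by `default: return keyusage.AP_REQ_AUTHENTICATOR`, which also makes the intent visible. The `default` arm is a behaviour change for both callers that the title does not mention: in the first two hunks an unmatched name type previously left `usage` at zero, so such an authenticator was encrypted or decrypted with key usage 0 and will now use `AP_REQ_AUTHENTICATOR`; that is likely the right thing, but worth a sentence in the description. The helper has no doc comment; it should say that the ticket's service name type is used as a proxy for whether the AP-REQ is PA-TGS-REQ padata (`KRB_NT_SRV_INST`, the krbtgt name type) or an application AP-REQ, since that distinction, not the name type itself, is what selects the key usage, and that the proxy presumably misfires if a krbtgt ticket is issued with a different name type.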

+ 2 - 2
testenv/krb5kdc-vagrant/kdc.conf

@@ -5,8 +5,8 @@
 [realms]
  __REALM__ = {
   master_key_type = aes256-cts-hmac-sha1-96
-  max_life = 20s
-  max_renewable_life = 55s
+  max_life = 1h
+  max_renewable_life = 5h
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
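Review bot: The new `max_life = 1h` and `max_renewable_life = 5h` lines replace lifetimes of 20s and 55s, which look like deliberately short values for exercising ticket expiry and renewal in the vagrant test KDC; if any test depended on them it will presumably stop reaching that path. A one-line comment above the two keys recording why the longer values are needed would save the next person from reverting them.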