krbconverter 0.1.0__tar.gz

krbconverter-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 pengfei liu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

krbconverter-0.1.0/PKG-INFO

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: krbconverter
+Version: 0.1.0
+Summary: This tool can convert kerberos ticket of format .kirbi to standard MIT CCACHE format
+Author-email: Pengfei Liu <pengfei.liu@casd.eu>
+License: MIT
+Keywords: kerberos,ccache
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pyasn1
+Requires-Dist: minikerberos
+Requires-Dist: asn1crypto
+Requires-Dist: typer
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0; extra == "dev"
+Requires-Dist: black>=23.0; extra == "dev"
+Requires-Dist: isort>=5.12; extra == "dev"
+Dynamic: license-file
+
+# krbTicketConvertor
+
+The objective of this project is 
+1. to get a kerberos ticket(delegable TGT) with tool such as [rubeus](https://github.com/ghostpack/rubeus) or homemade.
+2. to convert a kerberos ticket from format `.kirbi` to MIT Kerberos cache file. 
+
+## Get a delegated TGT
+
+The first step is to get a TGT. We use a tool called `rubeus`, https://github.com/ghostpack/rubeus
+
+The main code of how rubeus get the TGT is in class [LSA.cs](https://github.com/GhostPack/Rubeus/blob/master/Rubeus/lib/LSA.cs)
+
+The function is called `RequestFakeDelegTicket`
+
+
+## tgtdeleg of LSA
+
+The `tgtdeleg` using @gentilkiwi's Kekeo trick (tgt::deleg) that abuses the `Kerberos GSS-API` to retrieve a 
+usable TGT for the current user without needing elevation on the host. `AcquireCredentialsHandle()` is used to get 
+a handle to the current user's Kerberos security credentials, and `InitializeSecurityContext()` with the `ISC_REQ_DELEGATE` 
+flag and a target `SPN of HOST/DC.domain.com` to prepare a fake delegate context to send to the DC. 
+This results in an AP-REQ in the GSS-API output that contains a KRB_CRED in the authenticator checksum. 
+
+The service ticket session key is extracted from the local Kerberos cache and is used to decrypt the `KRB_CRED` in the 
+authenticator, resulting in a usable TGT `.kirbi`.
+
+If automatic `target/domain` extraction is failing, a known SPN of a service configured with unconstrained delegation can be specified with /target:SPN.
+
+
+## .kirbi vs CCACHE
+
+As you can notice, the output of the `Kerberos ticket` is in format `.kirbi` which is not the standard MIT cache format.
+And many tools only support MIT cache format.
+
+| Feature	   | KIRBI (Windows/Internal)           | 	CCACHE (MIT/Linux)          |
+|------------|------------------------------------|------------------------------|
+| Encoding   | 	ASN.1 DER (usually)	              | Specialized Binary Format    |
+| Origin     | 	Microsoft KRB-CRED                | 	MIT Kerberos V5             |
+| Usage      | 	Pass-the-Ticket (Rubeus/Mimikatz) | 	Standard Linux Auth (kinit) |
+| Structure	 | Nested ASN.1 Sequences	            | Header + Credential List     |
+
+## The python implementation
+
+This folder shows an implementation in python. 
+
+We use the `ccache.py` of the project [minikerberos](https://github.com/skelsec/minikerberos/blob/main/minikerberos/common/ccache.py)
+
+
+## The TGT deleg of ssh
+
+Here is the step-by-step breakdown of how that `TGT` travels from your `Windows machine` to the Linux server.
+
+### The TGT Generation (On your Windows Machine)
+
+When you log in to your Windows server, a TGT is generated and stored in your local cache (i.e. LSASS).
+When you run `ssh -k user@srv1.example.com`: 
+1. `Requesting a Service Ticket`: Your SSH client asks your local Kerberos implementation for a Service Ticket for the remote server (host/srv1.example.com).
+2. The "Forwardable" Flag: Because you specified delegation, your client asks the Key Distribution Center (KDC) for 
+       a `new, forwardable TGT`.
+3. The Package: The KDC sends back a TGT encrypted in a way that only you can open. Your `Windows machine` then wraps 
+           this TGT inside the `GSSAPI authentication layer of the SSH protocol.2`. 
+
+### The TGT Forwarding
+
+The TGT is sent over the encrypted SSH tunnel. It is never sent in the clear.It is bundled inside the SSH 
+"User Authentication" packet. It travels from your `Windows machine` to the `sshd daemon on the Linux server`.
+
+### The CCache file creation
+
+(On the Linux Server)Once the Linux server receives your delegated credentials, the `SSH Daemon (sshd)` manage the rest.
+1. The sshd process receives the GSSAPI data containing the TGT
+2. The sshd (which usually runs as root initially) creates a new, temporary file. By default, this is usually located in /tmp/krb5cc_UID_XXXXXX
+3. The sshd changes the ownership of this file to your user account and sets permissions so only you can read it (600).
+4. The sshd sets the `KRB5CCNAME environment variable` in your shell session. This tells other tools (e.g. klist, nfs, or ldapsearch) 
+      exactly where to find that ticket.

krbconverter-0.1.0/README.md

@@ -0,0 +1,75 @@
+# krbTicketConvertor
+
+The objective of this project is 
+1. to get a kerberos ticket(delegable TGT) with tool such as [rubeus](https://github.com/ghostpack/rubeus) or homemade.
+2. to convert a kerberos ticket from format `.kirbi` to MIT Kerberos cache file. 
+
+## Get a delegated TGT
+
+The first step is to get a TGT. We use a tool called `rubeus`, https://github.com/ghostpack/rubeus
+
+The main code of how rubeus get the TGT is in class [LSA.cs](https://github.com/GhostPack/Rubeus/blob/master/Rubeus/lib/LSA.cs)
+
+The function is called `RequestFakeDelegTicket`
+
+
+## tgtdeleg of LSA
+
+The `tgtdeleg` using @gentilkiwi's Kekeo trick (tgt::deleg) that abuses the `Kerberos GSS-API` to retrieve a 
+usable TGT for the current user without needing elevation on the host. `AcquireCredentialsHandle()` is used to get 
+a handle to the current user's Kerberos security credentials, and `InitializeSecurityContext()` with the `ISC_REQ_DELEGATE` 
+flag and a target `SPN of HOST/DC.domain.com` to prepare a fake delegate context to send to the DC. 
+This results in an AP-REQ in the GSS-API output that contains a KRB_CRED in the authenticator checksum. 
+
+The service ticket session key is extracted from the local Kerberos cache and is used to decrypt the `KRB_CRED` in the 
+authenticator, resulting in a usable TGT `.kirbi`.
+
+If automatic `target/domain` extraction is failing, a known SPN of a service configured with unconstrained delegation can be specified with /target:SPN.
+
+
+## .kirbi vs CCACHE
+
+As you can notice, the output of the `Kerberos ticket` is in format `.kirbi` which is not the standard MIT cache format.
+And many tools only support MIT cache format.
+
+| Feature	   | KIRBI (Windows/Internal)           | 	CCACHE (MIT/Linux)          |
+|------------|------------------------------------|------------------------------|
+| Encoding   | 	ASN.1 DER (usually)	              | Specialized Binary Format    |
+| Origin     | 	Microsoft KRB-CRED                | 	MIT Kerberos V5             |
+| Usage      | 	Pass-the-Ticket (Rubeus/Mimikatz) | 	Standard Linux Auth (kinit) |
+| Structure	 | Nested ASN.1 Sequences	            | Header + Credential List     |
+
+## The python implementation
+
+This folder shows an implementation in python. 
+
+We use the `ccache.py` of the project [minikerberos](https://github.com/skelsec/minikerberos/blob/main/minikerberos/common/ccache.py)
+
+
+## The TGT deleg of ssh
+
+Here is the step-by-step breakdown of how that `TGT` travels from your `Windows machine` to the Linux server.
+
+### The TGT Generation (On your Windows Machine)
+
+When you log in to your Windows server, a TGT is generated and stored in your local cache (i.e. LSASS).
+When you run `ssh -k user@srv1.example.com`: 
+1. `Requesting a Service Ticket`: Your SSH client asks your local Kerberos implementation for a Service Ticket for the remote server (host/srv1.example.com).
+2. The "Forwardable" Flag: Because you specified delegation, your client asks the Key Distribution Center (KDC) for 
+       a `new, forwardable TGT`.
+3. The Package: The KDC sends back a TGT encrypted in a way that only you can open. Your `Windows machine` then wraps 
+           this TGT inside the `GSSAPI authentication layer of the SSH protocol.2`. 
+
+### The TGT Forwarding
+
+The TGT is sent over the encrypted SSH tunnel. It is never sent in the clear.It is bundled inside the SSH 
+"User Authentication" packet. It travels from your `Windows machine` to the `sshd daemon on the Linux server`.
+
+### The CCache file creation
+
+(On the Linux Server)Once the Linux server receives your delegated credentials, the `SSH Daemon (sshd)` manage the rest.
+1. The sshd process receives the GSSAPI data containing the TGT
+2. The sshd (which usually runs as root initially) creates a new, temporary file. By default, this is usually located in /tmp/krb5cc_UID_XXXXXX
+3. The sshd changes the ownership of this file to your user account and sets permissions so only you can read it (600).
+4. The sshd sets the `KRB5CCNAME environment variable` in your shell session. This tells other tools (e.g. klist, nfs, or ldapsearch) 
+      exactly where to find that ticket.

krbconverter-0.1.0/pyproject.toml

@@ -0,0 +1,37 @@
+[project]
+name = "krbconverter"
+version = "0.1.0"
+description = "This tool can convert kerberos ticket of format .kirbi to standard MIT CCACHE format"
+readme = "README.md"
+requires-python = ">=3.11"
+
+authors = [
+    { name = "Pengfei Liu", email = "pengfei.liu@casd.eu" }
+]
+license = { text = "MIT" }
+
+keywords = ["kerberos", "ccache", ]
+
+dependencies = ["pyasn1", "minikerberos","asn1crypto", "typer"
+]
+
+[project.optional-dependencies]
+# Development dependencies (install with: pip install -e ".[dev]")
+dev = [
+    "pytest>=7.0",
+    "pytest-cov>=4.0",
+    "black>=23.0", # Code formatter
+    "isort>=5.12", # Import sorter
+]
+
+[project.scripts]
+# This allows the user to run 'convert-tgt' directly in the terminal
+convert-tgt = "krb.main:main"
+
+[build-system]
+requires = ["setuptools>=61.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = "test_*.py"

krbconverter-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

krbconverter-0.1.0/src/krb/convertor.py

@@ -0,0 +1,115 @@
+import base64
+import getpass
+import os
+import sys
+from pathlib import Path
+from typing import Optional
+
+from asn1crypto import core
+from minikerberos.common.ccache import CCACHE, Credential, CCACHEPrincipal, Times, Keyblock, CCACHEOctetString
+from minikerberos.common.kirbi import Kirbi
+from minikerberos.protocol.asn1_structs import EncKrbCredPart, TicketFlags, Ticket
+
+
+def from_kirbi(kirbi: Kirbi):
+    krbcred = kirbi.kirbiobj.native
+    c = Credential()
+    enc_credinfo = EncKrbCredPart.load(krbcred['enc-part']['cipher']).native
+    ticket_info = enc_credinfo['ticket-info'][0]
+
+    c.client = CCACHEPrincipal.from_asn1(ticket_info['pname'], ticket_info['prealm'])
+    # yaaaaay 4 additional weirdness!!!!
+    # if sname name-string contains a realm as well htne impacket will crash miserably :(
+    if len(ticket_info['sname']['name-string']) > 2 and ticket_info['sname']['name-string'][-1].upper() == ticket_info[
+        'srealm'].upper():
+        print('SNAME contains the realm as well, trimming it')
+        t = ticket_info['sname']
+        t['name-string'] = t['name-string'][:-1]
+        c.server = CCACHEPrincipal.from_asn1(t, ticket_info['srealm'])
+    else:
+        c.server = CCACHEPrincipal.from_asn1(ticket_info['sname'], ticket_info['srealm'])
+
+    c.time = Times.from_asn1(ticket_info)
+    c.key = Keyblock.from_asn1(ticket_info['key'])
+    c.is_skey = 0  # not sure!
+
+    c.tktflags = TicketFlags(ticket_info['flags']).cast(core.IntegerBitString).native
+    c.num_address = 0
+    c.num_authdata = 0
+    c.ticket = CCACHEOctetString.from_asn1(
+        Ticket(krbcred['tickets'][0]).dump())  # kirbi only stores one ticket per file
+    c.second_ticket = CCACHEOctetString.empty()
+
+    return c
+
+
+def gen_cache_path(user: Optional[str] = None) -> str:
+    """
+    Generate MIT Kerberos ccache file path following OS-specific standards.
+
+    Refined to prioritize XDG specs on Linux and robust path handling on Windows.
+    """
+    if sys.platform == "darwin":
+        # macOS typically uses API-based credential caches (KCM), not flat files.
+        raise NotImplementedError("macOS uses CCAPI; file-based paths are non-standard.")
+
+    if os.name == "nt":
+        # Windows best practice: Use USERPROFILE or LOCALAPPDATA for caches
+        user = user or getpass.getuser()
+        base = Path(os.environ.get("USERPROFILE", f"C:/Users/{user}"))
+        return (base / f"krb5cc_{user}").as_posix()
+
+    # Linux / Unix / POSIX
+    # 1. Check for XDG_RUNTIME_DIR (Modern Linux standard, e.g., /run/user/1000)
+    # 2. Fallback to /tmp with UID
+    uid = os.getuid()
+    runtime_dir = os.environ.get("XDG_RUNTIME_DIR")
+
+    if runtime_dir:
+        base_path = Path(runtime_dir)
+    else:
+        base_path = Path("/tmp")
+
+    return (base_path / f"krb5cc_{uid}").as_posix()
+
+
+def convert_kirbi(src:str, dest:str=None)->None:
+    """
+     This function convert the kirbi format to MIT ccache format.
+    :param src: The path of source .kirbi file which contains the tgt binary in base64 format
+    :param dest: The path of converted MIT ccache file
+    :return:
+    """
+    # 1. Standardize path handling using Pathlib
+    # This handles ../, ./, absolute paths, and OS-specific separators ( \ vs / )
+    src_path = Path(src).expanduser().resolve()
+
+    if not src_path.exists():
+        raise FileNotFoundError(f"Source kirbi file not found: {src_path}")
+
+    # 2. Use context managers for safe File I/O
+    # This ensures the file handle is closed even if decoding fails
+    try:
+        with src_path.open("rb") as f:
+            kirbi_b64 = f.read()
+
+        # 3. Decode Base64 to raw bytes
+        kirbi_bytes = base64.b64decode(kirbi_b64)
+    except Exception as e:
+        raise ValueError(f"Failed to read or decode kirbi file: {e}")
+
+    # 4. Process the credential cache
+    cc = CCACHE.from_bytes(kirbi_bytes)
+
+    # 5. Determine destination
+    if dest:
+        dest_path = Path(dest).expanduser().resolve()
+    else:
+        # Fallback to our logic from the previous gen_cache_path function
+        dest_path = Path(gen_cache_path())
+
+    # Ensure the parent directory for the destination exists
+    dest_path.parent.mkdir(parents=True, exist_ok=True)
+
+    # 6. Write ticket to the file path
+    cc.to_file(str(dest_path))

krbconverter-0.1.0/src/krbconverter.egg-info/PKG-INFO

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: krbconverter
+Version: 0.1.0
+Summary: This tool can convert kerberos ticket of format .kirbi to standard MIT CCACHE format
+Author-email: Pengfei Liu <pengfei.liu@casd.eu>
+License: MIT
+Keywords: kerberos,ccache
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pyasn1
+Requires-Dist: minikerberos
+Requires-Dist: asn1crypto
+Requires-Dist: typer
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0; extra == "dev"
+Requires-Dist: black>=23.0; extra == "dev"
+Requires-Dist: isort>=5.12; extra == "dev"
+Dynamic: license-file
+
+# krbTicketConvertor
+
+The objective of this project is 
+1. to get a kerberos ticket(delegable TGT) with tool such as [rubeus](https://github.com/ghostpack/rubeus) or homemade.
+2. to convert a kerberos ticket from format `.kirbi` to MIT Kerberos cache file. 
+
+## Get a delegated TGT
+
+The first step is to get a TGT. We use a tool called `rubeus`, https://github.com/ghostpack/rubeus
+
+The main code of how rubeus get the TGT is in class [LSA.cs](https://github.com/GhostPack/Rubeus/blob/master/Rubeus/lib/LSA.cs)
+
+The function is called `RequestFakeDelegTicket`
+
+
+## tgtdeleg of LSA
+
+The `tgtdeleg` using @gentilkiwi's Kekeo trick (tgt::deleg) that abuses the `Kerberos GSS-API` to retrieve a 
+usable TGT for the current user without needing elevation on the host. `AcquireCredentialsHandle()` is used to get 
+a handle to the current user's Kerberos security credentials, and `InitializeSecurityContext()` with the `ISC_REQ_DELEGATE` 
+flag and a target `SPN of HOST/DC.domain.com` to prepare a fake delegate context to send to the DC. 
+This results in an AP-REQ in the GSS-API output that contains a KRB_CRED in the authenticator checksum. 
+
+The service ticket session key is extracted from the local Kerberos cache and is used to decrypt the `KRB_CRED` in the 
+authenticator, resulting in a usable TGT `.kirbi`.
+
+If automatic `target/domain` extraction is failing, a known SPN of a service configured with unconstrained delegation can be specified with /target:SPN.
+
+
+## .kirbi vs CCACHE
+
+As you can notice, the output of the `Kerberos ticket` is in format `.kirbi` which is not the standard MIT cache format.
+And many tools only support MIT cache format.
+
+| Feature	   | KIRBI (Windows/Internal)           | 	CCACHE (MIT/Linux)          |
+|------------|------------------------------------|------------------------------|
+| Encoding   | 	ASN.1 DER (usually)	              | Specialized Binary Format    |
+| Origin     | 	Microsoft KRB-CRED                | 	MIT Kerberos V5             |
+| Usage      | 	Pass-the-Ticket (Rubeus/Mimikatz) | 	Standard Linux Auth (kinit) |
+| Structure	 | Nested ASN.1 Sequences	            | Header + Credential List     |
+
+## The python implementation
+
+This folder shows an implementation in python. 
+
+We use the `ccache.py` of the project [minikerberos](https://github.com/skelsec/minikerberos/blob/main/minikerberos/common/ccache.py)
+
+
+## The TGT deleg of ssh
+
+Here is the step-by-step breakdown of how that `TGT` travels from your `Windows machine` to the Linux server.
+
+### The TGT Generation (On your Windows Machine)
+
+When you log in to your Windows server, a TGT is generated and stored in your local cache (i.e. LSASS).
+When you run `ssh -k user@srv1.example.com`: 
+1. `Requesting a Service Ticket`: Your SSH client asks your local Kerberos implementation for a Service Ticket for the remote server (host/srv1.example.com).
+2. The "Forwardable" Flag: Because you specified delegation, your client asks the Key Distribution Center (KDC) for 
+       a `new, forwardable TGT`.
+3. The Package: The KDC sends back a TGT encrypted in a way that only you can open. Your `Windows machine` then wraps 
+           this TGT inside the `GSSAPI authentication layer of the SSH protocol.2`. 
+
+### The TGT Forwarding
+
+The TGT is sent over the encrypted SSH tunnel. It is never sent in the clear.It is bundled inside the SSH 
+"User Authentication" packet. It travels from your `Windows machine` to the `sshd daemon on the Linux server`.
+
+### The CCache file creation
+
+(On the Linux Server)Once the Linux server receives your delegated credentials, the `SSH Daemon (sshd)` manage the rest.
+1. The sshd process receives the GSSAPI data containing the TGT
+2. The sshd (which usually runs as root initially) creates a new, temporary file. By default, this is usually located in /tmp/krb5cc_UID_XXXXXX
+3. The sshd changes the ownership of this file to your user account and sets permissions so only you can read it (600).
+4. The sshd sets the `KRB5CCNAME environment variable` in your shell session. This tells other tools (e.g. klist, nfs, or ldapsearch) 
+      exactly where to find that ticket.

krbconverter-0.1.0/src/krbconverter.egg-info/SOURCES.txt

@@ -0,0 +1,14 @@
+LICENSE
+README.md
+pyproject.toml
+src/main.py
+src/krb/__init__.py
+src/krb/convertor.py
+src/krbconverter.egg-info/PKG-INFO
+src/krbconverter.egg-info/SOURCES.txt
+src/krbconverter.egg-info/dependency_links.txt
+src/krbconverter.egg-info/entry_points.txt
+src/krbconverter.egg-info/requires.txt
+src/krbconverter.egg-info/top_level.txt
+tests/test_convertor.py
+tests/test_genCachePath.py

krbconverter-0.1.0/src/krbconverter.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

krbconverter-0.1.0/src/krbconverter.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+convert-tgt = krb.main:main

krbconverter-0.1.0/src/krbconverter.egg-info/requires.txt

@@ -0,0 +1,10 @@
+pyasn1
+minikerberos
+asn1crypto
+typer
+
+[dev]
+pytest>=7.0
+pytest-cov>=4.0
+black>=23.0
+isort>=5.12

krbconverter-0.1.0/src/krbconverter.egg-info/top_level.txt

@@ -0,0 +1,2 @@
+krb
+main

krbconverter-0.1.0/src/main.py

@@ -0,0 +1,22 @@
+import typer
+
+from krb.convertor import convert_kirbi
+
+app = typer.Typer()
+
+
+@app.command()
+def main(
+    kirbi_path: str = typer.Argument(..., help="Path to the input .kirbi ticket file"),
+    ccache_path: str = typer.Argument(..., help="Path for the output .ccache file"),
+):
+    # Convert a Kerberos .kirbi ticket to .ccache format.
+    try:
+        convert_kirbi(kirbi_path, ccache_path)
+        typer.echo(f"[+] Success: {ccache_path}")
+    except Exception as e:
+        typer.echo(f"[-] Error: {e}")
+
+
+if __name__ == "__main__":
+    app()

krbconverter-0.1.0/tests/test_convertor.py

@@ -0,0 +1,16 @@
+from krb.convertor import convert_kirbi
+
+
+def test_convertor_with_given_path():
+    kirbi = "C:/Users/pliu/Documents/git/krbTicketConvertor/tests/tmp/tgt.kirbi"
+    ccache = "C:/Users/pliu/Documents/git/krbTicketConvertor/tests/tmp/tgt.ccache"
+
+    convert_kirbi(kirbi, ccache)
+
+def test_convertor_with_default_path():
+    kirbi = "C:/Users/pliu/Documents/git/krbTicketConvertor/tests/tmp/tgt.kirbi"
+    convert_kirbi(kirbi)
+
+def test_convertor_with_relative_path():
+    kirbi = "./tests/tmp/tgt.kirbi"
+    convert_kirbi(kirbi)

krbconverter-0.1.0/tests/test_genCachePath.py

@@ -0,0 +1,56 @@
+import os
+import sys
+import pytest
+from unittest.mock import patch, MagicMock
+from pathlib import Path
+
+import krb
+from krb import convertor
+from krb.convertor import gen_cache_path
+
+
+class TestGenCachePath:
+
+    @patch("sys.platform", "darwin")
+    def test_macos_raises_error(self):
+        """Ensure macOS triggers the expected NotImplementedError."""
+        with pytest.raises(NotImplementedError, match="macOS uses CCAPI"):
+            gen_cache_path()
+
+    @patch("os.name", "nt")
+    @patch("getpass.getuser", return_value="alice")
+    @patch.dict(os.environ, {"USERPROFILE": "C:\\Users\\alice"})
+    def test_windows_path_generation(self, mock_getuser):
+        """Verify Windows path logic using environment variables."""
+        path = gen_cache_path()
+        # Pathlib handles the slash conversion, .as_posix() ensures forward slashes
+        assert path == "C:/Users/alice/krb5cc_alice"
+
+
+    @patch("os.name", "nt")
+    @patch.dict(os.environ, {"USERPROFILE": "C:\\Users\\bob"})
+    def test_explicit_user_override(self):
+        """Ensure providing a 'user' argument overrides the system user."""
+        path = gen_cache_path(user="admin")
+        assert path == "C:/Users/bob/krb5cc_admin"
+
+####### The linux os test will fail if you run under windows ###############
+# the os module is dynamic; attributes like getuid or setuid simply do not exist when Python runs on Windows.
+    @patch("os.name", "posix")
+    @patch("sys.platform", "linux")
+    @patch("os.getuid", return_value=1000)
+    @patch.dict(os.environ, {}, clear=True)
+    def test_linux_fallback_path(self, mock_uid):
+        """Verify fallback to /tmp when XDG_RUNTIME_DIR is missing.
+        """
+        path = gen_cache_path()
+        assert path == "/tmp/krb5cc_1000"
+
+    @patch("os.name", "posix")
+    @patch("sys.platform", "linux")
+    @patch("os.getuid", return_value=1000)
+    @patch.dict(os.environ, {"XDG_RUNTIME_DIR": "/run/user/1000"})
+    def test_linux_xdg_path(self, mock_uid):
+        """Verify preference for XDG_RUNTIME_DIR on modern Linux systems."""
+        path = gen_cache_path()
+        assert path == "/run/user/1000/krb5cc_1000"