changeset 2552:1da7dfca3e20

6844907: krb5 etype order should be from strong to weak Reviewed-by: valeriep
author weijun
date Thu, 24 Jun 2010 14:26:28 +0800
parents 706e2d1fc378
children 9c0f542c8b37
files src/share/classes/sun/security/krb5/Credentials.java src/share/classes/sun/security/krb5/internal/crypto/EType.java src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java test/sun/security/krb5/etype/ETypeOrder.java test/sun/security/krb5/ktab/HighestKvno.java
diffstat 5 files changed, 70 insertions(+), 104 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/krb5/Credentials.java	Thu Jun 24 14:26:22 2010 +0800
+++ b/src/share/classes/sun/security/krb5/Credentials.java	Thu Jun 24 14:26:28 2010 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,9 +33,7 @@
 
 import sun.security.krb5.internal.*;
 import sun.security.krb5.internal.ccache.CredentialsCache;
-import sun.security.krb5.internal.ktab.*;
 import sun.security.krb5.internal.crypto.EType;
-import java.io.File;
 import java.io.IOException;
 import java.util.Date;
 import java.net.InetAddress;
@@ -506,59 +504,6 @@
         return result;
     }
 
-
-    /**
-     * Gets service credential from key table. The credential is used to
-     * decrypt the received client message
-     * and authenticate the client by verifying the client's credential.
-     *
-     * @param serviceName the name of service, using format component@realm
-     * @param keyTabFile the file of key table.
-     * @return a <code>KrbCreds</code> object.
-     */
-    public static Credentials getServiceCreds(String serviceName,
-                                              File keyTabFile) {
-        EncryptionKey k = null;
-        PrincipalName service = null;
-        Credentials result = null;
-        try {
-            service = new PrincipalName(serviceName);
-            if (service.getRealm() == null) {
-                String realm = Config.getInstance().getDefaultRealm();
-                if (realm == null) {
-                    return null;
-                } else {
-                    service.setRealm(realm);
-                }
-            }
-        } catch (RealmException e) {
-            if (DEBUG) {
-                e.printStackTrace();
-            }
-            return null;
-        } catch (KrbException e) {
-            if (DEBUG) {
-                e.printStackTrace();
-            }
-            return null;
-        }
-        KeyTab kt;
-        if (keyTabFile == null) {
-            kt = KeyTab.getInstance();
-        } else {
-            kt = KeyTab.getInstance(keyTabFile);
-        }
-        if ((kt != null) && (kt.findServiceEntry(service))) {
-            k = kt.readServiceKey(service);
-            result = new Credentials(null, service, null, null, null,
-                                     null, null, null, null, null);
-            result.serviceKey = k;
-        }
-        return result;
-    }
-
-
-
     /**
      * Acquires credentials for a specified service using initial credential.
      * When the service has a different realm
--- a/src/share/classes/sun/security/krb5/internal/crypto/EType.java	Thu Jun 24 14:26:22 2010 +0800
+++ b/src/share/classes/sun/security/krb5/internal/crypto/EType.java	Thu Jun 24 14:26:28 2010 +0800
@@ -185,20 +185,20 @@
     // is set to false.
 
     private static final int[] BUILTIN_ETYPES = new int[] {
+        EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96,
+        EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
+        EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD,
+        EncryptedData.ETYPE_ARCFOUR_HMAC,
+        EncryptedData.ETYPE_DES_CBC_CRC,
         EncryptedData.ETYPE_DES_CBC_MD5,
-        EncryptedData.ETYPE_DES_CBC_CRC,
-        EncryptedData.ETYPE_ARCFOUR_HMAC,
-        EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD,
-        EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
-        EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96,
     };
 
     private static final int[] BUILTIN_ETYPES_NOAES256 = new int[] {
+        EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
+        EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD,
+        EncryptedData.ETYPE_ARCFOUR_HMAC,
+        EncryptedData.ETYPE_DES_CBC_CRC,
         EncryptedData.ETYPE_DES_CBC_MD5,
-        EncryptedData.ETYPE_DES_CBC_CRC,
-        EncryptedData.ETYPE_ARCFOUR_HMAC,
-        EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD,
-        EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
     };
 
 
@@ -217,8 +217,8 @@
             result = BUILTIN_ETYPES;
         }
         if (!ALLOW_WEAK_CRYPTO) {
-            // The first 2 etypes are now weak ones
-            return Arrays.copyOfRange(result, 2, result.length);
+            // The last 2 etypes are now weak ones
+            return Arrays.copyOfRange(result, 0, result.length - 2);
         }
         return result;
     }
--- a/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java	Thu Jun 24 14:26:22 2010 +0800
+++ b/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java	Thu Jun 24 14:26:28 2010 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -228,37 +228,6 @@
     }
 
     /**
-     * Reads the service key from the keytab file.
-     * @param service the PrincipalName of the requested service.
-     * @return the last service key in the keytab with the highest kvno
-     */
-    public EncryptionKey readServiceKey(PrincipalName service) {
-        KeyTabEntry entry = null;
-        EncryptionKey key = null;
-        if (entries != null) {
-            // Find latest entry for this service that has an etype
-            // that has been configured for use
-            for (int i = entries.size()-1; i >= 0; i--) {
-                entry = entries.elementAt(i);
-                if (entry.service.match(service)) {
-                    if (EType.isSupported(entry.keyType)) {
-                        if (key == null ||
-                                entry.keyVersion > key.getKeyVersionNumber()) {
-                            key = new EncryptionKey(entry.keyblock,
-                                             entry.keyType,
-                                             new Integer(entry.keyVersion));
-                        }
-                    } else if (DEBUG) {
-                        System.out.println("Found unsupported keytype (" +
-                            entry.keyType + ") for " + service);
-                    }
-                }
-            }
-        }
-        return key;
-    }
-
-    /**
      * Reads all keys for a service from the keytab file that have
      * etypes that have been configured for use. If there are multiple
      * keys with same etype, the one with the highest kvno is returned.
@@ -309,7 +278,7 @@
         Arrays.sort(retVal, new Comparator<EncryptionKey>() {
             @Override
             public int compare(EncryptionKey o1, EncryptionKey o2) {
-                if (etypes != null && etypes != EType.getBuiltInDefaults()) {
+                if (etypes != null) {
                     int o1EType = o1.getEType();
                     int o2EType = o2.getEType();
                     if (o1EType != o2EType) {
@@ -320,6 +289,9 @@
                                 return 1;
                             }
                         }
+                        // Neither o1EType nor o2EType in default_tkt_enctypes,
+                        // therefore won't be used in AS-REQ. We do not care
+                        // about their order, use kvno is OK.
                     }
                 }
                 return o2.getKeyVersionNumber().intValue()
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/etype/ETypeOrder.java	Thu Jun 24 14:26:28 2010 +0800
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+/*
+ * @test
+ * @bug 6844907
+ * @summary krb5 etype order should be from strong to weak
+ */
+
+import sun.security.krb5.internal.crypto.EType;
+
+public class ETypeOrder {
+    public static void main(String[] args) throws Exception {
+
+        // File does not exist, so that the system-default one won't be used
+        System.setProperty("java.security.krb5.conf", "no_such_file");
+        int[] etypes = EType.getBuiltInDefaults();
+
+        // Reference order, note that 2 is not implemented in Java
+        int correct[] = { 18, 17, 16, 23, 1, 3, 2 };
+
+        int match = 0;
+        loopi: for (int i=0; i<etypes.length; i++) {
+            for (; match < correct.length; match++) {
+                if (etypes[i] == correct[match]) {
+                    System.out.println("Find " + etypes[i] + " at #" + match);
+                    continue loopi;
+                }
+            }
+            throw new Exception("No match or bad order for " + etypes[i]);
+        }
+    }
+}
--- a/test/sun/security/krb5/ktab/HighestKvno.java	Thu Jun 24 14:26:22 2010 +0800
+++ b/test/sun/security/krb5/ktab/HighestKvno.java	Thu Jun 24 14:26:28 2010 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -227,9 +227,6 @@
         if (keys[0].getKeyVersionNumber() != 5) {
             throw new Exception("Highest not first");
         }
-        if (ktab.readServiceKey(pn).getKeyVersionNumber() != 5) {
-            throw new Exception("Highest not chosen");
-        }
         new File("kt").delete();
     }
 }