changeset 17713:fa7582840977

8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime Reviewed-by: xuelei
author weijun
date Fri, 25 Aug 2017 09:28:10 +0800
parents a483aac4000b
children 40dec428648e
files src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosTicket.java src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java test/sun/security/krb5/auto/KDC.java test/sun/security/krb5/auto/NullRenewUntil.java
diffstat 5 files changed, 104 insertions(+), 15 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosTicket.java	Thu Aug 24 16:52:21 2017 -0700
+++ b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosTicket.java	Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -307,11 +307,7 @@
             this.flags = new boolean[NUM_FLAGS];
         }
 
-        if (this.flags[RENEWABLE_TICKET_FLAG]) {
-           if (renewTill == null) {
-               throw new IllegalArgumentException("The renewable period "
-                       + "end time cannot be null for renewable tickets.");
-           }
+        if (this.flags[RENEWABLE_TICKET_FLAG] && renewTill != null) {
            this.renewTill = new Date(renewTill.getTime());
         }
 
@@ -579,6 +575,12 @@
         if (!isRenewable()) {
             throw new RefreshFailedException("This ticket is not renewable");
         }
+
+        if (getRenewTill() == null) {
+            // Renewable ticket without renew-till. Illegal and ignored.
+            return;
+        }
+
         if (System.currentTimeMillis() > getRenewTill().getTime()) {
             throw new RefreshFailedException("This ticket is past "
                                            + "its last renewal time.");
--- a/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java	Thu Aug 24 16:52:21 2017 -0700
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java	Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@
 import sun.security.krb5.internal.crypto.*;
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.time.Instant;
 
 /**
  * This class encapsulates a Kerberos TGS-REQ that is sent from the
@@ -285,7 +286,12 @@
         throws IOException, KrbException, UnknownHostException {
         KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime(0);
+            String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
+            if (d != null) {
+                req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
+            } else {
+                req_till = new KerberosTime(0); // Choose KDC maximum allowed
+            }
         } else {
             req_till = till;
         }
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Thu Aug 24 16:52:21 2017 -0700
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -994,6 +994,10 @@
             if (!creds.isRenewable())
                 throw new RefreshFailedException("This ticket" +
                                 " is not renewable");
+            if (creds.getRenewTill() == null) {
+                // Renewable ticket without renew-till. Illegal and ignored.
+                return creds;
+            }
             if (System.currentTimeMillis() > cred.getRenewTill().getTime())
                 throw new RefreshFailedException("This ticket is past "
                                              + "its last renewal time.");
--- a/test/sun/security/krb5/auto/KDC.java	Thu Aug 24 16:52:21 2017 -0700
+++ b/test/sun/security/krb5/auto/KDC.java	Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,8 +30,6 @@
 import java.security.SecureRandom;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.time.temporal.TemporalAmount;
-import java.time.temporal.TemporalUnit;
 import java.util.*;
 import java.util.concurrent.*;
 
@@ -734,7 +732,7 @@
             if (till == null) {
                 throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
             } else if (till.isZero()) {
-                till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
+                till = new KerberosTime(new Date().getTime() + 1000 * DEFAULT_LIFETIME);
             }
 
             boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
@@ -811,6 +809,18 @@
             }
             bFlags[Krb5.TKT_OPTS_INITIAL] = true;
 
+            KerberosTime renewTill = etp.renewTill;
+            if (renewTill != null && body.kdcOptions.get(KDCOptions.RENEW)) {
+                // till should never pass renewTill
+                if (till.greaterThan(renewTill)) {
+                    till = renewTill;
+                }
+                if (System.getProperty("test.set.null.renew") != null) {
+                    // Testing 8186576, see NullRenewUntil.java.
+                    renewTill = null;
+                }
+            }
+
             TicketFlags tFlags = new TicketFlags(bFlags);
             EncTicketPart enc = new EncTicketPart(
                     tFlags,
@@ -819,7 +829,7 @@
                     new TransitedEncoding(1, new byte[0]),  // TODO
                     new KerberosTime(new Date()),
                     body.from,
-                    till, etp.renewTill,
+                    till, renewTill,
                     body.addresses != null ? body.addresses
                             : etp.caddr,
                     null);
@@ -844,7 +854,7 @@
                     tFlags,
                     new KerberosTime(new Date()),
                     body.from,
-                    till, etp.renewTill,
+                    till, renewTill,
                     service,
                     body.addresses
                     );
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/NullRenewUntil.java	Fri Aug 25 09:28:10 2017 +0800
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8186576
+ * @summary KerberosTicket does not properly handle renewable tickets
+ *          at the end of their lifetime
+ * @library /test/lib
+ * @compile -XDignore.symbol.file NullRenewUntil.java
+ * @run main/othervm -Dtest.set.null.renew NullRenewUntil
+ */
+
+import jdk.test.lib.Asserts;
+import sun.security.krb5.Config;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public class NullRenewUntil {
+
+    public static void main(String[] args) throws Exception {
+
+        OneKDC kdc = new OneKDC(null);
+
+        KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
+                "ticket_lifetime = 10s",
+                "renew_lifetime = 11s");
+        Config.refresh();
+
+        KerberosTicket ticket = Context
+                .fromUserPass(OneKDC.USER, OneKDC.PASS, false).s()
+                .getPrivateCredentials(KerberosTicket.class).iterator().next();
+
+        System.out.println(ticket);
+        Asserts.assertTrue(ticket.getRenewTill() != null, ticket.toString());
+
+        Thread.sleep(2000);
+
+        ticket.refresh();
+        System.out.println(ticket);
+        Asserts.assertTrue(ticket.getRenewTill() == null, ticket.toString());
+
+        Thread.sleep(2000);
+        ticket.refresh();
+        System.out.println(ticket);
+    }
+}