--- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java Thu Oct 17 20:27:44 2019 +0100
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java Thu Oct 17 20:53:35 2019 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -53,13 +53,18 @@
private static final long serialVersionUID = 7723415700837898232L;
+ @SuppressWarnings("serial") // Not statically typed as Serializable
private Krb5NameElement name;
+ @SuppressWarnings("serial") // Not statically typed as Serializable
private Credentials krb5Credentials;
+ public KerberosTicket proxyTicket;
private Krb5InitCredential(Krb5NameElement name,
byte[] asn1Encoding,
KerberosPrincipal client,
+ KerberosPrincipal clientAlias,
KerberosPrincipal server,
+ KerberosPrincipal serverAlias,
byte[] sessionKey,
int keyType,
boolean[] flags,
@@ -80,14 +85,21 @@
endTime,
renewTill,
clientAddresses);
-
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetClientAlias(this, clientAlias);
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetServerAlias(this, serverAlias);
this.name = name;
try {
// Cache this for later use by the sun.security.krb5 package.
krb5Credentials = new Credentials(asn1Encoding,
client.getName(),
+ (clientAlias != null ?
+ clientAlias.getName() : null),
server.getName(),
+ (serverAlias != null ?
+ serverAlias.getName() : null),
sessionKey,
keyType,
flags,
@@ -110,7 +122,9 @@
Credentials delegatedCred,
byte[] asn1Encoding,
KerberosPrincipal client,
+ KerberosPrincipal clientAlias,
KerberosPrincipal server,
+ KerberosPrincipal serverAlias,
byte[] sessionKey,
int keyType,
boolean[] flags,
@@ -131,7 +145,10 @@
endTime,
renewTill,
clientAddresses);
-
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetClientAlias(this, clientAlias);
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetServerAlias(this, serverAlias);
this.name = name;
// A delegated cred does not have all fields set. So do not try to
// creat new Credentials out of the delegatedCred.
@@ -153,10 +170,18 @@
Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
}
- return new Krb5InitCredential(name,
+ KerberosPrincipal clientAlias = KerberosSecrets
+ .getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketGetClientAlias(tgt);
+ KerberosPrincipal serverAlias = KerberosSecrets
+ .getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketGetServerAlias(tgt);
+ Krb5InitCredential result = new Krb5InitCredential(name,
tgt.getEncoded(),
tgt.getClient(),
+ clientAlias,
tgt.getServer(),
+ serverAlias,
tgt.getSessionKey().getEncoded(),
tgt.getSessionKeyType(),
tgt.getFlags(),
@@ -165,6 +190,9 @@
tgt.getEndTime(),
tgt.getRenewTill(),
tgt.getClientAddresses());
+ result.proxyTicket = KerberosSecrets.getJavaxSecurityAuthKerberosAccess().
+ kerberosTicketGetProxy(tgt);
+ return result;
}
static Krb5InitCredential getInstance(Krb5NameElement name,
@@ -179,10 +207,14 @@
*/
PrincipalName cPrinc = delegatedCred.getClient();
+ PrincipalName cAPrinc = delegatedCred.getClientAlias();
PrincipalName sPrinc = delegatedCred.getServer();
+ PrincipalName sAPrinc = delegatedCred.getServerAlias();
KerberosPrincipal client = null;
+ KerberosPrincipal clientAlias = null;
KerberosPrincipal server = null;
+ KerberosPrincipal serverAlias = null;
Krb5NameElement credName = null;
@@ -193,6 +225,10 @@
client = new KerberosPrincipal(fullName);
}
+ if (cAPrinc != null) {
+ clientAlias = new KerberosPrincipal(cAPrinc.getName());
+ }
+
// XXX Compare name to credName
if (sPrinc != null) {
@@ -201,11 +237,17 @@
KerberosPrincipal.KRB_NT_SRV_INST);
}
+ if (sAPrinc != null) {
+ serverAlias = new KerberosPrincipal(sAPrinc.getName());
+ }
+
return new Krb5InitCredential(credName,
delegatedCred,
delegatedCred.getEncoded(),
client,
+ clientAlias,
server,
+ serverAlias,
sessionKey.getBytes(),
sessionKey.getEType(),
delegatedCred.getFlags(),
@@ -333,9 +375,9 @@
public KerberosTicket run() throws Exception {
// It's OK to use null as serverPrincipal. TGT is almost
// the first ticket for a principal and we use list.
- return Krb5Util.getTicket(
+ return Krb5Util.getInitialTicket(
realCaller,
- clientPrincipal, null, acc);
+ clientPrincipal, acc);
}});
} catch (PrivilegedActionException e) {
GSSException ge =