jdk/test/sun/security/krb5/auto/W83.java
author weijun
Thu, 17 Jun 2010 13:46:15 +0800
changeset 5802 ea99d72d3c19
parent 5774 4b9857e483c1
child 7172 01308fd663b3
permissions -rw-r--r--
6959292: regression: cannot login if session key and preauth does not use the same etype Reviewed-by: xuelei, valeriep

/*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 6932525 6951366 6959292
 * @summary kerberos login failure on win2008 with AD set to win2000 compat mode
 * and cannot login if session key and preauth does not use the same etype
 */
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.File;
import sun.security.krb5.Config;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.crypto.EType;
import sun.security.krb5.internal.ktab.KeyTab;

public class W83 {
    public static void main(String[] args) throws Exception {

        W83 x = new W83();

        // Cannot use OneKDC. kinit command cannot resolve
        // hostname kdc.rabbit.hole
        KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
        kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
        kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
        System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
        Config.refresh();

        kdc.writeKtab(OneKDC.KTAB);
        new File(OneKDC.KRB5_CONF).deleteOnExit();
        new File(OneKDC.KTAB).deleteOnExit();

        KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB);
        for (int etype: EType.getBuiltInDefaults()) {
            if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) {
                ktab.deleteEntry(new PrincipalName(OneKDC.USER), etype);
            }
        }
        ktab.save();

        // For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ
        // is not restricted to that of preauth
        kdc.setOption(KDC.Option.ONLY_RC4_TGT, true);
        x.go();

        // For 6959292, make sure that when etype for enc-part in 2nd AS-REQ
        // is different from that of preauth, client can still decrypt it
        kdc.setOption(KDC.Option.ONLY_RC4_PREAUTH, true);
        x.go();
    }

    void go() throws Exception {
        Krb5LoginModule krb5 = new Krb5LoginModule();
        StringBuffer error = new StringBuffer();
        try {
            Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
        } catch (Exception e) {
            error.append("Krb5LoginModule password login error\n");
        }
        try {
            Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false);
        } catch (Exception e) {
            error.append("Krb5LoginModule keytab login error\n");
        }
        try {
            Class.forName("sun.security.krb5.internal.tools.Kinit");
            String cmd = System.getProperty("java.home") +
                    System.getProperty("file.separator") +
                    "bin" +
                    System.getProperty("file.separator") +
                    "kinit";

            int p = execute(
                cmd,
                "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
                "-c", "cache1",
                OneKDC.USER,
                new String(OneKDC.PASS));
            if (p != 0) {
                error.append("kinit password login error\n");
            }
            p = execute(
                cmd,
                "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
                "-c", "cache2",
                "-k", "-t", OneKDC.KTAB,
                OneKDC.USER);
            if (p != 0) {
                error.append("kinit keytab login error\n");
            }
        } catch (ClassNotFoundException cnfe) {
            System.out.println("No kinit, test ignored.");
            // Ignore, not on windows
        }
        if (error.length() != 0) {
            throw new Exception(error.toString());
        }
    }

    private static int execute(String... args) throws Exception {
        for (String arg: args) {
            System.out.printf("%s ", arg);
        }
        System.out.println();
        Process p = Runtime.getRuntime().exec(args);
        return p.waitFor();
    }
}