diff -r 13588c901957 -r 9cf78a70fa4f src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java
--- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java Thu Oct 17 20:27:44 2019 +0100
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java Thu Oct 17 20:53:35 2019 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -53,13 +53,18 @@
 private static final long serialVersionUID = 7723415700837898232L;
+ @SuppressWarnings("serial") // Not statically typed as Serializable
 private Krb5NameElement name;
+ @SuppressWarnings("serial") // Not statically typed as Serializable
 private Credentials krb5Credentials;
+ public KerberosTicket proxyTicket;
 private Krb5InitCredential(Krb5NameElement name,
 byte[] asn1Encoding,
 KerberosPrincipal client,
+ KerberosPrincipal clientAlias,
 KerberosPrincipal server,
+ KerberosPrincipal serverAlias,
 byte[] sessionKey,
 int keyType,
 boolean[] flags,
@@ -80,14 +85,21 @@
 endTime,
 renewTill,
 clientAddresses);
-
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetClientAlias(this, clientAlias);
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetServerAlias(this, serverAlias);
 this.name = name;
 try {
 // Cache this for later use by the sun.security.krb5 package.
 krb5Credentials = new Credentials(asn1Encoding,
 client.getName(),
+ (clientAlias != null ?
+ clientAlias.getName() : null),
 server.getName(),
+ (serverAlias != null ?
+ serverAlias.getName() : null),
 sessionKey,
 keyType,
 flags,
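Review bot: `public KerberosTicket proxyTicket;` is the only non-private field in the class and it holds a ticket object, while the two `@SuppressWarnings("serial")` lines just above it keep `name` and `krb5Credentials` private; as far as this diff shows it is written only from `getInstance` in the same class, so `private` plus a package-private accessor would be enough. The field also carries no comment; I would add `/** Proxy ticket read from the TGT via kerberosTicketGetProxy; stays null when the credential is built from a delegated Credentials object. */`, the second half reflecting that only the tgt-based getInstance assigns it in this commit. The constructor whose parameter list this hunk extends continues past the hunk.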
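Review bot: `KerberosSecrets.getJavaxSecurityAuthKerberosAccess()` is looked up twice back to back to set the client and server alias; fetch it once, `var access = KerberosSecrets.getJavaxSecurityAuthKerberosAccess();` (or the explicit interface type if the file avoids var), then `access.kerberosTicketSetClientAlias(this, clientAlias);` and `access.kerberosTicketSetServerAlias(this, serverAlias);`. The same pair appears in the second constructor (hunk @@ -131) and the lookup is repeated three more times across getInstance (hunks @@ -153 and @@ -165). The null-guarded `(clientAlias != null ? clientAlias.getName() : null)` passed to `Credentials` is likewise duplicated for the server alias and would read better as a small private static helper. The constructor body runs past the end of the hunk.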
@@ -110,7 +122,9 @@
 Credentials delegatedCred,
 byte[] asn1Encoding,
 KerberosPrincipal client,
+ KerberosPrincipal clientAlias,
 KerberosPrincipal server,
+ KerberosPrincipal serverAlias,
 byte[] sessionKey,
 int keyType,
 boolean[] flags,
@@ -131,7 +145,10 @@
 endTime,
 renewTill,
 clientAddresses);
-
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetClientAlias(this, clientAlias);
+ KerberosSecrets.getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketSetServerAlias(this, serverAlias);
 this.name = name;
 // A delegated cred does not have all fields set. So do not try to
 // creat new Credentials out of the delegatedCred.
@@ -153,10 +170,18 @@
 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
 }
- return new Krb5InitCredential(name,
+ KerberosPrincipal clientAlias = KerberosSecrets
+ .getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketGetClientAlias(tgt);
+ KerberosPrincipal serverAlias = KerberosSecrets
+ .getJavaxSecurityAuthKerberosAccess()
+ .kerberosTicketGetServerAlias(tgt);
+ Krb5InitCredential result = new Krb5InitCredential(name,
 tgt.getEncoded(),
 tgt.getClient(),
+ clientAlias,
 tgt.getServer(),
+ serverAlias,
 tgt.getSessionKey().getEncoded(),
 tgt.getSessionKeyType(),
 tgt.getFlags(),
@@ -165,6 +190,9 @@
 tgt.getEndTime(),
 tgt.getRenewTill(),
 tgt.getClientAddresses());
+ result.proxyTicket = KerberosSecrets.getJavaxSecurityAuthKerberosAccess().
+ kerberosTicketGetProxy(tgt);
+ return result;
 }
 static Krb5InitCredential getInstance(Krb5NameElement name,
@@ -179,10 +207,14 @@
 */
 PrincipalName cPrinc = delegatedCred.getClient();
+ PrincipalName cAPrinc = delegatedCred.getClientAlias();
 PrincipalName sPrinc = delegatedCred.getServer();
+ PrincipalName sAPrinc = delegatedCred.getServerAlias();
 KerberosPrincipal client = null;
+ KerberosPrincipal clientAlias = null;
 KerberosPrincipal server = null;
+ KerberosPrincipal serverAlias = null;
 Krb5NameElement credName = null;
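Review bot: In hunk @@ -165, `KerberosSecrets.getJavaxSecurityAuthKerberosAccess().` ends the line with the dot, whereas every other chained call this commit adds (the alias lookups a few lines up and the setters in both constructors) starts the continuation line with `.method`; reformat to `result.proxyTicket = KerberosSecrets.getJavaxSecurityAuthKerberosAccess()` / `.kerberosTicketGetProxy(tgt);`. Because the value is written into a public field after construction instead of being passed to the constructor, a reader has to check the other factory to learn that it is left unset there; a comment such as `// Only the TGT-based factory sets this; the delegated-credential overload leaves it null.` would make that explicit at the assignment.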
@@ -193,6 +225,10 @@
 client = new KerberosPrincipal(fullName);
 }
+ if (cAPrinc != null) {
+ clientAlias = new KerberosPrincipal(cAPrinc.getName());
+ }
+
 // XXX Compare name to credName
 if (sPrinc != null) {
@@ -201,11 +237,17 @@
 KerberosPrincipal.KRB_NT_SRV_INST);
 }
+ if (sAPrinc != null) {
+ serverAlias = new KerberosPrincipal(sAPrinc.getName());
+ }
+
 return new Krb5InitCredential(credName,
 delegatedCred,
 delegatedCred.getEncoded(),
 client,
+ clientAlias,
 server,
+ serverAlias,
 sessionKey.getBytes(),
 sessionKey.getEType(),
 delegatedCred.getFlags(),
@@ -333,9 +375,9 @@
 public KerberosTicket run() throws Exception {
 // It's OK to use null as serverPrincipal. TGT is almost
 // the first ticket for a principal and we use list.
- return Krb5Util.getTicket(
+ return Krb5Util.getInitialTicket(
 realCaller,
- clientPrincipal, null, acc);
+ clientPrincipal, acc);
 }});
 } catch (PrivilegedActionException e) {
 GSSException ge =
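Review bot: In hunk @@ -193, `clientAlias = new KerberosPrincipal(cAPrinc.getName());` builds the alias from the bare principal-name string, while the surrounding code builds `client` from `fullName` (assembled above the hunk) and, in hunk @@ -201, builds `server` with `KerberosPrincipal.KRB_NT_SRV_INST` but `serverAlias` with the default name type. If `PrincipalName.getName()` omits the realm that `fullName` carries, or if the name type matters wherever the alias is later compared with the principal it stands for, the aliases will not be equivalent to the principals they alias; either mirror the existing conversions or add a comment stating why the plain string form is sufficient here. The enclosing getInstance overload begins before the hunk.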
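Review bot: In hunk @@ -333, the comment `// It's OK to use null as serverPrincipal.` is now stale, because the rewritten call `Krb5Util.getInitialTicket(realCaller, clientPrincipal, acc)` no longer takes a serverPrincipal argument at all. Trim it to what still holds, e.g. `// A TGT is the initial ticket for a principal, so no server principal is needed here.`, and repair the dangling fragment "and we use list" on the next line while at it. The anonymous action that wraps `run()` starts above the hunk.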