6893158: AP_REQ check should use key version number
Reviewed-by: valeriep, xuelei
--- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java Tue Oct 27 08:55:35 2009 +0000
+++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java Wed Oct 28 15:32:30 2009 +0800
@@ -1,5 +1,5 @@
/*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -503,7 +503,19 @@
+ '\n'));
}
+ /**
+ * Find a key with given etype
+ */
public static EncryptionKey findKey(int etype, EncryptionKey[] keys)
+ throws KrbException {
+ return findKey(etype, null, keys);
+ }
+
+ /**
+ * Find a key with given etype and kvno
+ * @param kvno if null, return any (first?) key
+ */
+ public static EncryptionKey findKey(int etype, Integer kvno, EncryptionKey[] keys)
throws KrbException {
// check if encryption type is supported
@@ -516,7 +528,8 @@
for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getEType();
if (EType.isSupported(ktype)) {
- if (etype == ktype) {
+ Integer kv = keys[i].getKeyVersionNumber();
+ if (etype == ktype && (kvno == null || kvno.equals(kv))) {
return keys[i];
}
}
@@ -528,8 +541,11 @@
for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getEType();
if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
- ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
- return new EncryptionKey(etype, keys[i].getBytes());
+ ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
+ Integer kv = keys[i].getKeyVersionNumber();
+ if (kvno == null || kvno.equals(kv)) {
+ return new EncryptionKey(etype, keys[i].getBytes());
+ }
}
}
}
--- a/jdk/src/share/classes/sun/security/krb5/KrbApReq.java Tue Oct 27 08:55:35 2009 +0000
+++ b/jdk/src/share/classes/sun/security/krb5/KrbApReq.java Wed Oct 28 15:32:30 2009 +0800
@@ -268,7 +268,8 @@
private void authenticate(EncryptionKey[] keys, InetAddress initiator)
throws KrbException, IOException {
int encPartKeyType = apReqMessg.ticket.encPart.getEType();
- EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
+ Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber();
+ EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys);
if (dkey == null) {
throw new KrbException(Krb5.API_INVALID_ARG,
--- a/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java Tue Oct 27 08:55:35 2009 +0000
+++ b/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java Wed Oct 28 15:32:30 2009 +0800
@@ -395,6 +395,28 @@
}
}
+ /**
+ * Only used by KDC test. This method can specify kvno and does not
+ * remove any old keys.
+ */
+ public void addEntry(PrincipalName service, char[] psswd, int kvno)
+ throws KrbException {
+
+ EncryptionKey[] encKeys = EncryptionKey.acquireSecretKeys(
+ psswd, service.getSalt());
+
+ for (int i = 0; encKeys != null && i < encKeys.length; i++) {
+ int keyType = encKeys[i].getEType();
+ byte[] keyValue = encKeys[i].getBytes();
+ KeyTabEntry newEntry = new KeyTabEntry(service,
+ service.getRealm(),
+ new KerberosTime(System.currentTimeMillis()),
+ kvno, keyType, keyValue);
+ if (entries == null)
+ entries = new Vector<KeyTabEntry> ();
+ entries.addElement(newEntry);
+ }
+ }
/**
* Retrieves the key table entry with the specified service name.
--- a/jdk/test/sun/security/krb5/auto/KDC.java Tue Oct 27 08:55:35 2009 +0000
+++ b/jdk/test/sun/security/krb5/auto/KDC.java Wed Oct 28 15:32:30 2009 +0800
@@ -466,7 +466,17 @@
// the krb5.conf config file would be loaded.
Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE);
stringToKey.setAccessible(true);
- return new EncryptionKey((byte[]) stringToKey.invoke(null, getPassword(p), getSalt(p), null, etype), etype, null);
+ Integer kvno = null;
+ // For service whose password ending with a number, use it as kvno
+ if (p.toString().indexOf('/') >= 0) {
+ char[] pass = getPassword(p);
+ if (Character.isDigit(pass[pass.length-1])) {
+ kvno = pass[pass.length-1] - '0';
+ }
+ }
+ return new EncryptionKey((byte[]) stringToKey.invoke(
+ null, getPassword(p), getSalt(p), null, etype),
+ etype, kvno);
} catch (InvocationTargetException ex) {
KrbException ke = (KrbException)ex.getCause();
throw ke;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/MoreKvno.java Wed Oct 28 15:32:30 2009 +0800
@@ -0,0 +1,70 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6893158
+ * @summary AP_REQ check should use key version number
+ */
+
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+import sun.security.krb5.internal.ktab.KeyTab;
+
+public class MoreKvno {
+
+ public static void main(String[] args)
+ throws Exception {
+
+ OneKDC kdc = new OneKDC(null);
+ kdc.writeJAASConf();
+
+ // Rewrite keytab, 3 set of keys with different kvno
+ KeyTab ktab = KeyTab.create(OneKDC.KTAB);
+ PrincipalName p = new PrincipalName(OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
+ ktab.addEntry(p, "pass0".toCharArray(), 0);
+ ktab.addEntry(p, "pass2".toCharArray(), 2);
+ ktab.addEntry(p, "pass1".toCharArray(), 1);
+ ktab.save();
+
+ kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
+ go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept");
+ kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
+ // "server" initiate also, check pass2 is used at authentication
+ go(OneKDC.SERVER, "server");
+ }
+
+ static void go(String server, String entry) throws Exception {
+ Context c, s;
+ c = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
+ s = Context.fromJAAS(entry);
+
+ c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ Context.handshake(c, s);
+
+ s.dispose();
+ c.dispose();
+ }
+}