--- a/jdk/src/share/classes/sun/security/krb5/Credentials.java Wed Jun 02 17:53:54 2010 -0700
+++ b/jdk/src/share/classes/sun/security/krb5/Credentials.java Fri Jun 04 19:28:53 2010 +0800
@@ -356,6 +356,7 @@
* @param princ the client principal. This value cannot be null.
* @param secretKey the secret key of the client principal.This value
* cannot be null.
+ * @param password if null, caller is using a keytab
* @returns the TGT credentials
*/
public static Credentials acquireTGT(PrincipalName princ,
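Review bot: The new `@param password` line documents only the null case and leaves the consequence of that case to a code comment further down in the method. Since `password == null` now switches the AS-REQ to a restricted etype list, the Javadoc should say so, for example `@param password the client's password; if null, the caller is using a keytab and the AS-REQ etypes are limited to those of secretKey`. The signature continues outside the hunk, so the declared type of `password` cannot be confirmed from here.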
@@ -372,8 +373,18 @@
"Cannot have null secretKey to do AS-Exchange");
KrbAsRep asRep = null;
+
+ // The etype field to be placed in AS-REQ. If caller is using keytab,
+ // it must be limited to etypes in keytab. Otherwise, leave it null,
+ // and KrbAsReq will populate it with all supported etypes.
+
+ int[] eTypes = null;
+ if (password == null) {
+ eTypes = EncryptionKey.getETypes(secretKeys);
+ }
+
try {
- asRep = sendASRequest(princ, secretKeys, null);
+ asRep = sendASRequest(princ, secretKeys, eTypes, null);
} catch (KrbException ke) {
if ((ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) ||
(ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
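Review bot: Nothing in this hunk checks the result of `EncryptionKey.getETypes(secretKeys)` before it is passed to `sendASRequest`. The visible precondition message only covers a null `secretKeys`, so an empty key array would presumably produce an empty etype list and an AS-REQ that the KDC can only reject with a less helpful error. Consider failing early in the `password == null` branch, e.g. `if (eTypes.length == 0) throw new KrbException("No usable key in keytab");`. Because the request now advertises exactly what the keytab holds, a keytab containing only weak-etype keys restricts the exchange to those etypes, which is worth stating in the comment above `eTypes`. The body of acquireTGT starts and ends outside the hunk.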
@@ -396,7 +407,7 @@
princ.getSalt(), true,
error.getEType(), error.getParams());
}
- asRep = sendASRequest(princ, secretKeys, ke.getError());
+ asRep = sendASRequest(princ, secretKeys, eTypes, ke.getError());
} else {
throw ke;
}
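Review bot: The pre-auth retry passes both the keytab-derived `eTypes` and `ke.getError()`, and `sendASRequest` forwards `error.getEType()` to `KrbAsReq`, but nothing visible here checks that the KDC-hinted etype is one of the keytab etypes. If it is not, the outcome depends on key selection inside `KrbAsReq`, which is outside this diff. A short comment on the retry call would record the intended behaviour, e.g. `// keytab case: eTypes stays limited to keytab etypes even if the KDC hints another one`. The surrounding catch block begins outside the hunk.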
@@ -406,17 +417,18 @@
/**
* Sends the AS-REQ
+ * @param eTypes not null if caller using keytab
*/
private static KrbAsRep sendASRequest(PrincipalName princ,
- EncryptionKey[] secretKeys, KRBError error)
+ EncryptionKey[] secretKeys, int[] eTypes, KRBError error)
throws KrbException, IOException {
// %%%
KrbAsReq asReq = null;
if (error == null) {
- asReq = new KrbAsReq(princ, secretKeys);
+ asReq = new KrbAsReq(princ, secretKeys, eTypes);
} else {
- asReq = new KrbAsReq(princ, secretKeys, true,
+ asReq = new KrbAsReq(princ, secretKeys, eTypes, true,
error.getEType(), error.getSalt(), error.getParams());
}