--- a/jdk/test/sun/security/krb5/auto/KDC.java Fri Jul 29 10:55:21 2011 -0700
+++ b/jdk/test/sun/security/krb5/auto/KDC.java Thu Aug 04 18:18:45 2011 +0800
@@ -170,6 +170,10 @@
* Use only one preauth, so that some keys are not easy to generate
*/
ONLY_ONE_PREAUTH,
+ /**
+ * Set all name-type to a value in response
+ */
+ RESP_NT,
};
static {
@@ -637,10 +641,16 @@
*/
private byte[] processTgsReq(byte[] in) throws Exception {
TGSReq tgsReq = new TGSReq(in);
+ PrincipalName service = tgsReq.reqBody.sname;
+ if (options.containsKey(KDC.Option.RESP_NT)) {
+ service = new PrincipalName(service.getNameStrings(),
+ (int)options.get(KDC.Option.RESP_NT));
+ service.setRealm(service.getRealm());
+ }
try {
System.out.println(realm + "> " + tgsReq.reqBody.cname +
" sends TGS-REQ for " +
- tgsReq.reqBody.sname);
+ service);
KDCReqBody body = tgsReq.reqBody;
int[] eTypes = KDCReqBodyDotEType(body);
int e2 = eTypes[0]; // etype for outgoing session key
@@ -708,7 +718,7 @@
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
}
- if (configMatch("", body.sname.getNameString(), "ok-as-delegate")) {
+ if (configMatch("", service.getNameString(), "ok-as-delegate")) {
bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
}
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
@@ -728,13 +738,13 @@
: new HostAddresses(
new InetAddress[]{InetAddress.getLocalHost()}),
null);
- EncryptionKey skey = keyForUser(body.sname, e3, true);
+ EncryptionKey skey = keyForUser(service, e3, true);
if (skey == null) {
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
}
Ticket t = new Ticket(
body.crealm,
- body.sname,
+ service,
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
);
EncTGSRepPart enc_part = new EncTGSRepPart(
@@ -750,7 +760,7 @@
body.from,
till, body.rtime,
body.crealm,
- body.sname,
+ service,
body.addresses != null // always set caddr
? body.addresses
: new HostAddresses(
@@ -781,7 +791,7 @@
0,
ke.returnCode(),
body.crealm, body.cname,
- new Realm(getRealm()), body.sname,
+ new Realm(getRealm()), service,
KrbException.errorMessage(ke.returnCode()),
null);
}
@@ -800,10 +810,16 @@
int[] eTypes = null;
List<PAData> outPAs = new ArrayList<>();
+ PrincipalName service = asReq.reqBody.sname;
+ if (options.containsKey(KDC.Option.RESP_NT)) {
+ service = new PrincipalName(service.getNameStrings(),
+ (int)options.get(KDC.Option.RESP_NT));
+ service.setRealm(service.getRealm());
+ }
try {
System.out.println(realm + "> " + asReq.reqBody.cname +
" sends AS-REQ for " +
- asReq.reqBody.sname);
+ service);
KDCReqBody body = asReq.reqBody;
body.cname.setRealm(getRealm());
@@ -812,7 +828,7 @@
int eType = eTypes[0];
EncryptionKey ckey = keyForUser(body.cname, eType, false);
- EncryptionKey skey = keyForUser(body.sname, eType, true);
+ EncryptionKey skey = keyForUser(service, eType, true);
if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
@@ -826,7 +842,7 @@
if (!found) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
}
- skey = keyForUser(body.sname, tgtEType, true);
+ skey = keyForUser(service, tgtEType, true);
}
if (ckey == null) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
@@ -943,7 +959,7 @@
null);
Ticket t = new Ticket(
body.crealm,
- body.sname,
+ service,
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
);
EncASRepPart enc_part = new EncASRepPart(
@@ -959,7 +975,7 @@
body.from,
till, body.rtime,
body.crealm,
- body.sname,
+ service,
body.addresses
);
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
@@ -1023,7 +1039,7 @@
0,
ke.returnCode(),
body.crealm, body.cname,
- new Realm(getRealm()), body.sname,
+ new Realm(getRealm()), service,
KrbException.errorMessage(ke.returnCode()),
eData);
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/PrincipalNameEquals.java Thu Aug 04 18:18:45 2011 +0800
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7061379
+ * @summary [Kerberos] Cross-realm authentication fails, due to nameType problem
+ * @compile -XDignore.symbol.file PrincipalNameEquals.java
+ * @run main/othervm PrincipalNameEquals
+ */
+
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+
+public class PrincipalNameEquals {
+
+ public static void main(String[] args) throws Exception {
+
+ OneKDC kdc = new OneKDC(null);
+ kdc.writeJAASConf();
+ kdc.setOption(KDC.Option.RESP_NT, PrincipalName.KRB_NT_PRINCIPAL);
+
+ Context c, s;
+ c = Context.fromJAAS("client");
+ s = Context.fromJAAS("server");
+
+ c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ Context.handshake(c, s);
+
+ Context.transmit("i say high --", c, s);
+ Context.transmit(" you say low", s, c);
+
+ s.dispose();
+ c.dispose();
+ }
+}