remove more references of KRB5 and move the existing cipher suites to unsupported JDK-8145252-TLS13-branch
authorweijun
Thu, 07 Jun 2018 23:19:25 +0800
branchJDK-8145252-TLS13-branch
changeset 56692 7b0bde908f58
parent 56686 07dc566630ee
child 56693 64aa781522be
remove more references of KRB5 and move the existing cipher suites to unsupported
src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java
src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java
src/java.base/share/classes/sun/security/ssl/CipherSuite.java
src/java.base/share/classes/sun/security/ssl/JsseJce.java
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
src/java.base/share/classes/sun/security/util/HostnameChecker.java
--- a/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java	Thu Jun 07 23:19:25 2018 +0800
@@ -95,7 +95,7 @@
             premasterMajor = premaster[0] & 0xff;
             premasterMinor = premaster[1] & 0xff;
         } else {
-            // DH, KRB5, others
+            // DH, others
             premasterMajor = -1;
             premasterMinor = -1;
         }
--- a/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java	Thu Jun 07 23:19:25 2018 +0800
@@ -113,27 +113,19 @@
      * In com.sun.net.ssl.HostnameVerifier the method is defined
      * as verify(String urlHostname, String certHostname).
      * This means we need to extract the hostname from the X.509 certificate
-     * or from the Kerberos principal name, in this wrapper.
+     * in this wrapper.
      */
     public boolean verify(String hostname, javax.net.ssl.SSLSession session) {
         try {
-            String serverName;
-            // Use ciphersuite to determine whether Kerberos is active.
-            if (session.getCipherSuite().startsWith("TLS_KRB5")) {
-                serverName =
-                    HostnameChecker.getServerName(getPeerPrincipal(session));
-
-            } else { // X.509
-                Certificate[] serverChain = session.getPeerCertificates();
-                if ((serverChain == null) || (serverChain.length == 0)) {
-                    return false;
-                }
-                if (serverChain[0] instanceof X509Certificate == false) {
-                    return false;
-                }
-                X509Certificate serverCert = (X509Certificate)serverChain[0];
-                serverName = getServername(serverCert);
+            Certificate[] serverChain = session.getPeerCertificates();
+            if ((serverChain == null) || (serverChain.length == 0)) {
+                return false;
             }
+            if (serverChain[0] instanceof X509Certificate == false) {
+                return false;
+            }
+            X509Certificate serverCert = (X509Certificate)serverChain[0];
+            String serverName = getServername(serverCert);
             if (serverName == null) {
                 return false;
             }
@@ -144,23 +136,6 @@
     }
 
     /*
-     * Get the peer principal from the session
-     */
-    private Principal getPeerPrincipal(javax.net.ssl.SSLSession session)
-        throws javax.net.ssl.SSLPeerUnverifiedException
-    {
-        Principal principal;
-        try {
-            principal = session.getPeerPrincipal();
-        } catch (AbstractMethodError e) {
-            // if the provider does not support it, return null, since
-            // we need it only for Kerberos.
-            principal = null;
-        }
-        return principal;
-    }
-
-    /*
      * Extract the name of the SSL server from the certificate.
      *
      * Note this code is essentially a subset of the hostname extraction
--- a/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java	Thu Jun 07 23:19:25 2018 +0800
@@ -608,26 +608,17 @@
             HostnameChecker checker = HostnameChecker.getInstance(
                                                 HostnameChecker.TYPE_TLS);
 
-            // Use ciphersuite to determine whether Kerberos is present.
-            if (cipher.startsWith("TLS_KRB5")) {
-                if (!HostnameChecker.match(host, getPeerPrincipal())) {
-                    throw new SSLPeerUnverifiedException("Hostname checker" +
-                                " failed for Kerberos");
-                }
-            } else { // X.509
+            // get the subject's certificate
+            peerCerts = session.getPeerCertificates();
 
-                // get the subject's certificate
-                peerCerts = session.getPeerCertificates();
-
-                X509Certificate peerCert;
-                if (peerCerts[0] instanceof
-                        java.security.cert.X509Certificate) {
-                    peerCert = (java.security.cert.X509Certificate)peerCerts[0];
-                } else {
-                    throw new SSLPeerUnverifiedException("");
-                }
-                checker.match(host, peerCert);
+            X509Certificate peerCert;
+            if (peerCerts[0] instanceof
+                    java.security.cert.X509Certificate) {
+                peerCert = (java.security.cert.X509Certificate)peerCerts[0];
+            } else {
+                throw new SSLPeerUnverifiedException("");
             }
+            checker.match(host, peerCert);
 
             // if it doesn't throw an exception, we passed. Return.
             return;
--- a/src/java.base/share/classes/sun/security/ssl/CipherSuite.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/CipherSuite.java	Thu Jun 07 23:19:25 2018 +0800
@@ -290,17 +290,13 @@
     // by default.
     // They are listed in preference order, preferred first, using the
     // following criteria:
-    // 1. CipherSuites for KRB5 need additional KRB5 service
-    //    configuration, and these suites are not common in practice,
-    //    so we put KRB5 based cipher suites at the end of the supported
-    //    list.
-    // 2. If a cipher suite has been obsoleted, we put it at the end of
+    // 1. If a cipher suite has been obsoleted, we put it at the end of
     //    the list.
-    // 3. Prefer the stronger bulk cipher, in the order of AES_256,
+    // 2. Prefer the stronger bulk cipher, in the order of AES_256,
     //    AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL.
-    // 4. Prefer the stronger MAC algorithm, in the order of SHA384,
+    // 3. Prefer the stronger MAC algorithm, in the order of SHA384,
     //    SHA256, SHA, MD5.
-    // 5. Prefer the better performance of key exchange and digital
+    // 4. Prefer the better performance of key exchange and digital
     //    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
     //    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous.
     TLS_DH_anon_WITH_AES_256_GCM_SHA384(
@@ -456,48 +452,6 @@
             ProtocolVersion.PROTOCOLS_TO_12,
             K_RSA, B_NULL, M_MD5, H_SHA256),
 
-    // supported Kerberos ciphersuites from RFC2712
-    TLS_KRB5_WITH_3DES_EDE_CBC_SHA(
-            0x001F, false, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_3DES, M_SHA, H_SHA256),
-    TLS_KRB5_WITH_3DES_EDE_CBC_MD5(
-            0x0023, false, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_3DES, M_MD5, H_SHA256),
-    TLS_KRB5_WITH_RC4_128_SHA(
-            0x0020, false, "TLS_KRB5_WITH_RC4_128_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_RC4_128, M_SHA, H_SHA256),
-    TLS_KRB5_WITH_RC4_128_MD5(
-            0x0024, false, "TLS_KRB5_WITH_RC4_128_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_RC4_128, M_MD5, H_SHA256),
-    TLS_KRB5_WITH_DES_CBC_SHA(
-            0x001e, false, "TLS_KRB5_WITH_DES_CBC_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T11,
-            K_KRB5, B_DES, M_SHA, H_NONE),
-    TLS_KRB5_WITH_DES_CBC_MD5(
-            0x0022, false, "TLS_KRB5_WITH_DES_CBC_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T11,
-            K_KRB5, B_DES, M_MD5, H_NONE),
-    TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA(
-            0x0026, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_DES_40, M_SHA, H_NONE),
-    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5(
-            0x0029, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_DES_40, M_MD5, H_NONE),
-    TLS_KRB5_EXPORT_WITH_RC4_40_SHA(
-            0x0028, false, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_RC4_40, M_SHA, H_NONE),
-    TLS_KRB5_EXPORT_WITH_RC4_40_MD5(
-            0x002B, false, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_RC4_40, M_MD5, H_NONE),
-
     // Other values from the TLS Cipher Suite Registry, as of August 2010.
     //
     // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
@@ -543,10 +497,20 @@
     CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",           0xfeff),
 
     // Unsupported Kerberos cipher suites from RFC 2712
+    CS_001E("TLS_KRB5_WITH_DES_CBC_SHA",                    0x001E),
+    CS_001F("TLS_KRB5_WITH_3DES_EDE_CBC_SHA",               0x001F),
+    CS_0020("TLS_KRB5_WITH_RC4_128_SHA",                    0x0020),
     CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA",                   0x0021),
+    CS_0022("TLS_KRB5_WITH_DES_CBC_MD5",                    0x0022),
+    CS_0023("TLS_KRB5_WITH_3DES_EDE_CBC_MD5",               0x0023),
+    CS_0024("TLS_KRB5_WITH_RC4_128_MD5",                    0x0024),
     CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5",                   0x0025),
+    CS_0026("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",          0x0026),
     CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",          0x0027),
+    CS_0028("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",              0x0028),
+    CS_0029("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",          0x0029),
     CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",          0x002a),
+    CS_002B("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",              0x002B),
 
     // Unsupported cipher suites from RFC 4162
     CS_0096("TLS_RSA_WITH_SEED_CBC_SHA",                    0x0096),
@@ -1046,10 +1010,6 @@
         K_ECDHE_RSA  ("ECDHE_RSA",   true,      false,  NAMED_GROUP_ECDHE),
         K_ECDH_ANON  ("ECDH_anon",   true,      true,   NAMED_GROUP_ECDHE),
 
-        // Kerberos cipher suites
-        K_KRB5       ("KRB5", true,             false,  NAMED_GROUP_NONE),
-        K_KRB5_EXPORT("KRB5_EXPORT", true,      false,  NAMED_GROUP_NONE),
-
         // renegotiation protection request signaling cipher suite
         K_SCSV       ("SCSV",        true,      true,   NAMED_GROUP_NONE);
 
@@ -1069,8 +1029,7 @@
                 this.allowed = allowed;
             }
             this.groupType = groupType;
-            this.alwaysAvailable = allowed &&
-                (!name.startsWith("EC")) && (!name.startsWith("KRB"));
+            this.alwaysAvailable = allowed && (!name.startsWith("EC"));
             this.isAnonymous = isAnonymous;
         }
 
@@ -1081,8 +1040,6 @@
 
             if (groupType == NAMED_GROUP_ECDHE) {
                 return (allowed && JsseJce.isEcAvailable());
-            } else if (name.startsWith("KRB")) {
-                return (allowed && JsseJce.isKerberosAvailable());
             } else {
                 return allowed;
             }
--- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java	Thu Jun 07 23:19:25 2018 +0800
@@ -164,10 +164,6 @@
         return EcAvailability.isAvailable;
     }
 
-    static boolean isKerberosAvailable() {
-        return false;
-    }
-
     /**
      * Return an JCE cipher implementation for the specified algorithm.
      */
--- a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java	Thu Jun 07 23:19:25 2018 +0800
@@ -558,8 +558,8 @@
      * Return the cert chain presented by the peer in the
      * java.security.cert format.
      * Note: This method can be used only when using certificate-based
-     * cipher suites; using it with non-certificate-based cipher suites,
-     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * cipher suites; using it with non-certificate-based cipher suites
+     * will throw an SSLPeerUnverifiedException.
      *
      * @return array of peer X.509 certs, with the peer's own cert
      *  first in the chain, and with the "root" CA last.
@@ -604,8 +604,8 @@
      * Return the cert chain presented by the peer in the
      * javax.security.cert format.
      * Note: This method can be used only when using certificate-based
-     * cipher suites; using it with non-certificate-based cipher suites,
-     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * cipher suites; using it with non-certificate-based cipher suites
+     * will throw an SSLPeerUnverifiedException.
      *
      * @return array of peer X.509 certs, with the peer's own cert
      *  first in the chain, and with the "root" CA last.
@@ -646,8 +646,8 @@
     /**
      * Return the cert chain presented by the peer.
      * Note: This method can be used only when using certificate-based
-     * cipher suites; using it with non-certificate-based cipher suites,
-     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * cipher suites; using it with non-certificate-based cipher suites
+     * will throw an SSLPeerUnverifiedException.
      *
      * @return array of peer X.509 certs, with the peer's own cert
      *  first in the chain, and with the "root" CA last.
@@ -695,8 +695,7 @@
      * defining the session.
      *
      * @return the peer's principal. Returns an X500Principal of the
-     * end-entity certificate for X509-based cipher suites, and
-     * Principal for Kerberos cipher suites, etc.
+     * end-entity certificate for X509-based cipher suites.
      *
      * @throws SSLPeerUnverifiedException if the peer's identity has not
      *          been verified
@@ -715,9 +714,8 @@
      * Returns the principal that was sent to the peer during handshaking.
      *
      * @return the principal sent to the peer. Returns an X500Principal
-     * of the end-entity certificate for X509-based cipher suites, and
-     * Principal for Kerberos cipher suites, etc. If no principal was
-     * sent, then null is returned.
+     * of the end-entity certificate for X509-based cipher suites.
+     * If no principal was sent, then null is returned.
      */
     @Override
     public Principal getLocalPrincipal() {
--- a/src/java.base/share/classes/sun/security/util/HostnameChecker.java	Wed Jun 06 23:53:47 2018 -0700
+++ b/src/java.base/share/classes/sun/security/util/HostnameChecker.java	Thu Jun 07 23:19:25 2018 +0800
@@ -104,29 +104,6 @@
     }
 
     /**
-     * Perform the check for Kerberos.
-     */
-    public static boolean match(String expectedName, Principal principal) {
-        String hostName = getServerName(principal);
-        return (expectedName.equalsIgnoreCase(hostName));
-    }
-
-    /**
-     * Return the Server name from Kerberos principal.
-     */
-    public static String getServerName(Principal principal) {
-/*
-        ClientKeyExchangeService p =
-                ClientKeyExchangeService.find("KRB5");
-        if (p == null) {
-            throw new AssertionError("Kerberos should have been available");
-        }
-        return p.getServiceHostName(principal);
-*/
-        return null;
-    }
-
-    /**
      * Test whether the given hostname looks like a literal IPv4 or IPv6
      * address. The hostname does not need to be a fully qualified name.
      *