6979329: CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1
authorweijun
Mon, 22 Nov 2010 09:43:58 +0800
changeset 7288 a38f3099e518
parent 7287 fe038b724bcb
child 7290 15905ab1a64a
child 7292 ff70dc612d95
6979329: CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1 Reviewed-by: valeriep
jdk/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java
jdk/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java
jdk/test/sun/security/krb5/UnknownCCEntry.java
--- a/jdk/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java	Sat Nov 20 07:00:31 2010 -0800
+++ b/jdk/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java	Mon Nov 22 09:43:58 2010 +0800
@@ -250,16 +250,16 @@
         else return null;
     }
 
-    Ticket readData() throws IOException, RealmException, KrbApErrException, Asn1Exception {
+    byte[] readData() throws IOException {
         int length;
         length = read(4);
-        if (length > 0) {
+        if (length == 0) {
+            return null;
+        } else {
             byte[] bytes = new byte[length];
             read(bytes, 0, length);
-            Ticket ticket = new Ticket(bytes);
-            return ticket;
+            return bytes;
         }
-        else return null;
     }
 
     boolean[] readFlags() throws IOException {
@@ -328,6 +328,17 @@
         }
         return flags;
     }
+
+    /**
+     * Reads the next cred in stream.
+     * @return the next cred, null if ticket or second_ticket unparseable.
+     *
+     * Note: MIT krb5 1.8.1 might generate a config entry with server principal
+     * X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/REALM@REALM. The
+     * entry is used by KDC to inform the client that it support certain
+     * features. Its ticket is not a valid krb5 ticket and thus this method
+     * returns null.
+     */
     Credentials readCred(int version) throws IOException,RealmException, KrbApErrException, Asn1Exception {
         PrincipalName cpname = readPrincipal(version);
         if (DEBUG)
@@ -367,17 +378,17 @@
         if (auData != null) {
             auData = new AuthorizationData(auDataEntry);
         }
-        Ticket ticket = readData();
-        if (DEBUG) {
-            System.out.println(">>>DEBUG <CCacheInputStream>");
-            if (ticket == null) {
-                System.out.println("///ticket is null");
-            }
+        byte[] ticketData = readData();
+        byte[] ticketData2 = readData();
+
+        try {
+            return new Credentials(cpname, spname, key, authtime, starttime,
+                endtime, renewTill, skey, tFlags,
+                addrs, auData,
+                ticketData != null ? new Ticket(ticketData) : null,
+                ticketData2 != null ? new Ticket(ticketData2) : null);
+        } catch (Exception e) {     // If any of new Ticket(*) fails.
+            return null;
         }
-        Ticket secTicket = readData();
-        Credentials cred = new Credentials(cpname, spname, key, authtime, starttime,
-                                           endtime, renewTill, skey, tFlags,
-                                           addrs, auData, ticket, secTicket);
-        return cred;
     }
 }
--- a/jdk/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java	Sat Nov 20 07:00:31 2010 -0800
+++ b/jdk/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java	Mon Nov 22 09:43:58 2010 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -186,7 +186,10 @@
         primaryRealm = primaryPrincipal.getRealm();
         credentialsList = new Vector<Credentials> ();
         while (cis.available() > 0) {
-            credentialsList.addElement(cis.readCred(version));
+            Credentials cred = cis.readCred(version);
+            if (cred != null) {
+                credentialsList.addElement(cred);
+            }
         }
         cis.close();
     }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/UnknownCCEntry.java	Mon Nov 22 09:43:58 2010 +0800
@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+/*
+ * @test
+ * @bug 6979329
+ * @summary CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import sun.security.krb5.internal.ccache.CCacheInputStream;
+import sun.security.krb5.internal.ccache.CredentialsCache;
+
+public class UnknownCCEntry {
+    public static void main(String[] args) throws Exception {
+        // This is a ccache file generated on a test machine:
+        // Default principal: dummy@MAX.LOCAL
+        // Valid starting     Expires            Service principal
+        // 08/24/10 10:37:28  08/25/10 10:37:28  krbtgt/MAX.LOCAL@MAX.LOCAL
+        // Flags: FI, Etype (skey, tkt): AES-128 CTS mode with 96-bit SHA-1
+        //        HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
+        byte[] krb5cc = {
+            (byte)0x05, (byte)0x04, (byte)0x00, (byte)0x0C,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x08,
+            (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFA,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x58, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x05, (byte)0x64, (byte)0x75, (byte)0x6D,
+            (byte)0x6D, (byte)0x79, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x58, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x64,
+            (byte)0x75, (byte)0x6D, (byte)0x6D, (byte)0x79,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x58, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x06, (byte)0x6B, (byte)0x72, (byte)0x62,
+            (byte)0x74, (byte)0x67, (byte)0x74, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x09, (byte)0x4D,
+            (byte)0x41, (byte)0x58, (byte)0x2E, (byte)0x4C,
+            (byte)0x4F, (byte)0x43, (byte)0x41, (byte)0x4C,
+            (byte)0x00, (byte)0x11, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x10, (byte)0x92, (byte)0x1D,
+            (byte)0x1A, (byte)0x0C, (byte)0x7F, (byte)0xB8,
+            (byte)0x01, (byte)0x2E, (byte)0xC9, (byte)0xF5,
+            (byte)0x7B, (byte)0x92, (byte)0x81, (byte)0xCA,
+            (byte)0x49, (byte)0xC5, (byte)0x4C, (byte)0x73,
+            (byte)0x30, (byte)0x68, (byte)0x4C, (byte)0x73,
+            (byte)0x30, (byte)0x68, (byte)0x4C, (byte)0x74,
+            (byte)0x81, (byte)0xE8, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x40,
+            (byte)0x41, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x01, (byte)0x29, (byte)0x61,
+            (byte)0x82, (byte)0x01, (byte)0x25, (byte)0x30,
+            (byte)0x82, (byte)0x01, (byte)0x21, (byte)0xA0,
+            (byte)0x03, (byte)0x02, (byte)0x01, (byte)0x05,
+            (byte)0xA1, (byte)0x0B, (byte)0x1B, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x58, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0xA2, (byte)0x1E, (byte)0x30,
+            (byte)0x1C, (byte)0xA0, (byte)0x03, (byte)0x02,
+            (byte)0x01, (byte)0x00, (byte)0xA1, (byte)0x15,
+            (byte)0x30, (byte)0x13, (byte)0x1B, (byte)0x06,
+            (byte)0x6B, (byte)0x72, (byte)0x62, (byte)0x74,
+            (byte)0x67, (byte)0x74, (byte)0x1B, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x58, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0xA3, (byte)0x81, (byte)0xEC,
+            (byte)0x30, (byte)0x81, (byte)0xE9, (byte)0xA0,
+            (byte)0x03, (byte)0x02, (byte)0x01, (byte)0x12,
+            (byte)0xA1, (byte)0x03, (byte)0x02, (byte)0x01,
+            (byte)0x01, (byte)0xA2, (byte)0x81, (byte)0xDC,
+            (byte)0x04, (byte)0x81, (byte)0xD9, (byte)0xFB,
+            (byte)0x4B, (byte)0xD2, (byte)0x55, (byte)0x33,
+            (byte)0xA8, (byte)0x1A, (byte)0xE6, (byte)0xB5,
+            (byte)0x3D, (byte)0x67, (byte)0x46, (byte)0x69,
+            (byte)0x6F, (byte)0x0A, (byte)0x64, (byte)0xE7,
+            (byte)0x3D, (byte)0xEF, (byte)0x22, (byte)0xBE,
+            (byte)0x81, (byte)0x32, (byte)0xF3, (byte)0x72,
+            (byte)0xB4, (byte)0x50, (byte)0xE3, (byte)0xC3,
+            (byte)0xDB, (byte)0xE5, (byte)0x38, (byte)0x3C,
+            (byte)0x60, (byte)0xC8, (byte)0x08, (byte)0x53,
+            (byte)0x44, (byte)0x6F, (byte)0xDF, (byte)0x55,
+            (byte)0x67, (byte)0x32, (byte)0x02, (byte)0xDD,
+            (byte)0x6B, (byte)0xFB, (byte)0x23, (byte)0x1A,
+            (byte)0x88, (byte)0x71, (byte)0xE0, (byte)0xF8,
+            (byte)0xBB, (byte)0x51, (byte)0x1E, (byte)0x76,
+            (byte)0xC9, (byte)0x1F, (byte)0x45, (byte)0x9B,
+            (byte)0xA0, (byte)0xA5, (byte)0x61, (byte)0x45,
+            (byte)0x9E, (byte)0x65, (byte)0xB8, (byte)0xD6,
+            (byte)0x0E, (byte)0x3C, (byte)0xD9, (byte)0x56,
+            (byte)0xD6, (byte)0xA6, (byte)0xDD, (byte)0x36,
+            (byte)0x21, (byte)0x25, (byte)0x0E, (byte)0xE6,
+            (byte)0xAD, (byte)0xA0, (byte)0x3A, (byte)0x9B,
+            (byte)0x21, (byte)0x87, (byte)0xE2, (byte)0xAF,
+            (byte)0x3A, (byte)0xEF, (byte)0x75, (byte)0x85,
+            (byte)0xA8, (byte)0xD7, (byte)0xE5, (byte)0x46,
+            (byte)0xD8, (byte)0x5C, (byte)0x17, (byte)0x4E,
+            (byte)0x64, (byte)0x51, (byte)0xDB, (byte)0x38,
+            (byte)0x8E, (byte)0x6B, (byte)0x02, (byte)0x05,
+            (byte)0x46, (byte)0x77, (byte)0xD0, (byte)0x75,
+            (byte)0x8A, (byte)0xE0, (byte)0x42, (byte)0x5E,
+            (byte)0x8D, (byte)0x49, (byte)0x86, (byte)0xDE,
+            (byte)0x6C, (byte)0xBC, (byte)0xAF, (byte)0x10,
+            (byte)0x9A, (byte)0x97, (byte)0x64, (byte)0xA6,
+            (byte)0xBD, (byte)0xDB, (byte)0x01, (byte)0x40,
+            (byte)0xA9, (byte)0x3D, (byte)0x74, (byte)0x99,
+            (byte)0xDC, (byte)0x63, (byte)0x34, (byte)0x40,
+            (byte)0x31, (byte)0x57, (byte)0xC7, (byte)0x70,
+            (byte)0x9F, (byte)0xCE, (byte)0xC6, (byte)0x7B,
+            (byte)0x00, (byte)0x5B, (byte)0x02, (byte)0x5C,
+            (byte)0xC7, (byte)0x81, (byte)0x40, (byte)0x4D,
+            (byte)0xA7, (byte)0xB1, (byte)0xD2, (byte)0xEA,
+            (byte)0x8E, (byte)0xEC, (byte)0xA0, (byte)0xB3,
+            (byte)0x03, (byte)0x29, (byte)0xB8, (byte)0x44,
+            (byte)0xD7, (byte)0xA1, (byte)0x2B, (byte)0x37,
+            (byte)0x9D, (byte)0x19, (byte)0x11, (byte)0x1D,
+            (byte)0x58, (byte)0xE8, (byte)0x06, (byte)0xE7,
+            (byte)0x06, (byte)0xE3, (byte)0xF7, (byte)0xEF,
+            (byte)0x05, (byte)0xA9, (byte)0x05, (byte)0x93,
+            (byte)0x42, (byte)0x94, (byte)0x5A, (byte)0xD6,
+            (byte)0xA0, (byte)0x24, (byte)0x3A, (byte)0x52,
+            (byte)0x92, (byte)0xA3, (byte)0x79, (byte)0x98,
+            (byte)0x3C, (byte)0x68, (byte)0x55, (byte)0x1B,
+            (byte)0x6A, (byte)0xC5, (byte)0x83, (byte)0x89,
+            (byte)0x5A, (byte)0x79, (byte)0x5C, (byte)0x52,
+            (byte)0xBA, (byte)0xB8, (byte)0xF7, (byte)0x72,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x58, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x05, (byte)0x64, (byte)0x75, (byte)0x6D,
+            (byte)0x6D, (byte)0x79, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x03, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x0C, (byte)0x58, (byte)0x2D,
+            (byte)0x43, (byte)0x41, (byte)0x43, (byte)0x48,
+            (byte)0x45, (byte)0x43, (byte)0x4F, (byte)0x4E,
+            (byte)0x46, (byte)0x3A, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x15, (byte)0x6B, (byte)0x72,
+            (byte)0x62, (byte)0x35, (byte)0x5F, (byte)0x63,
+            (byte)0x63, (byte)0x61, (byte)0x63, (byte)0x68,
+            (byte)0x65, (byte)0x5F, (byte)0x63, (byte)0x6F,
+            (byte)0x6E, (byte)0x66, (byte)0x5F, (byte)0x64,
+            (byte)0x61, (byte)0x74, (byte)0x61, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x0A, (byte)0x66,
+            (byte)0x61, (byte)0x73, (byte)0x74, (byte)0x5F,
+            (byte)0x61, (byte)0x76, (byte)0x61, (byte)0x69,
+            (byte)0x6C, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x1A, (byte)0x6B, (byte)0x72, (byte)0x62,
+            (byte)0x74, (byte)0x67, (byte)0x74, (byte)0x2F,
+            (byte)0x4D, (byte)0x41, (byte)0x58, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x40, (byte)0x4D, (byte)0x41,
+            (byte)0x58, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x03, (byte)0x79, (byte)0x65,
+            (byte)0x73, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00,
+        };
+
+        File f = File.createTempFile("ccache", "cc", new File("."));
+        FileOutputStream fout = new FileOutputStream(f);
+        fout.write(krb5cc);
+        fout.close();
+
+        CredentialsCache cc = CredentialsCache.getInstance(f.getPath());
+        if (!cc.getDefaultCreds().getServicePrincipal().getNameStrings()[0]
+                .equals("krbtgt")) {
+            throw new Exception("No TGT found");
+        }
+    }
+}