8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
Reviewed-by: xuelei
--- a/jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosTicket.java Thu Aug 24 16:52:21 2017 -0700
+++ b/jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosTicket.java Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -307,11 +307,7 @@
this.flags = new boolean[NUM_FLAGS];
}
- if (this.flags[RENEWABLE_TICKET_FLAG]) {
- if (renewTill == null) {
- throw new IllegalArgumentException("The renewable period "
- + "end time cannot be null for renewable tickets.");
- }
+ if (this.flags[RENEWABLE_TICKET_FLAG] && renewTill != null) {
this.renewTill = new Date(renewTill.getTime());
}
@@ -579,6 +575,12 @@
if (!isRenewable()) {
throw new RefreshFailedException("This ticket is not renewable");
}
+
+ if (getRenewTill() == null) {
+ // Renewable ticket without renew-till. Illegal and ignored.
+ return;
+ }
+
if (System.currentTimeMillis() > getRenewTill().getTime()) {
throw new RefreshFailedException("This ticket is past "
+ "its last renewal time.");
--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java Thu Aug 24 16:52:21 2017 -0700
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@
import sun.security.krb5.internal.crypto.*;
import java.io.IOException;
import java.net.UnknownHostException;
+import java.time.Instant;
/**
* This class encapsulates a Kerberos TGS-REQ that is sent from the
@@ -285,7 +286,12 @@
throws IOException, KrbException, UnknownHostException {
KerberosTime req_till = null;
if (till == null) {
- req_till = new KerberosTime(0);
+ String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
+ if (d != null) {
+ req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
+ } else {
+ req_till = new KerberosTime(0); // Choose KDC maximum allowed
+ }
} else {
req_till = till;
}
--- a/jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Thu Aug 24 16:52:21 2017 -0700
+++ b/jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -994,6 +994,10 @@
if (!creds.isRenewable())
throw new RefreshFailedException("This ticket" +
" is not renewable");
+ if (creds.getRenewTill() == null) {
+ // Renewable ticket without renew-till. Illegal and ignored.
+ return creds;
+ }
if (System.currentTimeMillis() > cred.getRenewTill().getTime())
throw new RefreshFailedException("This ticket is past "
+ "its last renewal time.");
--- a/jdk/test/sun/security/krb5/auto/KDC.java Thu Aug 24 16:52:21 2017 -0700
+++ b/jdk/test/sun/security/krb5/auto/KDC.java Fri Aug 25 09:28:10 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,8 +30,6 @@
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
-import java.time.temporal.TemporalAmount;
-import java.time.temporal.TemporalUnit;
import java.util.*;
import java.util.concurrent.*;
@@ -734,7 +732,7 @@
if (till == null) {
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
} else if (till.isZero()) {
- till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
+ till = new KerberosTime(new Date().getTime() + 1000 * DEFAULT_LIFETIME);
}
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
@@ -811,6 +809,18 @@
}
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
+ KerberosTime renewTill = etp.renewTill;
+ if (renewTill != null && body.kdcOptions.get(KDCOptions.RENEW)) {
+ // till should never pass renewTill
+ if (till.greaterThan(renewTill)) {
+ till = renewTill;
+ }
+ if (System.getProperty("test.set.null.renew") != null) {
+ // Testing 8186576, see NullRenewUntil.java.
+ renewTill = null;
+ }
+ }
+
TicketFlags tFlags = new TicketFlags(bFlags);
EncTicketPart enc = new EncTicketPart(
tFlags,
@@ -819,7 +829,7 @@
new TransitedEncoding(1, new byte[0]), // TODO
new KerberosTime(new Date()),
body.from,
- till, etp.renewTill,
+ till, renewTill,
body.addresses != null ? body.addresses
: etp.caddr,
null);
@@ -844,7 +854,7 @@
tFlags,
new KerberosTime(new Date()),
body.from,
- till, etp.renewTill,
+ till, renewTill,
service,
body.addresses
);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/NullRenewUntil.java Fri Aug 25 09:28:10 2017 +0800
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8186576
+ * @summary KerberosTicket does not properly handle renewable tickets
+ * at the end of their lifetime
+ * @library /test/lib
+ * @compile -XDignore.symbol.file NullRenewUntil.java
+ * @run main/othervm -Dtest.set.null.renew NullRenewUntil
+ */
+
+import jdk.test.lib.Asserts;
+import sun.security.krb5.Config;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public class NullRenewUntil {
+
+ public static void main(String[] args) throws Exception {
+
+ OneKDC kdc = new OneKDC(null);
+
+ KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
+ "ticket_lifetime = 10s",
+ "renew_lifetime = 11s");
+ Config.refresh();
+
+ KerberosTicket ticket = Context
+ .fromUserPass(OneKDC.USER, OneKDC.PASS, false).s()
+ .getPrivateCredentials(KerberosTicket.class).iterator().next();
+
+ System.out.println(ticket);
+ Asserts.assertTrue(ticket.getRenewTill() != null, ticket.toString());
+
+ Thread.sleep(2000);
+
+ ticket.refresh();
+ System.out.println(ticket);
+ Asserts.assertTrue(ticket.getRenewTill() == null, ticket.toString());
+
+ Thread.sleep(2000);
+ ticket.refresh();
+ System.out.println(ticket);
+ }
+}