infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-02-19 23:05:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

8014310: JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679

Browse Source 
Reviewed-by: valeriep
This commit is contained in:
Weijun Wang 2013-06-13 09:59:29 +08:00
parent 5a6e3cdfde
commit 77e684366c
9 changed files with 96 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
jdk/src/share/classes/sun/security/krb5/Config.java
View File

@ -761,22 +761,23 @@ public class Config {
}
/**
* Returns the default encryption types.
*
* Returns all etypes specified in krb5.conf for the given configName,
* or all the builtin defaults. This result is always non-empty.
* If no etypes are found, an exception is thrown.
*/
public int[] defaultEtype(String enctypes) {
public int[] defaultEtype(String configName) throws KrbException {
String default_enctypes;
default_enctypes = get("libdefaults", enctypes);
String delim = " ";
StringTokenizer st;
default_enctypes = get("libdefaults", configName);
int[] etype;
if (default_enctypes == null) {
if (DEBUG) {
System.out.println("Using builtin default etypes for " +
enctypes);
configName);
}
etype = EType.getBuiltInDefaults();
} else {
String delim = " ";
StringTokenizer st;
for (int j = 0; j < default_enctypes.length(); j++) {
if (default_enctypes.substring(j, j + 1).equals(",")) {
// only two delimiters are allowed to use
@ -791,17 +792,13 @@ public class Config {
int type;
for (int i = 0; i < len; i++) {
type = Config.getType(st.nextToken());
if ((type != -1) &&
(EType.isSupported(type))) {
if (type != -1 && EType.isSupported(type)) {
ls.add(type);
}
}
if (ls.isEmpty()) {
if (DEBUG) {
System.out.println(
"no supported default etypes for " + enctypes);
}
return null;
throw new KrbException("no supported default etypes for "
+ configName);
} else {
etype = new int[ls.size()];
for (int i = 0; i < etype.length; i++) {
@ -811,7 +808,7 @@ public class Config {
}
if (DEBUG) {
System.out.print("default etypes for " + enctypes + ":");
System.out.print("default etypes for " + configName + ":");
for (int i = 0; i < etype.length; i++) {
System.out.print(" " + etype[i]);
}

33
jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
View File

@ -97,36 +97,6 @@ public class EncryptionKey
return new EncryptionKey(keyValue, keyType, kvno);
}
/**
* Obtains the latest version of the secret key of
* the principal from a keytab.
*
* @param princ the principal whose secret key is desired
* @param keytab the path to the keytab file. A value of null
* will be accepted to indicate that the default path should be
* searched.
* @returns the secret key or null if none was found.
*/
/*
// Replaced by acquireSecretKeys
public static EncryptionKey acquireSecretKey(PrincipalName princ,
String keytab)
throws KrbException, IOException {
if (princ == null) {
throw new IllegalArgumentException(
"Cannot have null pricipal name to look in keytab.");
}
KeyTab ktab = KeyTab.getInstance(keytab);
if (ktab == null)
return null;
return ktab.readServiceKey(princ);
}
*/
/**
* Obtains all versions of the secret key of the principal from a
* keytab.
@ -208,9 +178,6 @@ public class EncryptionKey
String salt) throws KrbException {
int[] etypes = EType.getDefaults("default_tkt_enctypes");
if (etypes == null) {
etypes = EType.getBuiltInDefaults();
}
EncryptionKey[] encKeys = new EncryptionKey[etypes.length];
for (int i = 0; i < etypes.length; i++) {

4
jdk/src/share/classes/sun/security/krb5/KrbApReq.java
View File

@ -490,10 +490,6 @@ public class KrbApReq {
// Check that key is one of the permitted types
private static void checkPermittedEType(int target) throws KrbException {
int[] etypes = EType.getDefaults("permitted_enctypes");
if (etypes == null) {
throw new KrbException(
"No supported encryption types listed in permitted_enctypes");
}
if (!EType.isSupported(target, etypes)) {
throw new KrbException(EType.toString(target) +
" encryption type not in permitted_enctypes list");

7
jdk/src/share/classes/sun/security/krb5/KrbTgsReq.java
View File

@ -291,8 +291,7 @@ public class KrbTgsReq {
Ticket[] additionalTickets,
EncryptionKey subKey,
PAData extraPA)
throws Asn1Exception, IOException, KdcErrException, KrbApErrException,
UnknownHostException, KrbCryptoException {
throws IOException, KrbException, UnknownHostException {
KerberosTime req_till = null;
if (till == null) {
req_till = new KerberosTime(0);
@ -314,10 +313,6 @@ public class KrbTgsReq {
int[] req_eTypes = null;
if (eTypes == null) {
req_eTypes = EType.getDefaults("default_tgs_enctypes");
if (req_eTypes == null) {
throw new KrbCryptoException(
"No supported encryption types listed in default_tgs_enctypes");
}
} else {
req_eTypes = eTypes;
}

16
jdk/src/share/classes/sun/security/krb5/internal/crypto/EType.java
View File

@ -230,11 +230,14 @@ public abstract class EType {
/**
* Retrieves the default etypes from the configuration file, or
* if that's not available, return the built-in list of default etypes.
* This result is always non-empty. If no etypes are found,
* an exception is thrown.
*/
// used in KrbAsReq, KeyTab
public static int[] getDefaults(String configName) {
public static int[] getDefaults(String configName)
throws KrbException {
Config config = null;
try {
return Config.getInstance().defaultEtype(configName);
config = Config.getInstance();
} catch (KrbException exc) {
if (DEBUG) {
System.out.println("Exception while getting " +
@ -243,6 +246,7 @@ public abstract class EType {
}
return getBuiltInDefaults();
}
return config.defaultEtype(configName);
}
/**
@ -254,12 +258,8 @@ public abstract class EType {
* we have keys.
*/
public static int[] getDefaults(String configName, EncryptionKey[] keys)
throws KrbException {
throws KrbException {
int[] answer = getDefaults(configName);
if (answer == null) {
throw new KrbException("No supported encryption types listed in "
+ configName);
}
List<Integer> list = new ArrayList<>(answer.length);
for (int i = 0; i < answer.length; i++) {

32
jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
View File

@ -279,8 +279,7 @@ public class KeyTab implements KeyTabConstants {
/**
* Reads all keys for a service from the keytab file that have
* etypes that have been configured for use. If there are multiple
* keys with same etype, the one with the highest kvno is returned.
* etypes that have been configured for use.
* @param service the PrincipalName of the requested service
* @return an array containing all the service keys, never null
*/
@ -313,35 +312,12 @@ public class KeyTab implements KeyTabConstants {
size = keys.size();
EncryptionKey[] retVal = keys.toArray(new EncryptionKey[size]);
// Sort keys according to default_tkt_enctypes
if (DEBUG) {
System.out.println("Ordering keys wrt default_tkt_enctypes list");
}
final int[] etypes = EType.getDefaults("default_tkt_enctypes");
// Sort the keys, k1 is preferred than k2 if:
// 1. k1's etype appears earlier in etypes than k2's
// 2. If same, k1's KVNO is higher
// Sort the keys by kvno. Sometimes we must choose a single key (say,
// generate encrypted timestamp in AS-REQ). A key with a higher KVNO
// sounds like a newer one.
Arrays.sort(retVal, new Comparator<EncryptionKey>() {
@Override
public int compare(EncryptionKey o1, EncryptionKey o2) {
if (etypes != null) {
int o1EType = o1.getEType();
int o2EType = o2.getEType();
if (o1EType != o2EType) {
for (int i=0; i<etypes.length; i++) {
if (etypes[i] == o1EType) {
return -1;
} else if (etypes[i] == o2EType) {
return 1;
}
}
// Neither o1EType nor o2EType in default_tkt_enctypes,
// therefore won't be used in AS-REQ. We do not care
// about their order, use kvno is OK.
}
}
return o2.getKeyVersionNumber().intValue()
- o1.getKeyVersionNumber().intValue();
}

11
jdk/test/sun/security/krb5/auto/BasicKrb5Test.java
View File

@ -59,6 +59,7 @@
import org.ietf.jgss.GSSName;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;
import sun.security.krb5.KrbException;
import sun.security.krb5.internal.crypto.EType;
/**
@ -84,12 +85,10 @@ public class BasicKrb5Test {
// Creates and starts the KDC. This line must be put ahead of etype check
// since the check needs a krb5.conf.
new OneKDC(etype).writeJAASConf();
System.out.println("Testing etype " + etype);
if (etype != null && !EType.isSupported(Config.getType(etype))) {
// aes256 is not enabled on all systems
System.out.println("Not supported.");
try {
new OneKDC(etype).writeJAASConf();
} catch (KrbException ke) {
System.out.println("Testing etype " + etype + "Not supported.");
return;
}

11
jdk/test/sun/security/krb5/auto/OneKDC.java
View File

@ -67,10 +67,19 @@ public class OneKDC extends KDC {
addPrincipalRandKey("krbtgt/" + REALM);
addPrincipalRandKey(SERVER);
addPrincipalRandKey(BACKEND);
String extraConfig = "";
if (etype != null) {
extraConfig += "default_tkt_enctypes=" + etype
+ "\ndefault_tgs_enctypes=" + etype;
if (etype.startsWith("des")) {
extraConfig += "\nallow_weak_crypto = true";
}
}
KDC.saveConfig(KRB5_CONF, this,
"forwardable = true",
"default_keytab_name = " + KTAB,
etype == null ? "" : "default_tkt_enctypes=" + etype + "\ndefault_tgs_enctypes=" + etype);
extraConfig);
System.setProperty("java.security.krb5.conf", KRB5_CONF);
// Whatever krb5.conf had been loaded before, we reload ours now.
Config.refresh();

56
jdk/test/sun/security/krb5/auto/OnlyDesLogin.java Normal file
View File

@ -0,0 +1,56 @@
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8014310
* @summary JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679
* @compile -XDignore.symbol.file OnlyDesLogin.java
* @run main/othervm OnlyDesLogin
*/
import sun.security.krb5.Config;
import javax.security.auth.login.LoginException;
public class OnlyDesLogin {
public static void main(String[] args) throws Exception {
OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf();
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"default_tkt_enctypes=des-cbc-md5",
"default_tgs_enctypes=des-cbc-md5",
"permitted_enctypes=des-cbc-md5");
Config.refresh();
try {
Context.fromJAAS("client");
throw new Exception("What?");
} catch (LoginException le) {
// This is OK
}
}
}