diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt
index c6e62a55962..7472e4adad2 100644
--- a/test/jdk/ProblemList.txt
+++ b/test/jdk/ProblemList.txt
@@ -633,9 +633,6 @@ sun/security/smartcardio/TestExclusive.java 8039280 generic-
 sun/security/smartcardio/TestMultiplePresent.java 8039280 generic-all
 sun/security/smartcardio/TestPresent.java 8039280 generic-all
 sun/security/smartcardio/TestTransmit.java 8039280 generic-all
-com/sun/security/sasl/gsskerb/AuthOnly.java 8039280 generic-all
-com/sun/security/sasl/gsskerb/ConfSecurityLayer.java 8039280 generic-all
-com/sun/security/sasl/gsskerb/NoSecurityLayer.java 8039280 generic-all
 sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 8316183 linux-ppc64le
diff --git a/test/jdk/TEST.groups b/test/jdk/TEST.groups
index d3b0b3009ca..7c009f557ad 100644
--- a/test/jdk/TEST.groups
+++ b/test/jdk/TEST.groups
@@ -631,9 +631,6 @@ jdk_security_manual_no_input = \
 :jdk_security_infra \
 com/sun/crypto/provider/Cipher/AEAD/GCMIncrementByte4.java \
 com/sun/crypto/provider/Cipher/AEAD/GCMIncrementDirect4.java \
- com/sun/security/sasl/gsskerb/AuthOnly.java \
- com/sun/security/sasl/gsskerb/ConfSecurityLayer.java \
- com/sun/security/sasl/gsskerb/NoSecurityLayer.java \
 sun/security/smartcardio/TestChannel.java \
 sun/security/smartcardio/TestConnect.java \
 sun/security/smartcardio/TestConnectAgain.java \
diff --git a/test/jdk/com/sun/security/sasl/gsskerb/AuthOnly.java b/test/jdk/com/sun/security/sasl/gsskerb/AuthOnly.java
deleted file mode 100644
index c8e906d0ac1..00000000000
--- a/test/jdk/com/sun/security/sasl/gsskerb/AuthOnly.java
+++ /dev/null
@@ -1,165 +0,0 @@ -/* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/* - * @test - * @bug 4634892 - * @summary Ensure authentication via GSS-API/Kerberos v5 works. - * @run main/manual AuthOnly - */ - -/* - * Set logging to FINEST to view exchange. - * See runwjaas.csh for instructions for how to run this test. 
- */ - -import javax.security.sasl.*; -import javax.security.auth.callback.*; -import javax.security.auth.Subject; -import javax.security.auth.login.*; -import com.sun.security.auth.callback.*; -import java.util.HashMap; -import java.util.concurrent.Callable; - -public class AuthOnly { - private static final String MECH = "GSSAPI"; - private static final String SERVER_FQDN = "machineX.imc.org"; - private static final String PROTOCOL = "sample"; - - private static String namesfile, proxyfile; - private static final byte[] EMPTY = new byte[0]; - private static boolean auto; - private static boolean verbose = false; - - public static void main(String[] args) throws Exception { - if (args.length == 0) { - namesfile = null; - auto = true; - } else { - int i = 0; - if (args[i].equals("-m")) { - i++; - auto = false; - } - if (args.length > i) { - namesfile = args[i++]; - if (args.length > i) { - proxyfile = args[i]; - } - } else { - namesfile = null; - } - } - - CallbackHandler clntCbh = null; - final CallbackHandler srvCbh = new PropertiesFileCallbackHandler( - null, namesfile, proxyfile); - - Subject clntSubj = doLogin("client"); - Subject srvSubj = doLogin("server"); - final HashMap clntprops = new HashMap(); - final HashMap srvprops = new HashMap(); - - clntprops.put(Sasl.QOP, "auth"); - srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf"); - - final SaslClient clnt = (SaslClient) - Subject.callAs(clntSubj, new Callable<>() { - public Object call() throws Exception { - return Sasl.createSaslClient( - new String[]{MECH}, null, PROTOCOL, SERVER_FQDN, - clntprops, null); - } - }); - - if (verbose) { - System.out.println(clntSubj); - System.out.println(srvSubj); - } - final SaslServer srv = (SaslServer) - Subject.callAs(srvSubj, new Callable() { - public Object call() throws Exception { - return Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN, - srvprops, srvCbh); - } - }); - - - if (clnt == null) { - throw new IllegalStateException( - "Unable to find client impl for " + 
MECH); - } - if (srv == null) { - throw new IllegalStateException( - "Unable to find server impl for " + MECH); - } - - byte[] response; - byte[] challenge; - - response = (byte[]) Subject.callAs(clntSubj, - () -> (clnt.hasInitialResponse()? clnt.evaluateChallenge(EMPTY) : EMPTY)); - - while (!clnt.isComplete() || !srv.isComplete()) { - final byte[] responseCopy = response; - challenge = (byte[]) Subject.callAs(srvSubj, - () -> srv.evaluateResponse(responseCopy)); - - if (challenge != null) { - final byte[] challengeCopy = challenge; - response = (byte[]) Subject.callAs(clntSubj, - () -> clnt.evaluateChallenge(challengeCopy)); - } - } - - if (clnt.isComplete() && srv.isComplete()) { - if (verbose) { - System.out.println("SUCCESS"); - System.out.println("authzid is " + srv.getAuthorizationID()); - } - } else { - throw new IllegalStateException("FAILURE: mismatched state:" + - " client complete? " + clnt.isComplete() + - " server complete? " + srv.isComplete()); - } - } - - private static Subject doLogin(String msg) throws LoginException { - LoginContext lc = null; - if (verbose) { - System.out.println(msg); - } - try { - lc = new LoginContext(msg, new TextCallbackHandler()); - - // Attempt authentication - // You might want to do this in a "for" loop to give - // user more than one chance to enter correct username/password - lc.login(); - - } catch (LoginException le) { - throw le; - } - return lc.getSubject(); - } -} diff --git a/test/jdk/com/sun/security/sasl/gsskerb/ConfSecurityLayer.java b/test/jdk/com/sun/security/sasl/gsskerb/ConfSecurityLayer.java deleted file mode 100644 index 8a699a5920d..00000000000 --- a/test/jdk/com/sun/security/sasl/gsskerb/ConfSecurityLayer.java +++ /dev/null 
@@ -1,196 +0,0 @@ -/* - * Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/* - * @test - * @bug 5014493 - * @summary SaslServer.wrap throws NullPointerException when security - * layer negotiated. - * @run main/manual ConfSecurityLayer - */ - -/* - * Set logging to FINEST to view exchange. - * See run-conf-wjaas.csh for instructions for how to run this test. 
- */ - -import javax.security.sasl.*; -import javax.security.auth.callback.*; -import javax.security.auth.Subject; -import javax.security.auth.login.*; -import com.sun.security.auth.callback.*; -import java.util.HashMap; - -public class ConfSecurityLayer { - private static final String MECH = "GSSAPI"; - private static final String SERVER_FQDN = "machineX.imc.org"; - private static final String PROTOCOL = "sample"; - - private static String namesfile, proxyfile; - private static final byte[] EMPTY = new byte[0]; - private static boolean auto; - private static boolean verbose = false; - - public static void main(String[] args) throws Exception { - if (args.length == 0) { - namesfile = null; - auto = true; - } else { - int i = 0; - if (args[i].equals("-m")) { - i++; - auto = false; - } - if (args.length > i) { - namesfile = args[i++]; - if (args.length > i) { - proxyfile = args[i]; - } - } else { - namesfile = null; - } - } - - CallbackHandler clntCbh = null; - final CallbackHandler srvCbh = new PropertiesFileCallbackHandler( - null, namesfile, proxyfile); - - Subject clntSubj = doLogin("client"); - Subject srvSubj = doLogin("server"); - final HashMap clntprops = new HashMap(); - final HashMap srvprops = new HashMap(); - - clntprops.put(Sasl.QOP, "auth-conf"); - srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf"); - - final SaslClient clnt = (SaslClient) - Subject.callAs(clntSubj, () ->Sasl.createSaslClient( - new String[]{MECH}, null, PROTOCOL, SERVER_FQDN, - clntprops, null)); - - if (verbose) { - System.out.println(clntSubj); - System.out.println(srvSubj); - } - final SaslServer srv = (SaslServer) - Subject.callAs(srvSubj, () -> - Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN, - srvprops, srvCbh)); - - - if (clnt == null) { - throw new IllegalStateException( - "Unable to find client impl for " + MECH); - } - if (srv == null) { - throw new IllegalStateException( - "Unable to find server impl for " + MECH); - } - - byte[] response; - byte[] challenge; - - response 
= Subject.callAs(clntSubj, - () -> (clnt.hasInitialResponse()? clnt.evaluateChallenge(EMPTY) : EMPTY)); - - while (!clnt.isComplete() || !srv.isComplete()) { - final byte[] responseCopy = response; - challenge = Subject.callAs(srvSubj, - () -> srv.evaluateResponse(responseCopy)); - - if (challenge != null) { - final byte[] challengeCopy = challenge; - response = Subject.callAs(clntSubj, - () -> clnt.evaluateChallenge(challengeCopy)); - } - } - - if (clnt.isComplete() && srv.isComplete()) { - if (verbose) { - System.out.println("SUCCESS"); - System.out.println("authzid is " + srv.getAuthorizationID()); - } - } else { - throw new IllegalStateException("FAILURE: mismatched state:" + - " client complete? " + clnt.isComplete() + - " server complete? " + srv.isComplete()); - } - - if (verbose) { - System.out.println(clnt.getNegotiatedProperty(Sasl.QOP)); - } - - // Now try to use security layer - - byte[] clntBuf = new byte[]{0, 1, 2, 3}; - byte[] wrappedClnt = clnt.wrap(clntBuf, 0, clntBuf.length); - System.out.println("plaintext2: " + bytesToString(clntBuf)); - System.out.println("wrapped2: " + bytesToString(wrappedClnt)); - - byte[] srvBuf = new byte[]{10, 11, 12, 13}; - byte[] wrappedSrv = srv.wrap(srvBuf, 0, srvBuf.length); - System.out.println("plaintext1: " + bytesToString(srvBuf)); - System.out.println("wrapped1: " + bytesToString(wrappedSrv)); - - byte[] unwrapped1 = clnt.unwrap(wrappedSrv, 0, wrappedSrv.length); - System.out.println("unwrapped1: " + bytesToString(unwrapped1)); - - byte[] unwrapped2 = srv.unwrap(wrappedClnt, 0, wrappedClnt.length); - System.out.println("unwrapped2: " + bytesToString(unwrapped2)); - } - - private static Subject doLogin(String msg) throws LoginException { - LoginContext lc = null; - if (verbose) { - System.out.println(msg); - } - try { - lc = new LoginContext(msg, new TextCallbackHandler()); - - // Attempt authentication - // You might want to do this in a "for" loop to give - // user more than one chance to enter correct 
username/password - lc.login(); - - } catch (LoginException le) { - throw le; - } - return lc.getSubject(); - } - - private static String bytesToString(byte[] digest) { - // Get character representation of digest - StringBuffer digestString = new StringBuffer(); - - for (int i = 0; i < digest.length; i++) { - if ((digest[i] & 0x000000ff) < 0x10) { - digestString.append("0" + - Integer.toHexString(digest[i] & 0x000000ff)); - } else { - digestString.append( - Integer.toHexString(digest[i] & 0x000000ff)); - } - } - return digestString.toString(); - } -} diff --git a/test/jdk/com/sun/security/sasl/gsskerb/NoSecurityLayer.java b/test/jdk/com/sun/security/sasl/gsskerb/NoSecurityLayer.java deleted file mode 100644 index 45d7d1fc1fb..00000000000 --- a/test/jdk/com/sun/security/sasl/gsskerb/NoSecurityLayer.java +++ /dev/null 
@@ -1,199 +0,0 @@ -/* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/* - * @test - * @bug 4873552 - * @summary GSS-API/krb5 SASL mechanism should throw IllegalStateException - * for auth-only - * @run main/manual NoSecurityLayer - */ - -/* - * Set logging to FINEST to view exchange. - * See run-nosec-wjaas.csh for instructions for how to run this test. 
- */ - -import javax.security.sasl.*; -import javax.security.auth.callback.*; -import javax.security.auth.Subject; -import javax.security.auth.login.*; -import com.sun.security.auth.callback.*; -import java.util.HashMap; - -public class NoSecurityLayer { - private static final String MECH = "GSSAPI"; - private static final String SERVER_FQDN = "anti.imc.org"; - private static final String PROTOCOL = "sample"; - - private static String namesfile, proxyfile; - private static final byte[] EMPTY = new byte[0]; - private static boolean auto; - private static boolean verbose = false; - - public static void main(String[] args) throws Exception { - if (args.length == 0) { - namesfile = null; - auto = true; - } else { - int i = 0; - if (args[i].equals("-m")) { - i++; - auto = false; - } - if (args.length > i) { - namesfile = args[i++]; - if (args.length > i) { - proxyfile = args[i]; - } - } else { - namesfile = null; - } - } - - CallbackHandler clntCbh = null; - final CallbackHandler srvCbh = new PropertiesFileCallbackHandler( - null, namesfile, proxyfile); - - Subject clntSubj = doLogin("client"); - Subject srvSubj = doLogin("server"); - final HashMap clntprops = new HashMap(); - final HashMap srvprops = new HashMap(); - - clntprops.put(Sasl.QOP, "auth"); - srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf"); - - final SaslClient clnt = - Subject.callAs(clntSubj, () -> - Sasl.createSaslClient( - new String[]{MECH}, null, PROTOCOL, SERVER_FQDN, - clntprops, null)); - - if (verbose) { - System.out.println(clntSubj); - System.out.println(srvSubj); - } - final SaslServer srv = - Subject.callAs(srvSubj, () -> - Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN, - srvprops, srvCbh)); - - - if (clnt == null) { - throw new IllegalStateException( - "Unable to find client impl for " + MECH); - } - if (srv == null) { - throw new IllegalStateException( - "Unable to find server impl for " + MECH); - } - - byte[] response; - byte[] challenge; - - response = Subject.callAs(clntSubj, - () 
-> (clnt.hasInitialResponse()? clnt.evaluateChallenge(EMPTY) : EMPTY)); - - while (!clnt.isComplete() || !srv.isComplete()) { - final byte[] responseCopy = response; - challenge = Subject.callAs(srvSubj, - () -> srv.evaluateResponse(responseCopy)); - - if (challenge != null) { - final byte[] challengeCopy = challenge; - response = Subject.callAs(clntSubj, - () -> clnt.evaluateChallenge(challengeCopy)); - } - } - - if (clnt.isComplete() && srv.isComplete()) { - if (verbose) { - System.out.println("SUCCESS"); - System.out.println("authzid is " + srv.getAuthorizationID()); - } - } else { - throw new IllegalStateException("FAILURE: mismatched state:" + - " client complete? " + clnt.isComplete() + - " server complete? " + srv.isComplete()); - } - - if (verbose) { - System.out.println(clnt.getNegotiatedProperty(Sasl.QOP)); - } - - // Now try to use security layer - - byte[] clntBuf = new byte[]{0, 1, 2, 3}; - try { - byte[] wrapped = clnt.wrap(clntBuf, 0, clntBuf.length); - throw new Exception( - "clnt wrap should not be allowed w/no security layer"); - } catch (IllegalStateException e) { - // expected - } - - byte[] srvBuf = new byte[]{10, 11, 12, 13}; - try { - byte[] wrapped = srv.wrap(srvBuf, 0, srvBuf.length); - throw new Exception( - "srv wrap should not be allowed w/no security layer"); - } catch (IllegalStateException e) { - // expected - } - - try { - byte[] unwrapped = clnt.unwrap(clntBuf, 0, clntBuf.length); - throw new Exception( - "clnt wrap should not be allowed w/no security layer"); - } catch (IllegalStateException e) { - // expected - } - - try { - byte[] unwrapped = srv.unwrap(srvBuf, 0, srvBuf.length); - throw new Exception( - "srv wrap should not be allowed w/no security layer"); - } catch (IllegalStateException e) { - // expected - } - } - - private static Subject doLogin(String msg) throws LoginException { - LoginContext lc = null; - if (verbose) { - System.out.println(msg); - } - try { - lc = new LoginContext(msg, new TextCallbackHandler()); - - // 
Attempt authentication - // You might want to do this in a "for" loop to give - // user more than one chance to enter correct username/password - lc.login(); - - } catch (LoginException le) { - throw le; - } - return lc.getSubject(); - } -} diff --git a/test/jdk/com/sun/security/sasl/gsskerb/PropertiesFileCallbackHandler.java b/test/jdk/com/sun/security/sasl/gsskerb/PropertiesFileCallbackHandler.java deleted file mode 100644 index 79f19c74f58..00000000000 --- a/test/jdk/com/sun/security/sasl/gsskerb/PropertiesFileCallbackHandler.java +++ /dev/null 
@@ -1,145 +0,0 @@ -/* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -import javax.security.auth.callback.*; -import java.util.Map; -import java.util.Properties; -import java.io.*; -import javax.security.sasl.AuthorizeCallback; -import javax.security.sasl.RealmCallback; - -public final class PropertiesFileCallbackHandler implements CallbackHandler { - private Properties pwDb, namesDb, proxyDb; - - /** - * Contents of files are in the Properties file format. 
- * - * @param pwFile name of file containing name/password pairs - * @param namesFile name of file containing name to canonicalized name - * @param proxyFile name of file containing authname to list of authzids - */ - public PropertiesFileCallbackHandler(String pwFile, String namesFile, - String proxyFile) throws IOException { - String dir = System.getProperty("test.src"); - if (dir == null) { - dir = "."; - } - dir = dir + "/"; - - if (pwFile != null) { - pwDb = new Properties(); - pwDb.load(new FileInputStream(dir+pwFile)); - } - - if (namesFile != null) { - namesDb = new Properties(); - namesDb.load(new FileInputStream(dir+namesFile)); - } - - if (proxyFile != null) { - proxyDb = new Properties(); - proxyDb.load(new FileInputStream(dir+proxyFile)); - } - } - - public void handle(Callback[] callbacks) - throws UnsupportedCallbackException { - NameCallback ncb = null; - PasswordCallback pcb = null; - AuthorizeCallback acb = null; - RealmCallback rcb = null; - - for (int i = 0; i < callbacks.length; i++) { - if (callbacks[i] instanceof NameCallback) { - ncb = (NameCallback) callbacks[i]; - } else if (callbacks[i] instanceof PasswordCallback) { - pcb = (PasswordCallback) callbacks[i]; - } else if (callbacks[i] instanceof AuthorizeCallback) { - acb = (AuthorizeCallback) callbacks[i]; - } else if (callbacks[i] instanceof RealmCallback) { - rcb = (RealmCallback) callbacks[i]; - } else { - throw new UnsupportedCallbackException(callbacks[i]); - } - } - - // Process retrieval of password; can get password iff - // username is available in NameCallback - // - // Ignore realm for now; could potentially use different dbs for - // different realms - - if (pcb != null && ncb != null) { - String username = ncb.getDefaultName(); - String pw = pwDb.getProperty(username); - if (pw != null) { - char[] pwchars = pw.toCharArray(); - pcb.setPassword(pwchars); - // Clear pw - for (int i = 0; i = 0) { - // XXX need to search for subtrings or use StringTokenizer - // to avoid 
incorrectly matching subnames - acb.setAuthorized(true); - } - } - - if (acb.isAuthorized()) { - // Set canonicalized name - String canonAuthzid = (namesDb != null ? - namesDb.getProperty(authzid) : null); - if (canonAuthzid != null) { - acb.setAuthorizedID(canonAuthzid); - } - } - } - } -} diff --git a/test/jdk/com/sun/security/sasl/gsskerb/gsseg_jaas.conf b/test/jdk/com/sun/security/sasl/gsskerb/gsseg_jaas.conf deleted file mode 100644 index 18deaa715d9..00000000000 --- a/test/jdk/com/sun/security/sasl/gsskerb/gsseg_jaas.conf +++ /dev/null @@ -1,21 +0,0 @@ -/** - * Login Configuration for JAAS. - * - * Specify that Kerberos v5 is a required login module for the - * example classes: GssExample and Mutual. - */ -other { - com.sun.security.auth.module.Krb5LoginModule required; -}; - -client { - com.sun.security.auth.module.Krb5LoginModule required - principal="john@IMC.ORG"; -}; -server { - com.sun.security.auth.module.Krb5LoginModule required storeKey=true - principal="sample/machineX.imc.org@IMC.ORG" - useKeyTab=true - keyTab=machineX.keytab; -}; - diff --git a/test/jdk/com/sun/security/sasl/gsskerb/log.properties b/test/jdk/com/sun/security/sasl/gsskerb/log.properties deleted file mode 100644 index c301c787474..00000000000 --- a/test/jdk/com/sun/security/sasl/gsskerb/log.properties +++ /dev/null @@ -1,3 +0,0 @@ -javax.security.sasl.level=FINE -#handlers=java.util.logging.ConsoleHandler -#java.util.logging.ConsoleHandler.level=FINE diff --git a/test/jdk/com/sun/security/sasl/gsskerb/run-conf-wjaas.csh b/test/jdk/com/sun/security/sasl/gsskerb/run-conf-wjaas.csh deleted file mode 100644 index f284d3e43e6..00000000000 --- a/test/jdk/com/sun/security/sasl/gsskerb/run-conf-wjaas.csh +++ /dev/null 
@@ -1,29 +0,0 @@
-#!/bin/csh -f
-#
-# @bug 5014493
-# @summary SaslServer.wrap throws NullPointerException when security
-# layer negotiated
-#
-# BEFORE running this test, you need to set up the environment as follows.
-# 1. Create a 'sample' service principal in the KDC.
-# 2. Create a keytab for the server principal 'sample/fqdn@REALM'
-# where 'fqdn' is the fully qualified domain name of the server and
-# REALM is the KDC's realm. The principal must be a host-based service.
-# For example, a principal name might be
-# 'sample/machineX.imc.org@IMC.ORG'.
-# On Windows, for example, you use the ktpass utility to create a host keytab
-# file.
-# c:> ktpass -princ sample/machineX.imc.org@IMC.ORG -mapuser sample \
-# -ptype KRB5_NT_SRV_HST \
-# -pass servertest123 -out machineX.keytab
-# 3. Create a user principal in the KDC.
-# 4. Set up a JAAS login module configuration file like gsseg_jaas.conf, updating
-# the client and server entries according to the principal and machine names
-# used.
-# 5. Update AuthOnly.SERVER_FQDN with fqdn of server machine.
-# 6. To examine exchange, turn on logging by adding
-# -Djava.util.logging.config.file=log.properties
-# 7. Update the realm and kdc settings in this script.
-#
-#
-$JAVA_HOME/bin/java -Djava.security.krb5.realm=IMC.ORG -Djava.security.krb5.kdc=machineX.imc.org -Djava.security.auth.login.config=gsseg_jaas.conf ConfSecurityLayer
diff --git a/test/jdk/com/sun/security/sasl/gsskerb/run-nosec-wjaas.csh b/test/jdk/com/sun/security/sasl/gsskerb/run-nosec-wjaas.csh
deleted file mode 100644
index afac8e0eeae..00000000000
--- a/test/jdk/com/sun/security/sasl/gsskerb/run-nosec-wjaas.csh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/csh -f
-#
-# BEFORE running this test, you need to set up the environment as follows.
-# 1. Create a 'sample' service principal in the KDC.
-# 2. Create a keytab for the server principal 'sample/fqdn@REALM'
-# where 'fqdn' is the fully qualified domain name of the server and
-# REALM is the KDC's realm. The principal must be a host-based service.
-# For example, a principal name might be
-# 'sample/machineX.imc.org@IMC.ORG'.
-# On Windows, for example, you use the ktpass utility to create a host keytab
-# file.
-# c:> ktpass -princ sample/machineX.imc.org@IMC.ORG -mapuser sample \
-# -ptype KRB5_NT_SRV_HST \
-# -pass servertest123 -out machineX.keytab
-# 3. Create a user principal in the KDC.
-# 4. Set up a JAAS login module configuration file like gsseg_jaas.conf, updating
-# the client and server entries according to the principal and machine names
-# used.
-# 5. Update AuthOnly.SERVER_FQDN with fqdn of server machine.
-# 6. To examine exchange, turn on logging by adding
-# -Djava.util.logging.config.file=log.properties
-# 7. Update the realm and kdc settings in this script.
-#
-java -Djava.security.krb5.realm=IMC.ORG -Djava.security.krb5.kdc=machineX.imc.org -Djava.security.auth.login.config=gsseg_jaas.conf NoSecurityLayer
diff --git a/test/jdk/com/sun/security/sasl/gsskerb/runwjaas.csh b/test/jdk/com/sun/security/sasl/gsskerb/runwjaas.csh
deleted file mode 100644
index 9757b818de4..00000000000
--- a/test/jdk/com/sun/security/sasl/gsskerb/runwjaas.csh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/csh -f
-#
-# BEFORE running this test, you need to set up the environment as follows.
-# 1. Create a 'sample' service principal in the KDC.
-# 2. Create a keytab for the server principal 'sample/fqdn@REALM'
-# where 'fqdn' is the fully qualified domain name of the server and
-# REALM is the KDC's realm. The principal must be a host-based service.
-# For example, a principal name might be
-# 'sample/machineX.imc.org@IMC.ORG'.
-# On Windows, for example, you use the ktpass utility to create a host keytab
-# file.
-# c:> ktpass -princ sample/machineX.imc.org@IMC.ORG -mapuser sample \
-# -ptype KRB5_NT_SRV_HST \
-# -pass servertest123 -out machineX.keytab
-# 3. Create a user principal in the KDC.
-# 4. Set up a JAAS login module configuration file like gsseg_jaas.conf, updating
-# the client and server entries according to the principal and machine names
-# used.
-# 5. Update AuthOnly.SERVER_FQDN with fqdn of server machine.
-# 6. To examine exchange, turn on logging by adding
-# -Djava.util.logging.config.file=log.properties
-# 7. Update the realm and kdc settings in this script.
-#
-java -Djava.security.krb5.realm=IMC.ORG -Djava.security.krb5.kdc=machineX.imc.org -Djava.security.auth.login.config=gsseg_jaas.conf AuthOnly
diff --git a/test/jdk/sun/security/krb5/auto/SaslBasic.java b/test/jdk/sun/security/krb5/auto/SaslBasic.java
index 0aebdefbe04..89eb22383f2 100644
--- a/test/jdk/sun/security/krb5/auto/SaslBasic.java
+++ b/test/jdk/sun/security/krb5/auto/SaslBasic.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -32,12 +32,11 @@
 * @run main/othervm -Djdk.net.hosts.file=TestHosts SaslBasic unbound auth-conf
 * @run main/othervm -Djdk.net.hosts.file=TestHosts SaslBasic bound auth
 */
-import java.io.IOException;
+import static jdk.test.lib.Asserts.assertEquals;
+
 import java.util.Arrays;
 import java.util.HashMap;
 import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.sasl.*;
 // The basic krb5 test skeleton you can copy from
@@ -61,15 +60,12 @@ public class SaslBasic {
 srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf");
 SaslServer ss = Sasl.createSaslServer("GSSAPI", "server", bound? name: null, srvprops,
- new CallbackHandler() {
- public void handle(Callback[] callbacks)
- throws IOException, UnsupportedCallbackException {
- for (Callback cb : callbacks) {
- if (cb instanceof RealmCallback) {
- ((RealmCallback) cb).setText(OneKDC.REALM);
- } else if (cb instanceof AuthorizeCallback) {
- ((AuthorizeCallback) cb).setAuthorized(true);
- }
+ callbacks -> {
+ for (Callback cb : callbacks) {
+ if (cb instanceof RealmCallback) {
+ ((RealmCallback) cb).setText(OneKDC.REALM);
+ } else if (cb instanceof AuthorizeCallback) {
+ ((AuthorizeCallback) cb).setAuthorized(true);
 }
 }
 });
@@ -89,28 +85,85 @@ public class SaslBasic {
 String boundName = (String)ss.getNegotiatedProperty(
 Sasl.BOUND_SERVER_NAME);
 if (!boundName.equals(name)) {
- throw new Exception("Wrong bound server name");
+ throw new RuntimeException("Wrong bound server name");
 }
 }
 Object key = ss.getNegotiatedProperty(
 "com.sun.security.jgss.inquiretype.krb5_get_session_key");
 if (key == null) {
- throw new Exception("Extended negotiated property not read");
+ throw new RuntimeException("Extended negotiated property not read");
 }
 if (args[1].equals("auth")) {
 // 8170732. These are the maximum size bytes after jgss/krb5 wrap.
 if (lastClientToken[17] != 0 || lastClientToken[18] != 0 || lastClientToken[19] != 0) {
- throw new Exception("maximum size for auth must be 0");
+ throw new RuntimeException("maximum size for auth must be 0");
 }
+ testWrapUnwrapNoSecLayer(sc, ss);
 } else {
- byte[] hello = "hello".getBytes();
- token = sc.wrap(hello, 0, hello.length);
- token = ss.unwrap(token, 0, token.length);
- if (!Arrays.equals(hello, token)) {
- throw new Exception("Message altered");
- }
+ testWrapUnwrapWithSecLayer(sc, ss);
+ }
+ }
+
+ private static void testWrapUnwrapWithSecLayer(SaslClient sc, SaslServer ss)
+ throws SaslException {
+ byte[] token;
+ byte[] hello = "hello".getBytes();
+
+ // test client wrap and server unwrap
+ token = sc.wrap(hello, 0, hello.length);
+ token = ss.unwrap(token, 0, token.length);
+
+ if (!Arrays.equals(hello, token)) {
+ throw new RuntimeException("Client message altered");
+ }
+
+ // test server wrap and client unwrap
+ token = ss.wrap(hello, 0, hello.length);
+ token = sc.unwrap(token, 0, token.length);
+
+ if (!Arrays.equals(hello, token)) {
+ throw new RuntimeException("Server message altered");
+ }
+ }
+
+ private static void testWrapUnwrapNoSecLayer(SaslClient sc, SaslServer ss)
+ throws SaslException {
+ byte[] clntBuf = new byte[]{0, 1, 2, 3};
+ byte[] srvBuf = new byte[]{10, 11, 12, 13};
+ String expectedError = "No security layer negotiated";
+
+ try {
+ sc.wrap(clntBuf, 0, clntBuf.length);
+ throw new RuntimeException(
+ "client wrap should not be allowed w/no security layer");
+ } catch (IllegalStateException e) {
+ assertEquals(expectedError, e.getMessage());
+ }
+
+ try {
+ ss.wrap(srvBuf, 0, srvBuf.length);
+ throw new RuntimeException(
+ "server wrap should not be allowed w/no security layer");
+ } catch (IllegalStateException e) {
+ assertEquals(expectedError, e.getMessage());
+ }
+
+ try {
+ sc.unwrap(clntBuf, 0, clntBuf.length);
+ throw new RuntimeException(
+ "client unwrap should not be allowed w/no security layer");
+ } catch (IllegalStateException e) {
+ assertEquals(expectedError, e.getMessage());
+ }
+
+ try {
+ ss.unwrap(srvBuf, 0, srvBuf.length);
+ throw new RuntimeException(
+ "server unwrap should not be allowed w/no security layer");
+ } catch (IllegalStateException e) {
+ assertEquals(expectedError, e.getMessage());
 }
 }
 }
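Review bot: testWrapUnwrapWithSecLayer only checks that the plaintext survives a wrap/unwrap round trip, so the auth-int and auth-conf runs would still pass if the negotiated security layer were not applied to the token at all; checking the wrapped token against the input after each `wrap` call, e.g. `if (Arrays.equals(hello, token)) { throw new RuntimeException("wrap left the message unprotected"); }`, would pin what those runs are meant to exercise. Along the same line, the negotiated QOP is never compared with the one requested in args[1] (presumably fed into the client props outside this hunk), so one check on `sc.getNegotiatedProperty(Sasl.QOP)` before dispatching to the two helpers would tie the branch taken to the actual negotiation rather than to the command-line argument. The static import of jdk.test.lib.Asserts requires `@library /test/lib` in the jtreg header, which is outside these hunks; confirm it is present. Both new helpers would read better with a one-line Javadoc stating which QOP they expect to have been negotiated, and `"hello".getBytes()` could name `StandardCharsets.UTF_8` rather than rely on the platform charset.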