diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java index 5c8b65f2703..a8d12131aaf 100644 --- a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java +++ b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java @@ -52,7 +52,20 @@ import javax.security.auth.DestroyFailedException; * application depends on the default JGSS Kerberos mechanism to access the * KerberosKey. In that case, however, the application will need an * appropriate - * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}. + * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.

+ * + * When creating a {@code KerberosKey} using the + * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor, + * an implementation may accept non-IANA algorithm names (For example, + * "ArcFourMac" for "rc4-hmac"), but the {@link #getAlgorithm} method + * must always return the IANA algorithm name.

+ * + * @implNote Old algorithm names used before JDK 9 are supported in the + * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor in this + * implementation for compatibility reasons, which are "DES" (and null) for + * "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", + * "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for + * "aes256-cts-hmac-sha1-96". * * @author Mayank Upadhyay * @since 1.4 @@ -73,7 +86,7 @@ public class KerberosKey implements SecretKey, Destroyable { * * @serial */ - private int versionNum; + private final int versionNum; /** * {@code KeyImpl} is serialized by writing out the ASN1 Encoded bytes @@ -113,13 +126,16 @@ public class KerberosKey implements SecretKey, Destroyable { } /** - * Constructs a KerberosKey from a principal's password. + * Constructs a KerberosKey from a principal's password using the specified + * algorithm name. The algorithm name (case insensitive) should be provided + * as the encryption type string defined on the IANA + * Kerberos Encryption Type Numbers + * page. The version number of the key generated will be 0. * * @param principal the principal that this password belongs to * @param password the password that should be used to compute the key * @param algorithm the name for the algorithm that this key will be - * used for. This parameter may be null in which case the default - * algorithm "DES" will be assumed. + * used for * @throws IllegalArgumentException if the name of the * algorithm passed is unsupported. */ @@ -128,6 +144,7 @@ public class KerberosKey implements SecretKey, Destroyable { String algorithm) { this.principal = principal; + this.versionNum = 0; // Pass principal in for salt key = new KeyImpl(principal, password, algorithm); } @@ -170,13 +187,18 @@ public class KerberosKey implements SecretKey, Destroyable { */ /** - * Returns the standard algorithm name for this key. For - * example, "DES" would indicate that this key is a DES key. - * See Appendix A in the - * Java Cryptography Architecture API Specification & Reference - * - * for information about standard algorithm names. + * Returns the standard algorithm name for this key. The algorithm names + * are the encryption type string defined on the IANA + * Kerberos Encryption Type Numbers + * page. + *

+ * This method can return the following value not defined on the IANA page: + *

    + *
  1. none: for etype equal to 0
  2. + *
  3. unknown: for etype greater than 0 but unsupported by + * the implementation
  4. + *
  5. private: for etype smaller than 0
  6. + *
* * @return the name of the algorithm associated with this key. */ diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java index f4ee947212b..9d36d1e9ee1 100644 --- a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java +++ b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java @@ -36,7 +36,6 @@ import sun.security.krb5.PrincipalName; import sun.security.krb5.EncryptionKey; import sun.security.krb5.EncryptedData; import sun.security.krb5.KrbException; -import sun.security.krb5.KrbCryptoException; import sun.security.util.DerValue; /** @@ -86,8 +85,12 @@ class KeyImpl implements SecretKey, Destroyable, Serializable { try { PrincipalName princ = new PrincipalName(principal.getName()); - EncryptionKey key = - new EncryptionKey(password, princ.getSalt(), algorithm); + EncryptionKey key; + if ("none".equalsIgnoreCase(algorithm)) { + key = EncryptionKey.NULL_KEY; + } else { + key = new EncryptionKey(password, princ.getSalt(), algorithm); + } this.keyBytes = key.getBytes(); this.keyType = key.getEType(); } catch (KrbException e) { @@ -118,27 +121,28 @@ class KeyImpl implements SecretKey, Destroyable, Serializable { switch (eType) { case EncryptedData.ETYPE_DES_CBC_CRC: + return "des-cbc-crc"; + case EncryptedData.ETYPE_DES_CBC_MD5: - return "DES"; + return "des-cbc-md5"; case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD: - return "DESede"; + return "des3-cbc-sha1-kd"; case EncryptedData.ETYPE_ARCFOUR_HMAC: - return "ArcFourHmac"; + return "rc4-hmac"; case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96: - return "AES128"; + return "aes128-cts-hmac-sha1-96"; case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96: - return "AES256"; + return "aes256-cts-hmac-sha1-96"; case EncryptedData.ETYPE_NULL: - return "NULL"; + return "none"; default: - throw new IllegalArgumentException( - "Unsupported encryption type: " + eType); + return eType > 0 ? "unknown" : "private"; } } diff --git a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java index b83fe8c8611..6887f85524c 100644 --- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java +++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java @@ -271,15 +271,22 @@ public class EncryptionKey String salt, String algorithm) throws KrbCryptoException { - if (algorithm == null || algorithm.equalsIgnoreCase("DES")) { + if (algorithm == null || algorithm.equalsIgnoreCase("DES") + || algorithm.equalsIgnoreCase("des-cbc-md5")) { keyType = EncryptedData.ETYPE_DES_CBC_MD5; - } else if (algorithm.equalsIgnoreCase("DESede")) { + } else if (algorithm.equalsIgnoreCase("des-cbc-crc")) { + keyType = EncryptedData.ETYPE_DES_CBC_CRC; + } else if (algorithm.equalsIgnoreCase("DESede") + || algorithm.equalsIgnoreCase("des3-cbc-sha1-kd")) { keyType = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD; - } else if (algorithm.equalsIgnoreCase("AES128")) { + } else if (algorithm.equalsIgnoreCase("AES128") + || algorithm.equalsIgnoreCase("aes128-cts-hmac-sha1-96")) { keyType = EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96; - } else if (algorithm.equalsIgnoreCase("ArcFourHmac")) { + } else if (algorithm.equalsIgnoreCase("ArcFourHmac") + || algorithm.equalsIgnoreCase("rc4-hmac")) { keyType = EncryptedData.ETYPE_ARCFOUR_HMAC; - } else if (algorithm.equalsIgnoreCase("AES256")) { + } else if (algorithm.equalsIgnoreCase("AES256") + || algorithm.equalsIgnoreCase("aes256-cts-hmac-sha1-96")) { keyType = EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96; // validate if AES256 is enabled if (!EType.isSupported(keyType)) { diff --git a/jdk/test/javax/security/auth/kerberos/StandardNames.java b/jdk/test/javax/security/auth/kerberos/StandardNames.java new file mode 100644 index 00000000000..40590f6d080 --- /dev/null +++ b/jdk/test/javax/security/auth/kerberos/StandardNames.java @@ -0,0 +1,108 @@ +/* + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8035986 + * @summary KerberosKey algorithm names are not specified + */ + +import sun.security.krb5.EncryptedData; + +import javax.crypto.Cipher; +import javax.security.auth.kerberos.KerberosKey; +import javax.security.auth.kerberos.KerberosPrincipal; +import java.util.Locale; + +public class StandardNames { + static KerberosPrincipal kp = new KerberosPrincipal("user@REALM"); + static char[] pass = "secret".toCharArray(); + static byte[] keyBytes = new byte[1]; + + public static void main(String[] args) throws Exception { + for (EncType e: EncType.values()) { + if (e == EncType.e18) { + if (Cipher.getMaxAllowedKeyLength("AES") < 256) { + System.out.println("Skipping aes256-cts-hmac-sha1-96"); + continue; + } + } + checkByName(e.name, e); + checkByName(e.name.toUpperCase(Locale.US), e); + for (String n: e.oldnames) { + checkByName(n, e); + if (n != null) { + checkByName(n.toLowerCase(Locale.US), e); + } + } + checkByEType(e.etype, e.name); + } + checkByEType(100, "unknown"); + checkByEType(-1, "private"); + + try { + System.out.println("unsupported"); + new KerberosKey(kp, pass, "unsupported"); + throw new Exception("unsupported"); + } catch (IllegalArgumentException iae) { + // Expected + } + } + + private static void checkByName(String n, EncType e) throws Exception { + System.out.println("CheckByName " + n); + KerberosKey k = new KerberosKey(kp, pass, n); + if (!k.getAlgorithm().equals(e.name)) throw new Exception(n); + if (k.getKeyType() != e.etype) throw new Exception(n); + if (k.getVersionNumber() != 0) throw new Exception(n); + } + + private static void checkByEType(int i, String n) throws Exception { + System.out.println("CheckByInt " + i); + KerberosKey k = new KerberosKey(kp, keyBytes, i, 13); + if (!k.getAlgorithm().equals(n)) throw new Exception("" + i); + if (k.getKeyType() != i) throw new Exception("" + i); + if (k.getVersionNumber() != 13) throw new Exception("" + i); + } +} + +enum EncType { + e0("none", EncryptedData.ETYPE_NULL), + e1("des-cbc-crc", EncryptedData.ETYPE_DES_CBC_CRC), + e3("des-cbc-md5", EncryptedData.ETYPE_DES_CBC_MD5, "DES", null), + e16("des3-cbc-sha1-kd", EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD, "DESede"), + e17("aes128-cts-hmac-sha1-96", EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, "AES128"), + e18("aes256-cts-hmac-sha1-96", EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96, "AES256"), + e23("rc4-hmac", EncryptedData.ETYPE_ARCFOUR_HMAC, "ArcFourHmac"), + ; + + final String name; + final int etype; + final String[] oldnames; + + EncType(String name, int etype, String... oldnames) { + this.name = name; + this.etype = etype; + this.oldnames = oldnames; + } +}