6893158: AP_REQ check should use key version number

Reviewed-by: valeriep, xuelei

jdk/src/share/classes/sun/security/krb5/EncryptionKey.java

@@ -1,5 +1,5 @@
 /*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -503,7 +503,19 @@ public class EncryptionKey
                              + '\n'));
     }
 
+    /**
+     * Find a key with given etype
+     */
     public static EncryptionKey findKey(int etype, EncryptionKey[] keys)
+            throws KrbException {
+        return findKey(etype, null, keys);
+    }
+
+    /**
+     * Find a key with given etype and kvno
+     * @param kvno if null, return any (first?) key
+     */
+    public static EncryptionKey findKey(int etype, Integer kvno, EncryptionKey[] keys)
         throws KrbException {
 
         // check if encryption type is supported
@@ -516,7 +528,8 @@ public class EncryptionKey
         for (int i = 0; i < keys.length; i++) {
             ktype = keys[i].getEType();
             if (EType.isSupported(ktype)) {
-                if (etype == ktype) {
+                Integer kv = keys[i].getKeyVersionNumber();
+                if (etype == ktype && (kvno == null || kvno.equals(kv))) {
                     return keys[i];
                 }
             }
@@ -528,8 +541,11 @@ public class EncryptionKey
             for (int i = 0; i < keys.length; i++) {
                 ktype = keys[i].getEType();
                 if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
-                    ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
-                    return new EncryptionKey(etype, keys[i].getBytes());
+                        ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
+                    Integer kv = keys[i].getKeyVersionNumber();
+                    if (kvno == null || kvno.equals(kv)) {
+                        return new EncryptionKey(etype, keys[i].getBytes());
+                    }
                 }
             }
         }

jdk/src/share/classes/sun/security/krb5/KrbApReq.java

@@ -268,7 +268,8 @@ public class KrbApReq {
     private void authenticate(EncryptionKey[] keys, InetAddress initiator)
         throws KrbException, IOException {
         int encPartKeyType = apReqMessg.ticket.encPart.getEType();
-        EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
+        Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber();
+        EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys);
 
         if (dkey == null) {
             throw new KrbException(Krb5.API_INVALID_ARG,

jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java

@@ -395,6 +395,28 @@ public class KeyTab implements KeyTabConstants {
         }
     }
 
+    /**
+     * Only used by KDC test. This method can specify kvno and does not
+     * remove any old keys.
+     */
+    public void addEntry(PrincipalName service, char[] psswd, int kvno)
+         throws KrbException {
+
+        EncryptionKey[] encKeys = EncryptionKey.acquireSecretKeys(
+            psswd, service.getSalt());
+
+        for (int i = 0; encKeys != null && i < encKeys.length; i++) {
+            int keyType = encKeys[i].getEType();
+            byte[] keyValue = encKeys[i].getBytes();
+            KeyTabEntry newEntry = new KeyTabEntry(service,
+                            service.getRealm(),
+                            new KerberosTime(System.currentTimeMillis()),
+                                               kvno, keyType, keyValue);
+            if (entries == null)
+                entries = new Vector<KeyTabEntry> ();
+            entries.addElement(newEntry);
+        }
+    }
 
     /**
      * Retrieves the key table entry with the specified service name.

jdk/test/sun/security/krb5/auto/KDC.java

@@ -466,7 +466,17 @@ public class KDC {
             // the krb5.conf config file would be loaded.
             Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE);
             stringToKey.setAccessible(true);
-            return new EncryptionKey((byte[]) stringToKey.invoke(null, getPassword(p), getSalt(p), null, etype), etype, null);
+            Integer kvno = null;
+            // For service whose password ending with a number, use it as kvno
+            if (p.toString().indexOf('/') >= 0) {
+                char[] pass = getPassword(p);
+                if (Character.isDigit(pass[pass.length-1])) {
+                    kvno = pass[pass.length-1] - '0';
+                }
+            }
+            return new EncryptionKey((byte[]) stringToKey.invoke(
+                    null, getPassword(p), getSalt(p), null, etype),
+                    etype, kvno);
         } catch (InvocationTargetException ex) {
             KrbException ke = (KrbException)ex.getCause();
             throw ke;

jdk/test/sun/security/krb5/auto/MoreKvno.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6893158
+ * @summary AP_REQ check should use key version number
+ */
+
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+import sun.security.krb5.internal.ktab.KeyTab;
+
+public class MoreKvno {
+
+    public static void main(String[] args)
+            throws Exception {
+
+        OneKDC kdc = new OneKDC(null);
+        kdc.writeJAASConf();
+
+        // Rewrite keytab, 3 set of keys with different kvno
+        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
+        PrincipalName p = new PrincipalName(OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
+        ktab.addEntry(p, "pass0".toCharArray(), 0);
+        ktab.addEntry(p, "pass2".toCharArray(), 2);
+        ktab.addEntry(p, "pass1".toCharArray(), 1);
+        ktab.save();
+
+        kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
+        go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept");
+        kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
+        // "server" initiate also, check pass2 is used at authentication
+        go(OneKDC.SERVER, "server");
+    }
+
+    static void go(String server, String entry) throws Exception {
+        Context c, s;
+        c = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
+        s = Context.fromJAAS(entry);
+
+        c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+        Context.handshake(c, s);
+
+        s.dispose();
+        c.dispose();
+    }
+}