From 9b3b87dab8d414f246bab9fbe9e95b33947c4ae5 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Wed, 28 Oct 2009 15:32:30 +0800 Subject: [PATCH] 6893158: AP_REQ check should use key version number Reviewed-by: valeriep, xuelei --- .../sun/security/krb5/EncryptionKey.java | 24 +++++-- .../classes/sun/security/krb5/KrbApReq.java | 3 +- .../security/krb5/internal/ktab/KeyTab.java | 22 ++++++ jdk/test/sun/security/krb5/auto/KDC.java | 12 +++- jdk/test/sun/security/krb5/auto/MoreKvno.java | 70 +++++++++++++++++++ 5 files changed, 125 insertions(+), 6 deletions(-) create mode 100644 jdk/test/sun/security/krb5/auto/MoreKvno.java diff --git a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java index f7a8591646a..adf2cd8ace1 100644 --- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java +++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java @@ -1,5 +1,5 @@ /* - * Portions Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved. + * Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -503,7 +503,19 @@ public class EncryptionKey + '\n')); } + /** + * Find a key with given etype + */ public static EncryptionKey findKey(int etype, EncryptionKey[] keys) + throws KrbException { + return findKey(etype, null, keys); + } + + /** + * Find a key with given etype and kvno + * @param kvno if null, return any (first?) key + */ + public static EncryptionKey findKey(int etype, Integer kvno, EncryptionKey[] keys) throws KrbException { // check if encryption type is supported 
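Review bot: The Javadoc on the new two-argument `findKey` leaves its contract vague — `@param kvno if null, return any (first?) key` — when the selection loop that follows (in the next hunk, outside this one) is deterministic: the first supported key in `keys` order whose etype matches, falling back to a DES key converted to the requested etype. I would state that and the null return explicitly: `@param kvno key version number the key must carry; null means the first key with a matching etype is taken regardless of version`, plus `@return the matching key, or null if none of the supplied keys qualifies`. The one-argument overload could likewise say it delegates with a null kvno, so callers understand it performs no version check. The method body continues past the end of this hunk.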
@@ -516,7 +528,8 @@ public class EncryptionKey for (int i = 0; i < keys.length; i++) { ktype = keys[i].getEType(); if (EType.isSupported(ktype)) { - if (etype == ktype) { + Integer kv = keys[i].getKeyVersionNumber(); + if (etype == ktype && (kvno == null || kvno.equals(kv))) { return keys[i]; } } @@ -528,8 +541,11 @@ public class EncryptionKey for (int i = 0; i < keys.length; i++) { ktype = keys[i].getEType(); if (ktype == EncryptedData.ETYPE_DES_CBC_CRC || - ktype == EncryptedData.ETYPE_DES_CBC_MD5) { - return new EncryptionKey(etype, keys[i].getBytes()); + ktype == EncryptedData.ETYPE_DES_CBC_MD5) { + Integer kv = keys[i].getKeyVersionNumber(); + if (kvno == null || kvno.equals(kv)) { + return new EncryptionKey(etype, keys[i].getBytes()); + } } } } diff --git a/jdk/src/share/classes/sun/security/krb5/KrbApReq.java b/jdk/src/share/classes/sun/security/krb5/KrbApReq.java index 696762b6cd0..e3c21af0d7f 100644 --- a/jdk/src/share/classes/sun/security/krb5/KrbApReq.java +++ b/jdk/src/share/classes/sun/security/krb5/KrbApReq.java @@ -268,7 +268,8 @@ public class KrbApReq { private void authenticate(EncryptionKey[] keys, InetAddress initiator) throws KrbException, IOException { int encPartKeyType = apReqMessg.ticket.encPart.getEType(); - EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys); + Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber(); + EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys); if (dkey == null) { throw new KrbException(Krb5.API_INVALID_ARG, diff --git a/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java b/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java index 388548b2eeb..edca23322a4 100644 --- a/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java +++ b/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java 
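Review bot: A key whose own version number is unknown is now rejected whenever the ticket carries one: `kvno.equals(kv)` is false when `kv` is null, so an `EncryptionKey` built without a kvno no longer matches a versioned ticket, whereas before this change it matched on etype alone. If that is intended it should be stated in the Javadoc of `findKey`; if not, treat an unversioned key as a wildcard with `(kvno == null || kv == null || kvno.equals(kv))` — a wrong key still fails at decryption, so the looser match only affects key selection, not authentication strength. The same question applies to the DES fallback in the following hunk, which uses the identical test. Note also that a ticket without a kvno still matches any key of the right etype, so the new check only takes effect when the KDC populates the field.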
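Review bot: When no key matches, the `KrbException` thrown just after this hunk (its message is outside the hunk) should now report the requested kvno as well as the etype, because a keytab that has not been refreshed after a service password change is the most likely cause of a miss and the etype alone no longer explains it; build the message from `encPartKeyType` and `kvno`. A short comment above the lookup would also help the next reader, e.g. `// kvno is optional in the ticket (RFC 4120); when absent, findKey falls back to matching on etype alone`. `authenticate` starts before and continues after this hunk.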
@@ -395,6 +395,28 @@ public class KeyTab implements KeyTabConstants { } } + /** + * Only used by KDC test. This method can specify kvno and does not + * remove any old keys. + */ + public void addEntry(PrincipalName service, char[] psswd, int kvno) + throws KrbException { + + EncryptionKey[] encKeys = EncryptionKey.acquireSecretKeys( + psswd, service.getSalt()); + + for (int i = 0; encKeys != null && i < encKeys.length; i++) { + int keyType = encKeys[i].getEType(); + byte[] keyValue = encKeys[i].getBytes(); + KeyTabEntry newEntry = new KeyTabEntry(service, + service.getRealm(), + new KerberosTime(System.currentTimeMillis()), + kvno, keyType, keyValue); + if (entries == null) + entries = new Vector (); + entries.addElement(newEntry); + } + } /** * Retrieves the key table entry with the specified service name. diff --git a/jdk/test/sun/security/krb5/auto/KDC.java b/jdk/test/sun/security/krb5/auto/KDC.java index 601eda50707..586d8b23e61 100644 --- a/jdk/test/sun/security/krb5/auto/KDC.java +++ b/jdk/test/sun/security/krb5/auto/KDC.java @@ -466,7 +466,17 @@ public class KDC { // the krb5.conf config file would be loaded. Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE); stringToKey.setAccessible(true); - return new EncryptionKey((byte[]) stringToKey.invoke(null, getPassword(p), getSalt(p), null, etype), etype, null); + Integer kvno = null; + // For service whose password ending with a number, use it as kvno + if (p.toString().indexOf('/') >= 0) { + char[] pass = getPassword(p); + if (Character.isDigit(pass[pass.length-1])) { + kvno = pass[pass.length-1] - '0'; + } + } + return new EncryptionKey((byte[]) stringToKey.invoke( + null, getPassword(p), getSalt(p), null, etype), + etype, kvno); } catch (InvocationTargetException ex) { KrbException ke = (KrbException)ex.getCause(); throw ke; 
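Review bot: The new `addEntry(PrincipalName, char[], int)` is `public` on the production `KeyTab` class while its comment says it exists only for the KDC test, and it neither validates `kvno` nor prevents repeated calls from accumulating duplicate entries for the same principal, etype and kvno (the comment "does not remove any old keys" makes that explicit). If it must stay public, reject nonsensical input up front with `if (kvno < 0) throw new IllegalArgumentException("kvno must be >= 0: " + kvno);` and say in the Javadoc that the caller is responsible for deduplication and for calling `save()`. The raw `new Vector ()` should also be parameterised to match whatever element type `entries` is declared with elsewhere in the class.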
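Review bot: In the KDC hunk, `pass[pass.length-1]` throws `ArrayIndexOutOfBoundsException` if a test ever registers a service with an empty password, and `getPassword(p)` is fetched twice; guard with `pass.length > 0` and reuse `pass` in the `stringToKey.invoke(...)` call. The digit-suffix convention is easy to trip over, so it deserves a comment where principals are registered, e.g. `// Test convention: a service password ending in a digit sets the kvno stamped into tickets for that service`. The enclosing method starts before and continues after this hunk.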
diff --git a/jdk/test/sun/security/krb5/auto/MoreKvno.java b/jdk/test/sun/security/krb5/auto/MoreKvno.java
new file mode 100644
index 00000000000..66740a8b799
--- /dev/null
+++ b/jdk/test/sun/security/krb5/auto/MoreKvno.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6893158
+ * @summary AP_REQ check should use key version number
+ */
+
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+import sun.security.krb5.internal.ktab.KeyTab;
+
+public class MoreKvno {
+
+ public static void main(String[] args)
+ throws Exception {
+
+ OneKDC kdc = new OneKDC(null);
+ kdc.writeJAASConf();
+
+ // Rewrite keytab, 3 set of keys with different kvno
+ KeyTab ktab = KeyTab.create(OneKDC.KTAB);
+ PrincipalName p = new PrincipalName(OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
+ ktab.addEntry(p, "pass0".toCharArray(), 0);
+ ktab.addEntry(p, "pass2".toCharArray(), 2);
+ ktab.addEntry(p, "pass1".toCharArray(), 1);
+ ktab.save();
+
+ kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
+ go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept");
+ kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
+ // "server" initiate also, check pass2 is used at authentication
+ go(OneKDC.SERVER, "server");
+ }
+
+ static void go(String server, String entry) throws Exception {
+ Context c, s;
+ c = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
+ s = Context.fromJAAS(entry);
+
+ c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ Context.handshake(c, s);
+
+ s.dispose();
+ c.dispose();
+ }
+}
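Review bot: The test covers only the positive path — handshakes under kvno 1 and then kvno 2 — and never exercises the case the fix actually introduces, a ticket whose kvno is absent from the keytab (where `findKey` now returns null and `authenticate` throws). Since the test KDC derives the kvno from the password's last digit and the keytab holds only kvno 0, 1 and 2, a third step registering `"pass3"` and asserting that the handshake fails would pin that behaviour; the rewritten tail of `main` is below. Separately, the `dispose()` calls in `go` are skipped when `Context.handshake` throws, so they belong in a `finally` block.

```java
        // … unchanged: keytab setup and the two successful handshakes …
        // kvno 3 is not in the keytab: the acceptor must refuse this ticket
        kdc.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
        boolean rejected = false;
        try {
            go(OneKDC.SERVER, "server");
        } catch (Exception e) {
            rejected = true;   // expected: no key for kvno 3
        }
        if (!rejected) {
            throw new Exception("handshake with a kvno missing from the keytab must fail");
        }
```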