From d7d1d42b67bcc8e6fe98e936b10e43edfd4989a2 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Mon, 2 Oct 2023 19:55:22 +0000 Subject: [PATCH] 8316771: Krb5.java has not defined messages for all error codes Reviewed-by: mullan --- .../krb5/internal/CredentialsUtil.java | 3 +- .../sun/security/krb5/internal/Krb5.java | 17 +++-- test/jdk/sun/security/krb5/ErrorMessages.java | 63 +++++++++++++++++++ 3 files changed, 76 insertions(+), 7 deletions(-) create mode 100644 test/jdk/sun/security/krb5/ErrorMessages.java diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java b/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java index f2c7dbc956f..04c9647e7aa 100644 --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java @@ -463,8 +463,7 @@ public class CredentialsUtil { Credentials newTgt = getTGTforRealm(tgtRealm, serviceRealm, asCreds, okAsDelegate); if (newTgt == null) { - throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED, - "No service creds"); + throw new KrbException("No service creds"); } if (DEBUG) { System.out.println(">>> Cross-realm TGT Credentials" + diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java b/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java index fabff57ae64..4b3d3910b28 100644 --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java 
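Review bot: The `newTgt == null` branch now throws a bare `KrbException` whose only content is "No service creds", so the failure carries no error code and still does not say which realm hop failed. Any caller that caught `KrbApErrException` specifically, or compared the return code with the removed `KRB_AP_ERR_GEN_CRED`, would stop matching. That is worth confirming outside this hunk, since the enclosing method starts and ends beyond it. Naming the realms would make cross-realm failures diagnosable from the exception alone, for example `throw new KrbException("No service creds: no TGT from " + tgtRealm + " to " + serviceRealm);`.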
@@ -250,6 +250,9 @@ public class Krb5 {
 public static final int KDC_ERR_KEY_EXPIRED = 23; //Password has expired - change password to reset
 public static final int KDC_ERR_PREAUTH_FAILED = 24; //Pre-authentication information was invalid
 public static final int KDC_ERR_PREAUTH_REQUIRED = 25; //Additional pre-authentication required
+ public static final int KDC_ERR_SERVER_NOMATCH = 26; //Requested server and ticket don't match
+ public static final int KDC_ERR_MUST_USE_USER2USER = 27; //Server principal valid for user2user only
+ public static final int KDC_ERR_PATH_NOT_ACCEPTED = 28; //KDC Policy rejects transited path
 public static final int KDC_ERR_SVC_UNAVAILABLE = 29; //A service is not available
 public static final int KRB_AP_ERR_BAD_INTEGRITY = 31; //Integrity check on decrypted field failed
 public static final int KRB_AP_ERR_TKT_EXPIRED = 32; //Ticket expired
@@ -270,13 +273,13 @@ public class Krb5 {
 public static final int KRB_AP_ERR_METHOD = 48; //Alternative authentication method required
 public static final int KRB_AP_ERR_BADSEQ = 49; //Incorrect sequence number in message
 public static final int KRB_AP_ERR_INAPP_CKSUM = 50; //Inappropriate type of checksum in message
+ public static final int KRB_AP_PATH_NOT_ACCEPTED = 51; //Policy rejects transited path
 public static final int KRB_ERR_RESPONSE_TOO_BIG = 52; //Response too big for UDP, retry with TCP
 public static final int KRB_ERR_GENERIC = 60; //Generic error (description in e-text)
 public static final int KRB_ERR_FIELD_TOOLONG = 61; //Field is too long for this implementation
 public static final int KRB_ERR_WRONG_REALM = 68; //Wrong realm
- public static final int KRB_CRYPTO_NOT_SUPPORT = 100; //Client does not support this crypto type
- public static final int KRB_AP_ERR_NOREALM = 62;
- public static final int KRB_AP_ERR_GEN_CRED = 63;
+
+ public static final int KRB_CRYPTO_NOT_SUPPORT = 100; //Client does not support this crypto type
 // public static final int KRB_AP_ERR_CKSUM_NOKEY =101; //Lack of the key to generate the checksum
 // error codes specific to this implementation
 public static final int KRB_AP_ERR_REQ_OPTIONS = 101; //Invalid TGS_REQ
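Review bot: Removing the two implementation-private values at 62 and 63 leaves a gap between `KRB_ERR_FIELD_TOOLONG = 61` and `KRB_ERR_WRONG_REALM = 68` that the code does not explain. RFC 4120 assigns codes in that range (largely reserved for PKINIT), so a KDC can still return a code that has no constant and no `errMsgList` entry. The new test only checks codes that have a declared constant, so it would not notice. If the omission is intentional, a comment such as `// 62-67: defined by RFC 4120 (mostly PKINIT), not handled by this implementation` above `KRB_ERR_WRONG_REALM` would record it; the same applies to the matching `errMsgList.put` block further down.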
@@ -346,6 +349,10 @@ public class Krb5 { errMsgList.put(KDC_ERR_KEY_EXPIRED, "Password has expired - change password to reset"); errMsgList.put(KDC_ERR_PREAUTH_FAILED, "Pre-authentication information was invalid"); errMsgList.put(KDC_ERR_PREAUTH_REQUIRED, "Additional pre-authentication required"); + errMsgList.put(KDC_ERR_SERVER_NOMATCH, "Requested server and ticket don't match"); + errMsgList.put(KDC_ERR_MUST_USE_USER2USER, "Server principal valid for user2user only"); + errMsgList.put(KDC_ERR_PATH_NOT_ACCEPTED, "KDC Policy rejects transited path"); + errMsgList.put(KDC_ERR_SVC_UNAVAILABLE, "A service is not available"); errMsgList.put(KRB_AP_ERR_BAD_INTEGRITY, "Integrity check on decrypted field failed"); errMsgList.put(KRB_AP_ERR_TKT_EXPIRED, "Ticket expired"); errMsgList.put(KRB_AP_ERR_TKT_NYV, "Ticket not yet valid"); @@ -365,10 +372,11 @@ public class Krb5 { errMsgList.put(KRB_AP_ERR_METHOD, "Alternative authentication method required"); errMsgList.put(KRB_AP_ERR_BADSEQ, "Incorrect sequence number in message"); errMsgList.put(KRB_AP_ERR_INAPP_CKSUM, "Inappropriate type of checksum in message"); + errMsgList.put(KRB_AP_PATH_NOT_ACCEPTED, "Policy rejects transited path"); errMsgList.put(KRB_ERR_RESPONSE_TOO_BIG, "Response too big for UDP, retry with TCP"); errMsgList.put(KRB_ERR_GENERIC, "Generic error (description in e-text)"); errMsgList.put(KRB_ERR_FIELD_TOOLONG, "Field is too long for this implementation"); - errMsgList.put(KRB_AP_ERR_NOREALM, "Realm name not available"); //used in setDefaultCreds() in sun.security.krb5.Credentials + errMsgList.put(KRB_ERR_WRONG_REALM, "Wrong realm"); // error messages specific to this implementation 
@@ -398,7 +406,6 @@ public class Krb5 { errMsgList.put(ASN1_CANNOT_ENCODE, "Encoding failed due to invalid parameter(s)"); errMsgList.put(KRB_CRYPTO_NOT_SUPPORT, "Client has no support for crypto type"); errMsgList.put(KRB_AP_ERR_REQ_OPTIONS, "Invalid option setting in ticket request."); - errMsgList.put(KRB_AP_ERR_GEN_CRED, "Fail to create credential."); } } diff --git a/test/jdk/sun/security/krb5/ErrorMessages.java b/test/jdk/sun/security/krb5/ErrorMessages.java new file mode 100644 index 00000000000..b233e3d290e --- /dev/null +++ b/test/jdk/sun/security/krb5/ErrorMessages.java 
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+/*
+ * @test
+ * @bug 8316771
+ * @library /test/lib
+ * @modules java.security.jgss/sun.security.krb5.internal:+open
+ * @summary make sure each error code has a message
+ */
+
+import jdk.test.lib.Asserts;
+import sun.security.krb5.internal.Krb5;
+
+import java.lang.reflect.Field;
+import java.util.Hashtable;
+
+public class ErrorMessages {
+ public static void main(String[] args) throws Exception {
+ boolean isError = false;
+ int count = 0;
+ int size = -1;
+ for (Field v : Krb5.class.getDeclaredFields()) {
+ // The spec of the Class::getDeclaredFields method claims
+ // "The elements in the returned array are not sorted and
+ // are not in any particular order". However, the current
+ // implementation seems to be listing them in the order
+ // they appear in the code.
+ if (v.getName().equals("errMsgList")) {
+ v.setAccessible(true);
+ size = ((Hashtable)v.get(null)).size();
+ break;
+ }
+ if (v.getName().equals("KDC_ERR_NONE")) {
+ isError = true;
+ }
+ if (!isError) continue;
+ Asserts.assertNotEquals(Krb5.getErrorMessage((int)v.get(null)),
+ null, "No msg for " + v);
+ count++;
+ }
+ Asserts.assertEQ(count, size, "Different size");
+ }
+}
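Review bot: The loop in `main` depends on `getDeclaredFields()` returning fields in declaration order, which its own comment says the specification does not promise. If `errMsgList` came back before the constants, the test would break out with `count` still 0 and fail with the unhelpful "Different size". Any non-`int` field between `KDC_ERR_NONE` and `errMsgList` would fail the `(int)v.get(null)` cast with a `ClassCastException`. A guard such as `if (v.getType() != int.class) continue;` before the cast and `Asserts.assertTrue(isError, "KDC_ERR_NONE not found");` after the loop would make those cases fail with a clear reason. The raw `(Hashtable)` cast could also be written `(Hashtable<?, ?>)` to avoid the raw-type warning.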