8284688: Minor cleanup could be done in java.security.jgss

Reviewed-by: weijun
Mark Powers 2022-05-19 13:13:48 +00:00 committed by Weijun Wang
parent 6e386669e3
commit db19dc6bb9
72 changed files with 701 additions and 798 deletions

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,10 +25,7 @@
package javax.security.auth.kerberos;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.*;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
@ -67,6 +64,7 @@ import java.util.concurrent.ConcurrentHashMap;
public final class DelegationPermission extends BasicPermission
implements java.io.Serializable {
@Serial
private static final long serialVersionUID = 883133252142523922L;
private transient String subordinate, service;
@ -177,12 +175,10 @@ public final class DelegationPermission extends BasicPermission
return true;
}
if (!(obj instanceof DelegationPermission)) {
if (!(obj instanceof DelegationPermission that)) {
return false;
}
DelegationPermission that = (DelegationPermission) obj;
return this.subordinate.equals(that.subordinate) &&
this.service.equals(that.service);
}
@ -222,6 +218,7 @@ public final class DelegationPermission extends BasicPermission
* @param s the {@code ObjectOutputStream} to which data is written
* @throws IOException if an I/O error occurs
*/
@Serial
private synchronized void writeObject(java.io.ObjectOutputStream s)
throws IOException
{
@ -236,6 +233,7 @@ public final class DelegationPermission extends BasicPermission
* @throws IOException if an I/O error occurs
* @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@Serial
private synchronized void readObject(java.io.ObjectInputStream s)
throws IOException, ClassNotFoundException
{
@ -309,6 +307,7 @@ final class KrbDelegationPermissionCollection extends PermissionCollection
return perms.keys();
}
@Serial
private static final long serialVersionUID = -3383936936589966948L;
// Need to maintain serialization interoperability with earlier releases,
@ -318,6 +317,7 @@ final class KrbDelegationPermissionCollection extends PermissionCollection
* @serialField permissions java.util.Vector
* A list of DelegationPermission objects.
*/
@Serial
private static final ObjectStreamField[] serialPersistentFields = {
new ObjectStreamField("permissions", Vector.class),
};
@ -329,6 +329,7 @@ final class KrbDelegationPermissionCollection extends PermissionCollection
* Writes the contents of the perms field out as a Vector for
* serialization compatibility with earlier releases.
*/
@Serial
private void writeObject(ObjectOutputStream out) throws IOException {
// Don't call out.defaultWriteObject()
@ -343,6 +344,7 @@ final class KrbDelegationPermissionCollection extends PermissionCollection
/*
* Reads in a Vector of DelegationPermissions and saves them in the perms field.
*/
@Serial
@SuppressWarnings("unchecked")
private void readObject(ObjectInputStream in)
throws IOException, ClassNotFoundException
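Review bot: The on-demand `import java.io.*;` that replaces the four explicit java.io imports at the top of this file is wider than the change needs; as far as the visible hunks show, the only new name is `Serial`. Adding `import java.io.Serial;` beside the existing imports, as the EncryptionKey and KerberosKey sections of this commit do, keeps the import list explicit and reviewable. The same replacement appears in the ServicePermission section, where it sits next to `import java.util.*;`, so that file then relies on two on-demand imports.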

@ -1,5 +1,5 @@
/*
* Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2014, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,7 @@
package javax.security.auth.kerberos;
import java.io.Serial;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.SecretKey;
@ -48,6 +49,7 @@ import javax.security.auth.DestroyFailedException;
*/
public final class EncryptionKey implements SecretKey {
@Serial
private static final long serialVersionUID = 9L;
/**
@ -205,11 +207,10 @@ public final class EncryptionKey implements SecretKey {
if (other == this)
return true;
if (! (other instanceof EncryptionKey)) {
if (! (other instanceof EncryptionKey otherKey)) {
return false;
}
EncryptionKey otherKey = ((EncryptionKey) other);
if (isDestroyed() || otherKey.isDestroyed()) {
return false;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2014, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -178,11 +178,10 @@ public final class KerberosCredMessage implements Destroyable {
return true;
}
if (! (other instanceof KerberosCredMessage)) {
if (! (other instanceof KerberosCredMessage otherMessage)) {
return false;
}
KerberosCredMessage otherMessage = ((KerberosCredMessage) other);
if (isDestroyed() || otherMessage.isDestroyed()) {
return false;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,7 @@
package javax.security.auth.kerberos;
import java.io.Serial;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.security.auth.DestroyFailedException;
@ -86,6 +87,7 @@ import javax.security.auth.DestroyFailedException;
*/
public class KerberosKey implements SecretKey {
@Serial
private static final long serialVersionUID = -4625402278148246993L;
/**
@ -108,7 +110,7 @@ public class KerberosKey implements SecretKey {
*
* @serial
*/
private KeyImpl key;
private final KeyImpl key;
private transient boolean destroyed = false;
@ -312,11 +314,10 @@ public class KerberosKey implements SecretKey {
return true;
}
if (! (other instanceof KerberosKey)) {
if (! (other instanceof KerberosKey otherKey)) {
return false;
}
KerberosKey otherKey = ((KerberosKey) other);
if (isDestroyed() || otherKey.isDestroyed()) {
return false;
}
@ -328,15 +329,9 @@ public class KerberosKey implements SecretKey {
}
if (principal == null) {
if (otherKey.getPrincipal() != null) {
return false;
}
return otherKey.getPrincipal() == null;
} else {
if (!principal.equals(otherKey.getPrincipal())) {
return false;
}
return principal.equals(otherKey.getPrincipal());
}
return true;
}
}
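Review bot: The principal comparison that ends equals() is still a hand-written null-safe equality, `if (principal == null) { return otherKey.getPrincipal() == null; } else { return principal.equals(otherKey.getPrincipal()); }`. It can be the single line `return Objects.equals(principal, otherKey.getPrincipal());`, the form the KerberosTicket section of this commit uses for `proxy`. The imports visible for this file list `java.util.Arrays` but not `java.util.Objects`, so that import would have to be added. equals() begins outside the hunk.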

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -41,6 +41,7 @@ import sun.security.util.*;
public final class KerberosPrincipal
implements java.security.Principal, java.io.Serializable {
@Serial
private static final long serialVersionUID = -7374788026156829911L;
//name types
@ -190,7 +191,7 @@ public final class KerberosPrincipal
public KerberosPrincipal(String name, int nameType) {
PrincipalName krb5Principal = null;
PrincipalName krb5Principal;
try {
// Appends the default realm if it is missing
@ -274,6 +275,7 @@ public final class KerberosPrincipal
* Realm in their DER-encoded form as specified in Section 5.2.2 of
* <a href=http://www.ietf.org/rfc/rfc4120.txt> RFC4120</a>.
*/
@Serial
private void writeObject(ObjectOutputStream oos)
throws IOException {
@ -294,6 +296,7 @@ public final class KerberosPrincipal
* @throws IOException if an I/O error occurs
* @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@Serial
private void readObject(ObjectInputStream ois)
throws IOException, ClassNotFoundException {
byte[] asn1EncPrincipal = (byte [])ois.readObject();
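Review bot: In readObject() the first value taken from the stream is cast straight to `byte[]`, so a stream that carries some other object type surfaces as a ClassCastException rather than as a serialization error; the commit leaves that line as it was. Since pattern matching is adopted elsewhere in this commit, the read could be `if (!(ois.readObject() instanceof byte[] asn1EncPrincipal)) throw new InvalidObjectException("byte[] expected");`, which also rejects null at that point. The rest of readObject() is outside the hunk, so later validation may already cover part of this, and `java.io.InvalidObjectException` would need to be in scope.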

@ -82,6 +82,7 @@ import sun.security.util.HexDumpEncoder;
public class KerberosTicket implements Destroyable, Refreshable,
java.io.Serializable {
@Serial
private static final long serialVersionUID = 7395334370157380539L;
// XXX Make these flag indices public
@ -311,9 +312,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
} else {
this.flags = new boolean[NUM_FLAGS];
// Fill in whatever we have
for (int i = 0; i < flags.length; i++) {
this.flags[i] = flags[i];
}
System.arraycopy(flags, 0, this.flags, 0, flags.length);
}
} else {
this.flags = new boolean[NUM_FLAGS];
@ -400,7 +399,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* or destroyed.
*/
public final boolean isForwardable() {
return flags == null? false: flags[FORWARDABLE_TICKET_FLAG];
return flags != null && flags[FORWARDABLE_TICKET_FLAG];
}
/**
@ -412,7 +411,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* or false otherwise or destroyed.
*/
public final boolean isForwarded() {
return flags == null? false: flags[FORWARDED_TICKET_FLAG];
return flags != null && flags[FORWARDED_TICKET_FLAG];
}
/**
@ -422,7 +421,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* or destroyed.
*/
public final boolean isProxiable() {
return flags == null? false: flags[PROXIABLE_TICKET_FLAG];
return flags != null && flags[PROXIABLE_TICKET_FLAG];
}
/**
@ -432,7 +431,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* a proxy-ticket or destroyed.
*/
public final boolean isProxy() {
return flags == null? false: flags[PROXY_TICKET_FLAG];
return flags != null && flags[PROXY_TICKET_FLAG];
}
@ -443,7 +442,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* or destroyed.
*/
public final boolean isPostdated() {
return flags == null? false: flags[POSTDATED_TICKET_FLAG];
return flags != null && flags[POSTDATED_TICKET_FLAG];
}
/**
@ -455,7 +454,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* or destroyed.
*/
public final boolean isRenewable() {
return flags == null? false: flags[RENEWABLE_TICKET_FLAG];
return flags != null && flags[RENEWABLE_TICKET_FLAG];
}
/**
@ -466,7 +465,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* protocol, or false if not issued this way or destroyed.
*/
public final boolean isInitial() {
return flags == null? false: flags[INITIAL_TICKET_FLAG];
return flags != null && flags[INITIAL_TICKET_FLAG];
}
/**
@ -555,7 +554,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* or destroyed.
*/
public boolean isCurrent() {
return endTime == null? false: (System.currentTimeMillis() <= endTime.getTime());
return endTime != null && (System.currentTimeMillis() <= endTime.getTime());
}
/**
@ -775,11 +774,10 @@ public class KerberosTicket implements Destroyable, Refreshable,
return true;
}
if (! (other instanceof KerberosTicket)) {
if (! (other instanceof KerberosTicket otherTicket)) {
return false;
}
KerberosTicket otherTicket = ((KerberosTicket) other);
if (isDestroyed() || otherTicket.isDestroyed()) {
return false;
}
@ -826,11 +824,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
}
}
if (!Objects.equals(proxy, otherTicket.proxy)) {
return false;
}
return true;
return Objects.equals(proxy, otherTicket.proxy);
}
/**
@ -840,6 +834,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
* @throws IOException if an I/O error occurs
* @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@Serial
private void readObject(ObjectInputStream s)
throws IOException, ClassNotFoundException {
s.defaultReadObject();
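Review bot: The seven flag getters (isForwardable through isInitial) now repeat the same expression, `flags != null && flags[...]`, and none of them says why `flags` can be null. A private helper such as `private boolean hasFlag(int index) { return flags != null && flags[index]; }` would keep the check in one place, with a comment along the lines of `// flags == null is taken to mean the ticket was destroyed`. The Javadoc above each getter says "or destroyed", but the code that clears `flags` is not in these hunks, so that wording should be confirmed before it is written down.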

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -49,6 +49,7 @@ import sun.security.util.DerValue;
*/
class KeyImpl implements SecretKey, Destroyable, Serializable {
@Serial
private static final long serialVersionUID = -7889313790214321193L;
private transient byte[] keyBytes;
@ -189,6 +190,7 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
* @throws IOException if an I/O error occurs
* }
*/
@Serial
private void writeObject(ObjectOutputStream oos)
throws IOException {
if (destroyed) {
@ -209,6 +211,7 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
* @throws IOException if an I/O error occurs
* @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@Serial
private void readObject(ObjectInputStream ois)
throws IOException, ClassNotFoundException {
try {
@ -247,20 +250,15 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
if (other == this)
return true;
if (! (other instanceof KeyImpl)) {
if (! (other instanceof KeyImpl otherKey)) {
return false;
}
KeyImpl otherKey = ((KeyImpl) other);
if (isDestroyed() || otherKey.isDestroyed()) {
return false;
}
if(keyType != otherKey.getKeyType() ||
!Arrays.equals(keyBytes, otherKey.getEncoded())) {
return false;
}
return true;
return keyType == otherKey.getKeyType() &&
Arrays.equals(keyBytes, otherKey.getEncoded());
}
}
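Review bot: The rewritten return in equals() still compares secret key bytes through `otherKey.getEncoded()`; if that accessor hands back a copy (its body is not in this hunk), every comparison leaves one more copy of the key on the heap that is never cleared. Because the pattern now types `otherKey` as KeyImpl, the private field can be read directly: `Arrays.equals(keyBytes, otherKey.keyBytes)`. If the timing of the comparison matters to any caller, `MessageDigest.isEqual(keyBytes, otherKey.keyBytes)` is the constant-time alternative and would need `java.security.MessageDigest` imported.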

@ -1,5 +1,5 @@
/*
* Copyright (c) 2011, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2011, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -349,11 +349,10 @@ public final class KeyTab {
if (other == this)
return true;
if (! (other instanceof KeyTab)) {
if (! (other instanceof KeyTab otherKtab)) {
return false;
}
KeyTab otherKtab = (KeyTab) other;
return Objects.equals(otherKtab.princ, princ) &&
Objects.equals(otherKtab.file, file) &&
bound == otherKtab.bound;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,10 +25,7 @@
package javax.security.auth.kerberos;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.*;
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.*;
@ -38,7 +35,7 @@ import java.util.concurrent.ConcurrentHashMap;
* This class is used to protect Kerberos services and the
* credentials necessary to access those services. There is a one to
* one mapping of a service principal and the credentials necessary
* to access the service. Therefore granting access to a service
* to access the service. Therefore, granting access to a service
* principal implicitly grants access to the credential necessary to
* establish a security context with the service principal. This
* applies regardless of whether the credentials are in a cache
@ -105,6 +102,7 @@ import java.util.concurrent.ConcurrentHashMap;
public final class ServicePermission extends Permission
implements java.io.Serializable {
@Serial
private static final long serialVersionUID = -1227585031618624935L;
/**
@ -186,7 +184,7 @@ public final class ServicePermission extends Permission
* Checks if this Kerberos service permission object "implies" the
* specified permission.
* <P>
* More specifically, this method returns true if all of the following
* More specifically, this method returns true if all the following
* are true (and returns false if any of them are not):
* <ul>
* <li> <i>p</i> is an instanceof {@code ServicePermission},
@ -203,11 +201,9 @@ public final class ServicePermission extends Permission
*/
@Override
public boolean implies(Permission p) {
if (!(p instanceof ServicePermission))
if (!(p instanceof ServicePermission that))
return false;
ServicePermission that = (ServicePermission) p;
return ((this.mask & that.mask) == that.mask) &&
impliesIgnoreMask(that);
}
@ -234,10 +230,9 @@ public final class ServicePermission extends Permission
if (obj == this)
return true;
if (! (obj instanceof ServicePermission))
if (! (obj instanceof ServicePermission that))
return false;
ServicePermission that = (ServicePermission) obj;
return (this.mask == that.mask) &&
this.getName().equals(that.getName());
@ -270,14 +265,12 @@ public final class ServicePermission extends Permission
boolean comma = false;
if ((mask & INITIATE) == INITIATE) {
if (comma) sb.append(',');
else comma = true;
comma = true;
sb.append("initiate");
}
if ((mask & ACCEPT) == ACCEPT) {
if (comma) sb.append(',');
else comma = true;
sb.append("accept");
}
@ -429,6 +422,7 @@ public final class ServicePermission extends Permission
* @param s the {@code ObjectOutputStream} to which data is written
* @throws IOException if an I/O error occurs
*/
@Serial
private void writeObject(java.io.ObjectOutputStream s)
throws IOException
{
@ -447,6 +441,7 @@ public final class ServicePermission extends Permission
* @throws IOException if an I/O error occurs
* @throws ClassNotFoundException if a serialized class cannot be loaded
*/
@Serial
private void readObject(java.io.ObjectInputStream s)
throws IOException, ClassNotFoundException
{
@ -516,10 +511,9 @@ final class KrbServicePermissionCollection extends PermissionCollection
*/
@Override
public boolean implies(Permission permission) {
if (! (permission instanceof ServicePermission))
if (! (permission instanceof ServicePermission np))
return false;
ServicePermission np = (ServicePermission) permission;
int desired = np.getMask();
if (desired == 0) {
@ -545,9 +539,7 @@ final class KrbServicePermissionCollection extends PermissionCollection
x = (ServicePermission)perms.get(np.getName());
if (x != null) {
//System.out.println(" trying "+x);
if ((x.getMask() & desired) == desired) {
return true;
}
return (x.getMask() & desired) == desired;
}
return false;
}
@ -566,13 +558,12 @@ final class KrbServicePermissionCollection extends PermissionCollection
*/
@Override
public void add(Permission permission) {
if (! (permission instanceof ServicePermission))
if (! (permission instanceof ServicePermission sp))
throw new IllegalArgumentException("invalid permission: "+
permission);
if (isReadOnly())
throw new SecurityException("attempt to add a Permission to a readonly PermissionCollection");
ServicePermission sp = (ServicePermission)permission;
String princName = sp.getName();
// Add permission to map if it is absent, or replace with new
@ -583,8 +574,8 @@ final class KrbServicePermissionCollection extends PermissionCollection
@Override
public Permission apply(Permission existingVal,
Permission newVal) {
int oldMask = ((ServicePermission)existingVal).getMask();
int newMask = ((ServicePermission)newVal).getMask();
int oldMask = ((ServicePermission) existingVal).getMask();
int newMask = ((ServicePermission) newVal).getMask();
if (oldMask != newMask) {
int effective = oldMask | newMask;
if (effective == newMask) {
@ -611,6 +602,7 @@ final class KrbServicePermissionCollection extends PermissionCollection
return perms.elements();
}
@Serial
private static final long serialVersionUID = -4118834211490102011L;
// Need to maintain serialization interoperability with earlier releases,
@ -621,6 +613,7 @@ final class KrbServicePermissionCollection extends PermissionCollection
* @serialField permissions java.util.Vector
* A list of ServicePermission objects.
*/
@Serial
private static final ObjectStreamField[] serialPersistentFields = {
new ObjectStreamField("permissions", Vector.class),
};
@ -632,6 +625,7 @@ final class KrbServicePermissionCollection extends PermissionCollection
* Writes the contents of the perms field out as a Vector for
* serialization compatibility with earlier releases.
*/
@Serial
private void writeObject(ObjectOutputStream out) throws IOException {
// Don't call out.defaultWriteObject()
@ -646,6 +640,7 @@ final class KrbServicePermissionCollection extends PermissionCollection
/*
* Reads in a Vector of ServicePermissions and saves them in the perms field.
*/
@Serial
@SuppressWarnings("unchecked")
private void readObject(ObjectInputStream in)
throws IOException, ClassNotFoundException
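Review bot: In the getActions hunk the comma bookkeeping is now asymmetric: as far as the page lets the two sides be told apart, the initiate branch is left with a bare `comma = true;` and the accept branch with `if (comma) sb.append(',');` and no assignment, so the pattern no longer carries over if a third action is ever appended after accept. A `StringJoiner` states the intent without the flag: `StringJoiner sj = new StringJoiner(",");` followed by `if ((mask & INITIATE) == INITIATE) sj.add("initiate");` and the same for accept; `java.util.*` is already imported in this file. The method begins and ends outside the hunk, so the line that returns the string would need adjusting to match.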

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -79,8 +79,8 @@ import java.util.Arrays;
*/
public class ChannelBinding {
private InetAddress initiator;
private InetAddress acceptor;
private final InetAddress initiator;
private final InetAddress acceptor;
private byte[] appData;
/**
@ -172,11 +172,9 @@ public class ChannelBinding {
if (this == obj)
return true;
if (! (obj instanceof ChannelBinding))
if (! (obj instanceof ChannelBinding cb))
return false;
ChannelBinding cb = (ChannelBinding) obj;
if ((initiator != null && cb.initiator == null) ||
(initiator == null && cb.initiator != null))
return false;
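Review bot: `appData` is the one field of ChannelBinding left non-final after `initiator` and `acceptor` were made final, so the application binding data remains the only part of the object the class itself can reassign. The constructor is outside the hunk; if it assigns `appData` only when the argument is non-null, a single assignment such as `this.appData = (appData == null) ? null : appData.clone();` would allow `private final byte[] appData;` as well. A final field does not freeze the array contents, so any accessor still has to hand out a copy rather than the array itself.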

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -216,14 +216,14 @@ public interface GSSContext {
* A lifetime constant representing the default context lifetime. This
* value is set to 0.
*/
public static final int DEFAULT_LIFETIME = 0;
int DEFAULT_LIFETIME = 0;
/**
* A lifetime constant representing indefinite context lifetime.
* This value must is set to the maximum integer value in Java -
* {@link java.lang.Integer#MAX_VALUE Integer.MAX_VALUE}.
*/
public static final int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
/**
* Called by the context initiator to start the context creation
@ -272,7 +272,7 @@ public interface GSSContext {
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte[] initSecContext(byte inputBuf[], int offset, int len)
byte[] initSecContext(byte inputBuf[], int offset, int len)
throws GSSException;
/**
@ -360,8 +360,8 @@ public interface GSSContext {
* Use {@link #initSecContext(byte[], int, int)} instead.
*/
@Deprecated(since="11")
public int initSecContext(InputStream inStream,
OutputStream outStream) throws GSSException;
int initSecContext(InputStream inStream,
OutputStream outStream) throws GSSException;
/**
* Called by the context acceptor upon receiving a token from the
@ -427,7 +427,7 @@ public interface GSSContext {
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte[] acceptSecContext(byte inToken[], int offset, int len)
byte[] acceptSecContext(byte inToken[], int offset, int len)
throws GSSException;
/**
@ -519,8 +519,8 @@ public interface GSSContext {
* sent.</strong>
*/
@Deprecated(since="11")
public void acceptSecContext(InputStream inStream,
OutputStream outStream) throws GSSException;
void acceptSecContext(InputStream inStream,
OutputStream outStream) throws GSSException;
/**
* Used during context establishment to determine the state of the
@ -529,7 +529,7 @@ public interface GSSContext {
* @return <code>true</code> if this is a fully established context on
* the caller's side and no more tokens are needed from the peer.
*/
public boolean isEstablished();
boolean isEstablished();
/**
* Releases any system resources and cryptographic information stored in
@ -540,7 +540,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void dispose() throws GSSException;
void dispose() throws GSSException;
/**
* Used to determine limits on the size of the message
@ -573,8 +573,8 @@ public interface GSSContext {
* {@link GSSException#BAD_QOP GSSException.BAD_QOP},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public int getWrapSizeLimit(int qop, boolean confReq,
int maxTokenSize) throws GSSException;
int getWrapSizeLimit(int qop, boolean confReq,
int maxTokenSize) throws GSSException;
/**
* Applies per-message security services over the established security
@ -614,8 +614,8 @@ public interface GSSContext {
* {@link GSSException#BAD_QOP GSSException.BAD_QOP},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte[] wrap(byte inBuf[], int offset, int len,
MessageProp msgProp) throws GSSException;
byte[] wrap(byte inBuf[], int offset, int len,
MessageProp msgProp) throws GSSException;
/**
* Applies per-message security services over the established security
@ -645,7 +645,7 @@ public interface GSSContext {
* support the wrapping of zero-length messages.
*
* @param inStream an InputStream containing the application data to be
* protected. All of the data that is available in
* protected. All the data that is available in
* inStream is used.
* @param outStream an OutputStream to write the protected message
* to.
@ -665,8 +665,8 @@ public interface GSSContext {
* Use {@link #wrap(byte[], int, int, MessageProp)} instead.
*/
@Deprecated(since="11")
public void wrap(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException;
void wrap(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException;
/**
* Used to process tokens generated by the <code>wrap</code> method on
@ -701,8 +701,8 @@ public interface GSSContext {
* {@link GSSException#CONTEXT_EXPIRED GSSException.CONTEXT_EXPIRED},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte [] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException;
byte [] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException;
/**
* Uses streams to process tokens generated by the <code>wrap</code>
@ -752,8 +752,8 @@ public interface GSSContext {
* Use {@link #unwrap(byte[], int, int, MessageProp)} instead.
*/
@Deprecated(since="11")
public void unwrap(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException;
void unwrap(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException;
/**
* Returns a token containing a cryptographic Message Integrity Code
@ -784,8 +784,8 @@ public interface GSSContext {
* {@link GSSException#BAD_QOP GSSException.BAD_QOP},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte[] getMIC(byte []inMsg, int offset, int len,
MessageProp msgProp) throws GSSException;
byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException;
/**
* Uses streams to produce a token containing a cryptographic MIC for
@ -802,7 +802,7 @@ public interface GSSContext {
* derivation of MICs from zero-length messages.
*
* @param inStream an InputStream containing the message to generate the
* MIC over. All of the data that is available in
* MIC over. All the data that is available in
* inStream is used.
* @param outStream an OutputStream to write the output token to.
* @param msgProp an instance of <code>MessageProp</code> that is used
@ -821,8 +821,8 @@ public interface GSSContext {
* Use {@link #getMIC(byte[], int, int, MessageProp)} instead.
*/
@Deprecated(since="11")
public void getMIC(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException;
void getMIC(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException;
/**
* Verifies the cryptographic MIC, contained in the token parameter,
@ -856,9 +856,9 @@ public interface GSSContext {
* {@link GSSException#CONTEXT_EXPIRED GSSException.CONTEXT_EXPIRED}
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void verifyMIC(byte[] inToken, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException;
void verifyMIC(byte[] inToken, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException;
/**
* Uses streams to verify the cryptographic MIC, contained in the token
@ -891,7 +891,7 @@ public interface GSSContext {
* @param tokStream an InputStream containing the token generated by the
* peer's getMIC method.
* @param msgStream an InputStream containing the application message to
* verify the cryptographic MIC over. All of the data
* verify the cryptographic MIC over. All the data
* that is available in msgStream is used.
* @param msgProp upon return from the method, this object will contain
* the applied QOP and supplementary information stating if the token
@ -909,12 +909,12 @@ public interface GSSContext {
* instead.
*/
@Deprecated(since="11")
public void verifyMIC(InputStream tokStream, InputStream msgStream,
MessageProp msgProp) throws GSSException;
void verifyMIC(InputStream tokStream, InputStream msgStream,
MessageProp msgProp) throws GSSException;
/**
* Exports this context so that another process may
* import it.. Provided to support the sharing of work between
* import it. Provided to support the sharing of work between
* multiple processes. This routine will typically be used by the
* context-acceptor, in an application where a single process receives
* incoming connection requests and accepts security contexts over
@ -941,7 +941,7 @@ public interface GSSContext {
* to either avoid placing such sensitive information within
* interprocess tokens, or to encrypt the token before returning it to
* the application, in a typical GSS-API implementation this may not be
* possible. Thus the application must take care to protect the
* possible. Thus, the application must take care to protect the
* interprocess token, and ensure that any process to which the token
* is transferred is trustworthy. <p>
*
@ -965,12 +965,12 @@ public interface GSSContext {
* {@link GSSException#NO_CONTEXT GSSException.NO_CONTEXT},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte [] export() throws GSSException;
byte [] export() throws GSSException;
/**
* Requests that mutual authentication be done during
* context establishment. This request can only be made on the context
* initiator's side and it has to be done prior to the first call to
* initiator's side, and it has to be done prior to the first call to
* <code>initSecContext</code>.<p>
*
* Not all mechanisms support mutual authentication and some mechanisms
@ -987,12 +987,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestMutualAuth(boolean state) throws GSSException;
void requestMutualAuth(boolean state) throws GSSException;
/**
* Requests that replay detection be enabled for the
* per-message security services after context establishment. This
* request can only be made on the context initiator's side and it has
* request can only be made on the context initiator's side, and it has
* to be done prior to the first call to
* <code>initSecContext</code>. During context establishment replay
* detection is not an option and is a function of the underlying
@ -1017,12 +1017,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestReplayDet(boolean state) throws GSSException;
void requestReplayDet(boolean state) throws GSSException;
/**
* Requests that sequence checking be enabled for the
* per-message security services after context establishment. This
* request can only be made on the context initiator's side and it has
* request can only be made on the context initiator's side, and it has
* to be done prior to the first call to
* <code>initSecContext</code>. During context establishment sequence
* checking is not an option and is a function of the underlying
@ -1049,12 +1049,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestSequenceDet(boolean state) throws GSSException;
void requestSequenceDet(boolean state) throws GSSException;
/**
* Requests that the initiator's credentials be
* delegated to the acceptor during context establishment. This
* request can only be made on the context initiator's side and it has
* request can only be made on the context initiator's side, and it has
* to be done prior to the first call to
* <code>initSecContext</code>.
*
@ -1075,12 +1075,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestCredDeleg(boolean state) throws GSSException;
void requestCredDeleg(boolean state) throws GSSException;
/**
* Requests that the initiator's identity not be
* disclosed to the acceptor. This request can only be made on the
* context initiator's side and it has to be done prior to the first
* context initiator's side, and it has to be done prior to the first
* call to <code>initSecContext</code>.
*
* Not all mechanisms support anonymity for the initiator. Therefore, the
@ -1095,12 +1095,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestAnonymity(boolean state) throws GSSException;
void requestAnonymity(boolean state) throws GSSException;
/**
* Requests that data confidentiality be enabled
* for the <code>wrap</code> method. This request can only be made on
* the context initiator's side and it has to be done prior to the
* the context initiator's side, and it has to be done prior to the
* first call to <code>initSecContext</code>.
*
* Not all mechanisms support confidentiality and other mechanisms
@ -1125,12 +1125,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestConf(boolean state) throws GSSException;
void requestConf(boolean state) throws GSSException;
/**
* Requests that data integrity be enabled
* for the <code>wrap</code> and <code>getMIC</code>methods. This
* request can only be made on the context initiator's side and it has
* request can only be made on the context initiator's side, and it has
* to be done prior to the first call to <code>initSecContext</code>.
*
* Not all mechanisms support integrity and other mechanisms
@ -1149,12 +1149,12 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestInteg(boolean state) throws GSSException;
void requestInteg(boolean state) throws GSSException;
/**
* Requests a lifetime in seconds for the
* context. This method can only be called on the context initiator's
* side and it has to be done prior to the first call to
* side, and it has to be done prior to the first call to
* <code>initSecContext</code>.<p>
*
* The actual lifetime of the context will depend on the capabilities of
@ -1170,7 +1170,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void requestLifetime(int lifetime) throws GSSException;
void requestLifetime(int lifetime) throws GSSException;
/**
* Sets the channel bindings to be used during context
@ -1187,7 +1187,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void setChannelBinding(ChannelBinding cb) throws GSSException;
void setChannelBinding(ChannelBinding cb) throws GSSException;
/**
* Determines if credential delegation is enabled on
@ -1202,7 +1202,7 @@ public interface GSSContext {
* @return true if delegation is enabled, false otherwise.
* @see #requestCredDeleg(boolean)
*/
public boolean getCredDelegState();
boolean getCredDelegState();
/**
* Determines if mutual authentication is enabled on
@ -1216,7 +1216,7 @@ public interface GSSContext {
* @return true if mutual authentication is enabled, false otherwise.
* @see #requestMutualAuth(boolean)
*/
public boolean getMutualAuthState();
boolean getMutualAuthState();
/**
* Determines if replay detection is enabled for the
@ -1230,7 +1230,7 @@ public interface GSSContext {
* @return true if replay detection is enabled, false otherwise.
* @see #requestReplayDet(boolean)
*/
public boolean getReplayDetState();
boolean getReplayDetState();
/**
* Determines if sequence checking is enabled for the
@ -1244,7 +1244,7 @@ public interface GSSContext {
* @return true if sequence checking is enabled, false otherwise.
* @see #requestSequenceDet(boolean)
*/
public boolean getSequenceDetState();
boolean getSequenceDetState();
/**
* Determines if the context initiator is
@ -1265,7 +1265,7 @@ public interface GSSContext {
* otherwise.
* @see #requestAnonymity(boolean)
*/
public boolean getAnonymityState();
boolean getAnonymityState();
/**
* Determines if the context is transferable to other processes
@ -1278,7 +1278,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public boolean isTransferable() throws GSSException;
boolean isTransferable() throws GSSException;
/**
* Determines if the context is ready for per message operations to be
@ -1290,7 +1290,7 @@ public interface GSSContext {
* this context at the current stage of context establishment, false
* otherwise.
*/
public boolean isProtReady();
boolean isProtReady();
/**
* Determines if data confidentiality is available
@ -1305,7 +1305,7 @@ public interface GSSContext {
* otherwise.
* @see #requestConf(boolean)
*/
public boolean getConfState();
boolean getConfState();
/**
* Determines if data integrity is available
@ -1319,7 +1319,7 @@ public interface GSSContext {
* @return true if integrity services are available, false otherwise.
* @see #requestInteg(boolean)
*/
public boolean getIntegState();
boolean getIntegState();
/**
* Determines what the remaining lifetime for this
@ -1331,7 +1331,7 @@ public interface GSSContext {
* @return the remaining lifetime in seconds
* @see #requestLifetime(int)
*/
public int getLifetime();
int getLifetime();
/**
* Returns the name of the context initiator. This call is valid only
@ -1346,7 +1346,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public GSSName getSrcName() throws GSSException;
GSSName getSrcName() throws GSSException;
/**
* Returns the name of the context acceptor. This call is valid only
@ -1360,7 +1360,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public GSSName getTargName() throws GSSException;
GSSName getTargName() throws GSSException;
/**
* Determines what mechanism is being used for this
@ -1374,7 +1374,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public Oid getMech() throws GSSException;
Oid getMech() throws GSSException;
/**
* Obtains the credentials delegated by the context
@ -1392,7 +1392,7 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public GSSCredential getDelegCred() throws GSSException;
GSSCredential getDelegCred() throws GSSException;
/**
* Determines if this is the context initiator. This
@ -1406,5 +1406,5 @@ public interface GSSContext {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public boolean isInitiator() throws GSSException;
boolean isInitiator() throws GSSException;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -98,7 +98,7 @@ public interface GSSCredential extends Cloneable{
* for both context initiation and acceptance.
*
*/
public static final int INITIATE_AND_ACCEPT = 0;
int INITIATE_AND_ACCEPT = 0;
/**
@ -106,7 +106,7 @@ public interface GSSCredential extends Cloneable{
* for context initiation only.
*
*/
public static final int INITIATE_ONLY = 1;
int INITIATE_ONLY = 1;
/**
@ -114,21 +114,21 @@ public interface GSSCredential extends Cloneable{
* for context acceptance only.
*
*/
public static final int ACCEPT_ONLY = 2;
int ACCEPT_ONLY = 2;
/**
* A lifetime constant representing the default credential lifetime. This
* value it set to 0.
*/
public static final int DEFAULT_LIFETIME = 0;
int DEFAULT_LIFETIME = 0;
/**
* A lifetime constant representing indefinite credential lifetime.
* This value must is set to the maximum integer value in Java -
* {@link java.lang.Integer#MAX_VALUE Integer.MAX_VALUE}.
*/
public static final int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
/**
* Releases any sensitive information that the GSSCredential object may
@ -140,7 +140,7 @@ public interface GSSCredential extends Cloneable{
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void dispose() throws GSSException;
void dispose() throws GSSException;
/**
* Retrieves the name of the entity that the credential asserts.
@ -151,7 +151,7 @@ public interface GSSCredential extends Cloneable{
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public GSSName getName() throws GSSException;
GSSName getName() throws GSSException;
/**
* Retrieves a Mechanism Name of the entity that the credential
@ -169,11 +169,11 @@ public interface GSSCredential extends Cloneable{
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public GSSName getName(Oid mech) throws GSSException;
GSSName getName(Oid mech) throws GSSException;
/**
* Returns the remaining lifetime in seconds for a credential. The
* remaining lifetime is the minimum lifetime amongst all of the underlying
* remaining lifetime is the minimum lifetime amongst all the underlying
* mechanism specific credential elements.
*
* @return the minimum remaining lifetime in seconds for this
@ -189,7 +189,7 @@ public interface GSSCredential extends Cloneable{
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public int getRemainingLifetime() throws GSSException;
int getRemainingLifetime() throws GSSException;
/**
* Returns the lifetime in seconds for the credential to remain capable
@ -211,7 +211,7 @@ public interface GSSCredential extends Cloneable{
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public int getRemainingInitLifetime(Oid mech) throws GSSException;
int getRemainingInitLifetime(Oid mech) throws GSSException;
/**
* Returns the lifetime in seconds for the credential to remain capable
@ -233,7 +233,7 @@ public interface GSSCredential extends Cloneable{
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public int getRemainingAcceptLifetime(Oid mech) throws GSSException;
int getRemainingAcceptLifetime(Oid mech) throws GSSException;
/**
* Returns the credential usage mode. In other words, it
@ -250,7 +250,7 @@ public interface GSSCredential extends Cloneable{
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public int getUsage() throws GSSException;
int getUsage() throws GSSException;
/**
* Returns the credential usage mode for a specific mechanism. In other
@ -269,7 +269,7 @@ public interface GSSCredential extends Cloneable{
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public int getUsage(Oid mech) throws GSSException;
int getUsage(Oid mech) throws GSSException;
/**
* Returns a list of mechanisms supported by this credential. It does
@ -285,7 +285,7 @@ public interface GSSCredential extends Cloneable{
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public Oid[] getMechs() throws GSSException;
Oid[] getMechs() throws GSSException;
/**
* Adds a mechanism specific credential-element to an existing
@ -346,8 +346,8 @@ public interface GSSCredential extends Cloneable{
* GSSException.CREDENTIALS_EXPIRED},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public void add(GSSName name, int initLifetime, int acceptLifetime,
Oid mech, int usage) throws GSSException;
void add(GSSName name, int initLifetime, int acceptLifetime,
Oid mech, int usage) throws GSSException;
/**
* Tests if this GSSCredential asserts the same entity as the supplied
@ -358,13 +358,13 @@ public interface GSSCredential extends Cloneable{
* entity; {@code false} otherwise.
* @param another another GSSCredential for comparison to this one
*/
public boolean equals(Object another);
boolean equals(Object another);
/**
* Returns a hashcode value for this GSSCredential.
*
* @return a hashCode value
*/
public int hashCode();
int hashCode();
}
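Review bot: The Javadoc on `DEFAULT_LIFETIME` and `INDEFINITE_LIFETIME` still reads "This value it set to 0" and "This value must is set to the maximum integer value", although this section corrects other wording in the same file. Since both constants are touched here anyway, the comments could become `This value is set to 0.` and `This value is set to the maximum integer value in Java -`. No code change is involved.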

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,9 @@
package org.ietf.jgss;
import java.io.Serial;
import java.util.Objects;
/**
* This exception is thrown whenever a GSS-API error occurs, including
* any mechanism specific error. It may contain both the major and the
@ -41,6 +44,7 @@ package org.ietf.jgss;
*/
public class GSSException extends Exception {
@Serial
private static final long serialVersionUID = -2706218945227726672L;
/**
@ -175,7 +179,7 @@ public class GSSException extends Exception {
public static final int GAP_TOKEN = 22;
private static String[] messages = {
private static final String[] messages = {
"Channel binding mismatch", // BAD_BINDINGS
"Unsupported mechanism requested", // BAD_MECH
"Invalid name provided", // BAD_NAME
@ -206,7 +210,7 @@ public class GSSException extends Exception {
*
* @serial
*/
private int major;
private final int major;
/**
* The minor code for this exception
@ -233,7 +237,7 @@ public class GSSException extends Exception {
/**
* Creates a GSSException object with a specified major code.
*
* @param majorCode the The GSS error code for the problem causing this
* @param majorCode the GSS error code for the problem causing this
* exception to be thrown.
*/
public GSSException (int majorCode) {
@ -326,10 +330,7 @@ public class GSSException extends Exception {
*/
public String getMajorString() {
if (majorString != null)
return majorString;
else
return messages[major - 1];
return Objects.requireNonNullElseGet(majorString, () -> messages[major - 1]);
}
@ -395,9 +396,6 @@ public class GSSException extends Exception {
*/
private boolean validateMajor(int major) {
if (major > 0 && major <= messages.length)
return (true);
return (false);
return major > 0 && major <= messages.length;
}
}
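Review bot: In `getMajorString`, `Objects.requireNonNullElseGet(majorString, () -> messages[major - 1])` replaces a plain two-branch return with a capturing lambda, and it would throw `NullPointerException` if the table entry were ever null, which the old code did not. A conditional expression keeps the original behaviour and reads more directly: `return majorString != null ? majorString : messages[major - 1];`. The new `java.util.Objects` import may then be unnecessary, but the rest of the class is outside these hunks, so that needs checking.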

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -276,7 +276,7 @@ public abstract class GSSManager {
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public abstract GSSName createName(byte name[], Oid nameType)
public abstract GSSName createName(byte[] name, Oid nameType)
throws GSSException;
/**
@ -339,7 +339,7 @@ public abstract class GSSManager {
* {@link GSSException#BAD_MECH GSSException.BAD_MECH},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public abstract GSSName createName(byte name[], Oid nameType, Oid mech)
public abstract GSSName createName(byte[] name, Oid nameType, Oid mech)
throws GSSException;
/**
@ -482,7 +482,7 @@ public abstract class GSSManager {
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public abstract GSSCredential createCredential(GSSName name,
int lifetime, Oid mechs[], int usage)
int lifetime, Oid[] mechs, int usage)
throws GSSException;
/**
@ -674,7 +674,7 @@ public abstract class GSSManager {
*
* Calling this method repeatedly preserves the older settings but
* raises them above newer ones in preference thus forming an ordered
* list of providers and Oid pairs that grows at the bottom. Thus the
* list of providers and Oid pairs that grows at the bottom. Thus, the
* older provider settings will be utilized first before this one is.<p>
*
* If there are any previously existing preferences that conflict with

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -115,7 +115,7 @@ public interface GSSName {
* States(840) mit(113554) infosys(1) gssapi(2) generic(1) service_name(4)
* }</code>
*/
public static final Oid NT_HOSTBASED_SERVICE
Oid NT_HOSTBASED_SERVICE
= Oid.getInstance("1.2.840.113554.1.2.1.4");
/**
@ -125,7 +125,7 @@ public interface GSSName {
* States(840) mit(113554) infosys(1) gssapi(2) generic(1) user_name(1)
* }</code>
*/
public static final Oid NT_USER_NAME
Oid NT_USER_NAME
= Oid.getInstance("1.2.840.113554.1.2.1.1");
/**
@ -136,7 +136,7 @@ public interface GSSName {
* <code>{ iso(1) member-body(2) United States(840) mit(113554)
* infosys(1) gssapi(2) generic(1) machine_uid_name(2) }</code>
*/
public static final Oid NT_MACHINE_UID_NAME
Oid NT_MACHINE_UID_NAME
= Oid.getInstance("1.2.840.113554.1.2.1.2");
/**
@ -148,7 +148,7 @@ public interface GSSName {
* States(840) mit(113554) infosys(1) gssapi(2) generic(1)
* string_uid_name(3) }</code>
*/
public static final Oid NT_STRING_UID_NAME
Oid NT_STRING_UID_NAME
= Oid.getInstance("1.2.840.113554.1.2.1.3");
/**
@ -157,7 +157,7 @@ public interface GSSName {
* <code>{ 1(iso), 3(org), 6(dod), 1(internet),
* 5(security), 6(nametypes), 3(gss-anonymous-name) }</code>
*/
public static final Oid NT_ANONYMOUS
Oid NT_ANONYMOUS
= Oid.getInstance("1.3.6.1.5.6.3");
/**
@ -168,7 +168,7 @@ public interface GSSName {
* 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
* 4(gss-api-exported-name) }</code>
*/
public static final Oid NT_EXPORT_NAME
Oid NT_EXPORT_NAME
= Oid.getInstance("1.3.6.1.5.6.4");
/**
@ -185,7 +185,7 @@ public interface GSSName {
* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public boolean equals(GSSName another) throws GSSException;
boolean equals(GSSName another) throws GSSException;
/**
* Compares this <code>GSSName</code> object to another Object that might be a
@ -198,14 +198,14 @@ public interface GSSName {
* @param another the object to compare this name to
* @see #equals(GSSName)
*/
public boolean equals(Object another);
boolean equals(Object another);
/**
* Returns a hashcode value for this GSSName.
*
* @return a hashCode value
*/
public int hashCode();
int hashCode();
/**
* Creates a name that is canonicalized for some
@ -224,7 +224,7 @@ public interface GSSName {
* {@link GSSException#BAD_NAME GSSException.BAD_NAME},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public GSSName canonicalize(Oid mech) throws GSSException;
GSSName canonicalize(Oid mech) throws GSSException;
/**
* Returns a canonical contiguous byte representation of a mechanism name
@ -259,7 +259,7 @@ public interface GSSName {
* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public byte[] export() throws GSSException;
byte[] export() throws GSSException;
/**
* Returns a textual representation of the <code>GSSName</code> object. To retrieve
@ -269,7 +269,7 @@ public interface GSSName {
*
* @return a String representing this name in printable form.
*/
public String toString();
String toString();
/**
* Returns the name type of the printable
@ -283,14 +283,14 @@ public interface GSSName {
* major error codes:
* {@link GSSException#FAILURE GSSException.FAILURE}
*/
public Oid getStringNameType() throws GSSException;
Oid getStringNameType() throws GSSException;
/**
* Tests if this name object represents an anonymous entity.
*
* @return true if this is an anonymous name, false otherwise.
*/
public boolean isAnonymous();
boolean isAnonymous();
/**
* Tests if this name object represents a Mechanism Name (MN). An MN is
@ -299,6 +299,6 @@ public interface GSSName {
*
* @return true if this is an MN, false otherwise.
*/
public boolean isMN();
boolean isMN();
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -50,7 +50,7 @@ import sun.security.util.ObjectIdentifier;
*/
public class Oid {
private ObjectIdentifier oid;
private final ObjectIdentifier oid;
private byte[] derEncoding;
/**
@ -100,7 +100,7 @@ public class Oid {
* Creates an Oid object from its ASN.1 DER encoding. This refers to
* the full encoding including tag and length. The structure and
* encoding of Oids is defined in ISOIEC-8824 and ISOIEC-8825. This
* method is identical in functionality to its InputStream conterpart.
* method is identical in functionality to its InputStream counterpart.
*
* @param data byte array containing the DER encoded oid
* @exception GSSException may be thrown when the DER encoding does not

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -65,7 +65,7 @@
* mechanism will search for the required INITIATE and ACCEPT credentials
* ({@link javax.security.auth.kerberos.KerberosTicket KerberosTicket} and
* {@link javax.security.auth.kerberos.KerberosKey KerberosKey}) in
* the private credential set where as some other mechanism might look
* the private credential set whereas some other mechanism might look
* in the public set or in both. If the desired credential is not
* present in the appropriate sets of the current Subject, the GSS-API
* call must fail.<p>

@ -36,7 +36,7 @@ public sealed class GSSCaller permits HttpCaller {
public static final GSSCaller CALLER_INITIATE = new GSSCaller("INITIATE");
public static final GSSCaller CALLER_ACCEPT = new GSSCaller("ACCEPT");
private String name;
private final String name;
GSSCaller(String s) {
name = s;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -145,7 +145,7 @@ public class GSSContextImpl implements GSSContext {
public GSSContextImpl(GSSManagerImpl gssManager, GSSName peer, Oid mech,
GSSCredential myCred, int lifetime)
throws GSSException {
if ((peer == null) || !(peer instanceof GSSNameImpl)) {
if (!(peer instanceof GSSNameImpl)) {
throw new GSSException(GSSException.BAD_NAME);
}
if (mech == null) mech = ProviderList.DEFAULT_MECH_OID;
@ -182,7 +182,7 @@ public class GSSContextImpl implements GSSContext {
this.mechOid = mechCtxt.getMech();
}
public byte[] initSecContext(byte inputBuf[], int offset, int len)
public byte[] initSecContext(byte[] inputBuf, int offset, int len)
throws GSSException {
/*
* Size of ByteArrayOutputStream will double each time that extra
@ -206,7 +206,7 @@ public class GSSContextImpl implements GSSContext {
"Illegal call to initSecContext");
}
GSSHeader gssHeader = null;
GSSHeader gssHeader;
int inTokenLen = -1;
GSSCredentialSpi credElement = null;
boolean firstToken = false;
@ -292,7 +292,7 @@ public class GSSContextImpl implements GSSContext {
}
}
public byte[] acceptSecContext(byte inTok[], int offset, int len)
public byte[] acceptSecContext(byte[] inTok, int offset, int len)
throws GSSException {
/*
@ -315,7 +315,7 @@ public class GSSContextImpl implements GSSContext {
"Illegal call to acceptSecContext");
}
GSSHeader gssHeader = null;
GSSHeader gssHeader;
int inTokenLen = -1;
GSSCredentialSpi credElement = null;
@ -361,14 +361,13 @@ public class GSSContextImpl implements GSSContext {
byte[] obuf = mechCtxt.acceptSecContext(inStream, inTokenLen);
if (obuf != null) {
int retVal = obuf.length;
if (mechCtxt.getProvider().getName().equals("SunNativeGSS") ||
(GSSUtil.isSpNegoMech(mechOid))) {
// do not add GSS header for native provider and SPNEGO
} else {
// add GSS header
gssHeader = new GSSHeader(objId, obuf.length);
retVal += gssHeader.encode(outStream);
gssHeader.encode(outStream);
}
outStream.write(obuf);
}
@ -398,7 +397,7 @@ public class GSSContextImpl implements GSSContext {
"No mechanism context yet!");
}
public byte[] wrap(byte inBuf[], int offset, int len,
public byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException {
if (mechCtxt != null)
return mechCtxt.wrap(inBuf, offset, len, msgProp);
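Review bot: The `acceptSecContext` hunk keeps an `if` branch whose body is only the comment `// do not add GSS header for native provider and SPNEGO`, with the real work in the `else`. Since the unused `retVal` is removed here anyway, the condition could be inverted so the header is written in the `if` branch: `if (!mechCtxt.getProvider().getName().equals("SunNativeGSS") && !GSSUtil.isSpNegoMech(mechOid)) {`, with the comment moved above it. The method body starts and ends outside the hunk.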

@ -172,8 +172,8 @@ public class GSSCredentialImpl implements GSSCredential {
"no longer valid");
}
SearchKey key = null;
GSSCredentialSpi element = null;
SearchKey key;
GSSCredentialSpi element;
if (mech == null) mech = ProviderList.DEFAULT_MECH_OID;
@ -213,7 +213,7 @@ public class GSSCredentialImpl implements GSSCredential {
SearchKey tempKey;
GSSCredentialSpi tempCred;
int tempLife = 0, tempInitLife = 0, tempAcceptLife = 0;
int tempLife, tempInitLife, tempAcceptLife;
int min = INDEFINITE_LIFETIME;
for (Enumeration<SearchKey> e = hashtable.keys();
@ -227,9 +227,7 @@ public class GSSCredentialImpl implements GSSCredential {
else {
tempInitLife = tempCred.getInitLifetime();
tempAcceptLife = tempCred.getAcceptLifetime();
tempLife = (tempInitLife < tempAcceptLife ?
tempInitLife:
tempAcceptLife);
tempLife = (Math.min(tempInitLife, tempAcceptLife));
}
if (min > tempLife)
min = tempLife;
@ -245,8 +243,8 @@ public class GSSCredentialImpl implements GSSCredential {
"no longer valid");
}
GSSCredentialSpi element = null;
SearchKey key = null;
GSSCredentialSpi element;
SearchKey key;
boolean found = false;
int max = 0;
@ -285,8 +283,8 @@ public class GSSCredentialImpl implements GSSCredential {
"no longer valid");
}
GSSCredentialSpi element = null;
SearchKey key = null;
GSSCredentialSpi element;
SearchKey key;
boolean found = false;
int max = 0;
@ -361,8 +359,8 @@ public class GSSCredentialImpl implements GSSCredential {
"no longer valid");
}
GSSCredentialSpi element = null;
SearchKey key = null;
GSSCredentialSpi element;
SearchKey key;
boolean initiate = false;
boolean accept = false;
@ -618,7 +616,7 @@ public class GSSCredentialImpl implements GSSCredential {
Set<GSSCredentialSpi> getElements() {
HashSet<GSSCredentialSpi> retVal =
new HashSet<GSSCredentialSpi>(hashtable.size());
new HashSet<>(hashtable.size());
Enumeration<GSSCredentialSpi> values = hashtable.elements();
while (values.hasMoreElements()) {
GSSCredentialSpi o = values.nextElement();
@ -649,7 +647,7 @@ public class GSSCredentialImpl implements GSSCredential {
"no longer valid");
}
GSSCredentialSpi element = null;
GSSCredentialSpi element;
StringBuilder sb = new StringBuilder("[GSSCredential: ");
Object[] elements = hashtable.entrySet().toArray();
for (int i = 0; i < elements.length; i++) {
@ -676,7 +674,7 @@ public class GSSCredentialImpl implements GSSCredential {
}
static class SearchKey {
private Oid mechOid = null;
private final Oid mechOid;
private int usage = GSSCredential.INITIATE_AND_ACCEPT;
public SearchKey(Oid mechOid, int usage) {
@ -690,9 +688,8 @@ public class GSSCredentialImpl implements GSSCredential {
return usage;
}
public boolean equals(Object other) {
if (! (other instanceof SearchKey))
if (! (other instanceof SearchKey that))
return false;
SearchKey that = (SearchKey) other;
return ((this.mechOid.equals(that.mechOid)) &&
(this.usage == that.usage));
}
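Review bot: `tempLife = (Math.min(tempInitLife, tempAcceptLife));` keeps the parentheses that wrapped the old conditional expression; they are now redundant, and the line can be `tempLife = Math.min(tempInitLife, tempAcceptLife);`. In `SearchKey`, `mechOid` became `final` while `usage` stays non-final with an initializer. If the constructor always assigns `usage` (its body is outside the hunk), `private final int usage;` would match.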

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,6 +27,8 @@ package sun.security.jgss;
import org.ietf.jgss.*;
import java.io.Serial;
/**
* This class helps overcome a limitation of the org.ietf.jgss.GSSException
* class that does not allow the thrower to set a string corresponding to
@ -34,6 +36,7 @@ import org.ietf.jgss.*;
*/
public class GSSExceptionImpl extends GSSException {
@Serial
private static final long serialVersionUID = 4251197939069005575L;
private String majorMessage;

@ -52,9 +52,9 @@ import sun.security.util.*;
public class GSSHeader {
private ObjectIdentifier mechOid = null;
private byte[] mechOidBytes = null;
private int mechTokenLength = 0;
private final ObjectIdentifier mechOid;
private final byte[] mechOidBytes;
private final int mechTokenLength;
/**
* The tag defined in the GSS-API mechanism independent token
@ -80,7 +80,7 @@ public class GSSHeader {
}
/**
* Reads in a GSSHeader from an InputStream. Typically this would be
* Reads in a GSSHeader from an InputStream. Typically, this would be
* used as part of reading the complete token from an InputStream
* that is obtained from a socket.
*/
@ -159,7 +159,7 @@ public class GSSHeader {
DerOutputStream temp = new DerOutputStream();
temp.putOID(mechOid);
mechOidBytesSize = temp.toByteArray().length;
} catch (IOException e) {
} catch (IOException ignored) {
}
// Subtract bytes needed for 0x60 tag and mechOidBytes
@ -196,7 +196,7 @@ public class GSSHeader {
* the length field of the GSSHeader.
*/
private int getLenFieldSize(int len) {
int retVal = 1;
int retVal;
if (len < 128) {
retVal=1;
} else if (len < (1 << 8)) {
@ -261,10 +261,9 @@ public class GSSHeader {
*/
if (tmp == 0)
return -1;
if (tmp < 0 || tmp > 4)
if (tmp > 4)
throw new IOException("DerInputStream.getLength(): lengthTag="
+ tmp + ", "
+ ((tmp < 0) ? "incorrect DER encoding." : "too big."));
+ tmp + ", too big.");
for (value = 0; tmp > 0; tmp --) {
value <<= 8;
@ -287,7 +286,7 @@ public class GSSHeader {
*/
// Shameless lifted from sun.security.util.DerOutputStream.
private int putLength(int len, OutputStream out) throws IOException {
int retVal = 0;
int retVal;
if (len < 128) {
out.write((byte)len);
retVal=1;
@ -333,7 +332,7 @@ public class GSSHeader {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < len; i++) {
int b1 = (bytes[i]>>4) & 0x0f;
int b1 = (bytes[i] >> 4) & 0x0f;
int b2 = bytes[i] & 0x0f;
sb.append(Integer.toHexString(b1));
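Review bot: The length check in the hunk at -261 now rejects only `tmp > 4`, and dropping `tmp < 0` is safe only if `tmp` was already reduced to a non-negative value earlier in the method, which the hunk does not show. This routine decodes a length field from token bytes read off a stream, so the reason the lower bound is unnecessary should be written next to the check. If the preceding lines do mask the value, a comment such as `// tmp is masked to 0..127 above, so only the upper bound can fail` would do. The method starts above the hunk and continues below it.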

@ -40,7 +40,7 @@ public class GSSManagerImpl extends GSSManager {
private static final Boolean USE_NATIVE = GetBooleanAction
.privilegedGetProperty("sun.security.jgss.native");
private ProviderList list;
private final ProviderList list;
// Used by java SPNEGO impl to make sure native is disabled
public GSSManagerImpl(GSSCaller caller, boolean useNative) {
@ -76,7 +76,7 @@ public class GSSManagerImpl extends GSSManager {
nameType = GSSName.NT_HOSTBASED_SERVICE;
}
// Iterate thru all mechs in GSS
// Iterate through all mechs in GSS
for (int i = 0; i < mechs.length; i++) {
// what nametypes does this mech support?
Oid mech = mechs[i];
@ -98,8 +98,7 @@ public class GSSManagerImpl extends GSSManager {
// Trim the list if needed
if (pos < retVal.length) {
Oid[] temp = new Oid[pos];
for (int i = 0; i < pos; i++)
temp[i] = retVal[i];
System.arraycopy(retVal, 0, temp, 0, pos);
retVal = temp;
}
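Review bot: The trim step still allocates `temp`, copies into it and reassigns, which is three lines for what `Arrays.copyOf` does in one: `retVal = Arrays.copyOf(retVal, pos);`. That needs `java.util.Arrays` in scope, and the import block is not part of these hunks. The enclosing method starts and ends outside the hunk.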

@ -54,7 +54,7 @@ import static java.nio.charset.StandardCharsets.UTF_8;
* mechanisms are required to be handed out. (Generally, other GSS
* classes like GSSContext and GSSCredential request specific
* elements depending on the mechanisms that they are dealing with.)
* Assume that getting a mechanism to parse the applciation specified
* Assume that getting a mechanism to parse the application specified
* bytes is an expensive call.
*
* When a GSSName is canonicalized wrt some mechanism, it is supposed
@ -225,7 +225,7 @@ public final class GSSNameImpl implements GSSName {
throws GSSException {
int pos = 0;
byte[] bytes = null;
byte[] bytes;
if (appName instanceof String) {
bytes = ((String) appName).getBytes(UTF_8);
@ -240,7 +240,7 @@ public final class GSSNameImpl implements GSSName {
int oidLen = (((0xFF & bytes[pos++]) << 8) |
(0xFF & bytes[pos++]));
ObjectIdentifier temp = null;
ObjectIdentifier temp;
try {
DerInputStream din = new DerInputStream(bytes, pos,
oidLen);
@ -285,7 +285,7 @@ public final class GSSNameImpl implements GSSName {
if (other == this)
return true;
if (! (other instanceof GSSNameImpl))
if (! (other instanceof GSSNameImpl that))
return equals(gssManager.createName(other.toString(),
other.getStringNameType()));
@ -294,8 +294,6 @@ public final class GSSNameImpl implements GSSName {
* available. If that fails, then proceed with this test.
*/
GSSNameImpl that = (GSSNameImpl) other;
GSSNameSpi myElement = this.mechElement;
GSSNameSpi element = that.mechElement;
@ -399,8 +397,8 @@ public final class GSSNameImpl implements GSSName {
}
byte[] mechPortion = mechElement.export();
byte[] oidBytes = null;
ObjectIdentifier oid = null;
byte[] oidBytes;
ObjectIdentifier oid;
try {
oid = ObjectIdentifier.of

@ -25,11 +25,10 @@
package sun.security.jgss;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;
import java.io.EOFException;
import sun.security.util.*;
/**
* Utilities for processing GSS Tokens.
@ -70,7 +69,7 @@ public abstract class GSSToken {
}
public static final void writeBigEndian(int value, byte[] array,
int pos) {
int pos) {
array[pos++] = (byte)((value>>>24));
array[pos++] = (byte)((value>>>16));
array[pos++] = (byte)((value>>>8));
@ -153,7 +152,7 @@ public abstract class GSSToken {
/**
* Reads a two byte integer value from a byte array.
*
* @param src the byte arra to read from
* @param src the byte array to read from
* @param pos the offset to start reading from
* @return the integer value
*/
@ -203,11 +202,11 @@ public abstract class GSSToken {
}
}
public static final String getHexBytes(byte[] bytes) {
public static final String getHexBytes(byte[] bytes) {
return getHexBytes(bytes, 0, bytes.length);
}
public static final String getHexBytes(byte[] bytes, int len) {
public static final String getHexBytes(byte[] bytes, int len) {
return getHexBytes(bytes, 0, len);
}

@ -118,13 +118,13 @@ public class GSSUtil {
public static Subject getSubject(GSSName name,
GSSCredential creds) {
HashSet<Object> privCredentials = null;
HashSet<Object> pubCredentials = new HashSet<Object>(); // empty Set
HashSet<Object> privCredentials;
HashSet<Object> pubCredentials = new HashSet<>(); // empty Set
Set<GSSCredentialSpi> gssCredentials = null;
Set<GSSCredentialSpi> gssCredentials;
Set<KerberosPrincipal> krb5Principals =
new HashSet<KerberosPrincipal>();
new HashSet<>();
if (name instanceof GSSNameImpl) {
try {
@ -146,10 +146,10 @@ public class GSSUtil {
if (creds instanceof GSSCredentialImpl) {
gssCredentials = ((GSSCredentialImpl) creds).getElements();
privCredentials = new HashSet<Object>(gssCredentials.size());
privCredentials = new HashSet<>(gssCredentials.size());
populateCredentials(privCredentials, gssCredentials);
} else {
privCredentials = new HashSet<Object>(); // empty Set
privCredentials = new HashSet<>(); // empty Set
}
if (DEBUG) {
debug("Created Subject with the following");
@ -233,7 +233,7 @@ public class GSSUtil {
*/
public static Subject login(GSSCaller caller, Oid mech) throws LoginException {
CallbackHandler cb = null;
CallbackHandler cb;
if (caller instanceof HttpCaller) {
cb = new sun.net.www.protocol.http.spnego.NegotiateCallbackHandler(
((HttpCaller)caller).info());
@ -259,7 +259,7 @@ public class GSSUtil {
/**
* Determines if the application doesn't mind if the mechanism obtains
* the required credentials from outside of the current Subject. Our
* the required credentials from outside the current Subject. Our
* Kerberos v5 mechanism would do a JAAS login on behalf of the
* application if this were the case.
*
@ -324,46 +324,44 @@ public class GSSUtil {
@SuppressWarnings("removal")
Vector<T> creds =
AccessController.doPrivilegedWithCombiner
(new PrivilegedExceptionAction<Vector<T>>() {
public Vector<T> run() throws Exception {
Subject currSubj = Subject.current();
Vector<T> result = null;
if (currSubj != null) {
result = new Vector<T>();
Iterator<GSSCredentialImpl> iterator =
currSubj.getPrivateCredentials
(GSSCredentialImpl.class).iterator();
while (iterator.hasNext()) {
GSSCredentialImpl cred = iterator.next();
((PrivilegedExceptionAction<Vector<T>>) () -> {
Subject currSubj = Subject.current();
Vector<T> result = null;
if (currSubj != null) {
result = new Vector<>();
Iterator<GSSCredentialImpl> iterator =
currSubj.getPrivateCredentials
(GSSCredentialImpl.class).iterator();
while (iterator.hasNext()) {
GSSCredentialImpl cred = iterator.next();
if (DEBUG) {
debug("...Found cred" + cred);
}
try {
GSSCredentialSpi ce =
cred.getElement(mech, initiate);
if (DEBUG) {
debug("...Found cred" + cred);
debug("......Found element: " + ce);
}
try {
GSSCredentialSpi ce =
cred.getElement(mech, initiate);
if (ce.getClass().equals(credCls) &&
(name == null ||
name.equals((Object) ce.getName()))) {
result.add(credCls.cast(ce));
} else {
if (DEBUG) {
debug("......Found element: " + ce);
}
if (ce.getClass().equals(credCls) &&
(name == null ||
name.equals((Object) ce.getName()))) {
result.add(credCls.cast(ce));
} else {
if (DEBUG) {
debug("......Discard element");
}
}
} catch (GSSException ge) {
if (DEBUG) {
debug("...Discard cred (" + ge + ")");
debug("......Discard element");
}
}
} catch (GSSException ge) {
if (DEBUG) {
debug("...Discard cred (" + ge + ")");
}
}
} else if (DEBUG) {
debug("No Subject");
}
return result;
} else if (DEBUG) {
debug("No Subject");
}
return result;
});
return creds;
} catch (PrivilegedActionException pae) {
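Review bot: In the new lambda passed to `doPrivilegedWithCombiner`, nothing visible can throw a checked exception, because the only `GSSException` source, `cred.getElement(mech, initiate)`, is caught inside the loop. The `(PrivilegedExceptionAction<Vector<T>>)` cast therefore looks stricter than needed. Casting to `PrivilegedAction<Vector<T>>` would let the trailing `catch (PrivilegedActionException pae)` go, assuming its body (outside this hunk) handles nothing else. If the exception-action overload is kept on purpose, a comment such as `// cast selects the PrivilegedExceptionAction overload` would explain it. The overload-selecting casts added in LoginConfigImpl, SunProvider and Krb5Context would benefit from the same one-line comment.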

@ -1,5 +1,5 @@
/*
* Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2014, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -31,7 +31,7 @@ import org.ietf.jgss.GSSCredential;
/**
* The extending point of basic JGSS-API.
* <p>
* If a module wants to extend basic JGSS-API classes, it should extends this
* If a module wants to extend basic JGSS-API classes, it should extend this
* class and register itself as "the extender" using the setExtender method.
* When various GSSManager.createXXX methods are called, they will call
* "the extender"'s wrap methods to create objects of extended types

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,7 @@
package sun.security.jgss;
import java.security.PrivilegedAction;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
@ -72,11 +73,7 @@ public class LoginConfigImpl extends Configuration {
throw new IllegalArgumentException(mech.toString() + " not supported");
}
config = java.security.AccessController.doPrivileged
(new java.security.PrivilegedAction <Configuration> () {
public Configuration run() {
return Configuration.getConfiguration();
}
});
((PrivilegedAction<Configuration>) Configuration::getConfiguration);
}
/**
@ -166,7 +163,7 @@ public class LoginConfigImpl extends Configuration {
* the system-wide Configuration object.
*/
private AppConfigurationEntry[] getDefaultConfigurationEntry() {
HashMap <String, String> options = new HashMap <String, String> (2);
HashMap <String, String> options = new HashMap<>(2);
if (mechName == null || mechName.equals("krb5")) {
if (isServerSide(caller)) {

@ -51,7 +51,7 @@ import sun.security.action.GetPropertyAction;
* mechanisms.) When it finds such an entry, the corresponding
* provider is approached for the mechanism's factory class.
* At instantiation time this list in initialized to contain those
* system wide providers that contain a property of the form
* system-wide providers that contain a property of the form
* "GssApiMechanism.x.y.z..." where "x.y.z..." is a numeric object
* identifier with numbers x, y, z, etc. Such a property is defined
* to map to that provider's implementation of the MechanismFactory
@ -73,9 +73,9 @@ import sun.security.action.GetPropertyAction;
* the system ones don't suffice.<p>
*
* If a mechanism's factory is being obtained from a provider as a
* result of encountering a entryof the form {@code <provider, oid>} where
* result of encountering an entry of the form {@code <provider, oid>} where
* oid is non-null, then the assumption is that the application added
* this entry and it wants this mechanism to be obtained from this
* this entry, and it wants this mechanism to be obtained from this
* provider. Thus is the provider does not actually contain the
* requested mechanism, an exception will be thrown. However, if the
* entry were of the form {@code <provider, null>}, then it is viewed more
@ -110,11 +110,11 @@ public final class ProviderList {
(defOid == null ? GSSUtil.GSS_KRB5_MECH_OID : defOid);
}
private ArrayList<PreferencesEntry> preferences =
new ArrayList<PreferencesEntry>(5);
private HashMap<PreferencesEntry, MechanismFactory> factories =
new HashMap<PreferencesEntry, MechanismFactory>(5);
private HashSet<Oid> mechs = new HashSet<Oid>(5);
private final ArrayList<PreferencesEntry> preferences =
new ArrayList<>(5);
private final HashMap<PreferencesEntry, MechanismFactory> factories =
new HashMap<>(5);
private final HashSet<Oid> mechs = new HashSet<>(5);
private final GSSCaller caller;
@ -186,8 +186,7 @@ public final class ProviderList {
if (mechOid == null) mechOid = ProviderList.DEFAULT_MECH_OID;
if (p == null) {
// Iterate thru all preferences to find right provider
String className;
// Iterate through all preferences to find right provider
PreferencesEntry entry;
Iterator<PreferencesEntry> list = preferences.iterator();
@ -200,7 +199,7 @@ public final class ProviderList {
} // end of while loop
throw new GSSExceptionImpl(GSSException.BAD_MECH, mechOid);
} else {
// Use the impl from the specified provider; return null if the
// Use the impl from the specified provider; return null if
// the mech is unsupported by the specified provider.
PreferencesEntry entry = new PreferencesEntry(p, mechOid);
return getMechFactory(entry, mechOid);
@ -396,7 +395,7 @@ public final class ProviderList {
}
/**
* Helper routine to go through all properties continued in a
* Helper routine to go through all properties contained in a
* provider and add its mechanisms to the list of supported
* mechanisms. If no default mechanism has been assigned so far,
* it sets the default MechanismFactory and Oid as well.
@ -440,9 +439,9 @@ public final class ProviderList {
* provider should be used for the mechanism. If the mechanism
* Oid is null, then it indicates that this preference holds for
* any mechanism.<p>
*
* <p>
* The ProviderList maintains an ordered list of
* PreferencesEntry's and iterates thru them as it tries to
* PreferencesEntry's and iterates through them as it tries to
* instantiate MechanismFactory's.
*/
private static final class PreferencesEntry {
@ -458,11 +457,10 @@ public final class ProviderList {
return true;
}
if (!(other instanceof PreferencesEntry)) {
if (!(other instanceof PreferencesEntry that)) {
return false;
}
PreferencesEntry that = (PreferencesEntry)other;
if (this.p.getName().equals(that.p.getName())) {
if (this.oid != null && that.oid != null) {
return this.oid.equals(that.oid);
@ -494,11 +492,10 @@ public final class ProviderList {
*/
boolean implies(Object other) {
if (other instanceof PreferencesEntry) {
PreferencesEntry temp = (PreferencesEntry) other;
if (other instanceof PreferencesEntry temp) {
return (equals(temp) ||
p.getName().equals(temp.p.getName()) &&
oid == null);
oid == null);
} else {
return false;
}
@ -517,6 +514,7 @@ public final class ProviderList {
* mechanism. The entry is applicable to the desired mech if
* it contains the same oid or if it contains a null oid
* indicating that it is applicable to all mechs.
*
* @param mechOid the desired mechanism
* @return true if the provider in this entry should be
* queried for this mechanism.
@ -527,12 +525,10 @@ public final class ProviderList {
// For debugging
public String toString() {
StringBuilder sb = new StringBuilder("<");
sb.append(p.getName());
sb.append(", ");
sb.append(oid);
sb.append(">");
return sb.toString();
return "<" + p.getName() +
", " +
oid +
">";
}
}
}
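Review bot: In `PreferencesEntry.implies`, the re-indented return `equals(temp) || p.getName().equals(temp.p.getName()) && oid == null` relies on `&&` binding tighter than `||`. This predicate decides whether a provider preference covers a mechanism, so explicit grouping would make the intent unmistakable: `return equals(temp) || (p.getName().equals(temp.p.getName()) && oid == null);`. The class-comment hunks also leave two typos beside the ones fixed: `this list in initialized` and `Thus is the provider does not`, which presumably mean `is initialized` and `Thus if the provider`.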

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,7 @@
package sun.security.jgss;
import java.io.Serial;
import java.security.Provider;
import java.security.AccessController;
import java.security.PrivilegedAction;
@ -59,6 +60,7 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
public final class SunProvider extends Provider {
@Serial
private static final long serialVersionUID = -238911724858694198L;
private static final String INFO = "Sun " +
@ -104,16 +106,14 @@ public final class SunProvider extends Provider {
super("SunJGSS", PROVIDER_VER, INFO);
final Provider p = this;
AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() {
putService(new ProviderService(p, "GssApiMechanism",
"1.2.840.113554.1.2.2",
"sun.security.jgss.krb5.Krb5MechFactory"));
putService(new ProviderService(p, "GssApiMechanism",
"1.3.6.1.5.5.2",
"sun.security.jgss.spnego.SpNegoMechFactory"));
return null;
}
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
putService(new ProviderService(p, "GssApiMechanism",
"1.2.840.113554.1.2.2",
"sun.security.jgss.krb5.Krb5MechFactory"));
putService(new ProviderService(p, "GssApiMechanism",
"1.3.6.1.5.5.2",
"sun.security.jgss.spnego.SpNegoMechFactory"));
return null;
});
}
}
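Review bot: With the anonymous class replaced by a lambda in the constructor, `this` inside the body already refers to the `SunProvider` instance, so the alias `final Provider p = this;` is no longer needed. The two registrations could pass `this` directly, e.g. `putService(new ProviderService(this, "GssApiMechanism", "1.2.840.113554.1.2.2", "sun.security.jgss.krb5.Krb5MechFactory"));`, and the alias line can be dropped. Behaviour is unchanged; it only removes a leftover from the anonymous-class form.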

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -36,12 +36,12 @@ import java.util.LinkedList;
* Each element of the list is an interval [a, b]. Its existence in the
* list implies that all token numbers in the range a, a+1, ..., b-1, b
* have arrived. Gaps in arrived token numbers are represented by the
* numbers that fall in between two elements of the list. eg. {[a,b],
* numbers that fall in between two elements of the list. e.g. {[a,b],
* [c,d]} indicates that the token numbers b+1, ..., c-1 have not arrived
* yet.
*
* The maximum number of intervals that we keep track of is
* MAX_INTERVALS. Thus if there are too many gaps, then some of the older
* MAX_INTERVALS. Thus, if there are too many gaps, then some older
* sequence numbers are deleted from the list. The earliest sequence number
* that exists in the list is the windowStart. The next expected sequence
* number, or expectedNumber, is one greater than the latest sequence
@ -63,13 +63,13 @@ public class TokenTracker {
static final int MAX_INTERVALS = 5;
private int initNumber;
private final int initNumber;
private int windowStart;
private int expectedNumber;
private int windowStartIndex = 0;
private LinkedList<Entry> list = new LinkedList<Entry>();
private final LinkedList<Entry> list = new LinkedList<>();
public TokenTracker(int initNumber) {
@ -78,7 +78,7 @@ public class TokenTracker {
this.expectedNumber = initNumber;
// Make an entry with one less than the expected first token
Entry entry = new Entry(initNumber-1);
Entry entry = new Entry(initNumber - 1);
list.add(entry);
}
@ -90,7 +90,7 @@ public class TokenTracker {
* a in a new interval ahead of the whole list.
*/
private int getIntervalIndex(int number) {
Entry entry = null;
Entry entry;
int i;
// Start from the rear to optimize for the normal case
for (i = list.size() - 1; i >= 0; i--) {
@ -235,7 +235,7 @@ public class TokenTracker {
Entry entry;
Entry entryBefore = null;
Entry entryAfter = null;
Entry entryAfter;
boolean appended = false;
boolean prepended = false;
@ -329,7 +329,7 @@ public class TokenTracker {
}
}
// Finally we are ready to actually add to the list at index
// Finally, we are ready to actually add to the list at index
// 'prevEntryPos+1'
list.add(prevEntryPos+1, entry);
@ -356,7 +356,7 @@ public class TokenTracker {
* tokens. Each entry is actually an interval of numbers, all of which
* have been received.
*/
class Entry {
static class Entry {
private int start;
private int end;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -76,9 +76,10 @@ class CipherHelper {
private static final byte[] ZERO_IV = new byte[DES_IV_SIZE];
private static final byte[] ZERO_IV_AES = new byte[AES_IV_SIZE];
private int etype;
private int sgnAlg, sealAlg;
private byte[] keybytes;
private final int etype;
private final int sgnAlg;
private final int sealAlg;
private final byte[] keybytes;
CipherHelper(EncryptionKey key) throws GSSException {
etype = key.getEType();
@ -134,11 +135,7 @@ class CipherHelper {
}
boolean isArcFour() {
boolean flag = false;
if (etype == EncryptedData.ETYPE_ARCFOUR_HMAC) {
flag = true;
}
return flag;
return etype == EncryptedData.ETYPE_ARCFOUR_HMAC;
}
@SuppressWarnings("fallthrough")
@ -384,9 +381,8 @@ class CipherHelper {
case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA384_192:
try {
byte[] answer = Aes256Sha2.calculateChecksum(keybytes, key_usage,
return Aes256Sha2.calculateChecksum(keybytes, key_usage,
buf, 0, total);
return answer;
} catch (GeneralSecurityException e) {
GSSException ge = new GSSException(GSSException.FAILURE, -1,
"Could not use AES256 signing algorithm - " +
@ -844,7 +840,7 @@ class CipherHelper {
byte[] plaintext, int pStart, int pLen, byte[] ciphertext, int cStart,
int key_usage) throws GSSException {
byte[] ctext = null;
byte[] ctext;
switch (etype) {
case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96:
ctext = aes128Encrypt(confounder, tokenHeader,
@ -886,7 +882,7 @@ class CipherHelper {
* @param len the length of the data
* @throws GSSException when an error occuse in the encryption
*/
private byte[] getDesCbcChecksum(byte key[],
private byte[] getDesCbcChecksum(byte[] key,
byte[] header,
byte[] data, int offset, int len)
throws GSSException {
@ -954,14 +950,14 @@ class CipherHelper {
* @param key the bytes for the DES key
* @param ivBytes the initial vector bytes
*/
private final Cipher getInitializedDes(boolean encryptMode, byte[] key,
byte[] ivBytes)
private Cipher getInitializedDes(boolean encryptMode, byte[] key,
byte[] ivBytes)
throws GSSException {
try {
IvParameterSpec iv = new IvParameterSpec(ivBytes);
SecretKey jceKey = (SecretKey) (new SecretKeySpec(key, "DES"));
SecretKey jceKey = new SecretKeySpec(key, "DES");
Cipher desCipher = Cipher.getInstance("DES/CBC/NoPadding");
desCipher.init(
@ -986,7 +982,7 @@ class CipherHelper {
* @param offset the offset for the encrypted data
* @param len the length of the encrypted data
* @param dataOutBuf the output buffer where the application data
* should be writte
* should be written
* @param dataOffset the offset where the application data should
* be written.
* @throws GSSException is an error occurs while decrypting the
@ -1077,7 +1073,7 @@ class CipherHelper {
* read
* @param len the length of the ciphertext data
* @param dataOutBuf the output buffer where the application data
* should be writte
* should be written
* @param dataOffset the offset where the application data should
* be written.
* @throws GSSException is an error occurs while decrypting the
@ -1087,12 +1083,12 @@ class CipherHelper {
InputStream is, int len, byte[] dataOutBuf, int dataOffset)
throws GSSException, IOException {
int temp = 0;
int temp;
Cipher des = getInitializedDes(false, key, ZERO_IV);
WrapTokenInputStream truncatedInputStream =
new WrapTokenInputStream(is, len);
new WrapTokenInputStream(is, len);
CipherInputStream cis = new CipherInputStream(truncatedInputStream,
des);
/*
@ -1419,7 +1415,7 @@ class CipherHelper {
int cStart, int cLen, byte[] plaintext, int pStart, int key_usage)
throws GSSException {
byte[] ptext = null;
byte[] ptext;
try {
ptext = Aes128.decryptRaw(keybytes, key_usage,
@ -1456,7 +1452,7 @@ class CipherHelper {
int cStart, int cLen, byte[] plaintext, int pStart, int key_usage)
throws GSSException {
byte[] ptext = null;
byte[] ptext;
try {
ptext = Aes128Sha2.decryptRaw(keybytes, key_usage,
@ -1633,10 +1629,10 @@ class CipherHelper {
* the CipherInputStream from treating the bytes of the following token
* as part fo the ciphertext for this token.
*/
class WrapTokenInputStream extends InputStream {
static class WrapTokenInputStream extends InputStream {
private InputStream is;
private int length;
private final InputStream is;
private final int length;
private int remaining;
private int temp;
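Review bot: `private final byte[] keybytes;` only fixes the reference; the array is the key material later handed to `Aes256Sha2.calculateChecksum` and `Aes128.decryptRaw`, and its contents stay mutable. The constructor's assignment is outside the hunk, so whether the field owns a private copy cannot be confirmed here. A field comment such as `// raw key bytes; final reference only, contents must not be modified or shared` would record the expectation. The Javadoc in this file also still has `occuse`, `is an error occurs` and `as part fo` beside the corrected `written`.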

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -39,7 +39,7 @@ class InitSecContextToken extends InitialToken {
// If non-mutual authentication is requested, there is no AP-REP message.
// The acceptor thus has no chance to send the seq-number field to the
// initiator. In this case, the initiator and acceptor should has an
// initiator. In this case, the initiator and acceptor should have an
// agreement to derive acceptor's initial seq-number if the acceptor wishes
// to send messages to the initiator.
@ -64,7 +64,7 @@ class InitSecContextToken extends InitialToken {
}
}
private KrbApReq apReq = null;
private final KrbApReq apReq;
/**
* For the context initiator to call. It constructs a new

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -68,7 +68,7 @@ abstract class InitialToken extends Krb5Token {
protected class OverloadedChecksum {
private byte[] checksumBytes = null;
private final byte[] checksumBytes;
private Credentials delegCreds = null;
private int flags = 0;
@ -105,7 +105,7 @@ abstract class InitialToken extends Krb5Token {
}
if (context.getCredDelegState()) {
KrbCred krbCred = null;
KrbCred krbCred;
CipherHelper cipherHelper =
context.getCipherHelper(serviceTicket.getSessionKey());
if (useNullKey(cipherHelper)) {
@ -217,8 +217,6 @@ abstract class InitialToken extends Krb5Token {
EncryptionKey key, EncryptionKey subKey)
throws GSSException, KrbException, IOException {
int pos = 0;
if (checksum == null) {
GSSException ge = new GSSException(GSSException.FAILURE, -1,
"No cksum in AP_REQ's authenticator");
@ -296,12 +294,8 @@ abstract class InitialToken extends Krb5Token {
// check if KRB-CRED message should use NULL_KEY for encryption
private boolean useNullKey(CipherHelper ch) {
boolean flag = true;
// for "newer" etypes and RC4-HMAC do not use NULL KEY
if ((ch.getProto() == 1) || ch.isArcFour()) {
flag = false;
}
return flag;
return (ch.getProto() != 1) && !ch.isArcFour();
}
public Checksum getChecksum() throws KrbException {
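Review bot: The comment kept above the new one-line return in `useNullKey`, `// for "newer" etypes and RC4-HMAC do not use NULL KEY`, now describes the negation of the expression under it. This predicate chooses whether the KRB-CRED message is encrypted with a NULL key, so I would state the condition positively, e.g. `// NULL key only when getProto() != 1 and the etype is not RC4-HMAC`. The rewritten expression is a correct De Morgan form of the removed `if`, so this is a documentation change only.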

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -64,7 +64,7 @@ public class Krb5AcceptCredential
final String serverPrinc = (name == null? null:
name.getKrb5PrincipalName().getName());
ServiceCreds creds = null;
ServiceCreds creds;
try {
creds = AccessController.doPrivilegedWithCombiner(
new PrivilegedExceptionAction<ServiceCreds>() {
@ -178,7 +178,7 @@ public class Krb5AcceptCredential
/**
* Impersonation is only available on the initiator side. The
* service must starts as an initiator to get an initial TGT to complete
* service must start as an initiator to get an initial TGT to complete
* the S4U2self protocol.
*/
@Override

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -35,11 +35,7 @@ import sun.security.krb5.*;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.AccessController;
import java.security.Key;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.ServicePermission;
import javax.security.auth.kerberos.KerberosCredMessage;
@ -88,7 +84,6 @@ class Krb5Context implements GSSContextSpi {
private boolean isConstrainedDelegationTried = false;
private int mySeqNumber;
private int peerSeqNumber;
private int keySrc;
private TokenTracker peerTokenTracker;
@ -103,14 +98,14 @@ class Krb5Context implements GSSContextSpi {
* checking of per-message tokens is enabled.
*/
private Object mySeqNumberLock = new Object();
private Object peerSeqNumberLock = new Object();
private final Object mySeqNumberLock = new Object();
private final Object peerSeqNumberLock = new Object();
private EncryptionKey key;
private Krb5NameElement myName;
private Krb5NameElement peerName;
private int lifetime;
private boolean initiator;
private final boolean initiator;
private ChannelBinding channelBinding;
private Krb5CredElement myCred;
@ -366,7 +361,7 @@ class Krb5Context implements GSSContextSpi {
* MessageToken.init()
*/
final CipherHelper getCipherHelper(EncryptionKey ckey) throws GSSException {
EncryptionKey cipherKey = null;
EncryptionKey cipherKey;
if (cipherHelper == null) {
cipherKey = (getKey() == null) ? ckey: getKey();
cipherHelper = new CipherHelper(cipherKey);
@ -399,8 +394,7 @@ class Krb5Context implements GSSContextSpi {
+ seqNumber);
}
synchronized (peerSeqNumberLock) {
peerSeqNumber = seqNumber;
peerTokenTracker = new TokenTracker(peerSeqNumber);
peerTokenTracker = new TokenTracker(seqNumber);
}
}
@ -415,7 +409,7 @@ class Krb5Context implements GSSContextSpi {
return keySrc;
}
private final EncryptionKey getKey() {
private EncryptionKey getKey() {
return key;
}
@ -707,11 +701,7 @@ class Krb5Context implements GSSContextSpi {
@SuppressWarnings("removal")
final Subject subject =
AccessController.doPrivilegedWithCombiner(
new java.security.PrivilegedAction<Subject>() {
public Subject run() {
return (Subject.current());
}
});
(PrivilegedAction<Subject>) Subject::current);
if (subject != null &&
!subject.isReadOnly()) {
/*
@ -725,12 +715,10 @@ class Krb5Context implements GSSContextSpi {
Krb5Util.credsToTicket(serviceCreds);
@SuppressWarnings("removal")
var dummy = AccessController.doPrivileged (
new java.security.PrivilegedAction<Void>() {
public Void run() {
subject.getPrivateCredentials().add(kt);
return null;
}
});
(PrivilegedAction<Void>) () -> {
subject.getPrivateCredentials().add(kt);
return null;
});
} else {
// log it for debugging purpose
if (DEBUG) {
@ -904,7 +892,7 @@ class Krb5Context implements GSSContextSpi {
/*
* Per-message calls depend on the sequence number. The sequence number
* synchronization is at a finer granularity because wrap and getMIC
* care about the local sequence number (mySeqNumber) where are unwrap
* care about the local sequence number (mySeqNumber) whereas unwrap
* and verifyMIC care about the remote sequence number (peerSeqNumber).
*/
@ -938,7 +926,6 @@ class Krb5Context implements GSSContextSpi {
}
return encToken;
} catch (IOException e) {
encToken = null;
GSSException gssException =
new GSSException(GSSException.FAILURE, -1, e.getMessage());
gssException.initCause(e);
@ -972,7 +959,6 @@ class Krb5Context implements GSSContextSpi {
}
return retVal;
} catch (IOException e) {
retVal = 0;
GSSException gssException =
new GSSException(GSSException.FAILURE, -1, e.getMessage());
gssException.initCause(e);
@ -1187,7 +1173,6 @@ class Krb5Context implements GSSContextSpi {
}
return retVal;
} catch (IOException e) {
retVal = 0;
GSSException gssException =
new GSSException(GSSException.FAILURE, -1, e.getMessage());
gssException.initCause(e);
@ -1196,7 +1181,7 @@ class Krb5Context implements GSSContextSpi {
}
/*
* Checksum calculation requires a byte[]. Hence might as well pass
* Checksum calculation requires a byte[]. Hence, might as well pass
* a byte[] into the MicToken constructor. However, writing the
* token can be optimized for cases where the application passed in
* an OutputStream.
@ -1385,7 +1370,7 @@ class Krb5Context implements GSSContextSpi {
}
GSSCaller getCaller() {
// Currently used by InitialToken only
// Currently, used by InitialToken only
return caller;
}
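Review bot: The block comment on per-message calls still names `peerSeqNumber` as the remote sequence number, but this change appears to drop that field. The field-declaration hunk loses one line, and the setter now passes the value straight to `new TokenTracker(seqNumber)`. The remote sequence state then lives only in `peerTokenTracker`, guarded by `peerSeqNumberLock`, so the comment would be more accurate as `whereas unwrap and verifyMIC care about the remote sequence state (peerTokenTracker)`. Separately, collapsing the explicit `java.security` imports into `java.security.*` next to `sun.security.krb5.*` makes it harder to see where names such as `Key` or `Provider` resolve from; keeping the explicit imports would avoid that.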

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,10 +25,7 @@
package sun.security.jgss.krb5;
import org.ietf.jgss.*;
import sun.security.jgss.spi.*;
import sun.security.krb5.*;
import java.security.Provider;
import sun.security.jgss.spi.GSSCredentialSpi;
/**
* Provides type safety for Krb5 credential elements.

@ -31,6 +31,7 @@ import sun.security.jgss.spi.*;
import sun.security.krb5.*;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KerberosPrincipal;
import java.io.Serial;
import java.net.InetAddress;
import java.io.IOException;
import java.util.Date;
@ -50,12 +51,13 @@ public class Krb5InitCredential
extends KerberosTicket
implements Krb5CredElement {
@Serial
private static final long serialVersionUID = 7723415700837898232L;
@SuppressWarnings("serial") // Not statically typed as Serializable
private Krb5NameElement name;
private final Krb5NameElement name;
@SuppressWarnings("serial") // Not statically typed as Serializable
private Credentials krb5Credentials;
private final Credentials krb5Credentials;
public KerberosTicket proxyTicket;
private Krb5InitCredential(Krb5NameElement name,
@ -198,8 +200,8 @@ public class Krb5InitCredential
EncryptionKey sessionKey = delegatedCred.getSessionKey();
/*
* all of the following data is optional in a KRB-CRED
* messages. This check for each field.
* All the following data is optional in a KRB-CRED
* message. This check for each field.
*/
PrincipalName cPrinc = delegatedCred.getClient();
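Review bot: `public KerberosTicket proxyTicket;` is left as a public, non-final field in the hunk at old line 50, directly below `name` and `krb5Credentials`, which this change makes `private final`. On a credential class that extends `KerberosTicket`, any code holding a reference can replace the proxy ticket after construction. If nothing outside the class assigns it (not visible in this section), declare it `final` or expose it through an accessor instead. The class body continues outside the hunk.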

@ -54,7 +54,7 @@ public final class Krb5MechFactory implements MechanismFactory {
static final Oid NT_GSS_KRB5_PRINCIPAL =
createOid("1.2.840.113554.1.2.2.1");
private static Oid[] nameTypes =
private static final Oid[] nameTypes =
new Oid[] { GSSName.NT_USER_NAME,
GSSName.NT_HOSTBASED_SERVICE,
GSSName.NT_EXPORT_NAME,
@ -214,7 +214,7 @@ public final class Krb5MechFactory implements MechanismFactory {
}
public final Oid getMechanismOid() {
public Oid getMechanismOid() {
return GSS_KRB5_MECH_OID;
}
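Review bot: Marking `nameTypes` as `private static final Oid[]` fixes the reference but not the array contents, so its elements can still be overwritten by any code that obtains the array. If `getNameTypes()` returns this array directly (its body is outside the hunk), returning `nameTypes.clone()` would stop a caller from altering the name types the factory advertises.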

@ -47,10 +47,10 @@ import static java.nio.charset.StandardCharsets.UTF_8;
public class Krb5NameElement
implements GSSNameSpi {
private PrincipalName krb5PrincipalName;
private final PrincipalName krb5PrincipalName;
private String gssNameStr = null;
private Oid gssNameType = null;
private final String gssNameStr;
private final Oid gssNameType;
private Krb5NameElement(PrincipalName principalName,
String gssNameStr,
@ -185,7 +185,7 @@ public class Krb5NameElement
private static String getHostBasedInstance(String serviceName,
String hostName)
throws GSSException {
StringBuffer temp = new StringBuffer(serviceName);
StringBuilder temp = new StringBuilder(serviceName);
try {
// A lack of "@" defaults to the service being on the local
@ -199,7 +199,7 @@ public class Krb5NameElement
}
hostName = hostName.toLowerCase(Locale.ENGLISH);
temp = temp.append('/').append(hostName);
temp.append('/').append(hostName);
return temp.toString();
}
@ -222,9 +222,8 @@ public class Krb5NameElement
if (other == this)
return true;
if (other instanceof Krb5NameElement) {
Krb5NameElement that = (Krb5NameElement) other;
return (this.krb5PrincipalName.getName().equals(
if (other instanceof Krb5NameElement that) {
return (this.krb5PrincipalName.getName().equals(
that.krb5PrincipalName.getName()));
}
return false;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -144,7 +144,7 @@ public class Krb5Util {
serverAlias.getName(), serverAlias.getNameType()));
}
return kt;
};
}
public static Credentials ticketToCreds(KerberosTicket kerbTicket)
throws KrbException, IOException {

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -394,11 +394,10 @@ abstract class MessageToken extends Krb5Token {
if (initiator)
directionByte = (byte) 0xff; // Received token from acceptor
if ((seqNumberData[4] == directionByte) &&
(seqNumberData[5] == directionByte) &&
(seqNumberData[6] == directionByte) &&
(seqNumberData[7] == directionByte))
return true;
return (seqNumberData[4] == directionByte) &&
(seqNumberData[5] == directionByte) &&
(seqNumberData[6] == directionByte) &&
(seqNumberData[7] == directionByte);
}
return false;
@ -406,7 +405,7 @@ abstract class MessageToken extends Krb5Token {
}
public final int getSequenceNumber() {
int sequenceNum = 0;
int sequenceNum;
if (cipherHelper.isArcFour()) {
sequenceNum = readBigEndian(seqNumberData, 0, 4);
} else {
@ -536,7 +535,7 @@ abstract class MessageToken extends Krb5Token {
}
/**
* Obtains the context key that is associated with this token.
* Obtains the context key associated with this token.
* @return the context key
*/
/*
@ -586,18 +585,18 @@ abstract class MessageToken extends Krb5Token {
*/
class MessageTokenHeader {
private int tokenId;
private int signAlg;
private int sealAlg;
private final int tokenId;
private final int signAlg;
private final int sealAlg;
private byte[] bytes = new byte[8];
private final byte[] bytes = new byte[8];
/**
* Constructs a MessageTokenHeader for the specified token type with
* appropriate checksum and encryption algorithms fields.
*
* @param tokenId the token id for this message token
* @param conf true if confidentiality will be resuested with this
* @param conf true if confidentiality will be requested with this
* message token, false otherwise.
* @param qop the value of the quality of protection that will be
* desired.

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,12 +25,13 @@
package sun.security.jgss.krb5;
import org.ietf.jgss.*;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
import java.util.Arrays;
@ -499,8 +500,8 @@ abstract class MessageToken_v2 extends Krb5Token {
*/
class MessageTokenHeader {
private int tokenId;
private byte[] bytes = new byte[TOKEN_HEADER_SIZE];
private final int tokenId;
private final byte[] bytes = new byte[TOKEN_HEADER_SIZE];
// Writes a new token header
public MessageTokenHeader(int tokenId, boolean conf) throws GSSException {
@ -511,7 +512,7 @@ abstract class MessageToken_v2 extends Krb5Token {
bytes[1] = (byte) (tokenId);
// Flags (Note: MIT impl requires subkey)
int flags = 0;
int flags;
flags = (initiator ? 0 : FLAG_SENDER_IS_ACCEPTOR) |
((conf && tokenId != MIC_ID_v2) ?
FLAG_WRAP_CONFIDENTIAL : 0) |
@ -576,12 +577,8 @@ abstract class MessageToken_v2 extends Krb5Token {
// check for confidentiality
int conf_flag = bytes[TOKEN_FLAG_POS] & FLAG_WRAP_CONFIDENTIAL;
if ((conf_flag == FLAG_WRAP_CONFIDENTIAL) &&
(tokenId == WRAP_ID_v2)) {
prop.setPrivacy(true);
} else {
prop.setPrivacy(false);
}
prop.setPrivacy((conf_flag == FLAG_WRAP_CONFIDENTIAL) &&
(tokenId == WRAP_ID_v2));
if (tokenId == WRAP_ID_v2) {
// validate filler
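Review bot: In the header-writing constructor, dropping the `= 0` initializer leaves `int flags;` immediately followed by `flags = (initiator ? 0 : FLAG_SENDER_IS_ACCEPTOR) |`, a declaration and an assignment with nothing between them. Merging them into `int flags = (initiator ? 0 : FLAG_SENDER_IS_ACCEPTOR) |` keeps the cleanup's intent and removes the split. The expression continues outside the hunk.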

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,12 +25,12 @@
package sun.security.jgss.krb5;
import org.ietf.jgss.*;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;
import java.io.ByteArrayInputStream;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
class MicToken extends MessageToken {
@ -54,7 +54,7 @@ class MicToken extends MessageToken {
}
public void verify(InputStream data) throws GSSException {
byte[] dataBytes = null;
byte[] dataBytes;
try {
dataBytes = new byte[data.available()];
data.read(dataBytes);
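Review bot: `verify(InputStream)` sizes its buffer with `data.available()` and ignores the return value of `data.read(dataBytes)`, and this cleanup leaves both in place. `available()` is only an estimate of what can be read without blocking, and `read` may fill less than the whole array, so for a stream that is not fully buffered the MIC could be checked against a truncated or zero-padded message instead of the data the peer sent. `dataBytes = data.readAllBytes();` reads to end of stream and removes both assumptions. The same two lines appear in `MicToken_v2.verify` in the next file section, and the `try` block continues outside the hunk in both.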

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -62,7 +62,7 @@ class MicToken_v2 extends MessageToken_v2 {
}
public void verify(InputStream data) throws GSSException {
byte[] dataBytes = null;
byte[] dataBytes;
try {
dataBytes = new byte[data.available()];
data.read(dataBytes);

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -36,6 +36,7 @@ import sun.security.krb5.EncryptionKey;
import sun.security.krb5.KrbException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import sun.security.krb5.*;
@ -201,11 +202,9 @@ public final class ServiceCreds {
continue; // skip this legacy bound keytab
}
}
for (KerberosKey k: ktab.getKeys(princ)) {
keys.add(k);
}
Collections.addAll(keys, ktab.getKeys(princ));
}
return keys.toArray(new KerberosKey[keys.size()]);
return keys.toArray(new KerberosKey[0]);
}
/**

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -86,7 +86,7 @@ class SubjectComber {
if (subject == null) {
return null;
} else {
List<T> answer = (oneOnly ? null : new ArrayList<T>());
List<T> answer = (oneOnly ? null : new ArrayList<>());
if (credClass == KeyTab.class) {
Iterator<KeyTab> iterator =
@ -151,11 +151,10 @@ class SubjectComber {
Iterator<Object> iterator = pcs.iterator();
while (iterator.hasNext()) {
Object obj = iterator.next();
if (!(obj instanceof KerberosTicket)) {
if (!(obj instanceof @SuppressWarnings("unchecked")
KerberosTicket ticket)) {
continue;
}
@SuppressWarnings("unchecked")
KerberosTicket ticket = (KerberosTicket)obj;
if (DEBUG) {
System.out.println("Found ticket for "
+ ticket.getClient()
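Review bot: The `@SuppressWarnings("unchecked")` carried into the type pattern, `obj instanceof @SuppressWarnings("unchecked") KerberosTicket ticket`, has nothing to suppress, because narrowing an `Object` to the non-generic `KerberosTicket` is a checked cast. Dropping the annotation gives `if (!(obj instanceof KerberosTicket ticket)) {` on a single line. The loop body continues outside the hunk.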

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -74,7 +74,7 @@ class WrapToken extends MessageToken {
/*
* A token may come in either in an InputStream or as a
* byte[]. Store a reference to it in either case and process
* it's data only later when getData() is called and
* its data only later when getData() is called and
* decryption/copying is needed to be done. Note that JCE can
* decrypt both from a byte[] and from an InputStream.
*/
@ -96,13 +96,13 @@ class WrapToken extends MessageToken {
private int dataLen = 0;
// the len of the token data: (confounder || data || padding)
private int dataSize = 0;
private final int dataSize;
// Accessed by CipherHelper
byte[] confounder = null;
byte[] padding = null;
private boolean privacy = false;
private final boolean privacy;
/**
* Constructs a WrapToken from token bytes obtained from the
@ -303,8 +303,6 @@ class WrapToken extends MessageToken {
private void getDataFromStream(byte[] dataBuf, int dataBufOffset)
throws GSSException {
GSSHeader gssHeader = getGSSHeader();
// Don't check the token length. Data will be read on demand from
// the InputStream.
@ -385,7 +383,7 @@ class WrapToken extends MessageToken {
* @return the padding to be applied
*/
private byte[] getPadding(int len) {
int padSize = 0;
int padSize;
// For RC4-HMAC, all padding is rounded up to 1 byte.
// One byte is needed to say that there is 1 byte of padding.
if (cipherHelper.isArcFour()) {

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -220,7 +220,7 @@ class WrapToken_v2 extends MessageToken_v2 {
return token.length;
}
// This implementation is way to conservative. And it certainly
// This implementation is way too conservative. And it certainly
// doesn't return the maximum limit.
static int getSizeLimit(int qop, boolean confReq, int maxTokenSize,
CipherHelper ch) throws GSSException {

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -89,65 +89,65 @@ import java.security.Provider;
public interface GSSContextSpi {
public Provider getProvider();
Provider getProvider();
// The specification for the following methods mirrors the
// specification of the same methods in the GSSContext interface, as
// defined in RFC 2853.
public void requestLifetime(int lifetime) throws GSSException;
void requestLifetime(int lifetime) throws GSSException;
public void requestMutualAuth(boolean state) throws GSSException;
void requestMutualAuth(boolean state) throws GSSException;
public void requestReplayDet(boolean state) throws GSSException;
void requestReplayDet(boolean state) throws GSSException;
public void requestSequenceDet(boolean state) throws GSSException;
void requestSequenceDet(boolean state) throws GSSException;
public void requestCredDeleg(boolean state) throws GSSException;
void requestCredDeleg(boolean state) throws GSSException;
public void requestAnonymity(boolean state) throws GSSException;
void requestAnonymity(boolean state) throws GSSException;
public void requestConf(boolean state) throws GSSException;
void requestConf(boolean state) throws GSSException;
public void requestInteg(boolean state) throws GSSException;
void requestInteg(boolean state) throws GSSException;
public void requestDelegPolicy(boolean state) throws GSSException;
void requestDelegPolicy(boolean state) throws GSSException;
public void setChannelBinding(ChannelBinding cb) throws GSSException;
void setChannelBinding(ChannelBinding cb) throws GSSException;
public boolean getCredDelegState();
boolean getCredDelegState();
public boolean getMutualAuthState();
boolean getMutualAuthState();
public boolean getReplayDetState();
boolean getReplayDetState();
public boolean getSequenceDetState();
boolean getSequenceDetState();
public boolean getAnonymityState();
boolean getAnonymityState();
public boolean getDelegPolicyState();
boolean getDelegPolicyState();
public boolean isTransferable() throws GSSException;
boolean isTransferable() throws GSSException;
public boolean isProtReady();
boolean isProtReady();
public boolean isInitiator();
boolean isInitiator();
public boolean getConfState();
boolean getConfState();
public boolean getIntegState();
boolean getIntegState();
public int getLifetime();
int getLifetime();
public boolean isEstablished();
boolean isEstablished();
public GSSNameSpi getSrcName() throws GSSException;
GSSNameSpi getSrcName() throws GSSException;
public GSSNameSpi getTargName() throws GSSException;
GSSNameSpi getTargName() throws GSSException;
public Oid getMech() throws GSSException;
Oid getMech() throws GSSException;
public GSSCredentialSpi getDelegCred() throws GSSException;
GSSCredentialSpi getDelegCred() throws GSSException;
/**
* Initiator context establishment call. This method may be
@ -163,9 +163,9 @@ public interface GSSContextSpi {
* with this mechanism level initSecContext. Since the output token
* from this method is a fixed size, not exceedingly large, and a one
* time deal, an overloaded form that takes an OutputStream has not
* been defined. The GSS-Framwork can write the returned byte[] to any
* been defined. The GSS-Framework can write the returned byte[] to any
* application provided OutputStream. Similarly, any application input
* int he form of byte arrays will be wrapped in an input stream by the
* in the form of byte arrays will be wrapped in an input stream by the
* GSS-Framework and then passed here.
* <p>
* <strong>
@ -187,7 +187,7 @@ public interface GSSContextSpi {
* the way out.
* @exception GSSException may be thrown
*/
public byte[] initSecContext(InputStream is, int mechTokenSize)
byte[] initSecContext(InputStream is, int mechTokenSize)
throws GSSException;
/**
@ -204,9 +204,9 @@ public interface GSSContextSpi {
* with this mechanism level acceptSecContext. Since the output token
* from this method is a fixed size, not exceedingly large, and a one
* time deal, an overloaded form that takes an OutputStream has not
* been defined. The GSS-Framwork can write the returned byte[] to any
* been defined. The GSS-Framework can write the returned byte[] to any
* application provided OutputStream. Similarly, any application input
* int he form of byte arrays will be wrapped in an input stream by the
* in the form of byte arrays will be wrapped in an input stream by the
* GSS-Framework and then passed here.
* <p>
* <strong>
@ -227,12 +227,12 @@ public interface GSSContextSpi {
* the way out.
* @exception GSSException may be thrown
*/
public byte[] acceptSecContext(InputStream is, int mechTokenSize)
byte[] acceptSecContext(InputStream is, int mechTokenSize)
throws GSSException;
/**
* Queries the context for largest data size to accommodate
* the specified protection and for the token to remain less then
* the specified protection and for the token to remain less than
* maxTokSize.
*
* @param qop the quality of protection that the context will be
@ -245,28 +245,28 @@ public interface GSSContextSpi {
* requirements are met.
* @exception GSSException may be thrown
*/
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
throws GSSException;
/**
* Provides per-message token encapsulation.
*
* @param is the user-provided message to be protected
* @param os the token to be sent to the peer. It includes
* @param is the token to be sent to the peer. It includes
* the message from <i>is</i> with the requested protection.
* @param msgProp on input it contains the requested qop and
* @param msgProp on input, contains the requested qop and
* confidentiality state, on output, the applied values
* @exception GSSException may be thrown
* @see unwrap
*/
public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
void wrap(InputStream is, OutputStream os, MessageProp msgProp)
throws GSSException;
/**
* For apps that want simplicity and don't care about buffer copies.
*/
public byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException;
byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException;
/**
* For apps that care about buffer copies but either cannot use streams
@ -308,14 +308,14 @@ public interface GSSContextSpi {
* @exception GSSException may be thrown
* @see wrap
*/
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException;
void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException;
/**
* For apps that want simplicity and don't care about buffer copies.
*/
public byte[] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException;
byte[] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException;
/**
* For apps that care about buffer copies but either cannot use streams
@ -352,12 +352,12 @@ public interface GSSContextSpi {
* @param msgProp on input the desired QOP and output the applied QOP
* @exception GSSException
*/
public void getMIC(InputStream is, OutputStream os,
MessageProp msgProp)
void getMIC(InputStream is, OutputStream os,
MessageProp msgProp)
throws GSSException;
public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException;
byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException;
/**
* Checks the integrity of the supplied tokens.
@ -369,12 +369,12 @@ public interface GSSContextSpi {
* states of the token as well as any informatory status codes
* @exception GSSException may be thrown
*/
public void verifyMIC(InputStream is, InputStream msgStr,
MessageProp mProp) throws GSSException;
void verifyMIC(InputStream is, InputStream msgStr,
MessageProp mProp) throws GSSException;
public void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException;
void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException;
/**
* Produces a token representing this context. After this call
@ -384,7 +384,7 @@ public interface GSSContextSpi {
* @return exported context token
* @exception GSSException may be thrown
*/
public byte[] export() throws GSSException;
byte[] export() throws GSSException;
/**
* Releases context resources and terminates the
@ -392,7 +392,7 @@ public interface GSSContextSpi {
*
* @exception GSSException may be thrown
*/
public void dispose() throws GSSException;
void dispose() throws GSSException;
/**
* Return the mechanism-specific attribute associated with {@code type}.
@ -402,6 +402,6 @@ public interface GSSContextSpi {
* @throws GSSException see {@link ExtendedGSSContext#inquireSecContext}
* for details
*/
public Object inquireSecContext(String type)
Object inquireSecContext(String type)
throws GSSException;
}
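Review bot: The Javadoc edit on the stream-based `wrap` renames `@param os` to `@param is`, so the comment now documents `is` twice and leaves the `OutputStream os` parameter of `wrap(InputStream is, OutputStream os, MessageProp msgProp)` undocumented. This assumes the second of the two printed lines is the new side, as elsewhere on this page. The line should stay `@param os the token to be sent to the peer. It includes`. In the same comment, `@see unwrap` is not a member reference and will not resolve; `@see #unwrap` would.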

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -37,7 +37,7 @@ import java.security.Provider;
*/
public interface GSSCredentialSpi {
public Provider getProvider();
Provider getProvider();
/**
* Called to invalidate this credential element and release
@ -46,7 +46,7 @@ public interface GSSCredentialSpi {
*
* @exception GSSException with major codes NO_CRED and FAILURE
*/
public void dispose() throws GSSException;
void dispose() throws GSSException;
/**
* Returns the principal name for this credential. The name
@ -55,7 +55,7 @@ public interface GSSCredentialSpi {
* @return GSSNameSpi representing principal name of this credential
* @exception GSSException may be thrown
*/
public GSSNameSpi getName() throws GSSException;
GSSNameSpi getName() throws GSSException;
/**
* Returns the init lifetime remaining.
@ -63,7 +63,7 @@ public interface GSSCredentialSpi {
* @return the init lifetime remaining in seconds
* @exception GSSException may be thrown
*/
public int getInitLifetime() throws GSSException;
int getInitLifetime() throws GSSException;
/**
@ -72,21 +72,21 @@ public interface GSSCredentialSpi {
* @return the accept lifetime remaining in seconds
* @exception GSSException may be thrown
*/
public int getAcceptLifetime() throws GSSException;
int getAcceptLifetime() throws GSSException;
/**
* Determines if this credential element can be used by a context
* initiator.
* @return true if it can be used for initiating contexts
*/
public boolean isInitiatorCredential() throws GSSException;
boolean isInitiatorCredential() throws GSSException;
/**
* Determines if this credential element can be used by a context
* acceptor.
* @return true if it can be used for accepting contexts
*/
public boolean isAcceptorCredential() throws GSSException;
boolean isAcceptorCredential() throws GSSException;
/**
* Returns the oid representing the underlying credential
@ -95,7 +95,7 @@ public interface GSSCredentialSpi {
* @return the Oid for this credential mechanism
* @exception GSSException may be thrown
*/
public Oid getMechanism();
Oid getMechanism();
/**
* Impersonates another client.
@ -104,5 +104,5 @@ public interface GSSCredentialSpi {
* @return the new credential
* @exception GSSException may be thrown
*/
public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException;
GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException;
}
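Review bot: The Javadoc on `getMechanism()` still carries `@exception GSSException may be thrown`, but the declaration `Oid getMechanism();` has no `throws` clause, so the tag documents a checked exception the method cannot raise. Remove the tag there. The opposite gap is on `isInitiatorCredential()` and `isAcceptorCredential()`, which declare `throws GSSException` without an `@exception` line; adding `@exception GSSException may be thrown` would match the neighbouring methods.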

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2005, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -38,7 +38,7 @@ import java.security.Provider;
public interface GSSNameSpi {
public Provider getProvider();
Provider getProvider();
/**
* Equals method for the GSSNameSpi objects.
@ -50,7 +50,7 @@ public interface GSSNameSpi {
* @exception GSSException with major codes of BAD_NAMETYPE,
* BAD_NAME, FAILURE
*/
public boolean equals(GSSNameSpi name) throws GSSException;
boolean equals(GSSNameSpi name) throws GSSException;
/**
* Compares this <code>GSSNameSpi</code> object to another Object
@ -63,14 +63,14 @@ public interface GSSNameSpi {
* @return true if they both refer to the same entity, else false
* @see #equals(GSSNameSpi)
*/
public boolean equals(Object another);
boolean equals(Object another);
/**
* Returns a hashcode value for this GSSNameSpi.
*
* @return a hashCode value
*/
public int hashCode();
int hashCode();
/**
* Returns a flat name representation for this object. The name
@ -80,7 +80,7 @@ public interface GSSNameSpi {
* @exception GSSException with major codes NAME_NOT_MN, BAD_NAME,
* BAD_NAME, FAILURE.
*/
public byte[] export() throws GSSException;
byte[] export() throws GSSException;
/**
@ -88,7 +88,7 @@ public interface GSSNameSpi {
*
* @return the Oid of the mechanism type
*/
public Oid getMechanism();
Oid getMechanism();
/**
* Returns a string representation for this name. The printed
@ -98,7 +98,7 @@ public interface GSSNameSpi {
* @see #getStringNameType()
* @overrides Object#toString
*/
public String toString();
String toString();
/**
@ -106,10 +106,10 @@ public interface GSSNameSpi {
*
* @return the Oid for the format of the printed name
*/
public Oid getStringNameType();
Oid getStringNameType();
/**
* Indicates if this name object represents an Anonymous name.
*/
public boolean isAnonymousName();
boolean isAnonymousName();
}
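Review bot: `@overrides Object#toString` on `toString()` is not a standard Javadoc tag, so the intended cross-reference is likely lost in the generated documentation; `@see Object#toString()` expresses it. The `@exception` line on `export()` lists `BAD_NAME` twice (`NAME_NOT_MN, BAD_NAME,` / `BAD_NAME, FAILURE.`), and the second occurrence should be dropped. Both are in context lines this cleanup passes over while editing the declarations beneath them.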

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -37,7 +37,7 @@ import java.security.Provider;
* property "GssApiMechanism.x.y.z" to an implementation class that serves
* as the factory for that mechanism.
* <p>
* e.g., If a provider master file contained the a mapping from the
* e.g., If a provider master file contained a mapping from the
* property "GssApiMechanism.1.2.840.113554.1.2.2" to the class name
* "com.foo.krb5.Krb5GssFactory", then the GSS-API framework would assume
* that com.foo.krb5.Krb5GssFactory implements the MechanismFactory
@ -53,13 +53,13 @@ public interface MechanismFactory {
* Returns the Oid of the mechanism that this factory supports.
* @return the Oid
*/
public Oid getMechanismOid();
Oid getMechanismOid();
/**
* Returns the provider that this factory came from.
* @return the provider
*/
public Provider getProvider();
Provider getProvider();
/**
* Returns the GSS-API nametypes that this mechanism can
@ -69,7 +69,7 @@ public interface MechanismFactory {
* nametypes supported
* @see org.ietf.jgss.GSSName
*/
public Oid[] getNameTypes() throws GSSException;
Oid[] getNameTypes() throws GSSException;
/**
* Creates a credential element for this mechanism to be included as
@ -115,8 +115,8 @@ public interface MechanismFactory {
* @throws GSSException if one of the error situations described in RFC
* 2743 with the GSS_Acquire_Cred or GSS_Add_Cred calls occurs.
*/
public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
int initLifetime, int acceptLifetime, int usage) throws GSSException;
GSSCredentialSpi getCredentialElement(GSSNameSpi name,
int initLifetime, int acceptLifetime, int usage) throws GSSException;
/**
* Creates a name element for this mechanism to be included as part of
@ -134,7 +134,7 @@ public interface MechanismFactory {
* @throws GSSException if any of the errors described in RFC 2743 for
* the GSS_Import_Name or GSS_Canonicalize_Name calls occur.
*/
public GSSNameSpi getNameElement(String nameStr, Oid nameType)
GSSNameSpi getNameElement(String nameStr, Oid nameType)
throws GSSException;
/**
@ -153,7 +153,7 @@ public interface MechanismFactory {
* @throws GSSException if any of the errors described in RFC 2743 for
* the GSS_Import_Name or GSS_Canonicalize_Name calls occur.
*/
public GSSNameSpi getNameElement(byte[] name, Oid nameType)
GSSNameSpi getNameElement(byte[] name, Oid nameType)
throws GSSException;
/**
@ -174,12 +174,12 @@ public interface MechanismFactory {
* @throws GSSException if any of the errors described in RFC 2743 in
* the GSS_Init_Sec_Context call occur.
*/
public GSSContextSpi getMechanismContext(GSSNameSpi peer,
GSSCredentialSpi myInitiatorCred,
int lifetime) throws GSSException;
GSSContextSpi getMechanismContext(GSSNameSpi peer,
GSSCredentialSpi myInitiatorCred,
int lifetime) throws GSSException;
/**
* Creates a security context for this mechanism so thatit can be used
* Creates a security context for this mechanism so that it can be used
* on the context acceptor's side.
*
* @param myAcceptorCred a credential element for the context acceptor
@ -192,7 +192,7 @@ public interface MechanismFactory {
* @throws GSSException if any of the errors described in RFC 2743 in
* the GSS_Accept_Sec_Context call occur.
*/
public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
throws GSSException;
/**
@ -208,7 +208,7 @@ public interface MechanismFactory {
* @throws GSSException is any of the errors described in RFC 2743 in
* the GSS_Import_Sec_Context call occur.
*/
public GSSContextSpi getMechanismContext(byte[] exportedContext)
GSSContextSpi getMechanismContext(byte[] exportedContext)
throws GSSException;
}
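Review bot: The `@throws` line on `getMechanismContext(byte[] exportedContext)` still reads `is any of the errors described in RFC 2743 in`, while the two sibling overloads say `if any of the errors`. It should be `@throws GSSException if any of the errors described in RFC 2743 in`. This section already fixes the nearby "thatit" and "contained the a mapping" typos, so this one belongs in the same pass.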

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,12 +25,13 @@
package sun.security.jgss.spnego;
import java.io.*;
import java.util.*;
import org.ietf.jgss.*;
import sun.security.jgss.*;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSUtil;
import sun.security.util.*;
import java.io.IOException;
/**
* Implements the SPNEGO NegTokenInit token
* as specified in RFC 2478
@ -165,7 +166,7 @@ public class NegTokenInit extends SpNegoToken {
// read all the mechTypes
DerValue[] mList = mValue.getSequence(0);
mechTypeList = new Oid[mList.length];
ObjectIdentifier mech = null;
ObjectIdentifier mech;
for (int i = 0; i < mList.length; i++) {
mech = mList[i].getOID();
if (DEBUG) {
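Review bot: With the `= null` initializer gone, `ObjectIdentifier mech;` is declared outside the loop only to be assigned on the loop's first line. Declaring it at the assignment, `ObjectIdentifier mech = mList[i].getOID();`, narrows its scope to the iteration that uses it, assuming nothing after the loop reads `mech`, which the hunk does not show. The loop body continues outside the hunk.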

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,6 +27,8 @@ package sun.security.jgss.spnego;
import java.io.*;
import java.security.Provider;
import java.util.Objects;
import org.ietf.jgss.*;
import sun.security.action.GetBooleanAction;
import sun.security.jgss.*;
@ -66,14 +68,14 @@ public class SpNegoContext implements GSSContextSpi {
private GSSNameSpi peerName = null;
private GSSNameSpi myName = null;
private SpNegoCredElement myCred = null;
private final SpNegoCredElement myCred;
private GSSContext mechContext = null;
private byte[] DER_mechTypes = null;
private int lifetime;
private ChannelBinding channelBinding;
private boolean initiator;
private final boolean initiator;
// the underlying negotiated mechanism
private Oid internal_mech = null;
@ -285,7 +287,7 @@ public class SpNegoContext implements GSSContextSpi {
throws GSSException {
byte[] retVal = null;
NegTokenInit initToken = null;
NegTokenInit initToken;
byte[] mechToken = null;
int errorCode = GSSException.FAILURE;
@ -582,7 +584,6 @@ public class SpNegoContext implements GSSContextSpi {
state = STATE_IN_PROCESS;
}
} else {
negoResult = SpNegoToken.NegoResult.REJECT;
state = STATE_DELETED;
throw new GSSException(GSSException.FAILURE);
}
@ -642,7 +643,6 @@ public class SpNegoContext implements GSSContextSpi {
state = STATE_IN_PROCESS;
}
} else {
negoResult = SpNegoToken.NegoResult.REJECT;
state = STATE_DELETED;
throw new GSSException(GSSException.FAILURE);
}
@ -709,8 +709,7 @@ public class SpNegoContext implements GSSContextSpi {
// insert in SEQUENCE
DerOutputStream mechTypeList = new DerOutputStream();
mechTypeList.write(DerValue.tag_Sequence, mech);
byte[] encoded = mechTypeList.toByteArray();
return encoded;
return mechTypeList.toByteArray();
}
/**
@ -730,7 +729,7 @@ public class SpNegoContext implements GSSContextSpi {
}
// Only called on acceptor side. On the initiator side, most flags
// are already set at request. For those that might get chanegd,
// are already set at request. For those that might get changed,
// state from mech below is used.
private void setContextFlags() {
@ -824,7 +823,7 @@ public class SpNegoContext implements GSSContextSpi {
}
// now verify the token
boolean valid = false;
boolean valid;
try {
MessageProp prop = new MessageProp(0, true);
verifyMIC(token, 0, token.length, mechTypes,
@ -844,7 +843,7 @@ public class SpNegoContext implements GSSContextSpi {
* call gss_init_sec_context for the corresponding underlying mechanism
*/
private byte[] GSS_initSecContext(byte[] token) throws GSSException {
byte[] tok = null;
byte[] tok;
if (mechContext == null) {
// initialize mech context
@ -874,11 +873,7 @@ public class SpNegoContext implements GSSContextSpi {
}
// pass token
if (token != null) {
tok = token;
} else {
tok = new byte[0];
}
tok = Objects.requireNonNullElseGet(token, () -> new byte[0]);
// pass token to mechanism initSecContext
byte[] init_token = mechContext.initSecContext(tok, 0, tok.length);
@ -1099,10 +1094,7 @@ public class SpNegoContext implements GSSContextSpi {
return null;
}
// determine delegated cred element usage
boolean initiate = false;
if (delegCred.getUsage() == GSSCredential.INITIATE_ONLY) {
initiate = true;
}
boolean initiate = delegCred.getUsage() == GSSCredential.INITIATE_ONLY;
GSSCredentialSpi mechCred =
delegCred.getElement(internal_mech, initiate);
SpNegoCredElement cred = new SpNegoCredElement(mechCred);
@ -1123,7 +1115,7 @@ public class SpNegoContext implements GSSContextSpi {
}
}
public final byte[] wrap(byte inBuf[], int offset, int len,
public final byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException {
if (mechContext != null) {
return mechContext.wrap(inBuf, offset, len, msgProp);
@ -1144,7 +1136,7 @@ public class SpNegoContext implements GSSContextSpi {
}
}
public final byte[] unwrap(byte inBuf[], int offset, int len,
public final byte[] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp)
throws GSSException {
if (mechContext != null) {
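Review bot: In `GSS_initSecContext`, `byte[] tok;` is declared at the top of the method but, as far as the two hunks show, assigned only once, immediately before `mechContext.initSecContext(tok, 0, tok.length)`. The declaration can be merged with that assignment, `byte[] tok = Objects.requireNonNullElseGet(token, () -> new byte[0]);`, so the variable cannot be read before it has a value. A plain conditional, `token != null ? token : new byte[0]`, would do the same without a lambda. The lines between the two hunks are not shown, so this assumes `tok` is not used there.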

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -40,7 +40,7 @@ import sun.security.jgss.spi.GSSCredentialSpi;
*/
public class SpNegoCredElement implements GSSCredentialSpi {
private GSSCredentialSpi cred = null;
private final GSSCredentialSpi cred;
public SpNegoCredElement(GSSCredentialSpi cred) throws GSSException {
this.cred = cred;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -52,7 +52,7 @@ public final class SpNegoMechFactory implements MechanismFactory {
static final Oid GSS_SPNEGO_MECH_OID =
GSSUtil.createOid("1.3.6.1.5.5.2");
private static Oid[] nameTypes =
private static final Oid[] nameTypes =
new Oid[] { GSSName.NT_USER_NAME,
GSSName.NT_HOSTBASED_SERVICE,
GSSName.NT_EXPORT_NAME};
@ -182,7 +182,7 @@ public final class SpNegoMechFactory implements MechanismFactory {
return new SpNegoContext(this, exportedContext);
}
public final Oid getMechanismOid() {
public Oid getMechanismOid() {
return GSS_SPNEGO_MECH_OID;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,14 +25,16 @@
package sun.security.jgss.spnego;
import java.io.*;
import java.util.*;
import org.ietf.jgss.*;
import sun.security.util.*;
import sun.security.jgss.*;
import org.ietf.jgss.GSSException;
import sun.security.jgss.GSSToken;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import java.io.IOException;
/**
* Astract class for SPNEGO tokens.
* Abstract class for SPNEGO tokens.
* Implementation is based on RFC 2478
*
* NegotiationToken ::= CHOICE {
@ -49,13 +51,13 @@ abstract class SpNegoToken extends GSSToken {
static final int NEG_TOKEN_INIT_ID = 0x00;
static final int NEG_TOKEN_TARG_ID = 0x01;
static enum NegoResult {
enum NegoResult {
ACCEPT_COMPLETE,
ACCEPT_INCOMPLETE,
REJECT,
};
}
private int tokenType;
private final int tokenType;
// property
static final boolean DEBUG = SpNegoContext.DEBUG;
@ -149,26 +151,6 @@ abstract class SpNegoToken extends GSSToken {
}
}
/**
* Returns the enumerated type of the Negotiation result.
*
* @param result the negotiated result represented by integer
* @return the enumerated type of Negotiated result
*/
static NegoResult getNegoResultType(int result) {
switch (result) {
case 0:
return NegoResult.ACCEPT_COMPLETE;
case 1:
return NegoResult.ACCEPT_INCOMPLETE;
case 2:
return NegoResult.REJECT;
default:
// unknown - return optimistic result
return NegoResult.ACCEPT_COMPLETE;
}
}
/**
* Returns a string representing the negotiation result.
*

@ -40,9 +40,9 @@ import sun.security.jgss.spi.GSSNameSpi;
public class GSSCredElement implements GSSCredentialSpi {
private final Cleaner.Cleanable cleanable;
private int usage;
private final int usage;
final long pCred; // Pointer to the gss_cred_id_t structure
private GSSNameElement name = null;
private GSSNameElement name;
private final GSSLibStub cStub;
// Perform the necessary ServicePermission check on this cred

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,13 +25,12 @@
package sun.security.jgss.wrapper;
import java.util.Hashtable;
import org.ietf.jgss.Oid;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.GSSException;
import sun.security.jgss.GSSUtil;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import java.util.Hashtable;
/**
* This class is essentially a JNI calling stub for all wrapper classes.
@ -42,7 +41,7 @@ import sun.security.jgss.GSSUtil;
class GSSLibStub {
private Oid mech;
private final Oid mech;
private long pMech; // Warning: used by NativeUtil.c
/**
@ -94,8 +93,8 @@ class GSSLibStub {
native byte[] wrap(long pContext, byte[] msg, MessageProp prop);
native byte[] unwrap(long pContext, byte[] msgToken, MessageProp prop);
private static Hashtable<Oid, GSSLibStub>
table = new Hashtable<Oid, GSSLibStub>(5);
private static final Hashtable<Oid, GSSLibStub>
table = new Hashtable<>(5);
static GSSLibStub getInstance(Oid mech) throws GSSException {
GSSLibStub s = table.get(mech);

@ -25,21 +25,21 @@
package sun.security.jgss.wrapper;
import org.ietf.jgss.*;
import java.lang.ref.Cleaner;
import java.security.Provider;
import java.security.Security;
import java.io.IOException;
import sun.security.krb5.Realm;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSExceptionImpl;
import sun.security.jgss.GSSUtil;
import sun.security.util.ObjectIdentifier;
import sun.security.jgss.spi.GSSNameSpi;
import sun.security.krb5.Realm;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.jgss.GSSUtil;
import sun.security.jgss.GSSExceptionImpl;
import sun.security.jgss.spi.GSSNameSpi;
import sun.security.util.ObjectIdentifier;
import javax.security.auth.kerberos.ServicePermission;
import java.io.IOException;
import java.lang.ref.Cleaner;
import java.security.Provider;
/**
* This class is essentially a wrapper class for the gss_name_t
@ -133,7 +133,7 @@ public class GSSNameElement implements GSSNameSpi {
// Need to add back the mech Oid portion (stripped
// off by GSSNameImpl class prior to calling this
// method) for "NT_EXPORT_NAME"
byte[] mechBytes = null;
byte[] mechBytes;
DerOutputStream dout = new DerOutputStream();
Oid mech = cStub.getMech();
try {
@ -190,7 +190,7 @@ public class GSSNameElement implements GSSNameSpi {
}
private void setPrintables() throws GSSException {
Object[] printables = null;
Object[] printables;
printables = cStub.displayName(pName);
assert((printables != null) && (printables.length == 2));
printableName = (String) printables[0];
@ -203,7 +203,7 @@ public class GSSNameElement implements GSSNameSpi {
// Need to be public for GSSUtil.getSubject()
public String getKrbName() throws GSSException {
long mName = 0;
long mName;
GSSLibStub stub = cStub;
if (!GSSUtil.isKerberosMech(cStub.getMech())) {
stub = GSSLibStub.getInstance(GSSUtil.GSS_KRB5_MECH_OID);
@ -253,7 +253,7 @@ public class GSSNameElement implements GSSNameSpi {
int mechOidLen = (((0xFF & nameVal[pos++]) << 8) |
(0xFF & nameVal[pos++]));
ObjectIdentifier temp = null;
ObjectIdentifier temp;
try {
DerInputStream din = new DerInputStream(nameVal, pos,
mechOidLen);
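Review bot: `setPrintables` validates the array returned by `cStub.displayName(pName)` only with `assert`, and assertions are disabled by default. A null or short array from the native stub would therefore surface as a NullPointerException or ArrayIndexOutOfBoundsException on the following lines. An explicit check such as `if (printables == null || printables.length != 2) throw new GSSException(GSSException.FAILURE);` keeps the failure inside the method's declared exception. The split `Object[] printables;` / `printables = cStub.displayName(pName);` left by the cleanup can also become a single declaration. The method body continues past the hunk.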

@ -29,7 +29,7 @@ import java.lang.ref.Cleaner;
import javax.security.auth.kerberos.ServicePermission;
/**
* This class is an utility class for Kerberos related stuff.
* This class is a utility class for Kerberos related stuff.
* @author Valerie Peng
* @since 1.6
*/
@ -44,9 +44,7 @@ class Krb5Util {
String krbPrinc = name.getKrbName();
int atIndex = krbPrinc.indexOf('@');
String realm = krbPrinc.substring(atIndex + 1);
StringBuilder sb = new StringBuilder("krbtgt/");
sb.append(realm).append('@').append(realm);
return sb.toString();
return "krbtgt/" + realm + '@' + realm;
}
// Perform the Service Permission check using the specified
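Review bot: The realm is taken as everything after the first `@` in `krbPrinc`, and `atIndex` is never checked. When `indexOf` returns -1, `substring(atIndex + 1)` yields the whole principal string as the realm, and an `@` inside a name component would split the string at the wrong place. `NativeGSSContext` passes the result of `Krb5Util.getTGSName` into the `DelegationPermission` it checks, so a malformed name should fail rather than produce a made-up TGS principal, e.g. `if (atIndex < 0) throw new GSSException(GSSException.BAD_NAME);`, assuming the method declares `GSSException`. Whether `getKrbName()` always returns a realm-qualified name is not visible here, and the method's signature lies outside the hunk.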

@ -65,7 +65,7 @@ class NativeGSSContext implements GSSContextSpi {
private long pContext = 0; // Pointer to the gss_ctx_id_t structure
private GSSNameElement srcName;
private GSSNameElement targetName;
private boolean isInitiator;
private final boolean isInitiator;
private boolean isEstablished;
private GSSCredElement delegatedCred;
private int flags;
@ -89,7 +89,7 @@ class NativeGSSContext implements GSSContextSpi {
throws GSSException {
Oid mech = null;
if (isInitiator) {
GSSHeader header = null;
GSSHeader header;
try {
header = new GSSHeader(new ByteArrayInputStream(token));
} catch (IOException ioe) {
@ -146,10 +146,8 @@ class NativeGSSContext implements GSSContextSpi {
if (sm != null) {
String targetStr = targetName.getKrbName();
String tgsStr = Krb5Util.getTGSName(targetName);
StringBuilder sb = new StringBuilder("\"");
sb.append(targetStr).append("\" \"");
sb.append(tgsStr).append('\"');
String krbPrincPair = sb.toString();
String krbPrincPair = "\"" + targetStr + "\" \"" +
tgsStr + '\"';
SunNativeProvider.debug("Checking DelegationPermission (" +
krbPrincPair + ")");
DelegationPermission perm =
@ -162,7 +160,7 @@ class NativeGSSContext implements GSSContextSpi {
private byte[] retrieveToken(InputStream is, int mechTokenLen)
throws GSSException {
try {
byte[] result = null;
byte[] result;
if (mechTokenLen != -1) {
// Need to add back the GSS header for a complete GSS token
SunNativeProvider.debug("Precomputed mechToken length: " +
@ -461,7 +459,7 @@ class NativeGSSContext implements GSSContextSpi {
public int unwrap(byte[] inBuf, int inOffset, int len,
byte[] outBuf, int outOffset,
MessageProp msgProp) throws GSSException {
byte[] result = null;
byte[] result;
if ((inOffset != 0) || (len != inBuf.length)) {
byte[] temp = new byte[len];
System.arraycopy(inBuf, inOffset, temp, 0, len);
@ -488,8 +486,8 @@ class NativeGSSContext implements GSSContextSpi {
public int unwrap(InputStream inStream,
byte[] outBuf, int outOffset,
MessageProp msgProp) throws GSSException {
byte[] wrapped = null;
int wLength = 0;
byte[] wrapped;
int wLength;
try {
wrapped = new byte[inStream.available()];
wLength = inStream.read(wrapped);
@ -516,7 +514,7 @@ class NativeGSSContext implements GSSContextSpi {
public void getMIC(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException {
try {
int length = 0;
int length;
byte[] msg = new byte[inStream.available()];
length = inStream.read(msg);
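Review bot: In `unwrap(InputStream, ...)`, the buffer is sized from `inStream.available()` and filled with a single `inStream.read(wrapped)`. `available()` is only an estimate and `read` may return fewer bytes than requested, so a token that arrives in pieces can be truncated before it is processed. `getMIC(InputStream, ...)` in the last hunk has the same pattern with `msg`. Replacing the read with `wLength = inStream.readNBytes(wrapped, 0, wrapped.length);` removes at least the short-read case. Both method bodies continue past their hunks, so how `wLength` and `length` are used afterwards is not shown.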

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,13 +25,18 @@
package sun.security.jgss.wrapper;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.GSSUtil;
import sun.security.jgss.spi.GSSContextSpi;
import sun.security.jgss.spi.GSSCredentialSpi;
import sun.security.jgss.spi.GSSNameSpi;
import sun.security.jgss.spi.MechanismFactory;
import java.security.Provider;
import java.util.Vector;
import org.ietf.jgss.*;
import sun.security.jgss.GSSUtil;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.GSSExceptionImpl;
import sun.security.jgss.spi.*;
import static java.nio.charset.StandardCharsets.UTF_8;
@ -72,7 +77,7 @@ public final class NativeGSSFactory implements MechanismFactory {
public NativeGSSFactory(GSSCaller caller) {
this.caller = caller;
// Have to call setMech(Oid) explicitly before calling other
// methods. Otherwise, NPE may be thrown unexpectantly
// methods. Otherwise, NPE may be thrown unexpectedly
}
public void setMech(Oid mech) throws GSSException {
@ -96,14 +101,14 @@ public final class NativeGSSFactory implements MechanismFactory {
int acceptLifetime,
int usage)
throws GSSException {
GSSNameElement nname = null;
GSSNameElement nname;
if (name != null && !(name instanceof GSSNameElement)) {
nname = (GSSNameElement)
getNameElement(name.toString(), name.getStringNameType());
} else nname = (GSSNameElement) name;
if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
// Force separate acqusition of cred element since
// Force separate acquisition of cred element since
// MIT's impl does not correctly report NO_CRED error.
usage = GSSCredential.INITIATE_ONLY;
}
@ -137,8 +142,7 @@ public final class NativeGSSFactory implements MechanismFactory {
if (peer == null) {
throw new GSSException(GSSException.BAD_NAME);
} else if (!(peer instanceof GSSNameElement)) {
peer = (GSSNameElement)
getNameElement(peer.toString(), peer.getStringNameType());
peer = getNameElement(peer.toString(), peer.getStringNameType());
}
if (myCred == null) {
myCred = getCredFromSubject(null, true);
@ -165,7 +169,7 @@ public final class NativeGSSFactory implements MechanismFactory {
return cStub.importContext(exportedContext);
}
public final Oid getMechanismOid() {
public Oid getMechanismOid() {
return cStub.getMech();
}
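Review bot: In the hunk that declares `GSSNameElement nname;`, the `else` branch is still written unbraced on the closing-brace line, as `} else nname = (GSSNameElement) name;`. With the `= null` initialiser gone, `nname` gets its value only from these two branches, so they should be equally easy to see: `} else { nname = (GSSNameElement) name; }`. The method's signature starts outside the hunk.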

@ -25,6 +25,7 @@
package sun.security.jgss.wrapper;
import java.io.Serial;
import java.util.HashMap;
import java.security.Provider;
import java.security.AccessController;
@ -46,6 +47,7 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
public final class SunNativeProvider extends Provider {
@Serial
private static final long serialVersionUID = -238911724858694204L;
private static final String NAME = "SunNativeGSS";

@ -1,4 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -66,7 +67,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
*/
/* V4 of the credentials cache format allows for header tags */
private static boolean DEBUG = Krb5.DEBUG;
private static final boolean DEBUG = Krb5.DEBUG;
public CCacheInputStream(InputStream is){
super(is);
@ -109,8 +110,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
*/
// made public for KinitOptions to call directly
public PrincipalName readPrincipal(int version) throws IOException, RealmException {
int type, length, namelength, kret;
String[] pname = null;
int type, length, namelength;
String realm;
/* Read principal type */
if (version == KRB5_FCC_FVNO_1) {
@ -119,7 +119,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
type = read(4);
}
length = readLength4();
List<String> result = new ArrayList<String>();
List<String> result = new ArrayList<>();
/*
* DCE includes the principal's realm in the count; the new format
* does not.
@ -141,13 +141,13 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
}
return new PrincipalName(
type,
result.toArray(new String[result.size()]),
result.toArray(new String[0]),
new Realm(realm));
}
try {
return new PrincipalName(
type,
result.toArray(new String[result.size()]),
result.toArray(new String[0]),
Realm.getDefault());
} catch (RealmException re) {
return null;
@ -200,10 +200,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
}
boolean readskey() throws IOException {
if (read() == 0) {
return false;
}
else return true;
return read() != 0;
}
HostAddress[] readAddr() throws IOException, KrbApErrException {
@ -225,7 +222,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
result[j] = (byte)read(1);
addrs.add(new HostAddress(addrType, result));
}
return addrs.toArray(new HostAddress[addrs.size()]);
return addrs.toArray(new HostAddress[0]);
}
return null;
}
@ -235,14 +232,14 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
num = readLength4();
if (num > 0) {
List<AuthorizationDataEntry> auData = new ArrayList<>();
byte[] data = null;
byte[] data;
for (int i = 0; i < num; i++) {
adtype = read(2);
adlength = readLength4();
data = IOUtils.readExactlyNBytes(this, adlength);
auData.add(new AuthorizationDataEntry(adtype, data));
}
return auData.toArray(new AuthorizationDataEntry[auData.size()]);
return auData.toArray(new AuthorizationDataEntry[0]);
}
else return null;
}
@ -329,9 +326,9 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
* @return the next cred or config entry, null if data unparseable.
*
* When data is unparseable, this method makes sure the correct number of
* bytes are consumed so it's safe to start reading the next element.
* bytes are consumed, so it's safe to start reading the next element.
*/
Object readCred(int version) throws IOException,RealmException, KrbApErrException, Asn1Exception {
Object readCred(int version) throws IOException, RealmException, KrbApErrException, Asn1Exception {
PrincipalName cpname = null;
try {
cpname = readPrincipal(version);
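Review bot: `readskey()` now returns `read() != 0`, which, like the code it replaces, reports `true` when the stream is exhausted, if `read()` here is the usual `InputStream.read()` that returns -1 at end of data. For a truncated cache file, that turns a missing byte into a set flag instead of an error. Reading into a local and rejecting -1 would make the truncation visible: `int b = read();`, then `if (b < 0) throw new EOFException();`, then `return b != 0;`. The method already declares `IOException`, and the file's `java.io` imports are not visible in this section.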

@ -1,4 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -189,7 +190,7 @@ public class Credentials {
//
// This class is for the initiator side. Also, authdata inside a ccache
// is most likely to be the one in Authenticator in PA-TGS-REQ encoded
// in TGS-REQ, therefore only stored with a service ticket. Currently
// in TGS-REQ, therefore only stored with a service ticket. Currently,
// in Java, we only reads TGTs.
return new sun.security.krb5.Credentials(ticket, cname, null, sname,
null, key, flags, authtime, starttime, endtime, renewTill,

@ -1,4 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -37,13 +38,12 @@ import java.util.List;
import java.io.IOException;
/**
* CredentialsCache stores credentials(tickets, session keys, etc) in a semi-permanent store
* CredentialsCache stores credentials(tickets, session keys, etc.) in a semi-permanent store
* for later use by different program.
*
* @author Yanni Zhang
*/
public abstract class CredentialsCache {
static CredentialsCache singleton = null;
static String cacheName;
public static CredentialsCache getInstance(PrincipalName principal) {

@ -1,4 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -43,21 +44,21 @@ public interface FileCCacheConstants {
*
* FCC version 3 contains keyblock encryption type information, and is
* architecture independent. Previous versions are not. */
public final int KRB5_FCC_FVNO_1 = 0x501;
public final int KRB5_FCC_FVNO_2 = 0x502;
public final int KRB5_FCC_FVNO_3 = 0x503;
public final int KRB5_FCC_FVNO_4 = 0x504;
public final int FCC_TAG_DELTATIME = 1;
public final int KRB5_NT_UNKNOWN = 0;
public final int TKT_FLG_FORWARDABLE = 0x40000000;
public final int TKT_FLG_FORWARDED = 0x20000000;
public final int TKT_FLG_PROXIABLE = 0x10000000;
public final int TKT_FLG_PROXY = 0x08000000;
public final int TKT_FLG_MAY_POSTDATE = 0x04000000;
public final int TKT_FLG_POSTDATED = 0x02000000;
public final int TKT_FLG_INVALID = 0x01000000;
public final int TKT_FLG_RENEWABLE = 0x00800000;
public final int TKT_FLG_INITIAL = 0x00400000;
public final int TKT_FLG_PRE_AUTH = 0x00200000;
public final int TKT_FLG_HW_AUTH = 0x00100000;
int KRB5_FCC_FVNO_1 = 0x501;
int KRB5_FCC_FVNO_2 = 0x502;
int KRB5_FCC_FVNO_3 = 0x503;
int KRB5_FCC_FVNO_4 = 0x504;
int FCC_TAG_DELTATIME = 1;
int KRB5_NT_UNKNOWN = 0;
int TKT_FLG_FORWARDABLE = 0x40000000;
int TKT_FLG_FORWARDED = 0x20000000;
int TKT_FLG_PROXIABLE = 0x10000000;
int TKT_FLG_PROXY = 0x08000000;
int TKT_FLG_MAY_POSTDATE = 0x04000000;
int TKT_FLG_POSTDATED = 0x02000000;
int TKT_FLG_INVALID = 0x01000000;
int TKT_FLG_RENEWABLE = 0x00800000;
int TKT_FLG_INITIAL = 0x00400000;
int TKT_FLG_PRE_AUTH = 0x00200000;
int TKT_FLG_HW_AUTH = 0x00100000;
}

@ -39,6 +39,7 @@ import sun.security.krb5.internal.*;
import sun.security.util.SecurityProperties;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@ -54,7 +55,7 @@ import java.io.InputStreamReader;
import static java.nio.charset.StandardCharsets.ISO_8859_1;
/**
* CredentialsCache stores credentials(tickets, session keys, etc) in a
* CredentialsCache stores credentials(tickets, session keys, etc.) in a
* semi-permanent store
* for later use by different program.
*
@ -68,8 +69,7 @@ public class FileCredentialsCache extends CredentialsCache
public Tag tag; // optional
public PrincipalName primaryPrincipal;
private Vector<Credentials> credentialsList;
private static String dir;
private static boolean DEBUG = Krb5.DEBUG;
private static final boolean DEBUG = Krb5.DEBUG;
public static synchronized FileCredentialsCache acquireInstance(
PrincipalName principal, String cache) {
@ -139,9 +139,7 @@ public class FileCredentialsCache extends CredentialsCache
boolean exists(String cache) {
File file = new File(cache);
if (file.exists()) {
return true;
} else return false;
return file.exists();
}
synchronized void init(PrincipalName principal, String name)
@ -176,7 +174,7 @@ public class FileCredentialsCache extends CredentialsCache
}
} else
primaryPrincipal = p;
credentialsList = new Vector<Credentials>();
credentialsList = new Vector<>();
while (cis.available() > 0) {
Object cred = cis.readCred(version);
if (cred != null) {
@ -203,7 +201,7 @@ public class FileCredentialsCache extends CredentialsCache
if (credentialsList.isEmpty()) {
credentialsList.addElement(c);
} else {
Credentials tmp = null;
Credentials tmp;
boolean matched = false;
for (int i = 0; i < credentialsList.size(); i++) {
@ -224,7 +222,7 @@ public class FileCredentialsCache extends CredentialsCache
}
}
}
if (matched == false) {
if (!matched) {
if (DEBUG) {
System.out.println(" >>> FileCredentialsCache Ticket "
+ "not exactly matched, "
@ -249,7 +247,7 @@ public class FileCredentialsCache extends CredentialsCache
try (FileOutputStream fos = new FileOutputStream(cacheName);
CCacheOutputStream cos = new CCacheOutputStream(fos)) {
cos.writeHeader(primaryPrincipal, version);
Credentials[] tmp = null;
Credentials[] tmp;
if ((tmp = getCredsList()) != null) {
for (int i = 0; i < tmp.length; i++) {
cos.addCreds(tmp[i]);
@ -310,7 +308,7 @@ public class FileCredentialsCache extends CredentialsCache
}
}
private List<ConfigEntry> configEntries = new ArrayList<>();
private final List<ConfigEntry> configEntries = new ArrayList<>();
@Override
public void addConfigEntry(ConfigEntry e) {
@ -451,18 +449,15 @@ public class FileCredentialsCache extends CredentialsCache
// http://docs.oracle.com/cd/E19082-01/819-2252/6n4i8rtr3/index.html
@SuppressWarnings("removal")
String name = java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<String>() {
@Override
public String run() {
String cache = System.getenv("KRB5CCNAME");
if (cache != null &&
(cache.length() >= 5) &&
cache.regionMatches(true, 0, "FILE:", 0, 5)) {
cache = cache.substring(5);
}
return cache;
}
});
(PrivilegedAction<String>) () -> {
String cache = System.getenv("KRB5CCNAME");
if (cache != null &&
(cache.length() >= 5) &&
cache.regionMatches(true, 0, "FILE:", 0, 5)) {
cache = cache.substring(5);
}
return cache;
});
if (name != null) {
if (DEBUG) {
System.out.println(">>>KinitOptions cache name is " + name);
@ -528,7 +523,7 @@ public class FileCredentialsCache extends CredentialsCache
}
public static String checkValidation(String name) {
String fullname = null;
String fullname;
if (name == null) {
return null;
}
@ -565,18 +560,16 @@ public class FileCredentialsCache extends CredentialsCache
@SuppressWarnings("removal")
Process p =
java.security.AccessController.doPrivileged
(new java.security.PrivilegedAction<Process> () {
public Process run() {
try {
return (Runtime.getRuntime().exec(command));
} catch (java.io.IOException e) {
if (DEBUG) {
e.printStackTrace();
}
return null;
}
((PrivilegedAction<Process>) () -> {
try {
return (Runtime.getRuntime().exec(command));
} catch (IOException e) {
if (DEBUG) {
e.printStackTrace();
}
});
return null;
}
});
if (p == null) {
// exception occurred during executing the command
return null;
@ -585,7 +578,7 @@ public class FileCredentialsCache extends CredentialsCache
BufferedReader commandResult =
new BufferedReader
(new InputStreamReader(p.getInputStream(), ISO_8859_1));
String s1 = null;
String s1;
if ((command.length == 1) &&
(command[0].equals("/usr/bin/env"))) {
while ((s1 = commandResult.readLine()) != null) {
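Review bot: The save hunk opens the cache with `new FileOutputStream(cacheName)`, which creates the file with the process's default permissions. Nothing visible restricts it to the owner, even though the class comment says it stores tickets and session keys. Unless permissions are set elsewhere in the class, the file should be created owner-only before anything is written to it, for example with `Files.createFile` and a `PosixFilePermissions` attribute of `rw-------` on POSIX file systems. The enclosing method starts and ends outside the hunk.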

@ -1,4 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,10 +31,11 @@
package sun.security.krb5.internal.ccache;
import sun.security.krb5.*;
import sun.security.krb5.internal.*;
import java.io.IOException;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import java.io.File;
import java.io.IOException;
//Windows supports the "API: cache" type, which is a shared memory cache. This is
//implemented by krbcc32.dll as part of the MIT Kerberos for Win32 distribution.

@ -1,4 +1,5 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,7 +31,6 @@
package sun.security.krb5.internal.ccache;
import sun.security.krb5.*;
import java.io.ByteArrayOutputStream;
/**