Merge

7ec8dba2 · ohair · 46a26da4 · 2c94c689 · 7ec8dba2 · 7ec8dba2
8 changed file
--- a/src/share/classes/org/ietf/jgss/GSSName.java
+++ b/src/share/classes/org/ietf/jgss/GSSName.java
 /*
- * Copyright 2000 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -103,11 +103,12 @@ public interface GSSName {
     * follows: service@hostname.<p>
     *
     * It represents the following Oid value:<br>
-     * <code>{ 1(iso), 3(org), 6(dod), 1(internet), 5(security),
-     * 6(nametypes), 2(gss-host-based-services) }</code>
+     *  <code>{ iso(1) member-body(2) United
+     * States(840) mit(113554) infosys(1) gssapi(2) generic(1) service_name(4)
+     * }</code>
     */
    public static final Oid NT_HOSTBASED_SERVICE
-        = Oid.getInstance("1.3.6.1.5.6.2");
+        = Oid.getInstance("1.2.840.113554.1.2.1.4");

    /**
     * Name type to indicate a named user on a local system.<p>

--- a/src/share/classes/sun/security/jgss/GSSManagerImpl.java
+++ b/src/share/classes/sun/security/jgss/GSSManagerImpl.java
 /*
- * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -89,6 +89,11 @@ public class GSSManagerImpl extends GSSManager {
        Oid[] retVal = new Oid[mechs.length];
        int pos = 0;

+        // Compatibility with RFC 2853 old NT_HOSTBASED_SERVICE value.
+        if (nameType.equals(GSSNameImpl.oldHostbasedServiceName)) {
+            nameType = GSSName.NT_HOSTBASED_SERVICE;
+        }
+
        // Iterate thru all mechs in GSS
        for (int i = 0; i < mechs.length; i++) {
            // what nametypes does this mech support?

--- a/src/share/classes/sun/security/jgss/GSSNameImpl.java
+++ b/src/share/classes/sun/security/jgss/GSSNameImpl.java
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -81,6 +81,29 @@ import sun.security.util.DerOutputStream;

 public class GSSNameImpl implements GSSName {

+    /**
+     * The old Oid used in RFC 2853. Now supported as
+     * input parameters in:
+     *
+     * 1. The four overloaded GSSManager.createName(*) methods
+     * 2. GSSManager.getMechsForName(Oid)
+     *
+     * Note that even if a GSSName is created with this old Oid,
+     * its internal name type and getStringNameType() output are
+     * always the new value.
+     */
+    final static Oid oldHostbasedServiceName;
+
+    static {
+        Oid tmp = null;
+        try {
+            tmp = new Oid("1.3.6.1.5.6.2");
+        } catch (Exception e) {
+            // should never happen
+        }
+        oldHostbasedServiceName = tmp;
+    }
+
    private GSSManagerImpl gssManager = null;

    /*
@@ -134,6 +157,9 @@ public class GSSNameImpl implements GSSName {
                        Oid mech)
        throws GSSException {

+        if (oldHostbasedServiceName.equals(appNameType)) {
+            appNameType = GSSName.NT_HOSTBASED_SERVICE;
+        }
        if (appName == null)
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                                   "Cannot import null name");

--- a/src/share/classes/sun/security/jgss/GSSUtil.java
+++ b/src/share/classes/sun/security/jgss/GSSUtil.java
 /*
- * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -66,9 +66,6 @@ public class GSSUtil {
    public static final Oid NT_GSS_KRB5_PRINCIPAL =
                GSSUtil.createOid("1.2.840.113554.1.2.2.1");

-    public static final Oid NT_HOSTBASED_SERVICE2 =
-                GSSUtil.createOid("1.2.840.113554.1.2.1.4");
-
    private static final String DEFAULT_HANDLER =
            "auth.login.defaultCallbackHandler";


--- a/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java
+++ b/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java
 /*
- * Copyright 2005-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -55,8 +55,7 @@ public class GSSNameElement implements GSSNameSpi {
    static final GSSNameElement DEF_ACCEPTOR = new GSSNameElement();

    private static Oid getNativeNameType(Oid nameType, GSSLibStub stub) {
-        if (GSSUtil.NT_GSS_KRB5_PRINCIPAL.equals(nameType) ||
-            GSSName.NT_HOSTBASED_SERVICE.equals(nameType)) {
+        if (GSSUtil.NT_GSS_KRB5_PRINCIPAL.equals(nameType)) {
            Oid[] supportedNTs = null;
            try {
                supportedNTs = stub.inquireNamesForMech();
@@ -83,15 +82,9 @@ public class GSSNameElement implements GSSNameSpi {
                    if (supportedNTs[i].equals(nameType)) return nameType;
                }
                // Special handling the specified name type
-                if (GSSUtil.NT_GSS_KRB5_PRINCIPAL.equals(nameType)) {
-                    SunNativeProvider.debug("Override " + nameType +
-                        " with mechanism default(null)");
-                    return null; // Use mechanism specific default
-                } else {
-                    SunNativeProvider.debug("Override " + nameType +
-                        " with " + GSSUtil.NT_HOSTBASED_SERVICE2);
-                    return GSSUtil.NT_HOSTBASED_SERVICE2;
-                }
+                SunNativeProvider.debug("Override " + nameType +
+                    " with mechanism default(null)");
+                return null; // Use mechanism specific default
            }
        }
        return nameType;

--- a/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
+++ b/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
 /*
- * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -50,11 +50,12 @@ import sun.security.krb5.internal.EncTicketPart;
 import sun.security.krb5.internal.crypto.KeyUsage;

 import sun.security.jgss.krb5.Krb5Util;
+import sun.security.krb5.KrbException;
+import sun.security.krb5.internal.Krb5;

 import sun.security.ssl.Debug;
 import sun.security.ssl.HandshakeInStream;
 import sun.security.ssl.HandshakeOutStream;
-import sun.security.ssl.KerberosClientKeyExchange;
 import sun.security.ssl.ProtocolVersion;

 /**
@@ -188,7 +189,14 @@ public final class KerberosClientKeyExchangeImpl
            // See if we have the right key to decrypt the ticket to get
            // the session key.
            int encPartKeyType = encPart.getEType();
-            KerberosKey dkey = findKey(encPartKeyType, serverKeys);
+            Integer encPartKeyVersion = encPart.getKeyVersionNumber();
+            KerberosKey dkey = null;
+            try {
+                dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
+            } catch (KrbException ke) { // a kvno mismatch
+                throw new IOException(
+                        "Cannot find key matching version number", ke);
+            }
            if (dkey == null) {
                // %%% Should print string repr of etype
                throw new IOException(
@@ -355,12 +363,34 @@ public final class KerberosClientKeyExchangeImpl
        return localPrincipal;
    }

-    private static KerberosKey findKey(int etype, KerberosKey[] keys) {
+    /**
+     * Determines if a kvno matches another kvno. Used in the method
+     * findKey(etype, version, keys). Always returns true if either input
+     * is null or zero, in case any side does not have kvno info available.
+     *
+     * Note: zero is included because N/A is not a legal value for kvno
+     * in javax.security.auth.kerberos.KerberosKey. Therefore, the info
+     * that the kvno is N/A might be lost when converting between
+     * EncryptionKey and KerberosKey.
+     */
+    private static boolean versionMatches(Integer v1, int v2) {
+        if (v1 == null || v1 == 0 || v2 == 0) {
+            return true;
+        }
+        return v1.equals(v2);
+    }
+
+    private static KerberosKey findKey(int etype, Integer version,
+            KerberosKey[] keys) throws KrbException {
        int ktype;
+        boolean etypeFound = false;
        for (int i = 0; i < keys.length; i++) {
            ktype = keys[i].getKeyType();
            if (etype == ktype) {
-                return keys[i];
+                etypeFound = true;
+                if (versionMatches(version, keys[i].getVersionNumber())) {
+                    return keys[i];
+                }
            }
        }
        // Key not found.
@@ -370,14 +400,20 @@ public final class KerberosClientKeyExchangeImpl
            for (int i = 0; i < keys.length; i++) {
                ktype = keys[i].getKeyType();
                if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
-                    ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
-                    return new KerberosKey(keys[i].getPrincipal(),
-                        keys[i].getEncoded(),
-                        etype,
-                        keys[i].getVersionNumber());
+                        ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
+                    etypeFound = true;
+                    if (versionMatches(version, keys[i].getVersionNumber())) {
+                        return new KerberosKey(keys[i].getPrincipal(),
+                            keys[i].getEncoded(),
+                            etype,
+                            keys[i].getVersionNumber());
+                    }
                }
            }
        }
+        if (etypeFound) {
+            throw new KrbException(Krb5.KRB_AP_ERR_BADKEYVER);
+        }
        return null;
    }
 }
--- a/test/sun/security/krb5/auto/SSL.java
+++ b/test/sun/security/krb5/auto/SSL.java
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2009-2010 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@

 /*
 * @test
- * @bug 6894643
+ * @bug 6894643 6913636
 * @summary Test JSSE Kerberos ciphersuite
 */
 import java.io.*;
@@ -32,12 +32,13 @@ import javax.net.ssl.*;
 import java.security.Principal;
 import java.util.Date;
 import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+import sun.security.krb5.internal.ktab.KeyTab;

 public class SSL {

    private static final String KRB5_CIPHER = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";
    private static final int LOOP_LIMIT = 1;
-    private static final char[] PASS = "secret".toCharArray();
    private static int loopCount = 0;
    private static volatile String server;
    private static volatile int port;
@@ -54,12 +55,39 @@ public class SSL {

        kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
        kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
-        kdc.addPrincipal("host/" + server, PASS);
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
        System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);

+        // Add 3 versions of keys into keytab
+        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
+        PrincipalName service = new PrincipalName(
+                "host/" + server, PrincipalName.KRB_NT_SRV_HST);
+        ktab.addEntry(service, "pass1".toCharArray(), 1);
+        ktab.addEntry(service, "pass2".toCharArray(), 2);
+        ktab.addEntry(service, "pass3".toCharArray(), 3);
+        ktab.save();
+
+        // and use the middle one as the real key
+        kdc.addPrincipal("host/" + server, "pass2".toCharArray());
+
+        // JAAS config entry name ssl
+        System.setProperty("java.security.auth.login.config", OneKDC.JAAS_CONF);
+        File f = new File(OneKDC.JAAS_CONF);
+        FileOutputStream fos = new FileOutputStream(f);
+        fos.write((
+                "ssl {\n" +
+                "    com.sun.security.auth.module.Krb5LoginModule required\n" +
+                "    principal=\"host/" + server + "\"\n" +
+                "    useKeyTab=true\n" +
+                "    keyTab=" + OneKDC.KTAB + "\n" +
+                "    isInitiator=false\n" +
+                "    storeKey=true;\n};\n"
+                ).getBytes());
+        fos.close();
+        f.deleteOnExit();
+
        final Context c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
-        final Context s = Context.fromUserPass("host/" + server, PASS, true);
+        final Context s = Context.fromJAAS("ssl");

        c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);

--- a/test/sun/security/krb5/auto/Test5653.java
+++ b/test/sun/security/krb5/auto/Test5653.java
+/*
+ * Copyright 2010 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6895424
+ * @summary RFC 5653
+ */
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSUtil;
+
+public class Test5653 {
+
+    public static void main(String[] args)
+            throws Exception {
+
+        Oid oldOid = new Oid("1.3.6.1.5.6.2");
+        new OneKDC(null).writeJAASConf();
+
+        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
+        GSSManager m = GSSManager.getInstance();
+        boolean found = false;
+
+        // Test 1: the getMechsForName() method accepts it.
+        for (Oid tmp: m.getMechsForName(oldOid)) {
+            if (tmp.equals(GSSUtil.GSS_KRB5_MECH_OID)) {
+                found = true;
+                break;
+            }
+        }
+        if (!found) {
+            throw new Exception("Cannot found krb5 mech for old name type");
+        }
+
+        // Test 2: the createName() method accepts it.
+        GSSName name = m.createName("server@host.rabbit.hole", oldOid);
+
+        // Test 3: its getStringNameType() output is correct
+        if (!name.getStringNameType().equals(GSSName.NT_HOSTBASED_SERVICE)) {
+            throw new Exception("GSSName not correct name type");
+        }
+
+        // Test 4: everything still works.
+        GSSContext c1 = m.createContext(
+                name,
+                GSSUtil.GSS_KRB5_MECH_OID,
+                null,
+                GSSContext.DEFAULT_LIFETIME);
+        byte[] token = c1.initSecContext(new byte[0], 0, 0);
+
+        Context s;
+        s = Context.fromJAAS("server");
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.x().acceptSecContext(token, 0, token.length);
+    }
+}