8229951: Better Ticket Granting Services

Reviewed-by: mbalao

src/share/classes/sun/security/krb5/Checksum.java

@@ -69,6 +69,7 @@ public class Checksum {
     // draft-brezak-win2k-krb-rc4-hmac-04.txt
     public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138;
 
+    // default checksum type, -1 if not set
     static int CKSUMTYPE_DEFAULT;
     static int SAFECKSUMTYPE_DEFAULT;
 
@@ -83,26 +84,19 @@ public class Checksum {
         try {
             cfg = Config.getInstance();
             temp = cfg.get("libdefaults", "default_checksum");
-            if (temp != null)
-                {
-                    CKSUMTYPE_DEFAULT = Config.getType(temp);
-                } else {
-                    /*
-                     * If the default checksum is not
-                     * specified in the configuration we
-                     * set it to RSA_MD5. We follow the MIT and
-                     * SEAM implementation.
-                     */
-                    CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
-                }
+            if (temp != null) {
+                CKSUMTYPE_DEFAULT = Config.getType(temp);
+            } else {
+                CKSUMTYPE_DEFAULT = -1;
+            }
         } catch (Exception exc) {
             if (DEBUG) {
                 System.out.println("Exception in getting default checksum "+
-                                   "value from the configuration " +
-                                   "Setting default checksum to be RSA-MD5");
+                                   "value from the configuration. " +
+                                   "No default checksum set.");
                 exc.printStackTrace();
             }
-            CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
+            CKSUMTYPE_DEFAULT = -1;
         }
 
 
@@ -112,117 +106,100 @@ public class Checksum {
                 {
                     SAFECKSUMTYPE_DEFAULT = Config.getType(temp);
                 } else {
-                    SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES;
+                    SAFECKSUMTYPE_DEFAULT = -1;
                 }
         } catch (Exception exc) {
             if (DEBUG) {
                 System.out.println("Exception in getting safe default " +
                                    "checksum value " +
-                                   "from the configuration Setting  " +
-                                   "safe default checksum to be RSA-MD5");
+                                   "from the configuration Setting.  " +
+                                   "No safe default checksum set.");
                 exc.printStackTrace();
             }
-            SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES;
+            SAFECKSUMTYPE_DEFAULT = -1;
         }
     }
 
     /**
      * Constructs a new Checksum using the raw data and type.
+     *
+     * This constructor is only used by Authenticator Checksum
+     * {@link sun.security.jgss.krb5.InitialToken.OverloadedChecksum}
+     * where the checksum type must be 0x8003
+     * (see https://tools.ietf.org/html/rfc4121#section-4.1.1)
+     * and checksum field/value is used to convey service flags,
+     * channel bindings, and optional delegation information.
+     * This special type does NOT have a {@link CksumType} and has its
+     * own calculating and verification rules. It does has the same
+     * ASN.1 encoding though.
+     *
      * @data the byte array of checksum.
      * @new_cksumType the type of checksum.
-     *
      */
-         // used in InitialToken
     public Checksum(byte[] data, int new_cksumType) {
         cksumType = new_cksumType;
         checksum = data;
     }
 
     /**
-     * Constructs a new Checksum by calculating the checksum over the data
-     * using specified checksum type.
-     * @new_cksumType the type of checksum.
-     * @data the data that needs to be performed a checksum calculation on.
+     * Constructs a new Checksum by calculating over the data using
+     * the specified checksum type. If the checksum is unkeyed, key
+     * and usage are ignored.
+     *
+     * @param new_cksumType the type of checksum. If set to -1, the
+     *      {@linkplain EType#checksumType() mandatory checksum type}
+     *      for the encryption type of {@code key} will be used
+     * @param data the data that needs to be performed a checksum calculation on
+     * @param key the key used by a keyed checksum
+     * @param usage the usage used by a keyed checksum
      */
-    public Checksum(int new_cksumType, byte[] data)
-        throws KdcErrException, KrbCryptoException {
-
-        cksumType = new_cksumType;
-        CksumType cksumEngine = CksumType.getInstance(cksumType);
-        if (!cksumEngine.isSafe()) {
-            checksum = cksumEngine.calculateChecksum(data, data.length);
+    public Checksum(int new_cksumType, byte[] data,
+                    EncryptionKey key, int usage)
+            throws KdcErrException, KrbApErrException, KrbCryptoException {
+        if (new_cksumType == -1) {
+            cksumType = EType.getInstance(key.getEType()).checksumType();
         } else {
-            throw new KdcErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
+            cksumType = new_cksumType;
         }
-    }
-
-    /**
-     * Constructs a new Checksum by calculating the keyed checksum
-     * over the data using specified checksum type.
-     * @new_cksumType the type of checksum.
-     * @data the data that needs to be performed a checksum calculation on.
-     */
-         // KrbSafe, KrbTgsReq
-    public Checksum(int new_cksumType, byte[] data,
-                        EncryptionKey key, int usage)
-        throws KdcErrException, KrbApErrException, KrbCryptoException {
-        cksumType = new_cksumType;
-        CksumType cksumEngine = CksumType.getInstance(cksumType);
-        if (!cksumEngine.isSafe())
-            throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
-        checksum =
-            cksumEngine.calculateKeyedChecksum(data,
-                data.length,
-                key.getBytes(),
-                usage);
+        checksum = CksumType.getInstance(cksumType).calculateChecksum(
+                    data, data.length, key.getBytes(), usage);
     }
 
     /**
      * Verifies the keyed checksum over the data passed in.
      */
-    public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key,
-                                        int usage)
-        throws KdcErrException, KrbApErrException, KrbCryptoException {
+    public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key, int usage)
+            throws KdcErrException, KrbApErrException, KrbCryptoException {
         CksumType cksumEngine = CksumType.getInstance(cksumType);
-        if (!cksumEngine.isSafe())
+        if (!cksumEngine.isKeyed()) {
             throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
-        return cksumEngine.verifyKeyedChecksum(data,
-                                               data.length,
-                                               key.getBytes(),
-                                               checksum,
-            usage);
-    }
-
-    // ===============  ATTENTION! Use with care  ==================
-    // According to https://tools.ietf.org/html/rfc3961#section-6.1,
-    // An unkeyed checksum should only be used "in limited circumstances
-    // where the lack of a key does not provide a window for an attack,
-    // preferably as part of an encrypted message".
-    public boolean verifyAnyChecksum(byte[] data, EncryptionKey key,
-            int usage)
-            throws KdcErrException, KrbCryptoException {
-        CksumType cksumEngine = CksumType.getInstance(cksumType);
-        if (!cksumEngine.isSafe()) {
-            return cksumEngine.verifyChecksum(data, checksum);
         } else {
-            return cksumEngine.verifyKeyedChecksum(data,
-                    data.length,
-                    key.getBytes(),
-                    checksum,
-                    usage);
+            return cksumEngine.verifyChecksum(
+                    data, data.length, key.getBytes(), checksum, usage);
         }
     }
 
-    /*
-    public Checksum(byte[] data) throws KdcErrException, KrbCryptoException {
-        this(Checksum.CKSUMTYPE_DEFAULT, data);
+
+    /**
+     * Verifies the checksum over the data passed in. The checksum might
+     * be a keyed or not.
+     *
+     * ===============  ATTENTION! Use with care  ==================
+     * According to https://tools.ietf.org/html/rfc3961#section-6.1,
+     * An unkeyed checksum should only be used "in limited circumstances
+     * where the lack of a key does not provide a window for an attack,
+     * preferably as part of an encrypted message".
+     */
+    public boolean verifyAnyChecksum(byte[] data, EncryptionKey key, int usage)
+            throws KdcErrException, KrbCryptoException {
+        return CksumType.getInstance(cksumType).verifyChecksum(
+                data, data.length, key.getBytes(), checksum, usage);
     }
-    */
 
     boolean isEqual(Checksum cksum) throws KdcErrException {
-        if (cksumType != cksum.cksumType)
+        if (cksumType != cksum.cksumType) {
             return false;
-        CksumType cksumEngine = CksumType.getInstance(cksumType);
+        }
         return CksumType.isChecksumEqual(checksum, cksum.checksum);
     }
 

src/share/classes/sun/security/krb5/KrbTgsReq.java

@@ -320,26 +320,8 @@ public class KrbTgsReq {
         byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ);
         // if the checksum type is one of the keyed checksum types,
         // use session key.
-        Checksum cksum;
-        switch (Checksum.CKSUMTYPE_DEFAULT) {
-        case Checksum.CKSUMTYPE_RSA_MD4_DES:
-        case Checksum.CKSUMTYPE_DES_MAC:
-        case Checksum.CKSUMTYPE_DES_MAC_K:
-        case Checksum.CKSUMTYPE_RSA_MD4_DES_K:
-        case Checksum.CKSUMTYPE_RSA_MD5_DES:
-        case Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD:
-        case Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR:
-        case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128:
-        case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
-            cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
+        Checksum cksum  = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
                 KeyUsage.KU_PA_TGS_REQ_CKSUM);
-            break;
-        case Checksum.CKSUMTYPE_CRC32:
-        case Checksum.CKSUMTYPE_RSA_MD4:
-        case Checksum.CKSUMTYPE_RSA_MD5:
-        default:
-            cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp);
-        }
 
         // Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR
 

src/share/classes/sun/security/krb5/internal/PAForUserEnc.java

 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -133,6 +133,7 @@ public class PAForUserEnc {
         bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), name.getRealm().asn1Encode());
 
         try {
+            // MS-SFU 2.2.1: use hmac-md5 checksum regardless of key type
             Checksum cks = new Checksum(
                     Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR,
                     getS4UByteArray(),

src/share/classes/sun/security/krb5/internal/crypto/CksumType.java

 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,10 +31,7 @@
 
 package sun.security.krb5.internal.crypto;
 
-import sun.security.krb5.Config;
 import sun.security.krb5.Checksum;
-import sun.security.krb5.EncryptedData;
-import sun.security.krb5.KrbException;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
 
@@ -81,6 +78,7 @@ public abstract class CksumType {
             cksumTypeName =
                 "sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType";
             break;
+
         case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
             cksumType = new HmacSha1Aes256CksumType();
             cksumTypeName =
@@ -117,32 +115,11 @@ public abstract class CksumType {
         return cksumType;
     }
 
-
-    /**
-     * Returns default checksum type.
-     */
-    public static CksumType getInstance() throws KdcErrException {
-        // this method provided for Kerberos applications.
-        int cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
-        try {
-            Config c = Config.getInstance();
-            if ((cksumType = (Config.getType(c.get("libdefaults",
-                    "ap_req_checksum_type")))) == - 1) {
-                if ((cksumType = Config.getType(c.get("libdefaults",
-                        "checksum_type"))) == -1) {
-                    cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
-                }
-            }
-        } catch (KrbException e) {
-        }
-        return getInstance(cksumType);
-    }
-
     public abstract int confounderSize();
 
     public abstract int cksumType();
 
-    public abstract boolean isSafe();
+    public abstract boolean isKeyed();
 
     public abstract int cksumSize();
 
@@ -150,18 +127,12 @@ public abstract class CksumType {
 
     public abstract int keySize();
 
-    public abstract byte[] calculateChecksum(byte[] data, int size)
-        throws KrbCryptoException;
-
-    public abstract byte[] calculateKeyedChecksum(byte[] data, int size,
+    // Note: key and usage will be ignored for an unkeyed checksum.
+    public abstract byte[] calculateChecksum(byte[] data, int size,
         byte[] key, int usage) throws KrbCryptoException;
 
-    public boolean verifyChecksum(byte[] data, byte[] checksum)
-            throws KrbCryptoException {
-        throw new UnsupportedOperationException("Not supported");
-    }
-
-    public abstract boolean verifyKeyedChecksum(byte[] data, int size,
+    // Note: key and usage will be ignored for an unkeyed checksum.
+    public abstract boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException;
 
     public static boolean isChecksumEqual(byte[] cksum1, byte[] cksum2) {

src/share/classes/sun/security/krb5/internal/crypto/Crc32CksumType.java

@@ -32,7 +32,6 @@ package sun.security.krb5.internal.crypto;
 
 import sun.security.krb5.*;
 import sun.security.krb5.internal.*;
-import java.util.zip.CRC32;
 
 public class Crc32CksumType extends CksumType {
 
@@ -47,7 +46,7 @@ public class Crc32CksumType extends CksumType {
         return Checksum.CKSUMTYPE_CRC32;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return false;
     }
 
@@ -63,18 +62,15 @@ public class Crc32CksumType extends CksumType {
         return 0;
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
+    public byte[] calculateChecksum(byte[] data, int size,
+            byte[] key, int usage) {
         return crc32.byte2crc32sum_bytes(data, size);
     }
 
-    public byte[] calculateKeyedChecksum(byte[] data, int size,
-                                         byte[] key, int usage) {
-                                             return null;
-                                         }
-
-    public boolean verifyKeyedChecksum(byte[] data, int size,
-                                       byte[] key, byte[] checksum, int usage) {
-        return false;
+    public boolean verifyChecksum(byte[] data, int size,
+            byte[] key, byte[] checksum, int usage) {
+        return CksumType.isChecksumEqual(checksum,
+                crc32.byte2crc32sum_bytes(data));
     }
 
     public static byte[] int2quad(long input) {

src/share/classes/sun/security/krb5/internal/crypto/DesCbcCrcEType.java

@@ -53,7 +53,7 @@ public class DesCbcCrcEType extends DesCbcEType {
     }
 
     public int checksumType() {
-        return Checksum.CKSUMTYPE_CRC32;
+        return Checksum.CKSUMTYPE_RSA_MD5;
     }
 
     public int checksumSize() {

src/share/classes/sun/security/krb5/internal/crypto/DesMacCksumType.java

@@ -49,7 +49,7 @@ public class DesMacCksumType extends CksumType {
         return Checksum.CKSUMTYPE_DES_MAC;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -65,10 +65,6 @@ public class DesMacCksumType extends CksumType {
         return 8;
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
-        return null;
-    }
-
     /**
      * Calculates keyed checksum.
      * @param data the data used to generate the checksum.
@@ -78,7 +74,7 @@ public class DesMacCksumType extends CksumType {
      *
      * @modified by Yanni Zhang, 12/08/99.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
         byte[] new_data = new byte[size + confounderSize()];
         byte[] conf = Confounder.bytes(confounderSize());
@@ -130,7 +126,7 @@ public class DesMacCksumType extends CksumType {
      *
      * @modified by Yanni Zhang, 12/08/99.
      */
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
         byte[] cksum = decryptKeyedChecksum(checksum, key);
 

src/share/classes/sun/security/krb5/internal/crypto/DesMacKCksumType.java

@@ -48,7 +48,7 @@ public class DesMacKCksumType extends CksumType {
         return Checksum.CKSUMTYPE_DES_MAC_K;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -64,10 +64,6 @@ public class DesMacKCksumType extends CksumType {
         return 8;
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
-        return null;
-    }
-
     /**
      * Calculates keyed checksum.
      * @param data the data used to generate the checksum.
@@ -77,7 +73,7 @@ public class DesMacKCksumType extends CksumType {
      *
      * @modified by Yanni Zhang, 12/08/99.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
         //check for weak keys
         try {
@@ -93,9 +89,9 @@ public class DesMacKCksumType extends CksumType {
         return cksum;
     }
 
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
-        byte[] new_cksum = calculateKeyedChecksum(data, data.length, key, usage);
+        byte[] new_cksum = calculateChecksum(data, data.length, key, usage);
         return isChecksumEqual(checksum, new_cksum);
     }
 

src/share/classes/sun/security/krb5/internal/crypto/HmacMd5ArcFourCksumType.java

 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
 import sun.security.krb5.Checksum;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
 import java.security.GeneralSecurityException;
 
 /**
@@ -51,7 +49,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
         return Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -67,10 +65,6 @@ public class HmacMd5ArcFourCksumType extends CksumType {
         return 16;   // bytes
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
-        return null;
-    }
-
     /**
      * Calculates keyed checksum.
      * @param data the data used to generate the checksum.
@@ -78,7 +72,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
      * @param key the key used to encrypt the checksum.
      * @return keyed checksum.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
 
          try {
@@ -98,7 +92,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
      * @param checksum
      * @return true if verification is successful.
      */
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
 
          try {

src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes128CksumType.java

 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
 import sun.security.krb5.Checksum;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
 import java.security.GeneralSecurityException;
 
 /*
@@ -51,7 +49,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
         return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -67,10 +65,6 @@ public class HmacSha1Aes128CksumType extends CksumType {
         return 16;   // bytes
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
-        return null;
-    }
-
     /**
      * Calculates keyed checksum.
      * @param data the data used to generate the checksum.
@@ -78,7 +72,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
      * @param key the key used to encrypt the checksum.
      * @return keyed checksum.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
 
          try {
@@ -98,7 +92,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
      * @param checksum
      * @return true if verification is successful.
      */
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
 
          try {

src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Aes256CksumType.java

 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
 import sun.security.krb5.Checksum;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
 import java.security.GeneralSecurityException;
 
 /*
@@ -51,7 +49,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
         return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -67,10 +65,6 @@ public class HmacSha1Aes256CksumType extends CksumType {
         return 32;   // bytes
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
-        return null;
-    }
-
     /**
      * Calculates keyed checksum.
      * @param data the data used to generate the checksum.
@@ -78,7 +72,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
      * @param key the key used to encrypt the checksum.
      * @return keyed checksum.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
 
          try {
@@ -98,7 +92,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
      * @param checksum
      * @return true if verification is successful.
      */
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
 
          try {

src/share/classes/sun/security/krb5/internal/crypto/HmacSha1Des3KdCksumType.java

 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
 import sun.security.krb5.Checksum;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
-import javax.crypto.spec.DESKeySpec;
-import java.security.InvalidKeyException;
 import java.security.GeneralSecurityException;
 
 public class HmacSha1Des3KdCksumType extends CksumType {
@@ -45,7 +43,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
         return Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -61,10 +59,6 @@ public class HmacSha1Des3KdCksumType extends CksumType {
         return 24;   // bytes
     }
 
-    public byte[] calculateChecksum(byte[] data, int size) {
-        return null;
-    }
-
     /**
      * Calculates keyed checksum.
      * @param data the data used to generate the checksum.
@@ -72,7 +66,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
      * @param key the key used to encrypt the checksum.
      * @return keyed checksum.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
 
          try {
@@ -92,7 +86,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
      * @param checksum
      * @return true if verification is successful.
      */
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
 
          try {

src/share/classes/sun/security/krb5/internal/crypto/RsaMd5CksumType.java

@@ -33,8 +33,6 @@ import sun.security.krb5.Checksum;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
 import java.security.MessageDigest;
-import java.security.Provider;
-import java.security.Security;
 
 public final class RsaMd5CksumType extends CksumType {
 
@@ -49,7 +47,7 @@ public final class RsaMd5CksumType extends CksumType {
         return Checksum.CKSUMTYPE_RSA_MD5;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return false;
     }
 
@@ -74,7 +72,8 @@ public final class RsaMd5CksumType extends CksumType {
      * @modified by Yanni Zhang, 12/08/99.
      */
 
-    public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{
+    public byte[] calculateChecksum(byte[] data, int size,
+            byte[] key, int usage) throws KrbCryptoException{
         MessageDigest md5;
         byte[] result = null;
         try {
@@ -91,18 +90,9 @@ public final class RsaMd5CksumType extends CksumType {
         return result;
     }
 
-    public byte[] calculateKeyedChecksum(byte[] data, int size,
-        byte[] key, int usage) throws KrbCryptoException {
-                                             return null;
-                                         }
-
-    public boolean verifyKeyedChecksum(byte[] data, int size,
-        byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
-        return false;
-    }
-
     @Override
-    public boolean verifyChecksum(byte[] data, byte[] checksum)
+    public boolean verifyChecksum(byte[] data, int size,
+            byte[] key, byte[] checksum, int usage)
             throws KrbCryptoException {
         try {
             byte[] calculated = MessageDigest.getInstance("MD5").digest(data);

src/share/classes/sun/security/krb5/internal/crypto/RsaMd5DesCksumType.java

@@ -33,12 +33,8 @@ import sun.security.krb5.Checksum;
 import sun.security.krb5.Confounder;
 import sun.security.krb5.KrbCryptoException;
 import sun.security.krb5.internal.*;
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
 import javax.crypto.spec.DESKeySpec;
 import java.security.MessageDigest;
-import java.security.Provider;
-import java.security.Security;
 import java.security.InvalidKeyException;
 
 public final class RsaMd5DesCksumType extends CksumType {
@@ -54,7 +50,7 @@ public final class RsaMd5DesCksumType extends CksumType {
         return Checksum.CKSUMTYPE_RSA_MD5_DES;
     }
 
-    public boolean isSafe() {
+    public boolean isKeyed() {
         return true;
     }
 
@@ -79,7 +75,7 @@ public final class RsaMd5DesCksumType extends CksumType {
      *
      * @modified by Yanni Zhang, 12/08/99.
      */
-    public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
+    public byte[] calculateChecksum(byte[] data, int size, byte[] key,
         int usage) throws KrbCryptoException {
         //prepend confounder
         byte[] new_data = new byte[size + confounderSize()];
@@ -88,7 +84,7 @@ public final class RsaMd5DesCksumType extends CksumType {
         System.arraycopy(data, 0, new_data, confounderSize(), size);
 
         //calculate md5 cksum
-        byte[] mdc_cksum = calculateChecksum(new_data, new_data.length);
+        byte[] mdc_cksum = calculateRawChecksum(new_data, new_data.length);
         byte[] cksum = new byte[cksumSize()];
         System.arraycopy(conf, 0, cksum, 0, confounderSize());
         System.arraycopy(mdc_cksum, 0, cksum, confounderSize(),
@@ -125,7 +121,7 @@ public final class RsaMd5DesCksumType extends CksumType {
      *
      * @modified by Yanni Zhang, 12/08/99.
      */
-    public boolean verifyKeyedChecksum(byte[] data, int size,
+    public boolean verifyChecksum(byte[] data, int size,
         byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
         //decrypt checksum
         byte[] cksum = decryptKeyedChecksum(checksum, key);
@@ -135,7 +131,7 @@ public final class RsaMd5DesCksumType extends CksumType {
         System.arraycopy(cksum, 0, new_data, 0, confounderSize());
         System.arraycopy(data, 0, new_data, confounderSize(), size);
 
-        byte[] new_cksum = calculateChecksum(new_data, new_data.length);
+        byte[] new_cksum = calculateRawChecksum(new_data, new_data.length);
         //extract original cksum value
         byte[] orig_cksum = new byte[cksumSize() - confounderSize()];
         System.arraycopy(cksum,  confounderSize(), orig_cksum, 0,
@@ -181,7 +177,7 @@ public final class RsaMd5DesCksumType extends CksumType {
      *
      * @modified by Yanni Zhang, 12/08/99.
      */
-    public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{
+    private byte[] calculateRawChecksum(byte[] data, int size) throws KrbCryptoException{
         MessageDigest md5;
         byte[] result = null;
         try {
@@ -197,5 +193,4 @@ public final class RsaMd5DesCksumType extends CksumType {
         }
         return result;
     }
-
 }

test/sun/security/krb5/auto/KDC.java

@@ -726,7 +726,7 @@ public class KDC {
      * @return the key
      * @throws sun.security.krb5.KrbException for unknown/unsupported etype
      */
-    private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
+    EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
             throws KrbException {
         try {
             // Do not call EncryptionKey.acquireSecretKeys(), otherwise
@@ -797,7 +797,7 @@ public class KDC {
             int e2 = eTypes[0];     // etype for outgoing session key
             int e3 = eTypes[0];     // etype for outgoing ticket
 
-            PAData[] pas = KDCReqDotPAData(tgsReq);
+            PAData[] pas = tgsReq.pAData;
 
             Ticket tkt = null;
             EncTicketPart etp = null;
@@ -828,7 +828,6 @@ public class KDC {
                 for (PAData pa: pas) {
                     if (pa.getType() == Krb5.PA_TGS_REQ) {
                         APReq apReq = new APReq(pa.getValue());
-                        EncryptedData ed = apReq.authenticator;
                         tkt = apReq.ticket;
                         int te = tkt.encPart.getEType();
                         EncryptionKey kkey = keyForUser(tkt.sname, te, true);
@@ -1282,7 +1281,7 @@ public class KDC {
                 outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
             }
 
-            PAData[] inPAs = KDCReqDotPAData(asReq);
+            PAData[] inPAs = asReq.pAData;
             List<PAData> enc_outPAs = new ArrayList<>();
 
             byte[] paEncTimestamp = null;
@@ -2100,7 +2099,6 @@ public class KDC {
     }
 
     // Calling private methods thru reflections
-    private static final Field getPADataField;
     private static final Field getEType;
     private static final Constructor<EncryptedData> ctorEncryptedData;
     private static final Method stringToKey;
@@ -2110,8 +2108,6 @@ public class KDC {
         try {
             ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class);
             ctorEncryptedData.setAccessible(true);
-            getPADataField = KDCReq.class.getDeclaredField("pAData");
-            getPADataField.setAccessible(true);
             getEType = KDCReqBody.class.getDeclaredField("eType");
             getEType.setAccessible(true);
             stringToKey = EncryptionKey.class.getDeclaredMethod(
@@ -2133,13 +2129,6 @@ public class KDC {
             throw new AssertionError(e);
         }
     }
-    private static PAData[] KDCReqDotPAData(KDCReq req) {
-        try {
-            return (PAData[])getPADataField.get(req);
-        } catch (Exception e) {
-            throw new AssertionError(e);
-        }
-    }
     private static int[] KDCReqBodyDotEType(KDCReqBody body) {
         try {
             return (int[]) getEType.get(body);