6885204: JSSE should not require Kerberos to be present

Reviewed-by: wetmore, alanb

src/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java

 /*
- * Copyright 2001-2005 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -116,7 +116,10 @@ class VerifierWrapper implements javax.net.ssl.HostnameVerifier {
         try {
             String serverName;
             Principal principal = getPeerPrincipal(session);
-            if (principal instanceof KerberosPrincipal) {
+            // X.500 principal or Kerberos principal.
+            // (Use ciphersuite check to determine whether Kerberos is present.)
+            if (session.getCipherSuite().startsWith("TLS_KRB5") &&
+                    principal instanceof KerberosPrincipal) {
                 serverName =
                     HostnameChecker.getServerName((KerberosPrincipal)principal);
             } else {

src/share/classes/sun/net/www/protocol/https/HttpsClient.java

 /*
- * Copyright 2001-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -461,12 +461,16 @@ final class HttpsClient extends HttpClient
         }
 
         Certificate[] peerCerts = null;
+        String cipher = session.getCipherSuite();
         try {
             HostnameChecker checker = HostnameChecker.getInstance(
                                                 HostnameChecker.TYPE_TLS);
 
             Principal principal = getPeerPrincipal();
-            if (principal instanceof KerberosPrincipal) {
+            // X.500 principal or Kerberos principal.
+            // (Use ciphersuite check to determine whether Kerberos is present.)
+            if (cipher.startsWith("TLS_KRB5") &&
+                    principal instanceof KerberosPrincipal) {
                 if (!checker.match(host, (KerberosPrincipal)principal)) {
                     throw new SSLPeerUnverifiedException("Hostname checker" +
                                 " failed for Kerberos");
@@ -499,7 +503,6 @@ final class HttpsClient extends HttpClient
             // ignore
         }
 
-        String cipher = session.getCipherSuite();
         if ((cipher != null) && (cipher.indexOf("_anon_") != -1)) {
             return;
         } else if ((hostnameVerifier != null) &&

src/share/classes/sun/security/ssl/CipherSuite.java

 /*
- * Copyright 2002-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -74,7 +74,7 @@ final class CipherSuite implements Comparable {
     // Flag indicating if CipherSuite availability can change dynamically.
     // This is the case when we rely on a JCE cipher implementation that
     // may not be available in the installed JCE providers.
-    // It is true because we do not have a Java ECC implementation.
+    // It is true because we might not have an ECC or Kerberos implementation.
     final static boolean DYNAMIC_AVAILABILITY = true;
 
     private final static boolean ALLOW_ECC = Debug.getBooleanProperty
@@ -278,14 +278,22 @@ final class CipherSuite implements Comparable {
         KeyExchange(String name, boolean allowed) {
             this.name = name;
             this.allowed = allowed;
-            this.alwaysAvailable = allowed && (name.startsWith("EC") == false);
+            this.alwaysAvailable = allowed &&
+                (!name.startsWith("EC")) && (!name.startsWith("KRB"));
         }
 
         boolean isAvailable() {
             if (alwaysAvailable) {
                 return true;
             }
-            return allowed && JsseJce.isEcAvailable();
+
+            if (name.startsWith("EC")) {
+                return (allowed && JsseJce.isEcAvailable());
+            } else if (name.startsWith("KRB")) {
+                return (allowed && JsseJce.isKerberosAvailable());
+            } else {
+                return allowed;
+            }
         }
 
         public String toString() {

src/share/classes/sun/security/ssl/JsseJce.java

 /*
- * Copyright 2001-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -64,6 +64,29 @@ final class JsseJce {
     // If yes, then all the EC based crypto we need is available.
     private static volatile Boolean ecAvailable;
 
+    // Flag indicating whether Kerberos crypto is available.
+    // If true, then all the Kerberos-based crypto we need is available.
+    private final static boolean kerberosAvailable;
+    static {
+        boolean temp;
+        try {
+            AccessController.doPrivileged(
+                new PrivilegedExceptionAction<Void>() {
+                    public Void run() throws Exception {
+                        // Test for Kerberos using the bootstrap class loader
+                        Class.forName("sun.security.krb5.PrincipalName", true,
+                                null);
+                        return null;
+                    }
+                });
+            temp = true;
+
+        } catch (Exception e) {
+            temp = false;
+        }
+        kerberosAvailable = temp;
+    }
+
     static {
         // force FIPS flag initialization
         // Because isFIPS() is synchronized and cryptoProvider is not modified
@@ -187,6 +210,10 @@ final class JsseJce {
         ecAvailable = null;
     }
 
+    static boolean isKerberosAvailable() {
+        return kerberosAvailable;
+    }
+
     /**
      * Return an JCE cipher implementation for the specified algorithm.
      */