代码拉取完成,页面将自动刷新
From ea08edece64add39a00a0bca558d11d41bf21513 Mon Sep 17 00:00:00 2001
Date: Thu, 27 Jul 2023 10:21:50 +0800
Subject: [PATCH] [Backport]8035986: KerberosKey algorithm names are not specified
---
.../javax/security/auth/kerberos/KerberosKey.java | 46 ++++++---
.../javax/security/auth/kerberos/KeyImpl.java | 26 ++---
.../classes/sun/security/krb5/EncryptionKey.java | 17 +++-
.../security/auth/kerberos/StandardNames.java | 108 +++++++++++++++++++++
4 files changed, 169 insertions(+), 28 deletions(-)
create mode 100644 jdk/test/javax/security/auth/kerberos/StandardNames.java
diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java
index 5c8b65f27..a8d12131a 100644
--- a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java
+++ b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java
@@ -52,7 +52,20 @@ import javax.security.auth.DestroyFailedException;
* application depends on the default JGSS Kerberos mechanism to access the
* KerberosKey. In that case, however, the application will need an
* appropriate
- * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.
+ * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.<p>
+ *
+ * When creating a {@code KerberosKey} using the
+ * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor,
+ * an implementation may accept non-IANA algorithm names (For example,
+ * "ArcFourMac" for "rc4-hmac"), but the {@link #getAlgorithm} method
+ * must always return the IANA algorithm name.<p>
+ *
+ * @implNote Old algorithm names used before JDK 9 are supported in the
+ * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor in this
+ * implementation for compatibility reasons, which are "DES" (and null) for
+ * "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac",
+ * "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for
+ * "aes256-cts-hmac-sha1-96".
*
* @author Mayank Upadhyay
* @since 1.4
@@ -73,7 +86,7 @@ public class KerberosKey implements SecretKey, Destroyable {
*
* @serial
*/
- private int versionNum;
+ private final int versionNum;
/**
* {@code KeyImpl} is serialized by writing out the ASN1 Encoded bytes
@@ -113,13 +126,16 @@ public class KerberosKey implements SecretKey, Destroyable {
}
/**
- * Constructs a KerberosKey from a principal's password.
+ * Constructs a KerberosKey from a principal's password using the specified
+ * algorithm name. The algorithm name (case insensitive) should be provided
+ * as the encryption type string defined on the IANA
+ * <a href="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1">Kerberos Encryption Type Numbers</a>
+ * page. The version number of the key generated will be 0.
*
* @param principal the principal that this password belongs to
* @param password the password that should be used to compute the key
* @param algorithm the name for the algorithm that this key will be
- * used for. This parameter may be null in which case the default
- * algorithm "DES" will be assumed.
+ * used for
* @throws IllegalArgumentException if the name of the
* algorithm passed is unsupported.
*/
@@ -128,6 +144,7 @@ public class KerberosKey implements SecretKey, Destroyable {
String algorithm) {
this.principal = principal;
+ this.versionNum = 0;
// Pass principal in for salt
key = new KeyImpl(principal, password, algorithm);
}
@@ -170,13 +187,18 @@ public class KerberosKey implements SecretKey, Destroyable {
*/
/**
- * Returns the standard algorithm name for this key. For
- * example, "DES" would indicate that this key is a DES key.
- * See Appendix A in the <a href=
- * "../../../../../technotes/guides/security/crypto/CryptoSpec.html#AppA">
- * Java Cryptography Architecture API Specification & Reference
- * </a>
- * for information about standard algorithm names.
+ * Returns the standard algorithm name for this key. The algorithm names
+ * are the encryption type string defined on the IANA
+ * <a href="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1">Kerberos Encryption Type Numbers</a>
+ * page.
+ * <p>
+ * This method can return the following value not defined on the IANA page:
+ * <ol>
+ * <li>none: for etype equal to 0</li>
+ * <li>unknown: for etype greater than 0 but unsupported by
+ * the implementation</li>
+ * <li>private: for etype smaller than 0</li>
+ * </ol>
*
* @return the name of the algorithm associated with this key.
*/
diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java
index f4ee94721..9d36d1e9e 100644
--- a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java
+++ b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java
@@ -36,7 +36,6 @@ import sun.security.krb5.PrincipalName;
import sun.security.krb5.EncryptionKey;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.KrbException;
-import sun.security.krb5.KrbCryptoException;
import sun.security.util.DerValue;
/**
@@ -86,8 +85,12 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
try {
PrincipalName princ = new PrincipalName(principal.getName());
- EncryptionKey key =
- new EncryptionKey(password, princ.getSalt(), algorithm);
+ EncryptionKey key;
+ if ("none".equalsIgnoreCase(algorithm)) {
+ key = EncryptionKey.NULL_KEY;
+ } else {
+ key = new EncryptionKey(password, princ.getSalt(), algorithm);
+ }
this.keyBytes = key.getBytes();
this.keyType = key.getEType();
} catch (KrbException e) {
@@ -118,27 +121,28 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
switch (eType) {
case EncryptedData.ETYPE_DES_CBC_CRC:
+ return "des-cbc-crc";
+
case EncryptedData.ETYPE_DES_CBC_MD5:
- return "DES";
+ return "des-cbc-md5";
case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD:
- return "DESede";
+ return "des3-cbc-sha1-kd";
case EncryptedData.ETYPE_ARCFOUR_HMAC:
- return "ArcFourHmac";
+ return "rc4-hmac";
case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96:
- return "AES128";
+ return "aes128-cts-hmac-sha1-96";
case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96:
- return "AES256";
+ return "aes256-cts-hmac-sha1-96";
case EncryptedData.ETYPE_NULL:
- return "NULL";
+ return "none";
default:
- throw new IllegalArgumentException(
- "Unsupported encryption type: " + eType);
+ return eType > 0 ? "unknown" : "private";
}
}
diff --git a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
index 4823b2525..d484d7c55 100644
--- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
+++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
@@ -271,15 +271,22 @@ public class EncryptionKey
String salt,
String algorithm) throws KrbCryptoException {
- if (algorithm == null || algorithm.equalsIgnoreCase("DES")) {
+ if (algorithm == null || algorithm.equalsIgnoreCase("DES")
+ || algorithm.equalsIgnoreCase("des-cbc-md5")) {
keyType = EncryptedData.ETYPE_DES_CBC_MD5;
- } else if (algorithm.equalsIgnoreCase("DESede")) {
+ } else if (algorithm.equalsIgnoreCase("des-cbc-crc")) {
+ keyType = EncryptedData.ETYPE_DES_CBC_CRC;
+ } else if (algorithm.equalsIgnoreCase("DESede")
+ || algorithm.equalsIgnoreCase("des3-cbc-sha1-kd")) {
keyType = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
- } else if (algorithm.equalsIgnoreCase("AES128")) {
+ } else if (algorithm.equalsIgnoreCase("AES128")
+ || algorithm.equalsIgnoreCase("aes128-cts-hmac-sha1-96")) {
keyType = EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96;
- } else if (algorithm.equalsIgnoreCase("ArcFourHmac")) {
+ } else if (algorithm.equalsIgnoreCase("ArcFourHmac")
+ || algorithm.equalsIgnoreCase("rc4-hmac")) {
keyType = EncryptedData.ETYPE_ARCFOUR_HMAC;
- } else if (algorithm.equalsIgnoreCase("AES256")) {
+ } else if (algorithm.equalsIgnoreCase("AES256")
+ || algorithm.equalsIgnoreCase("aes256-cts-hmac-sha1-96")) {
keyType = EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96;
// validate if AES256 is enabled
if (!EType.isSupported(keyType)) {
diff --git a/jdk/test/javax/security/auth/kerberos/StandardNames.java b/jdk/test/javax/security/auth/kerberos/StandardNames.java
new file mode 100644
index 000000000..40590f6d0
--- /dev/null
+++ b/jdk/test/javax/security/auth/kerberos/StandardNames.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8035986
+ * @summary KerberosKey algorithm names are not specified
+ */
+
+import sun.security.krb5.EncryptedData;
+
+import javax.crypto.Cipher;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import java.util.Locale;
+
+public class StandardNames {
+ static KerberosPrincipal kp = new KerberosPrincipal("user@REALM");
+ static char[] pass = "secret".toCharArray();
+ static byte[] keyBytes = new byte[1];
+
+ public static void main(String[] args) throws Exception {
+ for (EncType e: EncType.values()) {
+ if (e == EncType.e18) {
+ if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
+ System.out.println("Skipping aes256-cts-hmac-sha1-96");
+ continue;
+ }
+ }
+ checkByName(e.name, e);
+ checkByName(e.name.toUpperCase(Locale.US), e);
+ for (String n: e.oldnames) {
+ checkByName(n, e);
+ if (n != null) {
+ checkByName(n.toLowerCase(Locale.US), e);
+ }
+ }
+ checkByEType(e.etype, e.name);
+ }
+ checkByEType(100, "unknown");
+ checkByEType(-1, "private");
+
+ try {
+ System.out.println("unsupported");
+ new KerberosKey(kp, pass, "unsupported");
+ throw new Exception("unsupported");
+ } catch (IllegalArgumentException iae) {
+ // Expected
+ }
+ }
+
+ private static void checkByName(String n, EncType e) throws Exception {
+ System.out.println("CheckByName " + n);
+ KerberosKey k = new KerberosKey(kp, pass, n);
+ if (!k.getAlgorithm().equals(e.name)) throw new Exception(n);
+ if (k.getKeyType() != e.etype) throw new Exception(n);
+ if (k.getVersionNumber() != 0) throw new Exception(n);
+ }
+
+ private static void checkByEType(int i, String n) throws Exception {
+ System.out.println("CheckByInt " + i);
+ KerberosKey k = new KerberosKey(kp, keyBytes, i, 13);
+ if (!k.getAlgorithm().equals(n)) throw new Exception("" + i);
+ if (k.getKeyType() != i) throw new Exception("" + i);
+ if (k.getVersionNumber() != 13) throw new Exception("" + i);
+ }
+}
+
+enum EncType {
+ e0("none", EncryptedData.ETYPE_NULL),
+ e1("des-cbc-crc", EncryptedData.ETYPE_DES_CBC_CRC),
+ e3("des-cbc-md5", EncryptedData.ETYPE_DES_CBC_MD5, "DES", null),
+ e16("des3-cbc-sha1-kd", EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD, "DESede"),
+ e17("aes128-cts-hmac-sha1-96", EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, "AES128"),
+ e18("aes256-cts-hmac-sha1-96", EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96, "AES256"),
+ e23("rc4-hmac", EncryptedData.ETYPE_ARCFOUR_HMAC, "ArcFourHmac"),
+ ;
+
+ final String name;
+ final int etype;
+ final String[] oldnames;
+
+ EncType(String name, int etype, String... oldnames) {
+ this.name = name;
+ this.etype = etype;
+ this.oldnames = oldnames;
+ }
+}
--
2.12.3
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
