From 6e6e3cf6da6a8e74bc8d5c63fefae953f027629e Mon Sep 17 00:00:00 2001
From: Alexey Bakhtin <abakhtin@openjdk.org>
Date: Fri, 10 May 2024 13:38:53 -0700
Subject: [PATCH] 8328726: Better Kerberos support
Reviewed-by: mbalao
Backport-of: 7325899a11f17bf4516d39495a12796385e459ed
---
.../security/auth/kerberos/EncryptionKey.java | 4 ++--
.../auth/kerberos/KerberosCredMessage.java | 6 ++---
.../security/auth/kerberos/KerberosKey.java | 8 +++----
.../javax/security/auth/kerberos/KeyImpl.java | 16 +++++---------
.../sun/security/jgss/krb5/Krb5Context.java | 22 +++++--------------
.../sun/security/jgss/krb5/Krb5Util.java | 15 +++++++++++++
.../sun/security/krb5/EncryptionKey.java | 8 ++-----
.../sun/security/krb5/internal/Krb5.java | 3 ---
.../security/krb5/internal/tools/Kinit.java | 4 ----
.../pkcs11/wrapper/CK_PBE_PARAMS.java | 5 -----
.../security/auth/module/Krb5LoginModule.java | 10 +++------
11 files changed, 39 insertions(+), 62 deletions(-)
diff --git a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/EncryptionKey.java b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/EncryptionKey.java
index 492915f638e..9ca1272dfb0 100644
--- a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/EncryptionKey.java
+++ b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/EncryptionKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -168,7 +168,7 @@ public final class EncryptionKey implements SecretKey {
if (destroyed) {
return "Destroyed EncryptionKey";
}
- return "key " + key.toString();
+ return "EncryptionKey: " + key.toString();
}
/**
diff --git a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosCredMessage.java b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosCredMessage.java
index c39ae01d913..08b67e0abaf 100644
--- a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosCredMessage.java
+++ b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosCredMessage.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,7 +27,6 @@ package javax.security.auth.kerberos;
import javax.security.auth.Destroyable;
import java.util.Arrays;
-import java.util.Base64;
import java.util.Objects;
/**
@@ -140,8 +139,7 @@ public final class KerberosCredMessage implements Destroyable {
if (destroyed) {
return "Destroyed KerberosCredMessage";
} else {
- return "KRB_CRED from " + sender + " to " + recipient + ":\n"
- + Base64.getUrlEncoder().encodeToString(message);
+ return "KRB_CRED from " + sender + " to " + recipient;
}
}
diff --git a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosKey.java b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosKey.java
index b5874f5637e..43d74c37a6b 100644
--- a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosKey.java
+++ b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -270,9 +270,9 @@ public class KerberosKey implements SecretKey {
if (destroyed) {
return "Destroyed KerberosKey";
}
- return "Kerberos Principal " + principal +
- "Key Version " + versionNum +
- "key " + key.toString();
+ return "KerberosKey: principal " + principal +
+ ", version " + versionNum +
+ ", key " + key.toString();
}
/**
diff --git a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyImpl.java b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyImpl.java
index 59c1a4458f8..caa702c2ed4 100644
--- a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyImpl.java
+++ b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,7 +30,8 @@ import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.security.auth.Destroyable;
import javax.security.auth.DestroyFailedException;
-import sun.security.util.HexDumpEncoder;
+
+import sun.security.jgss.krb5.Krb5Util;
import sun.security.krb5.Asn1Exception;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.EncryptionKey;
@@ -222,15 +223,8 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
}
public String toString() {
- HexDumpEncoder hd = new HexDumpEncoder();
- return "EncryptionKey: keyType=" + keyType
- + " keyBytes (hex dump)="
- + (keyBytes == null || keyBytes.length == 0 ?
- " Empty Key" :
- '\n' + hd.encodeBuffer(keyBytes)
- + '\n');
-
-
+ return "keyType=" + keyType
+ + ", " + Krb5Util.keyInfo(keyBytes);
}
public int hashCode() {
diff --git a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java
index 3cb0bf46cb8..67cd1315886 100644
--- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java
@@ -914,15 +914,11 @@ class Krb5Context implements GSSContextSpi {
public final byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException {
- if (DEBUG) {
- System.out.println("Krb5Context.wrap: data=["
- + getHexBytes(inBuf, offset, len)
- + "]");
- }
- if (state != STATE_DONE)
- throw new GSSException(GSSException.NO_CONTEXT, -1,
- "Wrap called in invalid state!");
+ if (state != STATE_DONE) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1,
+ "Wrap called in invalid state!");
+ }
byte[] encToken = null;
try {
@@ -1067,12 +1063,6 @@ class Krb5Context implements GSSContextSpi {
setSequencingAndReplayProps(token, msgProp);
}
- if (DEBUG) {
- System.out.println("Krb5Context.unwrap: data=["
- + getHexBytes(data, 0, data.length)
- + "]");
- }
-
return data;
}
@@ -1423,8 +1413,8 @@ class Krb5Context implements GSSContextSpi {
@Override
public String toString() {
- return "Kerberos session key: etype: " + key.getEType() + "\n" +
- new HexDumpEncoder().encodeBuffer(key.getBytes());
+ return "Kerberos session key: etype=" + key.getEType()
+ + ", " + Krb5Util.keyInfo(key.getBytes());
}
}
diff --git a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java
index 24353cceeca..54102205026 100644
--- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java
@@ -201,4 +201,19 @@ public class Krb5Util {
KeyTab ktab, PrincipalName cname) {
return snapshotFromJavaxKeyTab(ktab).readServiceKeys(cname);
}
+
+ public static String keyInfo(byte[] data) {
+ if (data == null) {
+ return "null key";
+ } else if (data.length == 0) {
+ return "empty key";
+ } else {
+ for (byte b : data) {
+ if (b != 0) {
+ return data.length + "-byte key";
+ }
+ }
+ return data.length + "-byte zero key";
+ }
+ }
}
diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java b/src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java
index c7dc72fdebe..d812fd63d2c 100644
--- a/src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java
@@ -31,6 +31,7 @@
package sun.security.krb5;
+import sun.security.jgss.krb5.Krb5Util;
import sun.security.util.*;
import sun.security.krb5.internal.*;
import sun.security.krb5.internal.crypto.*;
@@ -498,12 +499,7 @@ public class EncryptionKey
public String toString() {
return new String("EncryptionKey: keyType=" + keyType
- + " kvno=" + kvno
- + " keyValue (hex dump)="
- + (keyValue == null || keyValue.length == 0 ?
- " Empty Key" : '\n'
- + Krb5.hexDumper.encodeBuffer(keyValue)
- + '\n'));
+ + ", kvno=" + kvno + ", " + Krb5Util.keyInfo(keyValue));
}
/**
diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java b/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java
index fabff57ae64..93831f5a3e6 100644
--- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java
@@ -315,9 +315,6 @@ public class Krb5 {
public static final boolean DEBUG = GetBooleanAction
.privilegedGetProperty("sun.security.krb5.debug");
- public static final sun.security.util.HexDumpEncoder hexDumper =
- new sun.security.util.HexDumpEncoder();
-
static {
errMsgList = new Hashtable<Integer,String> ();
errMsgList.put(KDC_ERR_NONE, "No error");
diff --git a/src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/Kinit.java b/src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/Kinit.java
index 813939643c3..4f124771d51 100644
--- a/src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/Kinit.java
+++ b/src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/Kinit.java
@@ -192,10 +192,6 @@ public class Kinit {
System.out.print("Password for " + princName + ":");
System.out.flush();
psswd = Password.readPassword(System.in);
- if (DEBUG) {
- System.out.println(">>> Kinit console input " +
- new String(psswd));
- }
}
builder = new KrbAsReqBuilder(principal, psswd);
} else {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
index e8b048869c4..7b874ced493 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
@@ -121,11 +121,6 @@ public class CK_PBE_PARAMS {
sb.append(pPassword.length);
sb.append(Constants.NEWLINE);
- sb.append(Constants.INDENT);
- sb.append("pPassword: ");
- sb.append(pPassword);
- sb.append(Constants.NEWLINE);
-
sb.append(Constants.INDENT);
sb.append("ulSaltLen: ");
sb.append(pSalt.length);
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
index 5cb2b4cb6c4..7678efa1fca 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
@@ -42,7 +42,7 @@ import javax.security.auth.spi.*;
import sun.security.krb5.*;
import sun.security.jgss.krb5.Krb5Util;
import sun.security.krb5.Credentials;
-import sun.security.util.HexDumpEncoder;
+
import static sun.security.util.ResourcesMgr.getAuthResourceString;
/**
@@ -765,15 +765,11 @@ public class Krb5LoginModule implements LoginModule {
if (debug) {
System.out.println("principal is " + principal);
- HexDumpEncoder hd = new HexDumpEncoder();
if (ktab != null) {
System.out.println("Will use keytab");
} else if (storeKey) {
for (int i = 0; i < encKeys.length; i++) {
- System.out.println("EncryptionKey: keyType=" +
- encKeys[i].getEType() +
- " keyBytes (hex dump)=" +
- hd.encodeBuffer(encKeys[i].getBytes()));
+ System.out.println(encKeys[i].toString());
}
}
}
@@ -874,7 +870,7 @@ public class Krb5LoginModule implements LoginModule {
}
if (debug) {
System.out.println
- ("password is " + new String(password));
+ ("Get password from shared state");
}
return;
}
--
GitLab