From 46b7cb7838a2de1a6463ddf17edefef73ec1217f Mon Sep 17 00:00:00 2001
Date: Thu, 3 Aug 2023 10:03:27 +0800
Subject: [PATCH] Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified

---
 .../security/auth/kerberos/KerberosKey.java   |  46 ++------
 .../javax/security/auth/kerberos/KeyImpl.java |  26 ++---
 .../sun/security/krb5/EncryptionKey.java      |  17 +--
 .../security/auth/kerberos/StandardNames.java | 108 ------------------
 4 files changed, 28 insertions(+), 169 deletions(-)
 delete mode 100644 jdk/test/javax/security/auth/kerberos/StandardNames.java

diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java
index a8d12131a..5c8b65f27 100644
--- a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java
+++ b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java
@@ -52,20 +52,7 @@ import javax.security.auth.DestroyFailedException;
  * application depends on the default JGSS Kerberos mechanism to access the
  * KerberosKey. In that case, however, the application will need an
  * appropriate
- * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.<p>
- *
- * When creating a {@code KerberosKey} using the
- * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor,
- * an implementation may accept non-IANA algorithm names (For example,
- * "ArcFourMac" for "rc4-hmac"), but the {@link #getAlgorithm} method
- * must always return the IANA algorithm name.<p>
- *
- * @implNote Old algorithm names used before JDK 9 are supported in the
- * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor in this
- * implementation for compatibility reasons, which are "DES" (and null) for
- * "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac",
- * "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for
- * "aes256-cts-hmac-sha1-96".
+ * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.
  *
  * @author Mayank Upadhyay
  * @since 1.4
@@ -86,7 +73,7 @@ public class KerberosKey implements SecretKey, Destroyable {
      *
      * @serial
      */
-    private final int versionNum;
+    private int versionNum;
 
    /**
     * {@code KeyImpl} is serialized by writing out the ASN1 Encoded bytes
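Review bot: Dropping `final` from `versionNum` makes a field of a serialized secret-key object mutable, and nothing visible in this patch needs that. The only related change is the later hunk that removes `this.versionNum = 0;` from the password constructor, which now relies on the implicit default. Keeping `private final int versionNum;` together with the explicit `this.versionNum = 0;` lets the compiler prove that every constructor sets the field. The other constructors are outside the hunks, so confirm they all assign it.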
@@ -126,16 +113,13 @@ public class KerberosKey implements SecretKey, Destroyable {
     }
 
     /**
-     * Constructs a KerberosKey from a principal's password using the specified
-     * algorithm name. The algorithm name (case insensitive) should be provided
-     * as the encryption type string defined on the IANA
-     * <a href="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1">Kerberos Encryption Type Numbers</a>
-     * page. The version number of the key generated will be 0.
+     * Constructs a KerberosKey from a principal's password.
      *
      * @param principal the principal that this password belongs to
      * @param password the password that should be used to compute the key
      * @param algorithm the name for the algorithm that this key will be
-     * used for
+     * used for. This parameter may be null in which case the default
+     * algorithm "DES" will be assumed.
      * @throws IllegalArgumentException if the name of the
      * algorithm passed is unsupported.
      */
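Review bot: The restored `@param algorithm` text mentions only the null default and does not say which names are accepted, although `@throws IllegalArgumentException` depends on that list. Going by the EncryptionKey hunk in this patch, the visible arms accept "DES", "DESede", "ArcFourHmac", "AES128" and "AES256" case-insensitively, and the IANA spellings are presumably rejected again; further arms may exist outside that hunk. I would extend the sentence to something like `used for. Accepted names are "DES", "DESede", "ArcFourHmac", "AES128" and "AES256"; null is treated as "DES" (des-cbc-md5).`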
@@ -144,7 +128,6 @@ public class KerberosKey implements SecretKey, Destroyable {
                        String algorithm) {
 
         this.principal = principal;
-        this.versionNum = 0;
         // Pass principal in for salt
         key = new KeyImpl(principal, password, algorithm);
     }
@@ -187,18 +170,13 @@ public class KerberosKey implements SecretKey, Destroyable {
      */
 
     /**
-     * Returns the standard algorithm name for this key. The algorithm names
-     * are the encryption type string defined on the IANA
-     * <a href="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1">Kerberos Encryption Type Numbers</a>
-     * page.
-     * <p>
-     * This method can return the following value not defined on the IANA page:
-     * <ol>
-     *     <li>none: for etype equal to 0</li>
-     *     <li>unknown: for etype greater than 0 but unsupported by
-     *         the implementation</li>
-     *     <li>private: for etype smaller than 0</li>
-     * </ol>
+     * Returns the standard algorithm name for this key. For
+     * example, "DES" would indicate that this key is a DES key.
+     * See Appendix A in the <a href=
+     * "../../../../../technotes/guides/security/crypto/CryptoSpec.html#AppA">
+     * Java Cryptography Architecture API Specification &amp; Reference
+     * </a>
+     * for information about standard algorithm names.
      *
      * @return the name of the algorithm associated with this key.
      */
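Review bot: The restored Javadoc for `getAlgorithm` has no `@throws`, yet the KeyImpl hunk in this patch makes the name lookup throw `IllegalArgumentException("Unsupported encryption type: " + eType)` for any etype outside its switch. If this method delegates to that lookup (its body is outside the hunk), a key built from an arbitrary integer etype fails here rather than at construction; the deleted test built such keys with 100 and -1. Add `@throws IllegalArgumentException if the key's encryption type is not one this implementation can name`, or reject such etypes in the constructor so the error is reported where the bad value enters.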
diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java
index 571387e0c..6791c42f0 100644
--- a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java
+++ b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java
@@ -36,6 +36,7 @@ import sun.security.krb5.PrincipalName;
 import sun.security.krb5.EncryptionKey;
 import sun.security.krb5.EncryptedData;
 import sun.security.krb5.KrbException;
+import sun.security.krb5.KrbCryptoException;
 import sun.security.util.DerValue;
 
 /**
@@ -85,12 +86,8 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
 
         try {
             PrincipalName princ = new PrincipalName(principal.getName());
-            EncryptionKey key;
-            if ("none".equalsIgnoreCase(algorithm)) {
-                key = EncryptionKey.NULL_KEY;
-            } else {
-                key = new EncryptionKey(password, princ.getSalt(), algorithm);
-            }
+            EncryptionKey key =
+                new EncryptionKey(password, princ.getSalt(), algorithm);
             this.keyBytes = key.getBytes();
             this.keyType = key.getEType();
         } catch (KrbException e) {
@@ -121,22 +118,20 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
 
         switch (eType) {
         case EncryptedData.ETYPE_DES_CBC_CRC:
-            return "des-cbc-crc";
-
         case EncryptedData.ETYPE_DES_CBC_MD5:
-            return "des-cbc-md5";
+            return "DES";
 
         case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD:
-            return "des3-cbc-sha1-kd";
+            return "DESede";
 
         case EncryptedData.ETYPE_ARCFOUR_HMAC:
-            return "rc4-hmac";
+            return "ArcFourHmac";
 
         case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96:
-            return "aes128-cts-hmac-sha1-96";
+            return "AES128";
 
         case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96:
-            return "aes256-cts-hmac-sha1-96";
+            return "AES256";
 
         case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA256_128:
             return "aes128-cts-hmac-sha256-128";
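Review bot: After this hunk the switch returns two naming schemes: the SHA-1 etypes get the short names ("DES", "DESede", "ArcFourHmac", "AES128", "AES256"), while the unchanged arms for the SHA-2 etypes still return IANA strings such as "aes128-cts-hmac-sha256-128". `ETYPE_DES_CBC_CRC` also now falls through to share "DES" with `ETYPE_DES_CBC_MD5`, so the returned name no longer identifies the etype. A comment on the fall-through, `// des-cbc-crc and des-cbc-md5 deliberately share the legacy name "DES"; use the etype to tell them apart`, plus a sentence in the method's doc comment listing both naming styles, would tell callers not to treat the string as a unique key-type identifier. The method starts before this hunk and continues past it.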
@@ -145,10 +140,11 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
             return "aes256-cts-hmac-sha384-192";
 
         case EncryptedData.ETYPE_NULL:
-            return "none";
+            return "NULL";
 
         default:
-            return eType > 0 ? "unknown" : "private";
+            throw new IllegalArgumentException(
+                "Unsupported encryption type: " + eType);
         }
     }
 
diff --git a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
index 627168e70..71e667028 100644
--- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
+++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java
@@ -277,22 +277,15 @@ public class EncryptionKey
                          String salt,
                          String algorithm) throws KrbCryptoException {
 
-        if (algorithm == null || algorithm.equalsIgnoreCase("DES")
-                || algorithm.equalsIgnoreCase("des-cbc-md5")) {
+        if (algorithm == null || algorithm.equalsIgnoreCase("DES")) {
             keyType = EncryptedData.ETYPE_DES_CBC_MD5;
-        } else if (algorithm.equalsIgnoreCase("des-cbc-crc")) {
-            keyType = EncryptedData.ETYPE_DES_CBC_CRC;
-        } else if (algorithm.equalsIgnoreCase("DESede")
-                || algorithm.equalsIgnoreCase("des3-cbc-sha1-kd")) {
+        } else if (algorithm.equalsIgnoreCase("DESede")) {
             keyType = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
-        } else if (algorithm.equalsIgnoreCase("AES128")
-                || algorithm.equalsIgnoreCase("aes128-cts-hmac-sha1-96")) {
+        } else if (algorithm.equalsIgnoreCase("AES128")) {
             keyType = EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96;
-        } else if (algorithm.equalsIgnoreCase("ArcFourHmac")
-                || algorithm.equalsIgnoreCase("rc4-hmac")) {
+        } else if (algorithm.equalsIgnoreCase("ArcFourHmac")) {
             keyType = EncryptedData.ETYPE_ARCFOUR_HMAC;
-        } else if (algorithm.equalsIgnoreCase("AES256")
-                || algorithm.equalsIgnoreCase("aes256-cts-hmac-sha1-96")) {
+        } else if (algorithm.equalsIgnoreCase("AES256")) {
             keyType = EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96;
             // validate if AES256 is enabled
             if (!EType.isSupported(keyType)) {
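Review bot: The first arm still maps `algorithm == null` to `ETYPE_DES_CBC_MD5`, so a caller that omits the algorithm silently derives a single-DES key from the password, and nothing in the code marks this as a legacy default. A comment on that arm, `// null keeps the historical default (single DES, des-cbc-md5); callers should pass an AES name`, would keep the default from being copied into new code. In the visible lines only the AES256 arm checks `EType.isSupported(keyType)`; whether the weaker etypes are checked against the permitted list is decided outside the hunk, so confirm that a disabled etype cannot be selected by name here. The constructor starts before the hunk and ends after it.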
diff --git a/jdk/test/javax/security/auth/kerberos/StandardNames.java b/jdk/test/javax/security/auth/kerberos/StandardNames.java
deleted file mode 100644
index 40590f6d0..000000000
--- a/jdk/test/javax/security/auth/kerberos/StandardNames.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8035986
- * @summary KerberosKey algorithm names are not specified
- */
-
-import sun.security.krb5.EncryptedData;
-
-import javax.crypto.Cipher;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import java.util.Locale;
-
-public class StandardNames {
-    static KerberosPrincipal kp = new KerberosPrincipal("user@REALM");
-    static char[] pass = "secret".toCharArray();
-    static byte[] keyBytes = new byte[1];
-
-    public static void main(String[] args) throws Exception {
-        for (EncType e: EncType.values()) {
-            if (e == EncType.e18) {
-                if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
-                    System.out.println("Skipping aes256-cts-hmac-sha1-96");
-                    continue;
-                }
-            }
-            checkByName(e.name, e);
-            checkByName(e.name.toUpperCase(Locale.US), e);
-            for (String n: e.oldnames) {
-                checkByName(n, e);
-                if (n != null) {
-                    checkByName(n.toLowerCase(Locale.US), e);
-                }
-            }
-            checkByEType(e.etype, e.name);
-        }
-        checkByEType(100, "unknown");
-        checkByEType(-1, "private");
-
-        try {
-            System.out.println("unsupported");
-            new KerberosKey(kp, pass, "unsupported");
-            throw new Exception("unsupported");
-        } catch (IllegalArgumentException iae) {
-            // Expected
-        }
-    }
-
-    private static void checkByName(String n, EncType e) throws Exception {
-        System.out.println("CheckByName " + n);
-        KerberosKey k = new KerberosKey(kp, pass, n);
-        if (!k.getAlgorithm().equals(e.name)) throw new Exception(n);
-        if (k.getKeyType() != e.etype) throw new Exception(n);
-        if (k.getVersionNumber() != 0) throw new Exception(n);
-    }
-
-    private static void checkByEType(int i, String n) throws Exception {
-        System.out.println("CheckByInt " + i);
-        KerberosKey k = new KerberosKey(kp, keyBytes, i, 13);
-        if (!k.getAlgorithm().equals(n)) throw new Exception("" + i);
-        if (k.getKeyType() != i) throw new Exception("" + i);
-        if (k.getVersionNumber() != 13) throw new Exception("" + i);
-    }
-}
-
-enum EncType {
-    e0("none", EncryptedData.ETYPE_NULL),
-    e1("des-cbc-crc", EncryptedData.ETYPE_DES_CBC_CRC),
-    e3("des-cbc-md5", EncryptedData.ETYPE_DES_CBC_MD5, "DES", null),
-    e16("des3-cbc-sha1-kd", EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD, "DESede"),
-    e17("aes128-cts-hmac-sha1-96", EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, "AES128"),
-    e18("aes256-cts-hmac-sha1-96", EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96, "AES256"),
-    e23("rc4-hmac", EncryptedData.ETYPE_ARCFOUR_HMAC, "ArcFourHmac"),
-    ;
-
-    final String name;
-    final int etype;
-    final String[] oldnames;
-
-    EncType(String name, int etype, String... oldnames) {
-        this.name = name;
-        this.etype = etype;
-        this.oldnames = oldnames;
-    }
-}
-- 
2.22.0