Code review request: 8014310: JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679
Weijun Wang
weijun.wang at oracle.com
Fri Jun 7 07:31:23 UTC 2013
Ding dong.
On 5/27/13 10:06 AM, Weijun Wang wrote:
>
> Please review the code changes at
>
> http://cr.openjdk.java.net/~weijun/8014310/webrev.00/
>
> The reason is that since we set allow_weak_crypto to false, if the user
> only has DES keys or only has DES-related etypes enabled, there will be
> no working etype at all. Sooner or later, an NPE is thrown.
>
> This fix includes:
>
> 1. Instead of returning null in Config::defaultEtype(configName), a
> KrbException is thrown.
>
> 2. Removes useless if-null-then-KrbException checks.
>
> 3. Not related to the bug: remove sort-by-etype in
> KeyTab::readServiceKeys(princ). It was meant to make sure a preferred
> etype appears before another one. In fact, the order of etypes returned
> by EType::getDefaults(configName,keys) is determined by the order of
> Config::defaultEtype(configName) instead of keys. Therefore it's
> actually useless. The sort-by-kvno is preserved. This does not matter
> when the key is used to decrypt an EncryptedData structure (which knows
> what kvno should be used). Sometimes we still have to pick one with no
> hint at all, say, creating the encrypted timestamp in preauth AS-REQ. A
> key with higher kvno is normally more likely to be the current one.
>
> Thanks
> Max
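
The failure mode and fix described in item 1 above, as an added sketch that is not part of the original message and is not the JDK's sun.security.krb5 code. The class, method and exception names are hypothetical; the only real values are the single-DES etype numbers from RFC 3961 and the AES ones from RFC 3962.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added sketch, not the JDK's sun.security.krb5 code; all names are hypothetical.
public class EtypeSelectionSketch {
    static class NoUsableEtypeException extends Exception {   // stand-in for KrbException
        NoUsableEtypeException(String msg) { super(msg); }
    }

    // Single-DES etypes from RFC 3961: des-cbc-crc(1), des-cbc-md4(2), des-cbc-md5(3).
    static boolean isWeak(int etype) { return etype >= 1 && etype <= 3; }

    // Keeps the configured preference order, dropping weak etypes unless allowed.
    static List<Integer> filter(List<Integer> configured, boolean allowWeakCrypto) {
        List<Integer> out = new ArrayList<>();
        for (int e : configured) if (allowWeakCrypto || !isWeak(e)) out.add(e);
        return out;
    }

    // "Before" shape: null when nothing survives the filter; some later caller
    // dereferences it and the NPE hides the real cause.
    static List<Integer> defaultEtypesOrNull(List<Integer> configured, boolean allowWeakCrypto) {
        List<Integer> out = filter(configured, allowWeakCrypto);
        return out.isEmpty() ? null : out;
    }

    // "After" shape: fail where the cause is known, with a message that names it.
    static List<Integer> defaultEtypes(List<Integer> configured, boolean allowWeakCrypto)
            throws NoUsableEtypeException {
        List<Integer> out = filter(configured, allowWeakCrypto);
        if (out.isEmpty())
            throw new NoUsableEtypeException("no usable etype: configured=" + configured
                    + ", allow_weak_crypto=" + allowWeakCrypto);
        return out;
    }

    public static void main(String[] args) {
        List<Integer> desOnly = Arrays.asList(1, 3);      // constructed: DES-only configuration
        List<Integer> mixed = Arrays.asList(18, 17, 3);   // constructed: aes256, aes128, des-cbc-md5
        try {
            System.out.println(defaultEtypes(mixed, false));
            System.out.println(defaultEtypesOrNull(desOnly, false));
            defaultEtypes(desOnly, false);                // throws instead of returning null
        } catch (NoUsableEtypeException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

With the checked exception, a DES-only setup surfaces as a configuration error at login time rather than as an unexplained NPE further down the call chain.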