Code review request: 8014310: JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679

Weijun Wang weijun.wang at oracle.com
Mon May 27 02:06:36 UTC 2013


Please review the code changes at

    http://cr.openjdk.java.net/~weijun/8014310/webrev.00/

The reason is that since we set allow_weak_crypto to false, if the user 
only had DES keys or only has DES-related etypes enabled, there will be 
no working etype at all. Soon or later, an NPE is thrown.

This fix includes:

1. Instead of returning null in Config::defaultEtype(configName), a 
KrbException is thrown.

2. Removes useless if-null-then-KrbException checks.

3. Not related to the bug: remove sort-by-etype in 
KeyTab::readServiceKeys(princ). It was meant to make sure a preferred 
etype appears before another one. In fact, the order of etypes returned 
by EType::getDefaults(configName,keys) are determined by the order of 
Config::defaultEtype(configName) instead of keys. Therefore it's 
actually useless. The sort-by-kvno is preserved. This does not matter 
when the key is used to decrypt an EncryptedData structure (which knows 
what kvno should be used). Sometime we still have to pick one with no 
hint at all, say, creating the encrypted timestamp in preauth AS-REQ. A 
key with higher kvno is normally more likely to be the current one.

Thanks
Max



More information about the security-dev mailing list