RFR 8035986: KerberosKey algorithm names are not specified

Weijun Wang weijun.wang at oracle.com
Wed Apr 9 01:50:53 UTC 2014



On 4/9/2014 9:15, Xuelei Fan wrote:
> On 4/9/2014 8:53 AM, Weijun Wang wrote:
>> There is already getKeyType() and toString().
> ;-) They should not lower the standards to design another good method.

I just meant different methods serve for different purposes.

>
>> Also I don't think
>> "kid-2014" is useful. If people really want to inspect the result, I
>> expect they would fall into the "default" or "else" block anyway.
>>
> There is a constructor to put unknown or private key type:
>      KerberosKey(KerberosPrincipal principal,
>                  byte[] keyBytes,
>                  int keyType, int versionNum)
>
> Which will accept any kind of integer key type.

Yes, this method does not need to understand the keyType to generate a 
key. However, the one we are talking about now must understand the 
algorithm name and call its string2key() method to generate the key from 
a passphrase. So even if you provide "kid-2014", it still has to throw 
an IllegalArgumentException.

>
> I think it might be help to get the algorithm in string even if key type
> is not supported (getKeyType() is not as convenient as getAlgorithm() to
> get the string algorithm, toString() covers too much information if one
> only needs to know the algorithm).
>
>     KerberosKey kk = new KerberosKey(..., 123, 0);
>     String alg = kk.getAlgorithm();   // "unknown" returns
>
>     KerberosKey kk = new KerberosKey(..., 124, 0);
>     String alg = kk.getAlgorithm();   // "unknown" returns
>
>     KerberosKey kk = new KerberosKey(..., -123, 0);
>     String alg = kk.getAlgorithm();   // "private" returns
>
>     KerberosKey kk = new KerberosKey(..., -124, 0);
>     String alg = kk.getAlgorithm();   // "private" returns

I would expect actual developers calling getKeyType() more often because 
it's easy to deal with in Kerberos. In this sense, getAlgorithm() only 
exists to override the method in Key.

>
> At least for meaningful debug log or exception message, "unknown" and
> "private" is not as instinctive as "xxx-123" and "xxx-124".
>
> Anyway, not a big concern of mine.  Please go ahead if you prefer
> "unknown" and "private".

Yes, that is still my preference.

Thanks
Max

>
> Xuelei
>
>> --Max
>>
>> On 4/9/2014 7:57, Xuelei Fan wrote:
>>> Looks fine to me.
>>>
>>> I was wondering, whether it is a little bit more instinctive to return a
>>> string with the type number for "unknown" and "private" algorithm in
>>> KerberosKey.getAlgorithm().  For example:
>>>
>>>       "unknown" -> "kid-2014"
>>>       "private" -> "kid-(2014)"
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 4/8/2014 10:37 AM, Weijun Wang wrote:
>>>> Hi All
>>>>
>>>> Please review the code changes at
>>>>
>>>>      http://cr.openjdk.java.net/~weijun/8035986/webrev.00/
>>>>
>>>> It's about using IANA names in KerberosKey instead of old non-standard
>>>> names.
>>>>
>>>> Thanks
>>>> Max
>>>
>


More information about the security-dev mailing list