RFR 8035986: KerberosKey algorithm names are not specified

Xuelei Fan xuelei.fan at oracle.com
Wed Apr 9 02:27:56 UTC 2014


> Yes, that is still my preference.
OK.

Thanks,
Xuelei

On 4/9/2014 9:50 AM, Weijun Wang wrote:
> 
> 
> On 4/9/2014 9:15, Xuelei Fan wrote:
>> On 4/9/2014 8:53 AM, Weijun Wang wrote:
>>> There is already getKeyType() and toString().
>> ;-) They should not lower the standards to design another good method.
> 
> I just meant different methods serve for different purposes.
> 
>>
>>> Also I don't think
>>> "kid-2014" is useful. If people really want to inspect the result, I
>>> expect they would fall into the "default" or "else" block anyway.
>>>
>> There is a constructor to put unknown or private key type:
>>      KerberosKey(KerberosPrincipal principal,
>>                  byte[] keyBytes,
>>                  int keyType, int versionNum)
>>
>> Which will accept any kind of integer key type.
> 
> Yes, this method does not need to understand the keyType to generate a
> key. However, the one we are talking about now must understand the
> algorithm name and call its string2key() method to generate the key from
> a passphrase. So even if you provide "kid-2014", it still has to throw
> an IllegalArgumentException.
> 
>>
>> I think it might be help to get the algorithm in string even if key type
>> is not supported (getKeyType() is not as convenient as getAlgorithm() to
>> get the string algorithm, toString() covers too much information if one
>> only needs to know the algorithm).
>>
>>     KerberosKey kk = new KerberosKey(..., 123, 0);
>>     String alg = kk.getAlgorithm();   // "unknown" returns
>>
>>     KerberosKey kk = new KerberosKey(..., 124, 0);
>>     String alg = kk.getAlgorithm();   // "unknown" returns
>>
>>     KerberosKey kk = new KerberosKey(..., -123, 0);
>>     String alg = kk.getAlgorithm();   // "private" returns
>>
>>     KerberosKey kk = new KerberosKey(..., -124, 0);
>>     String alg = kk.getAlgorithm();   // "private" returns
> 
> I would expect actual developers calling getKeyType() more often because
> it's easy to deal with in Kerberos. In this sense, getAlgorithm() only
> exists to override the method in Key.
> 
>>
>> At least for meaningful debug log or exception message, "unknown" and
>> "private" is not as instinctive as "xxx-123" and "xxx-124".
>>
>> Anyway, not a big concern of mine.  Please go ahead if you prefer
>> "unknown" and "private".
> 
> Yes, that is still my preference.
> 
> Thanks
> Max
> 
>>
>> Xuelei
>>
>>> --Max
>>>
>>> On 4/9/2014 7:57, Xuelei Fan wrote:
>>>> Looks fine to me.
>>>>
>>>> I was wondering, whether it is a little bit more instinctive to
>>>> return a
>>>> string with the type number for "unknown" and "private" algorithm in
>>>> KerberosKey.getAlgorithm().  For example:
>>>>
>>>>       "unknown" -> "kid-2014"
>>>>       "private" -> "kid-(2014)"
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 4/8/2014 10:37 AM, Weijun Wang wrote:
>>>>> Hi All
>>>>>
>>>>> Please review the code changes at
>>>>>
>>>>>      http://cr.openjdk.java.net/~weijun/8035986/webrev.00/
>>>>>
>>>>> It's about using IANA names in KerberosKey instead of old non-standard
>>>>> names.
>>>>>
>>>>> Thanks
>>>>> Max
>>>>
>>




More information about the security-dev mailing list