RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Xuelei Fan xuelei.fan at oracle.com
Wed Sep 17 02:27:22 UTC 2014

I'm OK with the doPrivileged-with-permission mode.

Generally speaking, we only need to define the authentication part of a
cipher suite for KRB5 implementation.  I was wondering, can we simplify
the code more as follow:
1. define an private external authentication interface, which:
   a. generate key exchange message;
   b. read key exchange message;
   c. generate pre-master secret.

2. This interface can be implemented for key exchange/authentication as
KRB5 (RFC 2712), SRP (RFC 5054), PSK (RFC 4279), etc.

For this fix, we probably want to:
1. move KerberosClientKeyExchange.java to krb5 model.
2. update ExternalCipherSuiteProvider (rename to KeyExchangeService?) to
support HandshakeMessage parser and generation, and the generation of
pre-master secret.
3. don't need Krb5Helper any more, call the new interface directly.

After the update, the SunJSSE provider would only known the algorithm
name of the KRB5 key exchange.

What do you think?


On 9/16/2014 9:31 AM, Wang Weijun wrote:
> Hi Xuelei
> Please review the latest code change at
>    http://cr.openjdk.java.net/~weijun/8038089/webrev.04/
> Compared with webrev.03, only the way the provider is loaded is changed, which is the static block on lines 50-71 of Krb5Helper.java.
> Thanks
> Max

More information about the security-dev mailing list