RFR 6722928: Support SSPI as a native GSS-API provider
Weijun Wang
weijun.wang at oracle.com
Tue Dec 4 02:55:49 UTC 2018
> On Nov 29, 2018, at 10:00 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
>> - gss_canonicalize_name() is not fully implemented. This will be noticeable
>> to callers of GSSNameElement's getKrbName(). In particular, permissions
>> checks will fail (e.g., in GSSCredElement's doServicePermCheck(); similarly
>> in NativeGSSContext).
>>
>> At minimum you absolutely must parse generic GSS name type names into
>> Kerberos-style names (e.g., service at hostname -> service/hostname@).
>
> OK.
I'm playing with the Java native bridge to MIT krb5 and noticed that whatever GSSName I created (user, user at REALM, service at host) the toString() of the original GSSName and its canonicalize(KRB5_OID) are always the same (and the same as the original input). On the other hand, the export() forms of them are also the same and show Kerberos-style names.
From the debug output, I can see the first export() call notices it's not MN and canonicalize automatically.
In my library, since there is only one mechanism, the name is created as MN at the beginning. So in import_name() you can see service at host is already changed into service/host, canonicalize_name() does nothing, and export_name() adds the realm. Is this also OK?
Summary:
Input MIT name export MIT mn export my name export my mn export
----- -------- ------ ------ ------ ------- ------ ----- ------
a a a at R a a at R a a at R a a at R
s at h s at h s/h@ s at h s/h@ s/h s/h at R s/h s/h at R
Thanks
Max
More information about the security-dev
mailing list