RFR 6722928: Support SSPI as a native GSS-API provider

Weijun Wang weijun.wang at oracle.com
Fri Dec 7 02:45:02 UTC 2018 

Hi Nico,

Your detailed analysis is very valuable and I've included the whole text into https://bugs.openjdk.java.net/browse/JDK-8214988. I knew GSSName was complicated at the beginning and I remember I've especially asked you to look at it in my initial code review request. I think I have a better understanding now but unfortunately we are not likely to fix the native library very soon since RDP 1 for JDK 12 is near [1].

Let's come back to this bug. Yesterday I sent out a plan (pasted below):

> Since GSSName::isMN is always true, every gss_name_t must be a MN and I decide the name to be always krb5 style and the type to be always NT_KRB5_NAME. However, somewhere in the JGSS native bridge implementation the name and type are cached on the Java side, therefore the result of gSSMananger.createName("service at host", NT_HOSTBASED_SERVICE) does have toString() being service at host and type being NT_HOSTBASED_SERVICE. When canonicalize() is called, even if the GSS-API canonicalize_name() is not called a new gss_name_t is created and the Java side cache will be recreated, and this time name becomes service/host and type becomes NT_KRB5_NAME.
> 
> Is this what you like to see?
> 
> As for export(), I can also output a/b at . When the result is imported as a NT_EXPORT_NAME, I'll remember to remove the @ at the end.
> 
> The result is:
> 
>    GSSManager m = GSSManager.getInstance();
>    GSSName n = m.createName("service at host", GSSName.NT_HOSTBASED_SERVICE);
>    // n is now (service at host, NT_HOSTBASED_SERVICE)
>    n = n.canonicalize(new Oid("1.2.840.113554.1.2.2"));
>    // n is now (service/host, NT_KRB5_NAME)
>    byte[] x = n.export();
>    // 0000: 04 01 00 0B 06 09 2A 86   48 86 F7 12 01 02 02 00  ......*.H.......
>    // 0010: 00 00 0D 73 65 72 76 69   63 65 2F 68 6F 73 74 40  ...service/host@
>    n = m.createName(x, GSSName.NT_EXPORT_NAME);
>    // n is now (service/host, NT_KRB5_NAME)

I think the result is quite good. It's like the native bridge itself has stored a non-MN (except that its isMN() is true) although inside the new library there is only MN.

And you mentioned about ServicePermission check, this means I cannot export a/b@ only and the realm is needed. The latest webrev is at

   https://cr.openjdk.java.net/~weijun/6722928/webrev.02/

Any other comment? You said you wanted to check the krb5 <-> SPNEGO token translation codes.

Thanks,
Max

[1] https://openjdk.java.net/projects/jdk/12/

> On Dec 7, 2018, at 2:48 AM, Nico Williams <Nico.Williams at twosigma.com> wrote:
> 
> On Wed, Dec 05, 2018 at 11:41:44AM +0800, Weijun Wang wrote:
>> Java's GSSName::isMN always returns true, therefore to my observation, the
>> GSS-API canonicalize_name() is not called if GSSName::canonicalize is called.
> 
> That *would* be a valid design choice (per RFCs 2743 and 2744), but it requires
> always calling gss_canonicalize_name() immediately when you gss_import_name() a
> string (as opposed to an exported name token).
> 
> However, to do this you have to canonicalize the name for every mechanism
> indicated by gss_indicate_mechs()!  And then it wouldn't be clear what to
> output from toString() when the native provider supports multiple mechanisms,
> so I don't recommend this design choice.
> 
> But the JGSS JNI bindings isn't actually doing any of that.
> 
> Instead the JGSS JNI bindings outright lies about the name claiming it's an MN
> when it may not be.  I'm not sure how much appetite we should have to fix this
> sort of buglet, but it should be fixed, really.
> 
> If I'd noticed this buglet a couple of years ago then our contribution would
> include a fix for it :(
> 
>> It is only called in export(), where the first call to export_name() might
> 
> (And in getKrbName(), which is used only for JAAS permissions checks.)
> 
>> return "Name is not MN" (MIT krb5 behavior) and then the bridge automatically
>> call canonicalize_name() and export_name() again.
> 
> Right.
> 
>> And then, the export format is only useful when importing a NT_EXPORT_NAME.
> 
> The export name is meant for two things:
> 
> - to be able to get a stable token you can store in things like ACLs
> 
> - to be able to memcmp() for name equality, which has different semantics than
>   gss_compare_name()
> 
>> So, seems like both export_name() and canonicalize_name() are quite useless
>> (at least in the view of the native bridge).
> 
> Exported name tokens have uses (see above), and it does work in JGSS.  So
> exportName is not at all useless.
> 
> canonicalizeName(), however, is pretty useless.  Because
> gss_canonicalize_name() is pretty useless.
> 
> gss_canonicalize_name() was originally intended so that one could write an
> application that takes a user-input principal name, canonicalizes it, exports
> it, and stores the exported name token in an ACL.
> 
> The problems with gss_canonicalize_name() are:
> 
> a) It can require credentials in order to talk to a directory, but there's no
>   input credentials handle argument.
> 
>   E.g., given referrals, to properly canonicalize a name with Kerberos
>   requires doing TGS exchanges, which requires Kerberos client credentials.
> 
> b) A directory may be required for the canonicalization step, but none may be
>   available.
> 
>   E.g., imagine a GSS mechanism that uses PKIX certificates...  How would you
>   resolve a name "nico" of username name-type to something like CN=nico,...?
> 
>   For some realms you could have local mapping rules configuration to do that
>   with, but in the general case you'd need a directory (LDAP, say), and you'd
>   have to know how to search it for this.  There isn't always a directory that
>   allows these searches, and it's not always the case that certificates issued
>   by some CA adhere to a rigid naming convention.
> 
>   Even if you use various subjectAlternativeName name types, you'd still have
>   canonicalization issues that might require a directory.
> 
>   Oh, and searching any such directory would presumably require credentials;
>   see (a).
> 
> We've had a few lengthy discussions of this on the KRB-WG and KITTEN mailing
> lists.  And I suspect if you look you might find discussions of this in the old
> CAT WG mailing list from the early- and mid-90s.
> 
> Because of its shortcomings, I'm inclined to not worry too much about
> gss_canonicalize_name(), but isMN() *must not* lie, that's for sure, so in the
> end I'm inclined to just fix GSSNameElement to know whether a name is an MN,
> and to have a proper, public canonicalize() method that calls the native
> canonicalizeName() method (and so gss_canonicalize_name()).
> 
> If you do all this then exportName() need not have that fallback code path to
> call gss_canonicalize_name().  In principle it's a bug to do that because,
> again, if the native GSS provider supports multiple mechanisms, which mechanism
> should exportName() pick?!  This sort of bug has been papered over by
> supporting only Kerberos and SPNEGO, since ultimately that means supporting
> only Kerberos.  But there are other mechanisms that might be supported.  E.g.,
> MSFT has one called PKU2U that uses PKIX credentials instead of Kerberos, and
> Globus has one that uses TLS for the same purpose.
> 
>> What's your ideal output? The toString of canonicalize() and import(export)
>> always showing krb5 style and name type being KRB5_NAME?
> 
> In the JNI bindings toString() should always output whatever gss_display_name()
> outputs.  Full stop.
> 
> The effect of that, if the bindings only call gss_canonicalize_name() when the
> Java canonicalize() method is called, would be this:
> 
> - if a name is not an MN, meaning it wasn't output by gss_canonicalize_name(),
>   gss_accept_sec_context(), gss_inquire_context(), or gss_import_name() of a
>   GSS_C_NT_EXPORTED_NAME token, then toString() should return the original
>   name from the gss_import_name() call (the GSSNameElement constructor);
> 
> - otherwise (if a name is an MN), then toString() should return the output of 
>   gss_display_name() as applied to the MN
> 
> If the JNI bindings were to aggressively call gss_canonicalize_name() early,
> then you'd have to choose a mechanism whose name display form to output in
> toString() (see above).
> 
> Nico
> --

More information about the security-dev mailing list