RFR 6722928: Support SSPI as a native GSS-API provider

Weijun Wang weijun.wang at oracle.com
Thu Nov 29 02:00:02 UTC 2018

Thanks a lot. Some comments inline.

> On Nov 29, 2018, at 1:55 AM, Nico Williams <Nico.Williams at twosigma.com> wrote:
> On Tue, Nov 20, 2018 at 09:56:36AM +0800, Weijun Wang wrote:
>> Please take a review at
>>   https://cr.openjdk.java.net/~weijun/6722928/webrev.01/
>> We ported [1] the native GSS bridge to Windows in JDK 11, but user still have
>> to download and install a native GSS-API library. This code change provides a
>> native GSS-API library inside JDK that can be used without setting the
>> "sun.security.jgss.lib" system property. It is based on Windows SSPI and now
>> only supports the client side using the default credentials.
>> No regression tests included. A Windows Active Directory server is needed.
> This is my initial round of comments, and it's mostly high-level:
> - Right now this looks very basic, and you won't get support for any
>   mechanism other than Kerberos.  That's fine though, as NTLM is dead,
>   you're willing to implement SPNEGO yourself, and there are no other
>   GSS mechs on Windows at this time (so far as I know).
> - You're constructing SPNEGO tokens yourself.  I'll have to review that
>   very carefully.

I wrapped the outgoing token into NetTokenInit and extracted in incoming NegTokenTarg. This might fail if there are multiple rounds, but I think for kerberos it's OK.

>   It would be better to let Windows provide SPNEGO though...

But it might promote NTLM.

> - I've checked the DER-encoded OID constants.  They are correct.
> - The name type OID for GSS_KRB5_NT_PRINCIPAL_NAME is not implemented but is
>   used elsewhere (e.g., in one GSSNameElement constructor).  Look for
> - gss_canonicalize_name() is not fully implemented.  This will be noticeable
>   to callers of GSSNameElement's getKrbName().  In particular, permissions
>   checks will fail (e.g., in GSSCredElement's doServicePermCheck(); similarly
>   in NativeGSSContext).
>   At minimum you absolutely must parse generic GSS name type names into
>   Kerberos-style names (e.g., service at hostname -> service/hostname@).


>   When an MN is displayed, you need to output the Kerberos-style name.
>   (For those following along, "MN" means "mechanism name", which means
>   a GSSName / gss_name_t instance which is "canonical" and whose
>   display form will be mechanism-specific.  gss_canonicalize_name() is
>   supposed to output a "canonical" version of its input.)
>   You'll also have to determine a realm for the parsed principal names.
>   You won't need a realm for services.  Use an empty realm name for
>   services -- that's the Heimdal/MIT (and Solaris) convention for when
>   you're willing to rely on KDC referrals.
>   (I would also urge you to NOT attempt any DNS canonicalization of
>   hostnames.  Let's not further spread that mistake.)

I didn't.

>   For user principals it's trickier, and I think you might need some notion of
>   default realm, but a) maybe you can get away with an empty realm here on
>   Windows, b) I'm not sure where you'd a default realm on Windows.

I'm using the environment variable USERDNSDOMAIN now.

>   What we do to determine the default realm for user names in our
>   patched version of Martin Rex's GSS->SSPI bridge is call
>   AcquireCredentialsHandle() or QueryCredentialsAttributesW() to
>   get/query the default credential and get its name, and from that the
>   realm, and we use that as the default realm.
>   I'll have to look and see how we handle host-based service names
>   (Martin's original code has a domain_realm table in the registry, but
>   we removed all of that and rely on referrals instead.)
> - If you can get Legal approval for including / distributing a fork of
>   Martin Rex's bridge, you'll get all of the above functionality and
>   also acceptor functionality.

Anyway, one can use his bridge with -Dsun.security.jgss.lib.


> Nico
> -- 

More information about the security-dev mailing list