[JDK-8223172] Incomplete/Unusable Kerberos Cross-Realm Referrals Support

Osipov, Michael michael.osipov at siemens.com
Wed Sep 25 21:27:17 UTC 2019


Hi folks,

apologies upfront that I wasn't able to when Martin Balao asked for a 
review of the code. I finally managed to test it and cannot see that it is 
working in any way here.

I won't dive into my use case now, but will depict two simple cases which 
are not possible.

All tests were performed with Oracle JDK 13 on Windows 7:
> java version "13" 2019-09-17
> Java(TM) SE Runtime Environment (build 13+33)
> Java HotSpot(TM) 64-Bit Server VM (build 13+33, mixed mode, sharing)

1. kinit (JDK bundled) does not work. It neither provides an '-E' 
option nor sends NT-ENTERPRISE; it only sends NT-UNKNOWN:

> 0000   30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63   0%.......0...mic
> 0010   68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d   hael.osipov@siem
> 0020   65 6e 73 2e 63 6f 6d                              ens.com

Byte 0x06 is the name type NT-UNKNOWN (0). In contrast, with 
MIT Kerberos 1.17 and 'kinit -E' I see in Wireshark:

> 0000   30 25 a0 03 02 01 0a a1 1e 30 1c 1b 1a 6d 69 63   0%.......0...mic
> 0010   68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d   hael.osipov@siem
> 0020   65 6e 73 2e 63 6f 6d                              ens.com

Byte 0x06 is now the name type NT-ENTERPRISE-PRINCIPAL (10).

Trying the very same with LSA on Windows ("run as user"), I always get 
type 10 for my implicit UPN osipovmi@AD001.SIEMENS.NET. It only uses 
NT-PRINCIPAL when I provide the local part (samAccountName).

2. Using the appropriate OID for the enterprise principal:

> 	package com.siemens.dynamowerk;
> 
> 	import org.ietf.jgss.GSSException;
> 	import org.ietf.jgss.GSSManager;
> 	import org.ietf.jgss.GSSName;
> 	import org.ietf.jgss.Oid;
> 
> 	public class Main {
> 		public static void main(String[] args) throws GSSException {
> 
> 			GSSManager m = GSSManager.getInstance();
> 
> 			// Name-type OIDs: MS UPN, Kerberos principal name, and the Kerberos
> 			// enterprise principal name (GSS_KRB5_NT_ENTERPRISE_NAME, RFC 6806)
> 			Oid msUpnOid = new Oid("1.3.6.1.4.1.311.20.2.3");
> 			Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
> 			Oid krb5EnterprisePrincialOid = new Oid("1.2.840.113554.1.2.2.6");
> 
> 			Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
> 			GSSName upn = m.createName("michael.osipov@siemens.com", krb5EnterprisePrincialOid);
> 		}
> 	}

gives me:
> Exception in thread "main" GSSException: Name of unsupported type provided (Mechanism level: 1.2.840.113554.1.2.2.6 is an unsupported nametype)
> 	at java.security.jgss/sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:87)
> 	at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99)
> 	at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
> 	at java.security.jgss/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:478)
> 	at java.security.jgss/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
> 	at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
> 	at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:151)
> 	at java.security.jgss/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
> 	at com.siemens.dynamowerk.Main.main(Main.java:20)

and yes, the OID has never been defined in that class [1], but is 
present in MIT Kerberos [2].

I haven't tried a programmatic kinit, but as mentioned in the notes 
[3], Krb5LoginModule does not support it, so I don't even have to try.


Any insights?

Besides that, it'd be very cool if this got into 11u or, better yet, 
8u. I talked with Weijun about this several times many years ago 
for Java 7+. I have no option to use anything other than Java 8 for now.

If someone wants to know more about my use case, I'd be happy to lay 
it out in detail. I do need at least krb5EnterprisePrincialOid and, 
better still, msUpnOid for my use case.

The only option I see now is to write a delegating wrapper for this:

>  GSSName upn = m.createName("michael.osipov@siemens.com", krb5PrincipalOid);
> 
>  // WrappedGSSName delegates every call to 'upn' but reports the
>  // enterprise principal OID from getStringNameType()
>  GSSName wrappedUpn = new WrappedGSSName(upn, krb5EnterprisePrincialOid);
> 
>  System.out.println(wrappedUpn);
>  System.out.println(wrappedUpn.getStringNameType());

> michael.osipov@siemens.com
> 1.2.840.113554.1.2.2.6

Michael

[1] https://github.com/AdoptOpenJDK/openjdk-jdk13u/blob/bb0786d980437800b9d6efe17e42d18241714ea1/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5MechFactory.java#L51-L61
[2] https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html
[3] http://mail.openjdk.java.net/pipermail/security-dev/2018-December/018952.html
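Added example (editor's code, not part of Michael's post or of the JDK): a small DER codec for the Kerberos PrincipalName structure (RFC 4120 section 5.2.2) that decodes the two cname captures quoted above and re-encodes a name with a chosen name-type. Reading "byte 0x06" works in the dumps only because the outer length and the INTEGER each fit in one octet; this decoder walks the TLVs instead, so it also handles long-form lengths and multi-component names such as HTTP/host. The name-type numbers are from RFC 4120 section 6.2 and RFC 6806; the hex captures are copied from the post, and the constant names and function names are this example's own.

```python
# Added example (not from the post): DER codec for RFC 4120 PrincipalName
#   PrincipalName ::= SEQUENCE { name-type [0] Int32,
#                                name-string [1] SEQUENCE OF KerberosString }

NT_UNKNOWN = 0      # RFC 4120 section 6.2
NT_PRINCIPAL = 1
NT_ENTERPRISE = 10  # NT-ENTERPRISE-PRINCIPAL, RFC 6806
NAME_TYPES = {NT_UNKNOWN: "NT-UNKNOWN", NT_PRINCIPAL: "NT-PRINCIPAL",
              NT_ENTERPRISE: "NT-ENTERPRISE-PRINCIPAL"}

# cname sent by the JDK-bundled kinit (name-type 0) and by MIT 'kinit -E'
# (name-type 10), copied from the Wireshark dumps in the post.
JDK_KINIT_CNAME = bytes.fromhex(
    "3025a003020100a11e301c1b1a6d6963"
    "6861656c2e6f7369706f76407369656d"
    "656e732e636f6d")
MIT_KINIT_E_CNAME = bytes.fromhex(
    "3025a00302010aa11e301c1b1a6d6963"
    "6861656c2e6f7369706f76407369656d"
    "656e732e636f6d")


def _read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def _tlv(tag, value):
    """Encode one DER TLV with a minimal short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(v):
    """Minimal two's-complement INTEGER content for a non-negative Int32."""
    if v < 0:
        raise ValueError("negative name-type not supported")
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def parse_principal_name(der):
    """Decode a DER PrincipalName into (name_type, [components])."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, nt_field, pos = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] name-type")
    tag, nt_bytes, _ = _read_tlv(nt_field, 0)
    if tag != 0x02:
        raise ValueError("name-type must be an INTEGER")
    name_type = int.from_bytes(nt_bytes, "big", signed=True)
    tag, ns_field, pos = _read_tlv(seq, pos)
    if tag != 0xA1 or pos != len(seq):
        raise ValueError("expected [1] name-string as the last field")
    tag, ns_seq, _ = _read_tlv(ns_field, 0)
    if tag != 0x30:
        raise ValueError("name-string must be a SEQUENCE")
    parts, p = [], 0
    while p < len(ns_seq):
        tag, s, p = _read_tlv(ns_seq, p)
        if tag != 0x1B:  # universal tag 27 = GeneralString
            raise ValueError("name-string component must be a GeneralString")
        parts.append(s.decode("ascii"))
    return name_type, parts


def encode_principal_name(name_type, parts):
    """Encode (name_type, [components]) as a DER PrincipalName."""
    nt = _tlv(0xA0, _tlv(0x02, _der_int(name_type)))
    body = b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts)
    return _tlv(0x30, nt + _tlv(0xA1, _tlv(0x30, body)))


def describe(der):
    """Human-readable form, e.g. 'NT-ENTERPRISE-PRINCIPAL (10): user@realm'."""
    name_type, parts = parse_principal_name(der)
    label = NAME_TYPES.get(name_type, "NT-%d" % name_type)
    return "%s (%d): %s" % (label, name_type, "/".join(parts))


if __name__ == "__main__":
    print("JDK kinit   :", describe(JDK_KINIT_CNAME))
    print("MIT kinit -E:", describe(MIT_KINIT_E_CNAME))
```

Running it shows the two captures differing only in the name-type INTEGER, and encode_principal_name(NT_ENTERPRISE, ["michael.osipov@siemens.com"]) reproduces the MIT bytes exactly, which is a handy check when comparing what a client puts on the wire against what a KDC that implements referrals expects.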
