sun.security.spnego.msinterop does not work anymore/disable by default for 15
Osipov, Michael
michael.osipov at siemens.com
Tue Apr 14 21:09:03 UTC 2020
Hi Max,
I have just wasted an entire day to make the following observation:
Running Java 8u242, SPNEGO acceptor via HTTP. SSPI clients constantly
report: SEC_E_INVALID_TOKEN. Tried with Java via JNA, Java via new SSPI
Bridge, Python SSPI Negotiate module. Regardless of what I do the token
generated by Java is invalid for the initiator.
I am running a Windows 10 client on my desktop.
A MIT Kerberos acceptor reponds:
>
oYG2MIGzoAMKAQChCwYJKoZIgvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuixaQG7nwXC0uiguOl256srmAhgjVD9A5OgHQ+fXdJ03zNMQhLu2ly93WzHfUxaDOKZPS5Wkfz1NHVyRMiYcS7EwzYg+c97Q0aYOLqcQG+0j3pGVHFWzEyMZW4OoWOD6avnX9dI+oDE
An ASN.1 sequence with three members. Java, SSPI, MIT Kerberos accept
this one.
JGSS responds:
>
oYHzMIHwoAMKAQChCwYJKoZIgvcSAQICom0Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQT2FosuhMJoIXpAw4GyGADOfD7bsyPGfNAvUV1kKJGqR/0X+2rzby4XU5qWYypCT4asVvlw6LkWbK79P6vaT5vCQo20Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQT2FosuhMJoIXpAw4GyGADOfD7bsyPGfNAvUV1kKJGqR/0X+2rzby4XU5qWYypCT4asVvlw6LkWbK79P6vaT5vCQ
Sequence has four members. The last two members are the encrypted
response token twice(!). Java and MIT Kerberos accept this, SSPI rejects.
After poking around for hours I have found
sun.security.spnego.msinterop. As soon as this one is set to false
(default: true). Following token is genereated:
>
oYGEMIGBoAMKAQChCwYJKoZIgvcSAQICom0Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQRS9XZ5wjfA5wj832Zs9pufcP6IRArfBgG6/2XiU/vv2++i1vK/kmhc3UIa9X4nb2e7+CgCXV7X1rK30vCHKTeIv
Three members, but the token is almost as twice as small as the one from
MIT Kerberos.
A SSPI acceptor returns:
>
oYG2MIGzoAMKAQChCwYJKoZIgvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuuhFIL4c9Nzov6g93sh5Q81AB2c5nK5ZyQQXcN1TmNaCDjsdn9irTnui7NO3ogemrrUO6sRT2A7hB01mwvY23ZVetNaQ/DCmnI8q2ATppcFf9yUPRNDZ8Gqg2FlKSTeusK5fcFQOjZmmxXB1vbRo=
three members and 110 bytes just like MIT Kerberos.
Decoded with: https://lapo.it/asn1js
Two important points arise here:
* As far as I remember MIT Kerberos never returned anything else. This
hack does not work for SSPI initiators anymore, at least here on Windows
10. File an issue with JBS? Request to set to false for 15, reqeust
backport and document it?
* Why is the token as twice as small?
Michael
More information about the security-dev
mailing list