RFR: 8245527: LDAP Channel Binding support for Java GSS/Kerberos
Weijun Wang
weijun at openjdk.java.net
Tue Sep 22 15:43:56 UTC 2020
On Mon, 21 Sep 2020 08:19:28 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
> Hi,
>
> Plaese review JDK-8245527 fix which implements LDAP Channel Binding support for Java GSS/Kerberos.
> Initial review is available at core-devs: https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-August/068197.html
> This version removes "tls-unique" CB type from the list of possible channel binding types. The only supported type is
> "tls-server-end-point"
> CSR is also updated : https://bugs.openjdk.java.net/browse/JDK-8247311
>
> Thank you
> Alexey
I'm mostly OK with the SASL/JGSS part, except for the small nits in this comment. I'm not an expert on
HandshakeCompletedListener.
src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java line 156:
> 154: if (props != null) {
> 155: // TLS Channel Binding
> 156: byte[] tlsCB = (byte[])props.get("jdk.internal.sasl.tlschannelbinding");
You can say the name is defined in another class in another module. If we really want to rename it one day we will know
where it's from.
src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitialToken.java line 389:
> 387: int acceptorAddressType = getAddrType(acceptorAddress,
> 388: (channelBinding instanceof TlsChannelBindingImpl)?
> 389: CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR);
Normally we put a white space around "?" and ":".
src/java.naming/share/classes/com/sun/jndi/ldap/sasl/TlsChannelBinding.java line 82:
> 80: /**
> 81: * Parse value of "com.sun.jndi.ldap.tls.cbtype" property
> 82: * @param cbType
Please add a `@return` here, esp, about null.
src/java.naming/share/classes/com/sun/jndi/ldap/sasl/TlsChannelBinding.java line 137:
> 135: public TlsChannelBindingType getType() {
> 136: return cbType;
> 137: }
Add a new line here.
-------------
PR: https://git.openjdk.java.net/jdk/pull/278
More information about the security-dev
mailing list