RFR: 8273670: Remove weak etypes from default krb5 etype list

Sat Sep 25 01:30:54 UTC 2021

On Fri, 24 Sep 2021 22:01:26 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well.
>
> src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 111:
> 
>> 109:         } else {
>> 110:             supportedETypes = Arrays.copyOf(result, num);
>> 111:         }
> 
> nit: it seems clearer to base supportedETypes on defaultETypes, e.g.
> <pre>        if (allowWeakCrypto) {
>             supportedETypes = Arrays.copyOf(defaultETypes,
>                 defaultETypes.length + 4);
>             supportedETypes[defaultETypes.length] =
>                     EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
>             supportedETypes[defaultETypes.length + 1] =
>                     EncryptedData.ETYPE_ARCFOUR_HMAC;
>             supportedETypes[defaultETypes.length + 2] =
>                     EncryptedData.ETYPE_DES_CBC_CRC;
>             supportedETypes[defaultETypes.length + 3] =
>                     EncryptedData.ETYPE_DES_CBC_MD5;
>         } else {
>             supportedETypes = defaultETypes;
>         }
> </pre>

Yes.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5654