[Bug] javax.security.auth.kerberos.KeyTab returns unrequested keys

Osipov, Michael (IN IT IN) michael.osipov at innomotics.com
Mon May 6 17:14:44 UTC 2024


Folks,

consider the following code:
> import java.io.File;
> import javax.security.auth.kerberos.KerberosKey;
> import javax.security.auth.kerberos.KerberosPrincipal;
> import javax.security.auth.kerberos.KeyTab;
>
> KeyTab keytab = KeyTab.getUnboundInstance(new File("..."));
> KerberosPrincipal principal = new KerberosPrincipal("foo$", KerberosPrincipal.KRB_NT_PRINCIPAL);
> KerberosKey[] keys = keytab.getKeys(principal);

Let's check the keytab for etype 18 only:
>   10 2022-08-04T11:55:55 foo$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>   10 2022-08-04T11:55:56 FOO$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>   11 2024-05-06T18:21:28 foo$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>   11 2024-05-06T18:21:29 FOO$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)

My expectation is that I get exactly *two* returned because according to
RFC 4120 KerberosString is case-sensitive (I know that MS Kerberos
deviates from it), but the method returns me *four* keys because
PrincipalName performs a case-insensitive match [1]. Comparing two equal
keys with KerberosKey#equals() gives me false because the principal is
compared case-sensitively [2].

Is this considered a bug?

Michael

I am on latest Java 8, but code looks identical for Java 22.

[1] 
https://github.com/openjdk/jdk/blob/a8b3f194e811eed6b20bce71c752705c7cd50d24/src/java.security.jgss/share/classes/sun/security/krb5/PrincipalName.java#L616-L637
[2] 
https://github.com/openjdk/jdk/blob/a8b3f194e811eed6b20bce71c752705c7cd50d24/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L259-L261
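An added example (not code from the post or from the JDK) that shows the mismatch described above and a defensive workaround: KeyTab#getKeys() may hand back keys for differently-cased principals, so the caller re-filters with KerberosPrincipal#equals(), which is case-sensitive. The class name, the realm EXAMPLE.COM and the zero-filled key bytes are assumptions constructed for the demonstration.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class ExactKeytabLookup {

    // Keep only the keys whose principal equals the requested one byte-for-byte.
    // KerberosPrincipal#equals compares the full name case-sensitively, so this
    // discards the extra keys that the case-insensitive PrincipalName match adds.
    static KerberosKey[] filterExact(KerberosKey[] candidates, KerberosPrincipal wanted) {
        List<KerberosKey> exact = new ArrayList<>();
        for (KerberosKey key : candidates) {
            if (wanted.equals(key.getPrincipal())) {
                exact.add(key);
            }
        }
        return exact.toArray(new KerberosKey[0]);
    }

    // Same lookup as in the post, with the exact-match filter applied on top.
    static KerberosKey[] getKeysExact(KeyTab keytab, KerberosPrincipal wanted) {
        return filterExact(keytab.getKeys(wanted), wanted);
    }

    public static void main(String[] args) {
        // Realm given inline so no krb5.conf default realm is needed (assumed realm).
        KerberosPrincipal lower = new KerberosPrincipal("foo$@EXAMPLE.COM", KerberosPrincipal.KRB_NT_PRINCIPAL);
        KerberosPrincipal upper = new KerberosPrincipal("FOO$@EXAMPLE.COM", KerberosPrincipal.KRB_NT_PRINCIPAL);
        byte[] dummy = new byte[32]; // constructed placeholder key material, not a real key

        // Constructed in memory to mirror the four etype-18 entries (kvno 10 and 11,
        // both spellings) that the post's keytab listing shows getKeys() returning.
        KerberosKey[] asReturned = {
            new KerberosKey(lower, dummy, 18, 10),
            new KerberosKey(upper, dummy, 18, 10),
            new KerberosKey(lower, dummy, 18, 11),
            new KerberosKey(upper, dummy, 18, 11),
        };
        System.out.println("candidates (case-insensitive match): " + asReturned.length);
        System.out.println("exact (case-sensitive match):        " + filterExact(asReturned, lower).length);

        // Optional: run the filtered lookup against a real keytab given on the command line.
        if (args.length == 1) {
            KeyTab keytab = KeyTab.getUnboundInstance(new File(args[0]));
            System.out.println("exact keys from keytab: " + getKeysExact(keytab, lower).length);
        }
    }
}
```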
