RFR: 8349546: Linux support for Kerberos "nativeccache" functionality [v10]

Shawn M Emery duke at openjdk.org
Wed Nov 12 01:40:12 UTC 2025 

On Mon, 3 Nov 2025 18:50:37 GMT, Nick Hall <duke at openjdk.org> wrote:

>> _Purpose_
>> 
>> This PR allows Linux based applications using JAAS to acquire Kerberos TGTs natively using the local system's Kerberos libraries/configuration, building on existing support on Windows/MacOSX.
>> 
>> _Rationale_
>> 
>> Currently the (pure java) JAAS codebase only supports file-based credential caches (ccaches).  There are many other useful types of ccache accessible via the local system libraries; this change allows credentials to be acquired natively using those libraries, and thus adds support for all other ccache types supported by the local system (e.g. KCM, in-memory and kernel types),  This support already exists on MacOSX and Windows.
>> 
>> The code change here largely uses the MacOSX code, edited for Linux with associated build system changes. It also adds an appropriate jtreg test which uses some native test helper code to manufacture an in-memory cache, and then uses the new code to acquire these credentials natively.  This has been tested on Linux/Mac and the jtreg test passes on each (I couldn't see any existing tests on MacOSX for this feature).
>> 
>> Additionally this PR fixes a bug that's existed for a while (see L585-588 in `nativeccache.c`) - without this code, this is a 100% reproducible segfault on Linux (it's unclear why this hasn't affected the Mac JVMs up to now, probably just no calling code that provides an empty list of addresses).  It also fixes a (non problem) typo in the variable name in a function prototype.
>> 
>> _Implementation Detail_
>> 
>> Note that there were multiple possible ways of doing this:
>> 
>> 1) Duplicate the MacOSX `nativeccache.c`, edit lightly for Linux and build a new library on Linux only (`liblinuxkrb5`), leaving MacOSX largely unchanged, but at the expense of this code duplication.
>> 
>> 2) Create a new shared library used on both platforms with conditional compilation to manage the differences.  This necessitates a library name change on MacOSX and potentially knock-on packaging changes on that platform, which seemed a potentially expensive side-effect.
>> 
>> 3) Create a shared `nativeccache.c` (using `EXTRA_SRC` in the build) and build separate MacOSX/Linux libraries.  This allows the MacOSX library name to remain unchanged, and only adds a new library in Linux.
>> 
>> I tried all three options; 3 seemed to be the best compromise all around, although is one of the options that effectively introduces a "no-op" change on MacOSX as a result.  Hopefully the additional jtreg test is sufficient to compensat...
>
> Nick Hall has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Address second set of @erikj79's build comments

make/test/JtregNativeJdk.gmk line 126:

> 124:   # macOS: build with system krb5 and disable deprecation warnings
> 125:   BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libNativeCredentialCacheHelper := -lkrb5 -lcom_err
> 126:   BUILD_JDK_JTREG_LIBRARIES_CFLAGS_libNativeCredentialCacheHelper := -Wno-deprecated-declarations

Why doesn't the macosx target use the KRB5* variables as well?

src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java line 2:

> 1: /*
> 2:  * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.

nit: update copyright year

src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java line 335:

> 333:             if (OperatingSystem.isWindows() ||
> 334:                     OperatingSystem.isMacOS() ||
> 335:                         OperatingSystem.isLinux()) {

nit: extra tab?

src/java.security.jgss/share/native/libkrb5shared/nativeccache.c line 2:

> 1: /*
> 2:  * Copyright (c) 2011, 2024, Oracle and/or its affiliates. All rights reserved.

nit: update copyright year

test/jdk/sun/security/krb5/native/NativeCacheTest.java line 26:

> 24: /*
> 25:  * @test
> 26:  * @bug 8123456

`@bug` annotation not relevant here

test/jdk/sun/security/krb5/native/libNativeCredentialCacheHelper.c line 71:

> 69:     if (utf_chars == NULL) return NULL;
> 70: 
> 71:     char *result = strdup(utf_chars);

Should check for NULL here

test/jdk/sun/security/krb5/native/libNativeCredentialCacheHelper.c line 143:

> 141: }
> 142: 
> 143: 

nit: extra line

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516387392
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516256982
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516241205
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516233000
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516271877
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2513002208
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2513007140

More information about the security-dev mailing list