RFR: 8367344: Better error message when decryption of AP-REQ fails because of kvno mismatch
Weijun Wang
weijun at openjdk.org
Tue Sep 16 17:05:31 UTC 2025
On Tue, 16 Sep 2025 16:11:46 GMT, Mikhail Yankelevich <myankelevich at openjdk.org> wrote:
>> For interoperability, AP-REQ decryption uses the key with the highest kvno in the keytab if no exact match is found. If decryption fails, a normal "checksum failed" error is reported, which may hide the real cause that the wrong key is used. This code change throws a KRB_AP_ERR_BADKEYVER error in this case.
>>
>> The change is only made in AP-REQ decryption to minimize impact. A previous test is enhanced to cover the case.
>
> src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java line 578:
>
>> 576: Integer kv = keys[i].getKeyVersionNumber();
>> 577: etypeFound = true;
>> 578: if (versionMatches(kvno, kv)) {
>
> I believe there is no coverage for this block. Do you think expanding the test would be reasonable in this pr?
Thanks. Actually when I tried to add a test I found some coding issues. I'm fixing now.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27298#discussion_r2353132169
More information about the security-dev
mailing list