RFR: 8367344: Better error message when decryption of AP-REQ fails because of kvno mismatch [v2]
Weijun Wang
weijun at openjdk.org
Tue Sep 16 17:53:26 UTC 2025
On Tue, 16 Sep 2025 17:43:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> For interoperability, AP-REQ decryption uses the key with the highest kvno in the keytab if no exact match is found. If decryption fails, a normal "checksum failed" error is reported, which may hide the real cause that the wrong key is used. This code change throws a KRB_AP_ERR_BADKEYVER error in this case.
>>
>> The change is only made in AP-REQ decryption to minimize impact. A previous test is enhanced to cover the case.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> different exception for other etypes; test
Different etypes could throw different exceptions at decryption. All are still subtypes of `KrbException`.
Add test cases for all different types of etypes.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/27298#issuecomment-3299767697
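
The key selection and error reporting described in this message, sketched as an added example that is not part of the original message and is not the JDK's implementation: an exact kvno match is preferred, the highest kvno is the fallback, and a failure with the fallback key is reported as KRB_AP_ERR_BADKEYVER instead of a checksum failure. Assumptions: `KvnoFallbackDemo`, `KeytabEntry`, `seal` and `accept` are hypothetical names, an HMAC tag stands in for real etype decryption, and all keys and messages are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Comparator;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KvnoFallbackDemo {
    // Error codes as defined in RFC 4120.
    static final int KRB_AP_ERR_BAD_INTEGRITY = 31;
    static final int KRB_AP_ERR_BADKEYVER = 44;

    record KeytabEntry(int kvno, byte[] key) {}   // hypothetical model of a keytab entry

    // Stand-in for etype decryption: an HMAC tag plays the role of the checksum.
    static byte[] seal(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Returns 0 on success, otherwise the Kerberos error code to report.
    static int accept(List<KeytabEntry> keytab, int kvno, String msg, byte[] tag)
            throws Exception {
        KeytabEntry exact = keytab.stream()
                .filter(e -> e.kvno() == kvno).findFirst().orElse(null);
        // No exact match: fall back to the highest kvno (throws on an empty keytab).
        KeytabEntry used = exact != null ? exact : keytab.stream()
                .max(Comparator.comparingInt(KeytabEntry::kvno)).orElseThrow();
        if (MessageDigest.isEqual(seal(used.key(), msg), tag)) {
            return 0;
        }
        // A failure with the fallback key most likely means the wrong key version.
        return exact == null ? KRB_AP_ERR_BADKEYVER : KRB_AP_ERR_BAD_INTEGRITY;
    }

    public static void main(String[] args) throws Exception {
        byte[] k1 = "constructed-key-v1".getBytes(StandardCharsets.UTF_8);
        byte[] k2 = "constructed-key-v2".getBytes(StandardCharsets.UTF_8);
        byte[] k3 = "constructed-key-v3".getBytes(StandardCharsets.UTF_8);
        List<KeytabEntry> keytab = List.of(new KeytabEntry(1, k1), new KeytabEntry(2, k2));
        String msg = "constructed authenticator";

        System.out.println(accept(keytab, 2, msg, seal(k2, msg)));       // exact match
        System.out.println(accept(keytab, 2, msg, seal(k2, msg + "x"))); // tampered
        System.out.println(accept(keytab, 3, msg, seal(k3, msg)));       // stale keytab
        System.out.println(accept(keytab, 7, msg, seal(k2, msg)));       // fallback works
    }
}
```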