JDK-5006629 : Kerberos library should only select keys of types that it supports

Details
Type: Bug
Submit Date: 2004-03-02
Status: Resolved
Updated Date: 2004-09-09
Project Name: JDK
Resolved Date: 2004-04-06
Component: security-libs
OS: solaris_8
Sub-Component: org.ietf.jgss:krb5
CPU: sparc
Priority: P3
Resolution: Fixed
Affected Versions: 5.0
Fixed Versions: 5.0 (b44)

Related Reports
Backport:

Sub Tasks

Description
The Java Kerberos library sometimes cannot use keytabs that contain keys of
encryption types that it does not support, even though the same keytabs
might contain keys of encryption types that it does support. The problem
is that when asked to get a key from the keytab for a service, the library
simply gets the last key from the keytab for that service. It does not
look for keys that it can support. Consequently, when it tries to use
the key, it gets an error.

This creates an interoperability issue. Java clients cannot use keytabs
generated by other systems that support other encryption types and happen
to put those keys after the DES keys.


Comments
SUGGESTED FIX

The service key is obtained via the following code path:

Krb5LoginModule.attemptAuthentication();
<- EncryptionKey.acquireSecretKey(principal, keyTabName);
  <- KeyTab.readServiceKey(principal);

KeyTab.readServiceKey(principal) reads the *last* key entry from the
keytab that matches the service principal name supplied. It doesn't
check the keytype at that point, just records it. Later on, when
the key gets used, say, in EncryptedData:

	EType etypeEngine = EType.getInstance(key.getEType());

It discovers that it doesn't have support for that keytype and then fails.

It seems that an appropriate fix would be to check in readServiceKey()
that the key being returned is one that can be supported instead of
just getting the last key in the keytab.
2004-09-10
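An illustration of the selection change proposed in the comment above, added here as example code and not the JDK's own KeyTab implementation: a constructed keytab whose last entry for the service is an AES key, a constructed set of supported etypes, and the two selection strategies side by side. The class, the Entry type, the etype constants and the principal name are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.NoSuchElementException;
import java.util.Set;

public class KeytabKeySelection {
    // Etype numbers from the Kerberos registry; which ones count as "supported"
    // is a constructed stand-in for what EType.getInstance() can really handle.
    static final int DES_CBC_CRC = 1, DES_CBC_MD5 = 3, AES256_CTS_HMAC_SHA1_96 = 18;

    // Minimal keytab entry (hypothetical; not the JDK's own entry class).
    static final class Entry {
        final String principal; final int etype;
        Entry(String principal, int etype) { this.principal = principal; this.etype = etype; }
    }

    // Behaviour the report describes: the last entry for the principal wins,
    // whatever its etype, so an unsupported key only surfaces later as an error.
    static Entry lastMatchingKey(List<Entry> keytab, String principal) {
        Entry found = null;
        for (Entry e : keytab) if (e.principal.equals(principal)) found = e;
        return found;
    }

    // Suggested fix: skip entries whose etype this library cannot use. Failing at
    // keytab read time when nothing usable remains is one reasonable choice; the
    // report does not say what should happen in that case.
    static Entry lastSupportedKey(List<Entry> keytab, String principal, Set<Integer> supported) {
        Entry found = null;
        for (Entry e : keytab) if (e.principal.equals(principal) && supported.contains(e.etype)) found = e;
        if (found == null) throw new NoSuchElementException("no key of a supported etype for " + principal);
        return found;
    }

    public static void main(String[] args) {
        String svc = "host/svc.example.com@EXAMPLE.COM"; // constructed principal
        // Constructed keytab from another Kerberos implementation: the AES key
        // comes after the DES keys, the ordering the report calls out.
        List<Entry> keytab = Arrays.asList(
                new Entry(svc, DES_CBC_CRC), new Entry(svc, DES_CBC_MD5),
                new Entry(svc, AES256_CTS_HMAC_SHA1_96));
        Set<Integer> supported = new HashSet<>(Arrays.asList(DES_CBC_CRC, DES_CBC_MD5));
        System.out.println("last entry etype:     " + lastMatchingKey(keytab, svc).etype);
        System.out.println("last supported etype: " + lastSupportedKey(keytab, svc, supported).etype);
    }
}
```

With the constructed keytab, the first strategy hands back the AES entry that the library cannot use, while the second returns the last DES entry it can.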
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
1.4.2_07
tiger-beta2

FIXED IN:
tiger-beta2

INTEGRATED IN:
tiger-b44
tiger-b46
tiger-beta2


2004-09-10
EVALUATION

Fix as suggested.

###@###.### 2004-03-02
2004-03-02