JDK-6893158 : AP_REQ check should use key version number (updated by 6907425)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2009-10-20
  • Updated: 2010-11-04
  • Resolved: 2009-11-24
Fixed versions:
  • JDK 6: 6u21 (Fixed)
  • JDK 7: 7 b77 (Fixed)
Description
In Kerberos, a server-side program saves long-term secret keys into a keytab file and uses it to authenticate AP_REQ messages sent by a client. The AP_REQ is encrypted by the KDC using a key stored in the KDC's database. The key is identified by an encryption type and a key version number so that the server can locate the correct key from the keytab. Currently, Java only uses the encryption type to search for the key. If there are multiple keys with the same etype for a given server, it's quite likely that a wrong key is returned. The result is that the AP_REQ message cannot be authenticated and a checksum error is thrown.
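
An added illustration of the lookup problem described above, not the JDK's own code: a constructed in-memory keytab holding two keys of the same etype, searched by etype only and then by etype plus kvno. The class, record and method names, the principal, and the fallback used when no kvno is supplied are assumptions made for this example.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public class KeytabLookupDemo {
    // One keytab entry; key bytes are replaced by a label for readability.
    record Entry(String principal, int etype, int kvno, String keyLabel) {}

    // Lookup as the report describes it: etype only, first match wins.
    static Optional<Entry> findByEtype(List<Entry> keytab, String principal, int etype) {
        return keytab.stream()
                .filter(e -> e.principal().equals(principal) && e.etype() == etype)
                .findFirst();
    }

    // Lookup keyed on etype and kvno. kvno is OPTIONAL in EncryptedData (RFC 4120),
    // so a null kvno falls back to the newest key of that etype (assumed policy).
    static Optional<Entry> findByEtypeAndKvno(List<Entry> keytab, String principal,
                                              int etype, Integer kvno) {
        var sameEtype = keytab.stream()
                .filter(e -> e.principal().equals(principal) && e.etype() == etype);
        return kvno == null
                ? sameEtype.max(Comparator.comparingInt(Entry::kvno))
                : sameEtype.filter(e -> e.kvno() == kvno).findFirst();
    }

    public static void main(String[] args) {
        String svc = "HTTP/app.example.test@EXAMPLE.TEST"; // constructed principal
        int aes256 = 18; // aes256-cts-hmac-sha1-96
        // Constructed keytab after a key change: old key kept, new key appended.
        List<Entry> keytab = List.of(
                new Entry(svc, aes256, 2, "old-key"),
                new Entry(svc, aes256, 3, "current-key"));
        int ticketKvno = 3; // the ticket was encrypted with the current key

        Entry weak = findByEtype(keytab, svc, aes256).orElseThrow();
        Entry good = findByEtypeAndKvno(keytab, svc, aes256, ticketKvno).orElseThrow();
        System.out.println("etype only   -> kvno " + weak.kvno() + " (" + weak.keyLabel() + ")");
        System.out.println("etype + kvno -> kvno " + good.kvno() + " (" + good.keyLabel() + ")");
        // A kvno missing from the keytab yields empty rather than a wrong key.
        System.out.println("kvno 4 found -> "
                + findByEtypeAndKvno(keytab, svc, aes256, 4).isPresent());
    }
}
```

Returning empty for an unknown kvno lets the caller report a missing key version instead of attempting decryption with the wrong key and surfacing a checksum error.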

Comments
EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6764ef7d539d
28-10-2009