JDK-8014310 : JAAS/Krb5LoginModule using des enctypes failure with NPE after JDK-8012679
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-05-09
  • Updated: 2020-02-26
  • Resolved: 2013-06-13
  • Fixed in: 7u231 (JDK 7), 8 b96 (JDK 8), openjdk7u (Other)
Description
After the change for disabling DES-related etypes, JAAS login in the test fails with an NPE.
Test Configuration :
-------------------------
SEAM instance SEAM.THREE.COM was used
The client-side krb5.conf has
     default_tkt_enctypes=des-cbc-md5
     default_tgs_enctypes=des-cbc-md5
     permitted_enctypes=des-cbc-md5
and does not have allow_weak_crypto = true

At this point a meaningful error message
like "Failure unspecified at GSS-API level (Mechanism level: Encryption type DES CBC mode with CRC-32 is not supported/enabled)"
is expected.
Instead, an NPE is obtained:


javax.security.auth.login.LoginException: java.lang.NullPointerException
        at sun.security.krb5.internal.KDCReqBody.asn1Encode(KDCReqBody.java:251)
        at sun.security.krb5.internal.KDCReq.asn1Encode(KDCReq.java:203)
        at sun.security.krb5.KrbAsReq.encoding(KrbAsReq.java:145)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:765)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:616)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:491)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:777)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:688)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:586)
        at Server.main(Server.java:670)

If krb5.conf on the client side is modified to include "allow_weak_crypto = true",
login happens.


Comments
add sqebug label to match aurora result Test level exit status: 1
07-06-2013

Affected test: JAAS/krb5/krbticketcachefalse_SEC SPNEGO/RFE/4515853
06-06-2013

Affected list: JGSS/jep113/ADDS21_Negative JGSS/jep113/ADDS22_Negative SPNEGO/ADDS21-SPNEGO
[nithya] These tests now PASS, since the test krb5.conf file was modified to allow weak cryptos. A new test is needed for this bug.
28-05-2013

There are no supported etypes in this case. Should throw a KrbException somewhere.
14-05-2013
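
The failure mode described in this report, as an added example that is not the JDK's own code: a preflight check that filters the configured etypes the way the report describes and fails with a clear message when none remain, instead of passing an empty set on to the encoder. The class and method names are hypothetical, the weak set is assumed to be the two DES etypes named in this report, and only simple `key = value` lines are parsed.

```java
import java.util.*;

// Added illustration: names here are hypothetical, not JDK internals.
public class EtypePreflight {
    // Assumption: the DES etypes named in this report are the ones treated as weak.
    static final Set<String> WEAK = Set.of("des-cbc-md5", "des-cbc-crc");

    // Parse simple "key = value" lines into a map (sections and comments are skipped).
    static Map<String, String> parse(String conf) {
        Map<String, String> m = new HashMap<>();
        for (String line : conf.split("\\R")) {
            String s = line.trim();
            int eq = s.indexOf('=');
            if (s.isEmpty() || s.startsWith("#") || s.startsWith("[") || eq < 0) continue;
            m.put(s.substring(0, eq).trim(), s.substring(eq + 1).trim());
        }
        return m;
    }

    // Return the etypes still usable for `key`; throw a clear error if none remain.
    // An empty list means the key is not set, so library defaults apply (not modelled).
    static List<String> enabled(Map<String, String> cfg, String key) {
        boolean allowWeak = Boolean.parseBoolean(cfg.getOrDefault("allow_weak_crypto", "false"));
        String configured = cfg.get(key);
        if (configured == null) return List.of();
        List<String> kept = new ArrayList<>();
        for (String e : configured.split("[\\s,]+")) {
            if (e.isEmpty()) continue;
            if (allowWeak || !WEAK.contains(e.toLowerCase(Locale.ROOT))) kept.add(e);
        }
        if (kept.isEmpty())
            throw new IllegalStateException(key + "=" + configured
                + " leaves no enabled encryption type; allow_weak_crypto=" + allowWeak);
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the client krb5.conf in this report.
        String conf = "[libdefaults]\n default_tkt_enctypes=des-cbc-md5\n"
                    + " default_tgs_enctypes=des-cbc-md5\n permitted_enctypes=des-cbc-md5\n";
        for (String extra : new String[] {"", " allow_weak_crypto = true\n"}) {
            Map<String, String> cfg = parse(conf + extra);
            try {
                System.out.println("usable: " + enabled(cfg, "default_tkt_enctypes"));
            } catch (IllegalStateException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
    }
}
```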