JDK-8014310 : JAAS/Krb5LoginModule using des enctypes failure with NPE after JDK-8012679
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-05-09
  • Updated: 2020-02-26
  • Resolved: 2013-06-13
Fixed versions:
  • JDK 7: 7u231 (Fixed)
  • JDK 8: 8 b96 (Fixed)
  • Other: openjdk7u (Fixed)
After the change for disabling DES-related etypes, the JAAS login in the test fails with an NPE.
Test Configuration :
SEAM instance SEAM.THREE.COM was used
Client side krb5.conf has  
does not have  allow_weak_crypto = true

At this point a meaningful error message like "Failure unspecified at GSS-API level (Mechanism level: Encryption type DES CBC mode with CRC-32 is not supported/enabled)" is expected.
Instead, an NPE is obtained:

javax.security.auth.login.LoginException: java.lang.NullPointerException
        at sun.security.krb5.internal.KDCReqBody.asn1Encode(KDCReqBody.java:251)
        at sun.security.krb5.internal.KDCReq.asn1Encode(KDCReq.java:203)
        at sun.security.krb5.KrbAsReq.encoding(KrbAsReq.java:145)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:765)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:616)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:491)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:777)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:688)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:586)
        at Server.main(Server.java:670)

If krb5.conf on the client side is modified to include "allow_weak_crypto = true", the login happens.

add sqebug label to match aurora result Test level exit status: 1

Affected test: JAAS/krb5/krbticketcachefalse_SEC SPNEGO/RFE/4515853

Affected list: JGSS/jep113/ADDS21_Negative JGSS/jep113/ADDS22_Negative SPNEGO/ADDS21-SPNEGO

[nithya] These tests now PASS, since the test krb5.conf file was modified to allow weak cryptos. A new test is needed for this bug.

There are no supported etypes in this case. Should throw a KrbException somewhere.
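
The condition behind this report (only DES-related etypes configured while allow_weak_crypto is not true, so no supported etypes remain) can be checked for in a krb5.conf before a login is attempted. The following is an added example, not code from the bug report or the JDK; the function names, the set of etype names treated as DES-related, and the sample files are assumptions constructed for illustration.

```python
import re

# Assumption: these krb5.conf names are the DES-related etypes that need
# allow_weak_crypto = true; the report itself names only DES CBC mode with CRC-32.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ETYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes"}

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def empty_etype_settings(text):
    """List the etype settings left with no usable entry once weak ones are dropped."""
    conf = parse_libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    findings = []
    for key in ETYPE_KEYS:
        if key not in conf:
            continue  # unset: the library's own default list applies
        etypes = [e.lower() for e in re.split(r"[,\s]+", conf[key]) if e]
        usable = [e for e in etypes if weak_ok or e not in WEAK_ETYPES]
        if etypes and not usable:
            findings.append(key)
    return findings

# Constructed sample files, not taken from the bug report.
DES_ONLY = """[libdefaults]
default_realm = EXAMPLE.TEST
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""
DES_ALLOWED = DES_ONLY + "allow_weak_crypto = true\n"
MIXED = DES_ONLY.replace("des-cbc-crc\n", "aes128-cts-hmac-sha1-96 des-cbc-crc\n")

if __name__ == "__main__":
    for name, conf in (("des-only", DES_ONLY), ("des+weak", DES_ALLOWED), ("mixed", MIXED)):
        print(name, empty_etype_settings(conf))
```

A non-empty result names the settings that would leave the client with no etype to offer; the preferred remedy is adding a non-DES etype to those lists rather than enabling weak crypto.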