JDK-8367344 : Better error message when decryption of AP-REQ fails because of kvno mismatch
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2025-09-10
  • Updated: 2025-09-15
Description
An acceptor finds a key from the keytab to decrypt the AP-REQ. If there is no exact kvno match, we would return a key with the highest kvno (see JDK-7197159). If the key cannot decrypt the message, we report a decryption error which usually looks like "Checksum failed". This can be enhanced, since the more likely reason is that we don't have the key with the matching kvno. We can consider a better exception message and/or extra debug outputs.
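
The lookup described above, modelled as an added example so the kvno mismatch can be reported explicitly; this is not JDK code and not the change proposed in the pull request. The class `KvnoCheck`, its methods and the sample kvno values are hypothetical; only the `javax.security.auth.kerberos` calls in `main` are the public JDK API.

```java
import java.io.File;
import java.util.Arrays;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

// Added illustration; class and method names are hypothetical, not JDK internals.
public class KvnoCheck {

    // Models the lookup in the description: exact kvno match, else highest kvno.
    // Returns the kvno of the key that would be tried, or -1 if there is no key at all.
    static int selectKvno(int[] keytabKvnos, int requestedKvno) {
        int highest = -1;
        for (int k : keytabKvnos) {
            if (k == requestedKvno) return k;
            highest = Math.max(highest, k);
        }
        return highest;
    }

    // Explains a decryption failure in terms of the kvno the AP-REQ ticket asked for.
    static String explainFailure(int[] keytabKvnos, int requestedKvno) {
        int used = selectKvno(keytabKvnos, requestedKvno);
        if (used < 0) return "no key for this principal in the keytab";
        if (used != requestedKvno)
            return "no key with kvno " + requestedKvno + " in keytab (has "
                + Arrays.toString(keytabKvnos) + "); fell back to highest kvno " + used
                + ", so the keytab likely lacks the matching key";
        return "key with kvno " + requestedKvno
            + " is present; suspect wrong key material or a corrupted message";
    }

    public static void main(String[] args) {
        int[] kvnos = {2, 3};   // constructed sample: kvnos present in the keytab
        int requested = 4;      // constructed sample: kvno carried in the ticket
        if (args.length == 3) { // usage: <keytab file> <service principal> <ticket kvno>
            KerberosKey[] keys = KeyTab.getInstance(new File(args[0]))
                    .getKeys(new KerberosPrincipal(args[1]));
            kvnos = Arrays.stream(keys).mapToInt(KerberosKey::getVersionNumber)
                    .distinct().toArray();
            requested = Integer.parseInt(args[2]);
        }
        System.out.println(explainFailure(kvnos, requested));
    }
}
```

Run without arguments it uses the constructed values; with a keytab path, service principal and the ticket's kvno it checks a real keytab the same way.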
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/27298 Date: 2025-09-15 15:49:11 +0000
15-09-2025

The bug is reported at https://mail.openjdk.org/pipermail/security-dev/2025-September/047984.html.
10-09-2025