Bug ID: 5006629 Kerberos library should only select keys of types that it supports

5006629 : Kerberos library should only select keys of types that it supports

Details

Type:	Bug	Submit Date:	2004-03-02
Status:	Resolved	Updated Date:	2004-09-09
Project Name:	JDK	Resolved Date:	2004-04-06
Component:	security-libs	OS:	solaris_8
Sub-Component:	org.ietf.jgss:krb5	CPU:	sparc
Priority:	P3
Resolution:	Fixed
Affected Versions:	5.0
Fixed Versions:	5.0

Related Reports

Backport:

JDK-2114916 - Kerberos library should only select keys of types that it supports

Sub Tasks

Description

The Java Kerberos library sometimes cannot use keytabs that contain keys of
encryption types that it does not support, even though the same keytabs
might contain keys of encryption types that it does support. The problem
is that when asked to get a key from the keytab for a service, the library
simply gets the last key from the keytab for that service. It does not
look for keys that it can support. Consequently, when it tries to use
the key, it gets an error.

This creates an interoperability issue. Java clients cannot use keytabs
generated by other systems that support other encryption types and happen
to put those keys after the DES keys.

Comments

SUGGESTED FIX

The service key is obtained via the following code path:

Krb5LoginModule.attemptAuthentication();
<- EncryptionKey.acquireSecretKey(principal, keyTabName);
  <- KeyTab.readServiceKey(principal);

KeyTab.readServiceKey(principal) reads the *last* key entry from the
keytab that matches the service principal name supplied. It doesn't
check the keytype at that point, just records it. Later on, when
the key gets used, say, in EncryptedData:

	EType etypeEngine = EType.getInstance(key.getEType());

It discovers that it doesn't have support for that keytype and then fails.

It seems that an appropriate fix would be to check in readServiceKey()
that the key being returned is one that can be supported instead
just getting the last key in the keytab.

2004-09-10

CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
1.4.2_07
tiger-beta2

FIXED IN:
tiger-beta2

INTEGRATED IN:
tiger-b44
tiger-b46
tiger-beta2

2004-09-10

EVALUATION

Fix as suggested.

###@###.### 2004-03-02

2004-03-02

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together