Bug ID: 6893158 AP_REQ check should use key version number (updated by 6907425)

6893158 : AP_REQ check should use key version number (updated by 6907425)

Details

Type:	Bug	Submit Date:	2009-10-20
Status:	Resolved	Updated Date:	2010-11-04
Project Name:	JDK	Resolved Date:	2009-11-24
Component:	security-libs	OS:	generic
Sub-Component:	org.ietf.jgss:krb5	CPU:	generic
Priority:	P3
Resolution:	Fixed
Affected Versions:	7
Fixed Versions:	7

Related Reports

Backport:	JDK-2184349 - AP_REQ check should use key version number (updated by 6907425)
Relates:	JDK-6984764 - kerberos fails if service side keytab is generated using JDK ktab
Relates:	JDK-6907425 - JCK Kerberos tests fail since b77
Relates:	JDK-6867665 - Problem with keytabs with multiple kvno's (key versions)
Relates:	JDK-6913636 - kvno check in JSSE
Relates:	JDK-6895415 - backout 6867665

Sub Tasks

Description

In Kerberos, a server side program saves long term secret keys into a keytab file and uses it to authenticate AP_REQ messages sent by a client. The AP_REQ is encrypted by the KDC using a key stored in KDC's database. The key is identified by an encryption type and a key version number so that the server can locate the correct key from the keytab. Currently, Java only uses encrytion type to search for the key. If there are multiple keys with the same etype for a given server, it's quite likely that a wrong key is returned. The result is that the AP_REQ message cannot be authenticated and checksum error is thrown.

Comments

EVALUATION

http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6764ef7d539d

2009-10-28

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together