Re: [Bug] javax.security.auth.kerberos.KeyTab returns unrequested keys

Mon, 06 May 2024 12:55:50 -0700 

Hi Michael,

Thanks for the report. It seems not conforming to the RFC strictly but I 
hesitate to make a change now.

The getKeys() method uses the PrincipalName.match() method to compare principal 
names in case-insensitive style. The same method is also used to locate a 
ticket from a ccache file. This has been true from the beginning of JGSS before 
it became a part of Java SE 1.4. There must be a history on why it's coded this 
way, probably relate to what you said MS deviates from the rule.

That said, I would look into the code to see if this might return the wrong key 
when decrypting the authenticator in a AP-REQ. If there is any bug there, I'll 
fix it. On the initiator side, I will also see if it can help locating the 
correct ticket.

Thanks,
Weijun

> On May 6, 2024, at 1:14 PM, Osipov, Michael (IN IT IN) 
> <michael.osi...@innomotics.com> wrote:
> 
> Folks,
> 
> consider the following code:
>> KeyTab keytab = KeyTab.getUnboundInstance(new File("..."));
>> KerberosPrincipal principal = new KerberosPrincipal("foo$", 
>> KerberosPrincipal.KRB_NT_PRINCIPAL);
>> KerberosKey[] keys = keytab.getKeys(principal);
> 
> Let's check the keytab for etype 18 only:
>>  10 2022-08-04T11:55:55 foo$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>>  10 2022-08-04T11:55:56 FOO$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>>  11 2024-05-06T18:21:28 foo$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>>  11 2024-05-06T18:21:29 FOO$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
> 
> My expectation is that I get exactly *two* returned because according RFC 
> 4120 KerberosString is case-sensitive (I know that MS Kerberos deviates 
> from), but the method returns me *four* keys because PrincipalName performs a 
> case-insensitive match [1]. Comparing two equal keys with 
> KerberosKey#equals() gives me false because the principal is compared 
> case-senstively [2].
> 
> Is this considered as a bug?
> 
> Michael
> 
> I am on latest Java 8, but code looks identical for Java 22.
> 
> [1] 
> https://github.com/openjdk/jdk/blob/a8b3f194e811eed6b20bce71c752705c7cd50d24/src/java.security.jgss/share/classes/sun/security/krb5/PrincipalName.java#L616-L637
> [2] 
> https://github.com/openjdk/jdk/blob/a8b3f194e811eed6b20bce71c752705c7cd50d24/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L259-L261

Reply via email to