1 /*
   2  * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 /*
  25  * @test
  26  * @bug 6893158 6907425 7197159
  27  * @run main/othervm MoreKvno
  28  * @summary AP_REQ check should use key version number
  29  */
  30 
  31 import org.ietf.jgss.GSSException;
  32 import sun.security.jgss.GSSUtil;
  33 import sun.security.krb5.KrbException;
  34 import sun.security.krb5.PrincipalName;
  35 import sun.security.krb5.internal.ktab.KeyTab;
  36 import sun.security.krb5.internal.Krb5;
  37 
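public class MoreKvno {

    /** Service principal that the keytab entries and the acceptor credentials are created for. */
    static PrincipalName p;

    /**
     * Test entry point.  Writes three keys with distinct kvnos into the keytab,
     * then runs the acceptor twice with different KDC keys to check that the
     * keytab entry is selected by the key version number carried in the
     * AP-REQ.  Finally a key that is absent from the keytab is registered at
     * the KDC and the authentication is expected to be rejected.
     *
     * @param args ignored
     * @throws Exception if the KDC/keytab setup fails, if an expected handshake
     *                   fails, or if the final handshake unexpectedly succeeds
     */
    public static void main(String[] args)
            throws Exception {

        OneKDC kdc = new OneKDC(null);
        kdc.writeJAASConf();

        // Rewrite keytab: 3 sets of keys with different kvno.  The entries are
        // deliberately added out of order (1, 3, 2) so that an acceptor picking
        // the last entry or the highest kvno instead of the matching kvno is
        // expected to fail one of the two rounds below.
        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
        p = new PrincipalName(
            OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
        ktab.addEntry(p, "pass1".toCharArray(), 1, true);
        ktab.addEntry(p, "pass3".toCharArray(), 3, true);
        ktab.addEntry(p, "pass2".toCharArray(), 2, true);
        ktab.save();

        // Round 1: KDC issues tickets for the pass2 key; the acceptor must find it
        // even though it is neither the first nor the highest-kvno entry.
        char[] pass = "pass2".toCharArray();
        kdc.addPrincipal(OneKDC.SERVER, pass);
        go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass);

        // Round 2: KDC switches to the pass3 key.  "server" initiates as well;
        // checks that pass2 is used at authentication.
        pass = "pass3".toCharArray();
        kdc.addPrincipal(OneKDC.SERVER, pass);
        go(OneKDC.SERVER, "server", pass);

        // Round 3 (negative): pass4 is known to the KDC but has no keytab entry,
        // so the acceptor has no key that can decrypt the AP-REQ.
        try {
            pass = "pass4".toCharArray();
            kdc.addPrincipal(OneKDC.SERVER, pass);
            go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass);
            // Plain Exception is not caught by the GSSException handler below,
            // so a successful handshake here fails the test.
            throw new Exception("This test should fail");
        } catch (GSSException gsse) {
            // Expected rejection.  Since 7197159 a key with a different kvno is
            // accepted, so KRB_AP_ERR_BADKEYVER is never raised for this case
            // any more; only the GSSException itself is asserted.
        }
    }

    /**
     * Performs two full Kerberos handshakes against {@code server}: first with
     * the acceptor reading its key from the keytab through the JAAS entry
     * {@code entry}, then with the acceptor built directly from {@link #p}
     * and {@code pass}.
     *
     * @param server service name the initiator targets
     * @param entry  JAAS configuration entry for the keytab-backed acceptor
     * @param pass   password of the acceptor principal for the keytab-less run
     * @throws Exception if either handshake fails; a Kerberos-level rejection
     *                   surfaces as a {@link GSSException}
     */
    static void go(String server, String entry, char[] pass) throws Exception {
        // Part 1: Test keytab
        runHandshake(server,
                Context.fromUserPass("dummy", "bogus".toCharArray(), false),
                Context.fromJAAS(entry));

        // Part 2: Test username/password pair
        runHandshake(server,
                Context.fromUserPass("dummy", "bogus".toCharArray(), false),
                Context.fromUserPass(p.getNameString(), pass, true));
    }

    /**
     * Runs one initiator/acceptor handshake and always disposes both contexts,
     * so that a rejected handshake (the negative round in {@link #main}) does
     * not leave security contexts behind.
     *
     * @param server service name the initiator targets
     * @param c      initiator context
     * @param s      acceptor context
     * @throws Exception propagated from context setup, the handshake, or disposal
     */
    private static void runHandshake(String server, Context c, Context s)
            throws Exception {
        try {
            c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
            s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
            Context.handshake(c, s);
        } finally {
            // Dispose acceptor first, then initiator, and release the initiator
            // even if disposing the acceptor throws.
            try {
                s.dispose();
            } finally {
                c.dispose();
            }
        }
    }
}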