1 /*
   2  * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 /*
  25  * @test
  26  * @bug 6893158 6907425 7197159
  27  * @modules java.base/sun.net.spi.nameservice
  28  *          java.base/sun.security.util
  29  *          java.security.jgss/sun.security.jgss
  30  *          java.security.jgss/sun.security.krb5
  31  *          java.security.jgss/sun.security.krb5.internal
  32  *          java.security.jgss/sun.security.krb5.internal.ccache
  33  *          java.security.jgss/sun.security.krb5.internal.crypto
  34  *          java.security.jgss/sun.security.krb5.internal.ktab
  35  * @run main/othervm MoreKvno
  36  * @summary AP_REQ check should use key version number
  37  */
  38 
  39 import org.ietf.jgss.GSSException;
  40 import sun.security.jgss.GSSUtil;
  41 import sun.security.krb5.KrbException;
  42 import sun.security.krb5.PrincipalName;
  43 import sun.security.krb5.internal.ktab.KeyTab;
  44 import sun.security.krb5.internal.Krb5;
  45 
/**
 * Checks how a Kerberos acceptor picks a key when its keytab holds several
 * key version numbers (kvno) for the same service principal.
 *
 * <p>The keytab is rewritten with three entries for the server principal
 * (kvno 1, 3 and 2, derived from "pass1", "pass3" and "pass2"). The KDC-side
 * password of the server is then changed three times, and each time
 * {@link #go} runs two handshakes against it:
 * <ol>
 *   <li>"pass2" and "pass3" both have a keytab entry; the handshakes are
 *       expected to complete.</li>
 *   <li>"pass4" has no keytab entry; {@code go} is expected to throw a
 *       {@link GSSException}.</li>
 * </ol>
 */
public class MoreKvno {

    /** JAAS entry name handed to {@link #go} for the first and the last run. */
    private static final String ACCEPT_ENTRY = "com.sun.security.jgss.krb5.accept";

    /** Server principal; assigned in {@link #main} and read by {@link #go}. */
    static PrincipalName p;

    public static void main(String[] args) throws Exception {

        OneKDC testKdc = new OneKDC(null);
        testKdc.writeJAASConf();

        // Replace the keytab with three keys for the server principal. The
        // entries are deliberately added out of numeric order (1, 3, 2).
        KeyTab keytab = KeyTab.create(OneKDC.KTAB);
        p = new PrincipalName(
                OneKDC.SERVER + "@" + OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
        int[] kvnos = {1, 3, 2};
        for (int kvno : kvnos) {
            // Fixture passwords "pass1", "pass3", "pass2" — test-only values.
            keytab.addEntry(p, ("pass" + kvno).toCharArray(), kvno, true);
        }
        keytab.save();

        // KDC key matches the kvno 2 keytab entry.
        rekeyServerAndRun(testKdc, ACCEPT_ENTRY, "pass2".toCharArray());

        // The "server" entry initiates as well. The original comment reads
        // "check pass2 is used at authentication", while the KDC password
        // set here is "pass3" — TODO confirm which key that remark means.
        rekeyServerAndRun(testKdc, "server", "pass3".toCharArray());

        try {
            // "pass4" was never written to the keytab.
            rekeyServerAndRun(testKdc, ACCEPT_ENTRY, "pass4".toCharArray());
            throw new Exception("This test should fail");
        } catch (GSSException expected) {
            // Before 7197159 this branch cast the cause to KrbException and
            // required return code Krb5.KRB_AP_ERR_BADKEYVER. Since 7197159 a
            // different kvno is accepted, so that code is no longer returned
            // and the check was dropped.
            //
            // NOTE(review): as written, ANY GSSException satisfies the
            // negative case; nothing verifies that the failure is caused by
            // the missing key rather than by an unrelated error in go().
        }
    }

    /**
     * Sets the server's password on the KDC and then runs {@link #go} with the
     * same password. Presumably addPrincipal replaces the existing key; verify
     * against OneKDC.
     */
    private static void rekeyServerAndRun(OneKDC kdc, String entry, char[] password)
            throws Exception {
        kdc.addPrincipal(OneKDC.SERVER, password);
        go(OneKDC.SERVER, entry, password);
    }

    /**
     * Runs two client/server handshakes against {@code server}.
     *
     * @param server name the client starts a context for
     * @param entry  JAAS entry used to build the server side in part 1
     * @param pass   password used to build the server side in part 2
     * @throws Exception whatever the Context helper or the handshake throws
     */
    static void go(String server, String entry, char[] pass) throws Exception {
        // Part 1: server side comes from the JAAS entry (keytab).
        Context initiator = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
        Context acceptor = Context.fromJAAS(entry);
        runHandshake(initiator, acceptor, server);

        // Part 2: server side logs in with the principal name and password.
        // The third argument is true only for the server — presumably a
        // storeKey switch; confirm in Context.
        initiator = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
        acceptor = Context.fromUserPass(p.getNameString(), pass, true);
        runHandshake(initiator, acceptor, server);
    }

    /**
     * Starts both sides with the Kerberos 5 mechanism, performs the handshake
     * and disposes the server side first, then the client. Neither dispose call
     * is reached when an earlier step throws.
     */
    private static void runHandshake(Context client, Context acceptor, String server)
            throws Exception {
        client.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
        acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);

        Context.handshake(client, acceptor);

        acceptor.dispose();
        client.dispose();
    }
}