1 /* 2 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 /* 25 * @test 26 * @bug 8078439 27 * @summary SPNEGO auth fails if client proposes MS krb5 OID 28 */ 29 30 import org.ietf.jgss.GSSContext; 31 import org.ietf.jgss.GSSCredential; 32 import org.ietf.jgss.GSSException; 33 import org.ietf.jgss.GSSManager; 34 35 import java.lang.Exception; 36 import java.nio.file.Files; 37 import java.nio.file.Paths; 38 import java.util.Arrays; 39 import java.util.Base64; 40 41 public class MSOID { 42 public static void main(String[] args) throws Exception { 43 44 // msoid.txt is a NegTokenInit packet sent from Internet Explorer to 45 // IIS server on a test machine. No sensitive info included. 46 byte[] header = Files.readAllBytes( 47 Paths.get(System.getProperty("test.src"), "msoid.txt")); 48 byte[] token = Base64.getMimeDecoder().decode( 49 Arrays.copyOfRange(header, 10, header.length)); 50 51 GSSCredential cred = null; 52 GSSContext ctx = GSSManager.getInstance().createContext(cred); 53 54 try { 55 ctx.acceptSecContext(token, 0, token.length); 56 // Before the fix, GSS_KRB5_MECH_OID_MS is not recognized 57 // and acceptor chooses another mech and goes on 58 throw new Exception("Should fail"); 59 } catch (GSSException gsse) { 60 // After the fix, GSS_KRB5_MECH_OID_MS is recognized but the token 61 // cannot be accepted because we don't have any krb5 credential. 62 gsse.printStackTrace(); 63 if (gsse.getMajor() != GSSException.NO_CRED) { 64 throw gsse; 65 } 66 for (StackTraceElement st: gsse.getStackTrace()) { 67 if (st.getClassName().startsWith("sun.security.jgss.krb5.")) { 68 // Good, it is already in krb5 mech's hand. 69 return; 70 } 71 } 72 throw gsse; 73 } 74 } 75 }