Hi
Please take a look at --
http://cr.openjdk.java.net/~weijun/6893158/webrev.00
The original EncryptionKey.findKey is still used in other places for
the client side (initiator). They won't touch the kvno field.
Thanks
Max
Begin forwarded message:
From: [email protected]
Date: October 20, 2009 10:51:17 AM GMT+08:00
Subject: CR 6893158 Created, P3 jgss/krb5plugin AP_REQ check should
use key version number
*Synopsis*: AP_REQ check should use key version number
*Description*:
In Kerberos, a server side program saves long term secret keys into
a keytab file and uses it to authenticate AP_REQ messages sent by a
client. The AP_REQ is encrypted by the KDC using a key stored in
KDC's database. The key is identified by an encryption type and a
key version number so that the server can locate the correct key
from the keytab. Currently, Java only uses the encryption type to search
for the key. If there are multiple keys with the same etype for a
given server, it's quite likely that a wrong key is returned. The
result is that the AP_REQ message cannot be authenticated and
a checksum error is thrown.
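
The lookup problem described in the report, as an added example that is not code from the webrev or the JDK: a keytab holding several keys of one etype after rotation, searched first by etype alone and then by etype plus kvno. The `Entry` record, the method names, the principal and the key labels are hypothetical, and the fallback to the highest kvno when none is sent is this example's assumption (records need Java 16 or later).

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public class KvnoKeyLookup {
    // Hypothetical, simplified keytab entry; keyLabel stands in for the key bytes.
    record Entry(String principal, int etype, int kvno, String keyLabel) {}

    // Etype-only search as the report describes it: the first matching etype wins.
    static Optional<Entry> findByEtype(List<Entry> keytab, String principal, int etype) {
        return keytab.stream()
                .filter(e -> e.principal().equals(principal) && e.etype() == etype)
                .findFirst();
    }

    // Search by etype and kvno. kvno is OPTIONAL in Kerberos EncryptedData (RFC 4120),
    // so null means "not sent"; picking the highest kvno then is an assumption here.
    static Optional<Entry> findByEtypeAndKvno(List<Entry> keytab, String principal,
                                              int etype, Integer kvno) {
        var candidates = keytab.stream()
                .filter(e -> e.principal().equals(principal) && e.etype() == etype);
        if (kvno == null) {
            return candidates.max(Comparator.comparingInt(Entry::kvno));
        }
        // No entry with this kvno yields empty: reject instead of trying another key.
        return candidates.filter(e -> e.kvno() == kvno).findFirst();
    }

    static String label(Optional<Entry> e) {
        return e.map(Entry::keyLabel).orElse("no key, reject AP_REQ");
    }

    public static void main(String[] args) {
        String svc = "host/server.example.com@EXAMPLE.COM"; // constructed principal
        int aes256 = 18; // etype number of aes256-cts-hmac-sha1-96
        // Constructed keytab: the service key was rotated twice and old entries were kept.
        List<Entry> keytab = List.of(
                new Entry(svc, aes256, 3, "key-v3"),
                new Entry(svc, aes256, 4, "key-v4"),
                new Entry(svc, aes256, 5, "key-v5"));

        // The ticket in this constructed case was issued under kvno 4.
        System.out.println("etype only:     " + label(findByEtype(keytab, svc, aes256)));
        System.out.println("etype + kvno 4: " + label(findByEtypeAndKvno(keytab, svc, aes256, 4)));
        System.out.println("kvno absent:    " + label(findByEtypeAndKvno(keytab, svc, aes256, null)));
        System.out.println("etype + kvno 9: " + label(findByEtypeAndKvno(keytab, svc, aes256, 9)));
    }
}
```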