Kerberos Enc Type Expectations for delegated credential within AP_REQ message.

Thu, 11 Sep 2014 08:49:10 -0700

Hello there, I am currently attempting to get to the bottom of some interoperability issues regarding the handling of Kerberos AP_REQ messages that contain a delegated credential.
Before I start raising bug reports I wanted to pass it through you guys first in case there is a strong opposition to this being raised as a Java bug. 

The kind of error messages I am seeing are: -
  http://fpaste.org/132824/
  http://fpaste.org/132825/


In short the class 'sun.security.jgss.krb5.InitialToken' is making an 
assumption as to if the enc type for the delegated credential is NULL 
based on the enc type of the session key.



If I follow through the call to the constructor in 
'sun.security.krb5.KrbCred' there is even a comment saying the key will 
always be NULL even though that is no longer true so it looks like this 
block of code has been modified at some point to start to support an 
EncryptionKey.



The reason this is a problem is that I have Mac OS clients that will 
always use NULL regardless of the algorithm for the session key, I also 
have Linux clients that will use the session key regardless of the 
algorithm.



After researching this I am yet to find anything that tells me the 
algorithm for the session key should affect if the credential is 
encrypted which is why I am questioning if that is a valid approach.



My proposal would be to update the code within InitialToken to skip 
trying to decide to use EncryptionKey.NULL_KEY, instead just keep the 
try / catch block for the key and sub-key.  Within 
sun.security.krb5.KrbCred just before decrypt is called it would be 
possible to check the encType and check for the NULL type and substitute 
in the NULL_KEY at that point.



Where the delegated credential is encrypted the existing checks would 
still apply to identify any encType mis-match - so overall this change 
would be to use the EncryptionKey.NULL_KEY only when absolutely 
confirmed it is required.



I am happy to create a Jira issue and e-mail over a proposed patch but 
as I say I just wanted to run this by you guys before I start down that 
patch.


Regards,
Darran Lofthouse.
























					Reply via email to