-
Enhancement
-
Resolution: Fixed
-
P4
-
7
-
None
-
b70
-
generic
-
generic
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8170056 | 6-pool | Unassigned | P4 | Closed | Won't Fix |
We are about to support retrieving session key through the (vendor-specific extended) JGSS API.
Currently, MIT krb5-1.7alpha supports 5 OIDs in its gss_inquire_sec_context_by_oid() function:
GSS_C_INQ_SSPI_SESSION_KEY
KRB5_GET_TKT_FLAGS
KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
KRB5_EXPORT_LUCID_SEC_CONTEXT
KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
and, at least one customer has asked for support of KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT.
I think we can easily support 4 of them (except KRB5_EXPORT_LUCID_SEC_CONTEXT):
For the server side, they can be grabbed from the encrypted part of the service ticket (which the server can decrypt):
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags [0] TicketFlags,
key [1] EncryptionKey,
...
authtime [5] KerberosTime,
...
authorization-data [10] AuthorizationData OPTIONAL
}
For the client side, from the encrypted part of the TGS-REP (which the client can decrypt):
EncKDCRepPart ::= SEQUENCE {
key [0] EncryptionKey,
...
flags [4] TicketFlags,
authtime [5] KerberosTime,
...
}
Note that authorization-data is not available at client side.
flags can be boolean[], key be Key, authtime be Calendar or String (in the 19851106210627Z format), authorization-data be AuthorizationDataEntry[], where AuthorizationDataEntry has the interface:
final class AuthorizationDataEntry {
public int getType();
public byte[] getData();
}
Currently, MIT krb5-1.7alpha supports 5 OIDs in its gss_inquire_sec_context_by_oid() function:
GSS_C_INQ_SSPI_SESSION_KEY
KRB5_GET_TKT_FLAGS
KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
KRB5_EXPORT_LUCID_SEC_CONTEXT
KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
and, at least one customer has asked for support of KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT.
I think we can easily support 4 of them (except KRB5_EXPORT_LUCID_SEC_CONTEXT):
For the server side, they can be grabbed from the encrypted part of the service ticket (which the server can decrypt):
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags [0] TicketFlags,
key [1] EncryptionKey,
...
authtime [5] KerberosTime,
...
authorization-data [10] AuthorizationData OPTIONAL
}
For the client side, from the encrypted part of the TGS-REP (which the client can decrypt):
EncKDCRepPart ::= SEQUENCE {
key [0] EncryptionKey,
...
flags [4] TicketFlags,
authtime [5] KerberosTime,
...
}
Note that authorization-data is not available at client side.
flags can be boolean[], key be Key, authtime be Calendar or String (in the 19851106210627Z format), authorization-data be AuthorizationDataEntry[], where AuthorizationDataEntry has the interface:
final class AuthorizationDataEntry {
public int getType();
public byte[] getData();
}
- backported by
-
JDK-8170056 more InquireType values for ExtendedGSSContext
-
- Closed
-