Type: Bug
Resolution: Fixed
Priority: P4
Affects Version: 6u24
Resolved In Build: b140
CPU: x86
OS: linux
Verification: Verified
Backports:

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build
---|---|---|---|---|---|---
JDK-8170054 | | Unassigned | P4 | Closed | Won't Fix | 
FULL PRODUCT VERSION :
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux mes 2.6.33.7-desktop-2mnb #1 SMP Mon Dec 6 06:28:09 EST 2010 x86_64 Intel(R) Xeon(R) CPU E5405 @ 2.00GHz GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
Server:
Mandriva Linux Enterprise Server release 5.2 (Official) for x86_64, krb5 1.8.1
Workstation:
ROSA Desktop 2010.2. (This is Mandriva 2010.2)
A DESCRIPTION OF THE PROBLEM :
I tried to use SPNEGO.
At first I used the Jetty web server and I got a decrypt exception.
Then I wrote my own class. I used JGSS and got the same result.
GSSAPI works. I can use the POP, IMAP and SMTP protocols with AES 256. I use nginx and postfix.
I downloaded the JCE archive from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
When I use DES3, it works for a principal. When I try to use AES 128/256, it crashes.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
This is from the Jetty web server. It is the same for my class.
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.mortbay.jetty.security.SpnegoUserRealm.authenticate(SpnegoUserRealm.java:128)
at org.mortbay.jetty.security.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:104)
at org.mortbay.jetty.security.SecurityHandler.check(SecurityHandler.java:443)
at org.mortbay.jetty.security.SecurityHandler.checkSecurityConstraints(SecurityHandler.java:271)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:193)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:422)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:322)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:929)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbCred.<init>(KrbCred.java:137)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:262)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 29 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
... 35 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Krb5Login.java:
...
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
...
    /** Logs in with the service principal's keytab and runs action as that Subject. */
    public static void performAs(String principal, String keytab, PrivilegedExceptionAction action)
            throws PrivilegedActionException, LoginException {
        LoginContext lc = null;
        try {
            // Authenticate to Kerberos.
            lc = Krb5Login.withKeyTab(principal, keytab);
            lc.login();
            // Assume the identity of the authenticated principal.
            Subject.doAs(lc.getSubject(), action);
        } finally {
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException le) {
                    ZimbraLog.account.warn("krb5 logout failed", le);
                }
            }
        }
    }
...
    /*
     * Builds a LoginContext equivalent to this JAAS entry. Krb5Config (an
     * AppConfigurationEntry) and DynamicConfiguration (a Configuration) are
     * the application's own classes and are not shown here.
     *
     * com.sun.security.auth.module.Krb5LoginModule required
     * useKeyTab=true
     * debug=true
     * keyTab="/apps/workgroup-audit/keytab/keytab.workgroup-audit"
     * doNotPrompt=true
     * storeKey=true
     * principal="service/###@###.###"
     * useTicketCache=true
     */
    public static LoginContext withKeyTab(String principal, String keytab) throws LoginException {
        Krb5Config kc = Krb5Config.getInstance();
        // kc.setDebug(true);
        kc.setPrincipal(principal);
        kc.setKeyTab(keytab);
        kc.setStoreKey(true);       // keep the keytab key in the Subject; required to accept tokens
        kc.setDoNotPrompt(true);
        kc.setUseTicketCache(true);
        Configuration dc = new DynamicConfiguration(S_CONFIG_NAME, new AppConfigurationEntry[] {kc});
        return new LoginContext(S_CONFIG_NAME, null, null, dc);
    }
...
Krb5Auth.java:
...
import java.security.PrivilegedExceptionAction;
import org.apache.commons.codec.binary.Base64;   // assumed: Apache Commons Codec, matching new Base64().decode(...)
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
...
    /** Runs under Subject.doAs(...) so the acceptor finds the service key stored by Krb5LoginModule. */
    public static class AcceptNegotiationTokenAction implements PrivilegedExceptionAction {
        private String mPrincipal;
        private String mNegotiationToken;   // base64 token from the client's "Authorization: Negotiate" header
        private AcceptNegotiationTokenResult mResult;

        public AcceptNegotiationTokenAction(String principal, String negotiationToken, AcceptNegotiationTokenResult result) {
            mPrincipal = principal;
            mNegotiationToken = negotiationToken;
            mResult = result;
        }

        public Object run() {
            try {
                GSSManager gssManager = GSSManager.getInstance();
                GSSName serverName = gssManager.createName(mPrincipal, null);
                //Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
                GSSCredential serverCred = gssManager.createCredential(
                        serverName, GSSCredential.INDEFINITE_LIFETIME,
                        spnegoMechOid, GSSCredential.ACCEPT_ONLY);
                GSSContext gssContext = gssManager.createContext(serverCred);
                // Establish the GSS context. The returned token (if any) goes back to the
                // client in a "WWW-Authenticate: Negotiate" header.
                byte[] token = new Base64().decode(mNegotiationToken.getBytes());
                token = gssContext.acceptSecContext(token, 0, token.length);
                // acceptSecContext returns null when there is nothing to send back.
                mNegotiationToken = (token == null) ? "" : new String(new Base64().encode(token));
                if (!mNegotiationToken.equals("")) {
                    mResult.setNegotiationToken(mNegotiationToken);
                } else {
                    mResult.setNegotiationToken(null);
                }
                if (gssContext.isEstablished()) {
                    mResult.setPrincipal(gssContext.getSrcName().toString());
                } else {
                    mResult.setPrincipal(null);
                }
            } catch (GSSException e) {
                // On this report the chained cause is KrbException: Checksum failed (AES decrypt)
                e.printStackTrace();
                mResult.setNegotiationToken(null);
                mResult.setPrincipal(null);
            }
            return null;
        }
    }
...
---------- END SOURCE ----------
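As an added example (not part of the bug report, and not Zimbra's or Jetty's code): the same acceptor written against the standard JAAS and JGSS APIs only, with the application-specific helpers (Krb5Config, DynamicConfiguration, ZimbraLog) replaced by an anonymous javax.security.auth.login.Configuration. It switches on sun.security.krb5.debug so the enctype picked for each key and each decrypt is printed, and once the context is established it reports whether the client delegated credentials, which is what the KrbCred frame in the trace above is decrypting (InitialToken$OverloadedChecksum parses the delegation field of the initiator's checksum and decrypts the KRB-CRED it carries). The class name, the principal HTTP/www.example.com@EXAMPLE.COM, the keytab path, the JAAS entry name and the header value are assumptions; isInitiator=false is my choice for a pure acceptor, not a setting from the report; java.util.Base64 needs Java 8 or later.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** SPNEGO acceptor with a programmatic JAAS config. Added example; names and paths are hypothetical. */
public class SpnegoAcceptorCheck {

    static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** Equivalent of the JAAS entry quoted in the report, built without a jaas.conf file. */
    static Configuration keytabConfig(final String principal, final String keytab) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytab);
                opts.put("principal", principal);
                opts.put("storeKey", "true");      // acceptor needs the long-term key in the Subject
                opts.put("doNotPrompt", "true");
                opts.put("isInitiator", "false");  // assumption: acceptor only, so no TGT is fetched at login
                opts.put("debug", "true");         // prints which keytab entries/enctypes were loaded
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    static class Result {
        String replyToken;   // base64 for "WWW-Authenticate: Negotiate <token>", or null if none
        boolean established;
        String client;       // initiator principal once established, e.g. user@REALM
        String mech;         // mechanism actually negotiated under SPNEGO
        boolean delegated;   // true if a forwarded TGT (KRB-CRED in the checksum) was accepted
    }

    /** Accepts one "Authorization: Negotiate <b64>" header value and reports the outcome. */
    static Result accept(String principal, String keytab, String authorizationHeader) throws Exception {
        // Kerberos-layer tracing: shows the enctype of the service key and of every decrypt attempt.
        System.setProperty("sun.security.krb5.debug", "true");
        final byte[] inTok = Base64.getDecoder().decode(
                authorizationHeader.replaceFirst("(?i)^Negotiate\\s+", ""));
        LoginContext lc = new LoginContext("SpnegoAcceptor", null, null, keytabConfig(principal, keytab));
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Result>() {
                public Result run() throws GSSException {
                    GSSManager mgr = GSSManager.getInstance();
                    // A null name lets the acceptor use whichever keytab key the Subject holds.
                    GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                            SPNEGO_MECH, GSSCredential.ACCEPT_ONLY);
                    GSSContext ctx = mgr.createContext(cred);
                    try {
                        byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                        Result r = new Result();
                        r.replyToken = (outTok == null) ? null : Base64.getEncoder().encodeToString(outTok);
                        r.established = ctx.isEstablished();
                        if (r.established) {
                            r.client = ctx.getSrcName().toString();
                            r.mech = ctx.getMech().toString();
                            r.delegated = ctx.getCredDelegState();
                        }
                        return r;
                    } finally {
                        ctx.dispose();
                    }
                }
            });
        } finally {
            lc.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical service principal and keytab; args[0] is the raw Authorization header value.
        Result r = accept("HTTP/www.example.com@EXAMPLE.COM", "/etc/http.keytab", args[0]);
        System.out.println("established=" + r.established + " client=" + r.client
                + " mech=" + r.mech + " delegated=" + r.delegated
                + " reply=" + (r.replyToken == null ? "none" : r.replyToken.length() + " chars"));
    }
}
```

Run it with the client's Authorization header value as the only argument. Before attributing a "Checksum failed" to the JDK, confirm the keytab really holds AES keys for the principal (on MIT krb5, klist -e -k <keytab> lists each entry with its enctype) and that their kvno matches what the KDC issues (kvno <principal>), and on JDK 6 and 7 that the unlimited-strength JCE policy files are installed, since the AES-256 enctype is unavailable without them. If delegated comes back true, the client forwarded its TGT, and the KRB-CRED inside the checksum is the data the AES decrypt in the trace is failing on; retrying with delegation disabled on the client separates that path from a plain ticket decrypt.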
Backported by: JDK-8170054 AES 128/256 decrypt exception (Closed)