Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6821190

more InquireType values for ExtendedGSSContext

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 7
    • Fix Version/s: 7
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      b70
    • CPU:
      generic
    • OS:
      generic

      Backports

        Description

        We are about to support retrieving session key through the (vendor-specific extended) JGSS API.

        Currently, MIT krb5-1.7alpha supports 5 OIDs in its gss_inquire_sec_context_by_oid() function:

          GSS_C_INQ_SSPI_SESSION_KEY
          KRB5_GET_TKT_FLAGS
          KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
          KRB5_EXPORT_LUCID_SEC_CONTEXT
          KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT

        and, at least one customer has asked for support of KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT.

        I think we can easily support 4 of them (except KRB5_EXPORT_LUCID_SEC_CONTEXT):

        For the server side, they can be grabbed from the encrypted part of the service ticket (which the server can decrypt):

           EncTicketPart ::= [APPLICATION 3] SEQUENCE {
                   flags [0] TicketFlags,
                   key [1] EncryptionKey,
                   ...
                   authtime [5] KerberosTime,
                   ...
                   authorization-data [10] AuthorizationData OPTIONAL
           }

        For the client side, from the encrypted part of the TGS-REP (which the client can decrypt):

           EncKDCRepPart ::= SEQUENCE {
                   key [0] EncryptionKey,
                   ...
                   flags [4] TicketFlags,
                   authtime [5] KerberosTime,
                   ...
           }

        Note that authorization-data is not available at client side.

        flags can be boolean[], key be Key, authtime be Calendar or String (in the 19851106210627Z format), authorization-data be AuthorizationDataEntry[], where AuthorizationDataEntry has the interface:

             final class AuthorizationDataEntry {
                 public int getType();
                 public byte[] getData();
             }

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  weijun Weijun Wang
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: