Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7030180

AES 128/256 decrypt exception

    Details

    • Subcomponent:
    • Resolved In Build:
      b140
    • CPU:
      x86
    • OS:
      linux
    • Verification:
      Verified

      Backports

        Description

        FULL PRODUCT VERSION :
        java version "1.6.0_24"
        Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
        Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)

        ADDITIONAL OS VERSION INFORMATION :
        Linux mes 2.6.33.7-desktop-2mnb #1 SMP Mon Dec 6 06:28:09 EST 2010 x86_64 Intel(R) Xeon(R) CPU E5405 @ 2.00GHz GNU/Linux

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        Server:
        Mandriva Linux Enterprise Server release 5.2 (Official) for x86_64, krb5 1.8.1

        Workstation:
        ROSA Desktop 2010.2. (This is Mandriva 2010.2)

        A DESCRIPTION OF THE PROBLEM :
        I tried to use SPNEGO.

        At first I used jetty webserver and I got an decrypt exception.

        Then I made my class. I used JGSS and I got the same result.

        GSSAPI works. I can use POP, IMAP and SMTP protocols with AES 256. I use nginx and postfix.

        I downloaded JCE archive from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

        When I use DES3 It works for a principal. When I try to use AES 128/256 It crashes.


        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        It's for jetty webserver. It's the same for my class.

        GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
                at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
                at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
                at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
                at org.mortbay.jetty.security.SpnegoUserRealm.authenticate(SpnegoUserRealm.java:128)
                at org.mortbay.jetty.security.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:104)
                at org.mortbay.jetty.security.SecurityHandler.check(SecurityHandler.java:443)
                at org.mortbay.jetty.security.SecurityHandler.checkSecurityConstraints(SecurityHandler.java:271)
                at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:193)
                at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
                at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
                at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:422)
                at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
                at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
                at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
                at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
                at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
                at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
                at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
                at org.mortbay.jetty.Server.handle(Server.java:322)
                at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
                at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:929)
                at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
                at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
                at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
                at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
                at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
        Caused by: KrbException: Checksum failed
                at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
                at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
                at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
                at sun.security.krb5.KrbCred.<init>(KrbCred.java:137)
                at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:262)
                at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
                at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
                ... 29 more
        Caused by: java.security.GeneralSecurityException: Checksum failed
                at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
                at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
                at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
                at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
                ... 35 more

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        Krb5Login.java:
        ...
        public static void performAs(String principal, String keytab, PrivilegedExceptionAction action) throws PrivilegedActionException, LoginException {
                LoginContext lc = null;
                try {
                    // Authenticate to Kerberos.
                    lc = Krb5Login.withKeyTab(principal, keytab);
                    lc.login();
                    
                    // Assume the identity of the authenticated principal.
                    Subject.doAs(lc.getSubject(), action);
                    
                } finally {
                    if (lc != null) {
                        try {
                            lc.logout();
                        } catch(LoginException le) {
                            ZimbraLog.account.warn("krb5 logout failed", le);
                        }
                    }
                }
            }
        ...
            public static LoginContext withKeyTab(String principal,
                                                  String keytab)
                throws LoginException
            {
                /*
                 * com.sun.security.auth.module.Krb5LoginModule required
                 * useKeyTab=true
                 * debug=true
                 * keyTab="/apps/workgroup-audit/keytab/keytab.workgroup-audit"
                 * doNotPrompt=true
                 * storeKey=true
                 * principal="service/###@###.###"
                 * useTicketCache=true
                 */
                Krb5Config kc = Krb5Config.getInstance();
                // kc.setDebug(true);
                kc.setPrincipal(principal);
                kc.setKeyTab(keytab);
                kc.setStoreKey(true);
                kc.setDoNotPrompt(true);
                kc.setUseTicketCache(true);
                Configuration dc = new DynamicConfiguration(S_CONFIG_NAME, new AppConfigurationEntry[] {kc});
                return new LoginContext(S_CONFIG_NAME, null, null, dc);
            }
        ...

        Krb5Auth.java:
        ...
        public static class AcceptNegotiationTokenAction implements PrivilegedExceptionAction {

                private String mPrincipal;
                private String mNegotiationToken;
                private AcceptNegotiationTokenResult mResult;

                public AcceptNegotiationTokenAction(String principal, String negotiationToken, AcceptNegotiationTokenResult result) {
                    mPrincipal = principal;
                    mNegotiationToken = negotiationToken;
                    mResult = result;
                }

                public Object run() {
                    try {
                        GSSManager gssManager = GSSManager.getInstance();
                        GSSName serverName =
                            gssManager.createName(mPrincipal, null);
                        //Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                        Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
                        GSSCredential serverCred = gssManager.createCredential(
                            serverName, GSSCredential.INDEFINITE_LIFETIME,
                            spnegoMechOid, GSSCredential.ACCEPT_ONLY);
                        GSSContext gssContext = gssManager.createContext(serverCred);

                        // establish gss context
                        byte[] token = new Base64().decode(mNegotiationToken.getBytes());
                        token = gssContext.acceptSecContext(token, 0, token.length);
                        mNegotiationToken = new String(new Base64().encode(token));

                        if (!mNegotiationToken.equals("")) {
                            mResult.setNegotiationToken(mNegotiationToken);
                        } else {
                            mResult.setNegotiationToken(null);
                        }

                        if (gssContext.isEstablished()) {
                            mResult.setPrincipal(gssContext.getSrcName().toString());
                        } else {
                            mResult.setPrincipal(null);
                        }
                    } catch (GSSException e) {
                        e.printStackTrace();

                        mResult.setNegotiationToken(null);
                        mResult.setPrincipal(null);
                    }
                    return null;
                }
            }
        ...
        ---------- END SOURCE ----------

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: