diff --git a/Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified.patch b/Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified.patch new file mode 100644 index 0000000000000000000000000000000000000000..c14207f1e335598529781560398881ec779bcbcb --- /dev/null +++ b/Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified.patch @@ -0,0 +1,319 @@ +From 46b7cb7838a2de1a6463ddf17edefef73ec1217f Mon Sep 17 00:00:00 2001 +Date: Thu, 3 Aug 2023 10:03:27 +0800 +Subject: [PATCH] Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified + +--- + .../security/auth/kerberos/KerberosKey.java | 46 ++------ + .../javax/security/auth/kerberos/KeyImpl.java | 26 ++--- + .../sun/security/krb5/EncryptionKey.java | 17 +-- + .../security/auth/kerberos/StandardNames.java | 108 ------------------ + 4 files changed, 28 insertions(+), 169 deletions(-) + delete mode 100644 jdk/test/javax/security/auth/kerberos/StandardNames.java + +diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java +index a8d12131a..5c8b65f27 100644 +--- a/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java ++++ b/jdk/src/share/classes/javax/security/auth/kerberos/KerberosKey.java +@@ -52,20 +52,7 @@ import javax.security.auth.DestroyFailedException; + * application depends on the default JGSS Kerberos mechanism to access the + * KerberosKey. In that case, however, the application will need an + * appropriate +- * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.

+- * +- * When creating a {@code KerberosKey} using the +- * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor, +- * an implementation may accept non-IANA algorithm names (For example, +- * "ArcFourMac" for "rc4-hmac"), but the {@link #getAlgorithm} method +- * must always return the IANA algorithm name.

+- * +- * @implNote Old algorithm names used before JDK 9 are supported in the +- * {@link #KerberosKey(KerberosPrincipal, char[], String)} constructor in this +- * implementation for compatibility reasons, which are "DES" (and null) for +- * "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", +- * "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for +- * "aes256-cts-hmac-sha1-96". ++ * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}. + * + * @author Mayank Upadhyay + * @since 1.4 +@@ -86,7 +73,7 @@ public class KerberosKey implements SecretKey, Destroyable { + * + * @serial + */ +- private final int versionNum; ++ private int versionNum; + + /** + * {@code KeyImpl} is serialized by writing out the ASN1 Encoded bytes +@@ -126,16 +113,13 @@ public class KerberosKey implements SecretKey, Destroyable { + } + + /** +- * Constructs a KerberosKey from a principal's password using the specified +- * algorithm name. The algorithm name (case insensitive) should be provided +- * as the encryption type string defined on the IANA +- * Kerberos Encryption Type Numbers +- * page. The version number of the key generated will be 0. ++ * Constructs a KerberosKey from a principal's password. + * + * @param principal the principal that this password belongs to + * @param password the password that should be used to compute the key + * @param algorithm the name for the algorithm that this key will be +- * used for ++ * used for. This parameter may be null in which case the default ++ * algorithm "DES" will be assumed. + * @throws IllegalArgumentException if the name of the + * algorithm passed is unsupported. + */ +@@ -144,7 +128,6 @@ public class KerberosKey implements SecretKey, Destroyable { + String algorithm) { + + this.principal = principal; +- this.versionNum = 0; + // Pass principal in for salt + key = new KeyImpl(principal, password, algorithm); + } +@@ -187,18 +170,13 @@ public class KerberosKey implements SecretKey, Destroyable { + */ + + /** +- * Returns the standard algorithm name for this key. The algorithm names +- * are the encryption type string defined on the IANA +- * Kerberos Encryption Type Numbers +- * page. +- *

+- * This method can return the following value not defined on the IANA page: +- *

    +- *
  1. none: for etype equal to 0
    2. +- *
  2. unknown: for etype greater than 0 but unsupported by +- * the implementation
    3. +- *
  3. private: for etype smaller than 0
    4. +- *
++ * Returns the standard algorithm name for this key. For ++ * example, "DES" would indicate that this key is a DES key. ++ * See Appendix A in the ++ * Java Cryptography Architecture API Specification & Reference ++ * ++ * for information about standard algorithm names. + * + * @return the name of the algorithm associated with this key. + */ +diff --git a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java +index 571387e0c..6791c42f0 100644 +--- a/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java ++++ b/jdk/src/share/classes/javax/security/auth/kerberos/KeyImpl.java +@@ -36,6 +36,7 @@ import sun.security.krb5.PrincipalName; + import sun.security.krb5.EncryptionKey; + import sun.security.krb5.EncryptedData; + import sun.security.krb5.KrbException; ++import sun.security.krb5.KrbCryptoException; + import sun.security.util.DerValue; + + /** +@@ -85,12 +86,8 @@ class KeyImpl implements SecretKey, Destroyable, Serializable { + + try { + PrincipalName princ = new PrincipalName(principal.getName()); +- EncryptionKey key; +- if ("none".equalsIgnoreCase(algorithm)) { +- key = EncryptionKey.NULL_KEY; +- } else { +- key = new EncryptionKey(password, princ.getSalt(), algorithm); +- } ++ EncryptionKey key = ++ new EncryptionKey(password, princ.getSalt(), algorithm); + this.keyBytes = key.getBytes(); + this.keyType = key.getEType(); + } catch (KrbException e) { +@@ -121,22 +118,20 @@ class KeyImpl implements SecretKey, Destroyable, Serializable { + + switch (eType) { + case EncryptedData.ETYPE_DES_CBC_CRC: +- return "des-cbc-crc"; +- + case EncryptedData.ETYPE_DES_CBC_MD5: +- return "des-cbc-md5"; ++ return "DES"; + + case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD: +- return "des3-cbc-sha1-kd"; ++ return "DESede"; + + case EncryptedData.ETYPE_ARCFOUR_HMAC: +- return "rc4-hmac"; ++ return "ArcFourHmac"; + + case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96: +- return "aes128-cts-hmac-sha1-96"; ++ return "AES128"; + + case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96: +- return "aes256-cts-hmac-sha1-96"; ++ return "AES256"; + + case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA256_128: + return "aes128-cts-hmac-sha256-128"; +@@ -145,10 +140,11 @@ class KeyImpl implements SecretKey, Destroyable, Serializable { + return "aes256-cts-hmac-sha384-192"; + + case EncryptedData.ETYPE_NULL: +- return "none"; ++ return "NULL"; + + default: +- return eType > 0 ? "unknown" : "private"; ++ throw new IllegalArgumentException( ++ "Unsupported encryption type: " + eType); + } + } + +diff --git a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java +index 627168e70..71e667028 100644 +--- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java ++++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java +@@ -277,22 +277,15 @@ public class EncryptionKey + String salt, + String algorithm) throws KrbCryptoException { + +- if (algorithm == null || algorithm.equalsIgnoreCase("DES") +- || algorithm.equalsIgnoreCase("des-cbc-md5")) { ++ if (algorithm == null || algorithm.equalsIgnoreCase("DES")) { + keyType = EncryptedData.ETYPE_DES_CBC_MD5; +- } else if (algorithm.equalsIgnoreCase("des-cbc-crc")) { +- keyType = EncryptedData.ETYPE_DES_CBC_CRC; +- } else if (algorithm.equalsIgnoreCase("DESede") +- || algorithm.equalsIgnoreCase("des3-cbc-sha1-kd")) { ++ } else if (algorithm.equalsIgnoreCase("DESede")) { + keyType = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD; +- } else if (algorithm.equalsIgnoreCase("AES128") +- || algorithm.equalsIgnoreCase("aes128-cts-hmac-sha1-96")) { ++ } else if (algorithm.equalsIgnoreCase("AES128")) { + keyType = EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96; +- } else if (algorithm.equalsIgnoreCase("ArcFourHmac") +- || algorithm.equalsIgnoreCase("rc4-hmac")) { ++ } else if (algorithm.equalsIgnoreCase("ArcFourHmac")) { + keyType = EncryptedData.ETYPE_ARCFOUR_HMAC; +- } else if (algorithm.equalsIgnoreCase("AES256") +- || algorithm.equalsIgnoreCase("aes256-cts-hmac-sha1-96")) { ++ } else if (algorithm.equalsIgnoreCase("AES256")) { + keyType = EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96; + // validate if AES256 is enabled + if (!EType.isSupported(keyType)) { +diff --git a/jdk/test/javax/security/auth/kerberos/StandardNames.java b/jdk/test/javax/security/auth/kerberos/StandardNames.java +deleted file mode 100644 +index 40590f6d0..000000000 +--- a/jdk/test/javax/security/auth/kerberos/StandardNames.java ++++ /dev/null +@@ -1,108 +0,0 @@ +-/* +- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. +- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +- * +- * This code is free software; you can redistribute it and/or modify it +- * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. +- * +- * This code is distributed in the hope that it will be useful, but WITHOUT +- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +- * version 2 for more details (a copy is included in the LICENSE file that +- * accompanied this code). +- * +- * You should have received a copy of the GNU General Public License version +- * 2 along with this work; if not, write to the Free Software Foundation, +- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +- * +- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +- * or visit www.oracle.com if you need additional information or have any +- * questions. +- */ +- +-/* +- * @test +- * @bug 8035986 +- * @summary KerberosKey algorithm names are not specified +- */ +- +-import sun.security.krb5.EncryptedData; +- +-import javax.crypto.Cipher; +-import javax.security.auth.kerberos.KerberosKey; +-import javax.security.auth.kerberos.KerberosPrincipal; +-import java.util.Locale; +- +-public class StandardNames { +- static KerberosPrincipal kp = new KerberosPrincipal("user@REALM"); +- static char[] pass = "secret".toCharArray(); +- static byte[] keyBytes = new byte[1]; +- +- public static void main(String[] args) throws Exception { +- for (EncType e: EncType.values()) { +- if (e == EncType.e18) { +- if (Cipher.getMaxAllowedKeyLength("AES") < 256) { +- System.out.println("Skipping aes256-cts-hmac-sha1-96"); +- continue; +- } +- } +- checkByName(e.name, e); +- checkByName(e.name.toUpperCase(Locale.US), e); +- for (String n: e.oldnames) { +- checkByName(n, e); +- if (n != null) { +- checkByName(n.toLowerCase(Locale.US), e); +- } +- } +- checkByEType(e.etype, e.name); +- } +- checkByEType(100, "unknown"); +- checkByEType(-1, "private"); +- +- try { +- System.out.println("unsupported"); +- new KerberosKey(kp, pass, "unsupported"); +- throw new Exception("unsupported"); +- } catch (IllegalArgumentException iae) { +- // Expected +- } +- } +- +- private static void checkByName(String n, EncType e) throws Exception { +- System.out.println("CheckByName " + n); +- KerberosKey k = new KerberosKey(kp, pass, n); +- if (!k.getAlgorithm().equals(e.name)) throw new Exception(n); +- if (k.getKeyType() != e.etype) throw new Exception(n); +- if (k.getVersionNumber() != 0) throw new Exception(n); +- } +- +- private static void checkByEType(int i, String n) throws Exception { +- System.out.println("CheckByInt " + i); +- KerberosKey k = new KerberosKey(kp, keyBytes, i, 13); +- if (!k.getAlgorithm().equals(n)) throw new Exception("" + i); +- if (k.getKeyType() != i) throw new Exception("" + i); +- if (k.getVersionNumber() != 13) throw new Exception("" + i); +- } +-} +- +-enum EncType { +- e0("none", EncryptedData.ETYPE_NULL), +- e1("des-cbc-crc", EncryptedData.ETYPE_DES_CBC_CRC), +- e3("des-cbc-md5", EncryptedData.ETYPE_DES_CBC_MD5, "DES", null), +- e16("des3-cbc-sha1-kd", EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD, "DESede"), +- e17("aes128-cts-hmac-sha1-96", EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, "AES128"), +- e18("aes256-cts-hmac-sha1-96", EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96, "AES256"), +- e23("rc4-hmac", EncryptedData.ETYPE_ARCFOUR_HMAC, "ArcFourHmac"), +- ; +- +- final String name; +- final int etype; +- final String[] oldnames; +- +- EncType(String name, int etype, String... oldnames) { +- this.name = name; +- this.etype = etype; +- this.oldnames = oldnames; +- } +-} +-- +2.22.0 + diff --git a/openjdk-1.8.0.spec b/openjdk-1.8.0.spec index 4912bcd687b3d20195dad1a130124e89ca1be115..7232757522aacecac864c8bfaec3eccc81e74f60 100644 --- a/openjdk-1.8.0.spec +++ b/openjdk-1.8.0.spec @@ -916,7 +916,7 @@ Provides: java-%{javaver}-%{origin}-accessibility%{?1} = %{epoch}:%{version}-%{r Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever}.%{buildver} -Release: 0 +Release: 1 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1246,6 +1246,7 @@ Patch363: fixing-a-bug-in-the-processing-of-default-attributes.patch Patch364: enhance-java-heap-oom-err-log.patch Patch365: 8014628-Support-AES-Encryption-with-HMAC-SHA2-for-Ke.patch Patch366: 8179273-sun.net.httpserver.LeftOverInputStream-shoul.patch +Patch367: Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified.patch ############################################# # @@ -1826,6 +1827,7 @@ pushd %{top_level_dir_name} %patch364 -p1 %patch365 -p1 %patch366 -p1 +%patch367 -p1 popd # System library fixes @@ -2449,6 +2451,9 @@ cjc.mainProgram(arg) %endif %changelog +* Thu Aug 3 2023 kuenking111 - 1:1.8.0.382-b05.1 +- add Revert-backport-8035986-KerberosKey-algorithm-names-are-not-specified.patch + * Mon Jul 31 2023 wanghao_hw - 1:1.8.0.382-b05.0 - add Huawei-Print-more-information-when-AbortVMOnException.patch - deleted patch 8185736-missing-default-exception-handler-in-calls-t.patch