directory-dev mailing list archives

From "Stefan Seelmann (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DIRSERVER-1635) Exception when obtaining service ticket and aes256-cts-hmac-sha1-96 encryption is used
Date Mon, 25 Jul 2011 23:09:09 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann resolved DIRSERVER-1635.
----------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0-M2
         Assignee: Stefan Seelmann

Fixed here:
  http://svn.apache.org/viewvc?rev=1150951&view=rev

A very ugly thing are the tests: The Sun Kerberos implementation uses RSA_MD5 as the default checksum
type. The only way to set the checksum is to put a field "default_checksum" in the krb5.conf.
However, in the Sun implementation this field is only read once in a static initializer. So
it isn't possible to change the value between tests using the krb5.conf file. So I used reflection
to modify the static field at runtime.

> Exception when obtaining service ticket and aes256-cts-hmac-sha1-96 encryption is used
> --------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1635
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1635
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M1
>         Environment: * ApacheDS Trunk as KDC, encryption is set to "aes256-cts-hmac-sha1-96".
> * Service: Apache HTTPD 2.2 with mod_auth_kerb
> * Client: Linux with MIT Kerberos and Firefox 5
>            Reporter: Stefan Seelmann
>            Assignee: Stefan Seelmann
>             Fix For: 2.0.0-M2
>
>
> The client accesses a SPNEGO protected website. When obtaining the service ticket the exception below is thrown.
> When using "des-cbc-md5" encryption no exception is thrown and authentication works. I didn't test other encryption types, but they should be tested.
> [13:38:25] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - ERR_152 Unexpected exception: Missing argument
> java.lang.IllegalArgumentException: Missing argument
> 	at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:93)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.processCipher(AesCtsSha1Encryption.java:176)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.encrypt(AesCtsSha1Encryption.java:136)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.Aes256CtsSha1Encryption.encrypt(Aes256CtsSha1Encryption.java:30)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionEngine.deriveRandom(EncryptionEngine.java:71)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.deriveKey(AesCtsSha1Encryption.java:148)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.calculateChecksum(AesCtsSha1Encryption.java:68)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.Aes256CtsSha1Encryption.calculateChecksum(Aes256CtsSha1Encryption.java:30)
> 	at org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler.verifyChecksum(ChecksumHandler.java:107)
> 	at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.verifyBodyChecksum(TicketGrantingService.java:305)
> 	at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:107)
> 	at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:172)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> 	at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427)
> 	at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> 	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
> 	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:486)
> 	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:456)
> 	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$1000(AbstractPollingConnectionlessIoAcceptor.java:61)
> 	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:414)
> 	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> 	at java.lang.Thread.run(Thread.java:636)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
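
The test workaround described in the resolution comment, as an added sketch that is not the ApacheDS test code or the Sun implementation: ChecksumDefaults, its defaultType field and the example.default_checksum property are hypothetical stand-ins for a class that reads its default checksum type once in a static initializer. The helper restores the original value so the override cannot leak into later tests.

```java
import java.lang.reflect.Field;

public class StaticDefaultOverride {

    // Hypothetical stand-in for a library class that reads its default
    // checksum type from configuration exactly once, when the class loads.
    static class ChecksumDefaults {
        static int defaultType;          // RFC 3961 checksum type number
        static {
            // Constructed config source: a system property instead of krb5.conf.
            defaultType = Integer.getInteger("example.default_checksum", 7); // 7 = rsa-md5
        }
        static int current() { return defaultType; }
    }

    // Runs body with the static field forced to value, then restores it so
    // later tests see the original default.
    static void withDefaultChecksum(int value, Runnable body) throws Exception {
        Field f = ChecksumDefaults.class.getDeclaredField("defaultType");
        f.setAccessible(true);
        int saved = f.getInt(null);      // null target: static field
        f.setInt(null, value);
        try {
            body.run();
        } finally {
            f.setInt(null, saved);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("initial: " + ChecksumDefaults.current());

        // Changing the configuration after class load has no effect,
        // because the static initializer has already run.
        System.setProperty("example.default_checksum", "16");
        System.out.println("after config change: " + ChecksumDefaults.current());

        // 16 = hmac-sha1-96-aes256 (RFC 3962)
        withDefaultChecksum(16, () ->
            System.out.println("inside override: " + ChecksumDefaults.current()));

        System.out.println("restored: " + ChecksumDefaults.current());
    }
}
```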

        
