From 7c86823f01722ef91d94da70382dbeb07f720c04 Mon Sep 17 00:00:00 2001
From: Weijun Wang <weijun@openjdk.org>
Date: Thu, 20 Aug 2009 11:24:42 +0800
Subject: [PATCH] 6867665: Problem with keytabs with multiple kvno's (key
 versions)

Reviewed-by: valeriep, ohair
---
 .../security/krb5/internal/ktab/KeyTab.java   |  72 +++---
 .../sun/security/krb5/ktab/HighestKvno.java   | 237 ++++++++++++++++++
 2 files changed, 271 insertions(+), 38 deletions(-)
 create mode 100644 jdk/test/sun/security/krb5/ktab/HighestKvno.java

diff --git a/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java b/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
index d7c5484ec0c..388548b2eeb 100644
--- a/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
+++ b/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
@@ -41,6 +41,7 @@ import java.io.IOException;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.File;
+import java.util.Comparator;
 import java.util.StringTokenizer;
 
 /**
@@ -229,10 +230,11 @@ public class KeyTab implements KeyTabConstants {
     /**
      * Reads the service key from the keytab file.
      * @param service the PrincipalName of the requested service.
-     * @return the last service key in the keytab
+     * @return the last service key in the keytab with the highest kvno
      */
     public EncryptionKey readServiceKey(PrincipalName service) {
         KeyTabEntry entry = null;
+        EncryptionKey key = null;
         if (entries != null) {
             // Find latest entry for this service that has an etype
             // that has been configured for use
@@ -240,9 +242,12 @@ public class KeyTab implements KeyTabConstants {
                 entry = entries.elementAt(i);
                 if (entry.service.match(service)) {
                     if (EType.isSupported(entry.keyType)) {
-                        return new EncryptionKey(entry.keyblock,
+                        if (key == null ||
+                                entry.keyVersion > key.getKeyVersionNumber()) {
+                            key = new EncryptionKey(entry.keyblock,
                                              entry.keyType,
                                              new Integer(entry.keyVersion));
+                        }
                     } else if (DEBUG) {
                         System.out.println("Found unsupported keytype (" +
                             entry.keyType + ") for " + service);
@@ -250,12 +255,13 @@ public class KeyTab implements KeyTabConstants {
                 }
             }
         }
-        return null;
+        return key;
     }
 
     /**
      * Reads all keys for a service from the keytab file that have
-     * etypes that have been configured for use.
+     * etypes that have been configured for use. If there are multiple
+     * keys with same etype, the one with the highest kvno is returned.
      * @param service the PrincipalName of the requested service
      * @return an array containing all the service keys
      */
@@ -288,49 +294,39 @@ public class KeyTab implements KeyTabConstants {
         size = keys.size();
         if (size == 0)
             return null;
-        EncryptionKey[] retVal = new EncryptionKey[size];
+        EncryptionKey[] retVal = keys.toArray(new EncryptionKey[size]);
 
         // Sort keys according to default_tkt_enctypes
-        int pos = 0;
-        EncryptionKey k;
         if (DEBUG) {
             System.out.println("Ordering keys wrt default_tkt_enctypes list");
         }
-        int[] etypes = EType.getDefaults("default_tkt_enctypes");
-        if (etypes == null || etypes == EType.getBuiltInDefaults()) {
-            // Either no supported types specified in default_tkt_enctypes
-            // or no default_tkt_enctypes entry at all. For both cases,
-            // just return supported keys in the order retrieved
-            for (int i = 0; i < size; i++) {
-                retVal[pos++] = keys.get(i);
-            }
-        } else {
-            for (int j = 0; j < etypes.length && pos < size; j++) {
-                int target = etypes[j];
-                for (int i = 0; i < size && pos < size; i++) {
-                    k = keys.get(i);
-                    if (k != null && k.getEType() == target) {
-                        if (DEBUG) {
-                            System.out.println(pos + ": " + k);
+
+        final int[] etypes = EType.getDefaults("default_tkt_enctypes");
+
+        // Sort the keys, k1 is preferred than k2 if:
+        // 1. k1's etype appears earlier in etypes than k2's
+        // 2. If same, k1's KVNO is higher
+        Arrays.sort(retVal, new Comparator<EncryptionKey>() {
+            @Override
+            public int compare(EncryptionKey o1, EncryptionKey o2) {
+                if (etypes != null && etypes != EType.getBuiltInDefaults()) {
+                    int o1EType = o1.getEType();
+                    int o2EType = o2.getEType();
+                    if (o1EType != o2EType) {
+                        for (int i=0; i<etypes.length; i++) {
+                            if (etypes[i] == o1EType) {
+                                return -1;
+                            } else if (etypes[i] == o2EType) {
+                                return 1;
+                            }
                         }
-                        retVal[pos++] = k;
-                        keys.set(i, null);  // Cleared from consideration
                     }
                 }
+                return o2.getKeyVersionNumber().intValue()
+                        - o1.getKeyVersionNumber().intValue();
             }
-            // copy the rest
-            for (int i = 0; i < size && pos < size; i++) {
-                k = keys.get(i);
-                if (k != null) {
-                    retVal[pos++] = k;
-                }
-            }
-        }
-        if (pos != size) {
-            throw new RuntimeException(
-                "Internal Error: did not copy all keys;expecting " + size +
-                    "; got " + pos);
-        }
+        });
+
         return retVal;
     }
 
diff --git a/jdk/test/sun/security/krb5/ktab/HighestKvno.java b/jdk/test/sun/security/krb5/ktab/HighestKvno.java
new file mode 100644
index 00000000000..09880ae9346
--- /dev/null
+++ b/jdk/test/sun/security/krb5/ktab/HighestKvno.java
@@ -0,0 +1,237 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+/*
+ * @test
+ * @bug 6867665
+ * @summary Problem with keytabs with multiple kvno's (key versions)
+ */
+
+import sun.security.krb5.internal.ktab.*;
+import sun.security.krb5.*;
+import java.io.File;
+import java.io.FileOutputStream;
+
+public class HighestKvno {
+
+    public static void main(String[] args) throws Exception {
+        // kt is a keytab including these entries:
+        //
+        // me@MAD.LOCAL: Type: 3, KVNO: 4
+        // me@MAD.LOCAL: Type: 23, KVNO: 4
+        // me@MAD.LOCAL: Type: 16, KVNO: 4
+        // me@MAD.LOCAL: Type: 1, KVNO: 5
+        // me@MAD.LOCAL: Type: 17, KVNO: 5
+        // me@MAD.LOCAL: Type: 18, KVNO: 5
+        // me@MAD.LOCAL: Type: 1, KVNO: 3
+        // me@MAD.LOCAL: Type: 17, KVNO: 3
+        // me@MAD.LOCAL: Type: 18, KVNO: 3
+        // he@MAD.LOCAL: Type: 1, KVNO: 1
+        // he@MAD.LOCAL: Type: 17, KVNO: 1
+        // he@MAD.LOCAL: Type: 18, KVNO: 1
+        //
+        // This file is created with these steps:
+        // 1. Modify JRE's Ktab.java so that adding new entries
+        //    does not remove the old one.
+        // 2. Run the modified Ktab to create 4 sets of keys
+        // 3. Manually hex edit the KVNO as above
+
+        byte[] kt = {
+            (byte)0x05, (byte)0x02, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x26, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x44, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x02, (byte)0x6D, (byte)0x65, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x4A,
+            (byte)0x79, (byte)0x45, (byte)0xCD, (byte)0x04,
+            (byte)0x00, (byte)0x03, (byte)0x00, (byte)0x08,
+            (byte)0xE6, (byte)0xB0, (byte)0x07, (byte)0xA8,
+            (byte)0x5B, (byte)0xF8, (byte)0x73, (byte)0xAD,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x2E,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x44, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x02, (byte)0x6D,
+            (byte)0x65, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x4A, (byte)0x79, (byte)0x45,
+            (byte)0xCD, (byte)0x04, (byte)0x00, (byte)0x17,
+            (byte)0x00, (byte)0x10, (byte)0x50, (byte)0x92,
+            (byte)0x01, (byte)0x6B, (byte)0xCF, (byte)0x5A,
+            (byte)0x2A, (byte)0x7A, (byte)0x4F, (byte)0xE8,
+            (byte)0x39, (byte)0xD9, (byte)0x90, (byte)0xB5,
+            (byte)0x9C, (byte)0xEB, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x36, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x44, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x02, (byte)0x6D, (byte)0x65, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x4A,
+            (byte)0x79, (byte)0x45, (byte)0xCD, (byte)0x04,
+            (byte)0x00, (byte)0x10, (byte)0x00, (byte)0x18,
+            (byte)0xDF, (byte)0xDF, (byte)0x62, (byte)0x86,
+            (byte)0x37, (byte)0xCE, (byte)0x29, (byte)0xBA,
+            (byte)0xBC, (byte)0x23, (byte)0x15, (byte)0xDC,
+            (byte)0x86, (byte)0x7C, (byte)0xB6, (byte)0x89,
+            (byte)0x25, (byte)0x25, (byte)0xCD, (byte)0x4A,
+            (byte)0x9B, (byte)0xCE, (byte)0xF4, (byte)0xAE,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x26,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x44, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x02, (byte)0x6D,
+            (byte)0x65, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x4A, (byte)0x79, (byte)0x4B,
+            (byte)0x5E, (byte)0x05, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x08, (byte)0xE6, (byte)0xB0,
+            (byte)0x07, (byte)0xA8, (byte)0x5B, (byte)0xF8,
+            (byte)0x73, (byte)0xAD, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x2E, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x44, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x02, (byte)0x6D, (byte)0x65, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x4A,
+            (byte)0x79, (byte)0x4B, (byte)0x5E, (byte)0x05,
+            (byte)0x00, (byte)0x11, (byte)0x00, (byte)0x10,
+            (byte)0xEA, (byte)0xF5, (byte)0xA8, (byte)0x36,
+            (byte)0xA5, (byte)0x3E, (byte)0x5F, (byte)0x5C,
+            (byte)0x26, (byte)0xE9, (byte)0xDD, (byte)0x8B,
+            (byte)0x8C, (byte)0xE8, (byte)0x92, (byte)0x9C,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x3E,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x44, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x02, (byte)0x6D,
+            (byte)0x65, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x4A, (byte)0x79, (byte)0x4B,
+            (byte)0x5E, (byte)0x05, (byte)0x00, (byte)0x12,
+            (byte)0x00, (byte)0x20, (byte)0x68, (byte)0xBE,
+            (byte)0xD4, (byte)0x17, (byte)0x3A, (byte)0x06,
+            (byte)0xE0, (byte)0x0C, (byte)0x62, (byte)0x11,
+            (byte)0xB7, (byte)0x53, (byte)0x1B, (byte)0x3E,
+            (byte)0xB2, (byte)0x6B, (byte)0x0D, (byte)0x48,
+            (byte)0xD8, (byte)0x52, (byte)0x5A, (byte)0x4C,
+            (byte)0xBE, (byte)0x24, (byte)0xBB, (byte)0x3D,
+            (byte)0xC1, (byte)0x74, (byte)0x69, (byte)0xDA,
+            (byte)0x34, (byte)0x98, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x26, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x44, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x02, (byte)0x6D, (byte)0x65, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x4A,
+            (byte)0x79, (byte)0x51, (byte)0x27, (byte)0x03,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x08,
+            (byte)0xE6, (byte)0xB0, (byte)0x07, (byte)0xA8,
+            (byte)0x5B, (byte)0xF8, (byte)0x73, (byte)0xAD,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x2E,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x44, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x02, (byte)0x6D,
+            (byte)0x65, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x4A, (byte)0x79, (byte)0x51,
+            (byte)0x27, (byte)0x03, (byte)0x00, (byte)0x11,
+            (byte)0x00, (byte)0x10, (byte)0xEA, (byte)0xF5,
+            (byte)0xA8, (byte)0x36, (byte)0xA5, (byte)0x3E,
+            (byte)0x5F, (byte)0x5C, (byte)0x26, (byte)0xE9,
+            (byte)0xDD, (byte)0x8B, (byte)0x8C, (byte)0xE8,
+            (byte)0x92, (byte)0x9C, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x3E, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x44, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x02, (byte)0x6D, (byte)0x65, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x4A,
+            (byte)0x79, (byte)0x51, (byte)0x27, (byte)0x03,
+            (byte)0x00, (byte)0x12, (byte)0x00, (byte)0x20,
+            (byte)0x68, (byte)0xBE, (byte)0xD4, (byte)0x17,
+            (byte)0x3A, (byte)0x06, (byte)0xE0, (byte)0x0C,
+            (byte)0x62, (byte)0x11, (byte)0xB7, (byte)0x53,
+            (byte)0x1B, (byte)0x3E, (byte)0xB2, (byte)0x6B,
+            (byte)0x0D, (byte)0x48, (byte)0xD8, (byte)0x52,
+            (byte)0x5A, (byte)0x4C, (byte)0xBE, (byte)0x24,
+            (byte)0xBB, (byte)0x3D, (byte)0xC1, (byte)0x74,
+            (byte)0x69, (byte)0xDA, (byte)0x34, (byte)0x98,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x26,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x44, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x02, (byte)0x68,
+            (byte)0x65, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x4A, (byte)0x79, (byte)0x54,
+            (byte)0xC7, (byte)0x01, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x08, (byte)0x85, (byte)0x5B,
+            (byte)0xE3, (byte)0x13, (byte)0x3E, (byte)0xF8,
+            (byte)0x76, (byte)0xEC, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x2E, (byte)0x00, (byte)0x01,
+            (byte)0x00, (byte)0x09, (byte)0x4D, (byte)0x41,
+            (byte)0x44, (byte)0x2E, (byte)0x4C, (byte)0x4F,
+            (byte)0x43, (byte)0x41, (byte)0x4C, (byte)0x00,
+            (byte)0x02, (byte)0x68, (byte)0x65, (byte)0x00,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x4A,
+            (byte)0x79, (byte)0x54, (byte)0xC7, (byte)0x01,
+            (byte)0x00, (byte)0x11, (byte)0x00, (byte)0x10,
+            (byte)0xEC, (byte)0xCC, (byte)0x16, (byte)0xCD,
+            (byte)0xE8, (byte)0x51, (byte)0x46, (byte)0x4C,
+            (byte)0x1B, (byte)0x57, (byte)0xAE, (byte)0x19,
+            (byte)0xC3, (byte)0xD2, (byte)0x55, (byte)0x1B,
+            (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x3E,
+            (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x09,
+            (byte)0x4D, (byte)0x41, (byte)0x44, (byte)0x2E,
+            (byte)0x4C, (byte)0x4F, (byte)0x43, (byte)0x41,
+            (byte)0x4C, (byte)0x00, (byte)0x02, (byte)0x68,
+            (byte)0x65, (byte)0x00, (byte)0x00, (byte)0x00,
+            (byte)0x00, (byte)0x4A, (byte)0x79, (byte)0x54,
+            (byte)0xC7, (byte)0x01, (byte)0x00, (byte)0x12,
+            (byte)0x00, (byte)0x20, (byte)0xAE, (byte)0xBA,
+            (byte)0xCB, (byte)0xF5, (byte)0xA8, (byte)0x09,
+            (byte)0xC1, (byte)0xB0, (byte)0x2C, (byte)0x2A,
+            (byte)0x3D, (byte)0x96, (byte)0x2C, (byte)0x2D,
+            (byte)0xF5, (byte)0xFE, (byte)0x65, (byte)0xEC,
+            (byte)0x75, (byte)0x72, (byte)0x5B, (byte)0x46,
+            (byte)0x84, (byte)0xD7, (byte)0x49, (byte)0x3E,
+            (byte)0xF2, (byte)0x27, (byte)0x32, (byte)0x69,
+            (byte)0x75, (byte)0x9B,
+        };
+        System.setProperty("java.security.krb5.conf",
+                new File(System.getProperty("test.src"),
+                    "../krb5.conf").getAbsolutePath());
+        FileOutputStream fout = new FileOutputStream("kt");
+        fout.write(kt);
+        fout.close();
+        KeyTab ktab = KeyTab.getInstance("kt");
+        PrincipalName pn = new PrincipalName("me@MAD.LOCAL");
+        EncryptionKey[] keys = ktab.readServiceKeys(pn);
+        if (keys.length != 9) {
+            throw new Exception("Count error");
+        }
+        if (keys[0].getKeyVersionNumber() != 5) {
+            throw new Exception("Highest not first");
+        }
+        if (ktab.readServiceKey(pn).getKeyVersionNumber() != 5) {
+            throw new Exception("Highest not chosen");
+        }
+        new File("kt").delete();
+    }
+}