8328726: Better Kerberos support

Reviewed-by: ahgross, rhalade, valeriep, coffeys

src/java.security.jgss/share/classes/javax/security/auth/kerberos/EncryptionKey.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -170,7 +170,7 @@ public final class EncryptionKey implements SecretKey {
         if (destroyed) {
             return "Destroyed EncryptionKey";
         }
-        return "key "  + key.toString();
+        return "EncryptionKey: " + key.toString();
     }
 
     /**

src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosCredMessage.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,7 +27,6 @@ package javax.security.auth.kerberos;
 
 import javax.security.auth.Destroyable;
 import java.util.Arrays;
-import java.util.Base64;
 import java.util.Objects;
 
 /**
@@ -140,8 +139,7 @@ public final class KerberosCredMessage implements Destroyable {
         if (destroyed) {
             return "Destroyed KerberosCredMessage";
         } else {
-            return "KRB_CRED from " + sender + " to " + recipient + ":\n"
+            return "KRB_CRED from " + sender + " to " + recipient;
-                    + Base64.getUrlEncoder().encodeToString(message);
         }
     }
 

src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosKey.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -273,9 +273,9 @@ public class KerberosKey implements SecretKey {
         if (destroyed) {
             return "Destroyed KerberosKey";
         }
-        return "Kerberos Principal " + principal +
+        return "KerberosKey: principal " + principal +
-                "Key Version " + versionNum +
+                ", version " + versionNum +
-                "key "  + key.toString();
+                ", key "  + key.toString();
     }
 
     /**

src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,7 +30,8 @@ import java.util.Arrays;
 import javax.crypto.SecretKey;
 import javax.security.auth.Destroyable;
 import javax.security.auth.DestroyFailedException;
-import sun.security.util.HexDumpEncoder;
+
+import sun.security.jgss.krb5.Krb5Util;
 import sun.security.krb5.Asn1Exception;
 import sun.security.krb5.PrincipalName;
 import sun.security.krb5.EncryptionKey;
@@ -225,15 +226,8 @@ class KeyImpl implements SecretKey, Destroyable, Serializable {
     }
 
     public String toString() {
-        HexDumpEncoder hd = new HexDumpEncoder();
+        return "keyType=" + keyType
-        return "EncryptionKey: keyType=" + keyType
+                + ", " + Krb5Util.keyInfo(keyBytes);
-                          + " keyBytes (hex dump)="
-                          + (keyBytes == null || keyBytes.length == 0 ?
-                             " Empty Key" :
-                             '\n' + hd.encodeBuffer(keyBytes)
-                          + '\n');
-
-
     }
 
     public int hashCode() {

src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java

@@ -901,15 +901,11 @@ class Krb5Context implements GSSContextSpi {
 
     public final byte[] wrap(byte[] inBuf, int offset, int len,
                              MessageProp msgProp) throws GSSException {
-        if (DEBUG != null) {
-            DEBUG.println("Krb5Context.wrap: data=["
-                               + getHexBytes(inBuf, offset, len)
-                               + "]");
-        }
 
-        if (state != STATE_DONE)
+        if (state != STATE_DONE) {
-        throw new GSSException(GSSException.NO_CONTEXT, -1,
+            throw new GSSException(GSSException.NO_CONTEXT, -1,
-                               "Wrap called in invalid state!");
+                    "Wrap called in invalid state!");
+        }
 
         byte[] encToken = null;
         try {
@@ -1052,12 +1048,6 @@ class Krb5Context implements GSSContextSpi {
                 setSequencingAndReplayProps(token, msgProp);
             }
 
-            if (DEBUG != null) {
-                DEBUG.println("Krb5Context.unwrap: data=["
-                                   + getHexBytes(data, 0, data.length)
-                                   + "]");
-            }
-
             return data;
         }
 
@@ -1407,8 +1397,8 @@ class Krb5Context implements GSSContextSpi {
 
         @Override
         public String toString() {
-            return "Kerberos session key: etype: " + key.getEType() + "\n" +
+            return "Kerberos session key: etype=" + key.getEType()
-                    new HexDumpEncoder().encodeBuffer(key.getBytes());
+                    + ", " + Krb5Util.keyInfo(key.getBytes());
         }
 
         /**

src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java

@@ -187,4 +187,19 @@ public class Krb5Util {
             KeyTab ktab, PrincipalName cname) {
         return snapshotFromJavaxKeyTab(ktab).readServiceKeys(cname);
     }
+
+    public static String keyInfo(byte[] data) {
+        if (data == null) {
+            return "null key";
+        } else if (data.length == 0) {
+            return "empty key";
+        } else {
+            for (byte b : data) {
+                if (b != 0) {
+                    return data.length + "-byte key";
+                }
+            }
+            return data.length + "-byte zero key";
+        }
+    }
 }

src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java

@@ -31,6 +31,7 @@
 
 package sun.security.krb5;
 
+import sun.security.jgss.krb5.Krb5Util;
 import sun.security.util.*;
 import sun.security.krb5.internal.*;
 import sun.security.krb5.internal.crypto.*;
@@ -498,12 +499,7 @@ public class EncryptionKey
 
     public String toString() {
         return "EncryptionKey: keyType=" + keyType
-                + " kvno=" + kvno
+                + ", kvno=" + kvno + ", " + Krb5Util.keyInfo(keyValue);
-                + " keyValue (hex dump)="
-                + (keyValue == null || keyValue.length == 0 ?
-                " Empty Key" : '\n'
-                + Krb5.hexDumper.encodeBuffer(keyValue)
-                + '\n');
     }
 
     /**

src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java

@@ -320,9 +320,6 @@ public class Krb5 {
     public static final Debug DEBUG = Debug.of("krb5", GetPropertyAction
             .privilegedGetProperty("sun.security.krb5.debug"));
 
-    public static final sun.security.util.HexDumpEncoder hexDumper =
-        new sun.security.util.HexDumpEncoder();
-
     static {
         errMsgList = new Hashtable<Integer,String> ();
         errMsgList.put(KDC_ERR_NONE, "No error");

src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/Kinit.java

@@ -195,10 +195,6 @@ public class Kinit {
                 System.out.print("Password for " + princName + ":");
                 System.out.flush();
                 psswd = Password.readPassword(System.in);
-                if (DEBUG != null) {
-                    DEBUG.println(">>> Kinit console input " +
-                        new String(psswd));
-                }
             }
             builder = new KrbAsReqBuilder(principal, psswd);
         } else {

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java

@@ -127,11 +127,6 @@ public class CK_PBE_PARAMS {
         sb.append(pPassword.length);
         sb.append(Constants.NEWLINE);
 
-        sb.append(Constants.INDENT);
-        sb.append("pPassword: ");
-        sb.append(pPassword);
-        sb.append(Constants.NEWLINE);
-
         sb.append(Constants.INDENT);
         sb.append("ulSaltLen: ");
         sb.append(pSalt.length);

src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java

@@ -43,7 +43,7 @@ import sun.security.krb5.*;
 import sun.security.jgss.krb5.Krb5Util;
 import sun.security.krb5.Credentials;
 import sun.security.util.Debug;
-import sun.security.util.HexDumpEncoder;
+
 import static sun.security.util.ResourcesMgr.getAuthResourceString;
 
 /**
@@ -769,15 +769,11 @@ public class Krb5LoginModule implements LoginModule {
 
                 if (debug != null) {
                     debug.println("principal is " + principal);
-                    HexDumpEncoder hd = new HexDumpEncoder();
                     if (ktab != null) {
                         debug.println("Will use keytab");
                     } else if (storeKey) {
                         for (int i = 0; i < encKeys.length; i++) {
-                            debug.println("EncryptionKey: keyType=" +
+                            debug.println(encKeys[i].toString());
-                                encKeys[i].getEType() +
-                                " keyBytes (hex dump)=" +
-                                hd.encodeBuffer(encKeys[i].getBytes()));
                         }
                     }
                 }
@@ -868,7 +864,7 @@ public class Krb5LoginModule implements LoginModule {
             }
             if (debug != null) {
                 debug.println
-                    ("password is " + new String(password));
+                    ("Get password from shared state");
             }
             return;
         }