8316771: Krb5.java has not defined messages for all error codes

Reviewed-by: mullan

src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java

@@ -463,8 +463,7 @@ public class CredentialsUtil {
             Credentials newTgt = getTGTforRealm(tgtRealm, serviceRealm,
                     asCreds, okAsDelegate);
             if (newTgt == null) {
-                throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,
+                throw new KrbException("No service creds");
-                        "No service creds");
             }
             if (DEBUG) {
                 System.out.println(">>> Cross-realm TGT Credentials" +

src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java

@@ -250,6 +250,9 @@ public class Krb5 {
     public static final int KDC_ERR_KEY_EXPIRED          = 23;   //Password has expired - change password to reset
     public static final int KDC_ERR_PREAUTH_FAILED       = 24;   //Pre-authentication information was invalid
     public static final int KDC_ERR_PREAUTH_REQUIRED     = 25;   //Additional pre-authentication required
+    public static final int KDC_ERR_SERVER_NOMATCH       = 26;   //Requested server and ticket don't match
+    public static final int KDC_ERR_MUST_USE_USER2USER   = 27;   //Server principal valid for user2user only
+    public static final int KDC_ERR_PATH_NOT_ACCEPTED    = 28;   //KDC Policy rejects transited path
     public static final int KDC_ERR_SVC_UNAVAILABLE      = 29;   //A service is not available
     public static final int KRB_AP_ERR_BAD_INTEGRITY     = 31;   //Integrity check on decrypted field failed
     public static final int KRB_AP_ERR_TKT_EXPIRED       = 32;   //Ticket expired
@@ -270,13 +273,13 @@ public class Krb5 {
     public static final int KRB_AP_ERR_METHOD            = 48;   //Alternative authentication method required
     public static final int KRB_AP_ERR_BADSEQ            = 49;   //Incorrect sequence number in message
     public static final int KRB_AP_ERR_INAPP_CKSUM       = 50;   //Inappropriate type of checksum in message
+    public static final int KRB_AP_PATH_NOT_ACCEPTED     = 51;   //Policy rejects transited path
     public static final int KRB_ERR_RESPONSE_TOO_BIG     = 52;   //Response too big for UDP, retry with TCP
     public static final int KRB_ERR_GENERIC              = 60;   //Generic error (description in e-text)
     public static final int KRB_ERR_FIELD_TOOLONG        = 61;   //Field is too long for this implementation
     public static final int KRB_ERR_WRONG_REALM          = 68;   //Wrong realm
-    public static final int KRB_CRYPTO_NOT_SUPPORT      = 100;    //Client does not support this crypto type
+
-    public static final int KRB_AP_ERR_NOREALM          = 62;
+    public static final int KRB_CRYPTO_NOT_SUPPORT      = 100;   //Client does not support this crypto type
-    public static final int KRB_AP_ERR_GEN_CRED         = 63;
     //  public static final int KRB_AP_ERR_CKSUM_NOKEY          =101;    //Lack of the key to generate the checksum
     // error codes specific to this implementation
     public static final int KRB_AP_ERR_REQ_OPTIONS = 101; //Invalid TGS_REQ
@@ -346,6 +349,10 @@ public class Krb5 {
         errMsgList.put(KDC_ERR_KEY_EXPIRED, "Password has expired - change password to reset");
         errMsgList.put(KDC_ERR_PREAUTH_FAILED, "Pre-authentication information was invalid");
         errMsgList.put(KDC_ERR_PREAUTH_REQUIRED, "Additional pre-authentication required");
+        errMsgList.put(KDC_ERR_SERVER_NOMATCH, "Requested server and ticket don't match");
+        errMsgList.put(KDC_ERR_MUST_USE_USER2USER, "Server principal valid for user2user only");
+        errMsgList.put(KDC_ERR_PATH_NOT_ACCEPTED, "KDC Policy rejects transited path");
+        errMsgList.put(KDC_ERR_SVC_UNAVAILABLE, "A service is not available");
         errMsgList.put(KRB_AP_ERR_BAD_INTEGRITY, "Integrity check on decrypted field failed");
         errMsgList.put(KRB_AP_ERR_TKT_EXPIRED, "Ticket expired");
         errMsgList.put(KRB_AP_ERR_TKT_NYV, "Ticket not yet valid");
@@ -365,10 +372,11 @@ public class Krb5 {
         errMsgList.put(KRB_AP_ERR_METHOD, "Alternative authentication method required");
         errMsgList.put(KRB_AP_ERR_BADSEQ, "Incorrect sequence number in message");
         errMsgList.put(KRB_AP_ERR_INAPP_CKSUM, "Inappropriate type of checksum in message");
+        errMsgList.put(KRB_AP_PATH_NOT_ACCEPTED, "Policy rejects transited path");
         errMsgList.put(KRB_ERR_RESPONSE_TOO_BIG, "Response too big for UDP, retry with TCP");
         errMsgList.put(KRB_ERR_GENERIC, "Generic error (description in e-text)");
         errMsgList.put(KRB_ERR_FIELD_TOOLONG, "Field is too long for this implementation");
-        errMsgList.put(KRB_AP_ERR_NOREALM, "Realm name not available"); //used in setDefaultCreds() in sun.security.krb5.Credentials
+        errMsgList.put(KRB_ERR_WRONG_REALM, "Wrong realm");
 
         // error messages specific to this implementation
 
@@ -398,7 +406,6 @@ public class Krb5 {
         errMsgList.put(ASN1_CANNOT_ENCODE, "Encoding failed due to invalid parameter(s)");
         errMsgList.put(KRB_CRYPTO_NOT_SUPPORT, "Client has no support for crypto type");
         errMsgList.put(KRB_AP_ERR_REQ_OPTIONS, "Invalid option setting in ticket request.");
-        errMsgList.put(KRB_AP_ERR_GEN_CRED, "Fail to create credential.");
     }
 
 }

test/jdk/sun/security/krb5/ErrorMessages.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+/*
+ * @test
+ * @bug 8316771
+ * @library /test/lib
+ * @modules java.security.jgss/sun.security.krb5.internal:+open
+ * @summary make sure each error code has a message
+ */
+
+import jdk.test.lib.Asserts;
+import sun.security.krb5.internal.Krb5;
+
+import java.lang.reflect.Field;
+import java.util.Hashtable;
+
+public class ErrorMessages {
+    public static void main(String[] args) throws Exception {
+        boolean isError = false;
+        int count = 0;
+        int size = -1;
+        for (Field v : Krb5.class.getDeclaredFields()) {
+            // The spec of the Class::getDeclaredFields method claims
+            // "The elements in the returned array are not sorted and
+            // are not in any particular order". However, the current
+            // implementation seems to be listing them in the order
+            // they appear in the code.
+            if (v.getName().equals("errMsgList")) {
+                v.setAccessible(true);
+                size = ((Hashtable)v.get(null)).size();
+                break;
+            }
+            if (v.getName().equals("KDC_ERR_NONE")) {
+                isError = true;
+            }
+            if (!isError) continue;
+            Asserts.assertNotEquals(Krb5.getErrorMessage((int)v.get(null)),
+                    null, "No msg for " + v);
+            count++;
+        }
+        Asserts.assertEQ(count, size, "Different size");
+    }
+}