Java Security

Kerberos & Java GSS (JGSS) - Server side - Checksum failed !

843810 Jul 19 2010 — edited Jul 19 2010
Hi again,

Now the client side works fine: it can log in to the KDC and save the encrypted token to a file.
The server-side program should read the encrypted file and then log in to the KDC to determine which user generated this token, and greet him.
But when I run the server-side program, I have an issue, as always. Here is the output:

Found key for krbadm/admin@EVIL.IT(3)
Found key for krbadm/admin@EVIL.IT(23)
Found key for krbadm/admin@EVIL.IT(18)
Found key for krbadm/admin@EVIL.IT(17)
Found key for krbadm/admin@EVIL.IT(1)
Found key for krbadm/admin@EVIL.IT(16)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Checksum failed !
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at it.evil.kerberos.KerberosServer$1.run(KerberosServer.java:140)
at it.evil.kerberos.KerberosServer$1.run(KerberosServer.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at it.evil.kerberos.KerberosServer.acceptSecurityContext(KerberosServer.java:123)
at it.evil.kerberos.KerberosServer.main(KerberosServer.java:58)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
... 8 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269)
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
... 14 more



It seems that it can read the token with BASE64Decoder, but when it tries to accept the context and return the client principal name, it fails with an error.

This is the line of code where the error is:

return Subject.doAs( subject, new PrivilegedAction<String>()




Here is the main:
	      // Log in to the KDC.
	      server.login( password);
	      byte[] serviceTicket = loadTokenFromDisk();
	      // Accept the security context and get the client principal name.
	      String clientName = server.acceptSecurityContext( serviceTicket);
It gets past loadTokenFromDisk and crashes on server.acceptSecurityContext( serviceTicket);


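Here is the decryption:
// Imports needed by this method:
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import sun.misc.BASE64Decoder;

// Load the security token from disk and decode it. Return the raw GSS token.
private static byte[] loadTokenFromDisk() throws IOException 
{
	System.out.println( new File( "security.token").getAbsolutePath());
	StringBuilder buffer = new StringBuilder();
	BufferedReader in = new BufferedReader( new FileReader( "security.token"));
	try
	{
		String str;
		while ((str = in.readLine()) != null) 
		{
			buffer.append( str).append( "\n");
		}
	}
	finally
	{
		// Close the reader even if reading fails.
		in.close();
	}
	System.out.println( buffer.toString());

	// sun.misc.BASE64Decoder is a JDK-internal class.
	BASE64Decoder decoder = new BASE64Decoder();
	return decoder.decodeBuffer( buffer.toString());
}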
	 
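And this is the function with the problem:
// Imports needed by this method:
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

private String acceptSecurityContext( final byte[] serviceTicket) throws GSSException 
{
	// Kerberos V5 mechanism OID.
	krb5Oid = new Oid( "1.2.840.113554.1.2.2");
	return Subject.doAs( subject, new PrivilegedAction<String>() 
	{
		public String run() 
		{
			try 
			{
				GSSManager manager = GSSManager.getInstance();
				// A null credential makes the acceptor use its default credentials.
				GSSContext context = manager.createContext( (GSSCredential) null);
				context.acceptSecContext( serviceTicket, 0, serviceTicket.length);
				// Name of the client principal that created the token.
				return context.getSrcName().toString();
			}
			catch ( Exception e) 
			{
				e.printStackTrace();
				return null;
			}
		}
	});
}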
The error is clear: Checksum failed!

But I cannot tell whether it is a problem with decryption or with the authentication token.

Thanks for any reply.
Locked on Aug 16 2010
Added on Jul 19 2010
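
An added diagnostic for the failure in the post above (example code, not the poster's and not part of the JDK). The trace shows the integrity check failing inside EncryptedData.decrypt with an AES256 key, which happens when the decryption key differs from the encryption key or when the bytes changed on the way; the sketch checks both sides. The class and method names are hypothetical, and it assumes a Krb5LoginModule login with storeKey=true so the Subject holds KerberosKey objects.

```java
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import org.ietf.jgss.*;

// Added diagnostic sketch; AcceptDiagnostics and its methods are hypothetical names.
public final class AcceptDiagnostics {
    // Hex SHA-256 of the decoded token. Compare it with the digest the client computes
    // before Base64-encoding, to rule out damage in the file round trip.
    static String tokenDigest(byte[] token) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(token)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Lists the long-term keys the acceptor holds after login
    // (assumption: storeKey=true, so KerberosKey objects are in the Subject).
    static void printAcceptorKeys(Subject subject) {
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            System.out.println(k.getPrincipal() + " etype=" + k.getKeyType()
                    + " kvno=" + k.getVersionNumber());
        }
    }

    // Accepts the token as the given Subject; on failure reports the GSS status codes.
    static String accept(Subject subject, final byte[] token) {
        return Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() {
                try {
                    GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                    ctx.acceptSecContext(token, 0, token.length);
                    return ctx.getSrcName() + " -> " + ctx.getTargName();
                } catch (GSSException e) {
                    System.err.println("major=" + e.getMajor() + " (" + e.getMajorString()
                            + ") minor=" + e.getMinor() + " (" + e.getMinorString() + ")");
                    return null;
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        byte[] constructed = {0x60, 0x03, 0x01, 0x02, 0x03}; // constructed bytes, not a real token
        System.out.println(tokenDigest(constructed));
    }
}
```

If the digests match on both sides, the token survived the file round trip, and the keys printed for the acceptor are what to compare with the service principal the client requested its ticket for.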