- All Implemented Interfaces:
Serializable
,Key
,SecretKey
,Destroyable
A KerberosKey
object includes an EncryptionKey, a
KerberosPrincipal
as its owner, and the version number
of the key.
An EncryptionKey is defined in Section 4.2.9 of the Kerberos Protocol Specification (RFC 4120) as:
EncryptionKey ::= SEQUENCE { keytype [0] Int32 -- actually encryption type --, keyvalue [1] OCTET STRING }The key material of a
KerberosKey
is defined as the value
of the keyValue
above.
All Kerberos JAAS login modules that obtain a principal's password and
generate the secret key from it should use this class.
Sometimes, such as when authenticating a server in
the absence of user-to-user authentication, the login module will store
an instance of this class in the private credential set of a
Subject
during the commit phase of the
authentication process.
A Kerberos service using a keytab to read secret keys should use
the KeyTab
class, where latest keys can be read when needed.
It might be necessary for the application to be granted a
PrivateCredentialPermission
if it needs to access the KerberosKey
instance from a Subject. This permission is not needed when the
application depends on the default JGSS Kerberos mechanism to access the
KerberosKey
. In that case, however, the application will need an
appropriate
ServicePermission
.
When creating a KerberosKey
using the
KerberosKey(KerberosPrincipal, char[], String)
constructor,
an implementation may accept non-IANA algorithm names (For example,
"ArcFourMac" for "rc4-hmac"), but the getAlgorithm()
method
must always return the IANA algorithm name.
- Implementation Note:
- Old algorithm names used before JDK 9 are supported in the
KerberosKey(KerberosPrincipal, char[], String)
constructor in this implementation for compatibility reasons, which are "DES" (and null) for "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for "aes256-cts-hmac-sha1-96". - Since:
- 1.4
- See Also:
-
Constructor Summary
ConstructorDescriptionKerberosKey
(KerberosPrincipal principal, byte[] keyBytes, int keyType, int versionNum) Constructs aKerberosKey
from the given bytes when the key type and key version number are known.KerberosKey
(KerberosPrincipal principal, char[] password, String algorithm) Constructs aKerberosKey
from a principal's password using the specified algorithm name. -
Method Summary
Modifier and TypeMethodDescriptionvoid
destroy()
Destroys this key by clearing out the key material of this secret key.boolean
Compares the specified object with thisKerberosKey
for equality.final String
Returns the standard algorithm name for this key.final byte[]
Returns the key material of this secret key.final String
Returns the name of the encoding format for this secret key.final int
Returns the key type for this long-term key.final KerberosPrincipal
Returns the principal that this key belongs to.final int
Returns the key version number.int
hashCode()
Returns a hash code for thisKerberosKey
.boolean
Determines if this key has been destroyed.toString()
Returns an informative textual representation of thisKerberosKey
.
-
Constructor Details
-
KerberosKey
Constructs aKerberosKey
from the given bytes when the key type and key version number are known. This can be used when reading the secret key information from a Kerberos "keytab".- Parameters:
principal
- the principal that this secret key belongs tokeyBytes
- the key material for the secret keykeyType
- the key type for the secret key as defined by the Kerberos protocol specification.versionNum
- the version number of this secret key
-
KerberosKey
Constructs aKerberosKey
from a principal's password using the specified algorithm name. The algorithm name (case insensitive) should be provided as the encryption type string defined on the IANA Kerberos Encryption Type Numbers page. The version number of the key generated will be 0.- Parameters:
principal
- the principal that this password belongs topassword
- the password that should be used to compute the keyalgorithm
- the name for the algorithm that this key will be used for- Throws:
IllegalArgumentException
- if the name of the algorithm passed is unsupported.
-
-
Method Details
-
getPrincipal
Returns the principal that this key belongs to.- Returns:
- the principal this key belongs to.
- Throws:
IllegalStateException
- if the key is destroyed
-
getVersionNumber
public final int getVersionNumber()Returns the key version number.- Returns:
- the key version number.
- Throws:
IllegalStateException
- if the key is destroyed
-
getKeyType
public final int getKeyType()Returns the key type for this long-term key.- Returns:
- the key type.
- Throws:
IllegalStateException
- if the key is destroyed
-
getAlgorithm
Returns the standard algorithm name for this key. The algorithm names are the encryption type string defined on the IANA Kerberos Encryption Type Numbers page.This method can return the following value not defined on the IANA page:
- none: for etype equal to 0
- unknown: for etype greater than 0 but unsupported by the implementation
- private: for etype smaller than 0
- Specified by:
getAlgorithm
in interfaceKey
- Returns:
- the name of the algorithm associated with this key.
- Throws:
IllegalStateException
- if the key is destroyed
-
getFormat
Returns the name of the encoding format for this secret key.- Specified by:
getFormat
in interfaceKey
- Returns:
- the String "RAW"
- Throws:
IllegalStateException
- if the key is destroyed
-
getEncoded
public final byte[] getEncoded()Returns the key material of this secret key.- Specified by:
getEncoded
in interfaceKey
- Returns:
- the key material
- Throws:
IllegalStateException
- if the key is destroyed
-
destroy
Destroys this key by clearing out the key material of this secret key.- Specified by:
destroy
in interfaceDestroyable
- Throws:
DestroyFailedException
- if some error occurs while destroying this key.
-
isDestroyed
public boolean isDestroyed()Determines if this key has been destroyed.- Specified by:
isDestroyed
in interfaceDestroyable
- Returns:
- true if this
Object
has been destroyed, false otherwise.
-
toString
-
hashCode
-
equals
Compares the specified object with thisKerberosKey
for equality. Returns true if the given object is also aKerberosKey
and the twoKerberosKey
instances are equivalent. A destroyedKerberosKey
object is only equal to itself.
-