Class KerberosKey

java.lang.Object
javax.security.auth.kerberos.KerberosKey
All Implemented Interfaces:
Serializable, Key, SecretKey, Destroyable

public class KerberosKey extends Object implements SecretKey
This class encapsulates a long term secret key for a Kerberos principal.

A KerberosKey object includes an EncryptionKey, a KerberosPrincipal as its owner, and the version number of the key.

An EncryptionKey is defined in Section 4.2.9 of the Kerberos Protocol Specification (RFC 4120) as:

     EncryptionKey   ::= SEQUENCE {
             keytype         [0] Int32 -- actually encryption type --,
             keyvalue        [1] OCTET STRING
     }
 
The key material of a KerberosKey is defined as the value of the keyvalue field above.

All Kerberos JAAS login modules that obtain a principal's password and generate the secret key from it should use this class. Sometimes, such as when authenticating a server in the absence of user-to-user authentication, the login module will store an instance of this class in the private credential set of a Subject during the commit phase of the authentication process.

A Kerberos service using a keytab to read secret keys should use the KeyTab class, where the latest keys can be read when needed.

It might be necessary for the application to be granted a PrivateCredentialPermission if it needs to access the KerberosKey instance from a Subject. This permission is not needed when the application depends on the default JGSS Kerberos mechanism to access the KerberosKey. In that case, however, the application will need an appropriate ServicePermission.

When creating a KerberosKey using the KerberosKey(KerberosPrincipal, char[], String) constructor, an implementation may accept non-IANA algorithm names (for example, "ArcFourMac" for "rc4-hmac"), but the getAlgorithm() method must always return the IANA algorithm name.

Implementation Note:
Old algorithm names used before JDK 9 are supported in the KerberosKey(KerberosPrincipal, char[], String) constructor in this implementation for compatibility reasons; these are "DES" (and null) for "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for "aes256-cts-hmac-sha1-96".
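An added example (not part of the JDK documentation) that exercises the behaviour described above: a key is derived from a password with the legacy "AES256" name, getAlgorithm() is shown to report the IANA name, the key is stored as a Subject private credential the way a login module does in its commit phase, and it is destroyed afterwards. The principal name and password are constructed sample values; the example assumes the JDK implementation described in the implementation note.

```java
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

public class KerberosKeyDemo {
    // Derive a long-term key from a password the way a JAAS login module would.
    // The principal carries an explicit realm so the string-to-key salt can be
    // computed without a default realm from krb5.conf.
    static KerberosKey deriveKey(String principalName, char[] password) {
        KerberosPrincipal principal = new KerberosPrincipal(principalName);
        // Legacy pre-JDK 9 name; this implementation maps it to aes256-cts-hmac-sha1-96.
        KerberosKey key = new KerberosKey(principal, password, "AES256");
        Arrays.fill(password, '\0'); // the password is no longer needed: wipe it
        return key;
    }

    public static void main(String[] args) throws DestroyFailedException {
        // Constructed sample values, not real credentials.
        KerberosKey key = deriveKey("HTTP/www.example.com@EXAMPLE.COM",
                                    "constructed-sample-password".toCharArray());

        // getAlgorithm() reports the IANA name even though "AES256" was passed in.
        System.out.println("algorithm = " + key.getAlgorithm());
        System.out.println("keytype   = " + key.getKeyType());       // the etype number
        System.out.println("kvno      = " + key.getVersionNumber()); // key version number
        System.out.println("format    = " + key.getFormat());
        System.out.println("key bytes = " + key.getEncoded().length);

        // Commit phase of a login module: store the key in the Subject's private credentials.
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(key);

        // Later retrieval by type; under a SecurityManager this needs PrivateCredentialPermission.
        Set<KerberosKey> stored = subject.getPrivateCredentials(KerberosKey.class);
        for (KerberosKey k : stored) {
            System.out.println("stored key for " + k.getPrincipal() + ", etype " + k.getKeyType());
        }

        // When the key is no longer needed, zeroize it; a destroyed key refuses to expose material.
        key.destroy();
        System.out.println("destroyed = " + key.isDestroyed());
        try {
            key.getEncoded();
        } catch (IllegalStateException expected) {
            System.out.println("getEncoded() after destroy(): IllegalStateException");
        }
    }
}
```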
Since:
1.4
See Also: