Serializable
, Key
, SecretKey
, Destroyable
public class KerberosKey extends Object implements SecretKey
A KerberosKey
object includes an EncryptionKey, a KerberosPrincipal
as its owner, and the version number of the key.
An EncryptionKey is defined in Section 4.2.9 of the Kerberos Protocol Specification (RFC 4120) as:
EncryptionKey ::= SEQUENCE { keytype [0] Int32 -- actually encryption type --, keyvalue [1] OCTET STRING }The key material of a
KerberosKey
is defined as the value of the keyValue
above. All Kerberos JAAS login modules that obtain a principal's password and generate the secret key from it should use this class. Sometimes, such as when authenticating a server in the absence of user-to-user authentication, the login module will store an instance of this class in the private credential set of a Subject
during the commit phase of the authentication process.
A Kerberos service using a keytab to read secret keys should use the KeyTab
class, where latest keys can be read when needed.
It might be necessary for the application to be granted a PrivateCredentialPermission
if it needs to access the KerberosKey
instance from a Subject. This permission is not needed when the application depends on the default JGSS Kerberos mechanism to access the KerberosKey
. In that case, however, the application will need an appropriate ServicePermission
.
When creating a KerberosKey
using the KerberosKey(KerberosPrincipal, char[], String)
constructor, an implementation may accept non-IANA algorithm names (For example, "ArcFourMac" for "rc4-hmac"), but the getAlgorithm()
method must always return the IANA algorithm name.
KerberosKey(KerberosPrincipal, char[], String)
constructor in this implementation for compatibility reasons, which are "DES" (and null) for "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for "aes256-cts-hmac-sha1-96".Constructor | Description |
---|---|
KerberosKey |
Constructs a KerberosKey from the given bytes when the key type and key version number are known. |
KerberosKey |
Constructs a KerberosKey from a principal's password using the specified algorithm name. |
Modifier and Type | Method | Description |
---|---|---|
void |
destroy() |
Destroys this key by clearing out the key material of this secret key. |
boolean |
equals |
Compares the specified object with this KerberosKey for equality. |
final String |
getAlgorithm() |
Returns the standard algorithm name for this key. |
final byte[] |
getEncoded() |
Returns the key material of this secret key. |
final String |
getFormat() |
Returns the name of the encoding format for this secret key. |
final int |
getKeyType() |
Returns the key type for this long-term key. |
final KerberosPrincipal |
getPrincipal() |
Returns the principal that this key belongs to. |
final int |
getVersionNumber() |
Returns the key version number. |
int |
hashCode() |
Returns a hash code for this KerberosKey . |
boolean |
isDestroyed() |
Determines if this key has been destroyed. |
String |
toString() |
Returns an informative textual representation of this KerberosKey . |
public KerberosKey(KerberosPrincipal principal, byte[] keyBytes, int keyType, int versionNum)
KerberosKey
from the given bytes when the key type and key version number are known. This can be used when reading the secret key information from a Kerberos "keytab".principal
- the principal that this secret key belongs tokeyBytes
- the key material for the secret keykeyType
- the key type for the secret key as defined by the Kerberos protocol specification.versionNum
- the version number of this secret keypublic KerberosKey(KerberosPrincipal principal, char[] password, String algorithm)
KerberosKey
from a principal's password using the specified algorithm name. The algorithm name (case insensitive) should be provided as the encryption type string defined on the IANA Kerberos Encryption Type Numbers page. The version number of the key generated will be 0.principal
- the principal that this password belongs topassword
- the password that should be used to compute the keyalgorithm
- the name for the algorithm that this key will be used forIllegalArgumentException
- if the name of the algorithm passed is unsupported.public final KerberosPrincipal getPrincipal()
IllegalStateException
- if the key is destroyedpublic final int getVersionNumber()
IllegalStateException
- if the key is destroyedpublic final int getKeyType()
IllegalStateException
- if the key is destroyedpublic final String getAlgorithm()
This method can return the following value not defined on the IANA page:
getAlgorithm
in interface Key
IllegalStateException
- if the key is destroyedpublic final String getFormat()
getFormat
in interface Key
IllegalStateException
- if the key is destroyedpublic final byte[] getEncoded()
getEncoded
in interface Key
IllegalStateException
- if the key is destroyedpublic void destroy() throws DestroyFailedException
destroy
in interface Destroyable
DestroyFailedException
- if some error occurs while destroying this key.public boolean isDestroyed()
isDestroyed
in interface Destroyable
Object
has been destroyed, false otherwise.public String toString()
KerberosKey
.public int hashCode()
KerberosKey
.public boolean equals(Object other)
KerberosKey
for equality. Returns true if the given object is also a KerberosKey
and the two KerberosKey
instances are equivalent. A destroyed KerberosKey
object is only equal to itself.
© 1993, 2023, Oracle and/or its affiliates. All rights reserved.
Documentation extracted from Debian's OpenJDK Development Kit package.
Licensed under the GNU General Public License, version 2, with the Classpath Exception.
Various third party code in OpenJDK is licensed under different licenses (see Debian package).
Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
https://docs.oracle.com/en/java/javase/21/docs/api/java.security.jgss/javax/security/auth/kerberos/KerberosKey.html