This class encapsulates a long-term secret key for a Kerberos principal.
A KerberosKey object includes an EncryptionKey, a
KerberosPrincipal as its owner, and the version number
of the key.
An EncryptionKey is defined in Section 5.2.9 of the Kerberos Protocol Specification (RFC 4120) as:
EncryptionKey ::= SEQUENCE {
keytype [0] Int32 -- actually encryption type --,
keyvalue [1] OCTET STRING
}
The key material of a KerberosKey is the value of the keyvalue field above,
and its key type is the keytype (encryption type) field.
All Kerberos JAAS login modules that obtain a principal's password and
generate the secret key from it should use this class.
Sometimes, such as when authenticating a server in
the absence of user-to-user authentication, the login module will store
an instance of this class in the private credential set of a
Subject during the commit phase of the
authentication process.
A Kerberos service that reads its secret keys from a keytab should use
the KeyTab class instead, from which the latest keys can be read when needed.
It might be necessary for the application to be granted a
PrivateCredentialPermission if it needs to access the KerberosKey
instance from a Subject. This permission is not needed when the
application depends on the default JGSS Kerberos mechanism to access the
KerberosKey. In that case, however, the application will need an
appropriate ServicePermission.
When creating a KerberosKey using the
KerberosKey(KerberosPrincipal, char[], String) constructor,
an implementation may accept non-IANA algorithm names (For example,
"ArcFourMac" for "rc4-hmac"), but the getAlgorithm method
must always return the IANA algorithm name.
@implNote For compatibility, this implementation also accepts the algorithm
names used before JDK 9 in the KerberosKey(KerberosPrincipal, char[], String)
constructor: "DES" (and null) for "des-cbc-md5", "DESede" for
"des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", "AES128" for
"aes128-cts-hmac-sha1-96", and "AES256" for "aes256-cts-hmac-sha1-96".
Accepting a legacy name is a naming convenience only; des-cbc-md5,
des3-cbc-sha1-kd and rc4-hmac are deprecated encryption types (RFC 6649,
RFC 8429) and should not be used for new keys.
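The following is an added example, not part of the JDK documentation or its
source, showing the constructor and naming behaviour described above together
with the Subject private-credential pattern a login module would follow. The
principal name, password and raw key bytes are constructed for illustration;
the principal carries an explicit realm so no krb5.conf default realm is
required, and nothing here contacts a KDC.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

public class KerberosKeyExample {

    public static void main(String[] args) throws Exception {
        // Constructed sample principal; the explicit realm avoids a krb5.conf lookup.
        KerberosPrincipal service =
            new KerberosPrincipal("host/www.example.com@EXAMPLE.COM");

        // Constructed sample password; a login module would obtain it via a CallbackHandler.
        char[] password = "correct horse battery staple".toCharArray();
        char[] passwordCopy = password.clone();

        KerberosKey key;
        KerberosKey legacyName;
        try {
            // IANA algorithm name: the documented form.
            key = new KerberosKey(service, password, "aes256-cts-hmac-sha1-96");
            // Pre-JDK 9 alias accepted by this implementation for compatibility.
            legacyName = new KerberosKey(service, passwordCopy, "AES256");
        } finally {
            // The KerberosKey objects now hold the derived material; wipe the password.
            Arrays.fill(password, '\0');
            Arrays.fill(passwordCopy, '\0');
        }

        // getAlgorithm() must report the IANA name regardless of how the key was named
        // at construction; both keys are derived from the same password and salt.
        System.out.println("algorithm (IANA name):   " + key.getAlgorithm());
        System.out.println("algorithm (legacy name): " + legacyName.getAlgorithm());
        System.out.println("key type:                " + key.getKeyType());
        System.out.println("same key material:       "
            + MessageDigest.isEqual(key.getEncoded(), legacyName.getEncoded()));

        // A key taken from a keytab entry carries an explicit encryption type and kvno.
        // The bytes here are just the password-derived key re-wrapped with kvno 3 for
        // illustration; a real keytab entry would supply its own bytes.
        KerberosKey fromRawBytes =
            new KerberosKey(service, key.getEncoded(), key.getKeyType(), 3);
        System.out.println("kvno of raw-bytes key:   " + fromRawBytes.getVersionNumber());

        // Commit phase of a login module: place the key in the Subject's private credentials.
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(key);

        // Later retrieval by the application. Under a SecurityManager this call needs a
        // PrivateCredentialPermission for javax.security.auth.kerberos.KerberosKey
        // owned by the principal; the JGSS Kerberos mechanism does this on the
        // application's behalf and instead requires a ServicePermission.
        Set<KerberosKey> keys = subject.getPrivateCredentials(KerberosKey.class);
        for (KerberosKey k : keys) {
            System.out.println("credential for " + k.getPrincipal()
                + " kvno=" + k.getVersionNumber()
                + " etype=" + k.getKeyType());
        }

        // Clean up: destroy() zeroes the key material. Afterwards getEncoded()
        // throws IllegalStateException, so check isDestroyed() before using a key
        // that may have been shared.
        key.destroy();
        legacyName.destroy();
        fromRawBytes.destroy();
        System.out.println("destroyed: " + key.isDestroyed());
    }
}
```

The two password-derived keys compare equal with MessageDigest.isEqual because
the string-to-key function uses the principal name as salt, so the choice of
algorithm name only affects parsing, not the derived bytes. Clearing the
password array in a finally block and calling destroy() when the key is no
longer needed limits how long the long-term secret stays in heap memory.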