This class encapsulates a long term secret key for a Kerberos principal. A KerberosKey object includes an EncryptionKey, a KerberosPrincipal as its owner, and the version number of the key.
An EncryptionKey is defined in Section 4.2.9 of the Kerberos Protocol Specification (RFC 4120) as:

    EncryptionKey   ::= SEQUENCE {
            keytype         [0] Int32 -- actually encryption type --,
            keyvalue        [1] OCTET STRING
    }

The key material of a KerberosKey is defined as the value of the keyvalue field above.
All Kerberos JAAS login modules that obtain a principal's password and generate the secret key from it should use this class. Sometimes, such as when authenticating a server in the absence of user-to-user authentication, the login module will store an instance of this class in the private credential set of a Subject during the commit phase of the authentication process.
A Kerberos service using a keytab to read secret keys should use the KeyTab class instead, where the latest keys can be read when needed.
It might be necessary for the application to be granted a PrivateCredentialPermission if it needs to access the KerberosKey instance from a Subject. This permission is not needed when the application depends on the default JGSS Kerberos mechanism to access the KerberosKey. In that case, however, the application will need an appropriate ServicePermission.
When creating a KerberosKey using the KerberosKey(KerberosPrincipal, char[], String) constructor, an implementation may accept non-IANA algorithm names (for example, "ArcFourMac" for "rc4-hmac"), but the getAlgorithm method must always return the IANA algorithm name.
@implNote Old algorithm names used before JDK 9 are supported in the KerberosKey(KerberosPrincipal, char[], String) constructor in this implementation for compatibility reasons. These are "DES" (and null) for "des-cbc-md5", "DESede" for "des3-cbc-sha1-kd", "ArcFourHmac" for "rc4-hmac", "AES128" for "aes128-cts-hmac-sha1-96", and "AES256" for "aes256-cts-hmac-sha1-96".
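The following is an added example, not part of this Javadoc or the JDK sources, showing the password-based constructor with a pre-JDK 9 alias, the IANA name reported by getAlgorithm, and the commit-phase step of placing the key in a Subject's private credential set. The principal name and password are constructed sample values; the realm is given explicitly so no krb5.conf default realm is required.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import java.util.Arrays;
import java.util.Set;

public class KerberosKeyDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample principal and password (not real credentials).
        KerberosPrincipal principal =
                new KerberosPrincipal("service/host.example.com@EXAMPLE.COM");
        char[] password = "correct horse battery staple".toCharArray();

        // Derive the long-term key from the password. The old alias "AES256" is
        // accepted by this implementation, but getAlgorithm() reports the IANA name.
        KerberosKey key = new KerberosKey(principal, password, "AES256");

        // The KerberosKey holds the derived key, not the password: wipe the
        // password array as soon as the key exists.
        Arrays.fill(password, '\0');

        System.out.println("algorithm : " + key.getAlgorithm());   // aes256-cts-hmac-sha1-96
        System.out.println("etype     : " + key.getKeyType());     // 18 (IANA etype for aes256-cts-hmac-sha1-96)
        System.out.println("key bytes : " + key.getEncoded().length); // 32 for AES-256
        System.out.println("owner     : " + key.getPrincipal());

        // What a JAAS login module does in its commit phase: store the key in the
        // Subject's private credential set. Reading it back from the Subject later
        // requires a PrivateCredentialPermission unless the default JGSS Kerberos
        // mechanism does the access on the application's behalf.
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(key);

        Set<KerberosKey> keys = subject.getPrivateCredentials(KerberosKey.class);
        System.out.println("keys in Subject: " + keys.size());     // 1

        // Clear the key material when it is no longer needed; getEncoded()
        // throws IllegalStateException on a destroyed key.
        key.destroy();
        System.out.println("destroyed : " + key.isDestroyed());     // true
    }
}
```

Running the class prints the IANA algorithm name even though the alias "AES256" was passed to the constructor, which is the behaviour the @implNote above describes.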