Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
Sun JDK 7 + Active Directory
Description
Calling org.apache.directory.kerberos.client.KdcConnection.changePassword() will result in an NPE if a reply is received from the ActiveDirectory server, regardless of password change success or failure.
StackTrace:
org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException: Request failed due to a hard error in processing the request.
at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:619)
at com.test.PasswordChangeUtil.main(KPasswordChange.java:52)
Caused by: java.lang.NullPointerException
at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:118)
at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:605)
... 1 more
Fix:
The Change Password spec (http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-02) says:
"This KRB-PRIV message [OF THE REPLY] must be generated using the subkey in the Authenticator in the AP-REQ data."
Therefore line 605 of KdcConnection is using the incorrect key.
byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
Patch:
-byte[] data = cipherTextHandler.decrypt( encApRepPart.getSubkey(), replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY );
+byte[] data = cipherTextHandler.decrypt( subKey, replyPriv.getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY )
This leaves a few unused variables that can be cleaned up as well.
