8279842: HTTPS Channel Binding support for Java GSS/Kerberos

src/java.base/share/classes/java/net/doc-files/net-properties.html

@@ -214,6 +214,19 @@ <H2>Misc HTTP URL stream protocol handler properties</H2>
 	      property is defined, then its value will be used as the domain
 	      name.</P>
 	</OL>
+	<LI><P><B>{@systemProperty jdk.https.negotiate.cbt}</B> (default: &lt;never&gt;)<BR>
+	This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos 
+        or the Negotiate authentication scheme using Kerberos are employed over HTTPS with 
+        {@code HttpURLConnection}. There are three possible settings:</P>
+        <OL>
+          <LI><P>"never". This is also the default value if the property is not set. In this case,
+              CBT's are never sent.</P>
+          <LI><P>"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.</P>
+          <LI><P>"domain:&lt;comma separated domain list&gt;" Each domain in the list specifies destination
+              host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com,
+              or wildcards like *.foo.com which matches all hosts under foo.com and its sub-domains.
+              CBTs are not sent to any destinations that don't match one of the list entries</P>
+	</OL>
 </UL>
 <P>All these properties are checked only once at startup.</P>
 <a id="AddressCache"></a>

src/java.base/share/classes/sun/net/www/http/HttpClient.java

@@ -144,7 +144,7 @@ private static int getDefaultPort(String proto) {
     // Traffic capture tool, if configured. See HttpCapture class for info
     private HttpCapture capture = null;
 
-    /* "jdk.spnego.cbt" property can be set to "always" (always sent), "never" (never sent) or
+    /* "jdk.https.negotiate.cbt" property can be set to "always" (always sent), "never" (never sent) or
      * "domain:a,c.d,*.e.f" (sent to host a, or c.d or to the domain e.f and any of its subdomains). This is
      * a comma separated list of arbitrary length with no white-space allowed.
      * If enabled (for a particular destination) then SPNEGO authentication requests will include
@@ -160,6 +160,11 @@ private static void logFinest(String msg) {
             logger.finest(msg);
         }
     }
+    private static void logError(String msg) {
+        if (logger.isLoggable(PlatformLogger.Level.SEVERE)) {
+            logger.severe(msg);
+        }
+    }
 
     protected volatile String authenticatorKey;
 
@@ -180,6 +185,7 @@ static String normalizeCBT(String s) {
                 s.equals("never") || s.startsWith("domain:"))) {
             return "never";
         } else {
+            logError("Unexpected value for \"jdk.https.negotiate.cbt\" system property");
             return s;
         }
     }
@@ -191,7 +197,7 @@ static String normalizeCBT(String s) {
         String cacheNTLM = props.getProperty("jdk.ntlm.cache");
         String cacheSPNEGO = props.getProperty("jdk.spnego.cache");
 
-        String s = props.getProperty("jdk.spnego.cbt");
+        String s = props.getProperty("jdk.https.negotiate.cbt");
         spnegoCBT = normalizeCBT(s);
 
         if (keepAlive != null) {

src/java.base/share/classes/sun/security/util/ChannelBindingException.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+/**
+ * Thrown by TlsChannelBinding if an error occurs
+ */
+public class ChannelBindingException extends Exception {
+
+    @java.io.Serial
+    private static final long serialVersionUID = -5021387249782788460L;
+
+    /**
+     * Constructs a ChannelBindingException with no detail message. A detail
+     * message is a String that describes this particular exception.
+     */
+    public ChannelBindingException() {
+        super();
+    }
+
+    /**
+     * Constructs a ChannelBindingException with a detail message and
+     * specified cause.
+     */
+    public ChannelBindingException(String msg, Exception e) {
+        super(msg, e);
+    }
+
+    /**
+     * Constructs a ChannelBindingException with a detail message
+     */
+    public ChannelBindingException(String msg) {
+        super(msg);
+    }
+}

src/java.naming/share/classes/com/sun/jndi/ldap/sasl/TlsChannelBinding.java → src/java.base/share/classes/sun/security/util/TlsChannelBinding.java

@@ -22,10 +22,9 @@
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
-package com.sun.jndi.ldap.sasl;
 
-import javax.naming.NamingException;
-import javax.security.sasl.SaslException;
+package sun.security.util;
+
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateEncodingException;
@@ -84,14 +83,14 @@ public String getName() {
      * @param  cbType
      * @return TLS Channel Binding type or null if
      *         "com.sun.jndi.ldap.tls.cbtype" property has not been set.
-     * @throws NamingException
+     * @throws ChannelBindingException
      */
-    public static TlsChannelBindingType parseType(String cbType) throws NamingException {
+    public static TlsChannelBindingType parseType(String cbType) throws ChannelBindingException {
         if (cbType != null) {
             if (cbType.equals(TlsChannelBindingType.TLS_SERVER_END_POINT.getName())) {
                 return TlsChannelBindingType.TLS_SERVER_END_POINT;
             } else {
-                throw new NamingException("Illegal value for " +
+                throw new ChannelBindingException("Illegal value for " +
                         CHANNEL_BINDING_TYPE + " property.");
             }
         }
@@ -104,9 +103,9 @@ public static TlsChannelBindingType parseType(String cbType) throws NamingExcept
     /**
      * Construct tls-server-end-point Channel Binding data
      * @param serverCertificate
-     * @throws SaslException
+     * @throws ChannelBindingException
      */
-    public static TlsChannelBinding create(X509Certificate serverCertificate) throws SaslException {
+    public static TlsChannelBinding create(X509Certificate serverCertificate) throws ChannelBindingException {
         try {
             final byte[] prefix =
                 TlsChannelBindingType.TLS_SERVER_END_POINT.getName().concat(":").getBytes();
@@ -127,7 +126,7 @@ public static TlsChannelBinding create(X509Certificate serverCertificate) throws
             System.arraycopy(hash, 0, cbData, prefix.length, hash.length);
             return new TlsChannelBinding(TlsChannelBindingType.TLS_SERVER_END_POINT, cbData);
         } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
-            throw new SaslException("Cannot create TLS channel binding data", e);
+            throw new ChannelBindingException("Cannot create TLS channel binding data", e);
         }
     }
 

src/java.naming/share/classes/com/sun/jndi/ldap/sasl/LdapSasl.java

@@ -42,7 +42,9 @@
 import com.sun.jndi.ldap.Connection;
 import com.sun.jndi.ldap.LdapClient;
 import com.sun.jndi.ldap.LdapResult;
-import com.sun.jndi.ldap.sasl.TlsChannelBinding.TlsChannelBindingType;
+import sun.security.util.ChannelBindingException;
+import sun.security.util.TlsChannelBinding;
+import sun.security.util.TlsChannelBinding.TlsChannelBindingType;
 
 /**
   * Handles SASL support.
@@ -123,15 +125,23 @@ public static LdapResult saslBind(LdapClient clnt, Connection conn,
         try {
             // Prepare TLS Channel Binding data
             if (conn.isTlsConnection()) {
-                TlsChannelBindingType cbType =
-                        TlsChannelBinding.parseType(
+                TlsChannelBindingType cbType;
+                try {
+                    cbType = TlsChannelBinding.parseType(
                                 (String)env.get(TlsChannelBinding.CHANNEL_BINDING_TYPE));
+                } catch (ChannelBindingException e) {
+                    throw new SaslException(e.getMessage());
+                }
                 if (cbType == TlsChannelBindingType.TLS_SERVER_END_POINT) {
                     // set tls-server-end-point channel binding
                     X509Certificate cert = conn.getTlsServerCertificate();
                     if (cert != null) {
-                        TlsChannelBinding tlsCB =
-                                TlsChannelBinding.create(cert);
+                        TlsChannelBinding tlsCB;
+                        try {
+                            tlsCB = TlsChannelBinding.create(cert);
+                        } catch (ChannelBindingException e) {
+                            throw new SaslException(e.getMessage());
+                        }
                         envProps = (Hashtable<String, Object>) env.clone();
                         envProps.put(TlsChannelBinding.CHANNEL_BINDING, tlsCB.getData());
                     } else {

src/java.naming/share/classes/module-info.java

@@ -127,9 +127,6 @@
         jdk.naming.dns,
         jdk.naming.rmi;
 
-    exports com.sun.jndi.ldap.sasl to
-        java.security.jgss;
-
     uses javax.naming.ldap.StartTlsResponse;
     uses javax.naming.spi.InitialContextFactory;
     uses javax.naming.ldap.spi.LdapDnsProvider;

src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java

@@ -27,7 +27,6 @@
 
 import java.io.IOException;
 import java.security.cert.Certificate;
-import javax.security.sasl.SaslException;
 
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSException;
@@ -43,7 +42,8 @@
 import sun.security.jgss.GSSUtil;
 import sun.security.jgss.HttpCaller;
 import sun.security.jgss.krb5.internal.TlsChannelBindingImpl;
-import com.sun.jndi.ldap.sasl.TlsChannelBinding;
+import sun.security.util.ChannelBindingException;
+import sun.security.util.TlsChannelBinding;
 
 /**
  * This class encapsulates all JAAS and JGSS API calls in a separate class
@@ -69,7 +69,7 @@ public class NegotiatorImpl extends Negotiator {
      * <li>Creating GSSContext
      * <li>A first call to initSecContext</ul>
      */
-    private void init(HttpCallerInfo hci) throws GSSException, SaslException {
+    private void init(HttpCallerInfo hci) throws GSSException, ChannelBindingException {
         final Oid oid;
 
         if (hci.scheme.equalsIgnoreCase("Kerberos")) {
@@ -122,7 +122,7 @@ private void init(HttpCallerInfo hci) throws GSSException, SaslException {
     public NegotiatorImpl(HttpCallerInfo hci) throws IOException {
         try {
             init(hci);
-        } catch (GSSException | SaslException  e) {
+        } catch (GSSException | ChannelBindingException  e) {
             if (DEBUG) {
                 System.out.println("Negotiate support not initiated, will " +
                         "fallback to other scheme if allowed. Reason:");