On Mon, 15 Sep 2025 15:49:11 GMT, Weijun Wang <[email protected]> wrote:

> For interoperability, AP-REQ decryption uses the key with the highest kvno in 
> the keytab if no exact match is found. If decryption fails, a normal 
> "checksum failed" error is reported, which may hide the real cause that the 
> wrong key is used. This code change throws a KRB_AP_ERR_BADKEYVER error in 
> this case.
> 
> The change is only made in AP-REQ decryption to minimize impact. A previous 
> test is enhanced to cover the case.

src/java.security.jgss/share/classes/sun/security/krb5/EncryptionKey.java line 578:

> 576:                     Integer kv = keys[i].getKeyVersionNumber();
> 577:                     etypeFound = true;
> 578:                     if (versionMatches(kvno, kv)) {

I believe there is no coverage for this block. Do you think expanding the test 
would be reasonable in this PR?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27298#discussion_r2353005366
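
The key selection and error reporting described in the quoted PR summary, with the three cases a test of that block would exercise, as an added Java sketch that is not code from the JDK or from this PR. `KeytabKey`, `Selection`, `select` and `errorOnDecryptFailure` are hypothetical names, the ticket is assumed to always carry a kvno, and the error codes are the RFC 4120 values.

```java
import java.util.List;

// Simplified model (Java 16+). KeytabKey, Selection, select and errorOnDecryptFailure
// are hypothetical names for illustration, not the JDK's EncryptionKey/KeyTab API.
public class KvnoSelectionDemo {
    // RFC 4120 error codes.
    static final int KRB_AP_ERR_BAD_INTEGRITY = 31; // integrity check on decrypted field failed
    static final int KRB_AP_ERR_BADKEYVER = 44;     // specified version of key is not available

    record KeytabKey(int etype, int kvno) {}
    record Selection(KeytabKey key, boolean exactKvno) {}

    // Prefer the key whose kvno equals the requested one; otherwise fall back to the
    // highest kvno of the same etype. Returns null when no key has that etype.
    static Selection select(List<KeytabKey> keys, int etype, int kvno) {
        KeytabKey highest = null;
        for (KeytabKey k : keys) {
            if (k.etype() != etype) continue;
            if (k.kvno() == kvno) return new Selection(k, true);
            if (highest == null || k.kvno() > highest.kvno()) highest = k;
        }
        return highest == null ? null : new Selection(highest, false);
    }

    // Error to report when decryption with the selected key fails: a failure with a
    // fallback key points at a kvno mismatch rather than a corrupted message.
    static int errorOnDecryptFailure(Selection s) {
        return s.exactKvno() ? KRB_AP_ERR_BAD_INTEGRITY : KRB_AP_ERR_BADKEYVER;
    }

    public static void main(String[] args) {
        // Constructed keytab contents: etype 18 = aes256-cts-hmac-sha1-96, 17 = aes128.
        List<KeytabKey> keytab = List.of(
            new KeytabKey(18, 2), new KeytabKey(18, 3), new KeytabKey(17, 3));

        Selection exact = select(keytab, 18, 2);     // ticket kvno present in keytab
        Selection fallback = select(keytab, 18, 5);  // keytab is stale: kvno 5 missing
        Selection none = select(keytab, 23, 3);      // no key of this etype at all

        System.out.println(exact + " -> " + errorOnDecryptFailure(exact));
        System.out.println(fallback + " -> " + errorOnDecryptFailure(fallback));
        System.out.println("etype 23 -> " + none);
    }
}
```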