8349546: Linux support for Kerberos "nativeccache" functionality

make/autoconf/lib-krb5.m4

@@ -0,0 +1,187 @@
+#
+# Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+################################################################################
+# Setup krb5 (Kerberos 5)
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_KRB5],
+[
+  AC_ARG_WITH(krb5, [AS_HELP_STRING([--with-krb5],
+      [specify prefix directory for the krb5 package on Linux, or use "yes/no/auto" (default=auto)])])
+  AC_ARG_WITH(krb5-include, [AS_HELP_STRING([--with-krb5-include],
+      [specify directory for the krb5 include files on Linux])])
+  AC_ARG_WITH(krb5-lib, [AS_HELP_STRING([--with-krb5-lib],
+      [specify directory for the krb5 library on Linux])])
+
+  KRB5_CFLAGS=
+  KRB5_LIBS=
+  ENABLE_LIBKRB5_LINUX=false
+
+  if test "x$OPENJDK_TARGET_OS" != "xlinux" && test "x${with_krb5}" = "xyes"; then
+    AC_MSG_ERROR([krb5 support is only available on Linux])
+  elif test "x${with_krb5}" = "xno"; then
+    AC_MSG_CHECKING([for krb5])
+    AC_MSG_RESULT([disabled])
+  else
+    KRB5_FOUND=no
+
+    if test "x${with_krb5}" != "x" && test "x${with_krb5}" != "xyes" && test "x${with_krb5}" != "xauto"; then
+      # if a path was provided, use it
+      if test "x${with_krb5}" != "x"; then
+        AC_MSG_CHECKING([for krb5])
+        KRB5_LIBS="-L${with_krb5}/lib -lkrb5 -lcom_err"
+        KRB5_CFLAGS="-I${with_krb5}/include"
+        KRB5_FOUND=yes
+        AC_MSG_RESULT([${with_krb5}])
+      fi
+    fi
+
+    if test "x${with_krb5_include}" != "x"; then
+      AC_MSG_CHECKING([for krb5 includes])
+      KRB5_CFLAGS="-I${with_krb5_include}"
+      KRB5_FOUND=yes
+      AC_MSG_RESULT([${with_krb5_include}])
+    fi
+
+    if test "x${with_krb5_lib}" != "x"; then
+      AC_MSG_CHECKING([for krb5 libs])
+      KRB5_LIBS="-L${with_krb5_lib} -lkrb5 -lcom_err"
+      KRB5_FOUND=yes
+      AC_MSG_RESULT([${with_krb5_lib}])
+    fi
+
+    if test "x$KRB5_FOUND" = "xno"; then
+      if test "x$SYSROOT" != "x"; then
+        AC_MSG_CHECKING([for krb5 ($SYSROOT)])
+        # Cross-compilation with SYSROOT - look at known locations in SYSROOT.
+        KRB5_LIB_PATH=""
+        COM_ERR_LIB_PATH=""
+
+        # Look for libkrb5/libcom_err
+        if test -f "$SYSROOT/usr/lib64/libkrb5.so" && test "x$OPENJDK_TARGET_CPU_BITS" = x64; then
+          KRB5_LIB_PATH="$SYSROOT/usr/lib64"
+        elif test -f "$SYSROOT/usr/lib/libkrb5.so"; then
+          KRB5_LIB_PATH="$SYSROOT/usr/lib"
+        elif test -f "$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI/libkrb5.so"; then
+          KRB5_LIB_PATH="$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI"
+        elif test -f "$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU_AUTOCONF-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI/libkrb5.so"; then
+          KRB5_LIB_PATH="$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU_AUTOCONF-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI"
+        fi
+
+        if test -f "$KRB5_LIB_PATH/libcom_err.so"; then
+          COM_ERR_LIB_PATH="$KRB5_LIB_PATH"
+        elif test -f "$SYSROOT/usr/lib64/libcom_err.so" && test "x$OPENJDK_TARGET_CPU_BITS" = x64; then
+          COM_ERR_LIB_PATH="$SYSROOT/usr/lib64"
+        elif test -f "$SYSROOT/usr/lib/libcom_err.so"; then
+          COM_ERR_LIB_PATH="$SYSROOT/usr/lib"
+        elif test -f "$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI/libcom_err.so"; then
+          COM_ERR_LIB_PATH="$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI"
+        elif test -f "$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU_AUTOCONF-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI/libcom_err.so"; then
+          COM_ERR_LIB_PATH="$SYSROOT/usr/lib/$OPENJDK_TARGET_CPU_AUTOCONF-$OPENJDK_TARGET_OS-$OPENJDK_TARGET_ABI"
+        fi
+
+        # Check for matching include files
+        KRB5_INCLUDE_PATH=""
+        COM_ERR_INCLUDE_PATH=""
+
+        if test -f "$SYSROOT/usr/include/krb5/krb5.h"; then
+          KRB5_INCLUDE_PATH="$SYSROOT/usr/include"
+        fi
+
+        if test -f "$SYSROOT/usr/include/com_err.h"; then
+          COM_ERR_INCLUDE_PATH="$SYSROOT/usr/include"
+        fi
+
+        # Check everything was found and merge paths
+        if test "x$KRB5_LIB_PATH" != "x" && test "x$COM_ERR_LIB_PATH" != "x" && \
+             test "x$KRB5_INCLUDE_PATH" != "x" && test "x$COM_ERR_INCLUDE_PATH" != "x"; then
+          KRB5_LIBS="-L$KRB5_LIB_PATH -lkrb5"
+          if test "x$COM_ERR_LIB_PATH" != "x" && test "x$COM_ERR_LIB_PATH" != "x$KRB5_LIB_PATH"; then
+            KRB5_LIBS="$KRB5_LIBS -L$COM_ERR_LIB_PATH"
+          fi
+          KRB5_LIBS="$KRB5_LIBS -lcom_err"
+
+          KRB5_CFLAGS="-I$KRB5_INCLUDE_PATH"
+          if test "x$COM_ERR_INCLUDE_PATH" != "x" && test "x$COM_ERR_INCLUDE_PATH" != "x$KRB5_INCLUDE_PATH"; then
+            KRB5_CFLAGS="$KRB5_CFLAGS -I$COM_ERR_INCLUDE_PATH"
+          fi
+
+          KRB5_FOUND=yes
+        fi
+        AC_MSG_RESULT([$KRB5_FOUND])
+      else
+        if test "x$PKG_CONFIG" != "x" ; then
+          PKG_CHECK_MODULES(KRB5, krb5, [KRB5_FOUND=yes], [KRB5_FOUND=no])
+          if test "x$KRB5_FOUND" = "xyes" ; then
+            AC_MSG_CHECKING([for krb5])
+            AC_MSG_RESULT([yes (using pkg-config)])
+          fi
+        fi
+
+        if test "x$KRB5_FOUND" = "xno"; then
+          UTIL_LOOKUP_PROGS(KRB5CONF, krb5-config)
+          if test "x$KRB5CONF" != "x"; then
+            AC_MSG_CHECKING([for krb5 using krb5-config])
+            KRB5_CFLAGS="`$KRB5CONF --cflags`"
+            KRB5_LIBS="`$KRB5CONF --libs`"
+            KRB5_FOUND=yes
+            AC_MSG_RESULT([$KRB5_FOUND])
+          fi
+        fi
+      fi
+    fi
+
+    # No sysconfig/pkg-config/krb5-config, so auto-detect
+    if test "x$KRB5_FOUND" = "xno"; then
+      AC_CHECK_HEADERS([krb5.h], [
+        AC_CHECK_HEADERS([com_err.h], [
+          AC_CHECK_LIB([krb5], [krb5_init_context], [
+            KRB5_CFLAGS=""
+            KRB5_LIBS="-lkrb5"
+            AC_CHECK_LIB([com_err], [com_err], [
+              KRB5_LIBS="$KRB5_LIBS -lcom_err"
+            ])
+            KRB5_FOUND=yes
+          ])
+        ])
+      ])
+    fi
+
+    if test "x$KRB5_FOUND" = "xno"; then
+      if test "x${with_krb5}" = "xyes"; then
+        AC_MSG_ERROR([krb5 was required but could not be found])
+      fi
+      KRB5_CFLAGS=
+      KRB5_LIBS=
+      ENABLE_LIBKRB5_LINUX=false
+    else
+      ENABLE_LIBKRB5_LINUX=true
+    fi
+  fi
+
+  AC_SUBST(KRB5_CFLAGS)
+  AC_SUBST(KRB5_LIBS)
+  AC_SUBST(ENABLE_LIBKRB5_LINUX)
+])

make/autoconf/libraries.m4

@@ -31,6 +31,7 @@ m4_include([lib-ffi.m4])
 m4_include([lib-fontconfig.m4])
 m4_include([lib-freetype.m4])
 m4_include([lib-hsdis.m4])
+m4_include([lib-krb5.m4])
 m4_include([lib-std.m4])
 m4_include([lib-x11.m4])
 
@@ -117,6 +118,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
   LIB_SETUP_FONTCONFIG
   LIB_SETUP_FREETYPE
   LIB_SETUP_HSDIS
+  LIB_SETUP_KRB5
   LIB_SETUP_LIBFFI
   LIB_SETUP_MISC_LIBS
   LIB_SETUP_X11

make/autoconf/spec.gmk.template

@@ -435,6 +435,9 @@ FONTCONFIG_CFLAGS := @FONTCONFIG_CFLAGS@
 CUPS_CFLAGS := @CUPS_CFLAGS@
 ALSA_LIBS := @ALSA_LIBS@
 ALSA_CFLAGS := @ALSA_CFLAGS@
+KRB5_LIBS := @KRB5_LIBS@
+KRB5_CFLAGS := @KRB5_CFLAGS@
+ENABLE_LIBKRB5_LINUX := @ENABLE_LIBKRB5_LINUX@
 LIBFFI_LIBS := @LIBFFI_LIBS@
 LIBFFI_CFLAGS := @LIBFFI_CFLAGS@
 ENABLE_LIBFFI_BUNDLING := @ENABLE_LIBFFI_BUNDLING@

make/modules/java.security.jgss/Lib.gmk

@@ -86,6 +86,7 @@ ifneq ($(BUILD_CRYPTO), false)
         NAME := osxkrb5, \
         OPTIMIZATION := LOW, \
         EXTRA_HEADER_DIRS := java.base:libjava, \
+        EXTRA_SRC := $(TOPDIR)/src/java.security.jgss/share/native/libkrb5shared, \
         DISABLED_WARNINGS_clang_nativeccache.c := deprecated-declarations, \
         LIBS_macosx := \
             -framework Cocoa \
@@ -95,6 +96,23 @@ ifneq ($(BUILD_CRYPTO), false)
 
     TARGETS += $(BUILD_LIBOSXKRB5)
   endif
+
+  ifeq ($(call isTargetOs, linux), true)
+    ifeq ($(ENABLE_LIBKRB5_LINUX), true)
+      $(eval $(call SetupJdkLibrary, BUILD_LIBKRB5_LINUX, \
+          NAME := linuxkrb5, \
+          OPTIMIZATION := LOW, \
+          DISABLED_WARNINGS_clang_nativeccache.c := deprecated-declarations, \
+          EXTRA_HEADER_DIRS := java.base:libjava, \
+          EXTRA_SRC := $(TOPDIR)/src/java.security.jgss/share/native/libkrb5shared, \
+          CFLAGS_linux := $(KRB5_CFLAGS) $(COM_ERR_CFLAGS), \
+          LIBS_linux := $(KRB5_LIBS) $(COM_ERR_LIBS), \
+      ))
+
+      TARGETS += $(BUILD_LIBKRB5_LINUX)
+    endif
+  endif
+
 endif
 
 ################################################################################

make/test/JtregNativeJdk.gmk

@@ -110,6 +110,25 @@ ifeq ($(call isTargetOs, linux), true)
   BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libCreationTimeHelper := -ldl
 endif
 
+# Kerberos native test library configuration
+ifeq ($(call isTargetOs, linux), true)
+  # Linux: only build if krb5 is enabled and working
+  ifeq ($(ENABLE_LIBKRB5_LINUX), true)
+    BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libNativeCredentialCacheHelper := $(KRB5_LIBS)
+    BUILD_JDK_JTREG_LIBRARIES_CFLAGS_libNativeCredentialCacheHelper := $(KRB5_CFLAGS)
+  else
+    # Exclude the Kerberos test library if krb5 is not available on Linux
+    BUILD_JDK_JTREG_EXCLUDE += libNativeCredentialCacheHelper.c
+  endif
+else ifeq ($(call isTargetOs, macosx), true)
+  # macOS: build with system krb5 and disable deprecation warnings
+  BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libNativeCredentialCacheHelper := -lkrb5 -lcom_err
+  BUILD_JDK_JTREG_LIBRARIES_CFLAGS_libNativeCredentialCacheHelper := -Wno-deprecated-declarations
+else
+  # Other platforms: exclude the library
+  BUILD_JDK_JTREG_EXCLUDE += libNativeCredentialCacheHelper.c
+endif
+
 ifeq ($(ASAN_ENABLED), true)
   # Any executable which launches the JVM and uses a custom launcher needs to explicitly link in the
   # default ASan options.

src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java

@@ -326,9 +326,13 @@ public static Credentials acquireTGTFromCache(PrincipalName princ,
         throws KrbException, IOException {
 
         if (ticketCache == null) {
-            // The default ticket cache on Windows and Mac is not a file.
+            // On Windows/MacOSX/Linux, use native system library calls to acquire
+            // credentials from any supported credential cache types on those
+            // platforms (in particular, the default ticket cache on Windows and
+            // MacOSX is not a file, so cannot use the pure Java code)
             if (OperatingSystem.isWindows() ||
-                    OperatingSystem.isMacOS()) {
+                    OperatingSystem.isMacOS() ||
+                        OperatingSystem.isLinux()) {
                 Credentials creds = acquireDefaultCreds();
                 if (creds == null) {
                     if (DEBUG != null) {
@@ -411,7 +415,7 @@ public static Credentials acquireTGTFromCache(PrincipalName princ,
     // It assumes that the GSS call has
     // the privilege to access the default cache file.
 
-    // This method is only called on Windows and Mac OS X, the native
+    // This method is only called on Windows, MacOSX and Linux, the native
     // acquireDefaultNativeCreds is also available on these platforms.
     public static synchronized Credentials acquireDefaultCreds() {
         Credentials result = null;
@@ -528,6 +532,8 @@ public static void printDebug(Credentials c) {
     static void ensureLoaded() {
         if (OperatingSystem.isMacOS()) {
             System.loadLibrary("osxkrb5");
+        } else if (OperatingSystem.isLinux()) {
+            System.loadLibrary("linuxkrb5");
         } else {
             System.loadLibrary("w2k_lsa_auth");
         }

src/java.security.jgss/macosx/native/libosxkrb5/nativeccache.c → src/java.security.jgss/share/native/libkrb5shared/nativeccache.c

@@ -23,10 +23,24 @@
  * questions.
  */
 
-#import "sun_security_krb5_Credentials.h"
-#import <Kerberos/Kerberos.h>
-#import <string.h>
-#import <time.h>
+/*
+ * Unified Kerberos native credential cache implementation for MacOSX/Linux.
+ */
+
+#include "sun_security_krb5_Credentials.h"
+#include <string.h>
+#include <time.h>
+#include <stdarg.h>
+
+#ifdef MACOSX
+    // Mac OS X specific includes
+    #import <Kerberos/Kerberos.h>
+#elif defined(LINUX)
+    // Linux specific includes
+    #include <krb5/krb5.h>
+    #include <arpa/inet.h>
+    #include <com_err.h>
+#endif
 
 #include "jni_util.h"
 
@@ -72,7 +86,7 @@ static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_pri
 static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey);
 static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags);
 static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime);
-static jobject BuildAddressList(JNIEnv *env, krb5_address **kerbtime);
+static jobject BuildAddressList(JNIEnv *env, krb5_address **addresses);
 
 static void printiferr (errcode_t err, const char *format, ...);
 
@@ -446,9 +460,6 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
     return krbCreds;
 }
 
-
-#pragma mark -
-
 jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket)
 {
     // To build a Ticket, we need to make a byte array out of the EncodedTicket.
@@ -567,6 +578,10 @@ jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) {
         p++;
     }
 
+    if (addressCount == 0) {
+        return NULL;
+    }
+
     jobject address_list = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL);
 
     if (address_list == NULL) {
@@ -607,8 +622,6 @@ jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) {
     return address_list;
 }
 
-#pragma mark - Utility methods -
-
 static void printiferr (errcode_t err, const char *format, ...)
 {
     if (err) {