8349546: Linux support for Kerberos "nativeccache" functionality

make/autoconf/lib-krb5.m4

@@ -0,0 +1,113 @@
+#
+# Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+################################################################################
+# Setup krb5 (Kerberos 5)
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_KRB5],
+[
+  AC_ARG_WITH(krb5, [AS_HELP_STRING([--with-krb5],
+      [enable krb5 support (default=yes), or "no" to disable])])
+
+  # Determine if krb5 should be disabled
+  KRB5_DISABLED=no
+  if test "x${with_krb5}" = xno; then
+    AC_MSG_NOTICE([krb5 explicitly disabled])
+    KRB5_DISABLED=yes
+  elif test "x$NEEDS_LIB_KRB5" = xfalse; then
+    if test "x${with_krb5}" != x && test "x${with_krb5}" != xno; then
+      AC_MSG_WARN([[krb5 not used, so --with-krb5 is ignored]])
+    fi
+    KRB5_DISABLED=yes
+  fi
+
+  if test "x$KRB5_DISABLED" = xyes; then
+    KRB5_CFLAGS=
+    KRB5_LIBS=
+    ENABLE_LIBLINUXKRB5=false
+  else
+    # First try pkg-config (most modern approach)
+    AC_PATH_TOOL([PKG_CONFIG], [pkg-config], [no])
+    use_pkgconfig_for_krb5=no
+
+    if test "x$PKG_CONFIG" != "xno"; then
+      AC_MSG_CHECKING([if pkg-config knows about krb5])
+      if $PKG_CONFIG --exists krb5; then
+        AC_MSG_RESULT([yes])
+        use_pkgconfig_for_krb5=yes
+      else
+        AC_MSG_RESULT([no])
+      fi
+    fi
+
+    if test "x$use_pkgconfig_for_krb5" = "xyes"; then
+      # Use pkg-config to get compiler and linker flags
+      AC_MSG_CHECKING([for krb5 cflags via pkg-config])
+      KRB5_CFLAGS="`$PKG_CONFIG --cflags krb5`"
+      AC_MSG_RESULT([$KRB5_CFLAGS])
+
+      AC_MSG_CHECKING([for krb5 libs via pkg-config])
+      KRB5_LIBS="`$PKG_CONFIG --libs krb5`"
+      AC_MSG_RESULT([$KRB5_LIBS])
+
+      ENABLE_LIBLINUXKRB5=true
+    else
+      # Fallback: try krb5-config
+      AC_PATH_TOOL([KRB5CONF], [krb5-config], [no])
+
+      if test "x$KRB5CONF" != "xno"; then
+        # Use krb5-config to get compiler and linker flags
+        AC_MSG_CHECKING([for krb5 cflags via krb5-config])
+        KRB5_CFLAGS="`$KRB5CONF --cflags`"
+        AC_MSG_RESULT([$KRB5_CFLAGS])
+
+        AC_MSG_CHECKING([for krb5 libs via krb5-config])
+        KRB5_LIBS="`$KRB5CONF --libs`"
+        AC_MSG_RESULT([$KRB5_LIBS])
+
+        ENABLE_LIBLINUXKRB5=true
+      else
+        # Final fallback: try manual detection in system locations
+        AC_CHECK_HEADERS([krb5.h], [
+          AC_CHECK_LIB([krb5], [krb5_init_context], [
+            KRB5_CFLAGS=""
+            KRB5_LIBS="-lkrb5"
+            # Check for com_err header and library which are often required
+            AC_CHECK_HEADERS([com_err.h], [
+              AC_CHECK_LIB([com_err], [com_err], [
+                KRB5_LIBS="$KRB5_LIBS -lcom_err"
+              ])
+            ])
+            ENABLE_LIBLINUXKRB5=true
+          ], [ENABLE_LIBLINUXKRB5=false])
+        ], [ENABLE_LIBLINUXKRB5=false])
+      fi
+    fi
+  fi
+
+  AC_SUBST(KRB5_CFLAGS)
+  AC_SUBST(KRB5_LIBS)
+  AC_SUBST(ENABLE_LIBLINUXKRB5)
+])

make/autoconf/libraries.m4

@@ -31,6 +31,7 @@ m4_include([lib-ffi.m4])
 m4_include([lib-fontconfig.m4])
 m4_include([lib-freetype.m4])
 m4_include([lib-hsdis.m4])
+m4_include([lib-krb5.m4])
 m4_include([lib-std.m4])
 m4_include([lib-x11.m4])
 
@@ -81,6 +82,13 @@ AC_DEFUN_ONCE([LIB_DETERMINE_DEPENDENCIES],
     NEEDS_LIB_ALSA=false
   fi
 
+  # Check if krb5 is needed
+  if test "x$OPENJDK_TARGET_OS" = xlinux -o "x$OPENJDK_TARGET_OS" = xmacosx; then
+    NEEDS_LIB_KRB5=true
+  else
+    NEEDS_LIB_KRB5=false
+  fi
+
   # Check if ffi is needed
   if HOTSPOT_CHECK_JVM_VARIANT(zero) || test "x$ENABLE_FALLBACK_LINKER" = "xtrue"; then
     NEEDS_LIB_FFI=true
@@ -117,6 +125,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
   LIB_SETUP_FONTCONFIG
   LIB_SETUP_FREETYPE
   LIB_SETUP_HSDIS
+  LIB_SETUP_KRB5
   LIB_SETUP_LIBFFI
   LIB_SETUP_MISC_LIBS
   LIB_SETUP_X11

make/autoconf/spec.gmk.template

@@ -435,6 +435,9 @@ FONTCONFIG_CFLAGS := @FONTCONFIG_CFLAGS@
 CUPS_CFLAGS := @CUPS_CFLAGS@
 ALSA_LIBS := @ALSA_LIBS@
 ALSA_CFLAGS := @ALSA_CFLAGS@
+KRB5_LIBS := @KRB5_LIBS@
+KRB5_CFLAGS := @KRB5_CFLAGS@
+ENABLE_LIBLINUXKRB5 := @ENABLE_LIBLINUXKRB5@
 LIBFFI_LIBS := @LIBFFI_LIBS@
 LIBFFI_CFLAGS := @LIBFFI_CFLAGS@
 ENABLE_LIBFFI_BUNDLING := @ENABLE_LIBFFI_BUNDLING@

make/modules/java.security.jgss/Lib.gmk

@@ -86,6 +86,7 @@ ifneq ($(BUILD_CRYPTO), false)
         NAME := osxkrb5, \
         OPTIMIZATION := LOW, \
         EXTRA_HEADER_DIRS := java.base:libjava, \
+        EXTRA_SRC := $(TOPDIR)/src/java.security.jgss/share/native/libkrb5shared, \
         DISABLED_WARNINGS_clang_nativeccache.c := deprecated-declarations, \
         LIBS_macosx := \
             -framework Cocoa \
@@ -95,6 +96,23 @@ ifneq ($(BUILD_CRYPTO), false)
 
     TARGETS += $(BUILD_LIBOSXKRB5)
   endif
+
+  ifeq ($(call isTargetOs, linux), true)
+    ifeq ($(ENABLE_LIBLINUXKRB5), true)
+      $(eval $(call SetupJdkLibrary, BUILD_LIBLINUXKRB5, \
+          NAME := linuxkrb5, \
+          OPTIMIZATION := LOW, \
+          DISABLED_WARNINGS_clang_nativeccache.c := deprecated-declarations, \
+          EXTRA_HEADER_DIRS := java.base:libjava, \
+          EXTRA_SRC := $(TOPDIR)/src/java.security.jgss/share/native/libkrb5shared, \
+          CFLAGS_linux := $(KRB5_CFLAGS) $(COM_ERR_CFLAGS), \
+          LIBS_linux := $(KRB5_LIBS) $(COM_ERR_LIBS), \
+      ))
+
+      TARGETS += $(BUILD_LIBLINUXKRB5)
+    endif
+  endif
+
 endif
 
 ################################################################################

make/test/JtregNativeJdk.gmk

@@ -110,6 +110,20 @@ ifeq ($(call isTargetOs, linux), true)
   BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libCreationTimeHelper := -ldl
 endif
 
+# Kerberos native test library - only build if krb5 is available
+ifeq ($(ENABLE_LIBLINUXKRB5), true)
+  BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libNativeCredentialCacheHelper := $(KRB5_LIBS)
+  BUILD_JDK_JTREG_LIBRARIES_CFLAGS_libNativeCredentialCacheHelper := $(KRB5_CFLAGS)
+
+  ifeq ($(call isTargetOs, macosx), true)
+    # On macOS, disable deprecation warnings for krb5 API
+    BUILD_JDK_JTREG_LIBRARIES_CFLAGS_libNativeCredentialCacheHelper += -Wno-deprecated-declarations
+  endif
+else
+  # Exclude the Kerberos test library if krb5 is not available
+  BUILD_JDK_JTREG_EXCLUDE += libNativeCredentialCacheHelper.c
+endif
+
 ifeq ($(ASAN_ENABLED), true)
   # Any executable which launches the JVM and uses a custom launcher needs to explicitly link in the
   # default ASan options.

src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java

@@ -326,9 +326,13 @@ public static Credentials acquireTGTFromCache(PrincipalName princ,
         throws KrbException, IOException {
 
         if (ticketCache == null) {
-            // The default ticket cache on Windows and Mac is not a file.
+            // On Windows/MacOSX/Linux, use native system library calls to acquire
+            // credentials from any supported credential cache types on those
+            // platforms (in particular, the default ticket cache on Windows and
+            // Mac is not a file, so cannot use the pure Java code)
             if (OperatingSystem.isWindows() ||
-                    OperatingSystem.isMacOS()) {
+                    OperatingSystem.isMacOS() ||
+                        OperatingSystem.isLinux()) {
                 Credentials creds = acquireDefaultCreds();
                 if (creds == null) {
                     if (DEBUG != null) {
@@ -411,7 +415,7 @@ public static Credentials acquireTGTFromCache(PrincipalName princ,
     // It assumes that the GSS call has
     // the privilege to access the default cache file.
 
-    // This method is only called on Windows and Mac OS X, the native
+    // This method is only called on Windows, Mac OS X and Linux, the native
     // acquireDefaultNativeCreds is also available on these platforms.
     public static synchronized Credentials acquireDefaultCreds() {
         Credentials result = null;
@@ -528,6 +532,8 @@ public static void printDebug(Credentials c) {
     static void ensureLoaded() {
         if (OperatingSystem.isMacOS()) {
             System.loadLibrary("osxkrb5");
+        } else if (OperatingSystem.isLinux()) {
+            System.loadLibrary("linuxkrb5");
         } else {
             System.loadLibrary("w2k_lsa_auth");
         }

src/java.security.jgss/macosx/native/libosxkrb5/nativeccache.c → src/java.security.jgss/share/native/libkrb5shared/nativeccache.c

@@ -23,10 +23,28 @@
  * questions.
  */
 
-#import "sun_security_krb5_Credentials.h"
-#import <Kerberos/Kerberos.h>
-#import <string.h>
-#import <time.h>
+/*
+ * Unified Kerberos native credential cache implementation for Mac OS X and Linux.
+ * This implementation consolidates the previously separate platform-specific
+ * implementations while maintaining platform-specific library names.
+ *
+ * Platform-specific differences are handled via conditional compilation.
+ */
+
+#include "sun_security_krb5_Credentials.h"
+#include <string.h>
+#include <time.h>
+#include <stdarg.h>
+
+#ifdef MACOSX
+    // Mac OS X specific includes
+    #import <Kerberos/Kerberos.h>
+#elif defined(LINUX)
+    // Linux specific includes
+    #include <krb5/krb5.h>
+    #include <arpa/inet.h>
+    #include <com_err.h>
+#endif
 
 #include "jni_util.h"
 
@@ -72,7 +90,7 @@ static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_pri
 static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey);
 static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags);
 static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime);
-static jobject BuildAddressList(JNIEnv *env, krb5_address **kerbtime);
+static jobject BuildAddressList(JNIEnv *env, krb5_address **addresses);
 
 static void printiferr (errcode_t err, const char *format, ...);
 
@@ -446,9 +464,6 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
     return krbCreds;
 }
 
-
-#pragma mark -
-
 jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket)
 {
     // To build a Ticket, we need to make a byte array out of the EncodedTicket.
@@ -567,6 +582,10 @@ jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) {
         p++;
     }
 
+    if (addressCount == 0) {
+        return NULL;
+    }
+
     jobject address_list = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL);
 
     if (address_list == NULL) {
@@ -607,8 +626,6 @@ jobject BuildAddressList(JNIEnv *env, krb5_address **addresses) {
     return address_list;
 }
 
-#pragma mark - Utility methods -
-
 static void printiferr (errcode_t err, const char *format, ...)
 {
     if (err) {