draft-ietf-cat-gssv2-javabind-00.txt / draft-ietf-cat-gssv2-javabind-01.txt

Internet-Draft                                          Jack Kabat
IETF Common Authentication Technology WG                Sun Microsystems
Document: <draft-ietf-cat-gssv2-javabind-00.txt>        August 1998

Internet-Draft                                          Jack Kabat
IETF CAT Working Group                                  ValiCert, Inc.
Document: <draft-ietf-cat-gssv2-javabind-01.txt>        Mayank Upadhyay
                                                        Sun Microsystems, Inc.
Generic Security Service API Version 2 : Java bindings
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Comments on this draft should be sent to "cat-ietf@mit.edu", the IETF
Common Authentication Technology WG discussion list.
Abstract

The Generic Security Services Application Program Interface (GSS-API)
offers application programmers uniform access to security services
atop a variety of underlying cryptographic mechanisms. This document
specifies the Java bindings for GSS-API which is described at a
language independent conceptual level in RFC 2078 [GSSAPIv2].

The GSS-API allows a caller application to authenticate a principal
identity, to delegate rights to a peer, and to apply security
services such as confidentiality and integrity on a per-message
basis. Examples of security mechanisms defined for GSS-API are The
Simple Public-Key GSS-API Mechanism [SPKM] and The Kerberos Version 5
GSS-API Mechanism [KERBV5].
GSS-API Java Bindings August 1998
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6
2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 6
3. GSS-API Classes . . . . . . . . . . . . . . . . . . . . . . 8
3.1. GSSCredential class . . . . . . . . . . . . . . . . . . . 8
3.2. GSSContext class . . . . . . . . . . . . . . . . . . . . . 9
3.3. GSSName class . . . . . . . . . . . . . . . . . . . . . 10
3.4. GSSManager class . . . . . . . . . . . . . . . . . . . . 11
3.5. GSSException class . . . . . . . . . . . . . . . . . . . 11

skipping to change at page 3, line 4

5.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 30
6. Detailed GSS-API Class Description . . . . . . . . . . . . 30
6.1. public class GSSName . . . . . . . . . . . . . . . . . . 30
6.1.1. Example Code . . . . . . . . . . . . . . . . . . . . . 30
6.1.2. Class Constants . . . . . . . . . . . . . . . . . . . 31
6.1.3. Constructors . . . . . . . . . . . . . . . . . . . . . 32
6.1.4. equals . . . . . . . . . . . . . . . . . . . . . . . . 34
6.1.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 34
6.1.6. canonicalize . . . . . . . . . . . . . . . . . . . . . 34
6.1.7. export . . . . . . . . . . . . . . . . . . . . . . . . 35
6.1.8. toString . . . . . . . . . . . . . . . . . . . . . . . 35
6.1.9. getStringNameType . . . . . . . . . . . . . . . . . . 35
6.1.10. clone . . . . . . . . . . . . . . . . . . . . . . . . 35
6.1.11. isAnonymous . . . . . . . . . . . . . . . . . . . . . 35
6.2. public class GSSCredential . . . . . . . . . . . . . . . 35
6.2.1. Example Code . . . . . . . . . . . . . . . . . . . . . 36
6.2.2. Class Constants . . . . . . . . . . . . . . . . . . . 37
6.2.3. Constructors . . . . . . . . . . . . . . . . . . . . . 37
6.2.4. dispose . . . . . . . . . . . . . . . . . . . . . . . 39
6.2.5. getGSSName . . . . . . . . . . . . . . . . . . . . . . 39

skipping to change at page 4, line 4

6.3.15. getMIC . . . . . . . . . . . . . . . . . . . . . . . 56
6.3.16. getMIC . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.17. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 57
6.3.18. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 58
6.3.19. export . . . . . . . . . . . . . . . . . . . . . . . 59
6.3.20. requestMutualAuth . . . . . . . . . . . . . . . . . . 60
6.3.21. requestReplayDet . . . . . . . . . . . . . . . . . . 60
6.3.22. requestSequenceDet . . . . . . . . . . . . . . . . . 60
6.3.23. requestCredDeleg . . . . . . . . . . . . . . . . . . 60
6.3.24. requestAnonymity . . . . . . . . . . . . . . . . . . 61
6.3.25. requestConf . . . . . . . . . . . . . . . . . . . . . 61
6.3.26. requestInteg . . . . . . . . . . . . . . . . . . . . 61
6.3.27. requestLifetime . . . . . . . . . . . . . . . . . . . 62
6.3.28. setChannelBinding . . . . . . . . . . . . . . . . . . 62
6.3.29. getCredDelegState . . . . . . . . . . . . . . . . . . 62
6.3.30. getMutualAuthState . . . . . . . . . . . . . . . . . 62
6.3.31. getReplayDetState . . . . . . . . . . . . . . . . . . 63
6.3.32. getSequenceDetState . . . . . . . . . . . . . . . . . 63
6.3.33. getAnonymityState . . . . . . . . . . . . . . . . . . 63
6.3.34. isTransferable . . . . . . . . . . . . . . . . . . . 63

skipping to change at page 5, line 4

6.6.4. getApplicationData . . . . . . . . . . . . . . . . . . 70
6.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 70
6.7. public class Oid . . . . . . . . . . . . . . . . . . . . 70
6.7.1. Constructors . . . . . . . . . . . . . . . . . . . . . 71
6.7.2. toString . . . . . . . . . . . . . . . . . . . . . . . 71
6.7.3. toRFC2078String . . . . . . . . . . . . . . . . . . . 72
6.7.4. equals . . . . . . . . . . . . . . . . . . . . . . . . 72
6.7.5. getDER . . . . . . . . . . . . . . . . . . . . . . . . 72
6.7.6. containedIn . . . . . . . . . . . . . . . . . . . . . 72
6.8. public class GSSException extends Exception . . . . . . 72
6.8.1. Class Constants . . . . . . . . . . . . . . . . . . . 73
6.8.2. Constructors . . . . . . . . . . . . . . . . . . . . . 75
6.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . . 76
6.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . . 76
6.8.5. getMajorString . . . . . . . . . . . . . . . . . . . . 76
6.8.6. getMinorString . . . . . . . . . . . . . . . . . . . . 77
6.8.7. setMinor . . . . . . . . . . . . . . . . . . . . . . . 77
6.8.8. toString . . . . . . . . . . . . . . . . . . . . . . . 77
6.8.9. getMessage . . . . . . . . . . . . . . . . . . . . . . 77
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 77
8. Bibliography . . . . . . . . . . . . . . . . . . . . . . . 79
9. Author's Address . . . . . . . . . . . . . . . . . . . . . 80
1. Introduction

This document specifies Java language bindings for the Generic
Security Services Application Programming Interface (GSS-API) Version
2. GSS-API Version 2 is described in a language independent format in
RFC 2078 [GSSAPIv2]. The GSS-API allows a caller application to
authenticate a principal identity, to delegate rights to a peer, and
to apply security services such as confidentiality and integrity on a
per-message basis.

skipping to change at page 7, line 4

may prove its identity to other processes. The
application's credentials vouch for its global identity,
which may or may not be related to any local username under
which it may be running.

2) A pair of communicating applications establish a joint
security context using their credentials. The security
context encapsulates shared state information, which is
required in order that per-message security services may be
provided. Examples of state information that might be
shared between applications as part of a security context
are cryptographic keys, and message sequence numbers. As
part of the establishment of a security context, the
context initiator is authenticated to the responder, and
may require that the responder is authenticated back to the
initiator. The initiator may optionally give the responder
the right to initiate further security contexts, acting as
an agent or delegate of the initiator. This transfer of
rights is termed "delegation", and is achieved by creating
a set of credentials, similar to those used by the

skipping to change at page 8, line 4

receiver will pass the received token (and, in the case of
data protected by getMIC, the accompanying message-data) to
the corresponding decoding method of the GSSContext class
(verifyMIC or unwrap) to remove the protection and validate
the data.

4) At the completion of a communications session (which may
extend across several transport connections), each
application uses a GSSContext method to invalidate the
security context and release any system or cryptographic
resources held. Multiple contexts may also be used (either
successively or simultaneously) within a single
communications association, at the discretion of the
applications.

3. GSS-API Classes

This section presents a brief description of the classes comprising
the GSS-API class library and the corresponding RFC 2078
functionality implemented by each of them. Detailed description of

skipping to change at page 9, line 5

gss_inquire_cred           Obtain information about       6.2.5-6.2.12
                           credential.

gss_inquire_cred_by_mech   Obtain per-mechanism           6.2.5-6.2.12
                           information about
                           a credential.

gss_release_cred           Disposes of credentials        6.2.4
                           after use.
3.2. GSSContext class

This class encapsulates the functionality of context-level calls
required for security context establishment and management between
peers as well as the per-message services offered to applications. A
context is established between a pair of peers and allows the usage
of security services on a per-message basis on application data. It
is created over a single security mechanism. The GSSContext class
implements the functionality of the following GSS-API routines:

skipping to change at page 10, line 5

                           Message Integrity Code (MIC)   6.3.16
                           for a message.

gss_verify_mic             Verify integrity on a received 6.3.17,
                           message.                       6.3.18

gss_wrap                   Attach a MIC to a message and  6.3.11,
                           optionally encrypt the message 6.3.12
                           content.
gss_unwrap                 Obtain a previously wrapped    6.3.13,
                           application message verifying  6.3.14
                           its integrity and optionally
                           decrypting it.

The functionality offered by the gss_process_context_token routine
has not been included in the Java bindings specification. The
corresponding functionality of gss_delete_sec_context has also been
modified to not return any peer tokens. This has been proposed in
accordance with the recommendations stated in the RFC 2078 update

skipping to change at page 11, line 5

gss_canonicalize_name      Convert an internal name to a  6.1.3, 6.1.6
                           mechanism name.

gss_export_name            Convert a Mechanism name to    6.1.7
                           export format.

gss_duplicate_name         Create a copy of the internal  6.1.10
                           name.
3.4. GSSManager class

The responsibility of the GSSManager class is to provide
functionality common to the entire GSS-API class library. This
includes queries about the mechanisms supported and the default
mechanism value. GSSManager implements the following RFC 2078
routines:

RFC 2078 Routine           Function                       Section

skipping to change at page 12, line 5

codes.

3.6. Oid class

This utility class is used to represent Universal Object Identifiers
and their associated operations. GSS-API uses object identifiers to
distinguish between security mechanisms and name types. This class,
aside from being used whenever an object identifier is needed,
implements the following GSS-API functionality:
RFC 2078 Routine           Function                       Section

gss_test_oid_set_member    Determine if the specified oid 6.7.6
                           is part of a set of oids.

3.7. MessageProp class

This helper class is used in the per-message operations of the
GSSContext class to convey the requested and applied per-message
options. An instance of this class is used to specify the desired QOP

skipping to change at page 13, line 5

4.1. Integer types

All numeric values are declared as the "int" primitive Java type. The
Java specification guarantees that this will be a 32 bit two's
complement signed number.

Throughout this API, the "boolean" primitive Java type is used
wherever a boolean value is required or returned.
4.2. Opaque Data types

Java byte arrays are used to represent opaque data types which are
consumed and produced by the GSS-API in the forms of tokens. Java
arrays contain a length field which enables the users to easily
determine their size. The language has automatic garbage collection
which alleviates the need for developers to release memory and
simplifies buffer ownership issues.

4.3. Strings

skipping to change at page 14, line 4

The Java bindings represent object identifier sets as arrays of Oid
objects. All Java arrays contain a length field which allows for easy
manipulation and reference.

In order to support the full functionality of RFC 2078, the Oid class
includes a method which checks for existence of an Oid object within
a specified array. This is equivalent in functionality to
gss_test_oid_set_member. The use of Java arrays and Java's automatic
garbage collection has eliminated the need for the following
routines: gss_create_empty_oid_set, gss_release_oid_set, and
gss_add_oid_set_member. Java GSS-API implementations will not contain
them. Java's automatic garbage collection and the immutable property
of the Oid object eliminate the complicated memory management issues
of the C counterpart.

Whenever a default value for an Object Identifier Set is required, a
"null" value can be used. Please consult the detailed method
description for details.
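The following is an added, stand-alone model of the Oid operations the draft lists (toString, toRFC2078String, getDER, equals, and containedIn as the replacement for gss_test_oid_set_member); it is example code, not the draft's or any GSS-API implementation's. The class name OidExample, accepting both the dotted-decimal and the RFC 2078 "{ 1 2 ... }" spellings, and treating a null set as empty are this example's own choices; the sample value is the Kerberos V5 GSS-API mechanism OID from RFC 1964.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;

/**
 * Example model of the draft's Oid class (not the draft's own code). An Oid is
 * immutable, parses dotted-decimal or RFC 2078 "{ 1 2 ... }" text, renders both
 * forms, DER-encodes itself and can be tested for membership in an Oid[].
 */
public final class OidExample {

    public static final class Oid {
        private final long[] arcs;

        /** Accepts "1.2.840.113554.1.2.2" as well as "{ 1 2 840 113554 1 2 2 }". */
        public Oid(String s) {
            String body = s.trim();
            if (body.startsWith("{") && body.endsWith("}")) {
                body = body.substring(1, body.length() - 1).trim();
            }
            String[] parts = body.split(body.indexOf('.') >= 0 ? "\\." : "\\s+");
            if (parts.length < 2) {
                throw new IllegalArgumentException("an OID needs at least two arcs: " + s);
            }
            arcs = new long[parts.length];
            for (int i = 0; i < parts.length; i++) {
                arcs[i] = Long.parseLong(parts[i]); // non-numeric arcs are rejected here
                if (arcs[i] < 0) throw new IllegalArgumentException("negative arc in " + s);
            }
            // X.690: the first arc is 0, 1 or 2; under arcs 0 and 1 the second arc is below 40.
            if (arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) {
                throw new IllegalArgumentException("invalid leading arcs in " + s);
            }
        }

        /** Dotted-decimal form, e.g. 1.2.840.113554.1.2.2. */
        @Override public String toString() {
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < arcs.length; i++) {
                if (i > 0) sb.append('.');
                sb.append(arcs[i]);
            }
            return sb.toString();
        }

        /** RFC 2078 form, e.g. { 1 2 840 113554 1 2 2 }. */
        public String toRFC2078String() {
            StringBuilder sb = new StringBuilder("{");
            for (long a : arcs) sb.append(' ').append(a);
            return sb.append(" }").toString();
        }

        /** Full DER encoding: tag 0x06, length, then base-128 subidentifiers. */
        public byte[] getDER() {
            ByteArrayOutputStream content = new ByteArrayOutputStream();
            writeBase128(content, arcs[0] * 40 + arcs[1]); // first two arcs share one subidentifier
            for (int i = 2; i < arcs.length; i++) writeBase128(content, arcs[i]);
            byte[] body = content.toByteArray();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            out.write(0x06);
            writeLength(out, body.length);
            out.write(body, 0, body.length);
            return out.toByteArray();
        }

        /** Equality is by arc values, so both input spellings compare equal. */
        @Override public boolean equals(Object o) {
            return o instanceof Oid && Arrays.equals(arcs, ((Oid) o).arcs);
        }

        @Override public int hashCode() { return Arrays.hashCode(arcs); }

        /** gss_test_oid_set_member; a null set (the draft's default value) contains nothing. */
        public boolean containedIn(Oid[] set) {
            if (set == null) return false;
            for (Oid member : set) if (equals(member)) return true;
            return false;
        }

        /** 7 bits per byte, most significant group first, continuation bit on all but the last. */
        private static void writeBase128(ByteArrayOutputStream out, long value) {
            int groups = 1;
            for (long v = value >>> 7; v != 0; v >>>= 7) groups++;
            for (int g = groups - 1; g >= 0; g--) {
                int b = (int) ((value >>> (7 * g)) & 0x7F);
                out.write(g == 0 ? b : (b | 0x80));
            }
        }

        /** DER length: short form below 128, otherwise 0x80|n followed by n big-endian bytes. */
        private static void writeLength(ByteArrayOutputStream out, int len) {
            if (len < 0x80) { out.write(len); return; }
            int n = (len >>> 24) != 0 ? 4 : (len >>> 16) != 0 ? 3 : (len >>> 8) != 0 ? 2 : 1;
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the Kerberos V5 GSS-API mechanism OID (RFC 1964) in both spellings.
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        Oid[] supportedMechs = { new Oid("{ 1 2 840 113554 1 2 2 }") };
        StringBuilder hex = new StringBuilder();
        for (byte b : krb5.getDER()) hex.append(String.format("%02x", b));
        System.out.println(krb5.toRFC2078String() + " DER=" + hex
                + " member=" + krb5.containedIn(supportedMechs));
    }
}
```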
skipping to change at page 15, line 5

The constructors for the GSSContext object allow the value of "null"
to be specified as their GSSCredential input parameter. This will
indicate a desire by the application to act as a default principal.
While individual GSS-API implementations are free to determine such
default behavior as appropriate to the mechanism, the following
default behavior by these routines is recommended for portability:

For the initiator side of the context:
1) If there is only a single principal capable of initiating
security contexts for the chosen mechanism that the
application is authorized to act on behalf of, then that
principal shall be used, otherwise

2) If the platform maintains a concept of a default network-identity
for the chosen mechanism, and if the application
is authorized to act on behalf of that identity for the
purpose of initiating security contexts, then the principal
corresponding to that identity shall be used, otherwise

skipping to change at page 16, line 4

3) If the mechanism supports context acceptance by any
principal, and if mutual authentication was not requested,
any principal that the application is authorized to accept
security contexts under using the chosen mechanism may be
used, otherwise

4) A user-configurable default identity shall be used.

The purpose of the above rules is to allow security contexts to be
established by both initiator and acceptor using the default behavior
whenever possible. Applications requesting default behavior are
likely to be more portable across mechanisms and implementations than
ones that instantiate a GSSCredential representing a specific
identity.

4.7. Contexts

The GSSContext class is used to represent one end of a GSS-API
security context, storing state information appropriate to that end
of the peer communication, including cryptographic state information.

skipping to change at page 17, line 4

Java GSS-API uses byte arrays to represent authentication tokens.
Overloaded methods exist which allow the caller to supply input and
output streams which will be used for the reading and writing of the
token data.

4.9. Interprocess tokens

Certain GSS-API routines are intended to transfer data between
processes in multi-process programs. These routines use a caller-opaque
octet-string, generated by the GSS-API in one process for use
by the GSS-API in another process. The calling application is
responsible for transferring such tokens between processes. Note
that, while GSS-API implementors are encouraged to avoid placing
sensitive information within interprocess tokens, or to
cryptographically protect them, many implementations will be unable
to avoid placing key material or other sensitive data within them.
It is the application's responsibility to ensure that interprocess
tokens are protected in transit, and transferred only to processes
that are trustworthy. An interprocess token is represented using a
[...]
GSS status codes indicate errors that are independent of the
underlying mechanism(s) used to provide the security service. The
errors that can be indicated via a GSS status code are generic API
routine errors (errors that are defined in the GSS-API
specification). The Java bindings take advantage of the strong type
checking of the Java language, thus eliminating the need for calling
errors.

A GSS status code indicates a single fatal generic API error from the
routine that has thrown the GSSException. Using exceptions announces
that a fatal error has occurred during the execution of the method.
Several GSS-API routines can also return supplementary status
information which indicates non-fatal errors. These are handled as
return values since using exceptions is not appropriate for
informatory or warning-like information. The methods that are capable
of producing supplementary information are limited to the per-message
methods of the GSSContext class, namely verifyMIC and unwrap. These
methods return an instance of the MessageProp class which contains the
specific supplementary error information.
[...]
                                or inaccessible.

   NO_CONTEXT             8    Invalid context has been
                               supplied.

   DEFECTIVE_TOKEN        9    A supplied token was invalid.

   DEFECTIVE_CREDENTIAL  10    A supplied credential was
                               invalid.

   CREDENTIALS_EXPIRED   11    The referenced credentials
                               have expired.

   CONTEXT_EXPIRED       12    The context has expired.

   FAILURE               13    Miscellaneous failure,
                               unspecified at the GSS-API level.

   BAD_QOP               14    The quality-of-protection
                               requested could not be provided.
[...]
4.10.2. Mechanism-specific status codes

The GSSException thrown from a GSS-API method may originate from the
mechanism independent layer or the mechanism specific layer. In the
latter case, the exception will be used to indicate not only the
major error codes but also the mechanism specific error code.

A default value of 0 will be used to represent the absence of the
mechanism specific status code.

4.10.3. Supplementary status codes

Supplementary status codes are confined to the per-message methods of
the GSSContext class. Because of the informative nature of these
errors it is not appropriate to use exceptions to signal them.
Instead, the per-message operations of the GSSContext class return an
instance of the MessageProp class which contains supplementary status
information.

The MessageProp class defines query methods which return boolean
[...]
the relationship between a name and the entity claiming the name.
Since different authentication mechanisms may employ different
namespaces for identifying their principals, GSS-API's naming support
is necessarily complex in multi-mechanism environments (or even in
some single-mechanism environments where the underlying mechanism
supports multiple namespaces).

Two distinct conceptual representations are defined for names:

1) A GSS-API form represented by instances of the GSSName class: A
   single GSSName object may contain multiple names from different
   namespaces, but all names should refer to the same entity. An
   example of such an internal name would be the name returned from
   a call to the getName method of the GSSCredential class, when
   applied to a credential containing credential elements for
   multiple authentication mechanisms employing different
   namespaces. This GSSName object will contain a distinct name for
   the entity for each authentication mechanism.
[...]
There is no guarantee that calling the toString method on a GSSName
object will produce the same string form as the original imported
string name. Furthermore, it is possible that the name was not even
constructed from a string representation. The same applies to
namespace identifiers, which may not necessarily survive unchanged
after a journey through the internal name-form. An example of this
might be a mechanism that authenticates X.500 names, but provides an
algorithmic mapping of Internet DNS names into X.500. That
mechanism's implementation of GSSName might, when presented with a
DNS name, generate an internal name that contained both the original
DNS name and the equivalent X.500 name. Alternatively, it might only
store the X.500 name. In the latter case, the toString method of
GSSName would most likely generate a printable X.500 name, rather
than the original DNS name.

The context acceptor can obtain an instance of GSSName representing
the entity performing the context initiation (through the getSrcName
method). Since this name has been authenticated by a single
mechanism, it contains only a single name (even if the
[...]
suitable for comparison are generated by the export method, which
requires that the GSSName represent a MN. Exported names may be
re-imported by using the byte array constructor and specifying
NT_EXPORT_NAME as the name type object identifier. The resulting
GSSName will also be a MN. The GSSName object defines public
static Oid objects representing the standard name types.

Structurally, an exported name object consists of a header containing
an OID identifying the mechanism that authenticated the name, and a
trailer containing the name itself, where the syntax of the trailer
is defined by the individual mechanism specification. A detailed
description of the format is specified in the language-independent
GSS-API specification [GSSAPIv2].

Note that the results obtained by using the equals method will in
general be different from those obtained by invoking canonicalize and
export, and then comparing the byte array output. The first series
of operations determines whether two (unauthenticated) names identify
the same principal; the second whether a particular mechanism would
authenticate them as the same principal. These two operations will
in general give the same results only for MNs.
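The exported name format referred to above, as an added worked example that is not code from this draft. It builds and parses the mechanism-independent exported name object as laid out in the language-independent specification (RFC 2078 section 3.2, carried over unchanged into RFC 2743): the two-octet token identifier 0x04 0x01, a two-octet big-endian length followed by the DER-encoded mechanism OID, then a four-octet big-endian length followed by the mechanism-specific name. Python is used instead of Java because the point is the wire format the export method produces, not the class API. The OIDs are the two this draft itself lists (the Kerberos v5 mechanism and the NT_HOSTBASED_SERVICE name type); the principal string in the demo is a constructed sample.

```python
import struct

# OIDs taken from the draft's own text: the Kerberos v5 mechanism OID used in
# its GSSName example and the NT_HOSTBASED_SERVICE name-type arc it lists.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
NT_HOSTBASED_SERVICE_OID = "1.3.6.1.5.6.2"

# Assumption: exported name tokens use the layout of RFC 2078/2743 section 3.2:
#   0x04 0x01 | 2-byte BE length of DER OID | DER OID | 4-byte BE name length | name
EXPORT_NAME_TOKEN_ID = b"\x04\x01"


def encode_oid_der(dotted):
    """DER-encode a dotted OID string, tag 0x06 and short-form length included."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %s" % dotted)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128 groups, most significant first, high bit set on all but the last
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(groups)
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid_der(data):
    """Inverse of encode_oid_der; rejects anything that is not exactly one OID."""
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("malformed DER OID")
    body = data[2:]
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def build_exported_name(mech_oid, name_bytes):
    """Produce the exported-name token a mechanism's export method would emit."""
    oid = encode_oid_der(mech_oid)
    return (EXPORT_NAME_TOKEN_ID
            + struct.pack(">H", len(oid)) + oid
            + struct.pack(">I", len(name_bytes)) + name_bytes)


def parse_exported_name(token):
    """Return (mechanism OID, name bytes); every length must account for every byte."""
    if len(token) < 8 or token[:2] != EXPORT_NAME_TOKEN_ID:
        raise ValueError("not an exported name token")
    (oid_len,) = struct.unpack(">H", token[2:4])
    oid_end = 4 + oid_len
    if len(token) < oid_end + 4:
        raise ValueError("truncated mechanism OID field")
    mech = decode_oid_der(token[4:oid_end])
    (name_len,) = struct.unpack(">I", token[oid_end:oid_end + 4])
    name_start = oid_end + 4
    if len(token) != name_start + name_len:
        raise ValueError("name length does not match token length")
    return mech, token[name_start:]


if __name__ == "__main__":
    # Constructed sample principal, not taken from the draft.
    token = build_exported_name(KRB5_MECH_OID, b"host/server.example.com@EXAMPLE.COM")
    print(token.hex())
    print(parse_exported_name(token))
```

The parser insists that the two length fields account for exactly the bytes present. That matters for the byte-array comparison the draft describes: a parser that tolerated trailing bytes or trusted a name length larger than the buffer would let two different tokens compare as the same principal, or read past the token.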
[...]
address information, and the application supplied byte array to form
an octet string. The mechanism calculates a MIC over this octet
string and binds the MIC to the context establishment token emitted
by the init method of the GSSContext class. The same bindings are set
by the context acceptor for its GSSContext object, and during
processing of the accept method a MIC is calculated in the same way.
The calculated MIC is compared with that found in the token, and if
the MICs differ, accept will throw a GSSException with the major code
set to BAD_BINDINGS, and the context will not be established. Some
mechanisms may include the actual channel binding data in the token
(rather than just a MIC); applications should therefore not use
confidential data as channel-binding components.

Individual mechanisms may impose additional constraints on addresses
that may appear in channel bindings. For example, a mechanism may
verify that the initiator address field of the channel binding
contains the correct network address of the host system. Portable
applications should therefore ensure that they either provide correct
information for the address fields, or omit setting of the addressing
information.
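The init/accept check described in the two paragraphs above, as an added example that is not code from this draft or from any GSS-API mechanism. Python is used rather than Java because the point is the data flow, not the class API. Two things are assumptions: the draft only says the three components are concatenated, so the length-prefixed encoding here is a choice (made so that different splits of the same bytes cannot collide), and the MIC is an HMAC-SHA256 under a constructed key standing in for whatever the mechanism would use. The addresses and application data are constructed sample values.

```python
import hashlib
import hmac
import struct


def encode_channel_bindings(initiator_addr, acceptor_addr, app_data):
    """Octet string over which the channel-binding MIC is computed.

    Assumption: each component is length-prefixed before concatenation so
    that (b"ab", b"c") and (b"a", b"bc") yield different octet strings.
    Components the application omits are passed as empty byte strings."""
    out = b""
    for part in (initiator_addr, acceptor_addr, app_data):
        out += struct.pack(">I", len(part)) + part
    return out


def bindings_mic(context_key, bindings):
    """Stand-in for the mechanism's MIC: HMAC-SHA256 under a constructed key."""
    return hmac.new(context_key, bindings, hashlib.sha256).digest()


def initiator_token(context_key, initiator_bindings):
    """What init contributes to the context token: the MIC of its bindings."""
    return bindings_mic(context_key, encode_channel_bindings(*initiator_bindings))


def accept_token(context_key, token_mic, acceptor_bindings):
    """Acceptor side of the check: recompute over the acceptor's own bindings
    and compare in constant time; a mismatch is the BAD_BINDINGS failure and
    the context must not be established."""
    expected = bindings_mic(context_key, encode_channel_bindings(*acceptor_bindings))
    if not hmac.compare_digest(expected, token_mic):
        return "BAD_BINDINGS"
    return "COMPLETE"


# Constructed sample values: a shared context key and the addresses and
# application data as each side would set them with setChannelBinding.
CONTEXT_KEY = hashlib.sha256(b"sample-context-key").digest()
CLIENT = b"\xc0\xa8\x01\x0a"      # 192.168.1.10
SERVER = b"\xc0\xa8\x01\x14"      # 192.168.1.20
APP_DATA = b"tls-unique:4f2d9a"   # e.g. a handle to the outer transport session


def demo():
    mic = initiator_token(CONTEXT_KEY, (CLIENT, SERVER, APP_DATA))
    return {
        "matching": accept_token(CONTEXT_KEY, mic, (CLIENT, SERVER, APP_DATA)),
        "wrong_app_data": accept_token(CONTEXT_KEY, mic, (CLIENT, SERVER, b"tls-unique:0000")),
        "wrong_acceptor_addr": accept_token(CONTEXT_KEY, mic, (CLIENT, b"\x0a\x00\x00\x01", APP_DATA)),
        "addresses_omitted": accept_token(CONTEXT_KEY, mic, (b"", b"", APP_DATA)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last case shows the portability point: if the initiator fills in the address fields and the acceptor omits them, the MICs differ and the context fails with BAD_BINDINGS even though nothing was tampered with, which is why both sides must agree on either setting correct addresses or leaving them out.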
[...]
indicate which parameters are optional. Method overloading has also
been used as a technique to indicate default parameters.

5. Additional Controls

This section discusses the optional services that a context initiator
may request of the GSS-API before the context establishment. Each of
these services is requested by calling the appropriate mutator method
in the GSSContext object before the first call to init is performed.
Only the context initiator can request context flags.

The optional services defined are:

Delegation
   The (usually temporary) transfer of rights from initiator to
   acceptor, enabling the acceptor to authenticate itself as an
   agent of the initiator.

Mutual Authentication
[...]
providing a requested service, it should proceed without the service,
leaving the application to abort the context establishment process if
it considers the requested service to be mandatory.

Some mechanisms may specify that support for some services is
optional, and that implementors of the mechanism need not provide it.
This is most commonly true of the confidentiality service, often
because of legal restrictions on the use of data-encryption, but may
apply to any of the services. Such mechanisms are required to send
at least one token from acceptor to initiator during context
establishment when the initiator indicates a desire to use such a
service, so that the initiating GSS-API can correctly indicate
whether the service is supported by the acceptor's GSS-API.

5.1. Delegation

The GSS-API allows delegation to be controlled by the initiating
application via the requestCredDeleg method before the first call to
init has been issued. Some mechanisms do not support delegation, and
for such mechanisms attempts by an application to enable delegation
[...]
object that delegation is not desired, then the implementation must
not permit delegation to occur. This is an exception to the general
rule that a mechanism may enable services even if they are not
requested - delegation may only be provided at the explicit request
of the application.

5.2. Mutual Authentication

Usually, a context acceptor will require that a context initiator
authenticate itself so that the acceptor may make an access-control
decision prior to performing a service for the initiator. In some
cases, the initiator may also request that the acceptor authenticate
itself. GSS-API allows the initiating application to request this
mutual authentication service by calling the requestMutualAuth method
of the GSSContext class with a "true" parameter before making the
first call to init. The initiating application is informed as to
whether or not the context acceptor has authenticated itself. Note
that some mechanisms may not support mutual authentication, and other
mechanisms may always perform mutual authentication, whether or not
the initiating application requests it. In particular, mutual
[...]
the MessageProp object returned from each of these routines.

A mechanism need not maintain a list of all tokens that have been
processed in order to support these status codes. A typical
mechanism might retain information about only the most recent "N"
tokens processed, allowing it to distinguish duplicates and missing
tokens within the most recent "N" messages; the receipt of a token
older than the most recent "N" would result in the isOldToken method
of the MessageProp instance returning "true".
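The bounded-window scheme just described, as an added example that is not code from this draft. It is a Python model of a receiver that remembers only the most recent "N" sequence numbers and reports the four supplementary outcomes the draft's MessageProp exposes (isDuplicateToken, isOldToken, isUnseqToken, isGapToken). It assumes tokens carry a per-context sequence number starting at 0, which a real mechanism would read from the token only after verifying the token's MIC; the arrival order in the demo is constructed.

```python
from collections import namedtuple

# Mirrors the four supplementary flags of the draft's MessageProp class;
# snake_case names because this is a Python model, not the Java class.
MessageProp = namedtuple("MessageProp", "duplicate old unseq gap")


class SequenceWindow:
    """Replay and sequence tracking that retains only the most recent N tokens.

    Assumption: each token carries a per-context sequence number starting at
    0; a mechanism would extract it only after the token's MIC verifies."""

    def __init__(self, window_size):
        self.window_size = window_size
        self.highest = -1        # highest sequence number accepted so far
        self.seen = set()        # sequence numbers received within the window

    def check(self, seq):
        duplicate = old = unseq = gap = False
        if seq > self.highest:
            # newest token so far; a jump of more than one means something was skipped
            gap = seq > self.highest + 1
            self.highest = seq
            self.seen.add(seq)
        elif seq <= self.highest - self.window_size:
            # fell off the window: replay and late arrival are indistinguishable
            old = True
        elif seq in self.seen:
            duplicate = True      # replay of a token still inside the window
        else:
            unseq = True          # late arrival of a previously skipped token
            self.seen.add(seq)
        # forget anything older than the window so state stays bounded by N
        self.seen = {s for s in self.seen if s > self.highest - self.window_size}
        return MessageProp(duplicate, old, unseq, gap)


def replay_trace(window_size, sequence):
    """Feed a list of received sequence numbers through one window."""
    w = SequenceWindow(window_size)
    return [w.check(seq) for seq in sequence]


if __name__ == "__main__":
    # Constructed arrival order: in order, a skip, the late token, a replay,
    # a large jump, a token older than the window, and a late token inside it.
    arrivals = [0, 1, 3, 2, 2, 10, 5, 7]
    for seq, prop in zip(arrivals, replay_trace(4, arrivals)):
        print(seq, prop)
```

An application that treats isOldToken as harmless loses replay protection for exactly the tokens the window has forgotten; if ordering matters to the application, an old token should be rejected the same way a duplicate is.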
5.4. Anonymous Authentication

In certain situations, an application may wish to initiate the
authentication process to authenticate a peer, without revealing its
own identity. As an example, consider an application providing
access to a database containing medical information, and offering
unrestricted access to the service. A client of such a service might
wish to authenticate the service (in order to establish trust in any
information retrieved from it), but might not wish the service to be
able to obtain the client's identity (perhaps due to privacy concerns
[...]
class. The printable form of an anonymous name should be chosen such
that it implies anonymity, since this name may appear in, for
example, audit logs. For example, the string "<anonymous>" might be
a good choice, if no valid printable names supported by the
implementation can begin with "<" and end with ">".

When using the equals method of the GSSName class, and one of the
operands is a GSSName instance representing an anonymous entity, the
method must return "false".

5.5. Confidentiality

If a GSSContext supports the confidentiality service, the wrap method
may be used to encrypt application messages. Messages are selectively
encrypted, under the control of the setPrivacy method of the
MessageProp object used within the wrap method.

5.6. Inter-process Context Transfer

GSS-API V2 provides functionality which allows a security context to
[...]
The inter-process token may contain sensitive data from the original
security context (including cryptographic keys). Applications using
inter-process tokens to transfer security contexts must take
appropriate steps to protect these tokens in transit.

Implementations are not required to support the inter-process
transfer of security contexts. Calling the isTransferable method of
the GSSContext class will indicate if the context object is
transferable.

5.7. The Use of Incomplete Contexts

Some mechanisms may allow the per-message services to be used before
the context establishment process is complete. For example, a
mechanism may include sufficient information in its initial context-
level tokens for the context acceptor to immediately decode messages
protected with wrap or getMIC. For such a mechanism, the initiating
application need not wait until subsequent context-level tokens have
been sent and received before invoking the per-message protection
services.
[...]
(MN), performs a comparison, obtains a printable representation of
the name, exports it and then re-imports to obtain a new GSSName
object.

   // create an Oid object for the Kerberos v5 mechanism
   Oid krb5 = new Oid("1.2.840.113554.1.2.2");

   // create a host-based service name, and convert it to a mechanism name
   GSSName aName = new GSSName("service@host",
                               GSSName.NT_HOSTBASED_SERVICE);
   GSSName mechName = aName.canonicalize(krb5);

   // the above two steps are equivalent to the following constructor,
   // which yields a mechanism name directly
   GSSName mechName2 = new GSSName("service@host",
                                   GSSName.NT_HOSTBASED_SERVICE,
                                   krb5);

   // perform name comparison
   if (aName.equals(mechName))
       System.out.println("Names are equal.");
[...]
Values for the "service" element are registered with the IANA. It
represents the following value: { 1(iso), 3(org), 6(dod),
1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) }

public static final Oid NT_USER_NAME

Name type to indicate a named user on a local system. It represents
the following value: { iso(1) member-body(2) United States(840)
mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }

public static final Oid NT_MACHINE_UID_NAME

Name type to indicate a numeric user identifier corresponding to a
user on a local system (e.g. a Uid). It represents the following
value: { iso(1) member-body(2) United States(840) mit(113554)
infosys(1) gssapi(2) generic(1) machine_uid_name(2) }

public static final Oid NT_STRING_UID_NAME

Name type to indicate a string of digits representing the numeric
[...]
NT_EXPORT_NAME.

Parameters:

   nameStr   The string representing the name to create.

   type      Oid specifying type of the printable name supplied.
             "null" value can be used to specify a default
             printable syntax.

public GSSName(byte name[], Oid type) throws GSSException

Converts a contiguous byte name to a GSSName object of the specified
type. The name parameter is interpreted based on the type specified.
This constructor is provided for use with names that aren't expressed
as printable strings (for example, names of type NT_EXPORT_NAME). In
general, the GSSName object created will not be an MN.

Parameters:
Parameters: Parameters:
skipping to change at page 34, line 5 skipping to change at page 34, line 5
throws GSSException throws GSSException
Converts a contiguous byte name to a GSSName object of the specified Converts a contiguous byte name to a GSSName object of the specified
type. The name parameter is interpreted based on the type specified. type. The name parameter is interpreted based on the type specified.
This constructor is provided to be used with names that aren't This constructor is provided to be used with names that aren't
expressed as printable strings. It allows the creation of expressed as printable strings. It allows the creation of
mechanism-specific names without having to call canonicalize. mechanism-specific names without having to call canonicalize.
Parameters: Parameters:
GSS-API Java Bindings August 1998
name The byte array representing the name to create. name The byte array representing the name to create.
type Oid specifying the type of name supplied. "null" value type Oid specifying the type of name supplied. "null" value
can be used to specify a default syntax. can be used to specify a default syntax.
mechType Oid specifying the mechanism for which this name mechType Oid specifying the mechanism for which this name
should be created. "null" value can be used to specify should be created. "null" value can be used to specify
the default mechanism. the default mechanism.
6.1.4. equals 6.1.4. equals
skipping to change at page 35, line 5 skipping to change at page 35, line 5
Creates a mechanism name (MN) from an arbitrary internal name. This Creates a mechanism name (MN) from an arbitrary internal name. This
is equivalent to using a constructor which takes the mechanism name is equivalent to using a constructor which takes the mechanism name
as one of its parameters. as one of its parameters.
Parameters: Parameters:
mechOid The oid for the authentication mechanism for which the mechOid The oid for the authentication mechanism for which the
canonical form of the name is requested. canonical form of the name is requested.
GSS-API Java Bindings August 1998
6.1.7. export 6.1.7. export
public byte[] export() throws GSSException public byte[] export() throws GSSException
Returns a canonical contiguous byte representation of a mechanism Returns a canonical contiguous byte representation of a mechanism
name (MN), suitable for direct, byte by byte comparison by name (MN), suitable for direct, byte by byte comparison by
authorization functions. The name must a MN before calling this authorization functions. The name must a MN before calling this
method. The format of the header of the outputted buffer is specified method. The format of the header of the outputted buffer is specified
in RFC 2078. in RFC 2078.
[...]
6.1.11. isAnonymous

public boolean isAnonymous()

Tests if this name object represents an anonymous entity. Returns
"true" if this is an anonymous name.

6.2. public class GSSCredential

This class manages GSS-API credentials and their associated
operations. A credential contains all the necessary cryptographic
information to enable the creation of a context on behalf of the
entity that it represents. It may contain multiple, distinct,
mechanism specific credential elements, each containing information
for a specific security mechanism, but all referring to the same
entity.

A credential may be used to perform context initiation, acceptance,
or both.
[...]
6.2.1. Example Code

This example code demonstrates the creation of a GSSCredential object
for a specific entity, querying of its fields, and its release when
it is no longer needed.

    //start by creating a name object for the entity
    GSSName aName = new GSSName("userName", GSSName.NT_USER_NAME);

    GSSCredential entity = new GSSCredential(
                                    aName,
                                    GSSCredential.ACCEPT_ONLY);

    //display credential information - name, remaining lifetime,
    //and the mechanisms it has been acquired over
    print(entity.getGSSName().toString());
    print(entity.getRemainingLifetime());

    Oid [] mechs = entity.getMechs();
    if (mechs != null) {
[...]
public static final int INDEFINITE

A lifetime constant representing indefinite credential lifetime.
This value must be set to the maximum integer value in Java -
Integer.MAX_VALUE.

6.2.3. Constructors

public GSSCredential(int usage) throws GSSException

Constructor for default credentials. This will use the default
mechanism, name, and an INDEFINITE lifetime.

Parameters are:

usage      The intended usage for this credential object. The
           value of this parameter must be one of:
           GSSCredential.ACCEPT_AND_INITIATE,
           GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
[...]
lifetime   The number of seconds that credentials should remain
           valid. Use GSSCredential.INDEFINITE to request that
           the credentials have the maximum permitted lifetime.

mechOid    The oid of the desired mechanism.

usage      The intended usage for this credential object. The
           value of this parameter must be one of:
           GSSCredential.ACCEPT_AND_INITIATE,
           GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY

public GSSCredential(GSSName aName, int lifetime, Oid mechs[],
                     int usage) throws GSSException

Constructor for a credential over a set of mechanisms. Acquires
credentials for each of the mechanisms specified in the mechs array.
"null" value can be used for aName to obtain the system specific
default. To determine which mechanisms' acquisition of the credential
was successful, use the getMechs method. This call is equivalent to
[...]
containing. Applications should call this method as soon as the
credential is no longer needed, to minimize the time that sensitive
information is maintained.

6.2.5. getGSSName

public GSSName getGSSName() throws GSSException

Retrieves the name of the entity that the credential asserts.

6.2.6. getGSSName

public GSSName getGSSName(Oid mechOID) throws GSSException

Retrieves the per-mechanism name of the entity that the credential
asserts.

Parameters:

mechOID    The mechanism for which information should be
[...]
           returned.

6.2.9. getRemainingAcceptLifetime

public int getRemainingAcceptLifetime(Oid mech) throws GSSException

Returns the remaining lifetime in seconds for the credential to
remain capable of accepting security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE indicates that
the credential does not expire for context acceptance. A return value
of 0 indicates that the credential is already expired.

Parameters:

mech       The mechanism for which information should be
           returned.

6.2.10. getUsage

public int getUsage() throws GSSException
[...]
6.2.13. add

public void add(GSSName aName, int initLifetime, int acceptLifetime,
                Oid mech, int usage) throws GSSException

Adds a mechanism specific credential-element to an existing
credential. This method allows the construction of credentials one
mechanism at a time. Using the GSSCredential constructor which takes
an Oid array as an input parameter is equivalent to calling this
method once for each of the mechanisms in the array.

This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials which are to be used
with a variety of clients using different security mechanisms.

To obtain a new credential object after the addition of the new
mechanism credential, the clone method can be called.
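The acceptor-side pattern that sections 6.2.3 to 6.2.13 describe, as an added example that is not code from the draft: a credential is acquired for one required mechanism, a second mechanism is added with add() without letting its failure abort the whole acquisition, and getMechs() plus getRemainingAcceptLifetime() are consulted to learn which elements actually exist and are still valid before the credential is handed to any context. Assumed, because they are not shown on this page: that Oid has a String constructor, that GSSName.NT_HOSTBASED_SERVICE is the host-based service name type of RFC 2078, and that the Kerberos V5 mechanism OID is the one registered in RFC 1964; OPTIONAL_MECH is a placeholder, not a real mechanism.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the draft: an acceptor builds a credential
// one mechanism at a time with add() (section 6.2.13) and then checks
// what was actually acquired before trusting it.
//
// Assumptions not shown on this page: Oid(String) exists,
// GSSName.NT_HOSTBASED_SERVICE is the RFC 2078 service name type, and
// KRB5_MECH is the Kerberos V5 mechanism OID from RFC 1964. OPTIONAL_MECH
// is a placeholder OID standing in for any second mechanism.
public class AcceptorCredentialExample {

    static final String KRB5_MECH     = "1.2.840.113554.1.2.2";
    static final String OPTIONAL_MECH = "1.3.6.1.4.1.99999.1.1"; // placeholder

    // Acquire an ACCEPT_ONLY credential for the service: Kerberos is
    // required, the second mechanism is added only if the system has it.
    public static GSSCredential acquire(String service) throws GSSException {
        GSSName name = new GSSName(service, GSSName.NT_HOSTBASED_SERVICE);

        // Required mechanism: a failure here propagates to the caller.
        GSSCredential cred = new GSSCredential(name, GSSCredential.INDEFINITE,
                                               new Oid(KRB5_MECH),
                                               GSSCredential.ACCEPT_ONLY);
        try {
            // Optional mechanism: add() attaches a further element for the
            // same entity, as the Oid[] constructor would have done for both.
            cred.add(name, GSSCredential.INDEFINITE, GSSCredential.INDEFINITE,
                     new Oid(OPTIONAL_MECH), GSSCredential.ACCEPT_ONLY);
        } catch (GSSException e) {
            // Keep the credential usable with the mechanisms it already has.
            System.err.println("optional mechanism not acquired: " + e.getMessage());
        }
        return cred;
    }

    // Mechanisms that were actually acquired and can still accept contexts.
    // getMechs() lists only successful elements; a remaining accept lifetime
    // of 0 means that element has already expired.
    public static List<Oid> usableAcceptMechs(GSSCredential cred)
            throws GSSException {
        List<Oid> usable = new ArrayList<Oid>();
        Oid[] mechs = cred.getMechs();
        if (mechs == null) return usable;
        for (Oid m : mechs) {
            if (cred.getRemainingAcceptLifetime(m) == 0) continue; // expired
            usable.add(m);
        }
        return usable;
    }

    public static void main(String[] args) throws GSSException {
        GSSCredential cred = acquire("host@server.example.com");
        try {
            if (cred.getUsage() != GSSCredential.ACCEPT_ONLY)
                throw new IllegalStateException("unexpected credential usage");
            List<Oid> ok = usableAcceptMechs(cred);
            if (ok.isEmpty())
                throw new IllegalStateException("no usable acceptor mechanism");
            System.out.println(cred.getGSSName() + " accepts over "
                               + ok.size() + " mechanism(s)");
            // ... pass cred to new GSSContext(cred) for each incoming client
        } finally {
            cred.dispose(); // release key material as soon as it is not needed
        }
    }
}
```

The check on getMechs() matters because the multi-mechanism constructor and add() do not fail as a whole when one element cannot be acquired; a server that only logs the constructor's success may silently be accepting over fewer mechanisms than it was configured for. dispose() sits in a finally block for the reason section 6.2.4 gives: the credential holds cryptographic material and should live no longer than it is needed.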
[...]
public boolean equals(Object another)

Tests if this GSSCredential refers to the same entity as the supplied
object. The two GSSCredentials must be acquired over the same
mechanisms and must refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise.

Parameter:

another    Another GSSCredential object for comparison.

6.3. public class GSSContext

This class represents the GSS-API security context and its associated
operations. Security contexts are established between peers using
locally acquired credentials. Multiple contexts may exist
simultaneously between a pair of peers, using the same or different
set of credentials. GSS-API functions in a manner independent of the
underlying transport protocol and depends on its calling application
[...]
This allows the implementation to use per-message operations on
contexts which aren't fully established.

After the context has been established or the isProtReady method
returns "true", the query routines can be invoked to determine the
actual characteristics and services of the established context. The
application can also start using the per-message methods of wrap and
getMIC to obtain cryptographic operations on application supplied
data.

When the context is no longer needed, the application should call
dispose to release any system resources the context may be using.

6.3.1. Example Code

The example code presented below demonstrates the usage of the
GSSContext object for the initiating peer. Different operations on
the GSSContext object are presented, including: object instantiation,
setting of desired flags, context establishment, query of actual
context flags, per-message operations on application data, and
[...]
            //send the token if present
            if (outTok != null)
                sendToken(outTok);

            //check if we should expect more tokens
            if (aCtxt.isEstablished())
                break;

            //another token expected from peer
            inTok = readToken();
        } while (true);

    } catch (GSSException e) {
        print("GSSAPI error: " + e.getMessage());
    }

    //display context information
    print("Remaining lifetime in seconds = " + aCtxt.getLifetime());
[...]
    aCtxt.dispose();

6.3.2. Class Constants

public static final int INDEFINITE

A lifetime constant representing indefinite context lifetime. This
value must be set to the maximum integer value in Java -
Integer.MAX_VALUE.

public static final int COMPLETE

Return value from either accept or init stating that the context
creation phase is complete for this peer.

public static final int CONTINUE_NEEDED

Return value from either accept or init stating that another token is
required from the peer to continue context creation. This may be
returned several times, indicating multiple token exchanges.
[...]
Constructor for creating a context on the acceptor's side. The
context's properties will be determined from the input token supplied
to the accept method.

Parameters:

myCred     Credentials for the acceptor. Use "null" to act as a
           default acceptor principal.

public GSSContext(byte [] interProcessToken) throws GSSException

Constructor for creating a previously exported context. The context
properties will be determined from the input token and can't be
modified through the set methods.

Parameters:

interProcessToken
           The token previously emitted from the export method.

6.3.4. init
[...]
offset     The offset within the inputBuf where the token begins.

len        The length of the token within the inputBuf (starting
           at the offset).

6.3.4.1. Example Code

    //create a GSSContext object
    GSSContext aCtxt = new GSSContext(...

    byte []inTok = new byte[0];

    try {
        do {
            byte[] outTok = aCtxt.init(inTok, 0,
                                       inTok.length);

            //send the token if present
            if (outTok != null)
[...]
COMPLETE or CONTINUE_NEEDED indicating the status of the current
context. A return value of COMPLETE indicates that the context
establishment phase is complete for this peer, while CONTINUE_NEEDED
means that another token is expected from the peer. The isEstablished
method can also be used to determine this state. Note that it is
possible to have a token for the peer while this method returns
COMPLETE. This indicates that the local end of the context is
established, but the token needs to be sent to the peer to complete
the context establishment.

The GSS-API authentication tokens contain a definitive start and end.
This method will attempt to read one of these tokens per invocation,
and may block on the stream if only part of the token is available.

Upon completion of the context establishment, the available context
options may be queried through the get methods.
Parameters:

inputBuf   Contains the token generated by the peer. This
[...]
                is = recvToken();
            }

            //send token if present
            if (os.size() > 0)
                sendToken(os);

    } catch (GSSException e) {
        print("GSS-API error: " + e.getMessage());
    }

6.3.6. accept

public byte[] accept(byte inTok[], int offset, int len)
                throws GSSException

Called by the context acceptor upon receiving a token from the peer.
This call is equivalent to the stream based method except that the
token buffers are handled as byte arrays instead of using stream
objects.
[...]
    //obtain server credentials
    GSSCredential server = ...

    //create acceptor GSS-API context
    GSSContext aCtxt = new GSSContext(server);

    try {
        do {
            byte [] inTok = readToken();
            byte []outTok = aCtxt.accept(inTok, 0,
                                         inTok.length);

            //possibly send token to peer
            if (outTok != null)
                sendToken(outTok);

            //check if local context establishment is complete
            if (aCtxt.isEstablished())
                break;
[...]
This method will attempt to read one of these tokens per invocation,
and may block on the stream if only part of the token is available.

Upon completion of the context establishment, the available context
options may be queried through the get methods.

Parameters:

inputBuf   Contains the token generated by the peer.

outputBuf  Buffer where the output token will be written. During
           the final stage of context establishment, there may be
           no bytes written.

6.3.7.1. Example Code

    //obtain server credentials
    GSSCredential server = ...

    //create acceptor GSS-API context
[...]
public boolean isEstablished()

Returns "true" if this is a fully established context. Used after the
init and accept methods to check if more tokens are needed from the
peer.
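The token exchange that sections 6.3.4 to 6.3.8 describe from each side separately, as an added example that is not code from the draft: both contexts are driven in one process so the loop termination rule can be seen in full. Each side consumes the newest token from its peer and forwards whatever it emits, and the loop ends only when no token is left undelivered, which is what handles the case the draft calls out where init or accept returns COMPLETE together with a token that still has to reach the peer. The flag checks afterwards exist because a requested service is not a negotiated one. Assumed, because they are not shown on this page: the initiator constructor GSSContext(GSSName peer, Oid mech, GSSCredential cred, int lifetime), the flag methods requestMutualAuth, getMutualAuthState and getConfState, Oid(String), GSSName.NT_HOSTBASED_SERVICE from RFC 2078, and the Kerberos V5 mechanism OID from RFC 1964.

```java
// Added example, not code from the draft: drives both ends of a context
// establishment in one process using the byte-array init/accept methods.
//
// Assumptions not shown on this page: the initiator constructor
// GSSContext(GSSName, Oid, GSSCredential, int), requestMutualAuth(),
// getMutualAuthState(), getConfState(), Oid(String),
// GSSName.NT_HOSTBASED_SERVICE (RFC 2078) and the Kerberos V5 mechanism
// OID 1.2.840.113554.1.2.2 (RFC 1964).
public class EstablishExample {

    // Run the exchange to completion. Returns only when both contexts
    // report isEstablished() and neither side holds an undelivered token.
    public static void establish(GSSContext initiator, GSSContext acceptor)
            throws GSSException {
        byte[] toAcceptor  = initiator.init(new byte[0], 0, 0); // first call: no input
        byte[] toInitiator = null;

        while (toAcceptor != null || toInitiator != null) {
            if (toAcceptor != null) {
                // The initiator may already be established here: init can
                // return COMPLETE and still produce a token for the peer.
                toInitiator = acceptor.accept(toAcceptor, 0, toAcceptor.length);
                toAcceptor = null;
            }
            if (toInitiator != null) {
                // A token arriving after the initiator completed is a
                // protocol error, not something to feed back into init.
                if (initiator.isEstablished())
                    throw new IllegalStateException(
                        "peer sent a token after the initiator completed");
                toAcceptor = initiator.init(toInitiator, 0, toInitiator.length);
                toInitiator = null;
            }
        }
        if (!initiator.isEstablished() || !acceptor.isEstablished())
            throw new IllegalStateException("exchange ended before establishment");
    }

    // Requested flags are not guarantees: read back what was negotiated
    // before relying on it.
    public static void requireNegotiated(GSSContext ctx, boolean mutual,
                                         boolean conf) {
        if (mutual && !ctx.getMutualAuthState())
            throw new IllegalStateException("mutual authentication not provided");
        if (conf && !ctx.getConfState())
            throw new IllegalStateException("confidentiality not available");
    }

    public static void main(String[] args) throws GSSException {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        GSSName service = new GSSName("host@server.example.com",
                                      GSSName.NT_HOSTBASED_SERVICE);

        GSSCredential client = new GSSCredential(GSSCredential.INITIATE_ONLY);
        GSSCredential server = new GSSCredential(service, GSSCredential.INDEFINITE,
                                                 krb5, GSSCredential.ACCEPT_ONLY);

        GSSContext initiator = new GSSContext(service, krb5, client,
                                              GSSContext.INDEFINITE);
        GSSContext acceptor  = new GSSContext(server);
        initiator.requestMutualAuth(true); // must precede the first init call
        try {
            establish(initiator, acceptor);
            requireNegotiated(initiator, true, true);
            System.out.println("lifetime(s) = " + initiator.getLifetime());
        } finally {
            initiator.dispose();
            acceptor.dispose();
            client.dispose();
            server.dispose();
        }
    }
}
```

Over a real transport the two halves of the loop run in different processes, but the rule is the same on each side: send whatever init or accept returned before testing isEstablished(), and stop reading only when the local context is established and nothing is left to send. Breaking on isEstablished() before sending the returned token leaves the peer waiting for a message that never arrives.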
6.3.9. dispose

public void dispose() throws GSSException

Releases any system resources and cryptographic information stored in
the context object. This will invalidate the context.

6.3.10. getWrapSizeLimit

public int getWrapSizeLimit(int qop, boolean confReq,
                            int maxTokenSize) throws GSSException

Returns the maximum message size that, if presented to the wrap
method with the same confReq and qop parameters, will result in an
[...]
maxTokenSize
           The desired maximum size of the token emitted by wrap.

6.3.11. wrap

public byte[] wrap(byte inBuf[], int offset, int len,
                   MessageProp msgProp) throws GSSException

Applies per-message security services over the established
security context. The method will return a token with a cryptographic
MIC and may optionally encrypt the specified inBuf. This method is
equivalent in functionality to its stream counterpart. The returned
byte array will contain both the MIC and the message. The msgProp
object is used to specify a QOP value which selects cryptographic
algorithms, and a privacy service, if supported by the chosen
mechanism.

Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations should support
[...]
The outBuf will contain both the MIC and the message. The msgProp
object is used to specify a QOP value to select cryptographic
algorithms, and a privacy service, if supported by the chosen
mechanism.

Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations should support
the wrapping of zero-length messages.

The application will be responsible for sending the token to the
peer.

Parameters:

inpBuf     Application data to be protected.

outBuf     The buffer to write the protected message to. The
           application is responsible for sending this to the
           other peer for processing in its unwrap method.
skipping to change at page 56, line 5 skipping to change at page 56, line 5
offset The offset within the inBuf where the token begins. offset The offset within the inBuf where the token begins.
len The length of the token within the inBuf (starting at len The length of the token within the inBuf (starting at
the offset). the offset).
msgProp Upon return from the method, this object will contain msgProp Upon return from the method, this object will contain
the applied QOP and the privacy state of the supplied the applied QOP and the privacy state of the supplied
token. token.
GSS-API Java Bindings August 1998
6.3.14. unwrap 6.3.14. unwrap
public void unwrap(InputStream inBuf, OutputStream outBuf, public void unwrap(InputStream inBuf, OutputStream outBuf,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Used by the peer application to process tokens generated with the Used by the peer application to process tokens generated with the
wrap call. This call is equal in functionality to its byte array wrap call. This call is equal in functionality to its byte array
counterpart. It will produce the message supplied in the peer counterpart. It will produce the message supplied in the peer
application to the wrap call, verifying the embedded MIC. The application to the wrap call, verifying the embedded MIC. The
msgProp parameter will indicate whether the message was encrypted and msgProp parameter will indicate whether the message was encrypted and
skipping to change at page 57, line 5

functionality to its stream counterpart.

Note that privacy can only be applied through the wrap call.

Since some application-level protocols may wish to use tokens emitted
by getMIC to provide "secure framing", implementations should support
derivation of MICs from zero-length messages.

Parameters:
inMsg Message to generate MIC over.
offset The offset within the inMsg where the token begins.
len The length of the token within the inMsg (starting at
the offset).
msgProp Indicates the desired QOP to be used. Use QOP of 0 to
indicate default value. The confidentiality flag is
ignored. Upon return from the method, this object will
skipping to change at page 58, line 4

msgProp Indicates the desired QOP to be used. Use QOP of 0 to
indicate default value. The confidentiality flag is
ignored. Upon return from the method, this object will
contain the applied QOP (in case 0 was selected).

6.3.17. verifyMIC

public void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException
Verifies the cryptographic MIC, contained in the token parameter,
over the supplied message. The msgProp parameter will contain the
QOP indicating the strength of protection that was applied to the
message. This method is equivalent in functionality to its stream
counterpart.

Since some application-level protocols may wish to use tokens emitted
by getMIC to provide "secure framing", implementations should support
the calculation and verification of MICs over zero-length messages.
skipping to change at page 59, line 5

Verifies the cryptographic MIC, contained in the token parameter,
over the supplied message. The msgProp parameter will contain the
QOP indicating the strength of protection that was applied to the
message. This method is equivalent in functionality to its byte array
counterpart.

Since some application-level protocols may wish to use tokens emitted
by getMIC to provide "secure framing", implementations should support
the calculation and verification of MICs over zero-length messages.
Parameters:

inTok Contains the token generated by peer's getMIC method.
inMsg Contains application message to verify the
cryptographic MIC over.
msgProp Upon return from the method, this object will contain
the applied QOP and supplementary status values for
the supplied token. The confidentiality state will be
skipping to change at page 60, line 5

The interprocess token may contain security-sensitive information
(for example cryptographic keys). While mechanisms are encouraged to
either avoid placing such sensitive information within interprocess
tokens, or to encrypt the token before returning it to the
application, in a typical GSS-API implementation this may not be
possible. Thus the application must take care to protect the
interprocess token, and ensure that any process to which the token is
transferred is trustworthy.
6.3.20. requestMutualAuth

public void requestMutualAuth(boolean state) throws GSSException

Sets the request state of the mutual authentication flag for the
context. This method is only valid before the context creation
process begins and only for the initiator.

Parameters:
skipping to change at page 61, line 4

state Boolean indicating whether sequence detection is desired
over the established context.

6.3.23. requestCredDeleg

public void requestCredDeleg(boolean state) throws GSSException

Sets the request state for the credential delegation flag for the
context. This method is only valid before the context creation
process begins and only for the initiator.

Parameter:

state Boolean indicating whether credential delegation is
desired.

6.3.24. requestAnonymity

public void requestAnonymity(boolean state) throws GSSException
skipping to change at page 62, line 5

Requests that integrity services be available over the context. This
method is only valid before the context creation process begins and
only for the initiator.

Parameters:

state Boolean indicating whether integrity services are to be
requested for the context.
6.3.27. requestLifetime

public void requestLifetime(int lifetime) throws GSSException

Sets the desired lifetime for the context in seconds. This method is
only valid before the context creation process begins and only for
the initiator.

Parameters:
skipping to change at page 63, line 5

6.3.30. getMutualAuthState

public boolean getMutualAuthState()

Returns the state of the mutual authentication option for the
context. When issued before context establishment completes or when
the isProtReady method returns "false", it returns the desired state,
otherwise it will indicate the actual state over the established
context.
6.3.31. getReplayDetState

public boolean getReplayDetState()

Returns the state of the replay detection option for the context.
When issued before context establishment completes or when the
isProtReady method returns "false", it returns the desired state,
otherwise it will indicate the actual state over the established
context.
skipping to change at page 64, line 4

Returns "true" if the context is transferable to other processes
through the use of the export method. This call is only valid on
fully established contexts.

6.3.35. isProtReady

public boolean isProtReady()

Returns "true" if the per-message operations can be applied over the
context. Some mechanisms may allow the usage of per-message
operations before the context is fully established. This will also
indicate that the get methods will return actual context state
characteristics instead of the desired ones.

6.3.36. getConfState

public boolean getConfState()

Returns the confidentiality service state over the context. When
issued before context establishment completes or when the isProtReady
skipping to change at page 65, line 4

public GSSName getSrcName() throws GSSException

Returns the name of the context initiator. This call is valid only
after the context is fully established or the isProtReady method
returns "true".

6.3.40. getTargName

public GSSName getTargName() throws GSSException
Returns the name of the context target (acceptor). This call is
valid only after the context is fully established or the isProtReady
method returns "true".

6.3.41. getMech

public Oid getMech() throws GSSException

Returns the mechanism oid for this context.
skipping to change at page 66, line 4

instance of this class is used to indicate the desired QOP and to
request if confidentiality services are to be applied to caller
supplied data (wrap only). To request default QOP, the value of 0
should be used.

When used with the unwrap and verifyMIC methods of the GSSContext
class, an instance of this class will be used to indicate the applied
QOP and confidentiality services over the supplied message. In the
case of verifyMIC, the confidentiality state will always be "false".
Upon return from these methods, this object will also contain any
supplementary status values applicable to the processed token. The
supplementary status values can indicate old tokens, out of sequence
tokens, gap tokens or duplicate tokens.

6.4.1. Constructors

public MessageProp()

Default constructor for the class. QOP is set to 0 and
confidentiality to "false".
skipping to change at page 67, line 5

6.4.4. setQOP

public void setQOP(int qopVal)

Sets the QOP value.

Parameter:

qopVal The QOP value to be set.
6.4.5. setPrivacy

public void setPrivacy(boolean privState)

Sets the privacy state.

Parameter:

privState The privacy state to set.
skipping to change at page 68, line 5

public boolean isGapToken()

Returns "true" if an expected per-message token was not received.

6.5. public class GSSManager

This class implements functionality common to the entire GSS-API
package. It does not define any public constructors and all its
methods are static.
6.5.1. getMechs

public static Oid[] getMechs()

Returns an array of Oid objects, one for each mechanism available
within this GSS-API package. A "null" value is returned when no
mechanisms are available (an example of this would be when mechanisms
are dynamically configured and currently no mechanisms are
installed).
skipping to change at page 69, line 4

6.5.4. getDefaultMech

public static Oid getDefaultMech()

Returns the default mechanism oid. This is the mechanism that will
be used when a "null" Oid object is specified in place of an Oid
object within GSSCredential and GSSContext methods.

6.6. public class ChannelBinding
The GSS-API accommodates the concept of caller-provided channel
binding information. Channel bindings are used to strengthen the
quality with which peer entity authentication is provided during
context establishment. They enable the GSS-API callers to bind the
establishment of the security context to relevant characteristics
like addresses or to application specific data.

The caller initiating the security context must determine the
appropriate channel binding values to set in the GSSContext object.
The acceptor must provide an identical binding in order to validate
skipping to change at page 70, line 5

channel bindings. A "null" value can be supplied to
indicate that the application does not want to set
this value.

public ChannelBinding(byte[] appData)

Creates a ChannelBinding object without any addressing information.

Parameters:
appData Application supplied data to be used as part of the
channel bindings.

6.6.2. getInitiatorAddress

public InetAddress getInitiatorAddress()

Returns the initiator's address for this channel binding. "null" is
returned if the address has not been set.
skipping to change at page 71, line 5

obj Another channel binding to compare with.
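An initiator that ties together the request methods of section 6.3, the channel binding of section 6.6 and the post-establishment state checks of 6.3.30 ff. This is an added example, not code from the draft; it assumes the org.ietf.jgss package as later standardized (RFC 2853, shipped with Java SE), so GSSManager.getInstance() and setChannelBinding are used where this draft's names differ, and the service name, addresses, application data and streams are caller-supplied placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;

import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Initiator-side context establishment that fails closed when a service
 * requested through the request methods (6.3.20 ff.) was not actually
 * granted by the mechanism. Added example; assumes the org.ietf.jgss API
 * of Java SE (RFC 2853) rather than this draft's static GSSManager.
 */
public final class StrictInitiator {

    /** Kerberos V5 mechanism OID, as quoted in section 6.7 of the draft. */
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    /**
     * service: host-based service name, e.g. "host@server.example" (placeholder).
     * appData: application data both peers bind the context to (section 6.6).
     * in/out: the streams carrying the context-establishment tokens.
     */
    public static GSSContext establish(String service,
                                       InetAddress localAddr, InetAddress peerAddr,
                                       byte[] appData,
                                       InputStream in, OutputStream out)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH);

        // 6.5.1: getMechs returns null when no mechanism is installed at all.
        Oid[] available = manager.getMechs();
        if (available == null || !krb5.containedIn(available)) {
            throw new GSSException(GSSException.BAD_MECH);
        }

        GSSName target = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(target, krb5,
                (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);

        // Request flags: only valid before establishment begins and only
        // for the initiator (6.3.20 - 6.3.27).
        ctx.requestMutualAuth(true);      // authenticate the acceptor too
        ctx.requestReplayDet(true);
        ctx.requestSequenceDet(true);
        ctx.requestInteg(true);
        ctx.requestConf(true);
        ctx.requestCredDeleg(false);      // never hand our credentials to the peer
        ctx.requestLifetime(8 * 60 * 60); // seconds

        // 6.6: bind the context to the addresses and application data; the
        // acceptor must present an identical binding or establishment fails.
        ctx.setChannelBinding(new ChannelBinding(localAddr, peerAddr, appData));

        // Stream form of initSecContext: each call reads the peer's token
        // from 'in' (nothing on the first call) and writes ours to 'out'.
        while (!ctx.isEstablished()) {
            ctx.initSecContext(in, out);
            out.flush();
        }

        // From here on the get methods report the negotiated state, not the
        // desired one (6.3.30 - 6.3.36): a request is not a guarantee.
        verifyGranted(ctx);
        return ctx;
    }

    /** Rejects a context whose negotiated services fall short of what was requested. */
    static void verifyGranted(GSSContext ctx) throws GSSException {
        if (!ctx.getMutualAuthState())  fail(ctx, "acceptor was not authenticated");
        if (!ctx.getIntegState())       fail(ctx, "no integrity protection available");
        if (!ctx.getConfState())        fail(ctx, "no confidentiality protection available");
        if (!ctx.getReplayDetState())   fail(ctx, "replay detection not available");
        if (!ctx.getSequenceDetState()) fail(ctx, "sequence detection not available");
        if (ctx.getCredDelegState())    fail(ctx, "credentials delegated although not requested");
        // 6.3.40 / 6.3.41: valid once established; record who we talked to.
        System.out.println("context established with " + ctx.getTargName()
                + " via mechanism " + ctx.getMech());
    }

    private static void fail(GSSContext ctx, String why) throws GSSException {
        try {
            ctx.dispose();                // never keep using a half-protected context
        } catch (GSSException ignored) {
            // disposal failure does not change the outcome
        }
        throw new GSSException(GSSException.FAILURE, 0, why);
    }
}
```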
6.7. public class Oid

This class represents Universal Object Identifiers (Oids) and their
associated operations.

Oids are hierarchically globally-interpretable identifiers used
within the GSS-API framework to identify mechanisms and name formats.
The structure and encoding of Oids are defined in ISOIEC-8824 and
ISOIEC-8825. For example, the Oid representation of the Kerberos V5
mechanism is "1.2.840.113554.1.2.2".

The GSSName class contains public static Oid objects
representing the standard name types defined in GSS-API.

6.7.1. Constructors

public Oid(String strOid) throws GSSException
skipping to change at page 72, line 4

Oids are defined in ISOIEC-8824 and ISOIEC-8825. This method is
identical in functionality to its byte array counterpart.

Parameters:

derOid Byte array storing a DER encoded oid.

6.7.2. toString

public String toString()
Returns a string representation of the oid's integer components in
dot separated notation (e.g. "1.2.840.113554.1.2.2").

6.7.3. toRFC2078String

public String toRFC2078String()

Returns a string representation of the Oid's integer components in
the format specified within RFC 2078 (e.g. "{ 1 2 840 113554 1 2 2
}").
skipping to change at page 73, line 4

public boolean containedIn(Oid[] oids)

A utility method to test if an Oid object is contained within the
supplied Oid object array.

Parameter:

oids An array of oids to search.
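A decoder and encoder for the DER OBJECT IDENTIFIER form that the Oid(byte[]) constructor of 6.7.1 consumes, producing the dotted (6.7.2) and RFC 2078 (6.7.3) string forms, and rejecting the malformed encodings a parser of untrusted tokens must expect. This is an added example, not code from the draft or from any Oid implementation; the sample bytes are the standard DER encoding of the Kerberos V5 OID quoted in section 6.7.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * DER OBJECT IDENTIFIER (ISO/IEC 8825) decoder and encoder with the two
 * string forms of sections 6.7.2 and 6.7.3. Added example; not from the draft.
 */
public final class DerOid {

    private static final int OID_TAG = 0x06;

    /** Returns the arcs of the DER-encoded OID, rejecting malformed input. */
    public static long[] decode(byte[] der) {
        if (der.length < 3 || (der[0] & 0xFF) != OID_TAG) {
            throw new IllegalArgumentException("not an OBJECT IDENTIFIER");
        }
        int len = der[1] & 0xFF;          // OIDs are short: one-byte length form
        if (len >= 0x80 || der.length != 2 + len) {
            throw new IllegalArgumentException("bad or unsupported length");
        }
        List<Long> arcs = new ArrayList<>();
        long value = 0;
        boolean first = true, atStart = true;
        for (int i = 2; i < der.length; i++) {
            int b = der[i] & 0xFF;
            if (atStart && b == 0x80) {   // DER forbids leading 0x80 padding bytes
                throw new IllegalArgumentException("non-minimal subidentifier");
            }
            if (value > (Long.MAX_VALUE >> 7)) {
                throw new IllegalArgumentException("subidentifier overflows a long");
            }
            value = (value << 7) | (b & 0x7F);
            atStart = false;
            if ((b & 0x80) == 0) {        // high bit clear: subidentifier complete
                if (first) {              // first subidentifier packs two arcs: 40*X + Y
                    long x = Math.min(value / 40, 2);
                    arcs.add(x);
                    arcs.add(value - 40 * x);
                    first = false;
                } else {
                    arcs.add(value);
                }
                value = 0;
                atStart = true;
            }
        }
        if (!atStart) throw new IllegalArgumentException("truncated subidentifier");
        long[] out = new long[arcs.size()];
        for (int i = 0; i < out.length; i++) out[i] = arcs.get(i);
        return out;
    }

    /** Encodes arcs as a DER OBJECT IDENTIFIER (inverse of decode). */
    public static byte[] encode(long[] arcs) {
        if (arcs.length < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) {
            throw new IllegalArgumentException("invalid leading arcs");
        }
        List<Integer> body = new ArrayList<>();
        appendBase128(body, arcs[0] * 40 + arcs[1]);
        for (int i = 2; i < arcs.length; i++) appendBase128(body, arcs[i]);
        if (body.size() >= 0x80) throw new IllegalArgumentException("OID too long");
        byte[] out = new byte[2 + body.size()];
        out[0] = OID_TAG;
        out[1] = (byte) body.size();
        for (int i = 0; i < body.size(); i++) out[2 + i] = body.get(i).byteValue();
        return out;
    }

    /** Base-128 groups, most significant first, continuation bit on all but the last. */
    private static void appendBase128(List<Integer> body, long v) {
        int start = body.size();
        do {
            body.add(start, (int) (v & 0x7F) | (body.size() > start ? 0x80 : 0));
            v >>>= 7;
        } while (v != 0);
    }

    /** Dotted form of 6.7.2 (e.g. "1.2.840.113554.1.2.2"). */
    public static String toDotted(long[] arcs) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < arcs.length; i++) sb.append(i == 0 ? "" : ".").append(arcs[i]);
        return sb.toString();
    }

    /** RFC 2078 form of 6.7.3 (e.g. "{ 1 2 840 113554 1 2 2 }"). */
    public static String toRFC2078(long[] arcs) {
        StringBuilder sb = new StringBuilder("{");
        for (long a : arcs) sb.append(' ').append(a);
        return sb.append(" }").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the DER encoding of the Kerberos V5 mechanism OID.
        byte[] krb5 = {0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86,
                       (byte) 0xF7, 0x12, 0x01, 0x02, 0x02};
        long[] arcs = decode(krb5);
        System.out.println(toDotted(arcs) + "  " + toRFC2078(arcs));
        System.out.println("round trip intact: " + Arrays.equals(encode(arcs), krb5));
    }
}
```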
6.8. public class GSSException extends Exception
This exception is thrown whenever a fatal GSS-API error occurs,
including mechanism-specific errors. It may contain both the major
and minor GSS-API status codes. The mechanism implementers are
responsible for setting appropriate minor status codes when throwing
this exception. Aside from delivering the numeric error code(s) to
the caller, this class performs the mapping from their numeric values
to textual representations. All Java GSS-API methods are declared
throwing this exception.

All implementations are encouraged to use the Java
skipping to change at page 74, line 5

Name of unsupported type provided error.

public static final int BAD_STATUS

Invalid status code error - this is the default status value.

public static final int BAD_MIC

Token had invalid integrity check error.
public static final int CONTEXT_EXPIRED

Specified security context expired error.

public static final int CREDENTIALS_EXPIRED

Expired credentials detected error.

public static final int DEFECTIVE_CREDENTIAL
skipping to change at page 75, line 5

Unsupported QOP value error.

public static final int UNAUTHORIZED

Operation unauthorized error.

public static final int UNAVAILABLE

Operation unavailable error.
public static final int DUPLICATE_ELEMENT

Duplicate credential element requested error.

public static final int NAME_NOT_MN

Name contains multi-mechanism elements error.

public static final int DUPLICATE_TOKEN
skipping to change at page 76, line 5

error code that may occur during context establishment. It is not
used to indicate supplementary status values. The MessageProp object
is used for that purpose.

6.8.2. Constructors

public GSSException(int majorCode)

Creates a GSSException object with a specified major code.
Parameters:

majorCode The GSS error code causing this exception to be
thrown.

public GSSException(int majorCode, int minorCode, String minorString)

Creates a GSSException object with the specified major code, minor
code, and minor code textual explanation. This constructor is to be
used when the exception is originating from the security mechanism.
skipping to change at page 77, line 5

minor code is set by the underlying mechanism. A value of 0 indicates
that the mechanism error code is not set.

6.8.5. getMajorString

public String getMajorString()

Returns a string explaining the GSS major error code causing this
exception to be thrown.
6.8.6. getMinorString

public String getMinorString()

Returns a string explaining the mechanism specific error code. An
empty string will be returned when no mechanism error code has been
set.

6.8.7. setMinor
skipping to change at page 78, line 5

Throwable.getMessage. It is customary in Java to use this method to
obtain exception information.
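Per-message protection on an established context, serving both the MessageProp description of section 6.4 (desired versus applied QOP and privacy, supplementary status on unwrap) and the GSSException handling of section 6.8 (major and minor codes and their text). This is an added example, not code from the draft; it assumes the org.ietf.jgss API of Java SE (RFC 2853), whose MessageProp(int, boolean) constructor and isDuplicateToken/isOldToken/isUnseqToken accessors correspond to the status values this draft describes in prose.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Sender side: confirms wrap really applied the requested privacy.
 * Receiver side: checks the applied properties and supplementary status
 * reported by unwrap before accepting a message, and treats integrity
 * failures as fatal for the context. Added example; assumes the
 * org.ietf.jgss API of Java SE (RFC 2853).
 */
public final class GuardedMessaging {

    /** Thrown when a token is rejected by local policy rather than by the mechanism. */
    public static final class RejectedTokenException extends Exception {
        public RejectedTokenException(String why) { super(why); }
    }

    /** Wraps payload with confidentiality; refuses to emit a plaintext token silently. */
    public static byte[] send(GSSContext ctx, byte[] payload, int qop) throws GSSException {
        MessageProp prop = new MessageProp(qop, true);   // desired: this QOP, privacy on
        byte[] token = ctx.wrap(payload, 0, payload.length, prop);
        // On return prop holds the APPLIED state (6.4): a mechanism without
        // confidentiality may have produced an integrity-only token.
        if (!prop.getPrivacy()) {
            throw new GSSException(GSSException.FAILURE, 0, "privacy requested but not applied");
        }
        return token;
    }

    /**
     * Unwraps one token. requirePrivacy and strictOrder are the local policy:
     * reject unencrypted, replayed, reordered or missing tokens.
     */
    public static byte[] receive(GSSContext ctx, byte[] token,
                                 boolean requirePrivacy, boolean strictOrder)
            throws GSSException, RejectedTokenException {
        // 6.3.35: per-message operations are only meaningful once isProtReady is true.
        if (!ctx.isProtReady()) {
            throw new RejectedTokenException("context not ready for per-message operations");
        }
        MessageProp prop = new MessageProp(0, false);    // filled in by unwrap
        byte[] msg;
        try {
            msg = ctx.unwrap(token, 0, token.length, prop);
        } catch (GSSException e) {
            // BAD_MIC means the integrity check failed (tampering or key mismatch);
            // none of these leave the context in a state worth keeping.
            if (e.getMajor() == GSSException.BAD_MIC
                    || e.getMajor() == GSSException.DEFECTIVE_TOKEN
                    || e.getMajor() == GSSException.CONTEXT_EXPIRED) {
                ctx.dispose();
            }
            throw e;
        }
        // Applied properties (6.4): verify the mechanism did what the sender claims.
        if (requirePrivacy && !prop.getPrivacy()) {
            throw new RejectedTokenException("token was not encrypted (applied QOP "
                    + prop.getQOP() + ")");
        }
        // Supplementary status is reported here, never through GSSException (6.8).
        if (prop.isDuplicateToken() || prop.isOldToken()) {
            throw new RejectedTokenException("replayed token");
        }
        if (strictOrder && (prop.isUnseqToken() || prop.isGapToken())) {
            throw new RejectedTokenException("token out of sequence or a token is missing");
        }
        return msg;
    }

    /** One log line built from the major/minor codes and their text (6.8.5, 6.8.6). */
    public static String describe(GSSException e) {
        StringBuilder sb = new StringBuilder("GSS-API failure: ")
                .append(e.getMajorString()).append(" [major=").append(e.getMajor()).append(']');
        if (e.getMinor() != 0) {                           // 0: mechanism set no minor code
            sb.append("; mechanism: ").append(e.getMinorString())
              .append(" [minor=").append(e.getMinor()).append(']');
        }
        return sb.toString();
    }
}
```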
7. Acknowledgments

This proposed API leverages earlier work performed by the IETF's CAT
WG as outlined in both RFC 2078 and J. Wray's C-bindings draft for
the GSS-API. Many conceptual definitions, implementation directions,
and explanations have been included from the C-bindings draft.
I would like to thank Mike Eisler, Mayank Upadhyay, Lin Ling, Ram
Marti, Michael Saltz and other members of Sun's development team for
their helpful input, comments and suggestions.

I would also like to thank Michael Smith for many insightful ideas
and suggestions that have contributed to this draft.
8. Bibliography

[GSSAPIv2]
J. Linn, "Generic Security Service Application Program Interface,
Version 2", RFC 2078, January 1997.

[GSSAPIv2-UPDATE]
J. Linn, "Generic Security Service Application Program Interface,
Version 2, Update 1", IETF work in progress, Internet Draft, July
1998.
skipping to change at page 80, line 5

work in progress, Internet Draft, July 1998.

[KERBEROS_V5]
J. Linn, "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, June
1996.

[SPKM]
C. Adams, "The Simple Public-Key GSS-API Mechanism", RFC 2025,
October 1996.
9. Author's Address

Address comments related to this memorandum to:

<cat-ietf@mit.edu>
Jack Kabat Jack Kabat
ValiCert, Inc.
1215 Terra Bella Avenue
Mountain View, CA
94043, USA
Phone: +1-650-567-5496
E-mail: jackk@valicert.com
Mayank Upadhyay
Sun Microsystems, Inc. Sun Microsystems, Inc.
17 Network Circle, MPK 017 901 San Antonio Road, MS MPK17-201
Menlo Park, CA Palo Alto, CA 94303
94025, USA
Phone: +1-650-786-5072 Phone: +1-650-786-4282
E-mail: jkabat@eng.sun.com E-mail: mdu@eng.sun.com
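Review bot: the heading of section 9 still reads "Author's Address" (singular) although this revision adds Mayank Upadhyay as a second author beside Jack Kabat; retitle it "Authors' Addresses" so the heading matches the two author blocks that follow it.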
 End of changes. 86 change blocks. 
172 lines changed or deleted 25 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/