draft-ietf-cat-gssv2-javabind-01.txt   draft-ietf-cat-gssv2-javabind-02.txt 
Internet-Draft Jack Kabat Internet-Draft Jack Kabat
IETF CAT Working Group ValiCert, Inc. IETF CAT Working Group ValiCert, Inc.
Document: <draft-ietf-cat-gssv2-javabind-01.txt> Mayank Upadhyay Document: <draft-ietf-cat-gssv2-javabind-02.txt> Mayank Upadhyay
Sun Microsystems, Inc. Sun Microsystems, Inc.
Generic Security Service API Version 2 : Java bindings Generic Security Service API Version 2 : Java bindings
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
skipping to change at page 2, line 8 skipping to change at page 2, line 8
The GSS-API allows a caller application to authenticate a principal The GSS-API allows a caller application to authenticate a principal
identity, to delegate rights to a peer, and to apply security identity, to delegate rights to a peer, and to apply security
services such as confidentiality and integrity on a per-message services such as confidentiality and integrity on a per-message
basis. Examples of security mechanisms defined for GSS-API are The basis. Examples of security mechanisms defined for GSS-API are The
Simple Public-Key GSS-API Mechanism [SPKM] and The Kerberos Version 5 Simple Public-Key GSS-API Mechanism [SPKM] and The Kerberos Version 5
GSS-API Mechanism [KERBV5]. GSS-API Mechanism [KERBV5].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6
2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 6 2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 7
3. GSS-API Classes . . . . . . . . . . . . . . . . . . . . . . 8 3. Additional Controls . . . . . . . . . . . . . . . . . . . . 8
3.1. GSSCredential class . . . . . . . . . . . . . . . . . . . 8 3.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2. GSSContext class . . . . . . . . . . . . . . . . . . . . . 9 3.2. Mutual Authentication . . . . . . . . . . . . . . . . . 10
3.3. GSSName class . . . . . . . . . . . . . . . . . . . . . 10 3.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 11
3.4. GSSManager class . . . . . . . . . . . . . . . . . . . . 11 3.4. Anonymous Authentication . . . . . . . . . . . . . . . . 11
3.5. GSSException class . . . . . . . . . . . . . . . . . . . 11 3.5. Confidentiality . . . . . . . . . . . . . . . . . . . . 12
3.6. Oid class . . . . . . . . . . . . . . . . . . . . . . . 11 3.6. Inter-process Context Transfer . . . . . . . . . . . . . 13
3.7. MessageProp class . . . . . . . . . . . . . . . . . . . 12 3.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 13
3.8. ChannelBinding class . . . . . . . . . . . . . . . . . . 12 4. Calling Conventions . . . . . . . . . . . . . . . . . . . 14
4. Calling Conventions . . . . . . . . . . . . . . . . . . . 12 4.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 14
4.1. Integer types . . . . . . . . . . . . . . . . . . . . . 12 4.2. Provider Framework . . . . . . . . . . . . . . . . . . . 14
4.2. Opaque Data types . . . . . . . . . . . . . . . . . . . 13 4.3. Integer types . . . . . . . . . . . . . . . . . . . . . 15
4.3. Strings . . . . . . . . . . . . . . . . . . . . . . . . 13 4.4. Opaque Data types . . . . . . . . . . . . . . . . . . . 15
4.4. Object Identifiers . . . . . . . . . . . . . . . . . . . 13 4.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . 15
4.5. Object Identifier Sets . . . . . . . . . . . . . . . . . 13 4.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 16
4.6. Credentials . . . . . . . . . . . . . . . . . . . . . . 14 4.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 16
4.7. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 16 4.8. Credentials . . . . . . . . . . . . . . . . . . . . . . 16
4.8. Authentication tokens . . . . . . . . . . . . . . . . . 16 4.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 18
4.9. Interprocess tokens . . . . . . . . . . . . . . . . . . 16 4.10. Authentication tokens . . . . . . . . . . . . . . . . . 19
4.10. Error Reporting . . . . . . . . . . . . . . . . . . . . 17 4.11. Interprocess tokens . . . . . . . . . . . . . . . . . . 19
4.10.1. GSS status codes . . . . . . . . . . . . . . . . . . 17 4.12. Error Reporting . . . . . . . . . . . . . . . . . . . . 20
4.10.2. Mechanism-specific status codes . . . . . . . . . . . 19 4.12.1. GSS status codes . . . . . . . . . . . . . . . . . . 20
4.10.3. Supplementary status codes . . . . . . . . . . . . . 20 4.12.2. Mechanism-specific status codes . . . . . . . . . . . 22
4.11. Names . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.12.3. Supplementary status codes . . . . . . . . . . . . . 22
4.12. Channel Bindings . . . . . . . . . . . . . . . . . . . 23 4.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.13. Stream Objects . . . . . . . . . . . . . . . . . . . . 24 4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . 26
4.14. Optional Parameters . . . . . . . . . . . . . . . . . . 24 4.15. Stream Objects . . . . . . . . . . . . . . . . . . . . 27
5. Additional Controls . . . . . . . . . . . . . . . . . . . 24 4.16. Optional Parameters . . . . . . . . . . . . . . . . . . 27
5.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 26 5. GSS Provider's Interface . . . . . . . . . . . . . . . . . 27
5.2. Mutual Authentication . . . . . . . . . . . . . . . . . 26 5.1. GSSFactory interface . . . . . . . . . . . . . . . . . . 28
5.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 27 5.2. IGSSName interface . . . . . . . . . . . . . . . . . . . 28
5.4. Anonymous Authentication . . . . . . . . . . . . . . . . 28 5.3. IGSSCredential interface . . . . . . . . . . . . . . . . 29
5.5. Confidentiality . . . . . . . . . . . . . . . . . . . . 29 5.4. IGSSContext interface . . . . . . . . . . . . . . . . . 30
5.6. Inter-process Context Transfer . . . . . . . . . . . . . 29 6. GSS Application Programmer's Classes . . . . . . . . . . . 31
5.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 30 6.1. GSSManager class . . . . . . . . . . . . . . . . . . . . 32
6. Detailed GSS-API Class Description . . . . . . . . . . . . 30 6.2. GSSName class . . . . . . . . . . . . . . . . . . . . . 32
6.1. public class GSSName . . . . . . . . . . . . . . . . . . 30 6.3. GSSCredential class . . . . . . . . . . . . . . . . . . 32
6.1.1. Example Code . . . . . . . . . . . . . . . . . . . . . 30 6.4. GSSContext class . . . . . . . . . . . . . . . . . . . . 32
6.1.2. Class Constants . . . . . . . . . . . . . . . . . . . 31 6.5. MessageProp class . . . . . . . . . . . . . . . . . . . 33
6.1.3. Constructors . . . . . . . . . . . . . . . . . . . . . 32 6.6. GSSException class . . . . . . . . . . . . . . . . . . . 33
6.1.4. equals . . . . . . . . . . . . . . . . . . . . . . . . 34 6.7. Oid class . . . . . . . . . . . . . . . . . . . . . . . 33
6.1.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 34 6.8. ChannelBinding class . . . . . . . . . . . . . . . . . . 33
6.1.6. canonicalize . . . . . . . . . . . . . . . . . . . . . 34 7. Detailed GSS-API Class Description . . . . . . . . . . . . 34
6.1.7. export . . . . . . . . . . . . . . . . . . . . . . . . 35 7.1. public interface GSSFactory . . . . . . . . . . . . . . 34
6.1.8. toString . . . . . . . . . . . . . . . . . . . . . . . 35 7.1.1. createName . . . . . . . . . . . . . . . . . . . . . . 34
6.1.9. getStringNameType . . . . . . . . . . . . . . . . . . 35 7.1.2. createName . . . . . . . . . . . . . . . . . . . . . . 35
6.1.10. clone . . . . . . . . . . . . . . . . . . . . . . . . 35 7.1.3. createName . . . . . . . . . . . . . . . . . . . . . . 36
6.1.11. isAnonymous . . . . . . . . . . . . . . . . . . . . . 35 7.1.4. createName . . . . . . . . . . . . . . . . . . . . . . 36
6.2. public class GSSCredential . . . . . . . . . . . . . . . 35 7.1.5. createCredential . . . . . . . . . . . . . . . . . . . 37
6.2.1. Example Code . . . . . . . . . . . . . . . . . . . . . 36 7.1.6. createCredential . . . . . . . . . . . . . . . . . . . 37
6.2.2. Class Constants . . . . . . . . . . . . . . . . . . . 37 7.1.7. createCredential . . . . . . . . . . . . . . . . . . . 38
6.2.3. Constructors . . . . . . . . . . . . . . . . . . . . . 37 7.1.8. createContext . . . . . . . . . . . . . . . . . . . . 38
6.2.4. dispose . . . . . . . . . . . . . . . . . . . . . . . 39 7.1.9. createContext . . . . . . . . . . . . . . . . . . . . 39
6.2.5. getGSSName . . . . . . . . . . . . . . . . . . . . . . 39 7.1.10. createContext . . . . . . . . . . . . . . . . . . . . 39
6.2.6. getGSSName . . . . . . . . . . . . . . . . . . . . . . 40 7.1.11. getMechs . . . . . . . . . . . . . . . . . . . . . . 39
6.2.7. getRemainingLifetime . . . . . . . . . . . . . . . . . 40 7.1.12. getMechsForName . . . . . . . . . . . . . . . . . . . 40
6.2.8. getRemainingInitLifetime . . . . . . . . . . . . . . . 40 7.1.13. getNamesForMech . . . . . . . . . . . . . . . . . . . 40
6.2.9. getRemainingAcceptLifetime . . . . . . . . . . . . . . 40 7.2. public interface IGSSName extends java.security.Principal 40
6.2.10. getUsage . . . . . . . . . . . . . . . . . . . . . . 41 7.2.1. Static Constants . . . . . . . . . . . . . . . . . . . 41
6.2.11. getUsage . . . . . . . . . . . . . . . . . . . . . . 41 7.2.2. equals . . . . . . . . . . . . . . . . . . . . . . . . 42
6.2.12. getMechs . . . . . . . . . . . . . . . . . . . . . . 41 7.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . . 42
6.2.13. add . . . . . . . . . . . . . . . . . . . . . . . . . 41 7.2.4. canonicalize . . . . . . . . . . . . . . . . . . . . . 42
6.2.14. equals . . . . . . . . . . . . . . . . . . . . . . . 42 7.2.5. export . . . . . . . . . . . . . . . . . . . . . . . . 43
6.3. public class GSSContext . . . . . . . . . . . . . . . . 43 7.2.6. toString . . . . . . . . . . . . . . . . . . . . . . . 43
6.3.1. Example Code . . . . . . . . . . . . . . . . . . . . . 44 7.2.7. getStringNameType . . . . . . . . . . . . . . . . . . 43
6.3.2. Class Constants . . . . . . . . . . . . . . . . . . . 45 7.2.8. isAnonymous . . . . . . . . . . . . . . . . . . . . . 43
6.3.3. Constructors . . . . . . . . . . . . . . . . . . . . . 46 7.2.9. isMN . . . . . . . . . . . . . . . . . . . . . . . . . 44
6.3.4. init . . . . . . . . . . . . . . . . . . . . . . . . . 47 7.3. public interface IGSSCredential implements Cloneable . . 44
6.3.4.1. Example Code . . . . . . . . . . . . . . . . . . . . 47 7.3.1. Static Constants . . . . . . . . . . . . . . . . . . . 45
6.3.5. init . . . . . . . . . . . . . . . . . . . . . . . . . 48 7.3.2. dispose . . . . . . . . . . . . . . . . . . . . . . . 45
6.3.5.1. Example Code . . . . . . . . . . . . . . . . . . . . 49 7.3.3. getName . . . . . . . . . . . . . . . . . . . . . . . 45
6.3.6. accept . . . . . . . . . . . . . . . . . . . . . . . . 50 7.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 46
6.3.6.1. Example Code . . . . . . . . . . . . . . . . . . . . 50 7.3.5. getRemainingLifetime . . . . . . . . . . . . . . . . . 46
6.3.7. accept . . . . . . . . . . . . . . . . . . . . . . . . 51 7.3.6. getRemainingInitLifetime . . . . . . . . . . . . . . . 46
6.3.7.1. Example Code . . . . . . . . . . . . . . . . . . . . 52 7.3.7. getRemainingAcceptLifetime . . . . . . . . . . . . . . 46
6.3.8. isEstablished . . . . . . . . . . . . . . . . . . . . 52 7.3.8. getUsage . . . . . . . . . . . . . . . . . . . . . . . 47
6.3.9. dispose . . . . . . . . . . . . . . . . . . . . . . . 52 7.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . . 47
6.3.10. getWrapSizeLimit . . . . . . . . . . . . . . . . . . 53 7.3.10. getMechs . . . . . . . . . . . . . . . . . . . . . . 47
6.3.11. wrap . . . . . . . . . . . . . . . . . . . . . . . . 53 7.3.11. add . . . . . . . . . . . . . . . . . . . . . . . . . 47
6.3.12. wrap . . . . . . . . . . . . . . . . . . . . . . . . 54 7.3.12. equals . . . . . . . . . . . . . . . . . . . . . . . 48
6.3.13. unwrap . . . . . . . . . . . . . . . . . . . . . . . 55 7.4. public interface IGSSContext . . . . . . . . . . . . . . 49
6.3.14. unwrap . . . . . . . . . . . . . . . . . . . . . . . 56 7.4.1. Static Constants . . . . . . . . . . . . . . . . . . . 50
6.3.15. getMIC . . . . . . . . . . . . . . . . . . . . . . . 56 7.4.2. initSecContext . . . . . . . . . . . . . . . . . . . . 50
6.3.16. getMIC . . . . . . . . . . . . . . . . . . . . . . . 57 7.4.2.1. Example Code . . . . . . . . . . . . . . . . . . . . 51
6.3.17. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 57 7.4.3. initSecContext . . . . . . . . . . . . . . . . . . . . 51
6.3.18. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 58 7.4.3.1. Example Code . . . . . . . . . . . . . . . . . . . . 52
6.3.19. export . . . . . . . . . . . . . . . . . . . . . . . 59 7.4.4. acceptSecContext . . . . . . . . . . . . . . . . . . . 53
6.3.20. requestMutualAuth . . . . . . . . . . . . . . . . . . 60 7.4.4.1. Example Code . . . . . . . . . . . . . . . . . . . . 54
6.3.21. requestReplayDet . . . . . . . . . . . . . . . . . . 60 7.4.5. acceptSecContext . . . . . . . . . . . . . . . . . . . 54
6.3.22. requestSequenceDet . . . . . . . . . . . . . . . . . 60 7.4.5.1. Example Code . . . . . . . . . . . . . . . . . . . . 55
6.3.23. requestCredDeleg . . . . . . . . . . . . . . . . . . 60 7.4.6. isEstablished . . . . . . . . . . . . . . . . . . . . 56
6.3.24. requestAnonymity . . . . . . . . . . . . . . . . . . 61 7.4.7. dispose . . . . . . . . . . . . . . . . . . . . . . . 56
6.3.25. requestConf . . . . . . . . . . . . . . . . . . . . . 61 7.4.8. getWrapSizeLimit . . . . . . . . . . . . . . . . . . . 56
6.3.26. requestInteg . . . . . . . . . . . . . . . . . . . . 61 7.4.9. wrap . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.27. requestLifetime . . . . . . . . . . . . . . . . . . . 62 7.4.10. wrap . . . . . . . . . . . . . . . . . . . . . . . . 58
6.3.28. setChannelBinding . . . . . . . . . . . . . . . . . . 62 7.4.11. unwrap . . . . . . . . . . . . . . . . . . . . . . . 59
6.3.29. getCredDelegState . . . . . . . . . . . . . . . . . . 62 7.4.12. unwrap . . . . . . . . . . . . . . . . . . . . . . . 59
6.3.30. getMutualAuthState . . . . . . . . . . . . . . . . . 62 7.4.13. getMIC . . . . . . . . . . . . . . . . . . . . . . . 60
6.3.31. getReplayDetState . . . . . . . . . . . . . . . . . . 63 7.4.14. getMIC . . . . . . . . . . . . . . . . . . . . . . . 61
6.3.32. getSequenceDetState . . . . . . . . . . . . . . . . . 63 7.4.15. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 61
6.3.33. getAnonymityState . . . . . . . . . . . . . . . . . . 63 7.4.16. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 62
6.3.34. isTransferable . . . . . . . . . . . . . . . . . . . 63 7.4.17. export . . . . . . . . . . . . . . . . . . . . . . . 63
6.3.35. isProtReady . . . . . . . . . . . . . . . . . . . . . 63 7.4.18. requestMutualAuth . . . . . . . . . . . . . . . . . . 64
6.3.36. getConfState . . . . . . . . . . . . . . . . . . . . 64 7.4.19. requestReplayDet . . . . . . . . . . . . . . . . . . 64
6.3.37. getIntegState . . . . . . . . . . . . . . . . . . . . 64 7.4.20. requestSequenceDet . . . . . . . . . . . . . . . . . 64
6.3.38. getLifetime . . . . . . . . . . . . . . . . . . . . . 64 7.4.21. requestCredDeleg . . . . . . . . . . . . . . . . . . 65
6.3.39. getSrcName . . . . . . . . . . . . . . . . . . . . . 64 7.4.22. requestAnonymity . . . . . . . . . . . . . . . . . . 65
6.3.40. getTargName . . . . . . . . . . . . . . . . . . . . . 64 7.4.23. requestConf . . . . . . . . . . . . . . . . . . . . . 65
6.3.41. getMech . . . . . . . . . . . . . . . . . . . . . . . 65 7.4.24. requestInteg . . . . . . . . . . . . . . . . . . . . 66
6.3.42. getDelegCred . . . . . . . . . . . . . . . . . . . . 65 7.4.25. requestLifetime . . . . . . . . . . . . . . . . . . . 66
6.3.43. isInitiator . . . . . . . . . . . . . . . . . . . . . 65 7.4.26. setChannelBinding . . . . . . . . . . . . . . . . . . 66
6.4. public class MessageProp . . . . . . . . . . . . . . . . 65 7.4.27. getCredDelegState . . . . . . . . . . . . . . . . . . 66
6.4.1. Constructors . . . . . . . . . . . . . . . . . . . . . 66 7.4.28. getMutualAuthState . . . . . . . . . . . . . . . . . 67
6.4.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . . 66 7.4.29. getReplayDetState . . . . . . . . . . . . . . . . . . 67
6.4.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . . 66 7.4.30. getSequenceDetState . . . . . . . . . . . . . . . . . 67
6.4.4. setQOP . . . . . . . . . . . . . . . . . . . . . . . . 66 7.4.31. getAnonymityState . . . . . . . . . . . . . . . . . . 67
6.4.5. setPrivacy . . . . . . . . . . . . . . . . . . . . . . 67 7.4.32. isTransferable . . . . . . . . . . . . . . . . . . . 67
6.4.6. isDuplicateToken . . . . . . . . . . . . . . . . . . . 67 7.4.33. isProtReady . . . . . . . . . . . . . . . . . . . . . 68
6.4.7. isOldToken . . . . . . . . . . . . . . . . . . . . . . 67 7.4.34. getConfState . . . . . . . . . . . . . . . . . . . . 68
6.4.8. isUnseqToken . . . . . . . . . . . . . . . . . . . . . 67 7.4.35. getIntegState . . . . . . . . . . . . . . . . . . . . 68
6.4.9. isGapToken . . . . . . . . . . . . . . . . . . . . . . 67 7.4.36. getLifetime . . . . . . . . . . . . . . . . . . . . . 68
6.5. public class GSSManager . . . . . . . . . . . . . . . . 67 7.4.37. getSrcName . . . . . . . . . . . . . . . . . . . . . 68
6.5.1. getMechs . . . . . . . . . . . . . . . . . . . . . . . 68 7.4.38. getTargName . . . . . . . . . . . . . . . . . . . . . 69
6.5.2. getNamesForMech . . . . . . . . . . . . . . . . . . . 68 7.4.39. getMech . . . . . . . . . . . . . . . . . . . . . . . 69
6.5.3. getMechsForName . . . . . . . . . . . . . . . . . . . 68 7.4.40. getDelegCred . . . . . . . . . . . . . . . . . . . . 69
6.5.4. getDefaultMech . . . . . . . . . . . . . . . . . . . . 68 7.4.41. isInitiator . . . . . . . . . . . . . . . . . . . . . 69
6.6. public class ChannelBinding . . . . . . . . . . . . . . 68 7.5. public class MessageProp . . . . . . . . . . . . . . . . 69
6.6.1. Constructors . . . . . . . . . . . . . . . . . . . . . 69 7.5.1. Constructors . . . . . . . . . . . . . . . . . . . . . 70
6.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 70 7.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . . 70
6.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . . 70 7.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . . 70
6.6.4. getApplicationData . . . . . . . . . . . . . . . . . . 70 7.5.4. setQOP . . . . . . . . . . . . . . . . . . . . . . . . 71
6.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 70 7.5.5. setPrivacy . . . . . . . . . . . . . . . . . . . . . . 71
6.7. public class Oid . . . . . . . . . . . . . . . . . . . . 70 7.5.6. isDuplicateToken . . . . . . . . . . . . . . . . . . . 71
6.7.1. Constructors . . . . . . . . . . . . . . . . . . . . . 71 7.5.7. isOldToken . . . . . . . . . . . . . . . . . . . . . . 71
6.7.2. toString . . . . . . . . . . . . . . . . . . . . . . . 71 7.5.8. isUnseqToken . . . . . . . . . . . . . . . . . . . . . 71
6.7.3. toRFC2078String . . . . . . . . . . . . . . . . . . . 72 7.5.9. isGapToken . . . . . . . . . . . . . . . . . . . . . . 72
6.7.4. equals . . . . . . . . . . . . . . . . . . . . . . . . 72 7.5.10. setSupplementaryStates . . . . . . . . . . . . . . . 72
6.7.5. getDER . . . . . . . . . . . . . . . . . . . . . . . . 72 7.6. public class ChannelBinding . . . . . . . . . . . . . . 72
6.7.6. containedIn . . . . . . . . . . . . . . . . . . . . . 72 7.6.1. Constructors . . . . . . . . . . . . . . . . . . . . . 73
6.8. public class GSSException extends Exception . . . . . . 72 7.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 73
6.8.1. Class Constants . . . . . . . . . . . . . . . . . . . 73 7.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . . 74
6.8.2. Constructors . . . . . . . . . . . . . . . . . . . . . 75 7.6.4. getApplicationData . . . . . . . . . . . . . . . . . . 74
6.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . . 76 7.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 74
6.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . . 76 7.7. public class Oid . . . . . . . . . . . . . . . . . . . . 74
6.8.5. getMajorString . . . . . . . . . . . . . . . . . . . . 76 7.7.1. Constructors . . . . . . . . . . . . . . . . . . . . . 75
6.8.6. getMinorString . . . . . . . . . . . . . . . . . . . . 77 7.7.2. toString . . . . . . . . . . . . . . . . . . . . . . . 75
6.8.7. setMinor . . . . . . . . . . . . . . . . . . . . . . . 77 7.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . . 75
6.8.8. toString . . . . . . . . . . . . . . . . . . . . . . . 77 7.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . . 76
6.8.9. getMessage . . . . . . . . . . . . . . . . . . . . . . 77 7.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 76
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 77 7.8. public class GSSException extends Exception . . . . . . 76
8. Bibliography . . . . . . . . . . . . . . . . . . . . . . . 79 7.8.1. Static Constants . . . . . . . . . . . . . . . . . . . 76
9. Author's Address . . . . . . . . . . . . . . . . . . . . . 80 7.8.2. Constructors . . . . . . . . . . . . . . . . . . . . . 79
7.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . . 80
7.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . . 80
7.8.5. getMajorString . . . . . . . . . . . . . . . . . . . . 80
7.8.6. getMinorString . . . . . . . . . . . . . . . . . . . . 80
7.8.7. setMinor . . . . . . . . . . . . . . . . . . . . . . . 81
7.8.8. toString . . . . . . . . . . . . . . . . . . . . . . . 81
7.8.9. getMessage . . . . . . . . . . . . . . . . . . . . . . 81
7.9. public abstract class GSSManager . . . . . . . . . . . . 81
7.9.1. Example . . . . . . . . . . . . . . . . . . . . . . . 82
7.9.2. setDefaultProvider . . . . . . . . . . . . . . . . . . 82
7.9.3. getDefaultProvider . . . . . . . . . . . . . . . . . . 83
7.9.4. getMechs . . . . . . . . . . . . . . . . . . . . . . . 83
7.9.5. getNamesForMech . . . . . . . . . . . . . . . . . . . 83
7.9.6. getMechsForName . . . . . . . . . . . . . . . . . . . 83
7.9.7. getProviderFromToken . . . . . . . . . . . . . . . . . 84
7.9.8. getProviderForMechanism . . . . . . . . . . . . . . . 84
7.10. public class GSSName implements IGSSName . . . . . . . 85
7.10.1. Example . . . . . . . . . . . . . . . . . . . . . . . 86
7.10.2. Constructors . . . . . . . . . . . . . . . . . . . . 87
7.10.3. getProvider . . . . . . . . . . . . . . . . . . . . . 89
7.11. public class GSSCredential implements IGSSCredential . 89
7.11.1. Example . . . . . . . . . . . . . . . . . . . . . . . 90
7.11.2. Constructors . . . . . . . . . . . . . . . . . . . . 91
7.11.3. getProvider . . . . . . . . . . . . . . . . . . . . . 93
7.12. public class GSSContext implements IGSSContext . . . . 93
7.12.1. Example . . . . . . . . . . . . . . . . . . . . . . . 96
7.12.2. Constructors . . . . . . . . . . . . . . . . . . . . 97
7.12.3. getProvider . . . . . . . . . . . . . . . . . . . . . 99
8. Sample Applications . . . . . . . . . . . . . . . . . . . 99
8.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 100
8.2. GSS Context Acceptor Using Multiple Providers . . . . . 104
8.3. GSS Context Initiator Using the Provider Factory Directly 108
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 112
10. Bibliography . . . . . . . . . . . . . . . . . . . . . . 114
11. Author's Address . . . . . . . . . . . . . . . . . . . . 115
1. Introduction 1. Introduction
This document specifies Java language bindings for the Generic This document specifies Java language bindings for the Generic
Security Services Application Programming Interface (GSS-API) Version Security Services Application Programming Interface (GSS-API) Version
2. GSS-API Version 2 is described in a language independent format in 2. GSS-API Version 2 is described in a language independent format in
RFC 2078 [GSSAPIv2]. The GSS-API allows a caller application to RFC 2078 [GSSAPIv2]. The GSS-API allows a caller application to
authenticate a principal identity, to delegate rights to a peer, and authenticate a principal identity, to delegate rights to a peer, and
to apply security services such as confidentiality and integrity on a to apply security services such as confidentiality and integrity on a
per-message basis. per-message basis.
This document leverages on the work performed by the WG in the area This document leverages the work performed by the WG in the area of
of RFC 2078 [GSSAPIv2] the C-bindings draft [GSSAPI-C]. Whenever RFC 2078 [GSSAPIv2] the C-bindings draft [GSSAPI-C]. Whenever
appropriate, text has been used from the C-bindings document to appropriate, text has been used from the C-bindings document to
explain generic concepts and provide direction to the implementors. explain generic concepts and provide direction to the implementors.
The design goals of this API have been to satisfy all the The design goals of this API have been to satisfy all the
functionality defined in RFC 2078 and to provide these services in an functionality defined in RFC 2078 and to provide these services in an
object oriented method. Further, the specification presents an API object oriented method. The specification also aims to satisfy the
that will naturally fit within the operation environment of the Java needs of both types of Java application developers, those who would
platform. Readers are assumed to be familiar with both the GSS-API like access to a "system-wide" GSS-API implementation, as well as
and the Java platform. those who would want to provide their own "custom" implementation.
A "system-wide" implementation is one that is available to all
applications in the form of a library package. It may be a standard
package in the Java runtime environment (JRE) being used or it may be
additionally installed and accessible to any application via the
CLASSPATH.
A "custom" implementation of the GSS-API, on the other hand, is one
that would, in most cases, be bundled with the application during
distribution. It is expected that such an implementation would be
meant to provide for some particular need of the application, such as
support for some specific mechanism.
The design of this API also aims to allow applications to add to and
choose between GSS-API implementations at runtime. Key elements from
one implementation may be added to the remaining framework from
another implementation ("system-wide") to support new mechanisms with
minimum addition of binaries. This is particularly useful to applet
developers who need flexibility in choice but prefer to remain
lightweight.
Lastly, this specification presents an API that will naturally fit
within the operation environment of the Java platform. Readers are
assumed to be familiar with both the GSS-API and the Java platform.
2. GSS-API Operational Paradigm 2. GSS-API Operational Paradigm
The Generic Security Service Application Programming Interface The Generic Security Service Application Programming Interface
[GSSAPIv2] defines a generic security API to calling applications. [GSSAPIv2] defines a generic security API to calling applications.
It allows a communicating application to authenticate the user It allows a communicating application to authenticate the user
associated with another application, to delegate rights to another associated with another application, to delegate rights to another
application, and to apply security services such as confidentiality application, and to apply security services such as confidentiality
and integrity on a per-message basis. and integrity on a per-message basis.
skipping to change at page 7, line 19 skipping to change at page 7, line 42
initiator. The initiator may optionally give the responder initiator. The initiator may optionally give the responder
the right to initiate further security contexts, acting as the right to initiate further security contexts, acting as
an agent or delegate of the initiator. This transfer of an agent or delegate of the initiator. This transfer of
rights is termed "delegation", and is achieved by creating rights is termed "delegation", and is achieved by creating
a set of credentials, similar to those used by the a set of credentials, similar to those used by the
initiating application, but which may be used by the initiating application, but which may be used by the
responder. responder.
A GSSContext object is used to establish and maintain the A GSSContext object is used to establish and maintain the
shared information that makes up the security context. shared information that makes up the security context.
(Please note that for the purposes of this discussion,
GSSContext and IGSSContext are used interchangeably).
Certain GSSContext methods will generate a token, which Certain GSSContext methods will generate a token, which
applications treat as cryptographically protected, opaque applications treat as cryptographically protected, opaque
data. The caller of such GSSContext method is responsible data. The caller of such GSSContext method is responsible
for transferring the token to the peer application, for transferring the token to the peer application,
encapsulated if necessary in an application-to-application encapsulated if necessary in an application-to-application
protocol. On receipt of such a token, the peer application protocol. On receipt of such a token, the peer application
should pass it to a corresponding GSSContext method which should pass it to a corresponding GSSContext method which
will decode the token and extract the information, updating will decode the token and extract the information, updating
the security context state information accordingly. the security context state information accordingly.
skipping to change at page 8, line 9 skipping to change at page 8, line 34
4) At the completion of a communications session (which may 4) At the completion of a communications session (which may
extend across several transport connections), each extend across several transport connections), each
application uses a GSSContext method to invalidate the application uses a GSSContext method to invalidate the
security context and release any system or cryptographic security context and release any system or cryptographic
resources held. Multiple contexts may also be used (either resources held. Multiple contexts may also be used (either
successively or simultaneously) within a single successively or simultaneously) within a single
communications association, at the discretion of the communications association, at the discretion of the
applications. applications.
3. GSS-API Classes 3. Additional Controls
This section presents a brief description of the classes comprising
the GSS-API class library and the corresponding RFC 2078
functionality implemented by each of them. Detailed description of
all the classes and their corresponding methods is presented in
section 6.
3.1. GSSCredential class
The GSSCredential class is responsible for the encapsulation of GSS-
API credentials. Credentials identify a single entity and provide the
necessary cryptographic information to enable the creation of a
context on behalf of that entity. A single GSSCredential may contain
multiple mechanism specific credentials, each referred to as a
credential element. The GSSCredential class implements the
functionality of the following GSS-API routines:
RFC 2078 Routine Function Section(s)
gss_acquire_cred Acquire credential for use. 6.2.3
gss_add_cred Constructs credentials 6.2.13
incrementally.
gss_inquire_cred Obtain information about 6.2.5-6.2.12
credential.
gss_inquire_cred_by_mech Obtain per-mechanism 6.2.5-6.2.12
information about
a credential.
gss_release_cred Disposes of credentials 6.2.4 This section discusses the optional services that a context initiator
after use. may request of the GSS-API before the context establishment. Each of
these services is requested by calling the appropriate mutator method
in the GSSContext object before the first call to init is performed.
Only the context initiator can request context flags.
3.2. GSSContext class The optional services defined are:
This class encapsulates the functionality of context-level calls Delegation
required for security context establishment and management between The (usually temporary) transfer of rights from initiator to
peers as well as the per-message services offered to applications. A acceptor, enabling the acceptor to authenticate itself as an
context is established between a pair of peers and allows the usage agent of the initiator.
of security services on a per-message basis on application data. It
is created over a single security mechanism. The GSSContext class
implements the functionality of the following GSS-API routines:
RFC 2078 Routine Function Section(s) Mutual Authentication
In addition to the initiator authenticating its identity to the
context acceptor, the context acceptor should also authenticate
itself to the initiator.
gss_init_sec_context Initiate the creation of a 6.3.4, Replay Detection
security context with 6.3.5 In addition to providing message integrity services, GSSContext
a peer. per-message operations of getMIC and wrap should include message
numbering information to enable verifyMIC and unwrap to detect
if a message has been duplicated.
gss_accept_sec_context Accept a security context 6.3.6, Out-of-Sequence Detection
initiated by a peer. 6.3.7 In addition to providing message integrity services, GSSContext
per-message operations (getMIC and wrap) should include message
sequencing information to enable verifyMIC and unwrap to detect
if a message has been received out of sequence.
gss_delete_sec_context Destroy a security context. 6.3.9 Anonymous Authentication
The establishment of the security context should not reveal the
initiator's identity to the context acceptor.
gss_context_time Obtain remaining context 6.3.38 Some mechanisms may not support all optional services, and some
time. mechanisms may only support some services in conjunction with others.
The GSSContext class offers query methods to allow the verification
by the calling application of which services will be available from
the context when the establishment phase is complete. In general, if
the security mechanism is capable of providing a requested service,
it should do so even if additional services must be enabled in order
to provide the requested service. If the mechanism is incapable of
providing a requested service, it should proceed without the service
leaving the application to abort the context establishment process if
it considers the requested service to be mandatory.
gss_inquire_context Obtain context 6.3.38 to Some mechanisms may specify that support for some services is
characteristics. 6.3.43 optional, and that implementors of the mechanism need not provide it.
This is most commonly true of the confidentiality service, often
because of legal restrictions on the use of data-encryption, but may
apply to any of the services. Such mechanisms are required to send
at least one token from acceptor to initiator during context
establishment when the initiator indicates a desire to use such a
service, so that the initiating GSS-API can correctly indicate
whether the service is supported by the acceptor's GSS-API.
gss_wrap_size_limit Determine token-size limit 6.3.10 3.1. Delegation
for gss_wrap.
gss_export_sec_context Transfer security context 6.3.19 The GSS-API allows delegation to be controlled by the initiating
to another process. application via the requestCredDeleg method before the first call to
init has been issued. Some mechanisms do not support delegation, and
for such mechanisms attempts by an application to enable delegation
are ignored.
gss_import_sec_context Create a previously exported 6.3.3 The acceptor of a security context, for which the initiator enabled
context. delegation, can check if delegation was enabled by using the
getCredDelegState method of the GSSContext class. In cases when it
is, the delegated credential object can be obtained by calling the
getDelegCred method. The obtained IGSSCredential object may then be
used to initiate subsequent GSS-API security contexts as an agent or
delegate of the initiator. (Please note that for the purposes of
this discussion GSSCredential and IGSSCredential are used
interchangeably.) If the original initiator's identity is "A" and
the delegate's identity is "B", then, depending on the underlying
mechanism, the identity embodied by the delegated credential may be
either "A" or "B acting for A".
gss_get_mic Calculate a cryptographic 6.3.15, For many mechanisms that support delegation, a simple boolean does
Message Integrity Code (MIC) 6.3.16 not provide enough control. Examples of additional aspects of
for a message. delegation control that a mechanism might provide to an application
are duration of delegation, network addresses from which delegation
is valid, and constraints on the tasks that may be performed by a
delegate. Such controls are presently outside the scope of the GSS-
API. GSS-API implementations supporting mechanisms offering
additional controls should provide extension routines that allow
these controls to be exercised (perhaps by modifying the initiator's
GSS-API credential object prior to its use in establishing a
context). However, the simple delegation control provided by GSS-API
should always be able to over-ride other mechanism-specific
delegation controls. If the application instructs the GSSContext
object that delegation is not desired, then the implementation must
not permit delegation to occur. This is an exception to the general
rule that a mechanism may enable services even if they are not
requested - delegation may only be provided at the explicit request
of the application.
gss_verify_mic Verify integrity on a received 6.3.17, 3.2. Mutual Authentication
message. 6.3.18
gss_wrap Attach a MIC to a message and 6.3.11, Usually, a context acceptor will require that a context initiator
optionally encrypt the message 6.3.12 authenticate itself so that the acceptor may make an access-control
content. decision prior to performing a service for the initiator. In some
cases, the initiator may also request that the acceptor authenticate
itself. GSS-API allows the initiating application to request this
mutual authentication service by calling the requestMutualAuth method
of the GSSContext class with a "true" parameter before making the
first call to init. The initiating application is informed as to
whether or not the context acceptor has authenticated itself. Note
that some mechanisms may not support mutual authentication, and other
mechanisms may always perform mutual authentication, whether or not
the initiating application requests it. In particular, mutual
authentication may be required by some mechanisms in order to support
replay or out-of-sequence message detection, and for such mechanisms
a request for either of these services will automatically enable
mutual authentication.
gss_unwrap Obtain a previously wrapped 6.3.13, 3.3. Replay and Out-of-Sequence Detection
application message verifying 6.3.14
its integrity and optionally
decrypting it.
The functionality offered by the gss_process_context_token routine The GSS-API may provide detection of mis-ordered messages once a
has not been included in the Java bindings specification. The security context has been established. Protection may be applied to
corresponding functionality of gss_delete_sec_context has also been messages by either application, by calling either getMIC or wrap
modified to not return any peer tokens. This has been proposed in methods of the GSSContext class, and verified by the peer application
accordance to the recommendations stated in the RFC 2078 update by calling verifyMIC or unwrap for the peer's GSSContext object.
draft. GSSContext does offer the functionality of destroying the
locally-stored context information.
3.3. GSSName class The getMIC method calculates a cryptographic checksum of an
application message, and returns that checksum in a token. The
application should pass both the token and the message to the peer
application, which presents them to the verifyMIC method of the
peer's GSSContext object.
GSS-API names are represented in the Java bindings through the The wrap method calculates a cryptographic checksum of an application
GSSName class. Different name formats and their definitions are message, and places both the checksum and the message inside a single
identified with universal Object Identifiers (oids). The format of token. The application should pass the token to the peer
the names can be derived based on the unique oid of each name type. application, which presents it to the unwrap method of the peer's
The following GSS-API routines are implemented by the GSSName object: GSSContext object to extract the message and verify the checksum.
RFC 2078 Routine Function Section(s) Either pair of routines may be capable of detecting out-of-sequence
message delivery, or duplication of messages. Details of such mis-
ordered messages are indicated through supplementary query methods of
the MessageProp object that is filled in by each of these routines.
gss_import_name Create an internal name from 6.1.3 A mechanism need not maintain a list of all tokens that have been
the supplied information. processed in order to support these status codes. A typical
mechanism might retain information about only the most recent "N"
tokens processed, allowing it to distinguish duplicates and missing
tokens within the most recent "N" messages; the receipt of a token
older than the most recent "N" would result in the isOldToken method
of the instance of MessageProp to return "true".
gss_display_name Covert internal name 6.1.8, 6.1.9 3.4. Anonymous Authentication
representation to text format.
gss_compare_name Compare two internal names. 6.1.4, 6.1.5 In certain situations, an application may wish to initiate the
authentication process to authenticate a peer, without revealing its
own identity. As an example, consider an application providing
access to a database containing medical information, and offering
unrestricted access to the service. A client of such a service might
wish to authenticate the service (in order to establish trust in any
information retrieved from it), but might not wish the service to be
able to obtain the client's identity (perhaps due to privacy concerns
about the specific inquiries, or perhaps simply to avoid being placed
on mailing-lists).
gss_release_name Release resources associated N/A In normal use of the GSS-API, the initiator's identity is made
with the internal name. available to the acceptor as a result of the context establishment
process. However, context initiators may request that their identity
not be revealed to the context acceptor. Many mechanisms do not
support anonymous authentication, and for such mechanisms the request
will not be honored. An authentication token will still be
generated, but the application is always informed if a requested
service is unavailable, and has the option to abort context
establishment if anonymity is valued above the other security
services that would require a context to be established.
gss_canonicalize_name Convert an internal name to a 6.1.3, 6.1.6 In addition to informing the application that a context is
mechanism name. established anonymously (via the isAnonymous method of the GSSContext
class), the getSrcName method of the acceptor's GSSContext object
will, for such contexts, return a reserved internal-form name,
defined by the implementation.
gss_export_name Convert a Mechanism name to 6.1.7 The toString method for a GSSName object representing an anonymous
export format. entity will return a printable name. (Please note that for the
purposes of this discussion GSSName and IGSSName are used
interchangeably.) The returned value will be syntactically
distinguishable from any valid principal name supported by the
implementation. The associated name-type object identifier will be
an oid representing the value of NT_ANONYMOUS. This name-type oid
will be defined as a public, static Oid object of the GSSName class.
The printable form of an anonymous name should be chosen such that it
implies anonymity, since this name may appear in, for example, audit
logs. For example, the string "<anonymous>" might be a good choice,
if no valid printable names supported by the implementation can begin
with "<" and end with ">".
gss_duplicate_name Create a copy of the internal 6.1.10 When using the equal method of the GSSName class, and one of the
name. operands is a GSSName instance representing an anonymous entity, the
method must return "false".
3.4. GSSManager class 3.5. Confidentiality
The responsibilities of the GSSManager class is to provide If a GSSContext supports the confidentiality service, wrap method may
functionality common to the entire GSS-API class library. This would be used to encrypt application messages. Messages are selectively
include queries about the mechanisms supported and the default encrypted, under the control of the setPrivacy method of the
mechanism value. GSSManager implements the following RFC 2078 MessageProp object used in the wrap method.
routines:
RFC 2078 Routine Function Section 3.6. Inter-process Context Transfer
gss_inquire_names_for_mech List the name types 6.5.2 GSS-API V2 provides functionality which allows a security context to
supported by the be transferred between processes on a single machine. These are
specified mechanism. implemented using the export method of GSSContext and a byte array
constructor of the same class. The most common use for such a
feature is a client-server design where the server is implemented as
a single process that accepts incoming security contexts, which then
launches child processes to deal with the data on these contexts. In
such a design, the child processes must have access to the security
context object created within the parent so that they can use per-
message protection services and delete the security context when the
communication session ends.
gss_inquire_mechs_for_name List the mechanisms 6.5.3 Since the security context data structure is expected to contain
supporting the sequencing information, it is impractical in general to share a
specified name type. context between processes. Thus GSSContext class provides an export
method that the process, which currently owns the context, can call
to declare that it has no intention to use the context subsequently,
and to create an inter-process token containing information needed by
the adopting process to successfully re-create the context. After
successful completion of export, the original security context is
made inaccessible to the calling process by GSS-API and any further
usage of this object will result in failures. The originating
process transfers the inter-process token to the adopting process,
which creates a new GSSContext object using the byte array
constructor. The properties of the context are equivalent to that of
the original context.
gss_indicate_mechs List the mechanisms 6.5.1 The inter-process token may contain sensitive data from the original
supported by this GSS-API security context (including cryptographic keys). Applications using
implementation. inter-process tokens to transfer security contexts must take
appropriate steps to protect these tokens in transit.
3.5. GSSException class Implementations are not required to support the inter-process
transfer of security contexts. Calling the isTransferable method of
the GSSContext class will indicate if the context object is
transferable.
Exceptions are used in the Java bindings to signal fatal errors to 3.7. The Use of Incomplete Contexts
the calling applications. This replaces the major and minor codes
used in the C-bindings specification as a method of signaling
failures. The GSSException class handles both minor and major codes,
as well as their translation into textual representation. All GSS-
API methods are declared as possibly throwing this exception.
RFC 2078 Routine Function Section Some mechanisms may allow the per-message services to be used before
the context establishment process is complete. For example, a
mechanism may include sufficient information in its initial context-
level tokens for the context acceptor to immediately decode messages
protected with wrap or getMIC. For such a mechanism, the initiating
application need not wait until subsequent context-level tokens have
been sent and received before invoking the per-message protection
services.
gss_display_status Retrieve textual 6.8.5, 6.8.6, An application can invoke the isProtReady method of the GSSContext
representation of error 6.8.8, 6.8.9 class to determine if the per-message services are available in
codes. advance of complete context establishment. Applications wishing to
use per-message protection services on partially-established contexts
should query this method before attempting to invoke wrap or getMIC.
3.6. Oid class 4. Calling Conventions
This utility class is used to represent Universal Object Identifiers Java provides the implementors with not just a syntax for the
and their associated operations. GSS-API uses object identifiers to language, but also an operational environment. For example, memory
distinguish between security mechanisms and name types. This class, is automatically managed and does not require application
aside from being used whenever an object identifier is needed, intervention. These language features have allowed for a simpler API
implements the following GSS-API functionality: and have led to the elimination of certain GSS-API functions.
RFC 2078 Routine Function Section Moreover, the Java security libraries contain a provider architecture
that allows applications to be independent of the implementations of
the security API's they use. Using this model, applications can
seamlessly switch between different implementations at runtime in
order to get support for different mechanisms.
gss_test_oid_set_member Determine if the specified oid 6.7.6 4.1. Package Name
is part of a set of oids.
3.7. MessageProp class The classes and interfaces defined in this document reside in the
package called "org.ietf.JGSS". Applications that wish to make use
of this API should import this package name as shows in section 8.
This helper class is used in the per-message operations of the GSS-API implementors will have their implementation specific classes
GSSContext class to convey the requested and applied per-message that are not defined in this document reside in other packages. The
options. An instance of this class is used to specify the desired QOP GSSManager class insulates the user from knowledge of these provider
and confidentiality state for a per-message operation of the specific packages.
GSSContext class. Upon return from those methods, this object will
contain the applied QOP and confidentiality state as well as any
supplementary status information for the completed per-message
operation.
3.8. ChannelBinding class 4.2. Provider Framework
An instance of this class is used to specify channel binding The Java security API's use a provider architecture that allows
information to the GSSContext object before the start of a security applications to be implementation independent. The
context establishment. The application may use a byte array to java.security.Provider class is an abstract class that a vendor
specify application data to be used in the channel binding as well as extends. This class maps various properties that represent different
using instances of the InetAddress. InetAddress is currently the only security services to the names of the actual vendor classes that
address type defined within the Java platform and as such, it is the implement those services. When requesting a service, an application
only one supported within the ChannelBinding class. simply specifies the desired provider and the API classes delegate
the request to the appropriate provider class.
4. Calling Conventions Providers of the Java GSS-API should map the property
"org.ietf.JGSS.GSSFactory" to the fully qualified name of their
implementation of the GSSFactory class. As explained later in
section 4.1 this class is the bootstrapping class for every GSS
provider and will allow the framework to obtain references to the
other classes that encapsulate the GSS services.
Java provides the implementors with more than just a syntax for the Using the Java security provider model insulates applications from
language, but also an operational environment. For example, memory is implementation details of the providers they wish to use. The
automatically managed and does not require application intervention. benefits of this approach are that applications can switch between
These language features have allowed for a simpler API and have led providers transparently and new providers can be added as needed.
to the elimination of certain GSS-API functions. Binary compatibility is maintained and applications can switch
providers even at runtime. The providers themselves can change
their implementation without having existing applications break.
4.1. Integer types 4.3. Integer types
All numeric values are declared as "int" primitive Java type. The All numeric values are declared as "int" primitive Java type. The
Java specification guarantees that this will be a 32 bit two's Java specification guarantees that this will be a 32 bit two's
complement signed number. complement signed number.
Throughout this API, the "boolean" primitive Java type is used Throughout this API, the "boolean" primitive Java type is used
wherever a boolean value is required or returned. wherever a boolean value is required or returned.
4.2. Opaque Data types 4.4. Opaque Data types
Java byte arrays are used to represent opaque data types which are Java byte arrays are used to represent opaque data types which are
consumed and produced by the GSS-API in the forms of tokens. Java consumed and produced by the GSS-API in the forms of tokens. Java
arrays contain a length field which enables the users to easily arrays contain a length field which enables the users to easily
determine their size. The language has automatic garbage collection determine their size. The language has automatic garbage collection
which alleviates the need by developers to release memory and which alleviates the need by developers to release memory and
simplifies buffer ownership issues. simplifies buffer ownership issues.
4.3. Strings 4.5. Strings
The String object will be used to represent all textual data. The The String object will be used to represent all textual data. The
Java String object, transparently treats all characters as two-byte Java String object, transparently treats all characters as two-byte
Unicode characters which allows support for many locals. All routines Unicode characters which allows support for many locals. All
returning or accepting textual data will use the String object. routines returning or accepting textual data will use the String
object.
4.4. Object Identifiers 4.6. Object Identifiers
An Oid object will be used to represent Universal Object Identifiers An Oid object will be used to represent Universal Object Identifiers
(Oids). Oids are ISO-defined, hierarchically globally-interpretable (Oids). Oids are ISO-defined, hierarchically globally-interpretable
identifiers used within the GSS-API framework to identify security identifiers used within the GSS-API framework to identify security
mechanisms and name formats. The Oid object can be created from a mechanisms and name formats. The Oid object can be created from a
string representation of its dot notation (e.g. "1.3.6.1.5.6.2") as string representation of its dot notation (e.g. "1.3.6.1.5.6.2") as
well as from its ASN.1 DER encoding. Methods are also provided to well as from its ASN.1 DER encoding. Methods are also provided to
test equality and provide the DER representation for the object. test equality and provide the DER representation for the object.
An important feature of the Oid class is that its instances are An important feature of the Oid class is that its instances are
immutable - i.e. there are no methods defined that allow one to immutable - i.e. there are no methods defined that allow one to
change the contents of an Oid. This property allows one to treat change the contents of an Oid. This property allows one to treat
these objects as "statics" without the need to perform copies. these objects as "statics" without the need to perform copies.
Certain routines allow the usage of a default oid. A "null" value can Certain routines allow the usage of a default oid. A "null" value
be used in those cases. can be used in those cases.
4.5. Object Identifier Sets 4.7. Object Identifier Sets
The Java bindings represents object identifiers sets as arrays of Oid The Java bindings represents object identifiers sets as arrays of Oid
objects. All Java arrays contain a length field which allows for easy objects. All Java arrays contain a length field which allows for
manipulation and reference. easy manipulation and reference.
In order to support the full functionality of RFC 2078, the Oid class In order to support the full functionality of RFC 2078, the Oid class
includes a method which checks for existence of an Oid object within includes a method which checks for existence of an Oid object within
a specified array. This is equivalent in functionality to a specified array. This is equivalent in functionality to
gss_test_oid_set_member. The use of Java arrays and Java's automatic gss_test_oid_set_member. The use of Java arrays and Java's automatic
garbage collection has eliminated the need for the following garbage collection has eliminated the need for the following
routines: gss_create_empty_oid_set, gss_release_oid_set, and routines: gss_create_empty_oid_set, gss_release_oid_set, and
gss_add_oid_set_member. Java GSS-API implementations will not contain gss_add_oid_set_member. Java GSS-API implementations will not
them. Java's automatic garbage collection and the immutable property contain them. Java's automatic garbage collection and the immutable
of the Oid object eliminates the complicated memory management issues property of the Oid object eliminates the complicated memory
of the C counterpart. management issues of the C counterpart.
When ever a default value for an Object Identifier Set is required, a When ever a default value for an Object Identifier Set is required, a
"null" value can be used. Please consult the detailed method "null" value can be used. Please consult the detailed method
description for details. description for details.
4.6. Credentials 4.8. Credentials
GSS-API credentials are represented with the GSSCredential object. GSS-API credentials are represented by the GSSCredential interface.
The object contains several constructs to allow for the creation of The interface contains several constructs to allow for the creation
most common credential objects for the initiator and the acceptor. of most common credential objects for the initiator and the acceptor.
Comparisons are performed using the object's "equals" method. The Comparisons are performed using the interface's "equals" method. The
following general description of GSS-API credentials is included from following general description of GSS-API credentials is included from
the C-bindings specification: the C-bindings specification:
GSS-API credentials can contain mechanism-specific principal GSS-API credentials can contain mechanism-specific principal
authentication data for multiple mechanisms. A GSS-API credential is authentication data for multiple mechanisms. A GSS-API credential is
composed of a set of credential-elements, each of which is applicable composed of a set of credential-elements, each of which is applicable
to a single mechanism. A credential may contain at most one to a single mechanism. A credential may contain at most one
credential-element for each supported mechanism. A credential-element credential-element for each supported mechanism. A credential-
identifies the data needed by a single mechanism to authenticate a element identifies the data needed by a single mechanism to
single principal, and conceptually contains two credential-references authenticate a single principal, and conceptually contains two
that describe the actual mechanism-specific authentication data, one credential-references that describe the actual mechanism-specific
to be used by GSS-API for initiating contexts, and one to be used authentication data, one to be used by GSS-API for initiating
for accepting contexts. For mechanisms that do not distinguish contexts, and one to be used for accepting contexts. For mechanisms
between acceptor and initiator credentials, both references would that do not distinguish between acceptor and initiator credentials,
point to the same underlying mechanism-specific authentication data. both references would point to the same underlying mechanism-specific
authentication data.
Credentials describe a set of mechanism-specific principals, and give Credentials describe a set of mechanism-specific principals, and give
their holder the ability to act as any of those principals. All their holder the ability to act as any of those principals. All
principal identities asserted by a single GSS-API credential should principal identities asserted by a single GSS-API credential should
belong to the same entity, although enforcement of this property is belong to the same entity, although enforcement of this property is
an implementation-specific matter. A single GSSCredential object an implementation-specific matter. A single IGSSCredential object
represents all the credential elements that have been acquired. represents all the credential elements that have been acquired.
The constructor's for the GSSContext object allow the value of "null" The creation's of an IGSSContext object allows the value of "null" to
to be specified as their GSSCredential input parameter. This will be specified as the IGSSCredential input parameter. This will
indicate a desire by the application to act as a default principal. indicate a desire by the application to act as a default principal.
While individual GSS-API implementations are free to determine such While individual GSS-API implementations are free to determine such
default behavior as appropriate to the mechanism, the following default behavior as appropriate to the mechanism, the following
default behavior by these routines is recommended for portability: default behavior by these routines is recommended for portability:
For the initiator side of the context: For the initiator side of the context:
1) If there is only a single principal capable of initiating 1) If there is only a single principal capable of initiating
security contexts for the chosen mechanism that the security contexts for the chosen mechanism that the
application is authorized to act on behalf of, then that application is authorized to act on behalf of, then that
skipping to change at page 16, line 6 skipping to change at page 18, line 39
any principal that the application is authorized to accept any principal that the application is authorized to accept
security contexts under using the chosen mechanism may be security contexts under using the chosen mechanism may be
used, otherwise used, otherwise
4) A user-configurable default identity shall be used. 4) A user-configurable default identity shall be used.
The purpose of the above rules is to allow security contexts to be The purpose of the above rules is to allow security contexts to be
established by both initiator and acceptor using the default behavior established by both initiator and acceptor using the default behavior
whenever possible. Applications requesting default behavior are whenever possible. Applications requesting default behavior are
likely to be more portable across mechanisms and implementations than likely to be more portable across mechanisms and implementations than
ones that instantiate a GSSCredential representing a specific ones that instantiate an IGSSCredential object representing a
identity. specific identity.
4.7. Contexts 4.9. Contexts
The GSSContext class is used to represent one end of a GSS-API The IGSSContext interface is used to represent one end of a GSS-API
security context, storing state information appropriate to that end security context, storing state information appropriate to that end
of the peer communication, including cryptographic state information. of the peer communication, including cryptographic state information.
GSSContext class has distinct constructors to allow the creation of The instantiation of the context object is done differently by the
an initiator and acceptor side of the contexts. After the context has initiator and the acceptor. After the context has been instantiated,
been instantiated, the initiator may choose to set various context the initiator may choose to set various context options which will
options which will determine the characteristics of the desired determine the characteristics of the desired security context. When
security context. When all the application desired characteristics all the application desired characteristics have been set, the
have been set, the initiator will call the init method which will initiator will call the initSecContext method which will produce a
produce a token for consumption by the peer's accept method. It is token for consumption by the peer's acceptSecContext method. It is
the responsibility of the application to deliver the authentication the responsibility of the application to deliver the authentication
token(s) between the peer applications for processing. Upon token(s) between the peer applications for processing. Upon
completion of the context establishment phase, context attributes can completion of the context establishment phase, context attributes can
be retrieved, by both the initiator and acceptor, using the accessor be retrieved, by both the initiator and acceptor, using the accessor
methods. These will reflect the actual attributes of the established methods. These will reflect the actual attributes of the established
context. At this point the context can be used by the application to context. At this point the context can be used by the application to
apply cryptographic services to its data. apply cryptographic services to its data.
4.8. Authentication tokens 4.10. Authentication tokens
A token is a caller-opaque type that GSS-API uses to maintain A token is a caller-opaque type that GSS-API uses to maintain
synchronization between each end of the GSS-API security context. The synchronization between each end of the GSS-API security context.
token is a cryptographically protected octet-string, generated by the The token is a cryptographically protected octet-string, generated by
underlying mechanism at one end of a GSS-API security context for use the underlying mechanism at one end of a GSS-API security context for
by the peer mechanism at the other end. Encapsulation (if required) use by the peer mechanism at the other end. Encapsulation (if
within the application protocol and transfer of the token are the required) within the application protocol and transfer of the token
responsibility of the peer applications. are the responsibility of the peer applications.
Java GSS-API uses byte arrays to represent authentication tokens. Java GSS-API uses byte arrays to represent authentication tokens.
Overloaded methods exist which allow the caller to supply input and Overloaded methods exist which allow the caller to supply input and
output streams which will be used for the reading and writing of the output streams which will be used for the reading and writing of the
token data. token data.
4.9. Interprocess tokens 4.11. Interprocess tokens
Certain GSS-API routines are intended to transfer data between Certain GSS-API routines are intended to transfer data between
processes in multi-process programs. These routines use a caller- processes in multi-process programs. These routines use a caller-
opaque octet-string, generated by the GSS-API in one process for use opaque octet-string, generated by the GSS-API in one process for use
by the GSS-API in another process. The calling application is by the GSS-API in another process. The calling application is
responsible for transferring such tokens between processes. Note responsible for transferring such tokens between processes. Note
that, while GSS-API implementors are encouraged to avoid placing that, while GSS-API implementors are encouraged to avoid placing
sensitive information within interprocess tokens, or to sensitive information within interprocess tokens, or to
cryptographically protect them, many implementations will be unable cryptographically protect them, many implementations will be unable
to avoid placing key material or other sensitive data within them. to avoid placing key material or other sensitive data within them.
It is the application's responsibility to ensure that interprocess It is the application's responsibility to ensure that interprocess
tokens are protected in transit, and transferred only to processes tokens are protected in transit, and transferred only to processes
that are trustworthy. An interprocess token is represented using a that are trustworthy. An interprocess token is represented using a
byte array emitted from the export method of the GSSContext class. byte array emitted from the export method of the IGSSContext
The receiver of the interprocess token would use a GSSContext interface. The receiver of the interprocess token would use
constructor to create a new context object from the supplied token. initialize an IGSSContext object with this token to create a new
Once a context has been exported, the GSSContext object is context. Once a context has been exported, the IGSSContext object is
invalidated and is no longer available. invalidated and is no longer available.
4.10. Error Reporting 4.12. Error Reporting
RFC 2078 defined the usage of major and minor status values for RFC 2078 defined the usage of major and minor status values for
signaling of GSS-API errors. The major code, also called GSS status signaling of GSS-API errors. The major code, also called GSS status
code, is used to signal errors at the GSS-API level independent of code, is used to signal errors at the GSS-API level independent of
the underlying mechanism(s). The minor status value or Mechanism the underlying mechanism(s). The minor status value or Mechanism
status code, is a mechanism defined error value indicating a status code, is a mechanism defined error value indicating a
mechanism specific error code. mechanism specific error code.
Java GSS-API uses exceptions implemented by the GSSException class to Java GSS-API uses exceptions implemented by the GSSException class to
signal both minor and major error values. Both, mechanism specific signal both minor and major error values. Both, mechanism specific
errors and GSS-API level errors are signaled through instances of errors and GSS-API level errors are signaled through instances of
this class. The usage of exceptions replaces the need for major and this class. The usage of exceptions replaces the need for major and
minor codes to be used within the API calls. GSSException class also minor codes to be used within the API calls. GSSException class also
contains methods to obtain textual representations for both the major contains methods to obtain textual representations for both the major
and minor values, which is equivalent to the functionality of and minor values, which is equivalent to the functionality of
gss_display_status. gss_display_status.
4.10.1. GSS status codes 4.12.1. GSS status codes
GSS status codes indicate errors that are independent of the GSS status codes indicate errors that are independent of the
underlying mechanism(s) used to provide the security service. The underlying mechanism(s) used to provide the security service. The
errors that can be indicated via a GSS status code are generic API errors that can be indicated via a GSS status code are generic API
routine errors (errors that are defined in the GSS-API routine errors (errors that are defined in the GSS-API
specification). The Java bindings take advantage of the strong type specification). These bindings take advantage of the Java exceptions
checking of the Java language, thus eliminating the need for calling mechanism, thus eliminating the need for calling errors.
errors.
A GSS status code indicates a single fatal generic API error from the A GSS status code indicates a single fatal generic API error from the
routine that has thrown the GSSException. Using exceptions announces routine that has thrown the GSSException. Using exceptions announces
that a fatal error has occurred during the execution of the method. that a fatal error has occurred during the execution of the method.
Several GSS-API routines can also return supplementary status Two GSS-API routines can also return supplementary status information
information which indicate non-fatal errors. These are handled as which indicates non-fatal errors. These are handled as return values
return values since using exceptions is not appropriate for since using exceptions is not appropriate for informatory or
informatory or warning-like information. The methods that are capable warning-like information. The methods that are capable of producing
of producing supplementary information are limited to the per-message supplementary information are the two per-message methods
methods of the GSSContext class, namely verifyMIC and unwrap. These IGSSContext.verifyMIC() and IGSSContext.unwrap(). These methods fill
methods return an instance of MessageProp class which contains the the supplementary status codes in the MessageProp object that was
specific supplementary error information. passed in.
GSSException object, along with providing the functionality for GSSException object, along with providing the functionality for
setting of the various error codes and translating them into textual setting of the various error codes and translating them into textual
representation, also contains the definitions of all the numeric representation, also contains the definitions of all the numeric
error values. The following table lists the definitions of error error values. The following table lists the definitions of error
codes: codes:
Table: GSS Status Codes Table: GSS Status Codes
Name Value Meaning Name Value Meaning
skipping to change at page 19, line 39 skipping to change at page 22, line 25
expired. expired.
DUPLICATE_TOKEN 20 The token was a duplicate of an DUPLICATE_TOKEN 20 The token was a duplicate of an
earlier version. earlier version.
The GSS major status code of FAILURE is used to indicate that the The GSS major status code of FAILURE is used to indicate that the
underlying mechanism detected an error for which no specific GSS underlying mechanism detected an error for which no specific GSS
status code is defined. The mechanism-specific status code can status code is defined. The mechanism-specific status code can
provide more details about the error. provide more details about the error.
4.10.2. Mechanism-specific status codes 4.12.2. Mechanism-specific status codes
The GSSException thrown from a GSS-API method may originate from the The GSSException thrown from a GSS-API method may originate from the
mechanism independent layer or the mechanism specific layer. In the mechanism independent layer or the mechanism specific layer. In the
latter case, the exception will be used to indicate not only the latter case, the exception will be used to indicate not only the
major error codes but also the mechanism specific error code. major error codes but also the mechanism specific error code.
A default value of 0 will be used to represent the absence of the A default value of 0 will be used to represent the absence of the
mechanism specific status code. mechanism specific status code.
4.10.3. Supplementary status codes 4.12.3. Supplementary status codes
Supplementary status codes are confined to the per-message methods of Supplementary status codes are confined to the per-message methods of
the GSSContext class. Because of the informative nature of these the IGSSContext interface. Because of the informative nature of
errors it is not appropriate to use exceptions to signal them. these errors it is not appropriate to use exceptions to signal them.
Instead, the per-message operations of the GSSContext class return an Instead, the per-message operations of the IGSSContext interface
instance of a MessageProp class which contain supplementary status return these values in a MessageProp object.
information.
The MessageProp class defines query methods which return boolean The MessageProp class defines query methods which return boolean
values indicating the following supplementary states: values indicating the following supplementary states:
Table: Supplementary Status Methods Table: Supplementary Status Methods
Method Name Meaning when "true" is returned Method Name Meaning when "true" is returned
isDuplicateToken The token was a duplicate of an isDuplicateToken The token was a duplicate of an
earlier token. earlier token.
isOldToken The token's validity period has isOldToken The token's validity period has
expired. expired.
isUnseqToken A later token has already been isUnseqToken A later token has already been
processed. processed.
skipping to change at page 20, line 38 skipping to change at page 23, line 23
processed. processed.
isGapToken An expected per-message token was isGapToken An expected per-message token was
not received. not received.
"true" return value for any of the above methods indicates that the "true" return value for any of the above methods indicates that the
token exhibited the specified property. The application must token exhibited the specified property. The application must
determine the appropriate course of action for these supplementary determine the appropriate course of action for these supplementary
values. They are not treated as errors by the GSS-API. values. They are not treated as errors by the GSS-API.
4.11. Names 4.13. Names
A name is used to identify a person or entity. GSS-API authenticates A name is used to identify a person or entity. GSS-API authenticates
the relationship between a name and the entity claiming the name. the relationship between a name and the entity claiming the name.
Since different authentication mechanisms may employ different Since different authentication mechanisms may employ different
namespaces for identifying their principals, GSS-API's naming support namespaces for identifying their principals, GSS-API's naming support
is necessarily complex in multi-mechanism environments (or even in is necessarily complex in multi-mechanism environments (or even in
some single-mechanism environments where the underlying mechanism some single-mechanism environments where the underlying mechanism
supports multiple namespaces). supports multiple namespaces).
Two distinct conceptual representations are defined for names: Two distinct conceptual representations are defined for names:
1) A GSS-API form represented by instances of the GSSName class: A 1) A GSS-API form represented by implementations of the IGSSName
single GSSName object may contain multiple names from different interface: A single IGSSName object may contain multiple names
namespaces, but all names should refer to the same entity. An from different namespaces, but all names should refer to the
example of such an internal name would be the name returned from same entity. An example of such an internal name would be the
a call to the getName method of the GSSCredential class, when name returned from a call to the getName method of the
applied to a credential containing credential elements for IGSSCredential interface, when applied to a credential
multiple authentication mechanisms employing different containing credential elements for multiple authentication
namespaces. This GSSName object will contain a distinct name for mechanisms employing different namespaces. This IGSSName object
the entity for each authentication mechanism. will contain a distinct name for the entity for each
authentication mechanism.
For GSS-API implementations supporting multiple namespaces, For GSS-API implementations supporting multiple namespaces,
GSSName object implementations must contain sufficient IGSSName implementations must contain sufficient information to
information to determine the namespace to which each primitive determine the namespace to which each primitive name belongs.
name belongs.
2) Mechanism-specific contiguous byte array and string forms: 2) Mechanism-specific contiguous byte array and string forms:
Different GSSName constructors are provided to handle both byte Different IGSSName initialization methods are provided to handle
array and string formats and to accommodate various calling both byte array and string formats and to accommodate various
applications and name types. These formats are capable of calling applications and name types. These formats are capable
containing only a single name (from a single namespace). of containing only a single name (from a single namespace).
Contiguous string names are always accompanied by an object Contiguous string names are always accompanied by an object
identifier specifying the namespace to which the name belongs, identifier specifying the namespace to which the name belongs,
and their format is dependent on the authentication mechanism and their format is dependent on the authentication mechanism
that employs that name. The string name forms are assumed to be that employs that name. The string name forms are assumed to be
printable, and may therefore be used by GSS-API applications for printable, and may therefore be used by GSS-API applications for
communication with their users. The byte array name formats are communication with their users. The byte array name formats are
assumed to be in non-printable formats (e.g. the byte array assumed to be in non-printable formats (e.g. the byte array
returned from the export method of the GSSName class). returned from the export method of the IGSSName interface).
A GSSName object can be converted to a contiguous representation by An IGSSName object can be converted to a contiguous representation by
using the toString method. This will guarantee that the name will be using the toString method. This will guarantee that the name will be
converted to a printable format. Different constructors for the converted to a printable format. Different initialization methods in
GSSName object are defined allowing support for multiple syntaxes for the IGSSName interface are defined allowing support for multiple
each supported namespace, and allowing users the freedom to choose a syntaxes for each supported namespace, and allowing users the freedom
preferred name representation. The toString method should use an to choose a preferred name representation. The toString method
implementation-chosen printable syntax for each supported name-type. should use an implementation-chosen printable syntax for each
To obtain the printable name type, getStringNameType method can be supported name-type. To obtain the printable name type,
used. getStringNameType method can be used.
There is no guarantee that calling the toString method on a GSSName There is no guarantee that calling the toString method on the
object will produce the same string form as the original imported IGSSName interface will produce the same string form as the original
string name. Furthermore, it is possible that the name was not even imported string name. Furthermore, it is possible that the name was
constructed from a string representation. The same applies to name- not even constructed from a string representation. The same applies
space identifiers which may not necessarily survive unchanged after a to name- space identifiers which may not necessarily survive
journey through the internal name-form. An example of this might be unchanged after a journey through the internal name-form. An example
a mechanism that authenticates X.500 names, but provides an of this might be a mechanism that authenticates X.500 names, but
algorithmic mapping of Internet DNS names into X.500. That provides an algorithmic mapping of Internet DNS names into X.500.
mechanism's implementation of GSSName might, when presented with a That mechanism's implementation of IGSSName might, when presented
DNS name, generate an internal name that contained both the original with a DNS name, generate an internal name that contained both the
DNS name and the equivalent X.500 name. Alternatively, it might only original DNS name and the equivalent X.500 name. Alternatively, it
store the X.500 name. In the latter case, the toString method of might only store the X.500 name. In the latter case, the toString
GSSName would most likely generate a printable X.500 name, rather method of IGSSName would most likely generate a printable X.500 name,
than the original DNS name. rather than the original DNS name.
The context acceptor can obtain an instance of GSSName representing The context acceptor can obtain an IGSSName object representing the
the entity performing the context initiation (through the usage of entity performing the context initiation (through the usage of
getSrcName method). Since this name has been authenticated by a getSrcName method). Since this name has been authenticated by a
single mechanism, it contains only a single name (even if the single mechanism, it contains only a single name (even if the
internal name presented by the context initiator to the GSSContext internal name presented by the context initiator to the IGSSContext
object had multiple components). Such names are termed internal object had multiple components). Such names are termed internal
mechanism names, or "MN"s and the names emitted by GSSContext class mechanism names, or "MN"s and the names emitted by IGSSContext
in the getSrcName and getTargName are always of this type. Since interface in the getSrcName and getTargName are always of this type.
some applications may require MNs without wanting to incur the Since some applications may require MNs without wanting to incur the
overhead of an authentication operation, a set of constructors is overhead of an authentication operation, creation methods are
provided which take not only the name buffer and name type, but also provided that take not only the name buffer and name type, but also
the mechanism oid for which this name should be created. When the mechanism oid for which this name should be created. When
dealing with an existing GSSName object, the canonicalize method may dealing with an existing IGSSName object, the canonicalize method may
be invoked to convert a general internal name into an MN. be invoked to convert a general internal name into an MN.
GSSName objects can be compared using their equal method, which IGSSName objects can be compared using their equal method, which
returns "true" if the two names being compared refer to the same returns "true" if the two names being compared refer to the same
entity. This is the preferred way to perform name comparisons instead entity. This is the preferred way to perform name comparisons
of using the printable names that a given GSS-API implementation may instead of using the printable names that a given GSS-API
support. Since GSS-API assumes that all primitive names contained implementation may support. Since GSS-API assumes that all primitive
within a given internal name refer to the same entity, equal can names contained within a given internal name refer to the same
return "true" if the two names have at least one primitive name in entity, equal can return "true" if the two names have at least one
common. If the implementation embodies knowledge of equivalence primitive name in common. If the implementation embodies knowledge
relationships between names taken from different namespaces, this of equivalence relationships between names taken from different
knowledge may also allow successful comparisons of internal names namespaces, this knowledge may also allow successful comparisons of
containing no overlapping primitive elements. internal names containing no overlapping primitive elements.
When used in large access control lists, the overhead of creating a When used in large access control lists, the overhead of creating an
GSSName on each name and invoking the equal method on each name from IGSSName object on each name and invoking the equal method on each
the ACL may be prohibitive. As an alternative way of supporting this name from the ACL may be prohibitive. As an alternative way of
case, GSS-API defines a special form of the contiguous byte array supporting this case, GSS-API defines a special form of the
name which may be compared directly (byte by byte). Contiguous names contiguous byte array name which may be compared directly (byte by
suitable for comparison are generated by the export method, which byte). Contiguous names suitable for comparison are generated by the
requires that the GSSName represent a MN. Exported names may be re- export method. Exported names may be re-imported by using the byte
imported by using the byte array constructor and specifying the array constructor and specifying the NT_EXPORT_NAME as the name type
NT_EXPORT_NAME as the name type object identifier. The resulting object identifier. The resulting IGSSName name will also be a MN.
GSSName name will also be a MN. The GSSName object defines public The IGSSName interface defines public static Oid objects representing
static Oid objects representing the standard name types. the standard name types. Structurally, an exported name object
Structurally, an exported name object consists of a header containing consists of a header containing an OID identifying the mechanism that
an OID identifying the mechanism that authenticated the name, and a authenticated the name, and a trailer containing the name itself,
trailer containing the name itself, where the syntax of the trailer where the syntax of the trailer is defined by the individual
is defined by the individual mechanism specification. Detailed mechanism specification. Detailed description of the format is
description of the format is specified in the language-independent specified in the language-independent GSS-API specification
GSS-API specification [GSSAPIv2]. [GSSAPIv2].
Note that the results obtained by using the equal method will in Note that the results obtained by using the equals method will in
general be different from those obtained by invoking canonicalize and general be different from those obtained by invoking canonicalize and
export, and then comparing the byte array output. The first series export, and then comparing the byte array output. The first series
of operation determines whether two (unauthenticated) names identify of operation determines whether two (unauthenticated) names identify
the same principal; the second whether a particular mechanism would the same principal; the second whether a particular mechanism would
authenticate them as the same principal. These two operations will authenticate them as the same principal. These two operations will
in general give the same results only for MNs. in general give the same results only for MNs.
It is important to note that the above are guidelines as how GSSName It is important to note that the above are guidelines as how IGSSName
objects should behave, and are not intended to be specific implementations should behave, and are not intended to be specific
requirements of how names objects must be implemented. The mechanism requirements of how names objects must be implemented. The mechanism
designers are free to decide on the details of their implementations designers are free to decide on the details of their implementations
of the GSSName object as long as the behavior satisfies the above of the IGSSName interface as long as the behavior satisfies the above
guidelines. guidelines.
4.12. Channel Bindings 4.14. Channel Bindings
GSS-API supports the use of user-specified tags to identify a given GSS-API supports the use of user-specified tags to identify a given
context to the peer application. These tags are intended to be used context to the peer application. These tags are intended to be used
to identify the particular communications channel that carries the to identify the particular communications channel that carries the
context. Channel bindings are communicated to the GSS-API using the context. Channel bindings are communicated to the GSS-API using the
ChannelBinding object. The application may use byte arrays to specify ChannelBinding object. The application may use byte arrays to
the application data to be used in the channel binding as well as specify the application data to be used in the channel binding as
using instances of the InetAddress. The InetAddress for the initiator well as using instances of the InetAddress. The InetAddress for the
and/or acceptor can be used within an instance of a ChannelBinding. initiator and/or acceptor can be used within an instance of a
ChannelBinding can be set for the GSSContext object using the ChannelBinding. ChannelBinding can be set for the IGSSContext object
setChannelBinding method before the first call to init or accept has using the setChannelBinding method before the first call to init or
been performed. Unless the setChannelBinding method has been used to accept has been performed. Unless the setChannelBinding method has
set the ChannelBinding for an instance of GSSContext method, "null" been used to set the ChannelBinding for an IGSSContext object, "null"
ChannelBinding will be assumed. InetAddress is currently the only ChannelBinding will be assumed. InetAddress is currently the only
address type defined within the Java platform and as such, it is the address type defined within the Java platform and as such, it is the
only one supported within the ChannelBinding class. only one supported within the ChannelBinding class. Applications
that use other types of addresses can include them as part of the
application specific data.
Conceptually, the GSS-API concatenates the initiator and acceptor Conceptually, the GSS-API concatenates the initiator and acceptor
address information, and the application supplied byte array to form address information, and the application supplied byte array to form
an octet string. The mechanism calculates a MIC over this octet an octet string. The mechanism calculates a MIC over this octet
string and binds the MIC to the context establishment token emitted string and binds the MIC to the context establishment token emitted
by init method of the GSSContext class. The same bindings are set by by init method of the IGSSContext class. The same bindings are set
the context acceptor for its GSSContext object and during processing by the context acceptor for its IGSSContext object and during
of the accept method a MIC is calculated in the same way. The processing of the accept method a MIC is calculated in the same way.
calculated MIC is compared with that found in the token, and if the The calculated MIC is compared with that found in the token, and if
MICs differ, accept will throw a GSSException with the major code the MICs differ, accept will throw a GSSException with the major
set to BAD_BINDINGS, and the context will not be established. Some code set to BAD_BINDINGS, and the context will not be established.
mechanisms may include the actual channel binding data in the token Some mechanisms may include the actual channel binding data in the
(rather than just a MIC); applications should therefore not use token (rather than just a MIC); applications should therefore not use
confidential data as channel-binding components. confidential data as channel-binding components.
Individual mechanisms may impose additional constraints on addresses Individual mechanisms may impose additional constraints on addresses
that may appear in channel bindings. For example, a mechanism may that may appear in channel bindings. For example, a mechanism may
verify that the initiator address field of the channel binding verify that the initiator address field of the channel binding
contains the correct network address of the host system. Portable contains the correct network address of the host system. Portable
applications should therefore ensure that they either provide correct applications should therefore ensure that they either provide correct
information for the address fields, or omit setting of the addressing information for the address fields, or omit setting of the addressing
information. information.
4.13. Stream Objects 4.15. Stream Objects
The GSSContext object provides overloaded methods which use input and The context object provides overloaded methods which use input and
output streams as the means to convey authentication and per-message output streams as the means to convey authentication and per-message
GSS-API tokens. It is important to note that the streams are expected GSS-API tokens. It is important to note that the streams are
to contain the usual GSS-API tokens which would otherwise be handled expected to contain the usual GSS-API tokens which would otherwise be
through the usage of byte arrays. The tokens are expected to have a handled through the usage of byte arrays. The tokens are expected to
definite start and an end. The callers are responsible for ensuring have a definite start and an end. The callers are responsible for
that the supplied streams will not block, or expect to block until a ensuring that the supplied streams will not block, or expect to block
full token is processed by the GSS-API method. Only a single GSS-API until a full token is processed by the GSS-API method. Only a single
token will be processed per invocation of the stream based method. GSS-API token will be processed per invocation of the stream based
method.
The usage of streams allows the callers to have control and The usage of streams allows the callers to have control and
management of the supplied buffers. Because streams are non-primitive management of the supplied buffers. Because streams are non-
objects, the callers can make the streams as complicated or as simple primitive objects, the callers can make the streams as complicated or
as desired simply by using the streams defined in the java.io package as simple as desired simply by using the streams defined in the
or creating their own through the use of inheritance. This will allow java.io package or creating their own through the use of inheritance.
for the application's greatest flexibility. This will allow for the application's greatest flexibility.
4.14. Optional Parameters 4.16. Optional Parameters
Whenever the application wishes to omit an optional parameter the Whenever the application wishes to omit an optional parameter the
"null" value shall be used. The detailed method descriptions "null" value shall be used. The detailed method descriptions
indicate which parameters are optional. Methods overloading has also indicate which parameters are optional. Methods overloading has also
been used as a technique to indicate default parameters. been used as a technique to indicate default parameters.
5. Additional Controls 5. GSS Provider's Interface
This section discusses the optional services that a context initiator This section presents a brief description of the interfaces that
may request of the GSS-API before the context establishment. Each of encapsulate the services provided by a GSS-API implementator. They
these services is requested by calling the appropriate mutator method are part of a framework presented in this document that will allow an
in the GSSContext object before the first call to init is performed. application to switch between different providers at runtime, by
enabling the framework to access the desired provider's
implementation via these interfaces.
Only the context initiator can request context flags. The API in this section is meant primarily for GSS implementors. The
GSS-API user does not need to obtain direct references to the classes
implementing these interfaces. In fact, doing so might make the
application dependent on that particular implementation.
Applications that distribute a bundled GSS-API implementation along
with them can use this API to avoid providing the concrete class
wrappers in the framework. However, for applications that expect to
use a system-wide GSS library, it is envisioned that the callers will
utilize the wrapper classes of section 6 as the method of choice for
the creation of GSS-API objects.
The optional services defined are: This section also shows the corresponding RFC 2078 functionality
implemented by each of the interfaces. Detailed description of these
interfaces and their methods is presented in section 7.
Delegation 5.1. GSSFactory interface
The (usually temporary) transfer of rights from initiator to
acceptor, enabling the acceptor to authenticate itself as an
agent of the initiator.
Mutual Authentication This interface represents the bootstrapping class that is supplied
In addition to the initiator authenticating its identity to the with every GSS-API provider and encapsulates information that is
context acceptor, the context acceptor should also authenticate specific to that particular provider. It contains factory methods to
itself to the initiator. obtain references to implementations of the other interfaces from the
provider. GSSFactory also handles all queries which would require a
knowledge of the list of underlying mechanisms that is supported by
the particular provider. It contains equivalents of the following
RFC 2078 routines:
Replay Detection RFC 2078 Routine Function Section
In addition to providing message integrity services, GSSContext
per-message operations of getMIC and wrap should include message
numbering information to enable verifyMIC and unwrap to detect
if a message has been duplicated.
Out-of-Sequence Detection gss_indicate_mechs List the mechanisms 7.1.10
In addition to providing message integrity services, GSSContext supported by this GSS-API
per-message operations (getMIC and wrap) should include message implementation.
sequencing information to enable verifyMIC and unwrap to detect
if a message has been received out of sequence.
Anonymous Authentication gss_inquire_mechs_for_name List the mechanisms 7.1.11
The establishment of the security context should not reveal the supporting the
initiator's identity to the context acceptor. specified name type.
Some mechanisms may not support all optional services, and some gss_inquire_names_for_mech List the name types 7.1.12
mechanisms may only support some services in conjunction with others. supported by the
The GSSContext class offers query methods to allow the verification specified mechanism.
by the calling application of which services will be available from
the context when the establishment phase is complete. In general, if
the security mechanism is capable of providing a requested service,
it should do so even if additional services must be enabled in order
to provide the requested service. If the mechanism is incapable of
providing a requested service, it should proceed without the service
leaving the application to abort the context establishment process if
it considers the requested service to be mandatory.
Some mechanisms may specify that support for some services is 5.2. IGSSName interface
optional, and that implementors of the mechanism need not provide it.
This is most commonly true of the confidentiality service, often
because of legal restrictions on the use of data-encryption, but may
apply to any of the services. Such mechanisms are required to send
at least one token from acceptor to initiator during context
establishment when the initiator indicates a desire to use such a
service, so that the initiating GSS-API can correctly indicate
whether the service is supported by the acceptor's GSS-API.
5.1. Delegation GSS-API names are represented in the Java bindings through the
IGSSName interface. Different name formats and their definitions are
identified with universal Object Identifiers (oids). The format of
the names can be derived based on the unique oid of each name type.
The following GSS-API routines are provided by the IGSSName
interface:
The GSS-API allows delegation to be controlled by the initiating RFC 2078 Routine Function Section(s)
application via the requestCredDeleg method before the first call to
init has been issued. Some mechanisms do not support delegation, and
for such mechanisms attempts by an application to enable delegation
are ignored.
The acceptor of a security context, for which the initiator enabled gss_import_name Create an internal name from 7.1.1-7.1.4
delegation, can check if delegation was enabled by using the the supplied information.
getCredDelegState method of the GSSContext class. In cases when it
is, the delegated credential object can be obtained by calling the
getDelegCred method. The obtained GSSCredential object may then be
used to initiate subsequent GSS-API security contexts as an agent or
delegate of the initiator. If the original initiator's identity is
"A" and the delegate's identity is "B", then, depending on the
underlying mechanism, the identity embodied by the delegated
credential may be either "A" or "B acting for A".
For many mechanisms that support delegation, a simple boolean does gss_display_name Covert internal name 7.2.6
not provide enough control. Examples of additional aspects of representation to text format.
delegation control that a mechanism might provide to an application
are duration of delegation, network addresses from which delegation
is valid, and constraints on the tasks that may be performed by a
delegate. Such controls are presently outside the scope of the GSS-
API. GSS-API implementations supporting mechanisms offering
additional controls should provide extension routines that allow
these controls to be exercised (perhaps by modifying the initiator's
GSS-API credential object prior to its use in establishing a
context). However, the simple delegation control provided by GSS-API
should always be able to over-ride other mechanism-specific
delegation controls. If the application instructs the GSSContext
object that delegation is not desired, then the implementation must
not permit delegation to occur. This is an exception to the general
rule that a mechanism may enable services even if they are not
requested - delegation may only be provided at the explicit request
of the application.
5.2. Mutual Authentication gss_compare_name Compare two internal names. 7.2.2, 7.2.3
Usually, a context acceptor will require that a context initiator gss_release_name Release resources associated N/A
authenticate itself so that the acceptor may make an access-control with the internal name.
decision prior to performing a service for the initiator. In some
cases, the initiator may also request that the acceptor authenticate
itself. GSS-API allows the initiating application to request this
mutual authentication service by calling the requestMutualAuth method
of the GSSContext class with a "true" parameter before making the
first call to init. The initiating application is informed as to
whether or not the context acceptor has authenticated itself. Note
that some mechanisms may not support mutual authentication, and other
mechanisms may always perform mutual authentication, whether or not
the initiating application requests it. In particular, mutual
authentication may be required by some mechanisms in order to support
replay or out-of-sequence message detection, and for such mechanisms
a request for either of these services will automatically enable
mutual authentication.
5.3. Replay and Out-of-Sequence Detection gss_canonicalize_name Convert an internal name to a 7.1.3, 7.2.4
mechanism name.
The GSS-API may provide detection of mis-ordered messages once a gss_export_name Convert a mechanism name to 7.2.5
security context has been established. Protection may be applied to export format.
messages by either application, by calling either getMIC or wrap
methods of the GSSContext class, and verified by the peer application
by calling verifyMIC or unwrap for the peer's GSSContext object.
getMIC calculates a cryptographic checksum of an application message, gss_duplicate_name Create a copy of the internal N/A
and returns that checksum in a token. The application should pass name.
both the token and the message to the peer application, which
presents them to the verifyMIC method of the peer's GSSContext
object.
wrap calculates a cryptographic checksum of an application message, The gss_release_name call is not provided as Java does its own
and places both the checksum and the message inside a single token. garbage collection. The gss_duplicate_name call is also redundant;
The application should pass the token to the peer application, which the IGSSName interface has no mutator methods that can change the
presents it to the unwrap method of the peer's GSSContext object to state of the object, and so long as there is a reference to it, the
extract the message and verify the checksum. object will not be released by the JVM.
Either pair of routines may be capable of detecting out-of-sequence 5.3. IGSSCredential interface
message delivery, or duplication of messages. Details of such mis-
ordered messages are indicated through supplementary query methods of
the MessageProp object returned from each of these routines.
A mechanism need not maintain a list of all tokens that have been The IGSSCredential interface is responsible for the encapsulation of
processed in order to support these status codes. A typical GSS-API credentials. Credentials identify a single entity and
mechanism might retain information about only the most recent "N" provide the necessary cryptographic information to enable the
tokens processed, allowing it to distinguish duplicates and missing creation of a context on behalf of that entity. A single credential
tokens within the most recent "N" messages; the receipt of a token may contain multiple mechanism specific credentials, each referred to
older than the most recent "N" would result in a isOldToken method of as a credential element. The IGSSCredential interface provides the
the instance of MessageProp to return "true". functionality of the following GSS-API routines:
5.4. Anonymous Authentication RFC 2078 Routine Function Section(s)
In certain situations, an application may wish to initiate the gss_acquire_cred Acquire credential for use. 7.1.5-7.1.7
authentication process to authenticate a peer, without revealing its
own identity. As an example, consider an application providing
access to a database containing medical information, and offering
unrestricted access to the service. A client of such a service might
wish to authenticate the service (in order to establish trust in any
information retrieved from it), but might not wish the service to be
able to obtain the client's identity (perhaps due to privacy concerns
about the specific inquiries, or perhaps simply to avoid being placed
on mailing-lists).
In normal use of the GSS-API, the initiator's identity is made gss_add_cred Constructs credentials 7.3.11
available to the acceptor as a result of the context establishment incrementally.
process. However, context initiators may request that their identity
not be revealed to the context acceptor. Many mechanisms do not
support anonymous authentication, and for such mechanisms the request
will not be honored. An authentication token will still be
generated, but the application is always informed if a requested
service is unavailable, and has the option to abort context
establishment if anonymity is valued above the other security
services that would require a context to be established.
In addition to informing the application that a context is gss_inquire_cred Obtain information about 7.3.3-
established anonymously (via the isAnonymous method of the GSSContext credential.
class), the getSrcName method of the acceptor's GSSContext object
will, for such contexts, return a reserved internal-form name,
defined by the implementation.
The toString method for a GSSName object representing an anonymous gss_inquire_cred_by_mech Obtain per-mechanism 7.3.3-7.3.10
entity will return a printable name. The returned value will be information about
syntactically distinguishable from any valid principal name supported a credential.
by the implementation. The associated name-type object identifier
will be an oid representing the value of NT_ANONYMOUS. This name-type
oid will be defined as a public, static Oid object of the GSSName
class. The printable form of an anonymous name should be chosen such
that it implies anonymity, since this name may appear in, for
example, audit logs. For example, the string "<anonymous>" might be
a good choice, if no valid printable names supported by the
implementation can begin with "<" and end with ">".
When using the equal method of the GSSName class, and one of the gss_release_cred Disposes of credentials 7.3.2
operands is a GSSName instance representing an anonymous entity, the after use.
method must return "false".
5.5. Confidentiality 5.4. IGSSContext interface
If a GSSContext supports the confidentiality service, wrap method may This interface encapsulates the functionality of context-level calls
be used to encrypt application messages. Messages are selectively required for security context establishment and management between
encrypted, under the control of the setPrivacy method of the peers as well as the per-message services offered to applications. A
MessageProp object used within the wrap method. context is established between a pair of peers and allows the usage
of security services on a per-message basis on application data. It
is created over a single security mechanism. The IGSSContext
interface provides the functionality of the following GSS-API
routines:
5.6. Inter-process Context Transfer RFC 2078 Routine Function Section(s)
GSS-API V2 provides functionality which allows a security context to gss_init_sec_context Initiate the creation of a 7.4.2,
be transferred between processes on a single machine. These are security context with 7.4.3
implemented using the export method of GSSContext and a byte array a peer.
constructor of the same class. The most common use for such a
feature is a client-server design where the server is implemented as
a single process that accepts incoming security contexts, which then
launches child processes to deal with the data on these contexts. In
such a design, the child processes must have access to the security
context object created within the parent so that they can use per-
message protection services and delete the security context when the
communication session ends.
Since the security context data structure is expected to contain gss_accept_sec_context Accept a security context 7.4.4,
sequencing information, it is impractical in general to share a initiated by a peer. 7.4.5
context between processes. Thus GSSContext class provides an export
method that the process, which currently owns the context, can call
to declare that it has no intention to use the context subsequently,
and to create an inter-process token containing information needed by
the adopting process to successfully re-create the context. After
successful completion of export, the original security context is
made inaccessible to the calling process by GSS-API and any further
usage of this object will result in failures. The originating
process transfers the inter-process token to the adopting process,
which creates a new GSSContext object using the byte array
constructor. The properties of the context are equivalent to that of
the original context.
The inter-process token may contain sensitive data from the original gss_delete_sec_context Destroy a security context. 7.4.7
security context (including cryptographic keys). Applications using
inter-process tokens to transfer security contexts must take
appropriate steps to protect these tokens in transit.
Implementations are not required to support the inter-process gss_context_time Obtain remaining context 7.4.36
transfer of security contexts. Calling the isTransferable method of time.
the GSSContext class will indicate if the context object is
transferable.
5.7. The Use of Incomplete Contexts gss_inquire_context Obtain context 7.3.38 to
characteristics. 7.3.43
Some mechanisms may allow the per-message services to be used before gss_wrap_size_limit Determine token-size limit 7.4.8
the context establishment process is complete. For example, a for gss_wrap.
mechanism may include sufficient information in its initial context-
level tokens for the context acceptor to immediately decode messages
protected with wrap or getMIC. For such a mechanism, the initiating
application need not wait until subsequent context-level tokens have
been sent and received before invoking the per-message protection
services.
An application can invoke the isProtReady method of the GSSContext gss_export_sec_context Transfer security context 7.4.17
class to determine if the per-message services are available in to another process.
advance of complete context establishment. Applications wishing to
use per-message protection services on partially-established contexts
should query this method before attempting to invoke wrap or getMIC.
6. Detailed GSS-API Class Description gss_import_sec_context Create a previously exported 7.1.10
context.
This section lists a detailed description of all the public methods gss_get_mic Calculate a cryptographic 7.4.13,
that each of the GSS-API classes must provide. Message Integrity Code (MIC) 7.4.14
for a message.
6.1. public class GSSName gss_verify_mic Verify integrity on a received 7.4.15,
message. 7.4.16
An object of this class encapsulates a single GSS-API principal gss_wrap Attach a MIC to a message and 7.4.9,
entity. Different name formats and their definitions are identified optionally encrypt the message 7.4.10
with universal Object Identifiers (Oids). The format of the names can content.
be derived based on the unique oid of each name type.
6.1.1. Example Code gss_unwrap Obtain a previously wrapped 7.4.11,
application message verifying 7.4.12
its integrity and optionally
decrypting it.
Included below are code examples utilizing the GSSName object. The The functionality offered by the gss_process_context_token routine
code below creates a GSSName object, converts it to a mechanism name has not been included in the Java bindings specification. The
(MN), performs a comparison, obtains a printable representation of corresponding functionality of gss_delete_sec_context has also been
the name, exports it and then re-imports to obtain a new GSSName modified to not return any peer tokens. This has been proposed in
object. accordance to the recommendations stated in the RFC 2078 update
draft. IGSSContext does offer the functionality of destroying the
locally-stored context information.
//create an oid object for Kerberos v5 6. GSS Application Programmer's Classes
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
//create a service name, and convert it to a mechanism name This section presents a brief description of the classes that a
GSSName aName = new GSSName("service@host", typical application would use. The implementations of these classes
GSSName.NT_HOSTBASED_SERVICE); are picked from the CLASSPATH defined by the application. If Java
GSSName mechName = aName.canonicalize(krb5); GSS becomes part of the standard Java API's then these classes will
be available by default on all systems as part of the JRE's system
classes.
//the above two steps are equivalent to the following constructor These classes are primarily part of a framework and do not provide
GSSName mechName = new GSSName("service@host", any of the security services themselves. The classes that provide
GSSName.NT_HOSTBASED_SERVICE, the security services are those that a provider can plug into this
krb5); framework as described in sections 4.2 and 5. Some classes described
here delegate their calls to the appropriate implementation class
from the provider.
//perform name comparison This section also shows the corresponding RFC 2078 functionality
if (aName.equals(mechName)) implemented by each of the interfaces. Detailed description of these
print("Names are equals."); interfaces and their methods is presented in section 7.
//obtain textual representation of name and its printable 6.1. GSSManager class
//name type
print(mechName.toString() +
mechName.getStringNameType().toString());
//export and re-import the name This class contains methods to interrogate a provider's GSSFactory
byte [] exportName = mechName.export(); object. It also provides a means for a single point of control to
set the preferred GSS-API provider. All delegation done by the
GSSContext, GSSCredential and GSSName classes is then directed to
implementing classes for that provider by default.
//create a new name object from the exported buffer Implementions of this class can locate and instantiate a provider
GSSName newName = new GSSName(exportName, with the help of the java.Security.getProvider() method. They can
GSSName.NT_EXPORT_NAME); query the provider for the "org.ietf.JGSS.GSSFactory" property which
returns the name of that provider's GSSFactory implementation.
6.1.2. Class Constants By encapsulating this behaviour in this class an application can
seamlessly switch between GSS-API implementations at runtime by
simply identifying a new provider to the GSSManager.
public static final Oid NT_HOSTBASED_SERVICE It contains the equivalents of the following RFC 2078 routines to
query the provider's GSSFactory: gss_indicate_mechs,
gss_inquire_mechs_for_name, gss_inquire_names_for_mech.
Oid indicating a host-based service name form. It is used to 6.2. GSSName class
represent services associated with host computers. This name form is
constructed using two elements, "service" and "hostname", as follows:
service@hostname This concrete class is a wrapper around the interface IGSSName. It
provides all the methods that are defined in the IGSSName interface
and associated constructors. It uses the preferred GSS-API provider
and its GSSFactory to instantiate an IGSSName implementation and then
delegate all calls to it.
Values for the "service" element are registered with the IANA. It 6.3. GSSCredential class
represents the following value: { 1(iso), 3(org), 6(dod),
1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) }
public static final Oid NT_USER_NAME This concrete class is a wrapper around the interface IGSSCredential.
It provides all the methods that are defined in the IGSSCredential
interface and associated constructors. It uses the preferred GSS-API
provider and its GSSFactory to instantiate an IGSSCredential
implementation and then delegate all calls to it.
Name type to indicate a named user on a local system. It represents 6.4. GSSContext class
the following value: { iso(1) member-body(2) United States(840)
mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
public static final Oid NT_MACHINE_UID_NAME
Name type to indicate a numeric user identifier corresponding to a This concrete class is a wrapper around the interface IGSSContext.
user on a local system. (e.g. Uid). It represents the following It provides all the methods that are defined in the IGSSContext
value: { iso(1) member-body(2) United States(840) mit(113554) interface and associated constructors. It uses the preferred GSS-API
infosys(1) gssapi(2) generic(1) machine_uid_name(2) } provider and its GSSFactory to instantiate an IGSSContext
implementation and then delegate all calls to it.
public static final Oid NT_STRING_UID_NAME 6.5. MessageProp class
Name type to indicate a string of digits representing the numeric This helper class is used in the per-message operations on the
user identifier of a user on a local system. It represents the context. An instance of this class is created by the application and
following value: { iso(1) member-body(2) United States(840) then passed into the per-message calls. In some cases, the
mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) } application conveys information to the GSS-API implementation through
this object and in other cases the GSS-API returns information to the
application by setting it in this object. See the description of the
per-message operations wrap, unwrap, getMIC, and verifyMIC in the
IGSSContext interfaces for details.
public static final Oid NT_ANONYMOUS 6.6. GSSException class
Name type for representing an anonymous entity. It represents the Exceptions are used in the Java bindings to signal fatal errors to
following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), the calling applications. This replaces the major and minor codes
6(nametypes), 3(gss-anonymous-name) } used in the C-bindings specification as a method of signaling
failures. The GSSException class handles both minor and major codes,
as well as their translation into textual representation. All GSS-
API methods are declared as throwing this exception.
public static final Oid NT_EXPORT_NAME RFC 2078 Routine Function Section
Name type used to indicate an exported name produced by the export gss_display_status Retrieve textual 7.8.5, 7.8.6,
method. It represents the following value: { 1(iso), 3(org), 6(dod), representation of error 7.8.8, 7.8.9
1(internet), 5(security), 6(nametypes), 4(gss-api-exported-name) } codes.
6.1.3. Constructors 6.7. Oid class
public GSSName(String nameStr, Oid type) throws GSSException This utility class is used to represent Universal Object Identifiers
and their associated operations. GSS-API uses object identifiers to
distinguish between security mechanisms and name types. This class,
aside from being used whenever an object identifier is needed,
implements the following GSS-API functionality:
Converts a contiguous string name to a GSSName object of the RFC 2078 Routine Function Section
specified type. The nameStr parameter is interpreted based on the
type specified. In general, the GSSName object created will not be
an MN; the exception to this is if the type parameter indicates
NT_EXPORT_NAME.
Parameters: gss_test_oid_set_member Determine if the specified oid 7.7.6
is part of a set of oids.
nameStr The string representing the name to create. 6.8. ChannelBinding class
type Oid specifying type of the printable name supplied. An instance of this class is used to specify channel binding
"null" value can be used to specify a default information to the IGSSContext object before the start of a security
printable syntax. context establishment. The application may use a byte array to
specify application data to be used in the channel binding as well as
use instances of the InetAddress. InetAddress is currently the only
address type defined within the Java platform and as such, it is the
only one supported within the ChannelBinding class. Applications that
use other types of addresses can include them as part of the
application data.
public GSSName(byte name[], Oid type) throws GSSException 7. Detailed GSS-API Class Description
Converts a contiguous byte name to a GSSName object of the specified This section lists a detailed description of all the public methods
type. The name parameter is interpreted based on the type specified. that each of the GSS-API classes and interfaces must provide.
This constructor is provided for use with names that aren't expressed
as printable strings (for example, names of type NT_EXPORT_NAME). In 7.1. public interface GSSFactory
general, the GSSName object created will not be an MN.
This interface provides factory methods to obtain provider specific
implementations of the interfaces IGSSCredential, IGSSName, and
IGSSContext. It also contains other functionality that requires
implementation specific knowledge and cannot be placed cleanly in any
of the other interfaces.
Each GSS-API provider defines a class that implements this interface.
Applications can instantiate the provider's implementation of
GSSFactory if they are aware of the qualified name of that class.
However, in the interest of portability applications are advised to
go through the GSSManager API instead. The GSSFactory interface is
primarily meant for GSS implementors and for developers who bundle a
custom GSS-API implementation together with their application. Such
applications may choose not to implement the GSSManager class along
with the other wrappers such as GSSName, GSSCredential, and
GSSContext. They would then directly instantiate and use the
interfaces described in section 5.
7.1.1. createName
public IGSSName createName(String nameStr, Oid nameSpace)
throws GSSException
Factory method to convert a contiguous string name from the specified
namespace to an IGSSName object. In general, the IGSSName object
created will not be an MN; two examples that are exceptions to this
are when the namespace type parameter indicates NT_EXPORT_NAME or
when the GSS-API implementation is not multi-mechanism.
Parameters: Parameters:
name The byte array representing the name to create. nameStr The string representing a printable form of the name
to create.
type Oid specifying the type of name supplied. "null" value nameType The Oid specifying the namespace of the printable name
can be used to specify a default syntax. supplied. Note that nameType serves to describe and
qualify the interpretation of the input nameStr, it
does not necessarily imply a type for the output
IGSSName implementation. "null" value can be used to
specify that a mechanism specific default printable
syntax should be assumed by each mechanism that
examines nameStr.
public GSSName(String nameStr, Oid nameType, Oid mechType) 7.1.2. createName
public IGSSName createName(byte name[], Oid nameType)
throws GSSException throws GSSException
Converts a contiguous string name to a GSSName object of the Factory method to convert a contiguous byte array containing a name
specified type. The nameStr parameter is interpreted based on the from the specified namespace to an IGSSName object. In general, the
type specified. This constructor is provided to allow the creation of IGSSName object created will not be an MN; two examples that are
mechanism-specific names without having to call canonicalize. exceptions to this are when the namespace type parameter indicates
NT_EXPORT_NAME or when the GSS-API implementation is not multi-
mechanism.
Parameters: Parameters:
nameStr The string representing the name to create. name The byte array containing the name to create.
nameType Oid specifying type of the printable name supplied. nameType The Oid specifying the namespace of the name supplied
"null" value can be used to specify a default in the byte array.
printable syntax. Note that nameType serves to describe and qualify the
interpretation of the input name byte array, it does not
necessarily imply a type for the output IGSSName implementation.
"null" value can be used to specify that a mechanism specific
default syntax should be assumed by each mechanism that examines
the byte array..IP "nameType" 10 The Oid specifying the
namespace of the printable name supplied. Note that nameType
serves to describe and qualify the interpretation of the input
nameStr, it does not necessarily imply a type for the output
IGSSName implementation. "null" value can be used to specify
that a mechanism specific default printable syntax should be
assumed by each mechanism that examines nameStr.
7.1.3. createName
public IGSSName createName(String nameStr, Oid nameType,
Oid mechType) throws GSSException
Factory method to convert a contiguous string name from the specified
namespace to an IGSSName object that is a mechanism name (MN). In
other words, this method is a utility that does the equivalent of two
steps: the createName described in 7.1.1 and then also the
IGSSName.canonicalize() described in 7.2.4.
Parameters:
nameStr The string representing a printable form of the name
to create.
nameType The Oid specifying the namespace of the printable name
supplied. Note that nameType serves to describe and
qualify the interpretation of the input nameStr, it
does not necessarily imply a type for the output
IGSSName implementation. "null" value can be used to
specify that a mechanism specific default printable
syntax should be assumed when the mechanism examines
nameStr.
mechType Oid specifying the mechanism for which this name mechType Oid specifying the mechanism for which this name
should be created. "null" value can be used to specify should be created.
the default mechanism.
public GSSName(byte name[], Oid nameType, Oid mechType) 7.1.4. createName
public createName(byte name[], Oid nameType, Oid mechType)
throws GSSException throws GSSException
Converts a contiguous byte name to a GSSName object of the specified Factory method to convert a contiguous byte array containing a name
type. The name parameter is interpreted based on the type specified. from the specified namespace to an IGSSName object that is an MN. In
This constructor is provided to be used with names that aren't other words, this method is a utility that does the equivalent of two
expressed as printable strings. It allows the creation of steps: the createName described in 7.1.2 and then also the
mechanism-specific names without having to call canonicalize. IGSSName.canonicalize() described in 7.2.4.
Parameters: Parameters:
name The byte array representing the name to create. name The byte array representing the name to create.
type Oid specifying the type of name supplied. "null" value nameType The Oid specifying the namespace of the name supplied
can be used to specify a default syntax. in the byte array. Note that nameType serves to
describe and qualify the interpretation of the input
name byte array, it does not necessarily imply a type
for the output IGSSName implementation. "null" value
can be used to specify that a mechanism specific
default syntax should be assumed by each mechanism
that examines the byte array.
mechType Oid specifying the mechanism for which this name mechType Oid specifying the mechanism for which this name
should be created. "null" value can be used to specify should be created.
the default mechanism.
6.1.4. equals 7.1.5. createCredential
public boolean equals(Object another) public IGSSCredential createCredential (int usage)
throws GSSException
Compares two GSSName objects to determine whether they refer to the Factory method for acquiring default credentials. This will cause
same entity. If either of the names is of the NT_ANONYMOUS type, the GSS-API to use system specific defaults for the set of
this call will return "false". mechanisms, name, and an INDEFINITE lifetime.
Parameters:
usage The intended usage for this credential object. The
value of this parameter must be one of:
IGSSCredential.ACCEPT_AND_INITIATE,
IGSSCredential.ACCEPT_ONLY,
IGSSCredential.INITIATE_ONLY
7.1.6. createCredential
public IGSSCredential createCredential (IGSSName aName,
int lifetime, Oid mechOid, int usage)
throws GSSException
Factory method for acquiring a single mechanism credential.
Parameters:
aName Name of the principal for whom this credential is to
be acquired. Use "null" to specify the default
principal.
lifetime The number of seconds that credentials should remain
valid. Use IGSSCredential.INDEFINITE to request that
the credentials have the maximum permitted lifetime.
mechOid The oid of the desired mechanism. Use "(Oid) null" to
request the default mechanism(s).
usage The intended usage for this credential object. The
value of this parameter must be one of:
IGSSCredential.ACCEPT_AND_INITIATE,
IGSSCredential.ACCEPT_ONLY,
IGSSCredential.INITIATE_ONLY
7.1.7. createCredential
public IGSSCredential createCredential(IGSSName aName,
int lifetime, Oid mechs[], int usage)
throws GSSException
Factory method for acquiring credentials over a set of mechanisms.
Acquires credentials for each of the mechanisms specified in the
array called mechs. To determine the list of mechanisms' for which
the acquisition of credentials succeeded, the caller should use the
IGSSCredential.getMechs() method.
Parameters:
aName Name of the principal for whom this credential is to
be acquired. Use "null" to specify the default
principal.
lifetime The number of seconds that credentials should remain
valid. Use IGSSCredential.INDEFINITE to request that
the credentials have the maximum permitted lifetime.
mechOid The array of mechanisms over which the credential is
to be acquired. Use "(Oid[]) null" for requesting a
system specific default set of mechanisms.
usage The intended usage for this credential object. The
value of this parameter must be one of:
IGSSCredential.ACCEPT_AND_INITIATE,
IGSSCredential.ACCEPT_ONLY,
IGSSCredential.INITIATE_ONLY
7.1.8. createContext
public IGSSContext createContext(IGSSName peer, Oid mechOid,
IGSSCredential myCred, int lifetime)
throws GSSException
Factory method for creating a context on the initiator's side.
Context flags may be modified through the mutator methods prior to
calling IGSSContext.initSecContext().
Parameters:
peer Name of the target peer.
mechOid Oid of the desired mechanism. Use "(Oid) null" to
request default mechanism.
myCred Credentials of the initiator. Use "null" to act as a
default initiator principal.
lifetime The request lifetime, in seconds, for the credential.
7.1.9. createContext
public IGSSContext createContext(IGSSCredential myCred)
throws GSSException
Factory method for creating a context on the acceptor' side. The
context's properties will be determined from the input token supplied
to the accept method.
Parameters:
myCred Credentials for the acceptor. Use "null" to act as a
default acceptor principal.
7.1.10. createContext
public IGSSContext createContext(byte [] interProcessToken)
throws GSSException
Factory method for creating a previously exported context. The
context properties will be determined from the input token and can't
be modified through the set methods.
Parameters:
interProcessToken
The token previously emitted from the export method.
7.1.11. getMechs
public Oid[] getMechs()
Returns an array of Oid objects, one for each mechanism available
through this GSS-API implementation. A "null" value is returned when
no mechanism are available (an example of this would be when
mechanism are dynamically configured, and currently no mechanisms are
installed).
7.1.12. getMechsForName
public Oid[] getMechsForName(Oid nameType)
Returns an array of Oid objects, one for each mechanism that supports
the specific namespace type. "null" is returned when no mechanisms
are found to support the specified namespace type.
Parameters:
nameType The Oid object for the namespace type
7.1.13. getNamesForMech
public Oid[] getNamesForMech(Oid mech) throws GSSException
Returns the Oid's for the various types of namespaces that are
supported by the specified mechanism.
Parameters:
mech The Oid for the mechanism to query.
7.2. public interface IGSSName extends java.security.Principal
This interface encapsulates a single GSS-API principal entity.
Different name formats and their definitions are identified with
universal Object Identifiers (Oids). The format of the names can be
derived based on the unique oid of its namespace type.
This interface extends the java.security.Principal interface which
represents the more abstract notion of an entity in Java. With
IGSSName extending this standard java interface, we achieve a tighter
integration of GSS-API names with java objects. Applications may use
this to their benefit in instances where a GSS name can be passed as
a java security name, for instance, to a repository of principal
names.
The java.security.Principal.getName() method of a class implementing
the IGSSName interface is expected to return the same String as the
toString() method would, which is the equivalent of the
gss_display_name() call.
7.2.1. Static Constants
public static final Oid NT_HOSTBASED_SERVICE
Oid indicating a host-based service name form. It is used to
represent services associated with host computers. This name form is
constructed using two elements, "service" and "hostname", as follows:
service@hostname
Values for the "service" element are registered with the IANA. It
represents the following value: { 1(iso), 3(org), 6(dod),
1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) }
public static final Oid NT_USER_NAME
Name type to indicate a named user on a local system. It represents
the following value: { iso(1) member-body(2) United States(840)
mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
public static final Oid NT_MACHINE_UID_NAME
Name type to indicate a numeric user identifier corresponding to a
user on a local system. (e.g. Uid). It represents the following
value: { iso(1) member-body(2) United States(840) mit(113554)
infosys(1) gssapi(2) generic(1) machine_uid_name(2) }
public static final Oid NT_STRING_UID_NAME
Name type to indicate a string of digits representing the numeric
user identifier of a user on a local system. It represents the
following value: { iso(1) member-body(2) United States(840)
mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) }
public static final Oid NT_ANONYMOUS
Name type for representing an anonymous entity. It represents the
following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security),
6(nametypes), 3(gss-anonymous-name) }
public static final Oid NT_EXPORT_NAME
Name type used to indicate an exported name produced by the export
method. It represents the following value: { 1(iso), 3(org), 6(dod),
1(internet), 5(security), 6(nametypes), 4(gss-api-exported-name) }
7.2.2. equals
public boolean equals(IGSSName another) throws GSSException
Compares two IGSSName objects to determine whether they refer to the
same entity. This method may throw a GSSException when the names
cannot be compared. If either of the names represents an anonymous
entity, the method will return "false".
Parameters: Parameters:
another GSSName object to compare with. another GSSName object to compare with.
6.1.5. equals 7.2.3. equals
public boolean equals(GSSName another) throws GSSException public boolean equals(Object another)
A variation of equals method which may throw a GSSException when the A variation of the equals method described in 7.2.2 that is provided
names cannot be compared. If either of the names represents an to override the Object.equals() method that the implementing class
anonymous entity, the method will return "false". will inherit. The behaviour is exactly the same as that in 7.2.2
except that no GSSException is thrown; instead, false will be
returned in the situation where an error occurs.
Parameters: Parameters:
another GSSName object to compare with. another GSSName object to compare with.
6.1.6. canonicalize 7.2.4. canonicalize
public GSSName canonicalize(Oid mechOid) throws GSSException public IGSSName canonicalize(Oid mechOid) throws GSSException
Creates a mechanism name (MN) from an arbitrary internal name. This Creates a mechanism name (MN) from an arbitrary internal name. This
is equivalent to using a constructor which takes the mechanism name is equivalent to using the factory methods described in 7.1.3 or
as one of its parameters. 7.1.4 that take the mechanism name as one of their parameters.
Parameters: Parameters:
mechOid The oid for the authentication mechanism for which the mechOid The oid for the authentication mechanism for which the
canonical form of the name is requested. canonical form of the name is requested.
6.1.7. export 7.2.5. export
public byte[] export() throws GSSException public byte[] export() throws GSSException
Returns a canonical contiguous byte representation of a mechanism Returns a canonical contiguous byte representation of a mechanism
name (MN), suitable for direct, byte by byte comparison by name (MN), suitable for direct, byte by byte comparison by
authorization functions. The name must a MN before calling this authorization functions. If the name is not an MN, implementations
method. The format of the header of the outputted buffer is specified may throw a GSSException with the NAME_NOT_MN status code. If an
in RFC 2078. implementation chooses not to throw an exception, it should use some
system specific default mechanism to canonicalize the name and then
export it. The format of the header of the outputted buffer is
specified in RFC 2078.
6.1.8. toString 7.2.6. toString
public String toString() public String toString()
Returns a textual representation of the GSSName object. To retrieve Returns a textual representation of the GSSName object. To retrieve
the printed name format, which determines the syntax of the returned the printed name format, which determines the syntax of the returned
string, the getStringNameType method can be used. string, the getStringNameType method can be used.
6.1.9. getStringNameType 7.2.7. getStringNameType
public Oid getStringNameType() throws GSSException public Oid getStringNameType() throws GSSException
Returns the oid representing the type of name returned through the Returns the oid representing the type of name returned through the
toString method. Using this oid, the syntax of the printable name can toString method. Using this oid, the syntax of the printable name
be determined. can be determined.
6.1.10. clone
public Object clone() throws CloneNotSupportedException
Creates a duplicate copy of this name.
6.1.11. isAnonymous 7.2.8. isAnonymous
public boolean isAnonymous() public boolean isAnonymous()
Tests if this name object represents an anonymous entity. Returns Tests if this name object represents an anonymous entity. Returns
"true" if this is an anonymous name. "true" if this is an anonymous name.
6.2. public class GSSCredential 7.2.9. isMN
This class manages GSS-API credentials and their associated public boolean isMN()
operations. A credential contains all the necessary cryptographic
information to enable the creation of a context on behalf of the Tests if this name object contains only one mechanism element and is
entity that it represents. It may contain multiple, distinct, thus a mechanism name as defined by RFC 2078.
mechanism specific credential elements, each containing information
for a specific security mechanism, but all referring to the same 7.3. public interface IGSSCredential implements Cloneable
entity.
This interface encapsulates the GSS-API credentials for an entity. A
credential contains all the necessary cryptographic information to
enable the creation of a context on behalf of the entity that it
represents. It may contain multiple, distinct, mechanism specific
credential elements, each containing information for a specific
security mechanism, but all referring to the same entity.
A credential may be used to perform context initiation, acceptance, A credential may be used to perform context initiation, acceptance,
or both. or both.
GSS-API implementations must impose a local access-control policy on GSS-API implementations must impose a local access-control policy on
callers to prevent unauthorized callers from acquiring credentials to callers to prevent unauthorized callers from acquiring credentials to
which they are not entitled. GSSCredential creation is not intended which they are not entitled. GSS-API credential creation is not
to provide a "login to the network" function, as such a function intended to provide a "login to the network" function, as such a
would involve the creation of new credentials rather than merely function would involve the creation of new credentials rather than
acquiring a handle to existing credentials. Such functions, if merely acquiring a handle to existing credentials. Such functions,
required, should be defined in implementation-specific extensions to if required, should be defined in implementation-specific extensions
the API. to the API.
If credential acquisition is time-consuming for a mechanism, the If credential acquisition is time-consuming for a mechanism, the
mechanism may choose to delay the actual acquisition until the mechanism may choose to delay the actual acquisition until the
credential is required (e.g. by the GSSContext object). Such credential is required (e.g. by IGSSContext). Such mechanism-
mechanism-specific implementation decisions should be invisible to specific implementation decisions should be invisible to the calling
the calling application; thus the query methods immediately following application; thus the query methods immediately following the
the creation of a credential object must return valid credential creation of a credential object must return valid credential data,
data, and may therefore incur the overhead of a deferred credential and may therefore incur the overhead of a deferred credential
acquisition. acquisition.
Applications will create a GSSCredential object passing the desired Applications will create a credential object passing the desired
parameters. The application can then use the query methods to obtain parameters. The application can then use the query methods to obtain
specific information about the instantiated credential object specific information about the instantiated credential object
(equivalent to the gss_inquire routines). When the credential is no (equivalent to the gss_inquire routines). When the credential is no
longer needed, the application should call the dispose (equivalent to longer needed, the application should call the dispose (equivalent to
gss_release_cred) method to release any resources held by the gss_release_cred) method to release any resources held by the
credential object and to destroy any cryptographically sensitive credential object and to destroy any cryptographically sensitive
information. information.
6.2.1. Example Code Classes implementing this interface also implement the Cloneable
interface. This indicates the the class will support the clone()
This example code demonstrates the creation of a GSSCredential object method that will allow the creation of duplicate credentials. This
for a specific entity, querying of its fields, and its release when is useful when called just before the add() call to retain a copy of
it is no longer needed. the original credential.
//start by creating a name object for the entity
GSSName aName = new GSSName("userName", GSSName.NT_USER_NAME);
GSSCredential entity = new GSSCredential(
aName,
GSSCredential.ACCEPT_ONLY);
//display credential information - name, remaining lifetime,
//and the mechanisms it has been acquired over
print(entity.getGSSName().toString());
print(entity.getRemainingLifetime());
Oid [] mechs = entity.getMechs();
if (mechs != null) {
for (int i = 0; i < mechs.length; i++)
print(mechs[i].toString());
}
//release system resources held by the credential
entity.dispose();
6.2.2. Class Constants 7.3.1. Static Constants
public static final int INITIATE_AND_ACCEPT public static final int INITIATE_AND_ACCEPT
Credential usage flag requesting that it be able to be used for both Credential usage flag requesting that it be able to be used for both
context initiation and acceptance. context initiation and acceptance.
public static final int INITIATE_ONLY public static final int INITIATE_ONLY
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context initiation only. context initiation only.
skipping to change at page 37, line 44 skipping to change at page 45, line 34
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context acceptance only. context acceptance only.
public static final int INDEFINITE public static final int INDEFINITE
A lifetime constant representing indefinite credential lifetime. A lifetime constant representing indefinite credential lifetime.
This value must be set to the maximum integer value in Java - This value must be set to the maximum integer value in Java -
Integer.MAX_VALUE. Integer.MAX_VALUE.
6.2.3. Constructors 7.3.2. dispose
public GSSCredential(int usage) throws GSSException
Constructor for default credentials. This will use the default
mechanism, name, and an INDEFINITE lifetime.
Parameters are:
usage The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
public GSSCredential(GSSName aName, int usage) throws GSSException
Constructor for default mechanism credential. Uses default mechanism
and INDEFINITE lifetime.
Parameters are:
aName Name of the principal for whom this credential is to
be acquired.
usage The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
public GSSCredential(GSSName aName, int lifetime, Oid mechOid,
int usage) throws GSSException
Constructor for a single mechanism credential. "null" values can be
specified for name and mechanism to obtain system specific defaults.
Parameters:
aName Name of the principal for whom this credential is to
be acquired. Use "null" to specify the default
principal.
lifetime The number of seconds that credentials should remain
valid. Use GSSCredential.INDEFINITE to request that
the credentials have the maximum permitted lifetime.
mechOid The oid of the desired mechanism.
usage The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
public GSSCredential(GSSName aName, int lifetime, Oid mechs[],
int usage) throws GSSException
Constructor for a credential over a set of mechanisms. Acquires
credentials for each of the mechanisms specified in mechs array.
"null" value can be used for aName to obtain system specific default.
To determine which mechanism's acquisition of the credential was
successful use the getMechs method. This call is equivalent to
creating a single mechanism credential and using addCred to extend
the credential over other mechanisms.
Parameters:
aName Name of the principal for whom this credential is to
be acquired. Use "null" to specify the default
principal.
lifetime The number of seconds that credentials should remain
valid. Use GSSCredential.INDEFINITE to request that
the credentials have the maximum permitted lifetime.
mechOid The array of mechanisms over which the credential is
to be acquired.
usage The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
6.2.4. dispose
public void dispose() throws GSSException public void dispose() throws GSSException
Releases any sensitive information that the GSSCredential may be Releases any sensitive information that the IGSSCredential object may
containing. Applications should call this method as soon as the be containing. Applications should call this method as soon as the
credential is no longer needed to minimize the time sensitive credential is no longer needed to minimize the time any sensitive
information is maintained. information is maintained.
6.2.5. getGSSName 7.3.3. getName
public GSSName getGSSName() throws GSSException
public IGSSName getName() throws GSSException
Retrieves the name of the entity that the credential asserts. Retrieves the name of the entity that the credential asserts.
6.2.6. getGSSName 7.3.4. getName
public GSSName getGSSName(Oid mechOID) throws GSSException public IGSSName getName(Oid mechOID) throws GSSException
Retrieves per-mechanism name of the entity that the credential Retrieves a mechanism name of the entity that the credential asserts.
asserts. Equivalent to calling canonicalize() on the name returned by 7.3.3.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.2.7. getRemainingLifetime 7.3.5. getRemainingLifetime
public int getRemainingLifetime() throws GSSException public int getRemainingLifetime() throws GSSException
Returns the remaining lifetime in seconds for a credential. The Returns the remaining lifetime in seconds for a credential. The
remaining lifetime is the minimum lifetime for any of the underlying remaining lifetime is the minimum lifetime for any of the underlying
credential mechanisms. A return value of GSSCredential.INDEFINITE credential mechanisms. A return value of IGSSCredential.INDEFINITE
indicates that the credential does not expire. A return value of 0 indicates that the credential does not expire. A return value of 0
indicates that the credential is already expired. indicates that the credential is already expired.
6.2.8. getRemainingInitLifetime 7.3.6. getRemainingInitLifetime
public int getRemainingInitLifetime(Oid mech) throws GSSException public int getRemainingInitLifetime(Oid mech) throws GSSException
Returns the remaining lifetime is seconds for the credential to Returns the remaining lifetime is seconds for the credential to
remain capable of initiating security contexts under the specified remain capable of initiating security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE indicates that mechanism. A return value of IGSSCredential.INDEFINITE indicates
the credential does not expire for context initiation. A return value that the credential does not expire for context initiation. A return
of 0 indicates that the credential is already expired. value of 0 indicates that the credential is already expired.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.2.9. getRemainingAcceptLifetime 7.3.7. getRemainingAcceptLifetime
public int getRemainingAcceptLifetime(Oid mech) throws GSSException public int getRemainingAcceptLifetime(Oid mech) throws GSSException
Returns the remaining lifetime is seconds for the credential to Returns the remaining lifetime is seconds for the credential to
remain capable of accepting security contexts under the specified remain capable of accepting security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE indicates that mechanism. A return value of IGSSCredential.INDEFINITE indicates
the credential does not expire for context acceptance. A return value that the credential does not expire for context acceptance. A return
of 0 indicates that the credential is already expired. value of 0 indicates that the credential is already expired.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.2.10. getUsage 7.3.8. getUsage
public int getUsage() throws GSSException public int getUsage() throws GSSException
Returns the credential usage flag. The return value will be one of Returns the credential usage flag. The return value will be one of
GSSCredential.INITIATE_ONLY, GSSCredential.ACCEPT_ONLY, or IGSSCredential.INITIATE_ONLY, IGSSCredential.ACCEPT_ONLY, or
GSSCredential.INITIATE_AND_ACCEPT. IGSSCredential.INITIATE_AND_ACCEPT.
6.2.11. getUsage 7.3.9. getUsage
public int getUsage(Oid mechOID) throws GSSException public int getUsage(Oid mechOID) throws GSSException
Returns the credential usage flag for the specified credential Returns the credential usage flag for the specified credential
mechanism. The return value will be one of mechanism. The return value will be one of
GSSCredential.INITIATE_ONLY, GSSCredential.ACCEPT_ONLY, or IGSSCredential.INITIATE_ONLY, IGSSCredential.ACCEPT_ONLY, or
GSSCredential.INITIATE_AND_ACCEPT. IGSSCredential.INITIATE_AND_ACCEPT.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.2.12. getMechs 7.3.10. getMechs
public Oid[] getMechs() throws GSSException public Oid[] getMechs() throws GSSException
Returns an array of mechanisms supported by this credential. Returns an array of mechanisms supported by this credential.
6.2.13. add 7.3.11. add
public void add(GSSName aName, int initLifetime, int acceptLifetime, public void add(GSSName aName, int initLifetime, int acceptLifetime,
Oid mech, int usage) throws GSSException Oid mech, int usage) throws GSSException
Adds a mechanism specific credential-element to an existing Adds a mechanism specific credential-element to an existing
credential. This method allows the construction of credentials one credential. This method allows the construction of credentials one
mechanism at a time. This functionality is equivalent to using the mechanism at a time.
GSSCredential constructor which takes an Oid array as an input
parameter or calling this method once for each of the mechanisms in
the array.
This routine is envisioned to be used mainly by context acceptors This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials which are to be used during the creation of acceptance credentials which are to be used
with a variety of clients using different security mechanisms. with a variety of clients using different security mechanisms.
To obtain a new credential object after the addition of the new This routine adds the new credential element "in-place". To add the
mechanism credential, the clone method can be called. element in a new credential, first call clone() to obtain a copy of
this credential, then call its add() method.
Parameters: Parameters:
aName Name of the principal for whom this credential is to aName Name of the principal for whom this credential is to
be acquired. Use "null" to specify the default be acquired. Use "null" to specify the default
principal. principal.
initLifetime initLifetime
The number of seconds that credentials should remain The number of seconds that credentials should remain
valid for initiating of security contexts. Use valid for initiating of security contexts. Use
skipping to change at page 42, line 40 skipping to change at page 48, line 41
credentials have the maximum permitted lifetime. credentials have the maximum permitted lifetime.
mechOid The mechanisms over which the credential is to be mechOid The mechanisms over which the credential is to be
acquired. acquired.
usage The intended usage for this credential object. The usage The intended usage for this credential object. The
value of this parameter must be one of: value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
6.2.14. equals 7.3.12. equals
public boolean equals(Object another) public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied Tests if this IGSSCredential refers to the same entity as the
object. The two GSSCredentials must be acquired over the same supplied object. The two credentials must be acquired over the same
mechanisms and must refer to the same principal. Returns "true" if mechanisms and must refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise. the two GSSCredentials refer to the same entity; "false" otherwise.
Parameter: Parameters:
another Another GSSCredential object for comparison.
6.3. public class GSSContext another Another IGSSCredential object for comparison.
This class represents the GSS-API security context and its associated 7.4. public interface IGSSContext
operations. Security contexts are established between peers using
locally acquired credentials. Multiple contexts may exist
simultaneously between a pair of peers, using the same or different
set of credentials. GSS-API functions in a manner independent of the
underlying transport protocol and depends on its calling application
to transport its tokens between peers.
The GSSContext object can be thought of as having 3 implicit states: This interface encapsulates the GSS-API security context and provides
before it is established, during its context establishment, and after the security services (wrap, unwrap, getMIC, verifyMIC) that are
a fully established context exists. available over the context. Security contexts are established
between peers using locally acquired credentials. Multiple contexts
may exist simultaneously between a pair of peers, using the same or
different set of credentials. GSS-API functions in a manner
independent of the underlying transport protocol and depends on its
calling application to transport its tokens between peers.
Before the context establishment phase is initiated, the context Before the context establishment phase is initiated, the context
initiator may request specific characteristics desired of the initiator may request specific characteristics desired of the
established context. These can be set using the set methods. After established context. These can be set using the set methods. After
the context is established, the caller can check the actual the context is established, the caller can check the actual
characteristic and services offered by the context using the query characteristic and services offered by the context using the query
methods. methods.
The context establishment phase begins with the first call to the The context establishment phase begins with the first call to the
init method by the context initiator. During this phase the init and init method by the context initiator. During this phase the
accept methods will produce GSS-API authentication tokens which the initSecContext and acceptSecContext methods will produce GSS-API
calling application needs to send to its peer. The init and accept authentication tokens which the calling application needs to send to
methods may return a CONTINUE_NEEDED code which indicates that a its peer. If an error occurs at any point, an exception will get
token is needed from its peer in order to continue the context thrown and the code will start executing in a catch block. If not,
establishment phase. A return code of COMPLETE signals that the local the normal flow of code continues and the application can make a call
end of the context is established. This may still require that a to the isEstablished() method. If this method returns false it
token be sent to the peer, depending if one is produced by GSS-API. indicates that a token is needed from its peer in order to continue
The isEstablished method can also be used to determine if the local the context establishment phase. A return value of true signals that
end of the context has been fully established. During the context the local end of the context is established. This may still require
establishment phase, the isProtReady method may be called to that a token be sent to the peer, if one is produced by GSS-API.
determine if the context can be used for the per-message operations. During the context establishment phase, the isProtReady() method may
This allows implementation to use per-message operations on contexts be called to determine if the context can be used for the per-message
which aren't fully established. operations. This allows applications to use per-message operations
on contexts which aren't fully established.
After the context has been established or the isProtReady method After the context has been established or the isProtReady() method
returns "true", the query routines can be invoked to determine the returns "true", the query routines can be invoked to determine the
actual characteristics and services of the established context. The actual characteristics and services of the established context. The
application can also start using the per-message methods of wrap and application can also start using the per-message methods of wrap and
getMIC to obtain cryptographic operations on application supplied getMIC to obtain cryptographic operations on application supplied
data. data.
When the context is no longer needed, the application should call When the context is no longer needed, the application should call
dispose to release any system resources the context may be using. dispose to release any system resources the context may be using.
6.3.1. Example Code 7.4.1. Static Constants
The example code presented below demonstrates the usage of the
GSSContext object for the initiating peer. Different operations on
the GSSContext object are presented, including: object instantiation,
setting of desired flags, context establishment, query of actual
context flags, per-message operations on application data, and
finally context deletion.
//start by creating the name for a service entity
GSSName targetName = new GSSName("service@host",
GSSName.NT_HOSTBASED_SERVICE);
//create a context using default credentials for the
//default mechanism
GSSContext aCtxt = new GSSContext(targetName,
null, /* default mechanism */
null, /* default credentials */
GSSContext.INDEFINITE);
//set desired context options - all others are false by default
aCtxt.requestConf(true);
aCtxt.requestMutualAuth(true);
aCtxt.requestReplayDet(true);
aCtxt.requestSequenceDet(true);
//establish a context between peers - using byte arrays
byte []inTok = new byte[0];
try {
do {
byte[] outTok = aCtxt.init(inTok, 0, inTok.length);
//send the token if present
if (outTok != null)
sendToken(outTok);
//check if we should expect more tokens
if (aCtxt.isEstablished())
break;
//another token expected from peer
inTok = readToken();
} while (true);
} catch (GSSException e) {
print("GSSAPI error: " + e.getMessage());
}
//display context information
print("Remaining lifetime in seconds = " + aCtxt.getLifetime());
print("Context mechanism = " + aCtxt.getMech().toString());
print("Initiator = " + aCtxt.getSrcName().toString());
print("Acceptor = " + aCtxt.getTargName().toString());
if (aCtxt.getConfState())
print("Confidentiality security service available");
if (aCtxt.getIntegState())
print("Integrity security service available");
//perform wrap on an application supplied message, appMsg,
//using QOP = 0, and requesting privacy service
byte [] appMsg ...
MessageProp mProp = new MessageProp(0, true);
byte []tok = aCtxt.wrap(appMsg, 0, appMsg.length, mProp);
if (mProp.getPrivacy())
print("Message protected with privacy.");
sendToken(tok);
//release the local-end of the context
aCtxt.dispose();
6.3.2. Class Constants
public static final int INDEFINITE public static final int INDEFINITE
A lifetime constant representing indefinite context lifetime. This A lifetime constant representing indefinite context lifetime. This
value must be set to the maximum integer value in Java - value must be set to the maximum integer value in Java -
Integer.MAX_VALUE. Integer.MAX_VALUE.
public static final int COMPLETE 7.4.2. initSecContext
Return value from either accept or init stating that the context
creation phase is complete for this peer.
public static final int CONTINUE_NEEDED
Return value from either accept or init stating that another token is
required from the peer to continue context creation. This may be
returned several times indicating multiple token exchanges.
6.3.3. Constructors
public GSSContext(GSSName peer, Oid mechOid, GSSCredential myCred,
int lifetime) throws GSSException
Constructor for creating a context on the initiator's side. Context
flags may be modified through the mutator methods prior to calling
init.
Parameters:
peer Name of the target peer.
mechOid Oid of the desired mechanism. Use "null" to request
the default mechanism.
myCred Credentials of the initiator. Use "null" to act as a
default initiator principal.
lifetime The request lifetime, in seconds, for the credential.
public GSSContext(GSSCredential myCred) throws GSSException
Constructor for creating a context on the acceptor' side. The
context's properties will be determined from the input token supplied
to the accept method.
Parameters:
myCred Credentials for the acceptor. Use "null" to act as a
default acceptor principal.
public GSSContext(byte [] interProcessToken) throws GSSException
Constructor for creating a previously exported context. The context
properties will be determined from the input token and can't be
modified through the set methods.
Parameters:
interProcessToken
The token previously emitted from the export method.
6.3.4. init
public byte[] init(byte inputBuf[], int offset, int len) public byte[] initSecContext(byte inputBuf[], int offset, int len)
throws GSSException throws GSSException
Called by the context initiator to start the context creation Called by the context initiator to start the context creation
process. This is equivalent to the stream based method except that process. This is equivalent to the stream based method except that
the token buffers are handled as byte arrays instead of using stream the token buffers are handled as byte arrays instead of using stream
objects. This method may return an output token which the application objects. This method may return an output token which the
will need to send to the peer for processing by the accept call. application will need to send to the peer for processing by the
"null" return value indicates that no token needs to be sent to the accept call. "null" return value indicates that no token needs to be
peer. The application can call isEstablished to determine if the sent to the peer. The application can call isEstablished() to
context establishment phase is complete for this peer. A return value determine if the context establishment phase is complete for this
of "false" from isEstablished indicates that more tokens are expected peer. A return value of "false" from isEstablished() indicates that
to be supplied to the init method. Please note that the init method more tokens are expected to be supplied to the initSecContext()
may return a token for the peer, and isEstablished return "true" method. Note that it is possible that the initSecContext() method
also. This indicates that the token needs to be sent to the peer, but return a token for the peer, and isEstablished() return "true" also.
the local end of the context is now fully established. This indicates that the token needs to be sent to the peer, but the
local end of the context is now fully established.
Upon completion of the context establishment, the available context Upon completion of the context establishment, the available context
options may be queried through the get methods. options may be queried through the get methods.
Parameters: Parameters:
inputBuf Token generated by the peer. This parameter is ignored inputBuf Token generated by the peer. This parameter is ignored
on the first call. on the first call.
offset The offset within the inputBuf where the token begins. offset The offset within the inputBuf where the token begins.
len The length of the token within the inputBuf (starting len The length of the token within the inputBuf (starting
at the offset). at the offset).
6.3.4.1. Example Code 7.4.2.1. Example Code
//create a GSSContext object // Create a new IGSSContext implementation object.
GSSContext aCtxt = new GSSContext(... // GSSContext wrapper implements interface IGSSContext.
IGSSContext context = new GSSContext(...);
byte []inTok = new byte[0]; byte []inTok = new byte[0];
try { try {
do { do {
byte[] outTok = aCtxt.init(inTok, 0, byte[] outTok = context.initSecContext(inTok, 0,
inTok.length); inTok.length);
//send the token if present //send the token if present
if (outTok != null) if (outTok != null)
sendToken(outTok); sendToken(outTok);
//check if we should expect more tokens //check if we should expect more tokens
if (aCtxt.isEstablished()) if (context.isEstablished())
break; break;
//another token expected from peer //another token expected from peer
inTok = readToken(); inTok = readToken();
} while (true); } while (true);
} catch (GSSException e) { } catch (GSSException e) {
print("GSSAPI error: " + e.getMessage()); print("GSSAPI error: " + e.getMessage());
} }
6.3.5. init 7.4.3. initSecContext
public int init(InputStream inputBuf, OutputStream outputBuf) public int initSecContext(InputStream inStream,
throws GSSException OutputStream outStream) throws GSSException
Called by the context initiator to start the context creation Called by the context initiator to start the context creation
process. This is equivalent to the byte array based method. This process. This is equivalent to the byte array based method. This
method may write an output token to the outputBuf, which the method may write an output token to the outStream, which the
application will need to send to the peer for processing by the application will need to send to the peer for processing by the
accept call. 0 bytes written to the output stream indicate that no accept call. 0 bytes written to the output stream indicate that no
token needs to be sent to the peer. The method will return either token needs to be sent to the peer. The application can call
COMPLETE or CONTINUE_NEEDED indicating the status of the current isEstablished() to determine if the context establishment phase is
context. A return value of COMPLETE indicates that the context complete for this peer. A return value of "false" from isEstablished
establishment phase is complete for this peer, while CONTINUE_NEEDED indicates that more tokens are expected to be supplied to the
means that another token is expected from the peer. The isEstablished initSecContext method. Note that it is possible that the
method can also be used to determine this state. Note that it is initSecContext() method return a token for the peer, and
possible to have a token for the peer while this method returns isEstablished() return "true" also. This indicates that the token
COMPLETE. This indicates that the local end of the context is needs to be sent to the peer, but the local end of the context is now
established, but the token needs to be sent to the peer to complete fully established.
the context establishment.
The GSS-API authentication tokens contain a definitive start and end. The GSS-API authentication tokens contain a definitive start and end.
This method will attempt to read one of these tokens per invocation, This method will attempt to read one of these tokens per invocation,
and may block on the stream if only part of the token is available. and may block on the stream if only part of the token is available.
Upon completion of the context establishment, the available context Upon completion of the context establishment, the available context
options may be queried through the get methods. options may be queried through the get methods.
Parameters: Parameters:
inputBuf Contains the token generated by the peer. This inStream Contains the token generated by the peer. This
parameter is ignored on the first call. parameter is ignored on the first call.
outputBuf Buffer where the output token will be written. During outStream Output stream where the output token will be written.
the final stage of context establishment, there may be During the final stage of context establishment, there
no bytes written. may be no bytes written.
6.3.5.1. Example Code 7.4.3.1. Example Code
//create a GSSContext object // Create a new IGSSContext implementation object.
GSSContext aCtxt = new GSSContext(... // GSSContext wrapper implements interface IGSSContext.
IGSSContext context = new GSSContext(...);
//use standard java.io stream objects //use standard java.io stream objects
ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayOutputStream os = new ByteArrayOutputStream();
ByteArrayInputStream is = null; ByteArrayInputStream is = null;
try { try {
while (aCtxt.init(is, os) == do {
GSSContext.CONTINUE_NEEDED) { context.init(is, os);
//send token to peer // send token if present
if (os.size() > 0)
sendToken(os); sendToken(os);
// check if we should expect more tokens
if (context.isEstablished())
break;
//another token expected from peer //another token expected from peer
is = recvToken(); is = recvToken();
}
//send token if present } while (true);
if (os.size() > 0)
sendToken(os);
} catch (GSSException e) { } catch (GSSException e) {
print("GSS-API error: " + e.getMessage()); print("GSSAPI error: " + e.getMessage());
} }
6.3.6. accept 7.4.4. acceptSecContext
public byte[] accept(byte inTok[], int offset, int len) public byte[] acceptSecContext(byte inTok[], int offset, int len)
throws GSSException throws GSSException
Called by the context acceptor upon receiving a token from the peer. Called by the context acceptor upon receiving a token from the peer.
This call is equivalent to the stream based method except that the This call is equivalent to the stream based method except that the
token buffers are handled as byte arrays instead of using stream token buffers are handled as byte arrays instead of using stream
objects. objects.
This method may return an output token which the application will This method may return an output token which the application will
need to send to the peer for further processing by the init call. need to send to the peer for further processing by the init call.
"null" return value indicates that no token needs to be sent to the "null" return value indicates that no token needs to be sent to the
peer. The application can call isEstablished to determine if the peer. The application can call isEstablished() to determine if the
context establishment phase is complete for this peer. A return value context establishment phase is complete for this peer. A return
of "false" from isEstablished indicates that more tokens are expected value of "false" from isEstablished() indicates that more tokens are
to be supplied to this method. expected to be supplied to this method.
Please note that the accept method may return a token for the peer, Note that it is possible that acceptSecContext() return a token for
and isEstablished return "true" also. This indicates that the token the peer, and isEstablished() return "true" also. This indicates
needs to be sent to the peer, but the local end of the context is now that the token needs to be sent to the peer, but the local end of the
fully established. context is now fully established.
Upon completion of the context establishment, the available context Upon completion of the context establishment, the available context
options may be queried through the get methods. options may be queried through the get methods.
Parameters: Parameters:
inTok Token generated by the peer. inTok Token generated by the peer.
offset The offset within the inTok where the token begins. offset The offset within the inTok where the token begins.
len The length of the token within the inTok (starting at len The length of the token within the inTok (starting at
the offset). the offset).
6.3.6.1. Example Code 7.4.4.1. Example Code
//obtain server credentials // acquire server credentials
GSSCredential server = ... IGSSCredential server = new GSSCredential(...);
//create acceptor GSS-API context // create acceptor GSS-API context fromthe default provider
GSSContext aCtxt = new GSSContext(server); IGSSContext context = new GSSContext(server, null);
try { try {
do { do {
byte [] inTok = readToken(); byte [] inTok = readToken();
byte []outTok = aCtxt.accept(inTok, 0,
byte []outTok = context.accept(inTok, 0,
inTok.length); inTok.length);
//possibly send token to peer //possibly send token to peer
if (outTok != null) if (outTok != null)
sendToken(outTok); sendToken(outTok);
//check if local context establishment is complete //check if local context establishment is complete
if (aCtxt.isEstablished()) if (context.isEstablished())
break; break;
} while (true); } while (true);
} catch (GSSException e) { } catch (GSSException e) {
print("GSS-API error: " + e.getMessage()); print("GSS-API error: " + e.getMessage());
} }
6.3.7. accept 7.4.5. acceptSecContext
public int accept(InputStream inputBuf, OutputStream outputBuf) public void acceptSecContext(InputStream inStream,
throws GSSException OutputStream outStream) throws GSSException
Called by the context acceptor upon receiving a token from the peer. Called by the context acceptor upon receiving a token from the peer.
This call is equivalent to the byte array method. It may write an This call is equivalent to the byte array method. It may write an
output token to the outputBuf, which the application will need to output token to the outStreamf, which the application will need to
send to the peer for processing by its init method. 0 bytes written send to the peer for processing by its initSecContext method. 0 bytes
to the output stream indicate that no token needs to be sent to the written to the output stream indicate that no token needs to be sent
peer. The method will return either COMPLETE or CONTINUE_NEEDED to the peer. The application can call isEstablished() to determine
indicating the status of the current context. A return value of if the context establishment phase is complete for this peer. A
COMPLETE indicates that the context establishment phase is complete return value of "false" from isEstablished() indicates that more
for this peer, while CONTINUE_NEEDED means that another token is tokens are expected to be supplied to this method.
expected from the peer. The isEstablished method can also be used to
determine this state. Note that it is possible to have a token for Note that it is possible that acceptSecContext() return a token for
the peer while this method returns COMPLETE. This indicates that the the peer, and isEstablished() return "true" also. This indicates
local end of the context is established, but the token needs to be that the token needs to be sent to the peer, but the local end of the
sent to the peer to complete the context establishment. context is now fully established.
The GSS-API authentication tokens contain a definitive start and end. The GSS-API authentication tokens contain a definitive start and end.
This method will attempt to read one of these tokens per invocation, This method will attempt to read one of these tokens per invocation,
and may block on the stream if only part of the token is available. and may block on the stream if only part of the token is available.
Upon completion of the context establishment, the available context Upon completion of the context establishment, the available context
options may be queried through the get methods. options may be queried through the get methods.
Parameters: Parameters:
inputBuf Contains the token generated by the peer. inStream Contains the token generated by the peer.
outputBuf Buffer where the output token will be written. During outStream Output stream where the output token will be written.
the final stage of context establishment, there may be During the final stage of context establishment, there
no bytes written. may be no bytes written.
6.3.7.1. Example Code 7.4.5.1. Example Code
//obtain server credentials // acquire server credentials
GSSCredential server = ... IGSSCredential server = new GSSCredential(...);
//create acceptor GSS-API context // create acceptor GSS-API context fromthe default provider
GSSContext aCtxt = new GSSContext(server); IGSSContext context = new GSSContext(server, null);
//use standard java.io stream objects //use standard java.io stream objects
ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayOutputStream os = new ByteArrayOutputStream();
ByteArrayInputStream is = null; ByteArrayInputStream is = null;
int retCode;
try { try {
do { do {
is = recvToken(); is = recvToken();
retCode = aCtxt.accept(is, os);
context.acceptSecContext(is, os);
//possibly send token to peer //possibly send token to peer
if (os.size() > 0) if (os.size() > 0)
sendToken(os); sendToken(os);
} while (retCode == GSSContext.CONTINUE_NEEDED); // check if local context establishment is complete
if (context.isEstablished())
break;
} while (true);
} catch (GSSException e) { } catch (GSSException e) {
print("GSS-API error: " + e.getMessage()); print("GSS-API error: " + e.getMessage());
} }
6.3.8. isEstablished 7.4.6. isEstablished
public boolean isEstablished() public boolean isEstablished()
Returns "true" if this is a fully established context. Used after the Used during context establishment to determine the state of the
init and accept methods to check if more tokens are needed from the context. Returns "true" if this is a fully established context on
peer. the caller's side and no more tokens are needed from the peer.
Should be called after a call to initSecContext() or
acceptSecContext() when no GSSException is thrown.
6.3.9. dispose 7.4.7. dispose
public void dispose() throws GSSException public void dispose() throws GSSException
Releases any system resources and cryptographic information stored in Releases any system resources and cryptographic information stored in
the context object. This will invalidate the context. the context object. This will invalidate the context.
6.3.10. getWrapSizeLimit 7.4.8. getWrapSizeLimit
public int getWrapSizeLimit(int qop, boolean confReq, public int getWrapSizeLimit(int qop, boolean confReq,
int maxTokenSize) throws GSSException int maxTokenSize) throws GSSException
Returns the maximum message size that, if presented to the wrap Returns the maximum message size that, if presented to the wrap
method with the same confReq and qop parameters, will result in an method with the same confReq and qop parameters, will result in an
output token containing no more than the maxTokenSize bytes. output token containing no more than the maxTokenSize bytes.
This call is intended for use by applications that communicate over This call is intended for use by applications that communicate over
protocols that impose a maximum message size. It enables the protocols that impose a maximum message size. It enables the
skipping to change at page 53, line 44 skipping to change at page 57, line 18
qop Indicates the level of protection wrap will be asked qop Indicates the level of protection wrap will be asked
to provide. to provide.
confReq Indicates if wrap will be asked to provide privacy confReq Indicates if wrap will be asked to provide privacy
service. service.
maxTokenSize maxTokenSize
The desired maximum size of the token emitted by wrap. The desired maximum size of the token emitted by wrap.
6.3.11. wrap 7.4.9. wrap
public byte[] wrap(byte inBuf[], int offset, int len, public byte[] wrap(byte inBuf[], int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Allows to apply per-message security services over the established Applies per-message security services over the established security
security context. The method will return a token with a cryptographic context. The method will return a token with a cryptographic MIC and
MIC and may optionally encrypt the specified inBuf. This method is may optionally encrypt the specified inBuf. This method is
equivalent in functionality to its stream counterpart. The returned equivalent in functionality to its stream counterpart. The returned
byte array will contain both the MIC and the message. The msgProp byte array will contain both the MIC and the message.
object is used to specify a QOP value which selects cryptographic
algorithms, and a privacy service, if supported by the chosen The MessageProp object is instantiated by the application and used to
mechanism. specify a QOP value which selects cryptographic algorithms, and a
privacy service to optionally encrypt the message. The underlying
mechanism that is used in the call may not be able to provide the
privacy service. It sets the actual privacy service that it does
provide in this MessageProp object which the caller should then query
upon return. If the mechanism is not able to provide the requested
QOP, it throws a GSSException with the BAD_QOP code.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations should support by wrap to provide "secure framing", implementations should support
the wrapping of zero-length messages. the wrapping of zero-length messages.
The application will be responsible for sending the token to the The application will be responsible for sending the token to the
peer. peer.
Parameters: Parameters:
inBuf Application data to be protected. inBuf Application data to be protected.
offset The offset within the inBuf where the data begins. offset The offset within the inBuf where the data begins.
len The length of the data within the inBuf (starting at len The length of the data within the inBuf (starting at
the offset). the offset).
msgProp Instance of MessageProp containing the desired QOP and msgProp Instance of MessageProp that is used by the
privacy state. Upon return from this method, this application to set the desired QOP and privacy state.
object will contain the applied QOP (for cases when 0 Set the desired QOP to 0 to request the default QOP.
was used) and the actual privacy state of the token. Upon return from this method, this object will contain
the the actual privacy state that was applied to the
message by the underlying mechanism.
6.3.12. wrap 7.4.10. wrap
public void wrap(InputStream inBuf, OutputStream outBuf, public void wrap(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Allows to apply per-message security services over the established Allows to apply per-message security services over the established
security context. The method will produce a token with a security context. The method will produce a token with a
cryptographic MIC and may optionally encrypt the specified inBuf. cryptographic MIC and may optionally encrypt the message in inStream.
The outBuf will contain both the MIC and the message. The msgProp The outStream will contain both the MIC and the message.
object is used to specify a QOP value to select cryptographic
algorithms, and a privacy service, if supported by the chosen The MessageProp object is instantiated by the application and used to
mechanism. specify a QOP value which selects cryptographic algorithms, and a
privacy service to optionally encrypt the message. The underlying
mechanism that is used in the call may not be able to provide the
privacy service. It sets the actual privacy service that it does
provide in this MessageProp object which the caller should then query
upon return. If the mechanism is not able to provide the requested
QOP, it throws a GSSException with the BAD_QOP code.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations should support by wrap to provide "secure framing", implementations should support
the wrapping of zero-length messages. the wrapping of zero-length messages.
The application will be responsible for sending the token to the The application will be responsible for sending the token to the
peer. peer.
Parameters: Parameters:
inpBuf Application data to be protected. inStream Input stream containing the application data to be
protected.
outBuf The buffer to write the protected message to. The outStream The output stream to write the protected message to.
application is responsible for sending this to the The application is responsible for sending this to the
other peer for processing in its unwrap method. other peer for processing in its unwrap method.
msgProp Instance of MessageProp containing the desired QOP and msgProp Instance of MessageProp that is used by the
privacy state. Upon return from this method, this application to set the desired QOP and privacy state.
object will contain the applied QOP (for cases when 0
was used) and the actual privacy state of the token.
6.3.13. unwrap Set the desired QOP to 0 to request the default QOP.
Upon return from this method, this object will contain
the the actual privacy state that was applied to the
message by the underlying mechanism.
7.4.11. unwrap
public byte [] unwrap(byte[] inBuf, int offset, int len, public byte [] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Used by the peer application to process tokens generated with the Used by the peer application to process tokens generated with the
wrap call. This call is equal in functionality to its stream wrap call. This call is equal in functionality to its stream
counterpart. The method will return the message supplied in the peer counterpart. The method will return the message supplied in the peer
application to the wrap call, verifying the embedded MIC. The application to the wrap call, verifying the embedded MIC.
msgProp instance will indicate whether the message was encrypted and
will contain the QOP indicating the strength of protection that was The MessageProp object is instantiated by the application and is used
used to provide the confidentiality and integrity services. by the underlying mechanism to return information to the caller such
as the QOP, whether confidentiality was applied to the message, and
other supplementary message state information.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations should support by wrap to provide "secure framing", implementations should support
the wrapping and unwrapping of zero-length messages. the wrapping and unwrapping of zero-length messages.
Parameters: Parameters:
inBuf GSS-API wrap token received from peer. inBuf GSS-API wrap token received from peer.
offset The offset within the inBuf where the token begins. offset The offset within the inBuf where the token begins.
len The length of the token within the inBuf (starting at len The length of the token within the inBuf (starting at
the offset). the offset).
msgProp Upon return from the method, this object will contain msgProp Upon return from the method, this object will contain
the applied QOP and the privacy state of the supplied the applied QOP, the privacy state of the message, and
token. supplementary information described in 4.12.3 stating
whether the token was a duplicate, old, out of
sequence or arriving after a gap.
6.3.14. unwrap 7.4.12. unwrap
public void unwrap(InputStream inBuf, OutputStream outBuf, public void unwrap(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Used by the peer application to process tokens generated with the Used by the peer application to process tokens generated with the
wrap call. This call is equal in functionality to its byte array wrap call. This call is equal in functionality to its byte array
counterpart. It will produce the message supplied in the peer counterpart. It will produce the message supplied in the peer
application to the wrap call, verifying the embedded MIC. The application to the wrap call, verifying the embedded MIC.
msgProp parameter will indicate whether the message was encrypted and
will contain the QOP indicating the strength of protection that was The MessageProp object is instantiated by the application and is used
used to provide the confidentiality and integrity services. The by the underlying mechanism to return information to the caller such
msgProp object will also contain the supplementary status information as the QOP, whether confidentiality was applied to the message, and
for the token. other supplementary message state information.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations should support by wrap to provide "secure framing", implementations should support
the wrapping and unwrapping of zero-length messages. the wrapping and unwrapping of zero-length messages.
Parameters: Parameters:
inBuf GSS-API wrap token received from peer. inStream Input stream containing the GSS-API wrap token
received from the peer.
outBuf The buffer to write the application message to. outStream The output stream to write the application message to.
msgProp Upon return from the method, this object will contain msgProp Upon return from the method, this object will contain
the applied QOP, the privacy state, and supplementary the applied QOP, the privacy state of the message, and
status values for the supplied token. supplementary information described in 4.12.3 stating
whether the token was a duplicate, old, out of
sequence or arriving after a gap.
6.3.15. getMIC 7.4.13. getMIC
public byte[] getMIC(byte []inMsg, int offset, int len, public byte[] getMIC(byte []inMsg, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Returns a token containing a cryptographic MIC for the supplied Returns a token containing a cryptographic MIC for the supplied
message, for transfer to the peer application. Unlike wrap, which message, for transfer to the peer application. Unlike wrap, which
encapsulates the user message in the returned token, only the message encapsulates the user message in the returned token, only the message
MIC is returned in the output token. This method is identical in MIC is returned in the output token. This method is identical in
functionality to its stream counterpart. functionality to its stream counterpart.
skipping to change at page 57, line 12 skipping to change at page 61, line 8
Parameters: Parameters:
inMsg Message to generate MIC over. inMsg Message to generate MIC over.
offset The offset within the inMsg where the token begins. offset The offset within the inMsg where the token begins.
len The length of the token within the inMsg (starting at len The length of the token within the inMsg (starting at
the offset). the offset).
msgProp Indicates the desired QOP to be used. Use QOP of 0 to msgProp Instance of MessageProp that is used by the
indicate default value. The confidentiality flag is application to set the desired QOP. Set the desired
ignored. Upon return from the method, this object will QOP to 0 in msgProp to request the default QOP.
contain the applied QOP (in case 0 was selected). Alternatively pass in "null" for msgProp to request
default QOP.
6.3.16. getMIC 7.4.14. getMIC
public void getMIC(InputStream inMsg, OutputStream outBuf, public void getMIC(InputStream inStream, OutputStream outStream,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Produces a token containing a cryptographic MIC for the supplied Produces a token containing a cryptographic MIC for the supplied
message, for transfer to the peer application. Unlike wrap, which message, for transfer to the peer application. Unlike wrap, which
encapsulates the user message in the returned token, only the message encapsulates the user message in the returned token, only the message
MIC is produced in the output token. This method is identical in MIC is produced in the output token. This method is identical in
functionality to its byte array counterpart. functionality to its byte array counterpart.
Note that privacy can only be applied through the wrap call. Note that privacy can only be applied through the wrap call.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by getMIC to provide "secure framing", implementations should support by getMIC to provide "secure framing", implementations should support
derivation of MICs from zero-length messages. derivation of MICs from zero-length messages.
Parameters: Parameters:
inMsg Buffer containing the message to generate MIC over. inStream inStream Input stream containing the message to
generate MIC over.
outBuf The buffer to write the GSS-API output token into. outStream outStream Output stream to write the GSS-API output
token to.
msgProp Indicates the desired QOP to be used. Use QOP of 0 to msgProp Instance of MessageProp that is used by the
indicate default value. The confidentiality flag is application to set the desired QOP. Set the desired
ignored. Upon return from the method, this object will QOP to 0 in msgProp to request the default QOP.
contain the applied QOP (in case 0 was selected). Alternatively pass in "null" for msgProp to request
default QOP.
6.3.17. verifyMIC 7.4.15. verifyMIC
public void verifyMIC(byte []inTok, int tokOffset, int tokLen, public void verifyMIC(byte []inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen, byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Verifies the cryptographic MIC, contained in the token parameter, Verifies the cryptographic MIC, contained in the token parameter,
over the supplied message. The msgProp parameter will contain the over the supplied message. This method is equivalent in
QOP indicating the strength of protection that was applied to the functionality to its stream counterpart.
message. This method is equivalent in functionality to its stream
counterpart. The MessageProp object is instantiated by the application and is used
by the underlying mechanism to return information to the caller such
as the QOP indicating the strength of protection that was applied to
the message and other supplementary message state information.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by getMIC to provide "secure framing", implementations should support by getMIC to provide "secure framing", implementations should support
the calculation and verification of MICs over zero-length messages. the calculation and verification of MICs over zero-length messages.
Parameters: Parameters:
inTok Token generated by peer's getMIC method. inTok Token generated by peer's getMIC method.
tokOffset The offset within the inTok where the token begins. tokOffset The offset within the inTok where the token begins.
skipping to change at page 58, line 32 skipping to change at page 62, line 35
inMsg Application message to verify the cryptographic MIC inMsg Application message to verify the cryptographic MIC
over. over.
msgOffset The offset within the inMsg where the message begins. msgOffset The offset within the inMsg where the message begins.
msgLen The length of the message within the inMsg (starting msgLen The length of the message within the inMsg (starting
at the offset). at the offset).
msgProp Upon return from the method, this object will contain msgProp Upon return from the method, this object will contain
the applied QOP and supplementary status values for the applied QOP and supplementary information
the supplied token. The confidentiality state will be described in 4.12.3 stating whether the token was a
always set to "false". duplicate, old, out of sequence or arriving after a
gap. The confidentiality state will be set to
"false".
6.3.18. verifyMIC 7.4.16. verifyMIC
public void verifyMIC(InputStream inTok, InputStream inMsg, public void verifyMIC(InputStream tokStream, InputStream msgStream,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Verifies the cryptographic MIC, contained in the token parameter, Verifies the cryptographic MIC, contained in the token parameter,
over the supplied message. The msgProp parameter will contain the over the supplied message. This method is equivalent in
QOP indicating the strength of protection that was applied to the functionality to its byte array counterpart.
message. This method is equivalent in functionality to its byte array
counterpart. The MessageProp object is instantiated by the application and is used
by the underlying mechanism to return information to the caller such
as the QOP indicating the strength of protection that was applied to
the message and other supplementary message state information.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by getMIC to provide "secure framing", implementations should support by getMIC to provide "secure framing", implementations should support
the calculation and verification of MICs over zero-length messages. the calculation and verification of MICs over zero-length messages.
Parameters: Parameters:
inTok Contains the token generated by peer's getMIC method. tokStream Input stream containing the token generated by peer's
getMIC method.
inMsg Contains application message to verify the msgStream Input stream containing the application message to
cryptographic MIC over. verify the cryptographic MIC over.
msgProp Upon return from the method, this object will contain msgProp Upon return from the method, this object will contain
the applied QOP and supplementary status values for the applied QOP and supplementary information
the supplied token. The confidentiality state will be described in 4.12.3 stating whether the token was a
always set to "false". duplicate, old, out of sequence or arriving after a
gap. The confidentiality state will be set to
"false".
6.3.19. export 7.4.17. export
public byte [] export() throws GSSException public byte [] export() throws GSSException
Provided to support the sharing of work between multiple processes. Provided to support the sharing of work between multiple processes.
This routine will typically be used by the context-acceptor, in an This routine will typically be used by the context-acceptor, in an
application where a single process receives incoming connection application where a single process receives incoming connection
requests and accepts security contexts over them, then passes the requests and accepts security contexts over them, then passes the
established context to one or more other processes for message established context to one or more other processes for message
exchange. exchange.
This method deactivates the security context and creates an This method deactivates the security context and creates an
interprocess token which, when passed to the byte array constructor interprocess token which, when passed to the byte array constructor
of the GSSContext class in another process, will re-activate the of the GSSContext class in another process, will re-activate the
context in the second process. Only a single instantiation of a given context in the second process. Only a single instantiation of a
context may be active at any one time; a subsequent attempt by a given context may be active at any one time; a subsequent attempt by
context exporter to access the exported security context will fail. a context exporter to access the exported security context will fail.
The implementation may constrain the set of processes by which the The implementation may constrain the set of processes by which the
interprocess token may be imported, either as a function of local interprocess token may be imported, either as a function of local
security policy, or as a result of implementation decisions. For security policy, or as a result of implementation decisions. For
example, some implementations may constrain contexts to be passed example, some implementations may constrain contexts to be passed
only between processes that run under the same account, or which are only between processes that run under the same account, or which are
part of the same process group. part of the same process group.
The interprocess token may contain security-sensitive information The interprocess token may contain security-sensitive information
(for example cryptographic keys). While mechanisms are encouraged to (for example cryptographic keys). While mechanisms are encouraged to
either avoid placing such sensitive information within interprocess either avoid placing such sensitive information within interprocess
tokens, or to encrypt the token before returning it to the tokens, or to encrypt the token before returning it to the
application, in a typical GSS-API implementation this may not be application, in a typical GSS-API implementation this may not be
possible. Thus the application must take care to protect the possible. Thus the application must take care to protect the
interprocess token, and ensure that any process to which the token is interprocess token, and ensure that any process to which the token is
transferred is trustworthy. transferred is trustworthy.
6.3.20. requestMutualAuth 7.4.18. requestMutualAuth
public void requestMutualAuth(boolean state) throws GSSException public void requestMutualAuth(boolean state) throws GSSException
Sets the request state of the mutual authentication flag for the Sets the request state of the mutual authentication flag for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if mutual authentication should state Boolean representing if mutual authentication should
be requested during context establishment. be requested during context establishment.
6.3.21. requestReplayDet 7.4.19. requestReplayDet
public void requestReplayDet(boolean state) throws GSSException public void requestReplayDet(boolean state) throws GSSException
Sets the request state of the replay detection service for the Sets the request state of the replay detection service for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if replay detection is desired state Boolean representing if replay detection is desired
over the established context. over the established context.
6.3.22. requestSequenceDet 7.4.20. requestSequenceDet
public void requestSequenceDet(boolean state) throws GSSException public void requestSequenceDet(boolean state) throws GSSException
Sets the request state for the sequence checking service of the Sets the request state for the sequence checking service of the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if sequence detection is desired state Boolean representing if sequence detection is desired
over the established context. over the established context.
6.3.23. requestCredDeleg 7.4.21. requestCredDeleg
public void requestCredDeleg(boolean state) throws GSSException public void requestCredDeleg(boolean state) throws GSSException
Sets the request state for the credential delegation flag for the Sets the request state for the credential delegation flag for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameter: Parameters:
state Boolean representing if credential delegation is state Boolean representing if credential delegation is
desired. desired.
6.3.24. requestAnonymity 7.4.22. requestAnonymity
public void requestAnonymity(boolean state) throws GSSException public void requestAnonymity(boolean state) throws GSSException
Requests anonymous support over the context. This method is only Requests anonymous support over the context. This method is only
valid before the context creation process begins and only for the valid before the context creation process begins and only for the
initiator. initiator.
Parameter: Parameters:
state Boolean representing if anonymity support is state Boolean representing if anonymity support is
requested. requested.
6.3.25. requestConf 7.4.23. requestConf
public void requestConf(boolean state) throws GSSException public void requestConf(boolean state) throws GSSException
Requests that confidentiality service be available over the context. Requests that confidentiality service be available over the context.
This method is only valid before the context creation process begins This method is only valid before the context creation process begins
and only for the initiator. and only for the initiator.
Parameters: Parameters:
state Boolean indicating if confidentiality services are to state Boolean indicating if confidentiality services are to
be requested for the context. be requested for the context.
6.3.26. requestInteg 7.4.24. requestInteg
public void requestInteg(boolean state) throws GSSException public void requestInteg(boolean state) throws GSSException
Requests that integrity services be available over the context. This Requests that integrity services be available over the context. This
method is only valid before the context creation process begins and method is only valid before the context creation process begins and
only for the initiator. only for the initiator.
Parameters: Parameters:
state Boolean indicating if integrity services are to be state Boolean indicating if integrity services are to be
requested for the context. requested for the context.
6.3.27. requestLifetime 7.4.25. requestLifetime
public void requestLifetime(int lifetime) throws GSSException public void requestLifetime(int lifetime) throws GSSException
Sets the desired lifetime for the context in seconds. This method is Sets the desired lifetime for the context in seconds. This method is
only valid before the context creation process begins and only for only valid before the context creation process begins and only for
the initiator. the initiator.
Parameters: Parameters:
lifetime The desired context lifetime in seconds. lifetime The desired context lifetime in seconds.
6.3.28. setChannelBinding 7.4.26. setChannelBinding
public void setChannelBinding(ChannelBinding cb) throws GSSException public void setChannelBinding(ChannelBinding cb) throws GSSException
Sets the channel bindings to be used during context establishment. Sets the channel bindings to be used during context establishment.
This method is only valid before the context creation process begins. This method is only valid before the context creation process begins.
Parameters: Parameters:
cb Channel bindings to be used. cb Channel bindings to be used.
6.3.29. getCredDelegState 7.4.27. getCredDelegState
public boolean getCredDelegState() public boolean getCredDelegState()
Returns the state of the delegated credentials for the context. When Returns the state of the delegated credentials for the context. When
issued before context establishment is completed or when the issued before context establishment is completed or when the
isProtReady method returns "false", it returns the desired state, isProtReady method returns "false", it returns the desired state,
otherwise it will indicate the actual state over the established otherwise it will indicate the actual state over the established
context. context.
6.3.30. getMutualAuthState 7.4.28. getMutualAuthState
public boolean getMutualAuthState() public boolean getMutualAuthState()
Returns the state of the mutual authentication option for the Returns the state of the mutual authentication option for the
context. When issued before context establishment completes or when context. When issued before context establishment completes or when
the isProtReady method returns "false", it returns the desired state, the isProtReady method returns "false", it returns the desired state,
otherwise it will indicate the actual state over the established otherwise it will indicate the actual state over the established
context. context.
6.3.31. getReplayDetState 7.4.29. getReplayDetState
public boolean getReplayDetState() public boolean getReplayDetState()
Returns the state of the replay detection option for the context. Returns the state of the replay detection option for the context.
When issued before context establishment completes or when the When issued before context establishment completes or when the
isProtReady method returns "false", it returns the desired state, isProtReady method returns "false", it returns the desired state,
otherwise it will indicate the actual state over the established otherwise it will indicate the actual state over the established
context. context.
6.3.32. getSequenceDetState 7.4.30. getSequenceDetState
public boolean getSequenceDetState() public boolean getSequenceDetState()
Returns the state of the sequence detection option for the context. Returns the state of the sequence detection option for the context.
When issued before context establishment completes or when the When issued before context establishment completes or when the
isProtReady method returns "false", it returns the desired state, isProtReady method returns "false", it returns the desired state,
otherwise it will indicate the actual state over the established otherwise it will indicate the actual state over the established
context. context.
6.3.33. getAnonymityState 7.4.31. getAnonymityState
public boolean getAnonymityState() public boolean getAnonymityState()
Returns "true" if this is an anonymous context. When issued before Returns "true" if this is an anonymous context. When issued before
context establishment completes or when the isProtReady method context establishment completes or when the isProtReady method
returns "false", it returns the desired state, otherwise it will returns "false", it returns the desired state, otherwise it will
indicate the actual state over the established context. indicate the actual state over the established context.
6.3.34. isTransferable 7.4.32. isTransferable
public boolean isTransferable() throws GSSException public boolean isTransferable() throws GSSException
Returns "true" if the context is transferable to other processes Returns "true" if the context is transferable to other processes
through the use of the export method. This call is only valid on through the use of the export method. This call is only valid on
fully established contexts. fully established contexts.
6.3.35. isProtReady 7.4.33. isProtReady
public boolean isProtReady() public boolean isProtReady()
Returns "true" if the per message operations can be applied over the Returns "true" if the per message operations can be applied over the
context. Some mechanisms may allow the usage of per-message context. Some mechanisms may allow the usage of per-message
operations before the context is fully established. This will also operations before the context is fully established. This will also
indicate that the get methods will return actual context state indicate that the get methods will return actual context state
characteristics instead of the desired ones. characteristics instead of the desired ones.
6.3.36. getConfState 7.4.34. getConfState
public boolean getConfState() public boolean getConfState()
Returns the confidentiality service state over the context. When Returns the confidentiality service state over the context. When
issued before context establishment completes or when the isProtReady issued before context establishment completes or when the isProtReady
method returns "false", it returns the desired state, otherwise it method returns "false", it returns the desired state, otherwise it
will indicate the actual state over the established context. will indicate the actual state over the established context.
6.3.37. getIntegState 7.4.35. getIntegState
public boolean getIntegState() public boolean getIntegState()
Returns the integrity service state over the context. When issued Returns the integrity service state over the context. When issued
before context establishment completes or when the isProtReady method before context establishment completes or when the isProtReady method
returns "false", it returns the desired state, otherwise it will returns "false", it returns the desired state, otherwise it will
indicate the actual state over the established context. indicate the actual state over the established context.
6.3.38. getLifetime 7.4.36. getLifetime
public int getLifetime() public int getLifetime()
Returns the context lifetime in seconds. When issued before context Returns the context lifetime in seconds. When issued before context
establishment completes or when the isProtReady method returns establishment completes or when the isProtReady method returns
"false", it returns the desired lifetime, otherwise it will indicate "false", it returns the desired lifetime, otherwise it will indicate
the remaining lifetime for the context. the remaining lifetime for the context.
6.3.39. getSrcName 7.4.37. getSrcName
public GSSName getSrcName() throws GSSException public GSSName getSrcName() throws GSSException
Returns the name of the context initiator. This call is valid only Returns the name of the context initiator. This call is valid only
after the context is fully established or the isProtReady method after the context is fully established or the isProtReady method
returns "true". returns "true". It is guaranteed to return an MN.
6.3.40. getTargName 7.4.38. getTargName
public GSSName getTargName() throws GSSException public GSSName getTargName() throws GSSException
Returns the name of the context target (acceptor). This call is Returns the name of the context target (acceptor). This call is
valid only after the context is fully established or the isProtReady valid only after the context is fully established or the isProtReady
method returns "true". method returns "true". It is guaranteed to return an MN.
6.3.41. getMech 7.4.39. getMech
public Oid getMech() throws GSSException public Oid getMech() throws GSSException
Returns the mechanism oid for this context. Returns the mechanism oid for this context.
6.3.42. getDelegCred 7.4.40. getDelegCred
public GSSCredential getDelegCred() throws GSSException public GSSCredential getDelegCred() throws GSSException
Returns the delegated credential object on the acceptor's side. To Returns the delegated credential object on the acceptor's side. To
check for availability of delegated credentials call check for availability of delegated credentials call
getDelegCredState. This call is only valid on fully established getDelegCredState. This call is only valid on fully established
contexts. contexts.
6.3.43. isInitiator 7.4.41. isInitiator
public boolean isInitiator() throws GSSException public boolean isInitiator() throws GSSException
Returns "true" if this is the initiator of the context. This call is Returns "true" if this is the initiator of the context. This call is
only valid after the context creation process has started. only valid after the context creation process has started.
6.4. public class MessageProp 7.5. public class MessageProp
This is a utility class used within the per-message GSSContext This is a utility class used within the per-message GSSContext
methods to convey per-message properties. methods to convey per-message properties.
When used with the GSSContext class wrap and getMIC methods, an When used with the IGSSContext interface's wrap and getMIC methods,
instance of this class is used to indicate the desired QOP and to an instance of this class is used to indicate the desired QOP and to
request if confidentiality services are to be applied to caller request if confidentiality services are to be applied to caller
supplied data (wrap only). To request default QOP, the value of 0 supplied data (wrap only). To request default QOP, the value of 0
should be used. should be used for QOP.
When used with the unwrap and verifyMIC methods of the GSSContext When used with the unwrap and verifyMIC methods of the IGSSContext
class, an instance of this class will be used to indicate the applied interface, an instance of this class will be used to indicate the
QOP and confidentiality services over the supplied message. In the applied QOP and confidentiality services over the supplied message.
case of verifyMIC, the confidentiality state will always be "false". In the case of verifyMIC, the confidentiality state will always be
Upon return from these methods, this object will also contain any "false". Upon return from these methods, this object will also
supplementary status values applicable to the processed token. The contain any supplementary status values applicable to the processed
supplementary status values can indicate old tokens, out of sequence token. The supplementary status values can indicate old tokens, out
tokens, gap tokens or duplicate tokens. of sequence tokens, gap tokens or duplicate tokens.
6.4.1. Constructors 7.5.1. Constructors
public MessageProp() public MessageProp(boolean privState)
Default constructor for the class. QOP is set to 0 and Constructor which sets QOP to 0 indicating that the default QOP is
confidentiality to "false". requested.
Parameters:
privState The desired privacy state. "true" for privacy and
"false" for integrity only.
public MessageProp(int qop, boolean privState) public MessageProp(int qop, boolean privState)
Constructor which sets the values for the qop and privacy state. Constructor which sets the values for the qop and privacy state.
Parameters: Parameters:
qop The desired QOP. qop The desired QOP. Use 0 to request a default QOP.
privState The desired privacy state. privState The desired privacy state. "true" for privacy and
"false" for integrity only.
6.4.2. getQOP 7.5.2. getQOP
public int getQOP() public int getQOP()
Retrieves the QOP value. Retrieves the QOP value.
6.4.3. getPrivacy 7.5.3. getPrivacy
public boolean getPrivacy() public boolean getPrivacy()
Retrieves the privacy state. Retrieves the privacy state.
6.4.4. setQOP 7.5.4. setQOP
public void setQOP(int qopVal) public void setQOP(int qopVal)
Sets the QOP value. Sets the QOP value.
Parameter: Parameters:
qopVal The QOP value to be set. qopVal The QOP value to be set. Use 0 to request a default
QOP value.
6.4.5. setPrivacy 7.5.5. setPrivacy
public void setPrivacy(boolean privState) public void setPrivacy(boolean privState)
Sets the privacy state. Sets the privacy state.
Parameter: Parameters:
privState The privacy state to set. privState The privacy state to set.
6.4.6. isDuplicateToken 7.5.6. isDuplicateToken
public boolean isDuplicateToken() public boolean isDuplicateToken()
Returns "true" if this is a duplicate of an earlier token. Returns "true" if this is a duplicate of an earlier token.
6.4.7. isOldToken 7.5.7. isOldToken
public boolean isOldToken() public boolean isOldToken()
Returns "true" if the token's validity period has expired. Returns "true" if the token's validity period has expired.
6.4.8. isUnseqToken 7.5.8. isUnseqToken
public boolean isUnseqToken() public boolean isUnseqToken()
Returns "true" if a later token has already been processed. Returns "true" if a later token has already been processed.
6.4.9. isGapToken 7.5.9. isGapToken
public boolean isGapToken() public boolean isGapToken()
Returns "true" if an expected per-message token was not received. Returns "true" if an expected per-message token was not received.
6.5. public class GSSManager 7.5.10. setSupplementaryStates
This class implements functionality common to the entire GSS-API
package. It does not define any public constructors and all its
methods are static.
6.5.1. getMechs
public static Oid[] getMechs()
Returns an array of Oid objects, one for each mechanism available
within this GSS-API package. A "null" value is returned when no
mechanism are available (an example of this would be when mechanism
are dynamically configured, and currently no mechanisms are
installed).
6.5.2. getNamesForMech
public static Oid[] getNamesForMech(Oid mech) throws GSSException public void setSupplementaryStates(boolean duplicate,
boolean old, boolean unseq, boolean gap)
Returns name types Oids supported by the specified mechanism. This method sets the state for the supplementary information flags in
MessageProp. It is not used by the application but by the GSS
implementation to return this information to the caller of a per-
message context method.
Parameters: Parameters:
mech The Oid object for the mechanism to query. duplicate true if the token was a duplicate of an earlier token,
false otherwise
6.5.3. getMechsForName
public static Oid[] getMechsForName(Oid nameType)
Returns an array of Oid objects, one for each mechanisms that support
the specific name type. "null" is returned when no mechanisms are
found to support the specified name type.
Parameters:
nameType The Oid object for the name type to query. old true if the token's validity period has expired, false
otherwise
6.5.4. getDefaultMech unseq true if a later token has already been processed,
false otherwise
public static Oid getDefaultMech() gap true if one or more predecessor tokens have not yet
been succesfully processed, false otherwise
Returns the default mechanism oid. This is the mechanisms that will 7.6. public class ChannelBinding
be used when a "null" Oid object is specified in place of an Oid
object within GSSCredential and GSSContext methods.
6.6. public class ChannelBinding
The GSS-API accommodates the concept of caller-provided channel The GSS-API accommodates the concept of caller-provided channel
binding information. Channel bindings are used to strengthen the binding information. Channel bindings are used to strengthen the
quality with which peer entity authentication is provided during quality with which peer entity authentication is provided during
context establishment. They enable the GSS-API callers to bind the context establishment. They enable the GSS-API callers to bind the
establishment of the security context to relevant characteristics establishment of the security context to relevant characteristics
like addresses or to application specific data. like addresses or to application specific data.
The caller initiating the security context must determine the The caller initiating the security context must determine the
appropriate channel binding values to set in the GSSContext object. appropriate channel binding values to set in the GSSContext object.
The acceptor must provide an identical binding in order to validate The acceptor must provide an identical binding in order to validate
that received tokens possess correct channel-related characteristics. that received tokens possess correct channel-related characteristics.
Use of channel bindings is optional in GSS-API. Since channel-binding Use of channel bindings is optional in GSS-API. Since channel-
information may be transmitted in context establishment tokens, binding information may be transmitted in context establishment
applications should therefore not use confidential data as channel- tokens, applications should therefore not use confidential data as
binding components. channel-binding components.
6.6.1. Constructors 7.6.1. Constructors
public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr, public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr,
byte[] appData) byte[] appData)
Create a ChannelBinding object with user supplied address information Create a ChannelBinding object with user supplied address information
and data. "null" values can be used for any fields which the and data. "null" values can be used for any fields which the
application does not want to specify. application does not want to specify.
Parameters: Parameters:
skipping to change at page 70, line 8 skipping to change at page 73, line 43
public ChannelBinding(byte[] appData) public ChannelBinding(byte[] appData)
Creates a ChannelBinding object without any addressing information. Creates a ChannelBinding object without any addressing information.
Parameters: Parameters:
appData Application supplied data to be used as part of the appData Application supplied data to be used as part of the
channel bindings. channel bindings.
6.6.2. getInitiatorAddress 7.6.2. getInitiatorAddress
public InetAddress getInitiatorAddress() public InetAddress getInitiatorAddress()
Returns the initiator's address for this channel binding. "null" is Returns the initiator's address for this channel binding. "null" is
returned if the address has not been set. returned if the address has not been set.
6.6.3. getAcceptorAddress 7.6.3. getAcceptorAddress
public InetAddress getAcceptorAddress() public InetAddress getAcceptorAddress()
Returns the acceptor's address for this channel binding. "null" is Returns the acceptor's address for this channel binding. "null" is
returned if the address has not been set. returned if the address has not been set.
6.6.4. getApplicationData 7.6.4. getApplicationData
public byte[] getApplicationData() public byte[] getApplicationData()
Returns application data being used as part of the ChannelBinding. Returns application data being used as part of the ChannelBinding.
"null" is returned if no application data has been specified for the "null" is returned if no application data has been specified for the
channel binding. channel binding.
6.6.5. equals 7.6.5. equals
public boolean equals(Object obj) public boolean equals(Object obj)
Returns "true" if two channel bindings match. Returns "true" if two channel bindings match.
Parameter: Parameters:
obj Another channel binding to compare with. obj Another channel binding to compare with.
6.7. public class Oid 7.7. public class Oid
This class represents Universal Object Identifiers (Oids) and their This class represents Universal Object Identifiers (Oids) and their
associated operations. associated operations.
Oids are hierarchically globally-interpretable identifiers used Oids are hierarchically globally-interpretable identifiers used
within the GSS-API framework to identify mechanisms and name formats. within the GSS-API framework to identify mechanisms and name formats.
The structure and encoding of Oids is defined in ISOIEC-8824 and The structure and encoding of Oids is defined in ISOIEC-8824 and
ISOIEC-8825. For example the Oid representation of Kerberos V5 ISOIEC-8825. For example the Oid representation of Kerberos V5
mechanism is "1.2.840.113554.1.2.2" mechanism is "1.2.840.113554.1.2.2"
The GSSName name class contains public static Oid objects The GSSName name class contains public static Oid objects
representing the standard name types defined in GSS-API. representing the standard name types defined in GSS-API.
6.7.1. Constructors 7.7.1. Constructors
public Oid(String strOid) throws GSSException public Oid(String strOid) throws GSSException
Creates an Oid object from a string representation of its integer Creates an Oid object from a string representation of its integer
components (e.g. "1.2.840.113554.1.2.2"). components (e.g. "1.2.840.113554.1.2.2").
Parameters: Parameters:
strOid The string representation for the oid. strOid The string representation for the oid.
skipping to change at page 71, line 45 skipping to change at page 75, line 38
Creates an Oid object from its DER encoding. This refers to the full Creates an Oid object from its DER encoding. This refers to the full
encoding including tag and length. The structure and encoding of encoding including tag and length. The structure and encoding of
Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is
identical in functionality to its byte array counterpart. identical in functionality to its byte array counterpart.
Parameters: Parameters:
derOid Byte array storing a DER encoded oid. derOid Byte array storing a DER encoded oid.
6.7.2. toString 7.7.2. toString
public String toString() public String toString()
Returns a string representation of the oid's integer components in Returns a string representation of the oid's integer components in
dot separated notation (e.g. "1.2.840.113554.1.2.2"). dot separated notation (e.g. "1.2.840.113554.1.2.2").
6.7.3. toRFC2078String 7.7.3. equals
public String toRFC2078String()
Returns a string representation of the Oid's integer components in
the format specified within RFC 2078 (e.g. "{ 1 2 840 113554 1 2 2
}").
6.7.4. equals
public boolean equals(Object Obj) public boolean equals(Object Obj)
Returns "true" if the two Oid objects represent the same oid value. Returns "true" if the two Oid objects represent the same oid value.
Parameter: Parameters:
obj Another Oid object to compare with. obj Another Oid object to compare with.
6.7.5. getDER 7.7.4. getDER
public byte[] getDER() public byte[] getDER()
Returns the full ASN.1 DER encoding for this oid object, which Returns the full ASN.1 DER encoding for this oid object, which
includes the tag and length. includes the tag and length.
6.7.6. containedIn 7.7.5. containedIn
public boolean containedIn(Oid[] oids) public boolean containedIn(Oid[] oids)
A utility method to test if an Oid object is contained within the A utility method to test if an Oid object is contained within the
supplied Oid object array. supplied Oid object array.
Parameter: Parameters:
oids An array of oids to search. oids An array of oids to search.
6.8. public class GSSException extends Exception 7.8. public class GSSException extends Exception
This exception is thrown whenever a fatal GSS-API error occurs This exception is thrown whenever a fatal GSS-API error occurs
including mechanism specific errors. It may contain both, the major including mechanism specific errors. It may contain both, the major
and minor, GSS-API status codes. The mechanism implementers are and minor, GSS-API status codes. The mechanism implementers are
responsible for setting appropriate minor status codes when throwing responsible for setting appropriate minor status codes when throwing
this exception. Aside from delivering the numeric error code(s) to this exception. Aside from delivering the numeric error code(s) to
the caller, this class performs the mapping from their numeric values the caller, this class performs the mapping from their numeric values
to textual representations. All Java GSS-API methods are declared to textual representations. All Java GSS-API methods are declared
throwing this exception. throwing this exception.
All implementations are encouraged to use the Java All implementations are encouraged to use the Java
internationalization techniques to provide local translations of the internationalization techniques to provide local translations of the
message strings. message strings.
6.8.1. Class Constants 7.8.1. Static Constants
All valid major GSS-API error code values are declared as constants All valid major GSS-API error code values are declared as constants
in this class. in this class.
public static final int BAD_BINDINGS public static final int BAD_BINDINGS
Channel bindings mismatch error. Channel bindings mismatch error.
public static final int BAD_MECH public static final int BAD_MECH
skipping to change at page 75, line 41 skipping to change at page 79, line 29
indicate supplementary status values. The MessageProp object is used indicate supplementary status values. The MessageProp object is used
for that purpose. for that purpose.
public static final int GAP_TOKEN public static final int GAP_TOKEN
An expected per-message token was not received. This is a fatal An expected per-message token was not received. This is a fatal
error code that may occur during context establishment. It is not error code that may occur during context establishment. It is not
used to indicate supplementary status values. The MessageProp object used to indicate supplementary status values. The MessageProp object
is used for that purpose. is used for that purpose.
6.8.2. Constructors 7.8.2. Constructors
public GSSException(int majorCode) public GSSException(int majorCode)
Creates a GSSException object with a specified major code. Creates a GSSException object with a specified major code.
Parameters: Parameters:
majorCode The GSS error code causing this exception to be majorCode The GSS error code causing this exception to be
thrown. thrown.
skipping to change at page 76, line 28 skipping to change at page 80, line 16
majorCode The GSS error code causing this exception to be majorCode The GSS error code causing this exception to be
thrown. thrown.
minorCode The mechanism error code causing this exception minorCode The mechanism error code causing this exception
to be thrown. to be thrown.
minorString The textual explanation of the mechanism error minorString The textual explanation of the mechanism error
code. code.
6.8.3. getMajor 7.8.3. getMajor
public int getMajor() public int getMajor()
Returns the major code representing the GSS error code that caused Returns the major code representing the GSS error code that caused
this exception to be thrown. this exception to be thrown.
6.8.4. getMinor 7.8.4. getMinor
public int getMinor() public int getMinor()
Returns the mechanism error code that caused this exception. The Returns the mechanism error code that caused this exception. The
minor code is set by the underlying mechanism. Value of 0 indicates minor code is set by the underlying mechanism. Value of 0 indicates
that mechanism error code is not set. that mechanism error code is not set.
6.8.5. getMajorString 7.8.5. getMajorString
public String getMajorString() public String getMajorString()
Returns a string explaining the GSS major error code causing this Returns a string explaining the GSS major error code causing this
exception to be thrown. exception to be thrown.
6.8.6. getMinorString 7.8.6. getMinorString
public String getMinorString() public String getMinorString()
Returns a string explaining the mechanism specific error code. An Returns a string explaining the mechanism specific error code. An
empty string will be returned when no mechanism error code has been empty string will be returned when no mechanism error code has been
set. set.
6.8.7. setMinor 7.8.7. setMinor
public void setMinor(int minorCode, String message) public void setMinor(int minorCode, String message)
Used internally by the GSS-API implementation and the underlying Used internally by the GSS-API implementation and the underlying
mechanisms to set the minor code and its textual representation. mechanisms to set the minor code and its textual representation.
Parameters: Parameters:
minorCode The mechanism specific error code. minorCode The mechanism specific error code.
message A textual explanation of the mechanism error code. message A textual explanation of the mechanism error code.
6.8.8. toString 7.8.8. toString
public String toString() public String toString()
Returns a textual representation of both the major and minor status Returns a textual representation of both the major and minor status
codes. codes.
6.8.9. getMessage 7.8.9. getMessage
public String getMessage() public String getMessage()
Returns a detailed message of this exception. Overrides Returns a detailed message of this exception. Overrides
Throwable.getMessage. It is customary in Java to use this method to Throwable.getMessage. It is customary in Java to use this method to
obtain exception information. obtain exception information.
7. Acknowledgments 7.9. public abstract class GSSManager
This class contains methods to manage and query different GSS-API
providers. This saves the application from knowing the name of the
provider's factory class and instantiating it. When the application
has multiple providers installed on its system, it can use the
GSSManager to search through them and return one that supports a
desired underlying mechanism. It also provides a means for a single
point of control to set the preferred GSS-API provider. All
delegation done by the GSSContext, GSSCredential and GSSName classes
is then directed to implementing classes for that provider by
default.
Because this class locates and instantiates providers using the
standard Java provider architecture, applications are encouraged to
make use of this class to maximize portability across implementations
rather than obtaining direct references to the factory classes from
the implementations.
The benefits of this approach are that applications can switch
between providers transparently and new providers can be added as
needed. Binary compatibility is maintained and applications can
switch providers even at runtime. The providers themselves can
change their implementation without having existing applications
break.
7.9.1. Example
// Import the Security class and the Provider class from
// the java security package
import java.security.Security;
import java.security.Provider;
// We want to use the GSS-API implementation from a provider that is
// registered with the system as FOOBAR.
Provider p = Security.getProvider("FOOBAR");
// What mechs does FOOBAR's GSS-API implementation support?
Oid[] supportedMechs = GSSManager.getMechs(p);
// Which provider is being used by default?
Provider p = GSSManager.getDefaultProvider();
print(p.getName()); // May not be "FOOBAR"
7.9.2. setDefaultProvider
public static void setDefaultProvider(Provider p)
throws java.security.NoSuchProviderException
Sets the desired provider for the GSSManager, and the wrapper classes
GSSName, GSSContext, and GSSCredential to use to delegate their calls
by default.
Parameters:
p The provider that should be used by default.
7.9.3. getDefaultProvider
public static Provider getDefaultProvider()
Returns a Provider object that represents the provider that the
GSSManager, and the wrapper classes GSSName, GSSContext, and
GSSCredential and using to delegate their calls to.
7.9.4. getMechs
public static Oid[] getMechs(Provider p)
Returns an array of Oid objects, one for each mechanism available
within the GSS-API implementation supplied by the indicated provider.
A "null" value is returned when no mechanism are available (an
example of this would be when mechanism are dynamically configured,
and currently no mechanisms are installed).
Parameters:
p The provider that should be queried. "null" indicates
query the default GSS-API provider.
7.9.5. getNamesForMech
public static Oid[] getNamesForMech(Oid mech, Provider p)
throws GSSException
Returns name types Oids supported by the specified mechanism.
Parameters:
mech The Oid object for the mechanism to query.
p The provider that should be queried. "null" indicates
query the default GSS-API provider.
7.9.6. getMechsForName
public static Oid[] getMechsForName(Oid nameType, Provider p)
Returns an array of Oid objects, one for each mechanisms that support
the specific name type. "null" is returned when no mechanisms are
found to support the specified name type.
Parameters:
nameType The Oid object for the name type to query.
p The provider that should be queried. "null" indicates
query the default GSS-API provider.
7.9.7. getProviderFromToken
public static Provider getProviderFromToken(byte[] firstToken)
Find a provider whose GSS-API implementation can support the
mechanism that is needed for accepting a context with the given
context establishment token. This call can be made only with the
first context establishment token received at the acceptor's end;
that token is required to follow the format defined in section 3.1 of
RFC 2078.
This call is useful to a context acceptor that has multiple GSS
implementations available to it and has to decide which one of them
to use such that the implementation supports the mechanism that the
context initiator wishes to use.
Parameters:
firstTokenThe first token that is emitted during a GSS-API
context establishment.
7.9.8. getProviderForMechanism
public static Provider[] getProvidersForMechanism(Oid mechOid)
A utility method to find the provider(s) whose GSS-API implementation
can support the given mechanism. The GSSManager class locates all
java security providers registered with the system and determines
from their respective GSSFactory implementations which ones support
this mechanism. It returns as array with all such provider objects.
An application can then choose a preferred provider from the returned
set.
Parameters:
mechOid The Oid of the desired mechanism.
7.10. public class GSSName implements IGSSName
This concrete class is a wrapper around the interface IGSSName. An
application can use the GSSName class to perform all functionality of
the IGSSName interface eliminating the need to know the interface and
instantiating it from the provider. Its constructor performs the
following in one step: obtain the provider specific factory
(IGSSFactory) object, and obtain an IGSSName object from the factory
initialized with the parameters supplied in the constructor. The
wrapper delegates all its calls to this provider specific IGSSName
object.
It uses the preferred GSS-API provider to instantiate the IGSSName
implementation to delegate to. A default provider can optionally be
set by the application with the GSSManager.setDefaultProvider() call.
The GSSName class implements the IGSSName interface and thus provides
for all its functionality and also passes the compiler's type
checking when used in place of IGSSName. The methods from IGSSName
that GSSName implements are:
public boolean equals(IGSSName another) throws GSSException
public boolean equals(Object another)
public IGSSName canonicalize(Oid mechOid) throws GSSException
public byte[] export() throws GSSException
public String toString()
public Oid getStringNameType() throws GSSException
public boolean isAnonymous()
public boolean isMN()
Similarly, it inherits the following static constants:
public static final Oid NT_HOSTBASED_SERVICE
public static final Oid NT_USER_NAME
public static final Oid NT_MACHINE_UID_NAME
public static final Oid NT_STRING_UID_NAME
public static final Oid NT_ANONYMOUS
public static final Oid NT_EXPORT_NAME
7.10.1. Example
Included below are code examples utilizing a GSSName object. The
code below creates a GSSName object, converts it to a mechanism name
(MN), performs a comparison, obtains a printable representation of
the name, exports it and then re-imports to obtain a new GSSName
object. This code uses the default GSS-API provider on the system.
// create an oid object for Kerberos v5 to export the name with
// Kerberos later on
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
// create a host based service name
GSSName name = new GSSName("service@host",
GSSName.NT_HOSTBASED_SERVICE, null);
GSSName mechName = name.canonicalize(krb5);
// the above two steps are equivalent to the following constructor
GSSName mechName = new GSSName("service@host",
GSSName.NT_HOSTBASED_SERVICE, krb5, null);
// perform name comparison
if (name.equals(mechName))
print("Names are equals.");
// obtain textual representation of name and its printable
// name type
print(mechName.toString() +
mechName.getStringNameType().toString());
// export and re-import the name
byte [] exportName = mechName.export();
// create a new name object from the exported buffer
GSSName newName = new GSSName(exportName,
GSSName.NT_EXPORT_NAME, null);
7.10.2. Constructors
public GSSName(String nameStr, Oid nameSpace, Provider p)
throws GSSException
Converts a contiguous string name from the specified namespace to a
GSSName object. In general, the GSSName object created will not be
an MN; the exception to this is if the namespace type parameter
indicates NT_EXPORT_NAME or if the GSS-API implementation is not
multi-mechanism.
Parameters:
nameStr The string representing a printable form of the name
to create.
nameType The Oid specifying the namespace of the printable name
supplied. "null" value can be used to specify that a
mechanism specific default printable syntax should be
assumed by each mechanism that examines nameStr.
p The preferred provider whose GSS-API implementation
should be used. "null" indicates use the default GSS-
API provider.
public GSSName(byte name[], Oid nameType, Provider p)
throws GSSException
Converts a contiguous byte array containing a name from the specified
namespace to a GSSName object. In general, the GSSName object
created will not be an MN; the exception to this is if the namespace
type parameter indicates NT_EXPORT_NAME or if the GSS-API
implementation is not multi-mechanism.
Parameters:
name The byte array containing the name to create.
nameType The Oid specifying the namespace of the name supplied
in the byte array. "null" value can be used to specify
that a mechanism specific default syntax should be
assumed by each mechanism that examines the byte
array.
p The preferred provider whose GSS-API implementation
should be used. "null" indicates use the default
GSS-API provider.
public GSSName(String nameStr, Oid nameType, Oid mechType,
Provider p) throws GSSException
Converts a contiguous string name from the specified namespace to a
GSSName object that is a mechanism name (MN).
Parameters:
nameStr The string representing a printable form of the name
to create.
nameType The Oid specifying the namespace of the printable name
supplied. "null" value can be used to specify that a
mechanism specific default printable syntax should be
assumed when the mechanism examines nameStr.
mechType The Oid specifying the mechanism for which this name
should be created. "null" value can be used to
specify the default mechanism.
p The preferred provider whose GSS-API implementation
should be used. "null" indicates use the default GSS-
API provider. Implementations should then pick the
first registered provider on the system that supports
the mechanism mechType.
public GSSName(byte name[], Oid nameType, Oid mechType,
Provider p) throws GSSException
Converts a contiguous byte array containing a name from the specified
namespace to a GSSName object that is a mechanism name (MN).
Parameters:
name The byte array representing the name to create.
nameType The Oid specifying the namespace of the printable name
supplied. "null" value can be used to specify that a
mechanism specific default printable syntax should be
assumed when the mechanism examines nameStr.
mechType The Oid specifying the mechanism for which this name
should be created.
p The preferred provider whose GSS-API implementation
should be used. "null" indicates use the default GSS-
API provider. Implementations should then pick the
first registered provider on the system that supports
the mechanism mechType.
7.10.3. getProvider
public java.security.Provider getProvider()
Returns the provider of the IGSSName implementation that this GSSName
object is delegating all its calls to. This is useful for
applications to track which GSS implementation this object came from.
It is important to not pass an IGSSName implementation (which
contains provider specific internal elements) to an IGSSCredential or
IGSSContext implementation from another provider.
7.11. public class GSSCredential implements IGSSCredential
This concrete class is a wrapper around the interface IGSSCredential
An application can use the GSSCredential class to perform all
functionality of the IGSSCredential interface eliminating the need to
know the interface and instantiating it from the provider. Its
constructor performs the following in one step: obtain the provider
specific factory (IGSSFactory) object, and obtain an IGSSCredential
object from the factory initialized with the parameters supplied in
the constructor. The wrapper delegates all its calls to this
provider specific IGSSName object.
It uses the preferred GSS-API provider to instantiate the
IGSSCredential implementation to delegate to. A default provider can
optionally be set by the application with the
GSSManager.setDefaultProvider() call.
The GSSCredential class implements the IGSSCredential interface and
thus provides for all its functionality and also passes the
compiler's type checking when used in place of IGSSCredential. The
methods from IGSSCredential that GSSCredential implements are:
public void dispose() throws GSSException
public IGSSName getName() throws GSSException
public IGSSName getName(Oid mechOID) throws GSSException
public int getRemainingLifetime() throws GSSException
public int getRemainingInitLifetime(Oid mech)
throws GSSException
public int getRemainingAcceptLifetime(Oid mech)
throws GSSException
public int getUsage() throws GSSException
public int getUsage(Oid mechOID) throws GSSException
public Oid[] getMechs() throws GSSException
public void add(GSSName aName, int initLifetime,
int acceptLifetime, Oid mech,
int usage) throws GSSException
public boolean equals(Object another)
Similarly, it inherits the following static constants:
public static final int INITIATE_AND_ACCEPT
public static final int INITIATE_ONLY
public static final int ACCEPT_ONLY