draft-ietf-kitten-rfc5653bis-00.txt vs. draft-ietf-kitten-rfc5653bis-01.txt

Network Working Group                                        M. Upadhyay
Internet-Draft                                                    Google
Obsoletes: 5653 (if approved)                                 S. Malkani
Intended status: Standards Track                           ActivIdentity
Expires: November 24, 2014 (-00) / December 1, 2014 (-01)        W. Wang
                                                                  Oracle
                                  May 23, 2014 (-00) / May 30, 2014 (-01)

      Generic Security Service API Version 2: Java Bindings Update
     draft-ietf-kitten-rfc5653bis-00 / draft-ietf-kitten-rfc5653bis-01
Abstract

   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in
   "Generic Security Service API Version 2 : Java Bindings Update" (RFC
   5653).  This document obsoletes RFC 5653 by adding a new output token
   field to the GSSException class so that when the initSecContext or
   skipping to change at page 2, line 10 (-00) / page 2, line 7 (-01)
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 24, 2014 (-00) /
   December 1, 2014 (-01).

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   skipping to change at page 3, line 6 (-00) / page 3, line 4 (-01)
     4.6.  Object Identifiers . . . . . . . . . . . . . . . . . . .  16
     4.7.  Object Identifier Sets . . . . . . . . . . . . . . . . .  16
     4.8.  Credentials  . . . . . . . . . . . . . . . . . . . . . .  16
     4.9.  Contexts . . . . . . . . . . . . . . . . . . . . . . . .  18
     4.10. Authentication Tokens  . . . . . . . . . . . . . . . . .  19
     4.11. Inter-Process Tokens . . . . . . . . . . . . . . . . . .  19
     4.12. Error Reporting  . . . . . . . . . . . . . . . . . . . .  19
       4.12.1. GSS Status Codes . . . . . . . . . . . . . . . . . .  20
       4.12.2. Mechanism-Specific Status Codes  . . . . . . . . . .  22
       4.12.3. Supplementary Status Codes . . . . . . . . . . . . .  22
     4.13. Names  . . . . . . . . . . . . . . . . . . . . . . . . .  23
     4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . .  26
     4.15. Stream Objects . . . . . . . . . . . . . . . . . . . . .  27
     4.16. Optional Parameters  . . . . . . . . . . . . . . . . . .  27
   5.  Introduction to GSS-API Classes and Interfaces . . . . . . .  27
     5.1.  GSSManager Class . . . . . . . . . . . . . . . . . . . .  27
     5.2.  GSSName Interface  . . . . . . . . . . . . . . . . . . .  28
     5.3.  GSSCredential Interface  . . . . . . . . . . . . . . . .  29
     5.4.  GSSContext Interface . . . . . . . . . . . . . . . . . .  30
     5.5.  MessageProp Class  . . . . . . . . . . . . . . . . . . .  32
     5.6.  GSSException Class . . . . . . . . . . . . . . . . . . .  32
     5.7.  Oid Class  . . . . . . . . . . . . . . . . . . . . . . .  32
     5.8.  ChannelBinding Class . . . . . . . . . . . . . . . . . .  32
   6.  Detailed GSS-API Class Description . . . . . . . . . . . . .  33
     6.1.  public abstract class GSSManager . . . . . . . . . . . .  33
       6.1.1.  Example Code . . . . . . . . . . . . . . . . . . . .  34
       6.1.2.  getInstance  . . . . . . . . . . . . . . . . . . . .  35
       6.1.3.  getMechs . . . . . . . . . . . . . . . . . . . . . .  35
       6.1.4.  getNamesForMech  . . . . . . . . . . . . . . . . . .  35
       6.1.5.  getMechsForName  . . . . . . . . . . . . . . . . . .  35
       6.1.6.  createName . . . . . . . . . . . . . . . . . . . . .  35
       6.1.7.  createName . . . . . . . . . . . . . . . . . . . . .  36
       6.1.8.  createName . . . . . . . . . . . . . . . . . . . . .  36
       6.1.9.  createName . . . . . . . . . . . . . . . . . . . . .  37
       6.1.10. createCredential . . . . . . . . . . . . . . . . . .  38
       6.1.11. createCredential . . . . . . . . . . . . . . . . . .  38
       6.1.12. createCredential . . . . . . . . . . . . . . . . . .  39
       6.1.13. createContext  . . . . . . . . . . . . . . . . . . .  39
       6.1.14. createContext  . . . . . . . . . . . . . . . . . . .  40
       6.1.15. createContext  . . . . . . . . . . . . . . . . . . .  40
       6.1.16. addProviderAtFront . . . . . . . . . . . . . . . . .  41
       6.1.17. Example Code . . . . . . . . . . . . . . . . . . . .  41
       6.1.18. addProviderAtEnd . . . . . . . . . . . . . . . . . .  43
       6.1.19. Example Code . . . . . . . . . . . . . . . . . . . .  43
     6.2.  public interface GSSName . . . . . . . . . . . . . . . .  44
       6.2.1.  Example Code . . . . . . . . . . . . . . . . . . . .  44
       6.2.2.  Static Constants . . . . . . . . . . . . . . . . . .  45
       6.2.3.  equals . . . . . . . . . . . . . . . . . . . . . . .  46
       6.2.4.  equals . . . . . . . . . . . . . . . . . . . . . . .  46
       6.2.5.  canonicalize . . . . . . . . . . . . . . . . . . . .  47
       6.2.6.  export . . . . . . . . . . . . . . . . . . . . . . .  47
       6.2.7.  toString . . . . . . . . . . . . . . . . . . . . . .  47
       6.2.8.  getStringNameType  . . . . . . . . . . . . . . . . .  48
       6.2.9.  isAnonymous  . . . . . . . . . . . . . . . . . . . .  48
       6.2.10. isMN . . . . . . . . . . . . . . . . . . . . . . . .  48
     6.3.  public interface GSSCredential implements Cloneable  . .  48
       6.3.1.  Example Code . . . . . . . . . . . . . . . . . . . .  49
       6.3.2.  Static Constants . . . . . . . . . . . . . . . . . .  50
       6.3.3.  dispose  . . . . . . . . . . . . . . . . . . . . . .  50
       6.3.4.  getName  . . . . . . . . . . . . . . . . . . . . . .  50
       6.3.5.  getName  . . . . . . . . . . . . . . . . . . . . . .  50
       6.3.6.  getRemainingLifetime . . . . . . . . . . . . . . . .  51
       6.3.7.  getRemainingInitLifetime . . . . . . . . . . . . . .  51
       6.3.8.  getRemainingAcceptLifetime . . . . . . . . . . . . .  51
       6.3.9.  getUsage . . . . . . . . . . . . . . . . . . . . . .  52
       6.3.10. getUsage . . . . . . . . . . . . . . . . . . . . . .  52
       6.3.11. getMechs . . . . . . . . . . . . . . . . . . . . . .  52
       6.3.12. add  . . . . . . . . . . . . . . . . . . . . . . . .  52
       6.3.13. equals . . . . . . . . . . . . . . . . . . . . . . .  53
     6.4.  public interface GSSContext  . . . . . . . . . . . . . .  54
       6.4.1.  Example Code . . . . . . . . . . . . . . . . . . . .  55
       6.4.2.  Static Constants . . . . . . . . . . . . . . . . . .  56
       6.4.3.  initSecContext . . . . . . . . . . . . . . . . . . .  57
       6.4.4.  Example Code . . . . . . . . . . . . . . . . . . . .  58
       6.4.5.  initSecContext . . . . . . . . . . . . . . . . . . .  58
       6.4.6.  Example Code . . . . . . . . . . . . . . . . . . . .  59
       6.4.7.  acceptSecContext . . . . . . . . . . . . . . . . . .  60
       6.4.8.  Example Code . . . . . . . . . . . . . . . . . . . .  61
       6.4.9.  acceptSecContext . . . . . . . . . . . . . . . . . .  62
       6.4.10. Example Code . . . . . . . . . . . . . . . . . . . .  63
       6.4.11. isEstablished  . . . . . . . . . . . . . . . . . . .  64
       6.4.12. dispose  . . . . . . . . . . . . . . . . . . . . . .  65
       6.4.13. getWrapSizeLimit . . . . . . . . . . . . . . . . . .  65
       6.4.14. wrap . . . . . . . . . . . . . . . . . . . . . . . .  66
       6.4.15. wrap . . . . . . . . . . . . . . . . . . . . . . . .  67
       6.4.16. unwrap . . . . . . . . . . . . . . . . . . . . . . .  68
       6.4.17. unwrap . . . . . . . . . . . . . . . . . . . . . . .  68
       6.4.18. getMIC . . . . . . . . . . . . . . . . . . . . . . .  69
       6.4.19. getMIC . . . . . . . . . . . . . . . . . . . . . . .  70
       6.4.20. verifyMIC  . . . . . . . . . . . . . . . . . . . . .  70
       6.4.21. verifyMIC  . . . . . . . . . . . . . . . . . . . . .  71
       6.4.22. export . . . . . . . . . . . . . . . . . . . . . . .  72
       6.4.23. requestMutualAuth  . . . . . . . . . . . . . . . . .  73
       6.4.24. requestReplayDet . . . . . . . . . . . . . . . . . .  73
       6.4.25. requestSequenceDet . . . . . . . . . . . . . . . . .  73
       6.4.26. requestCredDeleg . . . . . . . . . . . . . . . . . .  74
       6.4.27. requestAnonymity . . . . . . . . . . . . . . . . . .  74
       6.4.28. requestConf  . . . . . . . . . . . . . . . . . . . .  74
       6.4.29. requestInteg . . . . . . . . . . . . . . . . . . . .  74
       6.4.30. requestLifetime  . . . . . . . . . . . . . . . . . .  75
       6.4.31. setChannelBinding  . . . . . . . . . . . . . . . . .  75
       6.4.32. getCredDelegState  . . . . . . . . . . . . . . . . .  75
       6.4.33. getMutualAuthState . . . . . . . . . . . . . . . . .  75
       6.4.34. getReplayDetState  . . . . . . . . . . . . . . . . .  76
       6.4.35. getSequenceDetState  . . . . . . . . . . . . . . . .  76
       6.4.36. getAnonymityState  . . . . . . . . . . . . . . . . .  76
       6.4.37. isTransferable . . . . . . . . . . . . . . . . . . .  76
       6.4.38. isProtReady  . . . . . . . . . . . . . . . . . . . .  76
       6.4.39. getConfState . . . . . . . . . . . . . . . . . . . .  77
       6.4.40. getIntegState  . . . . . . . . . . . . . . . . . . .  77
       6.4.41. getLifetime  . . . . . . . . . . . . . . . . . . . .  77
       6.4.42. getSrcName . . . . . . . . . . . . . . . . . . . . .  77
       6.4.43. getTargName  . . . . . . . . . . . . . . . . . . . .  77
       6.4.44. getMech  . . . . . . . . . . . . . . . . . . . . . .  77
       6.4.45. getDelegCred . . . . . . . . . . . . . . . . . . . .  78
       6.4.46. isInitiator  . . . . . . . . . . . . . . . . . . . .  78
     6.5.  public class MessageProp . . . . . . . . . . . . . . . .  78
       6.5.1.  Constructors . . . . . . . . . . . . . . . . . . . .  78
       6.5.2.  getQOP . . . . . . . . . . . . . . . . . . . . . . .  79
       6.5.3.  getPrivacy . . . . . . . . . . . . . . . . . . . . .  79
       6.5.4.  getMinorStatus . . . . . . . . . . . . . . . . . . .  79
       6.5.5.  getMinorString . . . . . . . . . . . . . . . . . . .  79
       6.5.6.  setQOP . . . . . . . . . . . . . . . . . . . . . . .  79
       6.5.7.  setPrivacy . . . . . . . . . . . . . . . . . . . . .  80
       6.5.8.  isDuplicateToken . . . . . . . . . . . . . . . . . .  80
       6.5.9.  isOldToken . . . . . . . . . . . . . . . . . . . . .  80
       6.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . .  80
       6.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . .  80
       6.5.12. setSupplementaryStates . . . . . . . . . . . . . . .  80
     6.6.  public class ChannelBinding  . . . . . . . . . . . . . .  81
       6.6.1.  Constructors . . . . . . . . . . . . . . . . . . . .  81
       6.6.2.  getInitiatorAddress  . . . . . . . . . . . . . . . .  82
       6.6.3.  getAcceptorAddress . . . . . . . . . . . . . . . . .  82
       6.6.4.  getApplicationData . . . . . . . . . . . . . . . . .  82
       6.6.5.  equals . . . . . . . . . . . . . . . . . . . . . . .  83
     6.7.  public class Oid . . . . . . . . . . . . . . . . . . . .  83
       6.7.1.  Constructors . . . . . . . . . . . . . . . . . . . .  83
       6.7.2.  toString . . . . . . . . . . . . . . . . . . . . . .  84
       6.7.3.  equals . . . . . . . . . . . . . . . . . . . . . . .  84
       6.7.4.  getDER . . . . . . . . . . . . . . . . . . . . . . .  84
       6.7.5.  containedIn  . . . . . . . . . . . . . . . . . . . .  84
     6.8.  public class GSSException extends Exception  . . . . . .  85
       6.8.1.  Static Constants . . . . . . . . . . . . . . . . . .  85
       6.8.2.  Constructors . . . . . . . . . . . . . . . . . . . .  88
       6.8.3.  getMajor . . . . . . . . . . . . . . . . . . . . . .  89
       6.8.4.  getMinor . . . . . . . . . . . . . . . . . . . . . .  89
       6.8.5.  getMajorString . . . . . . . . . . . . . . . . . . .  89
       6.8.6.  getMinorString . . . . . . . . . . . . . . . . . . .  89
       6.8.7.  getOutputToken . . . . . . . . . . . . . . . . . . .  89
       6.8.8.  setMinor . . . . . . . . . . . . . . . . . . . . . .  90
       6.8.9.  toString . . . . . . . . . . . . . . . . . . . . . .  90
       6.8.10. getMessage . . . . . . . . . . . . . . . . . . . . .  90
   7.  Sample Applications  . . . . . . . . . . . . . . . . . . . .  90
     7.1.  Simple GSS Context Initiator . . . . . . . . . . . . . .  90
     7.2.  Simple GSS Context Acceptor  . . . . . . . . . . . . . .  94
   8.  Security Considerations  . . . . . . . . . . . . . . . . . .  98
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  99
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .  99
   11. Changes since RFC 5653 . . . . . . . . . . . . . . . . . . .  99
   12. Changes since RFC 2853 . . . . . . . . . . . . . . . . . . . 100
   13. References . . . . . . . . . . . . . . . . . . . . . . . . . 101
     13.1. Normative References . . . . . . . . . . . . . . . . . . 101
     13.2. Informative References . . . . . . . . . . . . . . . . . 101
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 101
1.  Introduction

   This document specifies Java language bindings for the Generic
   Security Services Application Programming Interface version 2 (GSS-
   API).  GSS-API version 2 is described in a language-independent
   format in RFC 2743 [RFC2743].  The GSS-API allows a caller
   application to authenticate a principal identity, to delegate rights
   to a peer, and to apply security services such as confidentiality and
   integrity on a per-message basis.
   skipping to change at page 20, line 38
   object that was passed in.

   A GSSException object, along with providing the functionality for
   setting of the various error codes and translating them into textual
   representation, also contains the definitions of all the numeric
   error values.  The following table lists the definitions of error
   codes:
                         Table: GSS Status Codes

   +----------------------+-------+------------------------------------+
   | Name                 | Value | Meaning                            |
   +----------------------+-------+------------------------------------+
   | BAD_BINDINGS         | 1     | Incorrect channel bindings were    |
   |                      |       | supplied.                          |
   |                      |       |                                    |
   | BAD_MECH             | 2     | An unsupported mechanism was       |
   |                      |       | requested.                         |
   |                      |       |                                    |
   | BAD_NAME             | 3     | An invalid name was supplied.      |
   |                      |       |                                    |
   | BAD_NAMETYPE         | 4     | A supplied name was of an          |
   |                      |       | unsupported type.                  |
   |                      |       |                                    |
   | BAD_STATUS           | 5     | An invalid status code was         |
   |                      |       | supplied.                          |
   |                      |       |                                    |
   | BAD_MIC              | 6     | A token had an invalid MIC.        |
   |                      |       |                                    |
   | CONTEXT_EXPIRED      | 7     | The context has expired.           |
   |                      |       |                                    |
   | CREDENTIALS_EXPIRED  | 8     | The referenced credentials have    |
   |                      |       | expired.                           |
   |                      |       |                                    |
   | DEFECTIVE_CREDENTIAL | 9     | A supplied credential was invalid. |
   |                      |       |                                    |
   | DEFECTIVE_TOKEN      | 10    | A supplied token was invalid.      |
   |                      |       |                                    |
   | FAILURE              | 11    | Miscellaneous failure, unspecified |
   |                      |       | at the GSS-API level.              |
   |                      |       |                                    |
   | NO_CONTEXT           | 12    | Invalid context has been supplied. |
   |                      |       |                                    |
   | NO_CRED              | 13    | No credentials were supplied, or   |
   |                      |       | the credentials were unavailable   |
   |                      |       | or inaccessible.                   |
   |                      |       |                                    |
   | BAD_QOP              | 14    | The quality-of-protection (QOP)    |
   |                      |       | requested could not be provided.   |
   |                      |       |                                    |
   | UNAUTHORIZED         | 15    | The operation is forbidden by the  |
   |                      |       | local security policy.             |
   |                      |       |                                    |
   | UNAVAILABLE          | 16    | The operation or option is         |
   |                      |       | unavailable.                       |
   |                      |       |                                    |
   | DUPLICATE_ELEMENT    | 17    | The requested credential element   |
   |                      |       | already exists.                    |
   |                      |       |                                    |
   | NAME_NOT_MN          | 18    | The provided name was not a        |
   |                      |       | mechanism name.                    |
   +----------------------+-------+------------------------------------+
   The following four status codes (DUPLICATE_TOKEN, OLD_TOKEN,
   UNSEQ_TOKEN, and GAP_TOKEN) are contained in a GSSException only if
   detected during context establishment, in which case it is a fatal
   error.  (During per-message calls, these values are indicated as
   supplementary information contained in the MessageProp object.)  They
   are:
   +-----------------+-------+-----------------------------------------+
   | Name            | Value | Meaning                                 |
   +-----------------+-------+-----------------------------------------+
   | DUPLICATE_TOKEN | 19    | The token was a duplicate of an earlier |
   |                 |       | version.                                |
   |                 |       |                                         |
   | OLD_TOKEN       | 20    | The token's validity period has         |
   |                 |       | expired.                                |
   |                 |       |                                         |
   | UNSEQ_TOKEN     | 21    | A later token has already been          |
   |                 |       | processed.                              |
   |                 |       |                                         |
   | GAP_TOKEN       | 22    | The expected token was not received.    |
   +-----------------+-------+-----------------------------------------+
   The GSS major status code of FAILURE is used to indicate that the
   underlying mechanism detected an error for which no specific GSS
   status code is defined.  The mechanism-specific status code can
   provide more details about the error.

   The different major status codes that can be contained in the
   GSSException object thrown by the methods in this specification are
   the same as the major status codes returned by the corresponding
   calls in RFC 2743 [RFC2743].
skipping to change at page 23, line 7
the GSSContext interface. Because of the informative nature of these
errors, it is not appropriate to use exceptions to signal them.
Instead, the per-message operations of the GSSContext interface
return these values in a MessageProp object.

The MessageProp class defines query methods that return boolean
values indicating the following supplementary states:

Table: Supplementary Status Methods

+------------------+------------------------------------------------+
| Method Name      | Meaning when "true" is returned                |
+------------------+------------------------------------------------+
| isDuplicateToken | The token was a duplicate of an earlier token. |
|                  |                                                |
| isOldToken       | The token's validity period has expired.       |
|                  |                                                |
| isUnseqToken     | A later token has already been processed.      |
|                  |                                                |
| isGapToken       | An expected per-message token was not          |
|                  | received.                                      |
+------------------+------------------------------------------------+

A "true" return value for any of the above methods indicates that the
token exhibited the specified property. The application must
determine the appropriate course of action for these supplementary
values. They are not treated as errors by the GSS-API.
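The four supplementary states are reported, not thrown, so the receiving application has to decide for itself whether a replayed, stale, reordered or gap-preceded token is acceptable. The Java class below is an added example, not part of the draft; it assumes an established GSSContext on which replay and sequence detection were requested (requestReplayDet/requestSequenceDet) before initSecContext/acceptSecContext, and the decision logic itself is exercised on constructed MessageProp values in main(), which needs no GSS-API provider.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Receiver-side policy for the MessageProp supplementary states.
 * Added example; not part of the draft. The decision is kept in a pure
 * function so it can be exercised without a live security context.
 */
public final class SupplementaryStatePolicy {

    public enum Verdict { ACCEPT, REJECT_REPLAY, REJECT_STALE, REJECT_OUT_OF_ORDER, REJECT_GAP }

    /** Whether the application protocol requires strict in-order delivery. */
    private final boolean strictOrdering;

    public SupplementaryStatePolicy(boolean strictOrdering) {
        this.strictOrdering = strictOrdering;
    }

    /**
     * Maps the four supplementary flags to an application decision.
     * GSS-API never raises an exception for these: unwrap() succeeds and
     * the application must inspect the MessageProp itself.
     */
    public Verdict decide(MessageProp prop) {
        if (prop.isDuplicateToken()) {
            // The same token was already seen: a replayed message. Never process it twice.
            return Verdict.REJECT_REPLAY;
        }
        if (prop.isOldToken()) {
            // The token fell outside the mechanism's validity window; treat it as stale.
            return Verdict.REJECT_STALE;
        }
        if (prop.isGapToken()) {
            // An earlier token was expected but never arrived (loss or removal in transit).
            return Verdict.REJECT_GAP;
        }
        if (prop.isUnseqToken() && strictOrdering) {
            // A later token has already been processed; reject only when ordering matters.
            return Verdict.REJECT_OUT_OF_ORDER;
        }
        return Verdict.ACCEPT;
    }

    /**
     * Unwraps one received per-message token and applies the policy.
     * Requires an established context on which replay and sequence detection
     * were requested before establishment; otherwise the mechanism never sets
     * these flags. Returns the plaintext only when the verdict is ACCEPT.
     */
    public byte[] receive(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(false);
        byte[] plaintext = ctx.unwrap(token, 0, token.length, prop);
        Verdict v = decide(prop);
        if (v != Verdict.ACCEPT) {
            throw new SecurityException("message rejected: " + v
                    + " (minor status " + prop.getMinorStatus() + ")");
        }
        return plaintext;
    }

    /** Stand-alone demonstration on constructed MessageProp values. */
    public static void main(String[] args) {
        SupplementaryStatePolicy strict = new SupplementaryStatePolicy(true);
        SupplementaryStatePolicy lenient = new SupplementaryStatePolicy(false);

        // Constructed states: the six-argument setter mirrors what a mechanism's
        // unwrap() would report (duplicate, old, unseq, gap, minor status, minor string).
        MessageProp clean = new MessageProp(false);
        clean.setSupplementaryStates(false, false, false, false, 0, null);
        MessageProp replayed = new MessageProp(false);
        replayed.setSupplementaryStates(true, false, false, false, 0, null);
        MessageProp reordered = new MessageProp(false);
        reordered.setSupplementaryStates(false, false, true, false, 0, null);

        System.out.println("clean, strict      -> " + strict.decide(clean));
        System.out.println("replayed, strict   -> " + strict.decide(replayed));
        System.out.println("reordered, strict  -> " + strict.decide(reordered));
        System.out.println("reordered, lenient -> " + lenient.decide(reordered));
    }
}
```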
4.13. Names

A name is used to identify a person or entity. GSS-API authenticates
the relationship between a name and the entity claiming the name.
skipping to change at page 28, line 13
to make queries about underlying security mechanisms.

A default implementation can be obtained using the static method
getInstance(). Applications that desire to provide their own
implementation of the GSSManager class can simply extend the abstract
class themselves.

This class contains equivalents of the following RFC 2743 [RFC2743]
routines:

+----------------------------+-------------------------+------------+
| RFC 2743 Routine           | Function                | Section(s) |
+----------------------------+-------------------------+------------+
| gss_import_name            | Create an internal name | 6.1.6-     |
|                            | from the supplied       | 6.1.9      |
|                            | information.            |            |
|                            |                         |            |
| gss_acquire_cred           | Acquire credential for  | 6.1.10-    |
|                            | use.                    | 6.1.12     |
|                            |                         |            |
| gss_import_sec_context     | Create a previously     | 6.1.15     |
|                            | exported context.       |            |
|                            |                         |            |
| gss_indicate_mechs         | List the mechanisms     | 6.1.3      |
|                            | supported by this GSS-  |            |
|                            | API implementation.     |            |
|                            |                         |            |
| gss_inquire_mechs_for_name | List the mechanisms     | 6.1.5      |
|                            | supporting the          |            |
|                            | specified name type.    |            |
|                            |                         |            |
| gss_inquire_names_for_mech | List the name types     | 6.1.4      |
|                            | supported by the        |            |
|                            | specified mechanism.    |            |
+----------------------------+-------------------------+------------+
5.2. GSSName Interface

GSS-API names are represented in the Java bindings through the
GSSName interface. Different name formats and their definitions are
identified with Universal Object Identifiers (oids). The format of
the names can be derived based on the unique oid of each name type.
The following GSS-API routines are provided by the GSSName interface:

+-----------------------+------------------------------+------------+
| RFC 2743 Routine      | Function                     | Section(s) |
+-----------------------+------------------------------+------------+
| gss_display_name      | Convert internal name        | 6.2.7      |
|                       | representation to text       |            |
|                       | format.                      |            |
|                       |                              |            |
| gss_compare_name      | Compare two internal names.  | 6.2.3,     |
|                       |                              | 6.2.4      |
|                       |                              |            |
| gss_release_name      | Release resources associated | N/A        |
|                       | with the internal name.      |            |
|                       |                              |            |
| gss_canonicalize_name | Convert an internal name to  | 6.2.5      |
|                       | a mechanism name.            |            |
|                       |                              |            |
| gss_export_name       | Convert a mechanism name to  | 6.2.6      |
|                       | export format.               |            |
|                       |                              |            |
| gss_duplicate_name    | Create a copy of the         | N/A        |
|                       | internal name.               |            |
+-----------------------+------------------------------+------------+

The gss_release_name call is not provided as Java does its own
garbage collection. The gss_duplicate_name call is also redundant;
the GSSName interface has no mutator methods that can change the
state of the object, so it is safe for sharing across threads.
5.3. GSSCredential Interface

The GSSCredential interface is responsible for the encapsulation of
GSS-API credentials. Credentials identify a single entity and
provide the necessary cryptographic information to enable the
creation of a context on behalf of that entity. A single credential
may contain multiple mechanism-specific credentials, each referred to
as a credential element. The GSSCredential interface provides the
functionality of the following GSS-API routines:

+--------------------------+---------------------------+------------+
| RFC 2743 Routine         | Function                  | Section(s) |
+--------------------------+---------------------------+------------+
| gss_add_cred             | Constructs credentials    | 6.3.12     |
|                          | incrementally.            |            |
|                          |                           |            |
| gss_inquire_cred         | Obtain information about  | 6.3.4-     |
|                          | credential.               | 6.3.11     |
|                          |                           |            |
| gss_inquire_cred_by_mech | Obtain per-mechanism      | 6.3.5-     |
|                          | information about a       | 6.3.10     |
|                          | credential.               |            |
|                          |                           |            |
| gss_release_cred         | Dispose of credentials    | 6.3.3      |
|                          | after use.                |            |
+--------------------------+---------------------------+------------+
5.4. GSSContext Interface

This interface encapsulates the functionality of context-level calls
required for security context establishment and management between
peers as well as the per-message services offered to applications. A
context is established between a pair of peers and allows the usage
of security services on a per-message basis on application data. It
is created over a single security mechanism. The GSSContext
interface provides the functionality of the following GSS-API
routines:

+------------------------+-----------------------------+------------+
| RFC 2743 Routine       | Function                    | Section(s) |
+------------------------+-----------------------------+------------+
| gss_init_sec_context   | Initiate the creation of a  | 6.4.3-     |
|                        | security context with a     | 6.4.6      |
|                        | peer.                       |            |
|                        |                             |            |
| gss_accept_sec_context | Accept a security context   | 6.4.7-     |
|                        | initiated by a peer.        | 6.4.10     |
|                        |                             |            |
| gss_delete_sec_context | Destroy a security context. | 6.4.12     |
|                        |                             |            |
| gss_context_time       | Obtain remaining context    | 6.4.41     |
|                        | time.                       |            |
|                        |                             |            |
| gss_inquire_context    | Obtain context              | 6.4.32-    |
|                        | characteristics.            | 6.4.46     |
|                        |                             |            |
| gss_wrap_size_limit    | Determine token-size limit  | 6.4.13     |
|                        | for gss_wrap.               |            |
|                        |                             |            |
| gss_export_sec_context | Transfer security context   | 6.4.22     |
|                        | to another process.         |            |
|                        |                             |            |
| gss_get_mic            | Calculate a cryptographic   | 6.4.18,    |
|                        | Message Integrity Code      | 6.4.19     |
|                        | (MIC) for a message.        |            |
|                        |                             |            |
| gss_verify_mic         | Verify integrity on a       | 6.4.20,    |
|                        | received message.           | 6.4.21     |
|                        |                             |            |
| gss_wrap               | Attach a MIC to a message   | 6.4.14,    |
|                        | and optionally encrypt the  | 6.4.15     |
|                        | message content.            |            |
|                        |                             |            |
| gss_unwrap             | Obtain a previously wrapped | 6.4.16,    |
|                        | application message         | 6.4.17     |
|                        | verifying its integrity and |            |
|                        | optionally decrypting it.   |            |
+------------------------+-----------------------------+------------+

The functionality offered by the gss_process_context_token routine
has not been included in the Java bindings specification. The
corresponding functionality of gss_delete_sec_context has also been
modified to not return any peer tokens. This has been proposed in
accordance with the recommendations stated in RFC 2743 [RFC2743].
GSSContext does offer the functionality of destroying the locally
stored context information.
5.5. MessageProp Class

skipping to change at page 32, line 25
5.6. GSSException Class

Exceptions are used in the Java bindings to signal fatal errors to
the calling applications. This replaces the major and minor codes
used in the C-bindings specification as a method of signaling
failures. The GSSException class handles both minor and major codes,
as well as their translation into textual representation. All GSS-
API methods are declared as throwing this exception.

+--------------------+----------------------------+-----------------+
| RFC 2743 Routine   | Function                   | Section         |
+--------------------+----------------------------+-----------------+
| gss_display_status | Retrieve textual           | 6.8.5, 6.8.6,   |
|                    | representation of error    | 6.8.9, 6.8.10   |
|                    | codes.                     |                 |
+--------------------+----------------------------+-----------------+
5.7. Oid Class

This utility class is used to represent Universal Object Identifiers
and their associated operations. GSS-API uses object identifiers to
distinguish between security mechanisms and name types. This class,
aside from being used whenever an object identifier is needed,
implements the following GSS-API functionality:

+-------------------------+-------------------------------+---------+
| RFC 2743 Routine        | Function                      | Section |
+-------------------------+-------------------------------+---------+
| gss_test_oid_set_member | Determine if the specified    | 6.7.5   |
|                         | oid is part of a set of oids. |         |
+-------------------------+-------------------------------+---------+
5.8. ChannelBinding Class

An instance of this class is used to specify channel binding
information to the GSSContext object before the start of a security
context establishment. The application may use a byte array to
specify application data to be used in the channel binding as well as
to use instances of the InetAddress. InetAddress is currently the
only address type defined within the Java platform and as such, it is
the only one supported within the ChannelBinding class. Applications
skipping to change at page 35, line 27
available (an example of this would be when mechanisms are dynamically
configured, and currently no mechanisms are installed).
6.1.4. getNamesForMech

public abstract Oid[] getNamesForMech(Oid mech)
                throws GSSException

Returns the name type Oids supported by the specified mechanism.

Parameters:

mech       The Oid object for the mechanism to query.

6.1.5. getMechsForName

public abstract Oid[] getMechsForName(Oid nameType)

Returns an array of Oid objects corresponding to the mechanisms that
support the specified name type. "null" is returned when no
mechanisms are found to support the specified name type.

Parameters:

nameType   The Oid object for the name type.
6.1.6. createName

public abstract GSSName createName(String nameStr, Oid nameType)
                throws GSSException

Factory method to convert a contiguous string name from the specified
namespace to a GSSName object. In general, the GSSName object
created will not be an MN; two examples that are exceptions to this
are when the namespace type parameter indicates NT_EXPORT_NAME or
when the GSS-API implementation is not multi-mechanism.

Parameters:

nameStr    The string representing a printable form of the name to
           create.

nameType   The Oid specifying the namespace of the printable name
           supplied. Note that nameType serves to describe and
           qualify the interpretation of the input nameStr; it does
           not necessarily imply a type for the output GSSName
           implementation. The "null" value can be used to specify
           that a mechanism-specific default printable syntax should
           be assumed by each mechanism that examines nameStr.
6.1.7. createName

public abstract GSSName createName(byte[] name, Oid nameType)
                throws GSSException

Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object. In general, the
GSSName object created will not be an MN; two examples that are
exceptions to this are when the namespace type parameter indicates
NT_EXPORT_NAME or when the GSS-API implementation is not multi-
mechanism.

Parameters:

name       The byte array containing the name to create.

nameType   The Oid specifying the namespace of the name supplied in
           the byte array. Note that nameType serves to describe and
           qualify the interpretation of the input name byte array;
           it does not necessarily imply a type for the output
           GSSName implementation. The "null" value can be used to
           specify that a mechanism-specific default syntax should be
           assumed by each mechanism that examines the byte array.
6.1.8. createName

public abstract GSSName createName(String nameStr, Oid nameType,
                Oid mech) throws GSSException

Factory method to convert a contiguous string name from the specified
namespace to a GSSName object that is a mechanism name (MN). In
other words, this method is a utility that does the equivalent of two
steps: the createName described in section 6.1.6, and then also the
GSSName.canonicalize() described in section 6.2.5.

Parameters:

nameStr    The string representing a printable form of the name to
           create.

nameType   The Oid specifying the namespace of the printable name
           supplied. Note that nameType serves to describe and
           qualify the interpretation of the input nameStr; it does
           not necessarily imply a type for the output GSSName
           implementation. The "null" value can be used to specify
           that a mechanism-specific default printable syntax should
           be assumed when the mechanism examines nameStr.

mech       Oid specifying the mechanism for which this name should
           be created.
6.1.9. createName

public abstract GSSName createName(byte[] name, Oid nameType,
                Oid mech) throws GSSException

Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object that is an MN. In
other words, this method is a utility that does the equivalent of two
steps: the createName described in section 6.1.7, and then also the
GSSName.canonicalize() described in section 6.2.5.

Parameters:

name       The byte array representing the name to create.

nameType   The Oid specifying the namespace of the name supplied in
           the byte array. Note that nameType serves to describe and
           qualify the interpretation of the input name byte array;
           it does not necessarily imply a type for the output
           GSSName implementation. The "null" value can be used to
           specify that a mechanism-specific default syntax should be
           assumed by each mechanism that examines the byte array.

mech       Oid specifying the mechanism for which this name should
           be created.
6.1.10. createCredential

public abstract GSSCredential createCredential(int usage)
                throws GSSException

Factory method for acquiring default credentials. This will cause
the GSS-API to use system-specific defaults for the set of
mechanisms, name, and a DEFAULT lifetime.

Parameters:

usage      The intended usage for this credential object. The value
           of this parameter must be one of:
           GSSCredential.INITIATE_AND_ACCEPT(0),
           GSSCredential.INITIATE_ONLY(1), or
           GSSCredential.ACCEPT_ONLY(2)
6.1.11. createCredential

public abstract GSSCredential createCredential(GSSName aName,
                int lifetime, Oid mech, int usage)
                throws GSSException

Factory method for acquiring a single mechanism credential.

Parameters:

aName      Name of the principal for whom this credential is to be
           acquired. Use "null" to specify the default principal.

lifetime   The number of seconds that credentials should remain
           valid. Use GSSCredential.INDEFINITE_LIFETIME to request
           that the credentials have the maximum permitted lifetime.
           Use GSSCredential.DEFAULT_LIFETIME to request default
           credential lifetime.

mech       The oid of the desired mechanism. Use "(Oid) null" to
           request the default mechanism(s).

usage      The intended usage for this credential object. The value
           of this parameter must be one of:
           GSSCredential.INITIATE_AND_ACCEPT(0),
           GSSCredential.INITIATE_ONLY(1), or
           GSSCredential.ACCEPT_ONLY(2)
6.1.12. createCredential

public abstract GSSCredential createCredential(GSSName aName,
                int lifetime, Oid[] mechs, int usage)
                throws GSSException

Factory method for acquiring credentials over a set of mechanisms.
Acquires credentials for each of the mechanisms specified in the
array called mechs. To determine the list of mechanisms for which
the acquisition of credentials succeeded, the caller should use the
GSSCredential.getMechs() method.

Parameters:

aName      Name of the principal for whom this credential is to be
           acquired. Use "null" to specify the default principal.

lifetime   The number of seconds that credentials should remain
           valid. Use GSSCredential.INDEFINITE_LIFETIME to request
           that the credentials have the maximum permitted lifetime.
           Use GSSCredential.DEFAULT_LIFETIME to request default
           credential lifetime.

mechs      The array of mechanisms over which the credential is to
           be acquired. Use "(Oid[]) null" for requesting a
           system-specific default set of mechanisms.

usage      The intended usage for this credential object. The value
           of this parameter must be one of:
           GSSCredential.INITIATE_AND_ACCEPT(0),
           GSSCredential.INITIATE_ONLY(1), or
           GSSCredential.ACCEPT_ONLY(2)
6.1.13. createContext
public abstract GSSContext createContext(GSSName peer, Oid mech,
GSSCredential myCred, int lifetime)
throws GSSException
Factory method for creating a context on the initiator's side.
Context flags may be modified through the mutator methods prior to
calling GSSContext.initSecContext().
Parameters:
peer Name of the target peer.
mech Oid of the desired mechanism. Use "(Oid) null"
to request the default mechanism.
myCred Credentials of the initiator. Use "null" to act
as a default initiator principal.
lifetime The request lifetime, in seconds, for the
context. Use GSSContext.INDEFINITE_LIFETIME and
GSSContext.DEFAULT_LIFETIME to request indefinite
or default context lifetime.
6.1.14. createContext
public abstract GSSContext createContext(GSSCredential myCred)
throws GSSException
Factory method for creating a context on the acceptor's side. The
context's properties will be determined from the input token supplied
to the accept method.
Parameters:
myCred Credentials for the acceptor. Use "null" to act
as a default acceptor principal.
6.1.15. createContext
public abstract GSSContext createContext(byte[] interProcessToken)
throws GSSException
Factory method for creating a previously exported context. The
context properties will be determined from the input token and can't
be modified through the set methods.
Parameters:
interProcessToken The token previously emitted from the export
method.
6.1.16. addProviderAtFront
public abstract void addProviderAtFront(Provider p, Oid mech)
throws GSSException
This method is used to indicate to the GSSManager that the
application would like a particular provider to be used ahead of all
others when support is desired for the given mechanism. When a value
of "null" is used instead of an Oid for the mechanism, the GSSManager
skipping to change at page 41, line 34
preferences that were set for this provider in the GSSManager
instance. Calling addProviderAtFront with a non-null Oid will remove
any previous preference that was set using this mechanism and this
provider together.
If the GSSManager implementation does not support an SPI with a
pluggable provider architecture, it should throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the
operation is unavailable.
Parameters:
p The provider instance that should be used
whenever support is needed for mech.
mech The mechanism for which the provider is being
set.
6.1.17. Example Code
Suppose an application desired that the provider A always be checked
first when any mechanism is needed, it would call:
<CODE BEGINS>
skipping to change at page 43, line 30
If there are any previously existing preferences that conflict with
the preference being set here, then the GSSManager should ignore this
request.
If the GSSManager implementation does not support an SPI with a
pluggable provider architecture, it should throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the
operation is unavailable.
Parameters:
p The provider instance that should be used
whenever support is needed for mech.
mech The mechanism for which the provider is being
set.
6.1.19. Example Code
Suppose an application desired that when a mechanism of Oid m1 is
needed, the system default providers always be checked first, and
only when they do not support m1 should a provider A be checked. It
would then make the call:
skipping to change at page 46, line 43
6.2.3. equals
public boolean equals(GSSName another) throws GSSException
Compares two GSSName objects to determine whether they refer to the
same entity. This method may throw a GSSException when the names
cannot be compared. If either of the names represents an anonymous
entity, the method will return "false".
Parameters:
another GSSName object with which to compare.
6.2.4. equals
public boolean equals(Object another)
A variation of the equals method, described in section 6.2.3, that is
provided to override the Object.equals() method that the implementing
class will inherit. The behavior is exactly the same as that in
section 6.2.3 except that no GSSException is thrown; instead, "false"
will be returned in the situation where an error occurs. (Note that
the Java language specification requires that two objects that are
equal according to the equals(Object) method must return the same
integer result when the hashCode() method is called on them.)
Parameters:
another GSSName object with which to compare.
6.2.5. canonicalize
public GSSName canonicalize(Oid mech) throws GSSException
Creates a mechanism name (MN) from an arbitrary internal name. This
is equivalent to using the factory methods described in sections
6.1.8 or 6.1.9 that take the mechanism name as one of their
parameters.
Parameters:
mech The oid for the mechanism for which the canonical
form of the name is requested.
6.2.6. export
public byte[] export() throws GSSException
Returns a canonical contiguous byte representation of a mechanism
name (MN), suitable for direct, byte-by-byte comparison by
authorization functions. If the name is not an MN, implementations
may throw a GSSException with the NAME_NOT_MN status code. If an
implementation chooses not to throw an exception, it should use some
skipping to change at page 51, line 4
6.3.4. getName
public GSSName getName() throws GSSException
Retrieves the name of the entity that the credential asserts.
6.3.5. getName
public GSSName getName(Oid mechOID) throws GSSException
Retrieves a mechanism name of the entity that the credential asserts.
Equivalent to calling canonicalize() on the name returned by section
6.3.4.
Parameters:
mechOID The mechanism for which information should be
returned.
6.3.6. getRemainingLifetime
public int getRemainingLifetime() throws GSSException
Returns the remaining lifetime in seconds for a credential. The
remaining lifetime is the minimum lifetime for any of the underlying
credential mechanisms. A return value of
GSSCredential.INDEFINITE_LIFETIME indicates that the credential does
not expire. A return value of 0 indicates that the credential is
already expired.
6.3.7. getRemainingInitLifetime
public int getRemainingInitLifetime(Oid mech) throws GSSException
Returns the remaining lifetime in seconds for the credential to
remain capable of initiating security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME
indicates that the credential does not expire for context initiation.
A return value of 0 indicates that the credential is already expired.
Parameters:
mechOID The mechanism for which information should be
returned.
6.3.8. getRemainingAcceptLifetime
public int getRemainingAcceptLifetime(Oid mech) throws GSSException
Returns the remaining lifetime in seconds for the credential to
remain capable of accepting security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME
indicates that the credential does not expire for context acceptance.
A return value of 0 indicates that the credential is already expired.
Parameters:
mechOID The mechanism for which information should be
returned.
6.3.9. getUsage
public int getUsage() throws GSSException
Returns the credential usage flag as a union over all mechanisms.
The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
6.3.10. getUsage
public int getUsage(Oid mechOID) throws GSSException
Returns the credential usage flag for the specified mechanism only.
The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
Parameters:
mechOID The mechanism for which information should be
returned.
6.3.11. getMechs
public Oid[] getMechs() throws GSSException
Returns an array of mechanisms supported by this credential.
6.3.12. add
skipping to change at page 52, line 52
mechanism at a time.
This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials, which are to be used
with a variety of clients using different security mechanisms.
This routine adds the new credential element "in-place". To add the
element in a new credential, first call clone() to obtain a copy of
this credential, then call its add() method.
Parameters:
aName Name of the principal for whom this credential is
to be acquired. Use "null" to specify the
default principal.
initLifetime The number of seconds that credentials should
remain valid for initiating of security contexts.
Use GSSCredential.INDEFINITE_LIFETIME to request
that the credentials have the maximum permitted
lifetime. Use GSSCredential.DEFAULT_LIFETIME to
request default credential lifetime.
acceptLifetime The number of seconds that credentials should
remain valid for accepting of security contexts.
Use GSSCredential.INDEFINITE_LIFETIME to request
that the credentials have the maximum permitted
lifetime. Use GSSCredential.DEFAULT_LIFETIME to
request default credential lifetime.
mech The mechanisms over which the credential is to be
acquired.
usage The intended usage for this credential object.
The value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2)
6.3.13. equals
public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied
object. The two credentials must be acquired over the same
mechanisms and must refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise.
(Note that the Java language specification [JLS] requires that two
objects that are equal according to the equals(Object) method must
return the same integer result when the hashCode() method is called
on them.)
Parameters:
another Another GSSCredential object for comparison.
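The following is an added illustration of how an acceptor would use the credential factory (6.1.12), the in-place add() method (6.3.12) and the lifetime and usage queries (6.3.7 through 6.3.10) together; it is not code from this draft. The class name, the extraMech parameter and the MIN_REMAINING_SECONDS policy threshold are assumptions made for the example; everything else is the org.ietf.jgss API as specified above.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public final class AcceptorCredentialCheck {

    // Hypothetical local policy: refuse to start accepting contexts with a
    // credential that has less than this many seconds of accept lifetime left.
    private static final int MIN_REMAINING_SECONDS = 300;

    /**
     * Acquire an accept-only credential for the default acceptor principal over
     * the system default mechanisms, then add an element for one more mechanism
     * in place (section 6.3.12) so a single credential serves clients of either.
     * extraMech is an assumed input; the caller chooses it.
     */
    public static GSSCredential acquireServiceCredential(GSSManager mgr, Oid extraMech)
            throws GSSException {
        GSSCredential cred = mgr.createCredential(
                null,                               // default acceptor principal
                GSSCredential.INDEFINITE_LIFETIME,  // ask for the maximum permitted lifetime
                (Oid[]) null,                       // system-specific default mechanism set
                GSSCredential.ACCEPT_ONLY);         // never usable to initiate contexts

        // getMechs() reports which mechanisms the acquisition actually succeeded for.
        boolean alreadyPresent = false;
        for (Oid m : cred.getMechs()) {
            if (m.equals(extraMech)) {
                alreadyPresent = true;
            }
        }
        if (!alreadyPresent) {
            // initLifetime is irrelevant for an ACCEPT_ONLY element but is still a
            // required parameter of add().
            cred.add(null,
                     GSSCredential.INDEFINITE_LIFETIME,
                     GSSCredential.INDEFINITE_LIFETIME,
                     extraMech,
                     GSSCredential.ACCEPT_ONLY);
        }
        return cred;
    }

    /**
     * Decide whether the credential is still fit for accepting contexts under
     * mech. Checking usage and remaining accept lifetime up front gives a precise
     * local error instead of a less specific failure inside acceptSecContext.
     */
    public static boolean usableForAccept(GSSCredential cred, Oid mech) throws GSSException {
        int usage = cred.getUsage(mech);
        if (usage != GSSCredential.ACCEPT_ONLY && usage != GSSCredential.INITIATE_AND_ACCEPT) {
            return false;   // an INITIATE_ONLY element cannot accept contexts
        }
        int remaining = cred.getRemainingAcceptLifetime(mech);
        if (remaining == GSSCredential.INDEFINITE_LIFETIME) {
            return true;    // the credential does not expire for context acceptance
        }
        // A return value of 0 means the credential is already expired.
        return remaining >= MIN_REMAINING_SECONDS;
    }
}
```

The per-mechanism form getRemainingAcceptLifetime(mech) is used rather than getRemainingLifetime() because the latter reports the minimum over all elements, which would reject the whole credential as soon as any one mechanism's element is close to expiry.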
6.4. public interface GSSContext
This interface encapsulates the GSS-API security context and provides
the security services (wrap, unwrap, getMIC, verifyMIC) that are
available over the context. Security contexts are established
between peers using locally acquired credentials. Multiple contexts
may exist simultaneously between a pair of peers, using the same or
different set of credentials. GSS-API functions in a manner
skipping to change at page 57, line 39
that the token needs to be sent to the peer, but the local end of the
context is now fully established.
Upon completion of the context establishment, the available context
options may be queried through the get methods.
A GSSException will be thrown if the call fails. Users should call
its getOutputToken() method to find out if there is a token that can
be sent to the acceptor to inform it of the reason for the error.
Parameters:
inputBuf Token generated by the peer. This parameter is
ignored on the first call.
offset The offset within the inputBuf where the token
begins.
len The length of the token within the inputBuf
(starting at the offset).
6.4.4. Example Code
<CODE BEGINS>
// Create a new GSSContext implementation object.
// GSSContext wrapper implements interface GSSContext.
GSSContext context = mgr.createContext(...);
byte[] inTok = new byte[0];
skipping to change at page 59, line 25
This method will attempt to read one of these tokens per invocation,
and may block on the stream if only part of the token is available.
Upon completion of the context establishment, the available context
options may be queried through the get methods.
A GSSException will be thrown if the call fails. Users should call
its getOutputToken() method to find out if there is a token that can
be sent to the acceptor to inform it of the reason for the error.
Parameters:
inStream Contains the token generated by the peer. This
parameter is ignored on the first call.
outStream Output stream where the output token will be
written. During the final stage of context
establishment, there may be no bytes written.
6.4.6. Example Code
This sample code merely demonstrates the token exchange during the
context establishment phase. It is expected that most Java
applications will use custom implementations of the Input and Output
streams that encapsulate the communication routines. For instance, a
simple read on the application InputStream, when called by the
Context, might cause a token to be read from the peer, and a simple
skipping to change at page 61, line 26
indicates that the token needs to be sent to the peer, but the local
end of the context is now fully established.
Upon completion of the context establishment, the available context
options may be queried through the get methods.
A GSSException will be thrown if the call fails. Users should call
its getOutputToken() method to find out if there is a token that can
be sent to the initiator to inform it of the reason for the error.
Parameters:
inTok Token generated by the peer.
offset The offset within the inTok where the token
begins.
len The length of the token within the inTok
(starting at the offset).
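As an added example covering both the initiator loop of 6.4.3 and the acceptor loop of 6.4.7, including the error-token handling this draft introduces through GSSException.getOutputToken(), the following is illustration code rather than code from the draft. The TokenChannel interface, the class name and the choice of requested protections are assumptions; every GSSContext, GSSManager and GSSException call is taken from the API as specified in this document (getOutputToken() exists only in implementations that follow this draft, not in RFC 5653 implementations).

```java
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class ContextEstablishment {

    /** Assumed transport abstraction; the application supplies the framing. */
    public interface TokenChannel {
        void send(byte[] token) throws IOException;
        byte[] receive() throws IOException;   // blocks until one whole token arrives
    }

    /** Initiator side: drive initSecContext until the local end is established. */
    public static GSSContext establishInitiator(GSSManager mgr, GSSName peer, Oid mech,
                                                GSSCredential myCred, TokenChannel ch)
            throws GSSException, IOException {
        GSSContext ctx = mgr.createContext(peer, mech, myCred, GSSContext.DEFAULT_LIFETIME);
        // Context flags must be set before the first initSecContext call (6.1.13).
        ctx.requestMutualAuth(true);
        ctx.requestConf(true);
        ctx.requestInteg(true);

        byte[] inTok = new byte[0];   // ignored on the first call
        try {
            while (!ctx.isEstablished()) {
                byte[] outTok = ctx.initSecContext(inTok, 0, inTok.length);
                if (outTok != null) {
                    // A non-null token must reach the peer even when the local
                    // end is already established after this call.
                    ch.send(outTok);
                }
                if (!ctx.isEstablished()) {
                    inTok = ch.receive();
                }
            }
        } catch (GSSException e) {
            // Per this draft, a failed call may still carry a token that tells the
            // peer why establishment failed; forward it, then release the context.
            byte[] errTok = e.getOutputToken();
            if (errTok != null) {
                ch.send(errTok);
            }
            ctx.dispose();
            throw e;
        }
        // Requested flags are only requests: confirm what was actually negotiated
        // before trusting the context for anything.
        if (!ctx.getMutualAuthState() || !ctx.getConfState() || !ctx.getIntegState()) {
            ctx.dispose();
            throw new SecurityException("context established without required protections");
        }
        return ctx;
    }

    /** Acceptor side: mirror loop using acceptSecContext. */
    public static GSSContext establishAcceptor(GSSManager mgr, GSSCredential serverCred,
                                               TokenChannel ch)
            throws GSSException, IOException {
        GSSContext ctx = mgr.createContext(serverCred);   // properties come from the first token
        try {
            do {
                byte[] inTok = ch.receive();
                byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                if (outTok != null) {
                    ch.send(outTok);
                }
            } while (!ctx.isEstablished());
        } catch (GSSException e) {
            byte[] errTok = e.getOutputToken();
            if (errTok != null) {
                ch.send(errTok);
            }
            ctx.dispose();
            throw e;
        }
        return ctx;
    }
}
```

The post-establishment check on the initiator is the part most often omitted: request* methods only express a preference, and the get*State methods are the only way to learn whether the mechanism actually delivered mutual authentication, confidentiality and integrity.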
6.4.8. Example Code
<CODE BEGINS>
// acquire server credentials
GSSCredential server = mgr.createCredential(...);
// create acceptor GSS-API context from the default provider
GSSContext context = mgr.createContext(server, null);
try {
do {
byte[] inTok = readToken();
skipping to change at page 63, line 23
This method will attempt to read one of these tokens per invocation,
and may block on the stream if only part of the token is available.
Upon completion of the context establishment, the available context
options may be queried through the get methods.
A GSSException will be thrown if the call fails. Users should call
its getOutputToken() method to find out if there is a token that can
be sent to the initiator to inform it of the reason for the error.
Parameters:
inStream Contains the token generated by the peer.
outStream Output stream where the output token will be
written. During the final stage of context
establishment, there may be no bytes written.
6.4.10. Example Code
This sample code merely demonstrates the token exchange during the
context establishment phase. It is expected that most Java
applications will use custom implementations of the Input and Output
streams that encapsulate the communication routines. For instance, a
simple read on the application InputStream, when called by the
Context, might cause a token to be read from the peer, and a simple
skipping to change at page 65, line 38
specific QOP values for message protection.
Successful completion of this call does not guarantee that wrap will
be able to protect a message of the computed length, since this
ability may depend on the availability of system resources at the
time that wrap is called. However, if the implementation itself
imposes an upper limit on the length of messages that may be
processed by wrap, the implementation should not return a value that
is greater than this length.
Parameters:
qop Indicates the level of protection wrap will be
asked to provide.
confReq Indicates if wrap will be asked to provide
privacy service.
maxTokenSize The desired maximum size of the token emitted by
wrap.
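As an added example of putting getWrapSizeLimit (6.4.13) together with wrap (6.4.14), the following is illustration code and not part of the draft. It assumes an already established context and a transport whose frame limit is passed in as maxTokenSize; the class and method names are assumptions, the MessageProp, getWrapSizeLimit and wrap calls are the API as specified here.

```java
import java.util.ArrayList;
import java.util.List;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

public final class FramedWrapper {

    /**
     * Split plaintext into pieces that each fit, once wrapped, inside a
     * transport frame of maxTokenSize bytes, and wrap every piece with
     * confidentiality requested. Returns the wrap tokens in order.
     */
    public static List<byte[]> wrapFramed(GSSContext ctx, byte[] plaintext, int maxTokenSize)
            throws GSSException {
        final int qop = 0;           // 0 requests the default QOP
        final boolean conf = true;   // ask wrap for privacy as well as integrity

        // Largest plaintext length whose wrap token still fits in maxTokenSize.
        int limit = ctx.getWrapSizeLimit(qop, conf, maxTokenSize);
        if (limit <= 0) {
            throw new IllegalArgumentException("maxTokenSize too small to carry any data");
        }

        List<byte[]> tokens = new ArrayList<>();
        int offset = 0;
        // do/while so that a zero-length message still produces exactly one
        // token: the draft requires support for wrapping zero-length messages
        // precisely so tokens can be used for secure framing.
        do {
            int len = Math.min(limit, plaintext.length - offset);
            MessageProp prop = new MessageProp(qop, conf);
            byte[] token = ctx.wrap(plaintext, offset, len, prop);
            // On return prop holds the privacy state the mechanism actually
            // applied; a mechanism that could not provide the QOP throws
            // BAD_QOP, but a silent fall-back to integrity-only must be caught here.
            if (!prop.getPrivacy()) {
                throw new SecurityException("mechanism did not apply confidentiality");
            }
            tokens.add(token);
            offset += len;
        } while (offset < plaintext.length);
        return tokens;
    }
}
```

getWrapSizeLimit is evaluated once per message rather than once per context because, as the text above notes, the value is only a promise about token size, and the implementation may change its answer with the QOP or with resource availability.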
6.4.14.  wrap

   public byte[] wrap(byte[] inBuf, int offset, int len,
                      MessageProp msgProp) throws GSSException

   Applies per-message security services over the established security
   context.  The method will return a token with a cryptographic MIC and
   may optionally encrypt the specified inBuf.  This method is
   equivalent in functionality to its stream counterpart.  The returned
   query upon return.  If the mechanism is not able to provide the
   requested QOP, it throws a GSSException with the BAD_QOP code.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping of zero-length messages.

   The application will be responsible for sending the token to the
   peer.

   Parameters:

   inBuf         Application data to be protected.

   offset        The offset within the inBuf where the data begins.

   len           The length of the data within the inBuf (starting at
                 the offset).

   msgProp       Instance of MessageProp that is used by the
                 application to set the desired QOP and privacy state.
                 Set the desired QOP to 0 to request the default QOP.
                 Upon return from this method, this object will contain
                 the actual privacy state that was applied to the
                 message by the underlying mechanism.

6.4.15.  wrap

   public void wrap(InputStream inStream, OutputStream outStream,
                    MessageProp msgProp) throws GSSException
   query upon return.  If the mechanism is not able to provide the
   requested QOP, it throws a GSSException with the BAD_QOP code.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping of zero-length messages.

   The application will be responsible for sending the token to the
   peer.

   Parameters:

   inStream      Input stream containing the application data to be
                 protected.

   outStream     The output stream to which to write the protected
                 message.  The application is responsible for sending
                 this to the other peer for processing in its unwrap
                 method.

   msgProp       Instance of MessageProp that is used by the
                 application to set the desired QOP and privacy state.
                 Set the desired QOP to 0 to request the default QOP.
                 Upon return from this method, this object will contain
                 the actual privacy state that was applied to the
                 message by the underlying mechanism.

6.4.16.  unwrap

   public byte[] unwrap(byte[] inBuf, int offset, int len,
                        MessageProp msgProp) throws GSSException
   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP, whether confidentiality was applied to the message, and
   other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping and unwrapping of zero-length messages.

   Parameters:

   inBuf         GSS-API wrap token received from peer.

   offset        The offset within the inBuf where the token begins.

   len           The length of the token within the inBuf (starting at
                 the offset).

   msgProp       Upon return from the method, this object will contain
                 the applied QOP, the privacy state of the message, and
                 supplementary information, described in section
                 4.12.3, stating whether the token was a duplicate,
                 old, out of sequence, or arriving after a gap.

6.4.17.  unwrap

   public void unwrap(InputStream inStream, OutputStream outStream,
                      MessageProp msgProp) throws GSSException
   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP, whether confidentiality was applied to the message, and
   other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping and unwrapping of zero-length messages.

   Parameters:

   inStream      Input stream containing the GSS-API wrap token
                 received from the peer.

   outStream     The output stream to which to write the application
                 message.

   msgProp       Upon return from the method, this object will contain
                 the applied QOP, the privacy state of the message, and
                 supplementary information, described in section
                 4.12.3, stating whether the token was a duplicate,
                 old, out of sequence, or arriving after a gap.

6.4.18.  getMIC

   public byte[] getMIC(byte[] inMsg, int offset, int len,
                        MessageProp msgProp) throws GSSException
   encapsulates the user message in the returned token, only the message
   MIC is returned in the output token.  This method is identical in
   functionality to its stream counterpart.

   Note that privacy can only be applied through the wrap call.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   derivation of MICs from zero-length messages.

   Parameters:

   inMsg         Message over which to generate MIC.

   offset        The offset within the inMsg where the token begins.

   len           The length of the token within the inMsg (starting at
                 the offset).

   msgProp       Instance of MessageProp that is used by the
                 application to set the desired QOP.  Set the desired
                 QOP to 0 in msgProp to request the default QOP.
                 Alternatively, pass in "null" for msgProp to request
                 default QOP.

6.4.19.  getMIC

   public void getMIC(InputStream inStream, OutputStream outStream,
                      MessageProp msgProp) throws GSSException

   Produces a token containing a cryptographic MIC for the supplied
   encapsulates the user message in the returned token, only the message
   MIC is produced in the output token.  This method is identical in
   functionality to its byte array counterpart.

   Note that privacy can only be applied through the wrap call.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   derivation of MICs from zero-length messages.

   Parameters:

   inStream      Input stream containing the message over which to
                 generate MIC.

   outStream     Output stream to which to write the GSS-API output
                 token.

   msgProp       Instance of MessageProp that is used by the
                 application to set the desired QOP.  Set the desired
                 QOP to 0 in msgProp to request the default QOP.
                 Alternatively, pass in "null" for msgProp to request
                 default QOP.

6.4.20.  verifyMIC

   public void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
                         byte[] inMsg, int msgOffset, int msgLen,
                         MessageProp msgProp) throws GSSException
   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP indicating the strength of protection that was applied to
   the message and other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   the calculation and verification of MICs over zero-length messages.

   Parameters:

   inTok         Token generated by peer's getMIC method.

   tokOffset     The offset within the inTok where the token begins.

   tokLen        The length of the token within the inTok (starting at
                 the offset).

   inMsg         Application message over which to verify the
                 cryptographic MIC.

   msgOffset     The offset within the inMsg where the message begins.

   msgLen        The length of the message within the inMsg (starting
                 at the offset).

   msgProp       Upon return from the method, this object will contain
                 the applied QOP and supplementary information,
                 described in section 4.12.3, stating whether the token
                 was a duplicate, old, out of sequence, or arriving
                 after a gap.  The confidentiality state will be set to
                 "false".

6.4.21.  verifyMIC

   public void verifyMIC(InputStream tokStream, InputStream msgStream,
                         MessageProp msgProp) throws GSSException
   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP indicating the strength of protection that was applied to
   the message and other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   the calculation and verification of MICs over zero-length messages.

   Parameters:

   tokStream     Input stream containing the token generated by the
                 peer's getMIC method.

   msgStream     Input stream containing the application message over
                 which to verify the cryptographic MIC.

   msgProp       Upon return from the method, this object will contain
                 the applied QOP and supplementary information,
                 described in section 4.12.3, stating whether the token
                 was a duplicate, old, out of sequence, or arriving
                 after a gap.  The confidentiality state will be set to
                 "false".
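   The per-message calls of sections 6.4.13 to 6.4.21 (getWrapSizeLimit,
   wrap, unwrap, getMIC and verifyMIC) share one pattern: MessageProp
   carries the requested QOP and privacy state in, and the applied state
   plus the supplementary token flags out.  The following Java example
   is added here to show that pattern on the byte-array variants; it is
   not code from this draft or from any GSS-API implementation.  It
   assumes an already established GSSContext supplied by the caller and
   a hypothetical transport token limit MAX_TOKEN_SIZE.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Per-message protection over an already established GSSContext.
 * Added example: the context is assumed to come from the caller after
 * its initSecContext/acceptSecContext loop has completed.
 */
public final class PerMessageExample {

    /** Largest wrap token the (hypothetical) transport will carry. */
    private static final int MAX_TOKEN_SIZE = 64 * 1024;

    /**
     * Wrap application data with confidentiality requested.  MessageProp
     * is an in/out parameter: on return it reports what the mechanism
     * actually applied, which may be less than what was requested.
     */
    public static byte[] protect(GSSContext ctx, byte[] plaintext) throws GSSException {
        // Largest message that still fits the transport limit at the default
        // QOP (0) with privacy; checked before wrap rather than after a failure.
        int limit = ctx.getWrapSizeLimit(0, true, MAX_TOKEN_SIZE);
        if (plaintext.length > limit) {
            throw new IllegalArgumentException(
                    "message of " + plaintext.length + " bytes exceeds wrap limit " + limit);
        }

        MessageProp msgProp = new MessageProp(0, true);   // default QOP, privacy requested
        byte[] token = ctx.wrap(plaintext, 0, plaintext.length, msgProp);

        if (!msgProp.getPrivacy()) {
            // An integrity-only token came back although encryption was
            // requested: refuse to send it rather than silently downgrade.
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "confidentiality requested but not applied by the mechanism");
        }
        return token;
    }

    /**
     * Unwrap a received token.  A bad MIC or malformed token is reported by
     * unwrap itself as a GSSException; replay and ordering anomalies are
     * reported through the supplementary flags and are the caller's policy.
     */
    public static byte[] unprotect(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp msgProp = new MessageProp(0, false);   // filled in by unwrap
        byte[] data = ctx.unwrap(token, 0, token.length, msgProp);

        int supplementary = supplementaryCode(msgProp);
        if (supplementary != 0) {
            throw new GSSException(supplementary, msgProp.getMinorStatus(),
                    "token rejected by per-message policy: " + msgProp.getMinorString());
        }
        if (!msgProp.getPrivacy()) {
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "peer sent an integrity-only token where confidentiality is required");
        }
        return data;
    }

    /**
     * Map the supplementary states set by the mechanism (section 4.12.3) to
     * the matching GSSException major code, or 0 if the token is clean.
     * Strictest policy: every anomaly is fatal.  A protocol that tolerates
     * reordering would ignore the unseq and gap flags here.
     */
    static int supplementaryCode(MessageProp msgProp) {
        if (msgProp.isDuplicateToken()) return GSSException.DUPLICATE_TOKEN;
        if (msgProp.isOldToken())       return GSSException.OLD_TOKEN;
        if (msgProp.isUnseqToken())     return GSSException.UNSEQ_TOKEN;
        if (msgProp.isGapToken())       return GSSException.GAP_TOKEN;
        return 0;
    }

    /**
     * Integrity-only framing with getMIC/verifyMIC.  Passing null as msgProp
     * requests the default QOP; a zero-length message is a valid input and
     * yields a MIC token that can delimit a protocol frame.
     */
    public static byte[] frame(GSSContext ctx, byte[] msg) throws GSSException {
        return ctx.getMIC(msg, 0, msg.length, null);
    }

    public static void verifyFrame(GSSContext ctx, byte[] mic, byte[] msg) throws GSSException {
        MessageProp msgProp = new MessageProp(0, false);
        ctx.verifyMIC(mic, 0, mic.length, msg, 0, msg.length, msgProp);
        // verifyMIC sets the confidentiality state to false and leaves the
        // sequencing flags for the application, exactly as unwrap does.
        int supplementary = supplementaryCode(msgProp);
        if (supplementary != 0) {
            throw new GSSException(supplementary, msgProp.getMinorStatus(),
                    "MIC token rejected by per-message policy: " + msgProp.getMinorString());
        }
    }
}
```

   The checks on msgProp.getPrivacy() after wrap and unwrap are the
   point of the example: the privacy flag passed in is a request, and
   only the value present on return says whether the message was
   actually encrypted.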
6.4.22.  export

   public byte[] export() throws GSSException

   Provided to support the sharing of work between multiple processes.
   transferred is trustworthy.

6.4.23.  requestMutualAuth

   public void requestMutualAuth(boolean state) throws GSSException

   Sets the request state of the mutual authentication flag for the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

   state         Boolean representing if mutual authentication should
                 be requested during context establishment.

6.4.24.  requestReplayDet

   public void requestReplayDet(boolean state) throws GSSException

   Sets the request state of the replay detection service for the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

   state         Boolean representing if replay detection is desired
                 over the established context.

6.4.25.  requestSequenceDet

   public void requestSequenceDet(boolean state) throws GSSException

   Sets the request state for the sequence checking service of the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

   state         Boolean representing if sequence detection is desired
                 over the established context.

6.4.26.  requestCredDeleg

   public void requestCredDeleg(boolean state) throws GSSException

   Sets the request state for the credential delegation flag for the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

   state         Boolean representing if credential delegation is
                 desired.

6.4.27.  requestAnonymity

   public void requestAnonymity(boolean state) throws GSSException

   Requests anonymous support over the context.  This method is only
   valid before the context creation process begins and only for the
   initiator.

   Parameters:

   state         Boolean representing if anonymity support is
                 requested.

6.4.28.  requestConf

   public void requestConf(boolean state) throws GSSException

   Requests that confidentiality service be available over the context.
   This method is only valid before the context creation process begins
   and only for the initiator.

   Parameters:

   state         Boolean indicating if confidentiality services are to
                 be requested for the context.

6.4.29.  requestInteg

   public void requestInteg(boolean state) throws GSSException

   Requests that integrity services be available over the context.  This
   method is only valid before the context creation process begins and
   only for the initiator.

   Parameters:

   state         Boolean indicating if integrity services are to be
                 requested for the context.

6.4.30.  requestLifetime

   public void requestLifetime(int lifetime) throws GSSException

   Sets the desired lifetime for the context in seconds.  This method is
   only valid before the context creation process begins and only for
   the initiator.  Use GSSContext.INDEFINITE_LIFETIME and
   GSSContext.DEFAULT_LIFETIME to request indefinite or default context
   lifetime.

   Parameters:

   lifetime      The desired context lifetime in seconds.

6.4.31.  setChannelBinding

   public void setChannelBinding(ChannelBinding cb) throws GSSException

   Sets the channel bindings to be used during context establishment.
   This method is only valid before the context creation process begins.

   Parameters:

   cb            Channel bindings to be used.
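   The request* methods of sections 6.4.23 to 6.4.31 are requests that
   must all be issued before the first initSecContext call, and the
   get*State methods that follow report the actual state once the
   context is established.  The Java example below is added to show
   that sequence on the initiator side; it is not code from this draft
   or from any GSS-API implementation.  It assumes a hypothetical
   TokenTransport interface supplied by the application, a caller-
   supplied host-based service name, and default initiator credentials
   already available to the GSSManager; the mechanism OID string is the
   Kerberos V5 one quoted in section 6.7.1 of this document, and the
   lifetime value is constructed.

```java
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Initiator side of context establishment: request the security
 * services before the first initSecContext call, then verify after
 * establishment that they were actually negotiated.  Added example, not
 * draft text; the TokenTransport interface is hypothetical.
 */
public final class InitiatorSetupExample {

    /** Moves context tokens between the peers; supplied by the application. */
    public interface TokenTransport {
        void send(byte[] token) throws GSSException;
        byte[] receive() throws GSSException;
    }

    /**
     * Create a context for a host-based service (a constructed name such as
     * "host@server.example") with an explicit mechanism instead of the
     * default.  channelBindingData, if non-null, is application data
     * identifying the outer channel; the acceptor must present identical
     * bindings or establishment fails.
     */
    public static GSSContext newInitiatorContext(String service, byte[] channelBindingData)
            throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism
        GSSContext ctx = manager.createContext(peer, krb5,
                (GSSCredential) null,                  // default initiator credential
                GSSContext.DEFAULT_LIFETIME);

        // Requests only; the mechanism may grant fewer services.
        ctx.requestMutualAuth(true);      // authenticate the acceptor to us as well
        ctx.requestReplayDet(true);
        ctx.requestSequenceDet(true);
        ctx.requestConf(true);
        ctx.requestInteg(true);
        ctx.requestCredDeleg(false);      // do not forward our credentials to the peer
        ctx.requestAnonymity(false);
        ctx.requestLifetime(8 * 60 * 60); // 8 hours, a constructed value

        if (channelBindingData != null) {
            ctx.setChannelBinding(new ChannelBinding(channelBindingData));
        }
        return ctx;
    }

    /** Drive the token exchange until the context is established. */
    public static void establish(GSSContext ctx, TokenTransport transport) throws GSSException {
        byte[] inTok = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] outTok = ctx.initSecContext(inTok, 0, inTok.length);
            if (outTok != null) {
                transport.send(outTok);
            }
            if (!ctx.isEstablished()) {
                inTok = transport.receive();
            }
        }
    }

    /**
     * After establishment the get*State methods report the actual state of
     * the context, not the requested one.  Any shortfall is fatal here: the
     * context is disposed so it cannot be used for per-message calls.
     */
    public static void requireNegotiatedServices(GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("context establishment not complete");
        }
        StringBuilder problems = new StringBuilder();
        if (!ctx.getMutualAuthState())  problems.append(" no-mutual-auth");
        if (!ctx.getReplayDetState())   problems.append(" no-replay-detection");
        if (!ctx.getSequenceDetState()) problems.append(" no-sequence-detection");
        if (!ctx.getConfState())        problems.append(" no-confidentiality");
        if (!ctx.getIntegState())       problems.append(" no-integrity");
        if (ctx.getCredDelegState())    problems.append(" credentials-delegated-unexpectedly");

        if (problems.length() > 0) {
            ctx.dispose();
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "established context does not meet policy:" + problems);
        }
    }
}
```

   The caller runs newInitiatorContext, establish and then
   requireNegotiatedServices in that order; only after the third call
   succeeds should wrap or getMIC be used on the context.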
6.4.32.  getCredDelegState

   public boolean getCredDelegState()

   Returns the state of the delegated credentials for the context.  When
   issued before context establishment is completed or when the
   isProtReady method returns "false", it returns the desired state;
   otherwise, it will indicate the actual state over the established
   token.  The supplementary status values can indicate old tokens, out
   of sequence tokens, gap tokens, or duplicate tokens.

6.5.1.  Constructors

   public MessageProp(boolean privState)

   Constructor that sets QOP to 0 indicating that the default QOP is
   requested.

   Parameters:

   privState     The desired privacy state.  "true" for privacy and
                 "false" for integrity only.

   public MessageProp(int qop, boolean privState)

   Constructor that sets the values for the qop and privacy state.

   Parameters:

   qop           The desired QOP.  Use 0 to request a default QOP.

   privState     The desired privacy state.  "true" for privacy and
                 "false" for integrity only.

6.5.2.  getQOP

   public int getQOP()

   Retrieves the QOP value.

6.5.3.  getPrivacy

   public boolean getPrivacy()

   Retrieves the privacy state.
   Returns a string explaining the mechanism-specific error code.  "null"
   will be returned when no mechanism error code has been set.

6.5.6.  setQOP

   public void setQOP(int qopVal)

   Sets the QOP value.

   Parameters:

   qopVal        The QOP value to be set.  Use 0 to request a default
                 QOP value.

6.5.7.  setPrivacy

   public void setPrivacy(boolean privState)

   Sets the privacy state.

   Parameters:

   privState     The privacy state to set.

6.5.8.  isDuplicateToken

   public boolean isDuplicateToken()

   Returns "true" if this is a duplicate of an earlier token.

6.5.9.  isOldToken
   public void setSupplementaryStates(boolean duplicate,
                  boolean old, boolean unseq, boolean gap,
                  int minorStatus, String minorString)

   This method sets the state for the supplementary information flags
   and the minor status in MessageProp.  It is not used by the
   application but by the GSS implementation to return this information
   to the caller of a per-message context method.

   Parameters:

   duplicate     "true" if the token was a duplicate of an earlier
                 token; otherwise, "false".

   old           "true" if the token's validity period has expired;
                 otherwise, "false".

   unseq         "true" if a later token has already been processed;
                 otherwise, "false".

   gap           "true" if one or more predecessor tokens have not yet
                 been successfully processed; otherwise, "false".

   minorStatus   The integer minor status code that the underlying
                 mechanism wants to set.

   minorString   The textual representation of the minorStatus value.

6.6.  public class ChannelBinding

   The GSS-API accommodates the concept of caller-provided channel
   binding information.  Channel bindings are used to strengthen the
   quality with which peer entity authentication is provided during
   context establishment.  They enable the GSS-API callers to bind the
6.6.1.  Constructors

   public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr,
                         byte[] appData)

   Create a ChannelBinding object with user-supplied address information
   and data.  "null" values can be used for any fields that the
   application does not want to specify.

   Parameters:

   initAddr      The address of the context initiator.  "null" value
                 can be supplied to indicate that the application does
                 not want to set this value.

   acceptAddr    The address of the context acceptor.  "null" value can
                 be supplied to indicate that the application does not
                 want to set this value.

   appData       Application-supplied data to be used as part of the
                 channel bindings.  "null" value can be supplied to
                 indicate that the application does not want to set
                 this value.

   public ChannelBinding(byte[] appData)

   Creates a ChannelBinding object without any addressing information.

   Parameters:

   appData       Application supplied data to be used as part of the
                 channel bindings.

6.6.2.  getInitiatorAddress

   public InetAddress getInitiatorAddress()

   Returns the initiator's address for this channel binding.  "null" is
   returned if the address has not been set.

6.6.3.  getAcceptorAddress
6.6.5. equals

public boolean equals(Object obj)

Returns "true" if two channel bindings match. (Note that the Java
language specification requires that two objects that are equal
according to the equals(Object) method must return the same integer
result when the hashCode() method is called on them.)

Parameters:

   obj          Another channel binding with which to compare.

6.7. public class Oid

This class represents Universal Object Identifiers (Oids) and their
associated operations.

Oids are hierarchically globally interpretable identifiers used
within the GSS-API framework to identify mechanisms and name formats.
[...]
The GSSName name class contains public static Oid objects
representing the standard name types defined in GSS-API.

6.7.1. Constructors

public Oid(String strOid) throws GSSException

Creates an Oid object from a string representation of its integer
components (e.g., "1.2.840.113554.1.2.2").

Parameters:

   strOid       The string representation for the oid.

public Oid(InputStream derOid) throws GSSException

Creates an Oid object from its DER encoding. This refers to the full
encoding including tag and length. The structure and encoding of
Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is
identical in functionality to its byte array counterpart.

Parameters:

   derOid       Stream containing the DER-encoded oid.

public Oid(byte[] DEROid) throws GSSException

Creates an Oid object from its DER encoding. This refers to the full
encoding including tag and length. The structure and encoding of
Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is
identical in functionality to its InputStream counterpart.

Parameters:

   DEROid       Byte array storing a DER-encoded oid.

6.7.2. toString

public String toString()

Returns a string representation of the oid's integer components in
dot separated notation (e.g., "1.2.840.113554.1.2.2").

6.7.3. equals

public boolean equals(Object obj)

Returns "true" if the two Oid objects represent the same oid value.
(Note that the Java language specification [JLS] requires that two
objects that are equal according to the equals(Object) method must
return the same integer result when the hashCode() method is called
on them.)

Parameters:

   obj          Another Oid object with which to compare.

6.7.4. getDER

public byte[] getDER()

Returns the full ASN.1 DER encoding for this oid object, which
includes the tag and length.

6.7.5. containedIn

public boolean containedIn(Oid[] oids)

A utility method to test if an Oid object is contained within the
supplied Oid object array.

Parameters:

   oids         An array of oids to search.
6.8. public class GSSException extends Exception

This exception is thrown whenever a fatal GSS-API error occurs,
including mechanism-specific errors. It may contain both the major
and minor GSS-API status codes. The mechanism implementors are
responsible for setting appropriate minor status codes when throwing
this exception. Aside from delivering the numeric error code(s) to
the caller, this class performs the mapping from their numeric values
[...]
Creates a GSSException object with the specified major code, minor
code, and minor code textual explanation. This constructor is to be
used when the exception is originating from the security mechanism.
It allows both the GSS code and the mechanism code to be specified.

Calling this constructor is equivalent to calling
GSSException(majorCode, null, minorCode, minorString, null).

public GSSException(int majorCode, String majorString,
                    int minorCode, String minorString,
                    byte[] outputToken)

Creates a GSSException object with the specified major code, major
code textual explanation, minor code, minor code textual explanation,
and an output token. This is a general-purpose constructor that can
be used to create any type of GSSException.

Parameters:

   majorCode    The GSS error code causing this exception to be
                thrown.

   majorString  The textual explanation of the GSS error code.
                If null is provided, a default explanation that
                matches the majorCode will be set.

   minorCode    The mechanism error code causing this exception
                to be thrown. Can be 0 if no mechanism error
                code is available.

   minorString  The textual explanation of the mechanism error
                code. Can be null if no textual explanation is
                available.

   outputToken  The output token that should be sent to the peer.
                Can be null if no such token is available. It
                must not be an empty array. When provided, the
                array will be cloned to protect against
                subsequent modifications.

6.8.3. getMajor

public int getMajor()

Returns the major code representing the GSS error code that caused
this exception to be thrown.

6.8.4. getMinor
[...]
The return value must be null if no such token is generated. It must
not be an empty byte array.

6.8.8. setMinor

public void setMinor(int minorCode, String message)

Used internally by the GSS-API implementation and the underlying
mechanisms to set the minor code and its textual representation.

Parameters:

   minorCode    The mechanism-specific error code.

   message      A textual explanation of the mechanism error
                code.

6.8.9. toString

public String toString()

Returns a textual representation of both the major and minor status
[...]
insightful ideas and suggestions that have contributed to this
document.

11. Changes since RFC 5653

There is a design flaw in the initSecContext and acceptSecContext
methods of the GSSContext class defined in Generic Security Service
API Version 2: Java Bindings Update [RFC5653].

The methods could either return a token (possibly null if no more
tokens are needed) when the call succeeds or throw a GSSException if
there is a failure, but NOT both. On the other hand, the C bindings
of GSS-API [RFC2744] can return both, that is to say, a call to the
GSS_Init_sec_context() function can return a major status code, and
at the same time, fill in the output_token argument if there is one.

Without the ability to emit an error token when there is a failure, a
Java application has no mechanism to tell the other side what the
error is. For example, a "reject" NegTokenResp token can never be
transmitted for the SPNEGO mechanism [RFC4178].

While a Java method can never return a value and throw an exception
at the same time, we can embed the error token inside the exception
so that the caller has a chance to retrieve it. This update adds a
new GSSException constructor to include this token inside a
GSSException object, and a getOutputToken() method to retrieve the
token. The specification for the initSecContext and acceptSecContext
methods is updated to describe the new behavior. Various examples
are also updated.

This is a compatible change. New JGSS programs should make use of
this new feature but it is not mandatory.
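As an added example that is not part of this draft, the acceptor-side use of the error-token mechanism described in this section: the application catches the GSSException, forwards getOutputToken() to the peer so the initiator learns why negotiation ended, and still treats establishment as failed. It assumes a JGSS provider that implements this document; the length-prefixed token framing and the failWithToken helper are constructed for illustration and are not part of the GSS-API.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
// Added example (not from the draft). Assumes a JGSS provider implementing
// this update and a constructed length-prefixed token framing between peers.
public final class ErrorTokenAcceptor {
    // Drive acceptSecContext until the context is established. On failure,
    // forward the mechanism's error token (e.g. an SPNEGO "reject"
    // NegTokenResp) to the initiator, then report the failure.
    public static void acceptLoop(GSSContext ctx, DataInputStream in,
                                  DataOutputStream out) throws IOException {
        try {
            while (!ctx.isEstablished()) {
                byte[] inTok = readToken(in);
                byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                if (outTok != null) {
                    writeToken(out, outTok);
                }
            }
        } catch (GSSException e) {
            byte[] errTok = e.getOutputToken();   // null if no error token exists
            if (errTok != null) {
                writeToken(out, errTok);          // peer now learns why it was rejected
            }
            // An error token never makes the context usable: still fail loudly.
            throw new IOException("context establishment failed: " + e.getMessage(), e);
        }
    }
    // Mechanism-side helper (hypothetical name): build the exception with the
    // new five-argument constructor, enforcing the null-or-non-empty rule.
    static GSSException failWithToken(int minorCode, String minorMsg, byte[] token) {
        if (token != null && token.length == 0) {
            throw new IllegalArgumentException("error token must not be empty");
        }
        // majorString == null: the default explanation for FAILURE is used.
        return new GSSException(GSSException.FAILURE, null, minorCode, minorMsg, token);
    }
    private static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len <= 0 || len > 65536) {            // bound allocation before trusting length
            throw new IOException("bad token length: " + len);
        }
        byte[] tok = new byte[len];
        in.readFully(tok);
        return tok;
    }
    private static void writeToken(DataOutputStream out, byte[] tok) throws IOException {
        out.writeInt(tok.length);
        out.write(tok);
        out.flush();
    }
}
```

Against a provider that predates this update, getOutputToken() is absent and the catch block reduces to the old behaviour of failing without informing the peer.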
12. Changes since RFC 2853

This document has the following changes:
[...]
   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
              (SPKM)", RFC 2025, October 1996.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
              C-bindings", RFC 2744, January 2000.

   [RFC2853]  Kabat, J. and M. Upadhyay, "Generic Security Service API
              Version 2 : Java Bindings", RFC 2853, June 2000.

   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
              Version 5 Generic Security Service Application Program
              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
              July 2005.

   [RFC4178]  Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll,
              "The Simple and Protected Generic Security Service
              Application Program Interface (GSS-API) Negotiation
              Mechanism", RFC 4178, October 2005.