--- draft-ietf-kitten-rfc5653bis-01.txt
+++ draft-ietf-kitten-rfc5653bis-02.txt

Network Working Group                                        M. Upadhyay
Internet-Draft                                                    Google
Obsoletes: 5653 (if approved)                                 S. Malkani
Intended status: Standards Track                           ActivIdentity
-Expires: December 1, 2014                                        W. Wang
+Expires: August 9, 2015                                          W. Wang
                                                                  Oracle
-                                                            May 30, 2014
+                                                        February 5, 2015

      Generic Security Service API Version 2: Java Bindings Update
-                    draft-ietf-kitten-rfc5653bis-01
+                    draft-ietf-kitten-rfc5653bis-02

Abstract

   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in
   "Generic Security Service API Version 2 : Java Bindings Update" (RFC
   5653).  This document obsoletes RFC 5653 by adding a new output token
   field to the GSSException class so that when the initSecContext or
skipping to change at page 2, line 7

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on December 1, 2014.
+  This Internet-Draft will expire on August 9, 2015.

Copyright Notice

-  Copyright (c) 2014 IETF Trust and the persons identified as the
+  Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

+  This document may contain material from IETF Documents or IETF
+  Contributions published or made publicly available before November
+  10, 2008.  The person(s) controlling the copyright in some of this
+  material may not have granted the IETF Trust the right to allow
+  modifications of such material outside the IETF Standards Process.
+  Without obtaining an adequate license from the person(s) controlling
+  the copyright in such materials, this document may not be modified
+  outside the IETF Standards Process, and derivative works of it may
+  not be created outside the IETF Standards Process, except to format
+  it for publication as an RFC or to translate it into languages other
+  than English.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   6
   2.  GSS-API Operational Paradigm . . . . . . . . . . . . . . . .   7
-  3.  Additional Controls  . . . . . . . . . . . . . . . . . . . .   8
+  3.  Additional Controls  . . . . . . . . . . . . . . . . . . . .   9
-    3.1.  Delegation . . . . . . . . . . . . . . . . . . . . . . .   9
+    3.1.  Delegation . . . . . . . . . . . . . . . . . . . . . . .  10
-    3.2.  Mutual Authentication  . . . . . . . . . . . . . . . . .  10
+    3.2.  Mutual Authentication  . . . . . . . . . . . . . . . . .  11
     3.3.  Replay and Out-of-Sequence Detection . . . . . . . . . .  11
-    3.4.  Anonymous Authentication . . . . . . . . . . . . . . . .  11
+    3.4.  Anonymous Authentication . . . . . . . . . . . . . . . .  12
-    3.5.  Confidentiality  . . . . . . . . . . . . . . . . . . . .  12
+    3.5.  Confidentiality  . . . . . . . . . . . . . . . . . . . .  13
     3.6.  Inter-process Context Transfer . . . . . . . . . . . . .  13
-    3.7.  The Use of Incomplete Contexts . . . . . . . . . . . . .  13
+    3.7.  The Use of Incomplete Contexts . . . . . . . . . . . . .  14
   4.  Calling Conventions  . . . . . . . . . . . . . . . . . . . .  14
     4.1.  Package Name . . . . . . . . . . . . . . . . . . . . . .  14
     4.2.  Provider Framework . . . . . . . . . . . . . . . . . . .  14
     4.3.  Integer Types  . . . . . . . . . . . . . . . . . . . . .  15
     4.4.  Opaque Data Types  . . . . . . . . . . . . . . . . . . .  15
-    4.5.  Strings  . . . . . . . . . . . . . . . . . . . . . . . .  15
+    4.5.  Strings  . . . . . . . . . . . . . . . . . . . . . . . .  16
     4.6.  Object Identifiers . . . . . . . . . . . . . . . . . . .  16
     4.7.  Object Identifier Sets . . . . . . . . . . . . . . . . .  16
-    4.8.  Credentials  . . . . . . . . . . . . . . . . . . . . . .  16
+    4.8.  Credentials  . . . . . . . . . . . . . . . . . . . . . .  17
     4.9.  Contexts . . . . . . . . . . . . . . . . . . . . . . . .  18
     4.10. Authentication Tokens  . . . . . . . . . . . . . . . . .  19
     4.11. Inter-Process Tokens . . . . . . . . . . . . . . . . . .  19
-    4.12. Error Reporting  . . . . . . . . . . . . . . . . . . . .  19
+    4.12. Error Reporting  . . . . . . . . . . . . . . . . . . . .  20
       4.12.1.  GSS Status Codes  . . . . . . . . . . . . . . . . .  20
       4.12.2.  Mechanism-Specific Status Codes . . . . . . . . . .  22
-      4.12.3.  Supplementary Status Codes  . . . . . . . . . . . .  22
+      4.12.3.  Supplementary Status Codes  . . . . . . . . . . . .  23
     4.13. Names  . . . . . . . . . . . . . . . . . . . . . . . . .  23
     4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . .  26
     4.15. Stream Objects . . . . . . . . . . . . . . . . . . . . .  27
     4.16. Optional Parameters  . . . . . . . . . . . . . . . . . .  27
   5.  Introduction to GSS-API Classes and Interfaces . . . . . . .  27
-    5.1.  GSSManager Class . . . . . . . . . . . . . . . . . . . .  27
+    5.1.  GSSManager Class . . . . . . . . . . . . . . . . . . . .  28
-    5.2.  GSSName Interface  . . . . . . . . . . . . . . . . . . .  28
+    5.2.  GSSName Interface  . . . . . . . . . . . . . . . . . . .  29
     5.3.  GSSCredential Interface  . . . . . . . . . . . . . . . .  29
     5.4.  GSSContext Interface . . . . . . . . . . . . . . . . . .  30
     5.5.  MessageProp Class  . . . . . . . . . . . . . . . . . . .  32
     5.6.  GSSException Class . . . . . . . . . . . . . . . . . . .  32
     5.7.  Oid Class  . . . . . . . . . . . . . . . . . . . . . . .  32
     5.8.  ChannelBinding Class . . . . . . . . . . . . . . . . . .  32
   6.  Detailed GSS-API Class Description . . . . . . . . . . . . .  33
     6.1.  public abstract class GSSManager . . . . . . . . . . . .  33
       6.1.1.  Example Code  . . . . . . . . . . . . . . . . . . . .  34
       6.1.2.  getInstance . . . . . . . . . . . . . . . . . . . . .  35
skipping to change at page 29, line 8 (-01) / page 29, line 16 (-02)

   GSS-API names are represented in the Java bindings through the
   GSSName interface.  Different name formats and their definitions are
   identified with Universal Object Identifiers (oids).  The format of
   the names can be derived based on the unique oid of each name type.

   The following GSS-API routines are provided by the GSSName interface:

   +-----------------------+------------------------------+------------+
   | RFC 2743 Routine      | Function                     | Section(s) |
   +-----------------------+------------------------------+------------+
-  | gss_display_name      | Covert internal name         | 6.2.7      |
+  | gss_display_name      | Convert internal name        | 6.2.7      |
   |                       | representation to text       |            |
   |                       | format.                      |            |
   |                       |                              |            |
   | gss_compare_name      | Compare two internal names.  | 6.2.3,     |
   |                       |                              | 6.2.4      |
   |                       |                              |            |
   | gss_release_name      | Release resources associated | N/A        |
   |                       | with the internal name.      |            |
   |                       |                              |            |
   | gss_canonicalize_name | Convert an internal name to  | 6.2.5      |

skipping to change at page 57, line 37
   is possible that the initSecContext() method will return a token for
   the peer and isEstablished() will return "true" also.  This indicates
   that the token needs to be sent to the peer, but the local end of the
   context is now fully established.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   A GSSException will be thrown if the call fails.  Users should call
   its getOutputToken() method to find out if there is a token that can
-  be sent to the acceptor to inform the reason for the error.
+  be sent to the acceptor to communicate the reason for the error.
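   The initiator loop these paragraphs describe, as an added example; it
   is not code from the draft or from any GSS-API implementation.  It uses
   the byte-array form of initSecContext() covered here; the stream form
   described below has the same loop shape without the application-level
   framing.  Assumed, not stated by the draft: Kerberos V5 as the
   mechanism (OID 1.2.840.113554.1.2.2), a host-based service name of
   the form "service@host", a TCP socket with a 4-byte big-endian length
   prefix as the application's framing for byte-array tokens, and a
   GSS-API library that implements this draft's
   GSSException.getOutputToken() (the org.ietf.jgss.GSSException shipped
   with the JDK does not define that method).  The class and helper
   names are the example's own.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Initiator-side context establishment with the byte-array form of
 * initSecContext().  Added example, not code from the draft.
 *
 * Assumptions (not stated by the draft): Kerberos V5 as the mechanism,
 * a host-based service name ("service@host"), a TCP socket with a 4-byte
 * big-endian length prefix as the application's token framing, and a
 * GSS-API library that implements this draft's GSSException.getOutputToken().
 */
public final class GssInitiator {

    private static final Oid KRB5_MECH = krb5();      // 1.2.840.113554.1.2.2
    private static final int MAX_TOKEN = 64 * 1024;   // assumed cap on a peer-supplied length

    public static GSSContext establish(Socket sock, String service)
            throws GSSException, IOException {
        DataInputStream in = new DataInputStream(sock.getInputStream());
        DataOutputStream out = new DataOutputStream(sock.getOutputStream());

        GSSManager manager = GSSManager.getInstance();
        GSSName target = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(target, KRB5_MECH, null,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // ask the acceptor to prove its identity too
        ctx.requestConf(true);
        ctx.requestInteg(true);

        byte[] inTok = new byte[0];    // the first call ignores its input token
        try {
            while (!ctx.isEstablished()) {
                byte[] outTok = ctx.initSecContext(inTok, 0, inTok.length);
                // The call that completes the local end may still return a
                // token; it must go to the peer regardless of isEstablished().
                if (outTok != null) {
                    writeToken(out, outTok);
                }
                if (!ctx.isEstablished()) {
                    inTok = readToken(in);
                }
            }
        } catch (GSSException e) {
            // A failed call may carry a token that tells the acceptor why;
            // forward it, then discard the half-built context and re-throw.
            byte[] errTok = e.getOutputToken();
            if (errTok != null) {
                writeToken(out, errTok);
            }
            try { ctx.dispose(); } catch (GSSException ignored) { }
            throw e;
        }

        // Context options are only meaningful once establishment completes.
        // requestXxx() are requests, so confirm they were actually granted.
        if (!ctx.getMutualAuthState() || !ctx.getConfState() || !ctx.getIntegState()) {
            ctx.dispose();
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "acceptor did not grant mutual authentication and message protection");
        }
        return ctx;
    }

    private static void writeToken(DataOutputStream out, byte[] tok) throws IOException {
        out.writeInt(tok.length);
        out.write(tok);
        out.flush();
    }

    private static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len <= 0 || len > MAX_TOKEN) {
            throw new IOException("refusing token of length " + len);
        }
        byte[] tok = new byte[len];
        in.readFully(tok);
        return tok;
    }

    private static Oid krb5() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

   The loop sends any returned token even when isEstablished() is
   already true, reads a peer token only while the local end is still
   incomplete, and forwards the exception's output token before
   disposing the context.  The post-establishment check is the part
   practitioners tend to skip: requestMutualAuth() and requestConf() are
   requests that a mechanism or peer may not honour, so an initiator
   that depends on those properties must confirm them through the get
   methods before trusting the context.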
   Parameters:

   inputBuf     Token generated by the peer.  This parameter is
                ignored on the first call.

   offset       The offset within the inputBuf where the token
                begins.

   len          The length of the token within the inputBuf

skipping to change at page 59, line 23

   The GSS-API authentication tokens contain a definitive start and end.
   This method will attempt to read one of these tokens per invocation,
   and may block on the stream if only part of the token is available.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   A GSSException will be thrown if the call fails.  Users should call
   its getOutputToken() method to find out if there is a token that can
-  be sent to the acceptor to inform the reason for the error.
+  be sent to the acceptor to communicate the reason for the error.

   Parameters:

   inStream     Contains the token generated by the peer.  This
                parameter is ignored on the first call.

   outStream    Output stream where the output token will be
                written.  During the final stage of context
                establishment, there may be no bytes written.

skipping to change at page 61, line 24

   Note that it is possible that acceptSecContext() will return a token
   for the peer and isEstablished() will return "true" also.  This
   indicates that the token needs to be sent to the peer, but the local
   end of the context is now fully established.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   A GSSException will be thrown if the call fails.  Users should call
   its getOutputToken() method to find out if there is a token that can
-  be sent to the initiator to inform the reason for the error.
+  be sent to the initiator to communicate the reason for the error.

   Parameters:

   inTok        Token generated by the peer.

   offset       The offset within the inTok where the token
                begins.

   len          The length of the token within the inTok
                (starting at the offset).

skipping to change at page 63, line 21

   The GSS-API authentication tokens contain a definitive start and end.
   This method will attempt to read one of these tokens per invocation,
   and may block on the stream if only part of the token is available.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   A GSSException will be thrown if the call fails.  Users should call
   its getOutputToken() method to find out if there is a token that can
-  be sent to the initiator to inform the reason for the error.
+  be sent to the initiator to communicate the reason for the error.
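   The acceptor side, as an added example that is not the draft's code,
   covering the stream form of acceptSecContext() described here; the
   byte-array form described above follows the same loop with the
   application supplying its own token framing.  Assumed, not stated by
   the draft: Kerberos V5 as the mechanism, an acceptor credential for a
   host-based service name obtained through the provider's default
   credential store (for the JDK's Kerberos provider that is a keytab
   configured via JAAS), a TCP socket as the transport, and a GSS-API
   library implementing this draft's GSSException.getOutputToken().
   The class and method names are the example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Acceptor-side context establishment with the stream form of
 * acceptSecContext().  Added example, not code from the draft.
 *
 * Assumptions (not stated by the draft): Kerberos V5 as the mechanism, an
 * acceptor credential for a host-based service name taken from the
 * provider's default credential store, a TCP socket as transport, and a
 * GSS-API library that implements this draft's GSSException.getOutputToken().
 */
public final class GssAcceptor {

    public static GSSContext accept(Socket sock, String service)
            throws GSSException, IOException {
        InputStream in = sock.getInputStream();
        OutputStream out = sock.getOutputStream();

        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        GSSName myName = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSCredential serverCred = manager.createCredential(myName,
                GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);

        try {
            while (!ctx.isEstablished()) {
                // Authentication tokens have a definite start and end, so each
                // call consumes exactly one token from `in` (blocking until it
                // has all of it) and writes at most one token to `out`.  The
                // final call may write nothing even though a token was read.
                ctx.acceptSecContext(in, out);
                out.flush();
            }
        } catch (GSSException e) {
            // If the mechanism produced an error token, the initiator can learn
            // why it was rejected; send it, then drop the half-built context.
            byte[] errTok = e.getOutputToken();
            if (errTok != null) {
                out.write(errTok);
                out.flush();
            }
            try { ctx.dispose(); } catch (GSSException ignored) { }
            throw e;
        }

        // Established: the get methods now report what was actually negotiated.
        GSSName client = ctx.getSrcName();     // authenticated peer identity
        if (!ctx.getIntegState()) {
            ctx.dispose();
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "client " + client + " did not negotiate integrity protection");
        }
        if (ctx.getCredDelegState()) {
            // The client delegated credentials.  Keep them only if this service
            // must act on the client's behalf; otherwise release them at once.
            GSSCredential delegated = ctx.getDelegCred();
            delegated.dispose();
        }
        return ctx;
    }
}
```

   With the stream form no length prefix is needed: the draft states
   that authentication tokens have a definitive start and end, which is
   why the method can read exactly one token per call and why the error
   token can be written to the stream as-is.  ctx.getSrcName() is the
   authenticated identity of the client, not an authorization decision;
   the service still has to decide whether that name may do what it is
   asking for.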
   Parameters:

   inStream     Contains the token generated by the peer.

   outStream    Output stream where the output token will be
                written.  During the final stage of context
                establishment, there may be no bytes written.

6.4.10.  Example Code

End of changes.  19 change blocks.
23 lines changed or deleted, 34 lines changed or added.

This html diff was produced by rfcdiff 1.42.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/