draft-ietf-kitten-rfc5653bis-04.txt   draft-ietf-kitten-rfc5653bis-05.txt 
Network Working Group M. Upadhyay Network Working Group M. Upadhyay
Internet-Draft Google Internet-Draft Google
Obsoletes: 5653 (if approved) S. Malkani Obsoletes: 5653 (if approved) S. Malkani
Intended status: Standards Track ActivIdentity Intended status: Standards Track ActivIdentity
Expires: June 8, 2017 W. Wang Expires: February 5, 2018 W. Wang
Oracle Oracle
December 5, 2016 August 4, 2017
Generic Security Service API Version 2: Java Bindings Update Generic Security Service API Version 2: Java Bindings Update
draft-ietf-kitten-rfc5653bis-04 draft-ietf-kitten-rfc5653bis-05
Abstract Abstract
The Generic Security Services Application Program Interface (GSS-API) The Generic Security Services Application Program Interface (GSS-API)
offers application programmers uniform access to security services offers application programmers uniform access to security services
atop a variety of underlying cryptographic mechanisms. This document atop a variety of underlying cryptographic mechanisms. This document
updates the Java bindings for the GSS-API that are specified in updates the Java bindings for the GSS-API that are specified in
"Generic Security Service API Version 2 : Java Bindings Update" (RFC "Generic Security Service API Version 2 : Java Bindings Update" (RFC
5653). This document obsoletes RFC 5653 by adding a new output token 5653). This document obsoletes RFC 5653 by adding a new output token
field to the GSSException class so that when the initSecContext or field to the GSSException class so that when the initSecContext or
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 8, 2017. This Internet-Draft will expire on February 5, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 41 skipping to change at page 2, line 41
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6
2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 7 2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 7
3. Additional Controls . . . . . . . . . . . . . . . . . . . . . 8 3. Additional Controls . . . . . . . . . . . . . . . . . . . . . 8
3.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 10 3.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 9
3.2. Mutual Authentication . . . . . . . . . . . . . . . . . . 10 3.2. Mutual Authentication . . . . . . . . . . . . . . . . . . 10
3.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 11 3.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 11
3.4. Anonymous Authentication . . . . . . . . . . . . . . . . 12 3.4. Anonymous Authentication . . . . . . . . . . . . . . . . 11
3.5. Confidentiality . . . . . . . . . . . . . . . . . . . . . 13 3.5. Integrity and Confidentiality . . . . . . . . . . . . . . 12
3.6. Inter-process Context Transfer . . . . . . . . . . . . . 13 3.6. Inter-process Context Transfer . . . . . . . . . . . . . 13
3.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 14 3.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 13
4. Calling Conventions . . . . . . . . . . . . . . . . . . . . . 14 4. Calling Conventions . . . . . . . . . . . . . . . . . . . . . 14
4.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 14 4.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 14
4.2. Provider Framework . . . . . . . . . . . . . . . . . . . 14 4.2. Provider Framework . . . . . . . . . . . . . . . . . . . 14
4.3. Integer Types . . . . . . . . . . . . . . . . . . . . . . 15 4.3. Integer Types . . . . . . . . . . . . . . . . . . . . . . 15
4.4. Opaque Data Types . . . . . . . . . . . . . . . . . . . . 15 4.4. Opaque Data Types . . . . . . . . . . . . . . . . . . . . 15
4.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 16 4.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 16
4.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 16 4.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 16
4.8. Credentials . . . . . . . . . . . . . . . . . . . . . . . 17 4.8. Credentials . . . . . . . . . . . . . . . . . . . . . . . 16
4.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 18 4.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 18
4.10. Authentication Tokens . . . . . . . . . . . . . . . . . . 19 4.10. Authentication Tokens . . . . . . . . . . . . . . . . . . 19
4.11. Inter-Process Tokens . . . . . . . . . . . . . . . . . . 19 4.11. Inter-Process Tokens . . . . . . . . . . . . . . . . . . 19
4.12. Error Reporting . . . . . . . . . . . . . . . . . . . . . 20 4.12. Error Reporting . . . . . . . . . . . . . . . . . . . . . 19
4.12.1. GSS Status Codes . . . . . . . . . . . . . . . . . . 20 4.12.1. GSS Status Codes . . . . . . . . . . . . . . . . . . 20
4.12.2. Mechanism-Specific Status Codes . . . . . . . . . . 22 4.12.2. Mechanism-Specific Status Codes . . . . . . . . . . 22
4.12.3. Supplementary Status Codes . . . . . . . . . . . . . 23 4.12.3. Supplementary Status Codes . . . . . . . . . . . . . 22
4.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 23 4.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . . 26 4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . . 26
4.15. Optional Parameters . . . . . . . . . . . . . . . . . . . 27 4.15. Optional Parameters . . . . . . . . . . . . . . . . . . . 27
5. Introduction to GSS-API Classes and Interfaces . . . . . . . 27 5. Introduction to GSS-API Classes and Interfaces . . . . . . . 27
5.1. GSSManager Class . . . . . . . . . . . . . . . . . . . . 27 5.1. GSSManager Class . . . . . . . . . . . . . . . . . . . . 27
5.2. GSSName Interface . . . . . . . . . . . . . . . . . . . . 28 5.2. GSSName Interface . . . . . . . . . . . . . . . . . . . . 28
5.3. GSSCredential Interface . . . . . . . . . . . . . . . . . 29 5.3. GSSCredential Interface . . . . . . . . . . . . . . . . . 29
5.4. GSSContext Interface . . . . . . . . . . . . . . . . . . 30 5.4. GSSContext Interface . . . . . . . . . . . . . . . . . . 30
5.5. MessageProp Class . . . . . . . . . . . . . . . . . . . . 32 5.5. MessageProp Class . . . . . . . . . . . . . . . . . . . . 32
5.6. GSSException Class . . . . . . . . . . . . . . . . . . . 32 5.6. GSSException Class . . . . . . . . . . . . . . . . . . . 32
5.7. Oid Class . . . . . . . . . . . . . . . . . . . . . . . . 32 5.7. Oid Class . . . . . . . . . . . . . . . . . . . . . . . . 32
5.8. ChannelBinding Class . . . . . . . . . . . . . . . . . . 32 5.8. ChannelBinding Class . . . . . . . . . . . . . . . . . . 32
6. Detailed GSS-API Class Description . . . . . . . . . . . . . 33 6. Detailed GSS-API Class Description . . . . . . . . . . . . . 33
6.1. public abstract class GSSManager . . . . . . . . . . . . 33 6.1. public abstract class GSSManager . . . . . . . . . . . . 33
6.1.1. Example Code . . . . . . . . . . . . . . . . . . . . 34 6.1.1. getInstance . . . . . . . . . . . . . . . . . . . . . 34
6.1.2. getInstance . . . . . . . . . . . . . . . . . . . . . 35 6.1.2. getMechs . . . . . . . . . . . . . . . . . . . . . . 34
6.1.3. getMechs . . . . . . . . . . . . . . . . . . . . . . 35 6.1.3. getNamesForMech . . . . . . . . . . . . . . . . . . . 34
6.1.4. getNamesForMech . . . . . . . . . . . . . . . . . . . 35 6.1.4. getMechsForName . . . . . . . . . . . . . . . . . . . 35
6.1.5. getMechsForName . . . . . . . . . . . . . . . . . . . 35 6.1.5. createName . . . . . . . . . . . . . . . . . . . . . 35
6.1.6. createName . . . . . . . . . . . . . . . . . . . . . 35 6.1.6. createName . . . . . . . . . . . . . . . . . . . . . 35
6.1.7. createName . . . . . . . . . . . . . . . . . . . . . 36 6.1.7. createName . . . . . . . . . . . . . . . . . . . . . 36
6.1.8. createName . . . . . . . . . . . . . . . . . . . . . 36 6.1.8. createName . . . . . . . . . . . . . . . . . . . . . 37
6.1.9. createName . . . . . . . . . . . . . . . . . . . . . 37 6.1.9. createCredential . . . . . . . . . . . . . . . . . . 37
6.1.10. createCredential . . . . . . . . . . . . . . . . . . 38 6.1.10. createCredential . . . . . . . . . . . . . . . . . . 38
6.1.11. createCredential . . . . . . . . . . . . . . . . . . 38 6.1.11. createCredential . . . . . . . . . . . . . . . . . . 38
6.1.12. createCredential . . . . . . . . . . . . . . . . . . 39 6.1.12. createContext . . . . . . . . . . . . . . . . . . . . 39
6.1.13. createContext . . . . . . . . . . . . . . . . . . . . 39 6.1.13. createContext . . . . . . . . . . . . . . . . . . . . 40
6.1.14. createContext . . . . . . . . . . . . . . . . . . . . 40 6.1.14. createContext . . . . . . . . . . . . . . . . . . . . 40
6.1.15. createContext . . . . . . . . . . . . . . . . . . . . 40 6.1.15. addProviderAtFront . . . . . . . . . . . . . . . . . 40
6.1.16. addProviderAtFront . . . . . . . . . . . . . . . . . 41 6.1.15.1. addProviderAtFront Example Code . . . . . . . . 41
6.1.17. Example Code . . . . . . . . . . . . . . . . . . . . 41 6.1.16. addProviderAtEnd . . . . . . . . . . . . . . . . . . 42
6.1.18. addProviderAtEnd . . . . . . . . . . . . . . . . . . 43 6.1.16.1. addProviderAtEnd Example Code . . . . . . . . . 43
6.1.19. Example Code . . . . . . . . . . . . . . . . . . . . 43 6.1.17. Example Code . . . . . . . . . . . . . . . . . . . . 44
6.2. public interface GSSName . . . . . . . . . . . . . . . . 44 6.2. public interface GSSName . . . . . . . . . . . . . . . . 44
6.2.1. Example Code . . . . . . . . . . . . . . . . . . . . 44 6.2.1. Static Constants . . . . . . . . . . . . . . . . . . 44
6.2.2. Static Constants . . . . . . . . . . . . . . . . . . 45 6.2.2. equals . . . . . . . . . . . . . . . . . . . . . . . 45
6.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . 46 6.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . 45
6.2.4. equals . . . . . . . . . . . . . . . . . . . . . . . 46 6.2.4. canonicalize . . . . . . . . . . . . . . . . . . . . 46
6.2.5. canonicalize . . . . . . . . . . . . . . . . . . . . 47 6.2.5. export . . . . . . . . . . . . . . . . . . . . . . . 46
6.2.6. export . . . . . . . . . . . . . . . . . . . . . . . 47 6.2.6. toString . . . . . . . . . . . . . . . . . . . . . . 46
6.2.7. toString . . . . . . . . . . . . . . . . . . . . . . 47 6.2.7. getStringNameType . . . . . . . . . . . . . . . . . . 47
6.2.8. getStringNameType . . . . . . . . . . . . . . . . . . 48 6.2.8. isAnonymous . . . . . . . . . . . . . . . . . . . . . 47
6.2.9. isAnonymous . . . . . . . . . . . . . . . . . . . . . 48 6.2.9. isMN . . . . . . . . . . . . . . . . . . . . . . . . 47
6.2.10. isMN . . . . . . . . . . . . . . . . . . . . . . . . 48 6.2.10. Example Code . . . . . . . . . . . . . . . . . . . . 47
6.3. public interface GSSCredential implements Cloneable . . . 48 6.3. public interface GSSCredential implements Cloneable . . . 48
6.3.1. Example Code . . . . . . . . . . . . . . . . . . . . 49 6.3.1. Static Constants . . . . . . . . . . . . . . . . . . 49
6.3.2. Static Constants . . . . . . . . . . . . . . . . . . 50 6.3.2. dispose . . . . . . . . . . . . . . . . . . . . . . . 50
6.3.3. dispose . . . . . . . . . . . . . . . . . . . . . . . 50 6.3.3. getName . . . . . . . . . . . . . . . . . . . . . . . 50
6.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 50 6.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 50
6.3.5. getName . . . . . . . . . . . . . . . . . . . . . . . 50 6.3.5. getRemainingLifetime . . . . . . . . . . . . . . . . 50
6.3.6. getRemainingLifetime . . . . . . . . . . . . . . . . 51 6.3.6. getRemainingInitLifetime . . . . . . . . . . . . . . 51
6.3.7. getRemainingInitLifetime . . . . . . . . . . . . . . 51 6.3.7. getRemainingAcceptLifetime . . . . . . . . . . . . . 51
6.3.8. getRemainingAcceptLifetime . . . . . . . . . . . . . 51 6.3.8. getUsage . . . . . . . . . . . . . . . . . . . . . . 51
6.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . 52 6.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . 52
6.3.10. getUsage . . . . . . . . . . . . . . . . . . . . . . 52 6.3.10. getMechs . . . . . . . . . . . . . . . . . . . . . . 52
6.3.11. getMechs . . . . . . . . . . . . . . . . . . . . . . 52 6.3.11. add . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.3.12. add . . . . . . . . . . . . . . . . . . . . . . . . . 52 6.3.12. equals . . . . . . . . . . . . . . . . . . . . . . . 53
6.3.13. equals . . . . . . . . . . . . . . . . . . . . . . . 53 6.3.13. Example Code . . . . . . . . . . . . . . . . . . . . 53
6.4. public interface GSSContext . . . . . . . . . . . . . . . 54 6.4. public interface GSSContext . . . . . . . . . . . . . . . 54
6.4.1. Example Code . . . . . . . . . . . . . . . . . . . . 55 6.4.1. Static Constants . . . . . . . . . . . . . . . . . . 55
6.4.2. Static Constants . . . . . . . . . . . . . . . . . . 56 6.4.2. initSecContext . . . . . . . . . . . . . . . . . . . 55
6.4.3. initSecContext . . . . . . . . . . . . . . . . . . . 57 6.4.3. acceptSecContext . . . . . . . . . . . . . . . . . . 56
6.4.4. Example Code . . . . . . . . . . . . . . . . . . . . 57 6.4.4. isEstablished . . . . . . . . . . . . . . . . . . . . 57
6.4.5. acceptSecContext . . . . . . . . . . . . . . . . . . 58 6.4.5. dispose . . . . . . . . . . . . . . . . . . . . . . . 57
6.4.6. Example Code . . . . . . . . . . . . . . . . . . . . 59 6.4.6. getWrapSizeLimit . . . . . . . . . . . . . . . . . . 57
6.4.7. isEstablished . . . . . . . . . . . . . . . . . . . . 60 6.4.7. wrap . . . . . . . . . . . . . . . . . . . . . . . . 58
6.4.8. dispose . . . . . . . . . . . . . . . . . . . . . . . 61 6.4.8. unwrap . . . . . . . . . . . . . . . . . . . . . . . 59
6.4.9. getWrapSizeLimit . . . . . . . . . . . . . . . . . . 61 6.4.9. getMIC . . . . . . . . . . . . . . . . . . . . . . . 60
6.4.10. wrap . . . . . . . . . . . . . . . . . . . . . . . . 62 6.4.10. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 60
6.4.11. unwrap . . . . . . . . . . . . . . . . . . . . . . . 63 6.4.11. export . . . . . . . . . . . . . . . . . . . . . . . 61
6.4.12. getMIC . . . . . . . . . . . . . . . . . . . . . . . 63 6.4.12. requestMutualAuth . . . . . . . . . . . . . . . . . . 62
6.4.13. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 64 6.4.13. requestReplayDet . . . . . . . . . . . . . . . . . . 62
6.4.14. export . . . . . . . . . . . . . . . . . . . . . . . 65 6.4.14. requestSequenceDet . . . . . . . . . . . . . . . . . 62
6.4.15. requestMutualAuth . . . . . . . . . . . . . . . . . . 66 6.4.15. requestCredDeleg . . . . . . . . . . . . . . . . . . 63
6.4.16. requestReplayDet . . . . . . . . . . . . . . . . . . 66 6.4.16. requestAnonymity . . . . . . . . . . . . . . . . . . 63
6.4.17. requestSequenceDet . . . . . . . . . . . . . . . . . 66 6.4.17. requestConf . . . . . . . . . . . . . . . . . . . . . 63
6.4.18. requestCredDeleg . . . . . . . . . . . . . . . . . . 66 6.4.18. requestInteg . . . . . . . . . . . . . . . . . . . . 64
6.4.19. requestAnonymity . . . . . . . . . . . . . . . . . . 67 6.4.19. requestLifetime . . . . . . . . . . . . . . . . . . . 64
6.4.20. requestConf . . . . . . . . . . . . . . . . . . . . . 67 6.4.20. setChannelBinding . . . . . . . . . . . . . . . . . . 64
6.4.21. requestInteg . . . . . . . . . . . . . . . . . . . . 67 6.4.21. getCredDelegState . . . . . . . . . . . . . . . . . . 64
6.4.22. requestLifetime . . . . . . . . . . . . . . . . . . . 68 6.4.22. getMutualAuthState . . . . . . . . . . . . . . . . . 65
6.4.23. setChannelBinding . . . . . . . . . . . . . . . . . . 68 6.4.23. getReplayDetState . . . . . . . . . . . . . . . . . . 65
6.4.24. getCredDelegState . . . . . . . . . . . . . . . . . . 68 6.4.24. getSequenceDetState . . . . . . . . . . . . . . . . . 65
6.4.25. getMutualAuthState . . . . . . . . . . . . . . . . . 68 6.4.25. getAnonymityState . . . . . . . . . . . . . . . . . . 65
6.4.26. getReplayDetState . . . . . . . . . . . . . . . . . . 69 6.4.26. isTransferable . . . . . . . . . . . . . . . . . . . 65
6.4.27. getSequenceDetState . . . . . . . . . . . . . . . . . 69 6.4.27. isProtReady . . . . . . . . . . . . . . . . . . . . . 66
6.4.28. getAnonymityState . . . . . . . . . . . . . . . . . . 69 6.4.28. getConfState . . . . . . . . . . . . . . . . . . . . 66
6.4.29. isTransferable . . . . . . . . . . . . . . . . . . . 69 6.4.29. getIntegState . . . . . . . . . . . . . . . . . . . . 66
6.4.30. isProtReady . . . . . . . . . . . . . . . . . . . . . 69 6.4.30. getLifetime . . . . . . . . . . . . . . . . . . . . . 66
6.4.31. getConfState . . . . . . . . . . . . . . . . . . . . 70 6.4.31. getSrcName . . . . . . . . . . . . . . . . . . . . . 66
6.4.32. getIntegState . . . . . . . . . . . . . . . . . . . . 70 6.4.32. getTargName . . . . . . . . . . . . . . . . . . . . . 67
6.4.33. getLifetime . . . . . . . . . . . . . . . . . . . . . 70 6.4.33. getMech . . . . . . . . . . . . . . . . . . . . . . . 67
6.4.34. getSrcName . . . . . . . . . . . . . . . . . . . . . 70 6.4.34. getDelegCred . . . . . . . . . . . . . . . . . . . . 67
6.4.35. getTargName . . . . . . . . . . . . . . . . . . . . . 70 6.4.35. isInitiator . . . . . . . . . . . . . . . . . . . . . 67
6.4.36. getMech . . . . . . . . . . . . . . . . . . . . . . . 70 6.4.36. Example Code . . . . . . . . . . . . . . . . . . . . 67
6.4.37. getDelegCred . . . . . . . . . . . . . . . . . . . . 71 6.5. public class MessageProp . . . . . . . . . . . . . . . . 69
6.4.38. isInitiator . . . . . . . . . . . . . . . . . . . . . 71 6.5.1. Constructors . . . . . . . . . . . . . . . . . . . . 70
6.5. public class MessageProp . . . . . . . . . . . . . . . . 71 6.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . 70
6.5.1. Constructors . . . . . . . . . . . . . . . . . . . . 71 6.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . 70
6.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . 72 6.5.4. getMinorStatus . . . . . . . . . . . . . . . . . . . 70
6.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . 72 6.5.5. getMinorString . . . . . . . . . . . . . . . . . . . 70
6.5.4. getMinorStatus . . . . . . . . . . . . . . . . . . . 72 6.5.6. setQOP . . . . . . . . . . . . . . . . . . . . . . . 71
6.5.5. getMinorString . . . . . . . . . . . . . . . . . . . 72 6.5.7. setPrivacy . . . . . . . . . . . . . . . . . . . . . 71
6.5.6. setQOP . . . . . . . . . . . . . . . . . . . . . . . 72 6.5.8. isDuplicateToken . . . . . . . . . . . . . . . . . . 71
6.5.7. setPrivacy . . . . . . . . . . . . . . . . . . . . . 73 6.5.9. isOldToken . . . . . . . . . . . . . . . . . . . . . 71
6.5.8. isDuplicateToken . . . . . . . . . . . . . . . . . . 73 6.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . . 71
6.5.9. isOldToken . . . . . . . . . . . . . . . . . . . . . 73 6.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . . 71
6.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . . 73 6.5.12. setSupplementaryStates . . . . . . . . . . . . . . . 72
6.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . . 73 6.6. public class ChannelBinding . . . . . . . . . . . . . . . 72
6.5.12. setSupplementaryStates . . . . . . . . . . . . . . . 73 6.6.1. Constructors . . . . . . . . . . . . . . . . . . . . 73
6.6. public class ChannelBinding . . . . . . . . . . . . . . . 74 6.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 73
6.6.1. Constructors . . . . . . . . . . . . . . . . . . . . 74 6.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . 73
6.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 75 6.6.4. getApplicationData . . . . . . . . . . . . . . . . . 74
6.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . 75 6.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . 74
6.6.4. getApplicationData . . . . . . . . . . . . . . . . . 75 6.7. public class Oid . . . . . . . . . . . . . . . . . . . . 74
6.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . 76 6.7.1. Constructors . . . . . . . . . . . . . . . . . . . . 74
6.7. public class Oid . . . . . . . . . . . . . . . . . . . . 76 6.7.2. toString . . . . . . . . . . . . . . . . . . . . . . 75
6.7.1. Constructors . . . . . . . . . . . . . . . . . . . . 76 6.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . 75
6.7.2. toString . . . . . . . . . . . . . . . . . . . . . . 77 6.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . 76
6.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . 77 6.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 76
6.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . 77 6.8. public class GSSException extends Exception . . . . . . . 76
6.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 77 6.8.1. Static Constants . . . . . . . . . . . . . . . . . . 76
6.8. public class GSSException extends Exception . . . . . . . 78 6.8.2. Constructors . . . . . . . . . . . . . . . . . . . . 79
6.8.1. Static Constants . . . . . . . . . . . . . . . . . . 78 6.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . 80
6.8.2. Constructors . . . . . . . . . . . . . . . . . . . . 81 6.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . 80
6.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . 82 6.8.5. getMajorString . . . . . . . . . . . . . . . . . . . 80
6.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . 82 6.8.6. getMinorString . . . . . . . . . . . . . . . . . . . 80
6.8.5. getMajorString . . . . . . . . . . . . . . . . . . . 82 6.8.7. getOutputToken . . . . . . . . . . . . . . . . . . . 81
6.8.6. getMinorString . . . . . . . . . . . . . . . . . . . 82 6.8.8. setMinor . . . . . . . . . . . . . . . . . . . . . . 81
6.8.7. getOutputToken . . . . . . . . . . . . . . . . . . . 82 6.8.9. toString . . . . . . . . . . . . . . . . . . . . . . 81
6.8.8. setMinor . . . . . . . . . . . . . . . . . . . . . . 83 6.8.10. getMessage . . . . . . . . . . . . . . . . . . . . . 81
6.8.9. toString . . . . . . . . . . . . . . . . . . . . . . 83 7. Sample Applications . . . . . . . . . . . . . . . . . . . . . 81
6.8.10. getMessage . . . . . . . . . . . . . . . . . . . . . 83 7.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 82
7. Sample Applications . . . . . . . . . . . . . . . . . . . . . 83 7.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . . 85
7.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 83 8. Security Considerations . . . . . . . . . . . . . . . . . . . 89
7.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . . 87 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 90
8. Security Considerations . . . . . . . . . . . . . . . . . . . 91 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 90
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 92 11. Changes since RFC 5653 . . . . . . . . . . . . . . . . . . . 90
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 92 12. Changes since RFC 2853 . . . . . . . . . . . . . . . . . . . 92
11. Changes since RFC 5653 . . . . . . . . . . . . . . . . . . . 92 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 92
12. Changes since RFC 2853 . . . . . . . . . . . . . . . . . . . 93 13.1. Normative References . . . . . . . . . . . . . . . . . . 92
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 94 13.2. Informative References . . . . . . . . . . . . . . . . . 93
13.1. Normative References . . . . . . . . . . . . . . . . . . 94 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 93
13.2. Informative References . . . . . . . . . . . . . . . . . 95
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 95
1. Introduction 1. Introduction
This document specifies Java language bindings for the Generic This document specifies Java language bindings for the Generic
Security Services Application Programming Interface version 2 (GSS- Security Services Application Programming Interface version 2 (GSS-
API). GSS-API version 2 is described in a language-independent API). GSS-API version 2 is described in a language-independent
format in RFC 2743 [RFC2743]. The GSS-API allows a caller format in RFC 2743 [RFC2743]. The GSS-API allows a caller
application to authenticate a principal identity, to delegate rights application to authenticate a principal identity, to delegate rights
to a peer, and to apply security services such as confidentiality and to a peer, and to apply security services such as confidentiality and
integrity on a per-message basis. integrity on a per-message basis.
skipping to change at page 11, line 22 skipping to change at page 11, line 17
3.3. Replay and Out-of-Sequence Detection 3.3. Replay and Out-of-Sequence Detection
The GSS-API may provide detection of mis-ordered messages once a The GSS-API may provide detection of mis-ordered messages once a
security context has been established. Protection may be applied to security context has been established. Protection may be applied to
messages by either application, by calling either getMIC or wrap messages by either application, by calling either getMIC or wrap
methods of the GSSContext interface, and verified by the peer methods of the GSSContext interface, and verified by the peer
application by calling verifyMIC or unwrap for the peer's GSSContext application by calling verifyMIC or unwrap for the peer's GSSContext
object. object.
The getMIC method calculates a cryptographic checksum of an The getMIC method calculates a cryptographic checksum (authentication
application message, and returns that checksum in a token. The tag) of an application message, and returns that checksum in a token.
application should pass both the token and the message to the peer The application should pass both the token and the message to the
application, which presents them to the verifyMIC method of the peer application, which presents them to the verifyMIC method of the
peer's GSSContext object. peer's GSSContext object.
The wrap method calculates a cryptographic checksum of an application The wrap method calculates a cryptographic checksum of an application
message, and places both the checksum and the message inside a single message, and places both the checksum and the message inside a single
token. The application should pass the token to the peer token. The application should pass the token to the peer
application, which presents it to the unwrap method of the peer's application, which presents it to the unwrap method of the peer's
GSSContext object to extract the message and verify the checksum. GSSContext object to extract the message and verify the checksum.
Either pair of routines may be capable of detecting out-of-sequence Either pair of routines may be capable of detecting out-of-sequence
message delivery or the duplication of messages. Details of such message delivery or the duplication of messages. Details of such
skipping to change at page 13, line 5 skipping to change at page 12, line 41
GSSName class. The printable form of an anonymous name should be GSSName class. The printable form of an anonymous name should be
chosen such that it implies anonymity, since this name may appear in, chosen such that it implies anonymity, since this name may appear in,
for example, audit logs. For example, the string "<anonymous>" might for example, audit logs. For example, the string "<anonymous>" might
be a good choice, if no valid printable names supported by the be a good choice, if no valid printable names supported by the
implementation can begin with "<" and end with ">". implementation can begin with "<" and end with ">".
When using the equal method of the GSSName interface, and one of the When using the equal method of the GSSName interface, and one of the
operands is a GSSName instance representing an anonymous entity, the operands is a GSSName instance representing an anonymous entity, the
method must return "false". method must return "false".
3.5. Confidentiality 3.5. Integrity and Confidentiality
If a GSSContext supports the integrity service, getMic method may be
used to create message integrity check tokens on application
messages.
If a GSSContext supports the confidentiality service, wrap method may If a GSSContext supports the confidentiality service, wrap method may
be used to encrypt application messages. Messages are selectively be used to encrypt application messages. Messages are selectively
encrypted, under the control of the setPrivacy method of the encrypted, under the control of the setPrivacy method of the
MessageProp object used in the wrap method. MessageProp object used in the wrap method. Confidentiality will be
applied if the privacy state is set to true.
3.6. Inter-process Context Transfer 3.6. Inter-process Context Transfer
GSS-APIv2 provides functionality that allows a security context to be GSS-APIv2 provides functionality that allows a security context to be
transferred between processes on a single machine. These are transferred between processes on a single machine. These are
implemented using the export method of GSSContext and a byte array implemented using the export method of GSSContext and a byte array
constructor of the same class. The most common use for such a constructor of the same class. The most common use for such a
feature is a client-server design where the server is implemented as feature is a client-server design where the server is implemented as
a single process that accepts incoming security contexts, which then a single process that accepts incoming security contexts, which then
launches child processes to deal with the data on these contexts. In launches child processes to deal with the data on these contexts. In
skipping to change at page 19, line 13 skipping to change at page 18, line 51
the initiator may choose to set various context options that will the initiator may choose to set various context options that will
determine the characteristics of the desired security context. When determine the characteristics of the desired security context. When
all the application-desired characteristics have been set, the all the application-desired characteristics have been set, the
initiator will call the initSecContext method, which will produce a initiator will call the initSecContext method, which will produce a
token for consumption by the peer's acceptSecContext method. It is token for consumption by the peer's acceptSecContext method. It is
the responsibility of the application to deliver the authentication the responsibility of the application to deliver the authentication
token(s) between the peer applications for processing. Upon token(s) between the peer applications for processing. Upon
completion of the context-establishment phase, context attributes can completion of the context-establishment phase, context attributes can
be retrieved, by both the initiator and acceptor, using the accessor be retrieved, by both the initiator and acceptor, using the accessor
methods. These will reflect the actual attributes of the established methods. These will reflect the actual attributes of the established
context. At this point, the context can be used by the application context and might not match the initiator-requested values. If any
retrieved attribute does not match the desired value but it is
necessary for the application protocol, the application should
destroy the security context and not use it for application traffic.
Otherwise, at this point, the context can be used by the application
to apply cryptographic services to its data. to apply cryptographic services to its data.
4.10. Authentication Tokens 4.10. Authentication Tokens
A token is a caller-opaque type that GSS-API uses to maintain A token is a caller-opaque type that GSS-API uses to maintain
synchronization between each end of the GSS-API security context. synchronization between each end of the GSS-API security context.
The token is a cryptographically protected octet-string, generated by The token is a cryptographically protected octet-string, generated by
the underlying mechanism at one end of a GSS-API security context for the underlying mechanism at one end of a GSS-API security context for
use by the peer mechanism at the other end. Encapsulation (if use by the peer mechanism at the other end. Encapsulation (if
required) within the application protocol and transfer of the token required) within the application protocol and transfer of the token
skipping to change at page 20, line 24 skipping to change at page 20, line 12
Java GSS-API uses exceptions implemented by the GSSException class to Java GSS-API uses exceptions implemented by the GSSException class to
signal both minor and major error values. Both mechanism-specific signal both minor and major error values. Both mechanism-specific
errors and GSS-API level errors are signaled through instances of errors and GSS-API level errors are signaled through instances of
this class. The usage of exceptions replaces the need for major and this class. The usage of exceptions replaces the need for major and
minor codes to be used within the API calls. The GSSException class minor codes to be used within the API calls. The GSSException class
also contains methods to obtain textual representations for both the also contains methods to obtain textual representations for both the
major and minor values, which is equivalent to the functionality of major and minor values, which is equivalent to the functionality of
gss_display_status. A GSSException object may also include an output gss_display_status. A GSSException object may also include an output
token that should be sent to the peer. token that should be sent to the peer.
If an exception is thrown during context establishment, the context
negotiation has failed and the GSSContext object must be abandoned.
If it is thrown in a per-message call, the context can remain useful.
4.12.1. GSS Status Codes 4.12.1. GSS Status Codes
GSS status codes indicate errors that are independent of the GSS status codes indicate errors that are independent of the
underlying mechanism(s) used to provide the security service. The underlying mechanism(s) used to provide the security service. The
errors that can be indicated via a GSS status code are generic API errors that can be indicated via a GSS status code are generic API
routine errors (errors that are defined in the GSS-API routine errors (errors that are defined in the GSS-API
specification). These bindings take advantage of the Java exceptions specification). These bindings take advantage of the Java exceptions
mechanism, thus, eliminating the need for calling errors. mechanism, thus, eliminating the need for calling errors.
A GSS status code indicates a single fatal generic API error from the A GSS status code indicates a single fatal generic API error from the
skipping to change at page 25, line 31 skipping to change at page 25, line 25
returns "true" if the two names being compared refer to the same returns "true" if the two names being compared refer to the same
entity. This is the preferred way to perform name comparisons entity. This is the preferred way to perform name comparisons
instead of using the printable names that a given GSS-API instead of using the printable names that a given GSS-API
implementation may support. Since GSS-API assumes that all primitive implementation may support. Since GSS-API assumes that all primitive
names contained within a given internal name refer to the same names contained within a given internal name refer to the same
entity, equal can return "true" if the two names have at least one entity, equal can return "true" if the two names have at least one
primitive name in common. If the implementation embodies knowledge primitive name in common. If the implementation embodies knowledge
of equivalence relationships between names taken from different of equivalence relationships between names taken from different
namespaces, this knowledge may also allow successful comparisons of namespaces, this knowledge may also allow successful comparisons of
internal names containing no overlapping primitive elements. internal names containing no overlapping primitive elements.
However, applications should note that to avoid surpising behavior,
it is best to ensure that the names being compared are either both
mechanism names for the same mechanism, or both internal names that
are not mechanism names. This holds whether the equals method is
used directly, or the export method is used to generate byte strings
that are then compared byte-by-byte.
When used in large access control lists, the overhead of creating a When used in large access control lists, the overhead of creating a
GSSName object on each name and invoking the equal method on each GSSName object on each name and invoking the equal method on each
name from the Access Control List (ACL) may be prohibitive. As an name from the Access Control List (ACL) may be prohibitive. As an
alternative way of supporting this case, GSS-API defines a special alternative way of supporting this case, GSS-API defines a special
form of the contiguous byte array name, which may be compared form of the contiguous byte array name, which may be compared
directly (byte by byte). Contiguous names suitable for comparison directly (byte by byte). Contiguous names suitable for comparison
are generated by the export method. Exported names may be re- are generated by the export method. Exported names may be re-
imported by using the byte array constructor and specifying the imported by using the byte array constructor and specifying the
NT_EXPORT_NAME as the name type object identifier. The resulting NT_EXPORT_NAME as the name type object identifier. The resulting
skipping to change at page 28, line 8 skipping to change at page 28, line 8
getInstance(). Applications that desire to provide their own getInstance(). Applications that desire to provide their own
implementation of the GSSManager class can simply extend the abstract implementation of the GSSManager class can simply extend the abstract
class themselves. class themselves.
This class contains equivalents of the following RFC 2743 [RFC2743] This class contains equivalents of the following RFC 2743 [RFC2743]
routines: routines:
+----------------------------+-------------------------+------------+ +----------------------------+-------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+----------------------------+-------------------------+------------+ +----------------------------+-------------------------+------------+
| gss_import_name | Create an internal name | 6.1.6 - | | gss_import_name | Create an internal name | 6.1.5 - |
| | from the supplied | 6.1.9 | | | from the supplied | 6.1.8 |
| | information. | | | | information. | |
| | | | | | | |
| gss_acquire_cred | Acquire credential for | 6.1.10 - | | gss_acquire_cred | Acquire credential for | 6.1.9 - |
| | use. | 6.1.12 | | | use. | 6.1.11 |
| | | | | | | |
| gss_import_sec_context | Create a previously | 6.1.15 | | gss_import_sec_context | Create a previously | 6.1.14 |
| | exported context. | | | | exported context. | |
| | | | | | | |
| gss_indicate_mechs | List the mechanisms | 6.1.3 | | gss_indicate_mechs | List the mechanisms | 6.1.2 |
| | supported by this GSS- | | | | supported by this GSS- | |
| | API implementation. | | | | API implementation. | |
| | | | | | | |
| gss_inquire_mechs_for_name | List the mechanisms | 6.1.5 | | gss_inquire_mechs_for_name | List the mechanisms | 6.1.4 |
| | supporting the | | | | supporting the | |
| | specified name type. | | | | specified name type. | |
| | | | | | | |
| gss_inquire_names_for_mech | List the name types | 6.1.4 | | gss_inquire_names_for_mech | List the name types | 6.1.3 |
| | supported by the | | | | supported by the | |
| | specified mechanism. | | | | specified mechanism. | |
+----------------------------+-------------------------+------------+ +----------------------------+-------------------------+------------+
5.2. GSSName Interface 5.2. GSSName Interface
GSS-API names are represented in the Java bindings through the GSS-API names are represented in the Java bindings through the
GSSName interface. Different name formats and their definitions are GSSName interface. Different name formats and their definitions are
identified with Universal Object Identifiers (oids). The format of identified with Universal Object Identifiers (oids). The format of
the names can be derived based on the unique oid of each name type. the names can be derived based on the unique oid of each name type.
The following GSS-API routines are provided by the GSSName interface: The following GSS-API routines are provided by the GSSName interface:
+-----------------------+------------------------------+------------+ +-----------------------+------------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+-----------------------+------------------------------+------------+ +-----------------------+------------------------------+------------+
| gss_display_name | Convert internal name | 6.2.7 | | gss_display_name | Convert internal name | 6.2.6 |
| | representation to text | | | | representation to text | |
| | format. | | | | format. | |
| | | | | | | |
| gss_compare_name | Compare two internal names. | 6.2.3, | | gss_compare_name | Compare two internal names. | 6.2.2, |
| | | 6.2.4 | | | | 6.2.3 |
| | | | | | | |
| gss_release_name | Release resources associated | N/A | | gss_release_name | Release resources associated | N/A |
| | with the internal name. | | | | with the internal name. | |
| | | | | | | |
| gss_canonicalize_name | Convert an internal name to | 6.2.5 | | gss_canonicalize_name | Convert an internal name to | 6.2.4 |
| | a mechanism name. | | | | a mechanism name. | |
| | | | | | | |
| gss_export_name | Convert a mechanism name to | 6.2.6 | | gss_export_name | Convert a mechanism name to | 6.2.5 |
| | export format. | | | | export format. | |
| | | | | | | |
| gss_duplicate_name | Create a copy of the | N/A | | gss_duplicate_name | Create a copy of the | N/A |
| | internal name. | | | | internal name. | |
+-----------------------+------------------------------+------------+ +-----------------------+------------------------------+------------+
The gss_release_name call is not provided as Java does its own The gss_release_name call is not provided as Java does its own
garbage collection. The gss_duplicate_name call is also redundant; garbage collection. The gss_duplicate_name call is also redundant;
the GSSName interface has no mutator methods that can change the the GSSName interface has no mutator methods that can change the
state of the object so it is safe for sharing across threads. state of the object so it is safe for sharing across threads.
skipping to change at page 30, line 8 skipping to change at page 30, line 8
GSS-API credentials. Credentials identify a single entity and GSS-API credentials. Credentials identify a single entity and
provide the necessary cryptographic information to enable the provide the necessary cryptographic information to enable the
creation of a context on behalf of that entity. A single credential creation of a context on behalf of that entity. A single credential
may contain multiple mechanism-specific credentials, each referred to may contain multiple mechanism-specific credentials, each referred to
as a credential element. The GSSCredential interface provides the as a credential element. The GSSCredential interface provides the
functionality of the following GSS-API routines: functionality of the following GSS-API routines:
+--------------------------+---------------------------+------------+ +--------------------------+---------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+--------------------------+---------------------------+------------+ +--------------------------+---------------------------+------------+
| gss_add_cred | Constructs credentials | 6.3.12 | | gss_add_cred | Constructs credentials | 6.3.11 |
| | incrementally. | | | | incrementally. | |
| | | | | | | |
| gss_inquire_cred | Obtain information about | 6.3.4 - | | gss_inquire_cred | Obtain information about | 6.3.3 - |
| | credential. | 6.3.11 | | | credential. | 6.3.10 |
| | | | | | | |
| gss_inquire_cred_by_mech | Obtain per-mechanism | 6.3.5 - | | gss_inquire_cred_by_mech | Obtain per-mechanism | 6.3.4 - |
| | information about a | 6.3.10 | | | information about a | 6.3.9 |
| | credential. | | | | credential. | |
| | | | | | | |
| gss_release_cred | Dispose of credentials | 6.3.3 | | gss_release_cred | Dispose of credentials | 6.3.2 |
| | after use. | | | | after use. | |
+--------------------------+---------------------------+------------+ +--------------------------+---------------------------+------------+
5.4. GSSContext Interface 5.4. GSSContext Interface
This interface encapsulates the functionality of context-level calls This interface encapsulates the functionality of context-level calls
required for security context establishment and management between required for security context establishment and management between
peers as well as the per-message services offered to applications. A peers as well as the per-message services offered to applications. A
context is established between a pair of peers and allows the usage context is established between a pair of peers and allows the usage
of security services on a per-message basis on application data. It of security services on a per-message basis on application data. It
is created over a single security mechanism. The GSSContext is created over a single security mechanism. The GSSContext
interface provides the functionality of the following GSS-API interface provides the functionality of the following GSS-API
routines: routines:
+------------------------+-----------------------------+------------+ +------------------------+-----------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+------------------------+-----------------------------+------------+ +------------------------+-----------------------------+------------+
| gss_init_sec_context | Initiate the creation of a | 6.4.3, | | gss_init_sec_context | Initiate the creation of a | 6.4.2 |
| | security context with a | 6.4.4 | | | security context with a | |
| | peer. | | | | peer. | |
| | | | | | | |
| gss_accept_sec_context | Accept a security context | 6.4.5, | | gss_accept_sec_context | Accept a security context | 6.4.3 |
| | initiated by a peer. | 6.4.6 | | | initiated by a peer. | |
| | | | | | | |
| gss_delete_sec_context | Destroy a security context. | 6.4.8 | | gss_delete_sec_context | Destroy a security context. | 6.4.5 |
| | | | | | | |
| gss_context_time | Obtain remaining context | 6.4.33 | | gss_context_time | Obtain remaining context | 6.4.30 |
| | time. | | | | time. | |
| | | | | | | |
| gss_inquire_context | Obtain context | 6.4.24 - | | gss_inquire_context | Obtain context | 6.4.21 - |
| | characteristics. | 6.4.38 | | | characteristics. | 6.4.35 |
| | | | | | | |
| gss_wrap_size_limit | Determine token-size limit | 6.4.9 | | gss_wrap_size_limit | Determine token-size limit | 6.4.6 |
| | for gss_wrap. | | | | for gss_wrap. | |
| | | | | | | |
| gss_export_sec_context | Transfer security context | 6.4.14 | | gss_export_sec_context | Transfer security context | 6.4.11 |
| | to another process. | | | | to another process. | |
| | | | | | | |
| gss_get_mic | Calculate a cryptographic | 6.4.12 | | gss_get_mic | Calculate a cryptographic | 6.4.9 |
| | Message Integrity Code | | | | Message Integrity Code | |
| | (MIC) for a message. | | | | (MIC) for a message. | |
| | | | | | | |
| gss_verify_mic | Verify integrity on a | 6.4.13 | | gss_verify_mic | Verify integrity on a | 6.4.10 |
| | received message. | | | | received message. | |
| | | | | | | |
| gss_wrap | Attach a MIC to a message | 6.4.10 | | gss_wrap | Attach a MIC to a message | 6.4.7 |
| | and optionally encrypt the | | | | and optionally encrypt the | |
| | message content. | | | | message content. | |
| | | | | | | |
| gss_unwrap | Obtain a previously wrapped | 6.4.11 | | gss_unwrap | Obtain a previously wrapped | 6.4.8 |
| | application message | | | | application message | |
| | verifying its integrity and | | | | verifying its integrity and | |
| | optionally decrypting it. | | | | optionally decrypting it. | |
+------------------------+-----------------------------+------------+ +------------------------+-----------------------------+------------+
The functionality offered by the gss_process_context_token routine The functionality offered by the gss_process_context_token routine
has not been included in the Java bindings specification. The has not been included in the Java bindings specification. The
corresponding functionality of gss_delete_sec_context has also been corresponding functionality of gss_delete_sec_context has also been
modified to not return any peer tokens. This has been proposed in modified to not return any peer tokens. This has been proposed in
accordance to the recommendations stated in RFC 2743 [RFC2743]. accordance to the recommendations stated in RFC 2743 [RFC2743].
skipping to change at page 34, line 25 skipping to change at page 34, line 25
have the effect of creating an ordered list of <provider, oid> pairs have the effect of creating an ordered list of <provider, oid> pairs
where each pair indicates a preference of provider for a given oid. where each pair indicates a preference of provider for a given oid.
The use of these methods does not require any knowledge of whatever The use of these methods does not require any knowledge of whatever
service provider specification the GSSManager subclass follows. It service provider specification the GSSManager subclass follows. It
is hoped that these methods will serve the needs of most is hoped that these methods will serve the needs of most
applications. Additional methods may be added to an extended applications. Additional methods may be added to an extended
GSSManager that could be part of a service provider specification GSSManager that could be part of a service provider specification
that is standardized later. that is standardized later.
6.1.1. Example Code When neither of the methods is called, the implementation should
choose a default provider for each mechanism it supports.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();
// What mechs are available to us?
Oid[] supportedMechs = mgr.getMechs();
// Set a preference for the provider to be used when support
// is needed for the mechanisms:
// "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".
Oid krb = new Oid("1.2.840.113554.1.2.2");
Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
Provider p = (Provider) (new com.foo.security.Provider());
mgr.addProviderAtFront(p, krb);
mgr.addProviderAtFront(p, spkm1);
// What name types does this spkm implementation support?
Oid[] nameTypes = mgr.getNamesForMech(spkm1);
<CODE ENDS>
6.1.2. getInstance 6.1.1. getInstance
public static GSSManager getInstance() public static GSSManager getInstance()
Returns the default GSSManager implementation. Returns the default GSSManager implementation.
6.1.3. getMechs 6.1.2. getMechs
public abstract Oid[] getMechs() public abstract Oid[] getMechs()
Returns an array of Oid objects indicating the mechanisms available Returns an array of Oid objects indicating the mechanisms available
to GSS-API callers. A "null" value is returned when no mechanism are to GSS-API callers. A "null" value is returned when no mechanism are
available (an example of this would be when mechanism are dynamically available (an example of this would be when mechanism are dynamically
configured, and currently no mechanisms are installed). configured, and currently no mechanisms are installed).
6.1.4. getNamesForMech 6.1.3. getNamesForMech
public abstract Oid[] getNamesForMech(Oid mech) public abstract Oid[] getNamesForMech(Oid mech)
throws GSSException throws GSSException
Returns name type Oid's supported by the specified mechanism. Returns name type Oid's supported by the specified mechanism.
Parameters: Parameters:
mech The Oid object for the mechanism to query. mech The Oid object for the mechanism to query.
6.1.5. getMechsForName 6.1.4. getMechsForName
public abstract Oid[] getMechsForName(Oid nameType) public abstract Oid[] getMechsForName(Oid nameType)
Returns an array of Oid objects corresponding to the mechanisms that Returns an array of Oid objects corresponding to the mechanisms that
support the specific name type. "null" is returned when no mechanisms support the specific name type. "null" is returned when no mechanisms
are found to support the specified name type. are found to support the specified name type.
Parameters: Parameters:
nameType The Oid object for the name type. nameType The Oid object for the name type.
6.1.6. createName 6.1.5. createName
public abstract GSSName createName(String nameStr, Oid nameType) public abstract GSSName createName(String nameStr, Oid nameType)
throws GSSException throws GSSException
Factory method to convert a contiguous string name from the specified Factory method to convert a contiguous string name from the specified
namespace to a GSSName object. In general, the GSSName object namespace to a GSSName object. In general, the GSSName object
created will not be an MN; two examples that are exceptions to this created will not be an MN; two examples that are exceptions to this
are when the namespace type parameter indicates NT_EXPORT_NAME or are when the namespace type parameter indicates NT_EXPORT_NAME or
when the GSS-API implementation is not multi-mechanism. when the GSS-API implementation is not multi-mechanism.
skipping to change at page 36, line 20 skipping to change at page 35, line 43
nameType The Oid specifying the namespace of the printable nameType The Oid specifying the namespace of the printable
name is supplied. Note that nameType serves to name is supplied. Note that nameType serves to
describe and qualify the interpretation of the describe and qualify the interpretation of the
input nameStr, it does not necessarily imply a input nameStr, it does not necessarily imply a
type for the output GSSName implementation. The type for the output GSSName implementation. The
"null" value can be used to specify that a "null" value can be used to specify that a
mechanism-specific default printable syntax mechanism-specific default printable syntax
should be assumed by each mechanism that examines should be assumed by each mechanism that examines
nameStr. nameStr.
6.1.7. createName 6.1.6. createName
public abstract GSSName createName(byte[] name, Oid nameType) public abstract GSSName createName(byte[] name, Oid nameType)
throws GSSException throws GSSException
Factory method to convert a contiguous byte array containing a name Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object. In general, the from the specified namespace to a GSSName object. In general, the
GSSName object created will not be an MN; two examples that are GSSName object created will not be an MN; two examples that are
exceptions to this are when the namespace type parameter indicates exceptions to this are when the namespace type parameter indicates
NT_EXPORT_NAME or when the GSS-API implementation is not multi- NT_EXPORT_NAME or when the GSS-API implementation is not multi-
mechanism. mechanism.
skipping to change at page 36, line 46 skipping to change at page 36, line 21
nameType The Oid specifying the namespace of the name nameType The Oid specifying the namespace of the name
supplied in the byte array. Note that nameType supplied in the byte array. Note that nameType
serves to describe and qualify the interpretation serves to describe and qualify the interpretation
of the input name byte array; it does not of the input name byte array; it does not
necessarily imply a type for the output GSSName necessarily imply a type for the output GSSName
implementation. The "null" value can be used to implementation. The "null" value can be used to
specify that a mechanism-specific default syntax specify that a mechanism-specific default syntax
should be assumed by each mechanism that examines should be assumed by each mechanism that examines
the byte array. the byte array.
6.1.8. createName 6.1.7. createName
public abstract GSSName createName(String nameStr, Oid nameType, public abstract GSSName createName(String nameStr, Oid nameType,
Oid mech) throws GSSException Oid mech) throws GSSException
Factory method to convert a contiguous string name from the specified Factory method to convert a contiguous string name from the specified
namespace to a GSSName object that is a mechanism name (MN). In namespace to a GSSName object that is a mechanism name (MN). In
other words, this method is a utility that does the equivalent of two other words, this method is a utility that does the equivalent of two
steps: the createName described in section 6.1.6, and then also the steps: the createName described in section 6.1.5, and then also the
GSSName.canonicalize() described in section 6.2.5. GSSName.canonicalize() described in section 6.2.4.
Parameters: Parameters:
nameStr The string representing a printable form of the nameStr The string representing a printable form of the
name to create. name to create.
nameType The Oid specifying the namespace of the printable nameType The Oid specifying the namespace of the printable
name supplied. Note that nameType serves to name supplied. Note that nameType serves to
describe and qualify the interpretation of the describe and qualify the interpretation of the
input nameStr; it does not necessarily imply a input nameStr; it does not necessarily imply a
type for the output GSSName implementation. The type for the output GSSName implementation. The
"null" value can be used to specify that a "null" value can be used to specify that a
mechanism-specific default printable syntax mechanism-specific default printable syntax
should be assumed when the mechanism examines should be assumed when the mechanism examines
nameStr. nameStr.
mech Oid specifying the mechanism for which this name mech Oid specifying the mechanism for which this name
should be created. should be created.
6.1.9. createName 6.1.8. createName
public abstract GSSName createName(byte[] name, Oid nameType, public abstract GSSName createName(byte[] name, Oid nameType,
Oid mech) throws GSSException Oid mech) throws GSSException
Factory method to convert a contiguous byte array containing a name Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object that is an MN. In from the specified namespace to a GSSName object that is an MN. In
other words, this method is a utility that does the equivalent of two other words, this method is a utility that does the equivalent of two
steps: the createName described in section 6.1.7, and then also the steps: the createName described in section 6.1.6, and then also the
GSSName.canonicalize() described in section 6.2.5. GSSName.canonicalize() described in section 6.2.4.
Parameters: Parameters:
name The byte array representing the name to create. name The byte array representing the name to create.
nameType The Oid specifying the namespace of the name nameType The Oid specifying the namespace of the name
supplied in the byte array. Note that nameType supplied in the byte array. Note that nameType
serves to describe and qualify the interpretation serves to describe and qualify the interpretation
of the input name byte array, it does not of the input name byte array, it does not
necessarily imply a type for the output GSSName necessarily imply a type for the output GSSName
implementation. The "null" value can be used to implementation. The "null" value can be used to
specify that a mechanism-specific default syntax specify that a mechanism-specific default syntax
should be assumed by each mechanism that examines should be assumed by each mechanism that examines
the byte array. the byte array.
mech Oid specifying the mechanism for which this name mech Oid specifying the mechanism for which this name
should be created. should be created.
6.1.10. createCredential 6.1.9. createCredential
public abstract GSSCredential createCredential(int usage) public abstract GSSCredential createCredential(int usage)
throws GSSException throws GSSException
Factory method for acquiring default credentials. This will cause Factory method for acquiring default credentials. This will cause
the GSS-API to use system-specific defaults for the set of the GSS-API to use system-specific defaults for the set of
mechanisms, name, and a DEFAULT lifetime. mechanisms, name, and a DEFAULT lifetime.
Parameters: Parameters:
usage The intended usage for this credential object. usage The intended usage for this credential object.
The value of this parameter must be one of: The value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
6.1.11. createCredential 6.1.10. createCredential
public abstract GSSCredential createCredential(GSSName aName, public abstract GSSCredential createCredential(GSSName aName,
int lifetime, Oid mech, int usage) int lifetime, Oid mech, int usage)
throws GSSException throws GSSException
Factory method for acquiring a single mechanism credential. Factory method for acquiring a single mechanism credential.
Parameters: Parameters:
aName Name of the principal for whom this credential is aName Name of the principal for whom this credential is
skipping to change at page 39, line 9 skipping to change at page 38, line 36
mech The oid of the desired mechanism. Use "(Oid) mech The oid of the desired mechanism. Use "(Oid)
null" to request the default mechanism(s). null" to request the default mechanism(s).
usage The intended usage for this credential object. usage The intended usage for this credential object.
The value of this parameter must be one of: The value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
6.1.12. createCredential 6.1.11. createCredential
public abstract GSSCredential createCredential(GSSName aName, public abstract GSSCredential createCredential(GSSName aName,
int lifetime, Oid[] mechs, int usage) int lifetime, Oid[] mechs, int usage)
throws GSSException throws GSSException
Factory method for acquiring credentials over a set of mechanisms. Factory method for acquiring credentials over a set of mechanisms.
Acquires credentials for each of the mechanisms specified in the Acquires credentials for each of the mechanisms specified in the
array called mechs. To determine the list of mechanisms' for which array called mechs. To determine the list of mechanisms' for which
the acquisition of credentials succeeded, the caller should use the the acquisition of credentials succeeded, the caller should use the
GSSCredential.getMechs() method. GSSCredential.getMechs() method.
skipping to change at page 39, line 46 skipping to change at page 39, line 24
requesting a system-specific default set of requesting a system-specific default set of
mechanisms. mechanisms.
usage The intended usage for this credential object. usage The intended usage for this credential object.
The value of this parameter must be one of: The value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
6.1.13. createContext 6.1.12. createContext
public abstract GSSContext createContext(GSSName peer, Oid mech, public abstract GSSContext createContext(GSSName peer, Oid mech,
GSSCredential myCred, int lifetime) GSSCredential myCred, int lifetime)
throws GSSException throws GSSException
Factory method for creating a context on the initiator's side. Factory method for creating a context on the initiator's side.
Context flags may be modified through the mutator methods prior to Context flags may be modified through the mutator methods prior to
calling GSSContext.initSecContext(). calling GSSContext.initSecContext().
Parameters: Parameters:
skipping to change at page 40, line 24 skipping to change at page 40, line 5
to request the default mechanism. to request the default mechanism.
myCred Credentials of the initiator. Use "null" to act myCred Credentials of the initiator. Use "null" to act
as a default initiator principal. as a default initiator principal.
lifetime The request lifetime, in seconds, for the lifetime The request lifetime, in seconds, for the
context. Use GSSContext.INDEFINITE_LIFETIME and context. Use GSSContext.INDEFINITE_LIFETIME and
GSSContext.DEFAULT_LIFETIME to request indefinite GSSContext.DEFAULT_LIFETIME to request indefinite
or default context lifetime. or default context lifetime.
6.1.14. createContext 6.1.13. createContext
public abstract GSSContext createContext(GSSCredential myCred) public abstract GSSContext createContext(GSSCredential myCred)
throws GSSException throws GSSException
Factory method for creating a context on the acceptor' side. The Factory method for creating a context on the acceptor' side. The
context's properties will be determined from the input token supplied context's properties will be determined from the input token supplied
to the accept method. to the accept method.
Parameters: Parameters:
myCred Credentials for the acceptor. Use "null" to act myCred Credentials for the acceptor. Use "null" to act
as a default acceptor principal. as a default acceptor principal.
6.1.15. createContext 6.1.14. createContext
public abstract GSSContext createContext(byte[] interProcessToken) public abstract GSSContext createContext(byte[] interProcessToken)
throws GSSException throws GSSException
Factory method for creating a previously exported context. The Factory method for importing a previously exported context. The
context properties will be determined from the input token and can't context properties will be determined from the input token and can't
be modified through the set methods. be modified through the set methods.
Parameters: Parameters:
interProcessToken The token previously emitted from the export interProcessToken The token previously emitted from the export
method. method.
6.1.16. addProviderAtFront 6.1.15. addProviderAtFront
public abstract void addProviderAtFront(Provider p, Oid mech) public abstract void addProviderAtFront(Provider p, Oid mech)
throws GSSException throws GSSException
This method is used to indicate to the GSSManager that the This method is used to indicate to the GSSManager that the
application would like a particular provider to be used ahead of all application would like a particular provider to be used ahead of all
others when support is desired for the given mechanism. When a value others when support is desired for the given mechanism. When a value
of "null" is used instead of an Oid for the mechanism, the GSSManager of "null" is used instead of an Oid for the mechanism, the GSSManager
must use the indicated provider ahead of all others no matter what must use the indicated provider ahead of all others no matter what
the mechanism is. Only when the indicated provider does not support the mechanism is. Only when the indicated provider does not support
skipping to change at page 41, line 42 skipping to change at page 41, line 21
operation is unavailable. operation is unavailable.
Parameters: Parameters:
p The provider instance that should be used p The provider instance that should be used
whenever support is needed for mech. whenever support is needed for mech.
mech The mechanism for which the provider is being mech The mechanism for which the provider is being
set. set.
6.1.17. Example Code 6.1.15.1. addProviderAtFront Example Code
Suppose an application desired that the provider A always be checked Suppose an application desired that the provider A always be checked
first when any mechanism is needed, it would call: first when any mechanism is needed, it would call:
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
// mgr may at this point have its own pre-configured list // mgr may at this point have its own pre-configured list
// of provider preferences. The following will prepend to // of provider preferences. The following will prepend to
// any such list: // any such list:
skipping to change at page 42, line 38 skipping to change at page 42, line 12
Suppose, at a later time, the following call is made to the same Suppose, at a later time, the following call is made to the same
GSSManager instance: GSSManager instance:
<CODE BEGINS> <CODE BEGINS>
mgr.addProviderAtFront(B, null) mgr.addProviderAtFront(B, null)
<CODE ENDS> <CODE ENDS>
then the previous setting with the pair (B, m1) is subsumed by this then the previous setting with the pair (B, m1) is subsumed by this
and should be removed. Effectively, the list of preferences now and should be removed. Effectively, the list of preferences now
becomes {(B, null), (A, null), ... //followed by the pre-configured becomes {(B, null), (A, null), ... //followed by the pre-configured
list. list}.
Please note, however, that the following call: Please note, however, that the following call:
<CODE BEGINS> <CODE BEGINS>
mgr.addProviderAtFront(A, m3) mgr.addProviderAtFront(A, m3)
<CODE ENDS> <CODE ENDS>
does not subsume the previous setting of (A, null), and the list will does not subsume the previous setting of (A, null), and the list will
effectively become {(A, m3), (B, null), (A, null), ...} effectively become {(A, m3), (B, null), (A, null), ...}
6.1.18. addProviderAtEnd 6.1.16. addProviderAtEnd
public abstract void addProviderAtEnd(Provider p, Oid mech) public abstract void addProviderAtEnd(Provider p, Oid mech)
throws GSSException throws GSSException
This method is used to indicate to the GSSManager that the This method is used to indicate to the GSSManager that the
application would like a particular provider to be used if no other application would like a particular provider to be used if no other
provider can be found that supports the given mechanism. When a provider can be found that supports the given mechanism. When a
value of "null" is used instead of an Oid for the mechanism, the value of "null" is used instead of an Oid for the mechanism, the
GSSManager must use the indicated provider for any mechanism. GSSManager must use the indicated provider for any mechanism.
skipping to change at page 43, line 38 skipping to change at page 43, line 8
operation is unavailable. operation is unavailable.
Parameters: Parameters:
p The provider instance that should be used p The provider instance that should be used
whenever support is needed for mech. whenever support is needed for mech.
mech The mechanism for which the provider is being mech The mechanism for which the provider is being
set. set.
6.1.19. Example Code 6.1.16.1. addProviderAtEnd Example Code
Suppose an application desired that when a mechanism of Oid m1 is Suppose an application desired that when a mechanism of Oid m1 is
needed, the system default providers always be checked first, and needed, the system default providers always be checked first, and
only when they do not support m1 should a provider A be checked. It only when they do not support m1 should a provider A be checked. It
would then make the call: would then make the call:
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
mgr.addProviderAtEnd(A, m1); mgr.addProviderAtEnd(A, m1);
skipping to change at page 44, line 36 skipping to change at page 44, line 5
Please note, however, that the following call: Please note, however, that the following call:
<CODE BEGINS> <CODE BEGINS>
mgr.addProviderAtEnd(A, null) mgr.addProviderAtEnd(A, null)
<CODE ENDS> <CODE ENDS>
is not subsumed by the previous setting of (A, m1) and the list will is not subsumed by the previous setting of (A, m1) and the list will
effectively become {..., (A, m1), (B, null), (A, null)}. effectively become {..., (A, m1), (B, null), (A, null)}.
6.2. public interface GSSName 6.1.17. Example Code
This interface encapsulates a single GSS-API principal entity.
Different name formats and their definitions are identified with
Universal Object Identifiers (Oids). The format of the names can be
derived based on the unique oid of its namespace type.
6.2.1. Example Code
Included below are code examples utilizing the GSSName interface.
The code below creates a GSSName, converts it to a mechanism name
(MN), performs a comparison, obtains a printable representation of
the name, exports it and then re-imports to obtain a new GSSName.
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
// create a host-based service name // What mechs are available to us?
GSSName name = mgr.createName("service@host",
GSSName.NT_HOSTBASED_SERVICE);
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
GSSName mechName = name.canonicalize(krb5); Oid[] supportedMechs = mgr.getMechs();
// the above two steps are equivalent to the following // Set a preference for the provider to be used when support
GSSName mechName = mgr.createName("service@host", // is needed for the mechanisms:
GSSName.NT_HOSTBASED_SERVICE, krb5); // "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".
// perform name comparison Oid krb = new Oid("1.2.840.113554.1.2.2");
if (name.equals(mechName)) Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
print("Names are equals.");
// obtain textual representation of name and its printable Provider p = (Provider) (new com.foo.security.Provider());
// name type
print(mechName.toString() +
mechName.getStringNameType().toString());
// export and re-import the name mgr.addProviderAtFront(p, krb);
byte[] exportName = mechName.export(); mgr.addProviderAtFront(p, spkm1);
// create a new name object from the exported buffer // What name types does this spkm implementation support?
GSSName newName = mgr.createName(exportName, Oid[] nameTypes = mgr.getNamesForMech(spkm1);
GSSName.NT_EXPORT_NAME);
<CODE ENDS> <CODE ENDS>
6.2.2. Static Constants 6.2. public interface GSSName
This interface encapsulates a single GSS-API principal entity.
Different name formats and their definitions are identified with
Universal Object Identifiers (Oids). The format of the names can be
derived based on the unique oid of its namespace type.
6.2.1. Static Constants
public static final Oid NT_HOSTBASED_SERVICE public static final Oid NT_HOSTBASED_SERVICE
Oid indicating a host-based service name form. It is used to Oid indicating a host-based service name form. It is used to
represent services associated with host computers. This name form is represent services associated with host computers. This name form is
constructed using two elements, "service" and "hostname", as follows: constructed using two elements, "service" and "hostname", as follows:
service@hostname service@hostname
Values for the "service" element are registered with the IANA. It Values for the "service" element are registered with the IANA. It
skipping to change at page 46, line 34 skipping to change at page 45, line 34
Name type for representing an anonymous entity. It represents the Name type for representing an anonymous entity. It represents the
following value: { iso(1), org(3), dod(6), internet(1), security(5), following value: { iso(1), org(3), dod(6), internet(1), security(5),
nametypes(6), gss-anonymous-name(3) } nametypes(6), gss-anonymous-name(3) }
public static final Oid NT_EXPORT_NAME public static final Oid NT_EXPORT_NAME
Name type used to indicate an exported name produced by the export Name type used to indicate an exported name produced by the export
method. It represents the following value: { iso(1), org(3), dod(6), method. It represents the following value: { iso(1), org(3), dod(6),
internet(1), security(5), nametypes(6), gss-api-exported-name(4) } internet(1), security(5), nametypes(6), gss-api-exported-name(4) }
6.2.3. equals 6.2.2. equals
public boolean equals(GSSName another) throws GSSException public boolean equals(GSSName another) throws GSSException
Compares two GSSName objects to determine whether they refer to the Compares two GSSName objects to determine whether they refer to the
same entity. This method may throw a GSSException when the names same entity. This method may throw a GSSException when the names
cannot be compared. If either of the names represents an anonymous cannot be compared. If either of the names represents an anonymous
entity, the method will return "false". entity, the method will return "false".
Parameters: Parameters:
another GSSName object with which to compare. another GSSName object with which to compare.
6.2.4. equals 6.2.3. equals
public boolean equals(Object another) public boolean equals(Object another)
A variation of the equals method, described in section 6.2.3, that is A variation of the equals method, described in section 6.2.2, that is
provided to override the Object.equals() method that the implementing provided to override the Object.equals() method that the implementing
class will inherit. The behavior is exactly the same as that in class will inherit. The behavior is exactly the same as that in
section 6.2.3 except that no GSSException is thrown; instead, "false" section 6.2.2 except that no GSSException is thrown; instead, "false"
will be returned in the situation where an error occurs. (Note that will be returned in the situation where an error occurs. (Note that
the Java language specification requires that two objects that are the Java language specification requires that two objects that are
equal according to the equals(Object) method must return the same equal according to the equals(Object) method must return the same
integer result when the hashCode() method is called on them.) integer result when the hashCode() method is called on them.)
Parameters: Parameters:
another GSSName object with which to compare. another GSSName object with which to compare.
6.2.5. canonicalize 6.2.4. canonicalize
public GSSName canonicalize(Oid mech) throws GSSException public GSSName canonicalize(Oid mech) throws GSSException
Creates a mechanism name (MN) from an arbitrary internal name. This Creates a mechanism name (MN) from an arbitrary internal name. This
is equivalent to using the factory methods described in sections is equivalent to using the factory methods described in sections
6.1.8 or 6.1.9 that take the mechanism name as one of their 6.1.7 or 6.1.8 that take the mechanism name as one of their
parameters. parameters.
Parameters: Parameters:
mech The oid for the mechanism for which the canonical mech The oid for the mechanism for which the canonical
form of the name is requested. form of the name is requested.
6.2.6. export 6.2.5. export
public byte[] export() throws GSSException public byte[] export() throws GSSException
Returns a canonical contiguous byte representation of a mechanism Returns a canonical contiguous byte representation of a mechanism
name (MN), suitable for direct, byte-by-byte comparison by name (MN), suitable for direct, byte-by-byte comparison by
authorization functions. If the name is not an MN, implementations authorization functions. If the name is not an MN, implementations
may throw a GSSException with the NAME_NOT_MN status code. If an may throw a GSSException with the NAME_NOT_MN status code. If an
implementation chooses not to throw an exception, it should use some implementation chooses not to throw an exception, it should use some
system-specific default mechanism to canonicalize the name and then system-specific default mechanism to canonicalize the name and then
export it. The format of the header of the output buffer is export it. The format of the header of the output buffer is
specified in RFC 2743 [RFC2743]. specified in RFC 2743 [RFC2743].
6.2.7. toString 6.2.6. toString
public String toString() public String toString()
Returns a textual representation of the GSSName object. To retrieve Returns a textual representation of the GSSName object. To retrieve
the printed name format, which determines the syntax of the returned the printed name format, which determines the syntax of the returned
string, the getStringNameType method can be used. string, the getStringNameType method can be used.
6.2.8. getStringNameType 6.2.7. getStringNameType
public Oid getStringNameType() throws GSSException public Oid getStringNameType() throws GSSException
Returns the oid representing the type of name returned through the Returns the oid representing the type of name returned through the
toString method. Using this oid, the syntax of the printable name toString method. Using this oid, the syntax of the printable name
can be determined. can be determined.
6.2.9. isAnonymous 6.2.8. isAnonymous
public boolean isAnonymous() public boolean isAnonymous()
Tests if this name object represents an anonymous entity. Returns Tests if this name object represents an anonymous entity. Returns
"true" if this is an anonymous name. "true" if this is an anonymous name.
6.2.10. isMN 6.2.9. isMN
public boolean isMN() public boolean isMN()
Tests if this name object contains only one mechanism element and is Tests if this name object contains only one mechanism element and is
thus a mechanism name as defined by RFC 2743 [RFC2743]. thus a mechanism name as defined by RFC 2743 [RFC2743].
6.2.10. Example Code
Included below are code examples utilizing the GSSName interface.
The code below creates a GSSName, converts it to a mechanism name
(MN), performs a comparison, obtains a printable representation of
the name, exports it and then re-imports to obtain a new GSSName.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();
// create a host-based service name
GSSName name = mgr.createName("service@host",
GSSName.NT_HOSTBASED_SERVICE);
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
GSSName mechName = name.canonicalize(krb5);
// the above two steps are equivalent to the following
GSSName mechName = mgr.createName("service@host",
GSSName.NT_HOSTBASED_SERVICE, krb5);
// perform name comparison
if (name.equals(mechName))
print("Names are equals.");
// obtain textual representation of name and its printable
// name type
print(mechName.toString() +
mechName.getStringNameType().toString());
// export the name
byte[] exportName = mechName.export();
// create a new name object from the exported buffer
GSSName newName = mgr.createName(exportName,
GSSName.NT_EXPORT_NAME);
<CODE ENDS>
6.3. public interface GSSCredential implements Cloneable 6.3. public interface GSSCredential implements Cloneable
This interface encapsulates the GSS-API credentials for an entity. A This interface encapsulates the GSS-API credentials for an entity. A
credential contains all the necessary cryptographic information to credential contains all the necessary cryptographic information to
enable the creation of a context on behalf of the entity that it enable the creation of a context on behalf of the entity that it
represents. It may contain multiple, distinct, mechanism-specific represents. It may contain multiple, distinct, mechanism-specific
credential elements, each containing information for a specific credential elements, each containing information for a specific
security mechanism, but all referring to the same entity. security mechanism, but all referring to the same entity.
A credential may be used to perform context initiation, acceptance, A credential may be used to perform context initiation, acceptance,
skipping to change at page 49, line 23 skipping to change at page 49, line 33
gss_release_cred) method to release any resources held by the gss_release_cred) method to release any resources held by the
credential object and to destroy any cryptographically sensitive credential object and to destroy any cryptographically sensitive
information. information.
Classes implementing this interface also implement the Cloneable Classes implementing this interface also implement the Cloneable
interface. This indicates that the class will support the clone() interface. This indicates that the class will support the clone()
method that will allow the creation of duplicate credentials. This method that will allow the creation of duplicate credentials. This
is useful when called just before the add() call to retain a copy of is useful when called just before the add() call to retain a copy of
the original credential. the original credential.
6.3.1. Example Code 6.3.1. Static Constants
This example code demonstrates the creation of a GSSCredential
implementation for a specific entity, querying of its fields, and its
release when it is no longer needed.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();
// start by creating a name object for the entity
GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
// now acquire credentials for the entity
GSSCredential cred = mgr.createCredential(name,
GSSCredential.ACCEPT_ONLY);
// display credential information - name, remaining lifetime,
// and the mechanisms it has been acquired over
print(cred.getName().toString());
print(cred.getRemainingLifetime());
Oid[] mechs = cred.getMechs();
if (mechs != null) {
for (int i = 0; i < mechs.length; i++)
print(mechs[i].toString());
}
// release system resources held by the credential
cred.dispose();
<CODE ENDS>
6.3.2. Static Constants
public static final int INITIATE_AND_ACCEPT public static final int INITIATE_AND_ACCEPT
Credential usage flag requesting that it be able to be used for both Credential usage flag requesting that it be able to be used for both
context initiation and acceptance. The value of this constant is 0. context initiation and acceptance. The value of this constant is 0.
public static final int INITIATE_ONLY public static final int INITIATE_ONLY
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context initiation only. The value of this constant is 1. context initiation only. The value of this constant is 1.
skipping to change at page 50, line 23 skipping to change at page 50, line 4
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context initiation only. The value of this constant is 1. context initiation only. The value of this constant is 1.
public static final int ACCEPT_ONLY public static final int ACCEPT_ONLY
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context acceptance only. The value of this constant is 2. context acceptance only. The value of this constant is 2.
public static final int DEFAULT_LIFETIME public static final int DEFAULT_LIFETIME
A lifetime constant representing the default credential lifetime. A lifetime constant representing the default credential lifetime.
The value of this constant is 0. The value of this constant is 0.
public static final int INDEFINITE_LIFETIME public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite credential lifetime. The A lifetime constant representing indefinite credential lifetime. The
value of this constant is the maximum integer value in Java - value of this constant is the maximum integer value in Java -
Integer.MAX_VALUE. Integer.MAX_VALUE.
6.3.3. dispose 6.3.2. dispose
public void dispose() throws GSSException public void dispose() throws GSSException
Releases any sensitive information that the GSSCredential object may Releases any sensitive information that the GSSCredential object may
be containing. Applications should call this method as soon as the be containing. Applications should call this method as soon as the
credential is no longer needed to minimize the time any sensitive credential is no longer needed to minimize the time any sensitive
information is maintained. information is maintained.
6.3.4. getName 6.3.3. getName
public GSSName getName() throws GSSException public GSSName getName() throws GSSException
Retrieves the name of the entity that the credential asserts. Retrieves the name of the entity that the credential asserts.
6.3.5. getName 6.3.4. getName
public GSSName getName(Oid mechOID) throws GSSException public GSSName getName(Oid mechOID) throws GSSException
Retrieves a mechanism name of the entity that the credential asserts. Retrieves a mechanism name of the entity that the credential asserts.
Equivalent to calling canonicalize() on the name returned by section Equivalent to calling canonicalize() on the name returned by section
6.3.4. 6.3.3.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.3.6. getRemainingLifetime 6.3.5. getRemainingLifetime
public int getRemainingLifetime() throws GSSException public int getRemainingLifetime() throws GSSException
Returns the remaining lifetime in seconds for a credential. The Returns the remaining lifetime in seconds for a credential. The
remaining lifetime is the minimum lifetime for any of the underlying remaining lifetime is the minimum lifetime for any of the underlying
credential mechanisms. A return value of credential mechanisms. A return value of
GSSCredential.INDEFINITE_LIFETIME indicates that the credential does GSSCredential.INDEFINITE_LIFETIME indicates that the credential does
not expire. A return value of 0 indicates that the credential is not expire. A return value of 0 indicates that the credential is
already expired. already expired.
6.3.7. getRemainingInitLifetime 6.3.6. getRemainingInitLifetime
public int getRemainingInitLifetime(Oid mech) throws GSSException public int getRemainingInitLifetime(Oid mech) throws GSSException
Returns the remaining lifetime in seconds for the credential to Returns the remaining lifetime in seconds for the credential to
remain capable of initiating security contexts under the specified remain capable of initiating security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME
indicates that the credential does not expire for context initiation. indicates that the credential does not expire for context initiation.
A return value of 0 indicates that the credential is already expired. A return value of 0 indicates that the credential is already expired.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.3.8. getRemainingAcceptLifetime 6.3.7. getRemainingAcceptLifetime
public int getRemainingAcceptLifetime(Oid mech) throws GSSException public int getRemainingAcceptLifetime(Oid mech) throws GSSException
Returns the remaining lifetime in seconds for the credential to Returns the remaining lifetime in seconds for the credential to
remain capable of accepting security contexts under the specified remain capable of accepting security contexts under the specified
mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME
indicates that the credential does not expire for context acceptance. indicates that the credential does not expire for context acceptance.
A return value of 0 indicates that the credential is already expired. A return value of 0 indicates that the credential is already expired.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.3.9. getUsage 6.3.8. getUsage
public int getUsage() throws GSSException public int getUsage() throws GSSException
Returns the credential usage flag as a union over all mechanisms. Returns the credential usage flag as a union over all mechanisms.
The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0), The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2). GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
6.3.10. getUsage Specifically, GSSCredential.INITIATE_AND_ACCEPT(0) should be returned
as long as there exists one credential element allowing context
initiation and one credential element allowing context acceptance.
These two credential elements are not necessarily the same one, nor
do they need to use the same mechanism(s).
6.3.9. getUsage
public int getUsage(Oid mechOID) throws GSSException public int getUsage(Oid mechOID) throws GSSException
Returns the credential usage flag for the specified mechanism only. Returns the credential usage flag for the specified mechanism only.
The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0), The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2). GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
6.3.11. getMechs 6.3.10. getMechs
public Oid[] getMechs() throws GSSException public Oid[] getMechs() throws GSSException
Returns an array of mechanisms supported by this credential. Returns an array of mechanisms supported by this credential.
6.3.12. add 6.3.11. add
public void add(GSSName aName, int initLifetime, int acceptLifetime, public void add(GSSName aName, int initLifetime, int acceptLifetime,
Oid mech, int usage) throws GSSException Oid mech, int usage) throws GSSException
Adds a mechanism-specific credential-element to an existing Adds a mechanism-specific credential-element to an existing
credential. This method allows the construction of credentials one credential. This method allows the construction of credentials one
mechanism at a time. mechanism at a time.
This routine is envisioned to be used mainly by context acceptors This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials, which are to be used during the creation of acceptance credentials, which are to be used
skipping to change at page 53, line 35 skipping to change at page 53, line 24
mech The mechanisms over which the credential is to be mech The mechanisms over which the credential is to be
acquired. acquired.
usage The intended usage for this credential object. usage The intended usage for this credential object.
The value of this parameter must be one of: The value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
6.3.13. equals 6.3.12. equals
public boolean equals(Object another) public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied Tests if this GSSCredential refers to the same entity as the supplied
object. The two credentials must be acquired over the same object. The two credentials must be acquired over the same
mechanisms and must refer to the same principal. Returns "true" if mechanisms and must refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise. the two GSSCredentials refer to the same entity; "false" otherwise.
(Note that the Java language specification [JLS] requires that two (Note that the Java language specification [JLS] requires that two
objects that are equal according to the equals(Object) method must objects that are equal according to the equals(Object) method must
return the same integer result when the hashCode() method is called return the same integer result when the hashCode() method is called
on them.) on them.)
Parameters: Parameters:
another Another GSSCredential object for comparison. another Another GSSCredential object for comparison.
6.3.13. Example Code
This example code demonstrates the creation of a GSSCredential
implementation for a specific entity, querying of its fields, and its
release when it is no longer needed.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();
// start by creating a name object for the entity
GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
// now acquire credentials for the entity
GSSCredential cred = mgr.createCredential(name,
GSSCredential.ACCEPT_ONLY);
// display credential information - name, remaining lifetime,
// and the mechanisms it has been acquired over
print(cred.getName().toString());
print(cred.getRemainingLifetime());
Oid[] mechs = cred.getMechs();
if (mechs != null) {
for (int i = 0; i < mechs.length; i++)
print(mechs[i].toString());
}
// release system resources held by the credential
cred.dispose();
<CODE ENDS>
6.4. public interface GSSContext 6.4. public interface GSSContext
This interface encapsulates the GSS-API security context and provides This interface encapsulates the GSS-API security context and provides
the security services (wrap, unwrap, getMIC, verifyMIC) that are the security services (wrap, unwrap, getMIC, verifyMIC) that are
available over the context. Security contexts are established available over the context. Security contexts are established
between peers using locally acquired credentials. Multiple contexts between peers using locally acquired credentials. Multiple contexts
may exist simultaneously between a pair of peers, using the same or may exist simultaneously between a pair of peers, using the same or
different set of credentials. GSS-API functions in a manner different set of credentials. GSS-API functions in a manner
independent of the underlying transport protocol and depends on its independent of the underlying transport protocol and depends on its
calling application to transport its tokens between peers. calling application to transport its tokens between peers.
skipping to change at page 55, line 5 skipping to change at page 55, line 27
After the context has been established or the isProtReady() method After the context has been established or the isProtReady() method
returns "true", the query routines can be invoked to determine the returns "true", the query routines can be invoked to determine the
actual characteristics and services of the established context. The actual characteristics and services of the established context. The
application can also start using the per-message methods of wrap and application can also start using the per-message methods of wrap and
getMIC to obtain cryptographic operations on application supplied getMIC to obtain cryptographic operations on application supplied
data. data.
When the context is no longer needed, the application should call When the context is no longer needed, the application should call
dispose to release any system resources the context may be using. dispose to release any system resources the context may be using.
6.4.1. Example Code 6.4.1. Static Constants
The example code presented below demonstrates the usage of the
GSSContext interface for the initiating peer. Different operations
on the GSSContext object are presented, including: object
instantiation, setting of desired flags, context establishment, query
of actual context flags, per-message operations on application data,
and finally context deletion.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();
// start by creating the name for a service entity
GSSName targetName = mgr.createName("service@host",
GSSName.NT_HOSTBASED_SERVICE);
// create a context using default credentials for the above entity
// and the implementation-specific default mechanism
GSSContext context = mgr.createContext(targetName,
null, /* default mechanism */
null, /* default credentials */
GSSContext.INDEFINITE_LIFETIME);
// set desired context options - all others are "false" by default
context.requestConf(true);
context.requestMutualAuth(true);
context.requestReplayDet(true);
context.requestSequenceDet(true);
// establish a context between peers - using byte arrays
byte[]inTok = new byte[0];
try {
do {
byte[] outTok = context.initSecContext(inTok, 0,
inTok.length);
// send the token if present
if (outTok != null)
sendToken(outTok);
// check if we should expect more tokens
if (context.isEstablished())
break;
// another token expected from peer
inTok = readToken();
} while (true);
} catch (GSSException e) {
print("GSSAPI error: " + e.getMessage());
// If the exception contains an output token,
// it should be sent to the acceptor.
byte[] outTok = e.getOutputToken();
if (outTok != null) {
sendToken(outTok);
}
return;
}
// display context information
print("Remaining lifetime in seconds = " + context.getLifetime());
print("Context mechanism = " + context.getMech().toString());
print("Initiator = " + context.getSrcName().toString());
print("Acceptor = " + context.getTargName().toString());
if (context.getConfState())
print("Confidentiality security service available");
if (context.getIntegState())
print("Integrity security service available");
// perform wrap on an application-supplied message, appMsg,
// using QOP = 0, and requesting privacy service
byte[] appMsg ...
MessageProp mProp = new MessageProp(0, true);
byte[] tok = context.wrap(appMsg, 0, appMsg.length, mProp);
if (mProp.getPrivacy())
print("Message protected with privacy.");
sendToken(tok);
// release the local end of the context
context.dispose();
<CODE ENDS>
6.4.2. Static Constants
public static final int DEFAULT_LIFETIME public static final int DEFAULT_LIFETIME
A lifetime constant representing the default context lifetime. The A lifetime constant representing the default context lifetime. The
value of this constant is 0. value of this constant is 0.
public static final int INDEFINITE_LIFETIME public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite context lifetime. The A lifetime constant representing indefinite context lifetime. The
value of this constant is the maximum integer value in Java - value of this constant is the maximum integer value in Java -
Integer.MAX_VALUE. Integer.MAX_VALUE.
6.4.3. initSecContext 6.4.2. initSecContext
public byte[] initSecContext(byte[] inputBuf, int offset, int len) public byte[] initSecContext(byte[] inputBuf, int offset, int len)
throws GSSException throws GSSException
Called by the context initiator to start the context creation Called by the context initiator to start the context creation
process. This method may return an output token that the application process. This method may return an output token that the application
will need to send to the peer for processing by the accept call. The will need to send to the peer for processing by the accept call. The
application can call isEstablished() to determine if the context application can call isEstablished() to determine if the context
establishment phase is complete for this peer. A return value of establishment phase is complete for this peer. A return value of
"false" from isEstablished() indicates that more tokens are expected "false" from isEstablished() indicates that more tokens are expected
skipping to change at page 57, line 46 skipping to change at page 56, line 27
inputBuf Token generated by the peer. This parameter is inputBuf Token generated by the peer. This parameter is
ignored on the first call. ignored on the first call.
offset The offset within the inputBuf where the token offset The offset within the inputBuf where the token
begins. begins.
len The length of the token within the inputBuf len The length of the token within the inputBuf
(starting at the offset). (starting at the offset).
6.4.4. Example Code 6.4.3. acceptSecContext
<CODE BEGINS>
// Create a new GSSContext implementation object.
// GSSContext wrapper implements interface GSSContext.
GSSContext context = mgr.createContext(...);
byte[] inTok = new byte[0];
try {
do {
byte[] outTok = context.initSecContext(inTok, 0,
inTok.length);
// send the token if present
if (outTok != null)
sendToken(outTok);
// check if we should expect more tokens
if (context.isEstablished())
break;
// another token expected from peer
inTok = readToken();
} while (true);
} catch (GSSException e) {
print("GSSAPI error: " + e.getMessage());
// If the exception contains an output token,
// it should be sent to the acceptor.
byte[] outTok = e.getOutputToken();
if (outTok != null) {
sendToken(outTok);
}
}
<CODE ENDS>
6.4.5. acceptSecContext
public byte[] acceptSecContext(byte[] inTok, int offset, int len) public byte[] acceptSecContext(byte[] inTok, int offset, int len)
throws GSSException throws GSSException
Called by the context acceptor upon receiving a token from the peer. Called by the context acceptor upon receiving a token from the peer.
This method may return an output token that the application will need This method may return an output token that the application will need
to send to the peer for further processing by the init call. to send to the peer for further processing by the init call.
The "null" return value indicates that no token needs to be sent to The "null" return value indicates that no token needs to be sent to
skipping to change at page 59, line 30 skipping to change at page 57, line 19
Parameters: Parameters:
inTok Token generated by the peer. inTok Token generated by the peer.
offset The offset within the inTok where the token offset The offset within the inTok where the token
begins. begins.
len The length of the token within the inTok len The length of the token within the inTok
(starting at the offset). (starting at the offset).
6.4.6. Example Code 6.4.4. isEstablished
<CODE BEGINS>
// acquire server credentials
GSSCredential server = mgr.createCredential(...);
// create acceptor GSS-API context from the default provider
GSSContext context = mgr.createContext(server, null);
try {
do {
byte[] inTok = readToken();
byte[] outTok = context.acceptSecContext(inTok, 0,
inTok.length);
// possibly send token to peer
if (outTok != null)
sendToken(outTok);
// check if local context establishment is complete
if (context.isEstablished())
break;
} while (true);
} catch (GSSException e) {
print("GSS-API error: " + e.getMessage());
// If the exception contains an output token,
// it should be sent to the initiator.
byte[] outTok = e.getOutputToken();
if (outTok != null) {
sendToken(outTok);
}
}
<CODE ENDS>
6.4.7. isEstablished
public boolean isEstablished() public boolean isEstablished()
Used during context establishment to determine the state of the Used during context establishment to determine the state of the
context. Returns "true" if this is a fully established context on context. Returns "true" if this is a fully established context on
the caller's side and no more tokens are needed from the peer. the caller's side and no more tokens are needed from the peer.
Should be called after a call to initSecContext() or Should be called after a call to initSecContext() or
acceptSecContext() when no GSSException is thrown. acceptSecContext() when no GSSException is thrown.
6.4.8. dispose 6.4.5. dispose
public void dispose() throws GSSException public void dispose() throws GSSException
Releases any system resources and cryptographic information stored in Releases any system resources and cryptographic information stored in
the context object. This will invalidate the context. the context object. This will invalidate the context.
6.4.9. getWrapSizeLimit 6.4.6. getWrapSizeLimit
public int getWrapSizeLimit(int qop, boolean confReq, public int getWrapSizeLimit(int qop, boolean confReq,
int maxTokenSize) throws GSSException int maxTokenSize) throws GSSException
Returns the maximum message size that, if presented to the wrap Returns the maximum message size that, if presented to the wrap
method with the same confReq and qop parameters, will result in an method with the same confReq and qop parameters, will result in an
output token containing no more than the maxTokenSize bytes. output token containing no more than the maxTokenSize bytes.
This call is intended for use by applications that communicate over This call is intended for use by applications that communicate over
protocols that impose a maximum message size. It enables the protocols that impose a maximum message size. It enables the
skipping to change at page 62, line 5 skipping to change at page 58, line 24
qop Indicates the level of protection wrap will be qop Indicates the level of protection wrap will be
asked to provide. asked to provide.
confReq Indicates if wrap will be asked to provide confReq Indicates if wrap will be asked to provide
privacy service. privacy service.
maxTokenSize The desired maximum size of the token emitted by maxTokenSize The desired maximum size of the token emitted by
wrap. wrap.
6.4.10. wrap 6.4.7. wrap
public byte[] wrap(byte[] inBuf, int offset, int len, public byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Applies per-message security services over the established security Applies per-message security services over the established security
context. The method will return a token with a cryptographic MIC and context. The method will return a token with a cryptographic MIC and
may optionally encrypt the specified inBuf. The returned byte array may optionally encrypt the specified inBuf. The returned byte array
will contain both the MIC and the message. will contain both the MIC and the message.
The MessageProp object is instantiated by the application and used to The MessageProp object is instantiated by the application and used to
skipping to change at page 63, line 5 skipping to change at page 59, line 19
at the offset). at the offset).
msgProp Instance of MessageProp that is used by the msgProp Instance of MessageProp that is used by the
application to set the desired QOP and privacy application to set the desired QOP and privacy
state. Set the desired QOP to 0 to request the state. Set the desired QOP to 0 to request the
default QOP. Upon return from this method, this default QOP. Upon return from this method, this
object will contain the actual privacy state that object will contain the actual privacy state that
was applied to the message by the underlying was applied to the message by the underlying
mechanism. mechanism.
6.4.11. unwrap 6.4.8. unwrap
public byte[] unwrap(byte[] inBuf, int offset, int len, public byte[] unwrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Used by the peer application to process tokens generated with the Used by the peer application to process tokens generated with the
wrap call. The method will return the message supplied in the peer wrap call. The method will return the message supplied in the peer
application to the wrap call, verifying the embedded MIC. application to the wrap call, verifying the embedded MIC.
The MessageProp object is instantiated by the application and is used The MessageProp object is instantiated by the application and is used
by the underlying mechanism to return information to the caller such by the underlying mechanism to return information to the caller such
skipping to change at page 63, line 40 skipping to change at page 60, line 5
len The length of the token within the inBuf len The length of the token within the inBuf
(starting at the offset). (starting at the offset).
msgProp Upon return from the method, this object will msgProp Upon return from the method, this object will
contain the applied QOP, the privacy state of the contain the applied QOP, the privacy state of the
message, and supplementary information, described message, and supplementary information, described
in section 4.12.3, stating whether the token was in section 4.12.3, stating whether the token was
a duplicate, old, out of sequence, or arriving a duplicate, old, out of sequence, or arriving
after a gap. after a gap.
6.4.12. getMIC 6.4.9. getMIC
public byte[] getMIC(byte[] inMsg, int offset, int len, public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Returns a token containing a cryptographic MIC for the supplied Returns a token containing a cryptographic MIC for the supplied
message for transfer to the peer application. Unlike wrap, which message for transfer to the peer application. Unlike wrap, which
encapsulates the user message in the returned token, only the message encapsulates the user message in the returned token, only the message
MIC is returned in the output token. MIC is returned in the output token.
Note that privacy can only be applied through the wrap call. Note that privacy can only be applied through the wrap call.
skipping to change at page 64, line 25 skipping to change at page 60, line 37
len The length of the token within the inMsg len The length of the token within the inMsg
(starting at the offset). (starting at the offset).
msgProp Instance of MessageProp that is used by the msgProp Instance of MessageProp that is used by the
application to set the desired QOP. Set the application to set the desired QOP. Set the
desired QOP to 0 in msgProp to request the desired QOP to 0 in msgProp to request the
default QOP. Alternatively, pass in "null" for default QOP. Alternatively, pass in "null" for
msgProp to request default QOP. msgProp to request default QOP.
6.4.13. verifyMIC 6.4.10. verifyMIC
public void verifyMIC(byte[] inTok, int tokOffset, int tokLen, public void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen, byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Verifies the cryptographic MIC, contained in the token parameter, Verifies the cryptographic MIC, contained in the token parameter,
over the supplied message. over the supplied message.
The MessageProp object is instantiated by the application and is used The MessageProp object is instantiated by the application and is used
by the underlying mechanism to return information to the caller such by the underlying mechanism to return information to the caller such
skipping to change at page 65, line 21 skipping to change at page 61, line 35
msgLen The length of the message within the inMsg msgLen The length of the message within the inMsg
(starting at the offset). (starting at the offset).
msgProp Upon return from the method, this object will msgProp Upon return from the method, this object will
contain the applied QOP and supplementary contain the applied QOP and supplementary
information, described in section 4.12.3, stating information, described in section 4.12.3, stating
whether the token was a duplicate, old, out of whether the token was a duplicate, old, out of
sequence, or arriving after a gap. The sequence, or arriving after a gap. The
confidentiality state will be set to "false". confidentiality state will be set to "false".
6.4.14. export 6.4.11. export
public byte[] export() throws GSSException public byte[] export() throws GSSException
Provided to support the sharing of work between multiple processes. Provided to support the sharing of work between multiple processes.
This routine will typically be used by the context acceptor, in an This routine will typically be used by the context acceptor, in an
application where a single process receives incoming connection application where a single process receives incoming connection
requests and accepts security contexts over them, then passes the requests and accepts security contexts over them, then passes the
established context to one or more other processes for message established context to one or more other processes for message
exchange. exchange.
skipping to change at page 66, line 7 skipping to change at page 62, line 21
The inter-process token may contain security-sensitive information The inter-process token may contain security-sensitive information
(for example, cryptographic keys). While mechanisms are encouraged (for example, cryptographic keys). While mechanisms are encouraged
to either avoid placing such sensitive information within inter- to either avoid placing such sensitive information within inter-
process tokens or to encrypt the token before returning it to the process tokens or to encrypt the token before returning it to the
application, in a typical GSS-API implementation, this may not be application, in a typical GSS-API implementation, this may not be
possible. Thus, the application must take care to protect the inter- possible. Thus, the application must take care to protect the inter-
process token, and ensure that any process to which the token is process token, and ensure that any process to which the token is
transferred is trustworthy. transferred is trustworthy.
6.4.15. requestMutualAuth 6.4.12. requestMutualAuth
public void requestMutualAuth(boolean state) throws GSSException public void requestMutualAuth(boolean state) throws GSSException
Sets the request state of the mutual authentication flag for the Sets the request state of the mutual authentication flag for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if mutual authentication state Boolean representing if mutual authentication
should be requested during context establishment. should be requested during context establishment.
6.4.16. requestReplayDet 6.4.13. requestReplayDet
public void requestReplayDet(boolean state) throws GSSException public void requestReplayDet(boolean state) throws GSSException
Sets the request state of the replay detection service for the Sets the request state of the replay detection service for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if replay detection is state Boolean representing if replay detection is
desired over the established context. desired over the established context.
6.4.17. requestSequenceDet 6.4.14. requestSequenceDet
public void requestSequenceDet(boolean state) throws GSSException public void requestSequenceDet(boolean state) throws GSSException
Sets the request state for the sequence checking service of the Sets the request state for the sequence checking service of the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if sequence detection is state Boolean representing if sequence detection is
desired over the established context. desired over the established context.
6.4.18. requestCredDeleg 6.4.15. requestCredDeleg
public void requestCredDeleg(boolean state) throws GSSException public void requestCredDeleg(boolean state) throws GSSException
Sets the request state for the credential delegation flag for the Sets the request state for the credential delegation flag for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if credential delegation is state Boolean representing if credential delegation is
desired. desired.
6.4.19. requestAnonymity 6.4.16. requestAnonymity
public void requestAnonymity(boolean state) throws GSSException public void requestAnonymity(boolean state) throws GSSException
Requests anonymous support over the context. This method is only Requests anonymous support over the context. This method is only
valid before the context creation process begins and only for the valid before the context creation process begins and only for the
initiator. initiator.
Parameters: Parameters:
state Boolean representing if anonymity support is state Boolean representing if anonymity support is
requested. requested.
6.4.20. requestConf 6.4.17. requestConf
public void requestConf(boolean state) throws GSSException public void requestConf(boolean state) throws GSSException
Requests that confidentiality service be available over the context. Requests that confidentiality service be available over the context.
This method is only valid before the context creation process begins This method is only valid before the context creation process begins
and only for the initiator. and only for the initiator.
Parameters: Parameters:
state Boolean indicating if confidentiality services state Boolean indicating if confidentiality services
are to be requested for the context. are to be requested for the context.
6.4.21. requestInteg 6.4.18. requestInteg
public void requestInteg(boolean state) throws GSSException public void requestInteg(boolean state) throws GSSException
Requests that integrity services be available over the context. This Requests that integrity services be available over the context. This
method is only valid before the context creation process begins and method is only valid before the context creation process begins and
only for the initiator. only for the initiator.
Parameters: Parameters:
state Boolean indicating if integrity services are to state Boolean indicating if integrity services are to
be requested for the context. be requested for the context.
6.4.22. requestLifetime 6.4.19. requestLifetime
public void requestLifetime(int lifetime) throws GSSException public void requestLifetime(int lifetime) throws GSSException
Sets the desired lifetime for the context in seconds. This method is Sets the desired lifetime for the context in seconds. This method is
only valid before the context creation process begins and only for only valid before the context creation process begins and only for
the initiator. Use GSSContext.INDEFINITE_LIFETIME and the initiator. Use GSSContext.INDEFINITE_LIFETIME and
GSSContext.DEFAULT_LIFETIME to request indefinite or default context GSSContext.DEFAULT_LIFETIME to request indefinite or default context
lifetime. lifetime.
Parameters: Parameters:
lifetime The desired context lifetime in seconds. lifetime The desired context lifetime in seconds.
6.4.23. setChannelBinding 6.4.20. setChannelBinding
public void setChannelBinding(ChannelBinding cb) throws GSSException public void setChannelBinding(ChannelBinding cb) throws GSSException
Sets the channel bindings to be used during context establishment. Sets the channel bindings to be used during context establishment.
This method is only valid before the context creation process begins. This method is only valid before the context creation process begins.
Parameters: Parameters:
cb Channel bindings to be used. cb Channel bindings to be used.
6.4.24. getCredDelegState 6.4.21. getCredDelegState
public boolean getCredDelegState() public boolean getCredDelegState()
Returns the state of the delegated credentials for the context. When Returns the state of the delegated credentials for the context. When
issued before context establishment is completed or when the issued before context establishment is completed or when the
isProtReady method returns "false", it returns the desired state; isProtReady method returns "false", it returns the desired state;
otherwise, it will indicate the actual state over the established otherwise, it will indicate the actual state over the established
context. context.
6.4.25. getMutualAuthState 6.4.22. getMutualAuthState
public boolean getMutualAuthState() public boolean getMutualAuthState()
Returns the state of the mutual authentication option for the Returns the state of the mutual authentication option for the
context. When issued before context establishment completes or when context. When issued before context establishment completes or when
the isProtReady method returns "false", it returns the desired state; the isProtReady method returns "false", it returns the desired state;
otherwise, it will indicate the actual state over the established otherwise, it will indicate the actual state over the established
context. context.
6.4.26. getReplayDetState 6.4.23. getReplayDetState
public boolean getReplayDetState() public boolean getReplayDetState()
Returns the state of the replay detection option for the context. Returns the state of the replay detection option for the context.
When issued before context establishment completes or when the When issued before context establishment completes or when the
isProtReady method returns "false", it returns the desired state; isProtReady method returns "false", it returns the desired state;
otherwise, it will indicate the actual state over the established otherwise, it will indicate the actual state over the established
context. context.
6.4.27. getSequenceDetState 6.4.24. getSequenceDetState
public boolean getSequenceDetState() public boolean getSequenceDetState()
Returns the state of the sequence detection option for the context. Returns the state of the sequence detection option for the context.
When issued before context establishment completes or when the When issued before context establishment completes or when the
isProtReady method returns "false", it returns the desired state; isProtReady method returns "false", it returns the desired state;
otherwise, it will indicate the actual state over the established otherwise, it will indicate the actual state over the established
context. context.
6.4.28. getAnonymityState 6.4.25. getAnonymityState
public boolean getAnonymityState() public boolean getAnonymityState()
Returns "true" if this is an anonymous context. When issued before Returns "true" if this is an anonymous context. When issued before
context establishment completes or when the isProtReady method context establishment completes or when the isProtReady method
returns "false", it returns the desired state; otherwise, it will returns "false", it returns the desired state; otherwise, it will
indicate the actual state over the established context. indicate the actual state over the established context.
6.4.29. isTransferable 6.4.26. isTransferable
public boolean isTransferable() throws GSSException public boolean isTransferable() throws GSSException
Returns "true" if the context is transferable to other processes Returns "true" if the context is transferable to other processes
through the use of the export method. This call is only valid on through the use of the export method. This call is only valid on
fully established contexts. fully established contexts.
6.4.30. isProtReady 6.4.27. isProtReady
public boolean isProtReady() public boolean isProtReady()
Returns "true" if the per-message operations can be applied over the Returns "true" if the per-message operations can be applied over the
context. Some mechanisms may allow the usage of per-message context. Some mechanisms may allow the usage of per-message
operations before the context is fully established. This will also operations before the context is fully established. This will also
indicate that the get methods will return actual context state indicate that the get methods will return actual context state
characteristics instead of the desired ones. characteristics instead of the desired ones.
6.4.31. getConfState 6.4.28. getConfState
public boolean getConfState() public boolean getConfState()
Returns the confidentiality service state over the context. When Returns the confidentiality service state over the context. When
issued before context establishment completes or when the isProtReady issued before context establishment completes or when the isProtReady
method returns "false", it returns the desired state; otherwise, it method returns "false", it returns the desired state; otherwise, it
will indicate the actual state over the established context. will indicate the actual state over the established context.
6.4.32. getIntegState 6.4.29. getIntegState
public boolean getIntegState() public boolean getIntegState()
Returns the integrity service state over the context. When issued Returns the integrity service state over the context. When issued
before context establishment completes or when the isProtReady method before context establishment completes or when the isProtReady method
returns "false", it returns the desired state; otherwise, it will returns "false", it returns the desired state; otherwise, it will
indicate the actual state over the established context. indicate the actual state over the established context.
6.4.33. getLifetime 6.4.30. getLifetime
public int getLifetime() public int getLifetime()
Returns the context lifetime in seconds. When issued before context Returns the context lifetime in seconds. When issued before context
establishment completes or when the isProtReady method returns establishment completes or when the isProtReady method returns
"false", it returns the desired lifetime; otherwise, it will indicate "false", it returns the desired lifetime; otherwise, it will indicate
the remaining lifetime for the context. the remaining lifetime for the context.
6.4.34. getSrcName 6.4.31. getSrcName
public GSSName getSrcName() throws GSSException public GSSName getSrcName() throws GSSException
Returns the name of the context initiator. This call is valid only Returns the name of the context initiator. This call is valid only
after the context is fully established or the isProtReady method after the context is fully established or the isProtReady method
returns "true". It is guaranteed to return an MN. returns "true". It is guaranteed to return an MN.
6.4.35. getTargName 6.4.32. getTargName
public GSSName getTargName() throws GSSException public GSSName getTargName() throws GSSException
Returns the name of the context target (acceptor). This call is Returns the name of the context target (acceptor). This call is
valid only after the context is fully established or the isProtReady valid only after the context is fully established or the isProtReady
method returns "true". It is guaranteed to return an MN. method returns "true". It is guaranteed to return an MN.
6.4.36. getMech 6.4.33. getMech
public Oid getMech() throws GSSException public Oid getMech() throws GSSException
Returns the mechanism oid for this context. This method may be Returns the mechanism oid for this context. This method may be
called before the context is fully established, but the mechanism called before the context is fully established, but the mechanism
returned may change on successive calls in negotiated mechanism case. returned may change on successive calls in negotiated mechanism case.
6.4.37. getDelegCred 6.4.34. getDelegCred
public GSSCredential getDelegCred() throws GSSException public GSSCredential getDelegCred() throws GSSException
Returns the delegated credential object on the acceptor's side. To Returns the delegated credential object on the acceptor's side. To
check for availability of delegated credentials call check for availability of delegated credentials call
getDelegCredState. This call is only valid on fully established getDelegCredState. This call is only valid on fully established
contexts. contexts.
6.4.38. isInitiator 6.4.35. isInitiator
public boolean isInitiator() throws GSSException public boolean isInitiator() throws GSSException
Returns "true" if this is the initiator of the context. This call is Returns "true" if this is the initiator of the context. This call is
only valid after the context creation process has started. only valid after the context creation process has started.
6.4.36. Example Code
The example code presented below demonstrates the usage of the
GSSContext interface for the initiating peer. Different operations
on the GSSContext object are presented, including: object
instantiation, setting of desired flags, context establishment, query
of actual context flags, per-message operations on application data,
and finally context deletion.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();
// start by creating the name for a service entity
GSSName targetName = mgr.createName("service@host",
GSSName.NT_HOSTBASED_SERVICE);
// create a context using default credentials for the above entity
// and the implementation-specific default mechanism
GSSContext context = mgr.createContext(targetName,
null, /* default mechanism */
null, /* default credentials */
GSSContext.INDEFINITE_LIFETIME);
// set desired context options - all others are "false" by default
context.requestConf(true);
context.requestMutualAuth(true);
context.requestReplayDet(true);
context.requestSequenceDet(true);
// establish a context between peers - using byte arrays
byte[]inTok = new byte[0];
try {
do {
byte[] outTok = context.initSecContext(inTok, 0,
inTok.length);
// send the token if present
if (outTok != null)
sendToken(outTok);
// check if we should expect more tokens
if (context.isEstablished())
break;
// another token expected from peer
inTok = readToken();
} while (true);
} catch (GSSException e) {
print("GSSAPI error: " + e.getMessage());
// If the exception contains an output token,
// it should be sent to the acceptor.
byte[] outTok = e.getOutputToken();
if (outTok != null) {
sendToken(outTok);
}
return;
}
// display context information
print("Remaining lifetime in seconds = " + context.getLifetime());
print("Context mechanism = " + context.getMech().toString());
print("Initiator = " + context.getSrcName().toString());
print("Acceptor = " + context.getTargName().toString());
if (context.getConfState())
print("Confidentiality security service available");
if (context.getIntegState())
print("Integrity security service available");
// perform wrap on an application-supplied message, appMsg,
// using QOP = 0, and requesting privacy service
byte[] appMsg ...
MessageProp mProp = new MessageProp(0, true);
byte[] tok = context.wrap(appMsg, 0, appMsg.length, mProp);
if (mProp.getPrivacy())
print("Message protected with privacy.");
sendToken(tok);
// release the local end of the context
context.dispose();
<CODE ENDS>
6.5. public class MessageProp 6.5. public class MessageProp
This is a utility class used within the per-message GSSContext This is a utility class used within the per-message GSSContext
methods to convey per-message properties. methods to convey per-message properties.
When used with the GSSContext interface's wrap and getMIC methods, an When used with the GSSContext interface's wrap and getMIC methods, an
instance of this class is used to indicate the desired QOP and to instance of this class is used to indicate the desired QOP and to
request if confidentiality services are to be applied to caller request if confidentiality services are to be applied to caller
supplied data (wrap only). To request default QOP, the value of 0 supplied data (wrap only). To request default QOP, the value of 0
should be used for QOP. should be used for QOP. A QOP is an integer value defined by an
mechanism.
When used with the unwrap and verifyMIC methods of the GSSContext When used with the unwrap and verifyMIC methods of the GSSContext
interface, an instance of this class will be used to indicate the interface, an instance of this class will be used to indicate the
applied QOP and confidentiality services over the supplied message. applied QOP and confidentiality services over the supplied message.
In the case of verifyMIC, the confidentiality state will always be In the case of verifyMIC, the confidentiality state will always be
"false". Upon return from these methods, this object will also "false". Upon return from these methods, this object will also
contain any supplementary status values applicable to the processed contain any supplementary status values applicable to the processed
token. The supplementary status values can indicate old tokens, out token. The supplementary status values can indicate old tokens, out
of sequence tokens, gap tokens, or duplicate tokens. of sequence tokens, gap tokens, or duplicate tokens.
skipping to change at page 94, line 15 skipping to change at page 92, line 32
code values defined in section 4.12.1. The relevant sections in code values defined in section 4.12.1. The relevant sections in
this document are sections 4.12.1 and 6.8.1. this document are sections 4.12.1 and 6.8.1.
2) GSS Credential Usage Constant Values 2) GSS Credential Usage Constant Values
RFC 2853 section 6.3.2 defines static constants for the RFC 2853 section 6.3.2 defines static constants for the
GSSCredential usage flags. However, the values of these constants GSSCredential usage flags. However, the values of these constants
were not defined anywhere in RFC 2853 [RFC2853]. were not defined anywhere in RFC 2853 [RFC2853].
This document defines the credential usage values in section This document defines the credential usage values in section
6.3.2. The original ordering of these values from section 6.3.2 6.3.1. The original ordering of these values from section 6.3.2
of RFC 2853 [RFC2853] is maintained. of RFC 2853 [RFC2853] is maintained.
3) GSS Host-Based Service Name 3) GSS Host-Based Service Name
RFC 2853 [RFC2853], section 6.2.2, defines the static constant for RFC 2853 [RFC2853], section 6.2.2, defines the static constant for
the GSS host-based service OID NT_HOSTBASED_SERVICE, using a the GSS host-based service OID NT_HOSTBASED_SERVICE, using a
deprecated OID value. deprecated OID value.
This document updates the NT_HOSTBASED_SERVICE OID value in This document updates the NT_HOSTBASED_SERVICE OID value in
section 6.2.2 to be consistent with the C-bindings in RFC 2744 section 6.2.1 to be consistent with the C-bindings in RFC 2744
[RFC2744]. [RFC2744].
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, DOI 10.17487/RFC2025, October 1996, (SPKM)", RFC 2025, DOI 10.17487/RFC2025, October 1996,
<http://www.rfc-editor.org/info/rfc2025>. <http://www.rfc-editor.org/info/rfc2025>.
 End of changes. 154 change blocks. 
515 lines changed or deleted 470 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/