draft-ietf-kitten-rfc5653bis-07.txt   rfc8353.txt 
Network Working Group M. Upadhyay Internet Engineering Task Force (IETF) M. Upadhyay
Internet-Draft Google Request for Comments: 8353 Google
Obsoletes: 5653 (if approved) S. Malkani Obsoletes: 5653 S. Malkani
Intended status: Standards Track ActivIdentity Category: Standards Track ActivIdentity
Expires: August 13, 2018 W. Wang ISSN: 2070-1721 W. Wang
Oracle Oracle
February 9, 2018 May 2018
Generic Security Service API Version 2: Java Bindings Update Generic Security Service API Version 2: Java Bindings Update
draft-ietf-kitten-rfc5653bis-07
Abstract Abstract
The Generic Security Services Application Program Interface (GSS-API) The Generic Security Services Application Programming Interface
offers application programmers uniform access to security services (GSS-API) offers application programmers uniform access to security
atop a variety of underlying cryptographic mechanisms. This document services atop a variety of underlying cryptographic mechanisms. This
updates the Java bindings for the GSS-API that are specified in document updates the Java bindings for the GSS-API that are specified
"Generic Security Service API Version 2 : Java Bindings Update" (RFC in "Generic Security Service API Version 2: Java Bindings Update"
5653). This document obsoletes RFC 5653 by adding a new output token (RFC 5653). This document obsoletes RFC 5653 by adding a new output
field to the GSSException class so that when the initSecContext or token field to the GSSException class so that when the initSecContext
acceptSecContext methods of the GSSContext class fails it has a or acceptSecContext methods of the GSSContext class fail, it has a
chance to emit an error token which can be sent to the peer for chance to emit an error token that can be sent to the peer for
debugging or informational purpose. The stream-based GSSContext debugging or informational purpose. The stream-based GSSContext
methods are also removed in this version. methods are also removed in this version.
The GSS-API is described at a language-independent conceptual level The GSS-API is described at a language-independent conceptual level
in "Generic Security Service Application Program Interface Version 2, in "Generic Security Service Application Program Interface Version 2,
Update 1" (RFC 2743). The GSS-API allows a caller application to Update 1" (RFC 2743). The GSS-API allows a caller application to
authenticate a principal identity, to delegate rights to a peer, and authenticate a principal identity, to delegate rights to a peer, and
to apply security services such as confidentiality and integrity on a to apply security services such as confidentiality and integrity on a
per-message basis. Examples of security mechanisms defined for GSS- per-message basis. Examples of security mechanisms defined for
API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The GSS-API are "The Simple Public-Key GSS-API Mechanism (SPKM)"
Kerberos Version 5 Generic Security Service Application Program (RFC 2025) and "The Kerberos Version 5 Generic Security Service
Interface (GSS-API) Mechanism: Version 2" (RFC 4121). Application Program Interface (GSS-API) Mechanism: Version 2"
(RFC 4121).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on August 13, 2018. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8353.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 41 skipping to change at page 3, line 10
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 7 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 7
3. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 7 3. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 7
4. Additional Controls . . . . . . . . . . . . . . . . . . . . . 8 4. Additional Controls . . . . . . . . . . . . . . . . . . . . . 9
4.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 10
4.2. Mutual Authentication . . . . . . . . . . . . . . . . . . 10 4.2. Mutual Authentication . . . . . . . . . . . . . . . . . . 11
4.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 11 4.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 11
4.4. Anonymous Authentication . . . . . . . . . . . . . . . . 12 4.4. Anonymous Authentication . . . . . . . . . . . . . . . . 12
4.5. Integrity and Confidentiality . . . . . . . . . . . . . . 13 4.5. Integrity and Confidentiality . . . . . . . . . . . . . . 13
4.6. Inter-process Context Transfer . . . . . . . . . . . . . 13 4.6. Inter-process Context Transfer . . . . . . . . . . . . . 13
4.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 14 4.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 14
5. Calling Conventions . . . . . . . . . . . . . . . . . . . . . 14 5. Calling Conventions . . . . . . . . . . . . . . . . . . . . . 15
5.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 14 5.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 15
5.2. Provider Framework . . . . . . . . . . . . . . . . . . . 14 5.2. Provider Framework . . . . . . . . . . . . . . . . . . . 15
5.3. Integer Types . . . . . . . . . . . . . . . . . . . . . . 15 5.3. Integer Types . . . . . . . . . . . . . . . . . . . . . . 16
5.4. Opaque Data Types . . . . . . . . . . . . . . . . . . . . 15 5.4. Opaque Data Types . . . . . . . . . . . . . . . . . . . . 16
5.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 16 5.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 16
5.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 16 5.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 17
5.8. Credentials . . . . . . . . . . . . . . . . . . . . . . . 17 5.8. Credentials . . . . . . . . . . . . . . . . . . . . . . . 17
5.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 18 5.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 19
5.10. Authentication Tokens . . . . . . . . . . . . . . . . . . 19 5.10. Authentication Tokens . . . . . . . . . . . . . . . . . . 20
5.11. Inter-Process Tokens . . . . . . . . . . . . . . . . . . 19 5.11. Inter-process Tokens . . . . . . . . . . . . . . . . . . 20
5.12. Error Reporting . . . . . . . . . . . . . . . . . . . . . 20 5.12. Error Reporting . . . . . . . . . . . . . . . . . . . . . 20
5.12.1. GSS Status Codes . . . . . . . . . . . . . . . . . . 20 5.12.1. GSS Status Codes . . . . . . . . . . . . . . . . . . 21
5.12.2. Mechanism-Specific Status Codes . . . . . . . . . . 22 5.12.2. Mechanism-Specific Status Codes . . . . . . . . . . 23
5.12.3. Supplementary Status Codes . . . . . . . . . . . . . 23 5.12.3. Supplementary Status Codes . . . . . . . . . . . . . 23
5.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 23 5.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.14. Channel Bindings . . . . . . . . . . . . . . . . . . . . 26 5.14. Channel Bindings . . . . . . . . . . . . . . . . . . . . 27
5.15. Optional Parameters . . . . . . . . . . . . . . . . . . . 27 5.15. Optional Parameters . . . . . . . . . . . . . . . . . . . 28
6. Introduction to GSS-API Classes and Interfaces . . . . . . . 27 6. Introduction to GSS-API Classes and Interfaces . . . . . . . 28
6.1. GSSManager Class . . . . . . . . . . . . . . . . . . . . 27 6.1. GSSManager Class . . . . . . . . . . . . . . . . . . . . 28
6.2. GSSName Interface . . . . . . . . . . . . . . . . . . . . 28 6.2. GSSName Interface . . . . . . . . . . . . . . . . . . . . 29
6.3. GSSCredential Interface . . . . . . . . . . . . . . . . . 29 6.3. GSSCredential Interface . . . . . . . . . . . . . . . . . 30
6.4. GSSContext Interface . . . . . . . . . . . . . . . . . . 30 6.4. GSSContext Interface . . . . . . . . . . . . . . . . . . 31
6.5. MessageProp Class . . . . . . . . . . . . . . . . . . . . 32 6.5. MessageProp Class . . . . . . . . . . . . . . . . . . . . 32
6.6. GSSException Class . . . . . . . . . . . . . . . . . . . 32 6.6. GSSException Class . . . . . . . . . . . . . . . . . . . 32
6.7. Oid Class . . . . . . . . . . . . . . . . . . . . . . . . 32 6.7. Oid Class . . . . . . . . . . . . . . . . . . . . . . . . 32
6.8. ChannelBinding Class . . . . . . . . . . . . . . . . . . 32 6.8. ChannelBinding Class . . . . . . . . . . . . . . . . . . 33
7. Detailed GSS-API Class Description . . . . . . . . . . . . . 33 7. Detailed GSS-API Class Description . . . . . . . . . . . . . 33
7.1. public abstract class GSSManager . . . . . . . . . . . . 33 7.1. public abstract class GSSManager . . . . . . . . . . . . 33
7.1.1. getInstance . . . . . . . . . . . . . . . . . . . . . 34 7.1.1. getInstance . . . . . . . . . . . . . . . . . . . . . 34
7.1.2. getMechs . . . . . . . . . . . . . . . . . . . . . . 34 7.1.2. getMechs . . . . . . . . . . . . . . . . . . . . . . 34
7.1.3. getNamesForMech . . . . . . . . . . . . . . . . . . . 34 7.1.3. getNamesForMech . . . . . . . . . . . . . . . . . . . 35
7.1.4. getMechsForName . . . . . . . . . . . . . . . . . . . 35 7.1.4. getMechsForName . . . . . . . . . . . . . . . . . . . 35
7.1.5. createName . . . . . . . . . . . . . . . . . . . . . 35 7.1.5. createName . . . . . . . . . . . . . . . . . . . . . 35
7.1.6. createName . . . . . . . . . . . . . . . . . . . . . 35 7.1.6. createName . . . . . . . . . . . . . . . . . . . . . 36
7.1.7. createName . . . . . . . . . . . . . . . . . . . . . 36 7.1.7. createName . . . . . . . . . . . . . . . . . . . . . 36
7.1.8. createName . . . . . . . . . . . . . . . . . . . . . 37 7.1.8. createName . . . . . . . . . . . . . . . . . . . . . 37
7.1.9. createCredential . . . . . . . . . . . . . . . . . . 37 7.1.9. createCredential . . . . . . . . . . . . . . . . . . 38
7.1.10. createCredential . . . . . . . . . . . . . . . . . . 38 7.1.10. createCredential . . . . . . . . . . . . . . . . . . 38
7.1.11. createCredential . . . . . . . . . . . . . . . . . . 38 7.1.11. createCredential . . . . . . . . . . . . . . . . . . 39
7.1.12. createContext . . . . . . . . . . . . . . . . . . . . 39 7.1.12. createContext . . . . . . . . . . . . . . . . . . . . 39
7.1.13. createContext . . . . . . . . . . . . . . . . . . . . 40 7.1.13. createContext . . . . . . . . . . . . . . . . . . . . 40
7.1.14. createContext . . . . . . . . . . . . . . . . . . . . 40 7.1.14. createContext . . . . . . . . . . . . . . . . . . . . 40
7.1.15. addProviderAtFront . . . . . . . . . . . . . . . . . 40 7.1.15. addProviderAtFront . . . . . . . . . . . . . . . . . 41
7.1.15.1. addProviderAtFront Example Code . . . . . . . . 41 7.1.15.1. addProviderAtFront Example Code . . . . . . . . 42
7.1.16. addProviderAtEnd . . . . . . . . . . . . . . . . . . 42 7.1.16. addProviderAtEnd . . . . . . . . . . . . . . . . . . 43
7.1.16.1. addProviderAtEnd Example Code . . . . . . . . . 43 7.1.16.1. addProviderAtEnd Example Code . . . . . . . . . 43
7.1.17. Example Code . . . . . . . . . . . . . . . . . . . . 44 7.1.17. Example Code . . . . . . . . . . . . . . . . . . . . 44
7.2. public interface GSSName . . . . . . . . . . . . . . . . 44 7.2. public interface GSSName . . . . . . . . . . . . . . . . 45
7.2.1. Static Constants . . . . . . . . . . . . . . . . . . 44 7.2.1. Static Constants . . . . . . . . . . . . . . . . . . 45
7.2.2. equals . . . . . . . . . . . . . . . . . . . . . . . 45 7.2.2. equals . . . . . . . . . . . . . . . . . . . . . . . 46
7.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . 45 7.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . 46
7.2.4. canonicalize . . . . . . . . . . . . . . . . . . . . 46 7.2.4. canonicalize . . . . . . . . . . . . . . . . . . . . 47
7.2.5. export . . . . . . . . . . . . . . . . . . . . . . . 46 7.2.5. export . . . . . . . . . . . . . . . . . . . . . . . 47
7.2.6. toString . . . . . . . . . . . . . . . . . . . . . . 46 7.2.6. toString . . . . . . . . . . . . . . . . . . . . . . 47
7.2.7. getStringNameType . . . . . . . . . . . . . . . . . . 47 7.2.7. getStringNameType . . . . . . . . . . . . . . . . . . 47
7.2.8. isAnonymous . . . . . . . . . . . . . . . . . . . . . 47 7.2.8. isAnonymous . . . . . . . . . . . . . . . . . . . . . 47
7.2.9. isMN . . . . . . . . . . . . . . . . . . . . . . . . 47 7.2.9. isMN . . . . . . . . . . . . . . . . . . . . . . . . 48
7.2.10. Example Code . . . . . . . . . . . . . . . . . . . . 47 7.2.10. Example Code . . . . . . . . . . . . . . . . . . . . 48
7.3. public interface GSSCredential implements Cloneable . . . 48 7.3. public interface GSSCredential implements Cloneable . . . 49
7.3.1. Static Constants . . . . . . . . . . . . . . . . . . 49 7.3.1. Static Constants . . . . . . . . . . . . . . . . . . 50
7.3.2. dispose . . . . . . . . . . . . . . . . . . . . . . . 50 7.3.2. dispose . . . . . . . . . . . . . . . . . . . . . . . 50
7.3.3. getName . . . . . . . . . . . . . . . . . . . . . . . 50 7.3.3. getName . . . . . . . . . . . . . . . . . . . . . . . 50
7.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 50 7.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 51
7.3.5. getRemainingLifetime . . . . . . . . . . . . . . . . 50 7.3.5. getRemainingLifetime . . . . . . . . . . . . . . . . 51
7.3.6. getRemainingInitLifetime . . . . . . . . . . . . . . 51 7.3.6. getRemainingInitLifetime . . . . . . . . . . . . . . 51
7.3.7. getRemainingAcceptLifetime . . . . . . . . . . . . . 51 7.3.7. getRemainingAcceptLifetime . . . . . . . . . . . . . 51
7.3.8. getUsage . . . . . . . . . . . . . . . . . . . . . . 51 7.3.8. getUsage . . . . . . . . . . . . . . . . . . . . . . 52
7.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . 52 7.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . 52
7.3.10. getMechs . . . . . . . . . . . . . . . . . . . . . . 52 7.3.10. getMechs . . . . . . . . . . . . . . . . . . . . . . 52
7.3.11. add . . . . . . . . . . . . . . . . . . . . . . . . . 52 7.3.11. add . . . . . . . . . . . . . . . . . . . . . . . . . 52
7.3.12. equals . . . . . . . . . . . . . . . . . . . . . . . 53 7.3.12. equals . . . . . . . . . . . . . . . . . . . . . . . 53
7.3.13. Example Code . . . . . . . . . . . . . . . . . . . . 53 7.3.13. Example Code . . . . . . . . . . . . . . . . . . . . 54
7.4. public interface GSSContext . . . . . . . . . . . . . . . 54 7.4. public interface GSSContext . . . . . . . . . . . . . . . 54
7.4.1. Static Constants . . . . . . . . . . . . . . . . . . 55 7.4.1. Static Constants . . . . . . . . . . . . . . . . . . 55
7.4.2. initSecContext . . . . . . . . . . . . . . . . . . . 55 7.4.2. initSecContext . . . . . . . . . . . . . . . . . . . 56
7.4.3. acceptSecContext . . . . . . . . . . . . . . . . . . 56 7.4.3. acceptSecContext . . . . . . . . . . . . . . . . . . 56
7.4.4. isEstablished . . . . . . . . . . . . . . . . . . . . 57 7.4.4. isEstablished . . . . . . . . . . . . . . . . . . . . 57
7.4.5. dispose . . . . . . . . . . . . . . . . . . . . . . . 57 7.4.5. dispose . . . . . . . . . . . . . . . . . . . . . . . 57
7.4.6. getWrapSizeLimit . . . . . . . . . . . . . . . . . . 57 7.4.6. getWrapSizeLimit . . . . . . . . . . . . . . . . . . 58
7.4.7. wrap . . . . . . . . . . . . . . . . . . . . . . . . 58 7.4.7. wrap . . . . . . . . . . . . . . . . . . . . . . . . 58
7.4.8. unwrap . . . . . . . . . . . . . . . . . . . . . . . 59 7.4.8. unwrap . . . . . . . . . . . . . . . . . . . . . . . 59
7.4.9. getMIC . . . . . . . . . . . . . . . . . . . . . . . 60 7.4.9. getMIC . . . . . . . . . . . . . . . . . . . . . . . 60
7.4.10. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 60 7.4.10. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 61
7.4.11. export . . . . . . . . . . . . . . . . . . . . . . . 61 7.4.11. export . . . . . . . . . . . . . . . . . . . . . . . 62
7.4.12. requestMutualAuth . . . . . . . . . . . . . . . . . . 62 7.4.12. requestMutualAuth . . . . . . . . . . . . . . . . . . 62
7.4.13. requestReplayDet . . . . . . . . . . . . . . . . . . 62 7.4.13. requestReplayDet . . . . . . . . . . . . . . . . . . 63
7.4.14. requestSequenceDet . . . . . . . . . . . . . . . . . 62 7.4.14. requestSequenceDet . . . . . . . . . . . . . . . . . 63
7.4.15. requestCredDeleg . . . . . . . . . . . . . . . . . . 63 7.4.15. requestCredDeleg . . . . . . . . . . . . . . . . . . 63
7.4.16. requestAnonymity . . . . . . . . . . . . . . . . . . 63 7.4.16. requestAnonymity . . . . . . . . . . . . . . . . . . 64
7.4.17. requestConf . . . . . . . . . . . . . . . . . . . . . 63 7.4.17. requestConf . . . . . . . . . . . . . . . . . . . . . 64
7.4.18. requestInteg . . . . . . . . . . . . . . . . . . . . 64 7.4.18. requestInteg . . . . . . . . . . . . . . . . . . . . 64
7.4.19. requestLifetime . . . . . . . . . . . . . . . . . . . 64 7.4.19. requestLifetime . . . . . . . . . . . . . . . . . . . 64
7.4.20. setChannelBinding . . . . . . . . . . . . . . . . . . 64 7.4.20. setChannelBinding . . . . . . . . . . . . . . . . . . 65
7.4.21. getCredDelegState . . . . . . . . . . . . . . . . . . 64 7.4.21. getCredDelegState . . . . . . . . . . . . . . . . . . 65
7.4.22. getMutualAuthState . . . . . . . . . . . . . . . . . 65 7.4.22. getMutualAuthState . . . . . . . . . . . . . . . . . 65
7.4.23. getReplayDetState . . . . . . . . . . . . . . . . . . 65 7.4.23. getReplayDetState . . . . . . . . . . . . . . . . . . 65
7.4.24. getSequenceDetState . . . . . . . . . . . . . . . . . 65 7.4.24. getSequenceDetState . . . . . . . . . . . . . . . . . 66
7.4.25. getAnonymityState . . . . . . . . . . . . . . . . . . 65 7.4.25. getAnonymityState . . . . . . . . . . . . . . . . . . 66
7.4.26. isTransferable . . . . . . . . . . . . . . . . . . . 65 7.4.26. isTransferable . . . . . . . . . . . . . . . . . . . 66
7.4.27. isProtReady . . . . . . . . . . . . . . . . . . . . . 66 7.4.27. isProtReady . . . . . . . . . . . . . . . . . . . . . 66
7.4.28. getConfState . . . . . . . . . . . . . . . . . . . . 66 7.4.28. getConfState . . . . . . . . . . . . . . . . . . . . 66
7.4.29. getIntegState . . . . . . . . . . . . . . . . . . . . 66 7.4.29. getIntegState . . . . . . . . . . . . . . . . . . . . 67
7.4.30. getLifetime . . . . . . . . . . . . . . . . . . . . . 66 7.4.30. getLifetime . . . . . . . . . . . . . . . . . . . . . 67
7.4.31. getSrcName . . . . . . . . . . . . . . . . . . . . . 66 7.4.31. getSrcName . . . . . . . . . . . . . . . . . . . . . 67
7.4.32. getTargName . . . . . . . . . . . . . . . . . . . . . 67 7.4.32. getTargName . . . . . . . . . . . . . . . . . . . . . 67
7.4.33. getMech . . . . . . . . . . . . . . . . . . . . . . . 67 7.4.33. getMech . . . . . . . . . . . . . . . . . . . . . . . 67
7.4.34. getDelegCred . . . . . . . . . . . . . . . . . . . . 67 7.4.34. getDelegCred . . . . . . . . . . . . . . . . . . . . 68
7.4.35. isInitiator . . . . . . . . . . . . . . . . . . . . . 67 7.4.35. isInitiator . . . . . . . . . . . . . . . . . . . . . 68
7.4.36. Example Code . . . . . . . . . . . . . . . . . . . . 67 7.4.36. Example Code . . . . . . . . . . . . . . . . . . . . 68
7.5. public class MessageProp . . . . . . . . . . . . . . . . 69 7.5. public class MessageProp . . . . . . . . . . . . . . . . 70
7.5.1. Constructors . . . . . . . . . . . . . . . . . . . . 70 7.5.1. Constructors . . . . . . . . . . . . . . . . . . . . 70
7.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . 70 7.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . 71
7.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . 70 7.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . 71
7.5.4. getMinorStatus . . . . . . . . . . . . . . . . . . . 70 7.5.4. getMinorStatus . . . . . . . . . . . . . . . . . . . 71
7.5.5. getMinorString . . . . . . . . . . . . . . . . . . . 70 7.5.5. getMinorString . . . . . . . . . . . . . . . . . . . 71
7.5.6. setQOP . . . . . . . . . . . . . . . . . . . . . . . 71 7.5.6. setQOP . . . . . . . . . . . . . . . . . . . . . . . 71
7.5.7. setPrivacy . . . . . . . . . . . . . . . . . . . . . 71 7.5.7. setPrivacy . . . . . . . . . . . . . . . . . . . . . 72
7.5.8. isDuplicateToken . . . . . . . . . . . . . . . . . . 71 7.5.8. isDuplicateToken . . . . . . . . . . . . . . . . . . 72
7.5.9. isOldToken . . . . . . . . . . . . . . . . . . . . . 71 7.5.9. isOldToken . . . . . . . . . . . . . . . . . . . . . 72
7.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . . 71 7.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . . 72
7.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . . 71 7.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . . 72
7.5.12. setSupplementaryStates . . . . . . . . . . . . . . . 72 7.5.12. setSupplementaryStates . . . . . . . . . . . . . . . 72
7.6. public class ChannelBinding . . . . . . . . . . . . . . . 72 7.6. public class ChannelBinding . . . . . . . . . . . . . . . 73
7.6.1. Constructors . . . . . . . . . . . . . . . . . . . . 73 7.6.1. Constructors . . . . . . . . . . . . . . . . . . . . 73
7.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 73 7.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 74
7.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . 73 7.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . 74
7.6.4. getApplicationData . . . . . . . . . . . . . . . . . 74 7.6.4. getApplicationData . . . . . . . . . . . . . . . . . 74
7.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . 74 7.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . 75
7.7. public class Oid . . . . . . . . . . . . . . . . . . . . 74
7.7.1. Constructors . . . . . . . . . . . . . . . . . . . . 74
7.7.2. toString . . . . . . . . . . . . . . . . . . . . . . 75
7.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . 75
7.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . 76
7.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 76
7.8. public class GSSException extends Exception . . . . . . . 76
7.8.1. Static Constants . . . . . . . . . . . . . . . . . . 76
7.8.2. Constructors . . . . . . . . . . . . . . . . . . . . 79
7.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . 80
7.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . 80
7.8.5. getMajorString . . . . . . . . . . . . . . . . . . . 80
7.8.6. getMinorString . . . . . . . . . . . . . . . . . . . 80
7.8.7. getOutputToken . . . . . . . . . . . . . . . . . . . 81
7.8.8. setMinor . . . . . . . . . . . . . . . . . . . . . . 81
7.8.9. toString . . . . . . . . . . . . . . . . . . . . . . 81
7.8.10. getMessage . . . . . . . . . . . . . . . . . . . . . 81
8. Sample Applications . . . . . . . . . . . . . . . . . . . . . 81 7.7. public class Oid . . . . . . . . . . . . . . . . . . . . 75
8.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 82 7.7.1. Constructors . . . . . . . . . . . . . . . . . . . . 75
8.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . . 85 7.7.2. toString . . . . . . . . . . . . . . . . . . . . . . 76
9. Security Considerations . . . . . . . . . . . . . . . . . . . 89 7.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . 76
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 90 7.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . 76
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 90 7.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 77
12. Changes since RFC 5653 . . . . . . . . . . . . . . . . . . . 90 7.8. public class GSSException extends Exception . . . . . . . 77
13. Changes since RFC 2853 . . . . . . . . . . . . . . . . . . . 92 7.8.1. Static Constants . . . . . . . . . . . . . . . . . . 77
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 92 7.8.2. Constructors . . . . . . . . . . . . . . . . . . . . 80
14.1. Normative References . . . . . . . . . . . . . . . . . . 92 7.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . 81
14.2. Informative References . . . . . . . . . . . . . . . . . 93 7.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . 81
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 94 7.8.5. getMajorString . . . . . . . . . . . . . . . . . . . 81
7.8.6. getMinorString . . . . . . . . . . . . . . . . . . . 81
7.8.7. getOutputToken . . . . . . . . . . . . . . . . . . . 82
7.8.8. setMinor . . . . . . . . . . . . . . . . . . . . . . 82
7.8.9. toString . . . . . . . . . . . . . . . . . . . . . . 82
7.8.10. getMessage . . . . . . . . . . . . . . . . . . . . . 82
8. Sample Applications . . . . . . . . . . . . . . . . . . . . . 83
8.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 83
8.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . . 87
9. Security Considerations . . . . . . . . . . . . . . . . . . . 90
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 91
11. Changes since RFC 5653 . . . . . . . . . . . . . . . . . . . 91
12. Changes since RFC 2853 . . . . . . . . . . . . . . . . . . . 93
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 94
13.1. Normative References . . . . . . . . . . . . . . . . . . 94
13.2. Informative References . . . . . . . . . . . . . . . . . 95
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 96
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96
1. Introduction 1. Introduction
This document specifies Java language bindings for the Generic This document specifies Java language bindings for the Generic
Security Services Application Programming Interface version 2 (GSS- Security Services Application Programming Interface (GSS-API) version
API). GSS-API version 2 is described in a language-independent 2. GSS-API version 2 is described in a language-independent format
format in RFC 2743 [RFC2743]. The GSS-API allows a caller in RFC 2743 [RFC2743]. The GSS-API allows a caller application to
application to authenticate a principal identity, to delegate rights authenticate a principal identity, delegate rights to a peer, and
to a peer, and to apply security services such as confidentiality and apply security services such as confidentiality and integrity on a
integrity on a per-message basis. per-message basis.
This document and its predecessor, RFC 2853 [RFC2853] and RFC 5653 This document and its predecessors, RFC 2853 [RFC2853] and RFC 5653
[RFC5653], leverage the work done by the working group (WG) in the [RFC5653], leverage the work done by the working group (WG) in the
area of RFC 2743 [RFC2743] and the C-bindings of RFC 2744 [RFC2744]. area of RFC 2743 [RFC2743] and the C-bindings of RFC 2744 [RFC2744].
Whenever appropriate, text has been used from the C-bindings document Whenever appropriate, text has been used from the C-bindings document
(RFC 2744) to explain generic concepts and provide direction to the (RFC 2744) to explain generic concepts and provide direction to the
implementors. implementors.
The design goals of this API have been to satisfy all the The design goals of this API have been to satisfy all the
functionality defined in RFC 2743 [RFC2743] and to provide these functionality defined in RFC 2743 [RFC2743] and to provide these
services in an object-oriented method. The specification also aims services in an object-oriented method. The specification also aims
to satisfy the needs of both types of Java application developers, to satisfy the needs of both types of Java application developers,
those who would like access to a "system-wide" GSS-API those who would like access to a "system-wide" GSS-API
implementation, as well as those who would want to provide their own implementation, as well as those who would want to provide their own
"custom" implementation. "custom" implementation.
A system-wide implementation is one that is available to all A system-wide implementation is one that is available to all
applications in the form of a library package. It may be the applications in the form of a library package. It may be the
standard package in the Java runtime environment (JRE) being used or standard package in the Java runtime environment (JRE) being used, or
it may be additionally installed and accessible to any application it may be additionally installed and accessible to any application
via the CLASSPATH. via the CLASSPATH.
A custom implementation of the GSS-API, on the other hand, is one A custom implementation of the GSS-API, on the other hand, is one
that would, in most cases, be bundled with the application during that would, in most cases, be bundled with the application during
distribution. It is expected that such an implementation would be distribution. It is expected that such an implementation would be
meant to provide for some particular need of the application, such as meant to provide for some particular need of the application, such as
support for some specific mechanism. support for some specific mechanism.
The design of this API also aims to provide a flexible framework to The design of this API also aims to provide a flexible framework to
add and manage GSS-API mechanisms. GSS-API leverages the Java add and manage GSS-API mechanisms. GSS-API leverages the Java
Cryptography Architecture (JCA) provider model to support the Cryptography Architecture (JCA) provider model to support the
plugability of mechanisms. Mechanisms can be added on a system-wide plugability of mechanisms. Mechanisms can be added on a system-wide
basis, where all users of the framework will have them available. basis, where all users of the framework will have them available.
The specification also allows for the addition of mechanisms per- The specification also allows for the addition of mechanisms per
instance of the GSS-API. instance of the GSS-API.
Lastly, this specification presents an API that will naturally fit Lastly, this specification presents an API that will naturally fit
within the operation environment of the Java platform. Readers are within the operation environment of the Java platform. Readers are
assumed to be familiar with both the GSS-API and the Java platform. assumed to be familiar with both the GSS-API and the Java platform.
2. Notational Conventions 2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. GSS-API Operational Paradigm 3. GSS-API Operational Paradigm
"Generic Security Service Application Programming Interface, Version "Generic Security Service Application Programming Interface, Version
2" [RFC2743] defines a generic security API to calling applications. 2" [RFC2743] defines a generic security API to calling applications.
It allows a communicating application to authenticate the user It allows a communicating application to authenticate the user
associated with another application, to delegate rights to another associated with another application, to delegate rights to another
application, and to apply security services such as confidentiality application, and to apply security services such as confidentiality
and integrity on a per-message basis. and integrity on a per-message basis.
skipping to change at page 7, line 50 skipping to change at page 8, line 19
credentials vouch for its global identity, which may or may not be credentials vouch for its global identity, which may or may not be
related to any local username under which it may be running. related to any local username under which it may be running.
2) A pair of communicating applications establish a joint security 2) A pair of communicating applications establish a joint security
context using their credentials. The security context context using their credentials. The security context
encapsulates shared state information, which is required in order encapsulates shared state information, which is required in order
that per-message security services may be provided. Examples of that per-message security services may be provided. Examples of
state information that might be shared between applications as state information that might be shared between applications as
part of a security context are cryptographic keys and message part of a security context are cryptographic keys and message
sequence numbers. As part of the establishment of a security sequence numbers. As part of the establishment of a security
context, the context initiator is authenticated to the responder, context, the context initiator is authenticated to the responder
and may require that the responder is authenticated back to the and may require that the responder is authenticated back to the
initiator. The initiator may optionally give the responder the initiator. The initiator may optionally give the responder the
right to initiate further security contexts, acting as an agent or right to initiate further security contexts, acting as an agent or
delegate of the initiator. This transfer of rights is termed delegate of the initiator. This transfer of rights is termed
"delegation", and is achieved by creating a set of credentials, "delegation" and is achieved by creating a set of credentials,
similar to those used by the initiating application, but which may similar to those used by the initiating application, but which may
be used by the responder. be used by the responder.
A GSSContext object is used to establish and maintain the shared A GSSContext object is used to establish and maintain the shared
information that makes up the security context. Certain information that makes up the security context. Certain
GSSContext methods will generate a token, which applications treat GSSContext methods will generate a token, which applications treat
as cryptographically protected, opaque data. The caller of such a as cryptographically protected, opaque data. The caller of such a
GSSContext method is responsible for transferring the token to the GSSContext method is responsible for transferring the token to the
peer application, encapsulated if necessary in an application-to- peer application, encapsulated if necessary in an application-to-
application protocol. On receipt of such a token, the peer application protocol. On receipt of such a token, the peer
application should pass it to a corresponding GSSContext method application should pass it to a corresponding GSSContext method,
which will decode the token and extract the information, updating which will decode the token and extract the information, updating
the security context state information accordingly. the security context state information accordingly.
3) Per-message services are invoked on a GSSContext object to apply 3) Per-message services are invoked on a GSSContext object to apply
either: either:
integrity and data origin authentication, or integrity and data origin authentication, or
confidentiality, integrity and data origin authentication confidentiality, integrity, and data origin authentication
to application data, which are treated by GSS-API as arbitrary to application data, which are treated by GSS-API as arbitrary
octet-strings. An application transmitting a message that it octet strings. An application transmitting a message that it
wishes to protect will call the appropriate GSSContext method wishes to protect will call the appropriate GSSContext method
(getMIC or wrap) to apply protection, and send the resulting token (getMIC or wrap) to apply protection before sending the resulting
to the receiving application. The receiver will pass the received token to the receiving application. The receiver will pass the
token (and, in the case of data protected by getMIC, the received token (and, in the case of data protected by getMIC, the
accompanying message-data) to the corresponding decoding method of accompanying message data) to the corresponding decoding method of
the GSSContext interface (verifyMIC or unwrap) to remove the the GSSContext interface (verifyMIC or unwrap) to remove the
protection and validate the data. protection and validate the data.
4) At the completion of a communications session (which may extend 4) At the completion of a communications session (which may extend
across several transport connections), each application uses a across several transport connections), each application uses a
GSSContext method to invalidate the security context and release GSSContext method to invalidate the security context and release
any system or cryptographic resources held. Multiple contexts may any system or cryptographic resources held. Multiple contexts may
also be used (either successively or simultaneously) within a also be used (either successively or simultaneously) within a
single communications association, at the discretion of the single communications association, at the discretion of the
applications. applications.
skipping to change at page 9, line 46 skipping to change at page 10, line 15
available from the context when the establishment phase is complete. available from the context when the establishment phase is complete.
In general, if the security mechanism is capable of providing a In general, if the security mechanism is capable of providing a
requested service, it SHOULD do so even if additional services must requested service, it SHOULD do so even if additional services must
be enabled in order to provide the requested service. If the be enabled in order to provide the requested service. If the
mechanism is incapable of providing a requested service, it SHOULD mechanism is incapable of providing a requested service, it SHOULD
proceed without the service leaving the application to abort the proceed without the service leaving the application to abort the
context establishment process if it considers the requested service context establishment process if it considers the requested service
to be mandatory. to be mandatory.
Some mechanisms MAY specify that support for some services is Some mechanisms MAY specify that support for some services is
optional, and that implementors of the mechanism need not provide it. optional and that implementors of the mechanism need not provide it.
This is most commonly true of the confidentiality service, often This is most commonly true of the confidentiality service, often
because of legal restrictions on the use of data-encryption, but may because of legal restrictions on the use of data encryption, but it
apply to any of the services. Such mechanisms are required to send may apply to any of the services. Such mechanisms are required to
at least one token from acceptor to initiator during context send at least one token from acceptor to initiator during context
establishment when the initiator indicates a desire to use such a establishment when the initiator indicates a desire to use such a
service, so that the initiating GSS-API can correctly indicate service, so that the initiating GSS-API can correctly indicate
whether the service is supported by the acceptor's GSS-API. whether the service is supported by the acceptor's GSS-API.
4.1. Delegation 4.1. Delegation
The GSS-API allows delegation to be controlled by the initiating The GSS-API allows delegation to be controlled by the initiating
application via the requestCredDeleg method before the first call to application via the requestCredDeleg method before the first call to
init has been issued. Some mechanisms do not support delegation, and init has been issued. Some mechanisms do not support delegation, and
for such mechanisms, attempts by an application to enable delegation for such mechanisms, attempts by an application to enable delegation
skipping to change at page 10, line 31 skipping to change at page 10, line 48
an agent or delegate of the initiator. If the original initiator's an agent or delegate of the initiator. If the original initiator's
identity is "A" and the delegate's identity is "B", then, depending identity is "A" and the delegate's identity is "B", then, depending
on the underlying mechanism, the identity embodied by the delegated on the underlying mechanism, the identity embodied by the delegated
credential may be either "A" or "B acting for A". credential may be either "A" or "B acting for A".
For many mechanisms that support delegation, a simple boolean does For many mechanisms that support delegation, a simple boolean does
not provide enough control. Examples of additional aspects of not provide enough control. Examples of additional aspects of
delegation control that a mechanism might provide to an application delegation control that a mechanism might provide to an application
are duration of delegation, network addresses from which delegation are duration of delegation, network addresses from which delegation
is valid, and constraints on the tasks that may be performed by a is valid, and constraints on the tasks that may be performed by a
delegate. Such controls are presently outside the scope of the GSS- delegate. Such controls are presently outside the scope of the
API. GSS-API implementations supporting mechanisms offering GSS-API. GSS-API implementations supporting mechanisms offering
additional controls SHOULD provide extension routines that allow additional controls SHOULD provide extension routines that allow
these controls to be exercised (perhaps by modifying the initiator's these controls to be exercised (perhaps by modifying the initiator's
GSS-API credential object prior to its use in establishing a GSS-API credential object prior to its use in establishing a
context). However, the simple delegation control provided by GSS-API context). However, the simple delegation control provided by GSS-API
SHOULD always be able to override other mechanism-specific delegation SHOULD always be able to override other mechanism-specific delegation
controls. If the application instructs the GSSContext object that controls. If the application instructs the GSSContext object that
delegation is not desired, then the implementation MUST NOT permit delegation is not desired, then the implementation MUST NOT permit
delegation to occur. This is an exception to the general rule that a delegation to occur. This is an exception to the general rule that a
mechanism may enable services even if they are not requested -- mechanism may enable services even if they are not requested --
delegation may only be provided at the explicit request of the delegation may only be provided at the explicit request of the
skipping to change at page 12, line 38 skipping to change at page 13, line 10
In addition to informing the application that a context is In addition to informing the application that a context is
established anonymously (via the isAnonymous method of the GSSContext established anonymously (via the isAnonymous method of the GSSContext
class), the getSrcName method of the acceptor's GSSContext object class), the getSrcName method of the acceptor's GSSContext object
will, for such contexts, return a reserved internal-form name, will, for such contexts, return a reserved internal-form name,
defined by the implementation. defined by the implementation.
The toString method for a GSSName object representing an anonymous The toString method for a GSSName object representing an anonymous
entity will return a printable name. The returned value will be entity will return a printable name. The returned value will be
syntactically distinguishable from any valid principal name supported syntactically distinguishable from any valid principal name supported
by the implementation. The associated name-type object identifier by the implementation. The associated name-type Object Identifier
will be an oid representing the value of NT_ANONYMOUS. This name- (OID) will be an OID representing the value of NT_ANONYMOUS. This
type oid will be defined as a public, static Oid object of the name-type OID will be defined as a public, static Oid object of the
GSSName class. The printable form of an anonymous name SHOULD be GSSName class. The printable form of an anonymous name SHOULD be
chosen such that it implies anonymity, since this name may appear in, chosen such that it implies anonymity, since this name may appear in,
for example, audit logs. For example, the string "<anonymous>" might for example, audit logs. For example, the string "<anonymous>" might
be a good choice, if no valid printable names supported by the be a good choice, if no valid printable names supported by the
implementation can begin with "<" and end with ">". implementation can begin with "<" and end with ">".
When using the equal method of the GSSName interface, and one of the When using the equal method of the GSSName interface, and one of the
operands is a GSSName instance representing an anonymous entity, the operands is a GSSName instance representing an anonymous entity, the
method MUST return "false". method MUST return "false".
4.5. Integrity and Confidentiality 4.5. Integrity and Confidentiality
If a GSSContext supports the integrity service, getMic method may be If a GSSContext supports the integrity service, the getMic method may
used to create message integrity check tokens on application be used to create message integrity check tokens on application
messages. messages.
If a GSSContext supports the confidentiality service, wrap method may If a GSSContext supports the confidentiality service, the wrap method
be used to encrypt application messages. Messages are selectively may be used to encrypt application messages. Messages are
encrypted, under the control of the setPrivacy method of the selectively encrypted, under the control of the setPrivacy method of
MessageProp object used in the wrap method. Confidentiality will be the MessageProp object used in the wrap method. Confidentiality will
applied if the privacy state is set to true. be applied if the privacy state is set to true.
4.6. Inter-process Context Transfer 4.6. Inter-process Context Transfer
GSS-APIv2 provides functionality that allows a security context to be GSS-APIv2 provides functionality that allows a security context to be
transferred between processes on a single machine. These are transferred between processes on a single machine. These are
implemented using the export method of GSSContext and a byte array implemented using the export method of GSSContext and a byte array
constructor of the same class. The most common use for such a constructor of the same class. The most common use for such a
feature is a client-server design where the server is implemented as feature is a client-server design where the server is implemented as
a single process that accepts incoming security contexts, which then a single process that accepts incoming security contexts, which then
launches child processes to deal with the data on these contexts. In launches child processes to deal with the data on these contexts. In
such a design, the child processes must have access to the security such a design, the child processes must have access to the security
context object created within the parent so that they can use per- context object created within the parent so that they can use per-
message protection services and delete the security context when the message protection services and delete the security context when the
communication session ends. communication session ends.
Since the security context data structure is expected to contain Since the security context data structure is expected to contain
sequencing information, it is impractical in general to share a sequencing information, it is impractical in general to share a
context between processes. Thus, the GSSContext interface provides context between processes. Thus, the GSSContext interface provides
an export method that the process, which currently owns the context, an export method that the process, which currently owns the context,
can call to declare that it has no intention to use the context can call to declare that it has no intention to use the context
subsequently, and to create an inter-process token containing subsequently and to create an inter-process token containing
information needed by the adopting process to successfully recreate information needed by the adopting process to successfully recreate
the context. After successful completion of export, the original the context. After successful completion of export, the original
security context is made inaccessible to the calling process by GSS- security context is made inaccessible to the calling process by
API, and any further usage of this object will result in failures. GSS-API, and any further usage of this object will result in
The originating process transfers the inter-process token to the failures. The originating process transfers the inter-process token
adopting process, which creates a new GSSContext object using the to the adopting process, which creates a new GSSContext object using
byte array constructor. The properties of the context are equivalent the byte array constructor. The properties of the context are
to that of the original context. equivalent to that of the original context.
The inter-process token MAY contain sensitive data from the original The inter-process token MAY contain sensitive data from the original
security context (including cryptographic keys). Applications using security context (including cryptographic keys). Applications using
inter-process tokens to transfer security contexts MUST take inter-process tokens to transfer security contexts MUST take
appropriate steps to protect these tokens in transit. appropriate steps to protect these tokens in transit.
Implementations are not required to support the inter-process Implementations are not required to support the inter-process
transfer of security contexts. Calling the isTransferable method of transfer of security contexts. Calling the isTransferable method of
the GSSContext interface will indicate if the context object is the GSSContext interface will indicate if the context object is
transferable. transferable.
skipping to change at page 14, line 27 skipping to change at page 15, line 8
An application can invoke the isProtReady method of the GSSContext An application can invoke the isProtReady method of the GSSContext
class to determine if the per-message services are available in class to determine if the per-message services are available in
advance of complete context establishment. Applications wishing to advance of complete context establishment. Applications wishing to
use per-message protection services on partially established contexts use per-message protection services on partially established contexts
SHOULD query this method before attempting to invoke wrap or getMIC. SHOULD query this method before attempting to invoke wrap or getMIC.
5. Calling Conventions 5. Calling Conventions
Java provides the implementors with not just a syntax for the Java provides the implementors with not just a syntax for the
language, but also an operational environment. For example, memory language but also an operational environment. For example, memory is
is automatically managed and does not require application automatically managed and does not require application intervention.
intervention. These language features have allowed for a simpler API These language features have allowed for a simpler API and have led
and have led to the elimination of certain GSS-API functions. to the elimination of certain GSS-API functions.
Moreover, the JCA defines a provider model that allows for Moreover, the JCA defines a provider model that allows for
implementation-independent access to security services. Using this implementation-independent access to security services. Using this
model, applications can seamlessly switch between different model, applications can seamlessly switch between different
implementations and dynamically add new services. The GSS-API implementations and dynamically add new services. The GSS-API
specification leverages these concepts by the usage of providers for specification leverages these concepts by the usage of providers for
the mechanism implementations. the mechanism implementations.
5.1. Package Name 5.1. Package Name
The classes and interfaces defined in this document reside in the The classes and interfaces defined in this document reside in the
package called "org.ietf.jgss". Applications that wish to make use package called "org.ietf.jgss". Applications that wish to make use
of this API should import this package name as shown in section 8. of this API should import this package name as shown in Section 8.
5.2. Provider Framework 5.2. Provider Framework
The Java security API's use a provider architecture that allows Java security APIs use a provider architecture that allows
applications to be implementation independent and security API applications to be implementation independent and security API
implementations to be modular and extensible. The implementations to be modular and extensible. The
java.security.Provider class is an abstract class that a vendor java.security.Provider class is an abstract class that a vendor
extends. This class maps various properties that represent different extends. This class maps various properties that represent different
security services that are available to the names of the actual security services that are available to the names of the actual
vendor classes that implement those services. When requesting a vendor classes that implement those services. When requesting a
service, an application simply specifies the desired provider and the service, an application simply specifies the desired provider, and
API delegates the request to service classes available from that the API delegates the request to service classes available from that
provider. provider.
Using the Java security provider model insulates applications from Using the Java security provider model insulates applications from
implementation details of the services they wish to use. implementation details of the services they wish to use.
Applications can switch between providers easily and new providers Applications can switch between providers easily, and new providers
can be added as needed, even at runtime. can be added as needed, even at runtime.
The GSS-API may use providers to find components for specific The GSS-API may use providers to find components for specific
underlying security mechanisms. For instance, a particular provider underlying security mechanisms. For instance, a particular provider
might contain components that will allow the GSS-API to support the might contain components that will allow the GSS-API to support the
Kerberos v5 mechanism [RFC4121] and another might contain components Kerberos v5 mechanism [RFC4121], and another might contain components
to support the Simple Public-Key GSS-API Mechanism (SPKM) [RFC2025]. to support the Simple Public-Key GSS-API Mechanism (SPKM) [RFC2025].
By delegating mechanism-specific functionality to the components By delegating mechanism-specific functionality to the components
obtained from providers, the GSS-API can be extended to support an obtained from providers, the GSS-API can be extended to support an
arbitrary list of mechanism. arbitrary list of mechanisms.
How the GSS-API locates and queries these providers is beyond the How the GSS-API locates and queries these providers is beyond the
scope of this document and is being deferred to a Service Provider scope of this document and is being deferred to a Service Provider
Interface (SPI) specification. The availability of such an SPI Interface (SPI) specification. The availability of such an SPI
specification is not mandatory for the adoption of this API specification is not mandatory for the adoption of this API
specification nor is it mandatory to use providers in the specification nor is it mandatory to use providers in the
implementation of a GSS-API framework. However, by using the implementation of a GSS-API framework. However, by using the
provider framework together with an SPI specification, one can create provider framework together with an SPI specification, one can create
an extensible and implementation-independent GSS-API framework. an extensible and implementation-independent GSS-API framework.
5.3. Integer Types 5.3. Integer Types
All numeric values are declared as "int" primitive Java type. The All numeric values are declared as the "int" primitive Java type.
Java specification guarantees that this will be a 32-bit two's The Java specification guarantees that this will be a 32-bit two's
complement signed number. complement signed number.
Throughout this API, the "boolean" primitive Java type is used Throughout this API, the "boolean" primitive Java type is used
wherever a boolean value is required or returned. wherever a boolean value is required or returned.
5.4. Opaque Data Types 5.4. Opaque Data Types
Java byte arrays are used to represent opaque data types that are Java byte arrays are used to represent opaque data types that are
consumed and produced by the GSS-API in the form of tokens. Java consumed and produced by the GSS-API in the form of tokens. Java
arrays contain a length field that enables the users to easily arrays contain a length field that enables the users to easily
skipping to change at page 16, line 16 skipping to change at page 16, line 43
The String object will be used to represent all textual data. The The String object will be used to represent all textual data. The
Java String object transparently treats all characters as two-byte Java String object transparently treats all characters as two-byte
Unicode characters, which allows support for many locals. All Unicode characters, which allows support for many locals. All
routines returning or accepting textual data will use the String routines returning or accepting textual data will use the String
object. object.
5.6. Object Identifiers 5.6. Object Identifiers
An Oid object will be used to represent Universal Object Identifiers An Oid object will be used to represent Universal Object Identifiers
(Oids). Oids are ISO-defined, hierarchically globally interpretable (OIDs). OIDs are ISO-defined, hierarchically globally interpretable
identifiers used within the GSS-API framework to identify security identifiers used within the GSS-API framework to identify security
mechanisms and name formats. The Oid object can be created from a mechanisms and name formats. The Oid object can be created from a
string representation of its dot notation (e.g., "1.3.6.1.5.6.2") as string representation of its dot notation (e.g., "1.3.6.1.5.6.2") as
well as from its ASN.1 DER encoding. Methods are also provided to well as from its ASN.1 DER encoding. Methods are also provided to
test equality and provide the DER representation for the object. test equality and provide the DER representation for the object.
An important feature of the Oid class is that its instances are An important feature of the Oid class is that its instances are
immutable -- i.e., there are no methods defined that allow one to immutable -- i.e., there are no methods defined that allow one to
change the contents of an Oid. This property allows one to treat change the contents of an Oid object. This property allows one to
these objects as "statics" without the need to perform copies. treat these objects as "statics" without the need to perform copies.
Certain routines allow the usage of a default oid. A "null" value Certain routines allow the usage of a default OID. A "null" value
can be used in those cases. can be used in those cases.
5.7. Object Identifier Sets 5.7. Object Identifier Sets
The Java bindings represent object identifier sets as arrays of Oid The Java bindings represent Object Identifier sets as arrays of Oid
objects. All Java arrays contain a length field, which allows for objects. All Java arrays contain a length field, which allows for
easy manipulation and reference. easy manipulation and reference.
In order to support the full functionality of RFC 2743 [RFC2743], the In order to support the full functionality of RFC 2743 [RFC2743], the
Oid class includes a method that checks for existence of an Oid Oid class includes a method that checks for existence of an Oid
object within a specified array. This is equivalent in functionality object within a specified array. This is equivalent in functionality
to gss_test_oid_set_member. The use of Java arrays and Java's to gss_test_oid_set_member. The use of Java arrays and Java's
automatic garbage collection has eliminated the need for the automatic garbage collection has eliminated the need for the
following routines: gss_create_empty_oid_set, gss_release_oid_set, following routines: gss_create_empty_oid_set, gss_release_oid_set,
and gss_add_oid_set_member. Java GSS-API implementations will not and gss_add_oid_set_member. Java GSS-API implementations will not
contain them. Java's automatic garbage collection and the immutable contain them. Java's automatic garbage collection and the immutable
property of the Oid object eliminates the memory management issues of property of the Oid object eliminates the memory management issues of
the C counterpart. the C counterpart.
Whenever a default value for an Object Identifier Set is required, a Whenever a default value for an Object Identifier set is required, a
"null" value can be used. Please consult the detailed method "null" value can be used. Please consult the detailed method
description for details. description for details.
5.8. Credentials 5.8. Credentials
GSS-API credentials are represented by the GSSCredential interface. GSS-API credentials are represented by the GSSCredential interface.
The interface contains several constructs to allow for the creation The interface contains several constructs to allow for the creation
of most common credential objects for the initiator and the acceptor. of most common credential objects for the initiator and the acceptor.
Comparisons are performed using the interface's "equals" method. The Comparisons are performed using the interface's "equals" method. The
following general description of GSS-API credentials is included from following general description of GSS-API credentials is included from
the C-bindings specification: the C-bindings specification [RFC2744]:
GSS-API credentials can contain mechanism-specific principal GSS-API credentials can contain mechanism-specific principal
authentication data for multiple mechanisms. A GSS-API credential authentication data for multiple mechanisms. A GSS-API credential
is composed of a set of credential-elements, each of which is is composed of a set of credential-elements, each of which is
applicable to a single mechanism. A credential may contain at applicable to a single mechanism. A credential may contain at
most one credential-element for each supported mechanism. A most one credential-element for each supported mechanism. A
credential-element identifies the data needed by a single credential-element identifies the data needed by a single
mechanism to authenticate a single principal, and conceptually mechanism to authenticate a single principal, and conceptually
contains two credential-references that describe the actual contains two credential-references that describe the actual
mechanism-specific authentication data, one to be used by GSS-API mechanism-specific authentication data, one to be used by GSS-API
for initiating contexts, and one to be used for accepting for initiating contexts, and one to be used for accepting
contexts. For mechanisms that do not distinguish between acceptor contexts. For mechanisms that do not distinguish between acceptor
and initiator credentials, both references would point to the same and initiator credentials, both references would point to the same
underlying mechanism-specific authentication data. underlying mechanism-specific authentication data.
Credentials describe a set of mechanism-specific principals, and give Credentials describe a set of mechanism-specific principals and give
their holder the ability to act as any of those principals. All their holder the ability to act as any of those principals. All
principal identities asserted by a single GSS-API credential SHOULD principal identities asserted by a single GSS-API credential SHOULD
belong to the same entity, although enforcement of this property is belong to the same entity, although enforcement of this property is
an implementation-specific matter. A single GSSCredential object an implementation-specific matter. A single GSSCredential object
represents all the credential elements that have been acquired. represents all the credential elements that have been acquired.
The creation of an GSSContext object allows the value of "null" to be The creation of a GSSContext object allows the value of "null" to be
specified as the GSSCredential input parameter. This will indicate a specified as the GSSCredential input parameter. This will indicate a
desire by the application to act as a default principal. While desire by the application to act as a default principal. While
individual GSS-API implementations are free to determine such default individual GSS-API implementations are free to determine such default
behavior as appropriate to the mechanism, the following default behavior as appropriate to the mechanism, the following default
behavior by these routines is RECOMMENDED for portability: behavior by these routines is RECOMMENDED for portability:
For the initiator side of the context: For the initiator side of the context:
1) If there is only a single principal capable of initiating security 1) If there is only a single principal capable of initiating security
contexts for the chosen mechanism that the application is contexts for the chosen mechanism that the application is
authorized to act on behalf of, then that principal shall be used; authorized to act on behalf of, then that principal shall be used;
otherwise, otherwise,
2) If the platform maintains a concept of a default network-identity 2) If the platform maintains a concept of a default network identity
for the chosen mechanism, and if the application is authorized to for the chosen mechanism, and if the application is authorized to
act on behalf of that identity for the purpose of initiating act on behalf of that identity for the purpose of initiating
security contexts, then the principal corresponding to that security contexts, then the principal corresponding to that
identity shall be used; otherwise, identity shall be used; otherwise,
3) If the platform maintains a concept of a default local identity, 3) If the platform maintains a concept of a default local identity,
and provides a means to map local identities into network- and provides a means to map local identities into network
identities for the chosen mechanism, and if the application is identities for the chosen mechanism, and if the application is
authorized to act on behalf of the network-identity image of the authorized to act on behalf of the network-identity image of the
default local identity for the purpose of initiating security default local identity for the purpose of initiating security
contexts using the chosen mechanism, then the principal contexts using the chosen mechanism, then the principal
corresponding to that identity shall be used; otherwise, corresponding to that identity shall be used; otherwise,
4) A user-configurable default identity should be used. 4) A user-configurable default identity should be used.
For the acceptor side of the context: For the acceptor side of the context:
skipping to change at page 18, line 41 skipping to change at page 19, line 23
if mutual authentication was not requested, any principal that the if mutual authentication was not requested, any principal that the
application is authorized to accept security contexts under using application is authorized to accept security contexts under using
the chosen mechanism may be used; otherwise, the chosen mechanism may be used; otherwise,
4) A user-configurable default identity shall be used. 4) A user-configurable default identity shall be used.
The purpose of the above rules is to allow security contexts to be The purpose of the above rules is to allow security contexts to be
established by both initiator and acceptor using the default behavior established by both initiator and acceptor using the default behavior
whenever possible. Applications requesting default behavior are whenever possible. Applications requesting default behavior are
likely to be more portable across mechanisms and implementations than likely to be more portable across mechanisms and implementations than
ones that instantiate an GSSCredential object representing a specific ones that instantiate a GSSCredential object representing a specific
identity. identity.
5.9. Contexts 5.9. Contexts
The GSSContext interface is used to represent one end of a GSS-API The GSSContext interface is used to represent one end of a GSS-API
security context, storing state information appropriate to that end security context, storing state information appropriate to that end
of the peer communication, including cryptographic state information. of the peer communication, including cryptographic state information.
The instantiation of the context object is done differently by the The instantiation of the context object is done differently by the
initiator and the acceptor. After the context has been instantiated, initiator and the acceptor. After the context has been instantiated,
the initiator MAY choose to set various context options that will the initiator MAY choose to set various context options that will
skipping to change at page 19, line 24 skipping to change at page 20, line 9
retrieved attribute does not match the desired value but it is retrieved attribute does not match the desired value but it is
necessary for the application protocol, the application SHOULD necessary for the application protocol, the application SHOULD
destroy the security context and not use it for application traffic. destroy the security context and not use it for application traffic.
Otherwise, at this point, the context can be used by the application Otherwise, at this point, the context can be used by the application
to apply cryptographic services to its data. to apply cryptographic services to its data.
5.10. Authentication Tokens 5.10. Authentication Tokens
A token is a caller-opaque type that GSS-API uses to maintain A token is a caller-opaque type that GSS-API uses to maintain
synchronization between each end of the GSS-API security context. synchronization between each end of the GSS-API security context.
The token is a cryptographically protected octet-string, generated by The token is a cryptographically protected octet string, generated by
the underlying mechanism at one end of a GSS-API security context for the underlying mechanism at one end of a GSS-API security context for
use by the peer mechanism at the other end. Encapsulation (if use by the peer mechanism at the other end. Encapsulation (if
required) within the application protocol and transfer of the token required) within the application protocol and transfer of the token
are the responsibility of the peer applications. are the responsibility of the peer applications.
Java GSS-API uses byte arrays to represent authentication tokens. Java GSS-API uses byte arrays to represent authentication tokens.
5.11. Inter-Process Tokens 5.11. Inter-process Tokens
Certain GSS-API routines are intended to transfer data between Certain GSS-API routines are intended to transfer data between
processes in multi-process programs. These routines use a caller- processes in multi-process programs. These routines use a caller-
opaque octet-string, generated by the GSS-API in one process for use opaque octet string, generated by the GSS-API in one process for use
by the GSS-API in another process. The calling application is by the GSS-API in another process. The calling application is
responsible for transferring such tokens between processes. Note responsible for transferring such tokens between processes. Note
that, while GSS-API implementors are encouraged to avoid placing that, while GSS-API implementors are encouraged to avoid placing
sensitive information within inter-process tokens, or to sensitive information within inter-process tokens, or to
cryptographically protect them, many implementations will be unable cryptographically protect them, many implementations will be unable
to avoid placing key material or other sensitive data within them. to avoid placing key material or other sensitive data within them.
It is the application's responsibility to ensure that inter-process It is the application's responsibility to ensure that inter-process
tokens are protected in transit, and transferred only to processes tokens are protected in transit and transferred only to processes
that are trustworthy. An inter-process token is represented using a that are trustworthy. An inter-process token is represented using a
byte array emitted from the export method of the GSSContext byte array emitted from the export method of the GSSContext
interface. The receiver of the inter-process token would initialize interface. The receiver of the inter-process token would initialize
an GSSContext object with this token to create a new context. Once a a GSSContext object with this token to create a new context. Once a
context has been exported, the GSSContext object is invalidated and context has been exported, the GSSContext object is invalidated and
is no longer available. is no longer available.
5.12. Error Reporting 5.12. Error Reporting
RFC 2743 [RFC2743] defined the usage of major and minor status values RFC 2743 [RFC2743] defined the usage of major and minor status values
for the signaling of GSS-API errors. The major code, also called GSS for the signaling of GSS-API errors. The major code, also called the
status code, is used to signal errors at the GSS-API level, GSS status code, is used to signal errors at the GSS-API level,
independent of the underlying mechanism(s). The minor status value independent of the underlying mechanism(s). The minor status value
or Mechanism status code, is a mechanism-defined error value or Mechanism status code, is a mechanism-defined error value
indicating a mechanism-specific error code. indicating a mechanism-specific error code.
Java GSS-API uses exceptions implemented by the GSSException class to Java GSS-API uses exceptions implemented by the GSSException class to
signal both minor and major error values. Both mechanism-specific signal both minor and major error values. Both mechanism-specific
errors and GSS-API level errors are signaled through instances of errors and GSS-API level errors are signaled through instances of
this class. The usage of exceptions replaces the need for major and this class. The usage of exceptions replaces the need for major and
minor codes to be used within the API calls. The GSSException class minor codes to be used within the API calls. The GSSException class
also contains methods to obtain textual representations for both the also contains methods to obtain textual representations for both the
skipping to change at page 20, line 35 skipping to change at page 21, line 19
negotiation has failed and the GSSContext object MUST be abandoned. negotiation has failed and the GSSContext object MUST be abandoned.
If it is thrown in a per-message call, the context MAY remain useful. If it is thrown in a per-message call, the context MAY remain useful.
5.12.1. GSS Status Codes 5.12.1. GSS Status Codes
GSS status codes indicate errors that are independent of the GSS status codes indicate errors that are independent of the
underlying mechanism(s) used to provide the security service. The underlying mechanism(s) used to provide the security service. The
errors that can be indicated via a GSS status code are generic API errors that can be indicated via a GSS status code are generic API
routine errors (errors that are defined in the GSS-API routine errors (errors that are defined in the GSS-API
specification). These bindings take advantage of the Java exceptions specification). These bindings take advantage of the Java exceptions
mechanism, thus, eliminating the need for calling errors. mechanism, thus eliminating the need for calling errors.
A GSS status code indicates a single fatal generic API error from the A GSS status code indicates a single fatal generic API error from the
routine that has thrown the GSSException. Using exceptions announces routine that has thrown the GSSException. Using exceptions announces
that a fatal error has occurred during the execution of the method. that a fatal error has occurred during the execution of the method.
The GSS-API operational model also allows for the signaling of The GSS-API operational model also allows for the signaling of
supplementary status information from the per-message calls. These supplementary status information from the per-message calls. These
need to be handled as return values since using exceptions is not need to be handled as return values since using exceptions is not
appropriate for informatory or warning-like information. The methods appropriate for informatory or warning-like information. The methods
that are capable of producing supplementary information are the two that are capable of producing supplementary information are the two
per-message methods GSSContext.verifyMIC() and GSSContext.unwrap(). per-message methods GSSContext.verifyMIC() and GSSContext.unwrap().
These methods fill the supplementary status codes in the MessageProp These methods fill the supplementary status codes in the MessageProp
object that was passed in. object that was passed in.
A GSSException object, along with providing the functionality for A GSSException object, along with providing the functionality for
setting of the various error codes and translating them into textual setting the various error codes and translating them into textual
representation, also contains the definitions of all the numeric representation, also contains the definitions of all the numeric
error values. The following table lists the definitions of error error values. The following table lists the definitions of error
codes: codes:
Table: GSS Status Codes Table: GSS Status Codes
+----------------------+-------+------------------------------------+ +----------------------+-------+------------------------------------+
| Name | Value | Meaning | | Name | Value | Meaning |
+----------------------+-------+------------------------------------+ +----------------------+-------+------------------------------------+
| BAD_BINDINGS | 1 | Incorrect channel bindings were | | BAD_BINDINGS | 1 | Incorrect channel bindings were |
| | | supplied. | | | | supplied. |
| | | |
| BAD_MECH | 2 | An unsupported mechanism was | | BAD_MECH | 2 | An unsupported mechanism was |
| | | requested. | | | | requested. |
| | | |
| BAD_NAME | 3 | An invalid name was supplied. | | BAD_NAME | 3 | An invalid name was supplied. |
| | | |
| BAD_NAMETYPE | 4 | A supplied name was of an | | BAD_NAMETYPE | 4 | A supplied name was of an |
| | | unsupported type. | | | | unsupported type. |
| | | |
| BAD_STATUS | 5 | An invalid status code was | | BAD_STATUS | 5 | An invalid status code was |
| | | supplied. | | | | supplied. |
| | | |
| BAD_MIC | 6 | A token had an invalid MIC. | | BAD_MIC | 6 | A token had an invalid MIC. |
| | | |
| CONTEXT_EXPIRED | 7 | The context has expired. | | CONTEXT_EXPIRED | 7 | The context has expired. |
| | | |
| CREDENTIALS_EXPIRED | 8 | The referenced credentials have | | CREDENTIALS_EXPIRED | 8 | The referenced credentials have |
| | | expired. | | | | expired. |
| | | |
| DEFECTIVE_CREDENTIAL | 9 | A supplied credential was invalid. | | DEFECTIVE_CREDENTIAL | 9 | A supplied credential was invalid. |
| | | |
| DEFECTIVE_TOKEN | 10 | A supplied token was invalid. | | DEFECTIVE_TOKEN | 10 | A supplied token was invalid. |
| | | |
| FAILURE | 11 | Miscellaneous failure, unspecified | | FAILURE | 11 | Miscellaneous failure, unspecified |
| | | at the GSS-API level. | | | | at the GSS-API level. |
| | | |
| NO_CONTEXT | 12 | Invalid context has been supplied. | | NO_CONTEXT | 12 | Invalid context has been supplied. |
| | | |
| NO_CRED | 13 | No credentials were supplied, or | | NO_CRED | 13 | No credentials were supplied, or |
| | | the credentials were unavailable | | | | the credentials were unavailable |
| | | or inaccessible. | | | | or inaccessible. |
| | | | | BAD_QOP | 14 | The quality of protection (QOP) |
| BAD_QOP | 14 | The quality-of-protection (QOP) |
| | | requested could not be provided. | | | | requested could not be provided. |
| | | |
| UNAUTHORIZED | 15 | The operation is forbidden by the | | UNAUTHORIZED | 15 | The operation is forbidden by the |
| | | local security policy. | | | | local security policy. |
| | | |
| UNAVAILABLE | 16 | The operation or option is | | UNAVAILABLE | 16 | The operation or option is |
| | | unavailable. | | | | unavailable. |
| | | |
| DUPLICATE_ELEMENT | 17 | The requested credential element | | DUPLICATE_ELEMENT | 17 | The requested credential element |
| | | already exists. | | | | already exists. |
| | | |
| NAME_NOT_MN | 18 | The provided name was not a | | NAME_NOT_MN | 18 | The provided name was not a |
| | | mechanism name. | | | | mechanism name. |
+----------------------+-------+------------------------------------+ +----------------------+-------+------------------------------------+
The following four status codes (DUPLICATE_TOKEN, OLD_TOKEN, The following four status codes (DUPLICATE_TOKEN, OLD_TOKEN,
UNSEQ_TOKEN, and GAP_TOKEN) are contained in a GSSException only if UNSEQ_TOKEN, and GAP_TOKEN) are contained in a GSSException only if
detected during context establishment, in which case it is a fatal detected during context establishment, in which case it is a fatal
error. (During per-message calls, these values are indicated as error. (During per-message calls, these values are indicated as
supplementary information contained in the MessageProp object.) They supplementary information contained in the MessageProp object.) They
are: are:
+-----------------+-------+-----------------------------------------+ +-----------------+-------+-----------------------------------------+
| Name | Value | Meaning | | Name | Value | Meaning |
+-----------------+-------+-----------------------------------------+ +-----------------+-------+-----------------------------------------+
skipping to change at page 22, line 26 skipping to change at page 23, line 16
detected during context establishment, in which case it is a fatal detected during context establishment, in which case it is a fatal
error. (During per-message calls, these values are indicated as error. (During per-message calls, these values are indicated as
supplementary information contained in the MessageProp object.) They supplementary information contained in the MessageProp object.) They
are: are:
+-----------------+-------+-----------------------------------------+ +-----------------+-------+-----------------------------------------+
| Name | Value | Meaning | | Name | Value | Meaning |
+-----------------+-------+-----------------------------------------+ +-----------------+-------+-----------------------------------------+
| DUPLICATE_TOKEN | 19 | The token was a duplicate of an earlier | | DUPLICATE_TOKEN | 19 | The token was a duplicate of an earlier |
| | | version. | | | | version. |
| | | |
| OLD_TOKEN | 20 | The token's validity period has | | OLD_TOKEN | 20 | The token's validity period has |
| | | expired. | | | | expired. |
| | | |
| UNSEQ_TOKEN | 21 | A later token has already been | | UNSEQ_TOKEN | 21 | A later token has already been |
| | | processed. | | | | processed. |
| | | |
| GAP_TOKEN | 22 | The expected token was not received. | | GAP_TOKEN | 22 | The expected token was not received. |
+-----------------+-------+-----------------------------------------+ +-----------------+-------+-----------------------------------------+
The GSS major status code of FAILURE is used to indicate that the The GSS major status code of FAILURE is used to indicate that the
underlying mechanism detected an error for which no specific GSS underlying mechanism detected an error for which no specific GSS
status code is defined. The mechanism-specific status code can status code is defined. The mechanism-specific status code can
provide more details about the error. provide more details about the error.
The different major status codes that can be contained in the The different major status codes that can be contained in the
GSSException object thrown by the methods in this specification are GSSException object thrown by the methods in this specification are
the same as the major status codes returned by the corresponding the same as the major status codes returned by the corresponding
calls in RFC 2743 [RFC2743]. calls in RFC 2743 [RFC2743].
5.12.2. Mechanism-Specific Status Codes 5.12.2. Mechanism-Specific Status Codes
Mechanism-specific status codes are communicated in two ways, they Mechanism-specific status codes are communicated in two ways: they
are part of any GSSException thrown from the mechanism-specific layer are part of any GSSException thrown from the mechanism-specific layer
to signal a fatal error, or they are part of the MessageProp object to signal a fatal error, or they are part of the MessageProp object
that the per-message calls use to signal non-fatal errors. that the per-message calls use to signal non-fatal errors.
A default value of 0 in either the GSSException object or the A default value of 0 in either the GSSException object or the
MessageProp object will be used to represent the absence of any MessageProp object will be used to represent the absence of any
mechanism-specific status code. mechanism-specific status code.
5.12.3. Supplementary Status Codes 5.12.3. Supplementary Status Codes
Supplementary status codes are confined to the per-message methods of Supplementary status codes are confined to the per-message methods of
the GSSContext interface. Because of the informative nature of these the GSSContext interface. Because of the informative nature of these
errors it is not appropriate to use exceptions to signal them. errors, it is not appropriate to use exceptions to signal them.
Instead, the per-message operations of the GSSContext interface Instead, the per-message operations of the GSSContext interface
return these values in a MessageProp object. return these values in a MessageProp object.
The MessageProp class defines query methods that return boolean The MessageProp class defines query methods that return boolean
values indicating the following supplementary states: values indicating the following supplementary states:
Table: Supplementary Status Methods Table: Supplementary Status Methods
+------------------+------------------------------------------------+ +------------------+------------------------------------------------+
| Method Name | Meaning when "true" is returned | | Method Name | Meaning when "true" is returned |
+------------------+------------------------------------------------+ +------------------+------------------------------------------------+
| isDuplicateToken | The token was a duplicate of an earlier token. | | isDuplicateToken | The token was a duplicate of an earlier token. |
| | |
| isOldToken | The token's validity period has expired. | | isOldToken | The token's validity period has expired. |
| | |
| isUnseqToken | A later token has already been processed. | | isUnseqToken | A later token has already been processed. |
| | |
| isGapToken | An expected per-message token was not | | isGapToken | An expected per-message token was not |
| | received. | | | received. |
+------------------+------------------------------------------------+ +------------------+------------------------------------------------+
A "true" return value for any of the above methods indicates that the A "true" return value for any of the above methods indicates that the
token exhibited the specified property. The application MUST token exhibited the specified property. The application MUST
determine the appropriate course of action for these supplementary determine the appropriate course of action for these supplementary
values. They are not treated as errors by the GSS-API. values. They are not treated as errors by the GSS-API.
5.13. Names 5.13. Names
skipping to change at page 24, line 24 skipping to change at page 25, line 10
For GSS-API implementations supporting multiple namespaces, For GSS-API implementations supporting multiple namespaces,
GSSName implementations MUST contain sufficient information to GSSName implementations MUST contain sufficient information to
determine the namespace to which each primitive name belongs. determine the namespace to which each primitive name belongs.
2) Mechanism-specific contiguous byte array and string forms: 2) Mechanism-specific contiguous byte array and string forms:
Different GSSName initialization methods are provided to handle Different GSSName initialization methods are provided to handle
both byte array and string formats and to accommodate various both byte array and string formats and to accommodate various
calling applications and name types. These formats are capable of calling applications and name types. These formats are capable of
containing only a single name (from a single namespace). containing only a single name (from a single namespace).
Contiguous string names are always accompanied by an object Contiguous string names are always accompanied by an Object
identifier specifying the namespace to which the name belongs, and Identifier specifying the namespace to which the name belongs, and
their format is dependent on the authentication mechanism that their format is dependent on the authentication mechanism that
employs that name. The string name forms are assumed to be employs that name. The string name forms are assumed to be
printable, and may therefore be used by GSS-API applications for printable and may therefore be used by GSS-API applications for
communication with their users. The byte array name formats are communication with their users. The byte array name formats are
assumed to be in non-printable formats (e.g., the byte array assumed to be in non-printable formats (e.g., the byte array
returned from the export method of the GSSName interface). returned from the export method of the GSSName interface).
A GSSName object can be converted to a contiguous representation by A GSSName object can be converted to a contiguous representation by
using the toString method. This will guarantee that the name will be using the toString method. This will guarantee that the name will be
converted to a printable format. Different initialization methods in converted to a printable format. Different initialization methods in
the GSSName interface are defined allowing support for multiple the GSSName interface are defined to allow support for multiple
syntaxes for each supported namespace, and allowing users the freedom syntaxes for each supported namespace and to allow users the freedom
to choose a preferred name representation. The toString method to choose a preferred name representation. The toString method
SHOULD use an implementation-chosen printable syntax for each SHOULD use an implementation-chosen printable syntax for each
supported name type. To obtain the printable name type, supported name type. To obtain the printable name type, the
getStringNameType method can be used. getStringNameType method can be used.
There is no guarantee that calling the toString method on the GSSName There is no guarantee that calling the toString method on the GSSName
interface will produce the same string form as the original imported interface will produce the same string form as the original imported
string name. Furthermore, it is possible that the name was not even string name. Furthermore, it is possible that the name was not even
constructed from a string representation. The same applies to constructed from a string representation. The same applies to
namespace identifiers, which may not necessarily survive unchanged namespace identifiers, which may not necessarily survive unchanged
after a journey through the internal name form. An example of this after a journey through the internal name form. An example of this
might be a mechanism that authenticates X.500 names, but provides an might be a mechanism that authenticates X.500 names but provides an
algorithmic mapping of Internet DNS names into X.500. That algorithmic mapping of Internet DNS names into X.500. That
mechanism's implementation of GSSName might, when presented with a mechanism's implementation of GSSName might, when presented with a
DNS name, generate an internal name that contained both the original DNS name, generate an internal name that contained both the original
DNS name and the equivalent X.500 name. Alternatively, it might only DNS name and the equivalent X.500 name. Alternatively, it might only
store the X.500 name. In the latter case, the toString method of store the X.500 name. In the latter case, the toString method of
GSSName would most likely generate a printable X.500 name, rather GSSName would most likely generate a printable X.500 name, rather
than the original DNS name. than the original DNS name.
The context acceptor can obtain a GSSName object representing the The context acceptor can obtain a GSSName object representing the
entity performing the context initiation (through the usage of entity performing the context initiation (through the usage of the
getSrcName method). Since this name has been authenticated by a getSrcName method). Since this name has been authenticated by a
single mechanism, it contains only a single name (even if the single mechanism, it contains only a single name (even if the
internal name presented by the context initiator to the GSSContext internal name presented by the context initiator to the GSSContext
object had multiple components). Such names are termed internal- object had multiple components). Such names are termed internal-
mechanism names (or MNs), and the names emitted by GSSContext mechanism names (or MNs), and the names emitted by the GSSContext
interface in the getSrcName and getTargName are always of this type. interface's getSrcName and getTargName methods are always of this
Since some applications may require MNs without wanting to incur the type. Since some applications may require MNs without wanting to
overhead of an authentication operation, creation methods are incur the overhead of an authentication operation, creation methods
provided that take not only the name buffer and name type, but also are provided that take not only the name buffer and name type but
the mechanism oid for which this name should be created. When also the mechanism OID for which this name should be created. When
dealing with an existing GSSName object, the canonicalize method may dealing with an existing GSSName object, the canonicalize method may
be invoked to convert a general internal name into an MN. be invoked to convert a general internal name into an MN.
GSSName objects can be compared using their equal method, which GSSName objects can be compared using their equal method, which
returns "true" if the two names being compared refer to the same returns "true" if the two names being compared refer to the same
entity. This is the preferred way to perform name comparisons entity. This is the preferred way to perform name comparisons
instead of using the printable names that a given GSS-API instead of using the printable names that a given GSS-API
implementation may support. Since GSS-API assumes that all primitive implementation may support. Since GSS-API assumes that all primitive
names contained within a given internal name refer to the same names contained within a given internal name refer to the same
entity, equal can return "true" if the two names have at least one entity, equal can return "true" if the two names have at least one
primitive name in common. If the implementation embodies knowledge primitive name in common. If the implementation embodies knowledge
of equivalence relationships between names taken from different of equivalence relationships between names taken from different
namespaces, this knowledge may also allow successful comparisons of namespaces, this knowledge may also allow successful comparisons of
internal names containing no overlapping primitive elements. internal names containing no overlapping primitive elements.
However, applications SHOULD note that to avoid surpising behavior, However, applications SHOULD note that to avoid surprising behavior,
it is best to ensure that the names being compared are either both it is best to ensure that the names being compared are either both
mechanism names for the same mechanism, or both internal names that mechanism names for the same mechanism or both internal names that
are not mechanism names. This holds whether the equals method is are not mechanism names. This holds whether the equals method is
used directly, or the export method is used to generate byte strings used directly or the export method is used to generate byte strings
that are then compared byte-by-byte. that are then compared byte-by-byte.
When used in large access control lists, the overhead of creating a When used in large access control lists, the overhead of creating a
GSSName object on each name and invoking the equal method on each GSSName object on each name and invoking the equal method on each
name from the Access Control List (ACL) may be prohibitive. As an name from the Access Control List (ACL) may be prohibitive. As an
alternative way of supporting this case, GSS-API defines a special alternative way of supporting this case, GSS-API defines a special
form of the contiguous byte array name, which MAY be compared form of the contiguous byte array name, which MAY be compared
directly (byte by byte). Contiguous names suitable for comparison directly (byte by byte). Contiguous names suitable for comparison
are generated by the export method. Exported names MAY be re- are generated by the export method. Exported names MAY be
imported by using the byte array constructor and specifying the re-imported by using the byte array constructor and specifying the
NT_EXPORT_NAME as the name type object identifier. The resulting NT_EXPORT_NAME as the name type Object Identifier. The resulting
GSSName name will also be a MN. GSSName name will also be an MN.
The GSSName interface defines public static Oid objects representing The GSSName interface defines public static Oid objects representing
the standard name types. Structurally, an exported name object the standard name types. Structurally, an exported name object
consists of a header containing an OID identifying the mechanism that consists of a header containing an OID identifying the mechanism that
authenticated the name, and a trailer containing the name itself, authenticated the name, and a trailer containing the name itself,
where the syntax of the trailer is defined by the individual where the syntax of the trailer is defined by the individual
mechanism specification. Detailed description of the format is mechanism specification. Detailed description of the format is
specified in the language-independent GSS-API specification specified in the language-independent GSS-API specification
[RFC2743]. [RFC2743].
Note that the results obtained by using the equals method will in Note that the results obtained by using the equals method will in
general be different from those obtained by invoking canonicalize and general be different from those obtained by invoking canonicalize and
export, and then comparing the byte array output. The first series export and then comparing the byte array output. The first series of
of operation determines whether two (unauthenticated) names identify operation determines whether two (unauthenticated) names identify the
the same principal; the second whether a particular mechanism would same principal; the second determines whether a particular mechanism
authenticate them as the same principal. These two operations will would authenticate them as the same principal. These two operations
in general give the same results only for MNs. will in general give the same results only for MNs.
It is important to note that the above are guidelines as to how It is important to note that the above are guidelines as to how
GSSName implementations SHOULD behave, and are not intended to be GSSName implementations SHOULD behave and are not intended to be
specific requirements of how name objects must be implemented. The specific requirements of how name objects must be implemented. The
mechanism designers are free to decide on the details of their mechanism designers are free to decide on the details of their
implementations of the GSSName interface as long as the behavior implementations of the GSSName interface as long as the behavior
satisfies the above guidelines. satisfies the above guidelines.
5.14. Channel Bindings 5.14. Channel Bindings
GSS-API supports the use of user-specified tags to identify a given GSS-API supports the use of user-specified tags to identify a given
context to the peer application. These tags are intended to be used context to the peer application. These tags are intended to be used
to identify the particular communications channel that carries the to identify the particular communications channel that carries the
context. Channel bindings are communicated to the GSS-API using the context. Channel bindings are communicated to the GSS-API using the
ChannelBinding object. The application MAY use byte arrays to ChannelBinding object. The application MAY use byte arrays as well
specify the application data to be used in the channel binding as as instances of InetAddress to specify the application data to be
well as using instances of the InetAddress. The InetAddress for the used in the channel binding. The InetAddress for the initiator and/
initiator and/or acceptor can be used within an instance of a or acceptor can be used within an instance of a ChannelBinding.
ChannelBinding. ChannelBinding can be set for the GSSContext object ChannelBinding can be set for the GSSContext object using the
using the setChannelBinding method before the first call to init or setChannelBinding method before the first call to init or accept has
accept has been performed. Unless the setChannelBinding method has been performed. Unless the setChannelBinding method has been used to
been used to set the ChannelBinding for a GSSContext object, "null" set the ChannelBinding for a GSSContext object, "null" ChannelBinding
ChannelBinding will be assumed. InetAddress is currently the only will be assumed. InetAddress is currently the only address type
address type defined within the Java platform and as such, it is the defined within the Java platform and as such, it is the only one
only one supported within the ChannelBinding class. Applications supported within the ChannelBinding class. Applications that use
that use other types of addresses can include them as part of the other types of addresses can include them as part of the application-
application-specific data. specific data.
Conceptually, the GSS-API concatenates the initiator and acceptor Conceptually, the GSS-API concatenates the initiator and acceptor
address information, and the application-supplied byte array to form address information and the application-supplied byte array to form
an octet-string. The mechanism calculates a Message Integrity Code an octet string. The mechanism calculates a Message Integrity Code
(MIC) over this octet-string and binds the MIC to the context (MIC) over this octet string and binds the MIC to the context
establishment token emitted by the init method of the GSSContext establishment token emitted by the init method of the GSSContext
interface. The same bindings are set by the context acceptor for its interface. The same bindings are set by the context acceptor for its
GSSContext object and during processing of the accept method, a MIC GSSContext object, and during processing of the accept method, a MIC
is calculated in the same way. The calculated MIC is compared with is calculated in the same way. The calculated MIC is compared with
that found in the token, and if the MICs differ, accept will throw a that found in the token, and if the MICs differ, accept will throw a
GSSException with the major code set to BAD_BINDINGS, and the context GSSException with the major code set to BAD_BINDINGS, and the context
will not be established. Some mechanisms may include the actual will not be established. Some mechanisms may include the actual
channel binding data in the token (rather than just a MIC); channel-binding data in the token (rather than just a MIC);
applications SHOULD therefore not use confidential data as channel- applications SHOULD therefore not use confidential data as channel-
binding components. binding components.
Individual mechanisms may impose additional constraints on addresses Individual mechanisms may impose additional constraints on addresses
that may appear in channel bindings. For example, a mechanism may that may appear in channel bindings. For example, a mechanism may
verify that the initiator address field of the channel binding verify that the initiator address field of the channel binding
contains the correct network address of the host system. Portable contains the correct network address of the host system. Portable
applications SHOULD therefore ensure that they either provide correct applications SHOULD therefore ensure that they either provide correct
information for the address fields, or omit the setting of the information for the address fields or omit the setting of the
addressing information. addressing information.
5.15. Optional Parameters 5.15. Optional Parameters
Whenever the application wishes to omit an optional parameter the Whenever the application wishes to omit an optional parameter, the
"null" value SHALL be used. The detailed method descriptions "null" value SHALL be used. The detailed method descriptions
indicate which parameters are optional. Method overloading has also indicate which parameters are optional. Method overloading has also
been used as a technique to indicate default parameters. been used as a technique to indicate default parameters.
6. Introduction to GSS-API Classes and Interfaces 6. Introduction to GSS-API Classes and Interfaces
This section presents a brief description of the classes and This section presents a brief description of the classes and
interfaces that constitute the GSS-API. The implementations of these interfaces that constitute the GSS-API. The implementations of these
are obtained from the CLASSPATH defined by the application. If Java are obtained from the CLASSPATH defined by the application. If Java
GSS becomes part of the standard Java APIs, then these classes will GSS becomes part of the standard Java APIs, then these classes will
be available by default on all systems as part of the JRE's system be available by default on all systems as part of the JRE's system
classes. classes.
This section also shows the corresponding RFC 2743 [RFC2743] This section also shows the corresponding RFC 2743 [RFC2743]
functionality implemented by each of the classes. Detailed functionality implemented by each of the classes. Detailed
description of these classes and their methods is presented in description of these classes and their methods is presented in
section 7 Section 7.
6.1. GSSManager Class 6.1. GSSManager Class
This abstract class serves as a factory to instantiate This abstract class serves as a factory to instantiate
implementations of the GSS-API interfaces and also provides methods implementations of the GSS-API interfaces and also provides methods
to make queries about underlying security mechanisms. to make queries about underlying security mechanisms.
A default implementation can be obtained using the static method A default implementation can be obtained using the static method
getInstance(). Applications that desire to provide their own getInstance(). Applications that desire to provide their own
implementation of the GSSManager class can simply extend the abstract implementation of the GSSManager class can simply extend the abstract
skipping to change at page 28, line 16 skipping to change at page 29, line 14
This class contains equivalents of the following RFC 2743 [RFC2743] This class contains equivalents of the following RFC 2743 [RFC2743]
routines: routines:
+----------------------------+-------------------------+------------+ +----------------------------+-------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+----------------------------+-------------------------+------------+ +----------------------------+-------------------------+------------+
| gss_import_name | Create an internal name | 7.1.5 - | | gss_import_name | Create an internal name | 7.1.5 - |
| | from the supplied | 7.1.8 | | | from the supplied | 7.1.8 |
| | information. | | | | information. | |
| | | |
| gss_acquire_cred | Acquire credential for | 7.1.9 - | | gss_acquire_cred | Acquire credential for | 7.1.9 - |
| | use. | 7.1.11 | | | use. | 7.1.11 |
| | | |
| gss_import_sec_context | Create a previously | 7.1.14 | | gss_import_sec_context | Create a previously | 7.1.14 |
| | exported context. | | | | exported context. | |
| | | |
| gss_indicate_mechs | List the mechanisms | 7.1.2 | | gss_indicate_mechs | List the mechanisms | 7.1.2 |
| | supported by this GSS- | | | | supported by this GSS- | |
| | API implementation. | | | | API implementation. | |
| | | |
| gss_inquire_mechs_for_name | List the mechanisms | 7.1.4 | | gss_inquire_mechs_for_name | List the mechanisms | 7.1.4 |
| | supporting the | | | | supporting the | |
| | specified name type. | | | | specified name type. | |
| | | |
| gss_inquire_names_for_mech | List the name types | 7.1.3 | | gss_inquire_names_for_mech | List the name types | 7.1.3 |
| | supported by the | | | | supported by the | |
| | specified mechanism. | | | | specified mechanism. | |
+----------------------------+-------------------------+------------+ +----------------------------+-------------------------+------------+
6.2. GSSName Interface 6.2. GSSName Interface
GSS-API names are represented in the Java bindings through the GSS-API names are represented in the Java bindings through the
GSSName interface. Different name formats and their definitions are GSSName interface. Different name formats and their definitions are
identified with Universal Object Identifiers (oids). The format of identified with Universal OIDs. The format of the names can be
the names can be derived based on the unique oid of each name type. derived based on the unique OID of each name type. The following
The following GSS-API routines are provided by the GSSName interface: GSS-API routines are provided by the GSSName interface:
+-----------------------+------------------------------+------------+ +-----------------------+------------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+-----------------------+------------------------------+------------+ +-----------------------+------------------------------+------------+
| gss_display_name | Convert internal name | 7.2.6 | | gss_display_name | Convert internal name | 7.2.6 |
| | representation to text | | | | representation to text | |
| | format. | | | | format. | |
| | | |
| gss_compare_name | Compare two internal names. | 7.2.2, | | gss_compare_name | Compare two internal names. | 7.2.2, |
| | | 7.2.3 | | | | 7.2.3 |
| | | |
| gss_release_name | Release resources associated | N/A | | gss_release_name | Release resources associated | N/A |
| | with the internal name. | | | | with the internal name. | |
| | | |
| gss_canonicalize_name | Convert an internal name to | 7.2.4 | | gss_canonicalize_name | Convert an internal name to | 7.2.4 |
| | a mechanism name. | | | | a mechanism name. | |
| | | |
| gss_export_name | Convert a mechanism name to | 7.2.5 | | gss_export_name | Convert a mechanism name to | 7.2.5 |
| | export format. | | | | export format. | |
| | | |
| gss_duplicate_name | Create a copy of the | N/A | | gss_duplicate_name | Create a copy of the | N/A |
| | internal name. | | | | internal name. | |
+-----------------------+------------------------------+------------+ +-----------------------+------------------------------+------------+
The gss_release_name call is not provided as Java does its own The gss_release_name call is not provided as Java does its own
garbage collection. The gss_duplicate_name call is also redundant; garbage collection. The gss_duplicate_name call is also redundant;
the GSSName interface has no mutator methods that can change the the GSSName interface has no mutator methods that can change the
state of the object so it is safe for sharing across threads. state of the object, so it is safe for sharing across threads.
6.3. GSSCredential Interface 6.3. GSSCredential Interface
The GSSCredential interface is responsible for the encapsulation of The GSSCredential interface is responsible for the encapsulation of
GSS-API credentials. Credentials identify a single entity and GSS-API credentials. Credentials identify a single entity and
provide the necessary cryptographic information to enable the provide the necessary cryptographic information to enable the
creation of a context on behalf of that entity. A single credential creation of a context on behalf of that entity. A single credential
may contain multiple mechanism-specific credentials, each referred to may contain multiple mechanism-specific credentials, each referred to
as a credential element. The GSSCredential interface provides the as a credential element. The GSSCredential interface provides the
functionality of the following GSS-API routines: functionality of the following GSS-API routines:
+--------------------------+---------------------------+------------+ +--------------------------+---------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+--------------------------+---------------------------+------------+ +--------------------------+---------------------------+------------+
| gss_add_cred | Constructs credentials | 7.3.11 | | gss_add_cred | Constructs credentials | 7.3.11 |
| | incrementally. | | | | incrementally. | |
| | | |
| gss_inquire_cred | Obtain information about | 7.3.3 - | | gss_inquire_cred | Obtain information about | 7.3.3 - |
| | credential. | 7.3.10 | | | credential. | 7.3.10 |
| | | |
| gss_inquire_cred_by_mech | Obtain per-mechanism | 7.3.4 - | | gss_inquire_cred_by_mech | Obtain per-mechanism | 7.3.4 - |
| | information about a | 7.3.9 | | | information about a | 7.3.9 |
| | credential. | | | | credential. | |
| | | |
| gss_release_cred | Dispose of credentials | 7.3.2 | | gss_release_cred | Dispose of credentials | 7.3.2 |
| | after use. | | | | after use. | |
+--------------------------+---------------------------+------------+ +--------------------------+---------------------------+------------+
6.4. GSSContext Interface 6.4. GSSContext Interface
This interface encapsulates the functionality of context-level calls This interface encapsulates the functionality of context-level calls
required for security context establishment and management between required for security context establishment and management between
peers as well as the per-message services offered to applications. A peers as well as the per-message services offered to applications. A
context is established between a pair of peers and allows the usage context is established between a pair of peers and allows the usage
skipping to change at page 31, line 11 skipping to change at page 31, line 22
is created over a single security mechanism. The GSSContext is created over a single security mechanism. The GSSContext
interface provides the functionality of the following GSS-API interface provides the functionality of the following GSS-API
routines: routines:
+------------------------+-----------------------------+------------+ +------------------------+-----------------------------+------------+
| RFC 2743 Routine | Function | Section(s) | | RFC 2743 Routine | Function | Section(s) |
+------------------------+-----------------------------+------------+ +------------------------+-----------------------------+------------+
| gss_init_sec_context | Initiate the creation of a | 7.4.2 | | gss_init_sec_context | Initiate the creation of a | 7.4.2 |
| | security context with a | | | | security context with a | |
| | peer. | | | | peer. | |
| | | |
| gss_accept_sec_context | Accept a security context | 7.4.3 | | gss_accept_sec_context | Accept a security context | 7.4.3 |
| | initiated by a peer. | | | | initiated by a peer. | |
| | | |
| gss_delete_sec_context | Destroy a security context. | 7.4.5 | | gss_delete_sec_context | Destroy a security context. | 7.4.5 |
| | | |
| gss_context_time | Obtain remaining context | 7.4.30 | | gss_context_time | Obtain remaining context | 7.4.30 |
| | time. | | | | time. | |
| | | |
| gss_inquire_context | Obtain context | 7.4.21 - | | gss_inquire_context | Obtain context | 7.4.21 - |
| | characteristics. | 7.4.35 | | | characteristics. | 7.4.35 |
| | | |
| gss_wrap_size_limit | Determine token-size limit | 7.4.6 | | gss_wrap_size_limit | Determine token-size limit | 7.4.6 |
| | for gss_wrap. | | | | for gss_wrap. | |
| | | |
| gss_export_sec_context | Transfer security context | 7.4.11 | | gss_export_sec_context | Transfer security context | 7.4.11 |
| | to another process. | | | | to another process. | |
| | | |
| gss_get_mic | Calculate a cryptographic | 7.4.9 | | gss_get_mic | Calculate a cryptographic | 7.4.9 |
| | Message Integrity Code | | | | Message Integrity Code | |
| | (MIC) for a message. | | | | (MIC) for a message. | |
| | | |
| gss_verify_mic | Verify integrity on a | 7.4.10 | | gss_verify_mic | Verify integrity on a | 7.4.10 |
| | received message. | | | | received message. | |
| | | |
| gss_wrap | Attach a MIC to a message | 7.4.7 | | gss_wrap | Attach a MIC to a message | 7.4.7 |
| | and optionally encrypt the | | | | and optionally encrypt the | |
| | message content. | | | | message content. | |
| | | |
| gss_unwrap | Obtain a previously wrapped | 7.4.8 | | gss_unwrap | Obtain a previously wrapped | 7.4.8 |
| | application message | | | | application message | |
| | verifying its integrity and | | | | verifying its integrity and | |
| | optionally decrypting it. | | | | optionally decrypting it. | |
+------------------------+-----------------------------+------------+ +------------------------+-----------------------------+------------+
The functionality offered by the gss_process_context_token routine The functionality offered by the gss_process_context_token routine
has not been included in the Java bindings specification. The has not been included in the Java bindings specification. The
corresponding functionality of gss_delete_sec_context has also been corresponding functionality of gss_delete_sec_context has also been
modified to not return any peer tokens. This has been proposed in modified to not return any peer tokens. This has been proposed in
accordance to the recommendations stated in RFC 2743 [RFC2743]. accordance to the recommendations stated in RFC 2743 [RFC2743].
GSSContext does offer the functionality of destroying the locally GSSContext does offer the functionality of destroying the locally
stored context information. stored context information.
6.5. MessageProp Class 6.5. MessageProp Class
This helper class is used in the per-message operations on the This helper class is used in the per-message operations on the
context. An instance of this class is created by the application and context. An instance of this class is created by the application and
then passed into the per-message calls. In some cases, the then passed into the per-message calls. In some cases, the
application conveys information to the GSS-API implementation through application conveys information to the GSS-API implementation through
this object and in other cases the GSS-API returns information to the this object, and in other cases, the GSS-API returns information to
application by setting it in this object. See the description of the the application by setting it in this object. See the description of
per-message operations wrap, unwrap, getMIC, and verifyMIC in the the per-message operations wrap, unwrap, getMIC, and verifyMIC in the
GSSContext interfaces for details. GSSContext interfaces for details.
6.6. GSSException Class 6.6. GSSException Class
Exceptions are used in the Java bindings to signal fatal errors to Exceptions are used in the Java bindings to signal fatal errors to
the calling applications. This replaces the major and minor codes the calling applications. This replaces the major and minor codes
used in the C-bindings specification as a method of signaling used in the C-bindings specification as a method of signaling
failures. The GSSException class handles both minor and major codes, failures. The GSSException class handles both minor and major codes,
as well as their translation into textual representation. All GSS- as well as their translation into textual representation. All
API methods are declared as throwing this exception. GSS-API methods are declared as throwing this exception.
+--------------------+----------------------------+-----------------+ +--------------------+----------------------------+-----------------+
| RFC 2743 Routine | Function | Section | | RFC 2743 Routine | Function | Section |
+--------------------+----------------------------+-----------------+ +--------------------+----------------------------+-----------------+
| gss_display_status | Retrieve textual | 7.8.5, 7.8.6, | | gss_display_status | Retrieve textual | 7.8.5, 7.8.6, |
| | representation of error | 7.8.9, 7.8.10 | | | representation of error | 7.8.9, 7.8.10 |
| | codes. | | | | codes. | |
+--------------------+----------------------------+-----------------+ +--------------------+----------------------------+-----------------+
6.7. Oid Class 6.7. Oid Class
This utility class is used to represent Universal Object Identifiers This utility class is used to represent Universal Object Identifiers
and their associated operations. GSS-API uses object identifiers to and their associated operations. GSS-API uses Object Identifiers to
distinguish between security mechanisms and name types. This class, distinguish between security mechanisms and name types. This class,
aside from being used whenever an object identifier is needed, aside from being used whenever an Object Identifier is needed,
implements the following GSS-API functionality: implements the following GSS-API functionality:
+-------------------------+-------------------------------+---------+ +-------------------------+-------------------------------+---------+
| RFC 2743 Routine | Function | Section | | RFC 2743 Routine | Function | Section |
+-------------------------+-------------------------------+---------+ +-------------------------+-------------------------------+---------+
| gss_test_oid_set_member | Determine if the specified | 7.7.5 | | gss_test_oid_set_member | Determine if the specified | 7.7.5 |
| | oid is part of a set of oids. | | | | OID is part of a set of OIDs. | |
+-------------------------+-------------------------------+---------+ +-------------------------+-------------------------------+---------+
6.8. ChannelBinding Class 6.8. ChannelBinding Class
An instance of this class is used to specify channel binding An instance of this class is used to specify channel-binding
information to the GSSContext object before the start of a security information to the GSSContext object before the start of a security
context establishment. The application may use a byte array to context establishment. The application may use a byte array to
specify application data to be used in the channel binding as well as specify application data to be used in the channel binding as well as
to use instances of the InetAddress. InetAddress is currently the to use instances of the InetAddress. InetAddress is currently the
only address type defined within the Java platform and as such, it is only address type defined within the Java platform and as such, it is
the only one supported within the ChannelBinding class. Applications the only one supported within the ChannelBinding class. Applications
that use other types of addresses can include them as part of the that use other types of addresses can include them as part of the
application data. application data.
7. Detailed GSS-API Class Description 7. Detailed GSS-API Class Description
skipping to change at page 33, line 33 skipping to change at page 33, line 39
MAY be obtained through the static method getInstance(), but MAY be obtained through the static method getInstance(), but
applications are free to instantiate other subclasses of GSSManager. applications are free to instantiate other subclasses of GSSManager.
All but one method in this class are declared abstract. This means All but one method in this class are declared abstract. This means
that subclasses have to provide the complete implementation for those that subclasses have to provide the complete implementation for those
methods. The only exception to this is the static method methods. The only exception to this is the static method
getInstance(), which will have platform-specific code to return an getInstance(), which will have platform-specific code to return an
instance of the default subclass. instance of the default subclass.
Platform providers of GSS are REQUIRED not to add any constructors to Platform providers of GSS are REQUIRED not to add any constructors to
this class, private, public, or protected. This will ensure that all this class, whether the constructor is private, public, or protected.
subclasses invoke only the default constructor provided to the base This will ensure that all subclasses invoke only the default
class by the compiler. constructor provided to the base class by the compiler.
A subclass extending the GSSManager abstract class MAY be implemented A subclass extending the GSSManager abstract class MAY be implemented
as a modular provider-based layer that utilizes some well-known as a modular provider-based layer that utilizes some well-known
service provider specification. The GSSManager API provides the service provider specification. The GSSManager API provides the
application with methods to set provider preferences on such an application with methods to set provider preferences on such an
implementation. These methods also allow the implementation to throw implementation. These methods also allow the implementation to throw
a well-defined exception in case provider-based configuration is not a well-defined exception in case provider-based configuration is not
supported. Applications that expect to be portable SHOULD be aware supported. Applications that expect to be portable SHOULD be aware
of this and recover cleanly by catching the exception. of this and recover cleanly by catching the exception.
skipping to change at page 34, line 15 skipping to change at page 34, line 21
2) The application wants a particular provider to be used 2) The application wants a particular provider to be used
preferentially, either for a particular mechanism or all the time, preferentially, either for a particular mechanism or all the time,
irrespective of the mechanism. irrespective of the mechanism.
3) The application wants to use the locally configured providers as 3) The application wants to use the locally configured providers as
far as possible, but if support is missing for one or more far as possible, but if support is missing for one or more
mechanisms, then it wants to fall back on its own provider. mechanisms, then it wants to fall back on its own provider.
The GSSManager class has two methods that enable these modes of The GSSManager class has two methods that enable these modes of
usage: addProviderAtFront() and addProviderAtEnd(). These methods usage: addProviderAtFront() and addProviderAtEnd(). These methods
have the effect of creating an ordered list of <provider, oid> pairs have the effect of creating an ordered list of <provider, OID> pairs
where each pair indicates a preference of provider for a given oid. where each pair indicates a preference of provider for a given OID.
The use of these methods does not require any knowledge of whatever The use of these methods does not require any knowledge of whatever
service provider specification the GSSManager subclass follows. It service provider specification the GSSManager subclass follows. It
is hoped that these methods will serve the needs of most is hoped that these methods will serve the needs of most
applications. Additional methods MAY be added to an extended applications. Additional methods MAY be added to an extended
GSSManager that could be part of a service provider specification GSSManager that could be part of a service provider specification
that is standardized later. that is standardized later.
When neither of the methods is called, the implementation SHOULD When neither of the methods is called, the implementation SHOULD
choose a default provider for each mechanism it supports. choose a default provider for each mechanism it supports.
skipping to change at page 34, line 39 skipping to change at page 34, line 45
public static GSSManager getInstance() public static GSSManager getInstance()
Returns the default GSSManager implementation. Returns the default GSSManager implementation.
7.1.2. getMechs 7.1.2. getMechs
public abstract Oid[] getMechs() public abstract Oid[] getMechs()
Returns an array of Oid objects indicating the mechanisms available Returns an array of Oid objects indicating the mechanisms available
to GSS-API callers. A "null" value is returned when no mechanism are to GSS-API callers. A "null" value is returned when no mechanisms
available (an example of this would be when mechanism are dynamically are available (an example of this would be when mechanisms are
configured, and currently no mechanisms are installed). dynamically configured, and currently no mechanisms are installed).
7.1.3. getNamesForMech 7.1.3. getNamesForMech
public abstract Oid[] getNamesForMech(Oid mech) public abstract Oid[] getNamesForMech(Oid mech)
throws GSSException throws GSSException
Returns name type Oid's supported by the specified mechanism. Returns name type OIDs supported by the specified mechanism.
Parameters: Parameters:
mech The Oid object for the mechanism to query. mech The Oid object for the mechanism to query.
7.1.4. getMechsForName 7.1.4. getMechsForName
public abstract Oid[] getMechsForName(Oid nameType) public abstract Oid[] getMechsForName(Oid nameType)
Returns an array of Oid objects corresponding to the mechanisms that Returns an array of Oid objects corresponding to the mechanisms that
skipping to change at page 35, line 26 skipping to change at page 35, line 37
7.1.5. createName 7.1.5. createName
public abstract GSSName createName(String nameStr, Oid nameType) public abstract GSSName createName(String nameStr, Oid nameType)
throws GSSException throws GSSException
Factory method to convert a contiguous string name from the specified Factory method to convert a contiguous string name from the specified
namespace to a GSSName object. In general, the GSSName object namespace to a GSSName object. In general, the GSSName object
created will not be an MN; two examples that are exceptions to this created will not be an MN; two examples that are exceptions to this
are when the namespace type parameter indicates NT_EXPORT_NAME or are when the namespace type parameter indicates NT_EXPORT_NAME or
when the GSS-API implementation is not multi-mechanism. when the GSS-API implementation does not support multiple mechanisms.
Parameters: Parameters:
nameStr The string representing a printable form of the nameStr The string representing a printable form of the
name to create. name to create.
nameType The Oid specifying the namespace of the printable nameType The OID specifying the namespace of the printable
name is supplied. Note that nameType serves to name is supplied. Note that nameType serves to
describe and qualify the interpretation of the describe and qualify the interpretation of the
input nameStr, it does not necessarily imply a input nameStr; it does not necessarily imply a
type for the output GSSName implementation. The type for the output GSSName implementation. The
"null" value can be used to specify that a "null" value can be used to specify that a
mechanism-specific default printable syntax mechanism-specific default printable syntax
SHOULD be assumed by each mechanism that examines SHOULD be assumed by each mechanism that examines
nameStr. nameStr.
7.1.6. createName 7.1.6. createName
public abstract GSSName createName(byte[] name, Oid nameType) public abstract GSSName createName(byte[] name, Oid nameType)
throws GSSException throws GSSException
Factory method to convert a contiguous byte array containing a name Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object. In general, the from the specified namespace to a GSSName object. In general, the
GSSName object created will not be an MN; two examples that are GSSName object created will not be an MN; two examples that are
exceptions to this are when the namespace type parameter indicates exceptions to this are when the namespace type parameter indicates
NT_EXPORT_NAME or when the GSS-API implementation is not multi- NT_EXPORT_NAME or when the GSS-API implementation is not a multi-
mechanism. mechanism.
Parameters: Parameters:
name The byte array containing the name to create. name The byte array containing the name to create.
nameType The Oid specifying the namespace of the name nameType The OID specifying the namespace of the name
supplied in the byte array. Note that nameType supplied in the byte array. Note that nameType
serves to describe and qualify the interpretation serves to describe and qualify the interpretation
of the input name byte array; it does not of the input name byte array; it does not
necessarily imply a type for the output GSSName necessarily imply a type for the output GSSName
implementation. The "null" value can be used to implementation. The "null" value can be used to
specify that a mechanism-specific default syntax specify that a mechanism-specific default syntax
SHOULD be assumed by each mechanism that examines SHOULD be assumed by each mechanism that examines
the byte array. the byte array.
7.1.7. createName 7.1.7. createName
public abstract GSSName createName(String nameStr, Oid nameType, public abstract GSSName createName(String nameStr, Oid nameType,
Oid mech) throws GSSException Oid mech) throws GSSException
Factory method to convert a contiguous string name from the specified Factory method to convert a contiguous string name from the specified
namespace to a GSSName object that is a mechanism name (MN). In namespace to a GSSName object that is a mechanism name (MN). In
other words, this method is a utility that does the equivalent of two other words, this method is a utility that does the equivalent of two
steps: the createName described in section 7.1.5, and then also the steps: the createName described in Section 7.1.5 and also the
GSSName.canonicalize() described in section 7.2.4. GSSName.canonicalize() described in Section 7.2.4.
Parameters: Parameters:
nameStr The string representing a printable form of the nameStr The string representing a printable form of the
name to create. name to create.
nameType The Oid specifying the namespace of the printable nameType The OID specifying the namespace of the printable
name supplied. Note that nameType serves to name supplied. Note that nameType serves to
describe and qualify the interpretation of the describe and qualify the interpretation of the
input nameStr; it does not necessarily imply a input nameStr; it does not necessarily imply a
type for the output GSSName implementation. The type for the output GSSName implementation. The
"null" value can be used to specify that a "null" value can be used to specify that a
mechanism-specific default printable syntax mechanism-specific default printable syntax
SHOULD be assumed when the mechanism examines SHOULD be assumed when the mechanism examines
nameStr. nameStr.
mech Oid specifying the mechanism for which this name mech OID specifying the mechanism for which this name
should be created. should be created.
7.1.8. createName 7.1.8. createName
public abstract GSSName createName(byte[] name, Oid nameType, public abstract GSSName createName(byte[] name, Oid nameType,
Oid mech) throws GSSException Oid mech) throws GSSException
Factory method to convert a contiguous byte array containing a name Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object that is an MN. In from the specified namespace to a GSSName object that is an MN. In
other words, this method is a utility that does the equivalent of two other words, this method is a utility that does the equivalent of two
steps: the createName described in section 7.1.6, and then also the steps: the createName described in Section 7.1.6 and also the
GSSName.canonicalize() described in section 7.2.4. GSSName.canonicalize() described in Section 7.2.4.
Parameters: Parameters:
name The byte array representing the name to create. name The byte array representing the name to create.
nameType The Oid specifying the namespace of the name nameType The OID specifying the namespace of the name
supplied in the byte array. Note that nameType supplied in the byte array. Note that nameType
serves to describe and qualify the interpretation serves to describe and qualify the interpretation
of the input name byte array, it does not of the input name byte array; it does not
necessarily imply a type for the output GSSName necessarily imply a type for the output GSSName
implementation. The "null" value can be used to implementation. The "null" value can be used to
specify that a mechanism-specific default syntax specify that a mechanism-specific default syntax
SHOULD be assumed by each mechanism that examines SHOULD be assumed by each mechanism that examines
the byte array. the byte array.
mech Oid specifying the mechanism for which this name mech OID specifying the mechanism for which this name
should be created. should be created.
7.1.9. createCredential 7.1.9. createCredential
public abstract GSSCredential createCredential(int usage) public abstract GSSCredential createCredential(int usage)
throws GSSException throws GSSException
Factory method for acquiring default credentials. This will cause Factory method for acquiring default credentials. This will cause
the GSS-API to use system-specific defaults for the set of the GSS-API to use system-specific defaults for the set of
mechanisms, name, and a DEFAULT lifetime. mechanisms, name, and a DEFAULT lifetime.
skipping to change at page 38, line 11 skipping to change at page 38, line 29
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
7.1.10. createCredential 7.1.10. createCredential
public abstract GSSCredential createCredential(GSSName aName, public abstract GSSCredential createCredential(GSSName aName,
int lifetime, Oid mech, int usage) int lifetime, Oid mech, int usage)
throws GSSException throws GSSException
Factory method for acquiring a single mechanism credential. Factory method for acquiring a single-mechanism credential.
Parameters: Parameters:
aName Name of the principal for whom this credential is aName Name of the principal for whom this credential is
to be acquired. Use "null" to specify the to be acquired. Use "null" to specify the
default principal. default principal.
lifetime The number of seconds that credentials should lifetime The number of seconds that credentials should
remain valid. Use remain valid. Use
GSSCredential.INDEFINITE_LIFETIME to request that GSSCredential.INDEFINITE_LIFETIME to request that
the credentials have the maximum permitted the credentials have the maximum permitted
lifetime. Use GSSCredential.DEFAULT_LIFETIME to lifetime. Use GSSCredential.DEFAULT_LIFETIME to
request default credential lifetime. request default credential lifetime.
mech The oid of the desired mechanism. Use "(Oid) mech The OID of the desired mechanism. Use "(Oid)
null" to request the default mechanism(s). null" to request the default mechanism.
usage The intended usage for this credential object. usage The intended usage for this credential object.
The value of this parameter MUST be one of: The value of this parameter MUST be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
7.1.11. createCredential 7.1.11. createCredential
public abstract GSSCredential createCredential(GSSName aName, public abstract GSSCredential createCredential(GSSName aName,
int lifetime, Oid[] mechs, int usage) int lifetime, Oid[] mechs, int usage)
throws GSSException throws GSSException
Factory method for acquiring credentials over a set of mechanisms. Factory method for acquiring credentials over a set of mechanisms.
Acquires credentials for each of the mechanisms specified in the Acquires credentials for each of the mechanisms specified in the
array called mechs. To determine the list of mechanisms' for which array called mechs. To determine the list of mechanisms for which
the acquisition of credentials succeeded, the caller should use the the acquisition of credentials succeeded, the caller should use the
GSSCredential.getMechs() method. GSSCredential.getMechs() method.
Parameters: Parameters:
aName Name of the principal for whom this credential is aName Name of the principal for whom this credential is
to be acquired. Use "null" to specify the to be acquired. Use "null" to specify the
default principal. default principal.
lifetime The number of seconds that credentials should lifetime The number of seconds that credentials should
skipping to change at page 39, line 38 skipping to change at page 40, line 9
throws GSSException throws GSSException
Factory method for creating a context on the initiator's side. Factory method for creating a context on the initiator's side.
Context flags may be modified through the mutator methods prior to Context flags may be modified through the mutator methods prior to
calling GSSContext.initSecContext(). calling GSSContext.initSecContext().
Parameters: Parameters:
peer Name of the target peer. peer Name of the target peer.
mech Oid of the desired mechanism. Use "(Oid) null" mech OID of the desired mechanism. Use "(Oid) null"
to request the default mechanism. to request the default mechanism.
myCred Credentials of the initiator. Use "null" to act myCred Credentials of the initiator. Use "null" to act
as a default initiator principal. as a default initiator principal.
lifetime The request lifetime, in seconds, for the lifetime The request lifetime, in seconds, for the
context. Use GSSContext.INDEFINITE_LIFETIME and context. Use GSSContext.INDEFINITE_LIFETIME and
GSSContext.DEFAULT_LIFETIME to request indefinite GSSContext.DEFAULT_LIFETIME to request indefinite
or default context lifetime. or default context lifetime.
7.1.13. createContext 7.1.13. createContext
public abstract GSSContext createContext(GSSCredential myCred) public abstract GSSContext createContext(GSSCredential myCred)
throws GSSException throws GSSException
Factory method for creating a context on the acceptor' side. The Factory method for creating a context on the acceptor's side. The
context's properties will be determined from the input token supplied context's properties will be determined from the input token supplied
to the accept method. to the accept method.
Parameters: Parameters:
myCred Credentials for the acceptor. Use "null" to act myCred Credentials for the acceptor. Use "null" to act
as a default acceptor principal. as a default acceptor principal.
7.1.14. createContext 7.1.14. createContext
skipping to change at page 40, line 41 skipping to change at page 41, line 13
method. method.
7.1.15. addProviderAtFront 7.1.15. addProviderAtFront
public abstract void addProviderAtFront(Provider p, Oid mech) public abstract void addProviderAtFront(Provider p, Oid mech)
throws GSSException throws GSSException
This method is used to indicate to the GSSManager that the This method is used to indicate to the GSSManager that the
application would like a particular provider to be used ahead of all application would like a particular provider to be used ahead of all
others when support is desired for the given mechanism. When a value others when support is desired for the given mechanism. When a value
of "null" is used instead of an Oid for the mechanism, the GSSManager of "null" is used instead of an Oid object for the mechanism, the
MUST use the indicated provider ahead of all others no matter what GSSManager MUST use the indicated provider ahead of all others no
the mechanism is. Only when the indicated provider does not support matter what the mechanism is. Only when the indicated provider does
the needed mechanism should the GSSManager move on to a different not support the needed mechanism should the GSSManager move on to a
provider. different provider.
Calling this method repeatedly preserves the older settings but Calling this method repeatedly preserves the older settings but
lowers them in preference thus forming an ordered list of provider lowers them in preference thus forming an ordered list of provider
and Oid pairs that grows at the top. and OID pairs that grows at the top.
Calling addProviderAtFront with a null Oid will remove all previous Calling addProviderAtFront with a null Oid will remove all previous
preferences that were set for this provider in the GSSManager preferences that were set for this provider in the GSSManager
instance. Calling addProviderAtFront with a non-null Oid will remove instance. Calling addProviderAtFront with a non-null Oid will remove
any previous preference that was set using this mechanism and this any previous preference that was set using this mechanism and this
provider together. provider together.
If the GSSManager implementation does not support an SPI with a If the GSSManager implementation does not support an SPI with a
pluggable provider architecture, it SHOULD throw a GSSException with pluggable provider architecture, it SHOULD throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the the status code GSSException.UNAVAILABLE to indicate that the
skipping to change at page 41, line 23 skipping to change at page 42, line 7
Parameters: Parameters:
p The provider instance that should be used p The provider instance that should be used
whenever support is needed for mech. whenever support is needed for mech.
mech The mechanism for which the provider is being mech The mechanism for which the provider is being
set. set.
7.1.15.1. addProviderAtFront Example Code 7.1.15.1. addProviderAtFront Example Code
Suppose an application desired that the provider A always be checked Suppose an application desired that provider A always be checked
first when any mechanism is needed, it would call: first when any mechanism is needed, it would call:
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
// mgr may at this point have its own pre-configured list // mgr may at this point have its own pre-configured list
// of provider preferences. The following will prepend to // of provider preferences. The following will prepend to
// any such list: // any such list:
mgr.addProviderAtFront(A, null); mgr.addProviderAtFront(A, null);
<CODE ENDS> <CODE ENDS>
Now if it also desired that the mechanism of Oid m1 always be Now if it also desired that the mechanism of OID m1 always be
obtained from the provider B before the previously set A was checked, obtained from provider B before the previous set A was checked, it
it would call: would call:
<CODE BEGINS> <CODE BEGINS>
mgr.addProviderAtFront(B, m1); mgr.addProviderAtFront(B, m1);
<CODE ENDS> <CODE ENDS>
The GSSManager would then first check with B if m1 was needed. In The GSSManager would then first check with B if m1 was needed. In
case B did not provide support for m1, the GSSManager would continue case B did not provide support for m1, the GSSManager would continue
on to check with A. If any mechanism m2 is needed where m2 is on to check with A. If any mechanism m2 is needed where m2 is
different from m1, then the GSSManager would skip B and check with A different from m1, then the GSSManager would skip B and check with A
directly. directly.
skipping to change at page 42, line 31 skipping to change at page 43, line 13
effectively become {(A, m3), (B, null), (A, null), ...} effectively become {(A, m3), (B, null), (A, null), ...}
7.1.16. addProviderAtEnd 7.1.16. addProviderAtEnd
public abstract void addProviderAtEnd(Provider p, Oid mech) public abstract void addProviderAtEnd(Provider p, Oid mech)
throws GSSException throws GSSException
This method is used to indicate to the GSSManager that the This method is used to indicate to the GSSManager that the
application would like a particular provider to be used if no other application would like a particular provider to be used if no other
provider can be found that supports the given mechanism. When a provider can be found that supports the given mechanism. When a
value of "null" is used instead of an Oid for the mechanism, the value of "null" is used instead of an Oid object for the mechanism,
GSSManager MUST use the indicated provider for any mechanism. the GSSManager MUST use the indicated provider for any mechanism.
Calling this method repeatedly preserves the older settings, but Calling this method repeatedly preserves the older settings but
raises them above newer ones in preference thus forming an ordered raises them above newer ones in preference, thus forming an ordered
list of providers and Oid pairs that grows at the bottom. Thus, the list of providers and OID pairs that grows at the bottom. Thus, the
older provider settings will be utilized first before this one is. older provider settings will be utilized first before this one is.
If there are any previously existing preferences that conflict with If there are any previously existing preferences that conflict with
the preference being set here, then the GSSManager SHOULD ignore this the preference being set here, then the GSSManager SHOULD ignore this
request. request.
If the GSSManager implementation does not support an SPI with a If the GSSManager implementation does not support an SPI with a
pluggable provider architecture, it SHOULD throw a GSSException with pluggable provider architecture, it SHOULD throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the the status code GSSException.UNAVAILABLE to indicate that the
operation is unavailable. operation is unavailable.
skipping to change at page 43, line 10 skipping to change at page 43, line 40
Parameters: Parameters:
p The provider instance that should be used p The provider instance that should be used
whenever support is needed for mech. whenever support is needed for mech.
mech The mechanism for which the provider is being mech The mechanism for which the provider is being
set. set.
7.1.16.1. addProviderAtEnd Example Code 7.1.16.1. addProviderAtEnd Example Code
Suppose an application desired that when a mechanism of Oid m1 is Suppose an application desired that when a mechanism of OID m1 is
needed, the system default providers always be checked first, and needed, the system default providers always be checked first, and
only when they do not support m1 should a provider A be checked. It only when they do not support m1 should a provider A be checked. It
would then make the call: would then make the call:
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
mgr.addProviderAtEnd(A, m1); mgr.addProviderAtEnd(A, m1);
<CODE ENDS> <CODE ENDS>
Now, if it also desired that provider B be checked for all mechanisms
Now, if it also desired that for all mechanisms the provider B be after all configured providers have been checked, it would then call:
checked after all configured providers have been checked, it would
then call:
<CODE BEGINS> <CODE BEGINS>
mgr.addProviderAtEnd(B, null); mgr.addProviderAtEnd(B, null);
<CODE ENDS> <CODE ENDS>
Effectively, the list of preferences now becomes {..., (A, m1), (B, Effectively, the list of preferences now becomes {..., (A, m1), (B,
null)}. null)}.
Suppose, at a later time, the following call is made to the same Suppose, at a later time, the following call is made to the same
GSSManager instance: GSSManager instance:
skipping to change at page 43, line 50 skipping to change at page 44, line 32
therefore, this request SHOULD be ignored. The same would happen if therefore, this request SHOULD be ignored. The same would happen if
a request is made for the already existing pairs of (A, m1) or (B, a request is made for the already existing pairs of (A, m1) or (B,
null). null).
Please note, however, that the following call: Please note, however, that the following call:
<CODE BEGINS> <CODE BEGINS>
mgr.addProviderAtEnd(A, null) mgr.addProviderAtEnd(A, null)
<CODE ENDS> <CODE ENDS>
is not subsumed by the previous setting of (A, m1) and the list will is not subsumed by the previous setting of (A, m1), and the list will
effectively become {..., (A, m1), (B, null), (A, null)}. effectively become {..., (A, m1), (B, null), (A, null)}.
7.1.17. Example Code 7.1.17. Example Code
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
// What mechs are available to us? // What mechs are available to us?
Oid[] supportedMechs = mgr.getMechs(); Oid[] supportedMechs = mgr.getMechs();
skipping to change at page 44, line 34 skipping to change at page 45, line 15
mgr.addProviderAtFront(p, spkm1); mgr.addProviderAtFront(p, spkm1);
// What name types does this spkm implementation support? // What name types does this spkm implementation support?
Oid[] nameTypes = mgr.getNamesForMech(spkm1); Oid[] nameTypes = mgr.getNamesForMech(spkm1);
<CODE ENDS> <CODE ENDS>
7.2. public interface GSSName 7.2. public interface GSSName
This interface encapsulates a single GSS-API principal entity. This interface encapsulates a single GSS-API principal entity.
Different name formats and their definitions are identified with Different name formats and their definitions are identified with
Universal Object Identifiers (Oids). The format of the names can be Universal OIDs. The format of the names can be derived based on the
derived based on the unique oid of its namespace type. unique OID of its namespace type.
7.2.1. Static Constants 7.2.1. Static Constants
public static final Oid NT_HOSTBASED_SERVICE public static final Oid NT_HOSTBASED_SERVICE
Oid indicating a host-based service name form. It is used to OID indicating a host-based service name form. It is used to
represent services associated with host computers. This name form is represent services associated with host computers. This name form is
constructed using two elements, "service" and "hostname", as follows: constructed using two elements, "service" and "hostname", as follows:
service@hostname service@hostname
Values for the "service" element are registered with the IANA. It Values for the "service" element are registered with the IANA. It
represents the following value: { iso(1) member-body(2) Unites represents the following value: { iso(1) member-body(2) United
States(840) mit(113554) infosys(1) gssapi(2) generic(1) States(840) mit(113554) infosys(1) gssapi(2) generic(1)
service_name(4) } service_name(4) }
public static final Oid NT_USER_NAME public static final Oid NT_USER_NAME
Name type to indicate a named user on a local system. It represents Name type to indicate a named user on a local system. It represents
the following value: { iso(1) member-body(2) United States(840) the following value: { iso(1) member-body(2) United States(840)
mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) } mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
public static final Oid NT_MACHINE_UID_NAME public static final Oid NT_MACHINE_UID_NAME
Name type to indicate a numeric user identifier corresponding to a Name type to indicate a numeric user identifier corresponding to a
user on a local system (e.g., Uid). It represents the following user on a local system (e.g., Uid). It represents the following
value: { iso(1) member-body(2) United States(840) mit(113554) value: { iso(1) member-body(2) United States(840) mit(113554)
infosys(1) gssapi(2) generic(1) machine_uid_name(2) } infosys(1) gssapi(2) generic(1) machine_uid_name(2) }
skipping to change at page 46, line 4 skipping to change at page 46, line 32
cannot be compared. If either of the names represents an anonymous cannot be compared. If either of the names represents an anonymous
entity, the method will return "false". entity, the method will return "false".
Parameters: Parameters:
another GSSName object with which to compare. another GSSName object with which to compare.
7.2.3. equals 7.2.3. equals
public boolean equals(Object another) public boolean equals(Object another)
A variation of the equals method, described in section 7.2.2, that is
A variation of the equals method, described in Section 7.2.2, that is
provided to override the Object.equals() method that the implementing provided to override the Object.equals() method that the implementing
class will inherit. The behavior is exactly the same as that in class will inherit. The behavior is exactly the same as that in
section 7.2.2 except that no GSSException is thrown; instead, "false" Section 7.2.2 except that no GSSException is thrown; instead, "false"
will be returned in the situation where an error occurs. (Note that will be returned in the situation where an error occurs. (Note that
the Java language specification requires that two objects that are the Java language specification requires that two objects that are
equal according to the equals(Object) method MUST return the same equal according to the equals(Object) method MUST return the same
integer result when the hashCode() method is called on them.) integer result when the hashCode() method is called on them.)
Parameters: Parameters:
another GSSName object with which to compare. another GSSName object with which to compare.
7.2.4. canonicalize 7.2.4. canonicalize
public GSSName canonicalize(Oid mech) throws GSSException public GSSName canonicalize(Oid mech) throws GSSException
Creates a mechanism name (MN) from an arbitrary internal name. This Creates an MN from an arbitrary internal name. This is equivalent to
is equivalent to using the factory methods described in sections using the factory methods described in Sections 7.1.7 or 7.1.8 that
7.1.7 or 7.1.8 that take the mechanism name as one of their take the mechanism name as one of their parameters.
parameters.
Parameters: Parameters:
mech The oid for the mechanism for which the canonical mech The OID for the mechanism for which the canonical
form of the name is requested. form of the name is requested.
7.2.5. export 7.2.5. export
public byte[] export() throws GSSException public byte[] export() throws GSSException
Returns a canonical contiguous byte representation of a mechanism Returns a canonical contiguous byte representation of an MN, suitable
name (MN), suitable for direct, byte-by-byte comparison by for direct, byte-by-byte comparison by authorization functions. If
authorization functions. If the name is not an MN, implementations the name is not an MN, implementations MAY throw a GSSException with
MAY throw a GSSException with the NAME_NOT_MN status code. If an the NAME_NOT_MN status code. If an implementation chooses not to
implementation chooses not to throw an exception, it SHOULD use some throw an exception, it SHOULD use some system-specific default
system-specific default mechanism to canonicalize the name and then mechanism to canonicalize the name and then export it. The format of
export it. The format of the header of the output buffer is the header of the output buffer is specified in RFC 2743 [RFC2743].
specified in RFC 2743 [RFC2743].
7.2.6. toString 7.2.6. toString
public String toString() public String toString()
Returns a textual representation of the GSSName object. To retrieve Returns a textual representation of the GSSName object. To retrieve
the printed name format, which determines the syntax of the returned the printed name format, which determines the syntax of the returned
string, the getStringNameType method can be used. string, the getStringNameType method can be used.
7.2.7. getStringNameType 7.2.7. getStringNameType
public Oid getStringNameType() throws GSSException public Oid getStringNameType() throws GSSException
Returns the oid representing the type of name returned through the Returns the OID representing the type of name returned through the
toString method. Using this oid, the syntax of the printable name toString method. Using this OID, the syntax of the printable name
can be determined. can be determined.
7.2.8. isAnonymous 7.2.8. isAnonymous
public boolean isAnonymous() public boolean isAnonymous()
Tests if this name object represents an anonymous entity. Returns Tests if this name object represents an anonymous entity. Returns
"true" if this is an anonymous name. "true" if this is an anonymous name.
7.2.9. isMN 7.2.9. isMN
public boolean isMN() public boolean isMN()
Tests if this name object contains only one mechanism element and is Tests if this name object contains only one mechanism element and is
thus a mechanism name as defined by RFC 2743 [RFC2743]. thus a mechanism name as defined by RFC 2743 [RFC2743].
7.2.10. Example Code 7.2.10. Example Code
Included below are code examples utilizing the GSSName interface. Included below are code examples utilizing the GSSName interface.
The code below creates a GSSName, converts it to a mechanism name The code below creates a GSSName, converts it to an MN, performs a
(MN), performs a comparison, obtains a printable representation of comparison, obtains a printable representation of the name, exports
the name, exports it and then re-imports to obtain a new GSSName. it, and then re-imports to obtain a new GSSName.
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
// create a host-based service name // create a host-based service name
GSSName name = mgr.createName("service@host", GSSName name = mgr.createName("service@host",
GSSName.NT_HOSTBASED_SERVICE); GSSName.NT_HOSTBASED_SERVICE);
Oid krb5 = new Oid("1.2.840.113554.1.2.2"); Oid krb5 = new Oid("1.2.840.113554.1.2.2");
skipping to change at page 49, line 14 skipping to change at page 49, line 31
function would involve the creation of new credentials rather than function would involve the creation of new credentials rather than
merely acquiring a handle to existing credentials. Such functions, merely acquiring a handle to existing credentials. Such functions,
if required, SHOULD be defined in implementation-specific extensions if required, SHOULD be defined in implementation-specific extensions
to the API. to the API.
If credential acquisition is time-consuming for a mechanism, the If credential acquisition is time-consuming for a mechanism, the
mechanism MAY choose to delay the actual acquisition until the mechanism MAY choose to delay the actual acquisition until the
credential is required (e.g., by GSSContext). Such mechanism- credential is required (e.g., by GSSContext). Such mechanism-
specific implementation decisions SHOULD be invisible to the calling specific implementation decisions SHOULD be invisible to the calling
application; thus, the query methods immediately following the application; thus, the query methods immediately following the
creation of a credential object MUST return valid credential data, creation of a credential object MUST return valid credential data and
and may therefore incur the overhead of a deferred credential may therefore incur the overhead of a deferred credential
acquisition. acquisition.
Applications will create a credential object passing the desired Applications will create a credential object passing the desired
parameters. The application can then use the query methods to obtain parameters. The application can then use the query methods to obtain
specific information about the instantiated credential object specific information about the instantiated credential object
(equivalent to the gss_inquire routines). When the credential is no (equivalent to the gss_inquire routines). When the credential is no
longer needed, the application SHOULD call the dispose (equivalent to longer needed, the application SHOULD call the dispose (equivalent to
gss_release_cred) method to release any resources held by the gss_release_cred) method to release any resources held by the
credential object and to destroy any cryptographically sensitive credential object and to destroy any cryptographically sensitive
information. information.
skipping to change at page 50, line 4 skipping to change at page 50, line 23
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context initiation only. The value of this constant is 1. context initiation only. The value of this constant is 1.
public static final int ACCEPT_ONLY public static final int ACCEPT_ONLY
Credential usage flag requesting that it be able to be used for Credential usage flag requesting that it be able to be used for
context acceptance only. The value of this constant is 2. context acceptance only. The value of this constant is 2.
public static final int DEFAULT_LIFETIME public static final int DEFAULT_LIFETIME
A lifetime constant representing the default credential lifetime. A lifetime constant representing the default credential lifetime.
The value of this constant is 0. The value of this constant is 0.
public static final int INDEFINITE_LIFETIME public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite credential lifetime. The A lifetime constant representing indefinite credential lifetime. The
value of this constant is the maximum integer value in Java - value of this constant is the maximum integer value in Java --
Integer.MAX_VALUE. Integer.MAX_VALUE.
7.3.2. dispose 7.3.2. dispose
public void dispose() throws GSSException public void dispose() throws GSSException
Releases any sensitive information that the GSSCredential object may Releases any sensitive information that the GSSCredential object may
be containing. Applications SHOULD call this method as soon as the be containing. Applications SHOULD call this method as soon as the
credential is no longer needed to minimize the time any sensitive credential is no longer needed to minimize the time any sensitive
information is maintained. information is maintained.
skipping to change at page 50, line 33 skipping to change at page 51, line 10
public GSSName getName() throws GSSException public GSSName getName() throws GSSException
Retrieves the name of the entity that the credential asserts. Retrieves the name of the entity that the credential asserts.
7.3.4. getName 7.3.4. getName
public GSSName getName(Oid mechOID) throws GSSException public GSSName getName(Oid mechOID) throws GSSException
Retrieves a mechanism name of the entity that the credential asserts. Retrieves a mechanism name of the entity that the credential asserts.
Equivalent to calling canonicalize() on the name returned by section Equivalent to calling canonicalize() on the name returned by
7.3.3. Section 7.3.3.
Parameters: Parameters:
mechOID The mechanism for which information should be mechOID The mechanism for which information should be
returned. returned.
7.3.5. getRemainingLifetime 7.3.5. getRemainingLifetime
public int getRemainingLifetime() throws GSSException public int getRemainingLifetime() throws GSSException
skipping to change at page 52, line 29 skipping to change at page 52, line 48
public Oid[] getMechs() throws GSSException public Oid[] getMechs() throws GSSException
Returns an array of mechanisms supported by this credential. Returns an array of mechanisms supported by this credential.
7.3.11. add 7.3.11. add
public void add(GSSName aName, int initLifetime, int acceptLifetime, public void add(GSSName aName, int initLifetime, int acceptLifetime,
Oid mech, int usage) throws GSSException Oid mech, int usage) throws GSSException
Adds a mechanism-specific credential-element to an existing Adds a mechanism-specific credential element to an existing
credential. This method allows the construction of credentials one credential. This method allows the construction of credentials one
mechanism at a time. mechanism at a time.
This routine is envisioned to be used mainly by context acceptors This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials, which are to be used during the creation of acceptance credentials, which are to be used
with a variety of clients using different security mechanisms. with a variety of clients using different security mechanisms.
This routine adds the new credential element "in-place". To add the This routine adds the new credential element "in-place". To add the
element in a new credential, first call clone() to obtain a copy of element in a new credential, first call clone() to obtain a copy of
this credential, then call its add() method. this credential, then call its add() method.
Parameters: Parameters:
aName Name of the principal for whom this credential is aName Name of the principal for whom this credential is
to be acquired. Use "null" to specify the to be acquired. Use "null" to specify the
default principal. default principal.
initLifetime The number of seconds that credentials should initLifetime The number of seconds that credentials should
remain valid for initiating of security contexts. remain valid for initiating security contexts.
Use GSSCredential.INDEFINITE_LIFETIME to request Use GSSCredential.INDEFINITE_LIFETIME to request
that the credentials have the maximum permitted that the credentials have the maximum permitted
lifetime. Use GSSCredential.DEFAULT_LIFETIME to lifetime. Use GSSCredential.DEFAULT_LIFETIME to
request default credential lifetime. request default credential lifetime.
acceptLifetime The number of seconds that credentials should acceptLifetime The number of seconds that credentials should
remain valid for accepting of security contexts. remain valid for accepting security contexts.
Use GSSCredential.INDEFINITE_LIFETIME to request Use GSSCredential.INDEFINITE_LIFETIME to request
that the credentials that the credentials
have the maximum permitted lifetime. Use have the maximum permitted lifetime. Use
GSSCredential.DEFAULT_LIFETIME to request default GSSCredential.DEFAULT_LIFETIME to request default
credential lifetime. credential lifetime.
mech The mechanisms over which the credential is to be mech The mechanisms over which the credential is to be
acquired. acquired.
skipping to change at page 53, line 31 skipping to change at page 53, line 52
GSSCredential.INITIATE_ONLY(1), or GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2) GSSCredential.ACCEPT_ONLY(2)
7.3.12. equals 7.3.12. equals
public boolean equals(Object another) public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied Tests if this GSSCredential refers to the same entity as the supplied
object. The two credentials MUST be acquired over the same object. The two credentials MUST be acquired over the same
mechanisms and MUST refer to the same principal. Returns "true" if mechanisms and MUST refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise. the two GSSCredentials refer to the same entity, or "false"
(Note that the Java language specification [JLS] requires that two otherwise. (Note that the Java language specification [JLS] requires
objects that are equal according to the equals(Object) method MUST that two objects that are equal according to the equals(Object)
return the same integer result when the hashCode() method is called method MUST return the same integer result when the hashCode() method
on them.) is called on them.)
Parameters: Parameters:
another Another GSSCredential object for comparison. another Another GSSCredential object for comparison.
7.3.13. Example Code 7.3.13. Example Code
This example code demonstrates the creation of a GSSCredential This example code demonstrates the creation of a GSSCredential
implementation for a specific entity, querying of its fields, and its implementation for a specific entity, querying of its fields, and its
release when it is no longer needed. release when it is no longer needed.
<CODE BEGINS> <CODE BEGINS>
GSSManager mgr = GSSManager.getInstance(); GSSManager mgr = GSSManager.getInstance();
// start by creating a name object for the entity // start by creating a name object for the entity
GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME); GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
// now acquire credentials for the entity // now acquire credentials for the entity
GSSCredential cred = mgr.createCredential(name, GSSCredential cred = mgr.createCredential(name,
GSSCredential.ACCEPT_ONLY); GSSCredential.INDEFINITE_LIFETIME,
(Oid[])null,
GSSCredential.ACCEPT_ONLY);
// display credential information - name, remaining lifetime, // display credential information - name, remaining lifetime,
// and the mechanisms it has been acquired over // and the mechanisms it has been acquired over
print(cred.getName().toString()); print(cred.getName().toString());
print(cred.getRemainingLifetime()); print(cred.getRemainingLifetime());
Oid[] mechs = cred.getMechs(); Oid[] mechs = cred.getMechs();
if (mechs != null) { if (mechs != null) {
for (int i = 0; i < mechs.length; i++) for (int i = 0; i < mechs.length; i++)
print(mechs[i].toString()); print(mechs[i].toString());
} }
// release system resources held by the credential // release system resources held by the credential
cred.dispose(); cred.dispose();
<CODE ENDS> <CODE ENDS>
7.4. public interface GSSContext 7.4. public interface GSSContext
This interface encapsulates the GSS-API security context and provides This interface encapsulates the GSS-API security context and provides
the security services (wrap, unwrap, getMIC, verifyMIC) that are the security services (wrap, unwrap, getMIC, and verifyMIC) that are
available over the context. Security contexts are established available over the context. Security contexts are established
between peers using locally acquired credentials. Multiple contexts between peers using locally acquired credentials. Multiple contexts
may exist simultaneously between a pair of peers, using the same or may exist simultaneously between a pair of peers, using the same or
different set of credentials. GSS-API functions in a manner different set of credentials. GSS-API functions in a manner
independent of the underlying transport protocol and depends on its independent of the underlying transport protocol and depends on its
calling application to transport its tokens between peers. calling application to transport its tokens between peers.
Before the context establishment phase is initiated, the context Before the context establishment phase is initiated, the context
initiator may request specific characteristics desired of the initiator may request specific characteristics desired of the
established context. These can be set using the set methods. After established context. These can be set using the set methods. After
skipping to change at page 55, line 6 skipping to change at page 55, line 23
methods. methods.
The context establishment phase begins with the first call to the The context establishment phase begins with the first call to the
init method by the context initiator. During this phase, the init method by the context initiator. During this phase, the
initSecContext and acceptSecContext methods will produce GSS-API initSecContext and acceptSecContext methods will produce GSS-API
authentication tokens, which the calling application needs to send to authentication tokens, which the calling application needs to send to
its peer. If an error occurs at any point, an exception will get its peer. If an error occurs at any point, an exception will get
thrown and the code will start executing in a catch block where the thrown and the code will start executing in a catch block where the
exception may contain an output token that should be sent to the peer exception may contain an output token that should be sent to the peer
for debugging or informational purpose. If not, the normal flow of for debugging or informational purpose. If not, the normal flow of
code continues and the application can make a call to the code continues, and the application can make a call to the
isEstablished() method. If this method returns "false" it indicates isEstablished() method. If this method returns "false", it indicates
that a token is needed from its peer in order to continue the context that a token is needed from its peer in order to continue the context
establishment phase. A return value of "true" signals that the local establishment phase. A return value of "true" signals that the local
end of the context is established. This may still require that a end of the context is established. This may still require that a
token be sent to the peer, if one is produced by GSS-API. During the token be sent to the peer, if one is produced by GSS-API. During the
context establishment phase, the isProtReady() method may be called context establishment phase, the isProtReady() method may be called
to determine if the context can be used for the per-message to determine if the context can be used for the per-message
operations. This allows applications to use per-message operations operations. This allows applications to use per-message operations
on contexts that aren't fully established. on contexts that aren't fully established.
After the context has been established or the isProtReady() method After the context has been established or the isProtReady() method
returns "true", the query routines can be invoked to determine the returns "true", the query routines can be invoked to determine the
actual characteristics and services of the established context. The actual characteristics and services of the established context. The
application can also start using the per-message methods of wrap and application can also start using the per-message methods of wrap and
getMIC to obtain cryptographic operations on application supplied getMIC to obtain cryptographic operations on application-supplied
data. data.
When the context is no longer needed, the application SHOULD call When the context is no longer needed, the application SHOULD call
dispose to release any system resources the context may be using. dispose to release any system resources the context may be using.
7.4.1. Static Constants 7.4.1. Static Constants
public static final int DEFAULT_LIFETIME public static final int DEFAULT_LIFETIME
A lifetime constant representing the default context lifetime. The A lifetime constant representing the default context lifetime. The
value of this constant is 0. value of this constant is 0.
public static final int INDEFINITE_LIFETIME public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite context lifetime. The A lifetime constant representing indefinite context lifetime. The
value of this constant is the maximum integer value in Java - value of this constant is the maximum integer value in Java --
Integer.MAX_VALUE. Integer.MAX_VALUE.
7.4.2. initSecContext 7.4.2. initSecContext
public byte[] initSecContext(byte[] inputBuf, int offset, int len) public byte[] initSecContext(byte[] inputBuf, int offset, int len)
throws GSSException throws GSSException
Called by the context initiator to start the context creation Called by the context initiator to start the context creation
process. This method MAY return an output token that the application process. This method MAY return an output token that the application
will need to send to the peer for processing by the accept call. The will need to send to the peer for processing by the accept call. The
skipping to change at page 58, line 35 skipping to change at page 59, line 6
public byte[] wrap(byte[] inBuf, int offset, int len, public byte[] wrap(byte[] inBuf, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Applies per-message security services over the established security Applies per-message security services over the established security
context. The method will return a token with a cryptographic MIC and context. The method will return a token with a cryptographic MIC and
MAY optionally encrypt the specified inBuf. The returned byte array MAY optionally encrypt the specified inBuf. The returned byte array
will contain both the MIC and the message. will contain both the MIC and the message.
The MessageProp object is instantiated by the application and used to The MessageProp object is instantiated by the application and used to
specify a QOP value that selects cryptographic algorithms, and a specify a QOP value that selects cryptographic algorithms and a
privacy service to optionally encrypt the message. The underlying privacy service to optionally encrypt the message. The underlying
mechanism that is used in the call may not be able to provide the mechanism that is used in the call may not be able to provide the
privacy service. It sets the actual privacy service that it does privacy service. It sets the actual privacy service that it does
provide in this MessageProp object, which the caller SHOULD then provide in this MessageProp object, which the caller SHOULD then
query upon return. If the mechanism is not able to provide the query upon return. If the mechanism is not able to provide the
requested QOP, it throws a GSSException with the BAD_QOP code. requested QOP, it throws a GSSException with the BAD_QOP code.
Since some application-level protocols may wish to use tokens emitted Since some application-level protocols may wish to use tokens emitted
by wrap to provide "secure framing", implementations SHOULD support by wrap to provide "secure framing", implementations SHOULD support
the wrapping of zero-length messages. the wrapping of zero-length messages.
skipping to change at page 59, line 50 skipping to change at page 60, line 22
offset The offset within the inBuf where the token offset The offset within the inBuf where the token
begins. begins.
len The length of the token within the inBuf len The length of the token within the inBuf
(starting at the offset). (starting at the offset).
msgProp Upon return from the method, this object will msgProp Upon return from the method, this object will
contain the applied QOP, the privacy state of the contain the applied QOP, the privacy state of the
message, and supplementary information, described message, and supplementary information, described
in section 5.12.3, stating whether the token was in Section 5.12.3, stating whether the token was
a duplicate, old, out of sequence, or arriving a duplicate, old, out of sequence, or arriving
after a gap. after a gap.
7.4.9. getMIC 7.4.9. getMIC
public byte[] getMIC(byte[] inMsg, int offset, int len, public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException MessageProp msgProp) throws GSSException
Returns a token containing a cryptographic MIC for the supplied Returns a token containing a cryptographic MIC for the supplied
message for transfer to the peer application. Unlike wrap, which message for transfer to the peer application. Unlike wrap, which
skipping to change at page 61, line 30 skipping to change at page 62, line 7
cryptographic MIC. cryptographic MIC.
msgOffset The offset within the inMsg where the message msgOffset The offset within the inMsg where the message
begins. begins.
msgLen The length of the message within the inMsg msgLen The length of the message within the inMsg
(starting at the offset). (starting at the offset).
msgProp Upon return from the method, this object will msgProp Upon return from the method, this object will
contain the applied QOP and supplementary contain the applied QOP and supplementary
information, described in section 5.12.3, stating information, described in Section 5.12.3, stating
whether the token was a duplicate, old, out of whether the token was a duplicate, old, out of
sequence, or arriving after a gap. The sequence, or arriving after a gap. The
confidentiality state will be set to "false". confidentiality state will be set to "false".
7.4.11. export 7.4.11. export
public byte[] export() throws GSSException public byte[] export() throws GSSException
Provided to support the sharing of work between multiple processes. Provided to support the sharing of work between multiple processes.
This routine will typically be used by the context acceptor, in an This routine will typically be used by the context acceptor, in an
application where a single process receives incoming connection application where a single process receives incoming connection
requests and accepts security contexts over them, then passes the requests and accepts security contexts over them, then passes the
established context to one or more other processes for message established context to one or more other processes for message
exchange. exchange.
This method deactivates the security context and creates an inter- This method deactivates the security context and creates an inter-
process token which, when passed to the byte array constructor of the process token that, when passed to the byte array constructor of the
GSSContext interface in another process, will re-activate the context GSSContext interface in another process, will re-activate the context
in the second process. Only a single instantiation of a given in the second process. Only a single instantiation of a given
context may be active at any one time; a subsequent attempt by a context may be active at any one time; a subsequent attempt by a
context exporter to access the exported security context will fail. context exporter to access the exported security context will fail.
The implementation MAY constrain the set of processes by which the The implementation MAY constrain the set of processes by which the
inter-process token may be imported, either as a function of local inter-process token may be imported, either as a function of local
security policy, or as a result of implementation decisions. For security policy or as a result of implementation decisions. For
example, some implementations may constrain contexts to be passed example, some implementations may constrain contexts to be passed
only between processes that run under the same account, or which are only between processes that run under the same account, or which are
part of the same process group. part of the same process group.
The inter-process token MAY contain security-sensitive information The inter-process token MAY contain security-sensitive information
(for example, cryptographic keys). While mechanisms are encouraged (for example, cryptographic keys). While mechanisms are encouraged
to either avoid placing such sensitive information within inter- either to avoid placing such sensitive information within inter-
process tokens or to encrypt the token before returning it to the process tokens or to encrypt the token before returning it to the
application, in a typical GSS-API implementation, this may not be application, in a typical GSS-API implementation, this may not be
possible. Thus, the application MUST take care to protect the inter- possible. Thus, the application MUST take care to protect the inter-
process token, and ensure that any process to which the token is process token and ensure that any process to which the token is
transferred is trustworthy. transferred is trustworthy.
7.4.12. requestMutualAuth 7.4.12. requestMutualAuth
public void requestMutualAuth(boolean state) throws GSSException public void requestMutualAuth(boolean state) throws GSSException
Sets the request state of the mutual authentication flag for the Sets the request state of the mutual authentication flag for the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
skipping to change at page 63, line 4 skipping to change at page 63, line 26
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if replay detection is state Boolean representing if replay detection is
desired over the established context. desired over the established context.
7.4.14. requestSequenceDet 7.4.14. requestSequenceDet
public void requestSequenceDet(boolean state) throws GSSException public void requestSequenceDet(boolean state) throws GSSException
Sets the request state for the sequence checking service of the
Sets the request state for the sequence-checking service of the
context. This method is only valid before the context creation context. This method is only valid before the context creation
process begins and only for the initiator. process begins and only for the initiator.
Parameters: Parameters:
state Boolean representing if sequence detection is state Boolean representing if sequence detection is
desired over the established context. desired over the established context.
7.4.15. requestCredDeleg 7.4.15. requestCredDeleg
skipping to change at page 67, line 17 skipping to change at page 67, line 43
public GSSName getTargName() throws GSSException public GSSName getTargName() throws GSSException
Returns the name of the context target (acceptor). This call is Returns the name of the context target (acceptor). This call is
valid only after the context is fully established or the isProtReady valid only after the context is fully established or the isProtReady
method returns "true". It is guaranteed to return an MN. method returns "true". It is guaranteed to return an MN.
7.4.33. getMech 7.4.33. getMech
public Oid getMech() throws GSSException public Oid getMech() throws GSSException
Returns the mechanism oid for this context. This method MAY be Returns the mechanism OID for this context. This method MAY be
called before the context is fully established, but the mechanism called before the context is fully established, but the mechanism
returned MAY change on successive calls in negotiated mechanism case. returned MAY change on successive calls in a negotiated mechanism
case.
7.4.34. getDelegCred 7.4.34. getDelegCred
public GSSCredential getDelegCred() throws GSSException public GSSCredential getDelegCred() throws GSSException
Returns the delegated credential object on the acceptor's side. To Returns the delegated credential object on the acceptor's side. To
check for availability of delegated credentials call check for availability of delegated credentials, call
getDelegCredState. This call is only valid on fully established getDelegCredState. This call is only valid on fully established
contexts. contexts.
7.4.35. isInitiator 7.4.35. isInitiator
public boolean isInitiator() throws GSSException public boolean isInitiator() throws GSSException
Returns "true" if this is the initiator of the context. This call is Returns "true" if this is the initiator of the context. This call is
only valid after the context creation process has started. only valid after the context creation process has started.
skipping to change at page 68, line 17 skipping to change at page 68, line 50
null, /* default credentials */ null, /* default credentials */
GSSContext.INDEFINITE_LIFETIME); GSSContext.INDEFINITE_LIFETIME);
// set desired context options - all others are "false" by default // set desired context options - all others are "false" by default
context.requestConf(true); context.requestConf(true);
context.requestMutualAuth(true); context.requestMutualAuth(true);
context.requestReplayDet(true); context.requestReplayDet(true);
context.requestSequenceDet(true); context.requestSequenceDet(true);
// establish a context between peers - using byte arrays // establish a context between peers - using byte arrays
byte[]inTok = new byte[0]; byte[] inTok = new byte[0];
try { try {
do { do {
byte[] outTok = context.initSecContext(inTok, 0, byte[] outTok = context.initSecContext(inTok, 0,
inTok.length); inTok.length);
// send the token if present // send the token if present
if (outTok != null) if (outTok != null)
sendToken(outTok); sendToken(outTok);
// check if we should expect more tokens // check if we should expect more tokens
skipping to change at page 69, line 38 skipping to change at page 70, line 22
context.dispose(); context.dispose();
<CODE ENDS> <CODE ENDS>
7.5. public class MessageProp 7.5. public class MessageProp
This is a utility class used within the per-message GSSContext This is a utility class used within the per-message GSSContext
methods to convey per-message properties. methods to convey per-message properties.
When used with the GSSContext interface's wrap and getMIC methods, an When used with the GSSContext interface's wrap and getMIC methods, an
instance of this class is used to indicate the desired QOP and to instance of this class is used to indicate the desired QOP and to
request if confidentiality services are to be applied to caller request if confidentiality services are to be applied to caller-
supplied data (wrap only). To request default QOP, the value of 0 supplied data (wrap only). To request default QOP, the value of 0
should be used for QOP. A QOP is an integer value defined by an should be used for QOP. A QOP is an integer value defined by an
mechanism. mechanism.
When used with the unwrap and verifyMIC methods of the GSSContext When used with the unwrap and verifyMIC methods of the GSSContext
interface, an instance of this class will be used to indicate the interface, an instance of this class will be used to indicate the
applied QOP and confidentiality services over the supplied message. applied QOP and confidentiality services over the supplied message.
In the case of verifyMIC, the confidentiality state will always be In the case of verifyMIC, the confidentiality state will always be
"false". Upon return from these methods, this object will also "false". Upon return from these methods, this object will also
contain any supplementary status values applicable to the processed contain any supplementary status values applicable to the processed
skipping to change at page 70, line 19 skipping to change at page 70, line 50
Constructor that sets QOP to 0 indicating that the default QOP is Constructor that sets QOP to 0 indicating that the default QOP is
requested. requested.
Parameters: Parameters:
privState The desired privacy state. "true" for privacy and privState The desired privacy state. "true" for privacy and
"false" for integrity only. "false" for integrity only.
public MessageProp(int qop, boolean privState) public MessageProp(int qop, boolean privState)
Constructor that sets the values for the qop and privacy state. Constructor that sets the values for the QOP and privacy state.
Parameters: Parameters:
qop The desired QOP. Use 0 to request a default QOP. qop The desired QOP. Use 0 to request a default QOP.
privState The desired privacy state. "true" for privacy and privState The desired privacy state. "true" for privacy and
"false" for integrity only. "false" for integrity only.
7.5.2. getQOP 7.5.2. getQOP
skipping to change at page 72, line 39 skipping to change at page 73, line 28
"false". "false".
minorStatus The integer minor status code that the underlying minorStatus The integer minor status code that the underlying
mechanism wants to set. mechanism wants to set.
minorString The textual representation of the minorStatus minorString The textual representation of the minorStatus
value. value.
7.6. public class ChannelBinding 7.6. public class ChannelBinding
The GSS-API accommodates the concept of caller-provided channel The GSS-API accommodates the concept of caller-provided channel-
binding information. Channel bindings are used to strengthen the binding information. Channel bindings are used to strengthen the
quality with which peer entity authentication is provided during quality with which peer entity authentication is provided during
context establishment. They enable the GSS-API callers to bind the context establishment. They enable the GSS-API callers to bind the
establishment of the security context to relevant characteristics establishment of the security context to relevant characteristics
like addresses or to application-specific data. like addresses or to application-specific data.
The caller initiating the security context MUST determine the The caller initiating the security context MUST determine the
appropriate channel binding values to set in the GSSContext object. appropriate channel-binding values to set in the GSSContext object.
The acceptor MUST provide an identical binding in order to validate The acceptor MUST provide an identical binding in order to validate
that received tokens possess correct channel-related characteristics. that received tokens possess correct channel-related characteristics.
Use of channel bindings is OPTIONAL in GSS-API. Since channel- Use of channel bindings is OPTIONAL in GSS-API. Since channel-
binding information may be transmitted in context establishment binding information may be transmitted in context establishment
tokens, applications SHOULD therefore not use confidential data as tokens, applications SHOULD therefore not use confidential data as
channel-binding components. channel-binding components.
7.6.1. Constructors 7.6.1. Constructors
public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr, public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr,
byte[] appData) byte[] appData)
Create a ChannelBinding object with user-supplied address information Create a ChannelBinding object with user-supplied address information
and data. "null" values can be used for any fields that the and data. "null" values can be used for any fields that the
application does not want to specify. application does not want to specify.
Parameters: Parameters:
initAddr The address of the context initiator. "null" initAddr The address of the context initiator. The "null"
value can be supplied to indicate that the value can be supplied to indicate that the
application does not want to set this value. application does not want to set this value.
acceptAddr The address of the context acceptor. "null" value acceptAddr The address of the context acceptor. The "null"
can be supplied to indicate that the application value can be supplied to indicate that the
does not want to set this value. application does not want to set this value.
appData Application-supplied data to be used as part of appData Application-supplied data to be used as part of
the channel bindings. "null" value can be the channel bindings. The "null" value can be
supplied to indicate that the application does supplied to indicate that the application does
not want to set this value. not want to set this value.
public ChannelBinding(byte[] appData) public ChannelBinding(byte[] appData)
Creates a ChannelBinding object without any addressing information. Creates a ChannelBinding object without any addressing information.
Parameters: Parameters:
appData Application supplied data to be used as part of appData Application-supplied data to be used as part of
the channel bindings. the channel bindings.
7.6.2. getInitiatorAddress 7.6.2. getInitiatorAddress
public InetAddress getInitiatorAddress() public InetAddress getInitiatorAddress()
Returns the initiator's address for this channel binding. "null" is Returns the initiator's address for this channel binding. "null" is
returned if the address has not been set. returned if the address has not been set.
7.6.3. getAcceptorAddress 7.6.3. getAcceptorAddress
skipping to change at page 74, line 30 skipping to change at page 75, line 20
language specification requires that two objects that are equal language specification requires that two objects that are equal
according to the equals(Object) method MUST return the same integer according to the equals(Object) method MUST return the same integer
result when the hashCode() method is called on them.) result when the hashCode() method is called on them.)
Parameters: Parameters:
obj Another channel binding with which to compare. obj Another channel binding with which to compare.
7.7. public class Oid 7.7. public class Oid
This class represents Universal Object Identifiers (Oids) and their This class represents Universal OIDs and their associated operations.
associated operations.
Oids are hierarchically globally interpretable identifiers used OIDs are hierarchically globally interpretable identifiers used
within the GSS-API framework to identify mechanisms and name formats. within the GSS-API framework to identify mechanisms and name formats.
The structure and encoding of Oids is defined in ISOIEC-8824 and The structure and encoding of OIDs is defined in ISOIEC-8824
ISOIEC-8825. For example, the Oid representation of the Kerberos v5 [ISOIEC-8824] and ISOIEC-8825 [ISOIEC-8825]. For example, the OID
mechanism is "1.2.840.113554.1.2.2". representation of the Kerberos v5 mechanism is
"1.2.840.113554.1.2.2".
The GSSName name class contains public static Oid objects The GSSName name class contains public static Oid objects
representing the standard name types defined in GSS-API. representing the standard name types defined in GSS-API.
7.7.1. Constructors 7.7.1. Constructors
public Oid(String strOid) throws GSSException public Oid(String strOid) throws GSSException
Creates an Oid object from a string representation of its integer Creates an Oid object from a string representation of its integer
components (e.g., "1.2.840.113554.1.2.2"). components (e.g., "1.2.840.113554.1.2.2").
Parameters: Parameters:
strOid The string representation for the oid. strOid The string representation for the OID.
public Oid(InputStream derOid) throws GSSException public Oid(InputStream derOid) throws GSSException
Creates an Oid object from its DER encoding. This refers to the full Creates an Oid object from its DER encoding. This refers to the full
encoding including tag and length. The structure and encoding of encoding including tag and length. The structure and encoding of
Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is OIDs is defined in ISOIEC-8824 [ISOIEC-8824] and ISOIEC-8825
identical in functionality to its byte array counterpart. [ISOIEC-8825]. This method is identical in functionality to its byte
array counterpart.
Parameters: Parameters:
derOid Stream containing the DER-encoded oid. derOid Stream containing the DER-encoded OID.
public Oid(byte[] DEROid) throws GSSException public Oid(byte[] derOid) throws GSSException
Creates an Oid object from its DER encoding. This refers to the full Creates an Oid object from its DER encoding. This refers to the full
encoding including tag and length. The structure and encoding of encoding including tag and length. The structure and encoding of
Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is OIDs is defined in ISOIEC-8824 [ISOIEC-8824] and ISOIEC-8825
identical in functionality to its byte array counterpart. [ISOIEC-8825]. This method is identical in functionality to its byte
array counterpart.
Parameters: Parameters:
derOid Byte array storing a DER-encoded oid. derOid Byte array storing a DER-encoded OID.
7.7.2. toString 7.7.2. toString
public String toString() public String toString()
Returns a string representation of the oid's integer components in Returns a string representation of the OID's integer components in
dot separated notation (e.g., "1.2.840.113554.1.2.2"). dot-separated notation (e.g., "1.2.840.113554.1.2.2").
7.7.3. equals 7.7.3. equals
public boolean equals(Object Obj) public boolean equals(Object Obj)
Returns "true" if the two Oid objects represent the same oid value. Returns "true" if the two Oid objects represent the same OID value.
(Note that the Java language specification [JLS] requires that two (Note that the Java language specification [JLS] requires that two
objects that are equal according to the equals(Object) method MUST objects that are equal according to the equals(Object) method MUST
return the same integer result when the hashCode() method is called return the same integer result when the hashCode() method is called
on them.) on them.)
Parameters: Parameters:
obj Another Oid object with which to compare. obj Another Oid object with which to compare.
7.7.4. getDER 7.7.4. getDER
public byte[] getDER() public byte[] getDER()
Returns the full ASN.1 DER encoding for this oid object, which Returns the full ASN.1 DER encoding for this Oid object, which
includes the tag and length. includes the tag and length.
7.7.5. containedIn 7.7.5. containedIn
public boolean containedIn(Oid[] oids) public boolean containedIn(Oid[] oids)
A utility method to test if an Oid object is contained within the A utility method to test if an Oid object is contained within the
supplied Oid object array. supplied Oid object array.
Parameters: Parameters:
oids An array of oids to search. oids An array of OIDs to search.
7.8. public class GSSException extends Exception 7.8. public class GSSException extends Exception
This exception is thrown whenever a fatal GSS-API error occurs This exception is thrown whenever a fatal GSS-API error occurs
including mechanism-specific errors. It MAY contain both, the major including mechanism-specific errors. It MAY contain both, the major
and minor, GSS-API status codes. The mechanism implementors are and minor, GSS-API status codes. The mechanism implementors are
responsible for setting appropriate minor status codes when throwing responsible for setting appropriate minor status codes when throwing
this exception. Aside from delivering the numeric error code(s) to this exception. Aside from delivering the numeric error code(s) to
the caller, this class performs the mapping from their numeric values the caller, this class performs the mapping from their numeric values
to textual representations. This exception MAY also include an to textual representations. This exception MAY also include an
output token that SHOULD be sent to the peer. For example, when an output token that SHOULD be sent to the peer. For example, when an
initSecContext call fails due to a fatal error, the mechanism MAY initSecContext call fails due to a fatal error, the mechanism MAY
define an error token that SHOULD be sent to the peer for debugging define an error token that SHOULD be sent to the peer for debugging
or informational purpose. All Java GSS-API methods are declared or informational purposes. All Java GSS-API methods are declared
throwing this exception. throwing this exception.
All implementations are encouraged to use the Java All implementations are encouraged to use the Java
internationalization techniques to provide local translations of the internationalization techniques to provide local translations of the
message strings. message strings.
7.8.1. Static Constants 7.8.1. Static Constants
All valid major GSS-API error code values are declared as constants All valid major GSS-API error code values are declared as constants
in this class. in this class.
public static final int BAD_BINDINGS public static final int BAD_BINDINGS
Channel bindings mismatch error. The value of this constant is 1. Channel-bindings mismatch error. The value of this constant is 1.
public static final int BAD_MECH public static final int BAD_MECH
Unsupported mechanism requested error. The value of this constant is Unsupported mechanism requested error. The value of this constant is
2. 2.
public static final int BAD_NAME public static final int BAD_NAME
Invalid name provided error. The value of this constant is 3. Invalid name provided error. The value of this constant is 3.
public static final int BAD_NAMETYPE public static final int BAD_NAMETYPE
Name of unsupported type provided error. The value of this constant Name of unsupported type provided error. The value of this constant
skipping to change at page 80, line 31 skipping to change at page 81, line 27
public int getMajor() public int getMajor()
Returns the major code representing the GSS error code that caused Returns the major code representing the GSS error code that caused
this exception to be thrown. this exception to be thrown.
7.8.4. getMinor 7.8.4. getMinor
public int getMinor() public int getMinor()
Returns the mechanism error code that caused this exception. The Returns the mechanism error code that caused this exception. The
minor code is set by the underlying mechanism. Value of 0 indicates minor code is set by the underlying mechanism. The value of 0
that mechanism error code is not set. indicates that the mechanism error code is not set.
7.8.5. getMajorString 7.8.5. getMajorString
public String getMajorString() public String getMajorString()
Returns a string explaining the GSS major error code causing this Returns a string explaining the GSS major error code causing this
exception to be thrown. exception to be thrown.
7.8.6. getMinorString 7.8.6. getMinorString
skipping to change at page 81, line 11 skipping to change at page 82, line 11
Returns a string explaining the mechanism-specific error code. "null" Returns a string explaining the mechanism-specific error code. "null"
will be returned when no string explaining the mechanism error code will be returned when no string explaining the mechanism error code
has been set. has been set.
7.8.7. getOutputToken 7.8.7. getOutputToken
public byte[] getOutputToken public byte[] getOutputToken
Returns the output token in a new byte array. Returns the output token in a new byte array.
If the method (For example, GSSContext#initSecContext) that throws If the method (for example, GSSContext#initSecContext) that throws
this GSSException needs to generate an output token that SHOULD be this GSSException needs to generate an output token that SHOULD be
sent to the peer, that token will be stored in this GSSException and sent to the peer, that token will be stored in this GSSException and
can be retrieved with this method. can be retrieved with this method.
The return value MUST be null if no such token is generated. It MUST The return value MUST be null if no such token is generated. It MUST
NOT be an empty byte array. NOT be an empty byte array.
7.8.8. setMinor 7.8.8. setMinor
public void setMinor(int minorCode, String message) public void setMinor(int minorCode, String message)
skipping to change at page 82, line 4 skipping to change at page 83, line 6
7.8.10. getMessage 7.8.10. getMessage
public String getMessage() public String getMessage()
Returns a detailed message of this exception. Overrides Returns a detailed message of this exception. Overrides
Throwable.getMessage. It is customary in Java to use this method to Throwable.getMessage. It is customary in Java to use this method to
obtain exception information. obtain exception information.
8. Sample Applications 8. Sample Applications
8.1. Simple GSS Context Initiator 8.1. Simple GSS Context Initiator
<CODE BEGINS> <CODE BEGINS>
import org.ietf.jgss.*; import org.ietf.jgss.*;
/** /**
* This is a partial sketch for a simple client program that acts * This is a partial sketch for a simple client program that acts
* as a GSS context initiator. It illustrates how to use the Java * as a GSS context initiator. It illustrates how to use the Java
* bindings for the GSS-API specified in * bindings for the GSS-API specified in RFC 8353.
* Generic Security Service API Version 2 : Java bindings
* *
* *
* This code sketch assumes the existence of a GSS-API * This code sketch assumes the existence of a GSS-API
* implementation that supports the mechanism that it will need * implementation that supports the mechanism that it will need
* and is present as a library package (org.ietf.jgss) either as * and is present as a library package (org.ietf.jgss) either as
* part of the standard JRE or in the CLASSPATH the application * part of the standard JRE or in the CLASSPATH the application
* specifies. * specifies.
*/ */
public class SimpleClient { public class SimpleClient {
skipping to change at page 83, line 6 skipping to change at page 84, line 7
private void initializeGSS() { private void initializeGSS() {
try { try {
clientCred = mgr.createCredential(null /*default princ*/, clientCred = mgr.createCredential(null /*default princ*/,
GSSCredential.INDEFINITE_LIFETIME /* max lifetime */, GSSCredential.INDEFINITE_LIFETIME /* max lifetime */,
mech /* mechanism to use */, mech /* mechanism to use */,
GSSCredential.INITIATE_ONLY /* init context */); GSSCredential.INITIATE_ONLY /* init context */);
print("GSSCredential created for " + print("GSSCredential created for " +
cred.getName().toString()); clientCred.getName().toString());
print("Credential lifetime (sec)=" + print("Credential lifetime (sec)=" +
cred.getRemainingLifetime()); clientCred.getRemainingLifetime());
} catch (GSSException e) { } catch (GSSException e) {
print("GSS-API error in credential acquisition: " print("GSS-API error in credential acquisition: "
+ e.getMessage()); + e.getMessage());
... ...
... ...
} }
... ...
... ...
} }
skipping to change at page 83, line 32 skipping to change at page 84, line 33
*/ */
private void establishContext() { private void establishContext() {
byte[] inToken = new byte[0]; byte[] inToken = new byte[0];
byte[] outToken = null; byte[] outToken = null;
try { try {
GSSName peer = mgr.createName(serviceName, GSSName peer = mgr.createName(serviceName,
GSSName.NT_HOSTBASED_SERVICE); GSSName.NT_HOSTBASED_SERVICE);
context = mgr.createContext(peer, mech, gssCred, context = mgr.createContext(peer, mech, clientCred,
GSSContext.INDEFINITE_LIFETIME/*lifetime*/); GSSContext.INDEFINITE_LIFETIME/*lifetime*/);
// Will need to support confidentiality // Will need to support confidentiality
context.requestConf(true); context.requestConf(true);
while (!context.isEstablished()) { while (!context.isEstablished()) {
outToken = context.initSecContext(inToken, 0, outToken = context.initSecContext(inToken, 0,
inToken.length); inToken.length);
if (outToken != null) if (outToken != null)
writeGSSToken(outToken); writeGSSToken(outToken);
if (!context.isEstablished()) if (!context.isEstablished())
inToken = readGSSToken(); inToken = readGSSToken();
} }
GSSName peer = context.getSrcName(); peer = context.getTargName();
print("Security context established with " + peer + print("Security context established with " + peer +
" using underlying mechanism " + mech.toString()); " using underlying mechanism " + mech.toString());
} catch (GSSException e) { } catch (GSSException e) {
print("GSS-API error during context establishment: " print("GSS-API error during context establishment: "
+ e.getMessage()); + e.getMessage());
// If the exception contains an output token, // If the exception contains an output token,
// it should be sent to the acceptor. // it should be sent to the acceptor.
byte[] outTok = e.getOutputToken(); byte[] outTok = e.getOutputToken();
if (outTok != null) { if (outTok != null) {
writeGSSToken(outTok); writeGSSToken(outTok);
} }
skipping to change at page 84, line 33 skipping to change at page 85, line 34
* Sends some data to the server and reads back the * Sends some data to the server and reads back the
* response. * response.
*/ */
private void doCommunication() { private void doCommunication() {
byte[] inToken = null; byte[] inToken = null;
byte[] outToken = null; byte[] outToken = null;
byte[] buffer; byte[] buffer;
// Container for multiple input-output arguments to and // Container for multiple input-output arguments to and
// from the per-message routines (e.g., wrap/unwrap). // from the per-message routines (e.g., wrap/unwrap).
MessageProp messgInfo = new MessageProp(); MessageProp messgInfo = new MessageProp(true);
try { try {
/* /*
* Now send some bytes to the server to be * Now send some bytes to the server to be
* processed. They will be integrity protected * processed. They will be integrity protected
* but not encrypted for privacy. * but not encrypted for privacy.
*/ */
buffer = readFromFile(); buffer = readFromFile();
skipping to change at page 85, line 4 skipping to change at page 86, line 6
buffer = readFromFile(); buffer = readFromFile();
// Set privacy to "false" and use the default QOP // Set privacy to "false" and use the default QOP
messgInfo.setPrivacy(false); messgInfo.setPrivacy(false);
outToken = context.wrap(buffer, 0, buffer.length, outToken = context.wrap(buffer, 0, buffer.length,
messgInfo); messgInfo);
writeGSSToken(outToken); writeGSSToken(outToken);
/* /*
* Now read the response from the server. * Now read the response from the server.
*/ */
inToken = readGSSToken(); inToken = readGSSToken();
buffer = context.unwrap(inToken, 0, buffer = context.unwrap(inToken, 0,
inToken.length, messgInfo); inToken.length, messgInfo);
// All ok if no exception was thrown! // All ok if no exception was thrown!
GSSName peer = context.getSrcName(); GSSName peer = context.getTargName();
print("Message from " + peer.toString() print("Message from " + peer.toString()
+ " arrived."); + " arrived.");
print("Was it encrypted? " + print("Was it encrypted? " +
messgInfo.getPrivacy()); messgInfo.getPrivacy());
print("Duplicate Token? " + print("Duplicate Token? " +
messgInfo.isDuplicateToken()); messgInfo.isDuplicateToken());
print("Old Token? " + print("Old Token? " +
messgInfo.isOldToken()); messgInfo.isOldToken());
print("Unsequenced Token? " + print("Unsequenced Token? " +
skipping to change at page 86, line 6 skipping to change at page 87, line 14
8.2. Simple GSS Context Acceptor 8.2. Simple GSS Context Acceptor
<CODE BEGINS> <CODE BEGINS>
import org.ietf.jgss.*; import org.ietf.jgss.*;
/** /**
* This is a partial sketch for a simple server program that acts * This is a partial sketch for a simple server program that acts
* as a GSS context acceptor. It illustrates how to use the Java * as a GSS context acceptor. It illustrates how to use the Java
* bindings for the GSS-API specified in * bindings for the GSS-API specified in
* Generic Security Service API Version 2 : Java bindings. * Generic Security Service API Version 2 : Java Bindings.
* *
* This code sketch assumes the existence of a GSS-API * This code sketch assumes the existence of a GSS-API
* implementation that supports the mechanisms that it will need * implementation that supports the mechanisms that it will need
* and is present as a library package (org.ietf.jgss) either as * and is present as a library package (org.ietf.jgss) either as
* part of the standard JRE or in the CLASSPATH the application * part of the standard JRE or in the CLASSPATH the application
* specifies. * specifies.
*/ */
import org.ietf.jgss.*; import org.ietf.jgss.*;
skipping to change at page 86, line 29 skipping to change at page 87, line 37
private String serviceName; private String serviceName;
private GSSName name; private GSSName name;
private GSSCredential cred; private GSSCredential cred;
private GSSManager mgr; private GSSManager mgr;
... ...
... ...
/** /**
* Wait for client connections, establish security contexts * Wait for client connections, establish security contexts,
* and provide service. * and provide service.
*/ */
private void loop() { private void loop() throws Exception {
... ...
... ...
mgr = GSSManager.getInstance(); mgr = GSSManager.getInstance();
name = mgr.createName(serviceName, name = mgr.createName(serviceName,
GSSName.NT_HOSTBASED_SERVICE); GSSName.NT_HOSTBASED_SERVICE);
cred = mgr.createCredential(name, cred = mgr.createCredential(name,
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME,
null, (Oid[])null,
GSSCredential.ACCEPT_ONLY); GSSCredential.ACCEPT_ONLY);
// Loop infinitely // Loop infinitely
while (true) { while (true) {
Socket s = serverSock.accept(); Socket s = serverSock.accept();
// Start a new thread to serve this connection // Start a new thread to serve this connection
Thread serverThread = new ServerThread(s); Thread serverThread = new ServerThread(s);
serverThread.start(); serverThread.start();
} }
} }
/** /**
* Inner class ServerThread whose run() method provides the * Inner class ServerThread whose run() method provides the
* secure service to a connection. * secure service to a connection.
*/ */
private class ServerThread extends Thread { private class ServerThread extends Thread {
skipping to change at page 87, line 29 skipping to change at page 88, line 36
* Deals with the connection from one client. It also * Deals with the connection from one client. It also
* handles all GSSException's thrown while talking to * handles all GSSException's thrown while talking to
* this client. * this client.
*/ */
public void run() { public void run() {
byte[] inToken = null; byte[] inToken = null;
byte[] outToken = null; byte[] outToken = null;
byte[] buffer; byte[] buffer;
GSSName peer;
// Container for multiple input-output arguments to // Container for multiple input-output arguments to
// and from the per-message routines // and from the per-message routines
// (i.e., wrap/unwrap). // (i.e., wrap/unwrap).
MessageProp supplInfo = new MessageProp(); MessageProp supplInfo = new MessageProp(true);
GSSContext secContext = null;
try { try {
// Now do the context establishment loop // Now do the context establishment loop
GSSContext context = mgr.createContext(cred); GSSContext context = mgr.createContext(cred);
while (!context.isEstablished()) { while (!context.isEstablished()) {
inToken = readGSSToken(); inToken = readGSSToken();
outToken = context.acceptSecContext(inToken, outToken = context.acceptSecContext(inToken,
0, inToken.length); 0, inToken.length);
skipping to change at page 88, line 13 skipping to change at page 89, line 19
if (!context.getConfState()){ if (!context.getConfState()){
... ...
... ...
} }
GSSName peer = context.getSrcName(); GSSName peer = context.getSrcName();
Oid mech = context.getMech(); Oid mech = context.getMech();
print("Security context established with " + print("Security context established with " +
peer.toString() + peer.toString() +
" using underlying mechanism " + " using underlying mechanism " +
mech.toString() + mech.toString());
" from Provider " +
context.getProvider().getName());
// Now read the bytes sent by the client to be // Now read the bytes sent by the client to be
// processed. // processed.
inToken = readGSSToken(); inToken = readGSSToken();
// Unwrap the message // Unwrap the message
buffer = context.unwrap(inToken, 0, buffer = context.unwrap(inToken, 0,
inToken.length, supplInfo); inToken.length, supplInfo);
// All ok if no exception was thrown! // All ok if no exception was thrown!
skipping to change at page 89, line 39 skipping to change at page 90, line 44
... ...
} // end of class SimpleServer } // end of class SimpleServer
<CODE ENDS> <CODE ENDS>
9. Security Considerations 9. Security Considerations
The Java language security model allows platform providers to have The Java language security model allows platform providers to have
policy-based fine-grained access control over any resource that an policy-based fine-grained access control over any resource that an
application wants. When using a Java security manager (such as, but application wants. When using a Java security manager (such as, but
not limited to, the case of applets running in browsers) the not limited to, the case of applets running in browsers), the
application code is in a sandbox by default. application code is in a sandbox by default.
Administrators of the platform JRE determine what permissions, if Administrators of the platform JRE determine what permissions, if
any, are to be given to source from different codebases. Thus, the any, are to be given to source from different codebases. Thus, the
administrator has to be aware of any special requirements that the administrator has to be aware of any special requirements that the
GSS provider might have for system resources. For instance, a GSS provider might have for system resources. For instance, a
Kerberos provider might wish to make a network connection to the Key Kerberos provider might wish to make a network connection to the Key
Distribution Center (KDC) to obtain initial credentials. This would Distribution Center (KDC) to obtain initial credentials. This would
not be allowed under the sandbox unless the administrator had granted not be allowed under the sandbox unless the administrator had granted
permissions for this. Also, note that this granting and checking of permissions for this. Also, note that this granting and checking of
permissions happens transparently to the application and is outside permissions happens transparently to the application and is outside
the scope of this document. the scope of this document.
The Java language allows administrators to pre-configure a list of The Java language allows administrators to pre-configure a list of
security service providers in the <JRE>/lib/security/java.security security service providers in the <JRE>/lib/security/java.security
file. At runtime, the system approaches these providers in order of file. At runtime, the system approaches these providers in order of
preference when looking for security related services. Applications preference when looking for security-related services. Applications
have a means to modify this list through methods in the "Security" have a means to modify this list through methods in the "Security"
class in the "java.security" package. However, since these class in the "java.security" package. However, since these
modifications would be visible in the entire Java Virtual Machine modifications would be visible in the entire Java Virtual Machine
(JVM) and thus affect all code executing in it, this operation is not (JVM) and thus affect all code executing in it, this operation is not
available in the sandbox and requires special permissions to perform. available in the sandbox and requires special permissions to perform.
Thus, when a GSS application has special needs that are met by a Thus, when a GSS application has special needs that are met by a
particular security provider, it has two choices: particular security provider, it has two choices:
1) To install the provider on a JVM-wide basis using the 1) Install the provider on a JVM-wide basis using the
java.security.Security class and then depend on the system to find java.security.Security class and then depend on the system to find
the right provider automatically when the need arises. (This the right provider automatically when the need arises. (This
would require the application to be granted a "insertProvider would require the application to be granted a "insertProvider
SecurityPermission".) SecurityPermission".)
2) To pass an instance of the provider to the local instance of 2) Pass an instance of the provider to the local instance of
GSSManager so that only factory calls going through that GSSManager so that only factory calls going through that
GSSManager use the desired provider. (This would not require any GSSManager use the desired provider. (This would not require any
permissions.) permissions.)
10. IANA Considerations 10. IANA Considerations
This document has no actions for IANA. This document has no IANA actions.
11. Acknowledgments
This proposed API leverages earlier work performed by the IETF's CAT
WG as outlined in both RFC 2743 [RFC2743] and RFC 2744 [RFC2744].
Many conceptual definitions, implementation directions, and
explanations have been included from these documents.
We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael
Saltz, and other members of Sun's development team for their helpful
input, comments, and suggestions.
We would also like to thank Joe Salowey, and Michael Smith for many
insightful ideas and suggestions that have contributed to this
document.
12. Changes since RFC 5653 11. Changes since RFC 5653
This document has following changes: This document has following changes:
1) New error token embedded in GSSException 1) New error token embedded in GSSException
There is a design flaw in the initSecContext and acceptSecContext There is a design flaw in the initSecContext and acceptSecContext
methods of the GSSContext class defined in Generic Security methods of the GSSContext class defined in "Generic Security
Service API Version 2: Java Bindings Update [RFC5653]. Service API Version 2: Java Bindings Update" [RFC5653].
The methods could either return a token (possibly null if no more The methods could either return a token (possibly null if no more
tokens are needed) when the call succeeds or throw a GSSException tokens are needed) when the call succeeds or throw a GSSException
if there is a failure, but NOT both. On the other hand, the C if there is a failure, but NOT both. On the other hand, the
bindings of GSS-API [RFC2744] can return both, that is to say, a C-bindings of GSS-API [RFC2744] can return both; that is to say, a
call to the GSS_Init_sec_context() function can return a major call to the GSS_Init_sec_context() function can return a major
status code, and at the same time, fill in the output_token status code, and at the same time, fill in the output_token
argument if there is one. argument if there is one.
Without the ability to emit an error token when there is a Without the ability to emit an error token when there is a
failure, a Java application has no mechanism to tell the other failure, a Java application has no mechanism to tell the other
side what the error is. For example, a "reject" NegTokenResp side what the error is. For example, a "reject" NegTokenResp
token can never be transmitted for the SPNEGO mechanism [RFC4178]. token can never be transmitted for the SPNEGO mechanism [RFC4178].
While a Java method can never return a value and throw an While a Java method can never return a value and throw an
exception at the same time, we can embed the error token inside exception at the same time, we can embed the error token inside
the exception so that the caller has a chance to retrieve it. the exception so that the caller has a chance to retrieve it.
This update adds a new GSSException constructor to include this This update adds a new GSSException constructor to include this
token inside a GSSException object, and a getOutputToken() method token inside a GSSException object and a getOutputToken() method
to retrieve the token. The specification for the initSecContext to retrieve the token. The specification for the initSecContext
and acceptSecContext methods are updated to describe the new and acceptSecContext methods are updated to describe the new
behavior. Various examples are also updated. behavior. Various examples are also updated.
New JGSS programs SHOULD make use of this new feature but it is New JGSS programs SHOULD make use of this new feature, but it is
not mandatory. A program that intends to run with both old and not mandatory. A program that intends to run with both old and
new GSS Java bindings can use reflection to check the availability new GSS Java bindings can use reflection to check the availability
of this new method and call it accordingly. of this new method and call it accordingly.
2) Removing stream-based GSSContext methods 2) Removing Stream-Based GSSContext Methods
The overloaded methods of GSSContext that use input and output The overloaded methods of GSSContext that use input and output
streams as the means to convey authentication and per-message GSS- streams as the means to convey authentication and per-message
API tokens as described in Section 5.15 of RFC 5653 [RFC5653] are GSS-API tokens as described in Section 5.15 of RFC 5653 [RFC5653]
removed in this update as the wire protocol should be defined by are removed in this update as the wire protocol should be defined
an application and not a library. It's also impossible to by an application and not a library. It's also impossible to
implement these methods correctly when the token has no self- implement these methods correctly when the token has no self-
framing (where the end cannot be determined) or the library has no framing (where the end cannot be determined), or the library has
knowledge of the token format (for example, as a bridge talking to no knowledge of the token format (for example, as a bridge talking
another GSS library). These methods include initSecContext to another GSS library). These methods include initSecContext
(Section 7.4.5 of RFC 5653 [RFC5653]), acceptSecContext (Section 7.4.5 of RFC 5653 [RFC5653]), acceptSecContext
(Section 7.4.9 of RFC 5653 [RFC5653]), wrap (Section 7.4.15 of RFC (Section 7.4.9 of RFC 5653 [RFC5653]), wrap (Section 7.4.15 of RFC
5653 [RFC5653]), unwrap (Section 7.4.17 of RFC 5653 [RFC5653]), 5653 [RFC5653]), unwrap (Section 7.4.17 of RFC 5653 [RFC5653]),
getMIC (Section 7.4.19 of RFC 5653 [RFC5653]), and verifyMIC getMIC (Section 7.4.19 of RFC 5653 [RFC5653]), and verifyMIC
(Section 7.4.21 of RFC 5653 [RFC5653]). (Section 7.4.21 of RFC 5653 [RFC5653]).
13. Changes since RFC 2853 12. Changes since RFC 2853
This document has following changes: This document has the following changes:
1) Major GSS Status Code Constant Values 1) Major GSS Status Code Constant Values
RFC 2853 listed all the GSS status code values in two different RFC 2853 listed all the GSS status code values in two different
sections: section 4.12.1 defined numeric values for them, and sections: Section 4.12.1 defined numeric values for them, and
section 6.8.1 defined them as static constants in the GSSException Section 6.8.1 defined them as static constants in the GSSException
class without assigning any values. Due to an inconsistent class without assigning any values. Due to an inconsistent
ordering between these two sections, all of the GSS major status ordering between these two sections, all of the GSS major status
codes resulted in misalignment, and a subsequent disagreement codes resulted in misalignment and a subsequent disagreement
between deployed implementations. between deployed implementations.
This document defines the numeric values of the GSS status codes This document defines the numeric values of the GSS status codes
in both sections, while maintaining the original ordering from in both sections, while maintaining the original ordering from
section 6.8.1 of RFC 2853 [RFC2853], and obsoletes the GSS status Section 6.8.1 of RFC 2853 [RFC2853], and it obsoletes the GSS
code values defined in section 4.12.1. The relevant sections in status code values defined in Section 4.12.1. The relevant
this document are sections 5.12.1 and 7.8.1. sections in this document are Sections 5.12.1 and 7.8.1.
2) GSS Credential Usage Constant Values 2) GSS Credential Usage Constant Values
RFC 2853 section 6.3.2 defines static constants for the RFC 2853, Section 6.3.2 defines static constants for the
GSSCredential usage flags. However, the values of these constants GSSCredential usage flags. However, the values of these constants
were not defined anywhere in RFC 2853 [RFC2853]. were not defined anywhere in RFC 2853 [RFC2853].
This document defines the credential usage values in section This document defines the credential usage values in
7.3.1. The original ordering of these values from section 6.3.2 Section 7.3.1. The original ordering of these values from
of RFC 2853 [RFC2853] is maintained. Section 6.3.2 of RFC 2853 [RFC2853] is maintained.
3) GSS Host-Based Service Name 3) GSS Host-Based Service Name
RFC 2853 [RFC2853], section 6.2.2, defines the static constant for RFC 2853 [RFC2853], Section 6.2.2 defines the static constant for
the GSS host-based service OID NT_HOSTBASED_SERVICE, using a the GSS host-based service OID NT_HOSTBASED_SERVICE, using a
deprecated OID value. deprecated OID value.
This document updates the NT_HOSTBASED_SERVICE OID value in This document updates the NT_HOSTBASED_SERVICE OID value in
section 7.2.1 to be consistent with the C-bindings in RFC 2744 Section 7.2.1 to be consistent with the C-bindings in RFC 2744
[RFC2744]. [RFC2744].
14. References 13. References
14.1. Normative References 13.1. Normative References
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, DOI 10.17487/RFC2025, October 1996, (SPKM)", RFC 2025, DOI 10.17487/RFC2025, October 1996,
<https://www.rfc-editor.org/info/rfc2025>. <https://www.rfc-editor.org/info/rfc2025>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 93, line 45 skipping to change at page 95, line 5
[RFC5653] Upadhyay, M. and S. Malkani, "Generic Security Service API [RFC5653] Upadhyay, M. and S. Malkani, "Generic Security Service API
Version 2: Java Bindings Update", RFC 5653, Version 2: Java Bindings Update", RFC 5653,
DOI 10.17487/RFC5653, August 2009, DOI 10.17487/RFC5653, August 2009,
<https://www.rfc-editor.org/info/rfc5653>. <https://www.rfc-editor.org/info/rfc5653>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
14.2. Informative References 13.2. Informative References
[JLS] Gosling, J., Joy, B., Steele, G., and G. Bracha, "The Java [ISOIEC-8824]
Language Specification", Third Edition, 2005, International Organization for Standardization,
<http://java.sun.com/docs/books/jls/>. "Information technology -- Abstract Syntax Notation One
(ASN.1): Specification of basic notation", ISO/
IEC 8824-1:2014, November 2015,
<https://www.iso.org/standard/68350.html>.
[ISOIEC-8825]
International Organization for Standardization,
"Information technology -- ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ISO/IEC 8825-1:2015, November 2015,
<https://www.iso.org/standard/68345.html>.
[JLS] Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A.,
and D. Smith, "The Java Language Specification", Java SE
10 Edition, February 2018,
<https://docs.oracle.com/javase/specs/jls/se10/html/
index.html>.
Acknowledgments
We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael
Saltz, and other members of Sun's development team for their helpful
input, comments, and suggestions.
We would also like to thank Greg Hudson, Benjamin Kaduk, Joe Salowey
and Michael Smith for many insightful ideas and suggestions that have
contributed to this document.
Authors' Addresses Authors' Addresses
Mayank D. Upadhyay Mayank D. Upadhyay
Google Inc. Google Inc.
1600 Amphitheatre Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
USA United States of America
Email: m.d.upadhyay+ietf@gmail.com Email: m.d.upadhyay+ietf@gmail.com
Seema Malkani Seema Malkani
ActivIdentity Corp. ActivIdentity Corp.
6623 Dumbarton Circle 6623 Dumbarton Circle
Fremont, California 94555 Fremont, California 94555
USA United States of America
Email: Seema.Malkani@gmail.com Email: Seema.Malkani@gmail.com
Wang Weijun Weijun Wang
Oracle Oracle
Building No. 24, Zhongguancun Software Park Building No. 24, Zhongguancun Software Park
Beijing 100193 Beijing 100193
China China
Email: weijun.wang@oracle.com Email: weijun.wang@oracle.com
 End of changes. 304 change blocks. 
545 lines changed or deleted 507 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/