CVS gss/doc/specification
From: gss-commit
Subject: CVS gss/doc/specification
Date: Wed, 1 Feb 2006 12:50:08 +0100
Update of /home/cvs/gss/doc/specification
In directory dopio:/tmp/cvs-serv19488/doc/specification
Added Files:
draft-ietf-kitten-rfc2853bis-01.txt
Log Message:
Add.
--- /home/cvs/gss/doc/specification/draft-ietf-kitten-rfc2853bis-01.txt
2006/02/01 11:50:08 NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-rfc2853bis-01.txt
2006/02/01 11:50:08 1.1
Network Working Group M. Upadhyay
Internet-Draft Google
Expires: July 31, 2006 S. Malkani
Sun Microsystems
January 27, 2006
Generic Security Service API Version 2 : Java Bindings Update
draft-ietf-kitten-rfc2853bis-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 31, 2006.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The Generic Security Services Application Program Interface (GSS-API)
offers application programmers uniform access to security services
atop a variety of underlying cryptographic mechanisms. This document
updates the Java bindings for the GSS-API that are specified in RFC
2853 [JGSS]. This document obsoletes RFC 2853 [JGSS] by making
specific and incremental clarifications and corrections to it in
response to identification of transcription errors and implementation
Upadhyay & Malkani Expires July 31, 2006 [Page 1]
Internet-Draft Java GSS-API Update January 2006
experience. The only note-worthy changes are in sections 4.12.1,
6.3.2, and 6.8.1 of RFC 2853 [JGSS], which are replaced by the
sections 5.12.1, 7.3.2, and 7.8.1 of this document, where numerical
constants were either added or modified.
The GSS-API is described at a language independent conceptual level
in RFC 2743 [GSSAPIv2-UPDATE]. The GSS-API allows a caller
application to authenticate a principal identity, to delegate rights
to a peer, and to apply security services such as confidentiality and
integrity on a per-message basis. Examples of security mechanisms
defined for GSS-API are The Simple Public-Key GSS-API Mechanism
[SPKM] and The Kerberos Version 5 GSS-API Mechanism [KERBV5].
Table of Contents
1. Conventions Used in This Document . . . . . . . . . . . . . 6
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7
3. GSS-API Operational Paradigm . . . . . . . . . . . . . . . . 8
4. Additional Controls . . . . . . . . . . . . . . . . . . . . 10
4.1 Delegation . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 Mutual Authentication . . . . . . . . . . . . . . . . . . 12
4.3 Replay and Out-of-Sequence Detection . . . . . . . . . . . 12
4.4 Anonymous Authentication . . . . . . . . . . . . . . . . . 13
4.5 Confidentiality . . . . . . . . . . . . . . . . . . . . . 14
4.6 Inter-process Context Transfer . . . . . . . . . . . . . . 14
4.7 The Use of Incomplete Contexts . . . . . . . . . . . . . . 15
5. Calling Conventions . . . . . . . . . . . . . . . . . . . . 16
5.1 Package Name . . . . . . . . . . . . . . . . . . . . . . . 16
5.2 Provider Framework . . . . . . . . . . . . . . . . . . . . 16
5.3 Integer Types . . . . . . . . . . . . . . . . . . . . . . 17
5.4 Opaque Data Types . . . . . . . . . . . . . . . . . . . . 17
5.5 Strings . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.6 Object Identifiers . . . . . . . . . . . . . . . . . . . . 17
5.7 Object Identifier Sets . . . . . . . . . . . . . . . . . . 18
5.8 Credentials . . . . . . . . . . . . . . . . . . . . . . . 18
5.9 Contexts . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.10 Authentication Tokens . . . . . . . . . . . . . . . . . 20
5.11 Interprocess Tokens . . . . . . . . . . . . . . . . . . 21
5.12 Error Reporting . . . . . . . . . . . . . . . . . . . . 21
5.12.1 GSS Status Codes . . . . . . . . . . . . . . . . . . 21
5.12.2 Mechanism-Specific Status Codes . . . . . . . . . . 24
5.12.3 Supplementary Status Codes . . . . . . . . . . . . . 24
5.13 Names . . . . . . . . . . . . . . . . . . . . . . . . . 25
5.14 Channel Bindings . . . . . . . . . . . . . . . . . . . . 27
5.15 Stream Objects . . . . . . . . . . . . . . . . . . . . . 28
5.16 Optional Parameters . . . . . . . . . . . . . . . . . . 28
6. Introduction to GSS-API Classes and Interfaces . . . . . . . 30
6.1 GSSManager class . . . . . . . . . . . . . . . . . . . . . 30
Upadhyay & Malkani Expires July 31, 2006 [Page 2]
Internet-Draft Java GSS-API Update January 2006
6.2 GSSName interface . . . . . . . . . . . . . . . . . . . . 31
6.3 GSSCredential interface . . . . . . . . . . . . . . . . . 31
6.4 GSSContext interface . . . . . . . . . . . . . . . . . . . 32
6.5 MessageProp class . . . . . . . . . . . . . . . . . . . . 34
6.6 GSSException class . . . . . . . . . . . . . . . . . . . . 34
6.7 Oid class . . . . . . . . . . . . . . . . . . . . . . . . 34
6.8 ChannelBinding class . . . . . . . . . . . . . . . . . . . 35
7. Detailed GSS-API Class Description . . . . . . . . . . . . . 36
7.1 public abstract class GSSManager . . . . . . . . . . . . . 36
7.1.1 Example Code . . . . . . . . . . . . . . . . . . . . . 37
7.1.2 getInstance . . . . . . . . . . . . . . . . . . . . . 37
7.1.3 getMechs . . . . . . . . . . . . . . . . . . . . . . . 37
7.1.4 getNamesForMech . . . . . . . . . . . . . . . . . . . 38
7.1.5 getMechsForName . . . . . . . . . . . . . . . . . . . 38
7.1.6 createName . . . . . . . . . . . . . . . . . . . . . . 38
7.1.7 createName . . . . . . . . . . . . . . . . . . . . . . 39
7.1.8 createName . . . . . . . . . . . . . . . . . . . . . . 39
7.1.9 createName . . . . . . . . . . . . . . . . . . . . . . 40
7.1.10 createCredential . . . . . . . . . . . . . . . . . . 40
7.1.11 createCredential . . . . . . . . . . . . . . . . . . 41
7.1.12 createCredential . . . . . . . . . . . . . . . . . . 41
7.1.13 createContext . . . . . . . . . . . . . . . . . . . 42
7.1.14 createContext . . . . . . . . . . . . . . . . . . . 42
7.1.15 createContext . . . . . . . . . . . . . . . . . . . 43
7.1.16 addProviderAtFront . . . . . . . . . . . . . . . . . 43
7.1.17 Example Code . . . . . . . . . . . . . . . . . . . . 44
7.1.18 addProviderAtEnd . . . . . . . . . . . . . . . . . . 45
7.1.19 Example Code . . . . . . . . . . . . . . . . . . . . 45
7.2 public interface GSSName . . . . . . . . . . . . . . . . . 46
7.2.1 Example Code . . . . . . . . . . . . . . . . . . . . . 46
7.2.2 Static Constants . . . . . . . . . . . . . . . . . . . 47
7.2.3 equals . . . . . . . . . . . . . . . . . . . . . . . . 48
7.2.4 equals . . . . . . . . . . . . . . . . . . . . . . . . 48
7.2.5 canonicalize . . . . . . . . . . . . . . . . . . . . . 49
7.2.6 export . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.7 toString . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.8 getStringNameType . . . . . . . . . . . . . . . . . . 50
7.2.9 isAnonymous . . . . . . . . . . . . . . . . . . . . . 50
7.2.10 isMN . . . . . . . . . . . . . . . . . . . . . . . . 50
7.3 public interface GSSCredential implements Cloneable . . . 50
7.3.1 Example Code . . . . . . . . . . . . . . . . . . . . . 51
7.3.2 Static Constants . . . . . . . . . . . . . . . . . . . 52
7.3.3 dispose . . . . . . . . . . . . . . . . . . . . . . . 52
7.3.4 getName . . . . . . . . . . . . . . . . . . . . . . . 52
7.3.5 getName . . . . . . . . . . . . . . . . . . . . . . . 52
7.3.6 getRemainingLifetime . . . . . . . . . . . . . . . . . 53
7.3.7 getRemainingInitLifetime . . . . . . . . . . . . . . . 53
7.3.8 getRemainingAcceptLifetime . . . . . . . . . . . . . . 53
Upadhyay & Malkani Expires July 31, 2006 [Page 3]
Internet-Draft Java GSS-API Update January 2006
7.3.9 getUsage . . . . . . . . . . . . . . . . . . . . . . . 54
7.3.10 getUsage . . . . . . . . . . . . . . . . . . . . . . 54
7.3.11 getMechs . . . . . . . . . . . . . . . . . . . . . . 54
7.3.12 add . . . . . . . . . . . . . . . . . . . . . . . . 54
7.3.13 equals . . . . . . . . . . . . . . . . . . . . . . . 55
7.4 public interface GSSContext . . . . . . . . . . . . . . . 55
7.4.1 Example Code . . . . . . . . . . . . . . . . . . . . . 56
7.4.2 Static Constants . . . . . . . . . . . . . . . . . . . 58
7.4.3 initSecContext . . . . . . . . . . . . . . . . . . . . 58
7.4.4 Example Code . . . . . . . . . . . . . . . . . . . . . 60
7.4.5 initSecContext . . . . . . . . . . . . . . . . . . . . 60
7.4.6 Example Code . . . . . . . . . . . . . . . . . . . . . 61
7.4.7 acceptSecContext . . . . . . . . . . . . . . . . . . . 62
7.4.8 Example Code . . . . . . . . . . . . . . . . . . . . . 63
7.4.9 acceptSecContext . . . . . . . . . . . . . . . . . . . 64
7.4.10 Example Code . . . . . . . . . . . . . . . . . . . . 64
7.4.11 isEstablished . . . . . . . . . . . . . . . . . . . 65
7.4.12 dispose . . . . . . . . . . . . . . . . . . . . . . 65
7.4.13 getWrapSizeLimit . . . . . . . . . . . . . . . . . . 66
7.4.14 wrap . . . . . . . . . . . . . . . . . . . . . . . . 66
7.4.15 wrap . . . . . . . . . . . . . . . . . . . . . . . . 67
7.4.16 unwrap . . . . . . . . . . . . . . . . . . . . . . . 68
7.4.17 unwrap . . . . . . . . . . . . . . . . . . . . . . . 69
7.4.18 getMIC . . . . . . . . . . . . . . . . . . . . . . . 70
7.4.19 getMIC . . . . . . . . . . . . . . . . . . . . . . . 70
7.4.20 verifyMIC . . . . . . . . . . . . . . . . . . . . . 71
7.4.21 verifyMIC . . . . . . . . . . . . . . . . . . . . . 72
7.4.22 export . . . . . . . . . . . . . . . . . . . . . . . 72
7.4.23 requestMutualAuth . . . . . . . . . . . . . . . . . 73
7.4.24 requestReplayDet . . . . . . . . . . . . . . . . . . 73
7.4.25 requestSequenceDet . . . . . . . . . . . . . . . . . 74
7.4.26 requestCredDeleg . . . . . . . . . . . . . . . . . . 74
7.4.27 requestAnonymity . . . . . . . . . . . . . . . . . . 74
7.4.28 requestConf . . . . . . . . . . . . . . . . . . . . 75
7.4.29 requestInteg . . . . . . . . . . . . . . . . . . . . 75
7.4.30 requestLifetime . . . . . . . . . . . . . . . . . . 75
7.4.31 setChannelBinding . . . . . . . . . . . . . . . . . 75
7.4.32 getCredDelegState . . . . . . . . . . . . . . . . . 76
7.4.33 getMutualAuthState . . . . . . . . . . . . . . . . . 76
7.4.34 getReplayDetState . . . . . . . . . . . . . . . . . 76
7.4.35 getSequenceDetState . . . . . . . . . . . . . . . . 76
7.4.36 getAnonymityState . . . . . . . . . . . . . . . . . 77
7.4.37 isTransferable . . . . . . . . . . . . . . . . . . . 77
7.4.38 isProtReady . . . . . . . . . . . . . . . . . . . . 77
7.4.39 getConfState . . . . . . . . . . . . . . . . . . . . 77
7.4.40 getIntegState . . . . . . . . . . . . . . . . . . . 77
7.4.41 getLifetime . . . . . . . . . . . . . . . . . . . . 77
7.4.42 getSrcName . . . . . . . . . . . . . . . . . . . . . 78
Upadhyay & Malkani Expires July 31, 2006 [Page 4]
Internet-Draft Java GSS-API Update January 2006
7.4.43 getTargName . . . . . . . . . . . . . . . . . . . . 78
7.4.44 getMech . . . . . . . . . . . . . . . . . . . . . . 78
7.4.45 getDelegCred . . . . . . . . . . . . . . . . . . . . 78
7.4.46 isInitiator . . . . . . . . . . . . . . . . . . . . 78
7.5 public class MessageProp . . . . . . . . . . . . . . . . . 78
7.5.1 Constructors . . . . . . . . . . . . . . . . . . . . . 79
7.5.2 getQOP . . . . . . . . . . . . . . . . . . . . . . . . 79
7.5.3 getPrivacy . . . . . . . . . . . . . . . . . . . . . . 80
7.5.4 getMinorStatus . . . . . . . . . . . . . . . . . . . . 80
7.5.5 getMinorString . . . . . . . . . . . . . . . . . . . . 80
7.5.6 setQOP . . . . . . . . . . . . . . . . . . . . . . . . 80
7.5.7 setPrivacy . . . . . . . . . . . . . . . . . . . . . . 80
7.5.8 isDuplicateToken . . . . . . . . . . . . . . . . . . . 80
7.5.9 isOldToken . . . . . . . . . . . . . . . . . . . . . . 81
7.5.10 isUnseqToken . . . . . . . . . . . . . . . . . . . . 81
7.5.11 isGapToken . . . . . . . . . . . . . . . . . . . . . 81
7.5.12 setSupplementaryStates . . . . . . . . . . . . . . . 81
7.6 public class ChannelBinding . . . . . . . . . . . . . . . 82
7.6.1 Constructors . . . . . . . . . . . . . . . . . . . . . 82
7.6.2 getInitiatorAddress . . . . . . . . . . . . . . . . . 83
7.6.3 getAcceptorAddress . . . . . . . . . . . . . . . . . . 83
7.6.4 getApplicationData . . . . . . . . . . . . . . . . . . 83
7.6.5 equals . . . . . . . . . . . . . . . . . . . . . . . . 83
7.7 public class Oid . . . . . . . . . . . . . . . . . . . . . 83
7.7.1 Constructors . . . . . . . . . . . . . . . . . . . . . 84
7.7.2 toString . . . . . . . . . . . . . . . . . . . . . . . 84
7.7.3 equals . . . . . . . . . . . . . . . . . . . . . . . . 85
7.7.4 getDER . . . . . . . . . . . . . . . . . . . . . . . . 85
7.7.5 containedIn . . . . . . . . . . . . . . . . . . . . . 85
7.8 public class GSSException extends Exception . . . . . . . 85
7.8.1 Static Constants . . . . . . . . . . . . . . . . . . . 86
7.8.2 Constructors . . . . . . . . . . . . . . . . . . . . . 88
7.8.3 getMajor . . . . . . . . . . . . . . . . . . . . . . . 89
7.8.4 getMinor . . . . . . . . . . . . . . . . . . . . . . . 89
7.8.5 getMajorString . . . . . . . . . . . . . . . . . . . . 89
7.8.6 getMinorString . . . . . . . . . . . . . . . . . . . . 89
7.8.7 setMinor . . . . . . . . . . . . . . . . . . . . . . . 89
7.8.8 toString . . . . . . . . . . . . . . . . . . . . . . . 89
7.8.9 getMessage . . . . . . . . . . . . . . . . . . . . . . 90
8. Sample Applications . . . . . . . . . . . . . . . . . . . . 91
8.1 Simple GSS Context Initiator . . . . . . . . . . . . . . . 91
8.2 Simple GSS Context Acceptor . . . . . . . . . . . . . . . 94
9. Security Considerations . . . . . . . . . . . . . . . . . . 99
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 100
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 100
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 101
Intellectual Property and Copyright Statements . . . . . . . 102
Upadhyay & Malkani Expires July 31, 2006 [Page 5]
Internet-Draft Java GSS-API Update January 2006
1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Upadhyay & Malkani Expires July 31, 2006 [Page 6]
Internet-Draft Java GSS-API Update January 2006
2. Introduction
This document specifies Java language bindings for the Generic
Security Services Application Programming Interface Version 2 (GSS-
API). GSS-API Version 2 is described in a language independent
format in RFC 2743 [GSSAPIv2-UPDATE]. The GSS-API allows a caller
application to authenticate a principal identity, to delegate rights
to a peer, and to apply security services such as confidentiality and
integrity on a per-message basis.
This document and its predecessor RFC 2853 [JGSS] leverage the work
done by the WG in the area of RFC 2743 [GSSAPIv2-UPDATE] and the
C-bindings RFC 2744 [GSSAPI-C]. Whenever appropriate, text has been
used from the C-bindings RFC 2744 to explain generic concepts and
provide direction to the implementors.
The design goals of this API have been to satisfy all the
functionality defined in RFC 2743 and to provide these services in an
object oriented method. The specification also aims to satisfy the
needs of both types of Java application developers, those who would
like access to a "system-wide" GSS-API implementation, as well as
those who would want to provide their own "custom" implementation.
A "system-wide" implementation is one that is available to all
applications in the form of a library package. It may be the
standard package in the Java runtime environment (JRE) being used or
it may be additionally installed and accessible to any application
via the CLASSPATH.
A "custom" implementation of the GSS-API, on the other hand, is one
that would, in most cases, be bundled with the application during
distribution. It is expected that such an implementation would be
meant to provide for some particular need of the application, such as
support for some specific mechanism.
The design of this API also aims to provide a flexible framework to
add and manage GSS-API mechanisms. GSS-API leverages the Java
Cryptography Architecture (JCA) provider model to support the
plugability of mechanisms. Mechanisms can be added on a "system-
wide" basis, where all users of the framework will have them
available. The specification also allows for the addition of
mechanisms per-instance of the GSS-API.
Lastly, this specification presents an API that will naturally fit
within the operation environment of the Java platform. Readers are
assumed to be familiar with both the GSS-API and the Java platform.
Upadhyay & Malkani Expires July 31, 2006 [Page 7]
Internet-Draft Java GSS-API Update January 2006
3. GSS-API Operational Paradigm
The Generic Security Service Application Programming Interface
Version 2 [GSSAPIv2-UPDATE] defines a generic security API to calling
applications. It allows a communicating application to authenticate
[5312 lines skipped]
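Review bot: the log message "Add." gives no provenance for the imported file, so a reader of the history cannot tell where draft-ietf-kitten-rfc2853bis-01.txt was fetched from or which revision it supersedes; since the draft's own status text says it expires on July 31, 2006 and should not be cited as reference material, record the source URL and the draft revision in the log message so the copy under doc/specification can be refreshed when a later revision or the resulting RFC appears.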