idnits 2.17.1 draft-ietf-kitten-gssapi-csharp-bindings-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 13. -- Found old boilerplate from RFC 3978, Section 5.5 on line 4097. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 4074. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 4081. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 4087. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The abstract seems to contain references ([RFC2853], [RFC2743]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 8, 2005) is 6742 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 3700 ** Obsolete normative reference: RFC 2853 (Obsoleted by RFC 5653) ** Obsolete normative reference: RFC 1509 (Obsoleted by RFC 2744) Summary: 7 errors (**), 0 flaws (~~), 2 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 NETWORK WORKING GROUP J. C. Luciani 2 INTERNET-DRAFT Novell, Inc. 3 Expires: April 8, 2006 November 8, 2005 5 GSS_API V2: C# Bindings 6 draft-ietf-kitten-gssapi-csharp-bindings-00.txt 8 Status of this Memo 10 By submitting this Internet-Draft, each author represents that any 11 applicable patent or other IPR claims of which he or she is aware 12 have been or will be disclosed, and any of which he or she becomes 13 aware will be disclosed, in accordance with Section 6 of BCP 79. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as 18 Internet-Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt. 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 Abstract 33 The Generic Security Services Application Program Interface (GSS-API) 34 offers application programmers uniform access to security services 35 atop a variety of underlying cryptographic mechanisms. This document 36 specifies the C# language bindings for GSS-API which is described at 37 a language independent conceptual level in RFC 2743 [RFC2743]. 39 The GSS-API C# bindings were designed to emulate the Java bindings as 40 defined in RFC 2853 [RFC2853]. 42 Table of Contents 44 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 45 2. GSS-API Operational Paradigm. . . . . . . . . . . . . . . . . . . . 6 46 3. Additional Controls . . . . . . . . . . . . . . . . . . . . . . . . 7 47 3.1. Delegation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 48 3.2. Mutual Authentication . . . . . . . . . . . . . . . . . . . . . . 9 49 3.3. Replay and Out-of-Sequence Detection. . . . . . . . . . . . . . 10 50 3.4. Anonymous Authentication. . . . . . . . . . . . . . . . . . . . 11 51 3.5. Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . 12 52 3.6. Inter-process Context Transfer. . . . . . . . . . . . . . . . . 12 53 3.7. The Use of Incomplete Contexts. . . . . . . . . . . . . . . . . 13 54 4. C# GSS-API Overview . . . . . . . . . . . . . . . . . . . . . . . 13 55 4.1. Object Identifiers. . . . . . . . . . . . . . . . . . . . . . . 14 56 4.2. Object Identifier Sets. . . . . . . . . . . . . . . . . . . . . 14 57 4.3. Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 14 58 4.4. Contexts. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 59 4.5. Authentication Tokens . . . . . . . . . . . . . . . . . . . . . 17 60 4.6. Interprocess Tokens . . . . . . . . . . . . . . . . . . . . . . 17 61 4.7. Error Reporting . . . . . . . . . . . . . . . . . . . . . . . . 17 62 4.7.1. GSS Status Codes. . . . . . . . . . . . . . . . . . . . . . . 18 63 4.7.2. Mechanism-specific Codes. . . . . . . . . . . . . . . . . . . 20 64 4.7.3. Suplementary Status Codes . . . . . . . . . . . . . . . . . . 20 65 4.8. Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 66 4.9. Channel Bindings. . . . . . . . . . . . . . . . . . . . . . . . 23 67 5. Introduction to GSS-API Classes and Interfaces. . . . . . . . . . 24 68 5.1. GSSManager Class. . . . . . . . . . . . . . . . . . . . . . . . 24 69 5.2. GSSName Interface . . . . . . . . . . . . . . . . . . . . . . . 25 70 5.3. GSSCredential Interface . . . . . . . . . . . . . . . . . . . . 25 71 5.4. GSSContext Interface. . . . . . . . . . . . . . . . . . . . . . 26 72 5.5. MessageProp Class . . . . . . . . . . . . . . . . . . . . . . . 27 73 5.6. GSSException Class. . . . . . . . . . . . . . . . . . . . . . . 27 74 5.7. Oid Class . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 75 5.8. ChannelBinding Class. . . . . . . . . . . . . . . . . . . . . . 27 76 5.9. GSSConstants Class. . . . . . . . . . . . . . . . . . . . . . . 28 77 5.10. GSSNameTypes Class . . . . . . . . . . . . . . . . . . . . . . 28 78 5.11. GSSCredentialUsage Enumeration . . . . . . . . . . . . . . . . 28 79 6. Detailed GSS-API Description. . . . . . . . . . . . . . . . . . . 28 80 6.1. public abstract class GSSManager. . . . . . . . . . . . . . . . 28 81 6.1.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . . 29 82 6.1.2. getInstance . . . . . . . . . . . . . . . . . . . . . . . . . 29 83 6.1.3. getMechs. . . . . . . . . . . . . . . . . . . . . . . . . . . 29 84 6.1.4. getNamesForMech . . . . . . . . . . . . . . . . . . . . . . . 29 85 6.1.5. getMechsForName . . . . . . . . . . . . . . . . . . . . . . . 29 86 6.1.6. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 30 87 6.1.7. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 30 88 6.1.8. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 31 89 6.1.9. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 32 90 6.1.10. createCredential . . . . . . . . . . . . . . . . . . . . . . 32 91 6.1.11. createCredential . . . . . . . . . . . . . . . . . . . . . . 33 92 6.1.12. createCredential . . . . . . . . . . . . . . . . . . . . . . 33 93 6.1.13. createContext. . . . . . . . . . . . . . . . . . . . . . . . 34 94 6.1.14. createContext. . . . . . . . . . . . . . . . . . . . . . . . 35 95 6.1.15. createContext. . . . . . . . . . . . . . . . . . . . . . . . 35 96 6.2. public class GSSConstants . . . . . . . . . . . . . . . . . . . 35 97 6.2.1. DEFAULT_LIFETIME. . . . . . . . . . . . . . . . . . . . . . . 35 98 6.2.2. INDEFINITE_LIFETIME . . . . . . . . . . . . . . . . . . . . . 36 99 6.3. public class GSSNameTypes . . . . . . . . . . . . . . . . . . . 36 100 6.3.1. NT_HOSTBASED_SERVICE. . . . . . . . . . . . . . . . . . . . . 36 101 6.3.2. NT_USER_NAME. . . . . . . . . . . . . . . . . . . . . . . . . 36 102 6.3.3. NT_MACHINE_UID_NAME . . . . . . . . . . . . . . . . . . . . . 36 103 6.3.4. NT_STRING_UID_NAME. . . . . . . . . . . . . . . . . . . . . . 37 104 6.3.5. NT_ANONYMOUS. . . . . . . . . . . . . . . . . . . . . . . . . 37 105 6.3.6. NT_EXPORT_NAME. . . . . . . . . . . . . . . . . . . . . . . . 37 106 6.4. public interface GSSName. . . . . . . . . . . . . . . . . . . . 38 107 6.4.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . . 38 108 6.4.2. Equals. . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 109 6.4.3. Equals. . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 110 6.4.4. canonicalize. . . . . . . . . . . . . . . . . . . . . . . . . 39 111 6.4.5. export. . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 112 6.4.6. ToString. . . . . . . . . . . . . . . . . . . . . . . . . . . 40 113 6.4.7. stringNameType. . . . . . . . . . . . . . . . . . . . . . . . 40 114 6.4.8. isAnonymous . . . . . . . . . . . . . . . . . . . . . . . . . 40 115 6.4.9. isMN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 116 6.5. public enum GSSCredentialUsage. . . . . . . . . . . . . . . . . 41 117 6.5.1. INITIATE_AND_ACCEPT . . . . . . . . . . . . . . . . . . . . . 41 118 6.5.2. INITIATE_ONLY . . . . . . . . . . . . . . . . . . . . . . . . 41 119 6.5.3. ACCEPT_ONLY . . . . . . . . . . . . . . . . . . . . . . . . . 41 120 6.6. public interface GSSCredential. . . . . . . . . . . . . . . . . 41 121 6.6.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . . 42 122 6.6.2. dispose . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 123 6.6.3. getName . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 124 6.6.4. getName . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 125 6.6.5. getRemainingLifetime. . . . . . . . . . . . . . . . . . . . . 43 126 6.6.6. getRemainingInitLifetime. . . . . . . . . . . . . . . . . . . 44 127 6.6.7. getRemainingAcceptLifetime. . . . . . . . . . . . . . . . . . 44 128 6.6.8. getUsage. . . . . . . . . . . . . . . . . . . . . . . . . . . 44 129 6.6.9. getUsage. . . . . . . . . . . . . . . . . . . . . . . . . . . 45 130 6.6.10. getMechs . . . . . . . . . . . . . . . . . . . . . . . . . . 45 131 6.6.11. add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 132 6.6.12. Equals . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 133 6.7. public interface GSSContext . . . . . . . . . . . . . . . . . . 47 134 6.7.1. Example Context . . . . . . . . . . . . . . . . . . . . . . . 48 135 6.7.2. initSecContext. . . . . . . . . . . . . . . . . . . . . . . . 50 136 6.7.2.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 51 137 6.7.3. initSecContext. . . . . . . . . . . . . . . . . . . . . . . . 52 138 6.7.3.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 53 139 6.7.4. acceptSecContext. . . . . . . . . . . . . . . . . . . . . . . 54 140 6.7.4.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 55 141 6.7.5. acceptSecContext. . . . . . . . . . . . . . . . . . . . . . . 56 142 6.7.5.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 57 143 6.7.6. isEstablished . . . . . . . . . . . . . . . . . . . . . . . . 57 144 6.7.7. dispose . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 145 6.7.8. getWrapSizeLimit. . . . . . . . . . . . . . . . . . . . . . . 58 146 6.7.9. wrap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 147 6.7.10. wrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 148 6.7.11. unWrap . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 149 6.7.12. unWrap . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 150 6.7.13. getMIC . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 151 6.7.14. getMIC . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 152 6.7.15. verifyMIC. . . . . . . . . . . . . . . . . . . . . . . . . . 65 153 6.7.16. verifyMIC. . . . . . . . . . . . . . . . . . . . . . . . . . 66 154 6.7.17. export . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 155 6.7.18. mutualAuthenitcation . . . . . . . . . . . . . . . . . . . . 67 156 6.7.19. replayDetection. . . . . . . . . . . . . . . . . . . . . . . 68 157 6.7.20. sequenceDetection. . . . . . . . . . . . . . . . . . . . . . 68 158 6.7.21. credentialDelegation . . . . . . . . . . . . . . . . . . . . 68 159 6.7.22. anonymity. . . . . . . . . . . . . . . . . . . . . . . . . . 69 160 6.7.23. confidentiality. . . . . . . . . . . . . . . . . . . . . . . 69 161 6.7.24. integrity. . . . . . . . . . . . . . . . . . . . . . . . . . 69 162 6.7.25. lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . 70 163 6.7.26. channelBinding . . . . . . . . . . . . . . . . . . . . . . . 70 164 6.7.27. isTransferable . . . . . . . . . . . . . . . . . . . . . . . 70 165 6.7.28. isProtReady. . . . . . . . . . . . . . . . . . . . . . . . . 70 166 6.7.29. srcName. . . . . . . . . . . . . . . . . . . . . . . . . . . 71 167 6.7.30. targName . . . . . . . . . . . . . . . . . . . . . . . . . . 71 168 6.7.31. mechanism. . . . . . . . . . . . . . . . . . . . . . . . . . 71 169 6.7.32. delegatedCredential. . . . . . . . . . . . . . . . . . . . . 71 170 6.7.33. isInitiator. . . . . . . . . . . . . . . . . . . . . . . . . 72 171 6.8. public class MessageProp. . . . . . . . . . . . . . . . . . . . 72 172 6.8.1. Constructors. . . . . . . . . . . . . . . . . . . . . . . . . 73 173 6.8.2. QOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 174 6.8.3. privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 175 6.8.4. minorStatus . . . . . . . . . . . . . . . . . . . . . . . . . 74 176 6.8.5. minorString . . . . . . . . . . . . . . . . . . . . . . . . . 74 177 6.8.6. isDuplicateToken. . . . . . . . . . . . . . . . . . . . . . . 74 178 6.8.7. isOldToken. . . . . . . . . . . . . . . . . . . . . . . . . . 74 179 6.8.8. isUnseqToken. . . . . . . . . . . . . . . . . . . . . . . . . 74 180 6.8.9. isGapToken. . . . . . . . . . . . . . . . . . . . . . . . . . 75 181 6.9. public class ChannelBinding . . . . . . . . . . . . . . . . . . 75 182 6.9.1. Constructors. . . . . . . . . . . . . . . . . . . . . . . . . 76 183 6.9.2. initiatorAddress. . . . . . . . . . . . . . . . . . . . . . . 76 184 6.9.3. acceptorAddress . . . . . . . . . . . . . . . . . . . . . . . 77 185 6.9.4. applicationData . . . . . . . . . . . . . . . . . . . . . . . 77 186 6.9.5. Equals. . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 187 6.10. public class Oid . . . . . . . . . . . . . . . . . . . . . . . 77 188 6.10.1. Constructor. . . . . . . . . . . . . . . . . . . . . . . . . 78 189 6.10.2. ToString . . . . . . . . . . . . . . . . . . . . . . . . . . 78 190 6.10.3. Equals . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 191 6.10.4. DER. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 192 6.10.5. containedIn. . . . . . . . . . . . . . . . . . . . . . . . . 79 193 6.11. public class GSSException. . . . . . . . . . . . . . . . . . . 79 194 6.11.1. Constants. . . . . . . . . . . . . . . . . . . . . . . . . . 80 195 6.11.2. Constructors . . . . . . . . . . . . . . . . . . . . . . . . 82 196 6.11.3. major. . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 197 6.11.4. minor. . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 198 6.11.5. majorString. . . . . . . . . . . . . . . . . . . . . . . . . 83 199 6.11.6. minorString. . . . . . . . . . . . . . . . . . . . . . . . . 83 200 6.11.7. ToString . . . . . . . . . . . . . . . . . . . . . . . . . . 83 201 6.11.8. Message. . . . . . . . . . . . . . . . . . . . . . . . . . . 83 202 7. Sample Applications . . . . . . . . . . . . . . . . . . . . . . . 84 203 7.1. Simple GSS Context Initiator. . . . . . . . . . . . . . . . . . 84 204 7.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . . . . . 89 205 8. Security Considerations . . . . . . . . . . . . . . . . . . . . . 93 206 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . 93 207 10. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . 93 208 11. Normative References . . . . . . . . . . . . . . . . . . . . . . 94 209 12. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 94 210 13. Intellectual Property Statement. . . . . . . . . . . . . . . . . 94 211 14. Disclaimer of Validity . . . . . . . . . . . . . . . . . . . . . 95 212 15. Copyright Statement. . . . . . . . . . . . . . . . . . . . . . . 95 213 1.Introduction 215 This document specifies the C# language bindings for the Generic 216 Security Services Application Programming Interface Version 2 217 (GSS-API v2). GSS-API allows a caller application to authenticate a 218 principal identity, to delegate rights to a peer, and to apply 219 security services such as confidentiality and integrity on a per- 220 message basis. 222 One of the design goals utilized when defining the C# bindings for 223 GSS-API was to emulate the Java bindings specified in RFC 2853 as 224 much as possible while still taking advantage of C# features such 225 as Properties. By emulating the Java bindings, we hoped to leverage 226 work already done and to make life easier for developers utilizing 227 GSS-API under C# and Java. As a result of this design goal, the C# 228 bindings match the Java bindings very closely. 230 Because of the similarity between the Java and C# bindings and in the 231 spirit of leveraging work already done, this document borrows heavily 232 from RFC 2853. 234 2.GSS-API Operational Paradigm 236 The Generic Security Service Application Programming Interface 237 Version 2 defines a generic security API to calling applications. It 238 allows a communicating application to authenticate a user associated 239 with another application, to delegate rights to another application, 240 and to apply security services such as confidentiality and integrity 241 on a per-message basis. 243 There are four stages to using GSS-API: 245 1) The application acquires a set of credentials with which it may 246 prove its identity to other processes. The application's 247 credentials vouch for its global identity, which may or may not 248 be related to any local username under which it may be running. 250 2) A pair of communicating applications establish a joint security 251 context using their credentials. The security context 252 encapsulates shared state information, which is required in 253 order that per-message security services may be provided. 254 Examples of state information that might be shared between 255 applications as part of a security context are cryptographic 256 keys, and message sequence numbers. As part of the 257 establishment of a security context, the context initiator is 258 authenticated to the responder, and may require that the 259 responder is authenticated back to the initiator. The 260 initiator may optionally give the responder the right to 261 initiate further security contexts, acting as an agent or 262 delegate of the initiator. This transfer of rights is termed 263 "delegation", and is achieved by creating a set of credentials, 264 similar to those used by the initiating application, but which 265 may be used by the responder. 267 A GSSContext object is used to establish and maintain the 268 shared information that makes up the security context. Certain 269 GSSContext methods will generate a token, which applications 270 treat as cryptographically protected, opaque data. The caller 271 of such GSSContext method is responsible for transferring the 272 token to the peer application, encapsulated if necessary in an 273 application-to-application protocol. On receipt of such a 274 token, the peer application should pass it to a corresponding 275 GSSContext method which will decode the token and extract the 276 information, updating the security context state information 277 accordingly. 279 3) Per-message services are invoked on a GSSContext object to 280 apply either: 282 integrity and data origin authentication, or 284 confidentiality, integrity and data origin authentication 286 to application data, which are treated by GSS-API as arbitrary 287 octet-strings. An application transmitting a message that it 288 wishes to protect will call the appropriate GSSContext method 289 (getMIC or wrap) to apply protection, and send the resulting 290 token to the receiving application. The receiver will pass the 291 received token (and, in the case of data protected by getMIC, 292 the accompanying message-data) to the corresponding decoding 293 method of the GSSContext interface (verifyMIC or unwrap) to 294 remove the protection and validate the data. 296 4) At the completion of a communications session (which may extend 297 across several transport connections), each application uses a 298 GSSContext method to invalidate the security context and 299 release any system or cryptographic resources held. Multiple 300 contexts may also be used (either successively or 301 simultaneously) within a single communications association, at 302 the discretion of the applications. 304 3. Additional Controls 306 This section discusses the optional services that a context initiator 307 may request of the GSS-API before the context establishment. Each of 308 these services is requested by manipulating the appropriate property 309 of the GSSContext interface before the first call to init is 310 performed. 312 Only the context initiator can request context flags. 314 The optional services defined are: 316 Delegation 317 The (usually temporary) transfer of rights from initiator to 318 acceptor, enabling the acceptor to authenticate itself as an 319 agent of the initiator. 321 Mutual Authentication 322 In addition to the initiator authenticating its identity to the 323 context acceptor, the context acceptor should also authenticate 324 itself to the initiator. 326 Replay Detection 327 In addition to providing message integrity services, GSSContext 328 per-message operations of getMIC and wrap should include 329 message numbering information to enable verifyMIC and unwrap to 330 detect if a message has been duplicated. 332 Out-of-Sequence Detection 333 In addition to providing message integrity services, GSSContext 334 per-message operations (getMIC and wrap) should include 335 message sequencing information to enable verifyMIC and unwrap 336 to detect if a message has been received out of sequence. 338 Anonymous Authentication 339 The establishment of the security context should not reveal the 340 initiator's identity to the context acceptor. 342 Some mechanisms may not support all optional services, and some 343 mechanisms may only support some services in conjunction with others. 344 The GSSContext interface offers query methods to allow the 345 verification by the calling application of which services will be 346 available from the context when the establishment phase is complete. 347 In general, if the security mechanism is capable of providing a 348 requested service, it should do so even if additional services must 349 be enabled in order to provide the requested service. If the 350 mechanism is incapable of providing a requested service, it should 351 proceed without the service leaving the application to abort the 352 context establishment process if it considers the requested service 353 to be mandatory. 355 Some mechanisms may specify that support for some services is 356 optional, and that implementers of the mechanism need not provide it. 357 This is most commonly true of the confidentiality service, often 358 because of legal restrictions on the use of data-encryption, but may 359 apply to any of the services. Such mechanisms are required to send 360 at least one token from acceptor to initiator during context 361 establishment when the initiator indicates a desire to use such a 362 service, so that the initiating GSS-API can correctly indicate 363 whether the service is supported by the acceptor's GSS-API. 365 3.1. Delegation 367 The GSS-API allows delegation to be controlled by the initiating 368 application via manipulation of the credential delegation property 369 before the first call to init has been issued. Some mechanisms do 370 not support delegation, and for such mechanisms attempts by an 371 application to enable delegation are ignored. 373 The acceptor of a security context, for which the initiator enabled 374 delegation, can check if delegation was enabled by reading the 375 credential delegation property of the GSSContext object. In cases 376 when it is, the delegated credential object can be obtained by 377 reading the delegated credential property. The obtained GSSCredential 378 object may then be used to initiate subsequent GSS-API security 379 contexts as an agent or delegate of the initiator. If the original 380 initiator's identity is "A" and the delegate's identity is "B", then, 381 depending on the underlying mechanism, the identity embodied by the 382 delegated credential may be either "A" or "B acting for A". 384 For many mechanisms that support delegation, a simple boolean does 385 not provide enough control. Examples of additional aspects of 386 delegation control that a mechanism might provide to an application 387 are duration of delegation, network addresses from which delegation 388 is valid, and constraints on the tasks that may be performed by a 389 delegate. Such controls are presently outside the scope of the GSS- 390 API. GSS-API implementations supporting mechanisms offering 391 additional controls should provide extension routines that allow 392 these controls to be exercised (perhaps by modifying the initiator's 393 GSS-API credential object prior to its use in establishing a 394 context). However, the simple delegation control provided by GSS-API 395 should always be able to over-ride other mechanism-specific 396 delegation controls. If the application instructs the GSSContext 397 object that delegation is not desired, then the implementation must 398 not permit delegation to occur. This is an exception to the general 399 rule that a mechanism may enable services even if they are not 400 requested - delegation may only be provided at the explicit request 401 of the application. 403 3.2. Mutual Authentication 405 Usually, a context acceptor will require that a context initiator 406 authenticate itself so that the acceptor may make an access-control 407 decision prior to performing a service for the initiator. In some 408 cases, the initiator may also request that the acceptor authenticate 409 itself. GSS-API allows the initiating application to request this 410 mutual authentication service by setting the mutual authentication 411 property of the GSSContext object to "true" before making the first 412 call to init. The initiating application is informed as to whether 413 or not the context acceptor has authenticated itself. Note that some 414 mechanisms may not support mutual authentication, and other 415 mechanisms may always perform mutual authentication, whether or not 416 the initiating application requests it. In particular, mutual 417 authentication may be required by some mechanisms in order to support 418 replay or out-of-sequence message detection, and for such mechanisms 419 a request for either of these services will automatically enable 420 mutual authentication. 422 3.3. Replay and Out-of-Sequence Detection 424 The GSS-API may provide detection of mis-ordered messages once a 425 security context has been established. Protection may be applied to 426 messages by either application, by calling either getMIC or wrap 427 methods of the GSSContext object, and verified by the peer 428 application by calling verifyMIC or unwrap for the peer's GSSContext 429 object. 431 The getMIC method calculates a cryptographic checksum of an 432 application message, and returns that checksum in a token. The 433 application should pass both the token and the message to the peer 434 application, which presents them to the verifyMIC method of the 435 peer's GSSContext object. 437 The wrap method calculates a cryptographic checksum of an application 438 message, and places both the checksum and the message inside a single 439 token. The application should pass the token to the peer 440 application, which presents it to the unwrap method of the peer's 441 GSSContext object to extract the message and verify the checksum. 443 Either pair of routines may be capable of detecting out-of-sequence 444 message delivery, or duplication of messages. Details of such mis- 445 ordered messages are indicated through supplementary query methods of 446 the MessageProp object that is filled in by each of these routines. 448 A mechanism need not maintain a list of all tokens that have been 449 processed in order to support these status codes. A typical 450 mechanism might retain information about only the most recent "N" 451 tokens processed, allowing it to distinguish duplicates and missing 452 tokens within the most recent "N" messages; the receipt of a token 453 older than the most recent "N" would result in the isOldToken 454 property of the instance of MessageProp to be set to "true". 456 3.4. Anonymous Authentication 458 In certain situations, an application may wish to initiate the 459 authentication process to authenticate a peer, without revealing its 460 own identity. As an example, consider an application providing 461 access to a database containing medical information, and offering 462 unrestricted access to the service. A client of such a service might 463 wish to authenticate the service (in order to establish trust in any 464 information retrieved from it), but might not wish the service to be 465 able to obtain the client's identity (perhaps due to privacy concerns 466 about the specific inquiries, or perhaps simply to avoid being placed 467 on mailing-lists). 469 In normal use of the GSS-API, the initiator's identity is made 470 available to the acceptor as a result of the context establishment 471 process. However, context initiators may request that their identity 472 not be revealed to the context acceptor. Many mechanisms do not 473 support anonymous authentication, and for such mechanisms the request 474 will not be honored. An authentication token will still be 475 generated, but the application is always informed if a requested 476 service is unavailable, and has the option to abort context 477 establishment if anonymity is valued above the other security 478 services that would require a context to be established. 480 In addition to informing the application that a context is 481 established anonymously (via the isAnonymous property of the 482 GSSContext interface), the srcName property of the acceptor's 483 GSSContext object will, for such contexts, be set to a reserved 484 internal-form name, defined by the implementation. 486 The ToString method for a GSSName object representing an anonymous 487 entity will return a printable name. The returned value will be 488 syntactically distinguishable from any valid principal name supported 489 by the implementation. The associated name-type object identifier 490 will be an oid representing the value of GSSNameTypes.NT_ANONYMOUS. 491 This name-type oid will be defined as a public, static Oid object of 492 the GSSName interface. The printable form of an anonymous name 493 should be chosen such that it implies anonymity, since this name may 494 appear in, for example, audit logs. For example, the string 495 "" might be a good choice, if no valid printable names 496 supported by the implementation can begin with "<" and end with ">". 498 When using the equal method of the GSSName interface, and one of the 499 operands is a GSSName instance representing an anonymous entity, the 500 method must return "false". 502 3.5. Confidentiality 504 If a GSSContext supports the confidentiality service, wrap method may 505 be used to encrypt application messages. Messages are selectively 506 encrypted, under the control of the setPrivacy property of the 507 MessageProp object used in the wrap method. 509 3.6. Inter-process Context Transfer 511 GSS-API V2 provides functionality which allows a security context to 512 be transferred between processes on a single machine. These are 513 implemented using the export method of GSSContext and a byte array 514 constructor of the same interface. The most common use for such a 515 feature is a client-server design where the server is implemented as 516 a single process that accepts incoming security contexts, which then 517 launches child processes to deal with the data on these contexts. In 518 such a design, the child processes must have access to the security 519 context object created within the parent so that they can use per- 520 message protection services and delete the security context when the 521 communication session ends. 523 Since the security context data structure is expected to contain 524 sequencing information, it is impractical in general to share a 525 context between processes. Thus GSSContext interface provides an 526 export method that the process, which currently owns the context, can 527 call to declare that it has no intention to use the context 528 subsequently, and to create an inter-process token containing 529 information needed by the adopting process to successfully re-create 530 the context. After successful completion of export, the original 531 security context is made inaccessible to the calling process by GSS- 532 API and any further usage of this object will result in failures. 533 The originating process transfers the inter-process token to the 534 adopting process, which creates a new GSSContext object using the 535 byte array constructor. The properties of the context are equivalent 536 to that of the original context. 538 The inter-process token may contain sensitive data from the original 539 security context (including cryptographic keys). Applications using 540 inter-process tokens to transfer security contexts must take 541 appropriate steps to protect these tokens in transit. 543 Implementations are not required to support the inter-process 544 transfer of security contexts. Reading the isTransferable property 545 of the GSSContext interface will indicate if the context object is 546 transferable. 548 3.7. The Use of Incomplete Contexts 550 Some mechanisms may allow the per-message services to be used before 551 the context establishment process is complete. For example, a 552 mechanism may include sufficient information in its initial context- 553 level tokens for the context acceptor to immediately decode messages 554 protected with wrap or getMIC. For such a mechanism, the initiating 555 application need not wait until subsequent context-level tokens have 556 been sent and received before invoking the per-message protection 557 services. 559 An application can read the isProtReady property of the GSSContext 560 object to determine if the per-message services are available in 561 advance of complete context establishment. Applications wishing to 562 use per-message protection services on partially-established contexts 563 should query this method before attempting to invoke wrap or getMIC. 565 4. C# GSS-API Overview 567 The C# GSS-API leverages many of the native C# types as well as 568 features of the operating environment such as automatic garbage 569 collection, exception handling, and encapsulation. This allows for an 570 API that is simpler and with fewer functions than the API described 571 in RFC 1509 [RFC1509]. 573 The assemblies implementing GSS-API are not part of the .NET and Mono 574 frameworks. Because of this, it is necessary for the assemblies to 575 be installed before they can be used by applications. 577 C# GSS-API, unlike its Java counterpart does not allow applications 578 to choose between different security providers. The provider utilized 579 by the application is determine at application build time based on 580 the C# GSS-API assemblies linked in. The mechanisms supported by the 581 C# GSS-API assemblies are not controlled by the application. C# 582 GSS-API assemblies are vendor specific. 584 The GSS-API types are present in the org.ietf.gss namespace. 586 Applications need to include the following line at the top of their 587 listings to make use of the GSS-API types: 589 using org.ietf.gss; 591 4.1. Object Identifiers 593 An Oid object will be used to represent Universal Object Identifiers 594 (Oids). Oids are ISO-defined, hierarchically globally-interpretable 595 identifiers used within the GSS-API framework to identify security 596 mechanisms and name formats. The Oid object can be created from a 597 string representation of its dot notation (e.g. "1.3.6.1.5.6.2") as 598 well as from its ASN.1 DER encoding. Methods are also provided to 599 test equality and provide the DER representation for the object. 601 An important feature of the Oid class is that its instances are 602 immutable - i.e. there are no methods defined that allow one to 603 change the contents of an Oid. This property allows one to treat 604 these objects as "statics" without the need to perform copies. 606 Certain routines allow the usage of a default oid. A "null" value 607 can be used in those cases. 609 4.2. Object Identifier Sets 611 Object identifiers sets are represented as arrays of Oid 612 objects. C# arrays contain a length field which allows for 613 easy manipulation and reference. 615 In order to support the full functionality of RFC 2743, the Oid class 616 includes a method which checks for existence of an Oid object within 617 a specified array. This is equivalent in functionality to 618 gss_test_oid_set_member. The use of C# arrays and C#'s automatic 619 garbage collection has eliminated the need for the following 620 routines: gss_create_empty_oid_set, gss_release_oid_set, and 621 gss_add_oid_set_member. C# GSS-API implementations will not 622 contain them. C#'s automatic garbage collection and the immutable 623 property of the Oid object eliminates the complicated memory 624 management issues of the C counterpart. 626 When ever a default value for an Object Identifier Set is required, a 627 "null" value can be used. Please consult the detailed method 628 description for details. 630 4.3. Credentials 632 GSS-API credentials are represented by the GSSCredential interface. 633 The interface contains several constructs to allow for the creation 634 of most common credential objects for the initiator and the acceptor. 635 Comparisons are performed using the interface's "Equals" method. The 636 following general description of GSS-API credentials is included from 637 the C-bindings specification: 639 GSS-API credentials can contain mechanism-specific principal 640 authentication data for multiple mechanisms. A GSS-API credential is 641 composed of a set of credential-elements, each of which is applicable 642 to a single mechanism. A credential may contain at most one 643 credential-element for each supported mechanism. A credential- 644 element identifies the data needed by a single mechanism to 645 authenticate a single principal, and conceptually contains two 646 credential-references that describe the actual mechanism-specific 647 authentication data, one to be used by GSS-API for initiating 648 contexts, and one to be used for accepting contexts. For mechanisms 649 that do not distinguish between acceptor and initiator credentials, 650 both references would point to the same underlying mechanism-specific 651 authentication data. 653 Credentials describe a set of mechanism-specific principals, and give 654 their holder the ability to act as any of those principals. All 655 principal identities asserted by a single GSS-API credential should 656 belong to the same entity, although enforcement of this property is 657 an implementation-specific matter. A single GSSCredential object 658 represents all the credential elements that have been acquired. 660 The creation's of an GSSContext object allows the value of "null" to 661 be specified as the GSSCredential input parameter. This will 662 indicate a desire by the application to act as a default principal. 663 While individual GSS-API implementations are free to determine such 664 default behavior as appropriate to the mechanism, the following 665 default behavior by these routines is recommended for portability: 667 For the initiator side of the context: 669 1) If there is only a single principal capable of initiating 670 security contexts for the chosen mechanism that the application 671 is authorized to act on behalf of, then that principal shall be 672 used, otherwise 674 2) If the platform maintains a concept of a default network- 675 identity for the chosen mechanism, and if the application is 676 authorized to act on behalf of that identity for the purpose of 677 initiating security contexts, then the principal corresponding 678 to that identity shall be used, otherwise 680 3) If the platform maintains a concept of a default local 681 identity, and provides a means to map local identities into 682 network-identities for the chosen mechanism, and if the 683 application is authorized to act on behalf of the network- 684 identity image of the default local identity for the purpose of 685 initiating security contexts using the chosen mechanism, then 686 the principal corresponding to that identity shall be used, 687 otherwise 689 4) A user-configurable default identity should be used. 691 and for the acceptor side of the context 693 1) If there is only a single authorized principal identity capable 694 of accepting security contexts for the chosen mechanism, then 695 that principal shall be used, otherwise 697 2) If the mechanism can determine the identity of the target 698 principal by examining the context-establishment token 699 processed during the accept method, and if the accepting 700 application is authorized to act as that principal for the 701 purpose of accepting security contexts using the chosen 702 mechanism, then that principal identity shall be used, 703 otherwise 705 3) If the mechanism supports context acceptance by any principal, 706 and if mutual authentication was not requested, any principal 707 that the application is authorized to accept security contexts 708 under using the chosen mechanism may be used, otherwise 710 4) A user-configurable default identity shall be used. 712 The purpose of the above rules is to allow security contexts to be 713 established by both initiator and acceptor using the default behavior 714 whenever possible. Applications requesting default behavior are 715 likely to be more portable across mechanisms and implementations than 716 ones that instantiate an GSSCredential object representing a specific 717 identity. 719 4.4. Contexts 721 The GSSContext interface is used to represent one end of a GSS-API 722 security context, storing state information appropriate to that end 723 of the peer communication, including cryptographic state information. 724 The instantiation of the context object is done differently by the 725 initiator and the acceptor. After the context has been instantiated, 726 the initiator may choose to set various context options which will 727 determine the characteristics of the desired security context. When 728 all the application desired characteristics have been set, the 729 initiator will call the initSecContext method which will produce a 730 token for consumption by the peer's acceptSecContext method. It is 731 the responsibility of the application to deliver the authentication 732 token(s) between the peer applications for processing. Upon 733 completion of the context establishment phase, context attributes can 734 be retrieved, by both the initiator and acceptor, reading the 735 properties of the GSSContext object. These will reflect the actual 736 attributes of the established context. At this point the context can 737 be used by the application to apply cryptographic services to its 738 data. 740 4.5. Authentication Tokens 742 A token is a caller-opaque type that GSS-API uses to maintain 743 synchronization between each end of the GSS-API security context. 744 The token is a cryptographically protected octet-string, generated by 745 the underlying mechanism at one end of a GSS-API security context for 746 use by the peer mechanism at the other end. Encapsulation (if 747 required) within the application protocol and transfer of the token 748 are the responsibility of the peer applications. 750 C# GSS-API uses byte arrays to represent authentication tokens. 751 Overloaded methods exist which allow the caller to supply streams 752 which will be used for the reading and writing of the token data. 754 4.6. Interprocess Tokens 756 Certain GSS-API routines are intended to transfer data between 757 processes in multi-process programs. These routines use a caller- 758 opaque octet-string, generated by the GSS-API in one process for use 759 by the GSS-API in another process. The calling application is 760 responsible for transferring such tokens between processes. Note 761 that, while GSS-API implementors are encouraged to avoid placing 762 sensitive information within interprocess tokens, or to 763 cryptographically protect them, many implementations will be unable 764 to avoid placing key material or other sensitive data within them. 765 It is the application's responsibility to ensure that interprocess 766 tokens are protected in transit, and transferred only to processes 767 that are trustworthy. An interprocess token is represented using a 768 byte array emitted from the export method of the GSSContext 769 interface. The receiver of the interprocess token would initialize 770 a GSSContext object with this token to create a new context. Once a 771 context has been exported, the GSSContext object is invalidated. 773 4.7. Error Reporting 775 RFC 2743 defined the usage of major and minor status values for 776 signaling of GSS-API errors. The major code, also called GSS status 777 code, is used to signal errors at the GSS-API level independent of 778 the underlying mechanism(s). The minor status value or Mechanism 779 status code, is a mechanism defined error value indicating a 780 mechanism specific error code. 782 C# GSS-API uses exceptions implemented by the GSSException class to 783 signal both minor and major error values. Both mechanism specific 784 errors and GSS-API level errors are signaled through instances of 785 this class. The usage of exceptions replaces the need for major and 786 minor codes to be used within the API calls. GSSException class also 787 contains methods to obtain textual representations for both the major 788 and minor values, which is equivalent to the functionality of 789 gss_display_status. 791 4.7.1. GSS Status Codes 793 GSS status codes indicate errors that are independent of the 794 underlying mechanism(s) used to provide the security service. The 795 errors that can be indicated via a GSS status code are generic API 796 routine errors (errors that are defined in the GSS-API 797 specification). These bindings take advantage of the C# exceptions 798 mechanism, thus eliminating the need for calling errors. 800 A GSS status code indicates a single fatal generic API error from the 801 routine that has thrown the GSSException. Using exceptions announces 802 that a fatal error has occurred during the execution of the method. 803 The GSS-API operational model also allows for the signaling of 804 supplementary status information from the per-message calls. These 805 need to be handled as return values since using exceptions is not 806 appropriate for informatory or warning-like information. The methods 807 that are capable of producing supplementary information are the two 808 per-message methods GSSContext.verifyMIC() and GSSContext.unwrap(). 809 These methods fill the supplementary status codes in the MessageProp 810 object that was passed in. 812 GSSException object, along with providing the functionality for 813 setting of the various error codes and translating them into textual 814 representation, also contains the definitions of all the numeric 815 error values. The following table lists the definitions of error 816 codes: 818 Table: GSS Status Codes 820 Name Value Meaning 822 BAD_MECH 1 An unsupported mechanism 823 was requested. 825 BAD_NAME 2 An invalid name was supplied. 827 BAD_NAMETYPE 3 A supplied name was of an 828 unsupported type. 830 BAD_BINDINGS 4 Incorrect channel bindings were 831 supplied. 833 BAD_STATUS 5 An invalid status code was 834 supplied. 836 BAD_MIC 6 A token had an invalid MIC. 838 NO_CRED 7 No credentials were supplied, or 839 the credentials were unavailable 840 or inaccessible. 842 NO_CONTEXT 8 Invalid context has been 843 supplied. 845 DEFECTIVE_TOKEN 9 A supplied token was invalid. 847 DEFECTIVE_CREDENTIAL 10 A supplied credential was 848 invalid. 850 CREDENTIALS_EXPIRED 11 The referenced credentials 851 have expired. 853 CONTEXT_EXPIRED 12 The context has expired. 855 FAILURE 13 Miscellaneous failure, 856 unspecified at the GSS-API level. 858 BAD_QOP 14 The quality-of-protection 859 requested could not be provided. 861 UNAUTHORIZED 15 The operation is forbidden by 862 local security policy. 864 UNAVAILABLE 16 The operation or option is 865 unavailable. 867 DUPLICATE_ELEMENT 17 The requested credential 868 element already exists. 870 NAME_NOT_MN 18 The provided name was not a 871 mechanism name. 873 OLD_TOKEN 19 The token's validity period has 874 expired. 876 DUPLICATE_TOKEN 20 The token was a duplicate of an 877 earlier version. 879 The GSS major status code of FAILURE is used to indicate that the 880 underlying mechanism detected an error for which no specific GSS 881 status code is defined. The mechanism-specific status code can 882 provide more details about the error. 884 The different major status codes that can be contained in the 885 GSSException object thrown by the methods in this specification are 886 the same as the major status codes returned by the corresponding 887 calls in RFC 2743. 889 4.7.2. Mechanism-specific Status Codes 891 Mechanism-specific status codes are communicated in two ways, they 892 are part of any GSSException thrown from the mechanism specific layer 893 to signal a fatal error, or they are part of the MessageProp object 894 that the per-message calls use to signal non-fatal errors. 896 A default value of 0 in either the GSSException object or the 897 MessageProp object will be used to represent the absence of any 898 mechanism specific status code. 900 4.7.3. Supplementary Status Codes 902 Supplementary status codes are confined to the per-message methods of 903 the GSSContext interface. Because of the informative nature of these 904 errors it is not appropriate to use exceptions to signal them. 905 Instead, the per-message operations of the GSSContext interface 906 return these values in a MessageProp object. 908 The MessageProp class defines boolean properties indicating the 909 following supplementary states: 911 Table: Supplementary Status Methods 913 Method Name Meaning when set to "true" 915 isDuplicateToken The token was a duplicate of an 916 earlier token. 918 isOldToken The token's validity period has 919 expired. 921 isUnseqToken A later token has already been 922 processed. 924 isGapToken An expected per-message token was 925 not received. 927 A "true" value for any of the above properties indicates that the 928 token exhibited the specified property. The application must 929 determine the appropriate course of action for these supplementary 930 values. They are not treated as errors by the GSS-API. 932 4.8. Names 934 A name is used to identify a person or entity. GSS-API authenticates 935 the relationship between a name and the entity claiming the name. 937 Since different authentication mechanisms may employ different 938 namespaces for identifying their principals, GSS-API's naming support 939 is necessarily complex in multi-mechanism environments (or even in 940 some single-mechanism environments where the underlying mechanism 941 supports multiple namespaces). 943 Two distinct conceptual representations are defined for names: 945 1) A GSS-API form represented by implementations of the GSSName 946 interface: A single GSSName object may contain multiple names from 947 different namespaces, but all names should refer to the same 948 entity. An example of such an internal name would be the name 949 returned from a call to the getName method of the GSSCredential 950 interface, when applied to a credential containing credential 951 elements for multiple authentication mechanisms employing 952 different namespaces. This GSSName object will contain a distinct 953 name for the entity for each authentication mechanism. 955 For GSS-API implementations supporting multiple namespaces, 956 GSSName implementations must contain sufficient information to 957 determine the namespace to which each primitive name belongs. 959 2) Mechanism-specific contiguous byte array and string forms: 960 Different GSSName initialization methods are provided to handle 961 both byte array and string formats and to accommodate various 962 calling applications and name types. These formats are capable of 963 containing only a single name (from a single namespace). 964 Contiguous string names are always accompanied by an object 965 identifier specifying the namespace to which the name belongs, and 966 their format is dependent on the authentication mechanism that 967 employs that name. The string name forms are assumed to be 968 printable, and may therefore be used by GSS-API applications for 969 communication with their users. The byte array name formats are 970 assumed to be in non-printable formats (e.g. the byte array 971 returned from the export method of the GSSName interface). 973 A GSSName object can be converted to a contiguous representation by 974 using the ToString method. This will guarantee that the name will be 975 converted to a printable format. Different initialization methods in 976 the GSSName interface are defined allowing support for multiple 977 syntaxes for each supported namespace, and allowing users the freedom 978 to choose a preferred name representation. The ToString method 979 should use an implementation-chosen printable syntax for each 980 supported name-type. To obtain the printable name type, the 981 getStringNameType method can be used. 983 There is no guarantee that calling the ToString method on the GSSName 984 interface will produce the same string form as the original imported 985 string name. Furthermore, it is possible that the name was not even 986 constructed from a string representation. The same applies to name- 987 space identifiers which may not necessarily survive unchanged after a 988 journey through the internal name-form. An example of this might be 989 a mechanism that authenticates X.500 names, but provides an 990 algorithmic mapping of Internet DNS names into X.500. That 991 mechanism's implementation of GSSName might, when presented with a 992 DNS name, generate an internal name that contained both the original 993 DNS name and the equivalent X.500 name. Alternatively, it might only 994 store the X.500 name. In the latter case, the ToString method of 995 GSSName would most likely generate a printable X.500 name, rather 996 than the original DNS name. 998 The context acceptor can obtain a GSSName object representing the 999 entity performing the context initiation (by reading the srcName 1000 property). Since this name has been authenticated by a 1001 single mechanism, it contains only a single name (even if the 1002 internal name presented by the context initiator to the GSSContext 1003 object had multiple components). Such names are termed internal 1004 mechanism names, or "MN"s and the property values srcName and 1005 targName of the GSSContext interface are always of this type. 1006 Since some applications may require MNs without wanting to incur the 1007 overhead of an authentication operation, creation methods are 1008 provided that take not only the name buffer and name type, but also 1009 the mechanism oid for which this name should be created. When 1010 dealing with an existing GSSName object, the canonicalize method may 1011 be invoked to convert a general internal name into an MN. 1013 GSSName objects can be compared using their Equal method, which 1014 returns "true" if the two names being compared refer to the same 1015 entity. This is the preferred way to perform name comparisons 1016 instead of using the printable names that a given GSS-API 1017 implementation may support. Since GSS-API assumes that all primitive 1018 names contained within a given internal name refer to the same 1019 entity, equal can return "true" if the two names have at least one 1020 primitive name in common. If the implementation embodies knowledge 1021 of equivalence relationships between names taken from different 1022 namespaces, this knowledge may also allow successful comparisons of 1023 internal names containing no overlapping primitive elements. 1025 When used in large access control lists, the overhead of creating an 1026 GSSName object on each name and invoking the equal method on each 1027 name from the ACL may be prohibitive. As an alternative way of 1028 supporting this case, GSS-API defines a special form of the 1029 contiguous byte array name which may be compared directly (byte by 1030 byte). Contiguous names suitable for comparison are generated by the 1031 export method. Exported names may be re-imported by using the byte 1032 array constructor and specifying the GSSNameTypes.NT_EXPORT_NAME as 1033 the name type object identifier. The resulting GSSName name will 1034 also be a MN. The GSSName interface defines public static Oid 1035 objects representing the standard name types. Structurally, an 1036 exported name object consists of a header containing an OID 1037 identifying the mechanism that authenticated the name, and a trailer 1038 containing the name itself, where the syntax of the trailer is 1039 defined by the individual mechanism specification. Detailed 1040 description of the format is specified in the language-independent 1041 GSS-API specification [RFC2743]. 1043 Note that the results obtained by using the Equals method will in 1044 general be different from those obtained by invoking canonicalize and 1045 export, and then comparing the byte array output. The first series 1046 of operation determines whether two (unauthenticated) names identify 1047 the same principal; the second whether a particular mechanism would 1048 authenticate them as the same principal. These two operations will 1049 in general give the same results only for MNs. 1051 It is important to note that the above are guidelines as how GSSName 1052 implementations should behave, and are not intended to be specific 1053 requirements of how names objects must be implemented. The mechanism 1054 designers are free to decide on the details of their implementations 1055 of the GSSName interface as long as the behavior satisfies the above 1056 guidelines. 1058 4.9. Channel Bindings 1060 GSS-API supports the use of user-specified tags to identify a given 1061 context to the peer application. These tags are intended to be used 1062 to identify the particular communications channel that carries the 1063 context. Channel bindings are communicated to the GSS-API using the 1064 ChannelBinding object. The application may use byte arrays to 1065 specify the application data to be used in the channel binding as 1066 well as using instances of the EndPoint class. The EndPoint for the 1067 initiator and/or acceptor can be used within an instance of a 1068 ChannelBinding. ChannelBinding can be set for the GSSContext object 1069 by setting the channelBinding property before the first call to init 1070 or accept has been performed. The channelBinding property of a 1071 GSSContext object defaults to "null". Currently the ChannelBinding 1072 class only supports addresses of type IP. Applications that use 1073 other types of addresses can include them as part of the application 1074 specific data. 1076 Conceptually, the GSS-API concatenates the initiator and acceptor 1077 address information, and the application supplied byte array to form 1078 an octet string. The mechanism calculates a MIC over this octet 1079 string and binds the MIC to the context establishment token emitted 1080 by init method of the GSSContext interface. The same bindings are 1081 set by the context acceptor for its GSSContext object and during 1082 processing of the accept method a MIC is calculated in the same way. 1083 The calculated MIC is compared with that found in the token, and if 1084 the MICs differ, accept will throw a GSSException with the major 1085 code set to BAD_BINDINGS, and the context will not be established. 1086 Some mechanisms may include the actual channel binding data in the 1087 token (rather than just a MIC); applications should therefore not use 1088 confidential data as channel-binding components. 1090 Individual mechanisms may impose additional constraints on addresses 1091 that may appear in channel bindings. For example, a mechanism may 1092 verify that the initiator address field of the channel binding 1093 contains the correct network address of the host system. Portable 1094 applications should therefore ensure that they either provide correct 1095 information for the address fields, or omit setting of the addressing 1096 information. 1098 5. Introduction to GSS-API Classes and Interfaces 1100 This section presents a brief description of the classes and 1101 interfaces that constitute the GSS-API. 1103 This section also shows the corresponding RFC 2743 functionality 1104 implemented by each of the classes. Detailed description of these 1105 classes and their methods is presented in section 6. 1107 5.1. GSSManager Class 1109 This abstract class serves as a factory to instantiate 1110 implementations of the GSS-API interfaces and also provides methods 1111 to make queries about underlying security mechanisms. 1113 A default implementation can be obtained using the static method 1114 getInstance(). Applications that desire to provide their own 1115 implementation of the GSSManager class can simply extend the abstract 1116 class themselves. 1118 This class contains equivalents of the following RFC 2743 routines: 1120 gss_import_name Create an internal name from the 1121 supplied information. 1123 gss_acquire_cred Acquire credential for use. 1125 gss_import_sec_context Create a previously exported context. 1127 gss_indicate_mechs List the mechanisms supported by this 1128 GSS-API implementation. 1130 gss_inquire_mechs_for_name List the mechanisms supporting the 1131 specified name type. 1133 gss_inquire_names_for_mech List the name types supported by the 1134 specified mechanism. 1136 5.2. GSSName Interface 1138 GSS-API names are represented in the C# bindings through the 1139 GSSName interface. Different name formats and their definitions are 1140 identified with universal Object Identifiers (oids). The format of 1141 the names can be derived based on the unique oid of each name type. 1142 The following GSS-API routines are provided by the GSSName interface: 1144 RFC 2743 Routine Function 1146 gss_display_name Covert internal name representation to text 1147 format. 1149 gss_compare_name Compare two internal names. 1151 gss_canonicalize_name Convert an internal name to a mechanism name. 1153 gss_export_name Convert a mechanism name to export format. 1155 The gss_release_name call is not provided as C# does its own 1156 garbage collection. The gss_duplicate_name call is also redundant; 1157 the GSSName interface has no methods that can change the state of the 1158 object so it is safe for sharing. 1160 5.3. GSSCredential Interface 1162 The GSSCredential interface is responsible for the encapsulation of 1163 GSS-API credentials. Credentials identify a single entity and 1164 provide the necessary cryptographic information to enable the 1165 creation of a context on behalf of that entity. A single credential 1166 may contain multiple mechanism specific credentials, each referred to 1167 as a credential element. The GSSCredential interface provides the 1168 functionality of the following GSS-API routines: 1170 RFC 2743 Routine Function 1172 gss_add_cred Constructs credentials incrementally. 1174 gss_inquire_cred Obtain information about credential. 1176 gss_inquire_cred_by_mech Obtain per-mechanism information about 1177 a credential. 1179 gss_release_cred Disposes of credentials after use. 1181 5.4. GSSContext Interface 1183 This interface encapsulates the functionality of context-level calls 1184 required for security context establishment and management between 1185 peers as well as the per-message services offered to applications. A 1186 context is established between a pair of peers and allows the usage 1187 of security services on a per-message basis on application data. It 1188 is created over a single security mechanism. The GSSContext 1189 interface provides the functionality of the following GSS-API 1190 routines: 1192 RFC 2743 Routine Function 1194 gss_init_sec_context Initiate the creation of a security context 1195 with a peer. 1197 gss_accept_sec_context Accept a security context initiated by a 1198 peer. 1200 gss_delete_sec_context Destroy a security context. 1202 gss_context_time Obtain remaining context time. 1204 gss_inquire_context Obtain context characteristics. 1206 gss_wrap_size_limit Determine token-size limit for gss_wrap. 1208 gss_export_sec_context Transfer security context to another 1209 process. 1211 gss_get_mic Calculate a cryptographic Message Integrity 1212 Code (MIC) for a message. 1214 gss_verify_mic Verify integrity on a received message. 1216 gss_wrap Attach a MIC to a message and optionally 1217 encrypt the message content. 1219 gss_unwrap Obtain a previously wrapped application 1220 message verifying its integrity and 1221 optionally decrypting it. 1223 The functionality offered by the gss_process_context_token routine 1224 has not been included in the C# bindings specification. The 1225 corresponding functionality of gss_delete_sec_context has also been 1226 modified to not return any peer tokens. This has been proposed in 1227 accordance to the recommendations stated in RFC 2743. GSSContext 1228 does offer the functionality of destroying the locally-stored context 1229 information. 1231 5.5. MessageProp Class 1233 This helper class is used in the per-message operations on the 1234 context. An instance of this class is created by the application and 1235 then passed into the per-message calls. In some cases, the 1236 application conveys information to the GSS-API implementation through 1237 this object and in other cases the GSS-API returns information to the 1238 application by setting it in this object. See the description of the 1239 per-message operations wrap, unwrap, getMIC, and verifyMIC in the 1240 GSSContext interface for details. 1242 5.6. GSSException Class 1244 Exceptions are used in the C# bindings to signal fatal errors to 1245 the calling applications. This replaces the major and minor codes 1246 used in the C-bindings specification as a method of signaling 1247 failures. The GSSException class handles both minor and major codes, 1248 as well as their translation into textual representation. All GSS- 1249 API methods can throw this exception. 1251 RFC 2743 Routine Function 1253 gss_display_status Retrieve textual representation of 1254 error codes. 1256 5.7. Oid Class 1258 This utility class is used to represent Universal Object Identifiers 1259 and their associated operations. GSS-API uses object identifiers to 1260 distinguish between security mechanisms and name types. This class, 1261 aside from being used whenever an object identifier is needed, 1262 implements the following GSS-API functionality: 1264 RFC 2743 Routine Function 1266 gss_test_oid_set_member Determine if the specified oid is part of a 1267 set of oids. 1269 5.8. ChannelBinding Class 1271 An instance of this class is used to specify channel binding 1272 information to the GSSContext object before the start of a security 1273 context establishment. The application may use a byte array to 1274 specify application data to be used in the channel binding as well as 1275 use instances of the EndPoint. Currently the ChannelBinding class 1276 only supports addresses of type IP. Applications that use other 1277 types of addresses can include them as part of the application 1278 specific data. 1280 5.9. GSSConstants Class 1282 This utility class defines various constants utilized throughout the 1283 API. 1285 5.10. GSSNameTypes Class 1287 This class defines OIDs which specify different types of GSSNames. 1289 5.11. GSSCredentialUsage Enumeration 1291 This enumeration defines the usage categories for GSSCredentials. 1292 GSSCredentials can be used for context initiation and context 1293 acceptance or only one of those functions. 1295 6. Detailed GSS-API Description 1297 This section lists a detailed description of all the public methods 1298 that each of the GSS-API classes and interfaces must provide. 1300 6.1. public abstract class GSSManager 1302 The GSSManager class is an abstract class that serves as a factory 1303 for three GSS interfaces: GSSName, GSSCredential, and GSSContext. It 1304 also provides methods for applications to determine what mechanisms 1305 are available from the GSS implementation and what nametypes these 1306 mechanisms support. An instance of the default GSSManager subclass 1307 may be obtained through the static method getInstance(), but 1308 applications are free to instantiate other subclasses of GSSManager. 1310 All but one method in this class are declared abstract. This means 1311 that subclasses have to provide the complete implementation for those 1312 methods. The only exception to this is the static method 1313 getInstance() which will have platform specific code to return an 1314 instance of the default subclass. 1316 Platform providers of GSS are required not to add any constructors to 1317 this class, private, public, or protected. This will ensure that all 1318 subclasses invoke only the default constructor provided to the base 1319 class by the compiler. 1321 6.1.1. Example Code 1323 GSSManager mgr = GSSManager.getInstance(); 1325 // What mechs are available to us? 1326 Oid[] supportedMechs = mgr.getMechs(); 1328 // What name types does this spkm implementation support? 1329 Oid[] nameTypes = mgr.getNamesForMech(spkm1); 1331 6.1.2. getInstance 1333 public static GSSManager getInstance(); 1335 Returns the default GSSManager implementation. 1337 Throws GSSException if an error is detected. 1339 6.1.3. getMechs 1341 public abstract Oid[] getMechs(); 1343 Returns an array of Oid objects indicating mechanisms available to 1344 GSS-API callers. A "null" value is returned when no mechanism are 1345 available (an example of this would be when mechanism are dynamically 1346 configured, and currently no mechanisms are installed). 1348 Throws GSSException if an error is detected. 1350 6.1.4. getNamesForMech 1352 public abstract Oid[] getNamesForMech(Oid mech); 1354 Returns name type Oid's supported by the specified mechanism. 1356 Throws GSSException if an error is detected. 1358 Parameters: 1360 mech The Oid object for the mechanism to query. 1362 6.1.5. getMechsForName 1364 public abstract Oid[] getMechsForName(Oid nameType); 1366 Returns an array of Oid objects corresponding to the mechanisms that 1367 support the specific name type. "null" is returned when no 1368 mechanisms are found to support the specified name type. 1370 Throws GSSException if an error is detected. 1372 Parameters: 1374 nameType The Oid object for the name type. 1376 6.1.6. createName 1378 public abstract GSSName createName(string nameStr, 1379 Oid nameType); 1381 Factory method to convert a contiguous string name from the specified 1382 namespace to a GSSName object. In general, the GSSName object 1383 created will not be an MN; two examples that are exceptions to this 1384 are when the namespace type parameter indicates 1385 GSSNameTypes.NT_EXPORT_NAME or when the GSS-API implementation is not 1386 multi-mechanism. 1388 Throws GSSException if an error is detected. 1390 Parameters: 1392 nameStr The string representing a printable form of the name 1393 to create. 1395 nameType The Oid specifying the namespace of the printable name 1396 supplied. Note that nameType serves to describe and 1397 qualify the interpretation of the input nameStr, it 1398 does not necessarily imply a type for the output 1399 GSSName implementation. "null" value specifies that a 1400 mechanism specific default printable syntax should be 1401 assumed by each mechanism that examines nameStr. 1403 6.1.7. createName 1405 public abstract GSSName createName(byte[] name, 1406 Oid nameType); 1408 Factory method to convert a contiguous byte array containing a name 1409 from the specified namespace to a GSSName object. In general, the 1410 GSSName object created will not be an MN; two examples that are 1411 exceptions to this are when the namespace type parameter indicates 1412 GSSNameTypes.NT_EXPORT_NAME or when the GSS-API implementation is not 1413 multi-mechanism. 1415 Throws GSSException if an error is detected. 1417 Parameters: 1419 name The byte array containing the name to create. 1421 nameType The Oid specifying the namespace of the name supplied 1422 in the byte array. Note that nameType serves to 1423 describe and qualify the interpretation of the input 1424 name byte array, it does not necessarily imply a type 1425 for the output GSSName implementation. "null" value can 1426 be used to specify that a mechanism specific default 1427 syntax should be assumed by each mechanism that examines 1428 the byte array. 1430 6.1.8. createName 1432 public abstract GSSName createName(string nameStr, 1433 Oid nameType, 1434 Oid mech); 1436 Factory method to convert a contiguous string name from the specified 1437 namespace to an GSSName object that is a mechanism name (MN). In 1438 other words, this method is a utility that does the equivalent of two 1439 steps: the createName described in 6.1.6 and then also the 1440 GSSName.canonicalize() described in 6.2.5. 1442 Throws GSSException if an error is detected. 1444 Parameters: 1446 nameStr The string representing a printable form of the name 1447 to create. 1449 nameType The Oid specifying the namespace of the printable name 1450 supplied. Note that nameType serves to describe and 1451 qualify the interpretation of the input nameStr, it 1452 does not necessarily imply a type for the output 1453 GSSName implementation. "null" value can be used to 1454 specify that a mechanism specific default printable 1455 syntax should be assumed when the mechanism examines 1456 nameStr. 1458 mech Oid specifying the mechanism for which this name 1459 should be created. 1461 6.1.9. createName 1463 public abstract GSSName createName(byte[] name, 1464 Oid nameType, 1465 Oid mech); 1467 Throws GSSException if an error is detected. 1469 Factory method to convert a contiguous byte array containing a name 1470 from the specified namespace to a GSSName object that is an MN. In 1471 other words, this method is a utility that does the equivalent of two 1472 steps: the createName described in 6.1.7 and then also the 1473 GSSName.canonicalize() described in 6.2.5. 1475 Parameters: 1477 name The byte array representing the name to create. 1479 nameType The Oid specifying the namespace of the name supplied 1480 in the byte array. Note that nameType serves to 1481 describe and qualify the interpretation of the input 1482 name byte array, it does not necessarily imply a type 1483 for the output GSSName implementation. "null" value 1484 can be used to specify that a mechanism specific 1485 default syntax should be assumed by each mechanism 1486 that examines the byte array. 1488 mech Oid specifying the mechanism for which this name 1489 should be created. 1491 6.1.10. createCredential 1493 public abstract GSSCredential createCredential(int usage); 1495 Factory method for acquiring default credentials. This will cause 1496 the GSS-API to use system specific defaults for the set of 1497 mechanisms, name, and a DEFAULT lifetime. 1499 Throws GSSException if an error is detected. 1501 Parameters: 1503 usage The intended usage for this credential object. The 1504 value of this parameter must be one of: 1506 GSSCredential.ACCEPT_AND_INITIATE 1507 GSSCredential.ACCEPT_ONLY 1508 GSSCredential.INITIATE_ONLY 1510 6.1.11. createCredential 1512 public abstract GSSCredential createCredential(GSSName aName, 1513 int lifetime, 1514 Oid mech, 1515 int usage); 1517 Throws GSSException if an error is detected. 1519 Factory method for acquiring a single mechanism credential. 1521 Parameters: 1523 aName Name of the principal for whom this credential is to 1524 be acquired. Use "null" to specify the default 1525 principal. 1527 lifetime The number of seconds that credentials should remain 1528 valid. Use GSSCredential.INDEFINITE_LIFETIME to 1529 request that the credentials have the maximum 1530 permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME 1531 to request default credential lifetime. 1533 mech The oid of the desired mechanism. Use "(Oid) null" to 1534 request the default mechanism(s). 1536 usage The intended usage for this credential object. The 1537 value of this parameter must be one of: 1539 GSSCredential.ACCEPT_AND_INITIATE 1540 GSSCredential.ACCEPT_ONLY 1541 GSSCredential.INITIATE_ONLY 1543 6.1.12. createCredential 1545 public abstract GSSCredential createCredential(GSSName aName, 1546 int lifetime, 1547 Oid mechs[], 1548 int usage); 1550 Factory method for acquiring credentials over a set of mechanisms. 1551 Acquires credentials for each of the mechanisms specified in the 1552 array called mechs. To determine the list of mechanisms for which 1553 the acquisition of credentials succeeded, the caller should use the 1554 GSSCredential.getMechs() method. 1556 Throws GSSException if an error is detected. 1558 Parameters: 1560 aName Name of the principal for whom this credential is to 1561 be acquired. Use "null" to specify the default 1562 principal. 1564 lifetime The number of seconds that credentials should remain 1565 valid. Use GSSCredential.INDEFINITE_LIFETIME to 1566 request that the credentials have the maximum 1567 permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME 1568 to request default credential lifetime. 1570 mechs The array of mechanisms over which the credential is 1571 to be acquired. Use "(Oid[]) null" for requesting a 1572 system specific default set of mechanisms. 1574 usage The intended usage for this credential object. The 1575 value of this parameter must be one of: 1577 GSSCredential.ACCEPT_AND_INITIATE 1578 GSSCredential.ACCEPT_ONLY 1579 GSSCredential.INITIATE_ONLY 1581 6.1.13. createContext 1583 public abstract GSSContext createContext(GSSName peer, 1584 Oid mech, 1585 GSSCredential myCred, 1586 int lifetime); 1588 Factory method for creating a context on the initiator's side. 1589 Context flags may be modified through the mutator methods prior to 1590 calling GSSContext.initSecContext(). 1592 Throws GSSException if an error is detected. 1594 Parameters: 1596 peer Name of the target peer. 1598 mech Oid of the desired mechanism. Use "(Oid) null" to 1599 request default mechanism. 1601 myCred Credentials of the initiator. Use "null" to act as a 1602 default initiator principal. 1604 lifetime The request lifetime, in seconds, for the context. 1605 Use GSSContext.INDEFINITE_LIFETIME and 1606 GSSContext.DEFAULT_LIFETIME to request indefinite or 1607 default context lifetime. 1609 6.1.14. createContext 1611 public abstract GSSContext createContext(GSSCredential myCred); 1613 Factory method for creating a context on the acceptor' side. The 1614 context's properties will be determined from the input token supplied 1615 to the accept method. 1617 Throws GSSException if an error is detected. 1619 Parameters: 1621 myCred Credentials for the acceptor. Use "null" to act as a 1622 default acceptor principal. 1624 6.1.15. createContext 1626 public abstract GSSContext createContext(byte[] interProcessToken); 1628 Factory method for creating a previously exported context. The 1629 context properties will be determined from the input token and can't 1630 be modified through the set methods. 1632 Throws GSSException if an error is detected. 1634 Parameters: 1636 interProcessToken The token previously emitted from the export 1637 method. 1639 6.2. public class GSSConstants 1641 This class defines constants that are common among various interfaces 1642 and/or classes of the API. 1644 6.2.1. DEFAULT_LIFETIME 1646 const int DEFAULT_LIFETIME = 0; 1648 A constant representing the default lifetime for a context or 1649 credential. 1651 6.2.2. INDEFINITE_LIFETIME 1653 const int INDEFINITE_LIFETIME = Int32.MaxValue; 1655 A constant representing indefinite lifetime for a context or 1656 credential. 1658 6.3. public class GSSNameTypes 1660 This class defines the various types of GSSNames. 1662 6.3.1. NT_HOSTBASED_SERVICE 1664 public static Oid NT_HOSTBASED_SERVICE; 1666 Property which indicates Oid of name type of a host-based service 1667 name form. It is used to represent services associated with host 1668 computers. This name form is constructed using two elements, 1669 "service" and "hostname", as follows: 1671 service@hostname 1673 Values for the "service" element are registered with the IANA. It 1674 represents the following value: { 1(iso), 3(org), 6(dod), 1675 1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) } 1677 6.3.2. NT_USER_NAME 1679 public static Oid NT_USER_NAME; 1681 Property which indicates Oid of name type of a named user on a local 1682 system. It represents the following value: { 1(iso), 2(member-body), 1683 840(United States), 113554(mit), 1(infosys), 2(gssapi), 1(generic), 1684 1(user_name) } 1686 6.3.3. NT_MACHINE_UID_NAME 1688 public static Oid NT_MACHINE_UID_NAME; 1690 Property which indicates Oid of name type of a numeric user 1691 identifier corresponding to a user on a local system. (e.g. Uid). 1692 It represents the following value: { 1(iso), 2(member-body), 1693 840(United States), 113554(mit), 1(infosys), 2(gssapi), 1(generic), 1694 2(machine_uid_name) } 1696 6.3.4. NT_STRING_UID_NAME 1698 public static Oid NT_STRING_UID_NAME; 1700 Property which indicates Oid of name type of a string of digits 1701 representing the numeric user identifier of a user on a local system. 1702 It represents the following value: { 1(iso), 2(member-body), 1703 840(United States), 113554(mit), 1(infosys), 2(gssapi), 1(generic), 1704 3(string_uid_name) } 1706 6.3.5. NT_ANONYMOUS 1708 public static Oid NT_ANONYMOUS; 1710 Property which indicates Oid of name type of an anonymous entity. 1711 It represents the following value: { 1(iso), 3(org), 6(dod), 1712 1(internet), 5(security), 6(nametypes), 3(gss-anonymous-name) } 1714 6.3.6. NT_EXPORT_NAME 1716 public static Oid NT_EXPORT_NAME; 1718 Property which indicates Oid of name type of an exported name 1719 produced by the export method. It represents the following value: 1720 { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 1721 4(gss-api-exported-name) } 1723 6.4. public interface GSSName 1725 This interface encapsulates a single GSS-API principal entity. 1726 Different name formats and their definitions are identified with 1727 universal Object Identifiers (Oids). The format of the names can be 1728 derived based on the unique oid of its namespace type. 1730 6.4.1. Example Code 1732 Included below are code examples utilizing the GSSName interface. 1733 The code below creates a GSSName, converts it to a mechanism name 1734 (MN), performs a comparison, obtains a printable representation of 1735 the name, exports it and then re-imports to obtain a new GSSName. 1737 GSSManager mgr = GSSManager.getInstance(); 1739 // create a host based service name 1740 GSSName name = mgr.createName("service@host", 1741 GSSNameTypes.NT_HOSTBASED_SERVICE); 1743 Oid krb5 = new Oid("1.2.840.113554.1.2.2"); 1745 GSSName mechName = name.canonicalize(krb5); 1747 // the above two steps are equivalent to the following 1748 GSSName mechName = mgr.createName("service@host", 1749 GSSNameTypes.NT_HOSTBASED_SERVICE, 1750 krb5); 1752 // perform name comparison 1753 if (name.Equals(mechName)) 1754 Console.WriteLine("Names are equals."); 1756 // obtain textual representation of name and its printable 1757 // name type 1758 Console.WriteLine(mechName.ToString() + 1759 mechName.getStringNameType().ToString()); 1761 // export and re-import the name 1762 byte[] exportName = mechName.export(); 1764 // create a new name object from the exported buffer 1765 GSSName newName = mgr.createName(exportName, 1766 GSSNameTypes.NT_EXPORT_NAME); 1768 6.4.2. Equals 1770 bool Equals(GSSName another); 1772 Compares two GSSName objects to determine whether they refer to the 1773 same entity. If either of the names represents an anonymous 1774 entity, the method will return "false". 1776 Throws GSSException if an error is detected. 1778 Parameters: 1780 another GSSName object to compare with. 1782 6.4.3. Equals 1784 bool Equals(Object another); 1786 A variation of the equals method described in 6.2.3 that is provided 1787 to override the Object.Equals() method that the implementing class 1788 will inherit. The behavior is exactly the same as that in 6.2.3 1789 except that no GSSException is thrown; instead, false will be 1790 returned in the situation where an error occurs. (Note that the C# 1791 language specification requires that two objects that are equal 1792 according to the Equals(Object) method must return the same integer 1793 result when the GetHashCode() method is called on them.) 1795 Parameters: 1797 another GSSName object to compare with. 1799 6.4.4. canonicalize 1801 GSSName canonicalize(Oid mech); 1803 Creates a mechanism name (MN) from an arbitrary internal name. This 1804 is equivalent to using the factory methods described in 6.1.8 or 1805 6.1.9 that take the mechanism name as one of their parameters. 1807 Throws GSSException if an error is detected. 1809 Parameters: 1811 mech The oid for the mechanism for which the canonical form 1812 of the name is requested. 1814 6.4.5. export 1816 byte[] export(); 1818 Returns a canonical contiguous byte representation of a mechanism 1819 name (MN), suitable for direct, byte by byte comparison by 1820 authorization functions. If the name is not an MN, implementations 1821 may throw a GSSException with the NAME_NOT_MN status code. If an 1822 implementation chooses not to throw an exception, it should use some 1823 system specific default mechanism to canonicalize the name and then 1824 export it. The format of the header of the output buffer is 1825 specified in RFC 2743. 1827 6.4.6. ToString 1829 string ToString(); 1831 Returns a textual representation of the GSSName object. To retrieve 1832 the printed name format, which determines the syntax of the returned 1833 string, the getStringNameType method can be used. 1835 Throws GSSException if an error is detected. 1837 6.4.7. stringNameType 1839 Oid stringNameType; 1841 Property of the object containing the oid representing the type of 1842 name returned through the ToString method. Using this oid, the 1843 syntax of the printable name can be determined. 1845 Throws GSSException if an error is detected. 1847 6.4.8. isAnonymous 1849 bool isAnonymous; 1851 Property which indicates whether the name object represents an 1852 anonymous entity or not. If "true" then it is an anonymous name. 1854 6.4.9. isMN 1856 bool isMN; 1858 Property which indicates whether the name object contains only one 1859 mechanism element and is a mechanism name as defined by RFC 2743. 1861 6.5. public enum GSSCredentialUsage 1863 This enumeration defines the usage categories for credentials. 1865 6.5.1. INITIATE_AND_ACCEPT 1867 Credentials of this type can be used for both context initiation 1868 and acceptance. 1870 6.5.2. INITIATE_ONLY 1872 Credentials of this type can be used for context initiation only. 1874 6.5.3. ACCEPT_ONLY 1876 Credentials of this type can be used for context acceptance only. 1878 6.6. public interface GSSCredential: ICloneable 1880 This interface encapsulates the GSS-API credentials for an entity. A 1881 credential contains all the necessary cryptographic information to 1882 enable the creation of a context on behalf of the entity that it 1883 represents. It may contain multiple, distinct, mechanism specific 1884 credential elements, each containing information for a specific 1885 security mechanism, but all referring to the same entity. 1887 A credential may be used to perform context initiation, acceptance, 1888 or both. 1890 GSS-API implementations must impose a local access-control policy on 1891 callers to prevent unauthorized callers from acquiring credentials to 1892 which they are not entitled. GSS-API credential creation is not 1893 intended to provide a "login to the network" function, as such a 1894 function would involve the creation of new credentials rather than 1895 merely acquiring a handle to existing credentials. Such functions, 1896 if required, should be defined in implementation-specific extensions 1897 to the API. 1899 If credential acquisition is time-consuming for a mechanism, the 1900 mechanism may choose to delay the actual acquisition until the 1901 credential is required (e.g. by GSSContext). Such mechanism- 1902 specific implementation decisions should be invisible to the calling 1903 application; thus the query methods immediately following the 1904 creation of a credential object must return valid credential data, 1905 and may therefore incur the overhead of a deferred credential 1906 acquisition. 1908 Applications will create a credential object passing the desired 1909 parameters. The application can then use the query methods to obtain 1910 specific information about the instantiated credential object 1911 (equivalent to the gss_inquire routines). When the credential is no 1912 longer needed, the application should call the dispose (equivalent to 1913 gss_release_cred) method to release any resources held by the 1914 credential object and to destroy any cryptographically sensitive 1915 information. 1917 Classes implementing this interface also implement the ICloneable 1918 interface. This indicates that the class will support the Clone() 1919 method that will allow the creation of duplicate credentials. This 1920 is useful when called just before the add() call to retain a copy of 1921 the original credential. 1923 6.6.1. Example Code 1925 This example code demonstrates the creation of a GSSCredential 1926 implementation for a specific entity, querying of its fields, and its 1927 release when it is no longer needed. 1929 GSSManager mgr = GSSManager.getInstance(); 1931 // start by creating a name object for the entity 1932 GSSName name = mgr.createName("userName", GSSNameTypes.NT_USER_NAME); 1934 // now acquire credentials for the entity 1935 GSSCredential cred = mgr.createCredential(name, 1936 GSSCredentialUsage.ACCEPT_ONLY); 1938 // display credential information - name, remaining lifetime, 1939 // and the mechanisms it has been acquired over 1940 Console.WriteLine(cred.getName().ToString()); 1941 Console.WriteLine(cred.getRemainingLifetime()); 1943 Oid[] mechs = cred.getMechs(); 1944 if (mechs != null) { 1945 for (int i = 0; i < mechs.length; i++) 1946 Console.WriteLine(mechs[i].ToString()); 1947 } 1949 // release system resources held by the credential 1950 cred.dispose(); 1952 6.6.2. dispose 1954 void dispose(); 1956 Releases any sensitive information that the GSSCredential object may 1957 be containing. Applications should call this method as soon as the 1958 credential is no longer needed to minimize the time any sensitive 1959 information is maintained. 1961 Throws GSSException if an error is detected. 1963 6.6.3. getName 1965 GSSName getName(); 1967 Retrieves the name of the entity that the credential asserts. 1969 Throws GSSException if an error is detected. 1971 6.6.4. getName 1973 GSSName getName(Oid mechOID); 1975 Retrieves a mechanism name of the entity that the credential asserts. 1977 Throws GSSException if an error is detected. 1979 Parameters: 1981 mechOID The mechanism for which information should be 1982 returned. 1984 6.6.5. getRemainingLifetime 1986 int getRemainingLifetime(); 1988 Returns the remaining lifetime in seconds for a credential. The 1989 remaining lifetime is the minimum lifetime for any of the underlying 1990 credential mechanisms. A return value of 1991 GSSConstants.INDEFINITE_LIFETIME indicates that the credential does 1992 not expire. A return value of 0 indicates that the credential is 1993 already expired. 1995 Throws GSSException if an error is detected. 1997 6.6.6. getRemainingInitLifetime 1999 int getRemainingInitLifetime(Oid mech); 2001 Returns the remaining lifetime is seconds for the credential to 2002 remain capable of initiating security contexts under the specified 2003 mechanism. A return value of GSSConstants.INDEFINITE_LIFETIME 2004 indicates that the credential does not expire for context initiation. 2005 A return value of 0 indicates that the credential is already expired. 2007 Throws GSSException if an error is detected. 2009 Parameters: 2011 mechOID The mechanism for which information should be 2012 returned. 2014 6.6.7. getRemainingAcceptLifetime 2016 int getRemainingAcceptLifetime(Oid mech); 2018 Returns the remaining lifetime is seconds for the credential to 2019 remain capable of accepting security contexts under the specified 2020 mechanism. A return value of GSSConstants.INDEFINITE_LIFETIME 2021 indicates that the credential does not expire for context acceptance. 2022 A return value of 0 indicates that the credential is already expired. 2024 Throws GSSException if an error is detected. 2026 Parameters: 2028 mechOID The mechanism for which information should be 2029 returned. 2031 6.6.8. getUsage 2033 GSSCredentialUsage getUsage(); 2035 Returns the usage category for the credential. 2037 Throws GSSException if an error is detected. 2039 6.6.9. getUsage 2041 GSSCredentialUsage getUsage(Oid mechOID); 2043 Returns the usage category for the specified credential mechanism. 2045 Throws GSSException if an error is detected. 2047 Parameters: 2049 mechOID The mechanism for which information should be 2050 returned. 2052 6.6.10. getMechs 2054 Oid[] getMechs(); 2056 Returns an array of mechanisms supported by this credential. 2058 Throws GSSException if an error is detected. 2060 6.6.11. add 2062 void add(GSSName aName, 2063 int initLifetime, 2064 int acceptLifetime, 2065 Oid mech, 2066 int usage); 2068 Adds a mechanism specific credential-element to an existing 2069 credential. This method allows the construction of credentials one 2070 mechanism at a time. 2072 This routine is envisioned to be used mainly by context acceptors 2073 during the creation of acceptance credentials which are to be used 2074 with a variety of clients using different security mechanisms. 2076 This routine adds the new credential element "in-place". To add the 2077 element in a new credential, first call Clone() to obtain a copy of 2078 this credential, then call its add() method. 2080 Throws GSSException if an error is detected. 2082 Parameters: 2084 aName Name of the principal for whom this credential is to 2085 be acquired. Use "null" to specify the default 2086 principal. 2088 initLifetime 2089 The number of seconds that credentials should remain 2090 valid for initiating of security contexts. Use 2091 GSSCredential.INDEFINITE_LIFETIME to request that the 2092 credentials have the maximum permitted lifetime. Use 2093 GSSCredential.DEFAULT_LIFETIME to request default 2094 credential lifetime. 2096 acceptLifetime 2097 The number of seconds that credentials should remain 2098 valid for accepting of security contexts. Use 2099 GSSCredential.INDEFINITE_LIFETIME to request that the 2100 credentials have the maximum permitted lifetime. Use 2101 GSSCredential.DEFAULT_LIFETIME to request default 2102 credential lifetime. 2104 mech The mechanisms over which the credential is to be 2105 acquired. 2107 usage The intended usage for this credential object. The 2108 value of this parameter must be one of: 2109 GSSCredential.ACCEPT_AND_INITIATE, 2110 GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY 2112 6.6.12. Equals 2114 bool Equals(Object another); 2116 Tests if this GSSCredential refers to the same entity as the supplied 2117 object. The two credentials must be acquired over the same 2118 mechanisms and must refer to the same principal. Returns "true" if 2119 the two GSSCredentials refer to the same entity; "false" otherwise. 2121 Parameters: 2123 another Another GSSCredential object for comparison. 2125 6.7. public interface GSSContext 2127 This interface encapsulates the GSS-API security context and provides 2128 the security services (wrap, unwrap, getMIC, verifyMIC) that are 2129 available over the context. Security contexts are established 2130 between peers using locally acquired credentials. Multiple contexts 2131 may exist simultaneously between a pair of peers, using the same or 2132 different set of credentials. GSS-API functions in a manner 2133 independent of the underlying transport protocol and depends on its 2134 calling application to transport its tokens between peers. 2136 Before the context establishment phase is initiated, the context 2137 initiator may request specific characteristics desired of the 2138 established context. These can be set by manipulating the 2139 GSSContext properties. After the context is established, the caller 2140 can check the actual characteristic and services offered by the 2141 context by examining the GSSContext properties. 2143 The context establishment phase begins with the first call to the 2144 init method by the context initiator. During this phase the 2145 initSecContext and acceptSecContext methods will produce GSS-API 2146 authentication tokens which the calling application needs to send to 2147 its peer. If an error occurs at any point, an exception will get 2148 thrown and the code will start executing in a catch block. If not, 2149 the normal flow of code continues and the application can read the 2150 isEstablished property. If this property is false it indicates that 2151 a token is needed from its peer in order to continue the context 2152 establishment phase. A setting of true signals that the local end of 2153 the context is established. This may still require that a token be 2154 sent to the peer, if one is produced by GSS-API. During the context 2155 establishment phase, the isProtReady property indicates whether or 2156 not the context can be used for the per-message operations. This 2157 allows applications to use per-message operations on contexts which 2158 aren't fully established. 2160 After the context has been established or the isProtReady property is 2161 "true", the query routines can be invoked to determine the actual 2162 characteristics and services of the established context. The 2163 application can also start using the per-message methods of wrap and 2164 getMIC to obtain cryptographic operations on application supplied 2165 data. 2167 When the context is no longer needed, the application should call 2168 dispose to release any system resources the context may be using. 2170 6.7.1. Example Code 2172 The example code presented below demonstrates the usage of the 2173 GSSContext interface for the initiating peer. Different operations 2174 on the GSSContext object are presented, including: object 2175 instantiation, setting of desired flags, context establishment, query 2176 of actual context flags, per-message operations on application data, 2177 and finally context deletion. 2179 GSSManager mgr = GSSManager.getInstance(); 2181 // start by creating the name for a service entity 2182 GSSName targetName = mgr.createName("service@host", 2183 GSSNameTypes.NT_HOSTBASED_SERVICE); 2185 // create a context using default credentials for the above entity 2186 // and the implementation specific default mechanism 2187 GSSContext context = mgr.createContext(targetName, 2188 null, /* default mechanism */ 2189 null, /* default credentials */ 2190 GSSConstants.INDEFINITE_LIFETIME); 2192 // set desired context options - all others are false by default 2193 context.confidentiality = true; 2194 context.mutualAuthentication = true; 2195 context.replayDetection = true; 2196 context.sequenceDetection = true; 2198 // establish a context between peers - using byte arrays 2199 byte[] inTok = new byte[0]; 2201 try { 2202 do { 2203 byte[] outTok = context.initSecContext(inTok, 2204 0, 2205 inTok.length); 2207 // send the token if present 2208 if (outTok != null) 2209 sendToken(outTok); 2211 // check if we should expect more tokens 2212 if (context.isEstablished) 2213 break; 2215 // another token expected from peer 2216 inTok = readToken(); 2218 } while (true); 2220 } catch (GSSException e) { 2221 Console.Writeline("GSSAPI error: " + e.Message); 2222 } 2224 // display context information 2225 Console.Writeline("Remaining lifetime in seconds = " + 2226 context.lifetime); 2227 Console.Writeline("Context mechanism = " + context.Mech.ToString()); 2228 Console.Writeline("Initiator = " + context.srcName.ToString()); 2229 Console.Writeline("Acceptor = " + context.targName.ToString()); 2231 if (context.confidentiality) 2232 Console.Writeline("Confidentiality security service available"); 2234 if (context.integrity) 2235 Console.Writeline("Integrity security service available"); 2237 // perform wrap on an application supplied message, appMsg, 2238 // using QOP = 0, and requesting privacy service 2239 byte[] appMsg ... 2241 MessageProp mProp = new MessageProp(0, true); 2243 byte[] tok = context.wrap(appMsg, 0, appMsg.length, mProp); 2245 if (mProp.privacy) 2246 Console.Writeline("Message protected with privacy."); 2248 sendToken(tok); 2250 // release the local-end of the context 2251 context.dispose(); 2253 6.7.2. initSecContext 2255 byte[] initSecContext(byte[] inputBuf, 2256 int offset, 2257 int len); 2259 Called by the context initiator to start the context creation 2260 process. This is equivalent to the stream based method except that 2261 the token buffers are handled as byte arrays instead of using stream 2262 objects. This method may return an output token which the 2263 application will need to send to the peer for processing by the 2264 accept call. The application can check the isEstablished property to 2265 determine if the context establishment phase is complete for this 2266 peer. A value of "false" for isEstablished indicates that more 2267 tokens are expected to be supplied to the initSecContext method. 2268 Note that it is possible for the initSecContext() method to return a 2269 token for the peer when isEstablished is set to "true". This 2270 indicates that the token needs to be sent to the peer, but the local 2271 end of the context is now fully established. 2273 Throws GSSException if an error is detected. 2275 Parameters: 2277 inputBuf Token generated by the peer. This parameter is ignored 2278 on the first call. 2280 offset The offset within the inputBuf where the token begins. 2282 len The length of the token within the inputBuf (starting 2283 at the offset). 2285 6.7.2.1. Example Code 2287 // Create a new GSSContext implementation object. 2288 // GSSContext wrapper implements interface GSSContext. 2289 GSSContext context = mgr.createContext(...); 2291 byte[] inTok = new byte[0]; 2293 try { 2294 do { 2295 byte[] outTok = context.initSecContext(inTok, 2296 0, 2297 inTok.length); 2299 // send the token if present 2300 if (outTok != null) 2301 sendToken(outTok); 2303 // check if we should expect more tokens 2304 if (context.isEstablished) 2305 break; 2307 // another token expected from peer 2308 inTok = readToken(); 2310 } while (true); 2312 } catch (GSSException e) { 2313 Console.Writeline("GSSAPI error: " + e.Message); 2314 } 2316 6.7.3. initSecContext 2318 void initSecContext(Stream inStream, 2319 Stream outStream); 2321 Called by the context initiator to start the context creation 2322 process. This is equivalent to the byte array based method. This 2323 method may write an output token to the outStream, which the 2324 application will need to send to the peer for processing by the 2325 accept call. The application can check the isEstablished property to 2326 determine if the context establishment phase is complete for this 2327 peer. A value of "false" for isEstablished indicates that more 2328 tokens are expected to be supplied to the initSecContext method. 2329 Note that it is possible that the initSecContext() method to return a 2330 token for the peer when isEstablished is set to "true". This 2331 indicates that the token needs to be sent to the peer, but the local 2332 end of the context is now fully established. 2334 The GSS-API authentication tokens contain a definitive start and end. 2335 This method will attempt to read one of these tokens per invocation, 2336 and may block on the stream if only part of the token is available. 2338 Throws GSSException if an error is detected. 2340 Parameters: 2342 inStream Stream to read the token generated by the peer. This 2343 parameter is ignored on the first call. 2345 outStream Stream where the output token will be written. 2346 During the final stage of context establishment, there 2347 may be no bytes written. 2349 6.7.3.1. Example Code 2351 // Create a new GSSContext implementation object. 2353 // GSSContext wrapper implements interface GSSContext. 2354 GSSContext context = mgr.createContext(...); 2356 MemoryStream os = new MemoryStream(); 2357 Stream is = null; 2359 try { 2360 do { 2361 context.initSecContext(is, os); 2363 // send token if present 2364 if (os.Length > 0) 2365 sendToken(os); 2367 // check if we should expect more tokens 2368 if (context.isEstablished) 2369 break; 2371 // another token expected from peer 2372 is = recvToken(); 2374 } while (true); 2376 } catch (GSSException e) { 2377 Console.Writeline("GSSAPI error: " + e.Message); 2378 } 2380 6.7.4. acceptSecContext 2382 byte[] acceptSecContext(byte[] inTok, 2383 int offset, 2384 int len); 2386 Called by the context acceptor upon receiving a token from the peer. 2387 This call is equivalent to the stream based method except that the 2388 token buffers are handled as byte arrays instead of using stream 2389 objects. 2391 This method may return an output token which the application will 2392 need to send to the peer for further processing by the init call. 2394 A "null" return value indicates that no token needs to be sent to the 2395 peer. The application can check the isEstablished property to 2396 determine if the context establishment phase is complete for this 2397 peer. A value of "false" for isEstablished indicates that more 2398 tokens are expected to be supplied to this method. Note that it is 2399 possible that the acceptSecContext() method to return a token for the 2400 peer when isEstablished is set to "true". This indicates that the 2401 token needs to be sent to the peer, but the local end of the context 2402 is now fully established. 2404 Upon completion of the context establishment, the available context 2405 options may be queried through the get methods. 2407 Throws GSSException if an error is detected. 2409 Parameters: 2411 inTok Token generated by the peer. 2413 offset The offset within the inTok where the token begins. 2415 len The length of the token within the inTok (starting at 2416 the offset). 2418 6.7.4.1. Example Code 2420 // acquire server credentials 2421 GSSCredential server = mgr.createCredential(...); 2423 // create acceptor GSS-API context from the default provider 2424 GSSContext context = mgr.createContext(server, null); 2426 try { 2427 do { 2428 byte[] inTok = readToken(); 2430 byte[] outTok = context.acceptSecContext(inTok, 2431 0, 2432 inTok.length); 2434 // possibly send token to peer 2435 if (outTok != null) 2436 sendToken(outTok); 2438 // check if local context establishment is complete 2439 if (context.isEstablished) 2440 break; 2441 } while (true); 2443 } catch (GSSException e) { 2444 Console.Writeline("GSS-API error: " + e.Message); 2445 } 2447 6.7.5. acceptSecContext 2449 void acceptSecContext(Stream inStream, 2450 Stream outStream); 2452 Called by the context acceptor upon receiving a token from the peer. 2453 This call is equivalent to the byte array method. It may write an 2454 output token to the outStream, which the application will need to 2455 send to the peer for processing by its initSecContext method. The 2456 application can check the isEstablished property to determine if the 2457 context establishment phase is complete for this peer. A value of 2458 "false" for isEstablished indicates that more tokens are expected to 2459 be supplied to this method. Note that it is possible for the 2460 acceptSecContext() method to return a token for the peer when 2461 isEstablished is set to "true". This indicates that the token needs 2462 to be sent to the peer, but the local end of the context is now fully 2463 established. 2465 The GSS-API authentication tokens contain a definitive start and end. 2466 This method will attempt to read one of these tokens per invocation, 2467 and may block on the stream if only part of the token is available. 2469 Throws GSSException if an error is detected. 2471 Parameters: 2473 inStream Contains the token generated by the peer. 2475 outStream Stream where the output token will be written. 2476 During the final stage of context establishment, there 2477 may be no bytes written. 2479 6.7.5.1. Example Code 2481 // acquire server credentials 2482 GSSCredential server = mgr.createCredential(...); 2484 // create acceptor GSS-API context from the default provider 2485 GSSContext context = mgr.createContext(server, null); 2487 MemoryStream os = new MemoryStream(); 2488 Stream is = null; 2490 try { 2491 do { 2492 is = recvToken(); 2494 context.acceptSecContext(is, os); 2496 // possibly send token to peer 2497 if (os.Length > 0) 2498 sendToken(os); 2500 // check if local context establishment is complete 2501 if (context.isEstablished) 2502 break; 2503 } while (true); 2505 } catch (GSSException e) { 2506 Console.Writeline("GSS-API error: " + e.Message); 2507 } 2509 6.7.6. isEstablished 2511 bool isEstablished; 2513 Property which indicates the state of the context. A setting of 2514 "true" for the property indicates that the context has been fully 2515 established on the caller's side and no more tokens are needed from 2516 the peer. The property should be examined after calls to 2517 initSecContext() or acceptSecContext() when no GSSException is 2518 thrown. 2520 6.7.7. dispose 2522 void dispose(); 2524 Releases any system resources and cryptographic information stored in 2525 the context object. This will invalidate the context. 2527 Throws GSSException if an error is detected. 2529 6.7.8. getWrapSizeLimit 2531 int getWrapSizeLimit(int qop, 2532 bool confReq, 2533 int maxTokenSize); 2535 Returns the maximum message size that, if presented to the wrap 2536 method with the same confReq and qop parameters, will result in an 2537 output token containing no more than the maxTokenSize bytes. 2539 This call is intended for use by applications that communicate over 2540 protocols that impose a maximum message size. It enables the 2541 application to fragment messages prior to applying protection. 2543 GSS-API implementations are recommended but not required to detect 2544 invalid QOP values when getWrapSizeLimit is called. This routine 2545 guarantees only a maximum message size, not the availability of 2546 specific QOP values for message protection. 2548 Successful completion of this call does not guarantee that wrap will 2549 be able to protect a message of the computed length, since this 2550 ability may depend on the availability of system resources at the 2551 time that wrap is called. However, if the implementation itself 2552 imposes an upper limit on the length of messages that may be 2553 processed by wrap, the implementation should not return a value that 2554 is greater than this length. 2556 Throws GSSException if an error is detected. 2558 Parameters: 2560 qop Indicates the level of protection wrap will be asked 2561 to provide. 2563 confReq Indicates if wrap will be asked to provide privacy 2564 service. 2566 maxTokenSize 2567 The desired maximum size of the token emitted by wrap. 2569 6.7.9. wrap 2571 byte[] wrap(byte[] inBuf, 2572 int offset, 2573 int len, 2574 MessageProp msgProp); 2576 Applies per-message security services over the established security 2577 context. The method will return a token with a cryptographic MIC and 2578 may optionally encrypt the specified inBuf. This method is 2579 equivalent in functionality to its stream counterpart. The returned 2580 byte array will contain both the MIC and the message. 2582 The MessageProp object is instantiated by the application and used to 2583 specify a QOP value which selects cryptographic algorithms, and a 2584 privacy service to optionally encrypt the message. The underlying 2585 mechanism that is used in the call may not be able to provide the 2586 privacy service. It sets the actual privacy service that it does 2587 provide in this MessageProp object which the caller should then query 2588 upon return. If the mechanism is not able to provide the requested 2589 QOP, it throws a GSSException with the BAD_QOP code. 2591 Since some application-level protocols may wish to use tokens emitted 2592 by wrap to provide "secure framing", implementations should support 2593 the wrapping of zero-length messages. 2595 The application will be responsible for sending the token to the 2596 peer. 2598 Throws GSSException if an error is detected. 2600 Parameters: 2602 inBuf Application data to be protected. 2604 offset The offset within the inBuf where the data begins. 2606 len The length of the data within the inBuf (starting at 2607 the offset). 2609 msgProp Instance of MessageProp that is used by the 2610 application to set the desired QOP and privacy state. 2611 Set the desired QOP to 0 to request the default QOP. 2612 Upon return from this method, this object will contain 2613 the actual privacy state that was applied to the 2614 message by the underlying mechanism. 2616 6.7.10. wrap 2618 void wrap(Stream inStream, 2619 Stream outStream, 2620 MessageProp msgProp); 2622 Applies per-message security services over the established 2623 security context. The method will produce a token with a 2624 cryptographic MIC and may optionally encrypt the message in inStream. 2625 The outStream will contain both the MIC and the message. 2627 The MessageProp object is instantiated by the application and used to 2628 specify a QOP value which selects cryptographic algorithms, and a 2629 privacy service to optionally encrypt the message. The underlying 2630 mechanism that is used in the call may not be able to provide the 2631 privacy service. It sets the actual privacy service that it does 2632 provide in this MessageProp object which the caller should then query 2633 upon return. If the mechanism is not able to provide the requested 2634 QOP, it throws a GSSException with the BAD_QOP code. 2636 Since some application-level protocols may wish to use tokens emitted 2637 by wrap to provide "secure framing", implementations should support 2638 the wrapping of zero-length messages. 2640 The application will be responsible for sending the token to the 2641 peer. 2643 Throws GSSException if an error is detected. 2645 Parameters: 2647 inStream Stream containing the application data to be 2648 protected. 2650 outStream The stream to write the protected message to. 2651 The application is responsible for sending this to the 2652 other peer for processing in its unwrap method. 2654 msgProp Instance of MessageProp that is used by the 2655 application to set the desired QOP and privacy state. 2656 Set the desired QOP to 0 to request the default QOP. 2657 Upon return from this method, this object will contain 2658 the the actual privacy state that was applied to the 2659 message by the underlying mechanism. 2661 6.7.11. unwrap 2663 byte[] unwrap(byte[] inBuf, 2664 int offset, 2665 int len, 2666 MessageProp msgProp); 2668 Used by the peer application to process tokens generated with the 2669 wrap call. This call is equal in functionality to its stream 2670 counterpart. The method will return the message supplied in the peer 2671 application to the wrap call, verifying the embedded MIC. 2673 The MessageProp object is instantiated by the application and is used 2674 by the underlying mechanism to return information to the caller such 2675 as the QOP, whether confidentiality was applied to the message, and 2676 other supplementary message state information. 2678 Since some application-level protocols may wish to use tokens emitted 2679 by wrap to provide "secure framing", implementations should support 2680 the wrapping and unwrapping of zero-length messages. 2682 Throws GSSException if an error is detected. 2684 Parameters: 2686 inBuf GSS-API wrap token received from peer. 2688 offset The offset within the inBuf where the token begins. 2690 len The length of the token within the inBuf (starting at 2691 the offset). 2693 msgProp Upon return from the method, this object will contain 2694 the applied QOP, the privacy state of the message, and 2695 supplementary information stating whether the token was 2696 a duplicate, old, out of sequence or arriving after a 2697 gap. 2699 6.7.12. unwrap 2701 void unwrap(Stream inStream, 2702 Stream outStream, 2703 MessageProp msgProp); 2705 Used by the peer application to process tokens generated with the 2706 wrap call. This call is equal in functionality to its byte array 2707 counterpart. It will produce the message supplied in the peer 2708 application to the wrap call, verifying the embedded MIC. 2710 The MessageProp object is instantiated by the application and is used 2711 by the underlying mechanism to return information to the caller such 2712 as the QOP, whether confidentiality was applied to the message, and 2713 other supplementary message state information. 2715 Since some application-level protocols may wish to use tokens emitted 2716 by wrap to provide "secure framing", implementations should support 2717 the wrapping and unwrapping of zero-length messages. 2719 Throws GSSException if an error is detected. 2721 Parameters: 2723 inStream Stream containing the GSS-API wrap token received from 2724 the peer. 2726 outStream The stream to write the application message to. 2728 msgProp Upon return from the method, this object will contain 2729 the applied QOP, the privacy state of the message, and 2730 supplementary information stating whether the token was 2731 a duplicate, old, out of sequence or arriving after a 2732 gap. 2734 6.7.13. getMIC 2736 byte[] getMIC(byte[] inMsg, 2737 int offset, 2738 int len, 2739 MessageProp msgProp); 2741 Produces a token containing a cryptographic MIC for the supplied 2742 message, for transfer to the peer application. Unlike wrap, which 2743 encapsulates the user message in the returned token, only the message 2744 MIC is returned in the output token. This method is identical in 2745 functionality to its stream counterpart. 2747 Note that privacy can only be applied through the wrap call. 2749 Since some application-level protocols may wish to use tokens emitted 2750 by getMIC to provide "secure framing", implementations should support 2751 derivation of MICs from zero-length messages. 2753 Throws GSSException if an error is detected. 2755 Parameters: 2757 inMsg Message to generate MIC over. 2759 offset The offset within the inMsg where the token begins. 2761 len The length of the token within the inMsg (starting at 2762 the offset). 2764 msgProp Instance of MessageProp that is used by the 2765 application to set the desired QOP. Set the desired 2766 QOP to 0 in msgProp to request the default QOP. 2767 Alternatively pass in "null" for msgProp to request 2768 default QOP. 2770 6.7.14. getMIC 2772 void getMIC(Stream inStream, 2773 Stream outStream, 2774 MessageProp msgProp); 2776 Produces a token containing a cryptographic MIC for the supplied 2777 message, for transfer to the peer application. Unlike wrap, which 2778 encapsulates the user message in the returned token, only the message 2779 MIC is produced in the output token. This method is identical in 2780 functionality to its byte array counterpart. 2782 Note that privacy can only be applied through the wrap call. 2784 Since some application-level protocols may wish to use tokens emitted 2785 by getMIC to provide "secure framing", implementations should support 2786 derivation of MICs from zero-length messages. 2788 Throws GSSException if an error is detected. 2790 Parameters: 2792 inStream Stream containing the message to generate MIC over. 2794 outStream Stream to write the GSS-API output token to. 2796 msgProp Instance of MessageProp that is used by the 2797 application to set the desired QOP. Set the desired 2798 QOP to 0 in msgProp to request the default QOP. 2799 Alternatively pass in "null" for msgProp to request 2800 default QOP. 2802 6.7.15. verifyMIC 2804 void verifyMIC(byte[] inTok, 2805 int tokOffset, 2806 int tokLen, 2807 byte[] inMsg, 2808 int msgOffset, 2809 int msgLen, 2810 MessageProp msgProp); 2812 Verifies the cryptographic MIC, contained in the token parameter, 2813 over the supplied message. This method is equivalent in 2814 functionality to its stream counterpart. 2816 The MessageProp object is instantiated by the application and is used 2817 by the underlying mechanism to return information to the caller such 2818 as the QOP indicating the strength of protection that was applied to 2819 the message and other supplementary message state information. 2821 Since some application-level protocols may wish to use tokens emitted 2822 by getMIC to provide "secure framing", implementations should support 2823 the calculation and verification of MICs over zero-length messages. 2825 Throws GSSException if an error is detected. 2827 Parameters: 2829 inTok Token generated by peer's getMIC method. 2831 tokOffset The offset within the inTok where the token begins. 2833 tokLen The length of the token within the inTok (starting at 2834 the offset). 2836 inMsg Application message to verify the cryptographic MIC 2837 over. 2839 msgOffset The offset within the inMsg where the message begins. 2841 msgLen The length of the message within the inMsg (starting 2842 at the offset). 2844 msgProp Upon return from the method, this object will contain 2845 the applied QOP and supplementary information stating 2846 whether the token was a duplicate, old, out of sequence 2847 or arriving after a gap. The confidentiality state will 2848 be set to "false". 2850 6.7.16. verifyMIC 2852 void verifyMIC(Stream tokStream, 2853 Stream msgStream, 2854 MessageProp msgProp); 2856 Verifies the cryptographic MIC, contained in the token parameter, 2857 over the supplied message. This method is equivalent in 2858 functionality to its byte array counterpart. 2860 The MessageProp object is instantiated by the application and is used 2861 by the underlying mechanism to return information to the caller such 2862 as the QOP indicating the strength of protection that was applied to 2863 the message and other supplementary message state information. 2865 Since some application-level protocols may wish to use tokens emitted 2866 by getMIC to provide "secure framing", implementations should support 2867 the calculation and verification of MICs over zero-length messages. 2869 Throws GSSException if an error is detected. 2871 Parameters: 2873 tokStream Stream containing the token generated by peer's 2874 getMIC method. 2876 msgStream Stream containing the application message to 2877 verify the cryptographic MIC over. 2879 msgProp Upon return from the method, this object will contain 2880 the applied QOP and supplementary information stating 2881 whether the token was a duplicate, old, out of sequence 2882 or arriving after a gap. The confidentiality state will 2883 be set to "false". 2885 6.7.17. export 2887 byte[] export(); 2889 Provided to support the sharing of work between multiple processes. 2890 This routine will typically be used by the context-acceptor, in an 2891 application where a single process receives incoming connection 2892 requests and accepts security contexts over them, then passes the 2893 established context to one or more other processes for message 2894 exchange. 2896 This method deactivates the security context and creates an 2897 interprocess token which, when passed to the byte array constructor 2898 of the GSSContext interface in another process, will re-activate the 2899 context in the second process. Only a single instantiation of a 2900 given context may be active at any one time; a subsequent attempt by 2901 a context exporter to access the exported security context will fail. 2903 The implementation may constrain the set of processes by which the 2904 interprocess token may be imported, either as a function of local 2905 security policy, or as a result of implementation decisions. For 2906 example, some implementations may constrain contexts to be passed 2907 only between processes that run under the same account, or which are 2908 part of the same process group. 2910 The interprocess token may contain security-sensitive information 2911 (for example cryptographic keys). While mechanisms are encouraged to 2912 either avoid placing such sensitive information within interprocess 2913 tokens, or to encrypt the token before returning it to the 2914 application, in a typical GSS-API implementation this may not be 2915 possible. Thus the application must take care to protect the 2916 interprocess token, and ensure that any process to which the token is 2917 transferred is trustworthy. 2919 Throws GSSException if an error is detected. 2921 6.7.18. mutualAuthentication 2923 bool mutualAuthentication; 2925 Mutual Authentication context property. When the value of this 2926 property is set to "true" before the context creation process 2927 begins then it indicates to the underlying mechanisms that mutual 2928 authentication should be requested during context establishment. 2929 The value of this property after context establishment is completed 2930 indicates whether or not mutual authentication was performed when 2931 the context was established. 2933 Throws GSSException if an error is detected. 2935 6.7.19. replayDetection 2937 bool replayDetection; 2939 Replay Detection context property. When the value of this 2940 property is set to "true" before the context creation process 2941 begins then it indicates to the underlying mechanisms that the 2942 replay detection service should be requested during context 2943 establishment. The value of this property after context 2944 establishment is completed or after the value of the isProtReady 2945 property becomes "true" indicates whether or not the replay 2946 detection service is in effect for the context. 2948 Throws GSSException if an error is detected. 2950 6.7.20. sequenceDetection 2952 bool sequenceDetection; 2954 Sequence Detection context property. When the value of this 2955 property is set to "true" before the context creation process 2956 begins then it indicates to the underlying mechanisms that the 2957 sequence checking service should be requested during context 2958 establishment. The value of this property after context 2959 establishment is completed or after the value of the isProtReady 2960 property becomes "true" indicates whether or not the sequence 2961 checking service is in effect for the context. 2963 Throws GSSException if an error is detected. 2965 6.7.21. credentialDelegation 2967 bool credentialDelegation; 2969 Credential Delegate context property. When the value of this 2970 property is set to "true" before the context creation process 2971 begins then it indicates to the underlying mechanisms that 2972 credential delegation is desired. The value of this property after 2973 context establishment is completed or after the value of the 2974 isProtReady property becomes "true" indicates whether or not 2975 credential delegation was performed when the context was established. 2977 Throws GSSException if an error is detected. 2979 6.7.22. anonymity 2981 bool anonymity; 2983 Anonimity context property. When the value of this property is set 2984 to "true" before the context creation process begins then it 2985 indicates to the underlying mechanisms that anonymity has been 2986 requested. The value of this property after context establishment is 2987 completed or after the value of the isProtReady property becomes 2988 "true" indicates whether or not anonymity was used during the 2989 establishment of the context. 2991 Throws GSSException if an error is detected. 2993 6.7.23. confidentiality 2995 bool confidentiality; 2997 Confidentiality context property. When the value of this 2998 property is set to "true" before the context creation process 2999 begins then it indicates to the underlying mechanisms that the 3000 confidentiality service should be requested during context 3001 establishment. The value of this property after context 3002 establishment is completed or after the value of the isProtReady 3003 property becomes "true" indicates whether or not the confidentiality 3004 service is in effect for the context. 3006 Throws GSSException if an error is detected. 3008 6.7.24. integrity 3010 bool integrity; 3012 Integrity context property. When the value of this property is set 3013 to "true" before the context creation process begins then it 3014 indicates to the underlying mechanisms that the integrity service 3015 should be requested during context establishment. The value of this 3016 property after context establishment is completed or after the value 3017 of the isProtReady property becomes "true" indicates whether or not 3018 the integrity service is in effect for the context. 3020 Throws GSSException if an error is detected. 3022 6.7.25. lifetime 3024 int lifetime; 3026 Lifetime context property. The value of this property indicates 3027 the lifetime in seconds for the context. This property can only be 3028 set by the initiator before the context creation process is 3029 started. Set the property to GSSConstants.INDEFINITE_LIFETIME and 3030 GSSConstants.DEFAULT_LIFETIME to request indefinite or default 3031 context lifetime. The value of this property after context 3032 establishment is completed or after the value of the isProtReady 3033 property becomes "true" indicates the remaining lifetime for the 3034 context. 3036 Throws GSSException if an error is detected. 3038 6.7.26. channelBinding 3040 ChannelBinding channelBinding; 3042 Channel Binding context property. This value of this property can be 3043 set to specify a Channel Binding to be used during context 3044 establishment. This property can only be set before the context 3045 creation process begins. 3047 Throws GSSException if an error is detected. 3049 6.7.27. isTransferable 3051 bool isTransferable; 3053 Property which indicates whether or not the context can be 3054 transferred to other processes. The value of this property is only 3055 valid on fully established contexts. 3057 Throws GSSException if an error is detected. 3059 6.7.28. isProtReady 3061 bool isProtReady; 3063 Property which indicates whether or not per message operations can 3064 be applied over the context. Some mechanisms may allow the usage of 3065 per-message operations before the context is fully established. 3067 Throws GSSException if an error is detected. 3069 6.7.29. srcName 3071 GSSName srcName; 3073 Property which contains the name of the context initiator. The 3074 value of this property is valid only after the context is fully 3075 established or the isProtReady property is set to "true". The 3076 property is guaranteed to be set to an MN after it becomes valid. 3078 Throws GSSException if an error is detected. 3080 6.7.30. targName 3082 GSSName targName; 3084 Property which contains the name of the context target (acceptor). 3085 The value of this property is valid only after the context is fully 3086 established or the isProtReady property is set to "true". The 3087 property is guaranteed to be set to an MN after it becomes valid. 3089 Throws GSSException if an error is detected. 3091 6.7.31. mechanism 3093 Oid mechanism; 3095 Property which contains the mechanism oid for the context. 3096 The value of this property may change from time to time if mechanism 3097 negotiation takes place. 3099 Throws GSSException if an error is detected. 3101 6.7.32. delegatedCredential 3103 GSSCredential delegatedCredential; 3105 Property which contains the credential delegated by the context 3106 initiator. The value of this property is only valid on the 3107 acceptors side after the context has been fully established and if 3108 the credentialDelegation property is set to "true". 3110 Throws GSSException if an error is detected. 3112 6.7.33. isInitiator 3114 bool isInitiator; 3116 Property which contains indication of whether or not the context 3117 creation process started on this side. The value of this property 3118 is only valid after the context creation process has started. 3120 Throws GSSException if an error is detected. 3122 6.8. public class MessageProp 3124 This is a utility class used within the per-message GSSContext 3125 methods to convey per-message properties. 3127 When used with the GSSContext interface's wrap and getMIC methods, an 3128 instance of this class is used to indicate the desired QOP and to 3129 request if confidentiality services are to be applied to caller 3130 supplied data (wrap only). To request default QOP, the value of 0 3131 should be used for QOP. 3133 When used with the unwrap and verifyMIC methods of the GSSContext 3134 interface, an instance of this class will be used to indicate the 3135 applied QOP and confidentiality services over the supplied message. 3136 In the case of verifyMIC, the confidentiality state will always be 3137 "false". Upon return from these methods, this object will also 3138 contain any supplementary status values applicable to the processed 3139 token. The supplementary status values can indicate old tokens, out 3140 of sequence tokens, gap tokens or duplicate tokens. 3142 6.8.1. Constructors 3144 public MessageProp(bool privState); 3146 Constructor which sets QOP to 0 indicating that the default QOP is 3147 requested. 3149 Throws GSSException if an error is detected. 3151 Parameters: 3153 privState The desired privacy state. "true" for privacy and 3154 "false" for integrity only. 3156 public MessageProp(int qop, bool privState); 3158 Constructor which sets the values for the qop and privacy state. 3160 Throws GSSException if an error is detected. 3162 Parameters: 3164 qop The desired QOP. Use 0 to request a default QOP. 3166 privState The desired privacy state. "true" for privacy and 3167 "false" for integrity only. 3169 6.8.2. QOP 3171 public int QOP; 3173 QOP property. Use this to set or get the value of the QOP property. 3174 Set to 0 to request the default value. 3176 Throws GSSException if an error is detected. 3178 6.8.3. privacy 3180 public bool privacy; 3182 Privacy property. Use this to set or get the value of the privacy 3183 property. 3185 Throws GSSException if an error is detected. 3187 6.8.4. minorStatus 3189 public int minorStatus; 3191 Minor Status property. This property maintains the minor status that 3192 the underlying mechanism might have set. 3194 Throws GSSException if an error is detected. 3196 6.8.5. minorString 3198 public string minorString; 3200 Minor String property. This property maintains a string explaining 3201 the mechanism specific error code. The string will be empty if no 3202 mechanism error code has been set. 3204 Throws GSSException if an error is detected. 3206 6.8.6. isDuplicateToken 3208 public bool isDuplicateToken; 3210 Is Duplicate Token property. The value of this property indicates 3211 whether or not the token is a duplicate of an earlier token. 3213 Throws GSSException if an error is detected. 3215 6.8.7. isOldToken 3217 public bool isOldToken; 3219 Is Old Token property. The value of this property indicates whether 3220 or not the token's validity period has expired. 3222 Throws GSSException if an error is detected. 3224 6.8.8. isUnseqToken 3226 public bool isUnseqToken; 3228 Is Un-sequenced Token property. The value of this property indicates 3229 whether or not the token is being processed out of sequence. 3231 Throws GSSException if an error is detected. 3233 6.8.9. isGapToken 3235 public bool isGapToken; 3237 Is Gap Token property. The value of this property indicates 3238 whether or not an expected per-message was not received. 3240 Throws GSSException if an error is detected. 3242 6.9. public class ChannelBinding 3244 The GSS-API accommodates the concept of caller-provided channel 3245 binding information. Channel bindings are used to strengthen the 3246 quality with which peer entity authentication is provided during 3247 context establishment. They enable the GSS-API callers to bind the 3248 establishment of the security context to relevant characteristics 3249 like addresses or to application specific data. 3251 The caller initiating the security context must determine the 3252 appropriate channel binding values to set in the GSSContext object. 3253 The acceptor must provide an identical binding in order to validate 3254 that received tokens possess correct channel-related characteristics. 3256 Use of channel bindings is optional in GSS-API. Since channel- 3257 binding information may be transmitted in context establishment 3258 tokens, applications should therefore not use confidential data as 3259 channel-binding components. 3261 6.9.1. Constructors 3263 public ChannelBinding(EndPoint initAddr, 3264 EndPoint acceptAddr, 3265 byte[] appData); 3267 Create a ChannelBinding object with user supplied address information 3268 and data. "null" values can be used for any fields which the 3269 application does not want to specify. 3271 Throws GSSException if an error is detected. 3273 Parameters: 3275 initAddr The address of the context initiator. "null" value 3276 can be supplied to indicate that the application does 3277 not want to set this value. 3279 acceptAddrThe address of the context acceptor. "null" value can 3280 be supplied to indicate that the application does not 3281 want to set this value. 3283 appData Application supplied data to be used as part of the 3284 channel bindings. "null" value can be supplied to 3285 indicate that the application does not want to set 3286 this value. 3288 public ChannelBinding(byte[] appData); 3290 Creates a ChannelBinding object without any addressing information. 3292 Throws GSSException if an error is detected. 3294 Parameters: 3296 appData Application supplied data to be used as part of the 3297 channel bindings. 3299 6.9.2. initiatorAddress 3301 public EndPoint initiatorAddress; 3303 Initiator Address property. The value of this property indicates 3304 the initiator's address for the channel binding. The property value 3305 will be set to "null" if not set. 3307 Throws GSSException if an error is detected. 3309 6.9.3. acceptorAddress 3311 public EndPoint acceptorAddress; 3313 Acceptor Address property. The value of this property indicates 3314 the acceptor's address for the channel binding. The property value 3315 will be set to "null" if not set. 3317 Throws GSSException if an error is detected. 3319 6.9.4. applicationData 3321 public byte[] applicationData; 3323 Application Data property. The value of this property indicates 3324 the application data being used for the channel binding. The 3325 property value will be set to "null" if not set. 3327 Throws GSSException if an error is detected. 3329 6.9.8. Equals 3331 public override bool Equals(Object obj); 3333 Tests whether or not two channel binding objects match. 3335 Throws GSSException if an error is detected. 3337 Parameters: 3339 obj Another channel binding to compare with. 3341 6.10. public class Oid 3343 This class represents Universal Object Identifiers (Oids) and their 3344 associated operations. 3346 Oids are hierarchically globally-interpretable identifiers used 3347 within the GSS-API framework to identify mechanisms and name formats. 3349 The structure and encoding of Oids is defined in ISOIEC-8824 and 3350 ISOIEC-8825. For example the Oid representation of Kerberos V5 3351 mechanism is "1.2.840.113554.1.2.2" 3353 The GSSName name class contains public static Oid objects 3354 representing the standard name types defined in GSS-API. 3356 6.10.1. Constructors 3358 public Oid(string strOid); 3360 Creates an Oid object from a string representation of its integer 3361 components (e.g. "1.2.840.113554.1.2.2"). 3363 Throws GSSException if an error is detected. 3365 Parameters: 3367 strOid The string representation for the oid. 3369 public Oid(Stream derOid); 3371 Creates an Oid object from its DER encoding. This refers to the full 3372 encoding including tag and length. The structure and encoding of 3373 Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is 3374 identical in functionality to its byte array counterpart. 3376 Throws GSSException if an error is detected. 3378 Parameters: 3380 derOid Stream containing the DER encoded oid. 3382 public Oid(byte[] DEROid); 3384 Creates an Oid object from its DER encoding. This refers to the full 3385 encoding including tag and length. The structure and encoding of 3386 Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is 3387 identical in functionality to its byte array counterpart. 3389 Throws GSSException if an error is detected. 3391 Parameters: 3393 derOid Byte array storing a DER encoded oid. 3395 6.10.2. ToString 3397 public override string ToString(); 3399 Returns a string representation of the oid's integer components in 3400 dot separated notation (e.g. "1.2.840.113554.1.2.2"). 3402 Throws GSSException if an error is detected. 3404 6.10.3. Equals 3406 public override bool Equals(Object Obj); 3408 Tests if two OID objects represent the same oid value. 3410 Throws GSSException if an error is detected. 3412 Parameters: 3414 obj Another Oid object to compare with. 3416 6.10.4. DER 3418 public byte[] DER; 3420 DER property. Property of the object which refers to its full ASN.1 3421 DER encoding, the property includes the tag and length. 3423 Throws GSSException if an error is detected. 3425 6.10.5. containedIn 3427 public bool containedIn(Oid[] oids); 3429 Method to test if an Oid object is contained within the 3430 supplied Oid object array. 3432 Throws GSSException if an error is detected. 3434 Parameters: 3436 oids An array of oids to search. 3438 6.11. public class GSSException : Exception 3440 This exception is thrown whenever a fatal GSS-API error occurs 3441 including mechanism specific errors. It may contain both, the major 3442 and minor, GSS-API status codes. The mechanism implementers are 3443 responsible for setting appropriate minor status codes when throwing 3444 this exception. Aside from delivering the numeric error code(s) to 3445 the caller, this class performs the mapping from their numeric values 3446 to textual representations. All C# GSS-API methods and properties 3447 are declared throwing this exception. 3449 6.11.1. Constants 3451 All valid major GSS-API error code values are declared as constants 3452 in this class. 3454 public const int BAD_BINDINGS 3456 Channel bindings mismatch error. 3458 public const int BAD_MECH 3460 Unsupported mechanism requested error. 3462 public const int BAD_NAME 3464 Invalid name provided error. 3466 public const int BAD_NAMETYPE 3468 Name of unsupported type provided error. 3470 public const int BAD_STATUS 3472 Invalid status code error - this is the default status value. 3474 public const int BAD_MIC 3476 Token had invalid integrity check error. 3478 public const int CONTEXT_EXPIRED 3480 Specified security context expired error. 3482 public const int CREDENTIALS_EXPIRED 3484 Expired credentials detected error. 3486 public const int DEFECTIVE_CREDENTIAL 3488 Defective credential error. 3490 public const int DEFECTIVE_TOKEN 3492 Defective token error. 3494 public const int FAILURE 3496 General failure, unspecified at GSS-API level. 3498 public const int NO_CONTEXT 3500 Invalid security context error. 3502 public const int NO_CRED 3504 Invalid credentials error. 3506 public const int BAD_QOP 3508 Unsupported QOP value error. 3510 public const int UNAUTHORIZED 3512 Operation unauthorized error. 3514 public const int UNAVAILABLE 3516 Operation unavailable error. 3518 public const int DUPLICATE_ELEMENT 3520 Duplicate credential element requested error. 3522 public const int NAME_NOT_MN 3524 Name contains multi-mechanism elements error. 3526 public const int DUPLICATE_TOKEN 3528 The token was a duplicate of an earlier token. This is a fatal error 3529 code that may occur during context establishment. It is not used to 3530 indicate supplementary status values. The MessageProp object is used 3531 for that purpose. 3533 public const int OLD_TOKEN 3535 The token's validity period has expired. This is a fatal error code 3536 that may occur during context establishment. It is not used to 3537 indicate supplementary status values. The MessageProp object is used 3538 for that purpose. 3540 public const int UNSEQ_TOKEN 3542 A later token has already been processed. This is a fatal error code 3543 that may occur during context establishment. It is not used to 3544 indicate supplementary status values. The MessageProp object is used 3545 for that purpose. 3547 public const int GAP_TOKEN 3549 An expected per-message token was not received. This is a fatal 3550 error code that may occur during context establishment. It is not 3551 used to indicate supplementary status values. The MessageProp object 3552 is used for that purpose. 3554 6.11.2. Constructors 3556 public GSSException(int majorCode); 3558 Creates a GSSException object with a specified major code. 3560 Parameters: 3562 majorCode The GSS error code causing this exception to be 3563 thrown. 3565 public GSSException(int majorCode, int minorCode, 3566 string minorString); 3568 Creates a GSSException object with the specified major code, minor 3569 code, and minor code textual explanation. This constructor is to be 3570 used when the exception is originating from the security mechanism. 3571 It allows to specify the GSS code and the mechanism code. 3573 Parameters: 3575 majorCode The GSS error code causing this exception to be 3576 thrown. 3578 minorCode The mechanism error code causing this exception 3579 to be thrown. 3581 minorString The textual explanation of the mechanism error 3582 code. 3584 6.11.3. major 3586 public int major; 3588 Major code property. Property of the object representing the GSS 3589 error code that caused the exception to be thrown. 3591 6.11.4. minor 3593 public int minor; 3595 Minor code property. Property of the object representing the 3596 mechanism error code that caused the exception to be thrown. The 3597 minor code property is set by the underlying mechanism. A setting of 3598 0 for this property indicates that the mechanism error code is not 3599 set. 3601 6.11.5. majorString 3603 public string majorString; 3605 Major string property. Property of the object explaining the GSS 3606 major error code causing the exception to be thrown. 3608 6.11.6. minorString 3610 public string minorString; 3612 Minor string property. Property of the object explaining the 3613 mechanism specific error code causing the exception to be thrown. 3614 The string will be empty if no mechanism error code has been set. 3616 6.11.7. ToString 3618 public override string ToString(); 3620 Returns a textual representation of both the major and minor status 3621 codes. 3623 6.11.8. Message 3625 public string Message; 3627 Message property. Error message explaining the reason for the 3628 exception. 3630 7. Sample Applications 3632 7.1. Simple GSS Context Initiator 3634 using org.ietf.gss; 3636 /** 3637 * This is a partial sketch for a simple client program that acts 3638 * as a GSS context initiator. It illustrates how to use the C# 3639 * bindings for the GSS-API specified in 3640 * Generic Security Service API Version 2 : C# bindings 3641 * 3642 * 3643 * This code sketch assumes the existence of a GSS-API 3644 * implementation that supports the mechanism that it will need and 3645 * is present as a library package (org.ietf.jgss) either as part of 3646 * the standard JRE or in the CLASSPATH the application specifies. 3647 */ 3649 public class SimpleClient { 3651 private string serviceName; // name of peer (ie. server) 3652 private GSSCredential clientCred = null; 3653 private GSSContext context = null; 3654 private Oid mech; // underlying mechanism to use 3656 private GSSManager mgr = GSSManager.getInstance(); 3658 ... 3659 ... 3661 private void clientActions() { 3663 initializeGSS(); 3664 establishContext(); 3665 doCommunication(); 3666 } 3667 /** 3668 * Acquire credentials for the client. 3669 */ 3670 private void initializeGSS() { 3672 try { 3674 clientCred = mgr.createCredential(null /*default princ*/, 3675 GSSConstants.INDEFINITE_LIFETIME /* max lifetime */, 3676 mech /* mechanism to use */, 3677 GSSCredentialUsage.INITIATE_ONLY /* init context */); 3679 Console.Writeline("GSSCredential created for " + 3680 cred.getName().ToString()); 3681 Console.Writeline("Credential lifetime (sec)=" + 3682 cred.getRemainingLifetime()); 3684 } catch (GSSException e) { 3685 Console.Writeline("GSS-API error in credential acquisition:" 3686 + e.Message); 3687 ... 3688 ... 3689 } 3691 ... 3692 ... 3693 } 3694 /** 3695 * Does the security context establishment with the 3696 * server. 3697 */ 3698 private void establishContext() { 3700 byte[] inToken = new byte[0]; 3701 byte[] outToken = null; 3703 try { 3705 GSSName peer = mgr.createName( 3706 serviceName, 3707 GSSNameTypes.NT_HOSTBASED_SERVICE); 3709 context = mgr.createContext( 3710 peer, 3711 mech, 3712 gssCred, 3713 GSSConstants.INDEFINITE_LIFETIME/*lifetime*/); 3715 // Will need to support confidentiality 3716 context.confidentiality = true; 3718 while (!context.isEstablished) { 3720 outToken = context.initSecContext(inToken, 3721 0, 3722 inToken.length); 3724 if (outToken != null) 3725 writeGSSToken(outToken); 3727 if (!context.isEstablished) 3728 inToken = readGSSToken(); 3729 } 3731 GSSName peer = context.srcName; 3732 Console.Writeline( 3733 "Security context established with " + 3734 peer + 3735 " using underlying mechanism " + mech.toString()); 3737 } catch (GSSException e) { 3738 Console.Writeline( 3739 "GSS-API error during context establishment: " + 3740 e.Message); 3741 } 3742 ... 3743 } 3744 /** 3745 * Sends some data to the server and reads back the 3746 * response. 3747 */ 3748 private void doCommunication() { 3750 byte[] inToken = null; 3751 byte[] outToken = null; 3752 byte[] buffer; 3754 // Container for multiple input-output arguments to and 3755 // from the per-message routines (e.g., wrap/unwrap). 3756 MessageProp messgInfo = new MessageProp(); 3758 try { 3760 /* 3761 * Now send some bytes to the server to be 3762 * processed. They will be integrity protected but 3763 * not encrypted for privacy. 3764 */ 3766 buffer = readFromFile(); 3768 // Set privacy to false and use the default QOP 3769 messgInfo.privacy = false; 3771 outToken = context.wrap(buffer, 3772 0, 3773 buffer.length, 3774 messgInfo); 3776 writeGSSToken(outToken); 3778 /* 3779 * Now read the response from the server. 3780 */ 3782 inToken = readGSSToken(); 3783 buffer = context.unwrap(inToken, 3784 0, 3785 inToken.length, 3786 messgInfo); 3788 // All ok if no exception was thrown! 3790 GSSName peer = context.srcName; 3792 Console.Writeline("Message from " + 3793 peer.ToString() + 3794 " arrived."); 3795 Console.Writeline("Was it encrypted? " + 3796 messgInfo.privacy); 3797 Console.Writeline("Duplicate Token? " + 3798 messgInfo.isDuplicateToken); 3799 Console.Writeline("Old Token? " + 3800 messgInfo.isOldToken); 3801 Console.Writeline("Unsequenced Token? " + 3802 messgInfo.isUnseqToken); 3803 Console.Writeline("Gap Token? " + 3804 messgInfo.isGapToken); 3806 ... 3807 ... 3809 } catch (GSSException e) { 3810 Console.Writeline("GSS-API error in per-message calls: " + 3811 e.Message); 3812 ... 3813 ... 3815 } 3817 ... 3818 ... 3820 } // end of doCommunication method 3822 ... 3823 ... 3825 } // end of class SimpleClient 3827 7.2. Simple GSS Context Acceptor 3829 using org.ietf.gss; 3831 /** 3832 * This is a partial sketch for a simple server program that acts 3833 * as a GSS context acceptor. It illustrates how to use the C# 3834 * bindings for the GSS-API specified in 3835 * Generic Security Service API Version 2 : C# bindings 3836 * 3837 * This code sketch assumes the existence of a GSS-API 3838 * implementation that supports the mechanisms that it will need and 3839 * is present as a library package (org.ietf.jgss) either as part of 3840 * the standard JRE or in the CLASSPATH the application specifies. 3841 */ 3843 public class SimpleServer { 3845 private string serviceName; 3846 private GSSName name; 3847 private GSSCredential cred; 3849 private GSSManager mgr; 3851 ... 3852 ... 3854 /** 3855 * Wait for client connections, establish security contexts and 3856 * provide service. 3857 */ 3858 private void loop() { 3860 ... 3861 ... 3863 mgr = GSSManager.getInstance(); 3865 name = mgr.createName(serviceName, 3866 GSSNameTypes.NT_HOSTBASED_SERVICE); 3868 cred = mgr.createCredential(name, 3869 GSSConstants.INDEFINITE_LIFETIME, 3870 null, 3871 GSSCredentialUsage.ACCEPT_ONLY); 3873 // Loop infinitely 3874 while (true) { 3876 Socket s = serverSock.accept(); 3878 // Start a new thread to serve this connection 3879 Thread serverThread = new ServerThread(s); 3880 serverThread.start(); 3882 } 3883 } 3885 /** 3886 * Inner class ServerThread whose run() method provides the 3887 * secure service to a connection. 3888 */ 3890 private class ServerThread extends Thread { 3892 ... 3893 ... 3895 /** 3896 * Deals with the connection from one client. It also 3897 * handles all GSSException's thrown while talking to 3898 * this client. 3899 */ 3900 public void run() { 3902 byte[] inToken = null; 3903 byte[] outToken = null; 3904 byte[] buffer; 3906 GSSName peer; 3908 // Container for multiple input-output arguments to and 3909 // from the per-message routines (ie. wrap/unwrap). 3910 MessageProp supplInfo = new MessageProp(); 3912 GSSContext secContext = null; 3914 try { 3916 // Now do the context establishment loop 3918 GSSContext context = mgr.createContext(cred); 3919 while (!context.isEstablished) { 3921 inToken = readGSSToken(); 3923 outToken = context.acceptSecContext(inToken, 3924 0, 3925 inToken.length); 3927 if (outToken != null) 3928 writeGSSToken(outToken); 3930 } 3932 // SimpleServer wants confidentiality to be 3933 // available. Check for it. 3934 if (!context.confidentiality) { 3935 ... 3936 ... 3937 } 3939 GSSName peer = context.srcName; 3940 Oid mech = context.getMech(); 3941 Console.Writeline("Security context established with " + 3942 peer.ToString() + 3943 " using underlying mechanism " + 3944 mech.ToString()); 3946 // Now read the bytes sent by the client to be 3947 // processed. 3948 inToken = readGSSToken(); 3950 // Unwrap the message 3951 buffer = context.unwrap(inToken, 3952 0, 3953 inToken.length, 3954 supplInfo); 3956 // All ok if no exception was thrown! 3957 // Print other supplementary per-message status 3958 // information 3959 Console.Writeline("Message from " + 3960 peer.ToString() + 3961 " arrived."); 3962 Console.Writeline("Was it encrypted? " + 3963 supplInfo.privacy); 3964 Console.Writeline("Duplicate Token? " + 3965 supplInfo.isDuplicateToken); 3966 Console.Writeline("Old Token? " + supplInfo.isOldToken); 3967 Console.Writeline("Unsequenced Token? " + 3968 supplInfo.isUnseqToken); 3969 Console.Writeline("Gap Token? " + supplInfo.isGapToken); 3971 /* 3972 * Now process the bytes and send back an encrypted 3973 * response. 3974 */ 3976 buffer = serverProcess(buffer); 3978 // Encipher it and send it across 3979 supplInfo.privacy = true; // privacy requested 3980 supplInfo.QOP = 0; // default QOP 3981 outToken = context.wrap(buffer, 3982 0, 3983 buffer.length, 3984 supplInfo); 3985 writeGSSToken(outToken); 3987 } catch (GSSException e) { 3989 Console.Writeline("GSS-API Error: " + e.Message); 3991 // Alternatively, could read the e.majorString 3992 // and the e.minorString properties. 3994 Console.Writeline("Abandoning security context."); 3996 ... 3997 ... 3998 } 4000 ... 4001 ... 4003 } // end of run method in ServerThread 4005 } // end of inner class ServerThread 4006 ... 4007 ... 4009 } // end of class SimpleServer 4011 8. Security Considerations 4013 The level of security that can be obtained by using GSS-API is 4014 dependent on the following factors: 4016 - The integrity of the libraries being utilized. 4017 - The integrity of the systems where the application executes. 4018 - The GSS-API mechanism utilized. 4019 - The GSS-API services utilized by the application. 4020 - The way that the application utilizes GSS-API. 4022 Application as well as system installers need to be aware of 4023 the factors mentioned above to avoid security vulnerabilities. 4025 9. IANA Considerations 4027 This document has no actions for IANA. 4029 10. Acknowledgments 4031 The author would like to thank the following: 4033 Kabat, J. and Upadhyay, M. for writing the Generic Security Service 4034 API Version 2 : Java Bindings specification [RFC2853] that 4035 constitutes the basis of this work. 4037 Jeff Altman for his support and suggestions. 4039 Corby Morris for his initial implementation. 4041 Funding for the RFC Editor function is currently provided by the 4042 Internet Society. 4044 11. Normative References 4046 [RFC2743] Linn, J., "Generic Security Service Application Program 4047 Interface Version 2, Update 1", RFC 2743, January 2000. 4049 [RFC2853] Kabat, J. and Upadhyay, M., "Generic Security Service API 4050 Version 2 : Java Bindings", RFC 2853, June 2000. 4052 [RFC1509] Wray, J., "Generic Security Service API : C-bindings", 4053 RFC 1509, September 1993. 4055 12. Authors' Addresses 4057 Juan Carlos Luciani 4058 Novell, Inc. 4059 1800 South Novell Place 4060 Provo, Utah 84606 4061 US 4063 EMail: jluciani@novell.com 4065 13. Intellectual Property Statement 4067 The IETF takes no position regarding the validity or scope of any 4068 Intellectual Property Rights or other rights that might be claimed to 4069 pertain to the implementation or use of the technology described in 4070 this document or the extent to which any license under such rights 4071 might or might not be available; nor does it represent that it has 4072 made any independent effort to identify any such rights. Information 4073 on the procedures with respect to rights in RFC documents can be 4074 found in BCP 78 and BCP 79. 4076 Copies of IPR disclosures made to the IETF Secretariat and any 4077 assurances of licenses to be made available, or the result of an 4078 attempt made to obtain a general license or permission for the use of 4079 such proprietary rights by implementers or users of this 4080 specification can be obtained from the IETF on-line IPR repository at 4081 http://www.ietf.org/ipr. 4083 The IETF invites any interested party to bring to its attention any 4084 copyrights, patents or patent applications, or other proprietary 4085 rights that may cover technology that may be required to implement 4086 this standard. Please address the information to the IETF at 4087 ietf-ipr@ietf.org. 4089 14. Disclaimer of Validity 4091 This document and the information contained herein are provided on an 4092 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 4093 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 4094 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 4095 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 4096 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 4097 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 4099 15. Copyright Statement 4101 Copyright (C) The Internet Society (2005). This document is subject 4102 to the rights, licenses and restrictions contained in BCP 78, and 4103 except as set forth therein, the authors retain all their rights.