com.ibm.security.jgss.spi
Interface GSSContextSpi
- public interface GSSContextSpi
A GSSContextSpi object can be thought of as having three states: (1) before initialization, (2) during initialization, while tokens are being exchanged with the peer, and (3) after the context is established. The context options can only be requested in state 1. In state 3 the per-message operations are available to the callers. The get methods for the context options return the requested values while in states 1 and 2, and the established values in state 3. Some mechanisms may allow access to the per-message operations and the context flags before the context is fully established; the isProtReady method is used to indicate that these services are available.
Context establishment tokens are defined in a mechanism-independent format in section 3.1 of RFC 2743. The GSS-Framework adds and removes the mechanism-independent header portion of this token format depending on whether a token is being sent or has been received. The mechanism should only generate, or expect to read, the inner context token portion.
Tokens used for per-message calls, on the other hand, are generated entirely by the mechanism. A mechanism may choose to encase its inner-level per-message tokens in a header similar to the one used for initial tokens, but that is up to the mechanism. The tokens passed to and from the per-message calls are opaque to the GSS-Framework.
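The framing described above, as an added example (not IBM code and not part of the SPI): a minimal encoder and decoder for the RFC 2743 section 3.1 InitialContextToken, which is what the GSS-Framework adds on the way out and strips on the way in before calling initSecContext or acceptSecContext with the inner token and its mechTokenSize. The class and method names, the constructed inner token in main(), and the rejection of malformed outer framing with DEFECTIVE_TOKEN are this example's own choices; the OID used is the standard Kerberos V5 mechanism OID.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/**
 * Added example, not IBM code: the mechanism-independent InitialContextToken
 * header of RFC 2743 section 3.1.
 *
 *   InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
 *       thisMech          MechType,   -- DER-encoded OID (tag 0x06)
 *       innerContextToken ANY         -- mechanism bytes, no further framing
 *   }
 *
 * The framework applies addHeader() to what initSecContext/acceptSecContext
 * return and stripHeader() to what arrives from the peer; the mechanism only
 * ever sees the inner token and its size.
 */
public final class Rfc2743Framing {

    /** What the framework hands to the mechanism: a stream at the inner token plus its length. */
    public static final class InnerToken {
        public final Oid mech;
        public final InputStream is;
        public final int mechTokenSize;
        InnerToken(Oid mech, InputStream is, int mechTokenSize) {
            this.mech = mech; this.is = is; this.mechTokenSize = mechTokenSize;
        }
    }

    /** Sender side: prepend the [APPLICATION 0] tag, a DER length and the mechanism OID. */
    public static byte[] addHeader(Oid mech, byte[] inner) throws GSSException, IOException {
        byte[] mechDer = mech.getDER();                 // full DER encoding, 0x06 tag included
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x60);                                // [APPLICATION 0], constructed
        writeDerLength(out, mechDer.length + inner.length);
        out.write(mechDer);
        out.write(inner);
        return out.toByteArray();
    }

    /** Receiver side: validate the outer framing and expose only the inner token. */
    public static InnerToken stripHeader(byte[] token) throws GSSException {
        int[] pos = {0};
        if (token.length < 2 || token[pos[0]++] != 0x60) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "not an InitialContextToken");
        }
        int bodyLen = readDerLength(token, pos);
        if (bodyLen != token.length - pos[0]) {         // truncated, or trailing bytes
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "outer length mismatch");
        }
        int oidStart = pos[0];
        if (token[pos[0]++] != 0x06) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "mechanism OID expected");
        }
        int oidLen = readDerLength(token, pos);
        int innerStart = pos[0] + oidLen;
        if (innerStart > token.length) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "OID runs past end of token");
        }
        Oid mech = new Oid(Arrays.copyOfRange(token, oidStart, innerStart));
        int mechTokenSize = token.length - innerStart;  // the SPI's mechTokenSize argument
        return new InnerToken(mech, new ByteArrayInputStream(token, innerStart, mechTokenSize), mechTokenSize);
    }

    /** DER length: short form below 128, otherwise 0x80|n followed by n big-endian bytes. */
    private static void writeDerLength(ByteArrayOutputStream out, int len) {
        if (len < 0x80) { out.write(len); return; }
        int n = (len > 0xFFFFFF) ? 4 : (len > 0xFFFF) ? 3 : (len > 0xFF) ? 2 : 1;
        out.write(0x80 | n);
        for (int i = n - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
    }

    private static int readDerLength(byte[] buf, int[] pos) throws GSSException {
        if (pos[0] >= buf.length) throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "missing length");
        int first = buf[pos[0]++] & 0xFF;
        if (first < 0x80) return first;
        int n = first & 0x7F;
        if (n == 0 || n > 4 || pos[0] + n > buf.length) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "bad DER length");
        }
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos[0]++] & 0xFF);
        if (len < 0) throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "length overflow");
        return len;
    }

    public static void main(String[] args) throws Exception {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");                   // Kerberos V5 mechanism OID
        byte[] inner = "constructed inner token".getBytes("UTF-8");    // stand-in for a mechanism token
        byte[] wire = addHeader(krb5, inner);
        InnerToken t = stripHeader(wire);
        byte[] back = new byte[t.mechTokenSize];
        int n = t.is.read(back);
        System.out.println(t.mech + " mechTokenSize=" + t.mechTokenSize
                + " roundTrip=" + (n == inner.length && Arrays.equals(back, inner)));
    }
}
```

The length checks matter on the receiving side: a mechanism implementing acceptSecContext is entitled to trust mechTokenSize, so whatever strips the header must refuse a token whose outer length disagrees with the bytes actually present rather than pass the discrepancy down.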
An attempt has been made to allow the peer's tokens to be read from an InputStream and tokens for the peer to be written to an OutputStream. This lets applications pass in streams obtained from their network connections and thus minimize buffer copies. This is especially important for tokens generated by wrap(), which are proportional in size to the length of the application data being wrapped and are probably also the most frequently used kind of token.
It is anticipated that most applications will want to use wrap() in a fashion where they take the application bytes to wrap from a byte[] but write the wrap token straight to an OutputStream. Similarly, they will want to use unwrap() to read the token directly from an InputStream but deliver the output to a byte[] for the application to process. The high-level GSS bindings do not contain overloaded forms of wrap() and unwrap() that do exactly this; those cases are accommodated here in the expectation that they will eventually be rolled into the high-level bindings.
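As an added example of driving the per-message calls (not IBM code; in practice the GSS-Framework, not the application, calls these SPI methods), the helper below assumes it is handed a GSSContextSpi whose establishment has completed. It checks the established flags rather than the requested ones, sizes each wrap() call with getWrapSizeLimit so that no token exceeds an assumed transport limit, streams tokens straight to the network OutputStream, and on receipt refuses tokens whose MessageProp does not report the protection the application required or that the mechanism flags as replayed or out of order. The class name, MAX_TOKEN and the use of QOP 0 are this example's assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
import com.ibm.security.jgss.spi.GSSContextSpi;

/**
 * Added example, not IBM code: drive GSSContextSpi per-message calls the way
 * the GSS-Framework would, with the checks a careful caller makes.
 * Assumes the caller supplies a context whose establishment has completed.
 */
public final class ProtectedChannel {

    /** Assumed upper bound on a single token the transport will carry (example value). */
    public static final int MAX_TOKEN = 16 * 1024;

    /** QOP 0 is the conventional "mechanism default" (assumption of this example). */
    private static final int DEFAULT_QOP = 0;

    /**
     * Trust the established flags (state 3), never the requested ones: the
     * mechanism or the peer may have negotiated integrity or confidentiality away.
     */
    public static void requireProtection(GSSContextSpi ctx, boolean needConf) throws GSSException {
        if (!ctx.isEstablished() && !ctx.isProtReady()) {
            throw new GSSException(GSSException.NO_CONTEXT, 0, "per-message services not available yet");
        }
        if (!ctx.getIntegState()) {
            throw new GSSException(GSSException.UNAVAILABLE, 0, "integrity not established");
        }
        if (needConf && !ctx.getConfState()) {
            throw new GSSException(GSSException.UNAVAILABLE, 0, "confidentiality not established");
        }
    }

    /** Wrap data in chunks that keep every token within MAX_TOKEN, writing straight to the network. */
    public static int send(GSSContextSpi ctx, byte[] data, OutputStream net, boolean conf)
            throws GSSException, IOException {
        requireProtection(ctx, conf);
        int chunk = ctx.getWrapSizeLimit(DEFAULT_QOP, conf, MAX_TOKEN);
        if (chunk <= 0) {
            throw new GSSException(GSSException.FAILURE, 0, "MAX_TOKEN too small for any payload");
        }
        int tokens = 0;
        for (int off = 0; off < data.length; off += chunk) {
            int len = Math.min(chunk, data.length - off);
            MessageProp prop = new MessageProp(DEFAULT_QOP, conf);   // on input: what we ask for
            ctx.wrap(data, off, len, net, prop);                     // byte[] in, stream out
            if (conf && !prop.getPrivacy()) {                        // on output: what was applied
                throw new GSSException(GSSException.BAD_QOP, 0, "mechanism did not apply confidentiality");
            }
            tokens++;
        }
        net.flush();
        return tokens;
    }

    /**
     * Unwrap every token on the stream. Per-message tokens are opaque to the
     * framework, so a real transport must delimit them itself; available() is
     * only adequate when the stream is an in-memory buffer holding whole tokens.
     */
    public static byte[] receive(GSSContextSpi ctx, InputStream net, boolean needConf)
            throws GSSException, IOException {
        requireProtection(ctx, needConf);
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        while (net.available() > 0) {
            MessageProp prop = new MessageProp(DEFAULT_QOP, false);  // filled in by unwrap
            ctx.unwrap(net, plain, prop);                            // stream in, stream out
            if (needConf && !prop.getPrivacy()) {
                throw new GSSException(GSSException.BAD_QOP, 0, "token arrived without confidentiality");
            }
            int minor = prop.getMinorStatus();
            if (prop.isDuplicateToken()) throw new GSSException(GSSException.DUPLICATE_TOKEN, minor, "replayed token");
            if (prop.isOldToken())       throw new GSSException(GSSException.OLD_TOKEN, minor, "token too old");
            if (prop.isUnseqToken())     throw new GSSException(GSSException.UNSEQ_TOKEN, minor, "token out of sequence");
            if (prop.isGapToken())       throw new GSSException(GSSException.GAP_TOKEN, minor, "missing earlier token");
        }
        return plain.toByteArray();
    }
}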
Method Summary
Modifier and Type | Method and Description |
---|---|
byte[] | acceptSecContext(java.io.InputStream is, int mechTokenSize) - Acceptor's context establishment call. |
void | dispose() - Releases context resources and terminates the context between the two peers. |
byte[] | export() - Produces a token representing this context. |
boolean | getAnonymityState() |
boolean | getConfState() |
boolean | getCredDelegState() |
GSSCredentialSpi | getDelegCred() |
boolean | getIntegState() |
int | getLifetime() |
org.ietf.jgss.Oid | getMech() |
byte[] | getMIC(byte[] inMsg, int offset, int len, org.ietf.jgss.MessageProp msgProp) |
void | getMIC(java.io.InputStream is, java.io.OutputStream os, org.ietf.jgss.MessageProp msgProp) - Applies per-message integrity services. |
boolean | getMutualAuthState() |
java.security.Provider | getProvider() |
boolean | getReplayDetState() |
boolean | getSequenceDetState() |
GSSNameSpi | getSrcName() |
GSSNameSpi | getTargName() |
int | getWrapSizeLimit(int qop, boolean confReq, int maxTokSize) - Queries the context for the largest data size that can be given the specified protection while the resulting token stays below maxTokSize. |
byte[] | initSecContext(java.io.InputStream is, int mechTokenSize) - Initiator's context establishment call. |
boolean | isEstablished() |
boolean | isProtReady() |
boolean | isTransferable() |
void | requestAnonymity(boolean state) |
void | requestConf(boolean state) |
void | requestCredDeleg(boolean state) |
void | requestInteg(boolean state) |
void | requestLifetime(int lifetime) |
void | requestMutualAuth(boolean state) |
void | requestReplayDet(boolean state) |
void | requestSequenceDet(boolean state) |
void | setChannelBinding(org.ietf.jgss.ChannelBinding cb) |
void | setNegMechs(org.ietf.jgss.Oid[] mechTypes, org.ietf.jgss.GSSCredential credential) - For the SPNEGO mechanism. |
int | unwrap(byte[] inBuf, int inOffset, int len, byte[] outBuf, int outOffset, org.ietf.jgss.MessageProp msgProp) - For apps that care about buffer copies but either cannot use streams or want to avoid them for whatever reason. |
byte[] | unwrap(byte[] inBuf, int offset, int len, org.ietf.jgss.MessageProp msgProp) - For apps that want simplicity and don't care about buffer copies. |
int | unwrap(java.io.InputStream is, byte[] outBuf, int outOffset, org.ietf.jgss.MessageProp msgProp) - For apps that care about buffer copies and want to read straight from the network, but also want the output in a specific application-provided buffer, say to reduce buffer allocation or a subsequent copy. |
void | unwrap(java.io.InputStream is, java.io.OutputStream os, org.ietf.jgss.MessageProp msgProp) - Retrieves the message previously encapsulated by the wrap call. |
void | verifyMIC(byte[] inTok, int tokOffset, int tokLen, byte[] inMsg, int msgOffset, int msgLen, org.ietf.jgss.MessageProp msgProp) |
void | verifyMIC(java.io.InputStream is, java.io.InputStream msgStr, org.ietf.jgss.MessageProp mProp) - Checks the integrity of the supplied tokens. |
int | wrap(byte[] inBuf, int inOffset, int len, byte[] outBuf, int outOffset, org.ietf.jgss.MessageProp msgProp) - For apps that care about buffer copies but either cannot use streams or want to avoid them for whatever reason. |
byte[] | wrap(byte[] inBuf, int offset, int len, org.ietf.jgss.MessageProp msgProp) - For apps that want simplicity and don't care about buffer copies. |
void | wrap(byte[] inBuf, int offset, int len, java.io.OutputStream os, org.ietf.jgss.MessageProp msgProp) - For apps that want to read from a specific application-provided buffer but want to write directly to the network stream. |
void | wrap(java.io.InputStream is, java.io.OutputStream os, org.ietf.jgss.MessageProp msgProp) - Provides per-message token encapsulation. |
Method Detail
getProvider
- java.security.Provider getProvider()
requestLifetime
- void requestLifetime(int lifetime)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestMutualAuth
- void requestMutualAuth(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestReplayDet
- void requestReplayDet(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestSequenceDet
- void requestSequenceDet(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestCredDeleg
- void requestCredDeleg(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestAnonymity
- void requestAnonymity(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestConf
- void requestConf(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
requestInteg
- void requestInteg(boolean state)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
setChannelBinding
- void setChannelBinding(org.ietf.jgss.ChannelBinding cb)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
getCredDelegState
- boolean getCredDelegState()
getMutualAuthState
- boolean getMutualAuthState()
getReplayDetState
- boolean getReplayDetState()
getSequenceDetState
- boolean getSequenceDetState()
getAnonymityState
- boolean getAnonymityState()
isTransferable
- boolean isTransferable()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
isProtReady
- boolean isProtReady()
getConfState
- boolean getConfState()
getIntegState
- boolean getIntegState()
getLifetime
- int getLifetime()
isEstablished
- boolean isEstablished()
getSrcName
- GSSNameSpi getSrcName()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
getTargName
- GSSNameSpi getTargName()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
getMech
- org.ietf.jgss.Oid getMech()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
getDelegCred
- GSSCredentialSpi getDelegCred()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
initSecContext
- byte[] initSecContext(java.io.InputStream is,
- int mechTokenSize)
- throws org.ietf.jgss.GSSException
This method is called by the GSS-Framework when the application calls the initSecContext method on the GSSContext implementation that it has a reference to.
All overloaded forms of GSSContext.initSecContext() can be handled with this mechanism-level initSecContext. Since the output token from this method is of bounded size, not exceedingly large, and produced only during context establishment, an overloaded form that takes an OutputStream has not been defined. The GSS-Framework can write the returned byte[] to any application-provided OutputStream. Similarly, any application input in the form of byte arrays will be wrapped in an InputStream by the GSS-Framework and then passed here.
The GSS-Framework will strip off the leading mechanism-independent GSS-API header. In other words, only the mechanism-specific inner context token of RFC 2743 section 3.1 will be available on the InputStream.
Parameters:
is - contains the inner context token portion of the GSS token received from the peer. On the first call to initSecContext there is no token from the peer, so this stream is ignored.
mechTokenSize - the size of the inner context token as read by the GSS-Framework from the mechanism-independent GSS-API level header.
Throws:
org.ietf.jgss.GSSException - may be thrown
acceptSecContext
- byte[] acceptSecContext(java.io.InputStream is,
- int mechTokenSize)
- throws org.ietf.jgss.GSSException
This method is called by the GSS-Framework when the application calls the acceptSecContext method on the GSSContext implementation that it has a reference to.
All overloaded forms of GSSContext.acceptSecContext() can be handled with this mechanism-level acceptSecContext. Since the output token from this method is of bounded size, not exceedingly large, and produced only during context establishment, an overloaded form that takes an OutputStream has not been defined. The GSS-Framework can write the returned byte[] to any application-provided OutputStream. Similarly, any application input in the form of byte arrays will be wrapped in an InputStream by the GSS-Framework and then passed here.
The GSS-Framework will strip off the leading mechanism-independent GSS-API header. In other words, only the mechanism-specific inner context token of RFC 2743 section 3.1 will be available on the InputStream.
Parameters:
is - contains the inner context token portion of the GSS token received from the peer.
mechTokenSize - the size of the inner context token as read by the GSS-Framework from the mechanism-independent GSS-API level header.
Throws:
org.ietf.jgss.GSSException - may be thrown
getWrapSizeLimit
- int getWrapSizeLimit(int qop,
- boolean confReq,
- int maxTokSize)
- throws org.ietf.jgss.GSSException
Parameters:
qop - the quality of protection that the context will be asked to provide.
confReq - a flag indicating whether confidentiality will be requested or not.
maxTokSize - the size that the resulting wrap token must stay below; the method returns the largest amount of data that can be wrapped with the given protection under that bound.
Throws:
org.ietf.jgss.GSSException - may be thrown
wrap
- void wrap(java.io.InputStream is,
- java.io.OutputStream os,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Parameters:
is - the user-provided message to be protected.
os - the token to be sent to the peer. It includes the message from is with the requested protection.
Throws:
org.ietf.jgss.GSSException - may be thrown
See Also:
org.ietf.jgss.MessageProp, unwrap
wrap
- byte[] wrap(byte[] inBuf,
- int offset,
- int len,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
wrap
- int wrap(byte[] inBuf,
- int inOffset,
- int len,
- byte[] outBuf,
- int outOffset,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
wrap
- void wrap(byte[] inBuf,
- int offset,
- int len,
- java.io.OutputStream os,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
unwrap
- void unwrap(java.io.InputStream is,
- java.io.OutputStream os,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Parameters:
is - the token from the peer.
os - the unprotected message data.
msgProp - on return, contains the QOP and confidentiality actually applied to the input token and any informatory status values.
Throws:
org.ietf.jgss.GSSException - may be thrown
See Also:
org.ietf.jgss.MessageProp, wrap
unwrap
- byte[] unwrap(byte[] inBuf,
- int offset,
- int len,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
unwrap
- int unwrap(byte[] inBuf,
- int inOffset,
- int len,
- byte[] outBuf,
- int outOffset,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
unwrap
- int unwrap(java.io.InputStream is,
- byte[] outBuf,
- int outOffset,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
getMIC
- void getMIC(java.io.InputStream is,
- java.io.OutputStream os,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Parameters:
is - the user-provided message.
os - the token to be sent to the peer along with the message. The message itself is not encapsulated in the token.
msgProp - on input the desired QOP, on output the applied QOP.
Throws:
org.ietf.jgss.GSSException
getMIC
- byte[] getMIC(byte[] inMsg,
- int offset,
- int len,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
verifyMIC
- void verifyMIC(java.io.InputStream is,
- java.io.InputStream msgStr,
- org.ietf.jgss.MessageProp mProp)
- throws org.ietf.jgss.GSSException
Parameters:
is - the token generated by getMIC.
msgStr - the message whose integrity is to be checked.
Throws:
org.ietf.jgss.GSSException - may be thrown
verifyMIC
- void verifyMIC(byte[] inTok,
- int tokOffset,
- int tokLen,
- byte[] inMsg,
- int msgOffset,
- int msgLen,
- org.ietf.jgss.MessageProp msgProp)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException
export
- byte[] export()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException - may be thrown
dispose
- void dispose()
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException - may be thrown
setNegMechs
- void setNegMechs(org.ietf.jgss.Oid[] mechTypes,
- org.ietf.jgss.GSSCredential credential)
- throws org.ietf.jgss.GSSException
Throws:
org.ietf.jgss.GSSException