summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5653.txt
blob: fbf4a34848039798c666a8dcec12d5d125bd7e4f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
4576
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
4632
4633
4634
4635
4636
4637
4638
4639
4640
4641
4642
4643
4644
4645
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4795
4796
4797
4798
4799
4800
4801
4802
4803
4804
4805
4806
4807
4808
4809
4810
4811
4812
4813
4814
4815
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4938
4939
4940
4941
4942
4943
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4955
4956
4957
4958
4959
4960
4961
4962
4963
4964
4965
4966
4967
4968
4969
4970
4971
4972
4973
4974
4975
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
4986
4987
4988
4989
4990
4991
4992
4993
4994
4995
4996
4997
4998
4999
5000
5001
5002
5003
5004
5005
5006
5007
5008
5009
5010
5011
5012
5013
5014
5015
5016
5017
5018
5019
5020
5021
5022
5023
5024
5025
5026
5027
5028
5029
5030
5031
5032
5033
5034
5035
5036
5037
5038
5039
5040
5041
5042
5043
5044
5045
5046
5047
5048
5049
5050
5051
5052
5053
5054
5055
5056
5057
5058
5059
5060
5061
5062
5063
5064
5065
5066
5067
5068
5069
5070
5071
5072
5073
5074
5075
5076
5077
5078
5079
5080
5081
5082
5083
5084
5085
5086
5087
5088
5089
5090
5091
5092
5093
5094
5095
5096
5097
5098
5099
5100
5101
5102
5103
5104
5105
5106
5107
5108
5109
5110
5111
5112
5113
5114
5115
5116
5117
5118
5119
5120
5121
5122
5123
5124
5125
5126
5127
5128
5129
5130
5131
5132
5133
5134
5135
5136
5137
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155
5156
5157
5158
5159
5160
5161
5162
5163
5164
5165
5166
5167
5168
5169
5170
5171
5172
5173
5174
5175
5176
5177
5178
5179
5180
5181
5182
5183
5184
5185
5186
5187
5188
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199
5200
5201
5202
5203
5204
5205
5206
5207
5208
5209
5210
5211
5212
5213
5214
5215
5216
5217
5218
5219
5220
5221
5222
5223
5224
5225
5226
5227
5228
5229
5230
5231
5232
5233
5234
5235
5236
5237
5238
5239
5240
5241
5242
5243
5244
5245
5246
5247
5248
5249
5250
5251
5252
5253
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266
5267
5268
5269
5270
5271
5272
5273
5274
5275
5276
5277
5278
5279
5280
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
5319
5320
5321
5322
5323
5324
5325
5326
5327
5328
5329
5330
5331
5332
5333
5334
5335
5336
5337
5338
5339
5340
5341
5342
5343
5344
5345
5346
5347
5348
5349
5350
5351
5352
5353
5354
5355
5356
5357
5358
5359
5360
5361
5362
5363
5364
5365
5366
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
5380
5381
5382
5383
5384
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408
5409
5410
5411
5412
5413
5414
5415
5416
5417
5418
5419
5420
5421
5422
5423
5424
5425
5426
5427
5428
5429
5430
5431
5432
5433
5434
5435
5436
5437
5438
5439
5440
5441
5442
5443
5444
5445
5446
5447
5448
5449
5450
5451
5452
5453
5454
5455
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5469
5470
5471
5472
5473
5474
5475
5476
5477
5478
5479
5480
5481
5482
5483
5484
5485
5486
5487
5488
5489
5490
5491
5492
5493
5494
5495
5496
5497
5498
5499
5500
5501
5502
5503
5504
5505
5506
5507
5508
5509
5510
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521
5522
5523
5524
5525
5526
5527
5528
5529
5530
5531
5532
5533
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543
5544
5545
5546
5547
Network Working Group                                        M. Upadhyay
Request for Comments: 5653                                        Google
Obsoletes: 2853                                               S. Malkani
Category: Standards Track                                  ActivIdentity
                                                             August 2009


      Generic Security Service API Version 2: Java Bindings Update

Abstract

   The Generic Security Services Application Program Interface (GSS-API)
   offers application programmers uniform access to security services
   atop a variety of underlying cryptographic mechanisms.  This document
   updates the Java bindings for the GSS-API that are specified in
   "Generic Security Service API Version 2 : Java Bindings" (RFC 2853).
   This document obsoletes RFC 2853 by making specific and incremental
   clarifications and corrections to it in response to identification of
   transcription errors and implementation experience.

   The GSS-API is described at a language-independent conceptual level
   in "Generic Security Service Application Program Interface Version 2,
   Update 1" (RFC 2743).  The GSS-API allows a caller application to
   authenticate a principal identity, to delegate rights to a peer, and
   to apply security services such as confidentiality and integrity on a
   per-message basis.  Examples of security mechanisms defined for GSS-
   API are "The Simple Public-Key GSS-API Mechanism" (RFC 2025) and "The
   Kerberos Version 5 Generic Security Service Application Program
   Interface (GSS-API) Mechanism: Version 2" (RFC 4121).

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.



Upadhyay & Malkani          Standards Track                     [Page 1]
^L
RFC 5653                  Java GSS-API Update                August 2009


   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1. Introduction ....................................................6
   2. Conventions and Licenses ........................................7
   3. GSS-API Operational Paradigm ....................................8
   4. Additional Controls .............................................9
      4.1. Delegation ................................................10
      4.2. Mutual Authentication .....................................11
      4.3. Replay and Out-of-Sequence Detection ......................11
      4.4. Anonymous Authentication ..................................12
      4.5. Confidentiality ...........................................13
      4.6. Inter-process Context Transfer ............................13
      4.7. The Use of Incomplete Contexts ............................14
   5. Calling Conventions ............................................15
      5.1. Package Name ..............................................15
      5.2. Provider Framework ........................................15
      5.3. Integer Types .............................................16
      5.4. Opaque Data Types .........................................16
      5.5. Strings ...................................................16
      5.6. Object Identifiers ........................................16
      5.7. Object Identifier Sets ....................................17
      5.8. Credentials ...............................................17
      5.9. Contexts ..................................................19
      5.10. Authentication Tokens ....................................19
      5.11. Inter-Process Tokens .....................................20
      5.12. Error Reporting ..........................................20
           5.12.1. GSS Status Codes ..................................21
           5.12.2. Mechanism-Specific Status Codes ...................23
           5.12.3. Supplementary Status Codes ........................23
      5.13. Names ....................................................24
      5.14. Channel Bindings .........................................26
      5.15. Stream Objects ...........................................27
      5.16. Optional Parameters ......................................28
   6. Introduction to GSS-API Classes and Interfaces .................28
      6.1. GSSManager Class ..........................................28
      6.2. GSSName Interface .........................................29



Upadhyay & Malkani          Standards Track                     [Page 2]
^L
RFC 5653                  Java GSS-API Update                August 2009


      6.3. GSSCredential Interface ...................................30
      6.4. GSSContext Interface ......................................30
      6.5. MessageProp Class .........................................31
      6.6. GSSException Class ........................................32
      6.7. Oid Class .................................................32
      6.8. ChannelBinding Class ......................................32
   7. Detailed GSS-API Class Description .............................33
      7.1. public abstract class GSSManager ..........................33
           7.1.1. Example Code .......................................34
           7.1.2. getInstance ........................................34
           7.1.3. getMechs ...........................................35
           7.1.4. getNamesForMech ....................................35
           7.1.5. getMechsForName ....................................35
           7.1.6. createName .........................................35
           7.1.7. createName .........................................36
           7.1.8. createName .........................................36
           7.1.9. createName .........................................37
           7.1.10. createCredential ..................................38
           7.1.11. createCredential ..................................38
           7.1.12. createCredential ..................................39
           7.1.13. createContext .....................................39
           7.1.14. createContext .....................................40
           7.1.15. createContext .....................................40
           7.1.16. addProviderAtFront ................................41
           7.1.17. Example Code ......................................41
           7.1.18. addProviderAtEnd ..................................42
           7.1.19. Example Code ......................................43
      7.2. public interface GSSName ..................................44
           7.2.1. Example Code .......................................44
           7.2.2. Static Constants ...................................45
           7.2.3. equals .............................................46
           7.2.4. equals .............................................46
           7.2.5. canonicalize .......................................46
           7.2.6. export .............................................47
           7.2.7. toString ...........................................47
           7.2.8. getStringNameType ..................................47
           7.2.9. isAnonymous ........................................47
           7.2.10. isMN ..............................................47
      7.3. public interface GSSCredential implements Cloneable .......47
           7.3.1. Example Code .......................................49
           7.3.2. Static Constants ...................................49
           7.3.3. dispose ............................................50
           7.3.4. getName ............................................50
           7.3.5. getName ............................................50
           7.3.6. getRemainingLifetime ...............................50
           7.3.7. getRemainingInitLifetime ...........................51
           7.3.8. getRemainingAcceptLifetime .........................51
           7.3.9. getUsage ...........................................51



Upadhyay & Malkani          Standards Track                     [Page 3]
^L
RFC 5653                  Java GSS-API Update                August 2009


           7.3.10. getUsage ..........................................51
           7.3.11. getMechs ..........................................52
           7.3.12. add ...............................................52
           7.3.13. equals ............................................53
      7.4. public interface GSSContext ...............................53
           7.4.1. Example Code .......................................54
           7.4.2. Static Constants ...................................56
           7.4.3. initSecContext .....................................56
           7.4.4. Example Code .......................................57
           7.4.5. initSecContext .....................................58
           7.4.6. Example Code .......................................58
           7.4.7. acceptSecContext ...................................59
           7.4.8. Example Code .......................................60
           7.4.9. acceptSecContext ...................................61
           7.4.10. Example Code ......................................61
           7.4.11. isEstablished .....................................62
           7.4.12. dispose ...........................................62
           7.4.13. getWrapSizeLimit ..................................63
           7.4.14. wrap ..............................................63
           7.4.15. wrap ..............................................64
           7.4.16. unwrap ............................................65
           7.4.17. unwrap ............................................66
           7.4.18. getMIC ............................................67
           7.4.19. getMIC ............................................68
           7.4.20. verifyMIC .........................................68
           7.4.21. verifyMIC .........................................69
           7.4.22. export ............................................70
           7.4.23. requestMutualAuth .................................71
           7.4.24. requestReplayDet ..................................71
           7.4.25. requestSequenceDet ................................71
           7.4.26. requestCredDeleg ..................................71
           7.4.27. requestAnonymity ..................................72
           7.4.28. requestConf .......................................72
           7.4.29. requestInteg ......................................72
           7.4.30. requestLifetime ...................................73
           7.4.31. setChannelBinding .................................73
           7.4.32. getCredDelegState .................................73
           7.4.33. getMutualAuthState ................................73
           7.4.34. getReplayDetState .................................74
           7.4.35. getSequenceDetState ...............................74
           7.4.36. getAnonymityState .................................74
           7.4.37. isTransferable ....................................74
           7.4.38. isProtReady .......................................74
           7.4.39. getConfState ......................................75
           7.4.40. getIntegState .....................................75
           7.4.41. getLifetime .......................................75
           7.4.42. getSrcName ........................................75
           7.4.43. getTargName .......................................75



Upadhyay & Malkani          Standards Track                     [Page 4]
^L
RFC 5653                  Java GSS-API Update                August 2009


           7.4.44. getMech ...........................................76
           7.4.45. getDelegCred ......................................76
           7.4.46. isInitiator .......................................76
      7.5. public class MessageProp ..................................76
           7.5.1. Constructors .......................................77
           7.5.2. getQOP .............................................77
           7.5.3. getPrivacy .........................................77
           7.5.4. getMinorStatus .....................................77
           7.5.5. getMinorString .....................................77
           7.5.6. setQOP .............................................78
           7.5.7. setPrivacy .........................................78
           7.5.8. isDuplicateToken ...................................78
           7.5.9. isOldToken .........................................78
           7.5.10. isUnseqToken ......................................78
           7.5.11. isGapToken ........................................78
           7.5.12. setSupplementaryStates ............................79
      7.6. public class ChannelBinding ...............................79
           7.6.1. Constructors .......................................80
           7.6.2. getInitiatorAddress ................................80
           7.6.3. getAcceptorAddress .................................80
           7.6.4. getApplicationData .................................81
           7.6.5. equals .............................................81
      7.7. public class Oid ..........................................81
           7.7.1. Constructors .......................................81
           7.7.2. toString ...........................................82
           7.7.3. equals .............................................82
           7.7.4. getDER .............................................82
           7.7.5. containedIn ........................................83
      7.8. public class GSSException extends Exception ...............83
           7.8.1. Static Constants ...................................83
           7.8.2. Constructors .......................................86
           7.8.3. getMajor ...........................................86
           7.8.4. getMinor ...........................................86
           7.8.5. getMajorString .....................................87
           7.8.6. getMinorString .....................................87
           7.8.7. setMinor ...........................................87
           7.8.8. toString ...........................................87
           7.8.9. getMessage .........................................87
   8. Sample Applications ............................................88
      8.1. Simple GSS Context Initiator ..............................88
      8.2. Simple GSS Context Acceptor ...............................92
   9. Security Considerations ........................................96
   10. Acknowledgments ...............................................96
   11. Changes since RFC 2853 ........................................97
   12. References ....................................................98
      12.1. Normative References .....................................98
      12.2. Informative References ...................................98




Upadhyay & Malkani          Standards Track                     [Page 5]
^L
RFC 5653                  Java GSS-API Update                August 2009


1.  Introduction

   This document specifies Java language bindings for the Generic
   Security Services Application Programming Interface version 2 (GSS-
   API).  GSS-API version 2 is described in a language-independent
   format in RFC 2743 [GSSAPIv2-UPDATE].  The GSS-API allows a caller
   application to authenticate a principal identity, to delegate rights
   to a peer, and to apply security services such as confidentiality and
   integrity on a per-message basis.

   This document and its predecessor, RFC 2853 [RFC2853], leverage the
   work done by the working group (WG) in the area of RFC 2743
   [GSSAPIv2-UPDATE] and the C-bindings of RFC 2744 [GSSAPI-Cbind].
   Whenever appropriate, text has been used from the C-bindings document
   (RFC 2744) to explain generic concepts and provide direction to the
   implementors.

   The design goals of this API have been to satisfy all the
   functionality defined in RFC 2743 [GSSAPIv2-UPDATE] and to provide
   these services in an object-oriented method.  The specification also
   aims to satisfy the needs of both types of Java application
   developers, those who would like access to a "system-wide" GSS-API
   implementation, as well as those who would want to provide their own
   "custom" implementation.

   A system-wide implementation is one that is available to all
   applications in the form of a library package.  It may be the
   standard package in the Java runtime environment (JRE) being used or
   it may be additionally installed and accessible to any application
   via the CLASSPATH.

   A custom implementation of the GSS-API, on the other hand, is one
   that would, in most cases, be bundled with the application during
   distribution.  It is expected that such an implementation would be
   meant to provide for some particular need of the application, such as
   support for some specific mechanism.

   The design of this API also aims to provide a flexible framework to
   add and manage GSS-API mechanisms.  GSS-API leverages the Java
   Cryptography Architecture (JCA) provider model to support the
   plugability of mechanisms.  Mechanisms can be added on a system-wide
   basis, where all users of the framework will have them available.
   The specification also allows for the addition of mechanisms per-
   instance of the GSS-API.

   Lastly, this specification presents an API that will naturally fit
   within the operation environment of the Java platform.  Readers are
   assumed to be familiar with both the GSS-API and the Java platform.



Upadhyay & Malkani          Standards Track                     [Page 6]
^L
RFC 5653                  Java GSS-API Update                August 2009


2.  Conventions and Licenses

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The following license applies to all code segments included in this
   specification.  If code is extracted from this specification, please
   include the following text in the code:

/*
--   Copyright (c) 2009 IETF Trust and the persons identified as
--   authors of the code.  All rights reserved.
--
--   Redistribution and use in source and binary forms, with or without
--   modification, are permitted provided that the following conditions
--   are met:
--
--   - Redistributions of source code must retain the above copyright
--     notice, this list of conditions and the following disclaimer.
--
--   - Redistributions in binary form must reproduce the above copyright
--     notice, this list of conditions and the following disclaimer in
--     the documentation and/or other materials provided with the
--     distribution.
--
--   - Neither the name of Internet Society, IETF or IETF Trust, nor the
--     names of specific contributors, may be used to endorse or promote
--     products derived from this software without specific prior
--     written permission.
--
--   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
--   CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES,
--   INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
--   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--   DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
--   BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
--   EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
--   TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
--   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
--   ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
--   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
--   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
--   POSSIBILITY OF SUCH DAMAGE.
--
--   This code is part of RFC 5653; see the RFC itself for full legal
--   notices.
*/



Upadhyay & Malkani          Standards Track                     [Page 7]
^L
RFC 5653                  Java GSS-API Update                August 2009


3.  GSS-API Operational Paradigm

   "Generic Security Service Application Programming Interface, Version
   2" [GSSAPIv2-UPDATE] defines a generic security API to calling
   applications.  It allows a communicating application to authenticate
   the user associated with another application, to delegate rights to
   another application, and to apply security services such as
   confidentiality and integrity on a per-message basis.

   There are four stages to using GSS-API:

   1) The application acquires a set of credentials with which it may
      prove its identity to other processes.  The application's
      credentials vouch for its global identity, which may or may not be
      related to any local username under which it may be running.

   2) A pair of communicating applications establish a joint security
      context using their credentials.  The security context
      encapsulates shared state information, which is required in order
      that per-message security services may be provided.  Examples of
      state information that might be shared between applications as
      part of a security context are cryptographic keys and message
      sequence numbers.  As part of the establishment of a security
      context, the context initiator is authenticated to the responder,
      and may require that the responder is authenticated back to the
      initiator.  The initiator may optionally give the responder the
      right to initiate further security contexts, acting as an agent or
      delegate of the initiator.  This transfer of rights is termed
      "delegation", and is achieved by creating a set of credentials,
      similar to those used by the initiating application, but which may
      be used by the responder.

      A GSSContext object is used to establish and maintain the shared
      information that makes up the security context.  Certain
      GSSContext methods will generate a token, which applications treat
      as cryptographically protected, opaque data.  The caller of such a
      GSSContext method is responsible for transferring the token to the
      peer application, encapsulated if necessary in an application-to-
      application protocol.  On receipt of such a token, the peer
      application should pass it to a corresponding GSSContext method
      which will decode the token and extract the information, updating
      the security context state information accordingly.









Upadhyay & Malkani          Standards Track                     [Page 8]
^L
RFC 5653                  Java GSS-API Update                August 2009


   3) Per-message services are invoked on a GSSContext object to apply
      either:

      integrity and data origin authentication, or

      confidentiality, integrity and data origin authentication

      to application data, which are treated by GSS-API as arbitrary
      octet-strings.  An application transmitting a message that it
      wishes to protect will call the appropriate GSSContext method
      (getMIC or wrap) to apply protection, and send the resulting token
      to the receiving application.  The receiver will pass the received
      token (and, in the case of data protected by getMIC, the
      accompanying message-data) to the corresponding decoding method of
      the GSSContext interface (verifyMIC or unwrap) to remove the
      protection and validate the data.

   4) At the completion of a communications session (which may extend
      across several transport connections), each application uses a
      GSSContext method to invalidate the security context and release
      any system or cryptographic resources held.  Multiple contexts may
      also be used (either successively or simultaneously) within a
      single communications association, at the discretion of the
      applications.

4.  Additional Controls

   This section discusses the optional services that a context initiator
   may request of the GSS-API before the context establishment.  Each of
   these services is requested by calling the appropriate mutator method
   in the GSSContext object before the first call to init is performed.
   Only the context initiator can request context flags.

   The optional services defined are:

      Delegation: The (usually temporary) transfer of rights from
      initiator to acceptor, enabling the acceptor to authenticate
      itself as an agent of the initiator.

      Mutual Authentication: In addition to the initiator authenticating
      its identity to the context acceptor, the context acceptor should
      also authenticate itself to the initiator.

      Replay Detection: In addition to providing message integrity
      services, GSSContext per-message operations of getMIC and wrap
      should include message numbering information to enable verifyMIC
      and unwrap to detect if a message has been duplicated.




Upadhyay & Malkani          Standards Track                     [Page 9]
^L
RFC 5653                  Java GSS-API Update                August 2009


      Out-of-Sequence Detection: In addition to providing message
      integrity services, GSSContext per-message operations (getMIC and
      wrap) should include message sequencing information to enable
      verifyMIC and unwrap to detect if a message has been received out
      of sequence.

      Anonymous Authentication: The establishment of the security
      context should not reveal the initiator's identity to the context
      acceptor.

   Some mechanisms may not support all optional services, and some
   mechanisms may only support some services in conjunction with others.
   The GSSContext interface offers query methods to allow the
   verification by the calling application of which services will be
   available from the context when the establishment phase is complete.
   In general, if the security mechanism is capable of providing a
   requested service, it should do so even if additional services must
   be enabled in order to provide the requested service.  If the
   mechanism is incapable of providing a requested service, it should
   proceed without the service leaving the application to abort the
   context establishment process if it considers the requested service
   to be mandatory.

   Some mechanisms may specify that support for some services is
   optional, and that implementors of the mechanism need not provide it.
   This is most commonly true of the confidentiality service, often
   because of legal restrictions on the use of data-encryption, but may
   apply to any of the services.  Such mechanisms are required to send
   at least one token from acceptor to initiator during context
   establishment when the initiator indicates a desire to use such a
   service, so that the initiating GSS-API can correctly indicate
   whether the service is supported by the acceptor's GSS-API.

4.1.  Delegation

   The GSS-API allows delegation to be controlled by the initiating
   application via the requestCredDeleg method before the first call to
   init has been issued.  Some mechanisms do not support delegation, and
   for such mechanisms, attempts by an application to enable delegation
   are ignored.

   The acceptor of a security context, for which the initiator enabled
   delegation, can check if delegation was enabled by using the
   getCredDelegState method of the GSSContext interface.  In cases when
   it is enabled, the delegated credential object can be obtained by
   calling the getDelegCred method.  The obtained GSSCredential object
   may then be used to initiate subsequent GSS-API security contexts as
   an agent or delegate of the initiator.  If the original initiator's



Upadhyay & Malkani          Standards Track                    [Page 10]
^L
RFC 5653                  Java GSS-API Update                August 2009


   identity is "A" and the delegate's identity is "B", then, depending
   on the underlying mechanism, the identity embodied by the delegated
   credential may be either "A" or "B acting for A".

   For many mechanisms that support delegation, a simple boolean does
   not provide enough control.  Examples of additional aspects of
   delegation control that a mechanism might provide to an application
   are duration of delegation, network addresses from which delegation
   is valid, and constraints on the tasks that may be performed by a
   delegate.  Such controls are presently outside the scope of the GSS-
   API.  GSS-API implementations supporting mechanisms offering
   additional controls should provide extension routines that allow
   these controls to be exercised (perhaps by modifying the initiator's
   GSS-API credential object prior to its use in establishing a
   context).  However, the simple delegation control provided by GSS-API
   should always be able to override other mechanism-specific delegation
   controls.  If the application instructs the GSSContext object that
   delegation is not desired, then the implementation must not permit
   delegation to occur.  This is an exception to the general rule that a
   mechanism may enable services even if they are not requested --
   delegation may only be provided at the explicit request of the
   application.

4.2.  Mutual Authentication

   Usually, a context acceptor will require that a context initiator
   authenticate itself so that the acceptor may make an access-control
   decision prior to performing a service for the initiator.  In some
   cases, the initiator may also request that the acceptor authenticate
   itself.  GSS-API allows the initiating application to request this
   mutual authentication service by calling the requestMutualAuth method
   of the GSSContext interface with a "true" parameter before making the
   first call to init.  The initiating application is informed as to
   whether or not the context acceptor has authenticated itself.  Note
   that some mechanisms may not support mutual authentication, and other
   mechanisms may always perform mutual authentication, whether or not
   the initiating application requests it.  In particular, mutual
   authentication may be required by some mechanisms in order to support
   replay or out-of-sequence message detection, and for such mechanisms,
   a request for either of these services will automatically enable
   mutual authentication.

4.3.  Replay and Out-of-Sequence Detection

   The GSS-API may provide detection of mis-ordered messages once a
   security context has been established.  Protection may be applied to
   messages by either application, by calling either getMIC or wrap




Upadhyay & Malkani          Standards Track                    [Page 11]
^L
RFC 5653                  Java GSS-API Update                August 2009


   methods of the GSSContext interface, and verified by the peer
   application by calling verifyMIC or unwrap for the peer's GSSContext
   object.

   The getMIC method calculates a cryptographic checksum of an
   application message, and returns that checksum in a token.  The
   application should pass both the token and the message to the peer
   application, which presents them to the verifyMIC method of the
   peer's GSSContext object.

   The wrap method calculates a cryptographic checksum of an application
   message, and places both the checksum and the message inside a single
   token.  The application should pass the token to the peer
   application, which presents it to the unwrap method of the peer's
   GSSContext object to extract the message and verify the checksum.

   Either pair of routines may be capable of detecting out-of-sequence
   message delivery or the duplication of messages.  Details of such
   mis-ordered messages are indicated through supplementary query
   methods of the MessageProp object that is filled in by each of these
   routines.

   A mechanism need not maintain a list of all tokens that have been
   processed in order to support these status codes.  A typical
   mechanism might retain information about only the most recent "N"
   tokens processed, allowing it to distinguish duplicates and missing
   tokens within the most recent "N" messages; the receipt of a token
   older than the most recent "N" would result in the isOldToken method
   of the instance of MessageProp to return "true".

4.4.  Anonymous Authentication

   In certain situations, an application may wish to initiate the
   authentication process to authenticate a peer, without revealing its
   own identity.  As an example, consider an application providing
   access to a database containing medical information and offering
   unrestricted access to the service.  A client of such a service might
   wish to authenticate the service (in order to establish trust in any
   information retrieved from it), but might not wish the service to be
   able to obtain the client's identity (perhaps due to privacy concerns
   about the specific inquiries, or perhaps simply to avoid being placed
   on mailing-lists).

   In normal use of the GSS-API, the initiator's identity is made
   available to the acceptor as a result of the context establishment
   process.  However, context initiators may request that their identity
   not be revealed to the context acceptor.  Many mechanisms do not
   support anonymous authentication, and for such mechanisms, the



Upadhyay & Malkani          Standards Track                    [Page 12]
^L
RFC 5653                  Java GSS-API Update                August 2009


   request will not be honored.  An authentication token will still be
   generated, but the application is always informed if a requested
   service is unavailable, and has the option to abort context
   establishment if anonymity is valued above the other security
   services that would require a context to be established.

   In addition to informing the application that a context is
   established anonymously (via the isAnonymous method of the GSSContext
   class), the getSrcName method of the acceptor's GSSContext object
   will, for such contexts, return a reserved internal-form name,
   defined by the implementation.

   The toString method for a GSSName object representing an anonymous
   entity will return a printable name.  The returned value will be
   syntactically distinguishable from any valid principal name supported
   by the implementation.  The associated name-type object identifier
   will be an oid representing the value of NT_ANONYMOUS.  This name-
   type oid will be defined as a public, static Oid object of the
   GSSName class.  The printable form of an anonymous name should be
   chosen such that it implies anonymity, since this name may appear in,
   for example, audit logs.  For example, the string "<anonymous>" might
   be a good choice, if no valid printable names supported by the
   implementation can begin with "<" and end with ">".

   When using the equal method of the GSSName interface, and one of the
   operands is a GSSName instance representing an anonymous entity, the
   method must return "false".

4.5.  Confidentiality

   If a GSSContext supports the confidentiality service, wrap method may
   be used to encrypt application messages.  Messages are selectively
   encrypted, under the control of the setPrivacy method of the
   MessageProp object used in the wrap method.

4.6.  Inter-process Context Transfer

   GSS-APIv2 provides functionality that allows a security context to be
   transferred between processes on a single machine.  These are
   implemented using the export method of GSSContext and a byte array
   constructor of the same class.  The most common use for such a
   feature is a client-server design where the server is implemented as
   a single process that accepts incoming security contexts, which then
   launches child processes to deal with the data on these contexts.  In
   such a design, the child processes must have access to the security
   context object created within the parent so that they can use per-
   message protection services and delete the security context when the
   communication session ends.



Upadhyay & Malkani          Standards Track                    [Page 13]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Since the security context data structure is expected to contain
   sequencing information, it is impractical in general to share a
   context between processes.  Thus, the GSSContext interface provides
   an export method that the process, which currently owns the context,
   can call to declare that it has no intention to use the context
   subsequently, and to create an inter-process token containing
   information needed by the adopting process to successfully recreate
   the context.  After successful completion of export, the original
   security context is made inaccessible to the calling process by GSS-
   API, and any further usage of this object will result in failures.
   The originating process transfers the inter-process token to the
   adopting process, which creates a new GSSContext object using the
   byte array constructor.  The properties of the context are equivalent
   to that of the original context.

   The inter-process token may contain sensitive data from the original
   security context (including cryptographic keys).  Applications using
   inter-process tokens to transfer security contexts must take
   appropriate steps to protect these tokens in transit.

   Implementations are not required to support the inter-process
   transfer of security contexts.  Calling the isTransferable method of
   the GSSContext interface will indicate if the context object is
   transferable.

4.7.  The Use of Incomplete Contexts

   Some mechanisms may allow the per-message services to be used before
   the context establishment process is complete.  For example, a
   mechanism may include sufficient information in its initial context-
   level tokens for the context acceptor to immediately decode messages
   protected with wrap or getMIC.  For such a mechanism, the initiating
   application need not wait until subsequent context-level tokens have
   been sent and received before invoking the per-message protection
   services.

   An application can invoke the isProtReady method of the GSSContext
   class to determine if the per-message services are available in
   advance of complete context establishment.  Applications wishing to
   use per-message protection services on partially established contexts
   should query this method before attempting to invoke wrap or getMIC.










Upadhyay & Malkani          Standards Track                    [Page 14]
^L
RFC 5653                  Java GSS-API Update                August 2009


5.  Calling Conventions

   Java provides the implementors with not just a syntax for the
   language, but also an operational environment.  For example, memory
   is automatically managed and does not require application
   intervention.  These language features have allowed for a simpler API
   and have led to the elimination of certain GSS-API functions.

   Moreover, the JCA defines a provider model that allows for
   implementation-independent access to security services.  Using this
   model, applications can seamlessly switch between different
   implementations and dynamically add new services.  The GSS-API
   specification leverages these concepts by the usage of providers for
   the mechanism implementations.

5.1.  Package Name

   The classes and interfaces defined in this document reside in the
   package called "org.ietf.jgss".  Applications that wish to make use
   of this API should import this package name as shown in section 8.

5.2.  Provider Framework

   The Java security API's use a provider architecture that allows
   applications to be implementation independent and security API
   implementations to be modular and extensible.  The
   java.security.Provider class is an abstract class that a vendor
   extends.  This class maps various properties that represent different
   security services that are available to the names of the actual
   vendor classes that implement those services.  When requesting a
   service, an application simply specifies the desired provider and the
   API delegates the request to service classes available from that
   provider.

   Using the Java security provider model insulates applications from
   implementation details of the services they wish to use.
   Applications can switch between providers easily and new providers
   can be added as needed, even at runtime.

   The GSS-API may use providers to find components for specific
   underlying security mechanisms.  For instance, a particular provider
   might contain components that will allow the GSS-API to support the
   Kerberos v5 mechanism [RFC4121] and another might contain components
   to support the Simple Public-Key GSS-API Mechanism (SPKM) [RFC2025].
   By delegating mechanism-specific functionality to the components
   obtained from providers, the GSS-API can be extended to support an
   arbitrary list of mechanism.




Upadhyay & Malkani          Standards Track                    [Page 15]
^L
RFC 5653                  Java GSS-API Update                August 2009


   How the GSS-API locates and queries these providers is beyond the
   scope of this document and is being deferred to a Service Provider
   Interface (SPI) specification.  The availability of such an SPI
   specification is not mandatory for the adoption of this API
   specification nor is it mandatory to use providers in the
   implementation of a GSS-API framework.  However, by using the
   provider framework together with an SPI specification, one can create
   an extensible and implementation-independent GSS-API framework.

5.3.  Integer Types

   All numeric values are declared as "int" primitive Java type.  The
   Java specification guarantees that this will be a 32-bit two's
   complement signed number.

   Throughout this API, the "boolean" primitive Java type is used
   wherever a boolean value is required or returned.

5.4.  Opaque Data Types

   Java byte arrays are used to represent opaque data types that are
   consumed and produced by the GSS-API in the form of tokens.  Java
   arrays contain a length field that enables the users to easily
   determine their size.  The language has automatic garbage collection
   that alleviates the need by developers to release memory and
   simplifies buffer ownership issues.

5.5.  Strings

   The String object will be used to represent all textual data.  The
   Java String object transparently treats all characters as two-byte
   Unicode characters, which allows support for many locals.  All
   routines returning or accepting textual data will use the String
   object.

5.6.  Object Identifiers

   An Oid object will be used to represent Universal Object Identifiers
   (Oids).  Oids are ISO-defined, hierarchically globally interpretable
   identifiers used within the GSS-API framework to identify security
   mechanisms and name formats.  The Oid object can be created from a
   string representation of its dot notation (e.g., "1.3.6.1.5.6.2") as
   well as from its ASN.1 DER encoding.  Methods are also provided to
   test equality and provide the DER representation for the object.







Upadhyay & Malkani          Standards Track                    [Page 16]
^L
RFC 5653                  Java GSS-API Update                August 2009


   An important feature of the Oid class is that its instances are
   immutable -- i.e., there are no methods defined that allow one to
   change the contents of an Oid.  This property allows one to treat
   these objects as "statics" without the need to perform copies.

   Certain routines allow the usage of a default oid.  A "null" value
   can be used in those cases.

5.7.  Object Identifier Sets

   The Java bindings represent object identifier sets as arrays of Oid
   objects.  All Java arrays contain a length field, which allows for
   easy manipulation and reference.

   In order to support the full functionality of RFC 2743 [GSSAPIv2-
   UPDATE], the Oid class includes a method that checks for existence of
   an Oid object within a specified array.  This is equivalent in
   functionality to gss_test_oid_set_member.  The use of Java arrays and
   Java's automatic garbage collection has eliminated the need for the
   following routines: gss_create_empty_oid_set, gss_release_oid_set,
   and gss_add_oid_set_member.  Java GSS-API implementations will not
   contain them.  Java's automatic garbage collection and the immutable
   property of the Oid object eliminates the memory management issues of
   the C counterpart.

   Whenever a default value for an Object Identifier Set is required, a
   "null" value can be used.  Please consult the detailed method
   description for details.

5.8.  Credentials

   GSS-API credentials are represented by the GSSCredential interface.
   The interface contains several constructs to allow for the creation
   of most common credential objects for the initiator and the acceptor.
   Comparisons are performed using the interface's "equals" method.  The
   following general description of GSS-API credentials is included from
   the C-bindings specification:

      GSS-API credentials can contain mechanism-specific principal
      authentication data for multiple mechanisms.  A GSS-API credential
      is composed of a set of credential-elements, each of which is
      applicable to a single mechanism.  A credential may contain at
      most one credential-element for each supported mechanism.  A
      credential-element identifies the data needed by a single
      mechanism to authenticate a single principal, and conceptually
      contains two credential-references that describe the actual
      mechanism-specific authentication data, one to be used by GSS-API
      for initiating contexts, and one to be used for accepting



Upadhyay & Malkani          Standards Track                    [Page 17]
^L
RFC 5653                  Java GSS-API Update                August 2009


      contexts.  For mechanisms that do not distinguish between acceptor
      and initiator credentials, both references would point to the same
      underlying mechanism-specific authentication data.

   Credentials describe a set of mechanism-specific principals, and give
   their holder the ability to act as any of those principals.  All
   principal identities asserted by a single GSS-API credential should
   belong to the same entity, although enforcement of this property is
   an implementation-specific matter.  A single GSSCredential object
   represents all the credential elements that have been acquired.

   The creation of an GSSContext object allows the value of "null" to be
   specified as the GSSCredential input parameter.  This will indicate a
   desire by the application to act as a default principal.  While
   individual GSS-API implementations are free to determine such default
   behavior as appropriate to the mechanism, the following default
   behavior by these routines is recommended for portability:

   For the initiator side of the context:

   1) If there is only a single principal capable of initiating security
      contexts for the chosen mechanism that the application is
      authorized to act on behalf of, then that principal shall be used;
      otherwise,

   2) If the platform maintains a concept of a default network-identity
      for the chosen mechanism, and if the application is authorized to
      act on behalf of that identity for the purpose of initiating
      security contexts, then the principal corresponding to that
      identity shall be used; otherwise,

   3) If the platform maintains a concept of a default local identity,
      and provides a means to map local identities into network-
      identities for the chosen mechanism, and if the application is
      authorized to act on behalf of the network-identity image of the
      default local identity for the purpose of initiating security
      contexts using the chosen mechanism, then the principal
      corresponding to that identity shall be used; otherwise,

   4) A user-configurable default identity should be used.

   For the acceptor side of the context:

   1) If there is only a single authorized principal identity capable of
      accepting security contexts for the chosen mechanism, then that
      principal shall be used; otherwise,





Upadhyay & Malkani          Standards Track                    [Page 18]
^L
RFC 5653                  Java GSS-API Update                August 2009


   2) If the mechanism can determine the identity of the target
      principal by examining the context-establishment token processed
      during the accept method, and if the accepting application is
      authorized to act as that principal for the purpose of accepting
      security contexts using the chosen mechanism, then that principal
      identity shall be used; otherwise,

   3) If the mechanism supports context acceptance by any principal, and
      if mutual authentication was not requested, any principal that the
      application is authorized to accept security contexts under using
      the chosen mechanism may be used; otherwise,

   4) A user-configurable default identity shall be used.

   The purpose of the above rules is to allow security contexts to be
   established by both initiator and acceptor using the default behavior
   whenever possible.  Applications requesting default behavior are
   likely to be more portable across mechanisms and implementations than
   ones that instantiate an GSSCredential object representing a specific
   identity.

5.9.  Contexts

   The GSSContext interface is used to represent one end of a GSS-API
   security context, storing state information appropriate to that end
   of the peer communication, including cryptographic state information.
   The instantiation of the context object is done differently by the
   initiator and the acceptor.  After the context has been instantiated,
   the initiator may choose to set various context options that will
   determine the characteristics of the desired security context.  When
   all the application-desired characteristics have been set, the
   initiator will call the initSecContext method, which will produce a
   token for consumption by the peer's acceptSecContext method.  It is
   the responsibility of the application to deliver the authentication
   token(s) between the peer applications for processing.  Upon
   completion of the context-establishment phase, context attributes can
   be retrieved, by both the initiator and acceptor, using the accessor
   methods.  These will reflect the actual attributes of the established
   context.  At this point, the context can be used by the application
   to apply cryptographic services to its data.

5.10.  Authentication Tokens

   A token is a caller-opaque type that GSS-API uses to maintain
   synchronization between each end of the GSS-API security context.
   The token is a cryptographically protected octet-string, generated by





Upadhyay & Malkani          Standards Track                    [Page 19]
^L
RFC 5653                  Java GSS-API Update                August 2009


   the underlying mechanism at one end of a GSS-API security context for
   use by the peer mechanism at the other end.  Encapsulation (if
   required) within the application protocol and transfer of the token
   are the responsibility of the peer applications.

   Java GSS-API uses byte arrays to represent authentication tokens.
   Overloaded methods exist that allow the caller to supply input and
   output streams that will be used for the reading and writing of the
   token data.

5.11.  Inter-Process Tokens

   Certain GSS-API routines are intended to transfer data between
   processes in multi-process programs.  These routines use a caller-
   opaque octet-string, generated by the GSS-API in one process for use
   by the GSS-API in another process.  The calling application is
   responsible for transferring such tokens between processes.  Note
   that, while GSS-API implementors are encouraged to avoid placing
   sensitive information within inter-process tokens, or to
   cryptographically protect them, many implementations will be unable
   to avoid placing key material or other sensitive data within them.
   It is the application's responsibility to ensure that inter-process
   tokens are protected in transit, and transferred only to processes
   that are trustworthy.  An inter-process token is represented using a
   byte array emitted from the export method of the GSSContext
   interface.  The receiver of the inter-process token would initialize
   an GSSContext object with this token to create a new context.  Once a
   context has been exported, the GSSContext object is invalidated and
   is no longer available.

5.12.  Error Reporting

   RFC 2743 [GSSAPIv2-UPDATE] defined the usage of major and minor
   status values for the signaling of GSS-API errors.  The major code,
   also called GSS status code, is used to signal errors at the GSS-API
   level, independent of the underlying mechanism(s).  The minor status
   value or Mechanism status code, is a mechanism-defined error value
   indicating a mechanism-specific error code.

   Java GSS-API uses exceptions implemented by the GSSException class to
   signal both minor and major error values.  Both mechanism-specific
   errors and GSS-API level errors are signaled through instances of
   this class.  The usage of exceptions replaces the need for major and
   minor codes to be used within the API calls.  The GSSException class
   also contains methods to obtain textual representations for both the
   major and minor values, which is equivalent to the functionality of
   gss_display_status.




Upadhyay & Malkani          Standards Track                    [Page 20]
^L
RFC 5653                  Java GSS-API Update                August 2009


5.12.1.  GSS Status Codes

   GSS status codes indicate errors that are independent of the
   underlying mechanism(s) used to provide the security service.  The
   errors that can be indicated via a GSS status code are generic API
   routine errors (errors that are defined in the GSS-API
   specification).  These bindings take advantage of the Java exceptions
   mechanism, thus, eliminating the need for calling errors.

   A GSS status code indicates a single fatal generic API error from the
   routine that has thrown the GSSException.  Using exceptions announces
   that a fatal error has occurred during the execution of the method.
   The GSS-API operational model also allows for the signaling of
   supplementary status information from the per-message calls.  These
   need to be handled as return values since using exceptions is not
   appropriate for informatory or warning-like information.  The methods
   that are capable of producing supplementary information are the two
   per-message methods GSSContext.verifyMIC() and GSSContext.unwrap().
   These methods fill the supplementary status codes in the MessageProp
   object that was passed in.

   A GSSException object, along with providing the functionality for
   setting of the various error codes and translating them into textual
   representation, also contains the definitions of all the numeric
   error values.  The following table lists the definitions of error
   codes:

      Table: GSS Status Codes

      Name                   Value   Meaning

      BAD_BINDINGS             1     Incorrect channel bindings were
                                     supplied.

      BAD_MECH                 2     An unsupported mechanism
                                     was requested.

      BAD_NAME                 3     An invalid name was supplied.

      BAD_NAMETYPE             4     A supplied name was of an
                                     unsupported type.

      BAD_STATUS               5     An invalid status code was
                                     supplied.

      BAD_MIC                  6     A token had an invalid MIC.

      CONTEXT_EXPIRED          7     The context has expired.



Upadhyay & Malkani          Standards Track                    [Page 21]
^L
RFC 5653                  Java GSS-API Update                August 2009


      CREDENTIALS_EXPIRED      8     The referenced credentials
                                     have expired.

      DEFECTIVE_CREDENTIAL     9     A supplied credential was
                                     invalid.

      DEFECTIVE_TOKEN         10     A supplied token was invalid.

      FAILURE                 11     Miscellaneous failure,
                                     unspecified at the GSS-API
                                     level.

      NO_CONTEXT              12     Invalid context has been
                                     supplied.

      NO_CRED                 13     No credentials were supplied, or
                                     the credentials were unavailable
                                     or inaccessible.

      BAD_QOP                 14     The quality-of-protection (QOP)
                                     requested could not be provided.

      UNAUTHORIZED            15     The operation is forbidden by
                                     the local security policy.

      UNAVAILABLE             16     The operation or option is
                                     unavailable.

      DUPLICATE_ELEMENT       17     The requested credential
                                     element already exists.

      NAME_NOT_MN             18     The provided name was not a
                                     mechanism name.

      The following four status codes (DUPLICATE_TOKEN, OLD_TOKEN,
      UNSEQ_TOKEN, and GAP_TOKEN) are contained in a GSSException
      only if detected during context establishment, in which case it
      is a fatal error. (During per-message calls, these values are
      indicated as supplementary information contained in the
      MessageProp object.) They are:

      DUPLICATE_TOKEN         19     The token was a duplicate of an
                                     earlier version.


      OLD_TOKEN               20     The token's validity period has
                                     expired.




Upadhyay & Malkani          Standards Track                    [Page 22]
^L
RFC 5653                  Java GSS-API Update                August 2009


      UNSEQ_TOKEN             21     A later token has already been
                                     processed.

      GAP_TOKEN               22     The expected token was not
                                     received.

   The GSS major status code of FAILURE is used to indicate that the
   underlying mechanism detected an error for which no specific GSS
   status code is defined.  The mechanism-specific status code can
   provide more details about the error.

   The different major status codes that can be contained in the
   GSSException object thrown by the methods in this specification are
   the same as the major status codes returned by the corresponding
   calls in RFC 2743 [GSSAPIv2-UPDATE].

5.12.2.  Mechanism-Specific Status Codes

   Mechanism-specific status codes are communicated in two ways, they
   are part of any GSSException thrown from the mechanism-specific layer
   to signal a fatal error, or they are part of the MessageProp object
   that the per-message calls use to signal non-fatal errors.

   A default value of 0 in either the GSSException object or the
   MessageProp object will be used to represent the absence of any
   mechanism-specific status code.

5.12.3.  Supplementary Status Codes

   Supplementary status codes are confined to the per-message methods of
   the GSSContext interface.  Because of the informative nature of these
   errors it is not appropriate to use exceptions to signal them.
   Instead, the per-message operations of the GSSContext interface
   return these values in a MessageProp object.

   The MessageProp class defines query methods that return boolean
   values indicating the following supplementary states:

      Table: Supplementary Status Methods

      Method Name        Meaning when "true" is returned

      isDuplicateToken   The token was a duplicate of an
                         earlier token.

      isOldToken         The token's validity period has
                         expired.




Upadhyay & Malkani          Standards Track                    [Page 23]
^L
RFC 5653                  Java GSS-API Update                August 2009


      isUnseqToken       A later token has already been
                         processed.

      isGapToken         An expected per-message token was
                         not received.

   A "true" return value for any of the above methods indicates that the
   token exhibited the specified property.  The application must
   determine the appropriate course of action for these supplementary
   values.  They are not treated as errors by the GSS-API.

5.13.  Names

   A name is used to identify a person or entity.  GSS-API authenticates
   the relationship between a name and the entity claiming the name.

   Since different authentication mechanisms may employ different
   namespaces for identifying their principals, GSS-API's naming support
   is necessarily complex in multi-mechanism environments (or even in
   some single-mechanism environments where the underlying mechanism
   supports multiple namespaces).

   Two distinct conceptual representations are defined for names:

   1) A GSS-API form represented by implementations of the GSSName
      interface: A single GSSName object may contain multiple names from
      different namespaces, but all names should refer to the same
      entity.  An example of such an internal name would be the name
      returned from a call to the getName method of the GSSCredential
      interface, when applied to a credential containing credential
      elements for multiple authentication mechanisms employing
      different namespaces.  This GSSName object will contain a distinct
      name for the entity for each authentication mechanism.

      For GSS-API implementations supporting multiple namespaces,
      GSSName implementations must contain sufficient information to
      determine the namespace to which each primitive name belongs.

   2) Mechanism-specific contiguous byte array and string forms:
      Different GSSName initialization methods are provided to handle
      both byte array and string formats and to accommodate various
      calling applications and name types.  These formats are capable of
      containing only a single name (from a single namespace).
      Contiguous string names are always accompanied by an object
      identifier specifying the namespace to which the name belongs, and
      their format is dependent on the authentication mechanism that
      employs that name.  The string name forms are assumed to be
      printable, and may therefore be used by GSS-API applications for



Upadhyay & Malkani          Standards Track                    [Page 24]
^L
RFC 5653                  Java GSS-API Update                August 2009


      communication with their users.  The byte array name formats are
      assumed to be in non-printable formats (e.g., the byte array
      returned from the export method of the GSSName interface).

   A GSSName object can be converted to a contiguous representation by
   using the toString method.  This will guarantee that the name will be
   converted to a printable format.  Different initialization methods in
   the GSSName interface are defined allowing support for multiple
   syntaxes for each supported namespace, and allowing users the freedom
   to choose a preferred name representation.  The toString method
   should use an implementation-chosen printable syntax for each
   supported name type.  To obtain the printable name type,
   getStringNameType method can be used.

   There is no guarantee that calling the toString method on the GSSName
   interface will produce the same string form as the original imported
   string name.  Furthermore, it is possible that the name was not even
   constructed from a string representation.  The same applies to
   namespace identifiers, which may not necessarily survive unchanged
   after a journey through the internal name form.  An example of this
   might be a mechanism that authenticates X.500 names, but provides an
   algorithmic mapping of Internet DNS names into X.500.  That
   mechanism's implementation of GSSName might, when presented with a
   DNS name, generate an internal name that contained both the original
   DNS name and the equivalent X.500 name.  Alternatively, it might only
   store the X.500 name.  In the latter case, the toString method of
   GSSName would most likely generate a printable X.500 name, rather
   than the original DNS name.

   The context acceptor can obtain a GSSName object representing the
   entity performing the context initiation (through the usage of
   getSrcName method).  Since this name has been authenticated by a
   single mechanism, it contains only a single name (even if the
   internal name presented by the context initiator to the GSSContext
   object had multiple components).  Such names are termed internal-
   mechanism names (or MNs), and the names emitted by GSSContext
   interface in the getSrcName and getTargName are always of this type.
   Since some applications may require MNs without wanting to incur the
   overhead of an authentication operation, creation methods are
   provided that take not only the name buffer and name type, but also
   the mechanism oid for which this name should be created.  When
   dealing with an existing GSSName object, the canonicalize method may
   be invoked to convert a general internal name into an MN.

   GSSName objects can be compared using their equal method, which
   returns "true" if the two names being compared refer to the same
   entity.  This is the preferred way to perform name comparisons
   instead of using the printable names that a given GSS-API



Upadhyay & Malkani          Standards Track                    [Page 25]
^L
RFC 5653                  Java GSS-API Update                August 2009


   implementation may support.  Since GSS-API assumes that all primitive
   names contained within a given internal name refer to the same
   entity, equal can return "true" if the two names have at least one
   primitive name in common.  If the implementation embodies knowledge
   of equivalence relationships between names taken from different
   namespaces, this knowledge may also allow successful comparisons of
   internal names containing no overlapping primitive elements.

   When used in large access control lists, the overhead of creating a
   GSSName object on each name and invoking the equal method on each
   name from the Access Control List (ACL) may be prohibitive.  As an
   alternative way of supporting this case, GSS-API defines a special
   form of the contiguous byte array name, which may be compared
   directly (byte by byte).  Contiguous names suitable for comparison
   are generated by the export method.  Exported names may be re-
   imported by using the byte array constructor and specifying the
   NT_EXPORT_NAME as the name type object identifier.  The resulting
   GSSName name will also be a MN.

   The GSSName interface defines public static Oid objects representing
   the standard name types.  Structurally, an exported name object
   consists of a header containing an OID identifying the mechanism that
   authenticated the name, and a trailer containing the name itself,
   where the syntax of the trailer is defined by the individual
   mechanism specification.  Detailed description of the format is
   specified in the language-independent GSS-API specification
   [GSSAPIv2-UPDATE].

   Note that the results obtained by using the equals method will in
   general be different from those obtained by invoking canonicalize and
   export, and then comparing the byte array output.  The first series
   of operation determines whether two (unauthenticated) names identify
   the same principal; the second whether a particular mechanism would
   authenticate them as the same principal.  These two operations will
   in general give the same results only for MNs.

   It is important to note that the above are guidelines as to how
   GSSName implementations should behave, and are not intended to be
   specific requirements of how name objects must be implemented.  The
   mechanism designers are free to decide on the details of their
   implementations of the GSSName interface as long as the behavior
   satisfies the above guidelines.

5.14.  Channel Bindings

   GSS-API supports the use of user-specified tags to identify a given
   context to the peer application.  These tags are intended to be used
   to identify the particular communications channel that carries the



Upadhyay & Malkani          Standards Track                    [Page 26]
^L
RFC 5653                  Java GSS-API Update                August 2009


   context.  Channel bindings are communicated to the GSS-API using the
   ChannelBinding object.  The application may use byte arrays to
   specify the application data to be used in the channel binding as
   well as using instances of the InetAddress.  The InetAddress for the
   initiator and/or acceptor can be used within an instance of a
   ChannelBinding.  ChannelBinding can be set for the GSSContext object
   using the setChannelBinding method before the first call to init or
   accept has been performed.  Unless the setChannelBinding method has
   been used to set the ChannelBinding for a GSSContext object, "null"
   ChannelBinding will be assumed.  InetAddress is currently the only
   address type defined within the Java platform and as such, it is the
   only one supported within the ChannelBinding class.  Applications
   that use other types of addresses can include them as part of the
   application-specific data.

   Conceptually, the GSS-API concatenates the initiator and acceptor
   address information, and the application-supplied byte array to form
   an octet-string.  The mechanism calculates a Message Integrity Code
   (MIC) over this octet-string and binds the MIC to the context
   establishment token emitted by the init method of the GSSContext
   interface.  The same bindings are set by the context acceptor for its
   GSSContext object and during processing of the accept method, a MIC
   is calculated in the same way.  The calculated MIC is compared with
   that found in the token, and if the MICs differ, accept will throw a
   GSSException with the major code set to BAD_BINDINGS, and the context
   will not be established.  Some mechanisms may include the actual
   channel binding data in the token (rather than just a MIC);
   applications should therefore not use confidential data as channel-
   binding components.

   Individual mechanisms may impose additional constraints on addresses
   that may appear in channel bindings.  For example, a mechanism may
   verify that the initiator address field of the channel binding
   contains the correct network address of the host system.  Portable
   applications should therefore ensure that they either provide correct
   information for the address fields, or omit the setting of the
   addressing information.

5.15.  Stream Objects

   The context object provides overloaded methods that use input and
   output streams as the means to convey authentication and per-message
   GSS-API tokens.  It is important to note that the streams are
   expected to contain the usual GSS-API tokens, which would otherwise
   be handled through the usage of byte arrays.  The tokens are expected
   to have a definite start and an end.  The callers are responsible for





Upadhyay & Malkani          Standards Track                    [Page 27]
^L
RFC 5653                  Java GSS-API Update                August 2009


   ensuring that the supplied streams will not block, or expect to block
   until a full token is processed by the GSS-API method.  Only a single
   GSS-API token will be processed per invocation of the stream-based
   method.

   The usage of streams allows the callers to have control and
   management of the supplied buffers.  Because streams are non-
   primitive objects, the callers can make the streams as complicated or
   as simple as desired simply by using the streams defined in the
   java.io package or creating their own through the use of inheritance.
   This will allow for the application's greatest flexibility.

5.16.  Optional Parameters

   Whenever the application wishes to omit an optional parameter the
   "null" value shall be used.  The detailed method descriptions
   indicate which parameters are optional.  Method overloading has also
   been used as a technique to indicate default parameters.

6.  Introduction to GSS-API Classes and Interfaces

   This section presents a brief description of the classes and
   interfaces that constitute the GSS-API.  The implementations of these
   are obtained from the CLASSPATH defined by the application.  If Java
   GSS becomes part of the standard Java APIs, then these classes will
   be available by default on all systems as part of the JRE's system
   classes.

   This section also shows the corresponding RFC 2743 [GSSAPIv2-UPDATE]
   functionality implemented by each of the classes.  Detailed
   description of these classes and their methods is presented in
   section 7.

6.1.  GSSManager Class

   This abstract class serves as a factory to instantiate
   implementations of the GSS-API interfaces and also provides methods
   to make queries about underlying security mechanisms.

   A default implementation can be obtained using the static method
   getInstance().  Applications that desire to provide their own
   implementation of the GSSManager class can simply extend the abstract
   class themselves.

   This class contains equivalents of the following RFC 2743 [GSSAPIv2-
   UPDATE] routines:





Upadhyay & Malkani          Standards Track                    [Page 28]
^L
RFC 5653                  Java GSS-API Update                August 2009


      RFC 2743 Routine             Function                   Section(s)

      gss_import_name              Create an internal name from  7.1.6-
                                   the supplied information.     7.1.9

      gss_acquire_cred             Acquire credential            7.1.10-
                                   for use.                      7.1.12

      gss_import_sec_context       Create a previously exported  7.1.15
                                   context.

      gss_indicate_mechs           List the mechanisms           7.1.3
                                   supported by this GSS-API
                                   implementation.

      gss_inquire_mechs_for_name   List the mechanisms           7.1.5
                                   supporting the
                                   specified name type.

      gss_inquire_names_for_mech   List the name types           7.1.4
                                   supported by the
                                   specified mechanism.

6.2.  GSSName Interface

   GSS-API names are represented in the Java bindings through the
   GSSName interface.  Different name formats and their definitions are
   identified with Universal Object Identifiers (oids).  The format of
   the names can be derived based on the unique oid of each name type.
   The following GSS-API routines are provided by the GSSName interface:

      RFC 2743 Routine        Function                       Section(s)

      gss_display_name        Covert internal name             7.2.7
                              representation to text format.

      gss_compare_name        Compare two internal names.      7.2.3,
                                                               7.2.4

      gss_release_name        Release resources associated     N/A
                              with the internal name.

      gss_canonicalize_name   Convert an internal name to a    7.2.5
                              mechanism name.

      gss_export_name         Convert a mechanism name to      7.2.6
                              export format.




Upadhyay & Malkani          Standards Track                    [Page 29]
^L
RFC 5653                  Java GSS-API Update                August 2009


      gss_duplicate_name      Create a copy of the internal    N/A
                              name.

   The gss_release_name call is not provided as Java does its own
   garbage collection.  The gss_duplicate_name call is also redundant;
   the GSSName interface has no mutator methods that can change the
   state of the object so it is safe for sharing across threads.

6.3.  GSSCredential Interface

   The GSSCredential interface is responsible for the encapsulation of
   GSS-API credentials.  Credentials identify a single entity and
   provide the necessary cryptographic information to enable the
   creation of a context on behalf of that entity.  A single credential
   may contain multiple mechanism-specific credentials, each referred to
   as a credential element.  The GSSCredential interface provides the
   functionality of the following GSS-API routines:

      RFC 2743 Routine           Function                    Section(s)

      gss_add_cred               Constructs credentials        7.3.12
                                 incrementally.

      gss_inquire_cred           Obtain information about      7.3.4-
                                 credential.                   7.3.11

      gss_inquire_cred_by_mech   Obtain per-mechanism          7.3.5-
                                 information about             7.3.10
                                 a credential.

      gss_release_cred           Dispose of credentials        7.3.3
                                 after use.

6.4.  GSSContext Interface

   This interface encapsulates the functionality of context-level calls
   required for security context establishment and management between
   peers as well as the per-message services offered to applications.  A
   context is established between a pair of peers and allows the usage
   of security services on a per-message basis on application data.  It
   is created over a single security mechanism.  The GSSContext
   interface provides the functionality of the following GSS-API
   routines:

      RFC 2743 Routine         Function                       Section(s)

      gss_init_sec_context     Initiate the creation of a       7.4.3-
                               security context with a peer.    7.4.6



Upadhyay & Malkani          Standards Track                    [Page 30]
^L
RFC 5653                  Java GSS-API Update                August 2009


      gss_accept_sec_context   Accept a security context        7.4.7-
                               initiated by a peer.             7.4.10

      gss_delete_sec_context   Destroy a security context.      7.4.12

      gss_context_time         Obtain remaining context         7.4.41
                               time.

      gss_inquire_context      Obtain context                   7.4.32-
                               characteristics.                 7.4.46

      gss_wrap_size_limit      Determine token-size limit       7.4.13
                               for gss_wrap.

      gss_export_sec_context   Transfer security context        7.4.22
                               to another process.


      gss_get_mic              Calculate a cryptographic        7.4.18,
                               Message Integrity Code (MIC)     7.4.19
                               for a message.

      gss_verify_mic           Verify integrity on a received   7.4.20,
                               message.                         7.4.21

      gss_wrap                 Attach a MIC to a message and    7.4.14,
                               optionally encrypt the message   7.4.15
                               content.

      gss_unwrap               Obtain a previously wrapped      7.4.16,
                               application message verifying    7.4.17
                               its integrity and optionally
                               decrypting it.

   The functionality offered by the gss_process_context_token routine
   has not been included in the Java bindings specification.  The
   corresponding functionality of gss_delete_sec_context has also been
   modified to not return any peer tokens.  This has been proposed in
   accordance to the recommendations stated in RFC 2743 [GSSAPIv2-
   UPDATE].  GSSContext does offer the functionality of destroying the
   locally stored context information.

6.5.  MessageProp Class

   This helper class is used in the per-message operations on the
   context.  An instance of this class is created by the application and
   then passed into the per-message calls.  In some cases, the
   application conveys information to the GSS-API implementation through



Upadhyay & Malkani          Standards Track                    [Page 31]
^L
RFC 5653                  Java GSS-API Update                August 2009


   this object and in other cases the GSS-API returns information to the
   application by setting it in this object.  See the description of the
   per-message operations wrap, unwrap, getMIC, and verifyMIC in the
   GSSContext interfaces for details.

6.6.  GSSException Class

   Exceptions are used in the Java bindings to signal fatal errors to
   the calling applications.  This replaces the major and minor codes
   used in the C-bindings specification as a method of signaling
   failures.  The GSSException class handles both minor and major codes,
   as well as their translation into textual representation.  All GSS-
   API methods are declared as throwing this exception.

      RFC 2743 Routine     Function                  Section

      gss_display_status   Retrieve textual          7.8.5, 7.8.6,
                           representation of error   7.8.8, 7.8.9
                           codes.

6.7.  Oid Class

   This utility class is used to represent Universal Object Identifiers
   and their associated operations.  GSS-API uses object identifiers to
   distinguish between security mechanisms and name types.  This class,
   aside from being used whenever an object identifier is needed,
   implements the following GSS-API functionality:

      RFC 2743 Routine          Function                         Section

      gss_test_oid_set_member   Determine if the specified oid   7.7.5
                                is part of a set of oids.

6.8.  ChannelBinding Class

   An instance of this class is used to specify channel binding
   information to the GSSContext object before the start of a security
   context establishment.  The application may use a byte array to
   specify application data to be used in the channel binding as well as
   to use instances of the InetAddress.  InetAddress is currently the
   only address type defined within the Java platform and as such, it is
   the only one supported within the ChannelBinding class.  Applications
   that use other types of addresses can include them as part of the
   application data.







Upadhyay & Malkani          Standards Track                    [Page 32]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.  Detailed GSS-API Class Description

   This section lists a detailed description of all the public methods
   that each of the GSS-API classes and interfaces must provide.

7.1.  public abstract class GSSManager

   The GSSManager class is an abstract class that serves as a factory
   for three GSS interfaces: GSSName, GSSCredential, and GSSContext.  It
   also provides methods for applications to determine what mechanisms
   are available from the GSS implementation and what name types these
   mechanisms support.  An instance of the default GSSManager subclass
   may be obtained through the static method getInstance(), but
   applications are free to instantiate other subclasses of GSSManager.

   All but one method in this class are declared abstract.  This means
   that subclasses have to provide the complete implementation for those
   methods.  The only exception to this is the static method
   getInstance(), which will have platform-specific code to return an
   instance of the default subclass.

   Platform providers of GSS are required not to add any constructors to
   this class, private, public, or protected.  This will ensure that all
   subclasses invoke only the default constructor provided to the base
   class by the compiler.

   A subclass extending the GSSManager abstract class may be implemented
   as a modular provider-based layer that utilizes some well-known
   service provider specification.  The GSSManager API provides the
   application with methods to set provider preferences on such an
   implementation.  These methods also allow the implementation to throw
   a well-defined exception in case provider-based configuration is not
   supported.  Applications that expect to be portable should be aware
   of this and recover cleanly by catching the exception.

   It is envisioned that there will be three most common ways in which
   providers will be used:

   1) The application does not care about what provider is used (the
      default case).

   2) The application wants a particular provider to be used
      preferentially, either for a particular mechanism or all the time,
      irrespective of the mechanism.

   3) The application wants to use the locally configured providers as
      far as possible, but if support is missing for one or more
      mechanisms, then it wants to fall back on its own provider.



Upadhyay & Malkani          Standards Track                    [Page 33]
^L
RFC 5653                  Java GSS-API Update                August 2009


   The GSSManager class has two methods that enable these modes of
   usage: addProviderAtFront() and addProviderAtEnd().  These methods
   have the effect of creating an ordered list of <provider, oid> pairs
   where each pair indicates a preference of provider for a given oid.

   The use of these methods does not require any knowledge of whatever
   service provider specification the GSSManager subclass follows.  It
   is hoped that these methods will serve the needs of most
   applications.  Additional methods may be added to an extended
   GSSManager that could be part of a service provider specification
   that is standardized later.

7.1.1.  Example Code

      GSSManager mgr = GSSManager.getInstance();

      // What mechs are available to us?

      Oid[] supportedMechs = mgr.getMechs();

      // Set a preference for the provider to be used when support
      // is needed for the mechanisms:
      //  "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".

      Oid krb = new Oid("1.2.840.113554.1.2.2");
      Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");

      Provider p = (Provider) (new com.foo.security.Provider());

      mgr.addProviderAtFront(p, krb);
      mgr.addProviderAtFront(p, spkm1);

      // What name types does this spkm implementation support?
      Oid[] nameTypes = mgr.getNamesForMech(spkm1);

7.1.2.  getInstance

   public static GSSManager getInstance()

   Returns the default GSSManager implementation.











Upadhyay & Malkani          Standards Track                    [Page 34]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.1.3.  getMechs

   public abstract Oid[] getMechs()

   Returns an array of Oid objects indicating the mechanisms available
   to GSS-API callers.  A "null" value is returned when no mechanism are
   available (an example of this would be when mechanism are dynamically
   configured, and currently no mechanisms are installed).

7.1.4.  getNamesForMech

   public abstract Oid[] getNamesForMech(Oid mech)
                         throws GSSException

   Returns name type Oid's supported by the specified mechanism.

   Parameters:

      mech:         The Oid object for the mechanism to query.

7.1.5.  getMechsForName

   public abstract Oid[] getMechsForName(Oid nameType)

   Returns an array of Oid objects corresponding to the mechanisms that
   support the specific name type. "null" is returned when no mechanisms
   are found to support the specified name type.

   Parameters:

      nameType:     The Oid object for the name type.

7.1.6.  createName

   public abstract GSSName createName(String nameStr, Oid nameType)
                   throws GSSException

   Factory method to convert a contiguous string name from the specified
   namespace to a GSSName object.  In general, the GSSName object
   created will not be an MN; two examples that are exceptions to this
   are when the namespace type parameter indicates NT_EXPORT_NAME or
   when the GSS-API implementation is not multi-mechanism.

   Parameters:

      nameStr:      The string representing a printable form of the name
                    to create.




Upadhyay & Malkani          Standards Track                    [Page 35]
^L
RFC 5653                  Java GSS-API Update                August 2009


      nameType:     The Oid specifying the namespace of the printable
                    name is supplied.  Note that nameType serves to
                    describe and qualify the interpretation of the input
                    nameStr, it does not necessarily imply a type for
                    the output GSSName implementation.  The "null" value
                    can be used to specify that a mechanism-specific
                    default printable syntax should be assumed by each
                    mechanism that examines nameStr.

7.1.7.  createName

   public abstract GSSName createName(byte[] name, Oid nameType)
                   throws GSSException

   Factory method to convert a contiguous byte array containing a name
   from the specified namespace to a GSSName object.  In general, the
   GSSName object created will not be an MN; two examples that are
   exceptions to this are when the namespace type parameter indicates
   NT_EXPORT_NAME or when the GSS-API implementation is not multi-
   mechanism.

   Parameters:

      name:         The byte array containing the name to create.

      nameType:     The Oid specifying the namespace of the name
                    supplied in the byte array.  Note that nameType
                    serves to describe and qualify the interpretation of
                    the input name byte array; it does not necessarily
                    imply a type for the output GSSName implementation.
                    The "null" value can be used to specify that a
                    mechanism-specific default syntax should be assumed
                    by each mechanism that examines the byte array.

7.1.8.  createName

   public abstract GSSName createName(String nameStr, Oid nameType,
                   Oid mech) throws GSSException

   Factory method to convert a contiguous string name from the specified
   namespace to a GSSName object that is a mechanism name (MN).  In
   other words, this method is a utility that does the equivalent of two
   steps: the createName described in section 7.1.6, and then also the
   GSSName.canonicalize() described in section 7.2.5.







Upadhyay & Malkani          Standards Track                    [Page 36]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Parameters:

      nameStr:      The string representing a printable form of the name
                    to create.

      nameType:     The Oid specifying the namespace of the printable
                    name supplied.  Note that nameType serves to
                    describe and qualify the interpretation of the input
                    nameStr; it does not necessarily imply a type for
                    the output GSSName implementation.  The "null" value
                    can be used to specify that a mechanism-specific
                    default printable syntax should be assumed when the
                    mechanism examines nameStr.

      mech:         Oid specifying the mechanism for which this name
                    should be created.

7.1.9.  createName

   public abstract GSSName createName(byte[] name, Oid nameType,
                   Oid mech) throws GSSException

   Factory method to convert a contiguous byte array containing a name
   from the specified namespace to a GSSName object that is an MN.  In
   other words, this method is a utility that does the equivalent of two
   steps: the createName described in section 7.1.7, and then also the
   GSSName.canonicalize() described in section 7.2.5.

   Parameters:

      name:         The byte array representing the name to create.

      nameType:     The Oid specifying the namespace of the name
                    supplied in the byte array.  Note that nameType
                    serves to describe and qualify the interpretation of
                    the input name byte array, it does not necessarily
                    imply a type for the output GSSName implementation.
                    The "null" value can be used to specify that a
                    mechanism-specific default syntax should be assumed
                    by each mechanism that examines the byte array.

      mech:         Oid specifying the mechanism for which this name
                    should be created.








Upadhyay & Malkani          Standards Track                    [Page 37]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.1.10.  createCredential

   public abstract GSSCredential createCredential(int usage)
                   throws GSSException

   Factory method for acquiring default credentials.  This will cause
   the GSS-API to use system-specific defaults for the set of
   mechanisms, name, and a DEFAULT lifetime.

   Parameters:

      usage:        The intended usage for this credential object.  The
                    value of this parameter must be one of:

                    GSSCredential.INITIATE_AND_ACCEPT(0),
                    GSSCredential.INITIATE_ONLY(1), or
                    GSSCredential.ACCEPT_ONLY(2)

7.1.11.  createCredential

   public abstract GSSCredential createCredential(GSSName aName,
                   int lifetime, Oid mech, int usage)
                   throws GSSException

   Factory method for acquiring a single mechanism credential.

   Parameters:

      aName:        Name of the principal for whom this credential is to
                    be acquired.  Use "null" to specify the default
                    principal.

      lifetime:     The number of seconds that credentials should remain
                    valid.  Use GSSCredential.INDEFINITE_LIFETIME to
                    request that the credentials have the maximum
                    permitted lifetime.  Use
                    GSSCredential.DEFAULT_LIFETIME to request default
                    credential lifetime.

      mech:         The oid of the desired mechanism.  Use "(Oid) null"
                    to request the default mechanism(s).










Upadhyay & Malkani          Standards Track                    [Page 38]
^L
RFC 5653                  Java GSS-API Update                August 2009


      usage:        The intended usage for this credential object.  The
                    value of this parameter must be one of:

                    GSSCredential.INITIATE_AND_ACCEPT(0),
                    GSSCredential.INITIATE_ONLY(1), or
                    GSSCredential.ACCEPT_ONLY(2)

7.1.12.  createCredential

   public abstract GSSCredential createCredential(GSSName aName,
                   int lifetime, Oid[] mechs, int usage)
                   throws GSSException

   Factory method for acquiring credentials over a set of mechanisms.
   Acquires credentials for each of the mechanisms specified in the
   array called mechs.  To determine the list of mechanisms' for which
   the acquisition of credentials succeeded, the caller should use the
   GSSCredential.getMechs() method.

   Parameters:

      aName:        Name of the principal for whom this credential is to
                    be acquired.  Use "null" to specify the default
                    principal.

      lifetime:     The number of seconds that credentials should remain
                    valid.  Use GSSCredential.INDEFINITE_LIFETIME to
                    request that the credentials have the maximum
                    permitted lifetime.  Use
                    GSSCredential.DEFAULT_LIFETIME to request default
                    credential lifetime.

      mechs:        The array of mechanisms over which the credential is
                    to be acquired.  Use "(Oid[]) null" for requesting a
                    system-specific default set of mechanisms.

      usage:        The intended usage for this credential object.  The
                    value of this parameter must be one of:

                    GSSCredential.INITIATE_AND_ACCEPT(0),
                    GSSCredential.INITIATE_ONLY(1), or
                    GSSCredential.ACCEPT_ONLY(2)

7.1.13.  createContext

   public abstract GSSContext createContext(GSSName peer, Oid mech,
                   GSSCredential myCred, int lifetime)
                   throws GSSException



Upadhyay & Malkani          Standards Track                    [Page 39]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Factory method for creating a context on the initiator's side.
   Context flags may be modified through the mutator methods prior to
   calling GSSContext.initSecContext().

   Parameters:

      peer:         Name of the target peer.

      mech:         Oid of the desired mechanism.  Use "(Oid) null" to
                    request the default mechanism.

      myCred:       Credentials of the initiator.  Use "null" to act as
                    a default initiator principal.

      lifetime:     The request lifetime, in seconds, for the context.
                    Use GSSContext.INDEFINITE_LIFETIME and
                    GSSContext.DEFAULT_LIFETIME to request indefinite or
                    default context lifetime.

7.1.14.  createContext

   public abstract GSSContext createContext(GSSCredential myCred)
                   throws GSSException

   Factory method for creating a context on the acceptor' side.  The
   context's properties will be determined from the input token supplied
   to the accept method.

   Parameters:

      myCred:       Credentials for the acceptor.  Use "null" to act as
                    a default acceptor principal.

7.1.15.  createContext

   public abstract GSSContext createContext(byte[] interProcessToken)
                   throws GSSException

   Factory method for creating a previously exported context.  The
   context properties will be determined from the input token and can't
   be modified through the set methods.

   Parameters:

      interProcessToken: The token previously emitted from the export
                         method.





Upadhyay & Malkani          Standards Track                    [Page 40]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.1.16.  addProviderAtFront

   public abstract void addProviderAtFront(Provider p, Oid mech)
                   throws GSSException

   This method is used to indicate to the GSSManager that the
   application would like a particular provider to be used ahead of all
   others when support is desired for the given mechanism.  When a value
   of "null" is used instead of an Oid for the mechanism, the GSSManager
   must use the indicated provider ahead of all others no matter what
   the mechanism is.  Only when the indicated provider does not support
   the needed mechanism should the GSSManager move on to a different
   provider.

   Calling this method repeatedly preserves the older settings but
   lowers them in preference thus forming an ordered list of provider
   and Oid pairs that grows at the top.

   Calling addProviderAtFront with a null Oid will remove all previous
   preferences that were set for this provider in the GSSManager
   instance.  Calling addProviderAtFront with a non-null Oid will remove
   any previous preference that was set using this mechanism and this
   provider together.

   If the GSSManager implementation does not support an SPI with a
   pluggable provider architecture, it should throw a GSSException with
   the status code GSSException.UNAVAILABLE to indicate that the
   operation is unavailable.

   Parameters:

      p:            The provider instance that should be used whenever
                    support is needed for mech.

      mech:         The mechanism for which the provider is being set.

7.1.17.  Example Code

   Suppose an application desired that the provider A always be checked
   first when any mechanism is needed, it would call:

      GSSManager mgr = GSSManager.getInstance();
      // mgr may at this point have its own pre-configured list
      // of provider preferences.  The following will prepend to
      // any such list:

      mgr.addProviderAtFront(A, null);




Upadhyay & Malkani          Standards Track                    [Page 41]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Now if it also desired that the mechanism of Oid m1 always be
   obtained from the provider B before the previously set A was checked,
   it would call:

      mgr.addProviderAtFront(B, m1);

   The GSSManager would then first check with B if m1 was needed.  In
   case B did not provide support for m1, the GSSManager would continue
   on to check with A.  If any mechanism m2 is needed where m2 is
   different from m1, then the GSSManager would skip B and check with A
   directly.

   Suppose, at a later time, the following call is made to the same
   GSSManager instance:

      mgr.addProviderAtFront(B, null)

   then the previous setting with the pair (B, m1) is subsumed by this
   and should be removed.  Effectively, the list of preferences now
   becomes {(B, null), (A, null), ... //followed by the pre-configured
   list.

   Please note, however, that the following call:

      mgr.addProviderAtFront(A, m3)

   does not subsume the previous setting of (A, null), and the list will
   effectively become {(A, m3), (B, null), (A, null), ...}

7.1.18.  addProviderAtEnd

   public abstract void addProviderAtEnd(Provider p, Oid mech)
                   throws GSSException

   This method is used to indicate to the GSSManager that the
   application would like a particular provider to be used if no other
   provider can be found that supports the given mechanism.  When a
   value of "null" is used instead of an Oid for the mechanism, the
   GSSManager must use the indicated provider for any mechanism.

   Calling this method repeatedly preserves the older settings, but
   raises them above newer ones in preference thus forming an ordered
   list of providers and Oid pairs that grows at the bottom.  Thus, the
   older provider settings will be utilized first before this one is.

   If there are any previously existing preferences that conflict with
   the preference being set here, then the GSSManager should ignore this
   request.



Upadhyay & Malkani          Standards Track                    [Page 42]
^L
RFC 5653                  Java GSS-API Update                August 2009


   If the GSSManager implementation does not support an SPI with a
   pluggable provider architecture, it should throw a GSSException with
   the status code GSSException.UNAVAILABLE to indicate that the
   operation is unavailable.

   Parameters:

      p:            The provider instance that should be used whenever
                    support is needed for mech.

      mech:         The mechanism for which the provider is being set.

7.1.19.  Example Code

   Suppose an application desired that when a mechanism of Oid m1 is
   needed, the system default providers always be checked first, and
   only when they do not support m1 should a provider A be checked.  It
   would then make the call:

      GSSManager mgr = GSSManager.getInstance();

      mgr.addProviderAtEnd(A, m1);

   Now, if it also desired that for all mechanisms the provider B be
   checked after all configured providers have been checked, it would
   then call:

      mgr.addProviderAtEnd(B, null);

   Effectively, the list of preferences now becomes {..., (A, m1), (B,
   null)}.

   Suppose, at a later time, the following call is made to the same
   GSSManager instance:

      mgr.addProviderAtEnd(B, m2)

   then the previous setting with the pair (B, null) subsumes this;
   therefore, this request should be ignored.  The same would happen if
   a request is made for the already existing pairs of (A, m1) or (B,
   null).

   Please note, however, that the following call:

      mgr.addProviderAtEnd(A, null)

   is not subsumed by the previous setting of (A, m1) and the list will
   effectively become {..., (A, m1), (B, null), (A, null)}.



Upadhyay & Malkani          Standards Track                    [Page 43]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.2.  public interface GSSName

   This interface encapsulates a single GSS-API principal entity.
   Different name formats and their definitions are identified with
   Universal Object Identifiers (Oids).  The format of the names can be
   derived based on the unique oid of its namespace type.

7.2.1.  Example Code

   Included below are code examples utilizing the GSSName interface.
   The code below creates a GSSName, converts it to a mechanism name
   (MN), performs a comparison, obtains a printable representation of
   the name, exports it and then re-imports to obtain a new GSSName.

      GSSManager mgr = GSSManager.getInstance();

      // create a host-based service name
      GSSName name = mgr.createName("service@host",
                      GSSName.NT_HOSTBASED_SERVICE);

      Oid krb5 = new Oid("1.2.840.113554.1.2.2");

      GSSName mechName = name.canonicalize(krb5);

      // the above two steps are equivalent to the following
      GSSName mechName = mgr.createName("service@host",
                      GSSName.NT_HOSTBASED_SERVICE, krb5);

      // perform name comparison
      if (name.equals(mechName))
              print("Names are equals.");

      // obtain textual representation of name and its printable
      // name type
      print(mechName.toString() +
            mechName.getStringNameType().toString());

      // export and re-import the name
      byte[] exportName = mechName.export();

      // create a new name object from the exported buffer
      GSSName newName = mgr.createName(exportName,
                        GSSName.NT_EXPORT_NAME);








Upadhyay & Malkani          Standards Track                    [Page 44]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.2.2.  Static Constants

   public static final Oid NT_HOSTBASED_SERVICE

   Oid indicating a host-based service name form.  It is used to
   represent services associated with host computers.  This name form is
   constructed using two elements, "service" and "hostname", as follows:

      service@hostname

   Values for the "service" element are registered with the IANA.  It
   represents the following value: { iso(1) member-body(2) Unites
   States(840) mit(113554) infosys(1) gssapi(2) generic(1)
   service_name(4) }

   public static final Oid NT_USER_NAME

   Name type to indicate a named user on a local system.  It represents
   the following value: { iso(1) member-body(2) United States(840)
   mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }

   public static final Oid NT_MACHINE_UID_NAME

   Name type to indicate a numeric user identifier corresponding to a
   user on a local system (e.g., Uid).  It represents the following
   value: { iso(1) member-body(2) United States(840) mit(113554)
   infosys(1) gssapi(2) generic(1) machine_uid_name(2) }

   public static final Oid NT_STRING_UID_NAME

   Name type to indicate a string of digits representing the numeric
   user identifier of a user on a local system.  It represents the
   following value: { iso(1) member-body(2) United States(840)
   mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) }

   public static final Oid NT_ANONYMOUS

   Name type for representing an anonymous entity.  It represents the
   following value: { iso(1), org(3), dod(6), internet(1), security(5),
   nametypes(6), gss-anonymous-name(3) }

   public static final Oid NT_EXPORT_NAME

   Name type used to indicate an exported name produced by the export
   method.  It represents the following value: { iso(1), org(3), dod(6),
   internet(1), security(5), nametypes(6), gss-api-exported-name(4) }





Upadhyay & Malkani          Standards Track                    [Page 45]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.2.3.  equals

   public boolean equals(GSSName another) throws GSSException

   Compares two GSSName objects to determine whether they refer to the
   same entity.  This method may throw a GSSException when the names
   cannot be compared.  If either of the names represents an anonymous
   entity, the method will return "false".

   Parameters:

      another:      GSSName object with which to compare.

7.2.4.  equals

      public boolean equals(Object another)

      A variation of the equals method, described in section 7.2.3, that
      is provided to override the Object.equals() method that the
      implementing class will inherit.  The behavior is exactly the same
      as that in section 7.2.3 except that no GSSException is thrown;
      instead, "false" will be returned in the situation where an error
      occurs.  (Note that the Java language specification requires that
      two objects that are equal according to the equals(Object) method
      must return the same integer result when the hashCode() method is
      called on them.)

      Parameters:

      another:      GSSName object with which to compare.

7.2.5.  canonicalize

      public GSSName canonicalize(Oid mech) throws GSSException

      Creates a mechanism name (MN) from an arbitrary internal name.
      This is equivalent to using the factory methods described in
      sections 7.1.8 or 7.1.9 that take the mechanism name as one of
      their parameters.

      Parameters:

      mech:         The oid for the mechanism for which the canonical
                    form of the name is requested.







Upadhyay & Malkani          Standards Track                    [Page 46]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.2.6.  export

   public byte[] export() throws GSSException

   Returns a canonical contiguous byte representation of a mechanism
   name (MN), suitable for direct, byte-by-byte comparison by
   authorization functions.  If the name is not an MN, implementations
   may throw a GSSException with the NAME_NOT_MN status code.  If an
   implementation chooses not to throw an exception, it should use some
   system-specific default mechanism to canonicalize the name and then
   export it.  The format of the header of the output buffer is
   specified in RFC 2743 [GSSAPIv2-UPDATE].

7.2.7.  toString

   public String toString()

   Returns a textual representation of the GSSName object.  To retrieve
   the printed name format, which determines the syntax of the returned
   string, the getStringNameType method can be used.

7.2.8.  getStringNameType

   public Oid getStringNameType() throws GSSException

   Returns the oid representing the type of name returned through the
   toString method.  Using this oid, the syntax of the printable name
   can be determined.

7.2.9.  isAnonymous

   public boolean isAnonymous()

   Tests if this name object represents an anonymous entity.  Returns
   "true" if this is an anonymous name.

7.2.10.  isMN

   public boolean isMN()

   Tests if this name object contains only one mechanism element and is
   thus a mechanism name as defined by RFC 2743 [GSSAPIv2-UPDATE].

7.3.  public interface GSSCredential implements Cloneable

   This interface encapsulates the GSS-API credentials for an entity.  A
   credential contains all the necessary cryptographic information to
   enable the creation of a context on behalf of the entity that it



Upadhyay & Malkani          Standards Track                    [Page 47]
^L
RFC 5653                  Java GSS-API Update                August 2009


   represents.  It may contain multiple, distinct, mechanism-specific
   credential elements, each containing information for a specific
   security mechanism, but all referring to the same entity.

   A credential may be used to perform context initiation, acceptance,
   or both.

   GSS-API implementations must impose a local access-control policy on
   callers to prevent unauthorized callers from acquiring credentials to
   which they are not entitled.  GSS-API credential creation is not
   intended to provide a "login to the network" function, as such a
   function would involve the creation of new credentials rather than
   merely acquiring a handle to existing credentials.  Such functions,
   if required, should be defined in implementation-specific extensions
   to the API.

   If credential acquisition is time-consuming for a mechanism, the
   mechanism may choose to delay the actual acquisition until the
   credential is required (e.g., by GSSContext).  Such mechanism-
   specific implementation decisions should be invisible to the calling
   application; thus, the query methods immediately following the
   creation of a credential object must return valid credential data,
   and may therefore incur the overhead of a deferred credential
   acquisition.

   Applications will create a credential object passing the desired
   parameters.  The application can then use the query methods to obtain
   specific information about the instantiated credential object
   (equivalent to the gss_inquire routines).  When the credential is no
   longer needed, the application should call the dispose (equivalent to
   gss_release_cred) method to release any resources held by the
   credential object and to destroy any cryptographically sensitive
   information.

   Classes implementing this interface also implement the Cloneable
   interface.  This indicates that the class will support the clone()
   method that will allow the creation of duplicate credentials.  This
   is useful when called just before the add() call to retain a copy of
   the original credential.












Upadhyay & Malkani          Standards Track                    [Page 48]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.3.1.  Example Code

   This example code demonstrates the creation of a GSSCredential
   implementation for a specific entity, querying of its fields, and its
   release when it is no longer needed.

      GSSManager mgr = GSSManager.getInstance();

      // start by creating a name object for the entity
      GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);

      // now acquire credentials for the entity
      GSSCredential cred = mgr.createCredential(name,
                           GSSCredential.ACCEPT_ONLY);

      // display credential information - name, remaining lifetime,
      // and the mechanisms it has been acquired over
      print(cred.getName().toString());
      print(cred.getRemainingLifetime());

      Oid[] mechs = cred.getMechs();
      if (mechs != null) {
         for (int i = 0; i < mechs.length; i++)
             print(mechs[i].toString());
      }
      // release system resources held by the credential
      cred.dispose();

7.3.2.  Static Constants

   public static final int INITIATE_AND_ACCEPT

   Credential usage flag requesting that it be able to be used for both
   context initiation and acceptance.  The value of this constant is 0.

   public static final int INITIATE_ONLY

   Credential usage flag requesting that it be able to be used for
   context initiation only.  The value of this constant is 1.

   public static final int ACCEPT_ONLY

   Credential usage flag requesting that it be able to be used for
   context acceptance only.  The value of this constant is 2.

   public static final int DEFAULT_LIFETIME

   A lifetime constant representing the default credential lifetime.



Upadhyay & Malkani          Standards Track                    [Page 49]
^L
RFC 5653                  Java GSS-API Update                August 2009


   The value of this constant is 0.

   public static final int INDEFINITE_LIFETIME

   A lifetime constant representing indefinite credential lifetime.  The
   value of this constant is the maximum integer value in Java -
   Integer.MAX_VALUE.

7.3.3.  dispose

   public void dispose() throws GSSException

   Releases any sensitive information that the GSSCredential object may
   be containing.  Applications should call this method as soon as the
   credential is no longer needed to minimize the time any sensitive
   information is maintained.

7.3.4.  getName

   public GSSName getName() throws GSSException

   Retrieves the name of the entity that the credential asserts.

7.3.5.  getName

   public GSSName getName(Oid mechOID) throws GSSException

   Retrieves a mechanism name of the entity that the credential asserts.
   Equivalent to calling canonicalize() on the name returned by section
   7.3.4.

   Parameters:

      mechOID:      The mechanism for which information should be
                    returned.

7.3.6.  getRemainingLifetime

   public int getRemainingLifetime() throws GSSException

   Returns the remaining lifetime in seconds for a credential.  The
   remaining lifetime is the minimum lifetime for any of the underlying
   credential mechanisms.  A return value of
   GSSCredential.INDEFINITE_LIFETIME indicates that the credential does
   not expire.  A return value of 0 indicates that the credential is
   already expired.





Upadhyay & Malkani          Standards Track                    [Page 50]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.3.7.  getRemainingInitLifetime

   public int getRemainingInitLifetime(Oid mech) throws GSSException

   Returns the remaining lifetime in seconds for the credential to
   remain capable of initiating security contexts under the specified
   mechanism.  A return value of GSSCredential.INDEFINITE_LIFETIME
   indicates that the credential does not expire for context initiation.
   A return value of 0 indicates that the credential is already expired.

   Parameters:

      mechOID:      The mechanism for which information should be
                    returned.

7.3.8.  getRemainingAcceptLifetime

   public int getRemainingAcceptLifetime(Oid mech) throws GSSException

   Returns the remaining lifetime in seconds for the credential to
   remain capable of accepting security contexts under the specified
   mechanism.  A return value of GSSCredential.INDEFINITE_LIFETIME
   indicates that the credential does not expire for context acceptance.
   A return value of 0 indicates that the credential is already expired.

   Parameters:

      mechOID:      The mechanism for which information should be
                    returned.

7.3.9.  getUsage

   public int getUsage() throws GSSException

   Returns the credential usage flag as a union over all mechanisms.
   The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0),
   GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).

7.3.10.  getUsage

   public int getUsage(Oid mechOID) throws GSSException

   Returns the credential usage flag for the specified mechanism only.
   The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0),
   GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).






Upadhyay & Malkani          Standards Track                    [Page 51]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Parameters:

      mechOID:      The mechanism for which information should be
                    returned.

7.3.11.  getMechs

   public Oid[] getMechs() throws GSSException

   Returns an array of mechanisms supported by this credential.

7.3.12.  add

   public void add(GSSName aName, int initLifetime, int acceptLifetime,
                   Oid mech, int usage) throws GSSException

   Adds a mechanism-specific credential-element to an existing
   credential.  This method allows the construction of credentials one
   mechanism at a time.

   This routine is envisioned to be used mainly by context acceptors
   during the creation of acceptance credentials, which are to be used
   with a variety of clients using different security mechanisms.

   This routine adds the new credential element "in-place".  To add the
   element in a new credential, first call clone() to obtain a copy of
   this credential, then call its add() method.

   Parameters:

      aName:             Name of the principal for whom this credential
                         is to be acquired.  Use "null" to specify the
                         default principal.

      initLifetime:      The number of seconds that credentials should
                         remain valid for initiating of security
                         contexts.  Use
                         GSSCredential.INDEFINITE_LIFETIME to request
                         that the credentials have the maximum permitted
                         lifetime.  Use GSSCredential.DEFAULT_LIFETIME
                         to request default credential lifetime.

      acceptLifetime:    The number of seconds that credentials should
                         remain valid for accepting of security
                         contexts.






Upadhyay & Malkani          Standards Track                    [Page 52]
^L
RFC 5653                  Java GSS-API Update                August 2009


                         Use GSSCredential.INDEFINITE_LIFETIME to
                         request that the credentials have the maximum
                         permitted lifetime.  Use
                         GSSCredential.DEFAULT_LIFETIME to request
                         default credential lifetime.

      mech:              The mechanisms over which the credential is to
                         be acquired.

      usage:             The intended usage for this credential object.
                         The value of this parameter must be one of:

                         GSSCredential.INITIATE_AND_ACCEPT(0),
                         GSSCredential.INITIATE_ONLY(1), or
                         GSSCredential.ACCEPT_ONLY(2)

7.3.13.  equals

   public boolean equals(Object another)

   Tests if this GSSCredential refers to the same entity as the supplied
   object.  The two credentials must be acquired over the same
   mechanisms and must refer to the same principal.  Returns "true" if
   the two GSSCredentials refer to the same entity; "false" otherwise.
   (Note that the Java language specification [JLS] requires that two
   objects that are equal according to the equals(Object) method must
   return the same integer result when the hashCode() method is called
   on them.)

   Parameters:

      another:      Another GSSCredential object for comparison.

7.4.  public interface GSSContext

   This interface encapsulates the GSS-API security context and provides
   the security services (wrap, unwrap, getMIC, verifyMIC) that are
   available over the context.  Security contexts are established
   between peers using locally acquired credentials.  Multiple contexts
   may exist simultaneously between a pair of peers, using the same or
   different set of credentials.  GSS-API functions in a manner
   independent of the underlying transport protocol and depends on its
   calling application to transport its tokens between peers.








Upadhyay & Malkani          Standards Track                    [Page 53]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Before the context establishment phase is initiated, the context
   initiator may request specific characteristics desired of the
   established context.  These can be set using the set methods.  After
   the context is established, the caller can check the actual
   characteristic and services offered by the context using the query
   methods.

   The context establishment phase begins with the first call to the
   init method by the context initiator.  During this phase, the
   initSecContext and acceptSecContext methods will produce GSS-API
   authentication tokens, which the calling application needs to send to
   its peer.  If an error occurs at any point, an exception will get
   thrown and the code will start executing in a catch block.  If not,
   the normal flow of code continues and the application can make a call
   to the isEstablished() method.  If this method returns "false" it
   indicates that a token is needed from its peer in order to continue
   the context establishment phase.  A return value of "true" signals
   that the local end of the context is established.  This may still
   require that a token be sent to the peer, if one is produced by GSS-
   API.  During the context establishment phase, the isProtReady()
   method may be called to determine if the context can be used for the
   per-message operations.  This allows applications to use per-message
   operations on contexts that aren't fully established.

   After the context has been established or the isProtReady() method
   returns "true", the query routines can be invoked to determine the
   actual characteristics and services of the established context.  The
   application can also start using the per-message methods of wrap and
   getMIC to obtain cryptographic operations on application supplied
   data.

   When the context is no longer needed, the application should call
   dispose to release any system resources the context may be using.

7.4.1.  Example Code

   The example code presented below demonstrates the usage of the
   GSSContext interface for the initiating peer.  Different operations
   on the GSSContext object are presented, including: object
   instantiation, setting of desired flags, context establishment, query
   of actual context flags, per-message operations on application data,
   and finally context deletion.

      GSSManager mgr = GSSManager.getInstance();

      // start by creating the name for a service entity
      GSSName targetName = mgr.createName("service@host",
                           GSSName.NT_HOSTBASED_SERVICE);



Upadhyay & Malkani          Standards Track                    [Page 54]
^L
RFC 5653                  Java GSS-API Update                August 2009


      // create a context using default credentials for the above entity
      // and the implementation-specific default mechanism
      GSSContext context = mgr.createContext(targetName,
                      null,   /* default mechanism */
                      null,   /* default credentials */
                      GSSContext.INDEFINITE_LIFETIME);

      // set desired context options - all others are "false" by default
      context.requestConf(true);
      context.requestMutualAuth(true);
      context.requestReplayDet(true);
      context.requestSequenceDet(true);

      // establish a context between peers - using byte arrays
      byte[]inTok = new byte[0];

      try {
          do {
              byte[] outTok = context.initSecContext(inTok, 0,
                                                    inTok.length);

              // send the token if present
              if (outTok != null)
                  sendToken(outTok);

              // check if we should expect more tokens
              if (context.isEstablished())
                  break;

              // another token expected from peer
              inTok = readToken();

          } while (true);

      } catch (GSSException e) {
          print("GSSAPI error: " + e.getMessage());
      }

      // display context information
      print("Remaining lifetime in seconds = " + context.getLifetime());
      print("Context mechanism = " + context.getMech().toString());
      print("Initiator = " + context.getSrcName().toString());
      print("Acceptor = " + context.getTargName().toString());

      if (context.getConfState())
          print("Confidentiality security service available");

      if (context.getIntegState())



Upadhyay & Malkani          Standards Track                    [Page 55]
^L
RFC 5653                  Java GSS-API Update                August 2009


          print("Integrity security service available");

      // perform wrap on an application-supplied message, appMsg,
      // using QOP = 0, and requesting privacy service
      byte[] appMsg ...

      MessageProp mProp = new MessageProp(0, true);

      byte[] tok = context.wrap(appMsg, 0, appMsg.length, mProp);

      if (mProp.getPrivacy())
          print("Message protected with privacy.");

      sendToken(tok);

      // release the local end of the context
      context.dispose();

7.4.2.  Static Constants

   public static final int DEFAULT_LIFETIME

   A lifetime constant representing the default context lifetime.  The
   value of this constant is 0.

   public static final int INDEFINITE_LIFETIME

   A lifetime constant representing indefinite context lifetime.  The
   value of this constant is the maximum integer value in Java -
   Integer.MAX_VALUE.

7.4.3.  initSecContext

   public byte[] initSecContext(byte[] inputBuf, int offset, int len)
                 throws GSSException

   Called by the context initiator to start the context creation
   process.  This is equivalent to the stream-based method except that
   the token buffers are handled as byte arrays instead of using stream
   objects.  This method may return an output token that the application
   will need to send to the peer for processing by the accept call.
   Typically, the application would do so by calling the flush() method
   on an OutputStream that encapsulates the connection between the two
   peers.  The application can call isEstablished() to determine if the
   context establishment phase is complete for this peer.  A return
   value of "false" from isEstablished() indicates that more tokens are
   expected to be supplied to the initSecContext() method.  Note that it
   is possible that the initSecContext() method will return a token for



Upadhyay & Malkani          Standards Track                    [Page 56]
^L
RFC 5653                  Java GSS-API Update                August 2009


   the peer and isEstablished() will return "true" also.  This indicates
   that the token needs to be sent to the peer, but the local end of the
   context is now fully established.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   Parameters:

      inputBuf:     Token generated by the peer.  This parameter is
                    ignored on the first call.

      offset:       The offset within the inputBuf where the token
                    begins.

      len:          The length of the token within the inputBuf
                    (starting at the offset).

7.4.4.  Example Code

      // Create a new GSSContext implementation object.
      // GSSContext wrapper implements interface GSSContext.
      GSSContext context = mgr.createContext(...);

      byte[] inTok = new byte[0];

      try {
          do {
              byte[] outTok = context.initSecContext(inTok, 0,
                              inTok.length);

              // send the token if present
              if (outTok != null)
                  sendToken(outTok);

              // check if we should expect more tokens
              if (context.isEstablished())
                  break;

              // another token expected from peer
              inTok = readToken();
          } while (true);

      } catch (GSSException e) {
         print("GSSAPI error: " + e.getMessage());
      }





Upadhyay & Malkani          Standards Track                    [Page 57]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.5.  initSecContext

   public int initSecContext(InputStream inStream,
              OutputStream outStream) throws GSSException

   Called by the context initiator to start the context creation
   process.  This is equivalent to the byte-array-based method.  This
   method may write an output token to the outStream, which the
   application will need to send to the peer for processing by the
   accept call.  Typically, the application would do so by calling the
   flush() method on an OutputStream that encapsulates the connection
   between the two peers.  The application can call isEstablished() to
   determine if the context establishment phase is complete for this
   peer.  A return value of "false" from isEstablished indicates that
   more tokens are expected to be supplied to the initSecContext method.
   Note that it is possible that the initSecContext() method will return
   a token for the peer and isEstablished() will return "true" also.
   This indicates that the token needs to be sent to the peer, but the
   local end of the context is now fully established.

   The GSS-API authentication tokens contain a definitive start and end.
   This method will attempt to read one of these tokens per invocation,
   and may block on the stream if only part of the token is available.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   Parameters:

      inStream:     Contains the token generated by the peer.  This
                    parameter is ignored on the first call.

      outStream:    Output stream where the output token will be
                    written.  During the final stage of context
                    establishment, there may be no bytes written.

7.4.6.  Example Code

   This sample code merely demonstrates the token exchange during the
   context establishment phase.  It is expected that most Java
   applications will use custom implementations of the Input and Output
   streams that encapsulate the communication routines.  For instance, a
   simple read on the application InputStream, when called by the
   Context, might cause a token to be read from the peer, and a simple
   flush() on the application OutputStream might cause a previously
   written token to be transmitted to the peer.





Upadhyay & Malkani          Standards Track                    [Page 58]
^L
RFC 5653                  Java GSS-API Update                August 2009


      // Create a new GSSContext implementation object.
      // GSSContext wrapper implements interface GSSContext.
      GSSContext context = mgr.createContext(...);
      // use standard java.io stream objects
      ByteArrayOutputStream os = new ByteArrayOutputStream();
      ByteArrayInputStream is = null;

      try {
          do {
              context.initSecContext(is, os);

              // send token if present
              if (os.size() > 0)
                  sendToken(os);

              // check if we should expect more tokens
              if (context.isEstablished())
                  break;

              // another token expected from peer
              is = recvToken();

          } while (true);

      } catch (GSSException e) {
          print("GSSAPI error: " + e.getMessage());
      }

7.4.7.  acceptSecContext

   public byte[] acceptSecContext(byte[] inTok, int offset, int len)
              throws GSSException

   Called by the context acceptor upon receiving a token from the peer.
   This call is equivalent to the stream-based method except that the
   token buffers are handled as byte arrays instead of using stream
   objects.

   This method may return an output token that the application will need
   to send to the peer for further processing by the init call.

   The "null" return value indicates that no token needs to be sent to
   the peer.  The application can call isEstablished() to determine if
   the context establishment phase is complete for this peer.  A return
   value of "false" from isEstablished() indicates that more tokens are
   expected to be supplied to this method.





Upadhyay & Malkani          Standards Track                    [Page 59]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Note that it is possible that acceptSecContext() will return a token
   for the peer and isEstablished() will return "true" also.  This
   indicates that the token needs to be sent to the peer, but the local
   end of the context is now fully established.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   Parameters:

      inTok:        Token generated by the peer.

      offset:       The offset within the inTok where the token begins.

      len:          The length of the token within the inTok (starting
                    at the offset).

7.4.8.  Example Code

      // acquire server credentials
      GSSCredential server = mgr.createCredential(...);

      // create acceptor GSS-API context from the default provider
      GSSContext context = mgr.createContext(server, null);

      try {
          do {
              byte[] inTok = readToken();

              byte[] outTok = context.acceptSecContext(inTok, 0,
                              inTok.length);

              // possibly send token to peer
              if (outTok != null)
                  sendToken(outTok);

              // check if local context establishment is complete
              if (context.isEstablished())
                  break;
          } while (true);

      } catch (GSSException e) {
         print("GSS-API error: " + e.getMessage());
      }







Upadhyay & Malkani          Standards Track                    [Page 60]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.9.  acceptSecContext

   public void acceptSecContext(InputStream inStream,
                    OutputStream outStream) throws GSSException

   Called by the context acceptor upon receiving a token from the peer.
   This call is equivalent to the byte array method.  It may write an
   output token to the outStream, which the application will need to
   send to the peer for processing by its initSecContext method.
   Typically, the application would do so by calling the flush() method
   on an OutputStream that encapsulates the connection between the two
   peers.  The application can call isEstablished() to determine if the
   context establishment phase is complete for this peer.  A return
   value of "false" from isEstablished() indicates that more tokens are
   expected to be supplied to this method.

   Note that it is possible that acceptSecContext() will return a token
   for the peer and isEstablished() will return "true" also.  This
   indicates that the token needs to be sent to the peer, but the local
   end of the context is now fully established.

   The GSS-API authentication tokens contain a definitive start and end.
   This method will attempt to read one of these tokens per invocation,
   and may block on the stream if only part of the token is available.

   Upon completion of the context establishment, the available context
   options may be queried through the get methods.

   Parameters:

      inStream:     Contains the token generated by the peer.

      outStream:    Output stream where the output token will be
                    written.  During the final stage of context
                    establishment, there may be no bytes written.

7.4.10.  Example Code

   This sample code merely demonstrates the token exchange during the
   context establishment phase.  It is expected that most Java
   applications will use custom implementations of the Input and Output
   streams that encapsulate the communication routines.  For instance, a
   simple read on the application InputStream, when called by the
   Context, might cause a token to be read from the peer, and a simple
   flush() on the application OutputStream might cause a previously
   written token to be transmitted to the peer.





Upadhyay & Malkani          Standards Track                    [Page 61]
^L
RFC 5653                  Java GSS-API Update                August 2009


      // acquire server credentials
      GSSCredential server = mgr.createCredential(...);

      // create acceptor GSS-API context from the default provider
      GSSContext context = mgr.createContext(server, null);

      // use standard java.io stream objects
      ByteArrayOutputStream os = new ByteArrayOutputStream();
      ByteArrayInputStream is = null;

      try {
          do {

              is = recvToken();

              context.acceptSecContext(is, os);

              // possibly send token to peer
              if (os.size() > 0)
                  sendToken(os);

              // check if local context establishment is complete
              if (context.isEstablished())
                  break;
          } while (true);

      } catch (GSSException e) {
          print("GSS-API error: " + e.getMessage());
      }

7.4.11.  isEstablished

   public boolean isEstablished()

   Used during context establishment to determine the state of the
   context.  Returns "true" if this is a fully established context on
   the caller's side and no more tokens are needed from the peer.
   Should be called after a call to initSecContext() or
   acceptSecContext() when no GSSException is thrown.

7.4.12.  dispose

   public void dispose() throws GSSException

   Releases any system resources and cryptographic information stored in
   the context object.  This will invalidate the context.





Upadhyay & Malkani          Standards Track                    [Page 62]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.13.  getWrapSizeLimit

   public int getWrapSizeLimit(int qop, boolean confReq,
              int maxTokenSize) throws GSSException

   Returns the maximum message size that, if presented to the wrap
   method with the same confReq and qop parameters, will result in an
   output token containing no more than the maxTokenSize bytes.

   This call is intended for use by applications that communicate over
   protocols that impose a maximum message size.  It enables the
   application to fragment messages prior to applying protection.

   GSS-API implementations are recommended but not required to detect
   invalid QOP values when getWrapSizeLimit is called.  This routine
   guarantees only a maximum message size, not the availability of
   specific QOP values for message protection.

   Successful completion of this call does not guarantee that wrap will
   be able to protect a message of the computed length, since this
   ability may depend on the availability of system resources at the
   time that wrap is called.  However, if the implementation itself
   imposes an upper limit on the length of messages that may be
   processed by wrap, the implementation should not return a value that
   is greater than this length.

   Parameters:

      qop:          Indicates the level of protection wrap will be asked
                    to provide.

      confReq:      Indicates if wrap will be asked to provide privacy
                    service.

      maxTokenSize: The desired maximum size of the token emitted by
                    wrap.

7.4.14.  wrap

   public byte[] wrap(byte[] inBuf, int offset, int len,
                      MessageProp msgProp) throws GSSException

   Applies per-message security services over the established security
   context.  The method will return a token with a cryptographic MIC and
   may optionally encrypt the specified inBuf.  This method is
   equivalent in functionality to its stream counterpart.  The returned
   byte array will contain both the MIC and the message.




Upadhyay & Malkani          Standards Track                    [Page 63]
^L
RFC 5653                  Java GSS-API Update                August 2009


   The MessageProp object is instantiated by the application and used to
   specify a QOP value that selects cryptographic algorithms, and a
   privacy service to optionally encrypt the message.  The underlying
   mechanism that is used in the call may not be able to provide the
   privacy service.  It sets the actual privacy service that it does
   provide in this MessageProp object, which the caller should then
   query upon return.  If the mechanism is not able to provide the
   requested QOP, it throws a GSSException with the BAD_QOP code.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping of zero-length messages.

   The application will be responsible for sending the token to the
   peer.

   Parameters:

      inBuf:        Application data to be protected.

      offset:       The offset within the inBuf where the data begins.

      len:          The length of the data within the inBuf (starting at
                    the offset).

      msgProp:      Instance of MessageProp that is used by the
                    application to set the desired QOP and privacy
                    state.  Set the desired QOP to 0 to request the
                    default QOP.  Upon return from this method, this
                    object will contain the actual privacy state that
                    was applied to the message by the underlying
                    mechanism.

7.4.15.  wrap

   public void wrap(InputStream inStream, OutputStream outStream,
                    MessageProp msgProp) throws GSSException

   Allows to apply per-message security services over the established
   security context.  The method will produce a token with a
   cryptographic MIC and may optionally encrypt the message in inStream.
   The outStream will contain both the MIC and the message.

   The MessageProp object is instantiated by the application and used to
   specify a QOP value that selects cryptographic algorithms, and a
   privacy service to optionally encrypt the message.  The underlying
   mechanism that is used in the call may not be able to provide the
   privacy service.  It sets the actual privacy service that it does



Upadhyay & Malkani          Standards Track                    [Page 64]
^L
RFC 5653                  Java GSS-API Update                August 2009


   provide in this MessageProp object, which the caller should then
   query upon return.  If the mechanism is not able to provide the
   requested QOP, it throws a GSSException with the BAD_QOP code.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping of zero-length messages.

   The application will be responsible for sending the token to the
   peer.

   Parameters:

      inStream:     Input stream containing the application data to be
                    protected.

      outStream:    The output stream to which to write the protected
                    message.  The application is responsible for sending
                    this to the other peer for processing in its unwrap
                    method.

      msgProp:      Instance of MessageProp that is used by the
                    application to set the desired QOP and privacy
                    state.  Set the desired QOP to 0 to request the
                    default QOP.  Upon return from this method, this
                    object will contain the actual privacy state that
                    was applied to the message by the underlying
                    mechanism.

7.4.16.  unwrap

   public byte[] unwrap(byte[] inBuf, int offset, int len,
                        MessageProp msgProp) throws GSSException

   Used by the peer application to process tokens generated with the
   wrap call.  This call is equal in functionality to its stream
   counterpart.  The method will return the message supplied in the peer
   application to the wrap call, verifying the embedded MIC.

   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP, whether confidentiality was applied to the message, and
   other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping and unwrapping of zero-length messages.




Upadhyay & Malkani          Standards Track                    [Page 65]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Parameters:

      inBuf:        GSS-API wrap token received from peer.

      offset:       The offset within the inBuf where the token begins.

      len:          The length of the token within the inBuf (starting
                    at the offset).

      msgProp:      Upon return from the method, this object will
                    contain the applied QOP, the privacy state of the
                    message, and supplementary information, described in
                    section 5.12.3, stating whether the token was a
                    duplicate, old, out of sequence, or arriving after a
                    gap.

7.4.17.  unwrap

   public void unwrap(InputStream inStream, OutputStream outStream,
                      MessageProp msgProp) throws GSSException

   Used by the peer application to process tokens generated with the
   wrap call.  This call is equal in functionality to its byte array
   counterpart.  It will produce the message supplied in the peer
   application to the wrap call, verifying the embedded MIC.

   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP, whether confidentiality was applied to the message, and
   other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by wrap to provide "secure framing", implementations should support
   the wrapping and unwrapping of zero-length messages.

   Parameters:

      inStream:     Input stream containing the GSS-API wrap token
                    received from the peer.

      outStream:    The output stream to which to write the application
                    message.









Upadhyay & Malkani          Standards Track                    [Page 66]
^L
RFC 5653                  Java GSS-API Update                August 2009


      msgProp:      Upon return from the method, this object will
                    contain the applied QOP, the privacy state of the
                    message, and supplementary information, described in
                    section 5.12.3, stating whether the token was a
                    duplicate, old, out of sequence, or arriving after a
                    gap.

7.4.18.  getMIC

   public byte[] getMIC(byte[] inMsg, int offset, int len,
                        MessageProp msgProp) throws GSSException

   Returns a token containing a cryptographic MIC for the supplied
   message for transfer to the peer application.  Unlike wrap, which
   encapsulates the user message in the returned token, only the message
   MIC is returned in the output token.  This method is identical in
   functionality to its stream counterpart.

   Note that privacy can only be applied through the wrap call.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   derivation of MICs from zero-length messages.

   Parameters:

      inMsg:        Message over which to generate MIC.

      offset:       The offset within the inMsg where the token begins.

      len:          The length of the token within the inMsg (starting
                    at the offset).

      msgProp:      Instance of MessageProp that is used by the
                    application to set the desired QOP.  Set the desired
                    QOP to 0 in msgProp to request the default QOP.
                    Alternatively, pass in "null" for msgProp to request
                    default QOP.













Upadhyay & Malkani          Standards Track                    [Page 67]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.19.  getMIC

   public void getMIC(InputStream inStream, OutputStream outStream,
                      MessageProp msgProp) throws GSSException

   Produces a token containing a cryptographic MIC for the supplied
   message, for transfer to the peer application.  Unlike wrap, which
   encapsulates the user message in the returned token, only the message
   MIC is produced in the output token.  This method is identical in
   functionality to its byte array counterpart.

   Note that privacy can only be applied through the wrap call.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   derivation of MICs from zero-length messages.

   Parameters:

      inStream:     Input stream containing the message over which to
                    generate MIC.

      outStream:    Output stream to which to write the GSS-API output
                    token.

      msgProp:      Instance of MessageProp that is used by the
                    application to set the desired QOP.  Set the desired
                    QOP to 0 in msgProp to request the default QOP.
                    Alternatively, pass in "null" for msgProp to request
                    default QOP.

7.4.20.  verifyMIC

   public void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
                         byte[] inMsg, int msgOffset, int msgLen,
                         MessageProp msgProp) throws GSSException

   Verifies the cryptographic MIC, contained in the token parameter,
   over the supplied message.  This method is equivalent in
   functionality to its stream counterpart.

   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP indicating the strength of protection that was applied to
   the message and other supplementary message state information.






Upadhyay & Malkani          Standards Track                    [Page 68]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   the calculation and verification of MICs over zero-length messages.

   Parameters:

      inTok:        Token generated by peer's getMIC method.

      tokOffset:    The offset within the inTok where the token begins.

      tokLen:       The length of the token within the inTok (starting
                    at the offset).

      inMsg:        Application message over which to verify the
                    cryptographic MIC.

      msgOffset:    The offset within the inMsg where the message
                    begins.

      msgLen:       The length of the message within the inMsg (starting
                    at the offset).

      msgProp:      Upon return from the method, this object will
                    contain the applied QOP and supplementary
                    information, described in section 5.12.3, stating
                    whether the token was a duplicate, old, out of
                    sequence, or arriving after a gap.  The
                    confidentiality state will be set to "false".

7.4.21.  verifyMIC

   public void verifyMIC(InputStream tokStream, InputStream msgStream,
                         MessageProp msgProp) throws GSSException

   Verifies the cryptographic MIC, contained in the token parameter,
   over the supplied message.  This method is equivalent in
   functionality to its byte array counterpart.

   The MessageProp object is instantiated by the application and is used
   by the underlying mechanism to return information to the caller such
   as the QOP indicating the strength of protection that was applied to
   the message and other supplementary message state information.

   Since some application-level protocols may wish to use tokens emitted
   by getMIC to provide "secure framing", implementations should support
   the calculation and verification of MICs over zero-length messages.





Upadhyay & Malkani          Standards Track                    [Page 69]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Parameters:

      tokStream:    Input stream containing the token generated by the
                    peer's getMIC method.

      msgStream:    Input stream containing the application message over
                    which to verify the cryptographic MIC.

      msgProp:      Upon return from the method, this object will
                    contain the applied QOP and supplementary
                    information, described in section 5.12.3, stating
                    whether the token was a duplicate, old, out of
                    sequence, or arriving after a gap.  The
                    confidentiality state will be set to "false".

7.4.22.  export

   public byte[] export() throws GSSException

   Provided to support the sharing of work between multiple processes.
   This routine will typically be used by the context acceptor, in an
   application where a single process receives incoming connection
   requests and accepts security contexts over them, then passes the
   established context to one or more other processes for message
   exchange.

   This method deactivates the security context and creates an inter-
   process token which, when passed to the byte array constructor of the
   GSSContext interface in another process, will re-activate the context
   in the second process.  Only a single instantiation of a given
   context may be active at any one time; a subsequent attempt by a
   context exporter to access the exported security context will fail.

   The implementation may constrain the set of processes by which the
   inter-process token may be imported, either as a function of local
   security policy, or as a result of implementation decisions.  For
   example, some implementations may constrain contexts to be passed
   only between processes that run under the same account, or which are
   part of the same process group.

   The inter-process token may contain security-sensitive information
   (for example, cryptographic keys).  While mechanisms are encouraged
   to either avoid placing such sensitive information within inter-
   process tokens or to encrypt the token before returning it to the
   application, in a typical GSS-API implementation, this may not be
   possible.  Thus, the application must take care to protect the
   inter-process token, and ensure that any process to which the token
   is transferred is trustworthy.



Upadhyay & Malkani          Standards Track                    [Page 70]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.23.  requestMutualAuth

   public void requestMutualAuth(boolean state) throws GSSException

   Sets the request state of the mutual authentication flag for the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

      state:        Boolean representing if mutual authentication should
                    be requested during context establishment.

7.4.24.  requestReplayDet

   public void requestReplayDet(boolean state) throws GSSException

   Sets the request state of the replay detection service for the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

      state:        Boolean representing if replay detection is desired
                    over the established context.

7.4.25.  requestSequenceDet

   public void requestSequenceDet(boolean state) throws GSSException

   Sets the request state for the sequence checking service of the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.

   Parameters:

      state:        Boolean representing if sequence detection is
                    desired over the established context.

7.4.26.  requestCredDeleg

   public void requestCredDeleg(boolean state) throws GSSException

   Sets the request state for the credential delegation flag for the
   context.  This method is only valid before the context creation
   process begins and only for the initiator.





Upadhyay & Malkani          Standards Track                    [Page 71]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Parameters:

      state:        Boolean representing if credential delegation is
                    desired.

7.4.27.  requestAnonymity

   public void requestAnonymity(boolean state) throws GSSException

   Requests anonymous support over the context.  This method is only
   valid before the context creation process begins and only for the
   initiator.

   Parameters:

      state:        Boolean representing if anonymity support is
                    requested.

7.4.28.  requestConf

   public void requestConf(boolean state) throws GSSException

   Requests that confidentiality service be available over the context.
   This method is only valid before the context creation process begins
   and only for the initiator.

   Parameters:

      state:        Boolean indicating if confidentiality services are
                    to be requested for the context.

7.4.29.  requestInteg

   public void requestInteg(boolean state) throws GSSException

   Requests that integrity services be available over the context.  This
   method is only valid before the context creation process begins and
   only for the initiator.

   Parameters:

      state:        Boolean indicating if integrity services are to be
                    requested for the context.








Upadhyay & Malkani          Standards Track                    [Page 72]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.30.  requestLifetime

   public void requestLifetime(int lifetime) throws GSSException

   Sets the desired lifetime for the context in seconds.  This method is
   only valid before the context creation process begins and only for
   the initiator.  Use GSSContext.INDEFINITE_LIFETIME and
   GSSContext.DEFAULT_LIFETIME to request indefinite or default context
   lifetime.

   Parameters:

      lifetime:     The desired context lifetime in seconds.

7.4.31.  setChannelBinding

   public void setChannelBinding(ChannelBinding cb) throws GSSException

   Sets the channel bindings to be used during context establishment.
   This method is only valid before the context creation process begins.

   Parameters:

      cb:           Channel bindings to be used.

7.4.32.  getCredDelegState

   public boolean getCredDelegState()

   Returns the state of the delegated credentials for the context.  When
   issued before context establishment is completed or when the
   isProtReady method returns "false", it returns the desired state;
   otherwise, it will indicate the actual state over the established
   context.

7.4.33.  getMutualAuthState

   public boolean getMutualAuthState()

   Returns the state of the mutual authentication option for the
   context.  When issued before context establishment completes or when
   the isProtReady method returns "false", it returns the desired state;
   otherwise, it will indicate the actual state over the established
   context.







Upadhyay & Malkani          Standards Track                    [Page 73]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.34.  getReplayDetState

   public boolean getReplayDetState()

   Returns the state of the replay detection option for the context.
   When issued before context establishment completes or when the
   isProtReady method returns "false", it returns the desired state;
   otherwise, it will indicate the actual state over the established
   context.

7.4.35.  getSequenceDetState

   public boolean getSequenceDetState()

   Returns the state of the sequence detection option for the context.
   When issued before context establishment completes or when the
   isProtReady method returns "false", it returns the desired state;
   otherwise, it will indicate the actual state over the established
   context.

7.4.36.  getAnonymityState

   public boolean getAnonymityState()

   Returns "true" if this is an anonymous context.  When issued before
   context establishment completes or when the isProtReady method
   returns "false", it returns the desired state; otherwise, it will
   indicate the actual state over the established context.

7.4.37.  isTransferable

   public boolean isTransferable() throws GSSException

   Returns "true" if the context is transferable to other processes
   through the use of the export method.  This call is only valid on
   fully established contexts.

7.4.38.  isProtReady

   public boolean isProtReady()

   Returns "true" if the per-message operations can be applied over the
   context.  Some mechanisms may allow the usage of per-message
   operations before the context is fully established.  This will also
   indicate that the get methods will return actual context state
   characteristics instead of the desired ones.





Upadhyay & Malkani          Standards Track                    [Page 74]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.39.  getConfState

   public boolean getConfState()

   Returns the confidentiality service state over the context.  When
   issued before context establishment completes or when the isProtReady
   method returns "false", it returns the desired state; otherwise, it
   will indicate the actual state over the established context.

7.4.40.  getIntegState

   public boolean getIntegState()

   Returns the integrity service state over the context.  When issued
   before context establishment completes or when the isProtReady method
   returns "false", it returns the desired state; otherwise, it will
   indicate the actual state over the established context.

7.4.41.  getLifetime

   public int getLifetime()

   Returns the context lifetime in seconds.  When issued before context
   establishment completes or when the isProtReady method returns
   "false", it returns the desired lifetime; otherwise, it will indicate
   the remaining lifetime for the context.

7.4.42.  getSrcName

   public GSSName getSrcName() throws GSSException

   Returns the name of the context initiator.  This call is valid only
   after the context is fully established or the isProtReady method
   returns "true".  It is guaranteed to return an MN.

7.4.43.  getTargName

   public GSSName getTargName() throws GSSException

   Returns the name of the context target (acceptor).  This call is
   valid only after the context is fully established or the isProtReady
   method returns "true".  It is guaranteed to return an MN.









Upadhyay & Malkani          Standards Track                    [Page 75]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.4.44.  getMech

   public Oid getMech() throws GSSException

   Returns the mechanism oid for this context.  This method may be
   called before the context is fully established, but the mechanism
   returned may change on successive calls in negotiated mechanism case.

7.4.45.  getDelegCred

   public GSSCredential getDelegCred() throws GSSException

   Returns the delegated credential object on the acceptor's side.  To
   check for availability of delegated credentials call
   getDelegCredState.  This call is only valid on fully established
   contexts.

7.4.46.  isInitiator

   public boolean isInitiator() throws GSSException

   Returns "true" if this is the initiator of the context.  This call is
   only valid after the context creation process has started.

7.5.  public class MessageProp

   This is a utility class used within the per-message GSSContext
   methods to convey per-message properties.

   When used with the GSSContext interface's wrap and getMIC methods, an
   instance of this class is used to indicate the desired QOP and to
   request if confidentiality services are to be applied to caller
   supplied data (wrap only).  To request default QOP, the value of 0
   should be used for QOP.

   When used with the unwrap and verifyMIC methods of the GSSContext
   interface, an instance of this class will be used to indicate the
   applied QOP and confidentiality services over the supplied message.
   In the case of verifyMIC, the confidentiality state will always be
   "false".  Upon return from these methods, this object will also
   contain any supplementary status values applicable to the processed
   token.  The supplementary status values can indicate old tokens, out
   of sequence tokens, gap tokens, or duplicate tokens.








Upadhyay & Malkani          Standards Track                    [Page 76]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.5.1.  Constructors

   public MessageProp(boolean privState)

   Constructor that sets QOP to 0 indicating that the default QOP is
   requested.

   Parameters:

      privState:    The desired privacy state. "true" for privacy and
                    "false" for integrity only.

   public MessageProp(int qop, boolean privState)

   Constructor that sets the values for the qop and privacy state.

   Parameters:

      qop:          The desired QOP.  Use 0 to request a default QOP.

      privState:    The desired privacy state. "true" for privacy and
                    "false" for integrity only.

7.5.2.  getQOP

   public int getQOP()

   Retrieves the QOP value.

7.5.3.  getPrivacy

   public boolean getPrivacy()

   Retrieves the privacy state.

7.5.4.  getMinorStatus

   public int getMinorStatus()

   Retrieves the minor status that the underlying mechanism might have
   set.

7.5.5.  getMinorString

   public String getMinorString()

   Returns a string explaining the mechanism-specific error code. "null"
   will be returned when no mechanism error code has been set.



Upadhyay & Malkani          Standards Track                    [Page 77]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.5.6.  setQOP

   public void setQOP(int qopVal)

   Sets the QOP value.

   Parameters:

      qopVal:       The QOP value to be set.  Use 0 to request a default
                    QOP value.

7.5.7.  setPrivacy

   public void setPrivacy(boolean privState)

   Sets the privacy state.

   Parameters:

      privState:    The privacy state to set.

7.5.8.  isDuplicateToken

   public boolean isDuplicateToken()

   Returns "true" if this is a duplicate of an earlier token.

7.5.9.  isOldToken

   public boolean isOldToken()

   Returns "true" if the token's validity period has expired.

7.5.10.  isUnseqToken

   public boolean isUnseqToken()

   Returns "true" if a later token has already been processed.

7.5.11.  isGapToken

   public boolean isGapToken()

   Returns "true" if an expected per-message token was not received.







Upadhyay & Malkani          Standards Track                    [Page 78]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.5.12.  setSupplementaryStates

   public void setSupplementaryStates(boolean duplicate,
                  boolean old, boolean unseq, boolean gap,
                  int minorStatus, String minorString)

   This method sets the state for the supplementary information flags
   and the minor status in MessageProp.  It is not used by the
   application but by the GSS implementation to return this information
   to the caller of a per-message context method.

   Parameters:

      duplicate:    "true" if the token was a duplicate of an earlier
                    token; otherwise, "false".

      old:          "true" if the token's validity period has expired;
                    otherwise, "false".

      unseq:        "true" if a later token has already been processed;
                    otherwise, "false".

      gap:          "true" if one or more predecessor tokens have not
                    yet been successfully processed; otherwise, "false".

      minorStatus:  The integer minor status code that the underlying
                    mechanism wants to set.

      minorString:  The textual representation of the minorStatus value.

7.6.  public class ChannelBinding

   The GSS-API accommodates the concept of caller-provided channel
   binding information.  Channel bindings are used to strengthen the
   quality with which peer entity authentication is provided during
   context establishment.  They enable the GSS-API callers to bind the
   establishment of the security context to relevant characteristics
   like addresses or to application-specific data.

   The caller initiating the security context must determine the
   appropriate channel binding values to set in the GSSContext object.
   The acceptor must provide an identical binding in order to validate
   that received tokens possess correct channel-related characteristics.

   Use of channel bindings is optional in GSS-API.  Since channel-
   binding information may be transmitted in context establishment
   tokens, applications should therefore not use confidential data as
   channel-binding components.



Upadhyay & Malkani          Standards Track                    [Page 79]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.6.1.  Constructors

   public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr,
                         byte[] appData)

   Create a ChannelBinding object with user-supplied address information
   and data. "null" values can be used for any fields that the
   application does not want to specify.

   Parameters:

      initAddr:     The address of the context initiator. "null" value
                    can be supplied to indicate that the application
                    does not want to set this value.

      acceptAddr:   The address of the context acceptor. "null" value
                    can be supplied to indicate that the application
                    does not want to set this value.

      appData:      Application-supplied data to be used as part of the
                    channel bindings. "null" value can be supplied to
                    indicate that the application does not want to set
                    this value.

   public ChannelBinding(byte[] appData)

   Creates a ChannelBinding object without any addressing information.

   Parameters:

      appData:      Application supplied data to be used as part of the
                    channel bindings.

7.6.2.  getInitiatorAddress

   public InetAddress getInitiatorAddress()

   Returns the initiator's address for this channel binding. "null" is
   returned if the address has not been set.

7.6.3.  getAcceptorAddress

   public InetAddress getAcceptorAddress()

   Returns the acceptor's address for this channel binding. "null" is
   returned if the address has not been set.





Upadhyay & Malkani          Standards Track                    [Page 80]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.6.4.  getApplicationData

   public byte[] getApplicationData()

   Returns application data being used as part of the ChannelBinding.
   "null" is returned if no application data has been specified for the
   channel binding.

7.6.5.  equals

   public boolean equals(Object obj)

   Returns "true" if two channel bindings match.  (Note that the Java
   language specification requires that two objects that are equal
   according to the equals(Object) method must return the same integer
   result when the hashCode() method is called on them.)

   Parameters:

      obj:          Another channel binding with which to compare.

7.7.  public class Oid

   This class represents Universal Object Identifiers (Oids) and their
   associated operations.

   Oids are hierarchically globally interpretable identifiers used
   within the GSS-API framework to identify mechanisms and name formats.

   The structure and encoding of Oids is defined in ISOIEC-8824 and
   ISOIEC-8825.  For example, the Oid representation of the Kerberos v5
   mechanism is "1.2.840.113554.1.2.2".

   The GSSName name class contains public static Oid objects
   representing the standard name types defined in GSS-API.

7.7.1.  Constructors

   public Oid(String strOid) throws GSSException

   Creates an Oid object from a string representation of its integer
   components (e.g., "1.2.840.113554.1.2.2").

   Parameters:

      strOid:       The string representation for the oid.

   public Oid(InputStream derOid) throws GSSException



Upadhyay & Malkani          Standards Track                    [Page 81]
^L
RFC 5653                  Java GSS-API Update                August 2009


   Creates an Oid object from its DER encoding.  This refers to the full
   encoding including tag and length.  The structure and encoding of
   Oids is defined in ISOIEC-8824 and ISOIEC-8825.  This method is
   identical in functionality to its byte array counterpart.

   Parameters:

      derOid:       Stream containing the DER-encoded oid.

   public Oid(byte[] DEROid) throws GSSException

   Creates an Oid object from its DER encoding.  This refers to the full
   encoding including tag and length.  The structure and encoding of
   Oids is defined in ISOIEC-8824 and ISOIEC-8825.  This method is
   identical in functionality to its byte array counterpart.

   Parameters:

      derOid:       Byte array storing a DER-encoded oid.

7.7.2.  toString

   public String toString()

   Returns a string representation of the oid's integer components in
   dot separated notation (e.g., "1.2.840.113554.1.2.2").

7.7.3.  equals

   public boolean equals(Object Obj)

   Returns "true" if the two Oid objects represent the same oid value.
   (Note that the Java language specification [JLS] requires that two
   objects that are equal according to the equals(Object) method must
   return the same integer result when the hashCode() method is called
   on them.)

   Parameters:

      obj:          Another Oid object with which to compare.

7.7.4.  getDER

   public byte[] getDER()

   Returns the full ASN.1 DER encoding for this oid object, which
   includes the tag and length.




Upadhyay & Malkani          Standards Track                    [Page 82]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.7.5.  containedIn

   public boolean containedIn(Oid[] oids)

   A utility method to test if an Oid object is contained within the
   supplied Oid object array.

   Parameters:

      oids:         An array of oids to search.

7.8.  public class GSSException extends Exception

   This exception is thrown whenever a fatal GSS-API error occurs
   including mechanism-specific errors.  It may contain both, the major
   and minor, GSS-API status codes.  The mechanism implementors are
   responsible for setting appropriate minor status codes when throwing
   this exception.  Aside from delivering the numeric error code(s) to
   the caller, this class performs the mapping from their numeric values
   to textual representations.  All Java GSS-API methods are declared
   throwing this exception.

   All implementations are encouraged to use the Java
   internationalization techniques to provide local translations of the
   message strings.

7.8.1.  Static Constants

   All valid major GSS-API error code values are declared as constants
   in this class.

   public static final int BAD_BINDINGS

   Channel bindings mismatch error.  The value of this constant is 1.

   public static final int BAD_MECH

   Unsupported mechanism requested error.  The value of this constant is
   2.

   public static final int BAD_NAME

   Invalid name provided error.  The value of this constant is 3.

   public static final int BAD_NAMETYPE

   Name of unsupported type provided error.  The value of this constant
   is 4.



Upadhyay & Malkani          Standards Track                    [Page 83]
^L
RFC 5653                  Java GSS-API Update                August 2009


   public static final int BAD_STATUS

   Invalid status code error - this is the default status value.  The
   value of this constant is 5.

   public static final int BAD_MIC

   Token had invalid integrity check error.  The value of this constant
   is 6.

   public static final int CONTEXT_EXPIRED

   Specified security context expired error.  The value of this constant
   is 7.

   public static final int CREDENTIALS_EXPIRED

   Expired credentials detected error.  The value of this constant is 8.

   public static final int DEFECTIVE_CREDENTIAL

   Defective credential error.  The value of this constant is 9.

   public static final int DEFECTIVE_TOKEN

   Defective token error.  The value of this constant is 10.

   public static final int FAILURE

   General failure, unspecified at GSS-API level.  The value of this
   constant is 11.

   public static final int NO_CONTEXT

   Invalid security context error.  The value of this constant is 12.

   public static final int NO_CRED

   Invalid credentials error.  The value of this constant is 13.

   public static final int BAD_QOP

   Unsupported QOP value error.  The value of this constant is 14.

   public static final int UNAUTHORIZED

   Operation unauthorized error.  The value of this constant is 15.




Upadhyay & Malkani          Standards Track                    [Page 84]
^L
RFC 5653                  Java GSS-API Update                August 2009


   public static final int UNAVAILABLE

   Operation unavailable error.  The value of this constant is 16.

   public static final int DUPLICATE_ELEMENT

   Duplicate credential element requested error.  The value of this
   constant is 17.

   public static final int NAME_NOT_MN

   Name contains multi-mechanism elements error.  The value of this
   constant is 18.

   public static final int DUPLICATE_TOKEN

   The token was a duplicate of an earlier token.  This is contained in
   an exception only when detected during context establishment, in
   which case it is considered a fatal error.  (Non-fatal supplementary
   codes are indicated via the MessageProp object.)  The value of this
   constant is 19.

   public static final int OLD_TOKEN

   The token's validity period has expired.  This is contained in an
   exception only when detected during context establishment, in which
   case it is considered a fatal error.  (Non-fatal supplementary codes
   are indicated via the MessageProp object.)  The value of this
   constant is 20.

   public static final int UNSEQ_TOKEN

   A later token has already been processed.  This is contained in an
   exception only when detected during context establishment, in which
   case it is considered a fatal error.  (Non-fatal supplementary codes
   are indicated via the MessageProp object.)  The value of this
   constant is 21.

   public static final int GAP_TOKEN

   An expected per-message token was not received.  This is contained in
   an exception only when detected during context establishment, in
   which case it is considered a fatal error.  (Non-fatal supplementary
   codes are indicated via the MessageProp object.)  The value of this
   constant is 22.






Upadhyay & Malkani          Standards Track                    [Page 85]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.8.2.  Constructors

   public GSSException(int majorCode)

   Creates a GSSException object with a specified major code.

   Parameters:

      majorCode:    The GSS error code causing this exception to be
                    thrown.

   public GSSException(int majorCode, int minorCode, String minorString)

   Creates a GSSException object with the specified major code, minor
   code, and minor code textual explanation.  This constructor is to be
   used when the exception is originating from the security mechanism.
   It allows to specify the GSS code and the mechanism code.

   Parameters:

      majorCode:    The GSS error code causing this exception to be
                    thrown.

      minorCode:    The mechanism error code causing this exception to
                    be thrown.

      minorString:  The textual explanation of the mechanism error code.

7.8.3.  getMajor

   public int getMajor()

   Returns the major code representing the GSS error code that caused
   this exception to be thrown.

7.8.4.  getMinor

   public int getMinor()

   Returns the mechanism error code that caused this exception.  The
   minor code is set by the underlying mechanism.  Value of 0 indicates
   that mechanism error code is not set.









Upadhyay & Malkani          Standards Track                    [Page 86]
^L
RFC 5653                  Java GSS-API Update                August 2009


7.8.5.  getMajorString

   public String getMajorString()

   Returns a string explaining the GSS major error code causing this
   exception to be thrown.

7.8.6.  getMinorString

   public String getMinorString()

   Returns a string explaining the mechanism-specific error code. "null"
   will be returned when no mechanism error code has been set.

7.8.7.  setMinor

   public void setMinor(int minorCode, String message)

   Used internally by the GSS-API implementation and the underlying
   mechanisms to set the minor code and its textual representation.

   Parameters:

      minorCode:    The mechanism-specific error code.

      message:      A textual explanation of the mechanism error code.

7.8.8.  toString

   public String toString()

   Returns a textual representation of both the major and minor status
   codes.

7.8.9.  getMessage

   public String getMessage()

   Returns a detailed message of this exception.  Overrides
   Throwable.getMessage.  It is customary in Java to use this method to
   obtain exception information.










Upadhyay & Malkani          Standards Track                    [Page 87]
^L
RFC 5653                  Java GSS-API Update                August 2009


8.  Sample Applications

8.1.  Simple GSS Context Initiator

      import org.ietf.jgss.*;

      /**
       * This is a partial sketch for a simple client program that acts
       * as a GSS context initiator.  It illustrates how to use the Java
       * bindings for the GSS-API specified in
       * Generic Security Service API Version 2 : Java bindings
       *
       *
       * This code sketch assumes the existence of a GSS-API
       * implementation that supports the mechanism that it will need
       * and is present as a library package (org.ietf.jgss) either as
       * part of the standard JRE or in the CLASSPATH the application
       * specifies.
       */

       public class SimpleClient {

           private String serviceName; // name of peer (i.e., server)
           private GSSCredential clientCred = null;
           private GSSContext context = null;
           private Oid mech; // underlying mechanism to use

           private GSSManager mgr = GSSManager.getInstance();

           ...
           ...

           private void clientActions() {
               initializeGSS();
               establishContext();
               doCommunication();
           }

          /**
           * Acquire credentials for the client.
           */
           private void initializeGSS() {

             try {

               clientCred = mgr.createCredential(null /*default princ*/,
                   GSSCredential.INDEFINITE_LIFETIME /* max lifetime */,
                   mech /* mechanism to use */,



Upadhyay & Malkani          Standards Track                    [Page 88]
^L
RFC 5653                  Java GSS-API Update                August 2009


                   GSSCredential.INITIATE_ONLY /* init context */);

               print("GSSCredential created for " +
                        cred.getName().toString());
               print("Credential lifetime (sec)=" +
                        cred.getRemainingLifetime());
              } catch (GSSException e) {
                  print("GSS-API error in credential acquisition: "
                        + e.getMessage());
                      ...
                      ...
              }

              ...
              ...
            }

           /**
            * Does the security context establishment with the
            * server.
            */
            private void establishContext() {

                byte[] inToken = new byte[0];
                byte[] outToken = null;

              try {

                   GSSName peer = mgr.createName(serviceName,
                                          GSSName.NT_HOSTBASED_SERVICE);
                   context = mgr.createContext(peer, mech, gssCred,
                          GSSContext.INDEFINITE_LIFETIME/*lifetime*/);

                   // Will need to support confidentiality
                   context.requestConf(true);

                   while (!context.isEstablished()) {

                      outToken = context.initSecContext(inToken, 0,
                                                        inToken.length);

                      if (outToken != null)
                          writeGSSToken(outToken);

                      if (!context.isEstablished())
                          inToken = readGSSToken();
                   }




Upadhyay & Malkani          Standards Track                    [Page 89]
^L
RFC 5653                  Java GSS-API Update                August 2009


                   GSSName peer = context.getSrcName();
                   print("Security context established with " + peer +
                     " using underlying mechanism " + mech.toString());
              } catch (GSSException e) {
                   print("GSS-API error during context establishment: "
                         + e.getMessage());
                   ...
                   ...
              }

              ...
              ...
          }

          /**
           * Sends some data to the server and reads back the
           * response.
           */
          private void doCommunication()  {
                 byte[] inToken = null;
                 byte[] outToken = null;
                 byte[] buffer;

                 // Container for multiple input-output arguments to and
                 // from the per-message routines (e.g., wrap/unwrap).
                 MessageProp messgInfo = new MessageProp();

                 try {

                      /*
                       * Now send some bytes to the server to be
                       * processed.  They will be integrity protected
                       * but not encrypted for privacy.
                       */

                      buffer = readFromFile();

                      // Set privacy to "false" and use the default QOP
                      messgInfo.setPrivacy(false);

                      outToken = context.wrap(buffer, 0, buffer.length,
                                              messgInfo);

                      writeGSSToken(outToken);

                      /*
                       * Now read the response from the server.
                       */



Upadhyay & Malkani          Standards Track                    [Page 90]
^L
RFC 5653                  Java GSS-API Update                August 2009


                      inToken = readGSSToken();
                      buffer = context.unwrap(inToken, 0,
                                    inToken.length, messgInfo);
                      // All ok if no exception was thrown!

                      GSSName peer = context.getSrcName();

                      print("Message from "  + peer.toString()
                            + " arrived.");
                      print("Was it encrypted? "  +
                            messgInfo.getPrivacy());
                      print("Duplicate Token? "   +
                            messgInfo.isDuplicateToken());
                      print("Old Token? "         +
                            messgInfo.isOldToken());
                      print("Unsequenced Token? " +
                            messgInfo.isUnseqToken());
                      print("Gap Token? "         +
                            messgInfo.isGapToken());

                      ...
                      ...

                  } catch (GSSException e) {
                      print("GSS-API error in per-message calls: "
                            + e.getMessage());
                      ...
                      ...

                }

                  ...

                  ...

          } // end of doCommunication method

          ...
          ...

      } // end of class SimpleClient










Upadhyay & Malkani          Standards Track                    [Page 91]
^L
RFC 5653                  Java GSS-API Update                August 2009


8.2.  Simple GSS Context Acceptor

      import org.ietf.jgss.*;

      /**
       * This is a partial sketch for a simple server program that acts
       * as a GSS context acceptor.  It illustrates how to use the Java
       * bindings for the GSS-API specified in
       * Generic Security Service API Version 2 : Java bindings.
       *
       * This code sketch assumes the existence of a GSS-API
       * implementation that supports the mechanisms that it will need
       * and is present as a library package (org.ietf.jgss) either as
       * part of the standard JRE or in the CLASSPATH the application
       * specifies.
       */

      import org.ietf.jgss.*;

      public class SimpleServer {

           private String serviceName;
           private GSSName name;
           private GSSCredential cred;

           private GSSManager mgr;

           ...
           ...

           /**
            * Wait for client connections, establish security contexts
            * and provide service.
            */
              private void loop() {

              ...
              ...

              mgr = GSSManager.getInstance();

              name = mgr.createName(serviceName,
                        GSSName.NT_HOSTBASED_SERVICE);

              cred = mgr.createCredential(name,
                        GSSCredential.INDEFINITE_LIFETIME,
                        null,
                        GSSCredential.ACCEPT_ONLY);



Upadhyay & Malkani          Standards Track                    [Page 92]
^L
RFC 5653                  Java GSS-API Update                August 2009


              // Loop infinitely
              while (true) {

                   Socket s = serverSock.accept();

                   // Start a new thread to serve this connection
                   Thread serverThread = new ServerThread(s);
                   serverThread.start();

              }
          }

          /**
           * Inner class ServerThread whose run() method provides the
           * secure service to a connection.
           */

          private class ServerThread extends Thread {

          ...
          ...

              /**
               * Deals with the connection from one client.  It also
               * handles all GSSException's thrown while talking to
               * this client.
               */
              public void run() {

                   byte[] inToken = null;
                   byte[] outToken = null;
                   byte[] buffer;

                   GSSName peer;

                   // Container for multiple input-output arguments to
                   // and from the per-message routines
                   // (i.e., wrap/unwrap).
                   MessageProp supplInfo = new MessageProp();
                   GSSContext secContext = null;

                   try {


                      // Now do the context establishment loop

                      GSSContext context = mgr.createContext(cred);




Upadhyay & Malkani          Standards Track                    [Page 93]
^L
RFC 5653                  Java GSS-API Update                August 2009


                      while (!context.isEstablished()) {

                          inToken = readGSSToken();

                          outToken = context.acceptSecContext(inToken,
                                                   0, inToken.length);

                          if (outToken != null)
                              writeGSSToken(outToken);

                      }


                      // SimpleServer wants confidentiality to be
                      // available.  Check for it.
                      if (!context.getConfState()){
                          ...
                          ...
                      }

                      GSSName peer = context.getSrcName();
                      Oid mech = context.getMech();
                      print("Security context established with " +
                             peer.toString() +
                            " using underlying mechanism " +
                            mech.toString() +
                            " from Provider " +
                            context.getProvider().getName());

                      // Now read the bytes sent by the client to be
                      // processed.
                      inToken = readGSSToken();

                      // Unwrap the message
                      buffer = context.unwrap(inToken, 0,
                                  inToken.length, supplInfo);
                      // All ok if no exception was thrown!

                      // Print other supplementary per-message status
                      // information.

                      print("Message from " +
                              peer.toString() + " arrived.");
                      print("Was it encrypted? " +
                              supplInfo.getPrivacy());
                      print("Duplicate Token? " +
                              supplInfo.isDuplicateToken());
                      print("Old Token? "  + supplInfo.isOldToken());



Upadhyay & Malkani          Standards Track                    [Page 94]
^L
RFC 5653                  Java GSS-API Update                August 2009


                      print("Unsequenced Token? " +
                              supplInfo.isUnseqToken());
                      print("Gap Token? "  + supplInfo.isGapToken());

                      /*
                       * Now process the bytes and send back an
                       * encrypted response.
                       */

                      buffer = serverProcess(buffer);

                      // Encipher it and send it across

                      supplInfo.setPrivacy(true); // privacy requested
                      supplInfo.setQOP(0); // default QOP
                      outToken = context.wrap(buffer, 0, buffer.length,
                                                 supplInfo);
                      writeGSSToken(outToken);

                  } catch (GSSException e) {
                      print("GSS-API Error: " + e.getMessage());
                      // Alternatively, could call e.getMajorMessage()
                      // and e.getMinorMessage()
                      print("Abandoning security context.");

                      ...
                      ...

                  }

                  ...
                  ...

              } // end of run method in ServerThread

           } // end of inner class ServerThread

           ...
           ...

          } // end of class SimpleServer










Upadhyay & Malkani          Standards Track                    [Page 95]
^L
RFC 5653                  Java GSS-API Update                August 2009


9.  Security Considerations

   The Java language security model allows platform providers to have
   policy-based fine-grained access control over any resource that an
   application wants.  When using a Java security manager (such as, but
   not limited to, the case of applets running in browsers) the
   application code is in a sandbox by default.

   Administrators of the platform JRE determine what permissions, if
   any, are to be given to source from different codebases.  Thus, the
   administrator has to be aware of any special requirements that the
   GSS provider might have for system resources.  For instance, a
   Kerberos provider might wish to make a network connection to the Key
   Distribution Center (KDC) to obtain initial credentials.  This would
   not be allowed under the sandbox unless the administrator had granted
   permissions for this.  Also, note that this granting and checking of
   permissions happens transparently to the application and is outside
   the scope of this document.

   The Java language allows administrators to pre-configure a list of
   security service providers in the <JRE>/lib/security/java.security
   file.  At runtime, the system approaches these providers in order of
   preference when looking for security related services.  Applications
   have a means to modify this list through methods in the "Security"
   class in the "java.security" package.  However, since these
   modifications would be visible in the entire Java Virtual Machine
   (JVM) and thus affect all code executing in it, this operation is not
   available in the sandbox and requires special permissions to perform.
   Thus, when a GSS application has special needs that are met by a
   particular security provider, it has two choices:

   1) To install the provider on a JVM-wide basis using the
      java.security.Security class and then depend on the system to find
      the right provider automatically when the need arises.  (This
      would require the application to be granted a "insertProvider
      SecurityPermission".)

   2) To pass an instance of the provider to the local instance of
      GSSManager so that only factory calls going through that
      GSSManager use the desired provider.  (This would not require any
      permissions.)

10.  Acknowledgments

   This proposed API leverages earlier work performed by the IETF's CAT
   WG as outlined in both RFC 2743 [GSSAPIv2-UPDATE] and RFC 2744
   [GSSAPI-Cbind].  Many conceptual definitions, implementation
   directions, and explanations have been included from these documents.



Upadhyay & Malkani          Standards Track                    [Page 96]
^L
RFC 5653                  Java GSS-API Update                August 2009


   We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael
   Saltz, and other members of Sun's development team for their helpful
   input, comments, and suggestions.

   We would also like to thank Joe Salowey, and Michael Smith for many
   insightful ideas and suggestions that have contributed to this
   document.

11.  Changes since RFC 2853

   This document has following changes:

   1) Major GSS Status Code Constant Values

      RFC 2853 listed all the GSS status code values in two different
      sections: section 4.12.1 defined numeric values for them, and
      section 6.8.1 defined them as static constants in the GSSException
      class without assigning any values.  Due to an inconsistent
      ordering between these two sections, all of the GSS major status
      codes resulted in misalignment, and a subsequent disagreement
      between deployed implementations.

      This document defines the numeric values of the GSS status codes
      in both sections, while maintaining the original ordering from
      section 6.8.1 of RFC 2853 [RFC2853], and obsoletes the GSS status
      code values defined in section 4.12.1.  The relevant sections in
      this document are sections 5.12.1 and 7.8.1.

   2) GSS Credential Usage Constant Values

      RFC 2853 section 6.3.2 defines static constants for the
      GSSCredential usage flags.  However, the values of these constants
      were not defined anywhere in RFC 2853 [RFC2853].

      This document defines the credential usage values in section
      7.3.2.  The original ordering of these values from section 6.3.2
      of RFC 2853 [RFC2853] is maintained.

   3) GSS Host-Based Service Name

      RFC 2853 [RFC2853], section 6.2.2, defines the static constant for
      the GSS host-based service OID NT_HOSTBASED_SERVICE, using a
      deprecated OID value.

      This document updates the NT_HOSTBASED_SERVICE OID value in
      section 7.2.2 to be consistent with the C-bindings in RFC 2744
      [GSSAPI-Cbind].




Upadhyay & Malkani          Standards Track                    [Page 97]
^L
RFC 5653                  Java GSS-API Update                August 2009


12.  References

12.1.  Normative References

   [GSSAPI-Cbind]
              Wray, J., "Generic Security Service API Version 2 :
              C-bindings", RFC 2744, January 2000.

   [GSSAPIv2-UPDATE]
              Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
              (SPKM)", RFC 2025, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2853]  Kabat, J. and M. Upadhyay, "Generic Security Service API
              Version 2 : Java Bindings", RFC 2853, June 2000.

   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
              Version 5 Generic Security Service Application Program
              Interface (GSS-API) Mechanism: Version 2", RFC 4121, July
              2005.

12.2.  Informative References

   [JLS]      Gosling, J., Joy, B., Steele, G., and G. Bracha "The Java
              Language Specification", Third Edition,
              http://java.sun.com/docs/books/jls/.




















Upadhyay & Malkani          Standards Track                    [Page 98]
^L
RFC 5653                  Java GSS-API Update                August 2009


Authors' Addresses

   Mayank D. Upadhyay
   Google Inc.
   1600 Amphitheatre Parkway
   Mountain View, CA  94043
   USA

   EMail: m.d.upadhyay+ietf@gmail.com


   Seema Malkani
   ActivIdentity Corp.
   6623 Dumbarton Circle
   Fremont, California 94555
   USA

   EMail: Seema.Malkani@gmail.com

































Upadhyay & Malkani          Standards Track                    [Page 99]
^L