Internet Engineering Task Force (IETF) S. Josefsson
Request for Comments: 6339 SJD AB
Category: Standards Track L. Hornquist Astrand
ISSN: 2070-1721 Apple, Inc.
August 2011
Internet Engineering Task Force (IETF) S. Josefsson
Request for Comments: 6339 SJD AB
Category: Standards Track L. Hornquist Astrand
ISSN: 2070-1721 Apple, Inc.
August 2011
Context Token Encapsulate/Decapsulate and OID Comparison Functions for the Generic Security Service Application Program Interface (GSS-API)
通用安全服务应用程序接口(GSS-API)的上下文令牌封装/解封和OID比较函数
Abstract
摘要
This document describes three abstract Generic Security Service Application Program Interface (GSS-API) interfaces used to encapsulate/decapsulate context tokens and compare OIDs. This document also specifies C bindings for the abstract interfaces.
本文档描述了三个抽象通用安全服务应用程序接口(GSS-API)接口,用于封装/解封上下文令牌和比较OID。本文档还指定了抽象接口的C绑定。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6339.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6339.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . . 2
3. GSS_Encapsulate_token Call . . . . . . . . . . . . . . . . . . 3
3.1. gss_encapsulate_token . . . . . . . . . . . . . . . . . . . 3
4. GSS_Decapsulate_token Call . . . . . . . . . . . . . . . . . . 4
4.1. gss_decapsulate_token . . . . . . . . . . . . . . . . . . . 5
5. GSS_OID_equal Call . . . . . . . . . . . . . . . . . . . . . . 6
5.1. gss_oid_equal . . . . . . . . . . . . . . . . . . . . . . . 6
6. Test Vector . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
9.2. Informative Reference . . . . . . . . . . . . . . . . . . . 8
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . . 2
3. GSS_Encapsulate_token Call . . . . . . . . . . . . . . . . . . 3
3.1. gss_encapsulate_token . . . . . . . . . . . . . . . . . . . 3
4. GSS_Decapsulate_token Call . . . . . . . . . . . . . . . . . . 4
4.1. gss_decapsulate_token . . . . . . . . . . . . . . . . . . . 5
5. GSS_OID_equal Call . . . . . . . . . . . . . . . . . . . . . . 6
5.1. gss_oid_equal . . . . . . . . . . . . . . . . . . . . . . . 6
6. Test Vector . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
9.2. Informative Reference . . . . . . . . . . . . . . . . . . . 8
The Generic Security Service Application Program Interface (GSS-API) [RFC2743] is a framework that provides security services to applications using a variety of authentication mechanisms. There are widely implemented C bindings [RFC2744] for the abstract interface.
通用安全服务应用程序接口(GSS-API)[RFC2743]是一个框架,它使用各种身份验证机制为应用程序提供安全服务。抽象接口有广泛实现的C绑定[RFC2744]。
For initial context tokens, a mechanism-independent token format may be used (see Section 3.1 of [RFC2743]). Some protocols, e.g., Simple Authentication and Security Layer (SASL) GS2 [RFC5801], need the ability to add and remove this token header, which contains some ASN.1 tags, a length, and the mechanism OID to and from context tokens. This document adds two GSS-API interfaces (GSS_Encapsulate_token and GSS_Decapsulate_token) so that GSS-API libraries can provide this functionality.
对于初始上下文令牌,可使用独立于机制的令牌格式(见[RFC2743]第3.1节)。一些协议,例如简单身份验证和安全层(SASL)GS2[RFC5801],需要能够添加和删除该令牌头,该令牌头包含一些ASN.1标记、长度以及与上下文令牌之间的机制OID。本文档添加了两个GSS-API接口(GSS_封装_令牌和GSS_去封装_令牌),以便GSS-API库可以提供此功能。
Being able to compare OIDs is useful, for example, when validating that a negotiated mechanism matches the requested one. This document adds one GSS-API interface (GSS_OID_equal) for this purpose.
例如,在验证协商机制是否与请求的机制匹配时,能够比较OID非常有用。本文档为此目的添加了一个GSS-API接口(GSS_OID_equal)。
Text from this specification can be used as implementation documentation, and for this reason, Sections 3, 4, 5, 6, and 8 should be considered code components.
本规范中的文本可用作实现文档,因此,第3、4、5、6和8节应视为代码组件。
The document uses terms from, and is structured in a similar way as, [RFC2743] and [RFC2744]. The normative reference to [RFC5587] is for the C types "gss_const_buffer_t" and "gss_const_OID"; nothing else from that document is required to implement this document.
本文件使用[RFC2743]和[RFC2744]中的术语,其结构与之类似。[RFC5587]的规范性参考适用于C类“gss_const_buffer_t”和“gss_const_OID”;执行本文件不需要该文件中的任何其他内容。
Inputs:
投入:
o input_token OCTET STRING -- buffer with token data to encapsulate
o input_token八位字节字符串——包含要封装的令牌数据的缓冲区
o token_oid OBJECT IDENTIFIER -- object identifier of mechanism for the token
o 令牌\ oid对象标识符--令牌机制的对象标识符
Outputs:
产出:
o major_status INTEGER
o 主状态整数
o output_token OCTET STRING -- Encapsulated token data; caller must release with GSS_Release_buffer()
o 输出_令牌八位字符串——封装的令牌数据;调用方必须使用GSS_release_buffer()释放
Return major_status codes:
返回主要_状态代码:
o GSS_S_COMPLETE indicates that completion was successful and that output parameters hold correct information.
o GSS_S_COMPLETE表示完成成功,并且输出参数包含正确的信息。
o GSS_S_FAILURE indicates that encapsulation failed for reasons unspecified at the GSS-API level.
o GSS_S_故障表示封装因GSS-API级别未指定的原因而失败。
GSS_Encapsulate_token() is used to add the mechanism-independent token header to GSS-API context token data.
GSS_enclosure_token()用于向GSS-API上下文令牌数据添加与机制无关的令牌头。
OM_uint32 gss_encapsulate_token ( gss_const_buffer_t input_token, gss_const_OID token_oid, gss_buffer_t output_token)
OM_uint32 gss_封装_令牌(gss_常量_缓冲区_t输入_令牌、gss_常量_id令牌、gss_缓冲区_t输出_令牌)
Purpose:
目的:
Add the mechanism-independent token header to GSS-API context token data.
将独立于机制的令牌头添加到GSS-API上下文令牌数据。
Parameters:
参数:
input_token buffer, opaque, read Buffer with GSS-API context token data.
输入\令牌缓冲区,不透明,读取缓冲区和GSS-API上下文令牌数据。
token_oid Object ID, read Object identifier of token.
令牌\ oid对象ID,读取令牌的对象标识符。
output_token buffer, opaque, modify Encapsulated token data; caller must release with gss_release_buffer().
输出令牌缓冲区,不透明,修改封装的令牌数据;调用方必须使用gss\u release\u buffer()释放。
Function values: GSS status codes
功能值:GSS状态代码
GSS_S_COMPLETE Indicates that completion was successful and that output parameters hold correct information.
GSS_S_COMPLETE表示完成成功,并且输出参数包含正确的信息。
GSS_S_FAILURE Indicates that encapsulation failed for reasons unspecified at the GSS-API level.
GSS_S_故障表示封装因GSS-API级别未指定的原因而失败。
Inputs:
投入:
o input_token OCTET STRING -- buffer with token to decapsulate
o input_token八位字节字符串--缓冲区,带要解除封装的令牌
o token_oid OBJECT IDENTIFIER -- expected object identifier of token
o 令牌\ oid对象标识符--令牌的预期对象标识符
Outputs:
产出:
o major_status INTEGER
o 主状态整数
o output_token OCTET STRING -- Decapsulated token data; caller must release with GSS_Release_buffer()
o 输出_令牌八位字节字符串——解除封装的令牌数据;调用方必须使用GSS_release_buffer()释放
Return major_status codes:
返回主要_状态代码:
o GSS_S_COMPLETE indicates that completion was successful and that output parameters hold correct information.
o GSS_S_COMPLETE表示完成成功,并且输出参数包含正确的信息。
o GSS_S_DEFECTIVE_TOKEN means that the token failed consistency checks (e.g., OID mismatch or ASN.1 DER length errors).
o GSS_S_缺陷_令牌表示令牌未通过一致性检查(例如,OID不匹配或ASN.1 DER长度错误)。
o GSS_S_FAILURE indicates that decapsulation failed for reasons unspecified at the GSS-API level.
o GSS_S_故障表示由于GSS-API级别未指定的原因,脱封失败。
GSS_Decapsulate_token() is used to remove the mechanism-independent token header from an initial GSS-API context token.
GSS_Decapsulate_token()用于从初始GSS-API上下文令牌中删除与机制无关的令牌头。
OM_uint32 gss_decapsulate_token ( gss_const_buffer_t input_token, gss_const_OID token_oid, gss_buffer_t output_token)
OM_uint32 gss_解封_令牌(gss_常量_缓冲区_t输入_令牌、gss_常量_id令牌、gss_缓冲区_t输出_令牌)
Purpose:
目的:
Remove the mechanism-independent token header from an initial GSS-API context token.
从初始GSS-API上下文令牌中删除独立于机制的令牌头。
Parameters:
参数:
input_token buffer, opaque, read Buffer with GSS-API context token.
输入令牌缓冲区,不透明,带GSS-API上下文令牌的读取缓冲区。
token_oid Object ID, read Expected object identifier of token.
令牌\ oid对象ID,读取令牌的预期对象标识符。
output_token buffer, opaque, modify Decapsulated token data; caller must release with gss_release_buffer().
输出_令牌缓冲区,不透明,修改未封装的令牌数据;调用方必须使用gss\u release\u buffer()释放。
Function values: GSS status codes
功能值:GSS状态代码
GSS_S_COMPLETE Indicates that completion was successful and that output parameters hold correct information.
GSS_S_COMPLETE表示完成成功,并且输出参数包含正确的信息。
GSS_S_DEFECTIVE_TOKEN Means that the token failed consistency checks (e.g., OID mismatch or ASN.1 DER length errors).
GSS_S_缺陷_令牌表示令牌未通过一致性检查(例如,OID不匹配或ASN.1 DER长度错误)。
GSS_S_FAILURE Indicates that decapsulation failed for reasons unspecified at the GSS-API level.
GSS_S_故障表示由于GSS-API级别未指定的原因,脱封失败。
Inputs:
投入:
o first_oid OBJECT IDENTIFIER -- first object identifier to compare
o 第一个对象标识符--要比较的第一个对象标识符
o second_oid OBJECT IDENTIFIER -- second object identifier to compare
o 第二个对象标识符--要比较的第二个对象标识符
Return codes:
返回代码:
o non-0 when neither OID is GSS_C_NO_OID and the two OIDs are equal.
o 当两个OID都不是GSS_C_NO_OID且两个OID相等时,为非0。
o 0 when the two OIDs are not identical or either OID is equal to GSS_C_NO_OID.
o 当两个OID不相同或任一OID等于GSS_C_NO_OID时为0。
GSS_OID_equal() is used to add compare two OIDs for equality. The value GSS_C_NO_OID will not match any OID, including GSS_C_NO_OID itself.
GSS_OID_equal()用于添加比较两个OID是否相等。值GSS_C_NO_OID与任何OID都不匹配,包括GSS_C_NO_OID本身。
extern int gss_oid_equal ( gss_const_OID first_oid, gss_const_OID second_oid )
外部内部gss_oid_相等(gss_常数_oid第一个,gss_常数_oid第二个)
Purpose:
目的:
Compare two OIDs for equality. The value GSS_C_NO_OID will not match any OID, including GSS_C_NO_OID itself.
比较两个OID是否相等。值GSS_C_NO_OID与任何OID都不匹配,包括GSS_C_NO_OID本身。
Parameters:
参数:
first_oid Object ID, read First object identifier to compare.
第一个对象ID,读取要比较的第一个对象标识符。
second_oid Object ID, read Second object identifier to compare.
第二个对象ID,读取第二个对象标识符进行比较。
Function values: GSS status codes
功能值:GSS状态代码
non-0 Neither OID is GSS_C_NO_OID, and the two OIDs are equal.
non-0 NORE OID是GSS_C_NO_OID,且两个OID相等。
0 The two OIDs are not identical, or either OID is equal to GSS_C_NO_OID.
0两个OID不相同,或者任一OID等于GSS_C_NO_OID。
For the GSS_Encapsulate_token function, if the "input_token" buffer is the 3-byte octet sequence "foo" and the "token_oid" OID is 1.2.840.113554.1.2.2, which encoded corresponds to the 9-byte-long octet sequence (using C notation) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", the output should be the 16-byte-long octet sequence (again in C notation) "\x60\x0e\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x66\x6f\x6f". These values may also be used to test the GSS_Decapsulate_token interface.
对于GSS_封装_令牌函数,如果“输入_令牌”缓冲区是3字节八位字节序列“foo”,而“令牌_oid”oid是1.2.840.113554.1.2.2,其编码对应于9字节长的八位字节序列(使用C表示法)“\x2a\x86\x48\x86\xf7\x12\x01\x02\x02”,则输出应该是16字节长的八位字节序列(同样使用C表示法)“\x60\x0e\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x66\x6f\x6f”。这些值也可用于测试GSS_去封装\u令牌接口。
Greg Hudson pointed out the 'const' problem with the C bindings in earlier versions of this document, and Luke Howard suggested to resolve it by using the [RFC5587] types. Stephen Farrell suggested several editorial improvements and the security consideration regarding absent security features of the encapsulation function. Chris Lonvick suggested some improvements.
Greg Hudson指出了本文档早期版本中C绑定的“const”问题,Luke Howard建议使用[RFC5587]类型来解决这个问题。Stephen Farrell针对封装函数缺少的安全特性提出了一些编辑改进和安全考虑。克里斯·朗维克提出了一些改进建议。
The security considerations of the base GSS-API specification ([RFC2743]) and the base C bindings ([RFC2744]) are inherited.
基本GSS-API规范([RFC2743])和基本C绑定([RFC2744])的安全注意事项是继承的。
Encapsulation of data does not provide any kind of integrity or confidentiality.
数据封装不提供任何类型的完整性或机密性。
Implementations need to treat input as potentially untrustworthy for purposes of dereferencing memory objects to avoid security vulnerabilities. In particular, ASN.1 DER length fields are a common source of mistakes.
为了解除对内存对象的引用以避免安全漏洞,实现需要将输入视为可能不可信。特别是,ASN.1顺序长度字段是常见的错误源。
[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2743]Linn,J.,“通用安全服务应用程序接口版本2,更新1”,RFC 2743,2000年1月。
[RFC2744] Wray, J., "Generic Security Service API Version 2 : C-bindings", RFC 2744, January 2000.
[RFC2744]Wray,J.,“通用安全服务API第2版:C-绑定”,RFC 2744,2000年1月。
[RFC5587] Williams, N., "Extended Generic Security Service Mechanism Inquiry APIs", RFC 5587, July 2009.
[RFC5587]Williams,N.,“扩展通用安全服务机制查询API”,RFC5587,2009年7月。
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family", RFC 5801, July 2010.
[RFC5801]Josefsson,S.和N.Williams,“在简单身份验证和安全层(SASL)中使用通用安全服务应用程序接口(GSS-API)机制:GS2机制系列”,RFC 58012010年7月。
Authors' Addresses
作者地址
Simon Josefsson SJD AB Hagagatan 24 Stockholm 113 47 SE
西蒙·约瑟夫松SJD AB哈加坦24斯德哥尔摩113 47东南
EMail: simon@josefsson.org
URI: http://josefsson.org/
EMail: simon@josefsson.org
URI: http://josefsson.org/
Love Hornquist Astrand Apple, Inc.
爱霍恩奎斯特阿斯特兰苹果公司。
EMail: lha@apple.com
EMail: lha@apple.com