Internet Engineering Task Force (IETF)                      M. Upadhyay
Request for Comments: 8353                                       Google
Obsoletes: 5653                                              S. Malkani
Category: Standards Track                                  ActivIdentity
ISSN: 2070-1721                                                 W. Wang
                                                                 Oracle
                                                               May 2018
Generic Security Service API Version 2: Java Bindings Update
Abstract
The Generic Security Services Application Programming Interface (GSS-API) offers application programmers uniform access to security services atop a variety of underlying cryptographic mechanisms. This document updates the Java bindings for the GSS-API that are specified in "Generic Security Service API Version 2: Java Bindings Update" (RFC 5653). This document obsoletes RFC 5653 by adding a new output token field to the GSSException class so that when the initSecContext or acceptSecContext methods of the GSSContext class fail, the method can still emit an error token that can be sent to the peer for debugging or informational purposes. The stream-based GSSContext methods are also removed in this version.
The GSS-API is described at a language-independent conceptual level in "Generic Security Service Application Program Interface Version 2, Update 1" (RFC 2743). The GSS-API allows a caller application to authenticate a principal identity, to delegate rights to a peer, and to apply security services such as confidentiality and integrity on a per-message basis. Examples of security mechanisms defined for GSS-API are "The Simple Public-Key GSS-API Mechanism (SPKM)" (RFC 2025) and "The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2" (RFC 4121).
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8353.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents
1. Introduction
2. Notational Conventions
3. GSS-API Operational Paradigm
4. Additional Controls
   4.1. Delegation
   4.2. Mutual Authentication
   4.3. Replay and Out-of-Sequence Detection
   4.4. Anonymous Authentication
   4.5. Integrity and Confidentiality
   4.6. Inter-process Context Transfer
   4.7. The Use of Incomplete Contexts
5. Calling Conventions
   5.1. Package Name
   5.2. Provider Framework
   5.3. Integer Types
   5.4. Opaque Data Types
   5.5. Strings
   5.6. Object Identifiers
   5.7. Object Identifier Sets
   5.8. Credentials
   5.9. Contexts
   5.10. Authentication Tokens
   5.11. Inter-process Tokens
   5.12. Error Reporting
      5.12.1. GSS Status Codes
      5.12.2. Mechanism-Specific Status Codes
      5.12.3. Supplementary Status Codes
   5.13. Names
   5.14. Channel Bindings
   5.15. Optional Parameters
6. Introduction to GSS-API Classes and Interfaces
   6.1. GSSManager Class
   6.2. GSSName Interface
   6.3. GSSCredential Interface
   6.4. GSSContext Interface
   6.5. MessageProp Class
   6.6. GSSException Class
   6.7. Oid Class
   6.8. ChannelBinding Class
7. Detailed GSS-API Class Description
   7.1. public abstract class GSSManager
      7.1.1. getInstance
      7.1.2. getMechs
      7.1.3. getNamesForMech
      7.1.4. getMechsForName
      7.1.5. createName
      7.1.6. createName
      7.1.7. createName
      7.1.8. createName
      7.1.9. createCredential
      7.1.10. createCredential
      7.1.11. createCredential
      7.1.12. createContext
      7.1.13. createContext
      7.1.14. createContext
      7.1.15. addProviderAtFront
         7.1.15.1. addProviderAtFront Example Code
      7.1.16. addProviderAtEnd
         7.1.16.1. addProviderAtEnd Example Code
      7.1.17. Example Code
   7.2. public interface GSSName
      7.2.1. Static Constants
      7.2.2. equals
      7.2.3. equals
      7.2.4. canonicalize
      7.2.5. export
      7.2.6. toString
      7.2.7. getStringNameType
      7.2.8. isAnonymous
      7.2.9. isMN
      7.2.10. Example Code
   7.3. public interface GSSCredential implements Cloneable
      7.3.1. Static Constants
      7.3.2. dispose
      7.3.3. getName
      7.3.4. getName
      7.3.5. getRemainingLifetime
      7.3.6. getRemainingInitLifetime
      7.3.7. getRemainingAcceptLifetime
      7.3.8. getUsage
      7.3.9. getUsage
      7.3.10. getMechs
      7.3.11. add
      7.3.12. equals
      7.3.13. Example Code
   7.4. public interface GSSContext
      7.4.1. Static Constants
      7.4.2. initSecContext
      7.4.3. acceptSecContext
      7.4.4. isEstablished
      7.4.5. dispose
      7.4.6. getWrapSizeLimit
      7.4.7. wrap
      7.4.8. unwrap
      7.4.9. getMIC
      7.4.10. verifyMIC
      7.4.11. export
      7.4.12. requestMutualAuth
      7.4.13. requestReplayDet
      7.4.14. requestSequenceDet
      7.4.15. requestCredDeleg
      7.4.16. requestAnonymity
      7.4.17. requestConf
      7.4.18. requestInteg
      7.4.19. requestLifetime
      7.4.20. setChannelBinding
      7.4.21. getCredDelegState
      7.4.22. getMutualAuthState
      7.4.23. getReplayDetState
      7.4.24. getSequenceDetState
      7.4.25. getAnonymityState
      7.4.26. isTransferable
      7.4.27. isProtReady
      7.4.28. getConfState
      7.4.29. getIntegState
      7.4.30. getLifetime
      7.4.31. getSrcName
      7.4.32. getTargName
      7.4.33. getMech
      7.4.34. getDelegCred
      7.4.35. isInitiator
      7.4.36. Example Code
   7.5. public class MessageProp
      7.5.1. Constructors
      7.5.2. getQOP
      7.5.3. getPrivacy
      7.5.4. getMinorStatus
      7.5.5. getMinorString
      7.5.6. setQOP
      7.5.7. setPrivacy
      7.5.8. isDuplicateToken
      7.5.9. isOldToken
      7.5.10. isUnseqToken
      7.5.11. isGapToken
      7.5.12. setSupplementaryStates
   7.6. public class ChannelBinding
      7.6.1. Constructors
      7.6.2. getInitiatorAddress
      7.6.3. getAcceptorAddress
      7.6.4. getApplicationData
      7.6.5. equals
   7.7. public class Oid
      7.7.1. Constructors
      7.7.2. toString
      7.7.3. equals
      7.7.4. getDER
      7.7.5. containedIn
   7.8. public class GSSException extends Exception
      7.8.1. Static Constants
      7.8.2. Constructors
      7.8.3. getMajor
      7.8.4. getMinor
      7.8.5. getMajorString
      7.8.6. getMinorString
      7.8.7. getOutputToken
      7.8.8. setMinor
      7.8.9. toString
      7.8.10. getMessage
8. Sample Applications
   8.1. Simple GSS Context Initiator
   8.2. Simple GSS Context Acceptor
9. Security Considerations
10. IANA Considerations
11. Changes since RFC 5653
12. Changes since RFC 2853
13. References
   13.1. Normative References
   13.2. Informative References
Acknowledgments
Authors' Addresses
1. Introduction

This document specifies Java language bindings for the Generic Security Services Application Programming Interface (GSS-API) version 2. GSS-API version 2 is described in a language-independent format in RFC 2743 [RFC2743]. The GSS-API allows a caller application to authenticate a principal identity, delegate rights to a peer, and apply security services such as confidentiality and integrity on a per-message basis.
This document and its predecessors, RFC 2853 [RFC2853] and RFC 5653 [RFC5653], leverage the work done by the working group (WG) in the area of RFC 2743 [RFC2743] and the C-bindings of RFC 2744 [RFC2744]. Whenever appropriate, text has been used from the C-bindings document (RFC 2744) to explain generic concepts and provide direction to the implementors.
The design goals of this API have been to satisfy all the functionality defined in RFC 2743 [RFC2743] and to provide these services in an object-oriented method. The specification also aims to satisfy the needs of both types of Java application developers, those who would like access to a "system-wide" GSS-API implementation, as well as those who would want to provide their own "custom" implementation.
A system-wide implementation is one that is available to all applications in the form of a library package. It may be the standard package in the Java runtime environment (JRE) being used, or it may be additionally installed and accessible to any application via the CLASSPATH.
A custom implementation of the GSS-API, on the other hand, is one that would, in most cases, be bundled with the application during distribution. It is expected that such an implementation would be meant to provide for some particular need of the application, such as support for some specific mechanism.
The design of this API also aims to provide a flexible framework to add and manage GSS-API mechanisms. GSS-API leverages the Java Cryptography Architecture (JCA) provider model to support the pluggability of mechanisms. Mechanisms can be added on a system-wide basis, where all users of the framework will have them available. The specification also allows for the addition of mechanisms per instance of the GSS-API.
Lastly, this specification presents an API that will naturally fit within the operating environment of the Java platform. Readers are assumed to be familiar with both the GSS-API and the Java platform.
2. Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
3. GSS-API Operational Paradigm

"Generic Security Service Application Programming Interface, Version 2" [RFC2743] defines a generic security API to calling applications. It allows a communicating application to authenticate the user associated with another application, to delegate rights to another application, and to apply security services such as confidentiality and integrity on a per-message basis.
There are four stages to using GSS-API:
1) The application acquires a set of credentials with which it may prove its identity to other processes. The application's credentials vouch for its global identity, which may or may not be related to any local username under which it may be running.
2) A pair of communicating applications establish a joint security context using their credentials. The security context encapsulates shared state information, which is required in order that per-message security services may be provided. Examples of state information that might be shared between applications as part of a security context are cryptographic keys and message sequence numbers. As part of the establishment of a security context, the context initiator is authenticated to the responder and may require that the responder is authenticated back to the initiator. The initiator may optionally give the responder the right to initiate further security contexts, acting as an agent or delegate of the initiator. This transfer of rights is termed "delegation" and is achieved by creating a set of credentials, similar to those used by the initiating application, but which may be used by the responder.
A GSSContext object is used to establish and maintain the shared information that makes up the security context. Certain GSSContext methods will generate a token, which applications treat as cryptographically protected, opaque data. The caller of such a GSSContext method is responsible for transferring the token to the peer application, encapsulated if necessary in an application-to-application protocol. On receipt of such a token, the peer application should pass it to a corresponding GSSContext method, which will decode the token and extract the information, updating the security context state information accordingly.
3) Per-message services are invoked on a GSSContext object to apply either:
integrity and data origin authentication, or
confidentiality, integrity, and data origin authentication
to application data, which are treated by GSS-API as arbitrary octet strings. An application transmitting a message that it wishes to protect will call the appropriate GSSContext method (getMIC or wrap) to apply protection before sending the resulting token to the receiving application. The receiver will pass the received token (and, in the case of data protected by getMIC, the accompanying message data) to the corresponding decoding method of the GSSContext interface (verifyMIC or unwrap) to remove the protection and validate the data.
4) At the completion of a communications session (which may extend across several transport connections), each application uses a GSSContext method to invalidate the security context and release any system or cryptographic resources held. Multiple contexts may also be used (either successively or simultaneously) within a single communications association, at the discretion of the applications.
This section discusses the OPTIONAL services that a context initiator may request of the GSS-API before the context establishment. Each of these services is requested by calling the appropriate mutator method in the GSSContext object before the first call to init is performed. Only the context initiator can request context flags.
The OPTIONAL services defined are:
Delegation: The (usually temporary) transfer of rights from initiator to acceptor, enabling the acceptor to authenticate itself as an agent of the initiator.
Mutual Authentication: In addition to the initiator authenticating its identity to the context acceptor, the context acceptor SHOULD also authenticate itself to the initiator.
Replay Detection: In addition to providing message integrity services, GSSContext per-message operations of getMIC and wrap SHOULD include message numbering information to enable verifyMIC and unwrap to detect if a message has been duplicated.
Out-of-Sequence Detection: In addition to providing message integrity services, GSSContext per-message operations (getMIC and wrap) SHOULD include message sequencing information to enable verifyMIC and unwrap to detect if a message has been received out of sequence.
Anonymous Authentication: The establishment of the security context SHOULD NOT reveal the initiator's identity to the context acceptor.
Some mechanisms may not support all OPTIONAL services, and some mechanisms may only support some services in conjunction with others. The GSSContext interface offers query methods to allow the verification by the calling application of which services will be available from the context when the establishment phase is complete. In general, if the security mechanism is capable of providing a requested service, it SHOULD do so even if additional services must be enabled in order to provide the requested service. If the mechanism is incapable of providing a requested service, it SHOULD proceed without the service, leaving the application to abort the context establishment process if it considers the requested service to be mandatory.
Some mechanisms MAY specify that support for some services is optional and that implementors of the mechanism need not provide it. This is most commonly true of the confidentiality service, often because of legal restrictions on the use of data encryption, but it may apply to any of the services. Such mechanisms are required to send at least one token from acceptor to initiator during context establishment when the initiator indicates a desire to use such a service, so that the initiating GSS-API can correctly indicate whether the service is supported by the acceptor's GSS-API.
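The initiator-side procedure described above (set the context flags through the mutator methods before the first initSecContext call, exchange tokens, then use the accessor methods to verify which services were actually granted) as an added example written for this document; it is not code from the RFC or from any GSS-API implementation. It assumes the org.ietf.jgss package, a Kerberos V5 provider configured in the JVM, a host-based service name such as "host@server.example", and a length-prefixed token framing chosen for the example; the class and constant names are the example's own.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Initiator side of context establishment: request the OPTIONAL services
 * before the first initSecContext call, run the token exchange, then verify
 * which services the mechanism actually granted before trusting the context.
 */
public final class InitiatorExample {

    /** Kerberos V5 mechanism OID from RFC 4121 (constructed here as a constant). */
    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    /** Upper bound on a context token we are willing to read (constructed limit). */
    private static final int MAX_TOKEN = 64 * 1024;

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Establish a context to servicePrincipal (e.g. "host@server.example") over
     * the given streams. Each token is sent as a 4-byte length followed by the
     * bytes; that framing is the application protocol's business, not GSS-API's.
     */
    public static GSSContext establish(String servicePrincipal,
                                       DataInputStream in,
                                       DataOutputStream out)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(servicePrincipal,
                                          GSSName.NT_HOSTBASED_SERVICE);

        // A null credential means "act as the default principal".
        GSSContext ctx = manager.createContext(peer, KRB5_MECH, null,
                                               GSSContext.DEFAULT_LIFETIME);

        // Context flags: only the initiator sets them, and only before init.
        ctx.requestMutualAuth(true);   // acceptor must authenticate itself too
        ctx.requestReplayDet(true);    // flag duplicated per-message tokens
        ctx.requestSequenceDet(true);  // flag out-of-order per-message tokens
        ctx.requestConf(true);         // confidentiality for wrap()
        ctx.requestInteg(true);        // integrity for wrap() and getMIC()
        ctx.requestCredDeleg(false);   // delegation only when explicitly wanted

        byte[] inToken = new byte[0];
        try {
            while (!ctx.isEstablished()) {
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                if (outToken != null) {
                    out.writeInt(outToken.length);
                    out.write(outToken);
                    out.flush();
                }
                if (!ctx.isEstablished()) {
                    int len = in.readInt();
                    if (len < 0 || len > MAX_TOKEN) {
                        throw new IOException("unreasonable token length " + len);
                    }
                    inToken = new byte[len];
                    in.readFully(inToken);
                }
            }

            // The mechanism may grant fewer services than requested. The ones the
            // application protocol depends on are mandatory here; without them the
            // context is destroyed rather than used for application traffic.
            boolean ok = ctx.getMutualAuthState()
                    && ctx.getIntegState()
                    && ctx.getConfState()
                    && ctx.getReplayDetState()
                    && ctx.getSequenceDetState();
            if (!ok) {
                throw new GSSException(GSSException.UNAVAILABLE);
            }
            return ctx;
        } catch (GSSException | IOException e) {
            ctx.dispose(); // release mechanism and cryptographic state
            throw e;
        }
    }
}
```

Which accessor results count as mandatory is a per-protocol decision; confidentiality is the service that mechanisms most often leave optional, so a protocol that can live with integrity-only traffic would drop getConfState() from the check and instead consult the MessageProp privacy state on each wrap() call.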
The GSS-API allows delegation to be controlled by the initiating application via the requestCredDeleg method before the first call to init has been issued. Some mechanisms do not support delegation, and for such mechanisms, attempts by an application to enable delegation are ignored.
The acceptor of a security context, for which the initiator enabled delegation, can check if delegation was enabled by using the getCredDelegState method of the GSSContext interface. In cases when it is enabled, the delegated credential object can be obtained by calling the getDelegCred method. The obtained GSSCredential object may then be used to initiate subsequent GSS-API security contexts as an agent or delegate of the initiator. If the original initiator's identity is "A" and the delegate's identity is "B", then, depending on the underlying mechanism, the identity embodied by the delegated credential may be either "A" or "B acting for A".
For many mechanisms that support delegation, a simple boolean does not provide enough control. Examples of additional aspects of delegation control that a mechanism might provide to an application are duration of delegation, network addresses from which delegation is valid, and constraints on the tasks that may be performed by a delegate. Such controls are presently outside the scope of the GSS-API. GSS-API implementations supporting mechanisms offering additional controls SHOULD provide extension routines that allow these controls to be exercised (perhaps by modifying the initiator's GSS-API credential object prior to its use in establishing a context). However, the simple delegation control provided by GSS-API SHOULD always be able to override other mechanism-specific delegation controls. If the application instructs the GSSContext object that delegation is not desired, then the implementation MUST NOT permit delegation to occur. This is an exception to the general rule that a mechanism may enable services even if they are not requested -- delegation may only be provided at the explicit request of the application.
Usually, a context acceptor will require that a context initiator authenticate itself so that the acceptor may make an access-control decision prior to performing a service for the initiator. In some cases, the initiator may also request that the acceptor authenticate itself. GSS-API allows the initiating application to request this mutual authentication service by calling the requestMutualAuth method of the GSSContext interface with a "true" parameter before making the first call to init. The initiating application is informed as to whether or not the context acceptor has authenticated itself. Note that some mechanisms may not support mutual authentication, and other mechanisms may always perform mutual authentication, whether or not the initiating application requests it. In particular, mutual authentication may be required by some mechanisms in order to support replay or out-of-sequence message detection, and for such mechanisms, a request for either of these services will automatically enable mutual authentication.
The GSS-API MAY provide detection of mis-ordered messages once a security context has been established. Protection MAY be applied to messages by either application, by calling either getMIC or wrap methods of the GSSContext interface, and verified by the peer application by calling verifyMIC or unwrap for the peer's GSSContext object.
The getMIC method calculates a cryptographic checksum (authentication tag) of an application message, and returns that checksum in a token. The application SHOULD pass both the token and the message to the peer application, which presents them to the verifyMIC method of the peer's GSSContext object.
The wrap method calculates a cryptographic checksum of an application message, and places both the checksum and the message inside a single token. The application SHOULD pass the token to the peer application, which presents it to the unwrap method of the peer's GSSContext object to extract the message and verify the checksum.
Either pair of routines may be capable of detecting out-of-sequence message delivery or the duplication of messages. Details of such mis-ordered messages are indicated through supplementary query methods of the MessageProp object that is filled in by each of these routines.
A mechanism need not maintain a list of all tokens that have been processed in order to support these status codes. A typical mechanism might retain information about only the most recent "N" tokens processed, allowing it to distinguish duplicates and missing tokens within the most recent "N" messages; the receipt of a token older than the most recent "N" would result in the isOldToken method of the instance of MessageProp to return "true".
In certain situations, an application may wish to initiate the authentication process to authenticate a peer, without revealing its own identity. As an example, consider an application providing access to a database containing medical information and offering unrestricted access to the service. A client of such a service might wish to authenticate the service (in order to establish trust in any information retrieved from it), but might not wish the service to be able to obtain the client's identity (perhaps due to privacy concerns about the specific inquiries, or perhaps simply to avoid being placed on mailing-lists).
In normal use of the GSS-API, the initiator's identity is made available to the acceptor as a result of the context establishment process. However, context initiators may request that their identity not be revealed to the context acceptor. Many mechanisms do not support anonymous authentication, and for such mechanisms, the request will not be honored. An authentication token will still be generated, but the application is always informed if a requested service is unavailable, and has the option to abort context establishment if anonymity is valued above the other security services that would require a context to be established.
In addition to informing the application that a context is established anonymously (via the isAnonymous method of the GSSContext class), the getSrcName method of the acceptor's GSSContext object will, for such contexts, return a reserved internal-form name, defined by the implementation.
The toString method for a GSSName object representing an anonymous entity will return a printable name. The returned value will be syntactically distinguishable from any valid principal name supported by the implementation. The associated name-type Object Identifier (OID) will be an OID representing the value of NT_ANONYMOUS. This name-type OID will be defined as a public, static Oid object of the GSSName class. The printable form of an anonymous name SHOULD be chosen such that it implies anonymity, since this name may appear in, for example, audit logs. For example, the string "<anonymous>" might be a good choice, if no valid printable names supported by the implementation can begin with "<" and end with ">".
When using the equal method of the GSSName interface, and one of the operands is a GSSName instance representing an anonymous entity, the method MUST return "false".
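The acceptor side of the two passages above, delegation (getCredDelegState and getDelegCred, then using the delegated credential as the initiator's agent) and anonymous authentication (the reserved name returned by getSrcName, whose printable form is fit for audit logs but whose equality comparison is always false), as an added example written for this document rather than code from the RFC or any implementation. It assumes the org.ietf.jgss package, an acceptor credential obtained elsewhere, a backend service name such as "host@db.example", and the same length-prefixed token framing as the initiator example; the anonymity check on the initiator side uses getAnonymityState, the org.ietf.jgss accessor that corresponds to the "isAnonymous" method the text refers to.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

/**
 * Acceptor side: drive acceptSecContext to completion, then inspect what the
 * initiator asked for (delegation, anonymity) before authorising anything.
 */
public final class AcceptorExample {

    private static final int MAX_TOKEN = 64 * 1024; // constructed limit

    /** What the service learns about the peer once the context is up. */
    public static final class PeerInfo {
        public final GSSContext context;
        public final boolean anonymous;
        public final String auditName;        // printable, safe for audit logs
        public final GSSCredential delegated; // null unless delegation happened

        PeerInfo(GSSContext context, boolean anonymous, String auditName,
                 GSSCredential delegated) {
            this.context = context;
            this.anonymous = anonymous;
            this.auditName = auditName;
            this.delegated = delegated;
        }
    }

    public static PeerInfo accept(GSSCredential serviceCred, boolean allowAnonymous,
                                  DataInputStream in, DataOutputStream out)
            throws GSSException, IOException {
        GSSContext ctx = GSSManager.getInstance().createContext(serviceCred);
        try {
            while (!ctx.isEstablished()) {
                int len = in.readInt();
                if (len < 0 || len > MAX_TOKEN) {
                    throw new IOException("unreasonable token length " + len);
                }
                byte[] inToken = new byte[len];
                in.readFully(inToken);
                byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
                if (outToken != null) {
                    out.writeInt(outToken.length);
                    out.write(outToken);
                    out.flush();
                }
            }

            GSSName src = ctx.getSrcName();
            // An anonymous initiator yields a reserved internal-form name whose
            // equals() is always false, so it must never serve as an access-control
            // key; only its printable form is kept, and only for the audit trail.
            boolean anonymous = src.isAnonymous();
            if (anonymous && !allowAnonymous) {
                throw new GSSException(GSSException.UNAUTHORIZED);
            }
            String auditName = anonymous ? "<anonymous>" : src.toString();

            // Delegation happens only at the initiator's explicit request; when it
            // did, the delegated credential lets this service act for the peer.
            GSSCredential delegated = ctx.getCredDelegState() ? ctx.getDelegCred() : null;
            return new PeerInfo(ctx, anonymous, auditName, delegated);
        } catch (GSSException | IOException e) {
            ctx.dispose();
            throw e;
        }
    }

    /**
     * Initiator-side check: a request for anonymity may be ignored by a
     * mechanism that does not support it, so verify after establishment and
     * let the caller abort if anonymity outranks the other services.
     */
    public static boolean anonymityHonored(GSSContext establishedInitiator)
            throws GSSException {
        return establishedInitiator.isInitiator()
                && establishedInitiator.getAnonymityState();
    }

    /** Act as the peer's delegate towards a backend service (e.g. "host@db.example"). */
    public static GSSContext initiateAsDelegate(GSSCredential delegated, String backendService)
            throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName backend = manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        // null mechanism: use the default mechanism of the delegated credential.
        GSSContext onward = manager.createContext(backend, null, delegated,
                                                  GSSContext.DEFAULT_LIFETIME);
        onward.requestMutualAuth(true);
        onward.requestCredDeleg(false); // do not re-delegate unless the protocol needs it
        return onward;
    }
}
```

Whether the onward context embodies "A" or "B acting for A" depends on the mechanism, as the text notes, so authorization at the backend should be based on the name the backend's own getSrcName returns rather than on what the middle tier believes it forwarded.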
If a GSSContext supports the integrity service, the getMIC method may be used to create message integrity check tokens on application messages.
If a GSSContext supports the confidentiality service, the wrap method may be used to encrypt application messages. Messages are selectively encrypted, under the control of the setPrivacy method of the MessageProp object used in the wrap method. Confidentiality will be applied if the privacy state is set to true.
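The per-message services from the replay/out-of-sequence detection passage and the integrity and confidentiality passages above (getMIC/verifyMIC with the message carried separately, wrap/unwrap with the message inside the token, privacy controlled through MessageProp, and the supplementary states that report duplicated, old, out-of-sequence or missing tokens) as one added example written for this document; it is not code from the RFC or from any implementation. It assumes the org.ietf.jgss package and an already established GSSContext; the Verdict class and method names are the example's own.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Per-message protection on an established context. getMIC/verifyMIC carry
 * the checksum in a token separate from the message; wrap/unwrap carry the
 * message inside the token and can add confidentiality.
 */
public final class PerMessageExample {

    /** Outcome of verifyMIC or unwrap, including the replay/ordering states. */
    public static final class Verdict {
        public final byte[] message;         // verified (and, for unwrap, decrypted) data
        public final boolean privacyApplied; // true only if the token was encrypted
        public final boolean duplicate, old, unsequenced, gap;

        Verdict(byte[] message, MessageProp p) {
            this.message = message;
            this.privacyApplied = p.getPrivacy();
            this.duplicate = p.isDuplicateToken();
            this.old = p.isOldToken();
            this.unsequenced = p.isUnseqToken();
            this.gap = p.isGapToken();
        }

        /** Anything a replay-detecting or sequencing context flagged. */
        public boolean isMisordered() {
            return duplicate || old || unsequenced || gap;
        }
    }

    /** Sender, integrity only: the message itself travels separately. */
    public static byte[] sign(GSSContext ctx, byte[] msg) throws GSSException {
        MessageProp prop = new MessageProp(0, false); // QOP 0 = mechanism default
        return ctx.getMIC(msg, 0, msg.length, prop);
    }

    /** Sender, integrity plus optional confidentiality; message is inside the token. */
    public static byte[] seal(GSSContext ctx, byte[] msg, boolean confidential)
            throws GSSException {
        MessageProp prop = new MessageProp(0, confidential);
        byte[] token = ctx.wrap(msg, 0, msg.length, prop);
        // wrap() updates prop to reflect what was actually applied. If privacy was
        // wanted but the context has no confidentiality service, the token holds
        // plaintext: refuse to send it rather than leak.
        if (confidential && !prop.getPrivacy()) {
            throw new GSSException(GSSException.UNAVAILABLE);
        }
        return token;
    }

    /** Receiver counterpart of sign(): a bad checksum surfaces as GSSException. */
    public static Verdict check(GSSContext ctx, byte[] token, byte[] msg)
            throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        ctx.verifyMIC(token, 0, token.length, msg, 0, msg.length, prop);
        // Replay and ordering problems are reported through the supplementary
        // states on prop, so they have to be queried explicitly.
        return new Verdict(msg, prop);
    }

    /** Receiver counterpart of seal(). */
    public static Verdict open(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        byte[] plain = ctx.unwrap(token, 0, token.length, prop);
        return new Verdict(plain, prop);
    }
}
```

A receiver that enabled replay or sequence detection should treat a Verdict with isMisordered() true as a protocol event in its own right (drop, log, or close the context) rather than silently processing the message, since the integrity check alone passed. Before calling seal() on large messages, getWrapSizeLimit on the context gives the largest input the mechanism can wrap into a token of a given size.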
GSS-APIv2 provides functionality that allows a security context to be transferred between processes on a single machine. These are implemented using the export method of GSSContext and a byte array constructor of the same class. The most common use for such a feature is a client-server design where the server is implemented as a single process that accepts incoming security contexts, which then launches child processes to deal with the data on these contexts. In such a design, the child processes must have access to the security context object created within the parent so that they can use per-message protection services and delete the security context when the communication session ends.
Since the security context data structure is expected to contain sequencing information, it is impractical in general to share a context between processes. Thus, the GSSContext interface provides an export method that the process, which currently owns the context, can call to declare that it has no intention to use the context subsequently and to create an inter-process token containing information needed by the adopting process to successfully recreate the context. After successful completion of export, the original security context is made inaccessible to the calling process by GSS-API, and any further usage of this object will result in failures. The originating process transfers the inter-process token to the adopting process, which creates a new GSSContext object using the byte array constructor. The properties of the context are equivalent to that of the original context.
The inter-process token MAY contain sensitive data from the original security context (including cryptographic keys). Applications using inter-process tokens to transfer security contexts MUST take appropriate steps to protect these tokens in transit.
Implementations are not required to support the inter-process transfer of security contexts. Calling the isTransferable method of the GSSContext interface will indicate if the context object is transferable.
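The inter-process transfer just described (isTransferable check, export in the owning process, recreation in the adopting process, and protection of the token in transit) as an added example written for this document, not code from the RFC or any implementation. It assumes the org.ietf.jgss package, where recreation from the token is done through GSSManager.createContext(byte[]) (the "byte array constructor" the text refers to), and it assumes a pipe inherited by the child process as the transport; the class name and size limit are the example's own.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Arrays;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Move an established security context from a parent process to a child. */
public final class ContextTransferExample {

    private static final int MAX_IPC_TOKEN = 1024 * 1024; // constructed limit

    /**
     * Parent side. After export() the original GSSContext is unusable in this
     * process, so the caller must not keep using it.
     */
    public static void handOff(GSSContext ctx, OutputStream toChild)
            throws GSSException, IOException {
        if (!ctx.isTransferable()) {
            // Implementations need not support transfer at all.
            throw new GSSException(GSSException.UNAVAILABLE);
        }
        byte[] ipcToken = ctx.export();
        try {
            // The token may carry the context's session keys. It goes over a
            // pipe that only the child inherits (assumption of this example),
            // not via a file or a network socket, either of which would need its
            // own confidentiality and integrity protection.
            DataOutputStream out = new DataOutputStream(toChild);
            out.writeInt(ipcToken.length);
            out.write(ipcToken);
            out.flush();
        } finally {
            Arrays.fill(ipcToken, (byte) 0); // scrub key material from this process
        }
    }

    /** Child side: recreate the context; its attributes match the original. */
    public static GSSContext adopt(InputStream fromParent)
            throws GSSException, IOException {
        DataInputStream in = new DataInputStream(fromParent);
        int len = in.readInt();
        if (len <= 0 || len > MAX_IPC_TOKEN) {
            throw new IOException("unreasonable inter-process token length " + len);
        }
        byte[] ipcToken = new byte[len];
        in.readFully(ipcToken);
        try {
            return GSSManager.getInstance().createContext(ipcToken);
        } finally {
            Arrays.fill(ipcToken, (byte) 0);
        }
    }
}
```

The child is then responsible for the context's whole remaining life, including calling dispose() at the end of the session, because the parent can no longer reach it.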
Some mechanisms may allow the per-message services to be used before the context establishment process is complete. For example, a mechanism may include sufficient information in its initial context-level tokens for the context acceptor to immediately decode messages protected with wrap or getMIC. For such a mechanism, the initiating application need not wait until subsequent context-level tokens have been sent and received before invoking the per-message protection services.
An application can invoke the isProtReady method of the GSSContext class to determine if the per-message services are available in advance of complete context establishment. Applications wishing to use per-message protection services on partially established contexts SHOULD query this method before attempting to invoke wrap or getMIC.
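The isProtReady query in use during establishment, as an added example written for this document and not code from the RFC or any implementation: one initiator step that protects an early payload only when the mechanism reports that per-message services are already available. It assumes the org.ietf.jgss package and a context on which the flags were already requested; the method and parameter names are the example's own.

```java
import java.util.List;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/** Per-message protection on a partially established context. */
public final class EarlyProtectionExample {

    /**
     * Run one initSecContext round. Any context-level token produced is added
     * to outTokens for the caller to send. If the context is not yet
     * established but the mechanism can already protect messages, earlyPayload
     * is wrapped and returned; otherwise null is returned and the caller waits
     * for establishment to finish.
     */
    public static byte[] initStepWithEarlyData(GSSContext ctx, byte[] inToken,
                                               List<byte[]> outTokens,
                                               byte[] earlyPayload)
            throws GSSException {
        byte[] contextToken = ctx.initSecContext(inToken, 0, inToken.length);
        if (contextToken != null) {
            outTokens.add(contextToken);
        }
        if (ctx.isEstablished()) {
            return null; // normal path: use the full services after establishment
        }
        if (!ctx.isProtReady()) {
            return null; // mechanism cannot protect messages yet; do not call wrap()
        }
        // Per-message services work here, but the context attributes are not
        // final: in particular, with mutual authentication requested the acceptor
        // may not have proved its identity yet, so the early payload should not
        // contain anything whose secrecy depends on who the acceptor is.
        MessageProp prop = new MessageProp(0, true);
        byte[] wrapped = ctx.wrap(earlyPayload, 0, earlyPayload.length, prop);
        if (!prop.getPrivacy()) {
            throw new GSSException(GSSException.UNAVAILABLE); // would send plaintext
        }
        return wrapped;
    }
}
```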
Java provides the implementors with not just a syntax for the language but also an operational environment. For example, memory is automatically managed and does not require application intervention. These language features have allowed for a simpler API and have led to the elimination of certain GSS-API functions.
Moreover, the JCA defines a provider model that allows for implementation-independent access to security services. Using this model, applications can seamlessly switch between different implementations and dynamically add new services. The GSS-API specification leverages these concepts by the usage of providers for the mechanism implementations.
The classes and interfaces defined in this document reside in the package called "org.ietf.jgss". Applications that wish to make use of this API should import this package name as shown in Section 8.
Java security APIs use a provider architecture that allows applications to be implementation independent and security API implementations to be modular and extensible. The java.security.Provider class is an abstract class that a vendor extends. This class maps various properties that represent different security services that are available to the names of the actual vendor classes that implement those services. When requesting a service, an application simply specifies the desired provider, and the API delegates the request to service classes available from that provider.
Using the Java security provider model insulates applications from implementation details of the services they wish to use. Applications can switch between providers easily, and new providers can be added as needed, even at runtime.
The GSS-API may use providers to find components for specific underlying security mechanisms. For instance, a particular provider might contain components that will allow the GSS-API to support the Kerberos v5 mechanism [RFC4121], and another might contain components to support the Simple Public-Key GSS-API Mechanism (SPKM) [RFC2025]. By delegating mechanism-specific functionality to the components obtained from providers, the GSS-API can be extended to support an arbitrary list of mechanisms.
How the GSS-API locates and queries these providers is beyond the scope of this document and is being deferred to a Service Provider Interface (SPI) specification. The availability of such an SPI specification is not mandatory for the adoption of this API specification nor is it mandatory to use providers in the implementation of a GSS-API framework. However, by using the provider framework together with an SPI specification, one can create an extensible and implementation-independent GSS-API framework.
All numeric values are declared as the "int" primitive Java type. The Java specification guarantees that this will be a 32-bit two's complement signed number.
Throughout this API, the "boolean" primitive Java type is used wherever a boolean value is required or returned.
Java byte arrays are used to represent opaque data types that are consumed and produced by the GSS-API in the form of tokens. Java arrays contain a length field that enables the users to easily determine their size. The language has automatic garbage collection that alleviates the need by developers to release memory and simplifies buffer ownership issues.
The String object will be used to represent all textual data. The Java String object transparently treats all characters as two-byte Unicode characters, which allows support for many locales. All routines returning or accepting textual data will use the String object.
An Oid object will be used to represent Universal Object Identifiers (OIDs). OIDs are ISO-defined, hierarchically globally interpretable identifiers used within the GSS-API framework to identify security mechanisms and name formats. The Oid object can be created from a string representation of its dot notation (e.g., "1.3.6.1.5.6.2") as well as from its ASN.1 DER encoding. Methods are also provided to test equality and provide the DER representation for the object.
An important feature of the Oid class is that its instances are immutable -- i.e., there are no methods defined that allow one to change the contents of an Oid object. This property allows one to treat these objects as "statics" without the need to perform copies.
Certain routines allow the usage of a default OID. A "null" value can be used in those cases.
The Java bindings represent Object Identifier sets as arrays of Oid objects. All Java arrays contain a length field, which allows for easy manipulation and reference.
In order to support the full functionality of RFC 2743 [RFC2743], the Oid class includes a method that checks for existence of an Oid object within a specified array. This is equivalent in functionality to gss_test_oid_set_member. The use of Java arrays and Java's automatic garbage collection has eliminated the need for the following routines: gss_create_empty_oid_set, gss_release_oid_set, and gss_add_oid_set_member. Java GSS-API implementations will not contain them. Java's automatic garbage collection and the immutable property of the Oid object eliminates the memory management issues of the C counterpart.
Whenever a default value for an Object Identifier set is required, a "null" value can be used. Please consult the detailed method description for details.
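The Oid and Oid-set handling from the two passages above (construction from dot notation and from DER, equality, and containedIn as the replacement for gss_test_oid_set_member over a plain Oid array) as an added example written for this document, not code from the RFC or any implementation. It assumes the org.ietf.jgss package; the Kerberos V5 OID is the RFC 4121 value, the other dotted string is the one the text uses as an illustration, and the class and method names are the example's own. Unlike the rest of the examples here, this one needs no Kerberos environment to run.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Working with Oid objects and Oid arrays in place of C oid sets. */
public final class OidExample {

    /** Kerberos V5 mechanism OID (RFC 4121), constructed as a constant. */
    public static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    /** The example dotted string used in the text, constructed as a constant. */
    public static final Oid TEXT_EXAMPLE = oid("1.3.6.1.5.6.2");

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Parse an OID from configuration. new Oid(String) throws GSSException on
     * malformed input, so junk never becomes a "mechanism" silently.
     */
    public static Oid parseConfigured(String dotted) throws GSSException {
        return new Oid(dotted.trim());
    }

    /** Round-trip through DER, the form in which OIDs appear inside tokens. */
    public static boolean derRoundTrip(Oid o) throws GSSException {
        byte[] der = o.getDER();
        Oid back = new Oid(der);
        return o.equals(back) && o.hashCode() == back.hashCode();
    }

    /**
     * Pick the first preferred mechanism that the installed providers offer.
     * Oid.containedIn() is the Java form of gss_test_oid_set_member; the array
     * itself replaces gss_create_empty_oid_set / gss_add_oid_set_member /
     * gss_release_oid_set, and garbage collection handles the release.
     */
    public static Oid chooseMechanism(Oid[] preferred) {
        Oid[] available = GSSManager.getInstance().getMechs();
        for (Oid want : preferred) {
            if (want.containedIn(available)) {
                return want;
            }
        }
        return null; // caller may fall back to null, i.e. the default mechanism
    }

    /** Intersection of two Oid "sets", keeping the order of the first. */
    public static Oid[] intersect(Oid[] a, Oid[] b) {
        java.util.List<Oid> out = new java.util.ArrayList<>();
        for (Oid o : a) {
            if (o.containedIn(b)) {
                out.add(o);
            }
        }
        return out.toArray(new Oid[0]);
    }
}
```

Because Oid instances are immutable, the constants above can be shared freely between threads and passed to the API without defensive copies.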
GSS-API credentials are represented by the GSSCredential interface. The interface contains several constructs to allow for the creation of most common credential objects for the initiator and the acceptor. Comparisons are performed using the interface's "equals" method. The following general description of GSS-API credentials is included from the C-bindings specification [RFC2744]:
GSS-API credentials can contain mechanism-specific principal authentication data for multiple mechanisms. A GSS-API credential is composed of a set of credential-elements, each of which is applicable to a single mechanism. A credential may contain at most one credential-element for each supported mechanism. A credential-element identifies the data needed by a single mechanism to authenticate a single principal, and conceptually contains two credential-references that describe the actual mechanism-specific authentication data, one to be used by GSS-API for initiating contexts, and one to be used for accepting contexts. For mechanisms that do not distinguish between acceptor and initiator credentials, both references would point to the same underlying mechanism-specific authentication data.
Credentials describe a set of mechanism-specific principals and give their holder the ability to act as any of those principals. All principal identities asserted by a single GSS-API credential SHOULD belong to the same entity, although enforcement of this property is an implementation-specific matter. A single GSSCredential object represents all the credential elements that have been acquired.
The creation of a GSSContext object allows the value of "null" to be specified as the GSSCredential input parameter. This will indicate a desire by the application to act as a default principal. While individual GSS-API implementations are free to determine such default behavior as appropriate to the mechanism, the following default behavior by these routines is RECOMMENDED for portability:
For the initiator side of the context:
1) If there is only a single principal capable of initiating security contexts for the chosen mechanism that the application is authorized to act on behalf of, then that principal shall be used; otherwise,
2) If the platform maintains a concept of a default network identity for the chosen mechanism, and if the application is authorized to act on behalf of that identity for the purpose of initiating security contexts, then the principal corresponding to that identity shall be used; otherwise,
3) If the platform maintains a concept of a default local identity, and provides a means to map local identities into network identities for the chosen mechanism, and if the application is authorized to act on behalf of the network-identity image of the default local identity for the purpose of initiating security contexts using the chosen mechanism, then the principal corresponding to that identity shall be used; otherwise,
4) A user-configurable default identity should be used.
For the acceptor side of the context:
1) If there is only a single authorized principal identity capable of accepting security contexts for the chosen mechanism, then that principal shall be used; otherwise,
2) If the mechanism can determine the identity of the target principal by examining the context-establishment token processed during the accept method, and if the accepting application is authorized to act as that principal for the purpose of accepting security contexts using the chosen mechanism, then that principal identity shall be used; otherwise,
3) If the mechanism supports context acceptance by any principal, and if mutual authentication was not requested, any principal that the application is authorized to accept security contexts under using the chosen mechanism may be used; otherwise,
4) A user-configurable default identity shall be used.
The purpose of the above rules is to allow security contexts to be established by both initiator and acceptor using the default behavior whenever possible. Applications requesting default behavior are likely to be more portable across mechanisms and implementations than ones that instantiate a GSSCredential object representing a specific identity.
The GSSContext interface is used to represent one end of a GSS-API security context, storing state information appropriate to that end of the peer communication, including cryptographic state information. The instantiation of the context object is done differently by the initiator and the acceptor. After the context has been instantiated, the initiator MAY choose to set various context options that will determine the characteristics of the desired security context. When all the application-desired characteristics have been set, the initiator will call the initSecContext method, which will produce a token for consumption by the peer's acceptSecContext method. It is the responsibility of the application to deliver the authentication token(s) between the peer applications for processing. Upon completion of the context-establishment phase, context attributes can be retrieved, by both the initiator and acceptor, using the accessor methods. These will reflect the actual attributes of the established context and might not match the initiator-requested values. If any retrieved attribute does not match the desired value but it is necessary for the application protocol, the application SHOULD destroy the security context and not use it for application traffic. Otherwise, at this point, the context can be used by the application to apply cryptographic services to its data.
A token is a caller-opaque type that GSS-API uses to maintain synchronization between each end of the GSS-API security context. The token is a cryptographically protected octet string, generated by the underlying mechanism at one end of a GSS-API security context for use by the peer mechanism at the other end. Encapsulation (if required) within the application protocol and transfer of the token are the responsibility of the peer applications.
Java GSS-API uses byte arrays to represent authentication tokens.
Certain GSS-API routines are intended to transfer data between processes in multi-process programs. These routines use a caller-opaque octet string, generated by the GSS-API in one process for use by the GSS-API in another process. The calling application is responsible for transferring such tokens between processes. Note that, while GSS-API implementors are encouraged to avoid placing sensitive information within inter-process tokens, or to cryptographically protect them, many implementations will be unable to avoid placing key material or other sensitive data within them. It is the application's responsibility to ensure that inter-process tokens are protected in transit and transferred only to processes that are trustworthy. An inter-process token is represented using a byte array emitted from the export method of the GSSContext interface. The receiver of the inter-process token would initialize a GSSContext object with this token to create a new context. Once a context has been exported, the GSSContext object is invalidated and is no longer available.
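The export/import hand-off described above, written out as an added Java example (it is not code from RFC 8353 or from any particular GSS-API implementation). The LocalChannel interface is a hypothetical trusted channel between the two processes; the only GSS-API calls used are GSSContext.isTransferable(), GSSContext.export() and GSSManager.createContext(byte[]). Because the inter-process token may carry session keys, the example zeroes its own copy of the token once it has been handed over.

```java
import java.io.IOException;
import java.util.Arrays;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public class ContextHandoff {

    /** Hypothetical trusted local channel (e.g. a pipe) between the two processes. */
    public interface LocalChannel {
        void send(byte[] interProcessToken) throws IOException;
        byte[] receive() throws IOException;
    }

    /**
     * Exporting process. After export() the original GSSContext object is
     * invalidated, so the caller must not use it for per-message calls.
     */
    public static void handOff(GSSContext established, LocalChannel channel)
            throws GSSException, IOException {
        if (!established.isEstablished() || !established.isTransferable()) {
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "context is not established or the mechanism cannot export it");
        }
        byte[] token = established.export();
        try {
            channel.send(token);
        } finally {
            // The token may contain key material: clear the local copy once sent.
            Arrays.fill(token, (byte) 0);
        }
    }

    /** Receiving process: re-create the context from the inter-process token. */
    public static GSSContext takeOver(LocalChannel channel)
            throws GSSException, IOException {
        byte[] token = channel.receive();
        try {
            return GSSManager.getInstance().createContext(token);
        } finally {
            Arrays.fill(token, (byte) 0);
        }
    }
}
```

Protecting the channel itself (its permissions, and that only the intended process can read from it) is the application's responsibility, as the text above states; the example only avoids keeping the token around longer than needed.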
RFC 2743 [RFC2743] defined the usage of major and minor status values for the signaling of GSS-API errors. The major code, also called the GSS status code, is used to signal errors at the GSS-API level, independent of the underlying mechanism(s). The minor status value, or mechanism status code, is a mechanism-defined error value indicating a mechanism-specific error code.
Java GSS-API uses exceptions implemented by the GSSException class to signal both minor and major error values. Both mechanism-specific errors and GSS-API level errors are signaled through instances of this class. The usage of exceptions replaces the need for major and minor codes to be used within the API calls. The GSSException class also contains methods to obtain textual representations for both the major and minor values, which is equivalent to the functionality of gss_display_status. A GSSException object MAY also include an output token that SHOULD be sent to the peer.
If an exception is thrown during context establishment, the context negotiation has failed and the GSSContext object MUST be abandoned. If it is thrown in a per-message call, the context MAY remain useful.
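The initiator-side establishment loop described above, together with the exception rules just stated, as an added Java example (not code from RFC 8353 or from any GSS-API implementation). Assumptions: the Transport interface is a hypothetical stand-in for the application protocol that carries tokens; the mechanism is Kerberos V5 (OID 1.2.840.113554.1.2.2); the null credential selects the default initiator identity according to the rules above; and GSSException.getOutputToken() is the accessor this document specifies for the new output token field, which implementations that only follow RFC 5653 do not provide.

```java
import java.io.IOException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class InitiatorExample {

    /** Hypothetical transport: the application protocol that carries tokens. */
    public interface Transport {
        void send(byte[] token) throws IOException;
        /** Next token from the peer, or null if the peer closed the connection. */
        byte[] receive() throws IOException;
    }

    public static GSSContext establish(Transport transport, String peerService)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
        GSSName target = manager.createName(peerService, GSSName.NT_HOSTBASED_SERVICE);
        // A null credential selects the default initiator identity.
        GSSContext context = manager.createContext(target, krb5, null,
                GSSContext.DEFAULT_LIFETIME);

        // Desired characteristics are set before the first initSecContext call.
        context.requestMutualAuth(true);
        context.requestInteg(true);
        context.requestConf(true);
        context.requestReplayDet(true);

        byte[] inToken = new byte[0];
        try {
            while (!context.isEstablished()) {
                byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
                if (outToken != null) {
                    transport.send(outToken);   // encapsulation is the application's job
                }
                if (!context.isEstablished()) {
                    inToken = transport.receive();
                    if (inToken == null) {
                        throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0,
                                "peer closed the connection during context establishment");
                    }
                }
            }
        } catch (GSSException e) {
            // Establishment failed: the context MUST be abandoned. If the
            // mechanism attached an error token to the exception (the output
            // token field this document adds to GSSException), forward it so
            // the peer can fail cleanly instead of waiting for the next token.
            byte[] errorToken = e.getOutputToken();
            if (errorToken != null) {
                transport.send(errorToken);
            }
            context.dispose();
            throw e;
        }

        // The negotiated attributes may differ from the requested ones. Check
        // the ones the application protocol depends on and refuse to use the
        // context for application traffic if any is missing.
        if (!context.getMutualAuthState() || !context.getIntegState()
                || !context.getConfState()) {
            context.dispose();
            throw new GSSException(GSSException.UNAVAILABLE, 0,
                    "peer did not grant the required context attributes");
        }
        return context;
    }
}
```

The acceptor side is the mirror image: it loops on acceptSecContext with the tokens it receives, sends back whatever that method returns, and applies the same attribute check once isEstablished() is true.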
GSS status codes indicate errors that are independent of the underlying mechanism(s) used to provide the security service. The errors that can be indicated via a GSS status code are generic API routine errors (errors that are defined in the GSS-API specification). These bindings take advantage of the Java exceptions mechanism, thus eliminating the need for calling errors.
A GSS status code indicates a single fatal generic API error from the routine that has thrown the GSSException. Using exceptions announces that a fatal error has occurred during the execution of the method. The GSS-API operational model also allows for the signaling of supplementary status information from the per-message calls. These need to be handled as return values since using exceptions is not appropriate for informatory or warning-like information. The methods that are capable of producing supplementary information are the two per-message methods GSSContext.verifyMIC() and GSSContext.unwrap(). These methods fill the supplementary status codes in the MessageProp object that was passed in.
A GSSException object, along with providing the functionality for setting the various error codes and translating them into textual representation, also contains the definitions of all the numeric error values. The following table lists the definitions of error codes:
Table: GSS Status Codes
+----------------------+-------+------------------------------------+
| Name                 | Value | Meaning                            |
+----------------------+-------+------------------------------------+
| BAD_BINDINGS         | 1     | Incorrect channel bindings were    |
|                      |       | supplied.                          |
| BAD_MECH             | 2     | An unsupported mechanism was       |
|                      |       | requested.                         |
| BAD_NAME             | 3     | An invalid name was supplied.      |
| BAD_NAMETYPE         | 4     | A supplied name was of an          |
|                      |       | unsupported type.                  |
| BAD_STATUS           | 5     | An invalid status code was         |
|                      |       | supplied.                          |
| BAD_MIC              | 6     | A token had an invalid MIC.        |
| CONTEXT_EXPIRED      | 7     | The context has expired.           |
| CREDENTIALS_EXPIRED  | 8     | The referenced credentials have    |
|                      |       | expired.                           |
| DEFECTIVE_CREDENTIAL | 9     | A supplied credential was invalid. |
| DEFECTIVE_TOKEN      | 10    | A supplied token was invalid.      |
| FAILURE              | 11    | Miscellaneous failure, unspecified |
|                      |       | at the GSS-API level.              |
| NO_CONTEXT           | 12    | Invalid context has been supplied. |
| NO_CRED              | 13    | No credentials were supplied, or   |
|                      |       | the credentials were unavailable   |
|                      |       | or inaccessible.                   |
| BAD_QOP              | 14    | The quality of protection (QOP)    |
|                      |       | requested could not be provided.   |
| UNAUTHORIZED         | 15    | The operation is forbidden by the  |
|                      |       | local security policy.             |
| UNAVAILABLE          | 16    | The operation or option is         |
|                      |       | unavailable.                       |
| DUPLICATE_ELEMENT    | 17    | The requested credential element   |
|                      |       | already exists.                    |
| NAME_NOT_MN          | 18    | The provided name was not a        |
|                      |       | mechanism name.                    |
+----------------------+-------+------------------------------------+
The following four status codes (DUPLICATE_TOKEN, OLD_TOKEN, UNSEQ_TOKEN, and GAP_TOKEN) are contained in a GSSException only if detected during context establishment, in which case it is a fatal error. (During per-message calls, these values are indicated as supplementary information contained in the MessageProp object.) They are:
+-----------------+-------+-----------------------------------------+
| Name            | Value | Meaning                                 |
+-----------------+-------+-----------------------------------------+
| DUPLICATE_TOKEN | 19    | The token was a duplicate of an earlier |
|                 |       | version.                                |
| OLD_TOKEN       | 20    | The token's validity period has         |
|                 |       | expired.                                |
| UNSEQ_TOKEN     | 21    | A later token has already been          |
|                 |       | processed.                              |
| GAP_TOKEN       | 22    | The expected token was not received.    |
+-----------------+-------+-----------------------------------------+
The GSS major status code of FAILURE is used to indicate that the underlying mechanism detected an error for which no specific GSS status code is defined. The mechanism-specific status code can provide more details about the error.
The different major status codes that can be contained in the GSSException object thrown by the methods in this specification are the same as the major status codes returned by the corresponding calls in RFC 2743 [RFC2743].
Mechanism-specific status codes are communicated in two ways: they are part of any GSSException thrown from the mechanism-specific layer to signal a fatal error, or they are part of the MessageProp object that the per-message calls use to signal non-fatal errors.
A default value of 0 in either the GSSException object or the MessageProp object will be used to represent the absence of any mechanism-specific status code.
Supplementary status codes are confined to the per-message methods of the GSSContext interface. Because of the informative nature of these errors, it is not appropriate to use exceptions to signal them. Instead, the per-message operations of the GSSContext interface return these values in a MessageProp object.
The MessageProp class defines query methods that return boolean values indicating the following supplementary states:
Table: Supplementary Status Methods
+------------------+------------------------------------------------+
| Method Name      | Meaning when "true" is returned                |
+------------------+------------------------------------------------+
| isDuplicateToken | The token was a duplicate of an earlier token. |
| isOldToken       | The token's validity period has expired.       |
| isUnseqToken     | A later token has already been processed.      |
| isGapToken       | An expected per-message token was not          |
|                  | received.                                      |
+------------------+------------------------------------------------+
A "true" return value for any of the above methods indicates that the token exhibited the specified property. The application MUST determine the appropriate course of action for these supplementary values. They are not treated as errors by the GSS-API.
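The split between fatal per-message errors (exceptions) and supplementary status (MessageProp) described in the preceding paragraphs, as an added Java example that is not code from RFC 8353 or from any GSS-API implementation. It assumes an already-established GSSContext on which replay and sequence detection were requested, and the policy it applies to the supplementary states (discard replays, deliver the rest) is the example's own choice, since the text leaves that decision to the application.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

public class PerMessageExample {

    /** One unwrapped message plus the supplementary states reported for it. */
    public static final class Received {
        public final byte[] data;
        public final boolean duplicate, old, unsequenced, gap;

        Received(byte[] data, MessageProp prop) {
            this.data = data;
            this.duplicate = prop.isDuplicateToken();
            this.old = prop.isOldToken();
            this.unsequenced = prop.isUnseqToken();
            this.gap = prop.isGapToken();
        }
    }

    /** Sender: wrap with integrity and request privacy; refuse if privacy was not applied. */
    public static byte[] protect(GSSContext context, byte[] plaintext) throws GSSException {
        MessageProp prop = new MessageProp(0, true);   // default QOP, privacy requested
        byte[] token = context.wrap(plaintext, 0, plaintext.length, prop);
        if (!prop.getPrivacy()) {
            // wrap() reports the protection actually applied in the same object.
            throw new GSSException(GSSException.BAD_QOP, 0,
                    "mechanism did not apply confidentiality");
        }
        return token;
    }

    /** Receiver: unwrap; fatal errors arrive as exceptions, the rest via MessageProp. */
    public static Received receive(GSSContext context, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        byte[] plaintext;
        try {
            plaintext = context.unwrap(token, 0, token.length, prop);
        } catch (GSSException e) {
            // BAD_MIC or DEFECTIVE_TOKEN: the token failed verification. The
            // context MAY still be usable for subsequent messages, so only the
            // message is rejected here.
            System.err.println("rejected token: " + e.getMajorString()
                    + " / " + e.getMinorString());
            throw e;
        }
        Received r = new Received(plaintext, prop);
        // Supplementary states are not errors at the GSS-API level; the
        // application decides. This example drops replays and delivers the rest.
        if (r.duplicate) {
            throw new GSSException(GSSException.DUPLICATE_TOKEN, prop.getMinorStatus(),
                    "replayed per-message token discarded by application policy");
        }
        if (r.old || r.unsequenced || r.gap) {
            System.err.println("delivering message with supplementary status: old="
                    + r.old + " unseq=" + r.unsequenced + " gap=" + r.gap);
        }
        return r;
    }
}
```

Whether an old, out-of-sequence or gap token is acceptable depends on the application protocol (a datagram protocol may tolerate reordering that a stream protocol must reject), which is why the example keeps those decisions separate from the replay case.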
A name is used to identify a person or entity. GSS-API authenticates the relationship between a name and the entity claiming the name.
Since different authentication mechanisms may employ different namespaces for identifying their principals, GSS-API's naming support is necessarily complex in multi-mechanism environments (or even in some single-mechanism environments where the underlying mechanism supports multiple namespaces).
Two distinct conceptual representations are defined for names:
1) A GSS-API form represented by implementations of the GSSName interface: A single GSSName object MAY contain multiple names from different namespaces, but all names SHOULD refer to the same entity. An example of such an internal name would be the name returned from a call to the getName method of the GSSCredential interface, when applied to a credential containing credential elements for multiple authentication mechanisms employing different namespaces. This GSSName object will contain a distinct name for the entity for each authentication mechanism.
For GSS-API implementations supporting multiple namespaces, GSSName implementations MUST contain sufficient information to determine the namespace to which each primitive name belongs.
2) Mechanism-specific contiguous byte array and string forms: Different GSSName initialization methods are provided to handle both byte array and string formats and to accommodate various calling applications and name types. These formats are capable of containing only a single name (from a single namespace). Contiguous string names are always accompanied by an Object Identifier specifying the namespace to which the name belongs, and their format is dependent on the authentication mechanism that employs that name. The string name forms are assumed to be printable and may therefore be used by GSS-API applications for communication with their users. The byte array name formats are assumed to be in non-printable formats (e.g., the byte array returned from the export method of the GSSName interface).
A GSSName object can be converted to a contiguous representation by using the toString method. This will guarantee that the name will be converted to a printable format. Different initialization methods in the GSSName interface are defined to allow support for multiple syntaxes for each supported namespace and to allow users the freedom to choose a preferred name representation. The toString method SHOULD use an implementation-chosen printable syntax for each supported name type. To obtain the printable name type, the getStringNameType method can be used.
There is no guarantee that calling the toString method on the GSSName interface will produce the same string form as the original imported string name. Furthermore, it is possible that the name was not even constructed from a string representation. The same applies to namespace identifiers, which may not necessarily survive unchanged after a journey through the internal name form. An example of this might be a mechanism that authenticates X.500 names but provides an algorithmic mapping of Internet DNS names into X.500. That mechanism's implementation of GSSName might, when presented with a DNS name, generate an internal name that contained both the original DNS name and the equivalent X.500 name. Alternatively, it might only store the X.500 name. In the latter case, the toString method of GSSName would most likely generate a printable X.500 name, rather than the original DNS name.
The context acceptor can obtain a GSSName object representing the entity performing the context initiation (through the usage of the getSrcName method). Since this name has been authenticated by a single mechanism, it contains only a single name (even if the internal name presented by the context initiator to the GSSContext object had multiple components). Such names are termed internal-mechanism names (or MNs), and the names emitted by the GSSContext interface's getSrcName and getTargName methods are always of this type. Since some applications may require MNs without wanting to incur the overhead of an authentication operation, creation methods are provided that take not only the name buffer and name type but also the mechanism OID for which this name should be created. When dealing with an existing GSSName object, the canonicalize method may be invoked to convert a general internal name into an MN.
GSSName objects can be compared using their equals method, which returns "true" if the two names being compared refer to the same entity. This is the preferred way to perform name comparisons instead of using the printable names that a given GSS-API implementation may support. Since GSS-API assumes that all primitive names contained within a given internal name refer to the same entity, equals can return "true" if the two names have at least one primitive name in common. If the implementation embodies knowledge of equivalence relationships between names taken from different namespaces, this knowledge may also allow successful comparisons of internal names containing no overlapping primitive elements. However, applications SHOULD note that to avoid surprising behavior, it is best to ensure that the names being compared are either both mechanism names for the same mechanism or both internal names that are not mechanism names. This holds whether the equals method is used directly or the export method is used to generate byte strings that are then compared byte-by-byte.
When used in large access control lists, the overhead of creating a GSSName object for each name and invoking the equals method on each name from the Access Control List (ACL) may be prohibitive. As an alternative way of supporting this case, GSS-API defines a special form of the contiguous byte array name, which MAY be compared directly (byte by byte). Contiguous names suitable for comparison are generated by the export method. Exported names MAY be re-imported by using the byte array constructor and specifying NT_EXPORT_NAME as the name type Object Identifier. The resulting GSSName will also be an MN.
The GSSName interface defines public static Oid objects representing the standard name types. Structurally, an exported name object consists of a header containing an OID identifying the mechanism that authenticated the name, and a trailer containing the name itself, where the syntax of the trailer is defined by the individual mechanism specification. A detailed description of the format is given in the language-independent GSS-API specification [RFC2743].
Note that the results obtained by using the equals method will in general be different from those obtained by invoking canonicalize and export and then comparing the byte array output. The first series of operations determines whether two (unauthenticated) names identify the same principal; the second determines whether a particular mechanism would authenticate them as the same principal. These two operations will in general give the same results only for MNs.
It is important to note that the above are guidelines as to how GSSName implementations SHOULD behave and are not intended to be specific requirements of how name objects must be implemented. The mechanism designers are free to decide on the details of their implementations of the GSSName interface as long as the behavior satisfies the above guidelines.
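An ACL keyed on exported mechanism names, following the comparison guidance above, as an added Java example that is not code from RFC 8353 or from any GSS-API implementation. Assumptions: the mechanism is Kerberos V5 (OID 1.2.840.113554.1.2.2), ACL entries are given as printable names of a caller-chosen name type, and the peer being authorized is the source name of an already-established context. Because exported names are opaque byte strings, the example stores them as ByteBuffer values, whose equals and hashCode compare content, so membership is a direct byte-by-byte comparison rather than a GSSName.equals call per entry.

```java
import java.nio.ByteBuffer;
import java.util.HashSet;
import java.util.Set;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ExportedNameAcl {

    private static final Oid KRB5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5

    private final GSSManager manager = GSSManager.getInstance();
    // Exported names of authorized principals, compared byte by byte.
    private final Set<ByteBuffer> allowed = new HashSet<>();

    /**
     * Add an ACL entry. Creating the name with a mechanism OID yields an MN
     * directly, so export() produces the comparable form without a separate
     * canonicalize step.
     */
    public void allow(String principal, Oid nameType) throws GSSException {
        GSSName mn = manager.createName(principal, nameType, KRB5);
        allowed.add(ByteBuffer.wrap(mn.export()));
    }

    /**
     * Authorize the authenticated initiator of an established context.
     * getSrcName() already returns an MN; canonicalize() is kept as a guard
     * for names obtained elsewhere.
     */
    public boolean isAllowed(GSSContext established) throws GSSException {
        if (!established.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT, 0,
                    "authorization requires an established context");
        }
        GSSName src = established.getSrcName();
        GSSName mn = src.isMN() ? src : src.canonicalize(KRB5);
        return allowed.contains(ByteBuffer.wrap(mn.export()));
    }

    /**
     * Consistency check for the two comparison routes described above:
     * re-importing an exported name with NT_EXPORT_NAME yields an MN that
     * equals() the original MN.
     */
    public boolean roundTripsEqual(GSSName mn) throws GSSException {
        GSSName reimported = manager.createName(mn.export(), GSSName.NT_EXPORT_NAME);
        return reimported.isMN() && reimported.equals(mn);
    }
}
```

A name that was only imported as a general internal name (without a mechanism OID) must be canonicalized before export, as the guard in isAllowed shows; exporting a non-MN is exactly the NAME_NOT_MN error case listed in the status-code table above.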
GSS-API supports the use of user-specified tags to identify a given context to the peer application. These tags are intended to be used to identify the particular communications channel that carries the context. Channel bindings are communicated to the GSS-API using the ChannelBinding object. The application MAY use byte arrays as well as instances of InetAddress to specify the application data to be used in the channel binding. The InetAddress for the initiator and/or acceptor can be used within an instance of a ChannelBinding. ChannelBinding can be set for the GSSContext object using the setChannelBinding method before the first call to init or accept has been performed. Unless the setChannelBinding method has been used to set the ChannelBinding for a GSSContext object, "null" ChannelBinding will be assumed. InetAddress is currently the only address type defined within the Java platform and as such, it is the only one supported within the ChannelBinding class. Applications that use other types of addresses can include them as part of the application-specific data.
Conceptually, the GSS-API concatenates the initiator and acceptor address information and the application-supplied byte array to form an octet string. The mechanism calculates a Message Integrity Code (MIC) over this octet string and binds the MIC to the context establishment token emitted by the init method of the GSSContext interface. The same bindings are set by the context acceptor for its GSSContext object, and during processing of the accept method, a MIC is calculated in the same way. The calculated MIC is compared with that found in the token, and if the MICs differ, accept will throw a GSSException with the major code set to BAD_BINDINGS, and the context will not be established. Some mechanisms may include the actual channel-binding data in the token (rather than just a MIC); applications SHOULD therefore not use confidential data as channel-binding components.
Individual mechanisms may impose additional constraints on addresses that may appear in channel bindings. For example, a mechanism may verify that the initiator address field of the channel binding contains the correct network address of the host system. Portable applications SHOULD therefore ensure that they either provide correct information for the address fields or omit the setting of the addressing information.
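Setting channel bindings on both sides and handling the BAD_BINDINGS outcome described above, as an added Java example (not code from RFC 8353 or from any GSS-API implementation). It assumes each side already holds a GSSContext created for the chosen mechanism, and that appData is opaque, non-confidential data the two peers derive independently from the channel they are using; the example does not prescribe how that data is obtained.

```java
import java.net.InetAddress;

import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public class ChannelBindingExample {

    /**
     * Build the binding both peers must agree on. appData must not be
     * confidential, since some mechanisms place it in the token in the clear.
     * Addresses are optional; pass null unless they are known to be correct,
     * because a mechanism may verify the initiator address it sees against
     * the one bound here.
     */
    public static ChannelBinding binding(InetAddress initiator, InetAddress acceptor,
                                         byte[] appData) {
        if (appData == null || appData.length == 0) {
            throw new IllegalArgumentException("channel binding data is required");
        }
        if (initiator == null && acceptor == null) {
            return new ChannelBinding(appData);
        }
        return new ChannelBinding(initiator, acceptor, appData);
    }

    /** Initiator: the binding is set before the first initSecContext call. */
    public static byte[] firstInitToken(GSSContext ctx, ChannelBinding cb)
            throws GSSException {
        ctx.setChannelBinding(cb);
        return ctx.initSecContext(new byte[0], 0, 0);
    }

    /**
     * Acceptor: the same binding is set before acceptSecContext. If the
     * initiator bound its context to a different channel, the MIC over the
     * bindings will not match and the mechanism throws BAD_BINDINGS; the
     * context is then not established and is abandoned here.
     */
    public static byte[] acceptWithBinding(GSSContext ctx, ChannelBinding cb, byte[] token)
            throws GSSException {
        ctx.setChannelBinding(cb);
        try {
            return ctx.acceptSecContext(token, 0, token.length);
        } catch (GSSException e) {
            if (e.getMajor() == GSSException.BAD_BINDINGS) {
                System.err.println("channel binding mismatch: " + e.getMajorString());
            }
            ctx.dispose();
            throw e;
        }
    }
}
```

Both peers must construct the ChannelBinding from the same inputs, including the choice of whether addresses are present, since the MIC is computed over the concatenation of the address information and the application data.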
Whenever the application wishes to omit an optional parameter, the "null" value SHALL be used. The detailed method descriptions indicate which parameters are optional. Method overloading has also been used as a technique to indicate default parameters.
This section presents a brief description of the classes and interfaces that constitute the GSS-API. The implementations of these are obtained from the CLASSPATH defined by the application. If Java GSS becomes part of the standard Java APIs, then these classes will be available by default on all systems as part of the JRE's system classes.
This section also shows the corresponding RFC 2743 [RFC2743] functionality implemented by each of the classes. Detailed description of these classes and their methods is presented in Section 7.
GSSManager is an abstract class that serves as a factory to instantiate implementations of the GSS-API interfaces and also provides methods to make queries about underlying security mechanisms.
A default implementation can be obtained using the static method getInstance(). Applications that desire to provide their own implementation of the GSSManager class can simply extend the abstract class themselves.
This class contains equivalents of the following RFC 2743 [RFC2743] routines:
+----------------------------+-------------------------+------------+
| RFC 2743 Routine           | Function                | Section(s) |
+----------------------------+-------------------------+------------+
| gss_import_name            | Create an internal name | 7.1.5 -    |
|                            | from the supplied       | 7.1.8      |
|                            | information.            |            |
| gss_acquire_cred           | Acquire credential for  | 7.1.9 -    |
|                            | use.                    | 7.1.11     |
| gss_import_sec_context     | Create a previously     | 7.1.14     |
|                            | exported context.       |            |
| gss_indicate_mechs         | List the mechanisms     | 7.1.2      |
|                            | supported by this GSS-  |            |
|                            | API implementation.     |            |
| gss_inquire_mechs_for_name | List the mechanisms     | 7.1.4      |
|                            | supporting the          |            |
|                            | specified name type.    |            |
| gss_inquire_names_for_mech | List the name types     | 7.1.3      |
|                            | supported by the        |            |
|                            | specified mechanism.    |            |
+----------------------------+-------------------------+------------+
GSS-API names are represented in the Java bindings through the GSSName interface. Different name formats and their definitions are identified with Universal OIDs. The format of the names can be derived based on the unique OID of each name type. The following GSS-API routines are provided by the GSSName interface:
+-----------------------+------------------------------+------------+
| RFC 2743 Routine      | Function                     | Section(s) |
+-----------------------+------------------------------+------------+
| gss_display_name      | Convert internal name        | 7.2.6      |
|                       | representation to text       |            |
|                       | format.                      |            |
| gss_compare_name      | Compare two internal names.  | 7.2.2,     |
|                       |                              | 7.2.3      |
| gss_release_name      | Release resources associated | N/A        |
|                       | with the internal name.      |            |
| gss_canonicalize_name | Convert an internal name to  | 7.2.4      |
|                       | a mechanism name.            |            |
| gss_export_name       | Convert a mechanism name to  | 7.2.5      |
|                       | export format.               |            |
| gss_duplicate_name    | Create a copy of the         | N/A        |
|                       | internal name.               |            |
+-----------------------+------------------------------+------------+
The gss_release_name call is not provided as Java does its own garbage collection. The gss_duplicate_name call is also redundant; the GSSName interface has no mutator methods that can change the state of the object, so it is safe for sharing across threads.
The GSSCredential interface is responsible for the encapsulation of GSS-API credentials. Credentials identify a single entity and provide the necessary cryptographic information to enable the creation of a context on behalf of that entity. A single credential may contain multiple mechanism-specific credentials, each referred to as a credential element. The GSSCredential interface provides the functionality of the following GSS-API routines:
+--------------------------+---------------------------+------------+
| RFC 2743 Routine         | Function                  | Section(s) |
+--------------------------+---------------------------+------------+
| gss_add_cred             | Constructs credentials    | 7.3.11     |
|                          | incrementally.            |            |
| gss_inquire_cred         | Obtain information about  | 7.3.3 -    |
|                          | credential.               | 7.3.10     |
| gss_inquire_cred_by_mech | Obtain per-mechanism      | 7.3.4 -    |
|                          | information about a       | 7.3.9      |
|                          | credential.               |            |
| gss_release_cred         | Dispose of credentials    | 7.3.2      |
|                          | after use.                |            |
+--------------------------+---------------------------+------------+
This interface encapsulates the functionality of context-level calls required for security context establishment and management between peers as well as the per-message services offered to applications. A context is established between a pair of peers and allows the usage of security services on a per-message basis on application data. It is created over a single security mechanism. The GSSContext interface provides the functionality of the following GSS-API routines:
+------------------------+-----------------------------+------------+
| RFC 2743 Routine       | Function                    | Section(s) |
+------------------------+-----------------------------+------------+
| gss_init_sec_context   | Initiate the creation of a  | 7.4.2      |
|                        | security context with a     |            |
|                        | peer.                       |            |
| gss_accept_sec_context | Accept a security context   | 7.4.3      |
|                        | initiated by a peer.        |            |
| gss_delete_sec_context | Destroy a security context. | 7.4.5      |
| gss_context_time       | Obtain remaining context    | 7.4.30     |
|                        | time.                       |            |
| gss_inquire_context    | Obtain context              | 7.4.21 -   |
|                        | characteristics.            | 7.4.35     |
| gss_wrap_size_limit    | Determine token-size limit  | 7.4.6      |
|                        | for gss_wrap.               |            |
| gss_export_sec_context | Transfer security context   | 7.4.11     |
|                        | to another process.         |            |
| gss_get_mic            | Calculate a cryptographic   | 7.4.9      |
|                        | Message Integrity Code      |            |
|                        | (MIC) for a message.        |            |
| gss_verify_mic         | Verify integrity on a       | 7.4.10     |
|                        | received message.           |            |
| gss_wrap               | Attach a MIC to a message   | 7.4.7      |
|                        | and optionally encrypt the  |            |
|                        | message content.            |            |
| gss_unwrap             | Obtain a previously wrapped | 7.4.8      |
|                        | application message         |            |
|                        | verifying its integrity and |            |
|                        | optionally decrypting it.   |            |
+------------------------+-----------------------------+------------+
The functionality offered by the gss_process_context_token routine has not been included in the Java bindings specification. The corresponding functionality of gss_delete_sec_context has also been modified to not return any peer tokens. This has been proposed in accordance with the recommendations stated in RFC 2743 [RFC2743]. GSSContext does offer the functionality of destroying the locally stored context information.
This helper class is used in the per-message operations on the context. An instance of this class is created by the application and then passed into the per-message calls. In some cases, the application conveys information to the GSS-API implementation through this object, and in other cases, the GSS-API returns information to the application by setting it in this object. See the description of the per-message operations wrap, unwrap, getMIC, and verifyMIC in the GSSContext interfaces for details.
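The two-way use of the helper class described above, as an added example that is not code from the RFC: the application fills in the QOP and privacy request before wrap()/getMIC(), and the GSS-API overwrites the same object with the privacy state actually applied and the supplementary replay/sequence flags after unwrap()/verifyMIC(). It assumes ctx is a GSSContext that was established with confidentiality, replay detection and sequence detection requested; the class and method names are the example's own.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Added illustration of MessageProp across the per-message calls.
 * Assumes ctx is already established with requestConf(true),
 * requestReplayDet(true) and requestSequenceDet(true) on both peers.
 */
public final class PerMessage {

    /** Inbound to the GSS-API: QOP 0 and privacy requested; outbound: what was applied. */
    public static byte[] protect(GSSContext ctx, byte[] plaintext) throws GSSException {
        MessageProp prop = new MessageProp(0, true);
        byte[] token = ctx.wrap(plaintext, 0, plaintext.length, prop);
        // A mechanism may silently fall back to integrity-only; the flag reveals it.
        if (!prop.getPrivacy()) {
            throw new IllegalStateException("confidentiality requested but not applied");
        }
        return token;
    }

    /** Unwraps and enforces both the returned privacy state and the replay/sequence bits. */
    public static byte[] receive(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(0, false);   // values are overwritten by unwrap()
        byte[] plaintext = ctx.unwrap(token, 0, token.length, prop);
        if (!prop.getPrivacy()) {
            throw new SecurityException("integrity-only token received on a confidential channel");
        }
        // Supplementary status set by the GSS-API; only meaningful when replay or
        // sequence detection was requested on the context.
        if (prop.isDuplicateToken() || prop.isOldToken()
                || prop.isUnseqToken() || prop.isGapToken()) {
            throw new SecurityException("per-message token rejected: "
                    + prop.getMinorString() + " (minor status " + prop.getMinorStatus() + ")");
        }
        return plaintext;
    }

    /** Integrity-only protection: the MIC is carried separately from the message. */
    public static byte[] sign(GSSContext ctx, byte[] message) throws GSSException {
        MessageProp prop = new MessageProp(0, false);   // privacy does not apply to a MIC
        return ctx.getMIC(message, 0, message.length, prop);
    }

    /** A tampered message or MIC makes verifyMIC() throw; the flags catch replays. */
    public static void check(GSSContext ctx, byte[] mic, byte[] message) throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        ctx.verifyMIC(mic, 0, mic.length, message, 0, message.length, prop);
        if (prop.isDuplicateToken() || prop.isOldToken()
                || prop.isUnseqToken() || prop.isGapToken()) {
            throw new SecurityException("MIC token rejected: " + prop.getMinorString());
        }
    }
}
```

The point of reading the MessageProp back is that a successful return from unwrap() alone does not say whether the data was encrypted or whether the mechanism flagged it as a replay; both facts are only available through the object the application passed in.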
Exceptions are used in the Java bindings to signal fatal errors to the calling applications. This replaces the major and minor codes used in the C-bindings specification as a method of signaling failures. The GSSException class handles both minor and major codes, as well as their translation into textual representation. All GSS-API methods are declared as throwing this exception.
+--------------------+----------------------------+-----------------+
| RFC 2743 Routine   | Function                   | Section         |
+--------------------+----------------------------+-----------------+
| gss_display_status | Retrieve textual           | 7.8.5, 7.8.6,   |
|                    | representation of error    | 7.8.9, 7.8.10   |
|                    | codes.                     |                 |
+--------------------+----------------------------+-----------------+
This utility class is used to represent Universal Object Identifiers and their associated operations. GSS-API uses Object Identifiers to distinguish between security mechanisms and name types. This class, aside from being used whenever an Object Identifier is needed, implements the following GSS-API functionality:
+-------------------------+-------------------------------+---------+
| RFC 2743 Routine        | Function                      | Section |
+-------------------------+-------------------------------+---------+
| gss_test_oid_set_member | Determine if the specified    | 7.7.5   |
|                         | OID is part of a set of OIDs. |         |
+-------------------------+-------------------------------+---------+
An instance of this class is used to specify channel-binding information to the GSSContext object before the start of a security context establishment. The application may use a byte array to specify application data to be used in the channel binding, and may also supply instances of InetAddress. InetAddress is currently the only address type defined within the Java platform and, as such, it is the only one supported within the ChannelBinding class. Applications that use other types of addresses can include them as part of the application data.
This section lists a detailed description of all the public methods that each of the GSS-API classes and interfaces MUST provide.
The GSSManager class is an abstract class that serves as a factory for three GSS interfaces: GSSName, GSSCredential, and GSSContext. It also provides methods for applications to determine what mechanisms are available from the GSS implementation and what name types these mechanisms support. An instance of the default GSSManager subclass MAY be obtained through the static method getInstance(), but applications are free to instantiate other subclasses of GSSManager.
All but one method in this class are declared abstract. This means that subclasses have to provide the complete implementation for those methods. The only exception to this is the static method getInstance(), which will have platform-specific code to return an instance of the default subclass.
Platform providers of GSS are REQUIRED not to add any constructors to this class, whether the constructor is private, public, or protected. This will ensure that all subclasses invoke only the default constructor provided to the base class by the compiler.
A subclass extending the GSSManager abstract class MAY be implemented as a modular provider-based layer that utilizes some well-known service provider specification. The GSSManager API provides the application with methods to set provider preferences on such an implementation. These methods also allow the implementation to throw a well-defined exception in case provider-based configuration is not supported. Applications that expect to be portable SHOULD be aware of this and recover cleanly by catching the exception.
It is envisioned that there will be three most common ways in which providers will be used:
1) The application does not care about what provider is used (the default case).
2) The application wants a particular provider to be used preferentially, either for a particular mechanism or all the time, irrespective of the mechanism.
3) The application wants to use the locally configured providers as far as possible, but if support is missing for one or more mechanisms, then it wants to fall back on its own provider.
The GSSManager class has two methods that enable these modes of usage: addProviderAtFront() and addProviderAtEnd(). These methods have the effect of creating an ordered list of <provider, OID> pairs where each pair indicates a preference of provider for a given OID.
The use of these methods does not require any knowledge of whatever service provider specification the GSSManager subclass follows. It is hoped that these methods will serve the needs of most applications. Additional methods MAY be added to an extended GSSManager that could be part of a service provider specification that is standardized later.
When neither of the methods is called, the implementation SHOULD choose a default provider for each mechanism it supports.
public static GSSManager getInstance()
Returns the default GSSManager implementation.
public abstract Oid[] getMechs()
Returns an array of Oid objects indicating the mechanisms available to GSS-API callers. A "null" value is returned when no mechanisms are available (an example of this would be when mechanisms are dynamically configured, and currently no mechanisms are installed).
public abstract Oid[] getNamesForMech(Oid mech) throws GSSException
Returns name type OIDs supported by the specified mechanism.
Parameters:
mech The Oid object for the mechanism to query.
public abstract Oid[] getMechsForName(Oid nameType)
Returns an array of Oid objects corresponding to the mechanisms that support the specific name type. "null" is returned when no mechanisms are found to support the specified name type.
Parameters:
nameType The Oid object for the name type.
public abstract GSSName createName(String nameStr, Oid nameType) throws GSSException
Factory method to convert a contiguous string name from the specified namespace to a GSSName object. In general, the GSSName object created will not be an MN; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation does not support multiple mechanisms.
Parameters:
nameStr The string representing a printable form of the name to create.
nameType The OID specifying the namespace of the printable name supplied. Note that nameType serves to describe and qualify the interpretation of the input nameStr; it does not necessarily imply a type for the output GSSName implementation. The "null" value can be used to specify that a mechanism-specific default printable syntax SHOULD be assumed by each mechanism that examines nameStr.
public abstract GSSName createName(byte[] name, Oid nameType) throws GSSException
Factory method to convert a contiguous byte array containing a name from the specified namespace to a GSSName object. In general, the GSSName object created will not be an MN; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation does not support multiple mechanisms.
Parameters:
name The byte array containing the name to create.
nameType The OID specifying the namespace of the name supplied in the byte array. Note that nameType serves to describe and qualify the interpretation of the input name byte array; it does not necessarily imply a type for the output GSSName implementation. The "null" value can be used to specify that a mechanism-specific default syntax SHOULD be assumed by each mechanism that examines the byte array.
public abstract GSSName createName(String nameStr, Oid nameType, Oid mech) throws GSSException
Factory method to convert a contiguous string name from the specified namespace to a GSSName object that is a mechanism name (MN). In other words, this method is a utility that does the equivalent of two steps: the createName described in Section 7.1.5 and also the GSSName.canonicalize() described in Section 7.2.4.
Parameters:
nameStr The string representing a printable form of the name to create.
nameType The OID specifying the namespace of the printable name supplied. Note that nameType serves to describe and qualify the interpretation of the input nameStr; it does not necessarily imply a type for the output GSSName implementation. The "null" value can be used to specify that a mechanism-specific default printable syntax SHOULD be assumed when the mechanism examines nameStr.
mech OID specifying the mechanism for which this name should be created.
public abstract GSSName createName(byte[] name, Oid nameType, Oid mech) throws GSSException
Factory method to convert a contiguous byte array containing a name from the specified namespace to a GSSName object that is an MN. In other words, this method is a utility that does the equivalent of two steps: the createName described in Section 7.1.6 and also the GSSName.canonicalize() described in Section 7.2.4.
Parameters:
name The byte array representing the name to create.
nameType The OID specifying the namespace of the name supplied in the byte array. Note that nameType serves to describe and qualify the interpretation of the input name byte array; it does not necessarily imply a type for the output GSSName implementation. The "null" value can be used to specify that a mechanism-specific default syntax SHOULD be assumed by each mechanism that examines the byte array.
mech OID specifying the mechanism for which this name should be created.
public abstract GSSCredential createCredential(int usage) throws GSSException
Factory method for acquiring default credentials. This will cause the GSS-API to use system-specific defaults for the set of mechanisms, name, and a DEFAULT lifetime.
Parameters:
usage The intended usage for this credential object. The value of this parameter MUST be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2)
public abstract GSSCredential createCredential(GSSName aName, int lifetime, Oid mech, int usage) throws GSSException
Factory method for acquiring a single-mechanism credential.
Parameters:
aName Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
lifetime The number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
mech The OID of the desired mechanism. Use "(Oid) null" to request the default mechanism.
usage The intended usage for this credential object. The value of this parameter MUST be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2)
public abstract GSSCredential createCredential(GSSName aName, int lifetime, Oid[] mechs, int usage) throws GSSException
Factory method for acquiring credentials over a set of mechanisms. Acquires credentials for each of the mechanisms specified in the array called mechs. To determine the list of mechanisms for which the acquisition of credentials succeeded, the caller should use the GSSCredential.getMechs() method.
Parameters:
aName Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
lifetime The number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
mechs The array of mechanisms over which the credential is to be acquired. Use "(Oid[]) null" for requesting a system-specific default set of mechanisms.
usage The intended usage for this credential object. The value of this parameter MUST be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2)
public abstract GSSContext createContext(GSSName peer, Oid mech, GSSCredential myCred, int lifetime) throws GSSException
Factory method for creating a context on the initiator's side. Context flags may be modified through the mutator methods prior to calling GSSContext.initSecContext().
Parameters:
peer Name of the target peer.
mech OID of the desired mechanism. Use "(Oid) null" to request the default mechanism.
myCred Credentials of the initiator. Use "null" to act as a default initiator principal.
lifetime The requested lifetime, in seconds, for the context. Use GSSContext.INDEFINITE_LIFETIME and GSSContext.DEFAULT_LIFETIME to request indefinite or default context lifetime.
public abstract GSSContext createContext(GSSCredential myCred) throws GSSException
Factory method for creating a context on the acceptor's side. The context's properties will be determined from the input token supplied to the accept method.
Parameters:
myCred Credentials for the acceptor. Use "null" to act as a default acceptor principal.
public abstract GSSContext createContext(byte[] interProcessToken) throws GSSException
Factory method for importing a previously exported context. The context properties will be determined from the input token and can't be modified through the set methods.
Parameters:
interProcessToken The token previously emitted from the export method.
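The factory methods above, chained in the order an initiator calls them, as an added example that is not code from the RFC. It also exercises the Oid class's set-membership check (the gss_test_oid_set_member equivalent) and the ChannelBinding class from the earlier overview. It assumes a GSS provider with Kerberos V5 support and a reachable KDC; the mechanism OID is the one quoted in this section's sample code, while the service name, the channel-binding bytes and the class and method names are placeholders chosen for the example.

```java
import java.nio.charset.StandardCharsets;

import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added illustration of the GSSManager factory chain on the initiator's side. */
public final class InitiatorSetup {

    /** Kerberos V5 mechanism OID, as quoted in this section's sample code. */
    private static final Oid KRB5;
    static {
        try {
            KRB5 = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Returns an initiator context for service@host with mutual authentication,
     * integrity, confidentiality and replay/sequence detection requested, bound
     * to the supplied channel data when it is non-null.
     */
    public static GSSContext prepare(String hostBasedService, byte[] channelData)
            throws GSSException {
        GSSManager mgr = GSSManager.getInstance();

        // Oid.containedIn() is the gss_test_oid_set_member equivalent; getMechs()
        // may return null when no mechanisms are installed, so check that first.
        Oid[] mechs = mgr.getMechs();
        if (mechs == null || !KRB5.containedIn(mechs)) {
            throw new GSSException(GSSException.BAD_MECH);
        }

        // The name type only qualifies how the string is parsed; the result is
        // not an MN (the three-argument createName with a mech OID would give one).
        GSSName peer = mgr.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);

        // Default principal and default lifetime; INITIATE_ONLY so this credential
        // can never be used to accept a context.
        GSSCredential myCred = mgr.createCredential(GSSCredential.INITIATE_ONLY);

        // Single-mechanism context. Flags and channel bindings may still be
        // changed here, before the first initSecContext() call.
        GSSContext ctx = mgr.createContext(peer, KRB5, myCred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestInteg(true);
        ctx.requestConf(true);
        ctx.requestReplayDet(true);
        ctx.requestSequenceDet(true);
        if (channelData != null) {
            // Application-data-only binding; the InetAddress constructor of
            // ChannelBinding would be used to add initiator/acceptor addresses.
            ctx.setChannelBinding(new ChannelBinding(channelData));
        }
        return ctx;
    }

    public static void main(String[] args) throws GSSException {
        // Constructed placeholder for binding data the application derives itself.
        byte[] binding = "constructed-channel-binding".getBytes(StandardCharsets.UTF_8);
        GSSContext ctx = prepare("host@server.example.com", binding);
        // First leg of the handshake: no input token yet; the output goes to the acceptor.
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        System.out.println("first token: " + (token == null ? 0 : token.length) + " bytes");
        ctx.dispose();
    }
}
```

Checking the mechanism set up front turns a vague failure deep inside initSecContext() into an explicit BAD_MECH at setup time, and requesting the context flags before the first call matters because, as the createContext description says, they cannot be changed once establishment has started.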
public abstract void addProviderAtFront(Provider p, Oid mech) throws GSSException
This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism. When a value of "null" is used instead of an Oid object for the mechanism, the GSSManager MUST use the indicated provider ahead of all others no matter what the mechanism is. Only when the indicated provider does not support the needed mechanism should the GSSManager move on to a different provider.
Calling this method repeatedly preserves the older settings but lowers them in preference, thus forming an ordered list of provider and OID pairs that grows at the top.
Calling addProviderAtFront with a null Oid will remove all previous preferences that were set for this provider in the GSSManager instance. Calling addProviderAtFront with a non-null Oid will remove any previous preference that was set using this mechanism and this provider together.
If the GSSManager implementation does not support an SPI with a pluggable provider architecture, it SHOULD throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
Parameters:
p The provider instance that should be used whenever support is needed for mech.
mech The mechanism for which the provider is being set.
Suppose an application desired that provider A always be checked first when any mechanism is needed, it would call:
<CODE BEGINS>
   GSSManager mgr = GSSManager.getInstance();
   // mgr may at this point have its own pre-configured list
   // of provider preferences. The following will prepend to
   // any such list:

   mgr.addProviderAtFront(A, null);
<CODE ENDS>
Now if it also desired that the mechanism of OID m1 always be obtained from provider B before the previous set A was checked, it would call:
<CODE BEGINS>
   mgr.addProviderAtFront(B, m1);
<CODE ENDS>
The GSSManager would then first check with B if m1 was needed. In case B did not provide support for m1, the GSSManager would continue on to check with A. If any mechanism m2 is needed where m2 is different from m1, then the GSSManager would skip B and check with A directly.
Suppose, at a later time, the following call is made to the same GSSManager instance:
<CODE BEGINS>
   mgr.addProviderAtFront(B, null)
<CODE ENDS>
then the previous setting with the pair (B, m1) is subsumed by this and SHOULD be removed. Effectively, the list of preferences now becomes {(B, null), (A, null), ... //followed by the pre-configured list}.
Please note, however, that the following call:
<CODE BEGINS>
   mgr.addProviderAtFront(A, m3)
<CODE ENDS>
does not subsume the previous setting of (A, null), and the list will effectively become {(A, m3), (B, null), (A, null), ...}
public abstract void addProviderAtEnd(Provider p, Oid mech) throws GSSException
This method is used to indicate to the GSSManager that the application would like a particular provider to be used if no other provider can be found that supports the given mechanism. When a value of "null" is used instead of an Oid object for the mechanism, the GSSManager MUST use the indicated provider for any mechanism.
Calling this method repeatedly preserves the older settings but raises them above newer ones in preference, thus forming an ordered list of providers and OID pairs that grows at the bottom. Thus, the older provider settings will be utilized first before this one is.
If there are any previously existing preferences that conflict with the preference being set here, then the GSSManager SHOULD ignore this request.
If the GSSManager implementation does not support an SPI with a pluggable provider architecture, it SHOULD throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
Parameters:
p The provider instance that should be used whenever support is needed for mech.
mech The mechanism for which the provider is being set.
Suppose an application desired that when a mechanism of OID m1 is needed, the system default providers always be checked first, and only when they do not support m1 should a provider A be checked. It would then make the call:
假设应用程序希望在需要OID m1机制时,总是首先检查系统默认提供程序,并且只有当它们不支持m1时,才应检查提供程序a。然后它会打电话:
<CODE BEGINS> GSSManager mgr = GSSManager.getInstance();
<CODE BEGINS> GSSManager mgr = GSSManager.getInstance();
mgr.addProviderAtEnd(A, m1); <CODE ENDS>
mgr.addProviderAtEnd(A, m1); <CODE ENDS>
Now, if it also desired that provider B be checked for all mechanisms after all configured providers have been checked, it would then call:
现在,如果它还希望在检查所有配置的提供程序之后检查提供程序B的所有机制,那么它将调用:
<CODE BEGINS> mgr.addProviderAtEnd(B, null); <CODE ENDS>
<CODE BEGINS> mgr.addProviderAtEnd(B, null); <CODE ENDS>
Effectively, the list of preferences now becomes {..., (A, m1), (B, null)}.
实际上,首选项列表现在变成了{…,(A,m1),(B,null)}。
Suppose, at a later time, the following call is made to the same GSSManager instance:
假设稍后对同一GSSManager实例进行以下调用:
<CODE BEGINS> mgr.addProviderAtEnd(B, m2) <CODE ENDS>
<CODE BEGINS> mgr.addProviderAtEnd(B, m2) <CODE ENDS>
then the previous setting with the pair (B, null) subsumes this; therefore, this request SHOULD be ignored. The same would happen if a request is made for the already existing pairs of (A, m1) or (B, null).
然后,前面的设置和对(B,null)包含了这一点;因此,应忽略此请求。如果对已经存在的(a,m1)或(B,null)对发出请求,也会发生同样的情况。
Please note, however, that the following call:
但请注意,以下电话:
<CODE BEGINS> mgr.addProviderAtEnd(A, null) <CODE ENDS>
<CODE BEGINS> mgr.addProviderAtEnd(A, null) <CODE ENDS>
is not subsumed by the previous setting of (A, m1), and the list will effectively become {..., (A, m1), (B, null), (A, null)}.
不包含在前面的(A,m1)设置中,列表将有效地变成{…,(A,m1),(B,null),(A,null)}。
<CODE BEGINS> GSSManager mgr = GSSManager.getInstance();
<CODE BEGINS> GSSManager mgr = GSSManager.getInstance();
// What mechs are available to us?
//我们有什么机械装置?
Oid[] supportedMechs = mgr.getMechs();
Oid[] supportedMechs = mgr.getMechs();
// Set a preference for the provider to be used when support // is needed for the mechanisms: // "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".
// Set a preference for the provider to be used when support // is needed for the mechanisms: // "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".
Oid krb = new Oid("1.2.840.113554.1.2.2"); Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
Oid krb = new Oid("1.2.840.113554.1.2.2"); Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
Provider p = (Provider) (new com.foo.security.Provider());
Provider p = (Provider) (new com.foo.security.Provider());
mgr.addProviderAtFront(p, krb); mgr.addProviderAtFront(p, spkm1);
mgr.addProviderAtFront(p, krb); mgr.addProviderAtFront(p, spkm1);
// What name types does this spkm implementation support? Oid[] nameTypes = mgr.getNamesForMech(spkm1); <CODE ENDS>
// What name types does this spkm implementation support? Oid[] nameTypes = mgr.getNamesForMech(spkm1); <CODE ENDS>
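The subsumption rules for the preference list are easy to get wrong, so here is an added stand-alone model of them (not the GSSManager implementation of any runtime, and not code from the RFC): addProviderAtEnd as specified above, plus addProviderAtFront from the preceding section, driven by the same (A, m1), (B, null), (B, m2), (A, null) sequence the text walks through. The providers and OIDs in main() are constructed stand-ins.

```java
import java.security.Provider;
import java.util.ArrayList;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/**
 * Added model of the provider preference list specified above. This only
 * illustrates the ordering and subsumption rules; it is not a GSSManager.
 */
public final class ProviderPreferenceList {

    /** One (provider, mech) pair; mech == null means "for any mechanism". */
    static final class Pref {
        final Provider provider;
        final Oid mech;

        Pref(Provider provider, Oid mech) {
            this.provider = provider;
            this.mech = mech;
        }

        /** (P, null) subsumes (P, m) for every m; (P, m) subsumes only (P, m). */
        boolean subsumes(Pref other) {
            return provider == other.provider
                    && (mech == null || mech.equals(other.mech));
        }

        @Override
        public String toString() {
            return "(" + provider.getName() + ", " + mech + ")";
        }
    }

    private final List<Pref> prefs = new ArrayList<>();

    /** New pair goes first; any older pair that it subsumes is removed. */
    public void addProviderAtFront(Provider p, Oid mech) {
        Pref added = new Pref(p, mech);
        prefs.removeIf(added::subsumes);
        prefs.add(0, added);
    }

    /** New pair goes last; ignored when an existing pair already subsumes it. */
    public void addProviderAtEnd(Provider p, Oid mech) {
        Pref added = new Pref(p, mech);
        for (Pref existing : prefs) {
            if (existing.subsumes(added)) {
                return;   // conflicting preference: the request is ignored
            }
        }
        prefs.add(added);
    }

    /** First applicable provider in preference order; null means "use system defaults". */
    public Provider providerFor(Oid mech) {
        for (Pref pref : prefs) {
            if (pref.mech == null || pref.mech.equals(mech)) {
                return pref.provider;
            }
        }
        return null;
    }

    @Override
    public String toString() {
        return prefs.toString();
    }

    public static void main(String[] args) throws GSSException {
        // Constructed stand-in providers "A" and "B" (Provider is abstract; Java 9+ constructor).
        Provider a = new Provider("A", "1.0", "constructed stand-in") { };
        Provider b = new Provider("B", "1.0", "constructed stand-in") { };
        Oid m1 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5, as in the RFC sample
        Oid m2 = new Oid("1.3.6.1.5.5.1.1");        // SPKM-1, as in the RFC sample

        ProviderPreferenceList mgr = new ProviderPreferenceList();
        mgr.addProviderAtEnd(a, m1);
        mgr.addProviderAtEnd(b, null);
        System.out.println(mgr);          // [(A, 1.2.840.113554.1.2.2), (B, null)]
        mgr.addProviderAtEnd(b, m2);      // subsumed by (B, null): ignored
        mgr.addProviderAtEnd(a, null);    // not subsumed by (A, m1): appended
        System.out.println(mgr);          // [(A, 1.2.840.113554.1.2.2), (B, null), (A, null)]
        System.out.println(mgr.providerFor(m2).getName());   // B
    }
}
```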
This interface encapsulates a single GSS-API principal entity. Different name formats and their definitions are identified with Universal OIDs. The format of the names can be derived based on the unique OID of its namespace type.
public static final Oid NT_HOSTBASED_SERVICE
OID indicating a host-based service name form. It is used to represent services associated with host computers. This name form is constructed using two elements, "service" and "hostname", as follows:
service@hostname
Values for the "service" element are registered with the IANA. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) service_name(4) }
public static final Oid NT_USER_NAME
Name type to indicate a named user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
public static final Oid NT_MACHINE_UID_NAME
Name type to indicate a numeric user identifier corresponding to a user on a local system (e.g., Uid). It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) machine_uid_name(2) }
public static final Oid NT_STRING_UID_NAME
Name type to indicate a string of digits representing the numeric user identifier of a user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) }
public static final Oid NT_ANONYMOUS
Name type for representing an anonymous entity. It represents the following value: { iso(1), org(3), dod(6), internet(1), security(5), nametypes(6), gss-anonymous-name(3) }
public static final Oid NT_EXPORT_NAME
Name type used to indicate an exported name produced by the export method. It represents the following value: { iso(1), org(3), dod(6), internet(1), security(5), nametypes(6), gss-api-exported-name(4) }
public boolean equals(GSSName another) throws GSSException
Compares two GSSName objects to determine whether they refer to the same entity. This method MAY throw a GSSException when the names cannot be compared. If either of the names represents an anonymous entity, the method will return "false".
Parameters:
another GSSName object with which to compare.
public boolean equals(Object another)
A variation of the equals method, described in Section 7.2.2, that is provided to override the Object.equals() method that the implementing class will inherit. The behavior is exactly the same as that in Section 7.2.2 except that no GSSException is thrown; instead, "false" will be returned in the situation where an error occurs. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method MUST return the same integer result when the hashCode() method is called on them.)
Parameters:
another GSSName object with which to compare.
public GSSName canonicalize(Oid mech) throws GSSException
Creates an MN from an arbitrary internal name. This is equivalent to using the factory methods described in Sections 7.1.7 or 7.1.8 that take the mechanism name as one of their parameters.
Parameters:
mech The OID for the mechanism for which the canonical form of the name is requested.
public byte[] export() throws GSSException
Returns a canonical contiguous byte representation of an MN, suitable for direct, byte-by-byte comparison by authorization functions. If the name is not an MN, implementations MAY throw a GSSException with the NAME_NOT_MN status code. If an implementation chooses not to throw an exception, it SHOULD use some system-specific default mechanism to canonicalize the name and then export it. The format of the header of the output buffer is specified in RFC 2743 [RFC2743].
public String toString()
Returns a textual representation of the GSSName object. To retrieve the printed name format, which determines the syntax of the returned string, the getStringNameType method can be used.
public Oid getStringNameType() throws GSSException
Returns the OID representing the type of name returned through the toString method. Using this OID, the syntax of the printable name can be determined.
public boolean isAnonymous()
Tests if this name object represents an anonymous entity. Returns "true" if this is an anonymous name.
public boolean isMN()
Tests if this name object contains only one mechanism element and is thus a mechanism name as defined by RFC 2743 [RFC2743].
Included below are code examples utilizing the GSSName interface. The code below creates a GSSName, converts it to an MN, performs a comparison, obtains a printable representation of the name, exports it, and then re-imports it to obtain a new GSSName.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();

// create a host-based service name
GSSName name = mgr.createName("service@host",
                              GSSName.NT_HOSTBASED_SERVICE);

Oid krb5 = new Oid("1.2.840.113554.1.2.2");

GSSName mechName = name.canonicalize(krb5);

// the above two steps are equivalent to the following
GSSName mechName = mgr.createName("service@host",
                                  GSSName.NT_HOSTBASED_SERVICE, krb5);

// perform name comparison
if (name.equals(mechName))
    print("Names are equal.");

// obtain textual representation of name and its printable
// name type
print(mechName.toString() +
      mechName.getStringNameType().toString());

// export the name
byte[] exportName = mechName.export();

// create a new name object from the exported buffer
GSSName newName = mgr.createName(exportName,
                                 GSSName.NT_EXPORT_NAME);
<CODE ENDS>
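The export() description above says exported names are meant for byte-by-byte comparison by authorization functions. The following is an added example (not from the RFC) of an allow-list built that way: entries are canonicalized to Kerberos V5 MNs and stored in exported form, and a peer name is admitted only on an exact byte match, never on its printable string, whose syntax depends on the name type. The principal strings in main() are constructed and resolving them needs a Kerberos environment.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example: an allow-list keyed on exported mechanism names. The
 * mechanism OID is Kerberos V5, the one used in the RFC samples.
 */
public final class ExportedNameAllowList {

    private static final Oid KRB5;
    static {
        try {
            KRB5 = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private final GSSManager mgr;
    private final List<byte[]> allowed = new ArrayList<>();

    public ExportedNameAllowList(GSSManager mgr) {
        this.mgr = mgr;
    }

    /** Canonicalizes an internal name to a KRB5 MN and stores its exported form. */
    public void allow(String printable, Oid nameType) throws GSSException {
        GSSName name = mgr.createName(printable, nameType);
        allowed.add(toExportedMN(name));
    }

    /**
     * True only if the peer's exported name equals a stored entry exactly.
     * Anonymous names never match, mirroring equals(), which is defined to
     * return "false" when either name is anonymous.
     */
    public boolean isAllowed(GSSName peer) throws GSSException {
        if (peer.isAnonymous()) {
            return false;
        }
        byte[] exported = toExportedMN(peer);
        for (byte[] entry : allowed) {
            if (Arrays.equals(entry, exported)) {
                return true;
            }
        }
        return false;
    }

    /**
     * export() is specified for MNs, so a non-MN is canonicalized here
     * explicitly instead of relying on an implementation's default mechanism.
     */
    private static byte[] toExportedMN(GSSName name) throws GSSException {
        GSSName mn = name.isMN() ? name : name.canonicalize(KRB5);
        return mn.export();
    }

    public static void main(String[] args) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        ExportedNameAllowList acl = new ExportedNameAllowList(mgr);
        // Constructed entries: one host-based service and one local user name.
        acl.allow("host@backup.example.test", GSSName.NT_HOSTBASED_SERVICE);
        acl.allow("alice", GSSName.NT_USER_NAME);

        // A peer name as an acceptor would obtain it from its established context.
        GSSName peer = mgr.createName("alice", GSSName.NT_USER_NAME);
        // The decision rests on the exported bytes; toString() forms of the same
        // entity can differ by name type, so they are never compared here.
        System.out.println(peer + " allowed: " + acl.isAllowed(peer));
    }
}
```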
This interface encapsulates the GSS-API credentials for an entity. A credential contains all the necessary cryptographic information to enable the creation of a context on behalf of the entity that it represents. It MAY contain multiple, distinct, mechanism-specific credential elements, each containing information for a specific security mechanism, but all referring to the same entity.
A credential MAY be used to perform context initiation, acceptance, or both.
GSS-API implementations MUST impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. GSS-API credential creation is not intended to provide a "login to the network" function, as such a function would involve the creation of new credentials rather than merely acquiring a handle to existing credentials. Such functions, if required, SHOULD be defined in implementation-specific extensions to the API.
If credential acquisition is time-consuming for a mechanism, the mechanism MAY choose to delay the actual acquisition until the credential is required (e.g., by GSSContext). Such mechanism-specific implementation decisions SHOULD be invisible to the calling application; thus, the query methods immediately following the creation of a credential object MUST return valid credential data and may therefore incur the overhead of a deferred credential acquisition.
Applications will create a credential object passing the desired parameters. The application can then use the query methods to obtain specific information about the instantiated credential object (equivalent to the gss_inquire routines). When the credential is no longer needed, the application SHOULD call the dispose (equivalent to gss_release_cred) method to release any resources held by the credential object and to destroy any cryptographically sensitive information.
Classes implementing this interface also implement the Cloneable interface. This indicates that the class will support the clone() method that will allow the creation of duplicate credentials. This is useful when called just before the add() call to retain a copy of the original credential.
public static final int INITIATE_AND_ACCEPT
Credential usage flag requesting that it be able to be used for both context initiation and acceptance. The value of this constant is 0.
public static final int INITIATE_ONLY
Credential usage flag requesting that it be able to be used for context initiation only. The value of this constant is 1.
public static final int ACCEPT_ONLY
Credential usage flag requesting that it be able to be used for context acceptance only. The value of this constant is 2.
public static final int DEFAULT_LIFETIME
A lifetime constant representing the default credential lifetime. The value of this constant is 0.
public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite credential lifetime. The value of this constant is the maximum integer value in Java -- Integer.MAX_VALUE.
public void dispose() throws GSSException
Releases any sensitive information that the GSSCredential object may be containing. Applications SHOULD call this method as soon as the credential is no longer needed to minimize the time any sensitive information is maintained.
public GSSName getName() throws GSSException
Retrieves the name of the entity that the credential asserts.
public GSSName getName(Oid mechOID) throws GSSException
Retrieves a mechanism name of the entity that the credential asserts. Equivalent to calling canonicalize() on the name returned by Section 7.3.3.
Parameters:
mechOID The mechanism for which information should be returned.
public int getRemainingLifetime() throws GSSException
Returns the remaining lifetime in seconds for a credential. The remaining lifetime is the minimum lifetime for any of the underlying credential mechanisms. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire. A return value of 0 indicates that the credential is already expired.
public int getRemainingInitLifetime(Oid mech) throws GSSException
Returns the remaining lifetime in seconds for the credential to remain capable of initiating security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context initiation. A return value of 0 indicates that the credential is already expired.
Parameters:
mech The mechanism for which information should be returned.
public int getRemainingAcceptLifetime(Oid mech) throws GSSException
Returns the remaining lifetime in seconds for the credential to remain capable of accepting security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context acceptance. A return value of 0 indicates that the credential is already expired.
Parameters:
mech The mechanism for which information should be returned.
public int getUsage() throws GSSException
Returns the credential usage flag as a union over all mechanisms. The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
Specifically, GSSCredential.INITIATE_AND_ACCEPT(0) SHOULD be returned as long as there exists one credential element allowing context initiation and one credential element allowing context acceptance. These two credential elements are not necessarily the same one, nor do they need to use the same mechanism(s).
public int getUsage(Oid mechOID) throws GSSException
Returns the credential usage flag for the specified mechanism only. The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
Parameters:
mechOID The mechanism for which information should be returned.
public Oid[] getMechs() throws GSSException
Returns an array of mechanisms supported by this credential.
public void add(GSSName aName, int initLifetime, int acceptLifetime, Oid mech, int usage) throws GSSException
Adds a mechanism-specific credential element to an existing credential. This method allows the construction of credentials one mechanism at a time.
This routine is envisioned to be used mainly by context acceptors during the creation of acceptance credentials, which are to be used with a variety of clients using different security mechanisms.
This routine adds the new credential element "in-place". To add the element to a new credential instead, first call clone() to obtain a copy of this credential, then call its add() method.
Parameters:
aName Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
initLifetime The number of seconds that credentials should remain valid for initiating security contexts. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request the default credential lifetime.
acceptLifetime The number of seconds that credentials should remain valid for accepting security contexts. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request the default credential lifetime.
mech The mechanism over which the credential element is to be acquired.
usage The intended usage for this credential object. The value of this parameter MUST be one of:
GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2)
public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied object. The two credentials MUST be acquired over the same mechanisms and MUST refer to the same principal. Returns "true" if the two GSSCredentials refer to the same entity, or "false" otherwise. (Note that the Java language specification [JLS] requires that two objects that are equal according to the equals(Object) method MUST return the same integer result when the hashCode() method is called on them.)
Parameters:
another Another GSSCredential object for comparison.
This example code demonstrates the creation of a GSSCredential implementation for a specific entity, querying of its fields, and its release when it is no longer needed.
<CODE BEGINS>
GSSManager mgr = GSSManager.getInstance();

// start by creating a name object for the entity
GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);

// now acquire credentials for the entity
GSSCredential cred = mgr.createCredential(name,
                                          GSSCredential.INDEFINITE_LIFETIME,
                                          (Oid[])null,
                                          GSSCredential.ACCEPT_ONLY);

// display credential information - name, remaining lifetime,
// and the mechanisms it has been acquired over
print(cred.getName().toString());
print(cred.getRemainingLifetime());

Oid[] mechs = cred.getMechs();
if (mechs != null) {
    for (int i = 0; i < mechs.length; i++)
        print(mechs[i].toString());
}

// release system resources held by the credential
cred.dispose();
<CODE ENDS>
This interface encapsulates the GSS-API security context and provides the security services (wrap, unwrap, getMIC, and verifyMIC) that are available over the context. Security contexts are established between peers using locally acquired credentials. Multiple contexts may exist simultaneously between a pair of peers, using the same or different sets of credentials. GSS-API functions in a manner independent of the underlying transport protocol and depends on its calling application to transport its tokens between peers.
Before the context establishment phase is initiated, the context initiator may request specific characteristics desired of the established context. These can be set using the set methods. After the context is established, the caller can check the actual characteristics and services offered by the context using the query methods.
The context establishment phase begins with the first call to the init method by the context initiator. During this phase, the initSecContext and acceptSecContext methods will produce GSS-API authentication tokens, which the calling application needs to send to its peer. If an error occurs at any point, an exception will get thrown and the code will start executing in a catch block, where the exception may contain an output token that should be sent to the peer for debugging or informational purposes. If not, the normal flow of code continues, and the application can make a call to the isEstablished() method. If this method returns "false", it indicates that a token is needed from its peer in order to continue the context establishment phase. A return value of "true" signals that the local end of the context is established. This may still require that a token be sent to the peer, if one is produced by GSS-API. During the context establishment phase, the isProtReady() method may be called to determine if the context can be used for the per-message operations. This allows applications to use per-message operations on contexts that aren't fully established.
After the context has been established or the isProtReady() method returns "true", the query routines can be invoked to determine the actual characteristics and services of the established context. The application can also start using the per-message methods of wrap and getMIC to obtain cryptographic operations on application-supplied data.
When the context is no longer needed, the application SHOULD call dispose to release any system resources the context may be using.
public static final int DEFAULT_LIFETIME
A lifetime constant representing the default context lifetime. The value of this constant is 0.
public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite context lifetime. The value of this constant is the maximum integer value in Java -- Integer.MAX_VALUE.
public byte[] initSecContext(byte[] inputBuf, int offset, int len) throws GSSException
Called by the context initiator to start the context creation process. This method MAY return an output token that the application will need to send to the peer for processing by the accept call. The application can call isEstablished() to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished() indicates that more tokens are expected to be supplied to the initSecContext() method. Note that it is possible that the initSecContext() method will return a token for the peer and isEstablished() will return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.
Upon completion of the context establishment, the available context options may be queried through the get methods.
A GSSException will be thrown if the call fails. Users SHOULD call its getOutputToken() method to find out if there is a token that can be sent to the acceptor to communicate the reason for the error.
Parameters:
inputBuf Token generated by the peer. This parameter is ignored on the first call.
offset The offset within the inputBuf where the token begins.
len The length of the token within the inputBuf (starting at the offset).
public byte[] acceptSecContext(byte[] inTok, int offset, int len) throws GSSException
Called by the context acceptor upon receiving a token from the peer.
This method MAY return an output token that the application will need to send to the peer for further processing by the init call.
The "null" return value indicates that no token needs to be sent to the peer. The application can call isEstablished() to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished() indicates that more tokens are expected to be supplied to this method.
Note that it is possible that acceptSecContext() will return a token for the peer and isEstablished() will return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.
Upon completion of the context establishment, the available context options may be queried through the get methods.
A GSSException will be thrown if the call fails. Users SHOULD call its getOutputToken() method to find out if there is a token that can be sent to the initiator to communicate the reason for the error.
Parameters:
inTok Token generated by the peer.
offset The offset within the inTok where the token begins.
len The length of the token within the inTok (starting at the offset).
public boolean isEstablished()
Used during context establishment to determine the state of the context. Returns "true" if this is a fully established context on the caller's side and no more tokens are needed from the peer. Should be called after a call to initSecContext() or acceptSecContext() when no GSSException is thrown.
public void dispose() throws GSSException
Releases any system resources and cryptographic information stored in the context object. This will invalidate the context.
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) throws GSSException
Returns the maximum message size that, if presented to the wrap method with the same confReq and qop parameters, will result in an output token containing no more than the maxTokenSize bytes.
This call is intended for use by applications that communicate over protocols that impose a maximum message size. It enables the application to fragment messages prior to applying protection.
GSS-API implementations are RECOMMENDED but not required to detect invalid QOP values when getWrapSizeLimit is called. This routine guarantees only a maximum message size, not the availability of specific QOP values for message protection.
Successful completion of this call does not guarantee that wrap will be able to protect a message of the computed length, since this ability may depend on the availability of system resources at the time that wrap is called. However, if the implementation itself imposes an upper limit on the length of messages that may be processed by wrap, the implementation SHOULD NOT return a value that is greater than this length.
Parameters:
qop Indicates the level of protection wrap will be asked to provide.
confReq Indicates if wrap will be asked to provide privacy service.
maxTokenSize The desired maximum size of the token emitted by wrap.
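The fragmentation use case described above, worked through as an added example (not code from RFC 8353). wrapFragmented() asks the context for the size limit once and then wraps the message in pieces no larger than that limit; unwrapFragments() is the receiving side. The checks that the requested privacy was actually applied and that no token exceeds the transport limit are this example's own policy.

```java
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.List;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

// Added example: fragmenting a message so that every wrap token fits a
// transport's maximum frame size. Not part of RFC 8353.
public final class WrapFragmenter {

    /**
     * Wraps msg in pieces whose tokens each fit in maxTokenSize bytes and
     * returns the tokens in order. A zero-length msg yields one zero-length
     * wrap token, which is what "secure framing" protocols rely on.
     */
    public static List<byte[]> wrapFragmented(GSSContext ctx, byte[] msg, int qop,
                                              boolean confReq, int maxTokenSize)
            throws GSSException {
        int limit = ctx.getWrapSizeLimit(qop, confReq, maxTokenSize);
        if (limit <= 0) {
            throw new GSSException(GSSException.FAILURE, 0,
                    "maxTokenSize " + maxTokenSize + " leaves no room for payload");
        }
        List<byte[]> tokens = new ArrayList<>();
        int off = 0;
        do {
            int len = Math.min(limit, msg.length - off);
            MessageProp prop = new MessageProp(qop, confReq);
            byte[] tok = ctx.wrap(msg, off, len, prop);
            if (confReq && !prop.getPrivacy()) {
                // wrap succeeded but the mechanism downgraded to integrity only
                throw new GSSException(GSSException.FAILURE, 0,
                        "mechanism cannot provide confidentiality on this context");
            }
            if (tok.length > maxTokenSize) {
                // getWrapSizeLimit() guarantees this bound for the computed limit;
                // a violation indicates a broken mechanism, not a retry case
                throw new GSSException(GSSException.FAILURE, 0,
                        "wrap token of " + tok.length + " bytes exceeds " + maxTokenSize);
            }
            tokens.add(tok);
            off += len;
        } while (off < msg.length);
        return tokens;
    }

    /**
     * Receiver side: unwrap the fragments in arrival order and concatenate.
     * Correct ordering relies on sequence detection having been requested on
     * the context; this method rejects anomalies rather than reordering.
     */
    public static byte[] unwrapFragments(GSSContext ctx, List<byte[]> tokens)
            throws GSSException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] tok : tokens) {
            MessageProp prop = new MessageProp(0, false);
            byte[] piece = ctx.unwrap(tok, 0, tok.length, prop);
            if (prop.isGapToken() || prop.isUnseqToken()) {
                throw new GSSException(GSSException.UNSEQ_TOKEN, prop.getMinorStatus(),
                        "fragment missing or out of order");
            }
            out.write(piece, 0, piece.length);
        }
        return out.toByteArray();
    }
}
```

The limit is queried once per message rather than once per fragment because the document guarantees it only for the same qop and confReq; if either changes, so may the limit.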
public byte[] wrap(byte[] inBuf, int offset, int len, MessageProp msgProp) throws GSSException
Applies per-message security services over the established security context. The method will return a token with a cryptographic MIC and MAY optionally encrypt the specified inBuf. The returned byte array will contain both the MIC and the message.
The MessageProp object is instantiated by the application and used to specify a QOP value that selects cryptographic algorithms and a privacy service to optionally encrypt the message. The underlying mechanism that is used in the call may not be able to provide the privacy service. It sets the actual privacy service that it does provide in this MessageProp object, which the caller SHOULD then query upon return. If the mechanism is not able to provide the requested QOP, it throws a GSSException with the BAD_QOP code.
Since some application-level protocols may wish to use tokens emitted by wrap to provide "secure framing", implementations SHOULD support the wrapping of zero-length messages.
The application will be responsible for sending the token to the peer.
Parameters:
inBuf Application data to be protected.
offset The offset within the inBuf where the data begins.
len The length of the data within the inBuf (starting at the offset).
msgProp Instance of MessageProp that is used by the application to set the desired QOP and privacy state. Set the desired QOP to 0 to request the default QOP. Upon return from this method, this object will contain the actual privacy state that was applied to the message by the underlying mechanism.
public byte[] unwrap(byte[] inBuf, int offset, int len, MessageProp msgProp) throws GSSException
Used by the peer application to process tokens generated with the wrap call. The method will return the message supplied in the peer application to the wrap call, verifying the embedded MIC.
The MessageProp object is instantiated by the application and is used by the underlying mechanism to return information to the caller such as the QOP, whether confidentiality was applied to the message, and other supplementary message state information.
Since some application-level protocols may wish to use tokens emitted by wrap to provide "secure framing", implementations SHOULD support the wrapping and unwrapping of zero-length messages.
Parameters:
inBuf GSS-API wrap token received from peer.
offset The offset within the inBuf where the token begins.
len The length of the token within the inBuf (starting at the offset).
msgProp Upon return from the method, this object will contain the applied QOP, the privacy state of the message, and supplementary information, described in Section 5.12.3, stating whether the token was a duplicate, old, out of sequence, or arriving after a gap.
public byte[] getMIC(byte[] inMsg, int offset, int len, MessageProp msgProp) throws GSSException
Returns a token containing a cryptographic MIC for the supplied message for transfer to the peer application. Unlike wrap, which encapsulates the user message in the returned token, only the message MIC is returned in the output token.
Note that privacy can only be applied through the wrap call.
Since some application-level protocols may wish to use tokens emitted by getMIC to provide "secure framing", implementations SHOULD support derivation of MICs from zero-length messages.
Parameters:
inMsg Message over which to generate MIC.
offset The offset within the inMsg where the message begins.
len The length of the message within the inMsg (starting at the offset).
msgProp Instance of MessageProp that is used by the application to set the desired QOP. Set the desired QOP to 0 in msgProp to request the default QOP. Alternatively, pass in "null" for msgProp to request default QOP.
public void verifyMIC(byte[] inTok, int tokOffset, int tokLen, byte[] inMsg, int msgOffset, int msgLen, MessageProp msgProp) throws GSSException
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message.
The MessageProp object is instantiated by the application and is used by the underlying mechanism to return information to the caller such as the QOP indicating the strength of protection that was applied to the message and other supplementary message state information.
Since some application-level protocols may wish to use tokens emitted by getMIC to provide "secure framing", implementations SHOULD support the calculation and verification of MICs over zero-length messages.
Parameters:
inTok Token generated by peer's getMIC method.
tokOffset The offset within the inTok where the token begins.
tokLen The length of the token within the inTok (starting at the offset).
inMsg Application message over which to verify the cryptographic MIC.
msgOffset The offset within the inMsg where the message begins.
msgLen The length of the message within the inMsg (starting at the offset).
msgProp Upon return from the method, this object will contain the applied QOP and supplementary information, described in Section 5.12.3, stating whether the token was a duplicate, old, out of sequence, or arriving after a gap. The confidentiality state will be set to "false".
public byte[] export() throws GSSException
Provided to support the sharing of work between multiple processes. This routine will typically be used by the context acceptor, in an application where a single process receives incoming connection requests and accepts security contexts over them, then passes the established context to one or more other processes for message exchange.
This method deactivates the security context and creates an inter-process token that, when passed to the createContext method of GSSManager that takes an inter-process token (a byte array) in another process, will re-activate the context in the second process. Only a single instantiation of a given context may be active at any one time; a subsequent attempt by a context exporter to access the exported security context will fail.
The implementation MAY constrain the set of processes by which the inter-process token may be imported, either as a function of local security policy or as a result of implementation decisions. For example, some implementations may constrain contexts to be passed only between processes that run under the same account, or which are part of the same process group.
The inter-process token MAY contain security-sensitive information (for example, cryptographic keys). While mechanisms are encouraged either to avoid placing such sensitive information within inter-process tokens or to encrypt the token before returning it to the application, in a typical GSS-API implementation, this may not be possible. Thus, the application MUST take care to protect the inter-process token and ensure that any process to which the token is transferred is trustworthy.
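Both halves of the hand-off described above, as an added example that is not code from RFC 8353. The exporting side checks isTransferable() only after isEstablished(), since the document makes that call valid only on established contexts; the importing side zeroes its copy of the token after use because the token may hold key material. How the token travels between the two processes is left to the caller and is assumed to be a channel the importing process trusts.

```java
import java.util.Arrays;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

// Added example: handing an established context to another process.
// Not part of RFC 8353; the inter-process transport is the caller's problem
// and is assumed to be local and trusted (same account, local pipe or socket).
public final class ContextHandoff {

    /**
     * Exporting side. Returns the inter-process token, or null if this
     * context cannot be transferred. After export() the local object is
     * deactivated, so the returned token is the only live copy of the
     * context state, keys included.
     */
    public static byte[] exportForHandoff(GSSContext ctx) throws GSSException {
        // isTransferable() is only valid on a fully established context
        if (!ctx.isEstablished() || !ctx.isTransferable()) {
            return null;
        }
        return ctx.export();
    }

    /**
     * Importing side. Re-activates the context from the token, then zeroes
     * the caller's copy of the token so key material does not linger in the
     * heap longer than necessary.
     */
    public static GSSContext importFromHandoff(byte[] interProcessToken)
            throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        try {
            return mgr.createContext(interProcessToken);
        } finally {
            Arrays.fill(interProcessToken, (byte) 0);
        }
    }
}
```

Zeroing the array is best effort in Java (copies may exist in buffers the transport made), which is why the transport choice matters more than the wipe: the token should never cross a network unprotected.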
public void requestMutualAuth(boolean state) throws GSSException
Sets the request state of the mutual authentication flag for the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean representing if mutual authentication should be requested during context establishment.
public void requestReplayDet(boolean state) throws GSSException
Sets the request state of the replay detection service for the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean representing if replay detection is desired over the established context.
public void requestSequenceDet(boolean state) throws GSSException
Sets the request state for the sequence-checking service of the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean representing if sequence detection is desired over the established context.
public void requestCredDeleg(boolean state) throws GSSException
Sets the request state for the credential delegation flag for the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean representing if credential delegation is desired.
public void requestAnonymity(boolean state) throws GSSException
Requests anonymous support over the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean representing if anonymity support is requested.
public void requestConf(boolean state) throws GSSException
Requests that confidentiality service be available over the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean indicating if confidentiality services are to be requested for the context.
public void requestInteg(boolean state) throws GSSException
Requests that integrity services be available over the context. This method is only valid before the context creation process begins and only for the initiator.
Parameters:
state Boolean indicating if integrity services are to be requested for the context.
public void requestLifetime(int lifetime) throws GSSException
Sets the desired lifetime for the context in seconds. This method is only valid before the context creation process begins and only for the initiator. Use GSSContext.INDEFINITE_LIFETIME and GSSContext.DEFAULT_LIFETIME to request indefinite or default context lifetime.
Parameters:
lifetime The desired context lifetime in seconds.
public void setChannelBinding(ChannelBinding cb) throws GSSException
Sets the channel bindings to be used during context establishment. This method is only valid before the context creation process begins.
Parameters:
cb Channel bindings to be used.
public boolean getCredDelegState()
Returns the state of the delegated credentials for the context. When issued before context establishment is completed or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public boolean getMutualAuthState()
Returns the state of the mutual authentication option for the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public boolean getReplayDetState()
Returns the state of the replay detection option for the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public boolean getSequenceDetState()
Returns the state of the sequence detection option for the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public boolean getAnonymityState()
Returns "true" if this is an anonymous context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public boolean isTransferable() throws GSSException
Returns "true" if the context is transferable to other processes through the use of the export method. This call is only valid on fully established contexts.
public boolean isProtReady()
Returns "true" if the per-message operations can be applied over the context. Some mechanisms may allow the usage of per-message operations before the context is fully established. This will also indicate that the get methods will return actual context state characteristics instead of the desired ones.
public boolean getConfState()
Returns the confidentiality service state over the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public boolean getIntegState()
Returns the integrity service state over the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state; otherwise, it will indicate the actual state over the established context.
public int getLifetime()
Returns the context lifetime in seconds. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired lifetime; otherwise, it will indicate the remaining lifetime for the context.
public GSSName getSrcName() throws GSSException
Returns the name of the context initiator. This call is valid only after the context is fully established or the isProtReady method returns "true". It is guaranteed to return an MN.
public GSSName getTargName() throws GSSException
Returns the name of the context target (acceptor). This call is valid only after the context is fully established or the isProtReady method returns "true". It is guaranteed to return an MN.
public Oid getMech() throws GSSException
Returns the mechanism OID for this context. This method MAY be called before the context is fully established, but the mechanism returned MAY change on successive calls in a negotiated mechanism case.
public GSSCredential getDelegCred() throws GSSException
Returns the delegated credential object on the acceptor's side. To check for availability of delegated credentials, call getCredDelegState. This call is only valid on fully established contexts.
public boolean isInitiator() throws GSSException
Returns "true" if this is the initiator of the context. This call is only valid after the context creation process has started.
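The request and get methods above come in pairs, and the security-relevant point is that a request is only a request: the get methods report the desired state until establishment completes and the actual negotiated state afterwards. The following added example (not code from RFC 8353) requests a set of services on the initiator and then, once the context is established, refuses to use a context on which any of them was not actually provided. The Kerberos v5 OID string is the one quoted in the Oid section of this document; the choice of required services and the disposal of an unwanted delegated credential are this example's policy.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

// Added example: request protection services before establishment, then
// verify the mechanism actually provided them. Not part of RFC 8353.
public final class ContextPolicy {

    /** Kerberos v5 mechanism OID, as quoted in this document's Oid section. */
    public static final Oid KRB5_MECH;
    static {
        try {
            KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Initiator only, and only before the first initSecContext() call. */
    public static void requestServices(GSSContext ctx) throws GSSException {
        ctx.requestMutualAuth(true);   // authenticate the acceptor, not only ourselves
        ctx.requestInteg(true);
        ctx.requestConf(true);
        ctx.requestReplayDet(true);
        ctx.requestSequenceDet(true);
        ctx.requestCredDeleg(false);   // delegation is opt-in; keep it off
        ctx.requestAnonymity(false);
    }

    /**
     * Valid once isEstablished() is true: from then on the get methods report
     * the negotiated state rather than the requested one. Throws if a required
     * service is missing or the mechanism is not the expected one.
     */
    public static void enforceServices(GSSContext ctx, Oid expectedMech)
            throws GSSException {
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT, 0,
                    "services can only be enforced on an established context");
        }
        require(ctx.getMutualAuthState(), "mutual authentication");
        require(ctx.getIntegState(), "integrity");
        require(ctx.getConfState(), "confidentiality");
        require(ctx.getReplayDetState(), "replay detection");
        require(ctx.getSequenceDetState(), "sequence detection");
        require(!ctx.getAnonymityState(), "a named (non-anonymous) peer");
        // getMech() may change while a negotiated mechanism is still being
        // chosen, so the comparison is meaningful only after establishment
        require(expectedMech.equals(ctx.getMech()), "mechanism " + expectedMech);

        // Acceptor side: a delegated credential we did not ask for is a
        // liability. This example drops it; an application that needs it
        // would keep the object returned by getDelegCred() instead.
        if (!ctx.isInitiator() && ctx.getCredDelegState()) {
            if (ctx.getDelegCred() != null) {
                ctx.getDelegCred().dispose();
            }
        }
    }

    private static void require(boolean ok, String service) throws GSSException {
        if (!ok) {
            throw new GSSException(GSSException.FAILURE, 0,
                    "negotiated context lacks required " + service);
        }
    }
}
```

enforceServices() belongs immediately after the establishment loop, before any wrap or unwrap call; the initiator example that follows only prints which services are available, and this method is what turns that information into a decision.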
The example code presented below demonstrates the usage of the GSSContext interface for the initiating peer. Different operations on the GSSContext object are presented, including: object instantiation, setting of desired flags, context establishment, query of actual context flags, per-message operations on application data, and finally context deletion.
   <CODE BEGINS>
   GSSManager mgr = GSSManager.getInstance();

   // start by creating the name for a service entity
   GSSName targetName = mgr.createName("service@host",
                                       GSSName.NT_HOSTBASED_SERVICE);

   // create a context using default credentials for the above entity
   // and the implementation-specific default mechanism
   GSSContext context = mgr.createContext(targetName,
                                          null, /* default mechanism */
                                          null, /* default credentials */
                                          GSSContext.INDEFINITE_LIFETIME);

   // set desired context options - all others are "false" by default
   context.requestConf(true);
   context.requestMutualAuth(true);
   context.requestReplayDet(true);
   context.requestSequenceDet(true);

   // establish a context between peers - using byte arrays
   byte[] inTok = new byte[0];

   try {
       do {
           byte[] outTok = context.initSecContext(inTok, 0,
                                                  inTok.length);

           // send the token if present
           if (outTok != null)
               sendToken(outTok);

           // check if we should expect more tokens
           if (context.isEstablished())
               break;

           // another token expected from peer
           inTok = readToken();

       } while (true);

   } catch (GSSException e) {
       print("GSSAPI error: " + e.getMessage());

       // If the exception contains an output token,
       // it should be sent to the acceptor.
       byte[] outTok = e.getOutputToken();
       if (outTok != null) {
           sendToken(outTok);
       }
       return;
   }

   // display context information
   print("Remaining lifetime in seconds = " + context.getLifetime());
   print("Context mechanism = " + context.getMech().toString());
   print("Initiator = " + context.getSrcName().toString());
   print("Acceptor = " + context.getTargName().toString());

   if (context.getConfState())
       print("Confidentiality security service available");

   if (context.getIntegState())
       print("Integrity security service available");

   // perform wrap on an application-supplied message, appMsg,
   // using QOP = 0, and requesting privacy service
   byte[] appMsg ...

   MessageProp mProp = new MessageProp(0, true);

   byte[] tok = context.wrap(appMsg, 0, appMsg.length, mProp);

   if (mProp.getPrivacy())
       print("Message protected with privacy.");

   sendToken(tok);

   // release the local end of the context
   context.dispose();
   <CODE ENDS>
public class MessageProp
This is a utility class used within the per-message GSSContext methods to convey per-message properties.
When used with the GSSContext interface's wrap and getMIC methods, an instance of this class is used to indicate the desired QOP and to request if confidentiality services are to be applied to caller-supplied data (wrap only). To request default QOP, the value of 0 should be used for QOP. A QOP is an integer value defined by a mechanism.
When used with the unwrap and verifyMIC methods of the GSSContext interface, an instance of this class will be used to indicate the applied QOP and confidentiality services over the supplied message. In the case of verifyMIC, the confidentiality state will always be "false". Upon return from these methods, this object will also contain any supplementary status values applicable to the processed token. The supplementary status values can indicate old tokens, out of sequence tokens, gap tokens, or duplicate tokens.
public MessageProp(boolean privState)
Constructor that sets QOP to 0 indicating that the default QOP is requested.
Parameters:
privState The desired privacy state. "true" for privacy and "false" for integrity only.
public MessageProp(int qop, boolean privState)
Constructor that sets the values for the QOP and privacy state.
Parameters:
qop The desired QOP. Use 0 to request a default QOP.
privState The desired privacy state. "true" for privacy and "false" for integrity only.
public int getQOP()
Retrieves the QOP value.
public boolean getPrivacy()
Retrieves the privacy state.
public int getMinorStatus()
Retrieves the minor status that the underlying mechanism might have set.
public String getMinorString()
Returns a string explaining the mechanism-specific error code. "null" will be returned when no mechanism error code has been set.
public void setQOP(int qopVal)
Sets the QOP value.
Parameters:
qopVal The QOP value to be set. Use 0 to request a default QOP value.
public void setPrivacy(boolean privState)
Sets the privacy state.
Parameters:
privState The privacy state to set.
public boolean isDuplicateToken()
Returns "true" if this is a duplicate of an earlier token.
public boolean isOldToken()
Returns "true" if the token's validity period has expired.
public boolean isUnseqToken()
Returns "true" if a later token has already been processed.
public boolean isGapToken()
Returns "true" if an expected per-message token was not received.
public void setSupplementaryStates(boolean duplicate, boolean old, boolean unseq, boolean gap, int minorStatus, String minorString)
This method sets the state for the supplementary information flags and the minor status in MessageProp. It is not used by the application but by the GSS implementation to return this information to the caller of a per-message context method.
Parameters:
duplicate "true" if the token was a duplicate of an earlier token; otherwise, "false".
old "true" if the token's validity period has expired; otherwise, "false".
unseq "true" if a later token has already been processed; otherwise, "false".
gap "true" if one or more predecessor tokens have not yet been successfully processed; otherwise, "false".
minorStatus The integer minor status code that the underlying mechanism wants to set.
minorString The textual representation of the minorStatus value.
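The unwrap and verifyMIC descriptions earlier in this section and the MessageProp class above share one practical consequence: the supplementary states (duplicate, old, out of sequence, gap) are returned to the caller in the MessageProp rather than raised as errors, so a receiver that never inspects them silently accepts replayed or reordered tokens. The following added example (not code from RFC 8353) is a receive path that serves both passages: it unwraps wrap tokens and verifies MIC tokens, rejects every supplementary anomaly, and additionally refuses an integrity-only wrap token where the application required confidentiality. Treating all four flags as fatal is this example's policy.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

// Added example: receive-side handling of wrap and MIC tokens. The MessageProp
// passed in acts as an output parameter; the mechanism fills it on return.
// Not part of RFC 8353.
public final class MessageReceiver {

    /**
     * Unwraps a peer token and returns the plaintext. Rejects the token if
     * the mechanism reports a replay or ordering anomaly, or if the
     * application required confidentiality and the peer did not apply it.
     */
    public static byte[] unwrapChecked(GSSContext ctx, byte[] tok, boolean requirePrivacy)
            throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        byte[] plain = ctx.unwrap(tok, 0, tok.length, prop);
        rejectAnomalies(prop);
        if (requirePrivacy && !prop.getPrivacy()) {
            // the MIC verified, but the payload travelled in the clear
            throw new GSSException(GSSException.FAILURE, prop.getMinorStatus(),
                    "peer sent an integrity-only wrap token; confidentiality required");
        }
        return plain;
    }

    /**
     * Verifies a getMIC() token over msg. The privacy state of prop is
     * always "false" after verifyMIC, so only the supplementary flags matter.
     */
    public static void verifyMicChecked(GSSContext ctx, byte[] micTok, byte[] msg)
            throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        ctx.verifyMIC(micTok, 0, micTok.length, msg, 0, msg.length, prop);
        rejectAnomalies(prop);
    }

    /**
     * In the API the supplementary flags are informational: unwrap and
     * verifyMIC return normally with them set. This receiver treats every
     * one of them as fatal, which is the right default once replay and
     * sequence detection have been negotiated on the context.
     */
    static void rejectAnomalies(MessageProp prop) throws GSSException {
        int minor = prop.getMinorStatus();
        if (prop.isDuplicateToken()) {
            throw new GSSException(GSSException.DUPLICATE_TOKEN, minor, "replayed token");
        }
        if (prop.isOldToken()) {
            throw new GSSException(GSSException.OLD_TOKEN, minor, "token too old");
        }
        if (prop.isUnseqToken()) {
            throw new GSSException(GSSException.UNSEQ_TOKEN, minor, "token out of sequence");
        }
        if (prop.isGapToken()) {
            throw new GSSException(GSSException.GAP_TOKEN, minor, "earlier token missing");
        }
    }
}
```

The flags only carry meaning if replay and sequence detection were actually negotiated (see getReplayDetState and getSequenceDetState); on a context without them the mechanism has nothing to report and a silent receiver is no worse than this one, but a receiver that checks them costs nothing either way.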
public class ChannelBinding
The GSS-API accommodates the concept of caller-provided channel-binding information. Channel bindings are used to strengthen the quality with which peer entity authentication is provided during context establishment. They enable the GSS-API callers to bind the establishment of the security context to relevant characteristics like addresses or to application-specific data.
The caller initiating the security context MUST determine the appropriate channel-binding values to set in the GSSContext object. The acceptor MUST provide an identical binding in order to validate that received tokens possess correct channel-related characteristics.
Use of channel bindings is OPTIONAL in GSS-API. Since channel-binding information may be transmitted in context establishment tokens, applications SHOULD therefore not use confidential data as channel-binding components.
public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr, byte[] appData)
Create a ChannelBinding object with user-supplied address information and data. "null" values can be used for any fields that the application does not want to specify.
Parameters:
initAddr The address of the context initiator. The "null" value can be supplied to indicate that the application does not want to set this value.
acceptAddr The address of the context acceptor. The "null" value can be supplied to indicate that the application does not want to set this value.
appData Application-supplied data to be used as part of the channel bindings. The "null" value can be supplied to indicate that the application does not want to set this value.
public ChannelBinding(byte[] appData)
Creates a ChannelBinding object without any addressing information.
Parameters:
appData Application-supplied data to be used as part of the channel bindings.
public InetAddress getInitiatorAddress()
Returns the initiator's address for this channel binding. "null" is returned if the address has not been set.
public InetAddress getAcceptorAddress()
Returns the acceptor's address for this channel binding. "null" is returned if the address has not been set.
public byte[] getApplicationData()
Returns application data being used as part of the ChannelBinding. "null" is returned if no application data has been specified for the channel binding.
public boolean equals(Object obj)
Returns "true" if two channel bindings match. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method MUST return the same integer result when the hashCode() method is called on them.)
Parameters:
obj Another channel binding with which to compare.
This class represents Universal OIDs and their associated operations.
OIDs are hierarchically globally interpretable identifiers used within the GSS-API framework to identify mechanisms and name formats.
The structure and encoding of OIDs are defined in ISOIEC-8824 [ISOIEC-8824] and ISOIEC-8825 [ISOIEC-8825]. For example, the OID representation of the Kerberos v5 mechanism is "1.2.840.113554.1.2.2".
The GSSName name class contains public static Oid objects representing the standard name types defined in GSS-API.
public Oid(String strOid) throws GSSException
Creates an Oid object from a string representation of its integer components (e.g., "1.2.840.113554.1.2.2").
Parameters:
strOid The string representation for the OID.
public Oid(InputStream derOid) throws GSSException
Creates an Oid object from its DER encoding. This refers to the full encoding including tag and length. The structure and encoding of OIDs are defined in ISOIEC-8824 [ISOIEC-8824] and ISOIEC-8825 [ISOIEC-8825]. This method is identical in functionality to its byte array counterpart.
Parameters:
derOid Stream containing the DER-encoded OID.
public Oid(byte[] derOid) throws GSSException
Creates an Oid object from its DER encoding. This refers to the full encoding including tag and length. The structure and encoding of OIDs are defined in ISOIEC-8824 [ISOIEC-8824] and ISOIEC-8825 [ISOIEC-8825]. This method is identical in functionality to its InputStream counterpart.
Parameters:
derOid Byte array storing a DER-encoded OID.
public String toString()
Returns a string representation of the OID's integer components in dot-separated notation (e.g., "1.2.840.113554.1.2.2").
public boolean equals(Object obj)
Returns "true" if the two Oid objects represent the same OID value. (Note that the Java language specification [JLS] requires that two objects that are equal according to the equals(Object) method MUST return the same integer result when the hashCode() method is called on them.)
Parameters:
obj Another Oid object with which to compare.
public byte[] getDER()
Returns the full ASN.1 DER encoding for this Oid object, which includes the tag and length.
public boolean containedIn(Oid[] oids)
A utility method to test if an Oid object is contained within the supplied Oid object array.
Parameters:
oids An array of OIDs to search.
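As an added example (not part of this document's own text), the DER encoding the Oid class describes is carried out by hand and cross-checked against the JDK's org.ietf.jgss.Oid; the encode/decode helpers are my own, and the OID value is the Kerberos v5 one quoted above.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/** Hand-written DER OBJECT IDENTIFIER codec, cross-checked against org.ietf.jgss.Oid. */
public final class OidDerExample {

    /** Encodes a dotted OID string as a full DER value: tag 0x06, short-form length, contents. */
    static byte[] encode(String dotted) {
        String[] parts = dotted.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("need at least two arcs: " + dotted);
        long[] arcs = new long[parts.length];
        for (int i = 0; i < parts.length; i++) arcs[i] = Long.parseLong(parts[i]);
        // X.690 folds the first two arcs into one sub-identifier: 40 * arc0 + arc1.
        if (arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) {
            throw new IllegalArgumentException("invalid leading arcs: " + dotted);
        }
        ByteArrayOutputStream contents = new ByteArrayOutputStream();
        writeBase128(contents, 40 * arcs[0] + arcs[1]);
        for (int i = 2; i < arcs.length; i++) writeBase128(contents, arcs[i]);
        byte[] body = contents.toByteArray();
        if (body.length > 127) throw new IllegalArgumentException("long-form length not handled here");
        ByteArrayOutputStream der = new ByteArrayOutputStream();
        der.write(0x06);               // OBJECT IDENTIFIER tag
        der.write(body.length);        // short-form length (< 128)
        der.write(body, 0, body.length);
        return der.toByteArray();
    }

    /** Writes one sub-identifier as big-endian 7-bit groups; bit 8 is set on all but the last byte. */
    private static void writeBase128(ByteArrayOutputStream out, long value) {
        int groups = 1;
        for (long t = value >>> 7; t != 0; t >>>= 7) groups++;
        for (int i = groups - 1; i >= 0; i--) {
            int b = (int) ((value >>> (7 * i)) & 0x7F);
            out.write(i == 0 ? b : (b | 0x80));
        }
    }

    /** Decodes a full DER OID back to dotted form, rejecting the common malformed cases. */
    static String decode(byte[] der) {
        if (der.length < 3 || der[0] != 0x06) throw new IllegalArgumentException("not a DER OID");
        int len = der[1] & 0xFF;
        if (len >= 0x80 || len != der.length - 2) throw new IllegalArgumentException("bad length");
        StringBuilder out = new StringBuilder();
        long value = 0;
        boolean inProgress = false;   // true while a multi-byte sub-identifier is incomplete
        boolean first = true;
        for (int i = 2; i < der.length; i++) {
            int b = der[i] & 0xFF;
            if (!inProgress && b == 0x80) {
                throw new IllegalArgumentException("non-minimal sub-identifier (leading 0x80)");
            }
            value = (value << 7) | (b & 0x7F);
            inProgress = (b & 0x80) != 0;
            if (!inProgress) {
                if (first) {
                    long arc0 = value < 80 ? value / 40 : 2;   // undo the 40*arc0 + arc1 fold
                    out.append(arc0).append('.').append(value - 40 * arc0);
                    first = false;
                } else {
                    out.append('.').append(value);
                }
                value = 0;
            }
        }
        if (inProgress) throw new IllegalArgumentException("truncated sub-identifier");
        return out.toString();
    }

    public static void main(String[] args) throws GSSException {
        String krb5 = "1.2.840.113554.1.2.2";        // Kerberos v5 mechanism OID from the text
        byte[] mine = encode(krb5);
        byte[] jdk = new Oid(krb5).getDER();          // the full encoding, tag and length included
        System.out.println("hand-encoded bytes: " + Arrays.toString(mine));
        System.out.println("matches Oid.getDER(): " + Arrays.equals(mine, jdk));
        System.out.println("round trip: " + decode(mine));
        System.out.println("Oid(byte[]) agrees: " + new Oid(mine).toString().equals(krb5));
    }
}
```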
This exception is thrown whenever a fatal GSS-API error occurs, including mechanism-specific errors. It MAY contain both the major and minor GSS-API status codes. The mechanism implementors are responsible for setting appropriate minor status codes when throwing this exception. Aside from delivering the numeric error code(s) to the caller, this class performs the mapping from their numeric values to textual representations. This exception MAY also include an output token that SHOULD be sent to the peer. For example, when an initSecContext call fails due to a fatal error, the mechanism MAY define an error token that SHOULD be sent to the peer for debugging or informational purposes. All Java GSS-API methods are declared as throwing this exception.
All implementations are encouraged to use the Java internationalization techniques to provide local translations of the message strings.
All valid major GSS-API error code values are declared as constants in this class.
public static final int BAD_BINDINGS
Channel-bindings mismatch error. The value of this constant is 1.
public static final int BAD_MECH
Unsupported mechanism requested error. The value of this constant is 2.
public static final int BAD_NAME
Invalid name provided error. The value of this constant is 3.
public static final int BAD_NAMETYPE
Name of unsupported type provided error. The value of this constant is 4.
public static final int BAD_STATUS
Invalid status code error - this is the default status value. The value of this constant is 5.
public static final int BAD_MIC
Token had invalid integrity check error. The value of this constant is 6.
public static final int CONTEXT_EXPIRED
Specified security context expired error. The value of this constant is 7.
public static final int CREDENTIALS_EXPIRED
Expired credentials detected error. The value of this constant is 8.
public static final int DEFECTIVE_CREDENTIAL
Defective credential error. The value of this constant is 9.
public static final int DEFECTIVE_TOKEN
Defective token error. The value of this constant is 10.
public static final int FAILURE
General failure, unspecified at GSS-API level. The value of this constant is 11.
public static final int NO_CONTEXT
Invalid security context error. The value of this constant is 12.
public static final int NO_CRED
Invalid credentials error. The value of this constant is 13.
public static final int BAD_QOP
Unsupported QOP value error. The value of this constant is 14.
public static final int UNAUTHORIZED
Operation unauthorized error. The value of this constant is 15.
public static final int UNAVAILABLE
Operation unavailable error. The value of this constant is 16.
public static final int DUPLICATE_ELEMENT
Duplicate credential element requested error. The value of this constant is 17.
public static final int NAME_NOT_MN
Name contains multi-mechanism elements error. The value of this constant is 18.
public static final int DUPLICATE_TOKEN
The token was a duplicate of an earlier token. This is contained in an exception only when detected during context establishment, in which case it is considered a fatal error. (Non-fatal supplementary codes are indicated via the MessageProp object.) The value of this constant is 19.
public static final int OLD_TOKEN
The token's validity period has expired. This is contained in an exception only when detected during context establishment, in which case it is considered a fatal error. (Non-fatal supplementary codes are indicated via the MessageProp object.) The value of this constant is 20.
public static final int UNSEQ_TOKEN
A later token has already been processed. This is contained in an exception only when detected during context establishment, in which case it is considered a fatal error. (Non-fatal supplementary codes are indicated via the MessageProp object.) The value of this constant is 21.
public static final int GAP_TOKEN
An expected per-message token was not received. This is contained in an exception only when detected during context establishment, in which case it is considered a fatal error. (Non-fatal supplementary codes are indicated via the MessageProp object.) The value of this constant is 22.
public GSSException(int majorCode)
Creates a GSSException object with a specified major code.
Calling this constructor is equivalent to calling GSSException(majorCode, null, 0, null, null).
public GSSException(int majorCode, int minorCode, String minorString)
Creates a GSSException object with the specified major code, minor code, and minor code textual explanation. This constructor is to be used when the exception is originating from the security mechanism. It allows both the GSS code and the mechanism code to be specified.
Calling this constructor is equivalent to calling GSSException(majorCode, null, minorCode, minorString, null).
public GSSException(int majorCode, String majorString, int minorCode, String minorString, byte[] outputToken)
Creates a GSSException object with the specified major code, major code textual explanation, minor code, minor code textual explanation, and an output token. This is a general-purpose constructor that can be used to create any type of GSSException.
Parameters:
majorCode The GSS error code causing this exception to be thrown.
majorString The textual explanation of the GSS error code. If null is provided, a default explanation that matches the majorCode will be set.
minorCode The mechanism error code causing this exception to be thrown. Can be 0 if no mechanism error code is available.
minorString The textual explanation of the mechanism error code. Can be null if no textual explanation is available.
outputToken The output token that SHOULD be sent to the peer. Can be null if no such token is available. It MUST NOT be an empty array. When provided, the array will be cloned to protect against subsequent modifications.
public int getMajor()
Returns the major code representing the GSS error code that caused this exception to be thrown.
public int getMinor()
Returns the mechanism error code that caused this exception. The minor code is set by the underlying mechanism. The value of 0 indicates that the mechanism error code is not set.
public String getMajorString()
Returns a string explaining the GSS major error code causing this exception to be thrown.
public String getMinorString()
Returns a string explaining the mechanism-specific error code. "null" will be returned when no string explaining the mechanism error code has been set.
public byte[] getOutputToken()
Returns the output token in a new byte array.
If the method (for example, GSSContext#initSecContext) that throws this GSSException needs to generate an output token that SHOULD be sent to the peer, that token will be stored in this GSSException and can be retrieved with this method.
The return value MUST be null if no such token is generated. It MUST NOT be an empty byte array.
public void setMinor(int minorCode, String message)
Used internally by the GSS-API implementation and the underlying mechanisms to set the minor code and its textual representation.
Parameters:
minorCode The mechanism-specific error code.
message A textual explanation of the mechanism error code.
public String toString()
Returns a textual representation of both the major and minor status codes.
public String getMessage()
Returns a detailed message of this exception. Overrides Throwable.getMessage. It is customary in Java to use this method to obtain exception information.
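An added example, not from this document, of how the output-token rules above play out on the mechanism side and in an application's catch block. It assumes an org.ietf.jgss implementation that provides the five-argument constructor and getOutputToken() specified here (the stock JDK classes do not); the token bytes are constructed, and TokenSink stands in for the sketches' writeGSSToken().

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import org.ietf.jgss.GSSException;

/** Error-token handling around GSSException, as specified by RFC 8353 (assumed implementation). */
public final class ErrorTokenExample {

    /** Minimal transport abstraction standing in for writeGSSToken() in the sample programs. */
    interface TokenSink {
        void write(byte[] token);
    }

    /**
     * Mechanism side: build the exception a failing initSecContext()/acceptSecContext()
     * would throw.  The spec forbids an empty array as outputToken, so an empty error
     * token is normalised to "no token" rather than leaking a zero-length token to the peer.
     */
    static GSSException contextFailure(int major, String mechMessage, byte[] errorToken) {
        byte[] tok = (errorToken != null && errorToken.length > 0) ? errorToken : null;
        return new GSSException(major, null, 0, mechMessage, tok);   // majorString null -> default text
    }

    /**
     * Application side: the catch-block logic from the sample initiator/acceptor, factored out.
     * Returns true when an error token was forwarded to the peer.  An empty array is a
     * contract violation by the implementation and is surfaced instead of being sent.
     */
    static boolean forwardErrorToken(GSSException e, TokenSink peer) {
        byte[] tok = e.getOutputToken();
        if (tok == null) return false;
        if (tok.length == 0) throw new IllegalStateException("spec violation: empty error token");
        peer.write(tok);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample error token; not a real mechanism token.
        byte[] errTok = {0x60, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05};
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        TokenSink peer = t -> wire.write(t, 0, t.length);

        GSSException e = contextFailure(GSSException.BAD_BINDINGS, "channel binding mismatch", errTok);
        boolean sent = forwardErrorToken(e, peer);
        System.out.println("major=" + e.getMajor() + " (" + e.getMajorString() + "), forwarded=" + sent
                + ", bytes on wire=" + wire.size());

        // Defensive copying: getOutputToken() returns a fresh array each time, and the
        // constructor cloned its argument, so neither side can alter the stored token.
        byte[] copy = e.getOutputToken();
        copy[0] = 0;
        errTok[1] = 0;
        System.out.println("stored token intact: "
                + Arrays.equals(e.getOutputToken(), new byte[] {0x60, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05}));

        // Failure without a token: nothing goes on the wire.
        GSSException plain = contextFailure(GSSException.FAILURE, "no token produced", new byte[0]);
        System.out.println("forwarded for empty token: " + forwardErrorToken(plain, peer));
    }
}
```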
<CODE BEGINS>
import org.ietf.jgss.*;

/**
 * This is a partial sketch for a simple client program that acts
 * as a GSS context initiator.  It illustrates how to use the Java
 * bindings for the GSS-API specified in RFC 8353.
 *
 * This code sketch assumes the existence of a GSS-API
 * implementation that supports the mechanism that it will need
 * and is present as a library package (org.ietf.jgss) either as
 * part of the standard JRE or in the CLASSPATH the application
 * specifies.
 */

public class SimpleClient {

    private String serviceName; // name of peer (i.e., server)
    private GSSCredential clientCred = null;
    private GSSContext context = null;
    private Oid mech; // underlying mechanism to use

    private GSSManager mgr = GSSManager.getInstance();

    ...
    ...

    private void clientActions() {
        initializeGSS();
        establishContext();
        doCommunication();
    }

    /**
     * Acquire credentials for the client.
     */
    private void initializeGSS() {

        try {

            clientCred = mgr.createCredential(null /*default princ*/,
                GSSCredential.INDEFINITE_LIFETIME /* max lifetime */,
                mech /* mechanism to use */,
                GSSCredential.INITIATE_ONLY /* init context */);

            print("GSSCredential created for "
                  + clientCred.getName().toString());
            print("Credential lifetime (sec)="
                  + clientCred.getRemainingLifetime());
        } catch (GSSException e) {
            print("GSS-API error in credential acquisition: "
                  + e.getMessage());
            ...
            ...
        }
        ...
        ...
    }

    /**
     * Does the security context establishment with the
     * server.
     */
    private void establishContext() {

        byte[] inToken = new byte[0];
        byte[] outToken = null;

        try {

            GSSName peer = mgr.createName(serviceName,
                                          GSSName.NT_HOSTBASED_SERVICE);
            context = mgr.createContext(peer, mech, clientCred,
                                        GSSContext.INDEFINITE_LIFETIME/*lifetime*/);

            // Will need to support confidentiality
            context.requestConf(true);

            while (!context.isEstablished()) {

                outToken = context.initSecContext(inToken, 0,
                                                  inToken.length);

                if (outToken != null)
                    writeGSSToken(outToken);

                if (!context.isEstablished())
                    inToken = readGSSToken();
            }

            peer = context.getTargName();

            print("Security context established with " + peer
                  + " using underlying mechanism " + mech.toString());
        } catch (GSSException e) {
            print("GSS-API error during context establishment: "
                  + e.getMessage());

            // If the exception contains an output token,
            // it should be sent to the acceptor.
            byte[] outTok = e.getOutputToken();
            if (outTok != null) {
                writeGSSToken(outTok);
            }
            ...
            ...
        }
        ...
        ...
    }

    /**
     * Sends some data to the server and reads back the
     * response.
     */
    private void doCommunication() {
        byte[] inToken = null;
        byte[] outToken = null;
        byte[] buffer;

        // Container for multiple input-output arguments to and
        // from the per-message routines (e.g., wrap/unwrap).
        MessageProp messgInfo = new MessageProp(true);

        try {

            /*
             * Now send some bytes to the server to be
             * processed.  They will be integrity protected
             * but not encrypted for privacy.
             */

            buffer = readFromFile();

            // Set privacy to "false" and use the default QOP
            messgInfo.setPrivacy(false);

            outToken = context.wrap(buffer, 0, buffer.length,
                                    messgInfo);

            writeGSSToken(outToken);

            /*
             * Now read the response from the server.
             */

            inToken = readGSSToken();
            buffer = context.unwrap(inToken, 0, inToken.length,
                                    messgInfo);
            // All ok if no exception was thrown!

            GSSName peer = context.getTargName();

            print("Message from " + peer.toString() + " arrived.");
            print("Was it encrypted? " + messgInfo.getPrivacy());
            print("Duplicate Token? " + messgInfo.isDuplicateToken());
            print("Old Token? " + messgInfo.isOldToken());
            print("Unsequenced Token? " + messgInfo.isUnseqToken());
            print("Gap Token? " + messgInfo.isGapToken());
            ...
            ...
        } catch (GSSException e) {
            print("GSS-API error in per-message calls: "
                  + e.getMessage());
            ...
            ...
        }
        ...
        ...
    } // end of doCommunication method

    ...
    ...

} // end of class SimpleClient
<CODE ENDS>
<CODE BEGINS>
import org.ietf.jgss.*;

/**
 * This is a partial sketch for a simple server program that acts
 * as a GSS context acceptor.  It illustrates how to use the Java
 * bindings for the GSS-API specified in
 * Generic Security Service API Version 2: Java Bindings.
 *
 * This code sketch assumes the existence of a GSS-API
 * implementation that supports the mechanisms that it will need
 * and is present as a library package (org.ietf.jgss) either as
 * part of the standard JRE or in the CLASSPATH the application
 * specifies.
 */

public class SimpleServer {

    private String serviceName;
    private GSSName name;
    private GSSCredential cred;

    private GSSManager mgr;

    ...
    ...

    /**
     * Wait for client connections, establish security contexts,
     * and provide service.
     */
    private void loop() throws Exception {
        ...
        ...
        mgr = GSSManager.getInstance();

        name = mgr.createName(serviceName,
                              GSSName.NT_HOSTBASED_SERVICE);

        cred = mgr.createCredential(name,
                                    GSSCredential.INDEFINITE_LIFETIME,
                                    (Oid[])null,
                                    GSSCredential.ACCEPT_ONLY);

        // Loop infinitely
        while (true) {
            Socket s = serverSock.accept();

            // Start a new thread to serve this connection
            Thread serverThread = new ServerThread(s);
            serverThread.start();
        }
    }

    /**
     * Inner class ServerThread whose run() method provides the
     * secure service to a connection.
     */

    private class ServerThread extends Thread {

        ...
        ...

        /**
         * Deals with the connection from one client.  It also
         * handles all GSSException's thrown while talking to
         * this client.
         */
        public void run() {

            byte[] inToken = null;
            byte[] outToken = null;
            byte[] buffer;

            // Container for multiple input-output arguments to
            // and from the per-message routines
            // (i.e., wrap/unwrap).
            MessageProp supplInfo = new MessageProp(true);

            try {
                // Now do the context establishment loop
                GSSContext context = mgr.createContext(cred);

                while (!context.isEstablished()) {

                    inToken = readGSSToken();
                    outToken = context.acceptSecContext(inToken, 0,
                                                        inToken.length);
                    if (outToken != null)
                        writeGSSToken(outToken);

                }

                // SimpleServer wants confidentiality to be
                // available.  Check for it.
                if (!context.getConfState()){
                    ...
                    ...
                }

                GSSName peer = context.getSrcName();
                Oid mech = context.getMech();
                print("Security context established with "
                      + peer.toString()
                      + " using underlying mechanism "
                      + mech.toString());

                // Now read the bytes sent by the client to be
                // processed.
                inToken = readGSSToken();

                // Unwrap the message
                buffer = context.unwrap(inToken, 0, inToken.length,
                                        supplInfo);
                // All ok if no exception was thrown!

                // Print other supplementary per-message status
                // information.

                print("Message from " + peer.toString() + " arrived.");
                print("Was it encrypted? " + supplInfo.getPrivacy());
                print("Duplicate Token? " + supplInfo.isDuplicateToken());
                print("Old Token? " + supplInfo.isOldToken());
                print("Unsequenced Token? " + supplInfo.isUnseqToken());
                print("Gap Token? " + supplInfo.isGapToken());

                /*
                 * Now process the bytes and send back an
                 * encrypted response.
                 */

                buffer = serverProcess(buffer);

                // Encipher it and send it across

                supplInfo.setPrivacy(true); // privacy requested
                supplInfo.setQOP(0); // default QOP
                outToken = context.wrap(buffer, 0, buffer.length,
                                        supplInfo);
                writeGSSToken(outToken);

            } catch (GSSException e) {
                print("GSS-API Error: " + e.getMessage());
                // Alternatively, could call e.getMajorString()
                // and e.getMinorString()

                // If the exception contains an output token,
                // it should be sent to the initiator.
                byte[] outTok = e.getOutputToken();
                if (outTok != null) {
                    writeGSSToken(outTok);
                }
                print("Abandoning security context.");
                ...
                ...
            }
            ...
            ...
        } // end of run method in ServerThread

    } // end of inner class ServerThread

    ...
    ...

} // end of class SimpleServer
<CODE ENDS>
The Java language security model allows platform providers to have policy-based fine-grained access control over any resource that an application wants. When using a Java security manager (such as, but not limited to, the case of applets running in browsers), the application code is in a sandbox by default.
Java语言安全模型允许平台提供者对应用程序需要的任何资源进行基于策略的细粒度访问控制。使用Java安全管理器时(例如但不限于浏览器中运行的小程序),默认情况下应用程序代码位于沙箱中。
Administrators of the platform JRE determine what permissions, if any, are to be given to source from different codebases. Thus, the administrator has to be aware of any special requirements that the GSS provider might have for system resources. For instance, a Kerberos provider might wish to make a network connection to the Key
平台JRE的管理员决定从不同的代码库向源代码授予哪些权限(若有)。因此,管理员必须了解GSS提供商可能对系统资源的任何特殊要求。例如,Kerberos提供程序可能希望与密钥建立网络连接
Distribution Center (KDC) to obtain initial credentials. This would not be allowed under the sandbox unless the administrator had granted permissions for this. Also, note that this granting and checking of permissions happens transparently to the application and is outside the scope of this document.
配送中心(KDC)以获取初始凭据。除非管理员授予此权限,否则沙箱下不允许此操作。另外,请注意,权限的授予和检查对应用程序是透明的,不在本文档的范围内。
The Java language allows administrators to pre-configure a list of security service providers in the <JRE>/lib/security/java.security file. At runtime, the system approaches these providers in order of preference when looking for security-related services. Applications have a means to modify this list through methods in the "Security" class in the "java.security" package. However, since these modifications would be visible in the entire Java Virtual Machine (JVM) and thus affect all code executing in it, this operation is not available in the sandbox and requires special permissions to perform. Thus, when a GSS application has special needs that are met by a particular security provider, it has two choices:
Java语言允许管理员在<JRE>/lib/security/Java.security文件中预先配置安全服务提供商列表。在运行时,系统在查找与安全相关的服务时,会按优先顺序接近这些提供者。应用程序可以通过“java.Security”包中“Security”类中的方法修改此列表。但是,由于这些修改将在整个Java虚拟机(JVM)中可见,因此会影响其中执行的所有代码,因此此操作在沙箱中不可用,需要特殊权限才能执行。因此,当GSS应用程序具有特定安全提供商满足的特殊需求时,它有两种选择:
1) Install the provider on a JVM-wide basis using the java.security.Security class and then depend on the system to find the right provider automatically when the need arises. (This would require the application to be granted an "insertProvider SecurityPermission".)
2) Pass an instance of the provider to the local instance of GSSManager so that only factory calls going through that GSSManager use the desired provider. (This would not require any permissions.)
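The two choices written out as Java code, added here as an illustration and not taken from the RFC. The Provider instance is a constructed placeholder (the name "ExampleGSS" is hypothetical), since a real GSS provider is assumed to come from the platform.

```java
import java.security.Provider;
import java.security.Security;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public final class ProviderSetup {

    // Choice 1: JVM-wide. The provider becomes visible to all code in
    // the VM, so under a security manager this requires the
    // "insertProvider" SecurityPermission and is refused in the sandbox.
    static boolean installJvmWide(Provider p) {
        try {
            // insertProviderAt returns -1 when the provider is already installed
            return Security.insertProviderAt(p, 1) != -1;
        } catch (SecurityException denied) {
            return false;   // sandboxed code without the permission lands here
        }
    }

    // Choice 2: scoped to one GSSManager. Only factory calls made through
    // this manager see the provider, and no permission is needed.
    // A null mechanism OID means the provider is tried for all mechanisms.
    static GSSManager scopedManager(Provider p) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        manager.addProviderAtFront(p, null);
        return manager;
    }

    public static void main(String[] args) throws GSSException {
        // Constructed stand-in for a real GSS provider; hypothetical name.
        Provider p = new Provider("ExampleGSS", "1.0", "placeholder provider") {};
        System.out.println("JVM-wide install succeeded: " + installJvmWide(p));
        GSSManager scoped = scopedManager(p);
        System.out.println("Scoped manager ready: " + (scoped != null));
    }
}
```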
This document has no IANA actions.
This document has the following changes relative to RFC 5653:
1) New error token embedded in GSSException
There is a design flaw in the initSecContext and acceptSecContext methods of the GSSContext class defined in "Generic Security Service API Version 2: Java Bindings Update" [RFC5653].
The methods could either return a token (possibly null if no more tokens are needed) when the call succeeds or throw a GSSException if there is a failure, but NOT both. On the other hand, the C-bindings of GSS-API [RFC2744] can return both; that is to say, a call to the GSS_Init_sec_context() function can return a major status code, and at the same time, fill in the output_token argument if there is one.
Without the ability to emit an error token when there is a failure, a Java application has no mechanism to tell the other side what the error is. For example, a "reject" NegTokenResp token can never be transmitted for the SPNEGO mechanism [RFC4178].
While a Java method can never return a value and throw an exception at the same time, we can embed the error token inside the exception so that the caller has a chance to retrieve it. This update adds a new GSSException constructor to include this token inside a GSSException object and a getOutputToken() method to retrieve the token. The specification for the initSecContext and acceptSecContext methods is updated to describe the new behavior. Various examples are also updated.
New JGSS programs SHOULD make use of this new feature, but it is not mandatory. A program that intends to run with both old and new GSS Java bindings can use reflection to check the availability of this new method and call it accordingly.
2) Removing Stream-Based GSSContext Methods
The overloaded methods of GSSContext that use input and output streams as the means to convey authentication and per-message GSS-API tokens as described in Section 5.15 of RFC 5653 [RFC5653] are removed in this update as the wire protocol should be defined by an application and not a library. It's also impossible to implement these methods correctly when the token has no self-framing (where the end cannot be determined), or the library has no knowledge of the token format (for example, as a bridge talking to another GSS library). These methods include initSecContext (Section 7.4.5 of RFC 5653 [RFC5653]), acceptSecContext (Section 7.4.9 of RFC 5653 [RFC5653]), wrap (Section 7.4.15 of RFC 5653 [RFC5653]), unwrap (Section 7.4.17 of RFC 5653 [RFC5653]), getMIC (Section 7.4.19 of RFC 5653 [RFC5653]), and verifyMIC (Section 7.4.21 of RFC 5653 [RFC5653]).
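An acceptor loop that ties items 1 and 2 together, added here as an example and not code from the RFC: it retrieves the error token through reflection so it also runs against RFC 5653 bindings (where getOutputToken() does not exist), and because the stream-based methods are gone it supplies its own framing, a 4-byte big-endian length prefix, which is an assumption about the application's wire protocol.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public final class AcceptorLoop {
    // Reflectively fetch the error token added by this update; on
    // RFC 5653 bindings the method is absent and null is returned.
    static byte[] errorToken(GSSException e) {
        try {
            Method m = GSSException.class.getMethod("getOutputToken");
            return (byte[]) m.invoke(e);
        } catch (ReflectiveOperationException absentOrFailed) {
            return null;
        }
    }
    // Acceptor side of context establishment. The framing (4-byte
    // big-endian length prefix, assumed here) belongs to the application;
    // the library no longer offers stream-based token I/O.
    static void accept(GSSContext ctx, DataInputStream in,
                       DataOutputStream out) throws IOException, GSSException {
        while (!ctx.isEstablished()) {
            byte[] inTok = readFrame(in);
            byte[] outTok;
            try {
                outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
            } catch (GSSException e) {
                byte[] err = errorToken(e);              // null on old bindings
                if (err != null) writeFrame(out, err);   // e.g. SPNEGO reject NegTokenResp
                throw e;                                 // establishment still fails locally
            }
            if (outTok != null) writeFrame(out, outTok);
        }
    }
    static byte[] readFrame(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > (1 << 20)) throw new IOException("bad token length " + len);
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }
    static void writeFrame(DataOutputStream out, byte[] tok) throws IOException {
        out.writeInt(tok.length);
        out.write(tok);
        out.flush();
    }
}
```

The initiator side mirrors this with initSecContext; on either side the exception is still propagated after the error token is sent, since the local context is not established.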
This document has the following changes relative to RFC 2853:
1) Major GSS Status Code Constant Values
RFC 2853 listed all the GSS status code values in two different sections: Section 4.12.1 defined numeric values for them, and Section 6.8.1 defined them as static constants in the GSSException class without assigning any values. Due to an inconsistent ordering between these two sections, all of the GSS major status codes resulted in misalignment and a subsequent disagreement between deployed implementations.
This document defines the numeric values of the GSS status codes in both sections, while maintaining the original ordering from Section 6.8.1 of RFC 2853 [RFC2853], and it obsoletes the GSS status code values defined in Section 4.12.1. The relevant sections in this document are Sections 5.12.1 and 7.8.1.
2) GSS Credential Usage Constant Values
RFC 2853, Section 6.3.2 defines static constants for the GSSCredential usage flags. However, the values of these constants were not defined anywhere in RFC 2853 [RFC2853].
This document defines the credential usage values in Section 7.3.1. The original ordering of these values from Section 6.3.2 of RFC 2853 [RFC2853] is maintained.
3) GSS Host-Based Service Name
RFC 2853 [RFC2853], Section 6.2.2 defines the static constant for the GSS host-based service OID NT_HOSTBASED_SERVICE, using a deprecated OID value.
This document updates the NT_HOSTBASED_SERVICE OID value in Section 7.2.1 to be consistent with the C-bindings in RFC 2744 [RFC2744].
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism (SPKM)", RFC 2025, DOI 10.17487/RFC2025, October 1996, <https://www.rfc-editor.org/info/rfc2025>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, DOI 10.17487/RFC2743, January 2000, <https://www.rfc-editor.org/info/rfc2743>.
[RFC2744] Wray, J., "Generic Security Service API Version 2 : C-bindings", RFC 2744, DOI 10.17487/RFC2744, January 2000, <https://www.rfc-editor.org/info/rfc2744>.
[RFC2853] Kabat, J. and M. Upadhyay, "Generic Security Service API Version 2 : Java Bindings", RFC 2853, DOI 10.17487/RFC2853, June 2000, <https://www.rfc-editor.org/info/rfc2853>.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2", RFC 4121, DOI 10.17487/RFC4121, July 2005, <https://www.rfc-editor.org/info/rfc4121>.
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism", RFC 4178, DOI 10.17487/RFC4178, October 2005, <https://www.rfc-editor.org/info/rfc4178>.
[RFC5653] Upadhyay, M. and S. Malkani, "Generic Security Service API Version 2: Java Bindings Update", RFC 5653, DOI 10.17487/RFC5653, August 2009, <https://www.rfc-editor.org/info/rfc5653>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[ISOIEC-8824] International Organization for Standardization, "Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation", ISO/ IEC 8824-1:2014, November 2015, <https://www.iso.org/standard/68350.html>.
[ISOIEC-8825] International Organization for Standardization, "Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ISO/IEC 8825-1:2015, November 2015, <https://www.iso.org/standard/68345.html>.
[JLS] Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A., and D. Smith, "The Java Language Specification", Java SE 10 Edition, February 2018, <https://docs.oracle.com/javase/specs/jls/se10/html/index.html>.
Acknowledgments
We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael Saltz, and other members of Sun's development team for their helpful input, comments, and suggestions.
We would also like to thank Greg Hudson, Benjamin Kaduk, Joe Salowey and Michael Smith for many insightful ideas and suggestions that have contributed to this document.
Authors' Addresses
Mayank D. Upadhyay Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 United States of America
Email: m.d.upadhyay+ietf@gmail.com
Seema Malkani ActivIdentity Corp. 6623 Dumbarton Circle Fremont, California 94555 United States of America
Email: Seema.Malkani@gmail.com
Weijun Wang Oracle Building No. 24, Zhongguancun Software Park Beijing 100193 China
Email: weijun.wang@oracle.com