com.sun.gssapi

Class GSSContext


public class GSSContext
extends java.lang.Object

This class represents the JGSS security context and its associated operations. JGSS security contexts are established between peers using locally established credentials. Multiple contexts may exist simultaneously between a pair of peers, using the same or different set of credentials. The JGSS is independent of the underlying transport protocols and depends on its callers to transport the tokens between peers.

The context object can be thought of as having 3 implicit states: before it is established, during its context establishment, and after a fully established context exists.

Before the context establishment phase is initiated, the context initiator may request specific characteristics desired of the established context. These can be set using the set methods. After the context is established, the caller can check the actual characteristic and services offered by the context using the query methods.

The context establishment phase begins with the first call to the init method by the context initiator. During this phase the init and accept methods will produce GSS-API authentication tokens which the calling application needs to send to its peer. The init and accept methods may return a CONTINUE_NEEDED code which indicates that a token is needed from its peer in order to continue the context establishment phase. A return code of COMPLETE signals that the local end of the context is established. This may still require that a token be sent to the peer, depending if one is produced by GSS-API. The isEstablished method can also be used to determine if the local end of the context has been fully established. During the context establishment phase, the isProtReady method may be called to determine if the context can be used for the per-message operations. This allows implementation to use per-message operations on contexts which aren't fully established.

After the context has been established or the isProtReady method returns "true", the query routines can be invoked to determine the actual characteristics and services of the established context. The application can also start using the per-message methods of wrap and getMIC to obtain cryptographic operations on application supplied data.

When the context is no longer needed, the application should call dispose to release any system resources the context may be using.

RFC 2078

Field Summary

static int
ANON
Context option flag - anonymity.
static int
COMPLETE
Return value from either accept or init stating that the context creation phase is complete for this peer.
static int
CONF
Context option flag - confidentiality.
static int
CONTINUE_NEEDED
Return value from either accept or init stating that another token is required from the peer to continue context creation.
static int
CRED_DELEG
Context option flag - credential delegation.
static int
INDEFINITE
Indefinite lifetime value for a context.
static int
INTG
Context option flag - integrity.
static int
MUTUAL_AUTH
Context option flag - mutual authentication.
static int
REPLAY_DET
Context option flag - replay detection.
static int
SEQUENCE_DET
Context option flag - sequence detection.
static int
TRANS
Context option flag - transferability (output flag only).

Constructor Summary

GSSContext(byte[] interProcessToken)
Constructor for creating a GSSContext from a previously exported context.
GSSContext(GSSCredential myCred)
Constructor for creating a context on the acceptor' side.
GSSContext(GSSName peer, Oid mechOid, GSSCredential myCred, int lifetime)
Constructor for creating a context on the initiator's side.

Method Summary

int
accept(InputStream inputBuf, OutputStream outputBuf)
Called by the context acceptor upon receiving a token from the peer.
byte[]
accept(byte[] inTok, int offset, int length)
Called by the context acceptor upon receiving a token from the peer.
void
dispose()
Release any system resources and cryptographic information stored in the context object.
byte[]
export()
Provided to support the sharing of work between multiple processes.
boolean
getAnonymityState()
Returns true if this is an anonymous context.
boolean
getConfState()
Returns the confidentiality service state over the context.
GSSCredential
getDelegCred()
Returns the delegated credential object on the acceptor's side.
boolean
getDelegCredState()
Returns the state of the delegated credentials for the context.
boolean
getIntegState()
Returns the integrity service state over the context.
int
getLifetime()
Returns the context lifetime in seconds.
void
getMIC(InputStream inBuf, OutputStream outBuf, MessageProp msgProp)
Produces a token containing a cryptographic MIC for the supplied message, for transfer to the peer application.
byte[]
getMIC(byte[] inMsg, int offset, int length, MessageProp msgProp)
Returns a token containing a cryptographic MIC for the supplied message, for transfer to the peer application.
Oid
getMech()
Returns the mechanism oid for the context.
boolean
getMutualAuthState()
Returns the state of the mutual authentication option for the context.
boolean
getReplayDetState()
Returns the state of the replay detection service for the context.
boolean
getSequenceDetState()
Returns the state of the sequence detection service for the context.
GSSName
getSrcName()
Retrieves the name of the context initiator.
GSSName
getTargName()
Retrieves the name of the context target (acceptor).
int
getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize)
Returns the maximum message size that, if presented to the wrap method with the same confReq and qop parameters will result in an output token containing no more then maxTokenSize bytes.
int
init(InputStream inputBuf, OutputStream outputBuf)
Called by the context initiator to start the context creation process.
byte[]
init(byte[] inputBuf, int offset, int length)
Called by the context initiator to start the context creation process.
boolean
isEstablished()
Returns true is this is a fully established context.
boolean
isInitiator()
Returns true if this is the initiator of the context.
boolean
isProtReady()
Indicates if the per message operations can be applied over the context.
boolean
isTransferable()
Indicates if the context is transferable to other processes through the use of the export method.
void
requestAnonymity(boolean state)
Requests anonymous support over the context.
void
requestConf(boolean state)
Requests that confidentiality service be available over the context.
void
requestCredDeleg(boolean state)
Sets the request state of the credential delegation flag for the context.
void
requestInteg(boolean state)
Requests that integrity service be available over the context.
void
requestLifetime(int lifetime)
Sets the desired lifetime for the context in seconds.
void
requestMutualAuth(boolean state)
Sets the request state of the mutual authentication flag for the context.
void
requestReplayDet(boolean state)
Sets the request state of the replay detection service for the context.
void
requestSequenceDet(boolean state)
Sets the request state of the sequence checking service for the context.
void
setChannelBinding(ChannelBinding cb)
Sets the channel bindings to be used during context establishment.
void
unwrap(InputStream inBuf, OutputStream outBuf, MessageProp msgProp)
Used by the peer application to process tokens generated with the wrap call.
byte[]
unwrap(byte[] inBuf, int offset, int length, MessageProp msgProp)
Used by the peer application to process tokens generated with the wrap call.
void
verifyMIC(InputStream inTok, InputStream inMsg, MessageProp msgProp)
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message.
void
verifyMIC(byte[] inTok, int tokOffset, int tokLen, byte[] inMsg, int msgOffset, int msgLen, MessageProp msgProp)
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message.
void
wrap(InputStream inBuf, OutputStream outBuf, MessageProp msgProp)
Allows to apply per-message security services over the established security context.
byte[]
wrap(byte[] inBuf, int offset, int length, MessageProp msgProp)
Allows to apply per-message security services over the established security context.

Field Details

ANON

public static final int ANON
Context option flag - anonymity.
Field Value:
16

COMPLETE

public static final int COMPLETE
Return value from either accept or init stating that the context creation phase is complete for this peer.
Field Value:
0
See Also:
init, accept

CONF

public static final int CONF
Context option flag - confidentiality.
Field Value:
32

CONTINUE_NEEDED

public static final int CONTINUE_NEEDED
Return value from either accept or init stating that another token is required from the peer to continue context creation. This may be returned several times indicating multiple token exchanges.
Field Value:
1
See Also:
init, accept

CRED_DELEG

public static final int CRED_DELEG
Context option flag - credential delegation.
Field Value:
1

INDEFINITE

public static final int INDEFINITE
Indefinite lifetime value for a context. Set to the largest value for an int in Java.

INTG

public static final int INTG
Context option flag - integrity.
Field Value:
64

MUTUAL_AUTH

public static final int MUTUAL_AUTH
Context option flag - mutual authentication.
Field Value:
2

REPLAY_DET

public static final int REPLAY_DET
Context option flag - replay detection.
Field Value:
4

SEQUENCE_DET

public static final int SEQUENCE_DET
Context option flag - sequence detection.
Field Value:
8

TRANS

public static final int TRANS
Context option flag - transferability (output flag only). Indicates if context may be transferred by using export().
Field Value:
128

Constructor Details

GSSContext

public GSSContext(byte[] interProcessToken)
            throws GSSException
Constructor for creating a GSSContext from a previously exported context. The context properties will be determined from the input token.

RFC 2078
Parameters:
interProcessToken - the token emitted from export routine
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED, NO_CONTEXT, DEFECTIVE_TOKEN, UNAVAILABLE, UNAUTHORIZED, FAILURE
See Also:
export()

GSSContext

public GSSContext(GSSCredential myCred)
            throws GSSException
Constructor for creating a context on the acceptor' side. The context's properties will be determined from the input token supplied to accept().
Parameters:
myCred - GSSCredential for the acceptor. Use null to request usage of default credentials.
Throws:
GSSException - with possible major codes of BAD_NAME, BAD_MECH, BAD_NAMETYPE.
See Also:
accept

GSSContext

public GSSContext(GSSName peer,
                  Oid mechOid,
                  GSSCredential myCred,
                  int lifetime)
            throws GSSException
Constructor for creating a context on the initiator's side. Context flags may be modified through the set methods prior to calling init().
Parameters:
peer - Name of the target peer.
mechOid - Oid of the desired mechanism; may be null to indicate the default mechanism
myCred - the credentials for the initiator; may be null to indicate desire to use the default credentials
lifetime - the request lifetime, in seconds, for the context
Throws:
GSSException - with possible major codes of BAD_NAME, BAD_MECH, BAD_NAMETYPE.
See Also:
init

Method Details

accept

public int accept(InputStream inputBuf,
                  OutputStream outputBuf)
            throws GSSException
Called by the context acceptor upon receiving a token from the peer. This call is equivalent to the byte array method. It may write an output token to the outputBuf, which the application will need to send to the peer for processing by its init method. 0 bytes written to the output stream indicate that no token needs to be sent to the peer. The method will return either COMPLETE or CONTINUE_NEEDED indicating the status of the current context. A return value of COMPLETE indicates that the context establishment phase is complete for this peer, while CONTINUE_NEEDED means that another token is expected from the peer. The isEstablished method can also be used to determine this state. Note that it is possible to have a token for the peer while this method returns COMPLETE. This indicates that the local end of the context is established, but the token needs to be sent to the peer to complete the context establishment.

The GSS-API authentication tokens contain a definitive start and end. This method will attempt to read one of these tokens per invocation, and may block on the stream if only part of the token is available.

Upon completion of the context establishment, the available context options may be queried through the get methods.

RFC 2078
Parameters:
Returns:
creation state of either COMPLETE or CONTINUE_NEEDED
Throws:
GSSException - may be thrown with major status values of DEFECTIVE_TOKEN, DEFECTIVE_CREDENTIAL, BAD_SIG, NO_CRED, CREDENTIALS_EXPIRED, BAD_BINDINGS, OLD_TOKEN, DUPLICATE_ELEMENT, BAD_MECH, and FAILURE

accept

public byte[] accept(byte[] inTok,
                     int offset,
                     int length)
            throws GSSException
Called by the context acceptor upon receiving a token from the peer. This call is equivalent to the stream based method except that the token buffers are handled as byte arrays instead of using stream objects.

This method may return an output token which the application will need to send to the peer for further processing by the init call. "null" return value indicates that no token needs to be sent to the peer. The application can call isEstablished to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished indicates that more tokens are expected to be supplied to this method.

Please note that the accept method may return a token for the peer, and isEstablished return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.

Upon completion of the context establishment, the available context options may be queried through the get methods. Called by the context acceptor upon receiving a token from the peer. May need to be called again if returns CONTINUE_NEEDED.

RFC 2078
Parameters:
Returns:
creation state of either COMPLETE or CONTINUE_NEEDED
Throws:
GSSException - may be thrown with major status values of DEFECTIVE_TOKEN, DEFECTIVE_CREDENTIAL, BAD_SIG, NO_CRED, CREDENTIALS_EXPIRED, BAD_BINDINGS, OLD_TOKEN, DUPLICATE_ELEMENT, BAD_MECH, and FAILURE

dispose

public void dispose()
            throws GSSException
Release any system resources and cryptographic information stored in the context object. This will invalidate the context.

RFC 2078
Throws:
GSSException - with major codes NO_CONTEXT or FAILURE

export

public byte[] export()
            throws GSSException
Provided to support the sharing of work between multiple processes. This routine will typically be used by the context-acceptor, in an application where a single process receives incoming connection requests and accepts security contexts over them, then passes the established context to one or more other processes for message exchange.

This method deactivates the security context and creates an interprocess token which, when passed to the byte array constructor of the GSSContext class in another process, will re-activate the context in the second process.

Only a single instantiation of a given context may be active at any one time; a subsequent attempt by a context exporter to access the exported security context will fail.

RFC 2078
Returns:
inter-process token representing the context in export form
Throws:
GSSException - with possible major codes of UNAVAILABLE, CONTEXT_EXPIRED, NO_CONTEXT, FAILURE.

getAnonymityState

public boolean getAnonymityState()
Returns true if this is an anonymous context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating anonymity state

getConfState

public boolean getConfState()
Returns the confidentiality service state over the context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating confidentiality state

getDelegCred

public GSSCredential getDelegCred()
            throws GSSException
Returns the delegated credential object on the acceptor's side. To check for availability of delegated credentials call getDelegCredState. This call is only valid on fully established contexts.

RFC 2078
Returns:
delegated credential object for the context
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED and FAILURE

getDelegCredState

public boolean getDelegCredState()
Returns the state of the delegated credentials for the context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating if delegated credentials are available

getIntegState

public boolean getIntegState()
Returns the integrity service state over the context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating integrity state

getLifetime

public int getLifetime()
Returns the context lifetime in seconds. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired lifetime, otherwise it will indicate the actual lifetime over the established context.

RFC 2078
Returns:
lifetime in seconds

getMIC

public void getMIC(InputStream inBuf,
                   OutputStream outBuf,
                   MessageProp msgProp)
            throws GSSException
Produces a token containing a cryptographic MIC for the supplied message, for transfer to the peer application. Unlike wrap, which encapsulates the user message in the returned token, only the message MIC is produced in the output token. This method is identical in functionality to its byte array counterpart.

Note that privacy can only be applied through the wrap call.

Supports the derivation of MICs from zero-length messages.

RFC 2078
Parameters:
inBuf - Buffer containing the message to generate MIC over.
outBuf - The buffer to write the GSS-API output token into.
msgProp - Indicates the desired QOP to be used. Use QOP of 0 to indicate default value. The confidentiality flag is ignored. Upon return from this method, this object will contain the actual QOP applied (in case 0 was selected).
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED, BAD_QOP, FAILURE.

getMIC

public byte[] getMIC(byte[] inMsg,
                     int offset,
                     int length,
                     MessageProp msgProp)
            throws GSSException
Returns a token containing a cryptographic MIC for the supplied message, for transfer to the peer application. Unlike wrap, which encapsulates the user message in the returned token, only the message MIC is returned in the output token. This method is identical in functionality to its stream counterpart.

Note that privacy can only be applied through the wrap call.

Supports the derivation of MICs from zero-length messages.

RFC 2078
Parameters:
offset - The offset within the inMsg where the token begins.
length - the length of the application message
msgProp - Indicates the desired QOP to be used. Use QOP of 0 to indicate default value. The confidentiality flag is ignored. Upon return from this method, this object will contain the actual QOP applied (in case 0 was selected).
Returns:
token containing cryptographic information for the requested security service over the passed in message
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED, BAD_QOP, FAILURE.
See Also:
getMIC(InputStream,OutputStream,MessageProp), verifyMIC(byte[],int,int,MessageProp), MessageProp

getMech

public Oid getMech()
            throws GSSException
Returns the mechanism oid for the context.

RFC 2078
Returns:
Oid object for the context's mechanism
Throws:
GSSException - may be thrown when the mechanism oid can't be determined

getMutualAuthState

public boolean getMutualAuthState()
Returns the state of the mutual authentication option for the context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating state of mutual authentication option

getReplayDetState

public boolean getReplayDetState()
Returns the state of the replay detection service for the context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating replay detection state

getSequenceDetState

public boolean getSequenceDetState()
Returns the state of the sequence detection service for the context. When issued before context establishment completes or when the isProtReady method returns false, it returns the desired state, otherwise it will indicate the actual state over the established context.

RFC 2078
Returns:
boolean indicating sequence detection state

getSrcName

public GSSName getSrcName()
            throws GSSException
Retrieves the name of the context initiator. This call is valid only after context has been fully established or when the isProtReady methods returns true.

RFC 2078
Returns:
name of the context initiator
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED and FAILURE
See Also:
isProtReady()

getTargName

public GSSName getTargName()
            throws GSSException
Retrieves the name of the context target (acceptor). This call is only valid on fully established contexts or when the isProtReady methods returns true.

RFC 2078
Returns:
name of the context target (acceptor)
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED and FAILURE
See Also:
isProtReady()

getWrapSizeLimit

public int getWrapSizeLimit(int qop,
                            boolean confReq,
                            int maxTokenSize)
            throws GSSException
Returns the maximum message size that, if presented to the wrap method with the same confReq and qop parameters will result in an output token containing no more then maxTokenSize bytes.

RFC 2078
Parameters:
qop - quality of protection to apply to the message
confReq - boolean indicating if privacy should be applied
maxTokenSize - the maximum size of the token to be emitted from wrap
Returns:
maximum input buffer size for encapsulation by wrap using the specified QOP and confReq without exceeding the maxTokenSize
Throws:
GSSException - with the possible major codes of BAD_QOP, CONTEXT_EXPIRED, and FAILURE.
See Also:
wrap

init

public int init(InputStream inputBuf,
                OutputStream outputBuf)
            throws GSSException
Called by the context initiator to start the context creation process. This is equivalent to the byte array based method. This method may write an output token to the outputBuf, which the application will need to send to the peer for processing by the accept call. 0 bytes written to the output stream indicate that no token needs to be sent to the peer. The method will return either COMPLETE or CONTINUE_NEEDED indicating the status of the current context. A return value of COMPLETE indicates that the context establishment phase is complete for this peer, while CONTINUE_NEEDED means that another token is expected from the peer. The isEstablished method can also be used to determine this state. Note that it is possible to have a token for the peer while this method returns COMPLETE. This indicates that the local end of the context is established, but the token needs to be sent to the peer to complete the context establishment.

The GSS-API authentication tokens contain a definitive start and end. This method will attempt to read one of these tokens per invocation, and may block on the stream if only part of the token is available.

Upon completion of the context establishment, the available context options may be queried through the get methods.

RFC 2078
Parameters:
inputBuf - token generated by the peer; this parameter is ignored on the first call
outputBuf - token generated for the peer; this may be empty
Returns:
establishment state of either COMPLETE or CONTINUE_NEEDED
Throws:
GSSException - with possible major values of DEFECTIVE_TOKEN, DEFECTIVE_CREDENTIAL, BAD_SIG, NO_CRED, CREDENTIALS_EXPIRED, BAD_BINDINGS, OLD_TOKEN, DUPLICATE_ELEMENT, BAD_NAMETYPE, BAD_NAME, BAD_MECH, and FAILURE

init

public byte[] init(byte[] inputBuf,
                   int offset,
                   int length)
            throws GSSException
Called by the context initiator to start the context creation process. This is equivalent to the stream based method except that the token buffers are handled as byte arrays instead of using stream objects. This method may return an output token which the application will need to send to the peer for processing by the accept call. "null" return value indicates that no token needs to be sent to the peer. The application can call isEstablished to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished indicates that more tokens are expected to be supplied to the init method. Please note that the init method may return a token for the peer, and isEstablished return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.

Upon completion of the context establishment, the available context options may be queried through the get methods.

RFC 2078
Parameters:
inputBuf - token generated by the peer; this parameter is ignored on the first call
Returns:
establishment state of either COMPLETE or CONTINUE_NEEDED
Throws:
GSSException - with possible major values of DEFECTIVE_TOKEN, DEFECTIVE_CREDENTIAL, BAD_SIG, NO_CRED, CREDENTIALS_EXPIRED, BAD_BINDINGS, OLD_TOKEN, DUPLICATE_ELEMENT, BAD_NAMETYPE, BAD_NAME, BAD_MECH, and FAILURE

isEstablished

public boolean isEstablished()
Returns true is this is a fully established context. Used after the init and accept methods to check if more tokens are needed from the peer.
Returns:
boolean indicating if this side of the context is fully established.

isInitiator

public boolean isInitiator()
            throws GSSException
Returns true if this is the initiator of the context. This call is only valid after the context creation process has started.

RFC 2078
Returns:
true if this is the context initiator
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED and FAILURE

isProtReady

public boolean isProtReady()
Indicates if the per message operations can be applied over the context. Some mechanisms may allow to apply per-message operations before the context is fully established. This will also indicate that the get methods will return actual context state characteristics instead of the desired ones.

RFC 2078
Returns:
boolean indicating if per message operations are available

isTransferable

public boolean isTransferable()
            throws GSSException
Indicates if the context is transferable to other processes through the use of the export method. This call is only valid on fully established contexts.

RFC 2078
Returns:
boolean indicating the transferability of the context
Throws:
GSSException - may be thrown
See Also:
export()

requestAnonymity

public void requestAnonymity(boolean state)
            throws GSSException
Requests anonymous support over the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

requestConf

public void requestConf(boolean state)
            throws GSSException
Requests that confidentiality service be available over the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

requestCredDeleg

public void requestCredDeleg(boolean state)
            throws GSSException
Sets the request state of the credential delegation flag for the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

requestInteg

public void requestInteg(boolean state)
            throws GSSException
Requests that integrity service be available over the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

requestLifetime

public void requestLifetime(int lifetime)
            throws GSSException
Sets the desired lifetime for the context in seconds. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown
See Also:
getLifetime()

requestMutualAuth

public void requestMutualAuth(boolean state)
            throws GSSException
Sets the request state of the mutual authentication flag for the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

requestReplayDet

public void requestReplayDet(boolean state)
            throws GSSException
Sets the request state of the replay detection service for the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

requestSequenceDet

public void requestSequenceDet(boolean state)
            throws GSSException
Sets the request state of the sequence checking service for the context. This method is only valid before the context creation process begins and only for the initiator.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

setChannelBinding

public void setChannelBinding(ChannelBinding cb)
            throws GSSException
Sets the channel bindings to be used during context establishment. This method is only valid before the context creation process begins.

RFC 2078
Parameters:
Throws:
GSSException - may be thrown

unwrap

public void unwrap(InputStream inBuf,
                   OutputStream outBuf,
                   MessageProp msgProp)
            throws GSSException
Used by the peer application to process tokens generated with the wrap call. This call is equal in functionality to its byte array counterpart. It will produce the message supplied in the peer application to the wrap call, verifying the embedded MIC. The msgProp parameter will indicate whether the message was encrypted and will contain the QOP indicating the strength of protection that was used to provide the confidentiality and integrity services. The msgProp object will also contain the supplementary status information for the token.

Supports the wrapping and unwrapping of zero-length messages.

RFC 2078
Parameters:
inBuf - token received from peer application which was generated by call to wrap
outBuf - original message passed into wrap
msgProp - Upon return from the this method, will contain QOP and privacy state of the supplied message as well as any supplementary status values.
Throws:
GSSException - with possible major codes of DEFECTIVE_TOKEN, BAD_SIG, CONTEXT_EXPIRED, CREDENTIALS_EXPIRED, and FAILURE.

unwrap

public byte[] unwrap(byte[] inBuf,
                     int offset,
                     int length,
                     MessageProp msgProp)
            throws GSSException
Used by the peer application to process tokens generated with the wrap call. This call is equal in functionality to its stream counterpart. The method will return the message supplied in the peer application to the wrap call, verifying the embedded MIC. The msgProp instance will indicate whether the message was encrypted and will contain the QOP indicating the strength of protection that was used to provide the confidentiality and integrity services.

Supports the wrapping and unwrapping of zero-length messages.

RFC 2078
Parameters:
inBuf - token received from peer application which was generated by call to wrap
offset - within the inBuf where the token begins.
length - The length of the token in inBuf.
msgProp - Upon return from the this method, will contain QOP and privacy state of the supplied message as well as any supplementary status values.
Returns:
the application message used in the wrap call
Throws:
GSSException - with possible major codes of DEFECTIVE_TOKEN, BAD_SIG, CONTEXT_EXPIRED, CREDENTIALS_EXPIRED, and FAILURE.

verifyMIC

public void verifyMIC(InputStream inTok,
                      InputStream inMsg,
                      MessageProp msgProp)
            throws GSSException
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message. The msgProp parameter will contain the QOP indicating the strength of protection that was applied to the message. This method is equivalent in functionality to its byte array counterpart.

RFC 2078
Parameters:
msgProp - upon return from this method, this object will contain the applied QOP and supplementary statustatus values for the supplied token. The privacy state will always be set to false.
Throws:
GSSException - with possible major codes DEFECTIVE_TOKEN, BAD_SIG, CONTEXT_EXPIRED
See Also:
verifyMIC(byte[],int,int,byte[],int,int,MessageProp), wrap(InputStream,OutputStream), MessageProp

verifyMIC

public void verifyMIC(byte[] inTok,
                      int tokOffset,
                      int tokLen,
                      byte[] inMsg,
                      int msgOffset,
                      int msgLen,
                      MessageProp msgProp)
            throws GSSException
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message. The msgProp parameter will contain the QOP indicating the strength of protection that was applied to the message and any supplementary status values for the token. This method is equivalent in functionality to its stream counterpart.

RFC 2078
Parameters:
inTok - token generated by peer's getMIC method
tokOffset - the offset within the inTok where the token begins
tokLen - the length of the token
inMsg - Application message to verify the Cryptographic MIC over.
msgOffset - the offset within the inMsg where the message begins
msgLen - the length of the message
msgProp - upon return from this method, this object will contain the applied QOP and supplementary status values for the supplied token. The privacy state will always be set to false.
Throws:
GSSException - with possible major codes DEFECTIVE_TOKEN, BAD_SIG, CONTEXT_EXPIRED

wrap

public void wrap(InputStream inBuf,
                 OutputStream outBuf,
                 MessageProp msgProp)
            throws GSSException
Allows to apply per-message security services over the established security context. The method will produce a token with a cryptographic MIC and may optionally encrypt the specified inBuf. The outBuf will contain both the MIC and the message. The msgProp object is used to specify a QOP value to select cryptographic algorithms, and a privacy service, if supported by the chosen mechanism.

Supports the wrapping and unwrapping of zero-length messages.

The application will be responsible for sending the token to the peer.

RFC 2078
Parameters:
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED, CREDENTIALS_EXPIRED, BAD_QOP, FAILURE.
See Also:
wrap(byte,int,int,MessageProp), unwrap(InputStream,OutputStream,MessageProp), MessageProp

wrap

public byte[] wrap(byte[] inBuf,
                   int offset,
                   int length,
                   MessageProp msgProp)
            throws GSSException
Allows to apply per-message security services over the established security context. The method will return a token with a cryptographic MIC and may optionally encrypt the specified inBuf. This method is equivalent i functionality to its stream counterpart. The returned byte array will contain both the MIC and the message. The msgProp object is used to specify a QOP value which selects cryptographic algorithms, and a privacy service, if supported by the chosen mechanism.

Supports the wrapping and unwrapping of zero-length messages.

The application will be responsible for sending the token to the peer.

RFC 2078
Parameters:
inBuf - the application data to be protected
offset - the offset in the inBuf where the data begins
length - the length of the data starting at offset
Returns:
buffer to be sent to the peer for processing by unwrap
Throws:
GSSException - with possible major codes of CONTEXT_EXPIRED, CREDENTIALS_EXPIRED, BAD_QOP, FAILURE.