Internet-Draft March 25, 1997
such delegate credentials to be directly used for initiating further
security contexts. Note that it is the caller's responsibility to
free any received credentials returned from gss_get_received_creds
via gss_release_cred.
7.3. ACCEPTOR CONTROL HANDLING CALLS
The following construct is used in both the GSS_Set_cred_controls
and GSS_Get_sec_controls calls:
   AcceptorControl ::= SEQUENCE {
       targetOnly      SEQUENCE OF SecAttribute OPTIONAL,
       delegateOnly    SEQUENCE OF SecAttribute OPTIONAL,
       delegateTarget  SEQUENCE OF SecAttribute OPTIONAL,
       delegationMode  DelegationMode OPTIONAL }

   DelegationMode ::= ENUMERATED {
       default   (0),
       simple    (1),
       composite (2),
       traced    (3) }
The fields targetOnly, delegateOnly and delegateTarget each specify one
or several qualifier attributes identifying the acceptors (as targets,
delegates or delegate/targets) to which the controls apply:
* the targetOnly choice specifies that the qualifier(s) identify one or
  more targets, none of which may use the credentials as a delegate.
* the delegateOnly choice specifies that the qualifier(s) identify one or
  more delegates, none of which should use the privilege attributes in the
  credentials when authorising access to their own protected resources,
  but which may use the received credentials as a delegate.
* the delegateTarget choice specifies that the qualifier(s) identify one
  or more delegate/targets, any of which can use the received credentials
  as a delegate and can also use the privilege attributes in the
  credentials when authorising access to its own protected resources.
delegationMode
Indicates the mode of delegation required.
Currently three delegation modes and one default are specified:
- default: whatever mode of delegation has been set as default (this may
  be no delegation).
- simple: only the original initiator's credentials have to be forwarded
  in the security context being established.
- composite: the credentials of the original initiator and of the
  immediate caller have to be forwarded.
- traced: the credentials of the original initiator and of all the
  delegates, including the immediate caller, have to be forwarded.
Parker, Pinkas Document Expiration: 25 September, 1997 [Page 13]
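As an added example (not part of the draft), the following C code models how a context acceptor could apply the AcceptorControl semantics and delegation modes described above. Qualifier attributes are reduced to acceptor-name strings, the list types and function names are this example's own, and an acceptor named in no list is treated fail-closed, which is an assumption rather than something the draft states.

```c
/* Added example, not from the draft: evaluating the AcceptorControl above.
 * Qualifiers are simplified to acceptor-name strings held in NULL-terminated
 * lists (a list pointer of NULL means the field is absent). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
enum delegation_mode { DM_DEFAULT = 0, DM_SIMPLE = 1, DM_COMPOSITE = 2, DM_TRACED = 3 };
struct acceptor_control {
    const char *const *target_only, *const *delegate_only, *const *delegate_target;
    enum delegation_mode delegation_mode;
};
struct acceptor_rights {
    bool may_authorise; /* may use the privilege attributes for its own resources */
    bool may_delegate;  /* may use the received credentials as a delegate */
};
static bool in_list(const char *const *list, const char *name) {
    for (; list != NULL && *list != NULL; ++list)
        if (strcmp(*list, name) == 0) return true;
    return false;
}

/* targetOnly forbids delegating and delegateOnly forbids local authorisation,
 * so an entry in conflicting lists loses that right; a name in no list gets
 * neither right (fail-closed, an assumption of this example). */
struct acceptor_rights evaluate_control(const struct acceptor_control *ctl,
                                        const char *acceptor) {
    bool t = in_list(ctl->target_only, acceptor);
    bool d = in_list(ctl->delegate_only, acceptor);
    bool dt = in_list(ctl->delegate_target, acceptor);
    struct acceptor_rights r = { (t || dt) && !d, (d || dt) && !t };
    return r;
}
/* Credentials a delegate forwards from a chain of chain_len principals
 * (original initiator first, immediate caller last); "default" is assumed
 * here to resolve to a local default of no delegation. */
size_t creds_to_forward(enum delegation_mode mode, size_t chain_len) {
    switch (mode) {
    case DM_SIMPLE:    return chain_len > 0 ? 1 : 0;
    case DM_COMPOSITE: return chain_len < 2 ? chain_len : 2;
    case DM_TRACED:    return chain_len;
    default:           return 0;
    }
}
/* Constructed sample control (not from the draft) for exercising the above. */
static const char *const sample_targets[] = { "fileserver", "printer", NULL };
static const char *const sample_delegates[] = { "gateway", NULL };
static const char *const sample_both[] = { "fileserver", "broker", NULL };
const struct acceptor_control sample_control =
    { sample_targets, sample_delegates, sample_both, DM_COMPOSITE };
```

In the sample, "fileserver" appears in both targetOnly and delegateTarget, so it keeps local authorisation but loses the right to delegate.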
7.3.1. GSS_Set_cred_controls call
Input:
- cred_handle OCTET STRING,
- required_acceptor_control AcceptorControl,
- replace_old_controls BOOLEAN,
- new_cred_req BOOLEAN,
- commit_cred_req BOOLEAN
Output:
- output_cred_handle OCTET STRING
Return major_status code:
- GSS_S_COMPLETE indicates that the controls have been set.
- GSS_S_CREDENTIALS_EXPIRED indicates that the specified credentials have
  expired.
- GSS_S_DEFECTIVE_CREDENTIAL indicates that defective credentials have
  been detected.
- GSS_S_FAILURE indicates a failure, unspecified at the GSS-API level.
- GSS_S_UNAUTHORIZED indicates that the function, or an argument of the
  function, was not authorised.
- GSS_S_UNAVAILABLE indicates that the operation is not supported.
This function supports requests to set context acceptor controls, either
replacing the controls already present in the credentials or creating a
new set of credentials with the new controls. Whether the effect of this
call is cumulative depends on the value of the replace_old_controls
parameter.
Parameters for GSS_Set_cred_controls:
cred_handle
Handle for the claimed credentials; it refers to an authenticated
principal. Supply NULL to use default credentials.
required_acceptor_control
The control settings required.
replace_old_controls
TRUE to replace acceptor controls existing in original credentials.
FALSE to specify additional controls.
new_cred_req
TRUE for a new credentials set, FALSE to modify the original.
commit_cred_req
TRUE for immediate action, FALSE for deferred action.
output_cred_handle
GSS_Set_cred_controls produces a modified version of the input
credentials (cred_handle). The original credentials are directly
changed if new_cred_req is FALSE; otherwise output_cred_handle
references a new, and potentially different, copy of the original input
credentials (which remain untouched). gss_release_cred can be used when
the caller is finished with any new credentials created by this
function.
7.3.2. GSS_Get_sec_controls call
Input:
- cred_handle OCTET STRING,
- context_handle INTEGER
Output:
- acceptor_controls SET OF AcceptorControl
Return major_status code:
- GSS_S_COMPLETE indicates that the acceptor control information has
  been returned.
- GSS_S_CREDENTIALS_EXPIRED indicates that the specified credentials have
  expired.
- GSS_S_DEFECTIVE_CREDENTIAL indicates that defective credentials have
  been detected.
- GSS_S_FAILURE indicates a failure, unspecified at the GSS-API level.
- GSS_S_UNAVAILABLE indicates that the operation is not supported.
This function enables a caller to query the current value of the
acceptor controls in the specified credentials or security context. It
can be used by both context initiators and context acceptors.
Parameters for GSS_Get_sec_controls:
cred_handle
Handle to credentials. It refers to an authenticated principal.
Supply NULL to use default credentials, or a context handle.
context_handle
GSS-API security context handle; context_handle refers to a security
context that is part of an established association. context_handle is
ignored if a non-NULL cred_handle is presented. (Note: it is typically
only necessary to use a context_handle parameter rather than cred_handle
when a security context is emitted by gss_accept_sec_context without an
accompanying set of delegated credentials.)
acceptor_controls
A set of acceptor controls. Acceptor controls are described in
section 6.2.
7.3.3. GSS_Compound_creds call
Input:
- delegated_cred_handle OCTET STRING,
- cred_handle OCTET STRING
Output:
- cred_handle_new OCTET STRING
Return major_status code:
- GSS_S_COMPLETE indicates that the credentials were successfully
  compounded.
- GSS_S_CREDENTIALS_EXPIRED indicates that one or more of the specified
  credentials have expired.
- GSS_S_DEFECTIVE_CREDENTIAL indicates that defective credentials have
  been detected.
- GSS_S_FAILURE indicates a failure, unspecified at the GSS-API level.
- GSS_S_UNAVAILABLE indicates that the operation is not supported.
Parameters for gss_compound_cred:
delegated_cred_handle
A handle to the credentials being delegated; it refers to one or
several authenticated principals.
cred_handle
A handle to the claimed credentials of the caller; cred_handle refers to
an authenticated principal.
cred_handle_new
A handle to the compounded set of credentials.
8. C-LANGUAGE BINDINGS
This section specifies C language bindings for the extended GSS-API
functions.
8.1. DATA TYPES AND CALLING CONVENTIONS
The following data types:
- OM_uint32,
- gss_buffer_t,
- gss_OID,
- gss_OID_set,
- gss_cred_id_t,
- gss_ctx_id_t,
are defined in [RFC-1508], along with the calling conventions.
8.1.1. SECURITY ATTRIBUTES
A security attribute (see section 2) has the following data
structure:
   typedef struct gss_sec_attr_desc {
       gss_OID      attribute_type;
       gss_buffer_t defining_authority; /* specify GSS_C_NO_BUFFER when
                                           not present */
       gss_buffer_t security_value;
   } gss_sec_attr;
8.1.2. SECURITY ATTRIBUTE SETS
A set of security attributes has the following structure:
   typedef struct gss_sec_attr_set_desc {
       OM_uint32     attribute_count;
       gss_sec_attr* attributes;
   } gss_sec_attr_set;
The attribute_count field contains the number of security attributes
in the set.
8.1.3. CREDENTIALS LIST
A list of credentials has the following structure:
   typedef struct {
       OM_uint32      cred_count;
       gss_cred_id_t* cred_list;
   } gss_cred_list;
The cred_count field contains the number of credentials in the list.
8.1.4. ACCEPTOR CONTROL
Acceptor control has the following structure:
   typedef struct gss_acceptor_control_desc {
       gss_sec_attr target_only;     /* specify GSS_C_NULL_SEC_ATTR when
                                        not present */
       gss_sec_attr delegate_only;   /* specify GSS_C_NULL_SEC_ATTR when
                                        not present */
       gss_sec_attr delegate_target; /* specify GSS_C_NULL_SEC_ATTR when
                                        not present */
       OM_uint32    delegation_mode; /* 0 (default) when not present */
   } gss_acceptor_control;
8.1.5. ACCEPTOR CONTROL SET
A set of acceptor controls has the following structure:
   typedef struct gss_control_set_desc {
       OM_uint32             control_count;
       gss_acceptor_control* acceptor_controls;
   } gss_control_set;
The control_count field contains the number of acceptor controls in
the set.
8.1.6. IDENTIFIER
Identifiers have the following data structure:
   typedef struct {
       gss_type_en id_type;
       gss_value   id_value;
   } gss_id;
Where id_type identifies the syntax within the Identifier type:
   typedef enum {
       gss_oid_t,   /* for OID */
       gss_integer, /* for Integer */
       gss_string,  /* for character string */
       gss_uuid,    /* for DCE UUID */
       gss_buffer   /* for gss_buffer (named so as not to clash with the
                       gss_buffer_t type) */
   } gss_type_en;
And where id_value is the actual value of the data of type Identifier:
   typedef union {
       gss_OID      OID;
       OM_uint32*   integer;
       char*        string;
       uuid_t*      uuid;
       gss_buffer_t buffer;
   } gss_value;
This C type is applicable for the following types of attribute:
access identity, primary group, capability, audit identity, issuer
domain name, and role name.
When one of these attributes is handled in a call, the
security_value field of the gss_sec_attr structure for this
attribute contains a pointer to the gss_id structure.
8.1.7. IDENTIFIER SET
Identifier sets have the following data structure:
   typedef struct gss_id_set_desc {
       OM_uint32 id_count;
       gss_id*   ids;
   } gss_id_set;
The id_count field contains the number of Identifiers in the set.
This C type is applicable for the following types of attribute:
group, role, optional restrictions, mandatory restrictions, acceptor
name and application trust group.
When one of these attributes is handled in a call, the
security_value field of the gss_sec_attr structure for this
attribute contains a pointer to the gss_id_set structure.
8.1.8. TIME PERIOD
A time period has the following structure:
   typedef struct gss_time_period_desc {
       time_t start_time; /* 0 (NULL) for an unconstrained start time */
       time_t end_time;   /* 0 (NULL) for an unconstrained end time */
   } gss_time_period;
8.1.9. TIME PERIODS LIST
Time period lists have the following data structure:
   typedef struct gss_period_list_desc {
       OM_uint32        period_count;
       gss_time_period* periods;
   } gss_period_list;
The period_count field contains the number of time periods in the
list.
This C type is applicable for the miscellaneous attribute: time
period.
When a list of time periods is returned by a GSS_Get_sec_attributes
call, or set by a GSS_Set_cred_attributes call, the security_value
field of the gss_sec_attr structure in gss_sec_attr_set contains a
pointer to the gss_period_list structure.
8.2. XGSS-API ROUTINE DESCRIPTIONS
8.2.1. gss_set_cred_attributes
   /* set attribute values in credentials */
   OM_uint32 gss_set_cred_attributes (
       gss_cred_id_t    cred_handle,         /* IN  */
       gss_sec_attr_set required_attributes, /* IN  */
       OM_uint32        new_cred_req,        /* IN  */
       OM_uint32        commit_cred_req,     /* IN  */
       OM_uint32*       minor_status,        /* OUT */
       gss_cred_id_t*   output_cred_handle); /* OUT */
8.2.2. gss_get_sec_attributes
   /* get attributes associated with credentials or a security context */
   OM_uint32 gss_get_sec_attributes (
       gss_cred_id_t      cred_handle,              /* IN  */
       gss_ctx_id_t       context_handle,           /* IN  */
       gss_OID_set        attribute_types_required, /* IN  */
       OM_uint32*         minor_status,             /* OUT */
       gss_sec_attr_set** priv_attributes,          /* OUT */
       gss_sec_attr_set** misc_attributes,          /* OUT */
       OM_uint32*         other_cred_present);      /* OUT */
8.2.3. gss_get_received_creds
   /* get received credentials associated with a security context */
   OM_uint32 gss_get_received_creds (
       gss_ctx_id_t    context_handle, /* IN  */
       OM_uint32*      minor_status,   /* OUT */
       gss_cred_list** received_creds); /* OUT */
8.2.4. gss_set_cred_controls
   /* set acceptor controls in credentials for context establishment */
   OM_uint32 gss_set_cred_controls (
       gss_cred_id_t   cred_handle,          /* IN  */
       gss_control_set required_control,     /* IN  */
       OM_uint32       replace_old_controls, /* IN  */
       OM_uint32       new_cred_req,         /* IN  */
       OM_uint32       commit_cred_req,      /* IN  */
       OM_uint32*      minor_status,         /* OUT */
       gss_cred_id_t*  output_cred_handle);  /* OUT */
8.2.5. gss_get_sec_controls
   /* get context acceptor controls from credentials or a security context */
   OM_uint32 gss_get_sec_controls (
       gss_cred_id_t    cred_handle,        /* IN  */
       gss_ctx_id_t     context_handle,     /* IN  */
       OM_uint32*       minor_status,       /* OUT */
       gss_control_set* acceptor_controls); /* OUT */
8.2.6. gss_compound_cred
   /* compound credentials for delegation */
   OM_uint32 gss_compound_cred (
       gss_cred_id_t  delegated_cred_handle, /* IN  */
       gss_cred_id_t  cred_handle,           /* IN  */
       OM_uint32*     minor_status,          /* OUT */
       gss_cred_id_t* cred_handle_new);      /* OUT */
9. ACKNOWLEDGEMENTS
Acknowledgements are due to the following people: Eric Baize,
Belinda Fairthorne, Stephen Farell, Jacques Lebastard and Tom Parker,
for providing material for the construction of this document and/or
providing useful input.
10. SECURITY CONSIDERATIONS
Security issues are discussed throughout this memo.
11. REFERENCES
[RFC-1508] J. Linn, "Generic Security Service API", RFC 1508,
           September 1993.
[RFC-1509] J. Wray, "Generic Security Service API: C-bindings",
           RFC 1509, September 1993.
12. AUTHORS' ADDRESSES
Tom Parker
ICL Enterprises
59 Old Road,
Derry Hill,
Calne,
Wiltshire SN11 9NF,
United Kingdom
Internet email: t.a.parker@win0199.wins.icl.co.uk
Telephone: +44.1344.472169
Fax: +44.1249.822703

Denis Pinkas
Bull
Rue Jean-Jaures
BP 68
78340 Les Clayes-sous-Bois
FRANCE
Internet email: D.Pinkas@frcl.bull.fr
Telephone: +33 1 30 80 34 87
Fax: +33 1 30 80 33 21
13. CONTENT LIST
1. STATUS OF THIS MEMO 1
2. ABSTRACT 1
3. SECURITY ATTRIBUTES 2
3.1. PRINCIPAL ATTRIBUTES 2
3.1.1. PRIVILEGES ATTRIBUTES 2
3.1.2. MISCELLANEOUS ATTRIBUTES 3
3.2. QUALIFIER ATTRIBUTES 3
3.3. ATTRIBUTES DEFINITIONS 3
3.3.1. Privilege attributes 3
3.3.1.1. Role attribute 3
3.4.1.2. Access identity 3
3.4.1.3. Primary group 3
3.4.1.4. Group 4
3.4.1.5. Capability 4
3.3.2. Miscellaneous attributes 4
3.4.2.1. Audit identity 4
3.4.2.2. Issuer domain name 4
3.4.2.3. Validity periods 5
3.4.2.4. Optional restrictions 5
3.4.2.5. Mandatory restrictions 5
3.3.3. QUALIFIER ATTRIBUTES 5
3.4.3.1. Acceptor name 5
3.4.3.2. Application trust group 6
4. ATTRIBUTE SET REFERENCE 6
4.1. ROLE NAME 6
6. INTERFACE DESCRIPTIONS 6
6.1. ATTRIBUTE HANDLING SUPPORT FUNCTIONS 6
6.1.1. GSS_Set_cred_attributes 6
6.1.2. GSS_Get_sec_attributes 6
6.2. CONTEXT ACCEPTOR SUPPORT FUNCTION 7
6.2.1. GSS_Get_received_creds 7
6.3. CONTEXT ACCEPTOR CONTROL FUNCTIONS 7
6.3.1. GSS_Set_cred_controls function 7
6.3.2. GSS_Get_sec_controls function 8
6.3.3. GSS_Compound_creds function 8
7. DETAILED DESCRIPTION OF THE CALLS 8
7.1. Attribute handling calls 8
7.1.1. GSS_Set_cred_attributes call 8
7.1.2. GSS_Get_sec_attributes call 10
7.2. CONTEXT ACCEPTOR SUPPORT FUNCTION 11
7.2.1. GSS_Get_received_creds call 12
7.3. ACCEPTOR CONTROL handling calls 13
7.3.1. GSS_Set_cred_controls call 14
7.3.2. GSS_Get_sec_controls call 15
7.3.3. GSS_Compound_creds call 16
8. C-LANGUAGE BINDINGS 17
8.1. DATA TYPES AND CALLING CONVENTIONS 17
8.1.1. Security attributes 17
8.1.2. Security attribute sets 17
8.1.3. Credentials list 18
8.1.4. Acceptor control 18
8.1.5. Acceptor control set 18
8.1.6. Identifier 18
8.1.7. Identifier set 19
8.1.8. Time period 20
8.1.9. Time periods list 20
8.2. XGSS-API ROUTINE DESCRIPTIONS 20
8.2.1. gss_set_cred_attributes 20
8.2.2. gss_get_sec_attributes 20
8.2.3. gss_get_received_creds 21
8.2.4. gss_set_cred_controls 21
8.2.5. gss_get_sec_controls 21
8.2.6. gss_compound_cred 21
9. ACKNOWLEDGEMENTS 21
10. SECURITY CONSIDERATIONS 21
11. REFERENCES 22
12. AUTHORS' ADDRESSES 22
13. CONTENT LIST 23