Generic Security Service API Version 2: Java Bindings Update
draft-ietf-kitten-rfc5653bis-05
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8353.
|
|
|---|---|---|---|
| Authors | Mayank D. Upadhyay , Seema Malkani , Wang Weijun | ||
| Last updated | 2017-09-11 (Latest revision 2017-08-04) | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Telechat review
(of
-06)
by Joel Halpern
Ready w/issues
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Matt Rogers | ||
| Shepherd write-up | Show Last changed 2017-04-11 | ||
| IESG | IESG state | Became RFC 8353 (Proposed Standard) | |
| Consensus boilerplate | Yes | ||
| Telechat date | (None) | ||
| Responsible AD | Eric Rescorla | ||
| Send notices to | mrogers@redhat.com | ||
| IANA | IANA review state | IANA OK - No Actions Needed |
draft-ietf-kitten-rfc5653bis-05
quot;Old Token? " + supplInfo.isOldToken());
print("Unsequenced Token? " +
supplInfo.isUnseqToken());
print("Gap Token? " + supplInfo.isGapToken());
/*
* Now process the bytes and send back an
* encrypted response.
*/
buffer = serverProcess(buffer);
// Encipher it and send it across
supplInfo.setPrivacy(true); // privacy requested
supplInfo.setQOP(0); // default QOP
outToken = context.wrap(buffer, 0, buffer.length,
Upadhyay, et al. Expires February 5, 2018 [Page 88]
Internet-Draft draft-ietf-kitten-rfc5653bis-05 August 2017
supplInfo);
writeGSSToken(outToken);
} catch (GSSException e) {
print("GSS-API Error: " + e.getMessage());
// Alternatively, could call e.getMajorMessage()
// and e.getMinorMessage()
// If the exception contains an output token,
// it should be sent to the initiator.
byte[] outTok = e.getOutputToken();
if (outTok != null) {
writeGSSToken(outTok);
}
print("Abandoning security context.");
...
...
}
...
...
} // end of run method in ServerThread
} // end of inner class ServerThread
...
...
} // end of class SimpleServer
<CODE ENDS>
8. Security Considerations
The Java language security model allows platform providers to have
policy-based fine-grained access control over any resource that an
application wants. When using a Java security manager (such as, but
not limited to, the case of applets running in browsers) the
application code is in a sandbox by default.
Administrators of the platform JRE determine what permissions, if
any, are to be given to source from different codebases. Thus, the
administrator has to be aware of any special requirements that the
GSS provider might have for system resources. For instance, a
Kerberos provider might wish to make a network connection to the Key
Distribution Center (KDC) to obtain initial credentials. This would
not be allowed under the sandbox unless the administrator had granted
permissions for this. Also, note that this granting and checking of
permissions happens transparently to the application and is outside
the scope of this document.
Upadhyay, et al. Expires February 5, 2018 [Page 89]
Internet-Draft draft-ietf-kitten-rfc5653bis-05 August 2017
The Java language allows administrators to pre-configure a list of
security service providers in the <JRE>/lib/security/java.security
file. At runtime, the system approaches these providers in order of
preference when looking for security related services. Applications
have a means to modify this list through methods in the "Security"
class in the "java.security" package. However, since these
modifications would be visible in the entire Java Virtual Machine
(JVM) and thus affect all code executing in it, this operation is not
available in the sandbox and requires special permissions to perform.
Thus, when a GSS application has special needs that are met by a
particular security provider, it has two choices:
1) To install the provider on a JVM-wide basis using the
java.security.Security class and then depend on the system to find
the right provider automatically when the need arises. (This
would require the application to be granted a "insertProvider
SecurityPermission".)
2) To pass an instance of the provider to the local instance of
GSSManager so that only factory calls going through that
GSSManager use the desired provider. (This would not require any
permissions.)
9. IANA Considerations
This document has no actions for IANA.
10. Acknowledgments
This proposed API leverages earlier work performed by the IETF's CAT
WG as outlined in both RFC 2743 [RFC2743] and RFC 2744 [RFC2744].
Many conceptual definitions, implementation directions, and
explanations have been included from these documents.
We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael
Saltz, and other members of Sun's development team for their helpful
input, comments, and suggestions.
We would also like to thank Joe Salowey, and Michael Smith for many
insightful ideas and suggestions that have contributed to this
document.
11. Changes since RFC 5653
This document has following changes:
1) New error token embedded in GSSException
Upadhyay, et al. Expires February 5, 2018 [Page 90]
Internet-Draft draft-ietf-kitten-rfc5653bis-05 August 2017
There is a design flaw in the initSecContext and acceptSecContext
methods of the GSSContext class defined in Generic Security
Service API Version 2: Java Bindings Update [RFC5653].
The methods could either return a token (possibly null if no more
tokens are needed) when the call succeeds or throw a GSSException
if there is a failure, but NOT both. On the other hand, the C
bindings of GSS-API [RFC2744] can return both, that is to say, a
call to the GSS_Init_sec_context() function can return a major
status code, and at the same time, fill in the output_token
argument if there is one.
Without the ability to emit an error token when there is a
failure, a Java application has no mechanism to tell the other
side what the error is. For example, a "reject" NegTokenResp
token can never be transmitted for the SPNEGO mechanism [RFC4178].
While a Java method can never return a value and throw an
exception at the same time, we can embed the error token inside
the exception so that the caller has a chance to retrieve it.
This update adds a new GSSException constructor to include this
token inside a GSSException object, and a getOutputToken() method
to retrieve the token. The specification for the initSecContext
and acceptSecContext methods are updated to describe the new
behavior. Various examples are also updated.
This is a compatible change. New JGSS programs should make use of
this new feature but it is not mandatory.
2) Removing stream-based GSSContext methods
The overloaded methods of GSSContext that use input and output
streams as the means to convey authentication and per-message GSS-
API tokens as described in Section 5.15 of RFC 5653 [RFC5653] are
removed in this update as the wire protocol should be defined by
an application and not a library. It's also impossible to
implement these methods correctly when the token has no self-
framing (where the end cannot be determined) or the library has no
knowledge of the token format (for example, as a bridge talking to
another GSS library). These methods include initSecContext
(Section 7.4.5 of RFC 5653 [RFC5653]), acceptSecContext
(Section 7.4.9 of RFC 5653 [RFC5653]), wrap (Section 7.4.15 of RFC
5653 [RFC5653]), unwrap (Section 7.4.17 of RFC 5653 [RFC5653]),
getMIC (Section 7.4.19 of RFC 5653 [RFC5653]), and verifyMIC
(Section 7.4.21 of RFC 5653 [RFC5653]).
Upadhyay, et al. Expires February 5, 2018 [Page 91]
Internet-Draft draft-ietf-kitten-rfc5653bis-05 August 2017
12. Changes since RFC 2853
This document has following changes:
1) Major GSS Status Code Constant Values
RFC 2853 listed all the GSS status code values in two different
sections: section 4.12.1 defined numeric values for them, and
section 6.8.1 defined them as static constants in the GSSException
class without assigning any values. Due to an inconsistent
ordering between these two sections, all of the GSS major status
codes resulted in misalignment, and a subsequent disagreement
between deployed implementations.
This document defines the numeric values of the GSS status codes
in both sections, while maintaining the original ordering from
section 6.8.1 of RFC 2853 [RFC2853], and obsoletes the GSS status
code values defined in section 4.12.1. The relevant sections in
this document are sections 4.12.1 and 6.8.1.
2) GSS Credential Usage Constant Values
RFC 2853 section 6.3.2 defines static constants for the
GSSCredential usage flags. However, the values of these constants
were not defined anywhere in RFC 2853 [RFC2853].
This document defines the credential usage values in section
6.3.1. The original ordering of these values from section 6.3.2
of RFC 2853 [RFC2853] is maintained.
3) GSS Host-Based Service Name
RFC 2853 [RFC2853], section 6.2.2, defines the static constant for
the GSS host-based service OID NT_HOSTBASED_SERVICE, using a
deprecated OID value.
This document updates the NT_HOSTBASED_SERVICE OID value in
section 6.2.1 to be consistent with the C-bindings in RFC 2744
[RFC2744].
13. References
13.1. Normative References
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
(SPKM)", RFC 2025, DOI 10.17487/RFC2025, October 1996,
<http://www.rfc-editor.org/info/rfc2025>.
Upadhyay, et al. Expires February 5, 2018 [Page 92]
Internet-Draft draft-ietf-kitten-rfc5653bis-05 August 2017
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743,
DOI 10.17487/RFC2743, January 2000,
<http://www.rfc-editor.org/info/rfc2743>.
[RFC2744] Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, DOI 10.17487/RFC2744, January 2000,
<http://www.rfc-editor.org/info/rfc2744>.
[RFC2853] Kabat, J. and M. Upadhyay, "Generic Security Service API
Version 2 : Java Bindings", RFC 2853,
DOI 10.17487/RFC2853, June 2000,
<http://www.rfc-editor.org/info/rfc2853>.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121,
DOI 10.17487/RFC4121, July 2005,
<http://www.rfc-editor.org/info/rfc4121>.
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism",
RFC 4178, DOI 10.17487/RFC4178, October 2005,
<http://www.rfc-editor.org/info/rfc4178>.
[RFC5653] Upadhyay, M. and S. Malkani, "Generic Security Service API
Version 2: Java Bindings Update", RFC 5653,
DOI 10.17487/RFC5653, August 2009,
<http://www.rfc-editor.org/info/rfc5653>.
13.2. Informative References
[JLS] Gosling, J., Joy, B., Steele, G., and G. Bracha, "The Java
Language Specification", Third Edition, 2005,
<http://java.sun.com/docs/books/jls/>.
Authors' Addresses
Mayank D. Upadhyay
Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
USA
Email: m.d.upadhyay+ietf@gmail.com
Upadhyay, et al. Expires February 5, 2018 [Page 93]
Internet-Draft draft-ietf-kitten-rfc5653bis-05 August 2017
Seema Malkani
ActivIdentity Corp.
6623 Dumbarton Circle
Fremont, California 94555
USA
Email: Seema.Malkani@gmail.com
Wang Weijun
Oracle
Building No. 24, Zhongguancun Software Park
Beijing 100193
China
Email: weijun.wang@oracle.com
Upadhyay, et al. Expires February 5, 2018 [Page 94]