001/* GSSCredential.java -- GSS credential interface.
002   Copyright (C) 2004 Free Software Foundation, Inc.
003
004This file is part of GNU Classpath.
005
006GNU Classpath is free software; you can redistribute it and/or modify
007it under the terms of the GNU General Public License as published by
008the Free Software Foundation; either version 2, or (at your option)
009any later version.
010
011GNU Classpath is distributed in the hope that it will be useful, but
012WITHOUT ANY WARRANTY; without even the implied warranty of
013MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
014General Public License for more details.
015
016You should have received a copy of the GNU General Public License
017along with GNU Classpath; see the file COPYING.  If not, write to the
018Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
01902110-1301 USA.
020
021Linking this library statically or dynamically with other modules is
022making a combined work based on this library.  Thus, the terms and
023conditions of the GNU General Public License cover the whole
024combination.
025
026As a special exception, the copyright holders of this library give you
027permission to link this library with independent modules to produce an
028executable, regardless of the license terms of these independent
029modules, and to copy and distribute the resulting executable under
030terms of your choice, provided that you also meet, for each linked
031independent module, the terms and conditions of the license of that
032module.  An independent module is a module which is not derived from
033or based on this library.  If you modify this library, you may extend
034this exception to your version of the library, but you are not
035obligated to do so.  If you do not wish to do so, delete this
036exception statement from your version.
037
038   The documentation comments of this class are derived from the text
039   of RFC 2853:  Generic Security Service API Version 2: Java Bindings.
040   That document is covered under the following license notice:
041
042Copyright (C) The Internet Society (2000).  All Rights Reserved.
043
044This document and translations of it may be copied and furnished to
045others, and derivative works that comment on or otherwise explain it
046or assist in its implementation may be prepared, copied, published and
047distributed, in whole or in part, without restriction of any kind,
048provided that the above copyright notice and this paragraph are
049included on all such copies and derivative works.  However, this
050document itself may not be modified in any way, such as by removing
051the copyright notice or references to the Internet Society or other
052Internet organizations, except as needed for the purpose of developing
053Internet standards in which case the procedures for copyrights defined
054in the Internet Standards process must be followed, or as required to
055translate it into languages other than English.
056
057The limited permissions granted above are perpetual and will not be
058revoked by the Internet Society or its successors or assigns.
059
060This document and the information contained herein is provided on an
061"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
062TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
063NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
064WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
065MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
066
067
068package org.ietf.jgss;
069
070/**
071 * <p>This interface encapsulates the GSS-API credentials for an entity.
072 * A credential contains all the necessary cryptographic information to
073 * enable the creation of a context on behalf of the entity that it
074 * represents.  It may contain multiple, distinct, mechanism specific
075 * credential elements, each containing information for a specific
076 * security mechanism, but all referring to the same entity.</p>
077 *
078 * <p>A credential may be used to perform context initiation, acceptance,
079 * or both.</p>
080 *
081 * <p>GSS-API implementations must impose a local access-control policy on
082 * callers to prevent unauthorized callers from acquiring credentials to
083 * which they are not entitled.  GSS-API credential creation is not
084 * intended to provide a "login to the network" function, as such a
085 * function would involve the creation of new credentials rather than
086 * merely acquiring a handle to existing credentials.  Such functions,
087 * if required, should be defined in implementation-specific extensions
088 * to the API.</p>
089 *
090 * <p>If credential acquisition is time-consuming for a mechanism, the
091 * mechanism may choose to delay the actual acquisition until the
092 * credential is required (e.g.  by {@link GSSContext}). Such mechanism-
093 * specific implementation decisions should be invisible to the calling
094 * application; thus the query methods immediately following the
095 * creation of a credential object must return valid credential data,
096 * and may therefore incur the overhead of a deferred credential
097 * acquisition.</p>
098 *
099 * <p>Applications will create a credential object passing the desired
100 * parameters.  The application can then use the query methods to obtain
101 * specific information about the instantiated credential object
102 * (equivalent to the gss_inquire routines).  When the credential is no
103 * longer needed, the application should call the dispose (equivalent to
104 * gss_release_cred) method to release any resources held by the
105 * credential object and to destroy any cryptographically sensitive
106 * information.</p>
107 *
108 * <p>Classes implementing this interface also implement the {@link Cloneable}
109 * interface. This indicates the the class will support the {@link
110 * Cloneable#clone()} method that will allow the creation of duplicate
111 * credentials. This is useful when called just before the {@link
112 * #add(org.ietf.jgss.GSSName,int,int,org.ietf.jgss.Oid,int)} call to retain
113 * a copy of the original credential.</p>
114 *
115 * <h3>Example Code</h3>
116 *
117 * <pre>
118GSSManager mgr = GSSManager.getInstance();
119
120// start by creating a name object for the entity
121GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
122
123// now acquire credentials for the entity
124GSSCredential cred = mgr.createCredential(name,
125                                          GSSCredential.ACCEPT_ONLY);
126
127// display credential information - name, remaining lifetime,
128// and the mechanisms it has been acquired over
129print(cred.getName().toString());
130print(cred.getRemainingLifetime());
131
132Oid [] mechs = cred.getMechs();
133if (mechs != null)
134  {
135    for (int i = 0; i < mechs.length; i++)
136      print(mechs[i].toString());
137  }
138
139// release system resources held by the credential
140cred.dispose();
141 * </pre>
142 */
143public interface GSSCredential extends Cloneable
144{
145
146  // Constants.
147  // -------------------------------------------------------------------------
148
149  /**
150   * Credential usage flag requesting that it be able to be used for both
151   * context initiation and acceptance.
152   */
153  int INITIATE_AND_ACCEPT = 0;
154
155  /**
156   * Credential usage flag requesting that it be able to be used for
157   * context initiation only.
158   */
159  int INITIATE_ONLY = 1;
160
161  /**
162   * Credential usage flag requesting that it be able to be used for
163   * context acceptance only.
164   */
165  int ACCEPT_ONLY = 2;
166
167  /**
168   * A lifetime constant representing the default credential lifetime.
169   */
170  int DEFAULT_LIFETIME = 0;
171
172  /**
173   * A lifetime constant representing indefinite credential lifetime.
174   */
175  int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
176
177  // Methods.
178  // -------------------------------------------------------------------------
179
180  /**
181   * Releases any sensitive information that the GSSCredential object may
182   * be containing.  Applications should call this method as soon as the
183   * credential is no longer needed to minimize the time any sensitive
184   * information is maintained.
185   *
186   * @throws GSSException If this operation fails.
187   */
188  void dispose() throws GSSException;
189
190  /**
191   * Retrieves the name of the entity that the credential asserts.
192   *
193   * @return The name.
194   * @throws GSSException If this operation fails.
195   */
196  GSSName getName() throws GSSException;
197
198  /**
199   * Retrieves a mechanism name of the entity that the credential asserts.
200   * Equivalent to calling {@link GSSName#canonicalize(org.ietf.jgss.Oid)}
201   * on the name returned by {@link #getName()}.
202   *
203   * @param mechOID The mechanism for which information should be returned.
204   * @return The name.
205   * @throws GSSException If this operation fails.
206   */
207  GSSName getName(Oid mechOID) throws GSSException;
208
209  /**
210   * Returns the remaining lifetime in seconds for a credential.  The
211   * remaining lifetime is the minimum lifetime for any of the underlying
212   * credential mechanisms.  A return value of {@link
213   * GSSCredential#INDEFINITE_LIFETIME} indicates that the credential does
214   * not expire.  A return value of 0 indicates that the credential is
215   * already expired.
216   *
217   * @return The remaining lifetime.
218   * @throws GSSException If this operation fails.
219   */
220  int getRemainingLifetime() throws GSSException;
221
222  /**
223   * Returns the remaining lifetime is seconds for the credential to
224   * remain capable of initiating security contexts under the specified
225   * mechanism.  A return value of {@link GSSCredential#INDEFINITE_LIFETIME}
226   * indicates that the credential does not expire for context initiation.
227   * A return value of 0 indicates that the credential is already expired.
228   *
229   * @param mech The mechanism for which information should be returned.
230   * @return The remaining lifetime.
231   * @throws GSSException If this operation fails.
232   */
233  int getRemainingInitLifetime(Oid mech) throws GSSException;
234
235  /**
236   * Returns the remaining lifetime is seconds for the credential to
237   * remain capable of accepting security contexts under the specified
238   * mechanism.  A return value of {@link GSSCredential#INDEFINITE_LIFETIME}
239   * indicates that the credential does not expire for context acceptance.
240   * A return value of 0 indicates that the credential is already expired.
241   *
242   * @param mech The mechanism for which information should be returned.
243   * @return The remaining lifetime.
244   * @throws GSSException If this operation fails.
245   */
246  int getRemainingAcceptLifetime(Oid mech) throws GSSException;
247
248  /**
249   * Returns the credential usage flag.  The return value will be one of
250   * {@link GSSCredential#INITIATE_ONLY}, {@link GSSCredential#ACCEPT_ONLY},
251   * or {@link GSSCredential#INITIATE_AND_ACCEPT}.
252   *
253   * @return The credential usage flag.
254   * @throws GSSException If this operation fails.
255   */
256  int getUsage() throws GSSException;
257
258  /**
259   * Returns the credential usage flag for the specified credential
260   * mechanism.  The return value will be one of
261   * {@link GSSCredential#INITIATE_ONLY}, {@link GSSCredential#ACCEPT_ONLY},
262   * or {@link GSSCredential#INITIATE_AND_ACCEPT}.
263   *
264   * @param mechOID The mechanism for which information should be returned.
265   * @return The credential usage flag.
266   * @throws GSSException If this operation fails.
267   */
268  int getUsage(Oid mechOID) throws GSSException;
269
270  /**
271   * Returns an array of mechanisms supported by this credential.
272   *
273   * @return The supported mechanism.
274   * @throws GSSException If this operation fails.
275   */
276  Oid[] getMechs() throws GSSException;
277
278  /**
279   * <p>Adds a mechanism specific credential-element to an existing
280   * credential.  This method allows the construction of credentials one
281   * mechanism at a time.</p>
282   *
283   * <p>This routine is envisioned to be used mainly by context acceptors
284   * during the creation of acceptance credentials which are to be used
285   * with a variety of clients using different security mechanisms.</p>
286   *
287   * <p>This routine adds the new credential element "in-place".  To add the
288   * element in a new credential, first call {@link Cloneable#clone()} to
289   * obtain a copy of this credential, then call its <code>add()</code>
290   * method.</p>
291   *
292   * @param aName          Name of the principal for whom this credential
293   *                       is to be acquired. Use <code>null</code> to
294   *                       specify the default principal.
295   * @param initLifetime   The number of seconds that credentials should
296   *                       remain valid for initiating of security contexts.
297   *                       Use {@link #INDEFINITE_LIFETIME} to request that
298   *                       the credentials have the maximum permitted lifetime.
299   *                       Use {@link GSSCredential#DEFAULT_LIFETIME} to
300   *                       request the default credential lifetime.
301   * @param acceptLifetime The number of seconds that credentials should
302   *                       remain valid for accepting of security contexts.
303   *                       Use {@link GSSCredential#INDEFINITE_LIFETIME} to
304   *                       request that the credentials have the maximum
305   *                       permitted lifetime. Use {@link
306   *                       GSSCredential#DEFAULT_LIFETIME} to request
307   *                       the default credential lifetime.
308   * @param mech           The mechanisms over which the credential is to be
309   *                       acquired.
310   * @param usage          The intended usage for this credential object. The
311   *                       value of this parameter must be one of:
312   *                       {@link GSSCredential#ACCEPT_AND_INITIATE},
313   *                       {@link GSSCredential#ACCEPT_ONLY},
314   *                       {@link GSSCredential#INITIATE_ONLY}.
315   * @throws GSSException If this operation fails.
316   */
317  void add(GSSName aName, int initLifetime, int acceptLifetime,
318           Oid mech, int usage) throws GSSException;
319
320  /**
321   * Tests if this GSSCredential refers to the same entity as the supplied
322   * object.  The two credentials must be acquired over the same
323   * mechanisms and must refer to the same principal. Returns <code>true</code>
324   * if the two GSSCredentials refer to the same entity; <code>false</code>
325   * otherwise. (Note that the Java language specification requires that two
326   * objects that are equal according to the {@link
327   * Object#equals(java.lang.Object)} method must return the same integer
328   * result when the {@link Object#hashCode()} method is called on them.)
329   *
330   * @param another Another GSSCredential object for comparison.
331   * @return True if this object equals the other.
332   */
333  boolean equals(Object another);
334
335  /**
336   * Return the hash code of this credential. When overriding {@link #equals},
337   * it is necessary to override hashCode() as well.
338   *
339   * @return the hash code that must be the same for two credentials if
340   * {@link #equals} returns true.
341   */
342  int hashCode();
343
344}