1. /*

  2.  * @(#)GSSCredential.java	1.7 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.  

  8. package org.ietf.jgss;

  9. 

  10. /**

  11.  * This interface encapsulates the GSS-API credentials for an entity.  A

  12.  * credential contains all the necessary cryptographic information to

  13.  * enable the creation of a context on behalf of the entity that it

  14.  * represents.  It may contain multiple, distinct, mechanism specific

  15.  * credential elements, each containing information for a specific

  16.  * security mechanism, but all referring to the same entity. A credential

  17.  * may be used to perform context initiation, acceptance, or both.<p>

  18.  *

  19.  * Credentials are instantiated using one of the

  20.  * <code>createCredential</code> methods in the {@link GSSManager

  21.  * GSSManager} class. GSS-API credential creation is not

  22.  * intended to provide a "login to the network" function, as such a

  23.  * function would involve the creation of new credentials rather than

  24.  * merely acquiring a handle to existing credentials. The

  25.  * <a href=package-summary.html#useSubjectCredsOnly>section on credential

  26.  * acquisition</a> in the package level description describes

  27.  * how existing credentials are acquired in the Java 2 platform. GSS-API 

  28.  * implementations must impose a local access-control policy on callers to

  29.  * prevent unauthorized callers from acquiring credentials to which they

  30.  * are not entitled. <p>

  31.  *

  32.  * Applications will create a credential object passing the desired

  33.  * parameters.  The application can then use the query methods to obtain

  34.  * specific information about the instantiated credential object.

  35.  * When the credential is no longer needed, the application should call

  36.  * the {@link #dispose() dispose} method to release any resources held by

  37.  * the credential object and to destroy any cryptographically sensitive

  38.  * information.<p>

  39.  *

  40.  * This example code demonstrates the creation of a GSSCredential

  41.  * implementation for a specific entity, querying of its fields, and its

  42.  * release when it is no longer needed:<p>

  43.  * <pre>

  44.  *    GSSManager manager = GSSManager.getInstance();

  45.  *

  46.  *    // start by creating a name object for the entity

  47.  *    GSSName name = manager.createName("myusername", GSSName.NT_USER_NAME);

  48.  *

  49.  *    // now acquire credentials for the entity

  50.  *    GSSCredential cred = manager.createCredential(name,

  51.  *                    GSSCredential.ACCEPT_ONLY);

  52.  *

  53.  *    // display credential information - name, remaining lifetime,

  54.  *    // and the mechanisms it has been acquired over

  55.  *    System.out.println(cred.getName().toString());

  56.  *    System.out.println(cred.getRemainingLifetime());

  57.  *

  58.  *    Oid [] mechs = cred.getMechs();

  59.  *    if (mechs != null) {

  60.  *            for (int i = 0; i < mechs.length; i++)

  61.  *                    System.out.println(mechs[i].toString());

  62.  *    }

  63.  *

  64.  *    // release system resources held by the credential

  65.  *    cred.dispose();

  66.  * </pre>

  67.  *

  68.  * @see GSSManager#createCredential(int)

  69.  * @see GSSManager#createCredential(GSSName, int, Oid, int)

  70.  * @see GSSManager#createCredential(GSSName, int, Oid[], int)

  71.  * @see #dispose()

  72.  *

  73.  * @author Mayank Upadhyay

  74.  * @version 1.7, 01/23/03

  75.  * @since 1.4

  76.  */

  77. public interface GSSCredential extends Cloneable{

  78. 

  79.     /** 

  80.      * Credential usage flag requesting that it be usable

  81.      * for both context initiation and acceptance.

  82.      * 

  83.      */

  84.     public static final int INITIATE_AND_ACCEPT = 0;

  85.     

  86.     

  87.     /** 

  88.      * Credential usage flag requesting that it be usable

  89.      * for context initiation only.

  90.      * 

  91.      */

  92.     public static final int INITIATE_ONLY = 1;

  93.     

  94.     

  95.     /** 

  96.      * Credential usage flag requesting that it be usable

  97.      * for context acceptance only.

  98.      * 

  99.      */

  100.     public static final int ACCEPT_ONLY = 2;

  101.     

  102.     

  103.     /**    

  104.      * A lifetime constant representing the default credential lifetime. This 

  105.      * value it set to 0.

  106.      */

  107.     public static final int DEFAULT_LIFETIME = 0;

  108.     

  109.     /** 

  110.      * A lifetime constant representing indefinite credential lifetime.

  111.      * This value must is set to the maximum integer value in Java -

  112.      * {@link java.lang.Integer#MAX_VALUE Integer.MAX_VALUE}.

  113.      */

  114.     public static final int INDEFINITE_LIFETIME = Integer.MAX_VALUE;

  115.     

  116.     /**    

  117.      * Releases any sensitive information that the GSSCredential object may

  118.      * be containing.  Applications should call this method as soon as the

  119.      * credential is no longer needed to minimize the time any sensitive

  120.      * information is maintained.

  121.      *

  122.      * @throws GSSException containing the following 

  123.      * major error codes: 

  124.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  125.      */

  126.     public void dispose() throws GSSException;

  127.     

  128.     /**    

  129.      *  Retrieves the name of the entity that the credential asserts.

  130.      *

  131.      * @return a GSSName representing the entity

  132.      *

  133.      * @throws GSSException containing the following 

  134.      * major error codes: 

  135.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  136.      */

  137.     public GSSName getName() throws GSSException;

  138.     

  139.     /**    

  140.      * Retrieves a Mechanism Name of the entity that the credential

  141.      * asserts. This is equivalent to calling {@link

  142.      * GSSName#canonicalize(Oid) canonicalize} on the value returned by

  143.      * the other form of {@link #getName() getName}.

  144.      * 

  145.      * @param mech the Oid of the mechanism for which the Mechanism Name

  146.      * should be returned.

  147.      * @return a GSSName representing the entity canonicalized for the

  148.      * desired mechanism

  149.      *

  150.      * @throws GSSException containing the following 

  151.      * major error codes: 

  152.      *         {@link GSSException#BAD_MECH GSSException.BAD_MECH},

  153.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  154.      */

  155.     public GSSName getName(Oid mech) throws GSSException;

  156.     

  157.     /**    

  158.      * Returns the remaining lifetime in seconds for a credential.  The

  159.      * remaining lifetime is the minimum lifetime amongst all of the underlying

  160.      * mechanism specific credential elements.

  161.      *

  162.      * @return the minimum remaining lifetime in seconds for this

  163.      * credential. A return value of {@link #INDEFINITE_LIFETIME

  164.      * INDEFINITE_LIFETIME} indicates that the credential does

  165.      * not expire. A return value of 0 indicates that the credential is

  166.      * already expired.

  167.      *

  168.      * @see #getRemainingInitLifetime(Oid)

  169.      * @see #getRemainingAcceptLifetime(Oid)

  170.      *

  171.      * @throws GSSException containing the following 

  172.      * major error codes: 

  173.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  174.      */

  175.     public int getRemainingLifetime() throws GSSException;

  176.     

  177.     /**    

  178.      * Returns the lifetime in seconds for the credential to remain capable

  179.      * of initiating security contexts using the specified mechanism. This

  180.      * method queries the initiator credential element that belongs to the

  181.      * specified mechanism.

  182.      *

  183.      * @return the number of seconds remaining in the life of this credential

  184.      * element. A return value of {@link #INDEFINITE_LIFETIME

  185.      * INDEFINITE_LIFETIME} indicates that the credential element does not

  186.      * expire.  A return value of 0 indicates that the credential element is

  187.      * already expired.

  188.      * 

  189.      * @param mech the Oid of the mechanism whose intiator credential element

  190.      * should be queried.

  191.      *

  192.      * @throws GSSException containing the following 

  193.      * major error codes: 

  194.      *         {@link GSSException#BAD_MECH GSSException.BAD_MECH},

  195.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  196.      */

  197.     public int getRemainingInitLifetime(Oid mech) throws GSSException;

  198.     

  199.     /**    

  200.      * Returns the lifetime in seconds for the credential to remain capable

  201.      * of accepting security contexts using the specified mechanism. This

  202.      * method queries the acceptor credential element that belongs to the

  203.      * specified mechanism.

  204.      *

  205.      * @return the number of seconds remaining in the life of this credential

  206.      * element. A return value of {@link #INDEFINITE_LIFETIME

  207.      * INDEFINITE_LIFETIME} indicates that the credential element does not

  208.      * expire.  A return value of 0 indicates that the credential element is

  209.      * already expired.

  210.      * 

  211.      * @param mech the Oid of the mechanism whose acceptor credential element

  212.      * should be queried.

  213.      *

  214.      * @throws GSSException containing the following 

  215.      * major error codes: 

  216.      *         {@link GSSException#BAD_MECH GSSException.BAD_MECH},

  217.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  218.      */

  219.     public int getRemainingAcceptLifetime(Oid mech) throws GSSException;

  220.     

  221.     /**    

  222.      * Returns the credential usage mode. In other words, it

  223.      * tells us if this credential can be used for initiating or accepting

  224.      * security contexts. It does not tell us which mechanism(s) has to be

  225.      * used in order to do so. It is expected that an application will allow

  226.      * the GSS-API to pick a default mechanism after calling this method.

  227.      *

  228.      * @return The return value will be one of {@link #INITIATE_ONLY

  229.      * INITIATE_ONLY}, {@link #ACCEPT_ONLY ACCEPT_ONLY}, and {@link

  230.      * #INITIATE_AND_ACCEPT INITIATE_AND_ACCEPT}.

  231.      *

  232.      * @throws GSSException containing the following 

  233.      * major error codes: 

  234.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  235.      */

  236.     public int getUsage() throws GSSException;

  237.     

  238.     /**

  239.      * Returns the credential usage mode for a specific mechanism. In other

  240.      * words, it tells us if this credential can be used 

  241.      * for initiating or accepting security contexts with a given underlying

  242.      * mechanism.

  243.      *

  244.      * @return The return value will be one of {@link #INITIATE_ONLY

  245.      * INITIATE_ONLY}, {@link #ACCEPT_ONLY ACCEPT_ONLY}, and {@link

  246.      * #INITIATE_AND_ACCEPT INITIATE_AND_ACCEPT}.

  247.      * @param mech the Oid of the mechanism whose credentials usage mode is

  248.      * to be determined.

  249.      *

  250.      * @throws GSSException containing the following 

  251.      * major error codes: 

  252.      *         {@link GSSException#BAD_MECH GSSException.BAD_MECH},

  253.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  254.      */

  255.     public int getUsage(Oid mech) throws GSSException;

  256.     

  257.     /**    

  258.      * Returns a list of mechanisms supported by this credential. It does

  259.      * not tell us which ones can be used to initiate

  260.      * contexts and which ones can be used to accept contexts. The

  261.      * application must call the {@link #getUsage(Oid) getUsage} method with

  262.      * each of the returned Oid's to determine the possible modes of

  263.      * usage.

  264.      *

  265.      * @return an array of Oid's corresponding to the supported mechanisms.

  266.      *

  267.      * @throws GSSException containing the following 

  268.      * major error codes: 

  269.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  270.      */

  271.     public Oid[] getMechs() throws GSSException;

  272.     

  273.     /**    

  274.      * Adds a mechanism specific credential-element to an existing

  275.      * credential.  This method allows the construction of credentials, one

  276.      * mechanism at a time.<p>

  277.      *

  278.      * This routine is envisioned to be used mainly by context acceptors

  279.      * during the creation of acceptor credentials which are to be used

  280.      * with a variety of clients using different security mechanisms.<p>

  281.      *

  282.      * This routine adds the new credential element "in-place".  To add the

  283.      * element in a new credential, first call <code>clone</code> to obtain a

  284.      * copy of this credential, then call its <code>add</code> method.<p>

  285.      *

  286.      * As always, GSS-API implementations must impose a local access-control

  287.      * policy on callers to prevent unauthorized callers from acquiring

  288.      * credentials to which they are not entitled.

  289.      *

  290.      * Non-default values for initLifetime and acceptLifetime cannot always

  291.      * be honored by the underlying mechanisms, thus callers should be

  292.      * prepared to call {@link #getRemainingInitLifetime(Oid)

  293.      * getRemainingInitLifetime} and {@link #getRemainingAcceptLifetime(Oid)

  294.      * getRemainingAcceptLifetime} on the credential.

  295.      *

  296.      * @param name the name of the principal for whom this credential is to

  297.      * be acquired.  Use <code>null</code> to specify the default

  298.      * principal.

  299.      * @param initLifetime the number of seconds that the credential element

  300.      * should remain valid for initiating of security contexts. Use {@link

  301.      * GSSCredential#INDEFINITE_LIFETIME GSSCredential.INDEFINITE_LIFETIME}

  302.      * to request that the credentials have the maximum permitted lifetime

  303.      * for this.  Use {@link GSSCredential#DEFAULT_LIFETIME

  304.      * GSSCredential.DEFAULT_LIFETIME} to request default credential lifetime 

  305.      * for this.

  306.      * @param acceptLifetime the number of seconds that the credential

  307.      * element should remain valid for accepting security contexts. Use {@link

  308.      * GSSCredential#INDEFINITE_LIFETIME GSSCredential.INDEFINITE_LIFETIME}

  309.      * to request that the credentials have the maximum permitted lifetime

  310.      * for this.  Use {@link GSSCredential#DEFAULT_LIFETIME

  311.      * GSSCredential.DEFAULT_LIFETIME} to request default credential lifetime 

  312.      * for this.

  313.      * @param mech the mechanism over which the credential is to be acquired.

  314.      * @param usage the usage mode that this credential

  315.      * element should add to the credential. The value

  316.      * of this parameter must be one of: 

  317.      * {@link #INITIATE_AND_ACCEPT INITIATE_AND_ACCEPT},

  318.      * {@link #ACCEPT_ONLY ACCEPT_ONLY}, and

  319.      * {@link #INITIATE_ONLY INITIATE_ONLY}.

  320.      *

  321.      * @throws GSSException containing the following 

  322.      * major error codes: 

  323.      *         {@link GSSException#DUPLICATE_ELEMENT 

  324.      *                          GSSException.DUPLICATE_ELEMENT},

  325.      *         {@link GSSException#BAD_MECH GSSException.BAD_MECH},

  326.      *         {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},

  327.      *         {@link GSSException#NO_CRED GSSException.NO_CRED},

  328.      *         {@link GSSException#CREDENTIALS_EXPIRED 

  329.      *                                  GSSException.CREDENTIALS_EXPIRED},

  330.      *         {@link GSSException#FAILURE GSSException.FAILURE}

  331.      */

  332.     public void add(GSSName name, int initLifetime, int acceptLifetime,

  333.                     Oid mech, int usage) throws GSSException;

  334.     

  335.     /**    

  336.      * Tests if this GSSCredential asserts the same entity as the supplied

  337.      * object.  The two credentials must be acquired over the same

  338.      * mechanisms and must refer to the same principal.  

  339.      *

  340.      * @return <code>true</code> if the two GSSCredentials assert the same

  341.      * entity; <code>false</code> otherwise.

  342.      * @param another another GSSCredential for comparison to this one

  343.      */

  344.     public boolean equals(Object another);

  345. 

  346.     /**

  347.      * Returns a hashcode value for this GSSCredential.

  348.      *

  349.      * @return a hashCode value

  350.      */

  351.     public int hashCode();

  352. 

  353. }

  354.