summaryrefslogtreecommitdiff
path: root/libjava/classpath/org/ietf/jgss
diff options
context:
space:
mode:
authorupstream source tree <ports@midipix.org>2015-03-15 20:14:05 -0400
committerupstream source tree <ports@midipix.org>2015-03-15 20:14:05 -0400
commit554fd8c5195424bdbcabf5de30fdc183aba391bd (patch)
tree976dc5ab7fddf506dadce60ae936f43f58787092 /libjava/classpath/org/ietf/jgss
downloadcbb-gcc-4.6.4-554fd8c5195424bdbcabf5de30fdc183aba391bd.tar.bz2
cbb-gcc-4.6.4-554fd8c5195424bdbcabf5de30fdc183aba391bd.tar.xz
obtained gcc-4.6.4.tar.bz2 from upstream website;upstream
verified gcc-4.6.4.tar.bz2.sig; imported gcc-4.6.4 source tree from verified upstream tarball. downloading a git-generated archive based on the 'upstream' tag should provide you with a source tree that is binary identical to the one extracted from the above tarball. if you have obtained the source via the command 'git clone', however, do note that line-endings of files in your working directory might differ from line-endings of the respective files in the upstream repository.
Diffstat (limited to 'libjava/classpath/org/ietf/jgss')
-rw-r--r--libjava/classpath/org/ietf/jgss/ChannelBinding.java215
-rw-r--r--libjava/classpath/org/ietf/jgss/GSSContext.java924
-rw-r--r--libjava/classpath/org/ietf/jgss/GSSCredential.java344
-rw-r--r--libjava/classpath/org/ietf/jgss/GSSException.java448
-rw-r--r--libjava/classpath/org/ietf/jgss/GSSManager.java501
-rw-r--r--libjava/classpath/org/ietf/jgss/GSSName.java278
-rw-r--r--libjava/classpath/org/ietf/jgss/MessageProp.java273
-rw-r--r--libjava/classpath/org/ietf/jgss/Oid.java387
8 files changed, 3370 insertions, 0 deletions
diff --git a/libjava/classpath/org/ietf/jgss/ChannelBinding.java b/libjava/classpath/org/ietf/jgss/ChannelBinding.java
new file mode 100644
index 000000000..9ea266de5
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/ChannelBinding.java
@@ -0,0 +1,215 @@
+/* ChannelBinding.java -- a channel binding in the GSS-API.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+import java.net.InetAddress;
+import java.util.Arrays;
+
+/**
+ * <p>The GSS-API accommodates the concept of caller-provided channel
+ * binding information. Channel bindings are used to strengthen the
+ * quality with which peer entity authentication is provided during
+ * context establishment. They enable the GSS-API callers to bind the
+ * establishment of the security context to relevant characteristics
+ * like addresses or to application specific data.</p>
+ *
+ * <p>The caller initiating the security context must determine the
+ * appropriate channel binding values to set in the {@link GSSContext}
+ * object. The acceptor must provide an identical binding in order to
+ * validate that received tokens possess correct channel-related
+ * characteristics.</p>
+ *
+ * <p>Use of channel bindings is optional in GSS-API. Since channel-binding
+ * information may be transmitted in context establishment tokens,
+ * applications should therefore not use confidential data as
+ * channel-binding components.</p>
+ */
+public class ChannelBinding
+{
+
+ // Fields.
+ // -------------------------------------------------------------------------
+
+ private final byte[] appData;
+ private final InetAddress initAddr;
+ private final InetAddress acceptAddr;
+
+ // Constructor.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Create a ChannelBinding object with user supplied address information
+ * and data. <code>null</code> values can be used for any fields which the
+ * application does not want to specify.
+ *
+ * @param initAddr The address of the context initiator. <code>null</code>
+ * value can be supplied to indicate that the application
+ * does not want to set this value.
+ * @param acceptAddr The address of the context acceptor. <code>null</code>
+ * value can be supplied to indicate that the application
+ * does not want to set this value.
+ * @param appData Application supplied data to be used as part of the
+ * channel bindings. <code>null</code> value can be
+ * supplied to indicate that the application does not
+ * want to set this value.
+ */
+ public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr,
+ byte[] appData)
+ {
+ this.appData = (appData != null) ? (byte[]) appData.clone() : null;
+ this.initAddr = initAddr;
+ this.acceptAddr = acceptAddr;
+ }
+
+ /**
+ * Creates a ChannelBinding object without any addressing information.
+ *
+ * @param appData Application supplied data to be used as part of the
+ * channel bindings.
+ */
+ public ChannelBinding(byte[] appData)
+ {
+ this(null, null, appData);
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Returns the initiator's address for this channel binding.
+ * <code>null</code> is returned if the address has not been set.
+ *
+ * @return The initiator's address, or <code>null</code>.
+ */
+ public InetAddress getInitiatorAddress()
+ {
+ return initAddr;
+ }
+
+ /**
+ * Returns the acceptor's address for this channel binding.
+ * <code>null</code> is returned if the address has not been set.
+ *
+ * @return The acceptor's address, or <code>null</code>.
+ */
+ public InetAddress getAcceptorAddress()
+ {
+ return acceptAddr;
+ }
+
+ /**
+ * Returns application data being used as part of the ChannelBinding.
+ * <code>null</code> is returned if no application data has been
+ * specified for the channel binding.
+ *
+ * @return The application data, or <code>null</code>.
+ */
+ public byte[] getApplicationData()
+ {
+ if (appData != null)
+ return (byte[]) appData.clone();
+ return null;
+ }
+
+ /**
+ * Returns <code>true</code> if two channel bindings match.
+ *
+ * @param obj Another channel binding to compare with.
+ * @return True if this channel binding equals the other.
+ */
+ public boolean equals(Object obj)
+ {
+ if (!(obj instanceof ChannelBinding))
+ return false;
+ ChannelBinding cb = (ChannelBinding) obj;
+ boolean b1 = Arrays.equals(appData, cb.appData);
+ boolean b2 = (initAddr == null && cb.initAddr == null)
+ || (cb.initAddr != null && initAddr.equals(cb.initAddr));
+ boolean b3 = (acceptAddr == null && cb.acceptAddr == null)
+ || (cb.acceptAddr != null && acceptAddr.equals(cb.acceptAddr));
+ return b1 && b2 && b3;
+ }
+
+ /**
+ * Returns the hash code for this channel binding.
+ *
+ * @return The hash code.
+ */
+ public int hashCode()
+ {
+ int code = 0;
+ if (appData != null)
+ for (int i = 0; i < appData.length; i++)
+ code ^= appData[i] << ((8 * i) & 31);
+ if (initAddr != null)
+ code ^= initAddr.hashCode();
+ if (acceptAddr != null)
+ code ^= acceptAddr.hashCode();
+ return code;
+ }
+}
diff --git a/libjava/classpath/org/ietf/jgss/GSSContext.java b/libjava/classpath/org/ietf/jgss/GSSContext.java
new file mode 100644
index 000000000..c39622145
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/GSSContext.java
@@ -0,0 +1,924 @@
+/* GSSContext.java -- The GSS context interface.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package org.ietf.jgss;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+
+/**
+ * <p>This interface encapsulates the GSS-API security context and provides
+ * the security services ({@link #wrap(byte[],int,int,org.ietf.jgss.MessageProp)},
+ * {@link #unwrap(byte[],int,int,org.ietf.jgss.MessageProp)}, {@link
+ * #getMIC(byte[],int,int,org.ietf.jgss.MessageProp)}, {@link
+ * #verifyMIC(byte[],int,int,byte[],int,int,org.ietf.jgss.MessageProp)}) that
+ * are available over the context. Security contexts are established
+ * between peers using locally acquired credentials. Multiple contexts
+ * may exist simultaneously between a pair of peers, using the same or
+ * different set of credentials. GSS-API functions in a manner
+ * independent of the underlying transport protocol and depends on its
+ * calling application to transport its tokens between peers.</p>
+ *
+ * <p>Before the context establishment phase is initiated, the context
+ * initiator may request specific characteristics desired of the
+ * established context. These can be set using the set methods. After
+ * the context is established, the caller can check the actual
+ * characteristic and services offered by the context using the query
+ * methods.</p>
+ *
+ * <p>The context establishment phase begins with the first call to the
+ * init method by the context initiator. During this phase the
+ * {@link #initSecContext(byte[],int,int)} and {@link
+ * #acceptSecContext(byte[],int,int)} methods will produce GSS-API
+ * authentication tokens which the calling application needs to send to
+ * its peer. If an error occurs at any point, an exception will get
+ * thrown and the code will start executing in a catch block. If not,
+ * the normal flow of code continues and the application can make a call
+ * to the {@link #isEstablished()} method. If this method returns false it
+ * indicates that a token is needed from its peer in order to continue
+ * the context establishment phase. A return value of true signals that
+ * the local end of the context is established. This may still require
+ * that a token be sent to the peer, if one is produced by GSS-API.
+ * During the context establishment phase, the {@link #isProtReady()}
+ * method may be called to determine if the context can be used for the
+ * per-message operations. This allows applications to use per-message
+ * operations on contexts which aren't fully established.</p>
+ *
+ * <p>After the context has been established or the {@link #isProtReady()}
+ * method returns <code>true</code>, the query routines can be invoked to
+ * determine the actual characteristics and services of the established
+ * context. The application can also start using the per-message methods
+ * of {@link #wrap(byte[],int,int,org.ietf.jgss.MessageProp)} and
+ * {@link #getMIC(byte[],int,int,org.ietf.jgss.MessageProp)} to obtain
+ * cryptographic operations on application supplied data.</p>
+ *
+ * <p>When the context is no longer needed, the application should call
+ * {@link dispose()} to release any system resources the context may be
+ * using.</p>
+ *
+ * <h3>Example Code</h3>
+ *
+ * <pre>
+GSSManager mgr = GSSManager.getInstance();
+
+// start by creating the name for a service entity
+GSSName targetName = mgr.createName("service@host",
+ GSSName.NT_HOSTBASED_SERVICE);
+
+// create a context using default credentials for the above entity
+// and the implementation specific default mechanism
+GSSContext context = mgr.createContext(targetName,
+ null, // default mechanism
+ null, // default credentials
+ GSSContext.INDEFINITE_LIFETIME);
+
+// set desired context options - all others are false by default
+context.requestConf(true);
+context.requestMutualAuth(true);
+context.requestReplayDet(true);
+context.requestSequenceDet(true);
+
+// establish a context between peers - using byte arrays
+byte []inTok = new byte[0];
+
+try
+ {
+ do
+ {
+ byte[] outTok = context.initSecContext(inTok, 0,
+ inTok.length);
+
+ // send the token if present
+ if (outTok != null)
+ sendToken(outTok);
+
+ // check if we should expect more tokens
+ if (context.isEstablished())
+ break;
+
+ // another token expected from peer
+ inTok = readToken();
+
+ }
+ while (true);
+ }
+catch (GSSException e)
+ {
+ print("GSSAPI error: " + e.getMessage());
+ }
+
+// display context information
+print("Remaining lifetime in seconds = " + context.getLifetime());
+print("Context mechanism = " + context.getMech().toString());
+print("Initiator = " + context.getSrcName().toString());
+print("Acceptor = " + context.getTargName().toString());
+
+if (context.getConfState())
+ print("Confidentiality security service available");
+
+if (context.getIntegState())
+ print("Integrity security service available");
+
+// perform wrap on an application supplied message, appMsg,
+// using QOP = 0, and requesting privacy service
+byte[] appMsg ...
+MessageProp mProp = new MessageProp(0, true);
+byte[] tok = context.wrap(appMsg, 0, appMsg.length, mProp);
+
+if (mProp.getPrivacy())
+ print("Message protected with privacy.");
+
+sendToken(tok);
+
+
+// release the local-end of the context
+context.dispose();
+ * </pre>
+ */
+public interface GSSContext
+{
+
+ // Constants.
+ // -------------------------------------------------------------------------
+
+ /**
+ * A lifetime constant representing the default context lifetime.
+ */
+ int DEFAULT_LIFETIME = 0;
+
+ /**
+ * A lifetime constant representing indefinite context lifetime.
+ */
+ int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
+
+ // Methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * <p>Called by the context initiator to start the context creation
+ * process. This is equivalent to the stream based method except that
+ * the token buffers are handled as byte arrays instead of using stream
+ * objects. This method may return an output token which the
+ * application will need to send to the peer for processing by the
+ * accept call. Typically, the application would do so by calling the
+ * {@link OutputStream#flush()} method on an OutputStream that
+ * encapsulates the connection between the two peers. The application
+ * can call {@link #isEstablished()} to determine if the context
+ * establishment phase is complete for this peer. A return value of
+ * <code>false</code> from {@link #isEstablished()} indicates that more
+ * tokens are expected to be supplied to the initSecContext() method. Note
+ * that it is possible that the initSecContext() method return a token for
+ * the peer, and {@link #isEstablished()} to return <code>true</code> also.
+ * This indicates that the token needs to be sent to the peer, but the local
+ * end of the context is now fully established.</p>
+ *
+ * <p>Upon completion of the context establishment, the available context
+ * options may be queried through the get methods.</p>
+ *
+ * @param inputBuf Token generated by the peer. This parameter is ignored
+ * on the first call.
+ * @param offset The offset within the <i>inputBuf</i> where the token
+ * begins.
+ * @param len The length of the token within the <i>inputBuf</i>
+ * (starting at the offset).
+ * @return The output token, if any.
+ * @throws GSSException If this operation fails.
+ */
+ byte[] initSecContext(byte[] inputBuf, int offset, int len)
+ throws GSSException;
+
+ /**
+ * <p>Called by the context initiator to start the context creation
+ * process. This is equivalent to the byte array based method. This
+ * method may write an output token to the <i>outStream</i>, which the
+ * application will need to send to the peer for processing by the
+ * accept call. Typically, the application would do so by calling the
+ * {@link OutputStream#flush()} method on an OutputStream that encapsulates
+ * the connection between the two peers. The application can call {@link
+ * #isEstablished()} to determine if the context establishment phase is
+ * complete for this peer. A return value of <code>false</code> from
+ * isEstablished indicates that more tokens are expected to be supplied
+ * to the initSecContext() method. Note that it is possible that the
+ * initSecContext() method return a token for the peer, and {@link
+ * #isEstablished() return <code>true</code> also. This indicates that
+ * the token needs to be sent to the peer, but the local end of the context
+ * is now fully established.</p>
+ *
+ * <p>The GSS-API authentication tokens contain a definitive start and end.
+ * This method will attempt to read one of these tokens per invocation,
+ * and may block on the stream if only part of the token is available.</p>
+ *
+ * <p>Upon completion of the context establishment, the available context
+ * options may be queried through the get methods.</p>
+ *
+ * @param inStream Contains the token generated by the peer. This
+ * parameter is ignored on the first call.
+ * @param outStream Output stream where the output token will be written.
+ * During the final stage of context establishment, there
+ * may be no bytes written.
+ * @return The number of bytes written to <i>outStream</i>, or 0 if no
+ * token is written.
+ * @throws GSSException If this operation fails.
+ */
+ int initSecContext(InputStream inStream, OutputStream outStream)
+ throws GSSException;
+
+ /**
+ * <p>Called by the context acceptor upon receiving a token from the peer.
+ * This call is equivalent to the stream based method except that the
+ * token buffers are handled as byte arrays instead of using stream
+ * objects.</p>
+ *
+ * <p>This method may return an output token which the application will
+ * need to send to the peer for further processing by the init call.</p>
+ *
+ * <p><code>null</code> return value indicates that no token needs to be
+ * sent to the peer. The application can call {@link #isEstablished()}
+ * to determine if the context establishment phase is complete for this
+ * peer. A return value of <code>false</code> from {@link #isEstablished()}
+ * indicates that more tokens are expected to be supplied to this
+ * method.</p>
+ *
+ * <p>Note that it is possible that acceptSecContext() return a token for
+ * the peer, and isEstablished() return <code>true</code> also. This
+ * indicates that the token needs to be sent to the peer, but the local
+ * end of the context is now fully established.</p>
+ *
+ * <p>Upon completion of the context establishment, the available context
+ * options may be queried through the get methods.</p>
+ *
+ * @param inTok Token generated by the peer.
+ * @param offset The offset within the <i>inTok</i> where the token begins.
+ * @param len The length of the token within the <i>inTok</i> (starting
+ * at the offset).
+ * @return The output token, if any.
+ * @throws GSSException If this operation fails.
+ */
+ byte[] acceptSecContext(byte[] inTok, int offset, int len)
+ throws GSSException;
+
+ /**
+ * <p>Called by the context acceptor upon receiving a token from the peer.
+ * This call is equivalent to the byte array method. It may write an
+ * output token to the outStream, which the application will need to
+ * send to the peer for processing by its initSecContext method.
+ * Typically, the application would do so by calling the {@link
+ * OutputStream#flush()} method on an OutputStream that encapsulates the
+ * connection between the two peers. The application can call {@link
+ * #isEstablished()} to determine if the context establishment phase is
+ * complete for this peer. A return value of <code>false</code> from
+ * {@link #isEstablished()} indicates that more tokens are expected to be
+ * supplied to this method.</p>
+ *
+ * <p>Note that it is possible that acceptSecContext() return a token for
+ * the peer, and isEstablished() return <code>true</code> also. This
+ * indicates that the token needs to be sent to the peer, but the local
+ * end of the context is now fully established.</p>
+ *
+ * <p>The GSS-API authentication tokens contain a definitive start and end.
+ * This method will attempt to read one of these tokens per invocation,
+ * and may block on the stream if only part of the token is available.</p>
+ *
+ * <p>Upon completion of the context establishment, the available context
+ * options may be queried through the get methods.</p>
+ *
+ * @param inStream Contains the token generated by the peer.
+ * @param outStream Output stream where the output token will be written.
+ * During the final stage of context establishment, there
+ * may be no bytes written.
+ * @return The number of bytes written, or 0 if no token is written.
+ * @throws GSSException If this operation fails.
+ */
+ void acceptSecContext(InputStream inStream, OutputStream outStream)
+ throws GSSException;
+
+ /**
+ * Used during context establishment to determine the state of the
+ * context. Returns <code>true</code> if this is a fully established
+ * context on the caller's side and no more tokens are needed from the
+ * peer. Should be called after a call to {@link
+ * #initSecContext(byte[],int,int)} or {@link
+ * #acceptSecContext(byte[],int,int)} when no {@link GSSException}
+ * is thrown.
+ *
+ * @return True of this context is fully established on this side.
+ */
+ boolean isEstablished();
+
+ /**
+ * Releases any system resources and cryptographic information stored in
+ * the context object. This will invalidate the context.
+ *
+ * @throws GSSException If this operation fails.
+ */
+ void dispose() throws GSSException;
+
+ /**
+ * <p>Returns the maximum message size that, if presented to the
+ * {@link #wrap(byte[],int,int,org.ietf.jgss.MessageProp)} method with
+ * the same <i>confReq</i> and <i>qop</i> parameters, will result in an
+ * output token containing no more than the <i>maxTokenSize</i> bytes.</p>
+ *
+ * <p>This call is intended for use by applications that communicate over
+ * protocols that impose a maximum message size. It enables the
+ * application to fragment messages prior to applying protection.</p>
+ *
+ * <p>GSS-API implementations are recommended but not required to detect
+ * invalid QOP values when getWrapSizeLimit is called. This routine
+ * guarantees only a maximum message size, not the availability of
+ * specific QOP values for message protection.</p>
+ *
+ * <p>Successful completion of this call does not guarantee that wrap will
+ * be able to protect a message of the computed length, since this
+ * ability may depend on the availability of system resources at the
+ * time that wrap is called. However, if the implementation itself
+ * imposes an upper limit on the length of messages that may be
+ * processed by wrap, the implementation should not return a value that
+ * is greater than this length.</p>
+ *
+ * @param qop Indicates the level of protection wrap will be asked
+ * to provide.
+ * @param confReq Indicates if wrap will be asked to provide privacy
+ * service.
+ * @param maxTokenSize The desired maximum size of the token emitted
+ * by {@link #wrap(byte[],int,int,org.ietf.jgss.MessageProp)}.
+ * @return The maximum wrapped output size.
+ * @throws GSSException If this operation fails.
+ */
+ int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize)
+ throws GSSException;
+
+ /**
+ * <p>Applies per-message security services over the established security
+ * context. The method will return a token with a cryptographic MIC and
+ * may optionally encrypt the specified <i>inBuf</i>. This method is
+ * equivalent in functionality to its stream counterpart. The returned
+ * byte array will contain both the MIC and the message.</p>
+ *
+ * <p>The {@link MessageProp} object is instantiated by the application
+ * and used to specify a QOP value which selects cryptographic algorithms,
+ * and a privacy service to optionally encrypt the message. The underlying
+ * mechanism that is used in the call may not be able to provide the
+ * privacy service. It sets the actual privacy service that it does
+ * provide in this {@link MessageProp} object which the caller should then
+ * query upon return. If the mechanism is not able to provide the
+ * requested QOP, it throws a {@link GSSException} with the {@link
+ * GSSException#BAD_QOP} code.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by wrap to provide "secure framing", implementations should support
+ * the wrapping of zero-length messages.</p>
+ *
+ * <p>The application will be responsible for sending the token to the
+ * peer.</p>
+ *
+ * @param inBuf Application data to be protected.
+ * @param offset The offset within the inBuf where the data begins.
+ * @param len The length of the data within the inBuf (starting at
+ * the offset).
+ * @param msgProp Instance of {@link MessageProp} that is used by the
+ * application to set the desired QOP and privacy state.
+ * Set the desired QOP to 0 to request the default QOP.
+ * Upon return from this method, this object will contain
+ * the the actual privacy state that was applied to the
+ * message by the underlying mechanism.
+ * @return The wrapped data.
+ * @throws GSSException If this operation fails.
+ */
+ byte[] wrap(byte[] inBuf, int offset, int len, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Allows to apply per-message security services over the established
+ * security context. The method will produce a token with a
+ * cryptographic MIC and may optionally encrypt the message in inStream.
+ * The outStream will contain both the MIC and the message.</p>
+ *
+ * <p>The {@link MessageProp} object is instantiated by the application and
+ * used to specify a QOP value which selects cryptographic algorithms, and
+ * a privacy service to optionally encrypt the message. The underlying
+ * mechanism that is used in the call may not be able to provide the
+ * privacy service. It sets the actual privacy service that it does
+ * provide in this MessageProp object which the caller should then query
+ * upon return. If the mechanism is not able to provide the requested
+ * QOP, it throws a {@link GSSException} with the {@link
+ * GSSException#BAD_QOP} code.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by wrap to provide "secure framing", implementations should support
+ * the wrapping of zero-length messages.</p>
+ *
+ * <p>The application will be responsible for sending the token to the
+ * peer.</p>
+ *
+ * @param inStream Input stream containing the application data to be
+ * protected.
+ * @param outStream The output stream to write the protected message to.
+ * The application is responsible for sending this to the
+ * other peer for processing in its unwrap method.
+ * @param msgProp Instance of {@link MessageProp} that is used by the
+ * application to set the desired QOP and privacy state.
+ * Set the desired QOP to 0 to request the default QOP.
+ * Upon return from this method, this object will contain
+ * the the actual privacy state that was applied to the
+ * message by the underlying mechanism.
+ * @throws GSSException If this operation fails.
+ */
+ void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Used by the peer application to process tokens generated with the
+ * wrap call. This call is equal in functionality to its stream
+ * counterpart. The method will return the message supplied in the peer
+ * application to the wrap call, verifying the embedded MIC.</p>
+ *
+ * <p>The {@link MessageProp} object is instantiated by the application and
+ * is used by the underlying mechanism to return information to the caller
+ * such as the QOP, whether confidentiality was applied to the message, and
+ * other supplementary message state information.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by wrap to provide "secure framing", implementations should support
+ * the wrapping and unwrapping of zero-length messages.</p>
+ *
+ * @param inBuf GSS-API wrap token received from peer.
+ * @param offset The offset within the inBuf where the token begins.
+ * @param len The length of the token within the inBuf (starting at
+ * the offset).
+ * @param msgProp Upon return from the method, this object will contain
+ * the applied QOP, the privacy state of the message, and
+ * supplementary information stating whether the token was
+ * a duplicate, old, out of sequence or arriving after a gap.
+ * @return The unwrapped token.
+ * @throws GSSException If this operation fails.
+ */
+ byte[] unwrap(byte[] inBuf, int offset, int len, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Used by the peer application to process tokens generated with the
+ * wrap call. This call is equal in functionality to its byte array
+ * counterpart. It will produce the message supplied in the peer
+ * application to the wrap call, verifying the embedded MIC.</p>
+ *
+ * <p>The {@link MessageProp} object is instantiated by the application
+ * and is used by the underlying mechanism to return information to the
+ * caller such as the QOP, whether confidentiality was applied to the
+ * message, and other supplementary message state information.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by wrap to provide "secure framing", implementations should support
+ * the wrapping and unwrapping of zero-length messages.</p>
+ *
+ * @param inStream Input stream containing the GSS-API wrap token
+ * received from the peer.
+ * @param outStream The output stream to write the application message to.
+ * @param msgProp Upon return from the method, this object will contain
+ * the applied QOP, the privacy state of the message, and
+ * supplementary information stating whether the token was
+ * a duplicate, old, out of sequence or arriving after a gap.
+ * @throws GSSException If this operation fails.
+ */
+ void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Returns a token containing a cryptographic MIC for the supplied
+ * message, for transfer to the peer application. Unlike wrap, which
+ * encapsulates the user message in the returned token, only the message
+ * MIC is returned in the output token. This method is identical in
+ * functionality to its stream counterpart.</p>
+ *
+ * <p>Note that privacy can only be applied through the wrap call.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by getMIC to provide "secure framing", implementations should support
+ * derivation of MICs from zero-length messages.</p>
+ *
+ * @param inMsg Message to generate MIC over.
+ * @param offset The offset within the inMsg where the token begins.
+ * @param len The length of the token within the inMsg (starting at
+ * the offset).
+ * @param msgProp Instance of MessageProp that is used by the
+ * application to set the desired QOP. Set the desired
+ * QOP to 0 in msgProp to request the default QOP.
+ * Alternatively pass in <code>null</code> for msgProp to
+ * request default QOP.
+ * @return The MIC.
+ * @throws GSSException If this operation fails.
+ */
+ byte[] getMIC(byte[] inMsg, int offset, int len, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Produces a token containing a cryptographic MIC for the supplied
+ * message, for transfer to the peer application. Unlike wrap, which
+ * encapsulates the user message in the returned token, only the message
+ * MIC is produced in the output token. This method is identical in
+ * functionality to its byte array counterpart.</p>
+ *
+ * <p>Note that privacy can only be applied through the wrap call.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by getMIC to provide "secure framing", implementations should support
+ * derivation of MICs from zero-length messages.</p>
+ *
+ * @param inStream Input stream containing the message to generate
+ * the MIC over.
+ * @param outStream Output stream to write the GSS-API output token to.
+ * @param mgProp Instance of MessageProp that is used by the
+ * application to set the desired QOP. Set the desired
+ * QOP to 0 in msgProp to request the default QOP.
+ * Alternatively pass in <code>null</code> for msgProp
+ * to request default QOP.
+ * @throws GSSException If this operation fails.
+ */
+ void getMIC(InputStream inStream, OutputStream outStream, MessageProp mgProp)
+ throws GSSException;
+
+ /**
+ * <p>Verifies the cryptographic MIC, contained in the token parameter,
+ * over the supplied message. This method is equivalent in
+ * functionality to its stream counterpart.</p>
+ *
+ * <p>The MessageProp object is instantiated by the application and is used
+ * by the underlying mechanism to return information to the caller such
+ * as the QOP indicating the strength of protection that was applied to
+ * the message and other supplementary message state information.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by getMIC to provide "secure framing", implementations should support
+ * the calculation and verification of MICs over zero-length messages.</p>
+ *
+ * @param inTok Token generated by peer's getMIC method.
+ * @param tokOffset The offset within the inTok where the token begins.
+ * @param tokLen The length of the token within the inTok (starting at
+ * the offset).
+ * @param inMsg Application message to verify the cryptographic MIC
+ * over.
+ * @param msgOffset The offset within the inMsg where the message begins.
+ * @param msgLen The length of the message within the inMsg (starting
+ * at the offset).
+ * @param msgProp Upon return from the method, this object will contain
+ * the applied QOP and supplementary information
+ * stating whether the token was a duplicate, old, out
+ * of sequence or arriving after a gap. The
+ * confidentiality state will be set to <code>false</code>.
+ * @throws GSSException If this operation fails.
+ */
+ void verifyMIC(byte[] inTok, int tokOffset, int tokLen, byte[] inMsg,
+ int msgOffset, int msgLen, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Verifies the cryptographic MIC, contained in the token parameter,
+ * over the supplied message. This method is equivalent in
+ * functionality to its byte array counterpart.</p>
+ *
+ * <p>The MessageProp object is instantiated by the application and is used
+ * by the underlying mechanism to return information to the caller such
+ * as the QOP indicating the strength of protection that was applied to
+ * the message and other supplementary message state information.</p>
+ *
+ * <p>Since some application-level protocols may wish to use tokens emitted
+ * by getMIC to provide "secure framing", implementations should support
+ * the calculation and verification of MICs over zero-length messages.</p>
+ *
+ * @param tokStream Input stream containing the token generated by peer's
+ * getMIC method.
+ * @param msgStream Input stream containing the application message to
+ * verify the cryptographic MIC over.
+ * @param msgProp Upon return from the method, this object will contain
+ * the applied QOP and supplementary information
+ * stating whether the token was a duplicate, old, out of
+ * sequence or arriving after a gap. The confidentiality
+ * state will be set to <code>false</code>.
+ * @throws GSSException If this operation fails.
+ */
+ void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp)
+ throws GSSException;
+
+ /**
+ * <p>Provided to support the sharing of work between multiple processes.
+ * This routine will typically be used by the context-acceptor, in an
+ * application where a single process receives incoming connection
+ * requests and accepts security contexts over them, then passes the
+ * established context to one or more other processes for message
+ * exchange.</p>
+ *
+ * <p>This method deactivates the security context and creates an
+ * interprocess token which, when passed to the byte array constructor
+ * of the GSSContext interface in another process, will re-activate the
+ * context in the second process. Only a single instantiation of a
+ * given context may be active at any one time; a subsequent attempt by
+ * a context exporter to access the exported security context will fail.</p>
+ *
+ * <p>The implementation may constrain the set of processes by which the
+ * interprocess token may be imported, either as a function of local
+ * security policy, or as a result of implementation decisions. For
+ * example, some implementations may constrain contexts to be passed
+ * only between processes that run under the same account, or which are
+ * part of the same process group.</p>
+ *
+ * <p>The interprocess token may contain security-sensitive information
+ * (for example cryptographic keys). While mechanisms are encouraged to
+ * either avoid placing such sensitive information within interprocess
+ * tokens, or to encrypt the token before returning it to the
+ * application, in a typical GSS-API implementation this may not be
+ * possible. Thus the application must take care to protect the
+ * interprocess token, and ensure that any process to which the token is
+ * transferred is trustworthy.</p>
+ *
+ * @return The exported context.
+ * @throws GSSException If this operation fails.
+ */
+ byte[] export() throws GSSException;
+
+ /**
+ * <p>Sets the request state of the mutual authentication flag for the
+ * context. This method is only valid before the context creation
+ * process begins and only for the initiator.</p>
+ *
+ * @param state Boolean representing if mutual authentication should
+ * be requested during context establishment.
+ * @throws GSSException If this operation fails.
+ */
+ void requestMutualAuth(boolean state) throws GSSException;
+
+ /**
+ * <p>Sets the request state of the replay detection service for the
+ * context. This method is only valid before the context creation
+ * process begins and only for the initiator.</p>
+ *
+ * @param state Boolean representing if replay detection is desired
+ * over the established context.
+ * @throws GSSException If this operation fails.
+ */
+ void requestReplayDet(boolean state) throws GSSException;
+
+ /**
+ * <p>Sets the request state for the sequence checking service of the
+ * context. This method is only valid before the context creation
+ * process begins and only for the initiator.</p>
+ *
+ * @param state Boolean representing if sequence detection is desired
+ * over the established context.
+ * @throws GSSException If this operation fails.
+ */
+ void requestSequenceDet(boolean state) throws GSSException;
+
+ /**
+ * <p>Sets the request state for the credential delegation flag for the
+ * context. This method is only valid before the context creation
+ * process begins and only for the initiator.</p>
+ *
+ * @param state Boolean representing if credential delegation is
+ * desired.
+ * @throws GSSException If this operation fails.
+ */
+ void requestCredDeleg(boolean state) throws GSSException;
+
+ /**
+ * <p>Requests anonymous support over the context. This method is only
+ * valid before the context creation process begins and only for the
+ * initiator.</p>
+ *
+ * @param state Boolean representing if anonymity support is requested.
+ * @throws GSSException If this operation fails.
+ */
+ void requestAnonymity(boolean state) throws GSSException;
+
+ /**
+ * <p>Requests that confidentiality service be available over the context.
+ * This method is only valid before the context creation process begins
+ * and only for the initiator.</p>
+ *
+ * @param state Boolean indicating if confidentiality services are to
+ * be requested for the context.
+ * @throws GSSException If this operation fails.
+ */
+ void requestConf(boolean state) throws GSSException;
+
+ /**
+ * <p>Requests that integrity services be available over the context. This
+ * method is only valid before the context creation process begins and
+ * only for the initiator.</p>
+ *
+ * @param state Boolean indicating if integrity services are to be
+ * requested for the context.
+ * @throws GSSException If this operation fails.
+ */
+ void requestInteg(boolean state) throws GSSException;
+
+ /**
+ * <p>Sets the desired lifetime for the context in seconds. This method is
+ * only valid before the context creation process begins and only for
+ * the initiator. Use {@link #INDEFINITE_LIFETIME} and {@link
+ * #DEFAULT_LIFETIME} to request indefinite or default context lifetime.</p>
+ *
+ * @param lifetime The desired context lifetime in seconds.
+ * @throws GSSException If this operation fails.
+ */
+ void requestLifetime(int lifetime) throws GSSException;
+
+ /**
+ * <p>Sets the channel bindings to be used during context establishment.
+ * This method is only valid before the context creation process begins.</p>
+ *
+ * @param cb Channel bindings to be used.
+ * @throws GSSException If this operation fails.
+ */
+ void setChannelBinding(ChannelBinding cb) throws GSSException;
+
+ /**
+ * <p>Returns the state of the delegated credentials for the context.
+ * When issued before context establishment is completed or when the
+ * isProtReady method returns "false", it returns the desired state,
+ * otherwise it will indicate the actual state over the established
+ * context.</p>
+ *
+ * @return The state of the delegated credentials for the context.
+ */
+ boolean getCredDelegState();
+
+ /**
+ * <p>Returns the state of the mutual authentication option for the
+ * context. When issued before context establishment completes or when
+ * the isProtReady method returns "false", it returns the desired state,
+ * otherwise it will indicate the actual state over the established
+ * context.</p>
+ *
+ * @return The state of the mutual authentication option.
+ */
+ boolean getMutualAuthState();
+
+ /**
+ * <p>Returns the state of the replay detection option for the context.
+ * When issued before context establishment completes or when the
+ * isProtReady method returns "false", it returns the desired state,
+ * otherwise it will indicate the actual state over the established
+ * context.</p>
+ *
+ * @return The state of the replay detection option.
+ */
+ boolean getReplayDetState();
+
+ /**
+ * <p>Returns the state of the sequence detection option for the context.
+ * When issued before context establishment completes or when the
+ * isProtReady method returns "false", it returns the desired state,
+ * otherwise it will indicate the actual state over the established
+ * context.</p>
+ *
+ * @return The state of the sequence detection option.
+ */
+ boolean getSequenceDetState();
+
+ /**
+ * <p>Returns "true" if this is an anonymous context. When issued before
+ * context establishment completes or when the isProtReady method
+ * returns "false", it returns the desired state, otherwise it will
+ * indicate the actual state over the established context.</p>
+ *
+ * @return True if this is an anonymous context.
+ */
+ boolean getAnonymityState();
+
+ /**
+ * <p>Returns "true" if the context is transferable to other processes
+ * through the use of the {@link #export()} method. This call is only
+ * valid on fully established contexts.</p>
+ *
+ * @return True if the context is transferable.
+ * @throws GSSException If this operation fails.
+ */
+ boolean isTransferable() throws GSSException;
+
+ /**
+ * <p>Returns "true" if the per message operations can be applied over
+ * the context. Some mechanisms may allow the usage of per-message
+ * operations before the context is fully established. This will also
+ * indicate that the get methods will return actual context state
+ * characteristics instead of the desired ones.</p>
+ *
+ * @return True if the per message operations can be applied over
+ * the context.
+ */
+ boolean isProtReady();
+
+ /**
+ * <p>Returns the confidentiality service state over the context. When
+ * issued before context establishment completes or when the isProtReady
+ * method returns "false", it returns the desired state, otherwise it
+ * will indicate the actual state over the established context.</p>
+ *
+ * @return True the confidentiality service state.
+ */
+ boolean getConfState();
+
+ /**
+ * <p>Returns the integrity service state over the context. When issued
+ * before context establishment completes or when the isProtReady method
+ * returns "false", it returns the desired state, otherwise it will
+ * indicate the actual state over the established context.</p>
+ *
+ * @return The integrity service state.
+ */
+ boolean getIntegState();
+
+ /**
+ * <p>Returns the context lifetime in seconds. When issued before context
+ * establishment completes or when the isProtReady method returns
+ * "false", it returns the desired lifetime, otherwise it will indicate
+ * the remaining lifetime for the context.</p>
+ *
+ * @return The lifetime.
+ */
+ int getLifetime();
+
+ /**
+ * <p>Returns the name of the context initiator. This call is valid only
+ * after the context is fully established or the isProtReady method
+ * returns "true". It is guaranteed to return an MN.</p>
+ *
+ * @return The name of the context initiator.
+ * @throws GSSException If this operation fails.
+ */
+ GSSName getSrcName() throws GSSException;
+
+ /**
+ * <p>Returns the name of the context target (acceptor). This call is
+ * valid only after the context is fully established or the isProtReady
+ * method returns "true". It is guaranteed to return an MN.</p>
+ *
+ * @return The name of the context target.
+ * @throws GSSException If this operation fails.
+ */
+ GSSName getTargName() throws GSSException;
+
+ /**
+ * <p>Returns the mechanism oid for this context. This method may be called
+ * before the context is fully established, but the mechanism returned
+ * may change on successive calls in negotiated mechanism case.</p>
+ *
+ * @return The mechanism OID.
+ * @throws GSSException If this operation fails.
+ */
+ Oid getMech() throws GSSException;
+
+ /**
+ * <p>Returns the delegated credential object on the acceptor's side.
+ * To check for availability of delegated credentials call
+ * {@link #getDelegCredState()}. This call is only valid on fully
+ * established contexts.</p>
+ *
+ * @return The delegated credential object.
+ * @throws GSSException If this operation fails.
+ */
+ GSSCredential getDelegCred() throws GSSException;
+
+ /**
+ * <p>Returns "true" if this is the initiator of the context. This call is
+ * only valid after the context creation process has started.</p>
+ *
+ * @return True if this is the initiator.
+ * @throws GSSException If this operation fails.
+ */
+ boolean isInitiator() throws GSSException;
+}
diff --git a/libjava/classpath/org/ietf/jgss/GSSCredential.java b/libjava/classpath/org/ietf/jgss/GSSCredential.java
new file mode 100644
index 000000000..bdf149710
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/GSSCredential.java
@@ -0,0 +1,344 @@
+/* GSSCredential.java -- GSS credential interface.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+/**
+ * <p>This interface encapsulates the GSS-API credentials for an entity.
+ * A credential contains all the necessary cryptographic information to
+ * enable the creation of a context on behalf of the entity that it
+ * represents. It may contain multiple, distinct, mechanism specific
+ * credential elements, each containing information for a specific
+ * security mechanism, but all referring to the same entity.</p>
+ *
+ * <p>A credential may be used to perform context initiation, acceptance,
+ * or both.</p>
+ *
+ * <p>GSS-API implementations must impose a local access-control policy on
+ * callers to prevent unauthorized callers from acquiring credentials to
+ * which they are not entitled. GSS-API credential creation is not
+ * intended to provide a "login to the network" function, as such a
+ * function would involve the creation of new credentials rather than
+ * merely acquiring a handle to existing credentials. Such functions,
+ * if required, should be defined in implementation-specific extensions
+ * to the API.</p>
+ *
+ * <p>If credential acquisition is time-consuming for a mechanism, the
+ * mechanism may choose to delay the actual acquisition until the
+ * credential is required (e.g. by {@link GSSContext}). Such mechanism-
+ * specific implementation decisions should be invisible to the calling
+ * application; thus the query methods immediately following the
+ * creation of a credential object must return valid credential data,
+ * and may therefore incur the overhead of a deferred credential
+ * acquisition.</p>
+ *
+ * <p>Applications will create a credential object passing the desired
+ * parameters. The application can then use the query methods to obtain
+ * specific information about the instantiated credential object
+ * (equivalent to the gss_inquire routines). When the credential is no
+ * longer needed, the application should call the dispose (equivalent to
+ * gss_release_cred) method to release any resources held by the
+ * credential object and to destroy any cryptographically sensitive
+ * information.</p>
+ *
+ * <p>Classes implementing this interface also implement the {@link Cloneable}
+ * interface. This indicates the the class will support the {@link
+ * Cloneable#clone()} method that will allow the creation of duplicate
+ * credentials. This is useful when called just before the {@link
+ * #add(org.ietf.jgss.GSSName,int,int,org.ietf.jgss.Oid,int)} call to retain
+ * a copy of the original credential.</p>
+ *
+ * <h3>Example Code</h3>
+ *
+ * <pre>
+GSSManager mgr = GSSManager.getInstance();
+
+// start by creating a name object for the entity
+GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
+
+// now acquire credentials for the entity
+GSSCredential cred = mgr.createCredential(name,
+ GSSCredential.ACCEPT_ONLY);
+
+// display credential information - name, remaining lifetime,
+// and the mechanisms it has been acquired over
+print(cred.getName().toString());
+print(cred.getRemainingLifetime());
+
+Oid [] mechs = cred.getMechs();
+if (mechs != null)
+ {
+ for (int i = 0; i < mechs.length; i++)
+ print(mechs[i].toString());
+ }
+
+// release system resources held by the credential
+cred.dispose();
+ * </pre>
+ */
+public interface GSSCredential extends Cloneable
+{
+
+ // Constants.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Credential usage flag requesting that it be able to be used for both
+ * context initiation and acceptance.
+ */
+ int INITIATE_AND_ACCEPT = 0;
+
+ /**
+ * Credential usage flag requesting that it be able to be used for
+ * context initiation only.
+ */
+ int INITIATE_ONLY = 1;
+
+ /**
+ * Credential usage flag requesting that it be able to be used for
+ * context acceptance only.
+ */
+ int ACCEPT_ONLY = 2;
+
+ /**
+ * A lifetime constant representing the default credential lifetime.
+ */
+ int DEFAULT_LIFETIME = 0;
+
+ /**
+ * A lifetime constant representing indefinite credential lifetime.
+ */
+ int INDEFINITE_LIFETIME = Integer.MAX_VALUE;
+
+ // Methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Releases any sensitive information that the GSSCredential object may
+ * be containing. Applications should call this method as soon as the
+ * credential is no longer needed to minimize the time any sensitive
+ * information is maintained.
+ *
+ * @throws GSSException If this operation fails.
+ */
+ void dispose() throws GSSException;
+
+ /**
+ * Retrieves the name of the entity that the credential asserts.
+ *
+ * @return The name.
+ * @throws GSSException If this operation fails.
+ */
+ GSSName getName() throws GSSException;
+
+ /**
+ * Retrieves a mechanism name of the entity that the credential asserts.
+ * Equivalent to calling {@link GSSName#canonicalize(org.ietf.jgss.Oid)}
+ * on the name returned by {@link #getName()}.
+ *
+ * @param mechOID The mechanism for which information should be returned.
+ * @return The name.
+ * @throws GSSException If this operation fails.
+ */
+ GSSName getName(Oid mechOID) throws GSSException;
+
+ /**
+ * Returns the remaining lifetime in seconds for a credential. The
+ * remaining lifetime is the minimum lifetime for any of the underlying
+ * credential mechanisms. A return value of {@link
+ * GSSCredential#INDEFINITE_LIFETIME} indicates that the credential does
+ * not expire. A return value of 0 indicates that the credential is
+ * already expired.
+ *
+ * @return The remaining lifetime.
+ * @throws GSSException If this operation fails.
+ */
+ int getRemainingLifetime() throws GSSException;
+
+ /**
+ * Returns the remaining lifetime is seconds for the credential to
+ * remain capable of initiating security contexts under the specified
+ * mechanism. A return value of {@link GSSCredential#INDEFINITE_LIFETIME}
+ * indicates that the credential does not expire for context initiation.
+ * A return value of 0 indicates that the credential is already expired.
+ *
+ * @param mech The mechanism for which information should be returned.
+ * @return The remaining lifetime.
+ * @throws GSSException If this operation fails.
+ */
+ int getRemainingInitLifetime(Oid mech) throws GSSException;
+
+ /**
+ * Returns the remaining lifetime is seconds for the credential to
+ * remain capable of accepting security contexts under the specified
+ * mechanism. A return value of {@link GSSCredential#INDEFINITE_LIFETIME}
+ * indicates that the credential does not expire for context acceptance.
+ * A return value of 0 indicates that the credential is already expired.
+ *
+ * @param mech The mechanism for which information should be returned.
+ * @return The remaining lifetime.
+ * @throws GSSException If this operation fails.
+ */
+ int getRemainingAcceptLifetime(Oid mech) throws GSSException;
+
+ /**
+ * Returns the credential usage flag. The return value will be one of
+ * {@link GSSCredential#INITIATE_ONLY}, {@link GSSCredential#ACCEPT_ONLY},
+ * or {@link GSSCredential#INITIATE_AND_ACCEPT}.
+ *
+ * @return The credential usage flag.
+ * @throws GSSException If this operation fails.
+ */
+ int getUsage() throws GSSException;
+
+ /**
+ * Returns the credential usage flag for the specified credential
+ * mechanism. The return value will be one of
+ * {@link GSSCredential#INITIATE_ONLY}, {@link GSSCredential#ACCEPT_ONLY},
+ * or {@link GSSCredential#INITIATE_AND_ACCEPT}.
+ *
+ * @param mechOID The mechanism for which information should be returned.
+ * @return The credential usage flag.
+ * @throws GSSException If this operation fails.
+ */
+ int getUsage(Oid mechOID) throws GSSException;
+
+ /**
+ * Returns an array of mechanisms supported by this credential.
+ *
+ * @return The supported mechanism.
+ * @throws GSSException If this operation fails.
+ */
+ Oid[] getMechs() throws GSSException;
+
+ /**
+ * <p>Adds a mechanism specific credential-element to an existing
+ * credential. This method allows the construction of credentials one
+ * mechanism at a time.</p>
+ *
+ * <p>This routine is envisioned to be used mainly by context acceptors
+ * during the creation of acceptance credentials which are to be used
+ * with a variety of clients using different security mechanisms.</p>
+ *
+ * <p>This routine adds the new credential element "in-place". To add the
+ * element in a new credential, first call {@link Cloneable#clone()} to
+ * obtain a copy of this credential, then call its <code>add()</code>
+ * method.</p>
+ *
+ * @param aName Name of the principal for whom this credential
+ * is to be acquired. Use <code>null</code> to
+ * specify the default principal.
+ * @param initLifetime The number of seconds that credentials should
+ * remain valid for initiating of security contexts.
+ * Use {@link #INDEFINITE_LIFETIME} to request that
+ * the credentials have the maximum permitted lifetime.
+ * Use {@link GSSCredential#DEFAULT_LIFETIME} to
+ * request the default credential lifetime.
+ * @param acceptLifetime The number of seconds that credentials should
+ * remain valid for accepting of security contexts.
+ * Use {@link GSSCredential#INDEFINITE_LIFETIME} to
+ * request that the credentials have the maximum
+ * permitted lifetime. Use {@link
+ * GSSCredential#DEFAULT_LIFETIME} to request
+ * the default credential lifetime.
+ * @param mech The mechanisms over which the credential is to be
+ * acquired.
+ * @param usage The intended usage for this credential object. The
+ * value of this parameter must be one of:
+ * {@link GSSCredential#ACCEPT_AND_INITIATE},
+ * {@link GSSCredential#ACCEPT_ONLY},
+ * {@link GSSCredential#INITIATE_ONLY}.
+ * @throws GSSException If this operation fails.
+ */
+ void add(GSSName aName, int initLifetime, int acceptLifetime,
+ Oid mech, int usage) throws GSSException;
+
+ /**
+ * Tests if this GSSCredential refers to the same entity as the supplied
+ * object. The two credentials must be acquired over the same
+ * mechanisms and must refer to the same principal. Returns <code>true</code>
+ * if the two GSSCredentials refer to the same entity; <code>false</code>
+ * otherwise. (Note that the Java language specification requires that two
+ * objects that are equal according to the {@link
+ * Object#equals(java.lang.Object)} method must return the same integer
+ * result when the {@link Object#hashCode()} method is called on them.)
+ *
+ * @param another Another GSSCredential object for comparison.
+ * @return True if this object equals the other.
+ */
+ boolean equals(Object another);
+
+ /**
+ * Return the hash code of this credential. When overriding {@link #equals},
+ * it is necessary to override hashCode() as well.
+ *
+ * @return the hash code that must be the same for two credentials if
+ * {@link #equals} returns true.
+ */
+ int hashCode();
+
+}
diff --git a/libjava/classpath/org/ietf/jgss/GSSException.java b/libjava/classpath/org/ietf/jgss/GSSException.java
new file mode 100644
index 000000000..9c352e3e9
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/GSSException.java
@@ -0,0 +1,448 @@
+/* GSSException.java -- a general exception in GSS.
+ Copyright (C) 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+import java.util.PropertyResourceBundle;
+import java.util.ResourceBundle;
+
+/**
+ * This exception is thrown whenever a fatal GSS-API error occurs
+ * including mechanism specific errors. It may contain both, the major
+ * and minor, GSS-API status codes. The mechanism implementers are
+ * responsible for setting appropriate minor status codes when throwing
+ * this exception. Aside from delivering the numeric error code(s) to
+ * the caller, this class performs the mapping from their numeric values
+ * to textual representations. All Java GSS-API methods are declared
+ * throwing this exception.
+ *
+ * @specnote Some of the constant values defined in this class were
+ * chosen to be compatible with J2SE 1.4, and not with RFC 2853.
+ */
+public class GSSException extends Exception
+{
+ /**
+ * For compatability with Sun's JDK 1.4.2 rev. 5
+ */
+ private static final long serialVersionUID = -2706218945227726672L;
+
+ // Constants and fields.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Channel bindings mismatch error.
+ * @specnote Should be 4 according to RFC 2853.
+ */
+ public static final int BAD_BINDINGS = 1;
+
+ /**
+ * Unsupported mechanism requested error.
+ * @specnote Should be 1 according to RFC 2853.
+ */
+ public static final int BAD_MECH = 2;
+
+ /**
+ * Invalid name provided error.
+ * @specnote Should be 2 according to RFC 2853.
+ */
+ public static final int BAD_NAME = 3;
+
+ /**
+ * Name of unsupported type provided error.
+ * @specnote Should be 3 according to RFC 2853.
+ */
+ public static final int BAD_NAMETYPE = 4;
+
+ /**
+ * Invalid status code error - this is the default status value.
+ */
+ public static final int BAD_STATUS = 5;
+
+ /**
+ * Token had invalid integrity check error.
+ */
+ public static final int BAD_MIC = 6;
+
+ /**
+ * Specified security context expired error.
+ * @specnote Should be 12 according to RFC 2853.
+ */
+ public static final int CONTEXT_EXPIRED = 7;
+
+ /**
+ * Expired credentials detected error.
+ * @specnote Should be 11 according to RFC 2853.
+ */
+ public static final int CREDENTIALS_EXPIRED = 8;
+
+ /**
+ * Defective credential error.
+ * @specnote Should be 10 according to RFC 2853.
+ */
+ public static final int DEFECTIVE_CREDENTIAL = 9;
+
+ /**
+ * Defective token error.
+ * @specnote Should be 9 according to RFC 2853.
+ */
+ public static final int DEFECTIVE_TOKEN = 10;
+
+ /**
+ * General failure, unspecified at GSS-API level.
+ * @specnote Should be 13 according to RFC 2853.
+ */
+ public static final int FAILURE = 11;
+
+ /**
+ * Invalid security context error.
+ * @specnote Should be 8 according to RFC 2853.
+ */
+ public static final int NO_CONTEXT = 12;
+
+ /**
+ * Invalid credentials error.
+ * @specnote Should be 7 according to RFC 2853.
+ */
+ public static final int NO_CRED = 13;
+
+ /**
+ * Unsupported QOP value error.
+ */
+ public static final int BAD_QOP = 14;
+
+ /**
+ * Operation unauthorized error.
+ */
+ public static final int UNAUTHORIZED = 15;
+
+ /**
+ * Operation unavailable error.
+ */
+ public static final int UNAVAILABLE = 16;
+
+ /**
+ * Duplicate credential element requested error.
+ */
+ public static final int DUPLICATE_ELEMENT = 17;
+
+ /**
+ * Name contains multi-mechanism elements error.
+ */
+ public static final int NAME_NOT_MN = 18;
+
+ /**
+ * The token was a duplicate of an earlier token. This is a fatal error
+ * code that may occur during context establishment. It is not used to
+ * indicate supplementary status values. The MessageProp object is used
+ * for that purpose.
+ * @specnote Should be 20 according to RFC 2853.
+ */
+ public static final int DUPLICATE_TOKEN = 19;
+
+ /**
+ * The token's validity period has expired. This is a fatal error code
+ * that may occur during context establishment. It is not used to
+ * indicate supplementary status values. The MessageProp object is used
+ * for that purpose.
+ * @specnote Should be 19 according to RFC 2853.
+ */
+ public static final int OLD_TOKEN = 20;
+
+ /**
+ * A later token has already been processed. This is a fatal error code
+ * that may occur during context establishment. It is not used to
+ * indicate supplementary status values. The MessageProp object is used
+ * for that purpose.
+ */
+ public static final int UNSEQ_TOKEN = 21;
+
+ /**
+ * An expected per-message token was not received. This is a fatal
+ * error code that may occur during context establishment. It is not
+ * used to indicate supplementary status values. The MessageProp object
+ * is used for that purpose.
+ */
+ public static final int GAP_TOKEN = 22;
+
+ private final int major;
+ private int minor;
+ private String minorString;
+
+ private ResourceBundle messages;
+
+ // Constructors.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Create a new GSS exception with the given major code.
+ *
+ * @param major The major GSS error code.
+ */
+ public GSSException(int major)
+ {
+ this(major, 0, null);
+ }
+
+ /**
+ * Create a new GSS exception with the given major and minor codes, and a
+ * minor explanation string.
+ *
+ * @param major The major GSS error code.
+ * @param minor The minor application-specific error code.
+ * @param minorString An explanation of the minor error code.
+ */
+ public GSSException(int major, int minor, String minorString)
+ {
+ this.major = major;
+ this.minor = minor;
+ this.minorString = minorString;
+ try
+ {
+ messages = PropertyResourceBundle.getBundle("org/ietf/jgss/MessagesBundle");
+ }
+ catch (Exception e)
+ {
+ messages = null;
+ }
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Returns the major code representing the GSS error code that caused
+ * this exception to be thrown.
+ *
+ * @return The major error code.
+ */
+ public int getMajor()
+ {
+ return major;
+ }
+
+ /**
+ * Returns the mechanism error code that caused this exception. The
+ * minor code is set by the underlying mechanism. Value of 0 indicates
+ * that mechanism error code is not set.
+ *
+ * @return The minor error code, or 0 if not set.
+ */
+ public int getMinor()
+ {
+ return minor;
+ }
+
+ /**
+ * Returns a string explaining the GSS major error code causing this
+ * exception to be thrown.
+ *
+ * @return The major error string.
+ */
+ public String getMajorString()
+ {
+ switch (major)
+ {
+ case BAD_MECH:
+ return getMsg("GSSException.BAD_MECH",
+ "An unsupported mechanism was requested.");
+ case BAD_NAME:
+ return getMsg("GSSException.BAD_NAME",
+ "An invalid name was supplied.");
+ case BAD_NAMETYPE:
+ return getMsg("GSSException.BAD_NAMETYPE",
+ "A supplied name was of an unsupported type.");
+ case BAD_BINDINGS:
+ return getMsg("GSSException.BAD_BINDINGS",
+ "Incorrect channel bindings were supplied.");
+ case BAD_STATUS:
+ return getMsg("GSSException.BAD_STATUS",
+ "An invalid status code was supplied.");
+ case BAD_MIC:
+ return getMsg("GSSException.BAD_MIC",
+ "A token had an invalid MIC.");
+ case NO_CRED:
+ return getMsg("GSSException.NO_CRED",
+ "No credentials were supplied, or the credentials were "+
+ "unavailable or inaccessible.");
+ case NO_CONTEXT:
+ return getMsg("GSSException.NO_CONTEXT",
+ "Invalid context has been supplied.");
+ case DEFECTIVE_TOKEN:
+ return getMsg("GSSException.DEFECTIVE_TOKEN",
+ "A supplied token was invalid.");
+ case DEFECTIVE_CREDENTIAL:
+ return getMsg("GSSException.DEFECTIVE_CREDENTIAL",
+ "A supplied credential was invalid.");
+ case CREDENTIALS_EXPIRED:
+ return getMsg("GSSException.CREDENTIALS_EXPIRED",
+ "The referenced credentials have expired.");
+ case CONTEXT_EXPIRED:
+ return getMsg("GSSException.CONTEXT_EXPIRED",
+ "The context has expired.");
+ case FAILURE:
+ return getMsg("GSSException.FAILURE",
+ "Miscellaneous failure.");
+ case BAD_QOP:
+ return getMsg("GSSException.BAD_QOP",
+ "The quality-of-protection requested could not be provided.");
+ case UNAUTHORIZED:
+ return getMsg("GSSException.UNAUTHORIZED",
+ "The operation is forbidden by local security policy.");
+ case UNAVAILABLE:
+ return getMsg("GSSException.UNAVAILABLE",
+ "The operation or option is unavailable.");
+ case DUPLICATE_ELEMENT:
+ return getMsg("GSSException.DUPLICATE_ELEMENT",
+ "The requested credential element already exists.");
+ case NAME_NOT_MN:
+ return getMsg("GSSException.NAME_NOT_MN",
+ "The provided name was not a mechanism name.");
+ case OLD_TOKEN:
+ return getMsg("GSSException.OLD_TOKEN",
+ "The token's validity period has expired.");
+ case DUPLICATE_TOKEN:
+ return getMsg("GSSException.DUPLICATE_TOKEN",
+ "The token was a duplicate of an earlier version.");
+ case UNSEQ_TOKEN:
+ return getMsg("GSSException.UNSEQ_TOKEN",
+ "A later token has already been processed.");
+ case GAP_TOKEN:
+ return getMsg("GSSException.GAP_TOKEN",
+ "An expected per-message token was not received.");
+ default: return "Unknown or invalid error code.";
+ }
+ }
+
+ /**
+ * Returns a string explaining the mechanism specific error code.
+ * <code>null</code> will be returned when no mechanism error code has
+ * been set.
+ *
+ * @return The minor error string, or <code>null</code>.
+ */
+ public String getMinorString()
+ {
+ return minorString;
+ }
+
+ /**
+ * Used internally by the GSS-API implementation and the underlying
+ * mechanisms to set the minor code and its textual representation.
+ *
+ * @param minorCode The mechanism specific error code.
+ * @param message A textual explanation of the mechanism error code.
+ */
+ public void setMinor(int minorCode, String message)
+ {
+ this.minor = minorCode;
+ this.minorString = message;
+ }
+
+ /**
+ * Returns a textual representation of both the major and minor status
+ * codes.
+ *
+ * @return The textual representation.
+ */
+ public String toString()
+ {
+ return GSSException.class.getName() + ": " + getMessage();
+ }
+
+ /**
+ * Returns a detailed message of this exception. Overrides {@link
+ * Throwable#getMessage()}. It is customary in Java to use this method to
+ * obtain exception information.
+ *
+ * @return The detail message.
+ */
+ public String getMessage()
+ {
+ if (minor == 0)
+ return getMajorString();
+ else
+ return getMajorString() + " (" + minorString + ")";
+ }
+
+ // Own methods.
+ // -------------------------------------------------------------------------
+
+ private String getMsg(String key, String defaultText)
+ {
+ if (messages != null)
+ {
+ try
+ {
+ return messages.getString(key);
+ }
+ catch (Exception e)
+ {
+ }
+ }
+ return defaultText;
+ }
+}
diff --git a/libjava/classpath/org/ietf/jgss/GSSManager.java b/libjava/classpath/org/ietf/jgss/GSSManager.java
new file mode 100644
index 000000000..60eca49ab
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/GSSManager.java
@@ -0,0 +1,501 @@
+/* GSSManager.java -- manager class for the GSS-API.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * <p>The GSSManager class is an abstract class that serves as a factory
+ * for three GSS interfaces: {@link GSSName}, {@link GSSCredential}, and
+ * {@link GSSContext}. It also provides methods for applications to determine
+ * what mechanisms are available from the GSS implementation and what
+ * nametypes these mechanisms support. An instance of the default GSSManager
+ * subclass may be obtained through the static method {@link #getInstance()},
+ * but applications are free to instantiate other subclasses of GSSManager.</p>
+ *
+ * <p>All but one method in this class are declared abstract. This means
+ * that subclasses have to provide the complete implementation for those
+ * methods. The only exception to this is the static method {@link
+ * #getInstance()} which will have platform specific code to return an
+ * instance of the default subclass.</p>
+ *
+ * <p>Platform providers of GSS are required not to add any constructors to
+ * this class, private, public, or protected. This will ensure that all
+ * subclasses invoke only the default constructor provided to the base
+ * class by the compiler.</p>
+ *
+ * <p>A subclass extending the GSSManager abstract class may be implemented
+ * as a modular provider based layer that utilizes some well known
+ * service provider specification. The GSSManager API provides the
+ * application with methods to set provider preferences on such an
+ * implementation. These methods also allow the implementation to throw
+ * a well-defined exception in case provider based configuration is not
+ * supported. Applications that expect to be portable should be aware of
+ * this and recover cleanly by catching the exception.</p>
+ *
+ * <p>It is envisioned that there will be three most common ways in which
+ * providers will be used:</p>
+ *
+ * <ol>
+ * <li>The application does not care about what provider is used (the
+ * default case).</li>
+ *
+ * <li>The application wants a particular provider to be used
+ * preferentially, either for a particular mechanism or all the
+ * time, irrespective of mechanism.</li>
+ *
+ * <li>The application wants to use the locally configured providers
+ * as far as possible but if support is missing for one or more
+ * mechanisms then it wants to fall back on its own provider.</li>
+ * </ol>
+ *
+ * <p>The GSSManager class has two methods that enable these modes of
+ * usage: {@link #addProviderAtFront(java.security.Provider,org.ietf.jgss.Oid)}
+ * and {@link #addProviderAtEnd(java.security.Provider,org.ietf.jgss.Oid)}.
+ * These methods have the effect of creating an ordered list of
+ * (<i>provider</i>, <i>oid</i>) pairs where each pair indicates a preference
+ * of provider for a given oid.</p>
+ *
+ * <p>The use of these methods does not require any knowledge of whatever
+ * service provider specification the GSSManager subclass follows. It is
+ * hoped that these methods will serve the needs of most applications.
+ * Additional methods may be added to an extended GSSManager that could
+ * be part of a service provider specification that is standardized
+ * later.</p>
+ *
+ * <h3>Example Code</h3>
+ *
+ * <pre>
+GSSManager mgr = GSSManager.getInstance();
+
+// What mechs are available to us?
+Oid[] supportedMechs = mgr.getMechs();
+
+// Set a preference for the provider to be used when support is needed
+// for the mechanisms "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".
+
+Oid krb = new Oid("1.2.840.113554.1.2.2");
+Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
+
+Provider p = (Provider) (new com.foo.security.Provider());
+
+mgr.addProviderAtFront(p, krb);
+mgr.addProviderAtFront(p, spkm1);
+
+// What name types does this spkm implementation support?
+Oid[] nameTypes = mgr.getNamesForMech(spkm1);
+</pre>
+ */
+public abstract class GSSManager
+{
+
+ // Constructor.
+ // -------------------------------------------------------------------------
+
+ public GSSManager()
+ {
+ }
+
+ // Class method.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Returns the default GSSManager implementation.
+ *
+ * @return The default GSSManager implementation.
+ */
+ public static synchronized GSSManager getInstance()
+ {
+ String impl = Security.getProperty("org.ietf.jgss.GSSManager");
+ if (impl == null)
+ impl = "gnu.crypto.gssapi.GSSManagerImpl";
+ try
+ {
+ ClassLoader loader = GSSManager.class.getClassLoader();
+ if (loader == null)
+ loader = ClassLoader.getSystemClassLoader();
+ Class<?> c = loader.loadClass(impl);
+ return (GSSManager) c.newInstance();
+ }
+ catch (Exception x)
+ {
+ throw new RuntimeException(x.toString());
+ }
+ }
+
+ // Abstract methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * <p>This method is used to indicate to the GSSManager that the
+ * application would like a particular provider to be used if no other
+ * provider can be found that supports the given mechanism. When a value
+ * of null is used instead of an Oid for the mechanism, the GSSManager
+ * must use the indicated provider for any mechanism.</p>
+ *
+ * <p>Calling this method repeatedly preserves the older settings but
+ * raises them above newer ones in preference thus forming an ordered
+ * list of providers and Oid pairs that grows at the bottom. Thus the
+ * older provider settings will be utilized first before this one is.</p>
+ *
+ * <p>If there are any previously existing preferences that conflict with
+ * the preference being set here, then the GSSManager should ignore this
+ * request.</p>
+ *
+ * <p>If the GSSManager implementation does not support an SPI with a
+ * pluggable provider architecture it should throw a GSSException with
+ * the status code {@link GSSException#UNAVAILABLE} to indicate that the
+ * operation is unavailable.</p>
+ *
+ * @param p The provider instance that should be used whenever
+ * support is needed for <i>mech</i>.
+ * @param mech The mechanism for which the provider is being set.
+ * @throws GSSException If this service is unavailable.
+ */
+ public abstract void addProviderAtEnd(Provider p, Oid mech)
+ throws GSSException;
+
+ /**
+ * <p>This method is used to indicate to the GSSManager that the
+ * application would like a particular provider to be used ahead of all
+ * others when support is desired for the given mechanism. When a value
+ * of null is used instead of an Oid for the mechanism, the GSSManager
+ * must use the indicated provider ahead of all others no matter what
+ * the mechanism is. Only when the indicated provider does not support
+ * the needed mechanism should the GSSManager move on to a different
+ * provider.</p>
+ *
+ * <p>Calling this method repeatedly preserves the older settings but
+ * lowers them in preference thus forming an ordered list of provider
+ * and Oid pairs that grows at the top.</p>
+ *
+ * <p>Calling addProviderAtFront with a null Oid will remove all previous
+ * preferences that were set for this provider in the GSSManager
+ * instance. Calling addProviderAtFront with a non-null Oid will remove
+ * any previous preference that was set using this mechanism and this
+ * provider together.</p>
+ *
+ * <p>If the GSSManager implementation does not support an SPI with a
+ * pluggable provider architecture it should throw a GSSException with
+ * the status code {@link GSSException#UNAVAILABLE} to indicate that the
+ * operation is unavailable.</p>
+ *
+ * @param p The provider instance that should be used whenever
+ * support is needed for <i>mech</i>.
+ * @param mech The mechanism for which the provider is being set.
+ * @throws GSSException If this service is unavailable.
+ */
+ public abstract void addProviderAtFront(Provider p, Oid mech)
+ throws GSSException;
+
+ /**
+ * Factory method for creating a previously exported context. The
+ * context properties will be determined from the input token and can't
+ * be modified through the set methods.
+ *
+ * @param interProcessToken The token previously emitted from the
+ * export method.
+ * @return The context.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSContext createContext(byte[] interProcessToken)
+ throws GSSException;
+
+ /**
+ * Factory method for creating a context on the acceptor' side. The
+ * context's properties will be determined from the input token supplied
+ * to the accept method.
+ *
+ * @param myCred Credentials for the acceptor. Use <code>null</code> to
+ * act as a default acceptor principal.
+ * @return The context.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSContext createContext(GSSCredential myCred)
+ throws GSSException;
+
+ /**
+ * Factory method for creating a context on the initiator's side.
+ * Context flags may be modified through the mutator methods prior to
+ * calling {@link
+ * GSSContext#initSecContext(java.io.InputStream,java.io.OutputStream)}.
+ *
+ * @param peer Name of the target peer.
+ * @param mech Oid of the desired mechanism. Use <code>null</code>
+ * to request default mechanism.
+ * @param myCred Credentials of the initiator. Use <code>null</code>
+ * default initiator principal.
+ * @param lifetime The request lifetime, in seconds, for the context.
+ * Use {@link GSSContext#INDEFINITE_LIFETIME} and
+ * {@link GSSContext#DEFAULT_LIFETIME} to request
+ * indefinite or default context lifetime.
+ * @return The context.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSContext createContext(GSSName peer, Oid mech,
+ GSSCredential myCred, int lifetime)
+ throws GSSException;
+
+ /**
+ * Factory method for acquiring default credentials. This will cause
+ * the GSS-API to use system specific defaults for the set of
+ * mechanisms, name, and a DEFAULT lifetime.
+ *
+ * @param usage The intended usage for this credential object. The
+ * value of this parameter must be one of:
+ * {@link GSSCredential#ACCEPT_AND_INITIATE},
+ * {@link GSSCredential#ACCEPT_ONLY},
+ * {@link GSSCredential#INITIATE_ONLY}.
+ * @return The credential.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSCredential createCredential(int usage) throws GSSException;
+
+ /**
+ * Factory method for acquiring a single mechanism credential.
+ *
+ * @param aName Name of the principal for whom this credential is to
+ * be acquired. Use <code>null</code> to specify the
+ * default principal.
+ * @param lifetime The number of seconds that credentials should remain
+ * valid. Use {@link GSSCredential#INDEFINITE_LIFETIME}
+ * to request that the credentials have the maximum
+ * permitted lifetime. Use {@link
+ * GSSCredential#DEFAULT_LIFETIME} to request default
+ * credential lifetime.
+ * @param mech The oid of the desired mechanism. Use <code>null</code>
+ * to request the default mechanism(s).
+ * @param usage The intended usage for this credential object. The
+ * value of this parameter must be one of:
+ * {@link GSSCredential#ACCEPT_AND_INITIATE},
+ * {@link GSSCredential#ACCEPT_ONLY},
+ * {@link GSSCredential#INITIATE_ONLY}.
+ * @return The credential.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSCredential createCredential(GSSName aName, int lifetime,
+ Oid mech, int usage)
+ throws GSSException;
+
+ /**
+ * Factory method for acquiring credentials over a set of mechanisms.
+ * Acquires credentials for each of the mechanisms specified in the
+ * array called mechs. To determine the list of mechanisms' for which
+ * the acquisition of credentials succeeded, the caller should use the
+ * {@link GSSCredential#getMechs()} method.
+ *
+ * @param aName Name of the principal for whom this credential is to
+ * be acquired. Use <code>null</code> to specify the
+ * default principal.
+ * @param lifetime The number of seconds that credentials should remain
+ * valid. Use {@link GSSCredential#INDEFINITE_LIFETIME}
+ * to request that the credentials have the maximum
+ * permitted lifetime. Use {@link
+ * GSSCredential#DEFAULT_LIFETIME} to request default
+ * credential lifetime.
+ * @param mechs The array of mechanisms over which the credential is
+ * to be acquired. Use <code>null</code> for requesting
+ * a system specific default set of mechanisms.
+ * @param usage The intended usage for this credential object. The
+ * value of this parameter must be one of:
+ * {@link GSSCredential#ACCEPT_AND_INITIATE},
+ * {@link GSSCredential#ACCEPT_ONLY},
+ * {@link GSSCredential#INITIATE_ONLY}.
+ * @return The credential.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSCredential createCredential(GSSName aName, int lifetime,
+ Oid[] mechs, int usage)
+ throws GSSException;
+
+ /**
+ * Factory method to convert a contiguous byte array containing a name
+ * from the specified namespace to a {@link GSSName} object. In general,
+ * the {@link GSSName} object created will not be an MN; two examples that
+ * are exceptions to this are when the namespace type parameter indicates
+ * {@link GSSName#NT_EXPORT_NAME} or when the GSS-API implementation is not
+ * multi-mechanism.
+ *
+ * @param name The byte array containing the name to create.
+ * @param nameType The Oid specifying the namespace of the name supplied
+ * in the byte array. Note that nameType serves to
+ * describe and qualify the interpretation of the input
+ * name byte array, it does not necessarily imply a type
+ * for the output GSSName implementation. "null" value
+ * can be used to specify that a mechanism specific
+ * default syntax should be assumed by each mechanism
+ * that examines the byte array.
+ * @return The name.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSName createName(byte[] name, Oid nameType)
+ throws GSSException;
+
+ /**
+ * Factory method to convert a contiguous byte array containing a name
+ * from the specified namespace to a GSSName object that is an MN. In
+ * other words, this method is a utility that does the equivalent of two
+ * steps: {@link #createName(byte[],org.ietf.jgss.Oid)} and then also
+ * {@link GSSName#canonicalize(org.ietf.jgss.Oid)}.
+ *
+ * @param name The byte array representing the name to create.
+ * @param nameType The Oid specifying the namespace of the name supplied
+ * in the byte array. Note that nameType serves to
+ * describe and qualify the interpretation of the input
+ * name byte array, it does not necessarily imply a type
+ * for the output GSSName implementation. "null" value
+ * can be used to specify that a mechanism specific
+ * default syntax should be assumed by each mechanism
+ * that examines the byte array.
+ * @param mech Oid specifying the mechanism for which this name
+ * should be created.
+ * @return The name.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSName createName(byte[] name, Oid nameType, Oid mech)
+ throws GSSException;
+
+ /**
+ * Factory method to convert a contiguous string name from the specified
+ * namespace to a {@link GSSName} object. In general, the {@link GSSName}
+ * object created will not be an MN; two examples that are exceptions to
+ * this are when the namespace type parameter indicates {@link
+ * GSSName#NT_EXPORT_NAME} or when the GSS-API implementation is not
+ * multi-mechanism.
+ *
+ * @param nameStr The string representing a printable form of the name
+ * to create.
+ * @param nameType The Oid specifying the namespace of the printable name
+ * supplied. Note that nameType serves to describe and
+ * qualify the interpretation of the input nameStr, it
+ * does not necessarily imply a type for the output
+ * GSSName implementation. "null" value can be used to
+ * specify that a mechanism specific default printable
+ * syntax should be assumed by each mechanism that
+ * examines nameStr.
+ * @return The name.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSName createName(String nameStr, Oid nameType)
+ throws GSSException;
+
+ /**
+ * Factory method to convert a contiguous string name from the specified
+ * namespace to an GSSName object that is a mechanism name (MN). In
+ * other words, this method is a utility that does the equivalent of two
+ * steps: the {@link #createName(java.lang.String,org.ietf.jgss.Oid)}
+ * and then also {@link GSSName#canonicalize(org.ietf.jgss.Oid)}.
+ *
+ * @param nameStr The string representing a printable form of the name
+ * to create.
+ * @param nameType The Oid specifying the namespace of the printable name
+ * supplied. Note that nameType serves to describe and
+ * qualify the interpretation of the input nameStr, it
+ * does not necessarily imply a type for the output
+ * GSSName implementation. "null" value can be used to
+ * specify that a mechanism specific default printable
+ * syntax should be assumed when the mechanism examines
+ * nameStr.
+ * @param mech Oid specifying the mechanism for which this name
+ * should be created.
+ * @return The name.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract GSSName createName(String nameStr, Oid nameType, Oid mech)
+ throws GSSException;
+
+ /**
+ * Returns an array of {@link Oid} objects indicating mechanisms available
+ * to GSS-API callers. A <code>null</code> value is returned when no
+ * mechanism are available (an example of this would be when mechanism are
+ * dynamically configured, and currently no mechanisms are installed).
+ *
+ * @return The array of available mechanisms, or <code>null</code>.
+ */
+ public abstract Oid[] getMechs();
+
+ /**
+ * Returns an array of {@link Oid} objects corresponding to the mechanisms
+ * that support the specific name type. <code>null</code> is returned when
+ * no mechanisms are found to support the specified name type.
+ *
+ * @param name The Oid object for the name type.
+ * @return The array of mechanisms, or <code>null</code>.
+ */
+ public abstract Oid[] getMechsForName(Oid name);
+
+ /**
+ * Returns name type Oid's supported by the specified mechanism.
+ *
+ * @param mechanism The Oid object for the mechanism to query.
+ * @return The name type Oid's supported by the mechanism.
+ * @throws GSSException If this operation fails.
+ */
+ public abstract Oid[] getNamesForMech(Oid mechanism) throws GSSException;
+}
diff --git a/libjava/classpath/org/ietf/jgss/GSSName.java b/libjava/classpath/org/ietf/jgss/GSSName.java
new file mode 100644
index 000000000..ee3209dd0
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/GSSName.java
@@ -0,0 +1,278 @@
+/* GSSName.java -- a name interface for GSS.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+/**
+ * <p>This interface encapsulates a single GSS-API principal entity.
+ * Different name formats and their definitions are identified with
+ * universal Object Identifiers (Oids). The format of the names can be
+ * derived based on the unique oid of its namespace type.</p>
+ *
+ * <h3>Example Code</h3>
+ *
+ * <pre>
+GSSManager mgr = GSSManager.getInstance();
+
+// create a host based service name
+GSSName name = mgr.createName("service@host",
+ GSSName.NT_HOSTBASED_SERVICE);
+
+Oid krb5 = new Oid("1.2.840.113554.1.2.2");
+
+GSSName mechName = name.canonicalize(krb5);
+
+// the above two steps are equivalent to the following
+GSSName mechName = mgr.createName("service@host",
+ GSSName.NT_HOSTBASED_SERVICE, krb5);
+
+// perform name comparison
+if (name.equals(mechName))
+ print("Names are equal.");
+
+// obtain textual representation of name and its printable
+// name type
+print(mechName.toString() +
+ mechName.getStringNameType().toString());
+
+// export and re-import the name
+byte [] exportName = mechName.export();
+
+// create a new name object from the exported buffer
+GSSName newName = mgr.createName(exportName,
+ GSSName.NT_EXPORT_NAME);
+</pre>
+ */
+public interface GSSName
+{
+
+ // Constants.
+ // -------------------------------------------------------------------------
+
+ /**
+ * <p>Name type for representing an anonymous entity. It represents the
+ * following value: <code>{ 1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name) }</code>.</p>
+ */
+ Oid NT_ANONYMOUS = new Oid(new int[] { 1, 3, 6, 1, 5, 6, 3 });
+
+ /**
+ * <p>Name type used to indicate an exported name produced by the export
+ * method. It represents the following value: <code>{ 1(iso), 3(org), 6(dod),
+ * 1(internet), 5(security), 6(nametypes), 4(gss-api-exported-name)
+ * }</code>.</p>
+ */
+ Oid NT_EXPORT_NAME = new Oid(new int[] { 1, 3, 6, 1, 5, 6, 4 });
+
+ /**
+ * <p>Oid indicating a host-based service name form. It is used to
+ * represent services associated with host computers. This name form is
+ * constructed using two elements, "service" and "hostname", as follows:</p>
+ *
+ * <blockquote><code>service@hostname</code></blockquote>
+ *
+ * <p>Values for the "service" element are registered with the IANA. It
+ * represents the following value: <code>{ 1(iso), 3(org), 6(dod),
+ * 1(internet), 5(security), 6(nametypes), 2(gss-host-based-services)
+ * }</code>.</p>
+ */
+ Oid NT_HOSTBASED_SERVICE = new Oid(new int[] { 1, 3, 6, 1, 5, 6, 2 });
+
+ /**
+ * <p>Name type to indicate a numeric user identifier corresponding to a
+ * user on a local system. (e.g. Uid). It represents the following
+ * value: <code>{ iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2) }</code>.</p>
+ */
+ Oid NT_MACHINE_UID_NAME = new Oid(new int[] { 1, 2, 840, 113554, 1, 2, 1, 2 });
+
+ /**
+ * <p>Name type to indicate a string of digits representing the numeric
+ * user identifier of a user on a local system. It represents the
+ * following value: <code>{ iso(1) member-body(2) United States(840)
+ * mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3)
+ * }</code>.</p>
+ */
+ Oid NT_STRING_UID_NAME = new Oid(new int[] { 1, 2, 840, 113554, 1, 2, 1, 3 });
+
+ /**
+ * <p>Name type to indicate a named user on a local system. It represents
+ * the following value: <code>{ iso(1) member-body(2) United States(840)
+ * mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }</code>.</p>
+ */
+ Oid NT_USER_NAME = new Oid(new int[] { 1, 2, 840, 113554, 1, 2, 1, 1 });
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Compares two GSSName objects to determine whether they refer to the
+ * same entity. This method may throw a {@link GSSException} when the
+ * names cannot be compared. If either of the names represents an
+ * anonymous entity, the method will return <code>false</code>.
+ *
+ * @param another GSSName object to compare with.
+ * @return True if this name equals the other, and if neither name
+ * represents an anonymous entity.
+ * @throws GSSException If the names cannot be compared.
+ */
+ boolean equals(GSSName another) throws GSSException;
+
+ /**
+ * A variation of the {@link #equals(org.ietf.jgss.GSSName)} method that
+ * is provided to override the {@link Object#equals(java.lang.Object)}
+ * method that the implementing class will inherit. The behavior is
+ * exactly the same as that in the other equals method except that no
+ * {@link GSSException} is thrown; instead, <code>false</code> will be
+ * returned in the situation where an error occurs. (Note that the Java
+ * language specification requires that two objects that are equal
+ * according to the {@link Object#equals(java.lang.Object)} method must
+ * return the same integer when the {@link hashCode()} method is called
+ * on them.
+ *
+ * @param another GSSName object to compare with.
+ * @return True if this name equals the other, if neither name
+ * represents an anonymous entity, or if an error occurs.
+ */
+ boolean equals(Object another);
+
+ /**
+ * Return the hashcode of this GSSName. When overriding {@link #equals},
+ * it is normally necessary to override hashCode() as well.
+ *
+ * @return the hash code that must be the same for two names if {@link #equals}
+ * returns true.
+ */
+ int hashCode();
+
+ /**
+ * Creates a mechanism name (MN) from an arbitrary internal name. This
+ * is equivalent to using the factory methods {@link
+ * GSSManager#createName(java.lang.String,org.ietf.jgss.Oid,org.ietf.jgss.Oid)}
+ * or {@link
+ * GSSManager#createName(byte[],org.ietf.jgss.Oid,org.ietf.jgss.Oid)}.
+ *
+ * @param mech The oid for the mechanism for which the canonical form
+ * of the name is requested.
+ * @return The mechanism name.
+ * @throws GSSException If this operation fails.
+ */
+ GSSName canonicalize(Oid mech) throws GSSException;
+
+ /**
+ * Returns a canonical contiguous byte representation of a mechanism
+ * name (MN), suitable for direct, byte by byte comparison by
+ * authorization functions. If the name is not an MN, implementations
+ * may throw a {@link GSSException} with the {@link GSSException#NAME_NOT_MN}
+ * status code. If an implementation chooses not to throw an exception,
+ * it should use some system specific default mechanism to canonicalize
+ * the name and then export it. The format of the header of the output
+ * buffer is specified in <a
+ * href="http://www.ietf.org/rfc/rfc2743.txt">RFC 2743</a>.
+ *
+ * @return The exported name.
+ * @throws GSSException If the name is not an MN and the implementation
+ * throws an exception for this case.
+ */
+ byte[] export() throws GSSException;
+
+ /**
+ * Returns a textual representation of the GSSName object. To retrieve
+ * the printed name format, which determines the syntax of the returned
+ * string, the {@link #getStringNameType()} method can be used.
+ *
+ * @return The textual representation of the GSSName object.
+ */
+ String toString();
+
+ /**
+ * Returns the oid representing the type of name returned through the
+ * {@link #toString()} method. Using this oid, the syntax of the printable
+ * name can be determined.
+ *
+ * @return The name type.
+ * @throws GSSException If this operation fails.
+ */
+ Oid getStringNameType() throws GSSException;
+
+ /**
+ * Tests if this name object represents an anonymous entity. Returns
+ * <code>true</code> if this is an anonymous name.
+ *
+ * @return True if this name represents an anonymous entity.
+ */
+ boolean isAnonymous();
+
+ /**
+ * Tests if this name object contains only one mechanism element and is
+ * thus a mechanism name as defined by <a
+ * href="http://www.ietf.org/rfc/rfc2743.txt">RFC 2743</a>.
+ *
+ * @return True if this name is a mechanism name.
+ */
+ boolean isMN();
+}
diff --git a/libjava/classpath/org/ietf/jgss/MessageProp.java b/libjava/classpath/org/ietf/jgss/MessageProp.java
new file mode 100644
index 000000000..5c79455ac
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/MessageProp.java
@@ -0,0 +1,273 @@
+/* MessageProp.java -- GSS-API message property.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+/**
+ * <p>This is a utility class used within the per-message {@link
+ * GSSContext} methods to convey per-message properties.</p>
+ *
+ * <p>When used with the GSSContext interface's {@link
+ * GSSContext#wrap(byte[],int,int,org.ietf.jgss.MessageProp)} and {@link
+ * GSSContext#getMIC(byte[],int,int,org.ietf.jgss.MessageProp)} methods, an
+ * instance of this class is used to indicate the desired QOP and to
+ * request if confidentiality services are to be applied to caller
+ * supplied data (wrap only). To request default QOP, the value of 0
+ * should be used for QOP.</p>
+ *
+ * <p>When used with the {@link
+ * GSSContext#unwrap(byte[],int,int,org.ietf.jgss.MessageProp)} and {@link
+ * GSSContext#verifyMIC(byte[],int,int,byte[],int,int,org.ietf.jgss.MessageProp)}
+ * methods of the GSSContext interface, an instance of this class will be
+ * used to indicate the applied QOP and confidentiality services over the
+ * supplied message. In the case of verifyMIC, the confidentiality state
+ * will always be "false". Upon return from these methods, this object will
+ * also contain any supplementary status values applicable to the processed
+ * token. The supplementary status values can indicate old tokens, out
+ * of sequence tokens, gap tokens or duplicate tokens.</p>
+ */
+public class MessageProp
+{
+
+ // Fields.
+ // -------------------------------------------------------------------------
+
+ private int qopVal;
+ private boolean privState;
+ private boolean duplicate;
+ private boolean old;
+ private boolean unseq;
+ private boolean gap;
+ private int minorStatus;
+ private String minorString;
+
+ // Constructors.
+ // -------------------------------------------------------------------------
+
+ /**
+ * <p>Constructor which sets QOP to 0 indicating that the default QOP is
+ * requested.</p>
+ *
+ * @param privState The desired privacy state. "true" for privacy and
+ * "false" for integrity only.
+ */
+ public MessageProp(boolean privState)
+ {
+ this(0, privState);
+ }
+
+ /**
+ * <p>Constructor which sets the values for the qop and privacy state.</p>
+ *
+ * @param qop The desired QOP. Use 0 to request a default QOP.
+ * @param privState The desired privacy state. "true" for privacy and
+ * "false" for integrity only.
+ */
+ public MessageProp(int qop, boolean privState)
+ {
+ this.qopVal = qop;
+ this.privState = privState;
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Retrieves the QOP value.
+ *
+ * @return The QOP value.
+ */
+ public int getQOP()
+ {
+ return qopVal;
+ }
+
+ /**
+ * Retrieves the privacy state.
+ *
+ * @return The privacy state.
+ */
+ public boolean getPrivacy()
+ {
+ return privState;
+ }
+
+ /**
+ * Retrieves the minor status that the underlying mechanism might have
+ * set.
+ *
+ * @return The minor status.
+ */
+ public int getMinorStatus()
+ {
+ return minorStatus;
+ }
+
+ /**
+ * Returns a string explaining the mechanism specific error code.
+ * <code>null</code> will be returned when no mechanism error code has
+ * been set.
+ *
+ * @return The minor status string.
+ */
+ public String getMinorString()
+ {
+ return minorString;
+ }
+
+ /**
+ * Sets the QOP value.
+ *
+ * @param qopVal The QOP value to be set. Use 0 to request a default
+ * QOP value.
+ */
+ public void setQOP(int qopVal)
+ {
+ this.qopVal = qopVal;
+ }
+
+ /**
+ * Sets the privacy state.
+ *
+ * @param privState The privacy state to set.
+ */
+ public void setPrivacy(boolean privState)
+ {
+ this.privState = privState;
+ }
+
+ /**
+ * Returns "true" if this is a duplicate of an earlier token.
+ *
+ * @return True if this is a duplicate of an earlier token.
+ */
+ public boolean isDuplicateToken()
+ {
+ return duplicate;
+ }
+
+ /**
+ * Returns "true" if the token's validity period has expired.
+ *
+ * @return True if the token's validity period has expired.
+ */
+ public boolean isOldToken()
+ {
+ return old;
+ }
+
+ /**
+ * Returns "true" if a later token has already been processed.
+ *
+ * @return True if a later token has already been processed.
+ */
+ public boolean isUnseqToken()
+ {
+ return unseq;
+ }
+
+ /**
+ * Returns "true" if an expected per-message token was not received.
+ *
+ * @return True if an expected per-message token was not received.
+ */
+ public boolean isGapToken()
+ {
+ return gap;
+ }
+
+ /**
+ * This method sets the state for the supplementary information flags
+ * and the minor status in MessageProp. It is not used by the
+ * application but by the GSS implementation to return this information
+ * to the caller of a per-message context method.
+ *
+ * @param duplicate True if the token was a duplicate of an earlier
+ * token, false otherwise.
+ * @param old True if the token's validity period has expired,
+ * false otherwise.
+ * @param unseq True if a later token has already been processed,
+ * false otherwise.
+ * @param gap True if one or more predecessor tokens have not yet
+ * been successfully processed, false otherwise.
+ * @param minorStatus The integer minor status code that the underlying
+ * mechanism wants to set.
+ * @param minorString The textual representation of the minorStatus
+ * value.
+ */
+ public void setSupplementaryStates(boolean duplicate, boolean old,
+ boolean unseq, boolean gap,
+ int minorStatus, String minorString)
+ {
+ this.duplicate = duplicate;
+ this.old = old;
+ this.unseq = unseq;
+ this.gap = gap;
+ this.minorStatus = minorStatus;
+ this.minorString = minorString;
+ }
+}
diff --git a/libjava/classpath/org/ietf/jgss/Oid.java b/libjava/classpath/org/ietf/jgss/Oid.java
new file mode 100644
index 000000000..bd01f9cfe
--- /dev/null
+++ b/libjava/classpath/org/ietf/jgss/Oid.java
@@ -0,0 +1,387 @@
+/* Oid.java -- Object identifier class.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ The documentation comments of this class are derived from the text
+ of RFC 2853: Generic Security Service API Version 2: Java Bindings.
+ That document is covered under the following license notice:
+
+Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it
+or assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are
+included on all such copies and derivative works. However, this
+document itself may not be modified in any way, such as by removing
+the copyright notice or references to the Internet Society or other
+Internet organizations, except as needed for the purpose of developing
+Internet standards in which case the procedures for copyrights defined
+in the Internet Standards process must be followed, or as required to
+translate it into languages other than English.
+
+The limited permissions granted above are perpetual and will not be
+revoked by the Internet Society or its successors or assigns.
+
+This document and the information contained herein is provided on an
+"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
+WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */
+
+
+package org.ietf.jgss;
+
+import gnu.java.lang.CPStringBuilder;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.InputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+import java.math.BigInteger;
+
+import java.util.Arrays;
+import java.util.StringTokenizer;
+
+/**
+ * <p>This class represents Universal Object Identifiers (Oids) and their
+ * associated operations.</p>
+ *
+ * <p>Oids are hierarchically globally-interpretable identifiers used
+ * within the GSS-API framework to identify mechanisms and name formats.</p>
+ *
+ * <p>The structure and encoding of Oids is defined in ISOIEC-8824 and
+ * ISOIEC-8825. For example the Oid representation of Kerberos V5
+ * mechanism is "1.2.840.113554.1.2.2".</p>
+ *
+ * <p>The {@link GSSName} name class contains <code>public static Oid</code>
+ * objects representing the standard name types defined in GSS-API.</p>
+ */
+public class Oid
+{
+
+ // Constants and fields.
+ // -------------------------------------------------------------------------
+
+ private static final int OBJECT_IDENTIFIER = 0x06;
+ private static final int RELATIVE_OID = 0x0d;
+
+ private final int[] components;
+ private byte[] derOid;
+ private String strOid;
+ private boolean relative;
+
+ // Constructors.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Creates an Oid object from a string representation of its integer
+ * components (e.g. "1.2.840.113554.1.2.2").
+ *
+ * @param strOid The string representation for the oid.
+ * @throws GSSException If the argument is badly formed.
+ */
+ public Oid(String strOid) throws GSSException
+ {
+ if (strOid == null)
+ throw new NullPointerException();
+ this.strOid = strOid;
+ try
+ {
+ StringTokenizer tok = new StringTokenizer(strOid, ".");
+ components = new int[tok.countTokens()];
+ int i = 0;
+ while (tok.hasMoreTokens() && i < components.length)
+ {
+ components[i++] = Integer.parseInt(tok.nextToken());
+ }
+ }
+ catch (Exception x)
+ {
+ throw new GSSException(GSSException.FAILURE);
+ }
+ relative = false;
+ }
+
+ /**
+ * Creates an Oid object from its DER encoding. This refers to the full
+ * encoding including tag and length. The structure and encoding of
+ * Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is
+ * identical in functionality to its byte array counterpart.
+ *
+ * @param derOid Stream containing the DER encoded oid.
+ * @throws GSSException If the DER stream is badly formed, or if the
+ * input stream throws an exception.
+ */
+ public Oid(InputStream derOid) throws GSSException
+ {
+ DataInputStream in = new DataInputStream(derOid);
+ try
+ {
+ int tag = in.read() & 0x1F;
+ if (tag != OBJECT_IDENTIFIER && tag != RELATIVE_OID)
+ throw new IOException();
+ int len = in.read();
+ if ((len & ~0x7F) != 0)
+ {
+ byte[] buf = new byte[len & 0x7F];
+ in.readFully(buf);
+ len = new BigInteger(1, buf).intValue();
+ }
+ if (len < 0)
+ throw new IOException();
+ byte[] enc = new byte[len];
+ in.readFully(enc);
+ int[] comp = new int[len + 1];
+ int count = 0;
+ int i = 0;
+ relative = tag == RELATIVE_OID;
+ if (!relative && i < len)
+ {
+ int j = (enc[i] & 0xFF);
+ comp[count++] = j / 40;
+ comp[count++] = j % 40;
+ i++;
+ }
+ while (i < len)
+ {
+ int j = 0;
+ do
+ {
+ j = enc[i++] & 0xFF;
+ comp[count] <<= 7;
+ comp[count] |= j & 0x7F;
+ if (i >= len && (j & 0x80) != 0)
+ throw new IOException();
+ }
+ while ((j & 0x80) != 0);
+ count++;
+ }
+ if (count == len)
+ this.components = comp;
+ else
+ {
+ this.components = new int[count];
+ System.arraycopy(comp, 0, components, 0, count);
+ }
+ }
+ catch (IOException ioe)
+ {
+ throw new GSSException(GSSException.FAILURE);
+ }
+ }
+
+ /**
+ * Creates an Oid object from its DER encoding. This refers to the full
+ * encoding including tag and length. The structure and encoding of
+ * Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is
+ * identical in functionality to its streaming counterpart.
+ *
+ * @param derOid Byte array storing a DER encoded oid.
+ * @throws GSSException If the DER bytes are badly formed.
+ */
+ public Oid(byte[] derOid) throws GSSException
+ {
+ this(new ByteArrayInputStream(derOid));
+ this.derOid = (byte[]) derOid.clone();
+ }
+
+ Oid(int[] components)
+ {
+ this.components = components;
+ relative = false;
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Returns a string representation of the oid's integer components in
+ * dot separated notation (e.g. "1.2.840.113554.1.2.2").
+ *
+ * @return The string representation of this oid.
+ */
+ public String toString()
+ {
+ if (strOid == null)
+ {
+ CPStringBuilder buf = new CPStringBuilder();
+ for (int i = 0; i < components.length; i++)
+ {
+ buf.append(components[i]);
+ if (i < components.length - 1)
+ buf.append('.');
+ }
+ strOid = buf.toString();
+ }
+ return strOid;
+ }
+
+ /**
+ * Returns the full ASN.1 DER encoding for this oid object, which
+ * includes the tag and length.
+ *
+ * @return The ASN.1 DER encoding for this oid.
+ * @throws GSSException If encoding fails.
+ */
+ public byte[] getDER() throws GSSException
+ {
+ if (derOid == null)
+ {
+ ByteArrayOutputStream out = new ByteArrayOutputStream(256);
+ try
+ {
+ int i = 0;
+ if (!relative)
+ {
+ int b = components[i++] * 40 + (components.length > 1
+ ? components[i++] : 0);
+ encodeSubId(out, b);
+ }
+ for ( ; i < components.length; i++)
+ encodeSubId(out, components[i]);
+ byte[] oid = out.toByteArray();
+ out.reset();
+ if (relative)
+ out.write(RELATIVE_OID);
+ else
+ out.write(OBJECT_IDENTIFIER);
+ if (oid.length < 128)
+ out.write(oid.length);
+ else if (oid.length < 256)
+ {
+ out.write(0x81);
+ out.write(oid.length);
+ }
+ else if (oid.length < 65536)
+ {
+ out.write(0x82);
+ out.write((oid.length >>> 8) & 0xFF);
+ out.write(oid.length & 0xFF);
+ }
+ else if (oid.length < 16777216)
+ {
+ out.write(0x83);
+ out.write((oid.length >>> 16) & 0xFF);
+ out.write((oid.length >>> 8) & 0xFF);
+ out.write(oid.length & 0xFF);
+ }
+ else
+ {
+ out.write(0x84);
+ out.write((oid.length >>> 24) & 0xFF);
+ out.write((oid.length >>> 16) & 0xFF);
+ out.write((oid.length >>> 8) & 0xFF);
+ out.write(oid.length & 0xFF);
+ }
+ out.write(oid);
+ }
+ catch (IOException ioe)
+ {
+ throw new GSSException(GSSException.FAILURE);
+ }
+ derOid = out.toByteArray();
+ }
+ return (byte[]) derOid.clone();
+ }
+
+ /**
+ * A utility method to test if an Oid object is contained within the
+ * supplied Oid object array.
+ *
+ * @param oids An array of oids to search.
+ * @return True if this oid is contained in the given array.
+ */
+ public boolean containedIn(Oid[] oids)
+ {
+ for (int i = 0; i < oids.length; i++)
+ {
+ if (equals(oids[i]))
+ return true;
+ }
+ return false;
+ }
+
+ public boolean equals(Object o)
+ {
+ if (!(o instanceof Oid))
+ return false;
+ Oid that = (Oid) o;
+ return Arrays.equals(components, that.components);
+ }
+
+ public int hashCode()
+ {
+ int code = 0;
+ for (int i = 0; i < components.length; i++)
+ code += components[i];
+ return code;
+ }
+
+ // Own methods.
+ // -------------------------------------------------------------------------
+
+ private static void encodeSubId(OutputStream out, int id) throws IOException
+ {
+ if (id < 128)
+ {
+ out.write(id);
+ }
+ else if (id < 16384)
+ {
+ out.write((id >>> 7) | 0x80);
+ out.write(id & 0x7F);
+ }
+ else if (id < 2097152)
+ {
+ out.write((id >>> 14) | 0x80);
+ out.write(((id >>> 7) | 0x80) & 0xFF);
+ out.write(id & 0x7F);
+ }
+ else if (id < 268435456)
+ {
+ out.write( (id >>> 21) | 0x80);
+ out.write(((id >>> 14) | 0x80) & 0xFF);
+ out.write(((id >>> 7) | 0x80) & 0xFF);
+ out.write(id & 0x7F);
+ }
+ }
+}