GSI Implementation Details.
The Globus GSI GSSAPI is an implementation of GSS API C Bindings using OpenSSL. This API documentation is intended to explain implementation-specific behavior of this GSSAPI implementation, as well as GSSAPI extensions.
The API documentation is divided into sections covering:
GSS Accept Security Context.
Acquire Credential. GSSAPI routine to acquire the local
See the latest IETF draft/RFC on the GSSAPI C bindings.
Gets the local credentials. proxy_init_cred does most of the work of setting up the SSL_CTX, getting the user's certificate, key, etc.
The globusid is obtained from the certificate subject, minus any /CN=proxy entries.
time_req: number of seconds that credentials should remain valid. This value can be GSS_C_INDEFINITE for an unlimited lifetime. NOTE: in the current implementation this parameter is ignored, since the expiration of a signed certificate cannot be changed.
Add OID Set Member. Adds an Object Identifier to an Object Identifier set. This routine is intended for use in conjunction with GSS_Create_empty_OID_set() when constructing a set of mechanism OIDs for input to GSS_Acquire_cred().
Compare Name. Compare two names. GSSAPI names in this implementation are pointers to X.509 names.
Context Time.
Create Empty OID Set. Creates an object identifier set containing no object identifiers, to which members may be subsequently added using the GSS_Add_OID_set_member() routine. These routines are intended to be used to construct sets of mechanism object identifiers, for input to GSS_Acquire_cred().
Delete Security Context. Delete the GSS Security Context
Display Name. Produces a single line version of the internal X.509 name
Display Status. Calls the OpenSSL error print routines to produce a printable message. This may need some work, as the OpenSSL error messages are more of a trace and may not be the best for the user. It also does not take advantage of being called in a loop (the message_context iteration that gss_display_status allows).
Duplicate Name. Copy a GSSAPI name.
Export Name. Produces a mechanism-independent exported name object. See section 3.2 of RFC 2743.
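The name routines above (Export Name, Compare Name, and the globusid derivation in the Acquire Credential notes, which strips trailing /CN=proxy entries from the certificate subject) are easiest to understand by building the bytes by hand. The following is an added example written for this page, not code from the Globus GSI library: it derives a globusid from a constructed one-line OpenSSL subject, builds and parses an RFC 2743 section 3.2 exported name token, and compares two tokens the mechanism-independent way. The mechanism OID 1.3.6.1.4.1.3536.1.1 is assumed here to be the GSI mechanism OID for illustration, and all helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER body of the Globus GSI mechanism OID 1.3.6.1.4.1.3536.1.1 (assumed here for illustration). */
static const uint8_t GSI_MECH_OID[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x9b, 0x50, 0x01, 0x01};

/* Derive the globusid from a one-line OpenSSL subject by dropping every trailing "/CN=proxy"
 * component (hypothetical helper). Returns the number of components removed, -1 if out is too small. */
int globusid_from_subject(const char *subject, char *out, size_t out_cap)
{
    const char suffix[] = "/CN=proxy";
    size_t slen = sizeof(suffix) - 1;
    size_t len = strlen(subject);
    int removed = 0;
    while (len >= slen && memcmp(subject + len - slen, suffix, slen) == 0) {
        len -= slen;
        removed++;
    }
    if (len + 1 > out_cap) return -1;
    memcpy(out, subject, len);
    out[len] = '\0';
    return removed;
}

/* Build an RFC 2743 section 3.2 exported name token:
 *   04 01 | 2-byte BE length of the OID TLV | 06 len OID-body | 4-byte BE name length | name octets
 * Returns the token length, or 0 if the OID would need a multi-byte DER length or out is too small. */
size_t export_name_token(const uint8_t *oid, size_t oid_len, const char *name,
                         uint8_t *out, size_t out_cap)
{
    size_t name_len = strlen(name);
    size_t mech_len = 2 + oid_len;               /* 0x06, one length byte, OID body */
    size_t total = 2 + 2 + mech_len + 4 + name_len;
    uint8_t *p = out;
    if (oid_len >= 128 || total > out_cap) return 0;
    *p++ = 0x04; *p++ = 0x01;
    *p++ = (uint8_t)(mech_len >> 8); *p++ = (uint8_t)mech_len;
    *p++ = 0x06; *p++ = (uint8_t)oid_len;
    memcpy(p, oid, oid_len); p += oid_len;
    *p++ = (uint8_t)(name_len >> 24); *p++ = (uint8_t)(name_len >> 16);
    *p++ = (uint8_t)(name_len >> 8);  *p++ = (uint8_t)name_len;
    memcpy(p, name, name_len);
    return total;
}

/* Parse an exported name token. Every length is checked against tok_len before it is used, so a
 * truncated, padded or mislabelled token is rejected instead of being read past its end.
 * Returns 1 with pointers into tok on success, 0 on malformed input. */
int parse_exported_name(const uint8_t *tok, size_t tok_len,
                        const uint8_t **oid, size_t *oid_len,
                        const uint8_t **name, size_t *name_len)
{
    const uint8_t *m, *l;
    size_t mech_len, n;
    if (tok_len < 4 || tok[0] != 0x04 || tok[1] != 0x01) return 0;
    mech_len = ((size_t)tok[2] << 8) | tok[3];
    if (mech_len < 2 || mech_len > tok_len - 4 || tok_len - 4 - mech_len < 4) return 0;
    m = tok + 4;
    if (m[0] != 0x06 || (size_t)m[1] + 2 != mech_len) return 0;
    l = m + mech_len;
    n = ((size_t)l[0] << 24) | ((size_t)l[1] << 16) | ((size_t)l[2] << 8) | l[3];
    if (n != tok_len - 4 - mech_len - 4) return 0;
    *oid = m + 2;  *oid_len = m[1];
    *name = l + 4; *name_len = n;
    return 1;
}

/* Mechanism-independent comparison: both tokens must parse, then they must match byte for byte
 * (same mechanism OID and same name octets), which is what equality of exported names means. */
int exported_names_equal(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len)
{
    const uint8_t *oa, *na, *ob, *nb;
    size_t oal, nal, obl, nbl;
    if (!parse_exported_name(a, a_len, &oa, &oal, &na, &nal)) return 0;
    if (!parse_exported_name(b, b_len, &ob, &obl, &nb, &nbl)) return 0;
    return a_len == b_len && memcmp(a, b, a_len) == 0;
}

int main(void)
{
    /* Constructed sample: a one-level GSI proxy subject in OpenSSL one-line form. */
    char globusid[128];
    uint8_t tok[256], tok2[256];
    size_t tlen, tlen2, oid_len, name_len;
    const uint8_t *oid, *name;

    globusid_from_subject("/C=US/O=Example/CN=Jane Doe/CN=proxy", globusid, sizeof globusid);
    tlen = export_name_token(GSI_MECH_OID, sizeof GSI_MECH_OID, globusid, tok, sizeof tok);
    tlen2 = export_name_token(GSI_MECH_OID, sizeof GSI_MECH_OID, "/C=US/O=Example/CN=Jane Doe", tok2, sizeof tok2);
    printf("globusid: %s (%zu-byte token), equals underlying identity: %d\n",
           globusid, tlen, exported_names_equal(tok, tlen, tok2, tlen2));
    if (parse_exported_name(tok, tlen, &oid, &oid_len, &name, &name_len))
        printf("parsed name: %.*s\n", (int)name_len, name);
    /* A token truncated by one byte must be rejected, not partially parsed. */
    printf("truncated token accepted: %d\n", parse_exported_name(tok, tlen - 1, &oid, &oid_len, &name, &name_len));
    return 0;
}
```

The point of the parser's length checks is that an exported name usually arrives from the peer (for example as input to gss_import_name with GSS_C_NT_EXPORT_NAME), so the token length must be validated against every embedded length before any byte past the header is touched.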
Get MIC. Calculates a cryptographic MIC (message integrity check) over an application message and returns that MIC in the token. The token and message can then be passed to the peer application, which calls gss_verify_mic to verify the MIC.
Import Name. Import a name into a gss_name_t. Creates a new gss_name_t which contains a mechanism-specific representation of the input name. GSSAPI OpenSSL implements the following name types, based on the input_name_type OID:
Indicate Mechs. Passes back the set of available mechanisms. There is only one for now.
Inquire Context.
Inquire Cred. As an extension, this routine will also return the proxy file name if the caller sets minor_status to 57056 (0xdee0) on entry. This is done because there is no other way to pass back the delegated credential file name.
When 57056 is seen on entry, a new copy of the credential is written to a file, and it is the caller's responsibility to delete that file when done. The returned name will be a pointer to a char * holding the file name, which the caller must free. minor_status is set to 57057 (0xdee1) on return to indicate this.
DEE - this is a kludge until the GSSAPI gets a better way to return the name.
If minor_status is not changed from 57056 to 57057, assume the call was not handled by this GSSAPI implementation and that an ordinary gss_name_t was returned.
Release Buffer.
Release Credential. Release the GSSAPI credential handle.
cred_handle_P: the GSS credential handle to be released.
GSS Release Name. Release the GSS Name
Release OID Set. Release the OID set.
Seal. Obsolete variant of gss_wrap for V1 compatibility
Sign. Deprecated. Does the same thing as gss_get_mic for V1 compatibility.
Test OID Set Member. Interrogates an Object Identifier set to determine whether a specified Object Identifier is a member. This routine is intended to be used with OID sets returned by GSS_Indicate_mechs(), GSS_Acquire_cred(), and GSS_Inquire_cred().
Unseal. Obsolete variant of gss_unwrap for V1 compatibility; allows a non-32-bit integer in qop_state. Otherwise behaves as gss_unwrap below.
Unwrap. GSSAPI routine to unwrap a buffer that was received from the peer and wrapped by gss_wrap (wrap.c).
Returns the data from the wrapped buffer. There may also be errors, such as integrity errors. Since we cannot communicate directly with our peer, we cannot do everything SSL could, e.g. return a token.
Verify. Obsolete variant of gss_verify_mic for V1 compatibility. Checks a MIC of the data.
Verify MIC. Check a MIC of the data
Wrap. Wrap a message for integrity and confidentiality protection. We do this using the SSLv3 routines, by writing the message to the SSL object and pulling the resulting record off the back of the write BIO. But we cannot do everything SSL might want, such as control messages or segmenting the messages here, since we are forced to use GSSAPI tokens and cannot communicate directly with our peer. So there may be some failures that would work with true SSL.
Wrap Size Limit. GSSAPI routine that, given the maximum size of an output token, returns the largest message that gss_wrap can accept without the resulting token exceeding that size (see RFC 2744). Since wrap is implemented with the SSL protocol, the limit reflects the overhead of the SSL records that carry the message.
