[kitten] Suggested update to RFC 5653 JGSS-API: Provide a way to return a token when context establishment fails
Weijun Wang
weijun.wang at oracle.com
Fri Jul 19 06:48:17 UTC 2013
Hi Mayank
On 7/19/2013 1:37 PM, Mayank Upadhyay wrote:
> (My apologies for resending, but with the right subject this time.)
>
> Hi Weijun,
>
> You point out a legitimate problem, but I want to understand a couple of
> assumptions:
>
> 1. Why allow only initSecContext() and acceptSecContext() to have this
> new behavior? Imagine a mechanism built on top of TLS which is
> renegotiating the session intermixed with actual payload, and had
> some error it wanted to communicate to the peer (e.g., a TLS Alert).
> Is there any particular reason you'd like to avoid that scenario?
No, there isn't. I just haven't expected any usage outside these 2
methods. In the final spec, I think I would write something like "If the
underlying mechanism defines any error token to be sent to the peer, ....".
>
> 2. I didn't quite follow the comment about the default method (maybe it
> shows that my Java is dated :). GSSException is not an interface but
> a concrete class, and adding a method to it adds it in the JRE
> starting at some particular version. What happens when applications
> that call the new method are run on an older JRE?
Oh, I was wrong. I thought everything in JGSS is an interface. We can
just add the method there.
If someone call the new method on an older JRE, a NoSuchMethodException
is thrown. I had thought about creating a new ExtendedGSSException, but
I really don't want to create ExtendedExtendedGSSException one day.
>
> 3. Don't we also need to set this token when the mechanism creates a
> GSSException instance? Note that the concrete class has no setter
> methods of any kind at this time, but two constructors.
New constructors will be provided.
Thanks
Weijun
>
> Thanks,
> Mayank
>
> ---------- Forwarded message ----------
> From: **<kitten-request at ietf.org <mailto:kitten-request at ietf.org>>
> Date: Mon, Jul 15, 2013 at 12:01 PM
>
> Message: 4
> Date: Mon, 15 Jul 2013 11:58:47 +0800
> From: Weijun Wang <weijun.wang at oracle.com <mailto:weijun.wang at oracle.com>>
> To: kitten at ietf.org <mailto:kitten at ietf.org>, OpenJDK
> <security-dev at openjdk.java.net <mailto:security-dev at openjdk.java.net>>
> Subject: [kitten] Suggested update to RFC 5653 JGSS-API: Provide a way
> to return a token when context establishment fails
> Message-ID: <51E37377.1030704 at oracle.com
> <mailto:51E37377.1030704 at oracle.com>>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi All
>
> I am Weijun Wang from the Java SE Seurity Team at Oracle, and this mail
> is about a design flaw in the initSecContext and acceptSecContext
> methods of the GSSContext class defined in RFC 5653 7.4.3 [1] and 7.4.9 [2].
>
> The GSSContext::initSecContext() method could either return a token
> (possibly null if no more token is needed) when the call succeeds or
> throw a GSSException if there is a failure, but not *both*. The same
> applies to acceptSecContext().
>
> On the other hand, the C bindings of GSS-API has a chance to return
> both, and it does try to make use of both of them (according to RFC 2743
> 2.2.1 [3]):
>
> It is the caller's responsibility to establish a communications path
> to the target, and to transmit any returned output_token (independent
> of the accompanying returned major_status value) to the target over
> that path.
>
> Without the ability to send a token when there is a failure, a Java
> program has no chance to tell the other side what's happening. This is
> very user-unfriendly. Also, in the case of SPNEGO, a "reject"
> NegTokenResp token will never be able to sent out.
>
> My current proposal is to add a new method getOutputToken() to the
> GSSException class (which will be thrown when an error occurs) to return
> this last token. This means the method calls will be something like
>
> try {
> send(initSecContext(inToken));
> } catch (GSSException e) {
> if (e.getOutputToken() != null) {
> send(e.getOutputToken());
> }
> throw e;
> }
>
> The getOutputToken() method can only return a non-null value when it's
> thrown by an initSecContext or acceptSecContext call. The method won't
> throw another GSSException even if the exception was thrown in other calls.
>
> We can use the new JDK 8 default method feature [1] to add this new
> method to the existing GSSException interface.
>
> Thanks
> Weijun
>
> [1] http://tools.ietf.org/html/rfc5653#section-7.4.3[2]
> http://tools.ietf.org/html/rfc5653#section-7.4.9
> [3] http://tools.ietf.org/html/rfc2743#page-46
> [4] http://tools.ietf.org/html/rfc5653#section-7.4.5
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 15 Jul 2013 13:33:41 -0400
> From: Jeffrey Hutzelman <jhutz at cmu.edu <mailto:jhutz at cmu.edu>>
> To: Weijun Wang <weijun.wang at oracle.com <mailto:weijun.wang at oracle.com>>
> Cc: kitten at ietf.org <mailto:kitten at ietf.org>, OpenJDK
> <security-dev at openjdk.java.net <mailto:security-dev at openjdk.java.net>>,
> jhutz at cmu.edu <mailto:jhutz at cmu.edu>
> Subject: Re: [kitten] Suggested update to RFC 5653 JGSS-API: Provide a
> way to return a token when context establishment fails
> Message-ID: <1373909621.23365.286.camel at minbar.fac.cs.cmu.edu
> <mailto:1373909621.23365.286.camel at minbar.fac.cs.cmu.edu>>
> Content-Type: text/plain; charset="UTF-8"
>
> On Mon, 2013-07-15 at 11:58 +0800, Weijun Wang wrote:
>
> > My current proposal is to add a new method getOutputToken() to the
> > GSSException class (which will be thrown when an error occurs) to return
> > this last token. This means the method calls will be something like
>
> This seems like an elegant solution to the problem.
>
> -- Jeff
More information about the security-dev
mailing list