vendor/gopkg.in/jcmturner/gokrb5.v7/gssapi/gssapi.go - voltha-go - Gitiles

 // Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.
 package gssapi

 import (
 	"context"
 	"fmt"

 	"github.com/jcmturner/gofork/encoding/asn1"
 )

 // GSS-API OID names
 const (
 	// GSS-API OID names
 	OIDKRB5         OIDName = "KRB5"         // MechType OID for Kerberos 5
 	OIDMSLegacyKRB5 OIDName = "MSLegacyKRB5" // MechType OID for Kerberos 5
 	OIDSPNEGO       OIDName = "SPNEGO"
 )

 // GSS-API status values
 const (
 	StatusBadBindings = 1 << iota
 	StatusBadMech
 	StatusBadName
 	StatusBadNameType
 	StatusBadStatus
 	StatusBadSig
 	StatusBadMIC
 	StatusContextExpired
 	StatusCredentialsExpired
 	StatusDefectiveCredential
 	StatusDefectiveToken
 	StatusFailure
 	StatusNoContext
 	StatusNoCred
 	StatusBadQOP
 	StatusUnauthorized
 	StatusUnavailable
 	StatusDuplicateElement
 	StatusNameNotMN
 	StatusComplete
 	StatusContinueNeeded
 	StatusDuplicateToken
 	StatusOldToken
 	StatusUnseqToken
 	StatusGapToken
 )

 // ContextToken is an interface for a GSS-API context token.
 type ContextToken interface {
 	Marshal() ([]byte, error)
 	Unmarshal(b []byte) error
 	Verify() (bool, Status)
 	Context() context.Context
 }

 /*
 CREDENTIAL MANAGEMENT

 GSS_Acquire_cred             acquire credentials for use
 GSS_Release_cred             release credentials after use
 GSS_Inquire_cred             display information about credentials
 GSS_Add_cred                 construct credentials incrementally
 GSS_Inquire_cred_by_mech     display per-mechanism credential information

 CONTEXT-LEVEL CALLS

 GSS_Init_sec_context         initiate outbound security context
 GSS_Accept_sec_context       accept inbound security context
 GSS_Delete_sec_context       flush context when no longer needed
 GSS_Process_context_token    process received control token on context
 GSS_Context_time             indicate validity time remaining on context
 GSS_Inquire_context          display information about context
 GSS_Wrap_size_limit          determine GSS_Wrap token size limit
 GSS_Export_sec_context       transfer context to other process
 GSS_Import_sec_context       import transferred context

 PER-MESSAGE CALLS

 GSS_GetMIC                   apply integrity check, receive as token separate from message
 GSS_VerifyMIC                validate integrity check token along with message
 GSS_Wrap                     sign, optionally encrypt, encapsulate
 GSS_Unwrap                   decapsulate, decrypt if needed, validate integrity check

 SUPPORT CALLS

 GSS_Display_status           translate status codes to printable form
 GSS_Indicate_mechs           indicate mech_types supported on local system
 GSS_Compare_name             compare two names for equality
 GSS_Display_name             translate name to printable form
 GSS_Import_name              convert printable name to normalized form
 GSS_Release_name             free storage of normalized-form name
 GSS_Release_buffer           free storage of general GSS-allocated object
 GSS_Release_OID_set          free storage of OID set object
 GSS_Create_empty_OID_set     create empty OID set
 GSS_Add_OID_set_member       add member to OID set
 GSS_Test_OID_set_member      test if OID is member of OID set
 GSS_Inquire_names_for_mech   indicate name types supported by mechanism
 GSS_Inquire_mechs_for_name   indicates mechanisms supporting name type
 GSS_Canonicalize_name        translate name to per-mechanism form
 GSS_Export_name              externalize per-mechanism name
 GSS_Duplicate_name           duplicate name object
 */

 // Mechanism is the GSS-API interface for authentication mechanisms.
 type Mechanism interface {
 	OID() asn1.ObjectIdentifier
 	AcquireCred() error                                               // acquire credentials for use (eg. AS exchange for KRB5)
 	InitSecContext() (ContextToken, error)                            // initiate outbound security context (eg TGS exchange builds AP_REQ to go into ContextToken to send to service)
 	AcceptSecContext(ct ContextToken) (bool, context.Context, Status) // service verifies the token server side to establish a context
 	MIC() MICToken                                                    // apply integrity check, receive as token separate from message
 	VerifyMIC(mt MICToken) (bool, error)                              // validate integrity check token along with message
 	Wrap(msg []byte) WrapToken                                        // sign, optionally encrypt, encapsulate
 	Unwrap(wt WrapToken) []byte                                       // decapsulate, decrypt if needed, validate integrity check
 }

 // OIDName is the type for defined GSS-API OIDs.
 type OIDName string

 // OID returns the OID for the provided OID name.
 func OID(o OIDName) asn1.ObjectIdentifier {
 	switch o {
 	case OIDSPNEGO:
 		return asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}
 	case OIDKRB5:
 		return asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
 	case OIDMSLegacyKRB5:
 		return asn1.ObjectIdentifier{1, 2, 840, 48018, 1, 2, 2}
 	}
 	return asn1.ObjectIdentifier{}
 }

 // Status is the GSS-API status and implements the error interface.
 type Status struct {
 	Code    int
 	Message string
 }

 // Error returns the Status description.
 func (s Status) Error() string {
 	var str string
 	switch s.Code {
 	case StatusBadBindings:
 		str = "channel binding mismatch"
 	case StatusBadMech:
 		str = "unsupported mechanism requested"
 	case StatusBadName:
 		str = "invalid name provided"
 	case StatusBadNameType:
 		str = "name of unsupported type provided"
 	case StatusBadStatus:
 		str = "invalid input status selector"
 	case StatusBadSig:
 		str = "token had invalid integrity check"
 	case StatusBadMIC:
 		str = "preferred alias for GSS_S_BAD_SIG"
 	case StatusContextExpired:
 		str = "specified security context expired"
 	case StatusCredentialsExpired:
 		str = "expired credentials detected"
 	case StatusDefectiveCredential:
 		str = "defective credential detected"
 	case StatusDefectiveToken:
 		str = "defective token detected"
 	case StatusFailure:
 		str = "failure, unspecified at GSS-API level"
 	case StatusNoContext:
 		str = "no valid security context specified"
 	case StatusNoCred:
 		str = "no valid credentials provided"
 	case StatusBadQOP:
 		str = "unsupported QOP valu"
 	case StatusUnauthorized:
 		str = "operation unauthorized"
 	case StatusUnavailable:
 		str = "operation unavailable"
 	case StatusDuplicateElement:
 		str = "duplicate credential element requested"
 	case StatusNameNotMN:
 		str = "name contains multi-mechanism elements"
 	case StatusComplete:
 		str = "normal completion"
 	case StatusContinueNeeded:
 		str = "continuation call to routine required"
 	case StatusDuplicateToken:
 		str = "duplicate per-message token detected"
 	case StatusOldToken:
 		str = "timed-out per-message token detected"
 	case StatusUnseqToken:
 		str = "reordered (early) per-message token detected"
 	case StatusGapToken:
 		str = "skipped predecessor token(s) detected"
 	default:
 		str = "unknown GSS-API error status"
 	}
 	if s.Message != "" {
 		return fmt.Sprintf("%s: %s", str, s.Message)
 	}
 	return str
 }
	// Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.
	package gssapi

	import (
	"context"
	"fmt"

	"github.com/jcmturner/gofork/encoding/asn1"
	)

	// GSS-API OID names
	const (
	// GSS-API OID names
	OIDKRB5 OIDName = "KRB5" // MechType OID for Kerberos 5
	OIDMSLegacyKRB5 OIDName = "MSLegacyKRB5" // MechType OID for Kerberos 5
	OIDSPNEGO OIDName = "SPNEGO"
	)

	// GSS-API status values
	const (
	StatusBadBindings = 1 << iota
	StatusBadMech
	StatusBadName
	StatusBadNameType
	StatusBadStatus
	StatusBadSig
	StatusBadMIC
	StatusContextExpired
	StatusCredentialsExpired
	StatusDefectiveCredential
	StatusDefectiveToken
	StatusFailure
	StatusNoContext
	StatusNoCred
	StatusBadQOP
	StatusUnauthorized
	StatusUnavailable
	StatusDuplicateElement
	StatusNameNotMN
	StatusComplete
	StatusContinueNeeded
	StatusDuplicateToken
	StatusOldToken
	StatusUnseqToken
	StatusGapToken
	)

	// ContextToken is an interface for a GSS-API context token.
	type ContextToken interface {
	Marshal() ([]byte, error)
	Unmarshal(b []byte) error
	Verify() (bool, Status)
	Context() context.Context
	}

	/*
	CREDENTIAL MANAGEMENT

	GSS_Acquire_cred acquire credentials for use
	GSS_Release_cred release credentials after use
	GSS_Inquire_cred display information about credentials
	GSS_Add_cred construct credentials incrementally
	GSS_Inquire_cred_by_mech display per-mechanism credential information

	CONTEXT-LEVEL CALLS

	GSS_Init_sec_context initiate outbound security context
	GSS_Accept_sec_context accept inbound security context
	GSS_Delete_sec_context flush context when no longer needed
	GSS_Process_context_token process received control token on context
	GSS_Context_time indicate validity time remaining on context
	GSS_Inquire_context display information about context
	GSS_Wrap_size_limit determine GSS_Wrap token size limit
	GSS_Export_sec_context transfer context to other process
	GSS_Import_sec_context import transferred context

	PER-MESSAGE CALLS

	GSS_GetMIC apply integrity check, receive as token separate from message
	GSS_VerifyMIC validate integrity check token along with message
	GSS_Wrap sign, optionally encrypt, encapsulate
	GSS_Unwrap decapsulate, decrypt if needed, validate integrity check

	SUPPORT CALLS

	GSS_Display_status translate status codes to printable form
	GSS_Indicate_mechs indicate mech_types supported on local system
	GSS_Compare_name compare two names for equality
	GSS_Display_name translate name to printable form
	GSS_Import_name convert printable name to normalized form
	GSS_Release_name free storage of normalized-form name
	GSS_Release_buffer free storage of general GSS-allocated object
	GSS_Release_OID_set free storage of OID set object
	GSS_Create_empty_OID_set create empty OID set
	GSS_Add_OID_set_member add member to OID set
	GSS_Test_OID_set_member test if OID is member of OID set
	GSS_Inquire_names_for_mech indicate name types supported by mechanism
	GSS_Inquire_mechs_for_name indicates mechanisms supporting name type
	GSS_Canonicalize_name translate name to per-mechanism form
	GSS_Export_name externalize per-mechanism name
	GSS_Duplicate_name duplicate name object
	*/

	// Mechanism is the GSS-API interface for authentication mechanisms.
	type Mechanism interface {
	OID() asn1.ObjectIdentifier
	AcquireCred() error // acquire credentials for use (eg. AS exchange for KRB5)
	InitSecContext() (ContextToken, error) // initiate outbound security context (eg TGS exchange builds AP_REQ to go into ContextToken to send to service)
	AcceptSecContext(ct ContextToken) (bool, context.Context, Status) // service verifies the token server side to establish a context
	MIC() MICToken // apply integrity check, receive as token separate from message
	VerifyMIC(mt MICToken) (bool, error) // validate integrity check token along with message
	Wrap(msg []byte) WrapToken // sign, optionally encrypt, encapsulate
	Unwrap(wt WrapToken) []byte // decapsulate, decrypt if needed, validate integrity check
	}

	// OIDName is the type for defined GSS-API OIDs.
	type OIDName string

	// OID returns the OID for the provided OID name.
	func OID(o OIDName) asn1.ObjectIdentifier {
	switch o {
	case OIDSPNEGO:
	return asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}
	case OIDKRB5:
	return asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
	case OIDMSLegacyKRB5:
	return asn1.ObjectIdentifier{1, 2, 840, 48018, 1, 2, 2}
	}
	return asn1.ObjectIdentifier{}
	}

	// Status is the GSS-API status and implements the error interface.
	type Status struct {
	Code int
	Message string
	}

	// Error returns the Status description.
	func (s Status) Error() string {
	var str string
	switch s.Code {
	case StatusBadBindings:
	str = "channel binding mismatch"
	case StatusBadMech:
	str = "unsupported mechanism requested"
	case StatusBadName:
	str = "invalid name provided"
	case StatusBadNameType:
	str = "name of unsupported type provided"
	case StatusBadStatus:
	str = "invalid input status selector"
	case StatusBadSig:
	str = "token had invalid integrity check"
	case StatusBadMIC:
	str = "preferred alias for GSS_S_BAD_SIG"
	case StatusContextExpired:
	str = "specified security context expired"
	case StatusCredentialsExpired:
	str = "expired credentials detected"
	case StatusDefectiveCredential:
	str = "defective credential detected"
	case StatusDefectiveToken:
	str = "defective token detected"
	case StatusFailure:
	str = "failure, unspecified at GSS-API level"
	case StatusNoContext:
	str = "no valid security context specified"
	case StatusNoCred:
	str = "no valid credentials provided"
	case StatusBadQOP:
	str = "unsupported QOP valu"
	case StatusUnauthorized:
	str = "operation unauthorized"
	case StatusUnavailable:
	str = "operation unavailable"
	case StatusDuplicateElement:
	str = "duplicate credential element requested"
	case StatusNameNotMN:
	str = "name contains multi-mechanism elements"
	case StatusComplete:
	str = "normal completion"
	case StatusContinueNeeded:
	str = "continuation call to routine required"
	case StatusDuplicateToken:
	str = "duplicate per-message token detected"
	case StatusOldToken:
	str = "timed-out per-message token detected"
	case StatusUnseqToken:
	str = "reordered (early) per-message token detected"
	case StatusGapToken:
	str = "skipped predecessor token(s) detected"
	default:
	str = "unknown GSS-API error status"
	}
	if s.Message != "" {
	return fmt.Sprintf("%s: %s", str, s.Message)
	}
	return str
	}