Accepts a GSS Security Context
(Server) This method accepts a GSSAPI security context based on the given parameters, including the token that the client obtained from initSecContext() and sent to the server.
Parameters: |
|
---|---|
Returns: | a tuple containing the (potentially modified) context, the authenticated name of the context initiator, the mechanism type used, the output token (to send to the client), the flags in use, the TTL for the context, and the delegated credential handle (or None if RequirementFlags.delegate_to_peer is not present in the flags) (i.e. (context, name, MechType, bytes, [RequirementFlag], int, delegated_cred, continue_needed)) |
Raises GSSError: | |
Acquires GSSAPI Credentials
This method acquires credentials for the given name (imported with importName()) for the desired mechanisms, with permissions to either initiate security contexts, accept them, or both.
Parameters: |
|
---|---|
Returns: | a tuple containing the actual credentials, the mechanisms for which these credentials are valid, and the actual TTL (which may be 0) (i.e. (creds, [MechType], ttl)) |
Canonicalizes a GSSAPI Name into a Mechanism Name
This method turns any GSSAPI name into a “mechanism name”, i.e. a name that would be returned as the initiator principal from acceptSecContext.
Warning
Unlike other methods, a mechanism type must be explicitly provided here; no default is available for this method.
Parameters: |
|
---|---|
Returns: | a canonicalized name |
Return type: | PyCapsule |
Raises GSSError: | |
Compares Two GSSAPI Names
This method compares two GSSAPI names to see if they are equal.
Parameters: |
|
---|---|
Returns: | whether or not the two names are equal |
Return type: | bool |
Releases a security context
This method releases a security context, potentially providing an output buffer as the result.
Parameters: |
|
---|---|
Return type: | bytes or None |
Returns: | an output token, if requested (otherwise None) |
Converts a GSSAPI Name into a String
This function is essentially the opposite of importName(): it takes a GSSAPI name and converts it back into a string and name type.
Parameters: | name – a GSSAPI name capsule |
---|---|
Returns: | a tuple containing the string-version of the name and its name type |
Return type: | (bytes, gssapi.base.types.NameType) |
Raises GSSError: | |
Duplicates a GSSAPI Name
This method duplicates an existing GSSAPI name. Releasing the old name will not release the new name, etc.
Parameters: | name – the name to duplicate |
---|---|
Returns: | a new name identical to the old name |
Return type: | PyCapsule |
Raises GSSError: | |
Exports a GSSAPI Mechanism Name
This method “produces a canonical contiguous string representation of a mechanism name, suitable for direct comparison for use in authorization functions”. The input name must be a valid GSSAPI mechanism name, as generated by acceptSecContext or canonicalizeName.
Note
A mechanism name does not, in fact, refer to the name of a mechanism. Instead, it refers to a canonicalized name, such as the initiator name returned by acceptSecContext.
Parameters: | name – a valid GSSAPI mechanism name |
---|---|
Returns: | a string version of the mechanism name |
Return type: | bytes |
Raises GSSError: | |
Generates a MIC for a Message
This method generates a cryptographic message integrity code for the supplied message. The QoP can be changed to vary the algorithm used. The output is a token that can be transferred to a peer application.
Parameters: |
|
---|---|
Returns: | the MIC encoded into a token |
Return type: | bytes |
Raises GSSError: | |
Converts a value from the MechType enum into a gss_OID
This method converts a value from the MechType enum into a gss_OID, which can be used in GSSAPI methods such as initSecContext
Parameters: | mech_type (MechType) – the mechanism type |
---|---|
Returns: | a gss_OID capsule representing the selected mechanism type |
Gets a GSSAPI Name
This method converts a string name and type into a ‘name’ string usable in future calls to GSSAPI.
NOTE: This name needs to be released when it is no longer needed.
Parameters: |
|
---|---|
Return type: | bytes |
Returns: | the GSSAPI name string for use in other GSSAPI methods |
Raises GSSError: | |
Gets the Currently Supported GSS Mechanisms
This method gets a list of the GSS mechanisms supported by the current GSSAPI implementation
Returns: | the supported mechanisms |
---|---|
Return type: | [gssapi.base.types.MechType] |
Raises GSSError: | |
Initializes a GSS Security Context
(Client) This method initializes a GSSAPI security context with the given parameters. The default flags for the flags field are MUTUAL and SEQUENCE.
Parameters: |
|
---|---|
Returns: | a tuple containing the (potentially modified) context, the actual mechanism type used, the output token, the actual flags provided, the actual TTL for this context, and whether or not a continue is needed (i.e. (context, MechType, [RequirementFlag], bytes, TTL, continue_needed)) |
Raises GSSError: | |
Releases GSSAPI credentials
This method releases GSSAPI credentials that were allocated with acquireCred
Parameters: | cred_obj – the name credentials object to be released |
---|---|
Returns: | None |
Releases a GSSAPI Name
This method releases a GSSAPI name that was allocated with importName
Parameters: | name_obj – the name object to be released |
---|---|
Returns: | None |
Unwraps a wrapped message
This method unwraps a message that was previously wrapped by the other party
Parameters: |
|
---|---|
Return type: | (bytes, bool, int) |
Returns: | a tuple containing the decrypted message, whether confidentiality was used, and the QoP used |
Raises GSSError: | |
Verifies a Message’s MIC
This method verifies that the message matches the given message integrity code (token).
Note
This method does not throw an error on GSS_S_DUPLICATE_TOKEN, which simply indicates that the token was valid and contained the correct MIC for the message, but had already been processed. Instead, it simply returns that the MIC was valid, since this is not really an error.
Parameters: |
|
---|---|
Returns: | this depends on the value of return_bool. If False, the QoP used to generate the MIC is returned if the verification is successful, and an error is raised otherwise. If True, a tuple is returned containing whether or not the MIC was valid, the QoP used, the major result code, and the minor result code (which can be interpreted with gssapi.base.status_utils.displayStatus()) |
Return type: | int or (bool, int, int, int) |
Raises GSSError: | if there is an error and return_bool is set to False |
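Because a duplicate token is reported as a valid MIC, a receiver that cares about replays has to inspect the major result code from the return_bool=True tuple itself. The following is an added example, not part of the library or its documentation; it decodes that code using the status-bit layout of RFC 2744, and the names decode_major, decide and SAMPLES are hypothetical.

```python
# Added example: interpret the (valid, qop, major, minor) tuple documented
# above for return_bool=True. Bit layout and constants follow RFC 2744.
from typing import NamedTuple

CALLING_ERROR_SHIFT = 24      # GSS_C_CALLING_ERROR_OFFSET
ROUTINE_ERROR_SHIFT = 16      # GSS_C_ROUTINE_ERROR_OFFSET
FIELD_MASK = 0xFF             # calling/routine error fields are 8 bits wide
SUPPLEMENTARY_MASK = 0xFFFF   # low 16 bits carry supplementary information
SUPPLEMENTARY_BITS = {
    0x01: "GSS_S_CONTINUE_NEEDED",
    0x02: "GSS_S_DUPLICATE_TOKEN",
    0x04: "GSS_S_OLD_TOKEN",
    0x08: "GSS_S_UNSEQ_TOKEN",
    0x10: "GSS_S_GAP_TOKEN",
}
# Assumption: a replay-sensitive receiver refuses these two conditions.
REPLAY_INDICATORS = {"GSS_S_DUPLICATE_TOKEN", "GSS_S_OLD_TOKEN"}

class MicDecision(NamedTuple):
    accept: bool
    reason: str
    supplementary: tuple

def decode_major(major):
    """Split a major status into (calling error, routine error, flag names)."""
    calling = (major >> CALLING_ERROR_SHIFT) & FIELD_MASK
    routine = (major >> ROUTINE_ERROR_SHIFT) & FIELD_MASK
    info = major & SUPPLEMENTARY_MASK
    names = tuple(n for bit, n in sorted(SUPPLEMENTARY_BITS.items()) if info & bit)
    return calling, routine, names

def decide(verify_result, reject_replays=True):
    """Turn the 4-tuple into an accept/reject decision for the message."""
    valid, _qop, major, _minor = verify_result
    calling, routine, names = decode_major(major)
    if not valid or calling or routine:
        return MicDecision(False, "MIC invalid (routine error %d)" % routine, names)
    if reject_replays and REPLAY_INDICATORS.intersection(names):
        return MicDecision(False, "valid MIC on a replayed token", names)
    return MicDecision(True, "ok", names)

# Constructed sample tuples, not captured from a real security context.
SAMPLES = {
    "fresh": (True, 0, 0x00000000, 0),
    "replayed": (True, 0, 0x00000002, 0),                 # duplicate-token bit set
    "bad_mic": (False, 0, 6 << ROUTINE_ERROR_SHIFT, 0),   # GSS_S_BAD_SIG is 6
}
```

With return_bool set to False only the QoP comes back, so the duplicate-token condition is not visible to the caller in that mode.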
Wraps a message
This method wraps a message with a MIC and potentially encrypts the message using the requested QoP.
Parameters: |
|
---|---|
Return type: | (bytes, bool) |
Returns: | a tuple containing the output message and whether confidentiality was used |
Raises GSSError: | |
Calculates the Max Message Size
This method calculates the maximum size that a message can be in order to have the wrapped message fit within the given size.
Parameters: | |
---|---|
Returns: | the max unwrapped message size |
Return type: | int |
Convert a GSSAPI status code into a human-readable string
Converts the given general GSSAPI (major) status code or mechanism-specific (minor) status code into a human-readable string. This method may need to be called multiple times, which is what the message_context parameter is for.
Parameters: |
|
---|---|
Return type: | (str, int, bool) |
Returns: | a tuple containing the result message, the message context for any further calls, and whether or not further calls can be made |
Bases: exceptions.Exception
GSSAPI Error
This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes.
Retrieves all messages for this error’s status codes
This method retrieves all messages for this error’s status codes, and forms them into a string for use as an exception message
Return type: | str |
---|---|
Returns: | a string for use as this error’s message |
Bases: flufl.enum._enum.IntEnum
GSSAPI Mechanism Types
This IntEnum represents explicit GSSAPI mechanism types (to be used with initSecContext).
Note that the integers behind these enum members do not correspond to any numbers in the GSSAPI C bindings, and are subject to change at any point.
Bases: flufl.enum._enum.IntEnum
GSSAPI Name Types
This IntEnum represents GSSAPI name types (to be used with importName, etc)
Note that the integers behind these enum members do not correspond to any numbers in the GSSAPI C bindings, and are subject to change at any point.
Bases: flufl.enum._enum.IntEnum
GSSAPI Requirement Flags
This IntEnum represents flags to be used in the service flags parameter of initSecContext.
The numbers behind the values correspond directly to their C counterparts.