Additional extensions

Author: jake-desco

v3/cred.go

@@ -100,3 +100,37 @@ type Credential interface {
 	//   - err: error if one occurred, otherwise nil
 	InquireByMech(mech GssMech) (info *CredInfo, err error) // RFC 2743 § 2.1.5
 }
+
+// CredentialExtRFC4178  extends the Credential interface to support the APIs defined in RFC 4178: GSSAPI Negotiation mechanism.
+type CredentialExtRFC4178 interface {
+	Credential
+	SetNegotiationMechs([]GssMech) error     // RFC 4178 § B.1
+	GetNegotiationMechs() ([]GssMech, error) // RFC 4178 § B.2
+}
+
+// CredentialExtRFC5588 extends the Credential interface to support the APIs defined in RFC 5588: GSSAPI Negotiation mechanismStoring delegated credentials.
+type CredentialExtRFC5588 interface {
+	Credential
+	StoreCredential(usage CredUsage, mech GssMech, overwrite bool, makeDefault bool) ([]GssMech, CredUsage, error) // RFC 5588 § B.1
+}
+
+// CredentialExtGGF extends the Credential interface to support the APIs defined in GFD.24: GGF extensions.
+type CredentialExtGGF interface {
+	Credential
+	Export() ([]byte, error)                         // GFD.24 § 2.1.1
+	InquireByOid(oid Oid) (data [][]byte, err error) // GFD.24 § 2.3.2
+
+}
+
+// CredentialExtS4U extends the Credential interface to support the APIs defined in S4U extensions.
+type CredentialExtS4U interface {
+	Credential
+	AquireImpersonateName(name GssName, mechs []GssMech, usage CredUsage, lifetime time.Duration) (Credential, error)
+	AddImpersonateName(impersonateCred Credential, name GssName, mech GssMech, usage CredUsage, initiatorLifetime time.Duration, acceptorLifetime time.Duration) (Credential, error)
+}
+
+// Acquire credentials with password extension
+type CredentialExtCredPassword interface {
+	Credential
+	AddWithPassword(name GssName, password string, mech GssMech, usage CredUsage, initiatorLifetime time.Duration, acceptorLifetime time.Duration) (Credential, error)
+}

v3/extensions.go

@@ -13,12 +13,24 @@ const (
 	// HasExtChannelBindingSignalling indicates support for channel binding signalling extensions
 	//  (https://datatracker.ietf.org/doc/html/draft-williams-kitten-channel-bound-flag-02)
 	HasExtChannelBindingSignalling GssapiExtension = iota
-	// HasExtInquireSecContextByOid indicates support for context inquiry by OID (GDF: https://ogf.org/documents/GFD.24.pdf)
-	HasExtInquireSecContextByOid
 	// HasExtLocalname indicates support for local name mapping extensions (Solaris-style)
 	HasExtLocalname
+	// HasExtRFC4178 indicates support for the credential APIs defined in RFC 4178: GSSAPI Negotiation mechamisn
+	HasExtRFC4178
+	// HasExtRFC5588 indicates support for the credential APIs defined in RFC 5588: Storing delegated credentials
+	HasExtRFC5588
 	// HasExtRFC6680 indicates support for RFC 6680 naming extensions (composite names and attributes)
 	HasExtRFC6680
 	// HasExtRFC5587 indicates support for RFC 5587 mechanism inquiry extensions (mechanism attributes)
 	HasExtRFC5587
+	// HasExtRFC5801 indicates support for RFC 5801 Mechanisms in SASL Negotiation
+	HasExtRFC5801
+	// HasExtRFC4121 indicates support for RFC 4121: AEAD modes for Kerberos GSSAPI
+	HasExtRFC4121
+	// HasExtGGF indicates support for GGF extensions (GDF: https://ogf.org/documents/GFD.24.pdf)
+	HasExtGGF
+	// HasS4U indicates support for Service4user constrained delegation extensions
+	HasS4U
+	// HasExtCredPassword indicates support for acquiring credentials using passwords
+	HasExtCredPassword
 )

v3/provider.go

@@ -262,3 +262,33 @@ type ProviderExtRFC5587 interface {
 	// The three parameters represent desired attributes, except attributes, and critical attributes respectively.
 	IndicateMechsByAttrs([]GssMechAttr, []GssMechAttr, []GssMechAttr) ([]GssMech, error) // RFC 5587 § 3.4.2
 }
+
+// ProviderExtRFC5801 extends the Provider interface with RFC 5801 mechanism functionality.
+// Providers implementing this interface can be used by GS2 SASL mechanisms.  Support
+// for RFC 5801 can be determined with a call to `HasExtension(HasExtRFC5801)`.
+type ProviderExtRFC5801 interface {
+	Provider
+	// InquireSASLNameForMech identified the GSSAPI mechanism to which a SASL mechanism refers
+	// See RFC 5801 § 10
+	InquireSASLNameForMech(m GssMech) (SASLMechInfo, error)
+	// InquireMechForSASLName identifies the SASL mechanism to which a GSSAPI mechanism refers
+	// See RFC 5801 § 11
+	InquireMechForSASLName(saslName string) (GssMech, error)
+}
+
+type SASLMechInfo struct {
+	SASLName        string
+	MechName        string
+	MechDescription string
+}
+
+type ProviderExtGGF interface {
+	Provider
+	ImportCredential(b []byte) (Credential, error) // GFD.24 § 2.1.2
+}
+
+// Acquire credentials with password extension
+type ProviderExtCredPassword interface {
+	Provider
+	AcquireCredentialWithPassword(name GssName, password string, lifetime time.Duration, mechs []GssMech, usage CredUsage) (Credential, error)
+}

v3/seccontext.go

@@ -182,3 +182,15 @@ type SecContext interface {
 	//   - err: Error if one occurred, otherwise nil
 	Continue([]byte) (tokOut []byte, err error)
 }
+
+type SecContextExtGGF interface {
+	SecContext
+	InquireByOid(oid Oid) (data [][]byte, err error) // GFD.24 § 2.3.1
+	SetOption(option Oid, value []byte) error        // GFD.24 § 2.4.1
+}
+
+type SecContextExtRFC4121 interface {
+	SecContext
+	WrapAEAD([]byte, []byte, bool, QoP) (msgOut []byte, confState bool, err error) // RFC 4121 § 4.1
+	UnwrapAEAD([]byte, []byte) (msgOut []byte, confState bool, err error)          // RFC 4121 § 4.2
+}