xref: /illumos-gate/usr/src/man/man3gss/gss_acquire_cred.3gss (revision b7daf79982d77b491ef9662483cd4549e0e5da9a) 
 te
 Copyright (C) 2003, Sun Microsystems, Inc. All Rights Reserved
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 GSS_ACQUIRE_CRED 3GSS "Jan 14, 2003"
 NAME
gss_acquire_cred - acquire a handle for a pre-existing credential by name

 SYNOPSIS


cc [ flag... ] file... -lgss [ library... ]
#include <gssapi/gssapi.h>

OM_uint32 gss_acquire_cred(OM_uint32 *minor_status,
 const gss_name_t *desired_name, OM_uint32 time_req,
 const gss_OID_set desired_mech, gss_cred_usage_t cred_usage,
 gss_cred_id_t * output_cred_handle, gss_OID_set *actual_mechs,
 OM_uint32 *time_rec);




 DESCRIPTION

The gss_acquire_cred() function allows an application to acquire a handle
for a pre-existing credential by name. This routine is not intended as a
function to login to the network; a function for login to the network would
involve creating new credentials rather than merely acquiring a handle to
existing credentials.


If desired_name is GSS_C_NO_NAME, the call is interpreted as a
request for a credential handle that will invoke default behavior when passed
to gss_init_sec_context(3GSS) (if cred_usage is
GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context(3GSS)
(if cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).


Normally gss_acquire_cred() returns a credential that is valid only for
the mechanisms requested by the desired_mechs argument. However, if
multiple mechanisms can share a single credential element, the function returns
all the mechanisms for which the credential is valid in the actual_mechs
argument.


gss_acquire_cred() is intended to be used primarily by context
acceptors, since the GSS-API routines obtain initiator credentials
through the system login process. Accordingly, you may not acquire
GSS_C_INITIATE or GSS_C_BOTH credentials by means of
gss_acquire_cred() for any name other than GSS_C_NO_NAME.
Alternatively, you may acquire GSS_C_INITIATE or GSS_C_BOTH
credentials for a name produced when gss_inquire_cred(3GSS) is applied to
a valid credential, or when gss_inquire_context(3GSS) is applied to an
active context.


If credential acquisition is time-consuming for a mechanism, the mechanism may
choose to delay the actual acquisition until the credential is required, for
example, by gss_init_sec_context(3GSS) or by
gss_accept_sec_context(3GSS). Such mechanism-specific implementations
are, however, invisible to the calling application; thus a call of
gss_inquire_cred(3GSS) immediately following the call of
gss_acquire_cred() will return valid credential data and incur the
overhead of a deferred credential acquisition.

 PARAMETERS

The parameter descriptions for gss_acquire_cred() follow:
desired_name


The name of the principal for which a credential should be acquired.



time_req


The number of seconds that credentials remain valid. Specify
GSS_C_INDEFINITE to request that the credentials have the maximum
permitted lifetime



desired_mechs


The set of underlying security mechanisms that may be used.
GSS_C_NO_OID_SET may be used to obtain a default.



cred_usage


A flag that indicates how this credential should be used. If the flag is
GSS_C_ACCEPT, then credentials will be used only to accept security
credentials. GSS_C_INITIATE indicates that credentials will be used only
to initiate security credentials. If the flag is GSS_C_BOTH, then
credentials may be used either to initiate or accept security contexts.



output_cred_handle


The returned credential handle. Resources associated with this credential
handle must be released by the application after use with a call to
gss_release_cred(3GSS)



actual_mechs


The set of mechanisms for which the credential is valid. Storage associated
with the returned OID-set must be released by the application after use
with a call to gss_release_oid_set(3GSS). Specify NULL if not
required.



time_rec


Actual number of seconds for which the returned credentials will remain valid.
Specify NULL if not required.



minor_status


Mechanism specific status code.




 ERRORS

gss_acquire_cred() may return the following status code:
GSS_S_COMPLETE


 Successful completion.



GSS_S_BAD_MECH


An unavailable mechanism has been requested.



GSS_S_BAD_NAMETYPE


The type contained within the desired_name parameter is not supported.



GSS_S_BAD_NAME


The value supplied for desired_name parameter is ill formed.



GSS_S_CREDENTIALS_EXPIRED


The credentials could not be acquired because they have expired.



GSS_S_NO_CRED


No credentials were found for the specified name.



GSS_S_FAILURE


The underlying mechanism detected an error for which no specific GSS
status code is defined. The mechanism-specific status code reported by means
of the minor_status parameter details the error condition.




 ATTRIBUTES

See attributes(5) for descriptions of the following attributes:






ATTRIBUTE TYPE ATTRIBUTE VALUE
MT-Level Safe



 SEE ALSO

gss_accept_sec_context(3GSS), gss_init_sec_context(3GSS),
gss_inquire_context(3GSS), gss_inquire_cred(3GSS),
gss_release_cred(3GSS), gss_release_oid_set(3GSS),
attributes(5)


Solaris Security for Developers Guide