gss_acquire_credGeneric Security Services API Library Fugss_acquire_cred(3GSS)NAMEgss_acquire_cred - acquire a handle for a pre-existing credential by
name
SYNOPSIS
cc -flag ... file ...-lgss [library ...]
#include <gssapi/gssapi.h>
OM_uint32 gss_acquire_cred(OM_uint32 *minor_status, const gss_name_t
*desired_name, OM_uint32 time_req, const gss_OID_set desired_mech,
gss_cred_usage_t cred_usage, gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs, OM_uint32 *time_rec);
DESCRIPTION
The gss_acquire_cred() function allows an application to acquire a han‐
dle for a pre-existing credential by name. This routine is not intended
as a function to login to the network; a function for login to the net‐
work would involve creating new credentials rather than merely acquir‐
ing a handle to existing credentials.
If desired_name is GSS_C_NO_NAME, the call is interpreted as a request
for a credential handle that will invoke default behavior when passed
to gss_init_sec_context(3GSS) (if cred_usage is GSS_C_INITIATE or
GSS_C_BOTH) or gss_accept_sec_context(3GSS) (if cred_usage is
GSS_C_ACCEPT or GSS_C_BOTH).
Normally gss_acquire_cred() returns a credential that is valid only for
the mechanisms requested by the desired_mechs argument. However, if
multiple mechanisms can share a single credential element, the function
returns all the mechanisms for which the credential is valid in the
actual_mechs argument.
gss_acquire_cred() is intended to be used primarily by context accep‐
tors, since the GSS-API routines obtain initiator credentials through
the system login process. Accordingly, you may not acquire GSS_C_INITI‐
ATE or GSS_C_BOTH credentials by means of gss_acquire_cred() for any
name other than GSS_C_NO_NAME. Alternatively, you may acquire
GSS_C_INITIATE or GSS_C_BOTH credentials for a name produced when
gss_inquire_cred(3GSS) is applied to a valid credential, or when
gss_inquire_context(3GSS) is applied to an active context.
If credential acquisition is time-consuming for a mechanism, the mecha‐
nism may choose to delay the actual acquisition until the credential is
required, for example, by gss_init_sec_context(3GSS) or by
gss_accept_sec_context(3GSS). Such mechanism-specific implementations
are, however, invisible to the calling application; thus a call of
gss_inquire_cred(3GSS) immediately following the call of
gss_acquire_cred() will return valid credential data and incur the
overhead of a deferred credential acquisition.
PARAMETERS
The parameter descriptions for gss_acquire_cred() follow:
desired_name The name of the principal for which a creden‐
tial should be acquired.
time_req The number of seconds that credentials remain
valid. Specify GSS_C_INDEFINITE to request
that the credentials have the maximum permitted
lifetime
desired_mechs The set of underlying security mechanisms that
may be used. GSS_C_NO_OID_SET may be used to
obtain a default.
cred_usage A flag that indicates how this credential
should be used. If the flag is GSS_C_ACCEPT,
then credentials will be used only to accept
security credentials. GSS_C_INITIATE indicates
that credentials will be used only to initiate
security credentials. If the flag is
GSS_C_BOTH, then credentials may be used either
to initiate or accept security contexts.
output_cred_handle The returned credential handle. Resources
associated with this credential handle must be
released by the application after use with a
call to gss_release_cred(3GSS)
actual_mechs The set of mechanisms for which the credential
is valid. Storage associated with the returned
OID-set must be released by the application
after use with a call to
gss_release_oid_set(3GSS). Specify NULL if not
required.
time_rec Actual number of seconds for which the returned
credentials will remain valid. Specify NULL if
not required.
minor_status Mechanism specific status code.
ERRORSgss_acquire_cred() may return the following status code:
GSS_S_COMPLETE Successful completion.
GSS_S_BAD_MECH An unavailable mechanism has been
requested.
GSS_S_BAD_NAMETYPE The type contained within the
desired_name parameter is not sup‐
ported.
GSS_S_BAD_NAME The value supplied for desired_name
parameter is ill formed.
GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired
because they have expired.
GSS_S_NO_CRED No credentials were found for the spec‐
ified name.
GSS_S_FAILURE The underlying mechanism detected an
error for which no specific GSS status
code is defined. The mechanism-spe‐
cific status code reported by means of
the minor_status parameter details the
error condition.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWgss (32-bit) │
├─────────────────────────────┼─────────────────────────────┤
│ │SUNWgssx (64-bit) │
├─────────────────────────────┼─────────────────────────────┤
│MT-Level │Safe │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOgss_accept_sec_context(3GSS), gss_init_sec_context(3GSS),
gss_inquire_context(3GSS), gss_inquire_cred(3GSS),
gss_release_cred(3GSS), gss_release_oid_set(3GSS), attributes(5)
Solaris Security for Developers Guide
SunOS 5.10 14 Jan 2003 gss_acquire_cred(3GSS)
