Source code for gssapi.raw.ext_ggf

"""
GGF Extensions

GGF provides extended credential and security context inquiry that allows an
application to retrieve more information about the client's credentials and
security context. One common use case is to use
:meth:`inquire_sec_context_by_oid` to retrieve the "session" key that is
required by the SMB protocol for signing and encrypting a message.

Draft IETF document for these extensions can be found at
https://tools.ietf.org/html/draft-engert-ggf-gss-extensions-00
"""
import typing as t

if t.TYPE_CHECKING:
    from gssapi.raw.creds import Creds
    from gssapi.raw.oids import OID
    from gssapi.raw.sec_contexts import SecurityContext


def inquire_cred_by_oid(
    cred_handle: "Creds",
    desired_aspect: "OID",
) -> t.List[bytes]:
    """Query a credentials object for the data identified by an OID.

    Inspects a :class:`~gssapi.raw.creds.Creds` object and returns the
    information that belongs to the requested aspect of it.

    The result may be an empty list, so check its length before indexing
    into it. What each buffer holds depends on the OID that was asked for.

    Args:
        cred_handle (Creds): the credentials to query
        desired_aspect (~gssapi.raw.oids.OID): the OID naming the aspect
            of the credentials to inquire about

    Returns:
        list: zero or more pieces of data, each one a bytes object

    Raises:
        ~gssapi.exceptions.GSSError
    """
def inquire_sec_context_by_oid(
    context: "SecurityContext",
    desired_aspect: "OID",
) -> t.List[bytes]:
    """Query a security context for the data identified by an OID.

    Inspects a :class:`~gssapi.raw.sec_contexts.SecurityContext` object and
    returns the information that belongs to the requested aspect of it.

    With the GSS_KRB5_INQ_SSPI_SESSION_KEY_OID OID this returns the key from
    which the SMB/SAMBA signing and encryption keys are derived.

    Note:
        When the requested aspect is a session key, the returned bytes are
        secret key material for that context. Keep them out of logs, error
        messages and persistent storage, and hold on to them no longer than
        the key derivation needs.

        The result may be an empty list, so check its length before
        indexing into it.

    Args:
        context (~gssapi.raw.sec_contexts.SecurityContext): the security
            context to query
        desired_aspect (~gssapi.raw.oids.OID): the OID naming the aspect of
            the security context to inquire about

    Returns:
        list: zero or more pieces of data, each one a bytes object

    Raises:
        ~gssapi.exceptions.GSSError
    """
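def set_sec_context_option(
    desired_aspect: "OID",
    context: t.Optional["SecurityContext"],
    value: t.Optional[bytes] = None,
) -> "SecurityContext":
    """Set a value for a specific OID on a security context.

    Sets an option on a :class:`~gssapi.raw.sec_contexts.SecurityContext`
    object. Which OIDs are accepted, and what value each one expects,
    depends on the mechanism behind the SecurityContext.

    One example is resetting the NTLM crypto engine used in gss-ntlmssp.
    The OID that controls this is '1.3.6.1.4.1.7165.655.1.3'. It takes a
    byte value that represents an int32, where 1 resets the verifier handle
    and any other int resets the sender handle.

    Note:
        NOTE(review): the byte order of that int32 is not stated here;
        confirm it against gss-ntlmssp before building the value.

        An option changes mechanism-internal state of the context, so pass
        only OIDs and values that the mechanism in use documents.

    Args:
        desired_aspect (~gssapi.raw.oids.OID): the desired aspect of the
            Security Context to set the value for.
        context (~gssapi.raw.sec_contexts.SecurityContext): the Security
            Context to set, or None to create a new context.
        value (bytes): the value to set on the desired aspect of the
            Security Context or None to send GSS_C_EMPTY_BUFFER.

    Returns:
        ~gssapi.raw.sec_contexts.SecurityContext: The output security
        context.

    Raises:
        ~gssapi.exceptions.GSSError
    """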