Low-Level API

The low-level API contains a variety of Python functions that map directly to the corresponding C functions. Additionally, it contains several basic wrapper classes that wrap underlying C structs and automatically deallocate them when the Python object itself is deallocated.

Warning

All methods in both the high-level and low-level APIs may throw the generic GSSError exception.

Core RFC 2744

Names

Note

Some functions in the following section will refer to “mechanism names”. These are not names of mechanisms. Instead, they are a special form of name specific to a given mechanism.

class Name[source]

A GSSAPI Name

import_name(name: bytes, name_type: gssapi.raw.oids.OID | None = None)[source]

Convert a string and a name type into a GSSAPI name.

This method takes a string name and a name type and converts them into a GSSAPI Name.

Parameters:
  • name (Name) – the string version of the name

  • name_type (MechType) – the type of this name

Returns:

the GSSAPI version of the name

Return type:

Name

Raises:
display_name(name: Name, name_type: bool = True)[source]

Convert a GSSAPI name into its components.

This method converts a GSSAPI Name back into its text form. If name_type is True, it also attempts to retrieve the NameType of the name (otherwise the returned name type will be None).

Parameters:
  • name (Name) – the name in question

  • name_type (MechType) – whether or not to retrieve the name type

Returns:

the text part of the name and its type

Return type:

DisplayNameResult

Raises:

BadNameError

compare_name(name1: Name, name2: Name)[source]

Check two GSSAPI names to see if they are the same.

This method compares two GSSAPI names, checking to see if they are equivalent.

Parameters:
  • name1 (Name) – the first name to compare

  • name2 (Name) – the second name to compare

Returns:

whether or not the names are equal

Return type:

bool

Raises:
export_name(name: Name)[source]

Export a GSSAPI name.

This method “produces a canonical contigous string representation of a mechanism name, suitable for direct comparison for use in authorization functions”.

The input name must be a valid GSSAPI mechanism name, as generated by canonicalize_name() or accept_sec_context().

Parameters:

name (Name) – the name to export

Returns:

the exported name

Return type:

bytes

Raises:
canonicalize_name(name: Name, mech: gssapi.raw.oids.OID)[source]

Canonicalize an arbitrary GSSAPI Name into a Mechanism Name

This method turns any GSSAPI name into a “mechanism name” – a full form name specific to a mechanism.

Parameters:
  • name (Name) – the name to canonicalize

  • mech (MechType) – the mechanism type to use to canonicalize the name

Returns:

a canonicalized version of the input name

Return type:

Name

Raises:
duplicate_name(name: Name)[source]

Duplicate a GSSAPI name.

Parameters:

name (Name) – the name to duplicate

Returns:

a duplicate of the input name

Return type:

Name

Raises:

BadNameError

release_name(name: Name)[source]

Release a GSSAPI name.

This method frees a GSSAPI Name. You probably won’t have to do this.

Warning

This method is deprecated. Names are automatically freed by Python.

Parameters:

name (Name) – the name in question

Raises:

BadNameError

Credentials

class Creds[source]

GSSAPI Credentials

acquire_cred(name: gssapi.raw.names.Name | None, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'both')[source]

Get GSSAPI credentials for the given name and mechanisms.

This method gets GSSAPI credentials corresponding to the given name and mechanims. The desired TTL and usage for the the credential may also be specified.

Parameters:
  • name (Name) – the name for which to acquire the credentials (or None for the “no name” functionality)

  • lifetime (int) – the lifetime in seconds for the credentials (or None for indefinite)

  • mechs (MechType) – the desired mechanisms for which the credentials should work, or None for the default set

  • usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’

Returns:

the resulting credentials, the actual mechanisms with which they may be used, and their actual lifetime in seconds (or None for indefinite or not supported)

Return type:

AcquireCredResult

Raises:
release_cred(creds)[source]

release_cred(creds) Release GSSAPI Credentials.

This method releases GSSAPI credentials.

Warning

This method is deprecated. Credentials are automatically freed by Python.

Parameters:

creds (Creds) – the credentials in question

Raises:

MissingCredentialsError

add_cred(input_cred: Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, usage: str = 'initiate', init_lifetime: int | None = None, accept_lifetime: int | None = None, mutate_input: bool = False)[source]

Add a credential element to a credential.

This method can be used to either compose two credentials (i.e., original and new credential), or to add a new element to an existing credential.

Parameters:
  • input_cred (Creds) – the set of credentials to which to add the new credentials

  • name (Name) – name of principal to acquire a credential for

  • mech (MechType) – the desired security mechanism (required).

  • usage (str) – usage type for credentials. Possible values: ‘initiate’ (default), ‘accept’, ‘both’ (failsafe).

  • init_lifetime (int) – lifetime of credentials for use in initiating security contexts in seconds (None for indefinite)

  • accept_lifetime (int) – lifetime of credentials for use in accepting security contexts in seconds (None for indefinite)

  • mutate_input (bool) – whether to mutate the input credentials (True) or produce a new set of credentials (False). Defaults to False

Returns:

the actual mechanisms with which the credentials may be used, the actual initiator TTL, and the actual acceptor TTL (None for either indefinite or not supported). Note that the credentials may be set to None if mutate_input is set to True.

Return type:

AddCredResult

Raises:
inquire_cred(creds: Creds, name: bool = True, lifetime: bool = True, usage: bool = True, mechs: bool = True)[source]

Inspect credentials for information.

This method inspects a Creds object for information.

Parameters:
  • creds (Creds) – the credentials to inspect

  • name (bool) – get the Name associated with the credentials

  • lifetime (bool) – get the TTL for the credentials

  • usage (bool) – get the usage type of the credentials

  • mechs (bool) – the mechanims used with the credentials

Returns:

the information about the credentials, with unused fields set to None

Return type:

InquireCredResult

Raises:
inquire_cred_by_mech(creds: Creds, mech: gssapi.raw.oids.OID, name: bool = True, init_lifetime: bool = True, accept_lifetime: bool = True, usage: bool = True)[source]

Inspect credentials for mechanism-specific information.

This method inspects a Creds object for information specific to a particular mechanism. It functions similarly to inquire_cred().

Parameters:
  • creds (Creds) – the credentials to inspect

  • mech (OID) – the desired mechanism

  • name (bool) – get the Name associated with the credentials

  • init_lifetime (bool) – get the initiator TTL for the credentials (in seconds)

  • accept_lifetime (bool) – get the acceptor TTL for the credentials (in seconds)

  • usage (bool) – get the usage type of the credentials

Returns:

the information about the credentials, with unused fields set to None

Return type:

InquireCredByMechResult

Raises:

Security Contexts

class SecurityContext[source]

A GSSAPI Security Context

init_sec_context(name: gssapi.raw.names.Name, creds: gssapi.raw.creds.Creds | None = None, context: SecurityContext | None = None, mech: gssapi.raw.oids.OID | None = None, flags: int | gssapi.raw.types.RequirementFlag | Iterable[int] | Iterable[gssapi.raw.types.RequirementFlag] | None = None, lifetime: int | None = None, channel_bindings: gssapi.raw.chan_bindings.ChannelBindings | None = None, input_token: bytes | None = None)[source]

Initiate a GSSAPI security context.

This method initiates a GSSAPI security context, targeting the given target name. To create a basic context, just provide the target name. Further calls used to update the context should pass in the output context of the last call, as well as the input token received from the acceptor.

Warning

This changes the input context!

Parameters:
  • target_name (Name) – the target for the security context

  • creds (Creds) – the credentials to use to initiate the context, or None to use the default credentials

  • context (SecurityContext) – the security context to update, or None to create a new context

  • mech (MechType) – the mechanism type for this security context, or None for the default mechanism type

  • flags (list) – the flags to request for the security context, or None to use the default set: mutual_authentication and out_of_sequence_detection. This may also be an IntEnumFlagSet

  • lifetime (int) – the request lifetime of the security context in seconds (a value of 0 or None means indefinite)

  • channel_bindings (ChannelBindings) – The channel bindings (or None for no channel bindings)

  • input_token (bytes) – the token to use to update the security context, or None if you are creating a new context

Returns:

the output security context, the actual mech type, the actual flags used, the output token to send to the acceptor, the actual lifetime of the context in seconds (or None if not supported or indefinite), and whether or not more calls are needed to finish the initiation.

Return type:

InitSecContextResult

Raises:
accept_sec_context(input_token: bytes, acceptor_creds: gssapi.raw.creds.Creds | None = None, context: SecurityContext | None = None, channel_bindings: gssapi.raw.chan_bindings.ChannelBindings | None = None)[source]

Accept a GSSAPI security context.

This method accepts a GSSAPI security context using a token sent by the initiator, using the given credentials. It can either be used to accept a security context and create a new security context object, or to update an existing security context object.

Warning

This changes the input context!

Parameters:
  • input_token (bytes) – the token sent by the context initiator

  • acceptor_creds (Creds) – the credentials to be used to accept the context (or None to use the default credentials)

  • context (SecurityContext) – the security context to update (or None to create a new security context object)

  • channel_bindings (ChannelBindings) – The channel bindings (or None for no channel bindings)

Returns:

the resulting security context, the initiator name, the mechanism being used, the output token, the flags in use, the lifetime of the context in seconds (or None for indefinite or not supported), the delegated credentials (valid only if the delegate_to_peer flag is set), and whether or not further token exchanges are needed to finalize the security context.

Return type:

AcceptSecContextResult

Raises:
inquire_context(context: SecurityContext, initiator_name: bool = True, target_name: bool = True, lifetime: bool = True, mech: bool = True, flags: bool = True, locally_init: bool = True, complete: bool = True)[source]

Get information about a security context.

This method obtains information about a security context, including the initiator and target names, as well as the TTL, mech, flags, and its current state (open vs closed).

Note

the target name may be None if it would have been GSS_C_NO_NAME

Parameters:

context (SecurityContext) – the context in question

Returns:

the initiator name, the target name, the TTL (can be None for indefinite or not supported), the mech type, the flags, whether or not the context was locally initiated, and whether or not the context is currently fully established

Return type:

InquireContextResult

Raises:

MissingContextError

context_time(context: SecurityContext)[source]

Get the amount of time for which the given context will remain valid.

This method determines the amount of time for which the given security context will remain valid. An expired context will give a result of 0.

Parameters:

context (SecurityContext) – the security context in question

Returns:

the number of seconds for which the context will be valid

Return type:

int

Raises:
process_context_token(context: SecurityContext, token: bytes)[source]

Process a token asynchronously.

This method provides a way to process a token, even if the given security context is not expecting one. For example, if the initiator has the initSecContext return that the context is complete, but the acceptor is unable to accept the context, and wishes to send a token to the initiator, letting the initiator know of the error.

Warning

This method has been essentially deprecated by RFC 2744.

Parameters:
  • context (SecurityContext) – the security context against which to process the token

  • token (bytes) – the token to process

Raises:
import_sec_context(token: bytes)[source]

Import a context from another process.

This method imports a security context established in another process by reading the specified token which was output by export_sec_context().

Raises:
export_sec_context(context: SecurityContext)[source]

Export a context for use in another process.

This method exports a security context, deactivating in the current process and creating a token which can then be imported into another process with import_sec_context().

Warning: this modifies the input context

Parameters:

context (SecurityContext) – the context to send to another process

Returns:

the output token to be imported

Return type:

bytes

Raises:
delete_sec_context(context: SecurityContext, local_only: bool = True)[source]

Delete a GSSAPI security context.

This method deletes a GSSAPI security context, returning an output token to send to the other holder of the security context to notify them of the deletion.

Note

This method generally should not be used. SecurityContext objects will automatically be freed by Python.

Parameters:
  • context (SecurityContext) – the security context in question

  • local_only (bool) – should we request local deletion (True), or also remote deletion (False), in which case a token is also returned

Returns:

the output token (if remote deletion is requested). Generally

this is None, but bytes for compatibility.

Return type:

bytes

Raises:

MissingContextError

get_mic(context: gssapi.sec_contexts.SecurityContext, message: bytes, qop: int | None = None)[source]

Generate a MIC for a message.

This method generates a Message Integrity Check token for the given message. This can be separately trasmitted to the other entity, unlike wrap, which bundles the MIC and the message together.

Parameters:
  • context (SecurityContext) – the current security context

  • message (bytes) – the message for which to generate the MIC

  • qop (int) – the requested Quality of Protection (or None to use the default)

Returns:

the generated MIC token

Return type:

bytes

Raises:
verify_mic(context: gssapi.sec_contexts.SecurityContext, message: bytes, token: bytes)[source]

Verify that a MIC matches a message.

This method verifies that the given MIC matches the given message. If the MIC does not match the given message, an exception will be raised.

Parameters:
  • context (SecurityContext) – the current security context

  • message (bytes) – the message in question

  • token (bytes) – the MIC token in question

Returns:

the QoP used.

Return type:

int

Raises:
wrap_size_limit(context: gssapi.sec_contexts.SecurityContext, output_size: int, confidential: bool = True, qop: int | None = None)[source]

Calculate the max message size.

This method calculates the unwrapped/unencrypted message size for the given maximum wrapped/encrypted message size.

Parameters:
  • context (SecurityContext) – the current security context

  • output_size (int) – the maximum desired wrapped/encrypted message size

  • confidential (bool) – whether or not confidentiality is being used

  • qop (int) – the QoP that will be when you actually call wrap (or None for the default QoP)

Returns:

the maximum unencrypted/unwrapped message size

Return type:

int

Raises:
wrap(context: gssapi.sec_contexts.SecurityContext, message: bytes, confidential: bool = True, qop: int | None = None)[source]

Wrap/Encrypt a message.

This method wraps or encrypts a message (depending on the value of confidential) with the given Quality of Protection.

Parameters:
  • context (SecurityContext) – the current security context

  • message (bytes) – the message to wrap or encrypt

  • confidential (bool) – whether or not to encrypt the message (True), or just wrap it with a MIC (False)

  • qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

the wrapped/encrypted message, and whether or not

encryption was actually used

Return type:

WrapResult

Raises:
unwrap(context: gssapi.sec_contexts.SecurityContext, message: bytes)[source]

Unwrap/Decrypt a message.

This method unwraps or decrypts a message, depending on whether the sender used confidentiality.

Parameters:
  • context (SecurityContext) – the current security context

  • message (bytes) – the message to unwrap/decrypt

Returns:

the unwrapped/decrypted message, whether or on

encryption was used, and the QoP used

Return type:

UnwrapResult

Raises:

Misc

class OID[source]

A GSSAPI OID

A new OID may be created by passing the elements argument to the constructor. The elements argument should be a bytes consisting of the BER-encoded values in the OID.

To retrieve the underlying bytes, use the bytes function in Python 3.

This object is hashable, and may be compared using equality operators.

classmethod from_int_seq(integer_sequence: str | Iterable[int])[source]

Create a OID from a sequence of integers.

This method creates an OID from a sequence of integers. The sequence can either be in dotted form as a string, or in list form.

This method is not for BER-encoded byte strings, which can be passed directly to the OID constructor.

Parameters:

integer_sequence – either a list of integers or a string in dotted form

Returns:

the OID represented by the given integer sequence

Return type:

OID

Raises:

ValueError – the sequence is less than two elements long

property dotted_form[source]
class Name[source]

A GSSAPI Name

class OID[source]

A GSSAPI OID

A new OID may be created by passing the elements argument to the constructor. The elements argument should be a bytes consisting of the BER-encoded values in the OID.

To retrieve the underlying bytes, use the bytes function in Python 3.

This object is hashable, and may be compared using equality operators.

classmethod from_int_seq(integer_sequence: str | Iterable[int])[source]

Create a OID from a sequence of integers.

This method creates an OID from a sequence of integers. The sequence can either be in dotted form as a string, or in list form.

This method is not for BER-encoded byte strings, which can be passed directly to the OID constructor.

Parameters:

integer_sequence – either a list of integers or a string in dotted form

Returns:

the OID represented by the given integer sequence

Return type:

OID

Raises:

ValueError – the sequence is less than two elements long

property dotted_form
class MechType[source]

GSSAPI Mechanism Types

This enum-like object contains any mechanism OID values registered by imported mechanisms.

kerberos
indicate_mechs()[source]

Get the currently supported mechanisms.

This method retrieves the currently supported GSSAPI mechanisms. Note that if unknown mechanims are found, those will be skipped.

inquire_names_for_mech(mech)[source]

inquire_names_for_mech(mech) Get the name types supported by a mechanism.

This method retrieves the different name types supported by the given mechanism.

Parameters:

mech (OID) – the mechanism in question

Returns:

the name type OIDs supported by the given mechanism

Return type:

list

Raises:

GSSError

inquire_mechs_for_name(name)[source]

inquire_mechs_for_name(name) List the mechanisms which can process a name.

This method lists the mechanisms which may be able to process the given name.

Parameters:

name (Name) – the name in question

Returns:

The mechanism OIDs able to process the given name

Raises:

GSSError

exception GSSError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

maj_code[source]
min_code[source]
token[source]
calling_code[source]
routine_code[source]
supplementary_code[source]
get_all_statuses(code: int, is_maj: bool)[source]

Retrieve all messages for a status code.

This method retrieves all human-readable messages available for the given status code.

Parameters:
  • code – the status code in question

  • is_maj – whether this is a major status code (True) or minor status code (False)

Returns:

A list of string messages associated with the

given code

Return type:

[str]

gen_message()[source]

Retrieves all messages for this error’s status codes

This method retrieves all messages for this error’s status codes, and forms them into a string for use as an exception message

Returns:

a string for use as this error’s message

Return type:

str

class NameType[source]

GSSAPI Name Types

This enum-like object represents GSSAPI name types (to be used with import_name(), etc)

anonymous = Ellipsis[source]
export = Ellipsis[source]
hostbased_service = Ellipsis[source]
machine_uid = Ellipsis[source]
string_uid = Ellipsis[source]
user = Ellipsis[source]
composite_export = Ellipsis[source]
kerberos_principal = Ellipsis[source]
krb5_nt_principal_name = Ellipsis[source]
class RequirementFlag[source]

GSSAPI Requirement Flags

This IntEnum represents flags used with the SecurityContext-related methods (e.g. init_sec_context())

The numbers behind the values correspond directly to their C counterparts.

delegate_to_peer = 1[source]
mutual_authentication = 2[source]
replay_detection = 4[source]
out_of_sequence_detection = 8[source]
confidentiality = 16[source]
integrity = 32[source]
anonymity = 64[source]
protection_ready = 128[source]
transferable = 256[source]
channel_bound = 2048[source]
dce_style = 4096[source]
identify = 8192[source]
extended_error = 16384[source]
ok_as_delegate = 32768[source]
class AddressType[source]

GSSAPI Channel Bindings Address Types

This IntEnum represents the various address types used with the ChannelBindings structure.

The numbers behind the values correspond directly to their C counterparts. There is no value for GSS_C_AF_UNSPEC, since this is represented by None.

local = 1[source]
ip = 2[source]
arpanet = 3[source]
pup = 4[source]
chaos = 5[source]
xerox_ns = 6[source]
nbs = 7[source]
ecma = 8[source]
datakit = 9[source]
ccitt = 10[source]
ibm_sna = 11[source]
decnet = 12[source]
dli = 13[source]
lat = 14[source]
hyperchannel = 15[source]
appletalk = 16[source]
bisync = 17[source]
dss = 18[source]
osi_tp4 = 19[source]
x25 = 21[source]
null = 255[source]
class MechType[source]

GSSAPI Mechanism Types

This enum-like object contains any mechanism OID values registered by imported mechanisms.

kerberos[source]
class GenericFlagSet(flags: GenericFlagSet | numbers.Integral | int | None = None)[source]

A set backed by a 32-bit integer

This is a set backed by a 32 bit integer. the members are integers where only one bit is set.

The class supports normal set operations, as well as traditional “flag set” operations, such as bitwise AND, OR, and XOR.

MAX_VAL[source]
add(flag: int)[source]

Add an element.

discard(flag: int)[source]

Remove an element. Do not raise an exception if absent.

class IntEnumFlagSet(enum: Type[enum.IntEnum], flags: GenericFlagSet | numbers.Integral | int | None = None)[source]

A set backed by a 32-bit integer with enum members

This class is a GenericFlagSet where the returned members are values in an IntEnum.

It functions exactly like a GenericFlagSet, except that it also supports bitwise operations with the enum values.

class ChannelBindings(initiator_address_type: int | None = None, initiator_address: bytes | None = None, acceptor_address_type: int | None = None, acceptor_address: bytes | None = None, application_data: bytes | None = None)[source]

GSSAPI Channel Bindings

This class represents a set of GSSAPI channel bindings.

Parameters:
  • initiator_address_type – the initiator address type

  • initiator_address – the initiator address

  • acceptor_address_type – the acceptor address type

  • acceptor_address – the acceptor address

  • application_data – additional application-specific data

initiator_address_type[source]
initiator_address[source]
acceptor_address_type[source]
acceptor_address[source]
application_data[source]

Additional RFCs and Extensions

The following is a list of GSSAPI extensions supported by the low-level API.

Note

While all of these extensions have bindings, they may not be supported by your particularly GSSAPI implementation. In this case, they will not be compiled, and will simply not be available in the gssapi.raw namespace.

RFC 4178 (GSS-API Negotiation Mechanism)

set_neg_mechs(cred_handle: gssapi.raw.creds.Creds, mech_set: Iterable[gssapi.raw.oids.OID])[source]

Specify the set of security mechanisms that may be negotiated with the credential identified by cred_handle. If more than one mechanism is specified in mech_set, the order in which those mechanisms are specified implies a relative preference.

Parameters:
  • cred_handle (Creds) – credentials to set negotiable mechanisms for

  • mech_set (MechType) – negotiable mechanisms to be set

Returns:

None

Raises:

GSSError

RFC 5587 (GSS-API Extension for Mech Attributes)

indicate_mechs_by_attrs(desired_mech_attrs: Iterable[gssapi.raw.oids.OID] | None = None, except_mech_attrs: Iterable[gssapi.raw.oids.OID] | None = None, critical_mech_attrs: Iterable[gssapi.raw.oids.OID] | None = None)[source]

Get a set of mechanisms that have the specified attributes.

Parameters:
  • desired_mech_attrs (OID) – Attributes that the output mechs MUST offer

  • except_mech_attrs (OID) – Attributes that the output mechs MUST NOT offer

  • critical_mech_attrs (OID) – Attributes that the output mechs MUST understand and offer

Returns:

a set of mechs which satisfy the given criteria

Return type:

MechType

Raises:

GSSError

inquire_attrs_for_mech(mech: gssapi.raw.oids.OID)[source]

Gets the set of attrs supported and known by a mechanism.

Parameters:

mech (MechType) – Mechanism to inquire about

Returns:

the results of inquiry; a mech’s attributes and known attributes

Return type:

InquireAttrsResult

Raises:

GSSError

display_mech_attr(attr: gssapi.raw.oids.OID)[source]

Returns information about attributes in human readable form.

Parameters:

attr (OID) – Mechanism attribute to retrieve names and descriptions of

Returns:

the results of displaying the attribute; mech name, short description, and long description.

Return type:

DisplayAttrResult

Raises:

GSSError

RFC 5588 (GSS-API Extension for Storing Delegated Credentials)

store_cred(creds: gssapi.raw.creds.Creds, usage: str = 'both', mech: gssapi.raw.oids.OID | None = None, overwrite: bool = False, set_default: bool = False)[source]

Store credentials into the default store.

This method stores the given credentials into the default store. They may then be retrieved later using acquire_cred().

Parameters:
  • creds (Creds) – the credentials to store

  • usage (str) – the usage to store the credentials with – either ‘both’, ‘initiate’, or ‘accept’

  • mech (OID) – the mechansim to associate with the stored credentials

  • overwrite (bool) – whether or not to overwrite existing credentials stored with the same name, etc

  • set_default (bool) – whether or not to set these credentials as the default credentials for the given store.

Returns:

the results of the credential storing operation

Return type:

StoreCredResult

Raises:

RFC 5801 (GSS-API SASL Extensions)

inquire_saslname_for_mech(mech: gssapi.raw.oids.OID)[source]

Gets information about a specified mech, including the SASL name, the mech name, and the mech description.

Parameters:

mech (OID) – Mechanism to inquire about

Returns:

the results of inquiry; a mech’s SASL name, name, and description.

Return type:

InquireSASLNameResult

Raises:

GSSError – an unknown failure occurred

inquire_mech_for_saslname(sasl_name: bytes)[source]

Gets the OID for the mech specified by SASL name.

Parameters:

sasl_name (bytes) – SASL name of the mechanism

Returns:

the mechanism with corresponding SASL name.

Return type:

OID

Raises:

GSSError – An unknown failure occurred

Credential Store Extensions

Credential Store Extension

acquire_cred_from(dict_store: Dict[bytes | str, bytes | str] | None = None, name: gssapi.raw.names.Name | None = None, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'both')[source]

Acquire credentials from the given store.

This method acquires credentials from the store specified by the given credential store information.

The credential store information is a dictionary containing mechanisms-specific keys and values pointing to a credential store or stores.

Parameters:
  • store (dict) – the credential store information pointing to the credential store from which to acquire the credentials. See Common Values for Credentials Store Extensions for valid values

  • name (Name) – the name associated with the credentials, or None for the default name

  • lifetime (int) – the desired lifetime of the credentials in seconds, or None for indefinite

  • mechs (list) – the desired mechanisms to be used with these credentials, or None for the default set

  • usage (str) – the usage for these credentials – either ‘both’, ‘initiate’, or ‘accept’

Returns:

the acquired credentials and information about them

Return type:

AcquireCredResult

Raises:

GSSError

add_cred_from(dict_store: Dict[bytes | str, bytes | str] | None, input_creds: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, usage: str = 'both', init_lifetime: int | None = None, accept_lifetime: int | None = None)[source]

Acquire credentials to add to the current set from the given store.

This method works like acquire_cred_from(), except that it adds the acquired credentials for a single mechanism to a copy of the current set, instead of creating a new set for multiple mechanisms. Unlike acquire_cred(), you cannot pass None for the desired name or mechanism.

The credential store information is a dictionary containing mechanisms-specific keys and values pointing to a credential store or stores.

Parameters:
  • store (dict) – the store into which to store the credentials, or None for the default store. See Common Values for Credentials Store Extensions for valid values

  • name (Name) – the name associated with the credentials

  • mech (OID) – the desired mechanism to be used with these credentials

  • usage (str) – the usage for these credentials – either ‘both’, ‘initiate’, or ‘accept’

  • init_lifetime (int) – the desired initiate lifetime of the credentials in seconds, or None for indefinite

  • accept_lifetime (int) – the desired accept lifetime of the credentials in seconds, or None for indefinite

Returns:

the new credentials set and information about it

Return type:

AcquireCredResult

Raises:

GSSError

store_cred_into(dict_store: Dict[bytes | str, bytes | str] | None, creds: gssapi.raw.creds.Creds, usage: str = 'both', mech: gssapi.raw.oids.OID | None = None, overwrite: bool = False, set_default: bool = False)[source]

Store credentials into the given store.

This method stores the given credentials into the store specified by the given store information. They may then be retrieved later using acquire_cred_from() or add_cred_from().

The credential store information is a dictionary containing mechanisms-specific keys and values pointing to a credential store or stores.

Parameters:
  • store (dict) – the store into which to store the credentials, or None for the default store. See Common Values for Credentials Store Extensions for valid values

  • creds (Creds) – the credentials to store

  • usage (str) – the usage to store the credentials with – either ‘both’, ‘initiate’, or ‘accept’

  • mech (OID) – the mechansim to associate with the stored credentials

  • overwrite (bool) – whether or not to overwrite existing credentials stored with the same name, etc

  • set_default (bool) – whether or not to set these credentials as the default credentials for the given store.

Returns:

the results of the credential storing operation

Return type:

StoreCredResult

Raises:

GSSError

RFC 6680 (GSS-API Naming Extensions)

display_name_ext(name: gssapi.raw.names.Name, name_type: gssapi.raw.oids.OID)[source]

Display the given Name using the given name type.

This method attempts to display the given Name using the syntax of the given name type. If this is not possible, an appropriate error will be raised.

Parameters:
  • name (Name) – the name to display

  • name_type (OID) – the name type (see NameType) to use to display the given name

Returns:

the displayed name

Return type:

bytes

Raises:

OperationUnavailableError – the given name could not be displayed using the given name type

inquire_name(name: gssapi.raw.names.Name, mech_name: bool = True, attrs: bool = True)[source]

Get information about a Name.

This method retrieves information about the given name, including the set of attribute names for the given name, as well as whether or not the name is a mechanism name. Additionally, if the given name is a mechanism name, the associated mechansim is returned as well.

Parameters:
  • name (Name) – the name about which to inquire

  • mech_name (bool) – whether or not to retrieve if this name is a mech_name (and the associate mechanism)

  • attrs (bool) – whether or not to retrieve the attribute name list

Returns:

the set of attribute names for the given name, whether or not the name is a Mechanism Name, and potentially the associated mechanism if it is a Mechanism Name

Return type:

InquireNameResult

Raises:

GSSError

set_name_attribute(name: gssapi.raw.names.Name, attr: bytes, value: Iterable[bytes], complete: bool = False)[source]

Set the value(s) of a name attribute.

This method sets the value(s) of the given attribute on the given name.

Note that this functionality more closely matches the pseudo-API presented in RFC 6680, not the C API (which uses multiple calls to add multiple values). However, multiple calls to this method will continue adding values, so delete_name_attribute() must be used in between calls to “clear” the values.

Parameters:
  • name (Name) – the Name on which to set the attribute

  • attr (bytes) – the name of the attribute

  • value (list) – a list of bytes objects to use as the value(s)

  • complete (bool) – whether or not to mark this attribute’s value set as being “complete”

Raises:

OperationUnavailableError – the given attribute name is unknown or could not be set

get_name_attribute(name: gssapi.raw.names.Name, attr: bytes, more: int | None = None)[source]

Get the value(s) of a name attribute.

This method retrieves the value(s) of the given attribute for the given Name.

Note that this functionality matches pseudo-API presented in RFC 6680, not the C API (which uses a state variable and multiple calls to retrieve multiple values).

Parameters:
  • name (Name) – the Name from which to get the attribute

  • attr (bytes) – the name of the attribute

Returns:

the raw version of the value(s), the human-readable version of the value(s), whether or not the attribute was authenticated, and whether or not the attribute’s value set was marked as complete

Return type:

GetNameAttributeResult

Raises:

OperationUnavailableError – the given attribute is unknown or unset

delete_name_attribute(name: gssapi.raw.names.Name, attr: bytes)[source]

Remove an attribute from a name.

This method removes an attribute from a Name. This method may be used before set_name_attribute() clear the values of an attribute before setting a new value (making the latter method work like a ‘set’ operation instead of an ‘add’ operation).

Note that the removal of certain attributes may not be allowed.

Parameters:
  • name (Name) – the name to remove the attribute from

  • attr (bytes) – the name of the attribute

Raises:
export_name_composite(name: gssapi.raw.names.Name)[source]

Export a name, preserving attribute information.

This method functions similarly to export_name(), except that it preserves attribute information. The resulting bytes may be imported using import_name() with the composite_export name type.

Note

Some versions of MIT Kerberos require you to either canonicalize a name once it has been imported with composite-export name type, or to import using the normal export name type.

Parameters:

name (Name) – the name to export

Returns:

the exported composite name

Return type:

bytes

Raises:

GSSError

Credentials Import-Export Extensions

Credentials Import/Export Extension

export_cred(creds: gssapi.raw.creds.Creds)[source]

Export GSSAPI credentials.

This method exports GSSSAPI credentials into a token which may be transmitted between different processes.

Parameters:

creds (Creds) – the credentials object to be exported

Returns:

the exported token representing the given credentials object

Return type:

bytes

Raises:

GSSError

import_cred(token: bytes)[source]

Import GSSAPI credentials from a token.

This method imports a credentials object from a token previously exported by export_cred().

Parameters:

token (bytes) – the token to import

Returns:

the imported credentials object

Return type:

Creds

Raises:

GSSError

DCE (IOV/AEAD) Extensions

wrap_aead(context: gssapi.raw.sec_contexts.SecurityContext, message: bytes, associated: bytes | None = None, confidential: bool = True, qop: int | None = None)[source]

Wrap/Encrypt an AEAD message.

This method takes an input message and associated data, and outputs and AEAD message.

Parameters:
  • context (SecurityContext) – the current security context

  • message (bytes) – the message to wrap or encrypt

  • associated (bytes) – associated data to go with the message

  • confidential (bool) – whether or not to encrypt the message (True), or just wrap it with a MIC (False)

  • qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

the wrapped/encrypted total message, and whether or not encryption was actually used

Return type:

WrapResult

Raises:

GSSError

unwrap_aead(context: gssapi.raw.sec_contexts.SecurityContext, message: bytes, associated: bytes | None = None)[source]

Unwrap/Decrypt an AEAD message.

This method takes an encrpyted/wrapped AEAD message and some associated data, and returns an unwrapped/decrypted message.

Parameters:
  • context (SecurityContext) – the current security context

  • message (bytes) – the AEAD message to unwrap or decrypt

  • associated (bytes) – associated data that goes with the message

Returns:

the unwrapped/decrypted message, whether or on encryption was used, and the QoP used

Return type:

UnwrapResult

Raises:

GSSError

class IOVBufferType[source]

IOV Buffer Types

This IntEnum represent GSSAPI IOV buffer types to be used with the IOV methods.

The numbers behind the values correspond directly to their C counterparts.

empty = 0[source]
data = 1[source]
header = 2[source]
mech_params = 3[source]
trailer = 7[source]
padding = 9[source]
stream = 10[source]
sign_only = 11[source]
mic_token = 12[source]
class IOVBuffer[source]
type[source]
allocate[source]
value[source]
class IOV(*args: IOVBuffer | Tuple[IOVBufferType | int, bool | None, bytes | None] | Tuple[IOVBufferType | int, bool | bytes | None] | bytes | IOVBufferType | int, std_layout: bool = True, auto_alloc: bool = True)[source]

A GSSAPI IOV

index(value: Any)[source]
count(value: Any)[source]
wrap_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: IOV, confidential: bool = True, qop: int | None = None)[source]

Wrap/Encrypt an IOV message.

This method wraps or encrypts an IOV message. The allocate parameter of the IOVBuffer objects in the IOV indicates whether or not that particular buffer should be automatically allocated (for use with padding, header, and trailer buffers).

Warning

This modifies the input IOV.

Parameters:
  • context (SecurityContext) – the current security context

  • message (IOV) – an IOV containing the message

  • confidential (bool) – whether or not to encrypt the miovessage (True), or just wrap it with a MIC (False)

  • qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

whether or not confidentiality was actually used

Return type:

bool

Raises:

GSSError

unwrap_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: IOV)[source]

Unwrap/Decrypt an IOV message.

This method uwraps or decrypts an IOV message. The allocate parameter of the IOVBuffer objects in the IOV indicates whether or not that particular buffer should be automatically allocated (for use with padding, header, and trailer buffers).

As a special case, you may pass an entire IOV message as a single ‘stream’. In this case, pass a buffer type of IOVBufferType.stream followed by a buffer type of IOVBufferType.data. The former should contain the entire IOV message, while the latter should be empty.

Warning

This modifies the input IOV.

Parameters:
  • context (SecurityContext) – the current security context

  • message (IOV) – an IOV containing the message

Returns:

whether or not confidentiality was used, and the QoP used.

Return type:

IOVUnwrapResult

Raises:

GSSError

wrap_iov_length(context: gssapi.raw.sec_contexts.SecurityContext, message: IOV, confidential: bool = True, qop: int | None = None)[source]

Appropriately size padding, trailer, and header IOV buffers.

This method sets the length values on the IOV buffers. You should already have data provided for the data (and sign-only) buffer(s) so that padding lengths can be appropriately computed.

In Python terms, this will result in an appropriately sized bytes object consisting of all zeros.

Warning

This modifies the input IOV.

Parameters:
  • context (SecurityContext) – the current security context

  • message (IOV) – an IOV containing the message

Returns:

a list of :class:IOVBuffer` objects, and whether or not encryption was actually used

Return type:

WrapResult

Raises:

GSSError

IOV MIC Extensions

get_mic_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: gssapi.raw.ext_dce.IOV, qop: int | None = None)[source]

Generate MIC tokens for the given IOV message.

This method generates a MIC token for the given IOV message, and places it in the mic_token buffer in the IOV. This method operates entirely in-place, and returns nothing.

Warning

This modifies the input IOV.

Parameters:
  • context (SecurityContext) – the current security context

  • message (IOV) – the IOV containing the message

  • qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

None

Raises:

GSSError

get_mic_iov_length(context: gssapi.raw.sec_contexts.SecurityContext, message: gssapi.raw.ext_dce.IOV, qop: int | None = None)[source]

Allocate space for the MIC buffer in the given IOV message.

This method allocates space for the MIC token buffer (mic_token) in the given IOV message.

Warning

This modifies the input IOV.

Parameters:
  • context (SecurityContext) – the current security context

  • message (IOV) – the IOV containing the message

  • qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

None

Raises:

GSSError

verify_mic_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: gssapi.raw.ext_dce.IOV, qop: int | None = None)[source]

Verify that the MIC matches the data in the given IOV message.

This method verifies that the MIC token in the MIC buffer (mic_token) match the data buffer(s) in the given IOV method.

Parameters:
  • context (SecurityContext) – the current security context

  • message (IOV) – the IOV containing the message

Returns:

the QoP used to generate the MIC token

Return type:

int

Raises:

GSSError

Global Grid Forum (GGF) Extensions

GGF Extensions

GGF provides extended credential and security context inquiry that allows application to retrieve more information about the client’s credentials and security context. One common use case is to use inquire_sec_context_by_oid() to retrieve the “session” key that is required by the SMB protocol for signing and encrypting a message.

Draft IETF document for these extensions can be found at https://tools.ietf.org/html/draft-engert-ggf-gss-extensions-00

inquire_cred_by_oid(cred_handle: gssapi.raw.creds.Creds, desired_aspect: gssapi.raw.oids.OID)[source]

This method inspects a Creds object for information specific to a particular desired aspect as an OID.

Parameters:
  • cred_handle (Creds) – the Credentials to query

  • desired_aspect (OID) – the desired aspect of the Credentials to inquire about.

Returns:

A list of zero or more pieces of data (as bytes objects)

Return type:

list

Raises:

GSSError

inquire_sec_context_by_oid(context: gssapi.raw.sec_contexts.SecurityContext, desired_aspect: gssapi.raw.oids.OID)[source]

This method inspects a SecurityContext object for information specific to a particular desired aspect as an OID.

This method can be used with the GSS_KRB5_INQ_SSPI_SESSION_KEY_OID OID to retrieve the required key that is used to derive the SMB/SAMBA signing and encryption keys.

Parameters:
  • context (SecurityContext) – the Security Context to query

  • desired_aspect (OID) – the desired aspect of the Security Context to inquire about.

Returns:

A list of zero or more pieces of data (as bytes objects)

Return type:

list

Raises:

GSSError

set_sec_context_option(desired_aspect: gssapi.raw.oids.OID, context: gssapi.raw.sec_contexts.SecurityContext, value: bytes | None = None)[source]

This method is used to set a value for a specific OID of a SecurityContext object. The OID and value to pass in depends on the mech the SecurityContext backs.

An example of how this can be used would be to reset the NTLM crypto engine used in gss-ntlmssp. The OID that controls this value is ‘1.3.6.1.4.1.7165.655.1.3’ and it takes it a byte value that represents an int32 where 1 resets the verifier handle and any other int resets the sender handle.

Parameters:
  • desired_aspect (OID) – the desired aspect of the Security Context to set the value for.

  • context (SecurityContext) – the Security Context to set, or None to create a new context.

  • value (bytes) – the value to set on the desired aspect of the Security Context or None to send GSS_C_EMPTY_BUFFER.

Returns:

The output security context.

Return type:

SecurityContext

Raises:

GSSError

Services4User Extensions

Service4User Extension

acquire_cred_impersonate_name(impersonator_cred: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'initiate')[source]

Acquire credentials by impersonating another name.

This method is one of the ways to use S4U2Self. It acquires credentials by impersonating another name using a set of proxy credentials. The impersonator credentials must have a usage of ‘both’ or ‘initiate’.

Parameters:
  • impersonator_cred (Creds) – the credentials with permissions to impersonate the target name

  • name (Name) – the name to impersonate

  • lifetime (int) – the lifetime for the credentials (or None for indefinite) in seconds

  • mechs (MechType) – the desired mechanisms for which the credentials should work (or None for the default set)

  • usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’

Returns:

the resulting credentials, the actual mechanisms with which they may be used, and their actual lifetime in seconds (or None for indefinite or not support)

Return type:

AcquireCredResult

Raises:

GSSError

add_cred_impersonate_name(input_cred: gssapi.raw.creds.Creds, impersonator_cred: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, usage: str = 'initiate', init_lifetime: int | None = None, accept_lifetime: int | None = None)[source]

Add a credentials element to a credential by impersonating another name.

This method is one of the ways to use S4U2Self. It adds credentials to the input credentials by impersonating another name using a set of proxy credentials. The impersonator credentials must have a usage of ‘both’ or ‘initiate’.

Parameters:
  • input_cred (Creds) – the set of credentials to which to add the new credentials

  • impersonator_cred (Creds) – the credentials with permissions to impersonate the target name

  • name (Name) – the name to impersonate

  • mech (MechType) – the desired mechanism. Note that this is both singular and required, unlike acquireCredImpersonateName

  • usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’

  • init_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to initiate security contexts (or None for indefinite)

  • accept_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to accept security contexts (or None for indefinite)

Returns:

the actual mechanisms with which the credentials may be used, the actual initiator TTL in seconds, and the actual acceptor TTL in seconds (the TTLs may be None for indefinite or not supported)

Return type:

AddCredResult

Raises:

GSSError

Acquiring Credentials With a Password Extensions

acquire_cred_with_password(name: gssapi.raw.names.Name, password: bytes, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'initiate')[source]

Acquire credentials through provided password.

This function is originally from Solaris and is not documented by either MIT or Heimdal.

In general, it functions similarly to acquire_cred().

Parameters:
  • name (Name) – the name to acquire credentials for

  • password (bytes) – the password used to acquire credentialss with

  • lifetime (int) – the lifetime for the credentials in seconds (or None for indefinite)

  • mechs (MechType) – the desired mechanisms for which the credentials should work (or None for the default set)

  • usage (str) – usage type for credentials. Possible values: ‘initiate’ (default), ‘accept’, ‘both’ (failsafe).

Returns:

the resulting credentials, the actual mechanisms with which they may be used, and their actual lifetime in seconds (or None for indefinite or not supported)

Return type:

AcquireCredResult

Raises:

GSSError

add_cred_with_password(input_cred: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, password: bytes, usage: str = 'initiate', init_lifetime: int | None = None, accept_lifetime: int | None = None)[source]

Add a credential-element to a credential using provided password.

This function is originally from Solaris and is not documented by either MIT or Heimdal.

In general, it functions similarly to add_cred().

Parameters:
  • input_cred (Creds) – the credentials to add to

  • name (Name) – the name to acquire credentials for

  • mech (MechType) – the desired mechanism. Note that this is both singular and required

  • password (bytes) – the password used to acquire credentialss with

  • usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’

  • init_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to initiate security contexts (or None for indefinite)

  • accept_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to accept security contexts (or None for indefinite)

Returns:

the actual mechanisms with which the credentials may be used, the actual initiator TTL in seconds, and the actual acceptor TTL in seconds (the TTLs may be None for indefinite or not supported)

Return type:

AddCredResult

Raises:

GSSError

Kerberos Specific Extensions

class Krb5LucidContext[source]

The base container returned by krb5_export_lucid_sec_context() when an unknown version was requested.

class Krb5LucidContextV1[source]

Kerberos context data returned by krb5_export_lucid_sec_context() when version 1 was requested.

property version[source]

The structure version number

Returns:

the structure version number

Return type:

Optional[int]

property is_initiator[source]

Whether the context was the initiator

Returns:

True when the exported context was the initiator

Return type:

Optional[bool]

property endtime[source]

Expiration time of the context

Returns:

the expiration time of the context

Return type:

Optional[int]

property send_seq[source]

Sender sequence number

Returns:

the sender sequence number

Return type:

Optional[int]

property recv_seq[source]

Receiver sequence number

Returns:

the receiver sequence number

Return type:

Optional[int]

property protocol[source]

The protocol number

If the protocol number is 0 then rfc1964_kd is set and cfx_kd is None. If the protocol number is 1 then the opposite is true.

Protocol 0 refers to RFC1964 and 1 refers to RFC4121.

Returns:

the protocol number

Return type:

Optional[int]

property rfc1964_kd[source]

Keydata for protocol 0 (RFC1964)

This will be set when protocol is 0.

Returns:

the RFC1964 key data

Return type:

Optional[Rfc1964KeyData]

property cfx_kd[source]

Key data for protocol 1 (RFC4121)

This will be set when protocol is 1.

Returns:

the RFC4121 key data

Return type:

Optional[CfxKeyData]

krb5_ccache_name(name: bytes | None)[source]

Set the default Kerberos Protocol credentials cache name.

This method sets the default credentials cache name for use by he Kerberos mechanism. The default credentials cache is used by acquire_cred() to create a GSS-API credential. It is also used by init_sec_context() when GSS_C_NO_CREDENTIAL is specified.

Note

Heimdal does not return the old name when called. It also does not reset the ccache lookup behaviour when setting to None.

Note

The return value may not be thread safe.

Parameters:

name (Optional[bytes]) – the name to set as the new thread specific ccache name. Set to None to revert back to getting the ccache from the config/environment settings.

Returns:

the old name that was previously set

Return type:

bytes

Raises:

GSSError

krb5_export_lucid_sec_context(context: gssapi.raw.sec_contexts.SecurityContext, version: int)[source]

Returns a non-opaque version of the internal context info.

Gets information about the Kerberos security context passed in. Currently only version 1 is known and supported by this library.

Note

The context handle must not be used again by the caller after this call.

Parameters:
  • context (SecurityContext) – the current security context

  • version (int) – the output structure version to export. Currently only 1 is supported.

Returns:

the non-opaque version context info

Return type:

Krb5LucidContext

Raises:

GSSError

krb5_extract_authtime_from_sec_context(context: gssapi.raw.sec_contexts.SecurityContext)[source]

Get the auth time for the security context.

Gets the auth time for the established security context.

Note

Heimdal can only get the authtime on the acceptor security context. MIT is able to get the authtime on both initiators and acceptors.

Parameters:

context (SecurityContext) – the current security context

Returns:

the authtime

Return type:

int

Raises:

GSSError

krb5_extract_authz_data_from_sec_context(context: gssapi.raw.sec_contexts.SecurityContext, ad_type: int)[source]

Extracts Kerberos authorization data.

Extracts authorization data that may be stored within the context.

Note

Only operates on acceptor contexts.

Parameters:
  • context (SecurityContext) – the current security context

  • ad_type (int) – the type of data to extract

Returns:

the raw authz data from the sec context

Return type:

bytes

Raises:

GSSError

krb5_import_cred(cred_handle: gssapi.raw.creds.Creds, cache: int | None = None, keytab_principal: int | None = None, keytab: int | None = None)[source]

Import Krb5 credentials into GSSAPI credential.

Imports the krb5 credentials (either or both of the keytab and cache) into the GSSAPI credential so it can be used within GSSAPI. The ccache is copied by reference and thus shared, so if the credential is destroyed, all users of cred_handle will fail.

Parameters:
  • cred_handle (Creds) – the credential handle to import into

  • cache (int) – the krb5_ccache address pointer, as an int, to import from

  • keytab_principal (int) – the krb5_principal address pointer, as an int, of the credential to import

  • keytab (int) – the krb5_keytab address pointer, as an int, of the keytab to import

Returns:

None

Raises:

GSSError

krb5_get_tkt_flags(context: gssapi.raw.sec_contexts.SecurityContext)[source]

Return ticket flags for the kerberos ticket.

Return the ticket flags for the kerberos ticket received when authenticating the initiator.

Note

Heimdal can only get the tkt flags on the acceptor security context. MIT is able to get the tkt flags on initiators and acceptors.

Parameters:

context (SecurityContext) – the security context

Returns:

the ticket flags for the received kerberos ticket

Return type:

int

Raises:

GSSError

krb5_set_allowable_enctypes(cred_handle: gssapi.raw.creds.Creds, ktypes: Iterable[int])[source]

Limits the keys that can be exported.

Called by a context initiator after acquiring the creds but before calling init_sec_context() to restrict the set of enctypes which will be negotiated during context establisment to those in the provided list.

Warning

The cred_handle should not be GSS_C_NO_CREDENTIAL.

Parameters:
  • cred_hande (Creds) – the credential handle

  • ktypes (List[int]) – list of enctypes allowed

Returns:

None

Raises:

GSSError

Other Extensions

gss_set_cred_option

Provides a way to set options on a credential based on the OID specified. A common use case is to set the GSS_KRB5_CRED_NO_CI_FLAGS_X on a Kerberos credential. This is used for interoperability with Microsoft’s SSPI.

Note this function is commonly lumped with the GGF extensions but they are not part of the GGF IETF draft so it’s separated into it’s own file.

Closest draft IETF document for the gss_set_cred_option can be found at https://tools.ietf.org/html/draft-williams-kitten-channel-bound-flag-01

set_cred_option(desired_aspect: gssapi.raw.oids.OID, creds: gssapi.raw.creds.Creds | None = None, value: bytes | None = None)[source]

This method is used to set options of a Creds object based on an OID key. The options that can be set depends on the mech the credentials were created with.

An example of how this can be used would be to set the GSS_KRB5_CRED_NO_CI_FLAGS_X on a Kerberos credential. The OID string for this flag is ‘1.2.752.43.13.29’ and it requires no value to be set. This must be set before the SecurityContext was initialised with the credentials.

Parameters:
  • desired_aspect (OID) – the desired aspect of the Credential to set.

  • cred_handle (Creds) – the Credentials to set, or None to create a new credential.

  • value (bytes) – the value to set on the desired aspect of the Credential or None to send GSS_C_EMPTY_BUFFER.

Returns:

The output credential.

Return type:

Creds

Raises:

GSSError

Results

class AcquireCredResult(creds: gssapi.raw.creds.Creds, mechs: Set[OID], lifetime: int)[source]

Credential result when acquiring a GSSAPI credential.

Create new instance of AcquireCredResult(creds, mechs, lifetime)

creds: gssapi.raw.creds.Creds

GSSAPI credentials that were acquired

mechs: Set[OID]

Set of mechs the cred is for

lifetime: int

Number of seconds for which the cred will remain valid

class InquireCredResult(name: gssapi.raw.names.Name | None, lifetime: int | None, usage: str | None, mechs: Set[OID] | None)[source]

Information about the credential.

Create new instance of InquireCredResult(name, lifetime, usage, mechs)

name: gssapi.raw.names.Name | None

The principal associated with the credential

lifetime: int | None

Number of seconds which the cred is valid for

usage: str | None

How the credential can be used

mechs: Set[OID] | None

Set of mechs the cred is for

class InquireCredByMechResult(name: gssapi.raw.names.Name | None, init_lifetime: int | None, accept_lifetime: int | None, usage: str | None)[source]

Information about the credential for a specific mechanism.

Create new instance of InquireCredByMechResult(name, init_lifetime, accept_lifetime, usage)

name: gssapi.raw.names.Name | None

The principal associated with the credential

init_lifetime: int | None

Time valid for initiation, in seconds

accept_lifetime: int | None

Time valid for accepting, in seconds

usage: str | None

How the credential can be used

class AddCredResult(creds: gssapi.raw.creds.Creds | None, mechs: Set[OID], init_lifetime: int, accept_lifetime: int)[source]

Result of adding to a GSSAPI credential.

Create new instance of AddCredResult(creds, mechs, init_lifetime, accept_lifetime)

creds: gssapi.raw.creds.Creds | None

The credential that was generated

mechs: Set[OID]

Set of mechs the cred is for

init_lifetime: int

Time valid for initiation, in seconds

accept_lifetime: int

Time valid for accepting, in seconds

class DisplayNameResult(name: bytes, name_type: OID | None)[source]

Textual representation of a GSSAPI name.

Create new instance of DisplayNameResult(name, name_type)

name: bytes

The representation of the GSSAPI name

name_type: OID | None

The type of GSSAPI name

class WrapResult(message: bytes, encrypted: bool)[source]

Wrapped message result.

Create new instance of WrapResult(message, encrypted)

message: bytes

The wrapped message

encrypted: bool

Whether the message is encrypted and not just signed

class UnwrapResult(message: bytes, encrypted: bool, qop: int)[source]

Unwrapped message result.

Create new instance of UnwrapResult(message, encrypted, qop)

message: bytes

The unwrapped message

encrypted: bool

Whether the message was encrypted and not just signed

qop: int

The quality of protection applied to the message

class AcceptSecContextResult(context: gssapi.raw.sec_contexts.SecurityContext, initiator_name: gssapi.raw.names.Name, mech: OID, token: bytes | None, flags: RequirementFlag, lifetime: int, delegated_creds: gssapi.raw.creds.Creds | None, more_steps: bool)[source]

Result when accepting a security context by an initiator.

Create new instance of AcceptSecContextResult(context, initiator_name, mech, token, flags, lifetime, delegated_creds, more_steps)

context: gssapi.raw.sec_contexts.SecurityContext

The acceptor security context

initiator_name: gssapi.raw.names.Name

The authenticated name of the initiator

mech: OID

Mechanism with which the context was established

token: bytes | None

Token to be returned to the initiator

flags: RequirementFlag

Services requested by the initiator

lifetime: int

Seconds for which the context is valid for

delegated_creds: gssapi.raw.creds.Creds | None

Delegated credentials

more_steps: bool

More input is required to complete the exchange

class InitSecContextResult(context: gssapi.raw.sec_contexts.SecurityContext, mech: OID, flags: RequirementFlag, token: bytes | None, lifetime: int, more_steps: bool)[source]

Result when initiating a security context

Create new instance of InitSecContextResult(context, mech, flags, token, lifetime, more_steps)

context: gssapi.raw.sec_contexts.SecurityContext

The initiator security context

mech: OID

Mechanism used in the security context

flags: RequirementFlag

Services available for the context

token: bytes | None

Token to be sent to the acceptor

lifetime: int

Seconds for which the context is valid for

more_steps: bool

More input is required to complete the exchange

class InquireContextResult(initiator_name: gssapi.raw.names.Name | None, target_name: gssapi.raw.names.Name | None, lifetime: int | None, mech: OID | None, flags: RequirementFlag | None, locally_init: bool | None, complete: bool | None)[source]

Information about the security context.

Create new instance of InquireContextResult(initiator_name, target_name, lifetime, mech, flags, locally_init, complete)

initiator_name: gssapi.raw.names.Name | None

Name of the initiator

target_name: gssapi.raw.names.Name | None

Name of the acceptor

lifetime: int | None

Time valid for the security context, in seconds

mech: OID | None

Mech used to create the security context

flags: RequirementFlag | None

Services available for the context

locally_init: bool | None

Context was initiated locally

complete: bool | None

Context has been established and ready to use

class StoreCredResult(mechs: List[OID], usage: str)[source]

Result of the credential storing operation.

Create new instance of StoreCredResult(mechs, usage)

mechs: List[OID]

Mechs that were stored in the credential store

usage: str

How the credential can be used

class IOVUnwrapResult(encrypted: bool, qop: int)[source]

Unwrapped IOV message result.

Create new instance of IOVUnwrapResult(encrypted, qop)

encrypted: bool

Whether the message was encrypted and not just signed

qop: int

The quality of protection applied to the message

class InquireNameResult(attrs: List[bytes], is_mech_name: bool, mech: OID)[source]

Information about a GSSAPI Name.

Create new instance of InquireNameResult(attrs, is_mech_name, mech)

attrs: List[bytes]

Set of attribute names

is_mech_name: bool

Name is a mechanism name

mech: OID

The mechanism if is_name_mech is True

class GetNameAttributeResult(values: List[bytes], display_values: List[bytes], authenticated: bool, complete: bool)[source]

GSSAPI Name attribute values.

Create new instance of GetNameAttributeResult(values, display_values, authenticated, complete)

values: List[bytes]

Raw values

display_values: List[bytes]

Human-readable values

authenticated: bool

Attribute has been authenticated

complete: bool

Attribute value is marked as complete

class InquireAttrsResult(mech_attrs: Set[OID], known_mech_attrs: Set[OID])[source]

Set of attributes supported and known by a mechanism.

Create new instance of InquireAttrsResult(mech_attrs, known_mech_attrs)

mech_attrs: Set[OID]

The mechanisms attributes

known_mech_attrs: Set[OID]

Known attributes of the mechanism

class DisplayAttrResult(name: bytes, short_desc: bytes, long_desc: bytes)[source]

Information about an attribute.

Create new instance of DisplayAttrResult(name, short_desc, long_desc)

name: bytes

The mechanism name

short_desc: bytes

Short description of the mechanism

long_desc: bytes

Long description of the mechanism

class InquireSASLNameResult(sasl_mech_name: bytes, mech_name: bytes, mech_description: bytes)[source]

SASL informmation about a GSSAPI Name.

Create new instance of InquireSASLNameResult(sasl_mech_name, mech_name, mech_description)

sasl_mech_name: bytes

The SASL name

mech_name: bytes

The mechanism name

mech_description: bytes

The mechanism description

class Rfc1964KeyData(sign_alg: int, seal_alg: int, key_type: int, key: bytes)[source]

Security context key data based on RFC1964.

Create new instance of Rfc1964KeyData(sign_alg, seal_alg, key_type, key)

sign_alg: int

Signing algorithm identifier

seal_alg: int

Sealing algorithm identifier

key_type: int

Key encryption type identifier

key: bytes

Encryption key data

class CfxKeyData(ctx_key_type: int, ctx_key: bytes, acceptor_subkey_type: int | None, acceptor_subkey: bytes | None)[source]

Securty context key data.

Create new instance of CfxKeyData(ctx_key_type, ctx_key, acceptor_subkey_type, acceptor_subkey)

ctx_key_type: int

Context key encryption type identifier

ctx_key: bytes

Context key data - session or sub-session key

acceptor_subkey_type: int | None

Acceptor key enc type identifier

acceptor_subkey: bytes | None

Acceptor key data

Exceptions

exception GSSError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: Exception

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

maj_code
min_code
token
calling_code
routine_code
supplementary_code
get_all_statuses(code: int, is_maj: bool)[source]

Retrieve all messages for a status code.

This method retrieves all human-readable messages available for the given status code.

Parameters:
  • code – the status code in question

  • is_maj – whether this is a major status code (True) or minor status code (False)

Returns:

A list of string messages associated with the

given code

Return type:

[str]

gen_message()[source]

Retrieves all messages for this error’s status codes

This method retrieves all messages for this error’s status codes, and forms them into a string for use as an exception message

Returns:

a string for use as this error’s message

Return type:

str

exception ParameterReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ParameterWriteError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MalformedParameterError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadMechanismError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadNameError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadNameTypeError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadChannelBindingsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadStatusError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadMICError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MissingCredentialsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MissingContextError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception InvalidTokenError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception InvalidCredentialsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ExpiredCredentialsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ExpiredContextError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadQoPError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception UnauthorizedError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception OperationUnavailableError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception DuplicateCredentialsElementError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MechanismNameRequiredError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception NameReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, BadNameError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception NameTypeReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, BadNameTypeError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception TokenReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, InvalidTokenError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ContextReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, MissingContextError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception CredentialsReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, MissingCredentialsError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ContextWriteError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterWriteError, MissingContextError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception CredentialsWriteError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterWriteError, MissingCredentialsError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception SupplementaryError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: gssapi.raw.misc.GSSError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception DuplicateTokenError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: SupplementaryError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ExpiredTokenError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: SupplementaryError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception TokenOutOfSequenceError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: SupplementaryError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception TokenTooLateError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: TokenOutOfSequenceError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception TokenTooEarlyError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: TokenOutOfSequenceError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes