GSS-API Programming Guide

Constructing Mechanism OIDs

Since gss_str_to_oid() is not always available or desirable, there are preferable, if more complex, ways to find out which mechanisms are available, and to choose one. One way is to construct a mechanism OID “by hand” and then compare it to a set of available mechanisms; another way is to get the set of available mechanisms and choose one from it.

The gss_OID type has the following form:


typedef struct gss_OID_desc_struct {
     OM_uint32 length;      /* number of bytes in the encoded value */
     void      *elements;   /* first byte of the BER-encoded value */
} gss_OID_desc, *gss_OID;

where the elements field of this structure points to the first byte of an octet string containing the ASN.1 BER encoding of the value portion of the normal BER TLV encoding of the gss_OID. The length field contains the number of bytes in this value. For example, the gss_OID value corresponding to the DASS X.509 authentication mechanism has a length field of 7 and an elements field pointing to seven octets containing the following octal values: 53,14,2,207,163,7,5.

One way to construct a mechanism OID is to declare a gss_OID and then initialize its elements “by hand” to represent that of a given mechanism. (As above, the input for the elements values might be hard-coded, be looked up in a table, or come from user input.) This is somewhat more painstaking than using gss_str_to_oid() but achieves the same effect.

Such a gss_OID can then be compared against a set of available mechanisms returned by the functions gss_indicate_mechs() or gss_inquire_mechs_for_name(). The application can check to see if its constructed mechanism OID is in this set of available mechanisms by using the gss_test_oid_set_member() function. If gss_test_oid_set_member() does not return an error, then the constructed OID can be used as the mechanism for GSS-API transactions.
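The by-hand construction and set comparison described above, as an added example that is not part of the original guide: it encodes the arcs of a dotted OID into the octets that the elements field holds, then tests set membership by length and content. The types oid_desc and oid_set_desc, the function names and the sample set are stand-ins constructed for this example so that it builds without the GSS-API headers; a real application would pass the set from gss_indicate_mechs() to gss_test_oid_set_member() and check both the returned status and its present output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for gss_OID_desc and gss_OID_set_desc (no GSS-API headers needed). */
typedef struct { uint32_t length; void *elements; } oid_desc;
typedef struct { size_t count; oid_desc *elements; } oid_set_desc;

/* BER value octets for an OID; arcs 0 and 1 pack as 40*a0+a1. Returns 0 on error. */
static size_t oid_encode(const uint32_t *arcs, size_t n, uint8_t *out, size_t cap)
{
    size_t len = 0;
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    for (size_t i = 1; i < n; i++) {
        uint64_t v = (i == 1) ? (uint64_t)arcs[0] * 40 + arcs[1] : arcs[i];
        uint8_t tmp[10];
        size_t k = 0;
        do { tmp[k++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v);
        if (k > cap - len) return 0;   /* output buffer too small */
        while (k--) /* base 128, high bit set on all but the last octet */
            out[len++] = (uint8_t)(tmp[k] | (k ? 0x80 : 0));
    }
    return len;
}

/* Compare length as well as octets, so a shorter OID cannot match as a prefix. */
static int oid_in_set(const oid_desc *oid, const oid_set_desc *set)
{
    for (size_t i = 0; i < set->count; i++)
        if (set->elements[i].length == oid->length &&
            memcmp(set->elements[i].elements, oid->elements, oid->length) == 0)
            return 1;
    return 0;
}

/* Constructed sample set: Kerberos V5 plus a 6-octet prefix of the DASS OID. */
static uint8_t krb5_val[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static uint8_t dass_prefix[] = {0x2b, 0x0c, 0x02, 0x87, 0x73, 0x07};
static oid_desc avail[] = {{sizeof krb5_val, krb5_val}, {sizeof dass_prefix, dass_prefix}};
static oid_set_desc avail_set = {2, avail};

int main(void)
{
    const uint32_t dass[] = {1, 3, 12, 2, 1011, 7, 5}; /* DASS X.509 */
    uint8_t buf[16];
    oid_desc oid = {(uint32_t)oid_encode(dass, 7, buf, sizeof buf), buf};
    printf("length=%u present=%d\n", (unsigned)oid.length, oid_in_set(&oid, &avail_set));
    return 0;
}
```

The DASS arcs encode to hex 2b 0c 02 87 73 07 05, which are the seven octal values quoted earlier; the sample set does not contain that OID, so the application would have to choose another mechanism.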

As an alternative to constructing a pre-set OID, the application can use gss_indicate_mechs() or gss_inquire_mechs_for_name() to get the gss_OID_set of available mechanisms. A gss_OID_set has the following form:


typedef struct gss_OID_set_desc_struct {
     size_t  count;      /* number of OIDs in the set */
     gss_OID elements;   /* array of count gss_OID_desc entries */
} gss_OID_set_desc, *gss_OID_set;

where each of the elements is a gss_OID representing a mechanism. The application can then parse each mechanism and display the element values of each one, in effect displaying the numerical representation of each mechanism. A user can then choose which of the mechanisms to use, based on this display, and the application then sets its mechanism to be the appropriate member of the gss_OID_set. Alternatively, the application can compare these mechanisms with a list of preferred mechanisms.