Skip navigation links
JNA API 5.12.1
com.sun.jna.platform.win32

Interface Secur32

    • Field Detail

      • INSTANCE

        static final Secur32 INSTANCE
    • Method Detail

      • GetUserNameEx

        boolean GetUserNameEx(int nameFormat,
                              char[] lpNameBuffer,
                              IntByReference len)
        Retrieves the name of the user or other security principal associated with the calling thread. You can specify the format of the returned name.
        Parameters:
        nameFormat - The format of the name.
        lpNameBuffer - A pointer to a buffer that receives the name in the specified format.
        len - On input, the size of the buffer, on output the number of characters copied into the buffer, not including the terminating null character.
        Returns:
        True if the function succeeds. False otherwise.
      • AcquireCredentialsHandle

        int AcquireCredentialsHandle(java.lang.String pszPrincipal,
                                     java.lang.String pszPackage,
                                     int fCredentialUse,
                                     WinNT.LUID pvLogonID,
                                     Pointer pAuthData,
                                     Pointer pGetKeyFn,
                                     Pointer pvGetKeyArgument,
                                     Sspi.CredHandle phCredential,
                                     Sspi.TimeStamp ptsExpiry)
        The AcquireCredentialsHandle function acquires a handle to preexisting credentials of a security principal. This handle is required by the AcceptSecurityContext and InitializeSecurityContext functions. These can be either preexisting credentials, which are established through a system logon that is not described here, or the caller can provide alternative credentials.
        Parameters:
        pszPrincipal - A pointer to a null-terminated string that specifies the name of the principal whose credentials the handle will reference.
        pszPackage - A pointer to a null-terminated string that specifies the name of the security package with which these credentials will be used.
        fCredentialUse - A flag that indicates how these credentials will be used.
        pvLogonID - A pointer to a locally unique identifier (LUID) that identifies the user.
        pAuthData - A pointer to package-specific data. This parameter can be NULL, which indicates that the default credentials for that package must be used. To use supplied credentials, pass a Sspi.SEC_WINNT_AUTH_IDENTITY structure that includes those credentials in this parameter.
        pGetKeyFn - This parameter is not used and should be set to NULL.
        pvGetKeyArgument - This parameter is not used and should be set to NULL.
        phCredential - A pointer to a CredHandle structure to receive the credential handle.
        ptsExpiry - A pointer to a TimeStamp structure that receives the time at which the returned credentials expire. The value returned in this TimeStamp structure depends on the security package. The security package must return this value in local time.
        Returns:
        If the function succeeds, the function returns one of the SEC_I_ success codes. If the function fails, the function returns one of the SEC_E_ error codes.
      • InitializeSecurityContext

        int InitializeSecurityContext(Sspi.CredHandle phCredential,
                                      Sspi.CtxtHandle phContext,
                                      java.lang.String pszTargetName,
                                      int fContextReq,
                                      int Reserved1,
                                      int TargetDataRep,
                                      Sspi.SecBufferDesc pInput,
                                      int Reserved2,
                                      Sspi.CtxtHandle phNewContext,
                                      Sspi.SecBufferDesc pOutput,
                                      IntByReference pfContextAttr,
                                      Sspi.TimeStamp ptsExpiry)
        The InitializeSecurityContext function initiates the client side, outbound security context from a credential handle. The function is used to build a security context between the client application and a remote peer. InitializeSecurityContext returns a token that the client must pass to the remote peer, which the peer in turn submits to the local security implementation through the AcceptSecurityContext call. The token generated should be considered opaque by all callers. Typically, the InitializeSecurityContext function is called in a loop until a sufficient security context is established.
        Parameters:
        phCredential - A handle to the credentials returned by AcquireCredentialsHandle. This handle is used to build the security context. The InitializeSecurityContext function requires at least OUTBOUND credentials.
        phContext - A pointer to a CtxtHandle structure. On the first call to InitializeSecurityContext, this pointer is NULL. On the second call, this parameter is a pointer to the handle to the partially formed context returned in the phNewContext parameter by the first call.
        pszTargetName - A pointer to a null-terminated string that indicates the target of the context. The string contents are security-package specific.
        fContextReq - Bit flags that indicate requests for the context. Not all packages can support all requirements. Flags used for this parameter are prefixed with ISC_REQ_, for example, ISC_REQ_DELEGATE.
        Reserved1 - This parameter is reserved and must be set to zero.
        TargetDataRep - The data representation, such as byte ordering, on the target. This parameter can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.
        pInput - A pointer to a SecBufferDesc structure that contains pointers to the buffers supplied as input to the package. The pointer must be NULL on the first call to the function. On subsequent calls to the function, it is a pointer to a buffer allocated with enough memory to hold the token returned by the remote peer.
        Reserved2 - This parameter is reserved and must be set to zero.
        phNewContext - A pointer to a CtxtHandle structure. On the first call to InitializeSecurityContext, this pointer receives the new context handle. On the second call, phNewContext can be the same as the handle specified in the phContext parameter.
        pOutput - A pointer to a SecBufferDesc structure that contains pointers to the SecBuffer structure that receives the output data. If a buffer was typed as SEC_READWRITE in the input, it will be there on output. The system will allocate a buffer for the security token if requested (through ISC_REQ_ALLOCATE_MEMORY) and fill in the address in the buffer descriptor for the security token.
        pfContextAttr - A pointer to a variable to receive a set of bit flags that indicate the attributes of the established context. Flags used for this parameter are prefixed with ISC_RET, such as ISC_RET_DELEGATE.
        ptsExpiry - A pointer to a TimeStamp structure that receives the expiration time of the context. It is recommended that the security package always return this value in local time. This parameter is optional and NULL should be passed for short-lived clients.
        Returns:
        If the function succeeds, the function returns one of the SEC_I_ success codes. If the function fails, the function returns one of the SEC_E_ error codes.
      • DeleteSecurityContext

        int DeleteSecurityContext(Sspi.CtxtHandle phContext)
        The DeleteSecurityContext function deletes the local data structures associated with the specified security context.
        Parameters:
        phContext - Handle of the security context to delete.
        Returns:
        If the function succeeds, the return value is SEC_E_OK. If the function fails, the return value is SEC_E_INVALID_HANDLE;
      • FreeCredentialsHandle

        int FreeCredentialsHandle(Sspi.CredHandle phCredential)
        The FreeCredentialsHandle function notifies the security system that the credentials are no longer needed. An application calls this function to free the credential handle acquired in the call to the AcquireCredentialsHandle function. When all references to this credential set have been removed, the credentials themselves can be removed.
        Parameters:
        phCredential - A pointer to the credential handle obtained by using the AcquireCredentialsHandle function.
        Returns:
        If the function succeeds, the return value is SEC_E_OK. If the function fails, the return value is SEC_E_INVALID_HANDLE;
      • AcceptSecurityContext

        int AcceptSecurityContext(Sspi.CredHandle phCredential,
                                  Sspi.CtxtHandle phContext,
                                  Sspi.SecBufferDesc pInput,
                                  int fContextReq,
                                  int TargetDataRep,
                                  Sspi.CtxtHandle phNewContext,
                                  Sspi.SecBufferDesc pOutput,
                                  IntByReference pfContextAttr,
                                  Sspi.TimeStamp ptsTimeStamp)
        The AcceptSecurityContext function enables the server component of a transport application to establish a security context between the server and a remote client. The remote client uses the InitializeSecurityContext function to start the process of establishing a security context. The server can require one or more reply tokens from the remote client to complete establishing the security context.
        Parameters:
        phCredential - A handle to the credentials of the server. The server calls the AcquireCredentialsHandle function with either the SECPKG_CRED_INBOUND or SECPKG_CRED_BOTH flag set to retrieve this handle.
        phContext - A pointer to a CtxtHandle structure. On the first call to AcceptSecurityContext, this pointer is NULL. On subsequent calls, phContext is the handle to the partially formed context that was returned in the phNewContext parameter by the first call.
        pInput - A pointer to a SecBufferDesc structure generated by a client call to InitializeSecurityContext that contains the input buffer descriptor.
        fContextReq - Bit flags that specify the attributes required by the server to establish the context. Bit flags can be combined by using bitwise-OR operations.
        TargetDataRep - The data representation, such as byte ordering, on the target. This parameter can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.
        phNewContext - A pointer to a CtxtHandle structure. On the first call to AcceptSecurityContext, this pointer receives the new context handle. On subsequent calls, phNewContext can be the same as the handle specified in the phContext parameter.
        pOutput - A pointer to a SecBufferDesc structure that contains the output buffer descriptor. This buffer is sent to the client for input into additional calls to InitializeSecurityContext. An output buffer may be generated even if the function returns SEC_E_OK. Any buffer generated must be sent back to the client application.
        pfContextAttr - A pointer to a variable that receives a set of bit flags that indicate the attributes of the established context. For a description of the various attributes, see Context Requirements. Flags used for this parameter are prefixed with ASC_RET, for example, ASC_RET_DELEGATE.
        ptsTimeStamp - A pointer to a TimeStamp structure that receives the expiration time of the context.
        Returns:
        This function returns one of SEC_* values.
      • CompleteAuthToken

        int CompleteAuthToken(Sspi.CtxtHandle phContext,
                              Sspi.SecBufferDesc pToken)
        The CompleteAuthToken function completes an authentication token. This function is used by protocols, such as DCE, that need to revise the security information after the transport application has updated some message parameters.

        This function is supported only by the Digest security support provider (SSP).

        CompleteAuthToken is used on the server side only.

        Parameters:
        phContext - A handle of the context that needs to be completed.
        pToken - A Sspi.SecBufferDesc structure that contains the buffer descriptor for the entire message.
        Returns:
        If the function succeeds, the function returns SEC_E_OK.

        If the function fails, it returns one of the following error codes.

        Return codeDescription
        SEC_E_INVALID_HANDLEThe handle that was passed to the function is not valid.
        SEC_E_INVALID_TOKENThe token that was passed to the function is not valid.
        SEC_E_OUT_OF_SEQUENCEThe client's security context was located, but the message number is incorrect. This return value is used with the Digest SSP.
        SEC_E_MESSAGE_ALTEREDThe client's security context was located, but the client's message has been tampered with. This return value is used with the Digest SSP.
        SEC_E_INTERNAL_ERRORAn error occurred that did not map to an SSPI error code.
      • EnumerateSecurityPackages

        int EnumerateSecurityPackages(IntByReference pcPackages,
                                      Sspi.PSecPkgInfo ppPackageInfo)
        The EnumerateSecurityPackages function returns an array of SecPkgInfo structures that describe the security packages available to the client.
        Parameters:
        pcPackages - A pointer to a int variable that receives the number of packages returned.
        ppPackageInfo - A pointer to a variable that receives a pointer to an array of SecPkgInfo structures. Each structure contains information from the security support provider (SSP) that describes a security package that is available within that SSP.
        Returns:
        If the function succeeds, the function returns SEC_E_OK. If the function fails, it returns a nonzero error code.
      • FreeContextBuffer

        int FreeContextBuffer(Pointer buffer)
        The FreeContextBuffer function enables callers of security package functions to free a memory buffer that was allocated by the security package as a result of calls to InitializeSecurityContext and AcceptSecurityContext.
        Parameters:
        buffer - A pointer to memory allocated by the security package.
        Returns:
        If the function succeeds, the function returns SEC_E_OK. If the function fails, it returns a nonzero error code.
      • QuerySecurityContextToken

        int QuerySecurityContextToken(Sspi.CtxtHandle phContext,
                                      WinNT.HANDLEByReference phToken)
        The QuerySecurityContextToken function obtains the access token for a client security context and uses it directly.
        Parameters:
        phContext - Handle of the context to query.
        phToken - Returned handle to the access token.
        Returns:
        If the function succeeds, the function returns SEC_E_OK. If the function fails, it returns a nonzero error code. One possible error code return is SEC_E_INVALID_HANDLE.
      • ImpersonateSecurityContext

        int ImpersonateSecurityContext(Sspi.CtxtHandle phContext)
        The ImpersonateSecurityContext function allows a server to impersonate a client by using a token previously obtained by a call to AcceptSecurityContext or QuerySecurityContextToken. This function allows the application server to act as the client, and thus all necessary access controls are enforced.
        Parameters:
        phContext - The handle of the context to impersonate. This handle must have been obtained by a call to the AcceptSecurityContext function.
        Returns:
        If the function succeeds, the function returns SEC_E_OK. If the function fails, it returns a SEC_E_INVALID_HANDLE, SEC_E_NO_IMPERSONATION or SEC_E_UNSUPPORTED_FUNCTION error code.
      • RevertSecurityContext

        int RevertSecurityContext(Sspi.CtxtHandle phContext)
        Allows a security package to discontinue the impersonation of the caller and restore its own security context.
        Parameters:
        phContext - Handle of the security context being impersonated. This handle must have been obtained in the call to the AcceptSecurityContext function and used in the call to the ImpersonateSecurityContext function.
        Returns:
        If the function succeeds, the return value is SEC_E_OK. If the function fails, the return value can be either SEC_E_INVALID_HANDLE or SEC_E_UNSUPPORTED_FUNCTION.
      • QueryContextAttributes

        int QueryContextAttributes(Sspi.CtxtHandle phContext,
                                   int ulAttribute,
                                   Structure pBuffer)
        Enables a transport application to query a security package for certain attributes of a security context.
        Parameters:
        phContext - A handle to the security context to be queried.
        ulAttribute - Specifies the attribute of the context to be returned. This parameter can be one of the SECPKG_ATTR_* values defined in Sspi.
        pBuffer - A pointer to a structure that receives the attributes. The type of structure pointed to depends on the value specified in the ulAttribute parameter.
        Returns:
        If the function succeeds, the return value is SEC_E_OK. If the function fails, the return value is a nonzero error code.
      • QueryCredentialsAttributes

        int QueryCredentialsAttributes(Sspi.CredHandle phCredential,
                                       int ulAttribute,
                                       Structure pBuffer)
        Retrieves the attributes of a credential, such as the name associated with the credential. The information is valid for any security context created with the specified credential.
        Parameters:
        phCredential - A handle of the credentials to be queried.
        ulAttribute - Specifies the attribute of the context to be returned. This parameter can be one of the SECPKG_ATTR_* values defined in Sspi.
        pBuffer - A pointer to a structure that receives the attributes. The type of structure pointed to depends on the value specified in the ulAttribute parameter.
        Returns:
        If the function succeeds, the return value is SEC_E_OK. If the function fails, the return value is a nonzero error code.
      • QuerySecurityPackageInfo

        int QuerySecurityPackageInfo(java.lang.String pszPackageName,
                                     Sspi.PSecPkgInfo ppPackageInfo)
        Retrieves information about a specified security package. This information includes the bounds on sizes of authentication information, credentials, and contexts.
        Parameters:
        pszPackageName - Name of the security package.
        ppPackageInfo - Variable that receives a pointer to a SecPkgInfo structure containing information about the specified security package.
        Returns:
        If the function succeeds, the return value is SEC_E_OK. If the function fails, the return value is a nonzero error code.
      • EncryptMessage

        int EncryptMessage(Sspi.CtxtHandle phContext,
                           int fQOP,
                           Sspi.SecBufferDesc pMessage,
                           int MessageSeqNo)
        EncryptMessage (Kerberos) function

        The EncryptMessage (Kerberos) function encrypts a message to provide privacy. EncryptMessage (Kerberos) allows an application to choose among cryptographic algorithms supported by the chosen mechanism. The EncryptMessage (Kerberos) function uses the security context referenced by the context handle. Some packages do not have messages to be encrypted or decrypted but rather provide an integrity hash that can be checked.

        Parameters:
        phContext - A handle to the security context to be used to encrypt the message.
        fQOP - Package-specific flags that indicate the quality of protection. A security package can use this parameter to enable the selection of cryptographic algorithms. This parameter can be the following flag: Sspi.SECQOP_WRAP_NO_ENCRYPT.
        pMessage - A pointer to a SecBufferDesc structure. On input, the structure references one or more SecBuffer structures that can be of type SECBUFFER_DATA. That buffer contains the message to be encrypted. The message is encrypted in place, overwriting the original contents of the structure.

        The function does not process buffers with the SECBUFFER_READONLY attribute.

        The length of the SecBuffer structure that contains the message must be no greater than cbMaximumMessage, which is obtained from the QueryContextAttributes (Kerberos) (SECPKG_ATTR_STREAM_SIZES) function.

        Applications that do not use SSL must supply a SecBuffer of type SECBUFFER_PADDING.

        MessageSeqNo - The sequence number that the transport application assigned to the message. If the transport application does not maintain sequence numbers, this parameter must be zero.
        Returns:
        If the function succeeds, the function returns SEC_E_OK.
        See Also:
        MSDN Entry
      • VerifySignature

        int VerifySignature(Sspi.CtxtHandle phContext,
                            Sspi.SecBufferDesc pMessage,
                            int MessageSeqNo,
                            IntByReference pfQOP)
        VerifySignature function.

        Verifies that a message signed by using the MakeSignature function was received in the correct sequence and has not been modified.

        Warning

        The VerifySignature function will fail if the message was signed using the RsaSignPssSha512 algorithm on a different version of Windows. For example, a message that was signed by calling the MakeSignature function on Windows 8 will cause the VerifySignature function on Windows 8.1 to fail.

        Parameters:
        phContext - A handle to the security context to use for the message.
        pMessage - Pointer to a SecBufferDesc structure that references a set of SecBuffer structures that contain the message and signature to verify. The signature is in a SecBuffer structure of type SECBUFFER_TOKEN.
        MessageSeqNo - Specifies the sequence number expected by the transport application, if any. If the transport application does not maintain sequence numbers, this parameter is zero.
        pfQOP - Pointer to a ULONG variable that receives package-specific flags that indicate the quality of protection.

        Some security packages ignore this parameter.

        Returns:
        If the function verifies that the message was received in the correct sequence and has not been modified, the return value is SEC_E_OK.

        If the function determines that the message is not correct according to the information in the signature, the return value can be one of the following error codes.

        Return codeDescription
        SEC_E_OUT_OF_SEQUENCEThe message was not received in the correct sequence.
        SEC_E_MESSAGE_ALTEREDThe message has been altered.
        SEC_E_INVALID_HANDLEThe context handle specified by phContext is not valid.
        SEC_E_INVALID_TOKENpMessage did not contain a valid SECBUFFER_TOKEN buffer, or contained too few buffers.
        SEC_E_QOP_NOT_SUPPORTEDThe quality of protection negotiated between the client and server did not include integrity checking.
      • MakeSignature

        int MakeSignature(Sspi.CtxtHandle phContext,
                          int fQOP,
                          Sspi.SecBufferDesc pMessage,
                          int MessageSeqNo)
        MakeSignature function.

        The MakeSignature function generates a cryptographic checksum of the message, and also includes sequencing information to prevent message loss or insertion. MakeSignature allows the application to choose between several cryptographic algorithms, if supported by the chosen mechanism. The MakeSignature function uses the security context referenced by the context handle.

        Remarks

        Remarks

        The MakeSignature function generates a signature that is based on the message and the session key for the context.

        The VerifySignature function verifies the messages signed by the MakeSignature function.

        If the transport application created the security context to support sequence detection and the caller provides a sequence number, the function includes this information in the signature. This protects against reply, insertion, and suppression of messages. The security package incorporates the sequence number passed down from the transport application.

        Parameters:
        phContext - A handle to the security context to use to sign the message.
        fQOP - Package-specific flags that indicate the quality of protection. A security package can use this parameter to enable the selection of cryptographic algorithms.

        When using the Digest SSP, this parameter must be set to zero.

        pMessage - A pointer to a SecBufferDesc structure. On input, the structure references one or more SecBuffer structures that contain the message to be signed. The function does not process buffers with the SECBUFFER_READONLY_WITH_CHECKSUM attribute.

        The SecBufferDesc structure also references a SecBuffer structure of type SECBUFFER_TOKEN that receives the signature.

        When the Digest SSP is used as an HTTP authentication protocol, the buffers should be configured as follows.

        Buffer #/buffer typeMeaning
        0 / SECBUFFER_TOKENEmpty.
        1 / SECBUFFER_PKG_PARAMSMethod.
        2 / SECBUFFER_PKG_PARAMSURL.
        3 / SECBUFFER_PKG_PARAMSHEntity. For more information, see Input Buffers for the Digest Challenge Response.
        4 / SECBUFFER_PADDINGEmpty. Receives the signature.

        When the Digest SSP is used as an SASL mechanism, the buffers should be configured as follows.

        Buffer #/buffer typeMeaning
        0 / SECBUFFER_TOKENEmpty. Receives the signature. This buffer must be large enough to hold the largest possible signature. Determine the size required by calling the QueryContextAttributes (General) function and specifying SECPKG_ATTR_SIZES. Check the returned SecPkgContext_Sizes structure member cbMaxSignature.
        1 / SECBUFFER_DATAMessage to be signed.
        2 / SECBUFFER_PADDINGEmpty.
        MessageSeqNo - * The sequence number that the transport application assigned to the message. If the transport application does not maintain sequence numbers, this parameter is zero.

        When using the Digest SSP, this parameter must be set to zero. The Digest SSP manages sequence numbering internally.

        Returns:
        If the function succeeds, the function returns SEC_E_OK.

        If the function fails, it returns one of the following error codes.

        Return codeDescription
        SEC_I_RENEGOTIATEThe remote party requires a new handshake sequence or the application has just initiated a shutdown. Return to the negotiation loop and call AcceptSecurityContext (General) or InitializeSecurityContext (General) again. An empty input buffer is passed in the first call.
        SEC_E_INVALID_HANDLEThe context handle specified by phContext is not valid.
        SEC_E_INVALID_TOKENpMessage did not contain a valid SECBUFFER_TOKEN buffer or contained too few buffers.
        SEC_E_OUT_OF_SEQUENCEThe nonce count is out of sequence.
        SEC_E_NO_AUTHENTICATING_AUTHORITYThe security context (phContext) must be revalidated.
        STATUS_INVALID_PARAMETERThe nonce count is not numeric.
        SEC_E_QOP_NOT_SUPPORTEDThe quality of protection negotiated between the client and server did not include integrity checking.
      • DecryptMessage

        int DecryptMessage(Sspi.CtxtHandle phContext,
                           Sspi.SecBufferDesc pMessage,
                           int MessageSeqNo,
                           IntByReference pfQOP)
        DecryptMessage (Kerberos) function

        The DecryptMessage (Kerberos) function decrypts a message. Some packages do not encrypt and decrypt messages but rather perform and check an integrity hash.

        Parameters:
        phContext - A handle to the security context to be used to encrypt the message.
        pMessage - A pointer to a SecBufferDesc structure. On input, the structure references one or more SecBuffer structures that may be of type SECBUFFER_DATA. The buffer contains the encrypted message. The encrypted message is decrypted in place, overwriting the original contents of its buffer.
        MessageSeqNo - The sequence number expected by the transport application, if any. If the transport application does not maintain sequence numbers, this parameter must be set to zero.
        pfQOP - A pointer to a variable of type ULONG that receives package-specific flags that indicate the quality of protection. This parameter can be the following flag: Sspi.SECQOP_WRAP_NO_ENCRYPT.
        Returns:
        If the function verifies that the message was received in the correct sequence, the function returns SEC_E_OK.
        See Also:
        MSDN Entry
JNA API 5.12.1

Copyright © 2007-2018 Timothy Wall. All Rights Reserved.