[kitten] Proposed GSS extension for explicit credential stores

Nico Williams <nico@cryptonector.com> Tue, 03 April 2012 04:56 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=mq9Ibm8QQ1bXudGkP2BawsQWk6cZNEye0b0qvdzqd2Qu mHJoc9XIioqTfhSaP9xXakvR6Jm6xgqL//imAv9aTYZG8rTM/ReMVXFnZeNrynO7 PULE4PHp1lW9RVBoMvpifVDbUXxqqmvJhM3Osc/Ec3zxLmlAK+woGLq0j/8rhU8=
MIME-Version: 1.0
In-Reply-To: <CAK3OfOgh7TvkxvdtsNvNHn9YMTgWa_1aJ4=ozkrujvHxG8K0-Q@mail.gmail.com>
References: <CAK3OfOgh7TvkxvdtsNvNHn9YMTgWa_1aJ4=ozkrujvHxG8K0-Q@mail.gmail.com>
Date: Mon, 02 Apr 2012 23:56:42 -0500
Message-ID: <CAK3OfOg5NEc5coye1jPNdQ_X1J0SWdRxo_cG58ozCkLL23izjg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: [kitten] Proposed GSS extension for explicit credential stores
Precedence: list

Simo and I have a need for extensions for acquiring credentials from,
and storing credentials into, an explicit credential store as opposed
to the one implied by process credentials/context/environment.

For some use cases it is possible to get by without this extension by
just forking/spawning processes that can change their process
credentials and/or environment variables to change their implicit
credential store.  I understand that this argument will come up.  But
this is not a great solution for us.  Particularly since it is not a
portable and generic solution.  The solution we propose will still
involve some elements that are not entirely generic or portable, but
these elements are abstracted into key/value pairs that are easily
configured, thus the resulting applications themselves should be
generic and portable.

The new functions are:

 - GSS_Acquire_cred_from()
 - GSS_Add_cred_from()
 - GSS_Store_cred_into()

These are just like the existing functions that they are based on, but
with one additional argument: a credential store.

The credential store is just an ordered set of key/value pairs where
the keys are URNs (as opposed to OIDs) and the values are octet
strings with formats given by the keys.  In the C bindings the
credential store looks like this:

typedef struct gss_cred_store_element_struct {
   const char *urn;
   const char *value;
} gss_cred_store_element, *gss_cred_store_element_t;
typedef const struct gss_cred_store_element *gss_const_cred_store_element_t;

typedef struct gss_cred_store_struct {
   OM_uint32 count;
   gss_const_cred_store_element_t *elements;
} gss_cred_store, *gss_cred_store_t;
typedef const struct gss_cred_store_struct *gss_const_cred_store_t;

Note the use of the C const keyword.

The abstract API representation of this would probably be

    SET OF SEQUENCE {
        element_type_urn OCTET STRING,
        element OCTET STRING
    }

or perhaps just "CREDENTIAL STORE".  Note that RFC2743 has types with
that much structure, namely: OID sets, or at least the C bindings of
OID SET have that much structure.

URNs will be provided for at least the following:

 - ccache values
  Values will be of the form [<TYPE>:]<ccache-path-or-id>, such as
the familiar "FILE:/tmp/somecc" but also "LSA:" and "CCAPI:...".

 - keytab values
  Same as with ccache values, but naming a keytab.

We'll probably provide URNs for other store element types, such as:

 - PKCS#11 URI
   See http://tools.ietf.org/html/draft-pechanec-pkcs11uri-06

We have debated, but not reached a conclusion, other possible element
types such as:

 - User-ID, username

 - AFS PAG

The complete C bindings would be:

+/* Extension for credential stores */
+typedef struct gss_cred_store_element_struct {
+    const char *urn;
+    const char *value;
+} gss_cred_store_element, *gss_cred_store_element_t;
+typedef const struct gss_cred_store_element *gss_const_cred_store_element_t;
+
+typedef struct gss_cred_store_struct {
+    OM_uint32 count;
+    gss_const_cred_store_element_t *elements;
+} gss_cred_store, *gss_cred_store_t;
+typedef const struct gss_cred_store_struct *gss_const_cred_store_t;

+#define GSS_C_NO_CRED_STORE ((gss_const_cred_store_t) 0)

+OM_uint32 gss_acquire_cred_from(
+            OM_uint32 *minor_status*,
+            const gss_name_t desired_name,
+            OM_uint32 time_req,
+            const gss_OID_set desired_mechs,
+            gss_cred_usage_t cred_usage,
+            gss_const_cred_store_t cred_store,
+            gss_cred_id_t *output_cred_handle,
+            gss_OID_set *actual_mechs,
+            OM_uint32 *time_rec);

+OM_uint32 gss_add_cred_from (
+            OM_uint32 *minor_status,
+            const gss_cred_id_t input_cred_handle,
+            const gss_name_t desired_name,
+            const gss_OID desired_mech,
+            gss_cred_usage_t cred_usage,
+            OM_uint32 initiator_time_req,
+            OM_uint32 acceptor_time_req,
+            gss_const_cred_store_t cred_store,
+            gss_cred_id_t *output_cred_handle,
+            gss_OID_set *actual_mechs,
+            OM_uint32 *initiator_time_rec,
+            OM_uint32 *acceptor_time_rec);

+OM_uint32 gss_store_cred_into(
+              OM_uint32         *minor_status,
+              gss_cred_id_t     input_cred_handle,
+              gss_cred_usage_t  cred_usage,
+              const gss_OID     desired_mech,
+              OM_uint32         overwrite_cred,
+              OM_uint32         default_cred,
+              gss_const_cred_store_t cred_store,
+              gss_OID_set       *elements_stored,
+              gss_cred_usage_t  *cred_usage_stored);

Comments?

Nico
--

[kitten] Proposed GSS extension for explicit cred… Nico Williams
Re: [kitten] Proposed GSS extension for explicit … Simon Josefsson
Re: [kitten] Proposed GSS extension for explicit … Simo Sorce
Re: [kitten] Proposed GSS extension for explicit … Nico Williams