Network Working Group N. Williams
Request for Comments: 5588 Sun
Category: Standards Track July 2009
Network Working Group N. Williams
Request for Comments: 5588 Sun
Category: Standards Track July 2009
Generic Security Service Application Program Interface (GSS-API) Extension for Storing Delegated Credentials
用于存储委派凭据的通用安全服务应用程序接口(GSS-API)扩展
Abstract
摘要
This document defines a new function for the Generic Security Service Application Program Interface (GSS-API), which allows applications to store delegated (and other) credentials in the implicit GSS-API credential store. This is needed for GSS-API applications to use delegated credentials as they would use other credentials.
本文档为通用安全服务应用程序接口(GSS-API)定义了一个新函数,该函数允许应用程序在隐式GSS-API凭据存储中存储委派(和其他)凭据。这是GSS-API应用程序使用委派凭据所必需的,因为它们将使用其他凭据。
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2009 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托在本文件出版之日生效的与IETF文件有关的法律规定的约束(http://trustee.ietf.org/license-info). 请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................3
3. GSS_Store_cred() ................................................3
4. C-Bindings ......................................................5
5. Examples ........................................................6
6. Security Considerations .........................................6
7. Normative References ............................................7
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................3
3. GSS_Store_cred() ................................................3
4. C-Bindings ......................................................5
5. Examples ........................................................6
6. Security Considerations .........................................6
7. Normative References ............................................7
The GSS-API [RFC2743] clearly assumes that credentials exist in an implicit store whence they can be acquired using GSS_Acquire_cred() and GSS_Add_cred() or through use of the default credential. Multiple credential stores may exist on a given host, but only one store may be accessed by GSS_Acquire_cred() and GSS_Add_cred() at any given time.
GSS-API[RFC2743]明确假设凭证存在于隐式存储中,可使用GSS_Acquire_cred()和GSS_Add_cred()或通过使用默认凭证获取凭证。给定主机上可能存在多个凭据存储,但GSS_Acquire_cred()和GSS_Add_cred()在任何给定时间只能访问一个存储。
This assumption can be seen in Sections 1.1.1.2 and 1.1.1.3 of [RFC2743] as well as in Section 3.5 of [RFC2744].
该假设见[RFC2743]第1.1.1.2节和第1.1.1.3节以及[RFC2744]第3.5节。
Applications may be able to change the credential store from which credentials can be acquired, either by changing user contexts (where the applications have the privilege to do so) or by other means (where a user may have multiple credential stores).
应用程序可以通过更改用户上下文(应用程序有权这样做)或通过其他方式(用户可能有多个凭据存储)来更改可从中获取凭据的凭据存储。
Some GSS-API acceptor applications always change user contexts, after accepting a GSS-API security context and making appropriate authorization checks, to the user context corresponding to the initiator principal name or to a context requested by the initiator. The means by which credential stores are managed are generally beyond the scope of the GSS-API.
某些GSS-API接受者应用程序在接受GSS-API安全上下文并进行适当的授权检查后,总是将用户上下文更改为与启动器主体名称对应的用户上下文或启动器请求的上下文。管理凭证存储的方法通常超出GSS-API的范围。
In the case of delegated credential handles however, such credentials do not exist in the acceptor's credential store or in the credential stores of the user contexts to which the acceptor application might change. The GSS-API provides no mechanism by which delegated credential handles can be made available for acquisition through GSS_Acquire_cred()/GSS_Add_cred(). The GSS-API also does not provide any credential import/export interfaces like the GSS-API context import/export interfaces.
但是,对于委派凭证句柄,此类凭证不存在于接受者的凭证存储或接受者应用程序可能更改到的用户上下文的凭证存储中。GSS-API不提供通过GSS_Acquire_cred()/GSS_Add_cred()获取委托凭证句柄的机制。GSS-API也不提供任何凭证导入/导出接口,如GSS-API上下文导入/导出接口。
Thus, acceptors are limited to making only direct use of delegated credential handles and only with GSS_Init_sec_context(), GSS_Inquire_cred*(), and GSS_Release_cred(). This limitation is particularly onerous on Unix systems where a call to exec() to replace the process image obliterates any delegated credentials handle that may exist in that process.
因此,接受方仅限于直接使用委托凭证句柄,并且仅限于使用GSS_Init_sec_context()、GSS_Inquire_cred*()和GSS_Release_cred()。在Unix系统上,此限制尤其繁重,在Unix系统中,调用exec()来替换进程映像会删除该进程中可能存在的任何委托凭据句柄。
In order to make delegated credentials generally as useful as credentials that can be acquired with GSS_Acquire_cred() and GSS_Add_cred(), a primitive is needed that allows storing of credentials in the implicit credential store. We call this primitive "GSS_Store_cred()".
为了使委托凭证与使用GSS_Acquire_cred()和GSS_Add_cred()获取的凭证一样有用,需要一个原语,允许在隐式凭证存储中存储凭证。我们将此原语称为“GSS\u Store\u cred()”。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
Inputs:
投入:
o input_cred_handle CREDENTIAL HANDLE, -- credential to store; MUST NOT be GSS_C_NO_CREDENTIAL.
o 输入凭证句柄凭证句柄,--要存储的凭证;不能是GSS\U C\U NO\U凭证。
o cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY, 2=ACCEPT-ONLY.
o cred_usage INTEGER--0=INITIATE-AND-ACCEPT,1=INITIATE-ONLY,2=ACCEPT-ONLY。
o desired_mech_element OBJECT IDENTIFIER, -- if GSS_C_NULL_OID, then store all the elements of the input_cred_handle, otherwise, store only the element of the corresponding mechanism.
o 所需的元素对象标识符,-如果为GSS\u C\u NULL\u OID,则存储输入\u cred\u句柄的所有元素,否则仅存储相应机制的元素。
o overwrite_cred BOOLEAN, -- if TRUE, replace any credential for the same principal in the credential store.
o overwrite_cred BOOLEAN,-如果为TRUE,则替换凭证存储中相同主体的任何凭证。
o default_cred BOOLEAN -- advisory input; if TRUE, make the stored credential available as the default credential (for acquisition with GSS_C_NO_NAME as the desired name or for use as GSS_C_NO_CREDENTIAL).
o 默认值\u cred BOOLEAN——建议输入;如果为TRUE,则将存储的凭证作为默认凭证提供(用于以GSS_C_NO_NAME作为所需名称的采集或用作GSS_C_NO_凭证)。
Outputs:
产出:
o major_status INTEGER.
o 主_状态整数。
o minor_status INTEGER.
o 次要_状态整数。
o mech_elements_stored SET OF OBJECT IDENTIFIER, -- the set of mechanism OIDs for which credential elements were successfully stored.
o mech_elements_存储的对象标识符集,--成功存储凭证元素的机制OID集。
o cred_usage_stored INTEGER -- like cred_usage, but indicates what kind of credential was stored (useful when the cred_usage input parameter is set to INITIATE-AND-ACCEPT).
o cred_usage_存储的整数——与cred_usage类似,但表示存储的凭据类型(当cred_usage输入参数设置为INITIATE-AND-ACCEPT时很有用)。
Return major_status codes:
返回主要_状态代码:
o GSS_S_COMPLETE indicates that the credentials were successfully stored.
o GSS_S_COMPLETE表示凭据已成功存储。
o GSS_S_CREDENTIALS_EXPIRED indicates that the input credentials had expired or expired before they could be stored.
o GSS_S_凭据_EXPIRED表示输入凭据已过期或在存储之前已过期。
o GSS_S_NO_CRED indicates that no input credentials were given.
o GSS_S_NO_CRED表示未提供任何输入凭据。
o GSS_S_UNAVAILABLE indicates that the credential store is not available.
o GSS_S_不可用表示凭据存储不可用。
o GSS_S_DUPLICATE_ELEMENT indicates that an element of the input credential could not be stored because a credential for the same principal exists in the current credential store and the overwrite_cred input argument was FALSE.
o GSS_S_DUPLICATE_元素表示无法存储输入凭据的元素,因为当前凭据存储中存在相同主体的凭据,并且overwrite_cred输入参数为FALSE。
o GSS_S_FAILURE indicates that the credential could not be stored for some other reason. The minor status code may provide more information if a non-GSS_C_NULL_OID desired_mech_element was given.
o GSS_故障表示由于其他原因无法存储凭据。如果给出了非GSS_C_NULL_OID所需的机械元件,次要状态代码可能会提供更多信息。
GSS_Store_cred() is used to store, in the current credential store, a given credential that has either been acquired from a different credential store or been accepted as a delegated credential.
GSS_Store_cred()用于在当前凭据存储中存储从其他凭据存储中获取的给定凭据或已被接受为委派凭据的给定凭据。
Specific mechanism elements of a credential can be stored one at a time by specifying a non-GSS_C_NULL_OID mechanism OID as the desired_mech_element input argument; in which case, the minor status output SHOULD have a mechanism-specific value when the major status is not GSS_S_COMPLETE.
通过将非GSS_C_NULL_OID机制OID指定为所需的_mech_元素输入参数,可以一次存储凭证的特定机制元素;在这种情况下,当主要状态不是GSS_S_完成时,次要状态输出应具有特定于机制的值。
The initiator, acceptor, or both usages of the input credential may be stored as per the cred_usage input argument.
输入凭证的发起者、接受者或两者的用法可根据cred_用法输入参数存储。
The credential elements that were actually stored, when the major status is GSS_S_COMPLETE, are indicated through the cred_usage_stored and mech_elements_stored function outputs.
当主要状态为GSS\U S\U COMPLETE时,实际存储的凭证元素通过cred\u usage\u stored和mech\u elements\u stored功能输出指示。
If credentials already exist in the current store for the principal of the input_cred_handle, then those credentials are not replaced with the input credentials unless the overwrite_cred input argument is TRUE.
如果输入\u cred\u句柄的主体的凭据已存在于当前存储中,则不会用输入凭据替换这些凭据,除非overwrite\u cred输入参数为TRUE。
In the GSS-API, the default credential can be used by using GSS_C_NO_CREDENTIAL or a CREDENTIAL handle acquired by calling GSS_Acquire_cred() or GSS_Add_cred() with the desired_name input set to GSS_C_NO_NAME.
在GSS-API中,可以通过使用GSS_C_NO_凭证或通过调用GSS_Acquire_cred()或GSS_Add_cred()获取的凭证句柄使用默认凭证,所需的_name输入设置为GSS_C_NO_name。
If the default_cred input argument is TRUE, and the input credential can be successfully stored, then the input credential SHOULD be stored as the default credential (see above).
如果default_cred input参数为TRUE,并且可以成功存储输入凭据,则输入凭据应存储为默认凭据(参见上文)。
If the current credential store has no default credential (see above), then the implementation MAY make the stored credentials available as the default credential regardless of the value of the default_cred input argument.
如果当前凭据存储没有默认凭据(请参见上文),则实现可能会使存储的凭据作为默认凭据可用,而不考虑default_cred输入参数的值。
The C-Bindings for GSS_Store_cred() make use of types from and are designed based on the style of the GSS-APIv2 C-Bindings [RFC2744].
GSS_Store_cred()的C绑定使用GSS-APIv2 C绑定[RFC2744]的类型,并基于GSS-APIv2 C绑定的样式进行设计。
OM_uint32 gss_store_cred( OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, gss_cred_usage_t cred_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored)
OM_uint32 gss_存储_cred(OM_uint32*次要_状态、gss_cred_id_输入_cred_句柄、gss_cred_用法_cred_用法、const gss_OID所需_机制、OM_uint32覆盖_cred、OM_uint32默认_cred、gss_OID_set*元素_存储、gss_cred_用法_cred_存储)
Figure 1
图1
The two boolean arguments, 'overwrite_cred' and 'default_cred', are typed as OM_uint32; 0 corresponds to FALSE, non-zero values correspond to TRUE.
两个布尔参数“overwrite_cred”和“default_cred”的类型为OM_uint32;0对应于FALSE,非零值对应于TRUE。
The intended usage of GSS_Store_cred() is to make delegated credentials available to child processes of GSS-API acceptor applications. Example pseudo-code:
GSS_Store_cred()的预期用途是向GSS-API接受程序的子进程提供委派凭据。伪代码示例:
/*
* <GSS_Accept_sec_context() loop resulting in GSS_S_COMPLETE,
* an initiator name (hereafter, "src_name") and a delegated
* credential handle (hereafter "deleg_cred").>
*
* <"requested_username" is a username derived from the
* initiator name or explicitly requested by the initiator
* application.>
*/
...
/*
* <GSS_Accept_sec_context() loop resulting in GSS_S_COMPLETE,
* an initiator name (hereafter, "src_name") and a delegated
* credential handle (hereafter "deleg_cred").>
*
* <"requested_username" is a username derived from the
* initiator name or explicitly requested by the initiator
* application.>
*/
...
if (authorize_gss_client(src_name, requested_username)) {
/*
* For Unix-type platforms this may mean calling setuid() and
* it may or may not also mean setting/unsetting such
* environment variables as KRB5CCNAME and what not -- all
* OS-specific details.
*/
if (change_user_context(requested_username))
(void) gss_store_cred(&minor_status, deleg_cred,
GSS_C_INITIATE, actual_mech,
0, 1, NULL, NULL);
}
else ...
}
else ...
if (authorize_gss_client(src_name, requested_username)) {
/*
* For Unix-type platforms this may mean calling setuid() and
* it may or may not also mean setting/unsetting such
* environment variables as KRB5CCNAME and what not -- all
* OS-specific details.
*/
if (change_user_context(requested_username))
(void) gss_store_cred(&minor_status, deleg_cred,
GSS_C_INITIATE, actual_mech,
0, 1, NULL, NULL);
}
else ...
}
else ...
Acceptor applications MUST only store delegated credentials into appropriate credential stores and only after proper authorization of the authenticated initiator principal to the requested service(s).
接受方应用程序必须仅在经过身份验证的发起方主体对请求的服务进行适当授权后,才将委派的凭据存储到相应的凭据存储中。
Acceptor applications that have no use for delegated credentials MUST release them (such acceptor applications that use the GSS-API C-Bindings may simply provide a NULL value for the delegated_cred_handle argument to gss_accept_sec_context()).
不使用委托凭证的接受方应用程序必须释放它们(使用GSS-API C绑定的此类接受方应用程序可能只是为GSS\U accept\U sec\U context()的委托\U cred\U handle参数提供空值)。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2743]Linn,J.,“通用安全服务应用程序接口版本2,更新1”,RFC 2743,2000年1月。
[RFC2744] Wray, J., "Generic Security Service API Version 2 : C-bindings", RFC 2744, January 2000.
[RFC2744]Wray,J.,“通用安全服务API第2版:C-绑定”,RFC 2744,2000年1月。
Author's Address
作者地址
Nicolas Williams Sun Microsystems 5300 Riata Trace Ct Austin, TX 78727 US
Nicolas Williams Sun Microsystems 5300 Riata Trace Ct德克萨斯州奥斯汀78727美国
EMail: Nicolas.Williams@sun.com
EMail: Nicolas.Williams@sun.com