[kmf-discuss] more detailed proposal for cert-to-name mapping

Jan Pechanec Jan.Pechanec at Sun.COM
Mon Feb 25 11:18:38 PST 2008


On Mon, 25 Feb 2008, Wyllys Ingersoll wrote:

>> ----------------------------------------------------------------------------
>> kmf_map_cert_to_name(KMF_HANDLE_T, KMF_DATA *cert, KMF_DATA **name);
>> kmf_match_cert_to_name(KMF_HANDLE_T, KMF_DATA *cert, char *name);
>>
// ...
>
> I think the "name" field in "map_cert..." should just be a "KMF_DATA *name"
> type.
> The caller supplies the KMF_DATA record, the mapper fills it in.  No need to
> have
> the mapper also allocate a KMF_DATA record.

	good point.

> What does "match_cert_to_name" do?

	checks if the name supplied matches the one in the certificate. 
pam_pkcs11 has it and I think it's a good idea. Some apps will need the 
name, some (ssh) will just need to check if it matches the name supplied.

	it might even come in handy for some applications to get the full 
username@domain but match it against the username only. Options might say 
"dontmatchdomain". It would be nice if no extra work was needed for the 
developer. match() will be just a simple wrapper around map() in the mapper 
object.

>> 	mapper-setting="ignorecase,ignoredomain"
>>  
>
> Just a nit, but how about "mapper-options" instead of "setting" ?

	definitely

>> 	mapper_cert_to_name_init(KMF_ATTRIBUTE *attrlist);
>>
>> 		- would dlopen() the object
>>  
> ... and dlclose any already opened mapper in.

	yes

>> 	mapper_map_cert_to_name(KMF_DATA *cert, KMF_DATA **name);
>> 	mapper_match_cert_to_name(KMF_DATA *cert, char *name);
>
> Also consider "mapper_get_error_string(int mapper_errcode, char **err);"

	ah, yes, I forgot about this one.

	we might want to call it kmf_get_mapper_error_str() so that it's 
consistent with kmf_get_plugin_error_str().

> I agree, but I think "evolving" is now "volatile".

	sorry, I've been shifting "read taxonomy docs" in my todo list down 
and down for far too long, I guess.

	I think we might try to implement a prototype before filing an ARC 
case; what do you think? So that we are sure that we have all we want. We 
can use a very simple mapper and I can verify it in my SunSSH+x509 prototype 
implementation then.

	Jan.

-- 
Jan Pechanec

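An added example, not KMF code and not from anyone in this thread, showing the match()-as-wrapper-around-map() idea together with the proposed "ignorecase,ignoredomain" mapper-options. The KMF_DATA layout, the standalone function names and the "certificate" blob (a constructed buffer that carries only the name instead of a real certificate) are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for KMF_DATA; assumed layout for this example, not the real KMF header. */
typedef struct { size_t Length; unsigned char *Data; } kmf_data_t;
#define MAPPER_IGNORECASE   0x1u
#define MAPPER_IGNOREDOMAIN 0x2u

/* Parse "ignorecase,ignoredomain" style mapper-options; unknown or empty tokens are an error. */
int mapper_parse_options(const char *opts, unsigned *flags)
{
    *flags = 0;
    while (*opts) {
        size_t n = strcspn(opts, ",");
        if (n == 10 && strncmp(opts, "ignorecase", n) == 0) *flags |= MAPPER_IGNORECASE;
        else if (n == 12 && strncmp(opts, "ignoredomain", n) == 0) *flags |= MAPPER_IGNOREDOMAIN;
        else return -1;
        opts += n + (opts[n] == ',');
    }
    return 0;
}

/* Hypothetical map(): a real mapper would pull the name out of the certificate; here the "cert" is a constructed blob holding only the name. */
static int mapper_map_cert_to_name(const kmf_data_t *cert, kmf_data_t *name)
{
    if (!(name->Data = malloc(cert->Length))) return -1;
    memcpy(name->Data, cert->Data, cert->Length);
    name->Length = cert->Length;
    return 0;
}

/* match() as a thin wrapper around map() that applies the options; returns 1 match, 0 mismatch, -1 mapper error. */
int mapper_match_cert_to_name(const kmf_data_t *cert, const char *name, unsigned flags)
{
    kmf_data_t mapped = { 0, NULL };
    if (mapper_map_cert_to_name(cert, &mapped) != 0) return -1;
    const char *got = (const char *)mapped.Data, *at;
    size_t glen = mapped.Length, wlen = strlen(name);
    if (flags & MAPPER_IGNOREDOMAIN) {   /* compare only the user part before '@' on both sides */
        if ((at = memchr(got, '@', glen))) glen = (size_t)(at - got);
        if ((at = strchr(name, '@')))      wlen = (size_t)(at - name);
    }
    int match = (glen == wlen);          /* length check first: no partial-prefix matches */
    for (size_t i = 0; match && i < glen; i++)
        match = (flags & MAPPER_IGNORECASE)
              ? tolower((unsigned char)got[i]) == tolower((unsigned char)name[i])
              : got[i] == name[i];
    free(mapped.Data);
    return match;
}
```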