gnome-keyring [LSARC/2008/430 FastTrack timeout 07/15/2008]
Jeff Cai
Jeff.Cai at sun.com
Wed Jul 9 22:59:23 PDT 2008
John Fischer wrote:
> Jeff,
>
> Just a few questions...
>
> How does this work with Trusted Extensions? Will there
> be a separate keyring per label? Has this been answered
> previously in another ARC case?
>
This issue has not been discussed before. I think Stephen Browne can
give more about it.
>
>> /usr/lib/gnome-keyring/ \ Volatile (New)
>> gnome-keyring-pkcs11.so
>>
>
> This appears to be a Project Private library as it is
> hidden underneath /usr/lib/gnome-keyring directory.
> Is that correct? If so then it should be declared as
> Project Private.
>
As Darren has said, the library can be added by cryptoadm(1M) as a
provider, so I'd like it to be a volatile interface.
> It appears from the document that the default behavior
> is to have the ssh agent turned off for Solaris. Thus
> it will use OpenSSH. Is that correct?
>
Currently, ssh-agent is started in /usr/dt/config/Xsession.jds. Since
gnome-session will also start gnome-keyring-daemon with the ssh agent
enabled, the start script for ssh-agent in Xsession.jds will be removed
to avoid a conflict.
Jeff
> Thanks,
>
> John
>
> On Tue, 2008-07-08 at 23:48, Shi-Ying Irene Huang wrote:
>
>> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
>> This information is Copyright 2008 Sun Microsystems
>> 1. Introduction
>> 1.1. Project/Component Working Name:
>> gnome-keyring
>> 1.2. Name of Document Author/Supplier:
>> Author: Jeff Cai
>> 1.3 Date of This Document:
>> 08 July, 2008
>> 4. Technical Description
>> 1. Introduction
>> 1.1. Project/Component Working Name:
>>
>> GNOME Keyring
>>
>> 1.2. Name of Document Author/Supplier:
>>
>> Author: Jeff Cai
>> Sponsor: Irene Huang
>>
>> 1.3. Date of This Document:
>>
>> 07/09/2008
>>
>> 1.4. Name of Major Document Customer(s)/Consumer(s):
>>
>> 1.4.1. The PAC or CPT you expect to review your project:
>>
>> Solaris PAC
>>
>> 1.4.2. The ARC(s) you expect to review your project:
>>
>> LSARC
>>
>> 1.4.3. The Director/VP who is "Sponsoring" this project:
>>
>> Robert O'Dea
>>
>> 1.4.4. The name of your business unit:
>>
>> Software - OPG
>>
>> 1.5. Email Aliases:
>> 1.5.1. Responsible Manager: harry.lu at sun.com
>> 1.5.2. Responsible Engineer: jeff.cai at sun.com
>> 1.5.3. Marketing Manager:
>> 1.5.4. Interest List: brian.cameron at sun.com
>> darren.moffat at sun.com
>> wyllys.ingersoll at sun.com
>>
>> 2. Project Summary
>> 2.1. Project Description:
>>
>> GNOME Keyring is a system to store passwords and other sensitive data in a
>> standardized way across all GNOME applications.
>>
>> A keyring stores a collection of encrypted passwords and encrypted
>> information about those passwords. A user can have multiple keyrings, each
>> for a different use, but there is a default one, called 'login'. There is
>> also a special 'session' keyring which is not stored on disk and goes away
>> when you log out.
>>
>> When a user logs into GNOME, the keyrings are locked and a master keyring
>> password has to be provided in order to unlock each of them.
>>
>> This fast-track increments the version of gnome-keyring in Solaris
>> from 2.20.3 to 2.22.3.
>>
>> 4. Technical Description:
>>
>> 4.1. Details:
>>
>> Compared with the previous version 2.20, the following features have been added:
>>
>> - Basic X.509 certificate and key store.
>> - PKCS#11 module for accessing certificates and keys.
>> - Now includes an SSH agent.
>> - Automatically activate keyring daemon via DBus if it is not already
>> running.
>> - Add a simpler API for accessing and storing passwords. Older APIs
>> exist too. Refer to [1].
>>
>> 4.2 GNOME Keyring SSH Agent
>>
>> GNOME Keyring includes an SSH agent which integrates with the gnome-keyring
>> and user login for its passwords. It can also use the main X.509 private
>> key store.
>>
>> GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
>> starts up.
>>
>> The id_rsa and id_dsa files in ~/.ssh are automatically usable through the
>> SSH agent without first 'loading' them. Other X.509 private keys marked
>> with the 'ssh-authentication' purpose are also usable.
>>
>> Additional SSH keys can be manually loaded and managed via the ssh-add
>> command.
>>
>> If you use another SSH agent (such as the ssh-agent included with OpenSSH),
>> you may want to disable the SSH agent in GNOME Keyring to prevent ssh from
>> using it instead of your preferred SSH agent. You can set the
>> /apps/gnome-keyring/daemon-components/ssh
>> gconf key to false. This prevents the SSH component of gnome-keyring from
>> starting up when the user logs in.
>>
>> The default GNOME start up script (/usr/dt/config/Xsession.jds) will be
>> changed to NOT start up "under" ssh-agent like it does today and instead
>> ensure the environment variables for the gnome-keyring version are set
>> early enough.
>>
>> 4.3 GNOME Keyring Certificates and Encryption Keys
>>
>> The following paths are searched for encryption keys and certificate files.
>>
>> - ~/.ssh/id_?sa
>> - ~/.gnome2/keystore/*
>>
>> Most standard file formats for keys and certificates are supported:
>>
>> Certificates
>>
>> * Standard DER encoded certificates.
>> * Certificates contained in PKCS#7 files.
>> * Certificates contained in PKCS#8 files.
>> * PEM encodings of the above.
>>
>> Encryption Keys
>>
>> * PKCS#1 RSA keys.
>> * PKCS#8 encrypted RSA and DSA keys.
>> * DER encoded DSA keys.
>> * PEM encodings of the above.
>> * OpenSSL PEM encrypted keys.
>>
>> File Encryption and Password Algorithms
>>
>> PKCS#5 PBE
>>
>> * DES CBC MD2
>> * DES CBC MD5
>> * DES CBC SHA1
>>
>> PKCS#5 PBE2
>>
>> * DES CBC SHA1
>> * 3DES CBC SHA1
>> * RC2-128 CBC SHA1
>>
>> PKCS#12 PBE
>>
>> * RC4-128 STREAM SHA1
>> * 3DES CBC SHA1
>> * RC2-128 CBC SHA1
>> * RC2-40 CBC SHA1
>>
>> Supported crypto mechanisms include
>>
>> - DSA: sign/verify
>> - RSA: encrypt/decrypt sign/verify
>>
>> 4.4 GNOME Keyring Cryptoki (PKCS#11) Support
>>
>> PKCS#11 is a standard that lets applications use encryption keys and
>> certificates on devices like smart cards. gnome-keyring implements this
>> standard and acts as such a device, storing keys and certificates and
>> making them available for applications to use.
>>
>> PKCS#11 deals directly with things like RSA/DSA signing operations, and
>> certificate attributes. It's a bit low level. Usually one uses PKCS#11
>> through a crypto library like NSS. [5]
>>
>> PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to perform
>> the actual crypto operations; nowhere in the keyring/pkcs11 code is RSA or
>> DSA key generation or crypto functionality re-implemented.
>>
>>
>> 4.5. Interfaces:
>> Exported Interfaces
>> Interface Classification Comments
>> --------------- -------------- -----------------------
>> SUNWgnome-libs Uncommitted Package name (unchanged)
>> SUNWgnome-libs-devel Uncommitted Package name (unchanged)
>>
>> /usr/lib/libgnome-keyring.so Volatile Symbolic Link (unchanged)
>> /usr/lib/libgnome-keyring.so.0 Volatile SONAME (changed)
>>
>>
>> /usr/share/gconf/schemas/ \ Volatile GConf key schemas that
>> gnome-keyring.schemas define the preferences for
>> the tools (New)
>>
>> /usr/bin/gnome-keyring-daemon Volatile (unchanged)
>> /usr/lib/gnome-keyring-ask Project Private (unchanged)
>>
>> /usr/lib/gnome-keyring/ \ Volatile (New)
>> gnome-keyring-pkcs11.so
>>
>> /usr/lib/pkgconfig/ \
>> gnome-keyring-1.pc Volatile (unchanged)
>> /usr/include/gnome-keyring-1/ \
>> gnome-keyring.h Volatile (unchanged)
>> /usr/include/gnome-keyring-1/ \
>> gnome-keyring-memory.h Volatile (unchanged)
>> /usr/include/gnome-keyring-1/ \
>> gnome-keyring-result.h Volatile (unchanged)
>>
>> ~/.gnome2/keyrings Project Private Location where keyrings
>> are stored
>>
>> /usr/share/dbus-1/services/ \ Project
>> org.gnome.keyring.service Private DBus service file (New)
>>
>> org.gnome.keyrings.Daemon Volatile DBus interface
>> (session interface)
>> org.gnome.keyrings.Daemon \
>> GetSocketPath Volatile DBus method, return
>> socket path.
>> Imported Interfaces
>> Interface Classification Comments
>> --------------- --------------- -----------------------
>> GTK+ Committed LSARC/2008/207
>> GLib Committed LSARC/2008/207
>> D-Bus Volatile LSARC/2006/368
>> libhal Volatile PSARC/2005/399
>> libgcrypt Volatile LSARC/2008/354
>> libtasn1 Volatile LSARC/2008/390
>>
>> 4.6. Packaging & Delivery:
>>
>> No new packages are delivered. The two existing packages:
>> SUNWgnome-libs(base package) - base package for binaries
>> SUNWgnome-libs-devel (development package) - development package for
>>
>> 4.7 Security Impact:
>>
>> Please refer to [7].
>>
>> 4.8 Dependencies:
>>
>> libtasn1 is a new imported interface. gnome-keyring makes use of libtasn1 to
>> parse X.509 certificates and general certificates.
>>
>> 5. References
>> [1] New API storing passwords:
>> http://live.gnome.org/GnomeKeyring/StoringPasswords
>> [2] Homepage:
>> http://live.gnome.org/GnomeKeyring
>> [3] API document: http://library.gnome.org/devel/gnome-keyring/stable/
>> [4] GNOME 2.14 ARC: LSARC/2006/202/
>> [5] Configure other applications to use gnome-keyring certificates and keys:
>> http://live.gnome.org/GnomeKeyring/ApplicationSetup
>> [6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
>> [7] GNOME 2.14 security questionnaire:
>> http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
>>
>>
>> 6. Resources and Schedule
>> 6.4. Steering Committee requested information
>> 6.4.1. Consolidation C-team Name:
>> Desktop
>> 6.5. ARC review type: FastTrack
>> 6.6. ARC Exposure: open
>>
>>
>
>
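Added example, not part of the ARC case and not gnome-keyring's own code. Section 4.3 of the quoted case lists the PKCS#5 PBE/PBES2 and PKCS#12 PBE schemes gnome-keyring accepts for encrypted key files in ~/.gnome2/keystore, and several of them (single DES, RC2-40, RC4-128, the MD2/MD5-based PBES1 variants) are weak by today's standards. A practitioner auditing a keystore would want to know which scheme a given PKCS#8 EncryptedPrivateKeyInfo actually uses before trusting it. The script below parses just enough DER to pull the AlgorithmIdentifier out of a PKCS#8 blob (DER or PEM) and names the scheme, descending into PBES2 parameters to find the cipher. The OID table goes slightly beyond the case's list (it also recognises AES-256-CBC under PBES2); the strength verdicts, the helper names and the sample blobs are this example's own assumptions, and the sample "encrypted key" payloads are constructed dummy bytes, not real keys.

```python
import base64
import re

# PBE scheme OIDs from PKCS#5 (RFC 8018) and PKCS#12 (RFC 7292); verdicts are this
# example's own assessment, not anything gnome-keyring states.
PBE_OIDS = {
    "1.2.840.113549.1.5.1":    ("PKCS#5 PBES1 pbeWithMD2AndDES-CBC", "weak"),
    "1.2.840.113549.1.5.3":    ("PKCS#5 PBES1 pbeWithMD5AndDES-CBC", "weak"),
    "1.2.840.113549.1.5.10":   ("PKCS#5 PBES1 pbeWithSHA1AndDES-CBC", "weak"),
    "1.2.840.113549.1.5.13":   ("PKCS#5 PBES2", None),  # cipher lives in the parameters
    "1.2.840.113549.1.12.1.1": ("PKCS#12 pbeWithSHAAnd128BitRC4", "weak"),
    "1.2.840.113549.1.12.1.3": ("PKCS#12 pbeWithSHAAnd3-KeyTripleDES-CBC", "legacy"),
    "1.2.840.113549.1.12.1.5": ("PKCS#12 pbeWithSHAAnd128BitRC2-CBC", "weak"),
    "1.2.840.113549.1.12.1.6": ("PKCS#12 pbeWithSHAAnd40BitRC2-CBC", "weak"),
}
PBES2_CIPHERS = {
    "1.3.14.3.2.7":            ("DES-CBC", "weak"),
    "1.2.840.113549.3.2":      ("RC2-CBC", "weak"),
    "1.2.840.113549.3.7":      ("DES-EDE3-CBC", "legacy"),
    "2.16.840.1.101.3.4.1.42": ("AES-256-CBC", "ok"),
}


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV at buf[pos]; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (first byte packs two arcs, rest base-128)."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_identifier(buf, pos=0):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, seq, end = _read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_val, p = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid_val), seq[p:], end


def _pem_to_der(data):
    """Unwrap a PEM 'ENCRYPTED PRIVATE KEY' block if present; pass raw DER through."""
    m = re.search(rb"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----",
                  data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def classify_pkcs8(data):
    """Name the password-based encryption scheme of an EncryptedPrivateKeyInfo -> (name, verdict)."""
    tag, outer, _ = _read_tlv(_pem_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("not an EncryptedPrivateKeyInfo")
    oid, params, _ = _algorithm_identifier(outer, 0)
    if oid not in PBE_OIDS:
        return "unknown scheme " + oid, "unknown"
    name, verdict = PBE_OIDS[oid]
    if verdict is None:  # PBES2-params ::= SEQUENCE { keyDerivationFunc AlgId, encryptionScheme AlgId }
        tag, p2, _ = _read_tlv(params, 0)
        if tag != 0x30:
            raise ValueError("malformed PBES2 parameters")
        _kdf, _kdf_params, pos = _algorithm_identifier(p2, 0)
        cipher_oid, _iv, _ = _algorithm_identifier(p2, pos)
        cipher, verdict = PBES2_CIPHERS.get(cipher_oid, ("unknown cipher " + cipher_oid, "unknown"))
        name = f"{name} with {cipher}"
    return name, verdict


# --- minimal DER encoder, used only to build constructed sample blobs for the demo ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_sample(pbe_oid, params=b""):
    """Constructed EncryptedPrivateKeyInfo: real AlgorithmIdentifier, dummy 16-byte ciphertext."""
    alg = _der(0x30, _der_oid(pbe_oid) + params)
    return _der(0x30, alg + _der(0x04, b"\x00" * 16))


# PBES1 params: SEQUENCE { salt OCTET STRING, iterationCount INTEGER (2000) }
PBES1_PARAMS = _der(0x30, _der(0x04, b"\x01" * 8) + _der(0x02, b"\x07\xd0"))
SAMPLE_MD5_DES = make_sample("1.2.840.113549.1.5.3", PBES1_PARAMS)
# PBES2 params: SEQUENCE { PBKDF2 AlgId, DES-EDE3-CBC AlgId with IV }
_PBKDF2 = _der(0x30, _der_oid("1.2.840.113549.1.5.12")
               + _der(0x30, _der(0x04, b"\x02" * 8) + _der(0x02, b"\x07\xd0")))
_CIPHER_3DES = _der(0x30, _der_oid("1.2.840.113549.3.7") + _der(0x04, b"\x03" * 8))
SAMPLE_PBES2_3DES = make_sample("1.2.840.113549.1.5.13", _der(0x30, _PBKDF2 + _CIPHER_3DES))
SAMPLE_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_MD5_DES)
              + b"-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, blob in (("md5-des", SAMPLE_MD5_DES), ("pbes2-3des", SAMPLE_PBES2_3DES),
                        ("pem-wrapped", SAMPLE_PEM)):
        print(label, classify_pkcs8(blob))
```

To audit a real keystore, feed classify_pkcs8() the bytes of each file under ~/.gnome2/keystore; anything it reports as "weak" is protected only by a cipher or hash gnome-keyring still accepts for compatibility, and the practical fix is to re-export the key under PBES2 with a modern cipher before it is relied on.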