Re: [gtk-vnc-devel] PATCH: Support for x509 credentials

Daniel P. Berrange wrote:
When authenticating with TLS+x509, the GTK Widget needs 1-to-4 files

  - A CA certificate (compulsory)
  - A CA revocation list (optional)
  - A client certificate (compulsory IFF the server does client verification)
  - A client key (compulsory IFF the server does client verification)

For the latter two cases, the client has no way of knowing if it needs to
provide them or not. The server may or may not be doing client certificate
validation, and it may or may not fail auth if it does. So, if the client
has its own cert & key it should use them; if it doesn't then it may get
an auth rejection from the server later.

This is all a little complex and not nice to expose to application developers really. So I think I want to provide a simplified interface
to apps. For this purpose I am introducing a single credential type.
It is called 'VNC_CREDENTIAL_CLIENTNAME'.  The application should set
this to its short logical name - eg, 'gvncviewer'. When this is set the
vncdisplay class will look up the certificate data in the following
locations

  - A CA certificate in:

     $HOME/.pki/CA/cacert.pem
     /etc/pki/CA/cacert.pem

  - A CA revocation list in:

     $HOME/.pki/CA/cacrl.pem
     /etc/pki/CA/cacrl.pem

  - A client key in

     $HOME/.pki/<CLIENTNAME>/private/clientkey.pem
     /etc/pki/<CLIENTNAME>/private/clientkey.pem

  - A client certificate in

     $HOME/.pki/<CLIENTNAME>/clientcert.pem
     /etc/pki/<CLIENTNAME>/clientcert.pem

In the future I'll probably also make it look for

     $HOME/.pki/<CLIENTNAME>/clientcert-[hostname].pem
     /etc/pki/<CLIENTNAME>/clientcert-[hostname].pem
     $HOME/.pki/<CLIENTNAME>/clientcert-[domainname].pem
     /etc/pki/<CLIENTNAME>/clientcert-[domainname].pem

to allow it to give different certs based on the server it is connecting
to. For now though the code is assuming all a user's servers are under
the same CA realm.

I agree with you that it would be better not to expose all the gory details of this. Is this how other applications deal with this? My only experience with TLS required that the user supplied locations of the certificates (with a single default location). I'm not aware of how client applications that may be run by multiple users deal with this. Any ideas?

Regards,

Anthony Liguori

I've re-done the authentication dialog for the demo programs to show how to handle this. They are a little more complex now, since you cannot
assume that every credential the VNC widget asks for maps into a user
presentable text field.
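The lookup order quoted above (per-user `$HOME/.pki` first, then system-wide `/etc/pki`, with the CA certificate compulsory and the CRL, client certificate and client key optional) can be written down as a small resolver. The following is an added example, not code from gtk-vnc or from either author: it takes the client name that would be passed as `VNC_CREDENTIAL_CLIENTNAME` and returns the paths it would hand to the TLS layer. The `home` and `system_root` parameters, the refusal of a half-configured cert/key pair, the rejection of client names containing path separators, and the private-key permission check are assumptions added here for the sake of a safe default, not behaviour the thread describes.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class X509Credentials:
    """Resolved file paths; None means the optional file was not found."""
    cacert: str
    cacrl: Optional[str]
    clientcert: Optional[str]
    clientkey: Optional[str]


def _first_existing(candidates: List[str]) -> Optional[str]:
    """Return the first candidate that is a regular file, else None."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def key_is_private(path: str) -> bool:
    """True if the key file grants no group/other permission bits.

    Assumption added here: a client key readable by other users should be
    treated as misconfigured rather than silently used (POSIX mode bits only).
    """
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def resolve_x509_credentials(clientname: str,
                             home: Optional[str] = None,
                             system_root: str = "/etc/pki") -> X509Credentials:
    """Locate CA cert, CA CRL, client cert and client key for CLIENTNAME.

    Search order per file is $HOME/.pki/... then /etc/pki/..., matching the
    layout in the thread. The CA certificate is compulsory; the rest are
    optional, except that a client certificate and key must be found
    together (assumption: a lone cert or lone key is a configuration error).
    """
    # Assumption: the client name is a plain short name such as 'gvncviewer';
    # refuse anything that could walk outside the <CLIENTNAME> directory.
    if (not clientname or os.sep in clientname or "/" in clientname
            or clientname in (".", "..")):
        raise ValueError("client name must be a simple directory name")

    if home is None:
        home = os.path.expanduser("~")
    user_root = os.path.join(home, ".pki")

    def lookup(relative: str) -> Optional[str]:
        return _first_existing([os.path.join(user_root, relative),
                                os.path.join(system_root, relative)])

    cacert = lookup(os.path.join("CA", "cacert.pem"))
    if cacert is None:
        raise FileNotFoundError(
            "CA certificate is compulsory: no CA/cacert.pem under "
            f"{user_root} or {system_root}")

    cacrl = lookup(os.path.join("CA", "cacrl.pem"))
    clientcert = lookup(os.path.join(clientname, "clientcert.pem"))
    clientkey = lookup(os.path.join(clientname, "private", "clientkey.pem"))

    if (clientcert is None) != (clientkey is None):
        raise ValueError(
            "client certificate and key must both be present or both absent")
    if clientkey is not None and not key_is_private(clientkey):
        raise PermissionError(f"{clientkey} is readable by other users")

    return X509Credentials(cacert, cacrl, clientcert, clientkey)


if __name__ == "__main__":
    # Stand-alone demonstration against the real $HOME and /etc/pki.
    try:
        print(resolve_x509_credentials("gvncviewer"))
    except (FileNotFoundError, ValueError, PermissionError) as err:
        print("not usable:", err)
```

Because the server may or may not demand a client certificate, the resolver does not treat a missing cert/key pair as an error; it simply reports `None` for both, and it is left to the connection code to surface the server's later rejection to the user. Preferring the per-user directory over the system one means a user can override a distro-supplied CA bundle for their own account, which is exactly the multi-user question raised in the reply.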
