Projects/Export import cred

From K5Wiki
Jump to: navigation, search
This project was completed in release 1.11.

This project is to add gss_export_cred and gss_import_cred extensions.


The GSS-Proxy project allows GSS operations to be proxied through a daemon. The proxy daemon can be much more robust if it is stateless. To achieve statelessness, the daemon must be able to respond to a caller's gss_acquire_cred() call with an object containing the actual credential information (or a reference to its on-disk representation). For this, we need a way to serialize and deserialize a GSS credential object.

There are two pieces of prior work in this area: an expired internet draft from 2003(draft-engert-ggf-gss-extensions-00) and a Heimdal implementation. The Heimdal API signatures do not match the draft's proposal (Heimdal's signatures are much simpler). We will follow Heimdal's API rather than the draft's. However, we are not required to match Heimdal's token format.

API extensions

The GSS extensions to be implemented are:

   OM_uint32 gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
                             gss_buffer_t token);
   OM_uint32 gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
                             gss_cred_id_t *cred_handle);

A mechglue credential containing multiple mech credentials exports to a token containing all of the serialized mech credentials, each tagged so that it can be imported by the proper mechanism. If any of the mechanisms cannot export its mech credential, exporting the mechglue credential fails.

Token format

The mechglue token format will be the same as Heimdal's, which is one or more repetitions of the following sequence:

  1. A four-byte big-endian number giving the length of the mechanism OID
  2. The mechanism OID
  3. A four-byte big-endian number giving the length of the mechanism token
  4. The mechanism token

A SPNEGO mechanism token will be the mechglue token for SPNEGO's underlying mechglue cred.

A krb5 mechanism token will use JSON to represent each of the credential's structure fields, except for the destroy_ccache flag. The credential's rcache and keytab will be marshalled by name. The credential's ccache will be marshalled by name unless it is a memory keytab, in which case it will be marshalled by contents. Binary fields within the marshalled character (such as encryption keys) will be encoded in base64 and marshalled as JSON strings. The exported credential will be wrapped in a JSON array whose first element is "K5C1" in order to gracefully detect attempts to import a token in the wrong format.

Here is an example of a krb5 mechanism token representing a default acceptor credential:


Here is an example of a krb5 mechanism token representing a delegated credential (which uses a memory ccache, so we must marshal the ccache contents):



First, we will add internal facilities for base64 and JSON. Declarations will be in include/k5-base64.h and include/k5-json.h; code will be in util/support/base64.c and util/support/json.c. The code will be loosely based on the equivalent facilities in Heimdal. The JSON infrastructure will include a very simple dynamic type system in order to represent JSON values.

The mechglue code will be relatively simple. To export, we will invoke each mechanism's gss_export cred function, then add the length and value for the mech OID and token to a k5buf. When importing, we will use a helper function to parse out the lengths and values for each mech OID and mech token, then invoke the appropriate mech's import_token function and add the result to a mechglue credential.

The SPNEGO code will export by simply calling the mechglue gss_export_cred function on its mechglue cred. To import, it will use the mechglue to import the token as a mechglue cred, then construct a SPNEGO credential wrapper.

The krb5 code will export by recursively translating the krb5 cred record into a JSON value, then encoding the value. To import, it will decode the JSON value, then recursively translate it into a krb5 cred record. This methodology may eventually be used to replace the current libkrb5 serialization code, but that is beyond the scope of this project.


A test program will acquire initiator and acceptor creds, export and re-import each one, then perform a single-token GSSAPI exchange with credential delegation. The delegated cred will be exported and re-imported, then stored to the default ccache. A Python wrapper will invoke the test program with various permutations of mechanism choices and names.


gssapi.rst will be amended to document the new extension.

Mailing list discussions

Release notes

Developer experience:

  • Add new APIs gss_export_cred and gss_import_cred to serialize and unserialize GSSAPI credentials.