1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
|
MyProxyv2 protocol
Section A
------- -
Basic Tenants:
1) All communications between MyProxy process will be authenticated
via GSSAPI. The MyProxyServer will always be the accepting side and
will have an identity of "host/<fully qualified host name>" or
"myproxy/<fully qualified host name>".
2) The transport protocol will be SSL (Kerberos support is planned)
Each message will be integrity protected and encrypted via gss_wrap().
3) Messages will consist of either one or more NULL-terminated ASCII text
strings or a single chunk of arbitrary data whose meaning is determined
by the context of the current state of the protocol.
4) All communications will be over TCP.
5) By default the MyProxy server will listen on port 7512 unless
otherwise specified. [NOTE - the port number choice is arbitrary.]
6) MyProxy server always replies to the requests with either a OK,
ERROR, or AUTHORIZATION message:
An OK message will simply contain:
VERSION=MYPROXYv2
RESPONSE=0
An ERROR message will contain:
VERSION=MYPROXYv2
RESPONSE=1
ERROR=<error text>
ERROR=<error text>
...
There may be one or more lines of error text, with the intent that the
client may concatenate them together (separated with carriage returns).
The line separator is the LF character: '\n'.
After sending an ERROR response myproxy-server will close the
connection and no more data should be sent in either direction.
If the client sends an empty passphrase, the server can also reply
with a MYPROXY_AUTHORIZATION_RESPONSE message:
VERSION=MYPROXYv2
RESPONSE=2
AUTHORIZATION_DATA=<method id>:<method data>
...
There may be more then one line of authorization data. The purpose
of this message is to provide the client with available
authorization methods along with data needed to use the
methods. The client will choose one method, create a response
according to server's challenge and send it back to the server.
The first four bytes of the response convey a method
identifier (see myproxy_authorization.[ch] for supported methods).
Currently, the identifier is specified in the first byte only.
The remaining three bytes are ignored.
The contents of the remaining part of the response depends on the
particular authorization method and is not specified here.
The server will verify the response, check authorization data,
check authorization policy and reply with either an OK or an ERROR
message. Then the protocol will continue.
Currently there are two supported methods: the original password
based and a new X.509 certificate based. When using the later one,
the server will generate a random 32 bytes long challenge, encode
it into an ASCII string and send to the client as <method
data>. The client will sign the challenge with its private key and
send the result back along with the whole certificate chain.
Format of the client's response in this case is following:
- first four bytes state length of the signature
- signature itself
- four bytes state number of certificates sent
- certificates in the ASN.1 encoding.
Since the original client never sends an empty password,
compatibility is retained (the MYPROXY_AUTHORIZATION_RESPONSE
message is sent iff the server receives an empty password).
7) The delegated credentials are sent over the wire as a chain of
certificates in a _single_ message.
The message contains: A byte that indicates the number of certificates
in the message followed by the certificates of the certificate chain.
Each certificate is encoded in the stardard X.509 v3 ASN.1 format.
The first certificate sent is the newly delegated certificate,
followed by the first certificate of the certificate chain,
and the rest of the chain. The last certificate sent should be the user
certificate signed by the CA. The CA certificate does not have to be
included.
8) For protocol extensibility, clients and servers are expected to
ignore lines in messages that they don't understand.
====
Section B
------- -
MyProxyInit <-> MyProxyServer protocol
The following illustrates a MyProxyInit process connecting to a
MyProxyServer process and storing a proxy for later retrieval.
1) MyProxyInit will make a connection to the MyProxyServer at the
host and port as specified by its configuration or the user.
2) MyProxyInit will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See Section A.1.
3) MyProxyInit will then send a message to MyProxyServer containing
the following strings:
VERSION=MYPROXYv2
COMMAND=1
USERNAME=<username>
PASSPHRASE=<pass phrase>
LIFETIME=<lifetime>
and optional strings
RETRIEVER=<retriever_dn>
RENEWER=<renewer_dn>
CRED_NAME=<credential name>
CRED_DESC=<credential description>
The intent of the VERSION string is to allow the server to know
if it is dealing with an outdated or newer client.
<username> and <pass phrase> are the strings supplied by the
user to be used for retrieval by the portal. <lifetime> is the
ASCII representation of the lifetime of the proxy to be delegated
to the portal, in seconds. <retriever_dn> and <renewer_dn> are strings
specifying the retriever and renewer policy regular expressions.
<credential name> assigns a name to the credential, allowing
multiple credentials to be stored for a given username.
<credential description> can provide additional descriptive text
to be displayed in MyProxyInfo requests, for example.
4) MyProxyServer will then respond with either a OK or an ERROR message.
See Section A.6 for details.
5) Next, the server will perform delegation with the client.
The MyProxyServer will generate a public/private key pair and send
the public key to the MyProxyInit client as a certificate request.
MyProxyInit client will sign the request with its proxy private key
and send the new certificate and the entire certificate chain back
to the server.
See section A.8 for details of the certificate chain message.
6) MyProxyServer will read the individual certificates, chain them back
up together into a new delegated credentials and store them. The server
also stores the retriever and renewer DN strings if they are specified.
7) MyProxyServer will then respond with either a OK message if it
successfully stored the proxy or an ERROR message if an error occurred.
For example, an error might occur when the stored proxy already exists
for the same username but belongs to another user.
For the reply message details see section A.6.
8) At this point, both sides should close the connection.
====
Section C
------- -
MyProxyGet <-> MyProxyServer protocol
The following illustrates a MyProxyGet process connecting to
a MyProxyServer process and retrieving a proxy for use.
1) MyProxyGet makes a connection to the MyProxyServer as
indicated by its configuration or arguments.
2) MyProxyGet will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See Section A.1.
3) MyProxyGet will then send a message to MyProxyServer containing
the following strings:
VERSION=MYPROXYv2
COMMAND=0
USERNAME=<username>
PASSPHRASE=<pass phrase>
LIFETIME=<requested lifetime>
The message can also contain an optional string :
CRED_NAME=<credential name>
The intent of the VERSION string is to allow the server to know
if it is dealing with an outdated or newer client.
<username> and <pass phrase> are the strings supplied by the
user to the portal to be used for retrieval by the portal.
4) MyProxyServer will then respond with either a OK, ERROR, or
AUTHORIZATION message. See Section A.6 for details.
5) Next, the server will delegate the user credential to the client.
The MyProxyGet will generate a public/private key pair and send
the public key to the MyProxyServer as a certificate request.
MyProxyServer will sign the request with the private key of the stored
user credential and send it as a new certificate back to the client
along with the rest of the certificate chain of the stored credential.
See section A.7 for details of the certificate chain message.
The MyProxyGet will then chain up the certificates together and create
the new user credentials.
6) MyProxyServer will then respond with either a OK message if it
successfully completed sending the certificates or an ERROR message
if an error occurred. See section A.6 for details.
7) At this point, both sides should close the connection.
====
Section D
------- -
MyProxyDestroy <-> MyProxyServer protocol
The following illustrates a MyProxyDestroy process connecting to
a MyProxyServer process and removing a proxy.
1) MyProxyDestroy makes a connection to the MyProxyServer as
indicated by its configuration or arguments.
2) MyProxyDestroy will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See section A.1.
3) MyProxyDestroy will then send a message to MyProxyServer containing
the following strings:
VERSION=MYPROXYv2
COMMAND=3
USERNAME=<username>
PASSPHRASE=<pass phrase>
The message can also contain an optional string :
CRED_NAME=<credential name>
The intent of the VERSION string is to allow the server to know
if it is dealing with an outdated or newer client.
<username> and <pass phrase> are the strings supplied by the
user to the portal used for retrieval of a proxy from the portal.
4) MyProxyServer will then respond with either a OK or an ERROR message.
See section A.6 for details.
5) At this point, both sides should close the connection.
====
Section E
------- -
MyProxyInfo <->MyProxyServer protocol
The following illustrates a MyProxyInfo process connecting to a
MyProxyServer process and queries information about a proxy.
1) MyProxyInfo makes a connection to the MyProxyServer as indicated by its
configuration or arguments.
2) MyProxyInfo will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See section A.1.
3) MyProxyInfo will then send a message to MyProxyServer containing the
following strings:
VERSION=MYPROXYv2
COMMAND=2
USERNAME=<username>
PASSPHRASE=<pass phrase>
The intent of the VERSION string is to allow the server to know if it is
dealing with an outdated or newer client.
<username> and <pass phrase> are the strings supplied by the user.
4) MyProxyServer will then respond with either a OK or an ERROR message.
See section A.6 for details. If the response is OK it will also contain
the following strings:
CRED_NAME=<credential name> // optional
CRED_DESC=<credential description> // optional
CRED_START_TIME=<start_time> // required
CRED_END_TIME=<end_time> // required
CRED_OWNER=<subject_name> // required
CRED_RETRIEVER=<retriever regex> // optional
CRED_RENEWER=<renewer regex> // optional
ADDL_CREDS=cred1,cred2,....,credn // If multiple creds are stored
CRED_cred1_DESC=<credential description> // optional
CRED_cred1_START_TIME=<start_time> // required
CRED_cred1_END_TIME=<end time> // required
CRED_cred1_OWNER=<subject name> // required
CRED_cred1_RETRIEVER=<retriever regex> // optional
CRED_cred1_RENEWER=<renewer regex> // optional
....
The time strings carry information on lifetime of the proxy in a
repository. Both the times are in unix format, i.e. number seconds since
the Epoch (00:00:00 UTC January 1, 1970). The <subject_name> field
contains DN of the proxy's owner.
5) At this point, both sides should close the connection.
======
Section F
------- -
MyProxyChangePasswd <-> MyProxyServer protocol
The following illustrates a MyProxyChangePasswd process connecting to a
MyProxyServer process and changes password of a proxy.
1) MyProxyChangePasswd makes a connection to the MyProxyServer as
indicated by its configuration or arguments.
2) MyProxyChangePasswd will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See section A.1.
3) MyProxyChangePasswd will then send a message to MyProxyServer containing
the following strings:
VERSION=MYPROXYv2
COMMAND=4
USERNAME=<username>
PASSPHRASE=<credential pass phrase>
NEW_PHRASE=<new pass phrase>
The message can also contain an optional string :
CRED_NAME=<credential name>
The intent of the VERSION string is to allow the server to know
if it is dealing with an outdated or newer client.
<username> and <credential pass phrase> are the strings supplied
by the user for authentication. <new pass phrase> is the new pass
phrase assigned to the credential.
4) MyProxyServer will then respond with either a OK or an ERROR message.
See section A.6 for details.
5) At this point, both sides should close the connection.
======
Section G
------- -
MyProxyStoreCertificate <-> MyProxyServer protocol
The following illustrates a MyProxyStoreCertificate process connecting to a
MyProxyServer process and storing a proxy for later retrieval.
1) MyProxyStoreCertificate will make a connection to the MyProxyServer at the
host and port as specified by its configuration or the user.
2) MyProxyStoreCertificate will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See Section A.1.
3) MyProxyStoreCertificate will then send a message to MyProxyServer
containing the following strings:
VERSION=MYPROXYv2
COMMAND=5
USERNAME=<username>
LIFETIME=<lifetime>
and optional strings
RETRIEVER=<retriever_dn>
RENEWER=<renewer_dn>
CRED_NAME=<credential name>
CRED_DESC=<credential description>
KEYRETRIEVER=<retriever_dn>
The intent of the VERSION string is to allow the server to know
if it is dealing with an outdated or newer client.
<username> is the strings supplied by the user to be used for retrieval
by the portal. <lifetime> is the ASCII representation of the lifetime of
the proxy to be delegated to the portal, in seconds. <retriever_dn> and
<renewer_dn> are strings specifying the retriever and renewer policy
regular expressions. <key retriever dns> is a string specifying the key
retriever policy regular expression. <credential name> assigns a name to
the credential, allowing multiple credentials to be stored for a given
username. <credential description> can provide additional descriptive
text to be displayed in MyProxyInfo requests, for example.
4) MyProxyServer will then respond with either a OK or an ERROR message.
See Section A.6 for details.
5) Next, the client will send the users end-entity credentials to the
server.
6) MyProxyServer will read the individual certificates and store it. The
server also stores the retriever, renewer, or key retriever DN strings if
they are specified.
7) MyProxyServer will then respond with either a OK message if it
successfully stored the proxy or an ERROR message if an error occurred.
For example, an error might occur when the stored proxy already exists
for the same username but belongs to another user.
For the reply message details see section A.6.
8) At this point, both sides should close the connection.
====
Section H
------- -
MyProxyRetrieve <-> MyProxyServer protocol
The following illustrates a MyProxyRetrieve process connecting to
a MyProxyServer process and retrieving the end-entity credentials.
1) MyProxyRetrieve makes a connection to the MyProxyServer as
indicated by its configuration or arguments.
2) MyProxyRetrieve will initiate the GSSAPI context setup loop, with
MyProxyServer accepting. See Section A.1.
3) MyProxyRetrieve will then send a message to MyProxyServer containing
the following strings:
VERSION=MYPROXYv2
COMMAND=6
USERNAME=<username>
PASSPHRASE=<pass phrase>
LIFETIME=<requested lifetime>
The message can also contain an optional string :
CRED_NAME=<credential name>
The intent of the VERSION string is to allow the server to know
if it is dealing with an outdated or newer client.
<username> and <pass phrase> are the strings supplied by the
user to the portal to be used for retrieval by the portal.
4) MyProxyServer will then respond with either a OK, ERROR, or
AUTHORIZATION message. See Section A.6 for details.
5) Next, the server will retrieve the user credential and send it to the
client.
6) At this point, both sides should close the connection.
|
