Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
This information is Copyright 2008 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
gnome-keyring
1.2. Name of Document Author/Supplier:
Author: Jeff Cai
1.3 Date of This Document:
08 July, 2008
1. Introduction
1.1. Project/Component Working Name:
GNOME Keyring
1.2. Name of Document Author/Supplier:
Author: Jeff Cai
Sponsor: Irene Huang
1.3. Date of This Document:
07/09/2008
1.4. Name of Major Document Customer(s)/Consumer(s):
1.4.1. The PAC or CPT you expect to review your project:
Solaris PAC
1.4.2. The ARC(s) you expect to review your project:
LSARC
1.4.3. The Director/VP who is "Sponsoring" this project:
Robert O'Dea
1.4.4. The name of your business unit:
Software - OPG
1.5. Email Aliases:
1.5.1. Responsible Manager: harry.lu at sun.com
1.5.2. Responsible Engineer: jeff.cai at sun.com
1.5.3. Marketing Manager:
1.5.4. Interest List: brian.cameron at sun.com
darren.moffat at sun.com
wyllys.ingersoll at sun.com
2. Project Summary
2.1. Project Description:
GNOME Keyring is a system to store passwords and other sensitive data in a
standardized way across all GNOME applications.
A keyring stores a collection of encrypted passwords and encrypted
information about those passwords. A user can have multiple keyrings, each
for a different use, but there is a default one, called 'login'. There is
also a special 'session' keyring which is not stored on disk and goes away
when you log out.
When a user logs into GNOME, the keyrings are locked and a master keyring
password has to be provided in order to unlock each of them.
This fast-track increments the version of gnome-keyring in Solaris
from 2.20.3 to 2.22.3.
4. Technical Description:
4.1. Details:
Compared with the previous version (2.20), the following features have been
added:
- Basic X.509 certificate and key store.
- PKCS#11 module for accessing certificates and keys.
- An SSH agent is now included.
- The keyring daemon is activated automatically via D-Bus if it is not
already running.
- A simpler API for accessing and storing passwords; the older APIs remain
available. Refer to [1].
4.2 GNOME Keyring SSH Agent
GNOME Keyring includes an SSH agent which integrates with the gnome-keyring
and user login for its passwords. It can also use the main X.509 private
key store.
GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
starts up.
The id_rsa and id_dsa files in ~/.ssh are automatically usable through the
SSH agent without first 'loading' them. Other X.509 private keys marked
with the 'ssh-authentication' purpose are also usable.
Additional SSH keys can be manually loaded and managed via the ssh-add
command.
If you use another SSH agent (such as the ssh-agent included with OpenSSH),
you may want to disable the SSH agent in GNOME Keyring so that ssh does not
use it instead of your preferred agent: set the gconf key
/apps/gnome-keyring/daemon-components/ssh
to false. This prevents the SSH component of gnome-keyring from starting
when the user logs in.
The default GNOME start up script (/usr/dt/config/Xsession.jds) will be
changed to NOT start up "under" ssh-agent like it does today and instead
ensure the environment variables for the gnome-keyring version are set
early enough.
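To see which keys the agent behind SSH_AUTH_SOCK actually offers (and so whether gnome-keyring has quietly picked up ~/.ssh/id_rsa), the following added example speaks the ssh-agent protocol directly, which is what ssh-add -l does. It is written for this page and is not gnome-keyring or OpenSSH code. The message type numbers and the string/mpint encoding are the real protocol; the single "RSA" key in the constructed sample reply is a dummy number with a made-up comment, and the MD5 colon-hex fingerprint format mirrors what ssh-add -l printed in 2008.

```python
"""Query the agent behind SSH_AUTH_SOCK the way 'ssh-add -l' does.
Added example for this page, not gnome-keyring code.  Wire format: every
message is uint32 length || byte type || payload; a 'string' is uint32 len || bytes."""
import hashlib
import os
import socket
import struct

SSH2_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent
SSH2_AGENT_IDENTITIES_ANSWER = 12     # agent -> client
SSH_AGENT_FAILURE = 5

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    # Big-endian two's complement; the +8 adds a 0x00 byte when the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf, pos):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_request_identities():
    body = bytes([SSH2_AGENTC_REQUEST_IDENTITIES])
    return struct.pack(">I", len(body)) + body

def rsa_public_blob(e, n):
    # ssh-rsa public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def build_identities_answer(keys):
    # The agent's reply: uint32 count, then (string blob, string comment) per key
    body = bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += ssh_string(blob) + ssh_string(comment)
    return struct.pack(">I", len(body)) + body

def key_bits(blob):
    ktype, pos = read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, pos = read_string(blob, pos)
        n, _ = read_string(blob, pos)
        return int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-dss":
        p, _ = read_string(blob, pos)          # p is the first mpint of an ssh-dss blob
        return int.from_bytes(p, "big").bit_length()
    return None

def parse_identities_answer(msg):
    (length,) = struct.unpack(">I", msg[:4])
    body = msg[4:4 + length]
    if body[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent returned SSH_AGENT_FAILURE")
    if body[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % body[0])
    (count,) = struct.unpack(">I", body[1:5])
    pos, keys = 5, []
    for _ in range(count):
        blob, pos = read_string(body, pos)
        comment, pos = read_string(body, pos)
        md5 = hashlib.md5(blob).hexdigest()   # ssh-add -l printed MD5 fingerprints in 2008
        keys.append({"type": read_string(blob, 0)[0].decode(),
                     "bits": key_bits(blob),
                     "fingerprint": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
                     "comment": comment.decode("utf-8", "replace")})
    return keys

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf

def list_agent_identities(sock_path=None):
    """Connect to the agent socket and return the keys it offers (needs a live agent)."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; no agent to talk to")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        hdr = recv_exact(s, 4)
        return parse_identities_answer(hdr + recv_exact(s, struct.unpack(">I", hdr)[0]))

def sample_answer():
    # Constructed sample: one 2048-bit "RSA" key; the modulus is a dummy number, not a real key
    blob = rsa_public_blob(65537, (1 << 2047) | 12345)
    return build_identities_answer([(blob, b"user@host ~/.ssh/id_rsa")])

if __name__ == "__main__":
    for k in list_agent_identities():
        print(k["bits"], k["fingerprint"], k["comment"], "(%s)" % k["type"])
```

Run it inside a GNOME session: if ~/.ssh/id_rsa is listed although you never ran ssh-add, SSH_AUTH_SOCK is pointing at gnome-keyring's agent. To keep OpenSSH's ssh-agent instead, set the gconf key above to false (gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false) and log in again; the listing should then show only keys you loaded explicitly.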
4.3 GNOME Keyring Certificates and Encryption Keys
The following paths are searched for encryption keys and certificate files.
- ~/.ssh/id_?sa
- ~/.gnome2/keystore/*
Most standard file formats for keys and certificates are supported:
Certificates
* Standard DER encoded certificates.
* Certificates contained in PKCS#7 files.
* Certificates contained in PKCS#8 files.
* PEM encodings of the above.
Encryption Keys
* PKCS#1 RSA keys.
* PKCS#8 encrypted RSA and DSA keys.
* DER encoded DSA keys.
* PEM encodings of the above.
* OpenSSL PEM encrypted keys.
File Encryption and Password Algorithms
PKCS#5 PBE
* DES CBC MD2
* DES CBC MD5
* DES CBC SHA1
PKCS#5 PBES2
* DES CBC SHA1
* 3DES CBC SHA1
* RC2-128 CBC SHA1
PKCS#12 PBE
* RC4-128 STREAM SHA1
* 3DES CBC SHA1
* RC2-128 CBC SHA1
* RC2-40 CBC SHA1
Note that single DES, 40-bit RC2 and RC4 give weak protection by current
standards; their presence here matters for reading existing files, and 3DES
is the strongest scheme in this list for files that are written anew.
Supported crypto mechanisms include
- DSA: sign/verify
- RSA: encrypt/decrypt sign/verify
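The following added example (written for this page, not gnome-keyring code) shows how to tell which of the password-based encryption schemes listed above protects a PKCS#8 EncryptedPrivateKeyInfo, in DER or PEM form, without decrypting it. It walks the ASN.1 structure with a minimal DER reader, decodes the algorithm OID, and for PBES2 looks at the inner cipher OID. The OID-to-name table is the standard PKCS#5 and PKCS#12 assignment; the two sample files it builds carry dummy salts, IVs and ciphertext and are not real keys. The "weak" flag is this example's own judgement, not something gnome-keyring reports.

```python
"""Report which password-based encryption scheme protects a PKCS#8
EncryptedPrivateKeyInfo (DER or PEM).  Added example for this page, not
gnome-keyring code.  Structure: SEQUENCE { AlgorithmIdentifier { OID, params },
OCTET STRING ciphertext }; PBES2 params = SEQUENCE { kdf AlgId, cipher AlgId }."""
import base64
import re

# OID -> (name as listed in this section, weak by 2008 standards?)
PBE_OIDS = {
    "1.2.840.113549.1.5.1": ("PKCS#5 PBE DES-CBC MD2", True),
    "1.2.840.113549.1.5.3": ("PKCS#5 PBE DES-CBC MD5", True),
    "1.2.840.113549.1.5.10": ("PKCS#5 PBE DES-CBC SHA1", True),
    "1.2.840.113549.1.5.13": ("PKCS#5 PBES2", None),   # strength set by the inner cipher
    "1.2.840.113549.1.12.1.1": ("PKCS#12 PBE RC4-128 SHA1", True),
    "1.2.840.113549.1.12.1.3": ("PKCS#12 PBE 3DES-CBC SHA1", False),
    "1.2.840.113549.1.12.1.5": ("PKCS#12 PBE RC2-128-CBC SHA1", True),
    "1.2.840.113549.1.12.1.6": ("PKCS#12 PBE RC2-40-CBC SHA1", True),
}
PBES2_CIPHERS = {
    "1.3.14.3.2.7": ("DES-CBC", True),
    "1.2.840.113549.3.7": ("3DES-CBC", False),
    "1.2.840.113549.3.2": ("RC2-CBC", True),
}

def der_read(buf, pos):
    """One DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:              # last base-128 digit of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def identify_pbe(data):
    """{oid, name, weak, ciphertext_len} for a DER or PEM EncryptedPrivateKeyInfo."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    if m:   # PEM: drop the armour and base64-decode to DER
        data = base64.b64decode(b"".join(m.group(1).split()))
    tag, epki, _ = der_read(data, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, alg_id), (_, ciphertext) = der_children(epki)[:2]
    alg = der_children(alg_id)                 # [(OID tag, bytes), (params tag, bytes)]
    oid_str = decode_oid(alg[0][1])
    name, weak = PBE_OIDS.get(oid_str, ("unknown PBE OID " + oid_str, None))
    if oid_str == "1.2.840.113549.1.5.13":    # PBES2: strength is set by the inner cipher
        _kdf, (_, scheme) = der_children(alg[1][1])
        cipher_oid = decode_oid(der_children(scheme)[0][1])
        cname, weak = PBES2_CIPHERS.get(cipher_oid, ("unknown cipher " + cipher_oid, None))
        name += " " + cname
    return {"oid": oid_str, "name": name, "weak": weak, "ciphertext_len": len(ciphertext)}

# --- constructed samples (dummy salt/IV/ciphertext, not real keys) ----------------
def der(tag, content):
    assert len(content) < 128          # short-form length is enough for these samples
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                        # continuation bytes carry bit 7 set
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))

def sample_pbe1():
    # pbeWithMD5AndDES-CBC; params = PBEParameter { salt OCTET STRING, iterationCount 2048 }
    params = der(0x30, der(0x04, b"\x00" * 8) + der(0x02, b"\x08\x00"))
    alg = der(0x30, encode_oid("1.2.840.113549.1.5.3") + params)
    return der(0x30, alg + der(0x04, b"\xAA" * 16))

def sample_pbes2_pem():
    # PBES2 with PBKDF2 and des-ede3-cbc (IV in the cipher params), PEM-armoured
    kdf = der(0x30, encode_oid("1.2.840.113549.1.5.12") + der(0x30, der(0x04, b"\x01" * 8) + der(0x02, b"\x08\x00")))
    cipher = der(0x30, encode_oid("1.2.840.113549.3.7") + der(0x04, b"\x02" * 8))
    alg = der(0x30, encode_oid("1.2.840.113549.1.5.13") + der(0x30, kdf + cipher))
    body = base64.b64encode(der(0x30, alg + der(0x04, b"\xBB" * 24)))
    return b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + body + b"\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Point identify_pbe at the bytes of any file under ~/.gnome2/keystore that is a PKCS#8 encrypted key; a "weak" result means the file is protected by single DES, 40-bit RC2 or RC4 and is worth re-encrypting with a stronger scheme before relying on it.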
4.4 GNOME Keyring Cryptoki (PKCS#11) Support
PKCS#11 is a standard that lets applications use encryption keys and
certificates on devices like smart cards. gnome-keyring implements this
standard [6] and acts as such a device, storing keys and certificates and
making them available for applications to use.
PKCS#11 deals directly with things like RSA/DSA signing operations and
certificate attributes, so it is fairly low level. Usually an application
uses PKCS#11 through a crypto library such as NSS; see [5] for how to
point other applications at the gnome-keyring module.
The PKCS#11 module in gnome-keyring uses the libgcrypt API for the actual
cryptographic operations; nowhere in the keyring/pkcs11 code is RSA or DSA
key generation or crypto functionality re-implemented.
4.5. Interfaces:
Exported Interfaces

Interface                                Classification   Comments
---------------------------------------  ---------------  -----------------------------------
SUNWgnome-libs                           Uncommitted      Package name (unchanged)
SUNWgnome-libs-devel                     Uncommitted      Package name (unchanged)
/usr/lib/libgnome-keyring.so             Volatile         Symbolic link (unchanged)
/usr/lib/libgnome-keyring.so.0           Volatile         SONAME (changed)
/usr/share/gconf/schemas/                Volatile         GConf key schemas that define the
  gnome-keyring.schemas                                   preferences for the tools (New)
/usr/bin/gnome-keyring-daemon            Volatile         (unchanged)
/usr/lib/gnome-keyring-ask               Project Private  (unchanged)
/usr/lib/gnome-keyring/                  Volatile         PKCS#11 module (New)
  gnome-keyring-pkcs11.so
/usr/lib/pkgconfig/gnome-keyring-1.pc    Volatile         (unchanged)
/usr/include/gnome-keyring-1/            Volatile         (unchanged)
  gnome-keyring.h
/usr/include/gnome-keyring-1/            Volatile         (unchanged)
  gnome-keyring-memory.h
/usr/include/gnome-keyring-1/            Volatile         (unchanged)
  gnome-keyring-result.h
~/.gnome2/keyrings                       Project Private  Location where keyrings are stored
/usr/share/dbus-1/services/              Project Private  D-Bus service file (New)
  org.gnome.keyring.service
org.gnome.keyrings.Daemon                Volatile         D-Bus interface (session bus)
org.gnome.keyrings.Daemon                Volatile         D-Bus method; returns the daemon's
  GetSocketPath                                           socket path

Imported Interfaces

Interface        Classification   Comments
---------------  ---------------  -----------------------
GTK+             Committed        LSARC/2008/207
GLib             Committed        LSARC/2008/207
D-Bus            Volatile         LSARC/2006/368
libhal           Volatile         PSARC/2005/399
libgcrypt        Volatile         LSARC/2008/354
libtasn1         Volatile         LSARC/2008/390
4.6. Packaging & Delivery:
No new packages are delivered. The two existing packages are updated:
SUNWgnome-libs (base package) - binaries
SUNWgnome-libs-devel - development package
4.7 Security Impact:
Please refer to [7]. Note that [7] was written for GNOME 2.14 and so predates
the SSH agent and PKCS#11 module added in this version. As with any SSH
agent, every process that can connect to the SSH_AUTH_SOCK socket can
request signatures with the keys the agent serves; here that includes
~/.ssh/id_rsa and id_dsa without any explicit ssh-add.
4.8 Dependencies:
libtasn1 is a new imported interface. gnome-keyring uses libtasn1 to parse
X.509 certificates and other ASN.1-encoded data.
5. References
[1] New API for storing passwords:
    http://live.gnome.org/GnomeKeyring/StoringPasswords
[2] Homepage: http://live.gnome.org/GnomeKeyring
[3] API documentation: http://library.gnome.org/devel/gnome-keyring/stable/
[4] GNOME 2.14 ARC case: LSARC/2006/202
[5] Configuring other applications to use gnome-keyring certificates and
    keys: http://live.gnome.org/GnomeKeyring/ApplicationSetup
[6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
[7] GNOME 2.14 security questionnaire:
    http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
Desktop
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open