[zeromq-dev] curvezmq ZAP zmq_msg_gets fields: is there a complete list & how to get the public key specifically

Jonas Thiem jonasthiem at googlemail.com
Mon Feb 1 14:56:34 CET 2016


Thanks for the exhaustive answer!

We use zmq.auth.thread.ThreadAuthenticator in pyzmq - I guess this is
the default zauth implementation you mentioned.

Are there any plans to add this to zauth in the near future? Is there
another good way of identifying the users securely? (Others should
have hit this same scenario before, right?) Or is everyone just
writing custom authenticators for their projects to make this work?

Regards,
Jonas Thiem

On Sun, Jan 31, 2016 at 3:49 PM, Pieter Hintjens <ph at imatix.com> wrote:
> There are several independent protocols and APIs at work here.
>
> First, CurveZMQ governs the handshake itself, and ZMTP wraps that in a
> transport protocol as the CURVE mechanism. Then, ZAP connects an
> external authenticator. There is *no* authenticator in libzmq so by
> default, CURVE connections are refused. Then you have the per-message
> properties, which the authenticator can set as it wishes. One of these
> might be the public key. That would be the only way to access it.
> User-Id is an example property, a field you might pull from a
> certificate.
>
> The most popular authenticator is czmq/zauth.c, which you can read. I
> see a comment in that class:
>
>     //  TODO: load metadata from certificate and return via ZAP response
>
> So without digging deeper, I assume it's not returning any metadata.
> The code predates the zmq_msg_gets () api and needs some love now.
>
> If you really want to understand this flow (and it's not trivial,
> sorry) then perhaps this is the place to start: bring zauth up to
> scratch so it returns all metadata and the public key from the
> certificate.
>
> -Pieter
>
> On Fri, Jan 29, 2016 at 2:23 PM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
>> Hi,
>>
>> I am trying to solve the following: using the standard CURVE mechanism
>> for authentication, how can I get either the full public key or the
>> fingerprint of the public key the client used to connect, from a
>> received message frame from that respective client?
>>
>> zmq_msg_gets seems to retrieve all sorts of possibly useful fields set
>> by the authenticator mechanism ("User-Id", ..). However, this just seems
>> to be briefly mentioned at http://api.zeromq.org/4-2:zmq-msg-gets
>> without a comprehensive list, and the only guide on Curve ZMQ I could
>> find http://curvezmq.org/page:read-the-docs seems to be more of a
>> specification of the raw protocol, not the api of the zmq default
>> implementation.
>>
>> In addition, "User-Id" specifically just seems to contain "user" (as an
>> actual string) for my test, which doesn't really seem to be useful
>> information(?).
>>
>> Therefore, I wondered whether there is:
>>
>> 1. a complete list/documentation of all fields set by the curve ZAP
>> mechanism as provided in the standard implementation (like "User-Id" and
>> others)
>>
>> 2. a specific field or some other helper function that allows me to
>> obtain the respective public key of a message frame
>>
>> Sorry if I missed some obvious guide that contains all this info, please
>> feel free to link if there is one!
>>
>> Regards,
>> Jonas Thiem
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev

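The reply above says the public key only reaches the application if the authenticator puts it into its ZAP response. The following is an added example, not code from this thread, czmq or pyzmq: it builds the reply frames of a ZAP 1.0 handler (frame layout per the ZAP specification) and returns the client's key as the user id and as a metadata property. The allowlist dictionary, the `X-Public-Key` and `X-Label` property names and the sample key are assumptions of the example.

```python
import struct

Z85 = ("0123456789abcdefghijklmnopqrstuvwxyz"
       "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")

def z85_encode(data: bytes) -> str:
    """Z85 text form of a key: every 4-byte group becomes 5 characters."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    return "".join(Z85[word // 85 ** i % 85]
                   for (word,) in struct.iter_unpack(">I", data)
                   for i in (4, 3, 2, 1, 0))

def encode_metadata(props: dict) -> bytes:
    """ZMTP property list: 1-byte name length, name, 4-byte big-endian value length, value."""
    out = b""
    for name, value in props.items():
        n, v = name.encode(), value.encode()
        out += bytes([len(n)]) + n + struct.pack(">I", len(v)) + v
    return out

def zap_reply(request: list, allowed: dict) -> list:
    """Build the ZAP 1.0 reply frames for one request (frames after the empty delimiter).

    `allowed` maps Z85 public keys to a label; both it and the X- property
    names below are assumptions of this example.
    """
    request_id = request[1] if len(request) > 1 else b""
    def reply(code, text, user_id=b"", metadata=b""):
        return [b"1.0", request_id, code, text, user_id, metadata]
    if len(request) < 6 or request[0] != b"1.0":
        return reply(b"500", b"Malformed ZAP request")
    mechanism, credentials = request[5], request[6:]
    # For CURVE the single credential frame is the client's 32-byte long-term public key.
    if mechanism != b"CURVE" or len(credentials) != 1 or len(credentials[0]) != 32:
        return reply(b"400", b"CURVE public key required")
    key = z85_encode(credentials[0])
    if key not in allowed:
        return reply(b"400", b"Unknown public key")
    # User id and metadata are what the authenticator hands back for the connection.
    metadata = encode_metadata({"X-Public-Key": key, "X-Label": allowed[key]})
    return reply(b"200", b"OK", key.encode(), metadata)

# Constructed sample: a made-up 32-byte key and the request frames a ZAP handler would receive.
SAMPLE_KEY = bytes.fromhex("864fd26fb559f75b" * 4)
SAMPLE_REQUEST = [b"1.0", b"req-1", b"global", b"127.0.0.1", b"", b"CURVE", SAMPLE_KEY]
```

With a reply built this way, the user id frame carries the Z85 key instead of a fixed string, so the "User-Id" property read through zmq_msg_gets identifies the key that authenticated the connection.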