[zeromq-dev] curvezmq ZAP zmq_msg_gets fields: is there a complete list & how to get the public key specifically
Jonas Thiem
jonasthiem at googlemail.com
Mon Feb 1 15:05:30 CET 2016
Sorry, I forgot this part which might be relevant:
We configure the authenticator with this code line:
    self.auth.configure_curve(domain='*',
                              location=self.public_key_temp_dir)
Basically all I'm wondering is how to find out WHICH of the public
keys the client used to identify (of those in the specified
location/key folder) after I successfully received a message from a
logged in client.
On Mon, Feb 1, 2016 at 2:56 PM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
> Thanks for the exhaustive answer!
>
> We use zmq.auth.thread.ThreadAuthenticator in pyzmq - I guess this is
> the default zauth implementation you mentioned.
>
> Are there any plans to add this to zauth in the near future? Is there
> another good way of identifying the users securely? (Others should
> have hit this same scenario before, right?) Or is everyone just
> writing custom authenticators for their projects to make this work?
>
> Regards,
> Jonas Thiem
>
> On Sun, Jan 31, 2016 at 3:49 PM, Pieter Hintjens <ph at imatix.com> wrote:
>> There are several independent protocols and APIs at work here.
>>
>> First, CurveZMQ governs the handshake itself, and ZMTP wraps that in a
>> transport protocol as the CURVE mechanism. Then, ZAP connects an
>> external authenticator. There is *no* authenticator in libzmq so by
>> default, CURVE connections are refused. Then you have the per-message
>> properties, which the authenticator can set as it wishes. One of these
>> might be the public key. That would be the only way to access it.
>> User-Id is an example property, a field you might pull from a
>> certificate.
>>
>> The most popular authenticator is czmq/zauth.c, which you can read. I
>> see a comment in that class:
>>
>> // TODO: load metadata from certificate and return via ZAP response
>>
>> So without digging deeper, I assume it's not returning any metadata.
>> The code predates the zmq_msg_gets () api and needs some love now.
>>
>> If you really want to understand this flow (and it's not trivial,
>> sorry) then perhaps this is the place to start: bring zauth up to
>> scratch so it returns all metadata and the public key from the
>> certificate.
>>
>> -Pieter
>>
>> On Fri, Jan 29, 2016 at 2:23 PM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
>>> Hi,
>>>
>>> I am trying to solve the following: using the standard CURVE mechanism
>>> for authentication, how can I get either the full public key or the
>>> fingerprint of the public key the client used to connect, from a
>>> received message frame from that respective client?
>>>
>>> zmq_msg_gets seems to retrieve all sorts of possibly useful fields set
>>> by the authenticator mechanism ("User-Id", ..). However, this just seems
>>> to be briefly mentioned at http://api.zeromq.org/4-2:zmq-msg-gets
>>> without a comprehensive list, and the only guide on Curve ZMQ I could
>>> find http://curvezmq.org/page:read-the-docs seems to be more of a
>>> specification of the raw protocol, not the api of the zmq default
>>> implementation.
>>>
>>> In addition, "User-Id" specifically just seems to contain "user" (as an
>>> actual string) for my test, which doesn't really seem to be useful
>>> information(?).
>>>
>>> Therefore, I wondered whether there is:
>>>
>>> 1. a complete list/documentation of all fields set by the curve ZAP
>>> mechanism as provided in the standard implementation (like "User-Id" and
>>> others)
>>>
>>> 2. a specific field or some other helper function that allows me to
>>> obtain the respective public key of a message frame
>>>
>>> Sorry if I missed some obvious guide that contains all this info, please
>>> feel free to link if there is one!
>>>
>>> Regards,
>>> Jonas Thiem
>>> _______________________________________________
>>> zeromq-dev mailing list
>>> zeromq-dev at lists.zeromq.org
>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
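The reply-side step described in the quoted answer, where the ZAP authenticator decides which properties come back with each message, shown as an added example (not part of the original thread, and not czmq or pyzmq code): a handler that takes the frames of one ZAP request and, for a known CURVE key, returns the Z85 form of that key as the User-Id. The frame layout follows the ZAP and ZMTP 3.0 specifications; SAMPLE_KEY, the allowed_keys set and the X-Public-Key property name are assumptions made for the illustration.

```python
import struct

Z85 = ("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
       ".-:+=^!/*?&<>()[]{}@%$#")
SAMPLE_KEY = bytes(range(32))  # constructed 32-byte value, not a real key

def z85_encode(raw):
    """Z85 (ZeroMQ RFC 32): each 4-byte big-endian word becomes 5 characters."""
    if len(raw) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = ""
    for (word,) in struct.iter_unpack(">I", raw):
        chunk = ""
        for _ in range(5):
            word, rem = divmod(word, 85)
            chunk = Z85[rem] + chunk
        out += chunk
    return out

def zmtp_metadata(props):
    """ZMTP 3.0 metadata: 1-byte name length, name, 4-byte value length, value."""
    blob = b""
    for name, value in props.items():
        n, v = name.encode(), value.encode()
        blob += bytes([len(n)]) + n + struct.pack(">I", len(v)) + v
    return blob

def handle_zap_request(frames, allowed_keys):
    """Build the ZAP reply frames for one request (frames: list of bytes)."""
    if len(frames) < 6:
        return [b"1.0", b"", b"400", b"Malformed request", b"", b""]
    version, request_id, domain, address, identity, mechanism = frames[:6]
    credentials = frames[6:]  # for CURVE: one frame, the client's public key
    def deny(text):
        # ZAP requires empty user id and metadata on any non-200 status.
        return [b"1.0", request_id, b"400", text, b"", b""]
    if version != b"1.0":
        return deny(b"Invalid version")
    if mechanism != b"CURVE":
        return deny(b"Security mechanism not supported")
    if len(credentials) != 1 or len(credentials[0]) != 32:
        return deny(b"Invalid credentials")
    key_z85 = z85_encode(credentials[0])
    if credentials[0] not in allowed_keys:
        return deny(b"Unknown key")
    # User-Id carries the key itself, so the receiver can tell clients apart.
    meta = zmtp_metadata({"X-Public-Key": key_z85})  # hypothetical property name
    return [b"1.0", request_id, b"200", b"OK", key_z85.encode(), meta]
```

On the receiving side, the User-Id value set here is what zmq_msg_gets returns for "User-Id" on a message from that connection.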