[zeromq-dev] curvezmq ZAP zmq_msg_gets fields: is there a complete list & how to get the public key specifically

Pieter Hintjens ph at imatix.com
Mon Feb 1 16:47:37 CET 2016


I don't know what authenticator pyzmq provides. zauth is part of CZMQ.
If your binding doesn't provide an authenticator then you need to
write your own.



On Mon, Feb 1, 2016 at 3:05 PM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
> Sorry, I forgot this part which might be relevant:
> We configure the authenticator with this code line:
>
> self.auth.configure_curve(domain='*',
>                 location=self.public_key_temp_dir)
>
> Basically all I'm wondering is how to find out WHICH of the public
> keys the client used to identify (of those in the specified
> location/key folder) after I successfully received a message from a
> logged in client.
>
>
> On Mon, Feb 1, 2016 at 2:56 PM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
>> Thanks for the exhaustive answer!
>>
>> We use zmq.auth.thread.ThreadAuthenticator in pyzmq - I guess this is
>> the default zauth implementation you mentioned.
>>
>> Are there any plans to add this to zauth in the near future? Is there
>> another good way of identifying the users securely? (Others should
>> have hit this same scenario before, right?) Or is everyone just
>> writing custom authenticators for their projects to make this work?
>>
>> Regards,
>> Jonas Thiem
>>
>> On Sun, Jan 31, 2016 at 3:49 PM, Pieter Hintjens <ph at imatix.com> wrote:
>>> There are several independent protocols and APIs at work here.
>>>
>>> First, CurveZMQ governs the handshake itself, and ZMTP wraps that in a
>>> transport protocol as the CURVE mechanism. Then, ZAP connects an
>>> external authenticator. There is *no* authenticator in libzmq so by
>>> default, CURVE connections are refused. Then you have the per-message
>>> properties, which the authenticator can set as it wishes. One of these
>>> might be the public key. That would be the only way to access it.
>>> User-Id is an example property, a field you might pull from a
>>> certificate.
>>>
>>> The most popular authenticator is czmq/zauth.c, which you can read. I
>>> see a comment in that class:
>>>
>>>     //  TODO: load metadata from certificate and return via ZAP response
>>>
>>> So without digging deeper, I assume it's not returning any metadata.
>>> The code predates the zmq_msg_gets () api and needs some love now.
>>>
>>> If you really want to understand this flow (and it's not trivial,
>>> sorry) then perhaps this is the place to start: bring zauth up to
>>> scratch so it returns all metadata and the public key from the
>>> certificate.
>>>
>>> -Pieter
>>>
>>> On Fri, Jan 29, 2016 at 2:23 PM, Jonas Thiem <jonasthiem at googlemail.com> wrote:
>>>> Hi,
>>>>
>>>> I am trying to solve the following: using the standard CURVE mechanism
>>>> for authentication, how can I get either the full public key or the
>>>> fingerprint of the public key the client used to connect, from a
>>>> received message frame from that respective client?
>>>>
>>>> zmq_msg_gets seems to retrieve all sorts of possibly useful fields set
>>>> by the authenticator mechanism ("User-Id", ..). However, this just seems
>>>> to be briefly mentioned at http://api.zeromq.org/4-2:zmq-msg-gets
>>>> without a comprehensive list, and the only guide on Curve ZMQ I could
>>>> find http://curvezmq.org/page:read-the-docs seems to be more of a
>>>> specification of the raw protocol, not the api of the zmq default
>>>> implementation.
>>>>
>>>> In addition, "User-Id" specifically just seems to contain "user" (as an
>>>> actual string) for my test, which doesn't really seem to be useful
>>>> information(?).
>>>>
>>>> Therefore, I wondered whether there is:
>>>>
>>>> 1. a complete list/documentation of all fields set by the curve ZAP
>>>> mechanism as provided in the standard implementation (like "User-Id" and
>>>> others)
>>>>
>>>> 2. a specific field or some other helper function that allows me to
>>>> obtain the respective public key of a message frame
>>>>
>>>> Sorry if I missed some obvious guide that contains all this info, please
>>>> feel free to link if there is one!
>>>>
>>>> Regards,
>>>> Jonas Thiem
>>>> _______________________________________________
>>>> zeromq-dev mailing list
>>>> zeromq-dev at lists.zeromq.org
>>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>> _______________________________________________
>>> zeromq-dev mailing list
>>> zeromq-dev at lists.zeromq.org
>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev



More information about the zeromq-dev mailing list