1. Introduction

1.1. Project/Component Working Name:
     GNOME Keyring

1.2. Name of Document Author/Supplier:
     Author: Jeff Cai
     Sponsor: Irene Huang

1.3. Date of This Document:
     07/09/2008

1.4. Name of Major Document Customer(s)/Consumer(s):
1.4.1. The PAC or CPT you expect to review your project:
       Solaris PAC
1.4.2. The ARC(s) you expect to review your project:
       LSARC
1.4.3. The Director/VP who is "Sponsoring" this project:
       Robert O'Dea
1.4.4. The name of your business unit:
       Software - OPG

1.5. Email Aliases:
1.5.1. Responsible Manager: harry.lu@sun.com
1.5.2. Responsible Engineer: jeff.cai@sun.com
1.5.3. Marketing Manager:
1.5.4. Interest List: brian.cameron@sun.com darren.moffat@sun.com wyllys.ingersoll@sun.com

2. Project Summary

2.1. Project Description:

GNOME Keyring is a system to store passwords and other sensitive data in a standardized way across all GNOME applications. A keyring stores a collection of encrypted passwords and encrypted information about those passwords. A user can have multiple keyrings, each for a different use, but there is a default one, called 'login'. There is also a special 'session' keyring which is not stored on disk and goes away when you log out. When a user logs into GNOME, the keyrings are locked and a master keyring password has to be provided in order to unlock each of them.

This fast-track increments the version of gnome-keyring in Solaris from 2.20.3 to 2.22.3.

4. Technical Description:

4.1. Details:

Compared with the previous version 2.20, the following features have been added:

- Basic X.509 certificate and key store.
- PKCS#11 module for accessing certificates and keys.
- Now includes an SSH agent.
- Automatically activate the keyring daemon via DBus if it is not already running.
- Add a simpler API for accessing and storing passwords. Older APIs exist too. Refer to [1].

4.2. GNOME Keyring SSH Agent

GNOME Keyring includes an SSH agent which integrates with the gnome-keyring and user login for its passwords. It can also use the main X.509 private key store. GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it starts up. The id_rsa and id_dsa files in ~/.ssh are automatically usable through the SSH agent without first 'loading' them. Other X.509 private keys marked with the 'ssh-authentication' purpose are also usable. Additional SSH keys can be manually loaded and managed via the ssh-add command.

If you use another SSH agent (such as the ssh-agent included with OpenSSH), you may want to disable the SSH agent in GNOME Keyring to prevent ssh from using it instead of your preferred SSH agent. You can set the /apps/gnome-keyring/daemon-components/ssh gconf key to false. This prevents the SSH component of gnome-keyring from starting up when the user logs in.

The default GNOME start up script (/usr/dt/config/Xsession.jds) will be changed to NOT start up "under" ssh-agent like it does today, and instead ensure the environment variables for the gnome-keyring version are set early enough.

4.3. GNOME Keyring Certificates and Encryption Keys

The following paths are searched for encryption keys and certificate files.

- ~/.ssh/id_?sa
- ~/.gnome2/keystore/*

Most standard file formats for keys and certificates are supported:

Certificates
* Standard DER encoded certificates.
* Certificates contained in PKCS#7 files.
* Certificates contained in PKCS#8 files.
* PEM encodings of the above.

Encryption Keys
* PKCS#1 RSA keys.
* PKCS#8 encrypted RSA and DSA keys.
* DER encoded DSA keys.
* PEM encodings of the above.
* OpenSSL PEM encrypted keys.
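Because the SSH agent makes every key under the two search paths above usable at login, an administrator may want to know which of those keys sit on disk without a passphrase. The following audit helper is an added example, not part of the case materials or of gnome-keyring itself; the PEM labels and the DER heuristic are assumptions about the formats listed in 4.3, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# PEM labels for the formats listed in 4.3, mapped to (format name, encrypted at rest).
PEM_LABELS = {
    "CERTIFICATE": ("certificate", False),
    "PKCS7": ("PKCS#7 certificate bundle", False),
    "RSA PRIVATE KEY": ("PKCS#1 RSA key", False),
    "DSA PRIVATE KEY": ("DSA key", False),
    "PRIVATE KEY": ("PKCS#8 key", False),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 encrypted key", True),
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(data: bytes) -> dict:
    """Heuristic: PEM is classified by its label (and OpenSSL's Proc-Type /
    DEK-Info headers mark an OpenSSL PEM encrypted key); anything else that
    starts with an ASN.1 SEQUENCE tag (0x30) is taken to be DER."""
    m = PEM_RE.search(data)
    if m:
        label, body = m.group(1).decode(), m.group(2)
        fmt, encrypted = PEM_LABELS.get(label, ("unknown PEM (%s)" % label, None))
        if b"Proc-Type: 4,ENCRYPTED" in body or b"DEK-Info:" in body:
            fmt, encrypted = "OpenSSL PEM encrypted key", True
        return {"format": fmt, "encrypted": encrypted}
    if data[:1] == b"\x30":
        return {"format": "DER (ASN.1 SEQUENCE)", "encrypted": None}  # None: unknown
    return {"format": "unrecognized", "encrypted": None}

def audit(home: Path) -> list:
    """Classify every file in the paths gnome-keyring 2.22 searches
    (~/.ssh/id_?sa and ~/.gnome2/keystore/*). Entries with encrypted == False
    are private keys the agent exposes at login with no passphrase on disk."""
    found = list(home.glob(".ssh/id_?sa")) + list(home.glob(".gnome2/keystore/*"))
    return [(p.name, classify(p.read_bytes())) for p in sorted(found) if p.is_file()]

def demo() -> list:
    """Run the audit over a constructed home directory holding sample files."""
    home = Path(tempfile.mkdtemp())
    (home / ".ssh").mkdir()
    (home / ".gnome2" / "keystore").mkdir(parents=True)
    (home / ".ssh" / "id_rsa").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n")
    (home / ".ssh" / "id_dsa").write_bytes(
        b"-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIB\n-----END DSA PRIVATE KEY-----\n")
    (home / ".gnome2" / "keystore" / "ca.der").write_bytes(b"\x30\x82\x01\x00")
    return audit(home)
```

Run audit(Path.home()) on a real account to list the same information for that user; a DER file reports encrypted as None because telling a plain from an encrypted PKCS#8 blob needs a full ASN.1 parse.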
File Encryption and Password Algorithms

PKCS#5 PBE
* DES CBC MD2
* DES CBC MD5
* DES CBC SHA1

PKCS#5 PBE2
* DES CBC SHA1
* 3DES CBC SHA1
* RC2-128 CBC SHA1

PKCS#12 PBE
* RC4-128 STREAM SHA1
* 3DES CBC SHA1
* RC2-128 CBC SHA1
* RC2-40 CBC SHA1

Supported crypto mechanisms include
- DSA: sign/verify
- RSA: encrypt/decrypt sign/verify

4.4. GNOME Keyring Cryptoki (PKCS#11) Support

PKCS#11 is a standard that lets applications use encryption keys and certificates on devices like smart cards. gnome-keyring implements this standard and acts as such a device, storing keys and certificates and making them available for applications to use.

PKCS#11 deals directly with things like RSA/DSA signing operations and certificate attributes. It is a bit low level. Usually one uses PKCS#11 through a crypto library like NSS. [5]

PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to perform the actual crypto operations; nowhere in the keyring/pkcs11 code do they re-implement RSA or DSA key generation or crypto functionality.

4.5. Interfaces:

Exported Interfaces

Interface                          Classification    Comments
---------------                    --------------    -----------------------
SUNWgnome-libs                     Uncommitted       Package name (unchanged)
SUNWgnome-libs-devel               Uncommitted       Package name (unchanged)
/usr/lib/libgnome-keyring.so       Volatile          Symbolic link (unchanged)
/usr/lib/libgnome-keyring.so.0     Volatile          SONAME (changed)
/usr/share/gconf/schemas/ \        Volatile          GCONF key schemas that define
  gnome-keyring.schemas                              the preferences for the tools (New)
/usr/bin/gnome-keyring-daemon      Volatile          (unchanged)
/usr/lib/gnome-keyring-ask         Project Private   (unchanged)
/usr/lib/gnome-keyring/ \          Volatile          (New)
  gnome-keyring-pkcs11.so
/usr/lib/pkgconfig/ \              Volatile          (unchanged)
  gnome-keyring-1.pc
/usr/include/gnome-keyring-1/ \    Volatile          (unchanged)
  gnome-keyring.h
/usr/include/gnome-keyring-1/ \    Volatile          (unchanged)
  gnome-keyring-memory.h
/usr/include/gnome-keyring-1/ \    Volatile          (unchanged)
  gnome-keyring-result.h
~/.gnome2/keyrings                 Project Private   Location where keyrings are stored
/usr/share/dbus-1/services/ \      Project Private   DBus service file (New)
  org.gnome.keyring.service
org.gnome.keyrings.Daemon          Volatile          DBus interface (session interface)
org.gnome.keyrings.Daemon \        Volatile          DBus method, returns socket path.
  GetSocketPath

Imported Interfaces

Interface        Classification    Comments
---------------  ---------------   -----------------------
GTK+             Committed         LSARC/2008/207
GLib             Committed         LSARC/2008/207
D-Bus            Volatile          LSARC/2006/368
libhal           Volatile          PSARC/2005/399
libgcrypt        Volatile          LSARC/2008/354
libtasn1         Volatile          LSARC/2008/390

4.6. Packaging & Delivery:

No new packages are delivered. The two existing packages:

SUNWgnome-libs (base package) - base package for binaries
SUNWgnome-libs-devel (development package) - development package for

4.7. Security Impact:

Please refer to [7].

4.8. Dependencies:

libtasn1 is a new imported interface. gnome-keyring makes use of libtasn1 to parse X.509 certificates and general certificates.

5. References

[1] New API for storing passwords: http://live.gnome.org/GnomeKeyring/StoringPasswords
[2] Homepage: http://live.gnome.org/GnomeKeyring
[3] API document: http://library.gnome.org/devel/gnome-keyring/stable/
[4] GNOME 2.14 ARC: LSARC/2006/202/
[5] Configure other applications to use gnome-keyring certificates and keys: http://live.gnome.org/GnomeKeyring/ApplicationSetup
[6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
[7] GNOME 2.14 security questionnaire: http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt