DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group
Key Management API
Introduction
The routines in the Key Management API are distinguished with names
having the prefix "sec_key_mgmt".
Background is given in Introduction to Security Services,
especially Key Management Facility.
On input, those routines in this API that take a keydata argument
expect a value of data type sec_passwd_rec_t *, and those
that take a keytype argument expect a value of data type
sec_passwd_type_t *; furthermore, both of these arguments
must be non-NULL pointers to single values (not arrays).
On output, those operations that give a keydata argument
yield a value of data type sec_passwd_rec_t *, this being a
pointer to the first element of an array; this array is terminated by an
element whose key_type is sec_passwd_none.
Those routines in this API that take a void *get_key_fn_arg
argument expect a specification of "local key storage management", as
defined in this paragraph.
Any value of get_key_fn_arg other than the two special ones specified
in the remainder of this paragraph indicates a (single) argument to be
passed to an application-defined "key acquisition routine" (a value of type
rpc_auth_key_retrieval_fn_t; that is, an arg as for
rpc_server_register_auth_info()
in the referenced Open Group DCE 1.1 RPC Specification; see also Section D.7, Authentication, Authorisation and
Protection-level Arguments of that specification).
If get_key_fn_arg is a string value (of type idl_char *)
that begins with the substring FILE: (that is, is of the form
"FILE:xy···z" where
xy···z denotes a substring of arbitrary non-zero length)
this indicates that local key storage is implemented via a default implicit
implementation-defined key acquisition routine (not further specified in
this specification) in the local key table file whose full pathname
(in the local system's file namespace) is xy···z.
A NULL value of get_key_fn_arg
indicates the default implicit implementation-defined key
acquisition routine (defined in the previous sentence), using an
implementation-defined
default key table file (typically, on POSIX systems, this default key table
file is named
/krb/v5srvtab;
that is, this case corresponds to the
previous case with argument FILE:/krb/v5srvtab).
Note: Access to local resources is subject to implementation and
local system access control policies. This is not further mentioned in
the entries for these routines,
though it does have implications for implementations.
For example, local key storage implemented in a local
file, such as
/krb/v5srvtab,
is subject to local access control
considerations. As such, implementations should exercise due caution in
protecting such files (for example, such files should not be located
on partitions that can be remotely mounted in an unprotected manner via
a network filesystem).
Please note that the html version of this specification
may contain formatting aberrations. The definitive version
is available as an electronic publication on CD-ROM
from The Open Group.