Difference between revisions of "Projects/APIs for keytab and cccol content"
Revision as of 12:04, 2 June 2012
This project is to implement the Heimdal API krb5_kt_have_content().
==Background==
In certain situations, it is desirable to know whether a keytab is actually present and populated. For example, acquiring GSS acceptor credentials with the krb5 mech should not succeed if the default keytab file doesn't exist. krb5_kt_resolve() does not answer this question, as it returns successfully even if the file doesn't exist.
==Description==
The API signature is:
krb5_boolean krb5_kt_have_content(krb5_context context, krb5_keytab id);
The function returns true if entries can be successfully retrieved from the keytab.
==Implementation==
The Heimdal implementation begins iterating over the keytab and returns true if one entry can be retrieved. We can make the implementation somewhat more efficient using a vtable method; for instance, the FILE keytab type can stat the keytab and return true if the file size is larger than the size of a keytab header. But this optimization is probably not worth the code footprint.
The KDB keytab is not iterable. Since KDBs are almost never empty, it is probably reasonable to return true unconditionally for non-iterable keytabs.
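The iteration-based design described above, written out as an added, self-contained C model (not MIT krb5 or Heimdal library code). The kt_* types, the vtable with a NULL start_seq_get standing in for a non-iterable KDB keytab, the in-memory keytab type, the sample entries and the acquire_acceptor_cred() caller are all assumptions made for illustration; the real library types and error codes differ. It covers the four cases a test would want: a populated keytab, an empty one, a missing keytab file, and a non-iterable keytab.

```c
/* Added example: a self-contained model of the iteration-based
 * krb5_kt_have_content() design.  All types and helpers here are
 * assumptions for illustration, not MIT krb5 or Heimdal code. */
#include <stdio.h>

#define KT_OK       0   /* operation succeeded */
#define KT_END      1   /* cursor exhausted: no more entries */
#define KT_NOTFOUND 2   /* backing store (e.g. keytab file) does not exist */

typedef struct {
    char principal[64];
    int kvno;
} kt_entry;

struct keytab;
/* Per-keytab-type vtable.  A NULL start_seq_get marks the type as
 * non-iterable, which is how this model represents a KDB keytab. */
typedef struct {
    int (*start_seq_get)(struct keytab *kt, int *cursor);
    int (*next_entry)(struct keytab *kt, kt_entry *out, int *cursor);
    int (*end_seq_get)(struct keytab *kt, int *cursor);
} kt_ops;

typedef struct keytab {
    const kt_ops *ops;
    const kt_entry *entries;   /* constructed in-memory contents */
    int nentries;
    int exists;                /* 0 models a missing keytab file */
} keytab;

/* In-memory keytab type: iteration behaves like a FILE keytab, including
 * failure of start_seq_get when the underlying file is absent. */
static int mem_start(keytab *kt, int *cursor)
{
    if (!kt->exists)
        return KT_NOTFOUND;
    *cursor = 0;
    return KT_OK;
}

static int mem_next(keytab *kt, kt_entry *out, int *cursor)
{
    if (*cursor >= kt->nentries)
        return KT_END;
    *out = kt->entries[(*cursor)++];
    return KT_OK;
}

static int mem_end(keytab *kt, int *cursor)
{
    (void)kt;
    *cursor = -1;
    return KT_OK;
}

static const kt_ops mem_ops = { mem_start, mem_next, mem_end };
static const kt_ops kdb_ops = { NULL, NULL, NULL };   /* non-iterable */

/* Returns 1 if at least one entry can be retrieved, 0 otherwise.
 * Non-iterable keytabs are assumed populated, as the text proposes. */
int kt_have_content(keytab *kt)
{
    int cursor, found;
    kt_entry entry;

    if (kt->ops->start_seq_get == NULL)
        return 1;
    if (kt->ops->start_seq_get(kt, &cursor) != KT_OK)
        return 0;            /* e.g. the keytab file does not exist */
    found = (kt->ops->next_entry(kt, &entry, &cursor) == KT_OK);
    kt->ops->end_seq_get(kt, &cursor);
    return found;
}

/* The caller from the Background section: refuse to hand out acceptor
 * credentials when the keytab has no usable content. */
int acquire_acceptor_cred(keytab *kt)
{
    return kt_have_content(kt) ? KT_OK : KT_NOTFOUND;
}

/* Constructed sample contents (not from a real keytab). */
static const kt_entry sample_entries[] = {
    { "host/www.example.com@EXAMPLE.COM", 3 },
    { "HTTP/www.example.com@EXAMPLE.COM", 3 },
};

static keytab make_keytab(const kt_ops *ops, const kt_entry *e, int n, int exists)
{
    keytab kt = { ops, e, n, exists };
    return kt;
}

/* The four situations a test such as t_keytab.c would want to cover. */
int check_populated(void)    { keytab k = make_keytab(&mem_ops, sample_entries, 2, 1); return kt_have_content(&k); }
int check_empty(void)        { keytab k = make_keytab(&mem_ops, sample_entries, 0, 1); return kt_have_content(&k); }
int check_missing(void)      { keytab k = make_keytab(&mem_ops, NULL, 0, 0); return kt_have_content(&k); }
int check_kdb(void)          { keytab k = make_keytab(&kdb_ops, NULL, 0, 1); return kt_have_content(&k); }
int check_missing_cred(void) { keytab k = make_keytab(&mem_ops, NULL, 0, 0); return acquire_acceptor_cred(&k); }

int main(void)
{
    printf("populated=%d empty=%d missing=%d kdb=%d missing_cred=%d\n",
           check_populated(), check_empty(), check_missing(), check_kdb(),
           check_missing_cred());
    return 0;
}
```

The cursor is always closed with end_seq_get, whether or not an entry was found, so the check leaks no iterator state; the non-iterable branch is taken before any vtable call, which is what keeps the KDB case from dereferencing the NULL methods.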
==Testing==
The existing t_keytab.c test program can be augmented to test krb5_kt_have_content().
==Documentation==
Doxygen markup for krb5_kt_have_content() should be sufficient. It may be worth briefly mentioning this API in our application programmer section on keytabs when we have one.