1 # SteamWorks Pulley Scripts for TLS Pool
3 > *Pulley is the part of SteamWorks that digs up information from LDAP, stays
4 > subscribed to it for updates, mixes and matches the information found with
5 > an expressiveness akin to SQL, and finally delivers it in a local format.
6 > This backend to Pulley is meant to deliver information to the TLS Pool
12 The place where this plugins gets to work is as a so-called *output driver*
13 in the Pulley Script language. It is parameterised to receive certain
14 parameters, and maps those to the databases.
16 The output driver is for `disclose.db`, which is parameterised with
18 ... -> tlspool (config="../etc/tlspool.conf", type="disclose", args="...")
20 The two parameters provided are the configuration file for the TLS Pool
21 and the type of database. Multiple instances of this output driver
22 are possible, at the very least to support multiple databases.
24 There is no requirement to cover all the three database types underneath
25 the TLS Pool (they are `disclose`, `localid` and `trust`) as local
26 mechanisms may be used instead.
28 It is in fact possible to have multiple instances of the same database
29 type; in that case, an additional `subkey` argument may be helpful to
30 keep them separated. See the descriptions per database below.
32 The code for the output driver support is found
33 [here](../pulleyback).
36 ## Disclosure database
38 The information sent to the output driver for a `disclose` type database
39 is simply a pair of remote and
40 local identity variables (noted as `rid` and `lid` respectively), as in:
42 lid,rid -> tlspool (..., type="disclose",args="localid,remoteid")
46 rid,lid -> tlspool (..., type="disclose",args="remoteid,localid")
48 Note how the `args` determine how the arguments are interpreted. Only the
49 given two forms are possible for the `disclose` type backend. (Future
50 extensions may however incorporate validation expressions as well.)
52 There is no obligation to service this mapping from LDAP though; a rollout
53 may prefer to use a GUI element to do this instead. It may even both be
54 done; the Pulley backend is aware that this can lead to conflicts,
55 and will silently accept when an attempted removal was already done over
56 the GUI; likewise for additions. Note that this may not be the gentlest
57 situation for end user experience though; if the LDAP version of the data
58 is flapping it would consistently overwrite the user-set data.
61 ## Local identity database
63 This database is marked by type `localid` but beyond that it
64 falls apart in a number of perspectives, which could be
65 seen as a subkey mechanism. Therefore, provide a few extra parameters
68 .... -> tlspool (..., args=..., subtype="x509,client")
70 The `args` indicates how arguments supplied to the output driver are
71 interpreted. Possible values are:
73 * `localid` for the local identity being described, which must be present;
74 * `pkcs11` for the PKCS #11 URI of a private key, which must be present for any but the `valexp` subtype;
75 * `cred` for the public credential identifying the local identity, which must be present for any but the `valexp` subtype;
76 * `valexp` for the validation expression, which must be present for the `valexp` subtype;
77 * `credtype` for dynamically supplied credential types other than `valexp`;
78 * `role` for dynamically supplied roles.
80 The `subtype` consists of a number of information bits:
82 * credential type selection from `x509` for X.509 certificate entries,
83 or `openpgp` for OpenPGP entries;
84 alternatively, `valexp` for validation expression entries; future
85 extensions will probably also recognise `openssh`, `krb5`, `srp11`;
86 this must not be provided when `credtype` is in `args`;
87 * role selection from `client` or `server` to indicate the role to which
88 the setting applies, or `peer` if it applies to both;
89 this must not be provided when `role` is in `args`.
90 * an additional flags that can be requested is `chained`.
92 The dynamic form is provided to permit additional arguments to be supplied
93 to the Pulley backend in a dynamic form. This is why it is either/or
94 with the static values in the `subtype` argument.
96 The dynamic form is primarily useful for LDAP-supplied data. The values
97 for `credtype` match the singular attribute type `tlsPoolCredentialType`
98 and the values for `role` match the singular attribute type
99 `tlsPoolSupportedRole` -- and that is not a coincidence!
101 The arguments to the Pulley backend for the TLS Pool could be:
103 lid,p11uri,cred -> tlspool (...,args="localid,pkcs11,cred")
105 As explained before, the presence of `role` and `credtype` arguments
106 can lead to additional arguments from a dynamic source, for instance
108 lid,p11uri,cred,role -> tlspool (...,args="localid,pkcs11,cred,role")
110 Note that in the LDAP scheme, the
111 `valexp` value is usually supplied in a different manner, as it is not
112 part of the `tlsPoolCredentialType` and will not dynamically resolve
113 to the argument for the `credtype` parameter. This matches nicely with the
114 auxiliary object class `tlsPoolValidationRequirements` for validation
115 expressions, which may be applied independently on top of a
116 `tlsPoolLocalUserCredential` structural object class.
118 In the local identity database, validation expressions "abuse" the
119 PKCS #11 URI field to hold the
120 validation expression, and there is never a public credential, so its
121 format will usually be simply:
123 lid,valexp -> tlspool (...,args="localid,valexp")
125 or with the `role` argument made dynamic, because it can be combined
128 lid,valexp,role -> tlspool (...,args="localid,valexp,role")
133 **Note:** See the current TLS Pool implementation details for the
134 progress on trust database settings. The model for LDAP moves independently
135 and may be more complete than what is acceptable to the TLS Pool backend.
137 The configuration of the `trust` backend type has a subtype in a similar
138 fashion to that of the `localid` type:
140 .... -> tlspool (..., args=..., subtype="authority,x509,client")
142 The `args` parameter defines how arguments to the output driver will
145 * `cred` indicates the public credential being dealt with;
146 * `role` indicates dynamically whether the trust is for `client`, `server` or both (`peer`) credentials
147 * `valexp` indicates a validation expression supplied dynamically,
148 when there is no parameter `valexp` configuring the output driver
151 The `subtype` consists of a number of information bits:
153 * `x509` for X.509 certificate entries, or `openpgp` for OpenPGP entries;
154 alternatively, `valexp` for validation expression entries; future
155 extensions may also recognise `openssh`, `krb5`, `srp11`;
156 * `client` or `server` to indicate a static role to which the setting
157 applies, or `peer` if it applies to both;
158 * `authority` to indicate a trusted CA certificate (root or intermediate);
159 more entry types will follow, for instance `revocation` and `pinning`
160 are considered to be useful future additions.
162 In addition, a static `valexp` may be supplied, which will then apply
163 to all the productions from the output driver. The simplest form to
164 facilitate the required validation expression for trust database entries
167 .... -> tlspool (...,valexp="1")
169 The arguments to a trust output driver, using a dynamic validation expression
170 obtained from a source like LDAP, could be:
172 valexp,cred -> tlspool (...,args="valexp,cred")
174 Here, `valexp` provides a validation expression and `cred` provides a
175 public credential for the trusted entry.
177 For `authority,x509` subtypes, the credential is assumed to hold a
178 subject key identifier, which is then used as its index into the trust
179 database. When absent, the subject key identifier is computed as
180 described in Section 4.2.1.2 of RFC 5280, using `(1)` the full SHA1 form.
182 For `authority,openpgp` subtypes, the credential's 64-bit key ID is
183 derived and used as the index into the trust database.
186 ## Example Pulley Script
188 The following is a maximally dynamic script that could be used to pull
189 information from the LDAP scheme for the TLS Pool, and placing it in
190 the disclosure database:
192 # SteamWorks Pulley Script: LDAP --> TLS Pool disclose.db
194 # From: Rick van Rein <rick@openfortress.nl>
196 # Pull information from the disclose root
199 # Find group members that form lid/rid combinatiosn
202 # Supply each lid/rid pair to the disclose.db
203 lid,rid -> tlspool (config="/etc/tlspool.conf", type="disclose", args="localid,remoteid")
206 The following is a maximally dynamic script that could be used to pull
207 information from the LDAP scheme for the TLS Pool, and placing it in
208 the local identity database:
213 The following is a maximally dynamic script that could be used to pull
214 information from the LDAP scheme for the TLS Pool, and placing it in
217 # SteamWorks Pulley Script: LDAP --> TLS Pool trust.db
219 # From: Rick van Rein <rick@openfortress.nl>
223 # Generate <x509ca,x509cadn> as a potential root certificate
224 ObjectClass: "pkiUser" + UserCertificate: x509ca, @cadn, Ou="Trust Contestors" <- world
226 # Generate <x509anchordn,x509valexp,x509role> to describe a trusted CA
227 ObjectClass: "tlsPoolTrustedIssuer" + TlsPoolCredentialType: "x509" + TlsPoolTrustAnchor: x509anchordn + TlsPoolValidationExpression: x509valexp + TlsPoolSupportedRole: x509role, Cn=_, Ou="Our Foundation of Trust" <- world
229 # Trim down to x509ca certificates that are trusted
230 (x509cadn == x509anchordn)
232 # Send the found results to the TLS Pool backend
233 x509ca,x509valexp,x509role -> tlspool (config="../etc/tlspool.conf", type="trust", args="cred,valexp,role", subtype="authority,x509")
237 # Generate <pgpkey,pgpkeydn> as a potential PGP direct signer key
238 ObjectClass: "pgpKeyInfo" + PgpKey: pgpkey, @pgpkeydn, Ou="Trust Contestors" <- world
240 # Generate <pgpanchordn,pgpvalexp,pgprole> to describe a trusted signer
241 ObjectClass: "tlsPoolTrustedIssuer" + TlsPoolCredentialType: "pgp" + TlsPoolTrustAnchor: pgpanchordn + TlsPoolValidationExpression: pgpvalexp + TlsPoolSupportedRole: pgprole, Cn=_, Ou="Our Foundation of Trust" <- world
243 # Trim down to pgpkeys that are trusted
244 (pgpkeydn == pgpanchordn)
246 # Send the found results to the TLS Pool backend
247 pgpkey,pgpvalexp,pgprole -> tlspool (config="../etc/tlspool.conf", type="trust", args="cred,valexp,role", subtype="authority,openpgp")