
I am having a problem with exporting a name using gss_export_name. I thought that once the name is exported I should be able to just print it, but I am turning up a blank. Literally: EXPORTED NAME: , EXPORTED NAME LENGTH: 47

Here is my code

#include <stdio.h>
#include <gssapi/gssapi.h>

OM_uint32 major_status, minor_status;
gss_cred_usage_t usage;
OM_uint32 lifetime;
gss_OID_set oid_set;
gss_name_t inquired_name;
major_status = gss_inquire_cred(&minor_status, GSS_C_NO_CREDENTIAL, &inquired_name,
                                &lifetime, &usage, &oid_set);
gss_buffer_desc exported_name_buffer;
major_status = gss_export_name(&minor_status, inquired_name, &exported_name_buffer);
/* the buffer is not NUL-terminated, so bound %s by its length; length is a size_t */
printf("EXPORTED NAME: %.*s, EXPORTED NAME LENGTH: %zu\n",
       (int)exported_name_buffer.length, (const char *)exported_name_buffer.value,
       exported_name_buffer.length);

For clarity I decided not to include checks, but I also take care to make sure that major_status is always == GSS_S_COMPLETE. Appreciate any ideas.

pu239ppy
  • The digging around I did suggests that you need to call `gss_canonicalize_name` before `gss_export_name`. But I wasn't able to verify that in working code. – Fred the Magic Wonder Dog Dec 17 '13 at 00:21
  • I was under the impression that canonicalization was only required when a name has been imported from a string as opposed to from active credentials. Either way, in my other trials I did do that and still came up blank. It is possible that the buffer does not contain a textual value and further needs to be decoded. Hoping to have more in a bit – pu239ppy Dec 17 '13 at 18:42

1 Answer


Unfortunately the buffer output by gss_export_name is an ASN.1 data structure, not a human-readable string. See section 3.2 of RFC 2743. You'd need to skip over the header of that structure and then parse the name in a mechanism-dependent manner. Some of the GSS-API developers strongly recommend doing this. As an example, the gss-api patches to Openssh do this for parsing Kerberos names. This is the theoretically correct approach. In practice though, using gss_display_name and handling the output of that call produces more portable results, even though it may produce strange results in a multi-mechanism application. You'll get significant arguments over how to handle this in the GSS-API community. Everyone will agree that you should use gss_display_name for producing output for debugging and logs. The question is what should you do if you want a name for searching on an access control list. If you can directly use the output of gss_export_name and do binary comparisons, do that. However, if you need to compare against input entered by a human, I'd argue that using the output of gss_display_name is better, while others will argue that parsing the gss_export_name output is better.

Sam Hartman
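As an added example (not code from the question or the answer), here is what "skipping over the header" of the RFC 2743 section 3.2 exported name object looks like, with every length field checked against the bytes actually present before it is trusted. The sample buffer is hand-constructed to the RFC 2743/RFC 1964 layout for a Kerberos name and is not a real token; the function and constant names are my own.

```c
/* Added example: parse the mechanism-independent exported name object of
 * RFC 2743 section 3.2 instead of printing it with %s. Layout:
 *   04 01 | MECH_OID_LEN (2 bytes, big-endian) | MECH_OID (DER, tag+len included)
 *   | NAME_LEN (4 bytes, big-endian) | NAME (format defined by the mechanism) */
#include <stddef.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964) */
static const unsigned char KRB5_MECH_DER[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };

/* Constructed sample of an exported Kerberos name (test data, not a real token). */
static const unsigned char SAMPLE_EXPORTED[] = {
    0x04, 0x01, 0x00, 0x0b,                                   /* TOK_ID, MECH_OID_LEN */
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* MECH_OID */
    0x00, 0x00, 0x00, 0x10,                                   /* NAME_LEN = 16 */
    'u','s','e','r','@','E','X','A','M','P','L','E','.','C','O','M' };
#define SAMPLE_EXPORTED_LEN sizeof(SAMPLE_EXPORTED)

/* Returns 0 and sets the out-pointers on success, -1 if the buffer is not a
 * well-formed exported name (bad token id, or a length that overruns the buffer). */
int parse_exported_name(const unsigned char *buf, size_t len,
                        const unsigned char **mech_oid, size_t *mech_oid_len,
                        const unsigned char **name, size_t *name_len)
{
    size_t oid_len, n_len, pos;
    if (len < 4 || buf[0] != 0x04 || buf[1] != 0x01) return -1;
    oid_len = ((size_t)buf[2] << 8) | buf[3];
    pos = 4;
    /* the OID field carries its own DER tag (0x06) and length byte */
    if (oid_len < 2 || oid_len > len - pos || buf[pos] != 0x06 ||
        buf[pos + 1] != oid_len - 2) return -1;
    *mech_oid = buf + pos; *mech_oid_len = oid_len;
    pos += oid_len;
    if (len - pos < 4) return -1;
    n_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16) |
            ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    pos += 4;
    if (n_len > len - pos) return -1;
    *name = buf + pos; *name_len = n_len;
    return 0;
}

/* 1 if the exported name was produced by the Kerberos V5 mechanism */
int is_krb5_mech(const unsigned char *mech_oid, size_t mech_oid_len)
{
    return mech_oid_len == sizeof(KRB5_MECH_DER) &&
           memcmp(mech_oid, KRB5_MECH_DER, mech_oid_len) == 0;
}
```

Only once is_krb5_mech() is true may the NAME bytes be treated as the RFC 1964 principal string; for any other mechanism the name format is that mechanism's own, which is the portability point the answer makes.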