From: Wido den Hollander <wido@widodh.nl>
To: Sage Weil <sage@inktank.com>
Cc: ceph-devel@vger.kernel.org
Subject: Re: [PATCH] Generate URL-safe base64 strings for keys.
Date: Fri, 06 Jul 2012 10:48:38 +0200
Message-ID: <4FF6A666.9080705@widodh.nl>
In-Reply-To: <Pine.LNX.4.64.1207050729350.6931@cobra.newdream.net>
On 07/05/2012 04:31 PM, Sage Weil wrote:
> On Thu, 5 Jul 2012, Wido den Hollander wrote:
>> On 04-07-12 18:18, Sage Weil wrote:
>>> On Wed, 4 Jul 2012, Wido den Hollander wrote:
>>>>> On Wed, 4 Jul 2012, Wido den Hollander wrote:
>>>>>> By using this we prevent scenarios where cephx keys are not accepted
>>>>>> in various situations.
>>>>>>
>>>>>> Replacing the + and / by - and _ we generate URL-safe base64 keys
>>>>>>
>>>>>> Signed-off-by: Wido den Hollander <wido@widodh.nl>
>>>>>
>>>>> Do we already properly decode URL-safe base64 encoding?
>>>>>
>>>>
>>>> Yes, it decodes URL-safe base64 as well.
>>>>
>>>> See the if statements for 62 and 63, + and - are treated equally, just
>>>> like / and _.
>>>
>>> Oh, got it. The commit description confused me... I thought this was
>>> related to encoding only.
>>>
>>> I think we should break the encode and decode patches into separate
>>> versions, and apply the decode to a stable branch (argonaut) and the
>>> encode to the master. That should avoid most problems with a
>>> rolling/staggered upgrade...
>>
>> I just submitted a patch for decoding only.
>
> Applied, thanks!
>
>> During some tests I did I found out that libvirt uses GNUlib and won't handle
>> URL-safe base64 encoded keys.
>>
>> So, as long as Ceph allows them we're good. Users can always replace the + and
>> / in their key knowing it will be accepted by Ceph.
>>
>> This works for me for now. The exact switch to base64url should be done at a
>> later stage I think.
>>
>> The RFC on this: http://tools.ietf.org/html/rfc4648#page-7
>
> We could:
> - submit a patch for gnulib; someday it'll support it

I already did, but IF they accept anything other than RFC4648 they'll
implement a lot of the other formats as well. That will be some work.

> - kludge the secret generation code in ceph so that it rejects secrets
> with problematic encoding... :/ (radosgw-admin does something
> similar with +'s in the s3-style user keys.)

Seems the easy way out, but it will work though.

Wido

>
> sage
>
>
>
>>
>> Wido
>>
>>>
>>> sage
>>>
>>>
>>>>
>>>> Wido
>>>>
>>>>
>>>>> sage
>>>>>
>>>>>> ---
>>>>>> src/common/armor.c | 6 +++---
>>>>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>>>>
>>>>>> diff --git a/src/common/armor.c b/src/common/armor.c
>>>>>> index d1d5664..7f73da1 100644
>>>>>> --- a/src/common/armor.c
>>>>>> +++ b/src/common/armor.c
>>>>>> @@ -9,7 +9,7 @@
>>>>>> * base64 encode/decode.
>>>>>> */
>>>>>>
>>>>>> -const char *pem_key =
>>>>>> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
>>>>>> +const char *pem_key =
>>>>>> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
>>>>>>
>>>>>> static int encode_bits(int c)
>>>>>> {
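Review bot: the new pem_key alphabet on the "+" line changes what every encoded key looks like, but neither the constant's name nor the file comment ("base64 encode/decode.") says the output is now the URL-safe alphabet. Please add a comment naming it as RFC 4648 base64url, and consider splitting this hunk from the decode_bits change: a peer still built with the old decode_bits has no case for '-' or '_', so the decode side should be deployed before any encoder starts emitting those characters.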
>>>>>> @@ -24,9 +24,9 @@ static int decode_bits(char c)
>>>>>> return c - 'a' + 26;
>>>>>> if (c >= '0' && c <= '9')
>>>>>> return c - '0' + 52;
>>>>>> - if (c == '+')
>>>>>> + if (c == '+' || c == '-')
>>>>>> return 62;
>>>>>> - if (c == '/')
>>>>>> + if (c == '/' || c == '_')
>>>>>> return 63;
>>>>>> if (c == '=')
>>>>>> return 0; /* just non-negative, please */
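Review bot: with (c == '+' || c == '-') and (c == '/' || c == '_') both accepted in decode_bits, one input can mix the two alphabets, and several different strings now decode to the same key. Say in a comment that this leniency is intentional, and either reject input that uses both families or make sure callers compare decoded bytes, never the encoded strings.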
>>>>>> --
>>>>>> 1.7.9.5
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list: send the line "unsubscribe ceph-devel"
>>>>>> in the body of a message to majordomo@vger.kernel.org
>>>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>>>>
>>>>>>
>>
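
An added example, not part of the original thread or of Ceph's armor.c: a small C classifier for the situation discussed above, where the decoder accepts both alphabets while other consumers may accept only one. The names b64_kind, b64_classify and b64_same_key are hypothetical, and treating a key with no '+', '/', '-' or '_' as the portable case is this example's reading of the "reject secrets with problematic encoding" option.

```c
#include <stddef.h>

/* Alphabet classes for an encoded key (names are this example's own). */
enum b64_kind { B64_NEUTRAL, B64_STD, B64_URL, B64_MIXED, B64_INVALID };

/* Map the URL-safe symbols for 62 and 63 onto the standard ones. */
static char b64_norm(char c)
{
    return c == '-' ? '+' : c == '_' ? '/' : c;
}

/* Checks the alphabet only, not the length.
 * NEUTRAL: no 62/63 symbol, so the string is the same in both alphabets.
 * STD: has '+' or '/'.  URL: has '-' or '_'.  MIXED: has both families,
 * which a decoder accepting either alphabet takes but a strict one refuses. */
enum b64_kind b64_classify(const char *s)
{
    int std = 0, url = 0, pad = 0;

    for (; *s; s++) {
        char c = *s;
        if (c == '=') {                 /* at most two, only at the end */
            if (++pad > 2)
                return B64_INVALID;
            continue;
        }
        if (pad)
            return B64_INVALID;         /* data after padding */
        if (c == '+' || c == '/')
            std = 1;
        else if (c == '-' || c == '_')
            url = 1;
        else if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                   (c >= '0' && c <= '9')))
            return B64_INVALID;
    }
    if (std && url)
        return B64_MIXED;
    return std ? B64_STD : url ? B64_URL : B64_NEUTRAL;
}

/* Compare two encoded keys, treating '+'/'-' and '/'/'_' as equal symbols. */
int b64_same_key(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (b64_norm(*a) != b64_norm(*b))
            return 0;
    return *a == *b;
}
```

A key generator following the second option would keep only strings classified B64_NEUTRAL; a tool handing a key to a strict standard-alphabet consumer would refuse B64_URL and B64_MIXED.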