Authentication Credential Cache Storage Overhaul

Subversion 1.7 and older uses, primarily, an on-disk storage solution for cached authentication credentials. Bits of the more private information may be outsourced for storage to various OS keyring provider mechanisms as (see EncryptedPasswordStorage), but certainly the primary storage container are the on-disk serialized hash files stored in ${HOME}/.subversion/auth/${PROVIDERTYPE}/${REALMSTRING_MD5}. As we look to improve the client authentication subsystem in the future -- especially when considering major overhauls such as the master passphrase in-house encryption feature (see MasterPassphrase), one area that stands out as in need of attention is the storage of cached authentication credentials.

Disk Cache

Here's an attempt at summarizing what type of information is currently stored on disk for each credential type:

Provider Type

Subversion Realmstring (Key) Components

What Else Gets Cached

svn.username

repos UUID

username

svn.simple

server root URL (scheme, hostname, port), realm string

username, password

svn.ssl.client-cert

svn.ssl.client-passphrase

certificate file path

password

svn.ssl.client-passphrase (PKCS#11 PINs)

static string containing PIN token and slot

svn.ssl.server

server root URL (scheme, hostname, port)

ASCII certificate, bitmask of acceptable failures

Also interesting is that individual RA implementations do not necessarily agree on the realmstring. ra_neon builds realmstrings for itself to use. ra_serf builds some realmstrings for itself, but offloads some of that work to Serf (in the most common cases, even).

Outsourced Secure Cache

Here's a table describing the keys and values (of sorts) used when storing and retrieving passwords from third-party secure storage providers.

Keyring

Keys

Values

Win32 CryptoAPI

static description string

password

MacOS X Keychain

realmstring, username

password

Gnome Keyring

realmstring, username

password

KDE Wallet

realmstring, username

password

GPG Agent

realmstring

password

AuthenticationCredentialCacheStorageOverhaul (last edited 2012-04-05 13:53:00 by CMichaelPilato)