SLURM Cryptographic Plugin Programmer Guide
Overview
This document describes SLURM cryptographic plugins and the API that defines them. It is intended as a resource to programmers wishing to write their own SLURM cryptographic plugins. This is version 0 of the API.
SLURM cryptographic plugins are SLURM plugins that implement a digital signature mechanism. The slurmctld daemon generates a job step credential, signs it, and transmits it to an srun program. The srun program then transmits it to the slurmd daemons directly. The slurmctld daemon does not communicate directly with the slurmd daemons at this time for performance reasons, but the job step credential must be validated by the slurmd daemon as having been generated by the slurmctld daemon and not modified in transit. Digital signatures provide this validation: slurmctld signs with the key named by JobCredentialPrivateKey, and slurmd verifies with the key named by JobCredentialPublicCertificate. The plugins must conform to the SLURM Plugin API with the following specifications:
const char plugin_type[]
The major type must be "crypto". The minor type can be any recognizable abbreviation for the type of cryptographic mechanism. We recommend, for example:
- munge: LLNL's Munge system.
- openssl: OpenSSL.
The plugin_name and plugin_version symbols required by the SLURM Plugin API require no specialization for cryptographic support. Note carefully, however, the versioning discussion below.
Data Objects
The implementation must maintain (though not necessarily directly export) an enumerated errno to allow SLURM to discover as practically as possible the reason for any failed API call. Plugin-specific enumerated integer values may be used when appropriate.
These values must not be used as return values in integer-valued functions in the API. The proper error return value from integer-valued functions is SLURM_ERROR. The implementation should endeavor to provide useful and pertinent information by whatever means is practical. Successful API calls are not required to reset any errno to a known value. However, the initial value of any errno, prior to any error condition arising, should be SLURM_SUCCESS.
API Functions
The following functions must appear. Functions which are not implemented should be stubbed.
void * crypto_read_private_key (const char *path);
Description: Load a private key from the contents of the supplied file.
Argument:path (input) fully-qualified pathname to the private key as specified by the JobCredentialPrivateKey configuration parameter.
Returns: The pointer to a key on success or NULL on failure. Call crypto_destroy_key() to release memory associated with this key.
void * crypto_read_public_key (const char *path);
Description: Load a public key from the contents of the supplied file.
Argument:path (input) fully-qualified pathname to the public key as specified by the JobCredentialPublicCertificate configuration parameter.
Returns: The pointer to a key on success or NULL on failure. Call crypto_destroy_key() to release memory associated with this key.
void crypto_destroy_key (void *key);
Description: Release storage for a public or private key.
Argument: key (input/output) pointer to the key previously allocated by crypto_read_private_key() or crypto_read_public_key().
char *crypto_str_error(void);
Description: Return a string describing the last error generated by the cryptographic software.
Returns: A pointer to a string.
int crypto_sign (void *key, char *buffer, int buf_size, char **sig_pp, unsigned int *sig_size_p);
Description: Generate a signature for the supplied buffer.
Arguments:
key (input) pointer to the key previously generated by crypto_read_private_key() or crypto_read_public_key(). For an asymmetric mechanism such as OpenSSL this must be the private key; Munge uses one shared key for both signing and verification.
buffer (input) data to be signed.
buf_size (input) size of buffer, in bytes.
sig_pp (output) location in which to store a pointer to the signature. NOTE: The storage for the signature (*sig_pp) must be allocated using xmalloc() and will be freed by the caller using xfree().
sig_size_p (output) location in which to store the size of the signature (*sig_pp), in bytes.
Returns: SLURM_SUCCESS if successful. On failure, the plugin should return SLURM_ERROR and set the errno to an appropriate value to indicate the reason for failure.
int crypto_verify_sign (void *key, char *buffer, int buf_size, char *signature, unsigned int sig_size);
Description: Verify the signature for the supplied buffer.
Arguments:
key (input) pointer to the key previously generated by crypto_read_private_key() or crypto_read_public_key(). For an asymmetric mechanism such as OpenSSL this is the public key; Munge uses one shared key for both signing and verification.
buffer (input) data previously signed by crypto_sign().
buf_size (input) size of buffer, in bytes.
signature (input) signature as returned in sig_pp by the crypto_sign() function and to be confirmed.
sig_size (input) size of the signature, in bytes, as returned in sig_size_p by crypto_sign().
Returns: SLURM_SUCCESS if the signature is valid for the buffer under the supplied key. On failure, including a signature that does not verify, the plugin should return SLURM_ERROR and set the errno to an appropriate value to indicate the reason for failure. The implementation should reject a signature of unexpected length before comparing and should compare signature bytes in constant time so that verification timing reveals nothing about the expected value.
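As an added illustration, not code from the SLURM project, the following C file implements every version-0 entry point above against a placeholder keyed hash so that the API contract itself can be exercised: the plugin_type symbol, a plugin-local errno that is never returned from the integer-valued calls, xmalloc()/xfree() ownership of the signature buffer, and a verify path that rejects a wrong-length or tampered signature and compares in constant time. The hash (FNV-1a over key, length, data and key) is not a secure signature and stands in only for the OpenSSL or Munge call a real plugin would make. SLURM_SUCCESS, SLURM_ERROR, xmalloc and xfree are defined locally as assumed stand-ins for the SLURM headers; the minor type "example", the 4 KiB key-file limit and the function example_roundtrip() are hypothetical; the key file and credential are constructed for the demonstration. example_roundtrip() plays slurmctld, srun and slurmd in one process: it signs a credential, verifies it, then shows that a modified credential and a truncated signature both fail with the errno set.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Assumption: a real plugin gets these four from SLURM's own headers. */
#define SLURM_SUCCESS 0
#define SLURM_ERROR  (-1)
#define xmalloc(n)   calloc(1, (n))  /* stand-in for SLURM's xmalloc() */
#define xfree(p)     free(p)         /* stand-in for SLURM's xfree() */
const char plugin_type[] = "crypto/example";  /* major type "crypto"; minor type hypothetical */

/* Plugin-specific errno data object; never used as an API return value. */
enum { ESIG_NONE = SLURM_SUCCESS, ESIG_KEY_READ, ESIG_BAD_ARG, ESIG_BAD_SIG };
static int plugin_errno = ESIG_NONE;
struct key { unsigned char *bytes; size_t len; };
#define SIG_LEN 8

/* Placeholder primitive: FNV-1a over key||len||data||key. NOT a secure MAC or
 * signature; a real plugin calls OpenSSL or Munge here. It only exercises the contract. */
static uint64_t fnv(uint64_t h, const void *p, size_t n)
{
	for (const unsigned char *b = p; n--; b++) { h ^= *b; h *= 0x100000001b3ULL; }
	return h;
}
static void keyed_hash(const struct key *k, const char *buf, size_t n, unsigned char out[SIG_LEN])
{
	uint64_t h = fnv(0xcbf29ce484222325ULL, k->bytes, k->len);
	h = fnv(fnv(fnv(h, &n, sizeof n), buf, n), k->bytes, k->len);
	for (size_t i = 0; i < SIG_LEN; i++) out[i] = (unsigned char)(h >> (8 * i));
}
/* Constant-time compare: verify time must not reveal which signature byte differs. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
	unsigned char d = 0;
	for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
	return d == 0;
}

void crypto_destroy_key(void *key)
{
	struct key *k = key;
	if (!k) return;
	for (size_t i = 0; i < k->len; i++) ((volatile unsigned char *)k->bytes)[i] = 0;  /* wipe */
	xfree(k->bytes);
	xfree(k);
}
/* The placeholder is symmetric, so both readers load the same raw key file. */
static void *read_key_file(const char *path)
{
	FILE *f = fopen(path, "rb");
	struct key *k = xmalloc(sizeof *k);
	k->bytes = xmalloc(4096);                       /* assumed limit: key files up to 4 KiB */
	k->len = f ? fread(k->bytes, 1, 4096, f) : 0;
	if (f) fclose(f);
	if (k->len == 0) { crypto_destroy_key(k); plugin_errno = ESIG_KEY_READ; return NULL; }
	return k;
}
void *crypto_read_private_key(const char *path) { return read_key_file(path); }
void *crypto_read_public_key(const char *path)  { return read_key_file(path); }
static const char *err_msg[] = { "no error", "key file could not be read", "invalid argument", "signature does not verify" };
char *crypto_str_error(void) { return (char *)err_msg[plugin_errno]; }

int crypto_sign(void *key, char *buffer, int buf_size, char **sig_pp, unsigned int *sig_size_p)
{
	if (!key || !buffer || buf_size < 0 || !sig_pp || !sig_size_p) { plugin_errno = ESIG_BAD_ARG; return SLURM_ERROR; }
	unsigned char *sig = xmalloc(SIG_LEN);          /* caller releases it with xfree() */
	keyed_hash(key, buffer, (size_t)buf_size, sig);
	*sig_pp = (char *)sig; *sig_size_p = SIG_LEN;
	return SLURM_SUCCESS;
}
int crypto_verify_sign(void *key, char *buffer, int buf_size, char *signature, unsigned int sig_size)
{
	unsigned char expect[SIG_LEN];
	if (!key || !buffer || buf_size < 0 || !signature) { plugin_errno = ESIG_BAD_ARG; return SLURM_ERROR; }
	if (sig_size != SIG_LEN) { plugin_errno = ESIG_BAD_SIG; return SLURM_ERROR; }  /* length check before compare */
	keyed_hash(key, buffer, (size_t)buf_size, expect);
	if (!ct_equal(expect, (unsigned char *)signature, SIG_LEN)) { plugin_errno = ESIG_BAD_SIG; return SLURM_ERROR; }
	return SLURM_SUCCESS;
}

/* One-process round trip of the slurmctld -> srun -> slurmd flow: sign a constructed
 * credential, verify it, then show tampering and truncation are rejected. Returns 0 or the failing step. */
int example_roundtrip(void)
{
	char path[] = "/tmp/slurm_crypto_example_XXXXXX", cred[] = "constructed job step credential";
	const char keybytes[] = "constructed-32-byte-example-key!";   /* constructed key material */
	char *sig = NULL; unsigned int siglen = 0;
	int n = (int)strlen(cred), fd = mkstemp(path);
	if (fd < 0 || write(fd, keybytes, 32) != 32) return 1;
	close(fd);
	void *key = crypto_read_private_key(path); unlink(path);
	if (!key) return 2;
	if (crypto_sign(key, cred, n, &sig, &siglen) != SLURM_SUCCESS) return 3;
	if (crypto_verify_sign(key, cred, n, sig, siglen) != SLURM_SUCCESS) return 4;
	cred[0] ^= 1;                                   /* tampered credential must fail */
	if (crypto_verify_sign(key, cred, n, sig, siglen) != SLURM_ERROR || plugin_errno != ESIG_BAD_SIG) return 5;
	cred[0] ^= 1;
	if (crypto_verify_sign(key, cred, n, sig, siglen - 1) != SLURM_ERROR) return 6;  /* truncated signature */
	xfree(sig); crypto_destroy_key(key);
	return 0;
}
```

Two design points carry over to a real plugin regardless of primitive: the signature length is checked before any byte comparison, and the comparison itself is constant-time, because slurmd verifies credentials supplied by an unprivileged srun and a data-dependent early exit would leak information about the expected signature.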
Versioning
This document describes version 0 of the SLURM cryptographic API. Future releases of SLURM may revise this API. A cryptographic plugin conveys its ability to implement a particular API version using the mechanism outlined for SLURM plugins.
Last modified 24 July 2007