diff options
author | Stef Walter <stefw@redhat.com> | 2013-06-13 12:27:57 +0200 |
---|---|---|
committer | Stef Walter <stefw@redhat.com> | 2013-06-13 12:32:06 +0200 |
commit | 0a324c312c228179a0cb4ff705d3b4636045604b (patch) | |
tree | 28efac0136d651eec4773a243e3e2bf72e9cffb2 | |
parent | 636a03e5d713285ad2f6a4e5b3c0e4531bea4645 (diff) |
Rework the PKCS#11 representation
-rw-r--r-- | specs/storing-trust-pkcs11.xml | 301 |
1 files changed, 242 insertions, 59 deletions
diff --git a/specs/storing-trust-pkcs11.xml b/specs/storing-trust-pkcs11.xml index a6a5d4b..dad6532 100644 --- a/specs/storing-trust-pkcs11.xml +++ b/specs/storing-trust-pkcs11.xml @@ -2,81 +2,264 @@ <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [ ]> <article id="storing-trust-pkcs11"> -<title>API: PKCS#11 Extensions</title> - -<articleinfo> - <releaseinfo>Take two draft</releaseinfo> - <date>June 2013</date> - <authorgroup> - <author> - <firstname>Stef</firstname> - <surname>Walter</surname> - <affiliation> - <orgname>Red Hat Inc.</orgname> - <address> - <email>stefw@redhat.com</email> - </address> - </affiliation> - </author> - </authorgroup> -</articleinfo> - -<sect1> - <title>PKCS#11 Extensions for Stapled Certificate Extensions</title> +<title>API: PKCS#11 representation</title> <para><ulink url="http://www.cryptsoft.com/pkcs11doc/">PKCS#11</ulink> is a useful and widely supported standard for storage and use of keys and certificates. It is often used with smart cards.</para> - <para>Here we outline how to use PKCS#11 as a store of stapled certificate extensions, - anchors and blacklisted certificates. We do this in the stardard PKCS#11 - object model, by defining a few extra attributes.</para> + <para>Here we outline how to use PKCS#11 as a store for trust policy, containing sets + for anchors, blacklist, and stapled extensions.</para> + +<sect1 id="pkcs11-store"> + <title>Store model</title> + + <para>We define a trust store using the stardard PKCS#11 object model, with a few + new attributes.</para> + + <variablelist> + <varlistentry> + <term>Store</term> + <listitem><para>Each PKCS#11 token is a store.</para></listitem> + </varlistentry> + <varlistentry> + <term>Sets</term> + <listitem><para>Sets are implemented by using certain PKCS#11 attributes to + differentiate between items in various sets.</para></listitem> + </varlistentry> + <varlistentry> + <term>Items</term> + <listitem><para>Items in the sets are represented by PKCS#11 objects.</para></listitem> + </varlistentry> + <varlistentry> + <term>Fields</term> + <listitem> + <para>Fields are implemented as various PKCS#11 <literal>CK_ATTRIBUTE</literal> + attributes, and the field identifiers are the <literal>CK_ATTRIBUTE_TYPE</literal> type + of the attribute.</para> + <para>Some fields are standard PKCS#11 attributes, and others are + implemented by defining a few extension vendor attributes in the PKCS#11 + defined fashion. To make it clear which attributes are defined here + and which are standard, all new attributes and values are + prefixed by the letters <literal>_X_</literal>. Once standardized + they would lose this tag.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>Lookup fields</term> + <listitem> + <para>In PKCS#11 any field can be used as a lookup field. For speedy + lookups it is recommended that implementations internally index the + attributes that will be used to lookup trust policy.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>Optional fields</term> + <listitem> + <para>Optional fields are implemented as an empty zero-length + <literal>CK</literal> value when the field is not present.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>Lookup operation</term> + <listitem> + <para>A lookup operation is implemented using the + <literal>C_FindObjectsInit()</literal> <literal>C_FindObjects()</literal> + PKCS#11 functions.</para> + <para>The set to lookup is specified by passing certain set specific + attributes, defined below, as part of the <literal>C_FindObjectsInit()</literal> + find template.</para> + <para>The fields to lookup are also passed as part of the + <literal>C_FindObjectsInit()</literal> find template.</para> + <para>If there are fields for which values need to be retrieved, the + <literal>C_GetAttributeValue()</literal> function should be used to retrieve + them on each of the objects matched by <literal>C_FindObjects()</literal>.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>Remove operation</term> + <listitem> + <para>A remove operation is implemented using the + <literal>C_FindObjectsInit()</literal> <literal>C_FindObjects()</literal> + PKCS#11 functions, in the same way as a in the lookup operation described + above.</para> + <para>The <literal>C_DestroyObject()</literal> function should be used to + remove the objects matched by the <literal>C_FindObjects()</literal> + function.</para> + <para>Another concurrent operation may have also removed an item. Do not + propogate <literal>CKR_OBJECT_HANDLE_INVALID</literal> return codes from + the <literal>C_DestroyObject()</literal> function.</para> + <para>Callers may consult the standard PKCS#11 <literal>CK_TOKEN_INFO</literal> + <literal>CKF_TOKEN_WRITE_PROTECTED</literal> flag, and object + <literal>CKA_MODIFIABLE</literal> attribute to determine whether items + may be removed.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>Store operation</term> + <listitem> + <para>A store operation is implemented using the <literal>C_CreateObject()</literal> + PKCS#11 function.</para> + <para>The set to store the item in is specified by passing certain + set specific attributes, defined below, as part of the + <literal>C_CreteObject()</literal> attribute template.</para> + <para>The fields to store are also passed as part of the + <literal>C_CreateObject()</literal> attribute template.</para> + <para>Implementors of the <literal>C_CreateObject()</literal> function should + check for another item that matches the relevant fields for the set in question. + If one exists the existing handle should be returned, rather than storing a + duplicate object.</para> + <para>Callers may consult the standard PKCS#11 <literal>CK_TOKEN_INFO</literal> + <literal>CKF_TOKEN_WRITE_PROTECTED</literal> flag to determine whether items + may be stored.</para> + </listitem> + </varlistentry> + </variablelist> + +</sect1> + +<sect1 id="pkcs11-anchors"> + <title>Set: Anchors</title> + + <para>The standard <literal>CKA_TRUSTED</literal> boolean attribute is used + to define a certificate or public key as an anchor.</para> - <para>To make it clear which attributes are defined here and which are standard, - all new attributes and values are prefixed by the letters <literal>_X_</literal>. Once - standardized they would lose this tag.</para> + <para>The following attribute is set on items that are part of the + set of anchors:</para> + + <variablelist> + <varlistentry> + <term><literal>CKA_TRUSTED</literal></term> + <listitem><para>Value: <literal>CK_TRUE</literal></para></listitem> + </varlistentry> + </variablelist> + + <para>Items in the set of anchors contain the following fields:</para> + + <variablelist> + <varlistentry> + <term><literal>CKA_X_PUBLIC_KEY_INFO</literal></term> + <listitem><para>The public key of the anchor, always present. A DER encoded + SubjectPublicKeyInfo sequence as defined in X.509.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>CKA_SUBJECT</literal></term> + <listitem><para>The subject DN of the anchor. Contents as defined in + PKCS#11: a DER encoded Name sequence defined in X.509.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>CKA_CLASS</literal></term> + <listitem><para>Set to <literal>CKO_CERTIFICATE</literal> when the + stored item is a certificate, and <literal>CKO_PUBLIC_KEY</literal> + when it doesn't.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>CKA_VALUE</literal></term> + <listitem><para>When the stored item is a certificate + (it has a <literal>CKA_CLASS</literal> of <literal>CKO_CERTIFICATE</literal>, + see above) this attribute stores the DER encoded Certificate + sequence defined in X.509.</para></listitem> + </varlistentry> + </variablelist> + + <para>Other standard PKCS#11 fields should be present on the objects as per + the <literal>CKA_CLASS</literal> attribute.</para> + + <para>Note that the presence of a BasicConstraints extension marks it as a + certificate authority anchor, capable of anchoring a certificate chain, + and not just itself.</para> +</sect1> - <para>The standard CKA_TRUSTED boolean attribute is used on an object with the - class CKO_CERTIFICATE to mark it as an anchor. The presence of a - BasicConstraints certificate extension marks it as a certificate - authority anchor, capable of anchoring a certificate chain, and not just - itself.</para> +<sect1 id="pkcs11-blacklist"> + <title>Set: Blacklist</title> - <para>We define a new boolean attribute CKA_X_DISTRUSTED. If this is present and - set to CK_TRUE on an object with the class CKO_CERTIFICATE, it marks that - certificate as being on the blacklist.</para> + <para>We define a new boolean attribute CKA_X_DISTRUSTED to indicate + blacklist status.</para> - <para>A new object class is defined of type CKO_X_CERTIFICATE_EXTENSION. Each + <para>The following attribute is set on items that are part of the + blacklist set:</para> + + <variablelist> + <varlistentry> + <term><literal>CKA_X_DISTRUSTED</literal></term> + <listitem><para>Value: <literal>CK_TRUE</literal></para></listitem> + </varlistentry> + </variablelist> + + <para>Items in the blacklist set contain the following fields:</para> + + <variablelist> + <varlistentry> + <term><literal>CKA_X_PUBLIC_KEY_INFO</literal></term> + <listitem><para>The public key of the anchor. A DER encoded + SubjectPublicKeyInfo sequence as defined in X.509. When this + value is not present, set to a zero length value.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>CKA_ISSUER</literal></term> + <listitem><para>The DN of the issuer. Contents as defined in + PKCS#11: a DER encoded Name sequence defined in X.509.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>CKA_SERIAL_NUMBER</literal></term> + <listitem><para>The serial number assigned by the issuer. Contents + as defined in PKCS#11: a DER encoded Name sequence defined in + X.509.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>CKA_CLASS</literal></term> + <listitem><para>Set to <literal>CKO_CERTIFICATE</literal> when the + <literal>CKA_ISSUER</literal> and <literal>CKA_SERIAL</literal> are\ + present. Otherwise may be set to either <literal>CKO_PUBLIC_KEY</literal> + or <literal>CKO_CERTIFICATE</literal> as appropriate.</para></listitem> + </varlistentry> + </variablelist> + + <para>Other standard PKCS#11 fields should be present on the objects as per + the <literal>CKA_CLASS</literal> attribute.</para> +</sect1> + +<sect1> + <title>Set: Stapled Extensions</title> + + <para>A new object class is defined of type <literal>CKO_X_CERTIFICATE_EXTENSION</literal>. Each object of this class represents one stapled certificate extension. It contains the following (standard and newly defined) attributes (in addition to the standard data storage attributes):</para> + <para>The following attribute is set on items that are part of the + set of stapled extensions:</para> + + <variablelist> + <varlistentry> + <term><literal>CKA_CLASS</literal></term> + <listitem><para>Value: <literal>CKO_X_CERTIFICATE_EXTENSION</literal></para></listitem> + </varlistentry> + </variablelist> + <variablelist> - <varlistentry> - <term>CKA_ID</term> - <listitem><para>The arbitrary byte string identifier of a - CKO_X_CERTIFICATE_EXTENSION must match the CKA_ID of the - CKO_CERTIFICATE which it is stapled to. This reflects the - customary PKCS#11 method of associating certificates and - keys. Must be set.</para></listitem> - </varlistentry> - <varlistentry> - <term>CKA_OBJECT_ID</term> - <listitem><para>The DER-encoded OID of the stapled certificate - extension. Must be set.</para></listitem> - </varlistentry> - <varlistentry> - <term>CKA_X_CRITICAL</term> - <listitem><para>A CK_BBOOL value indicating whether the extension - is critical or not. Defaults to CK_FALSE if not set.</para></listitem> - </varlistentry> - <varlistentry> - <term>CKA_VALUE</term> - <listitem><para>The DER encoded value of the certificate extension. - Must be set.</para></listitem> - </varlistentry> + <varlistentry> + <term><literal>CKA_X_PUBLIC_KEY_INFO</literal></term> + <listitem><para>The public key associated with the stapled + extension. A DER encoded SubjectPublicKeyInfo sequence as defined in + X.509.</para></listitem> + </varlistentry> + <varlistentry> + <term>CKA_VALUE</term> + <listitem><para>The DER encoded value of the Extension sequence as + defined in X.509</para></listitem> + </varlistentry> </variablelist> + <para>In addition the PKCS#11 <emphasis>Common Storage Object Attributes</emphasis> may + be present, as well as the <literal>CKA_ID</literal> attribute.</para> + +</sect1> + +<sect1 id="pkcs11-constants"> + <title>Constants</title> + + <para><emphasis>To do</emphasis></para> </sect1> </article> |