[kmf-discuss] pktool fixes for exporting symmetric keys
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Wed Dec 19 13:21:26 PST 2007
Recent fixes to pktool for supporting the find_key operation (pktool export ...) have exposed a gap in the coverage of different key types for the utility.
pktool now has no way to isolate just symmetric keys and export/delete them because there is no user interface (i.e. CLI option) for specifying that the user just wants to export a symmetric key.
This is primarily an issue with symmetric keys in a PKCS#11 keystore because the "objtype" values allowed are: objtype=key[:[public | private | both]]
I think we need either a new objtype, something like "symkey", or a new modifier for the existing key, "symmetric".
The choices are to support one of these 2 key/value pairs for the CLI:
objtype=[cert | key[:[public | private | both]] | symkey ]
OR
objtype=[cert | key[:public | private | both | symmetric | all]]
I think we have to keep the public/private/both modifiers to retain backwards compat with pre-KMF versions of the tool.
I think I prefer the 1st choice - add a new objtype rather than a new key modifier since I think that the key modifier stuff makes things more complicated than it needs to be anyway.
Thoughts?
-Wyllys