[kmf-discuss] KMF questions

Wyllys Ingersoll wyllys.ingersoll at sun.com
Sat Mar 17 09:37:16 PDT 2007


Massimiliano Pala wrote:
> Hi,
> 
> I am building a high-level PKI (libpki) library which makes use of kmf on
> OpenSolaris and of OpenSSL on others to ensure compatibility with older
> systems (e.g., Solaris <10).
> 
> I have some simple questions:
> 
> * I started looking at the documentation for KMF, the only doc I have is
>   from 10/23/06 - is this the latest version?


Yes, but it is due for an update soon.  There have not been many
changes.  You can check the kmfapi.h and kmftypes.h files for
the most recent function prototypes and type definitions to be sure.


> 
> * Can I use KMF to generate KeyPairs/CSRs/Certs without having to save them
>   into a specific store and decide at a later time? Or will I have to use
>   another library to do so?

If you are creating a keypair, you must specify the keystore to use for
the private key along with parameters unique to whichever keystore
you choose (ex: for OpenSSL, you would have to give a file name).
The private key is stored in the indicated keystore at the time it is
created and the caller is given a handle to access this key data later.

You don't have to use another library, KMF takes care of it.  You
can manually store keys and certs with KMF_StoreCert and KMF_StorePrivateKey.


> 
> * I am confused about some functions. For example the KMF_DownloadCRL():
>   where does it store the downloaded CRL?

KMF_DownloadCRL(
	KMF_HANDLE_T handle,
	char *uri,
	char *proxy,		/* optional */
	int proxy_port,		/* optional */
	unsigned int maxsecs,
	char *crlfile,
	KMF_ENCODE_FORMAT *pformat);

You specify the filename for downloaded CRL in the "crlfile" parameter.

> 
> * What is the Datatype that is used for CRLs ?

They are generally raw ASN.1 DER data or sometimes a PEM encoded
version.  Those are the only 2 types we support.

> 
> * How can I load/save a Cert/Key/CSR to/from a file ? I see there is a
>   KMF_ReadInputFile(), but then ?

We recommend using KMF_FindCert or KMF_FindKey routines to load certs
and keys because these functions will handle a variety of formats
and will verify that the data is actually X.509 (or RSA key) data.
KMF_ReadInputFile is more of a general purpose utility that will just
read ANY data from a file into a KMF_DATA record and return it to the
caller.

Using KMF_FindCert will return the data in a KMF_X509_DER_CERT block
which has some metadata in addition to the raw ASN.1 encoded cert data,
and can be used as input to other routines.

-Wyllys
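The reply above makes two points worth seeing in code: certs and CRLs arrive as either raw DER or PEM, and the safe way to load them is a routine that checks the bytes are really what they claim to be rather than a raw file read. The following is an added example, not code from this thread or from KMF itself, and it does not link against libkmf: it is plain C that performs the first checks such a loader would do before handing a blob to an X.509 parser (PEM armour present, or a DER SEQUENCE whose declared length covers exactly the file, with non-minimal DER lengths rejected). All function names and the sample blobs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two encodings the reply says KMF accepts: raw DER or PEM. */
typedef enum { ENC_UNKNOWN = 0, ENC_DER = 1, ENC_PEM = 2 } enc_format_t;

/* Constructed samples (not real certificates or CRLs): a minimal DER
 * SEQUENCE holding INTEGER 5, the same SEQUENCE cut short, a SEQUENCE
 * using a non-minimal (BER-only) length, and two PEM blobs. */
static const unsigned char sample_der[]        = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_truncated[]  = { 0x30, 0x03, 0x02, 0x01 };
static const unsigned char sample_nonminimal[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_pem_crl[] =
    "-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n";
static const unsigned char sample_pem_cert[] =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";

/* Size of the outer TLV (tag + length bytes + content) starting at buf,
 * or 0 if the length field is malformed, non-minimal, or runs past len. */
static size_t der_tlv_size(const unsigned char *buf, size_t len)
{
    size_t hdr, clen, i;
    if (len < 2) return 0;
    if (buf[1] < 0x80) {                 /* short form: one length byte */
        hdr = 2;
        clen = buf[1];
    } else {                             /* long form: 0x8N then N bytes */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return 0;
        hdr = 2 + n;
        clen = 0;
        for (i = 0; i < n; i++) clen = (clen << 8) | buf[2 + i];
        if (n > 1 && buf[2] == 0) return 0;   /* leading zero byte: not DER */
        if (n == 1 && clen < 0x80) return 0;  /* short form was required */
    }
    if (clen > len - hdr) return 0;      /* declared length exceeds buffer */
    return hdr + clen;
}

/* Classify a blob read from disk. DER certs, CSRs and CRLs all start with
 * a SEQUENCE (0x30) that must span exactly the data; PEM starts with a
 * "-----BEGIN " armour line. Anything else is rejected outright. */
enc_format_t detect_encoding(const unsigned char *buf, size_t len)
{
    static const char pem_hdr[] = "-----BEGIN ";
    if (len >= sizeof(pem_hdr) - 1 &&
        memcmp(buf, pem_hdr, sizeof(pem_hdr) - 1) == 0)
        return ENC_PEM;
    if (len >= 2 && buf[0] == 0x30 && der_tlv_size(buf, len) == len)
        return ENC_DER;
    return ENC_UNKNOWN;
}

/* Copy the PEM label (text between "-----BEGIN " and "-----") into out.
 * Returns 1 on success, 0 if there is no well-formed armour line. */
int pem_label(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t start = strlen("-----BEGIN "), i;
    if (detect_encoding(buf, len) != ENC_PEM) return 0;
    for (i = start; i + 5 <= len; i++) {
        if (memcmp(buf + i, "-----", 5) == 0) {
            size_t n = i - start;
            if (n == 0 || n + 1 > outlen) return 0;
            memcpy(out, buf + start, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* 1 if the blob is PEM and its label says it is a CRL, else 0. A loader
 * for CRLs would use this to refuse a certificate handed to it by mistake. */
int is_crl_pem(const unsigned char *buf, size_t len)
{
    char label[64];
    return pem_label(buf, len, label, sizeof(label)) == 1 &&
           strcmp(label, "X509 CRL") == 0;
}

int main(void)
{
    printf("der=%d truncated=%d nonminimal=%d pem_crl=%d pem_cert_is_crl=%d\n",
           detect_encoding(sample_der, sizeof(sample_der)),
           detect_encoding(sample_truncated, sizeof(sample_truncated)),
           detect_encoding(sample_nonminimal, sizeof(sample_nonminimal)),
           detect_encoding(sample_pem_crl, sizeof(sample_pem_crl) - 1),
           is_crl_pem(sample_pem_cert, sizeof(sample_pem_cert) - 1));
    return 0;
}
```

The length check is the part that matters for a loader: a blob whose outer SEQUENCE claims more bytes than the file holds is truncated or corrupt, and a blob that encodes its length the BER way rather than the DER way should not be passed on as a valid DER certificate or CRL.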
