[kmf-discuss] KMF questions
Massimiliano Pala
pala at cs.dartmouth.edu
Sat Mar 17 10:47:03 PDT 2007
Thank you Wyllys.
So if I get it correctly, to generate something (a cert, a key, a CSR) I
should generate it into the store and then use the find to get it, right?
This could be quite inefficient in case I want to generate a large number
of certificates to be stored in an SQL database... will you think of
providing something that could work in memory directly (without requiring
the library to write data onto the disk)? A sort of 'memory' store?
Another question: in KMF I did not find any reference to EC-based schemes,
e.g. ECDSA. Will you support it? I noticed that the OpenSSL version in
OpenSolaris has EC disabled by default; is there any particular reason
for this?
Just another question :D I see that you use a PKCS11 keystore and the
"Sun Metaslot"; is there some documentation about this store?
Thanks again,
Max
Wyllys Ingersoll wrote:
> Massimiliano Pala wrote:
>> Hi,
>>
>> I am building a high-level PKI (libpki) library which makes use of KMF on
>> OpenSolaris and of OpenSSL on others to ensure compatibility with older
>> systems (e.g., Solaris <10).
>>
>> I have some simple questions:
>>
>> * I started looking at the documentation for KMF; the only doc I have is
>> from 10/23/06 - is this the latest version?
>
>
> Yes, but it is due for an update soon. There have not been many
> changes. You can check the kmfapi.h and kmftypes.h file for
> the most recent function prototypes and type definitions to be sure.
>
>
>> * Can I use KMF to generate KeyPairs/CSRs/Certs without having to save them
>> into a specific store and decide at a later time? Or will I have to use
>> another library to do so?
>
> If you are creating a keypair, you must specify the keystore to use for
> the private key along with parameters unique to whichever keystore
> you choose (ex: for OpenSSL, you would have to give a file name).
> The private key is stored in the indicated keystore at the time it is
> created and the caller is given a handle to access this key data later.
>
> You don't have to use another library, KMF takes care of it. You
> can manually store keys and certs with KMF_StoreCert and KMF_StorePrivateKey.
>
>
>> * I am confused about some functions. For example the KMF_DownloadCRL():
>> where does it store the downloaded CRL?
>
> KMF_DownloadCRL(
> KMF_HANDLE_T handle,
> char *uri,
> char *proxy, /* optional */
> int proxy_port, /* optional */
> unsigned int maxsecs,
> char *crlfile,
> KMF_ENCODE_FORMAT *pformat);
>
> You specify the filename for downloaded CRL in the "crlfile" parameter.
>
>> * What is the Datatype that is used for CRLs ?
>
> They are generally raw ASN.1 DER data or sometimes a PEM encoded
> version. Those are the only 2 types we support.
>
>> * How can I load/save a Cert/Key/CSR to/from a file? I see there is a
>> KMF_ReadInputFile(), but then?
>
> We recommend using KMF_FindCert or KMF_FindKey routines to load certs
> and keys because these functions will handle a variety of formats
> and will verify that the data is actually X.509 (or RSA key) data.
> KMF_ReadInputFile is more of a general purpose utility that will just
> read ANY data from a file into a KMF_DATA record and return it to the
> caller.
>
> Using KMF_FindCert will return the data in a KMF_X509_DER_CERT block
> which has some metadata in addition to the raw ASN.1 encoded cert data,
> and can be used as input to other routines.
>
> -Wyllys
>
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] pala at cs.dartmouth.edu
project.manager at openca.org
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063 Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
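The quoted reply says KMF handles CRLs only as raw ASN.1 DER or as a PEM encoding, and KMF_DownloadCRL reports which one it fetched through `pformat`. As an added example that is not from this thread or from KMF itself, the C code below classifies a CRL buffer as one of those two encodings and checks that its outer framing is intact (PEM footer present, DER SEQUENCE length covering exactly the buffer) before the bytes go to any parser; the `crl_format_t` names are hypothetical and not KMF's KMF_ENCODE_FORMAT values.

```c
#include <stddef.h>
#include <string.h>

/* The two CRL encodings the reply names; enum names are hypothetical, not KMF's own. */
typedef enum { CRL_FORMAT_UNKNOWN = 0, CRL_FORMAT_DER = 1, CRL_FORMAT_PEM = 2 } crl_format_t;

/* Decode a DER length field at buf[*pos]; rejects indefinite and oversized lengths. */
static int der_read_length(const unsigned char *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return 0;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 1; }          /* short form */
    size_t n = b & 0x7f;                            /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || *pos + n > len) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 1;
}

/* Classify a CRL buffer as DER or PEM and check that its outer framing is intact. */
crl_format_t crl_detect_format(const unsigned char *buf, size_t len)
{
    static const char hdr[] = "-----BEGIN X509 CRL-----";
    static const char ftr[] = "-----END X509 CRL-----";
    size_t hl = sizeof(hdr) - 1, fl = sizeof(ftr) - 1;
    if (len >= hl && memcmp(buf, hdr, hl) == 0) {
        for (size_t i = hl; i + fl <= len; i++)     /* PEM needs its matching footer */
            if (memcmp(buf + i, ftr, fl) == 0) return CRL_FORMAT_PEM;
        return CRL_FORMAT_UNKNOWN;
    }
    if (len >= 2 && buf[0] == 0x30) {               /* CertificateList ::= SEQUENCE */
        size_t pos = 1, body;
        if (der_read_length(buf, len, &pos, &body) && pos + body == len)
            return CRL_FORMAT_DER;                  /* length covers exactly the buffer */
    }
    return CRL_FORMAT_UNKNOWN;
}

/* Constructed samples (not real CRLs): returns 1 if every case classifies as expected. */
int crl_selftest(void)
{
    static const unsigned char der_ok[]    = { 0x30, 0x03, 0x02, 0x01, 0x01 }; /* complete */
    static const unsigned char der_trunc[] = { 0x30, 0x05, 0x02, 0x01, 0x01 }; /* claims 5, has 3 */
    static const char pem_ok[]  = "-----BEGIN X509 CRL-----\nMAA=\n-----END X509 CRL-----\n";
    static const char pem_cut[] = "-----BEGIN X509 CRL-----\nMAA=\n";
    return crl_detect_format(der_ok, sizeof der_ok) == CRL_FORMAT_DER
        && crl_detect_format(der_trunc, sizeof der_trunc) == CRL_FORMAT_UNKNOWN
        && crl_detect_format((const unsigned char *)pem_ok, sizeof pem_ok - 1) == CRL_FORMAT_PEM
        && crl_detect_format((const unsigned char *)pem_cut, sizeof pem_cut - 1) == CRL_FORMAT_UNKNOWN;
}
```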