[kmf-discuss] KMF questions
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Sat Mar 17 13:12:42 PDT 2007
Massimiliano Pala wrote:
> Thank you Wyllys.
>
> So if I get it correctly, to generate something (a cert, a key, a csr) I
> should generate it into the store and then use the find to get it, right?
> This could be quite inefficient in case I want to generate a large number
> of certificates to be stored in an SQL database... will you think of
> providing something that could work in memory directly (without requiring
> the library to write data onto the disk)? A sort of 'memory' store?
Only the private keys are stored right away. Creating a cert, which
happens once you call KMF_SignCertRecord, results in an in-memory
version of the cert being returned to you (in a KMF_DATA struct).
I will try to dig up some sample code to show you what I mean
and post it to the website next week.
I will look into adding an option for *not* storing the private keys
when a keypair is created so that you could later choose to store them
somewhere else - that is probably a good idea.
>
> Another question, in KMF I did not find any reference to EC-based schemes,
> e.g. ECDSA, will you support it? I noticed that the OpenSSL version in
> OpenSolaris has the EC disabled by default, is there any particular reason
> for this?
Offhand, I don't know why EC is disabled, probably due to import/export
restrictions or something. KMF supports only RSA and DSA at this time.
>
> Just another question :D I see that you use a PKCS11 keystore and the
> "Sun Metaslot", is there some documentation about this store?
Metaslot is sort of a virtual token in Sun's PKCS#11 crypto framework,
I think you can read about it in the security docs or you could
visit the "solaris-crypto" project on the opensolaris.org site
for more details. From a consumer perspective, it is the default
token that is used when you write to the PKCS#11 interface. Unless
you have a hardware token on your system that is plugged into
the crypto framework, objects written to metaslot will end up
in the Solaris softtoken store.
-Wyllys