[kmf-discuss] Proposed pktool changes
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Jan 10 13:04:54 PST 2008
Below are the proposed changes to pktool needed to support Kerberos PKINIT
and some of the SSH certificate changes.
One feature missing from pktool is the ability to add EKU values when creating
a cert or CSR. I will propose adding a new attr/value pair command line arg to
support this.
Ex:
ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]
where EKU Name = serverAuth | clientAuth |
codeSigning | emailProtection |
ipsecEndSystem | ipsecTunnel |
ipsecUser | timeStamping |
OCSPSigning | KPClientAuth | KPKdc
The KMF library, pktool, and kmfcfg need to support 3 new EKU types
and 1 new subjectAltName format.
New EKU OIDs (from RFC 4556):
* KPClientAuth { 1 3 6 1 5 2 3 4 }
* SCLogon { 1.3.6.1.4.1.311.20.2.2 }
* KPKdc { 1 3 6 1 5 2 3 5 }
Notes: When KPClientAuth or KPKdc are used, the digitalSignature KU bit
MUST also be set.
A new subjectAltName form will be accepted by pktool for creating PKINIT
user certificates:
id-pkinit-san = { 1 3 6 1 5 2 2 }
The form of the name is principal@REALM. Example: wyllys@SUN.COM
For use in pktool, the usage would look like:
$ pktool gencsr ... altname=[critical:]KRB=wyllys@SUN.COM ...
- should pktool automatically fold the REALM into uppercase form?
pktool also needs a new command for signing a CSR (as previously discussed).
pktool signcsr
signkey=label/filename of signing key (label if keystore=PKCS11 or NSS, filename if file)
csr=CSR filename
serial=serial number hex string
outcert=filename for resulting certificate.
[issuer=issuer-DN] ( DN to use for issuer field. Not needed if the key
has an associated certificate in the keystore. The subject
of the associated cert will be the issuer of the new one )
[keystore=pkcs11|file|nss] ( PKCS11 is default )
[token=token[:manuf[:serial]]] ( PKCS11 token name, default is to use metaslot )
[format=pem|der] ( format of output cert, PEM is default)
[subject=subjectDN] ( override the subject in the original request )
[store=y|n] ( store the new cert, default = n )
[label=cert label] ( label to use when storing in PKCS11 or NSS )
[altname=subjectAltName] ( add a SAN )
[keyusage=[critical:]usage,..] ( add key usage bits )
[eku=EKU Name, EKU Name, ...] ( add EKU values )
Thoughts?
-Wyllys
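What the proposal above has to put on the wire, as an added example for this page (this is editor-supplied code, not code from the post or from the Solaris KMF/pktool sources): a small DER encoder for the id-pkinit-san otherName carrying a KRB5PrincipalName as RFC 4556 section 3.2.2 defines it, an extendedKeyUsage value built from the EKU names listed in the post, the digitalSignature check the post notes for KPClientAuth and KPKdc, and parsers for the `ekuname=` and `altname=KRB=` syntax sketched above. Assumptions are labelled in the code: the archive's "wyllys at SUN.COM" is taken to be wyllys@SUN.COM; a `critical:` prefix on any ekuname entry is treated as marking the whole EKU extension critical (criticality is a property of the extension, not of a single OID); the realm is encoded exactly as typed, since upper-casing it is the open question in the post. Pure Python 3, no third-party modules.

```python
"""Added example (not code from the kmf-discuss post or from Solaris KMF/pktool): DER for
the PKINIT bits proposed above, the id-pkinit-san otherName carrying a KRB5PrincipalName
(RFC 4556 3.2.2) and the RFC 4556 EKU OIDs, plus the digitalSignature rule. Python 3 only."""

ID_PKINIT_SAN, ID_CE_SAN, ID_CE_EKU, NT_PRINCIPAL = "1.3.6.1.5.2.2", "2.5.29.17", "2.5.29.37", 1
# pktool EKU names from the post -> OIDs (RFC 5280, RFC 4556, Microsoft arc for SCLogon)
EKU_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2", "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4", "ipsecEndSystem": "1.3.6.1.5.5.7.3.5", "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
    "ipsecUser": "1.3.6.1.5.5.7.3.7", "timeStamping": "1.3.6.1.5.5.7.3.8", "OCSPSigning": "1.3.6.1.5.5.7.3.9",
    "KPClientAuth": "1.3.6.1.5.2.3.4", "KPKdc": "1.3.6.1.5.2.3.5", "SCLogon": "1.3.6.1.4.1.311.20.2.2",
}

def der_len(n):  # DER definite length: short form below 0x80, else 0x8N + N big-endian bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:  # base-128 arcs, high bit set on every byte but the last
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def der_int(n):  # non-negative INTEGER, minimal, leading 0x00 when the top bit is set
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def sequence(*parts):
    return tlv(0x30, b"".join(parts))

def explicit(n, body):  # [n] EXPLICIT; Kerberos ASN.1 (RFC 4120) tags everything explicitly
    return tlv(0xA0 | n, body)

def kerberos_string(s):  # KerberosString ::= GeneralString, IA5 subset
    return tlv(0x1B, s.encode("ascii"))

def krb5_principal_name(principal):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }.
    The realm is encoded as typed; upper-casing it is the open question in the post."""
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError("expected principal@REALM")
    components = name.split("/")  # host/kdc.example.com is two components
    pname = sequence(explicit(0, der_int(NT_PRINCIPAL)),
                     explicit(1, sequence(*(kerberos_string(c) for c in components))))
    return sequence(explicit(0, kerberos_string(realm)), explicit(1, pname))

def pkinit_san(principal):
    """GeneralName otherName ([0] IMPLICIT) with type-id id-pkinit-san and the name as [0] value."""
    return tlv(0xA0, der_oid(ID_PKINIT_SAN) + explicit(0, krb5_principal_name(principal)))

def extension(oid, value, critical=False):
    flag = [tlv(0x01, b"\xff")] if critical else []  # DER omits BOOLEAN DEFAULT FALSE
    return sequence(der_oid(oid), *flag, tlv(0x04, value))

def check_key_usage(eku_names, keyusage_bits):
    """The post's note: KPClientAuth or KPKdc without digitalSignature is an error."""
    if {"KPClientAuth", "KPKdc"} & set(eku_names) and "digitalSignature" not in keyusage_bits:
        raise ValueError("KPClientAuth/KPKdc require keyusage=digitalSignature")

def parse_eku_arg(arg):
    """ekuname=[[critical:]Name,...]. Assumed: a critical: prefix on any entry makes the
    whole extension critical, since criticality belongs to the extension, not the OID."""
    critical, names = False, []
    for item in (s.strip() for s in arg.split(",")):
        if item.startswith("critical:"):
            critical, item = True, item[len("critical:"):]
        if item not in EKU_OIDS:
            raise ValueError("unknown EKU name: " + item)
        names.append(item)
    return critical, names

def parse_altname_arg(arg):
    """altname=[critical:]KRB=principal@REALM -> (critical, principal)."""
    critical = arg.startswith("critical:")
    kind, sep, value = (arg[len("critical:"):] if critical else arg).partition("=")
    if kind != "KRB" or not sep:
        raise ValueError("only KRB= alt names are handled here")
    return critical, value

def build_extensions(altname_arg, eku_arg, keyusage_bits):
    """{oid: DER Extension} for the altname/ekuname/keyusage args of one request."""
    san_critical, principal = parse_altname_arg(altname_arg)
    eku_critical, eku_names = parse_eku_arg(eku_arg)
    check_key_usage(eku_names, keyusage_bits)
    eku_value = sequence(*(der_oid(EKU_OIDS[n]) for n in eku_names))
    return {ID_CE_SAN: extension(ID_CE_SAN, sequence(pkinit_san(principal)), san_critical),
            ID_CE_EKU: extension(ID_CE_EKU, eku_value, eku_critical)}
```

Calling `build_extensions("KRB=wyllys@SUN.COM", "KPClientAuth,clientAuth", {"digitalSignature"})` gives the two Extension values for the user-cert case in the post; `krb5_principal_name("wyllys@SUN.COM").hex()` on its own is the 34-byte KRB5PrincipalName (`3020a0091b0753554e2e434f4d...`), which is the value a KDC compares against the client principal, so it is the thing worth checking in a CSR with `openssl asn1parse` before signing. Leaving `digitalSignature` out of the key-usage set makes `build_extensions` raise instead of silently emitting a KPClientAuth certificate that RFC 4556 clients would reject.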