[kmf-discuss] Proposed pktool changes
Hai-May Chao
Hai-May.Chao at sun.com
Thu Jan 10 17:45:38 PST 2008
Wyllys Ingersoll wrote:
> Below are the proposed changes to pktool needed to support Kerberos PKINIT
> and some of the SSH certificate changes.
>
> One feature missing from pktool is the ability to add EKU values when
> creating a cert or CSR. I will propose adding a new attr/value pair
> command line arg to support this.
>
> Ex:
> ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]
> where EKU Name = serverAuth | clientAuth |
> codeSigning | emailProtection |
> ipsecEndSystem | ipsecTunnel |
> ipsecUser | timeStamping |
> OCSPSigning | KPClientAuth | KPKdc
>
>
The proposed EKU attr command arg looks good.
Should the new SCLogon be added to the above list of EKU names?
> The KMF library, pktool, and kmfcfg need to support 3 new EKU types
> and 1 new subjectAltName format.
>
> New EKU OIDs (from RFC 4556):
> * KPClientAuth { 1 3 6 1 5 2 3 4 }
> * SCLogon { 1.3.6.1.4.1.311.20.2.2 }
> * KPKdc { 1 3 6 1 5 2 3 5 }
>
> Notes: When KPClientAuth or KPKdc are used, the digitalSignature KU bit
> MUST also be set.
>
>
This is good -- it enforces that the purpose of a certificate is
consistent with those new EKU bits and the KU digitalSignature bit. It
looks like there are no other EKU and KU bits that must be consistent
based on RFC 3280.
> A new subjectAltName form will be accepted by pktool for creating PKINIT
> user certificates:
> id-pkinit-san = { 1 3 6 1 5 2 2 }
>
> The form of the name is principal@REALM. Example: wyllys@SUN.COM
>
> For use in pktool, the usage would look like:
> $ pktool gencsr ... altname=[critical:]KRB=wyllys@SUN.COM ...
>
> - Should pktool automatically fold the REALM into uppercase form?
>
> pktool also needs a new command for signing a CSR (as previously discussed).
>
> pktool signcsr
> signkey=label/filename of signing key (label if keystore=PKCS11 or NSS, filename if file)
> csr=CSR filename
> serial=serial number hex string
> outcert=filename for resulting certificate.
> [issuer=issuer-DN] ( DN to use for issuer field. Not needed if the key
> has an associated certificate in the keystore. The subject
> of the associated cert will be the issuer of the new one )
> [keystore=pkcs11|file|nss] ( PKCS11 is default )
> [token=token[:manuf[:serial]]] ( PKCS11 token name, default is to use metaslot )
> [format=pem|der] ( format of output cert, PEM is default)
> [subject=subjectDN] ( override the subject in the original request )
> [store=y|n] ( store the new cert, default = n )
> [label=cert label] ( label to use when storing in PKCS11 or NSS )
> [altname=subjectAltName] ( add a SAN )
> [keyusage=[critical:]usage,..] ( add key usage bits )
> [eku=EKU Name, EKU Name, ...] ( add EKU values )
>
>
Should the eku be in the same form as in the gencert and gencsr commands:
ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]
Otherwise, the signcsr looks good to me.
Hai-May
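As an added illustration of the attribute syntax discussed in this thread (it is not pktool or KMF code), the following parser accepts the proposed `ekuname=`, `keyusage=` and `altname=KRB=` forms, maps EKU names to OIDs, and applies the rule that KPClientAuth and KPKdc require the digitalSignature KU bit. The three new EKU OIDs and the id-pkinit-san OID are the ones given in the message; the standard id-kp OIDs are assumed from RFC 5280; folding the REALM to upper case is the behaviour the message asks about and is assumed here; all function names are hypothetical.

```python
import re

# Standard id-kp EKU names (OIDs under 1.3.6.1.5.5.7.3, assumed from RFC 5280)
# plus the three new EKUs proposed in the thread (OIDs as given in the message).
EKU_OIDS = {
    "serverAuth":      "1.3.6.1.5.5.7.3.1",
    "clientAuth":      "1.3.6.1.5.5.7.3.2",
    "codeSigning":     "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "ipsecEndSystem":  "1.3.6.1.5.5.7.3.5",
    "ipsecTunnel":     "1.3.6.1.5.5.7.3.6",
    "ipsecUser":       "1.3.6.1.5.5.7.3.7",
    "timeStamping":    "1.3.6.1.5.5.7.3.8",
    "OCSPSigning":     "1.3.6.1.5.5.7.3.9",
    "KPClientAuth":    "1.3.6.1.5.2.3.4",
    "KPKdc":           "1.3.6.1.5.2.3.5",
    "SCLogon":         "1.3.6.1.4.1.311.20.2.2",  # the name Hai-May asks to add to the list
}
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # id-pkinit-san, from the message
# EKUs for which the proposal says the digitalSignature KU bit MUST be set.
NEEDS_DIGITAL_SIGNATURE = {"KPClientAuth", "KPKdc"}

_PRINCIPAL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def _strip_key(value, key):
    """Accept either 'key=value' as typed on the command line or the bare value."""
    prefix = key + "="
    return value[len(prefix):] if value.startswith(prefix) else value


def _split_critical(item):
    """Peel an optional 'critical:' prefix off an attribute value."""
    item = item.strip()
    if item.startswith("critical:"):
        return item[len("critical:"):].strip(), True
    return item, False


def parse_eku(value):
    """'ekuname=[[critical:]Name,...]' -> list of (name, oid, critical)."""
    body = _strip_key(value, "ekuname")
    result = []
    for item in body.split(","):
        name, critical = _split_critical(item)
        if name not in EKU_OIDS:
            raise ValueError("unknown EKU name: %r" % name)
        result.append((name, EKU_OIDS[name], critical))
    return result


def parse_keyusage(value):
    """'keyusage=[critical:]usage,...' -> (set of KU bit names, critical flag).
    The critical marker applies once, to the whole extension."""
    body, critical = _split_critical(_strip_key(value, "keyusage"))
    names = {item.strip() for item in body.split(",")}
    if "" in names:
        raise ValueError("empty key usage name in %r" % value)
    return names, critical


def parse_krb_altname(value):
    """'altname=[critical:]KRB=principal@REALM' -> dict with the SAN OID,
    the principal, the realm folded to upper case, and the critical flag."""
    body, critical = _split_critical(_strip_key(value, "altname"))
    if not body.startswith("KRB="):
        raise ValueError("not a KRB altname: %r" % value)
    match = _PRINCIPAL_RE.match(body[len("KRB="):])
    if match is None:
        raise ValueError("expected principal@REALM, got %r" % body)
    return {"oid": ID_PKINIT_SAN, "principal": match.group(1),
            "realm": match.group(2).upper(), "critical": critical}


def check_eku_ku(ekus, keyusage_names):
    """Return the EKU names whose digitalSignature requirement is unmet
    (an empty list means the EKU and KU extensions are consistent)."""
    return [name for name, _oid, _critical in ekus
            if name in NEEDS_DIGITAL_SIGNATURE
            and "digitalSignature" not in keyusage_names]


if __name__ == "__main__":
    # Constructed sample arguments in the proposed command-line syntax.
    ekus = parse_eku("ekuname=critical:KPClientAuth,clientAuth")
    ku_bits, _ = parse_keyusage("keyusage=critical:digitalSignature,keyEncipherment")
    san = parse_krb_altname("altname=critical:KRB=wyllys@sun.com")
    print(ekus)
    print(san)
    print("missing KU for:", check_eku_ku(ekus, ku_bits))
```

Because `check_eku_ku` runs on the parsed attributes before anything is signed, a request that names KPKdc without digitalSignature can be rejected at the command line instead of producing a certificate that PKINIT peers will refuse.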