[kmf-discuss] Proposed pktool changes
Glenn T. Barry
Glenn.Barry at Sun.COM
Fri Jan 11 18:47:51 PST 2008
> Below are the proposed changes to pktool needed to support Kerberos PKINIT
> and some of the SSH certificate changes.
>
> One feature missing from pktool is the ability to add EKU values when
> creating a cert or CSR. I will propose adding a new attr/value pair
> command line arg to support this.
>
> Ex:
> ekuname=[[critical:]EKU Name,[critical:]EKU Name,...]
> where EKU Name = serverAuth | clientAuth | codeSigning | emailProtection |
> ipsecEndSystem | ipsecTunnel | ipsecUser | timeStamping |
> OCSPSigning | KPClientAuth | KPKdc
> The KMF library, pktool, and kmfcfg need to support 3 new EKU types
> and 1 new subjectAltName format.
>
> New EKU OIDs (from RFC 4556):
> * KPClientAuth { 1 3 6 1 5 2 3 4 }
> * SCLogon { 1.3.6.1.4.1.311.20.2.2 }
fwiw, the MIT kerb 1.6.3-beta1 doc has the kdc.conf opt listed as scLogin (but yea, the EKU is id-ms-kp-sc-logon so seems a bit inconsistent, eh?)
> * KPKdc { 1 3 6 1 5 2 3 5 }
>
> Notes: When KPClientAuth or KPKdc are used, the digitalSignature KU bit
> MUST also be set.
>
> A new subjectAltName form will be accepted by pktool for creating PKINIT
> user certificates:
> id-pkinit-san = { 1 3 6 1 5 2 2 }
> Form of the name is principal@REALM. Example: wyllys@SUN.COM
> For use in pktool, the usage would look like:
> $ pktool gencsr ... altname=[critical:]KRB=wyllys@SUN.COM ...
maybe KRB5 instead of KRB?
>
> - should pktool automatically fold the REALM into uppercase form?
good q, should we just have same behavior as openssl x509 cmd? I assume it does not but I can double check it.
>
> pktool also needs a new command for signing a CSR (as previously discussed).
>
> pktool signcsr
>     signkey=label/filename of signing key (label if keystore=PKCS11 or NSS,
>                                            filename if file)
>     csr=CSR filename
>     serial=serial number hex string
>     outcert=filename for resulting certificate
>     [issuer=issuer-DN]             ( DN to use for the issuer field. Not needed
>                                      if the key has an associated certificate
>                                      in the keystore; the subject of the
>                                      associated cert will be the issuer of
>                                      the new one )
>     [keystore=pkcs11|file|nss]     ( PKCS11 is default )
>     [token=token[:manuf[:serial]]] ( PKCS11 token name, default is to use
>                                      metaslot )
>     [format=pem|der]               ( format of output cert, PEM is default )
>     [subject=subjectDN]            ( override the subject in the original
>                                      request )
>     [store=y|n]                    ( store the new cert, default = n )
>     [label=cert label]             ( label to use when storing in PKCS11 or NSS )
>     [altname=subjectAltName]       ( add a SAN )
>     [keyusage=[critical:]usage,..] ( add key usage bits )
>     [eku=EKU Name, EKU Name, ...]  ( add EKU values )
> Thoughts?
>
> -Wyllys
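As an added example, not pktool's or KMF's own code, here is a small validator for the attr/value syntax proposed in the message above: it maps the EKU names to their OIDs, enforces the quoted rule that KPClientAuth/KPKdc require the digitalSignature KU bit, and checks the `KRB=principal@REALM` subjectAltName form (reporting a non-uppercase realm as a warning, since the thread leaves folding open). The function names and the dict-of-args input are assumptions.

```python
import re

# Names proposed in the thread mapped to dotted OIDs. id-kp-* values come
# from RFC 5280, id-pkinit-KPClientAuth/KPKdc from RFC 4556, and SCLogon
# is id-ms-kp-sc-logon as quoted in the message.
EKU_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3", "emailProtection": "1.3.6.1.5.5.7.3.4",
    "ipsecEndSystem": "1.3.6.1.5.5.7.3.5", "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
    "ipsecUser": "1.3.6.1.5.5.7.3.7", "timeStamping": "1.3.6.1.5.5.7.3.8",
    "OCSPSigning": "1.3.6.1.5.5.7.3.9", "KPClientAuth": "1.3.6.1.5.2.3.4",
    "KPKdc": "1.3.6.1.5.2.3.5", "SCLogon": "1.3.6.1.4.1.311.20.2.2",
}
# Proposed PKINIT SAN form: [critical:]KRB=principal@REALM
KRB_SAN_RE = re.compile(r"^(critical:)?KRB=([^@]+)@([^@]+)$")

def parse_list(value):
    """Split '[critical:]name,[critical:]name' into [(name, critical)]."""
    items = []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        crit = item.startswith("critical:")
        items.append((item[len("critical:"):] if crit else item, crit))
    return items

def check_pkinit_args(args):
    """Validate pktool-style attr=value args given as a dict; returns
    (eku_oids, errors, warnings). Hypothetical helper, not pktool's."""
    errors, warnings, oids = [], [], []
    names = [n for n, _ in parse_list(args.get("ekuname", ""))]
    for name in names:
        if name in EKU_OIDS:
            oids.append(EKU_OIDS[name])
        else:
            errors.append("unknown EKU name: %s" % name)
    ku_bits = {n for n, _ in parse_list(args.get("keyusage", ""))}
    # RFC 4556 rule restated in the thread: PKINIT EKUs need digitalSignature.
    if {"KPClientAuth", "KPKdc"} & set(names) and "digitalSignature" not in ku_bits:
        errors.append("KPClientAuth/KPKdc require keyusage=digitalSignature")
    san = args.get("altname")
    if san is not None:
        m = KRB_SAN_RE.match(san)
        if not m:
            errors.append("altname is not of the form [critical:]KRB=principal@REALM")
        elif m.group(3) != m.group(3).upper():
            # The thread leaves realm folding open, so only warn here.
            warnings.append("realm %r is not uppercase" % m.group(3))
    return oids, errors, warnings
```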