[kmf-discuss] kmf_validate_cert changes
Glenn T. Barry
Glenn.Barry at Sun.COM
Fri Jan 11 18:53:36 PST 2008
for pkinit, I need to do some research and get back to ya....glenn
>
> In order to support SSH's validation functionality, I think we need to
> do the following, please verify.
>
> kmf_validate_cert currently takes a single cert and an optional OCSP
> response along with that cert. If the OCSP response is not given, the
> function will attempt to go over the network and get one - either by
> using the OCSP responder URI extension in the cert or by using a fixed
> OCSP responder if specified in the KMF policy.
>
> In order to validate an entire chain, we need to change the arguments
> to kmf_validate_cert.
>
> I propose new arguments:
>
> KMF_CERT_RESP_LIST_ATTR
> KMF_CERT_RESP_LIST_LEN_ATTR
>
> typedef struct {
> 	KMF_DATA *cert;	/* the certificate, must be non-NULL */
> 	KMF_DATA *resp;	/* OCSP response for it, or NULL to have KMF fetch one */
> } KMF_CERT_RESP_PAIR;
>
> The cert data must be non-null. If the ocsp_resp data is NULL, then
> kmf_validate_cert will go fetch an OCSP response as usual (see above).
>
> The list of pairs MUST be in order, meaning, the cert at index 0 is the
> subject cert, the cert at index 1 is the issuer of the one at index 0,
> etc etc. The last cert in the list is the trust anchor.
>
> kmf_validate_cert will compare subjects, issuers, and signatures along
> the chain.
>
> Example of use:
>
> ===
> KMF_CERT_RESP_PAIR certchain[3];
> ...
> certchain[0].cert = &cert_data1;
> certchain[0].resp = &resp1;
> certchain[1].cert = &cert_data2;
> certchain[1].resp = NULL; /* KMF will fetch OCSP for this one */
> certchain[2].cert = &ta_cert;
> certchain[2].resp = NULL; /* KMF will fetch OCSP for this one */
> len = 3;
>
> kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_RESP_LIST_ATTR,
>     certchain, sizeof (certchain));
> kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_RESP_LIST_LEN_ATTR,
>     &len, sizeof (len));
> ...
>
> rv = kmf_validate_cert(handle, numattr, attrlist);
> ===
>
>
> Will this work for SSH and PKINIT needs?
>
> -Wyllys
>
>
> _______________________________________________
> kmf-discuss mailing list
> kmf-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kmf-discuss
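Added example, not from this thread or from libkmf: a stand-alone check of the ordering contract the proposal describes for the pair list (index 0 is the subject cert, each issuer is the next entry's subject, the last entry is a self-issued trust anchor, no cert pointer may be NULL). The cert_t, ocsp_resp_t, cert_resp_pair_t types, the CHAIN_* codes and the sample names are constructed stand-ins for the real KMF_DATA and KMF_RETURN values; signature verification is left to the library.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins: the real API passes DER certs in KMF_DATA; here each
 * cert carries already-parsed names so the ordering contract can be checked
 * offline. Type names and return codes are hypothetical, not libkmf's. */
typedef struct { const char *subject; const char *issuer; } cert_t;
typedef struct { const char *blob; } ocsp_resp_t;
typedef struct {
	cert_t *cert;        /* must be non-NULL */
	ocsp_resp_t *resp;   /* NULL means KMF would fetch an OCSP response */
} cert_resp_pair_t;

enum { CHAIN_OK = 0, CHAIN_EMPTY, CHAIN_NULL_CERT, CHAIN_BROKEN_LINK, CHAIN_NO_ANCHOR };

/* Check the contract from the proposal: index 0 is the subject cert, each
 * cert's issuer is the subject of the next entry, and the last entry is a
 * self-issued trust anchor. Signature verification is the library's job. */
int check_chain_order(const cert_resp_pair_t *chain, size_t len)
{
	size_t i;
	if (chain == NULL || len == 0)
		return CHAIN_EMPTY;
	for (i = 0; i < len; i++)
		if (chain[i].cert == NULL)
			return CHAIN_NULL_CERT;
	for (i = 0; i + 1 < len; i++)
		if (strcmp(chain[i].cert->issuer, chain[i + 1].cert->subject) != 0)
			return CHAIN_BROKEN_LINK;
	if (strcmp(chain[len - 1].cert->subject, chain[len - 1].cert->issuer) != 0)
		return CHAIN_NO_ANCHOR;
	return CHAIN_OK;
}
/* Constructed three-cert chain mirroring the message's certchain[3]. */
static cert_t leaf  = { "CN=host.example", "CN=Example Intermediate CA" };
static cert_t inter = { "CN=Example Intermediate CA", "CN=Example Root CA" };
static cert_t root  = { "CN=Example Root CA", "CN=Example Root CA" };
static ocsp_resp_t resp1 = { "<constructed OCSP response bytes>" };
int example_in_order(void)
{
	cert_resp_pair_t certchain[3] = { {&leaf, &resp1}, {&inter, NULL}, {&root, NULL} };
	return check_chain_order(certchain, 3);   /* CHAIN_OK */
}
int example_reversed(void)
{
	cert_resp_pair_t certchain[3] = { {&root, NULL}, {&inter, NULL}, {&leaf, &resp1} };
	return check_chain_order(certchain, 3);   /* CHAIN_BROKEN_LINK: anchor first */
}
```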