[kmf-discuss] kmf_validate_cert changes
Glenn T. Barry
Glenn.Barry at Sun.COM
Wed Jan 16 18:27:28 PST 2008
>
> In order to support SSH's validation functionality, I think we need to do the following; please verify.
>
> kmf_validate_cert currently takes a single cert and an optional OCSP response along with that cert. If the OCSP response is not given, the function will attempt to go over the network and get one - either by using the OCSP responder URI extension in the cert or by using a fixed OCSP responder if specified in the KMF policy.
>
> In order to validate an entire chain, we need to change the arguments to kmf_validate_cert.
For PKINIT, it looks like it does not support OCSP, at least not yet. The PKINIT RFC does not seem to mention OCSP, but there is another RFC (4557) that proposes OCSP support for PKINIT. Nico is a co-author of RFC 4557; I'll see what he thinks.
The PKINIT code does have some stub support for OCSP, but that's about it (see pkinit_identity.c), so it does look like it will support it in the future.
>
> I propose a new argument:
>
> KMF_CERT_RESP_LIST_ATTR
> KMF_CERT_RESP_LIST_LEN_ATTR
>
> typedef struct {
>     KMF_DATA *cert;
>     KMF_DATA *resp;
> } KMF_CERT_RESP_PAIR;
>
> The cert data must be non-null. If the ocsp_resp data is NULL, then kmf_validate_cert will go fetch an OCSP response as usual (see above).
>
> The list of pairs MUST be in order, meaning, the cert at index 0 is the subject cert, the cert at index 1 is the issuer of the one at index 0, etc. The last cert in the list is the trust anchor.
>
> kmf_validate_cert will compare subjects, issuers, and signatures along the chain.
>
> Example of use:
>
> ===
> KMF_CERT_RESP_PAIR certchain[3];
> ...
> certchain[0].cert = &cert_data1;
> certchain[0].resp = &resp1;
> certchain[1].cert = &cert_data2;
> certchain[1].resp = NULL; /* KMF will fetch OCSP for this one */
> certchain[2].cert = &ta_cert;
> certchain[2].resp = NULL; /* KMF will fetch OCSP for this one */
> len = 3;
>
> kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_RESP_LIST_ATTR,
>     certchain, sizeof (certchain));
> kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_RESP_LIST_LEN_ATTR,
>     &len, sizeof (len));
> ...
>
> rv = kmf_validate_cert(handle, numattr, attrlist);
> ===
>
>
> Will this work for SSH and PKINIT needs?
>
> -Wyllys
>
>
> _______________________________________________
> kmf-discuss mailing list
> kmf-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kmf-discuss
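An added illustration of the chain-ordering rule in the proposal quoted above; this is not code from the thread or from KMF. It models the KMF_CERT_RESP_PAIR list with a toy certificate type and walks the list the way the proposal describes: entry 0 is the subject cert, each entry is issued by the next one, the last entry is the trust anchor, and a NULL resp marks an entry KMF would go fetch an OCSP response for. The toy_cert_t fields, toy_sig_ok (which does no real cryptography, only a key-id comparison), validate_chain_order, check_chain and the sample DNs and key ids are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added illustration, not KMF source: a toy model of the proposed
 * KMF_CERT_RESP_PAIR list and of the ordering rule kmf_validate_cert
 * would enforce on it. Certificates are reduced to the fields the
 * ordering check needs; all field names here are invented.
 */
typedef struct {
	const char *subject;	/* subject DN */
	const char *issuer;	/* issuer DN */
	const char *key_id;	/* id of this cert's public key (hypothetical) */
	const char *sig_key_id;	/* id of the key that signed it (hypothetical) */
} toy_cert_t;

typedef struct {
	const toy_cert_t *cert;	/* must be non-NULL */
	const void *resp;	/* OCSP response; NULL means KMF fetches one */
} toy_cert_resp_pair_t;

typedef enum {
	CHAIN_OK = 0,
	CHAIN_EMPTY,		/* len == 0 */
	CHAIN_NULL_CERT,	/* chain[bad].cert == NULL */
	CHAIN_ISSUER_MISMATCH,	/* chain[bad+1] is not the issuer of chain[bad] */
	CHAIN_BAD_SIGNATURE,	/* chain[bad] not signed with chain[bad+1]'s key */
	CHAIN_NOT_ANCHOR	/* last entry is not self-issued and self-signed */
} chain_status_t;

/* Toy stand-in for a real signature check (no cryptography here): the
 * signature is "good" when the cert was signed with the issuer's key. */
static int toy_sig_ok(const toy_cert_t *c, const toy_cert_t *issuer)
{
	return (strcmp(c->sig_key_id, issuer->key_id) == 0);
}

/*
 * Walk the list in the order the proposal requires: chain[0] is the
 * subject cert, chain[i+1] issued chain[i], chain[len-1] is the trust
 * anchor. On failure *bad is the index of the offending entry; *to_fetch
 * counts the entries whose resp is NULL (the ones KMF would go fetch).
 */
chain_status_t
validate_chain_order(const toy_cert_resp_pair_t *chain, size_t len,
    size_t *bad, size_t *to_fetch)
{
	size_t i;

	*bad = 0;
	*to_fetch = 0;
	if (len == 0)
		return (CHAIN_EMPTY);

	for (i = 0; i < len; i++) {
		*bad = i;
		if (chain[i].cert == NULL)
			return (CHAIN_NULL_CERT);
		if (chain[i].resp == NULL)
			(*to_fetch)++;
		if (i + 1 == len)
			break;
		if (chain[i + 1].cert == NULL) {
			*bad = i + 1;
			return (CHAIN_NULL_CERT);
		}
		if (strcmp(chain[i].cert->issuer, chain[i + 1].cert->subject) != 0)
			return (CHAIN_ISSUER_MISMATCH);
		if (!toy_sig_ok(chain[i].cert, chain[i + 1].cert))
			return (CHAIN_BAD_SIGNATURE);
	}
	/* The trust anchor closes the chain: self-issued and self-signed. */
	if (strcmp(chain[len - 1].cert->subject, chain[len - 1].cert->issuer) != 0 ||
	    !toy_sig_ok(chain[len - 1].cert, chain[len - 1].cert))
		return (CHAIN_NOT_ANCHOR);
	return (CHAIN_OK);
}

/* Wrapper that keeps the out-parameters in file scope for inspection. */
size_t last_bad, last_fetch;
chain_status_t
check_chain(const toy_cert_resp_pair_t *chain, size_t len)
{
	return (validate_chain_order(chain, len, &last_bad, &last_fetch));
}

/* Constructed sample data mirroring the three-entry chain in the post. */
static const toy_cert_t ee  = { "CN=host.example", "CN=Intermediate CA", "k-ee", "k-int" };
static const toy_cert_t ica = { "CN=Intermediate CA", "CN=Root CA", "k-int", "k-root" };
static const toy_cert_t ta  = { "CN=Root CA", "CN=Root CA", "k-root", "k-root" };
static const char resp1[] = "<constructed OCSP response for host.example>";

/* Correct order: subject, its issuer, trust anchor; resp given only for the subject. */
const toy_cert_resp_pair_t good_chain[3] = { { &ee, resp1 }, { &ica, NULL }, { &ta, NULL } };
/* Trust anchor first: violates the "index 0 is the subject cert" rule. */
const toy_cert_resp_pair_t reversed_chain[3] = { { &ta, NULL }, { &ica, NULL }, { &ee, resp1 } };
/* Chain cut short: the last entry is an intermediate, not a trust anchor. */
const toy_cert_resp_pair_t short_chain[2] = { { &ee, resp1 }, { &ica, NULL } };
```

Running check_chain over the three sample chains gives CHAIN_OK with last_fetch == 2 for the correctly ordered one (matching the two NULL resp entries in the quoted snippet), CHAIN_ISSUER_MISMATCH at index 0 for the reversed one, and CHAIN_NOT_ANCHOR at index 1 for the truncated one. A real kmf_validate_cert verifies the signatures cryptographically rather than by key id; the ordering and linkage checks are the part this toy reproduces. One caveat on the quoted snippet: it leaves resp NULL for the trust anchor too, so KMF would attempt an OCSP lookup for a self-signed root, and the only party that could answer for such a cert is the root itself, so callers should not expect a meaningful revocation answer for that entry.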