[Freeipa-devel] DNSSEC design page
Simo Sorce
simo at redhat.com
Tue Feb 25 13:44:15 UTC 2014
On Tue, 2014-02-25 at 11:28 +0100, Ludwig Krispenz wrote:
> On 02/24/2014 08:20 PM, Simo Sorce wrote:
> > On Mon, 2014-02-24 at 13:11 +0100, Ludwig Krispenz wrote:
> >> Hi,
> >>
> >> here is a draft to start discussion. Lt me know if it is the right
> >> direction and what you're missing.
> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema
> > I think we need to think hard if you really can make all those
> > attributes a MUST for the private key, as not all the attributes seem to
> > apply to all encryption algorithms. Would have to have to add bogus
> > attributes in some cases.
> most of them are MAY, right now I have only" ipaPkcs11keyType
> ipaPkcs11label ipaPkcs11id" as MUST, but this can be argued. I looke
> what softhsm is doing when importing a keypair:
> |softhsm --import key1.pem --slot 1 --label "My key" --id A1B2 --pin 123456
> so I thought ID and LABEL woul be something provided from the
> application and should be there to describe the key. When storing the
> key (which is in pkcs#8 format) softhsm breaks up the data from the file
> and creates two pkcs#11 attribute templates:
Any reason why we should follow in detail what softshm does ?
> CK_ATTRIBUTE pubTemplate[] = {
> { CKA_CLASS, &pubClass, sizeof(pubClass) },
> { CKA_KEY_TYPE, &keyType, sizeof(keyType) },
> { CKA_LABEL, label, strlen(label) },
> { CKA_ID, objID, objIDLen },
> { CKA_TOKEN, &ckTrue, sizeof(ckTrue) },
> { CKA_VERIFY, &ckTrue, sizeof(ckTrue) },
> { CKA_ENCRYPT, &ckFalse, sizeof(ckFalse) },
> { CKA_WRAP, &ckFalse, sizeof(ckFalse) },
> { CKA_PUBLIC_EXPONENT, keyMat->bigE, keyMat->sizeE },
> { CKA_MODULUS, keyMat->bigN, keyMat->sizeN }
> };
> CK_ATTRIBUTE privTemplate[] = {
> { CKA_CLASS, &privClass, sizeof(privClass) },
> { CKA_KEY_TYPE, &keyType, sizeof(keyType) },
> { CKA_LABEL, label, strlen(label) },
> { CKA_ID, objID, objIDLen },
> { CKA_SIGN, &ckTrue, sizeof(ckTrue) },
> { CKA_DECRYPT, &ckFalse, sizeof(ckFalse) },
> { CKA_UNWRAP, &ckFalse, sizeof(ckFalse) },
> { CKA_SENSITIVE, &ckTrue, sizeof(ckTrue) },
> { CKA_TOKEN, &ckTrue, sizeof(ckTrue) },
> { CKA_PRIVATE, &ckTrue, sizeof(ckTrue) },
> { CKA_EXTRACTABLE, &ckFalse, sizeof(ckFalse) },
> { CKA_PUBLIC_EXPONENT, keyMat->bigE, keyMat->sizeE },
> { CKA_MODULUS, keyMat->bigN, keyMat->sizeN },
> { CKA_PRIVATE_EXPONENT, keyMat->bigD, keyMat->sizeD },
> { CKA_PRIME_1, keyMat->bigP, keyMat->sizeP },
> { CKA_PRIME_2, keyMat->bigQ, keyMat->sizeQ },
> { CKA_EXPONENT_1, keyMat->bigDMP1, keyMat->sizeDMP1 },
> { CKA_EXPONENT_2, keyMat->bigDMQ1, keyMat->sizeDMQ1 },
> { CKA_COEFFICIENT, keyMat->bigIQMP, keyMat->sizeIQMP }
> };
>
> I thought that CLASS would be translated to an LDAP objectclass, |
>
> |CKA_KEY_TYPE,||CKA_LABEL and CKA_ID would be provided (or default to rsa)|.
>
> For the the private key itself it could be either stored completely as ipaPkcs8privateKey or as individual key attributes: ipaPkcs11publicExponent, ipaPkcs11modulus, ipaPkcs11privateExponent, ipaPkcs11prim1, ipaPkcs11prim2
> I did ignore CKA_SIGN, CKA_DECRYPT, CKA_UNWRAP, CKA_SENSITIVE as only defaults were used, but maybe this is my ignorance.
> And|CKA_EXPONENT_1,||CKA_EXPONENT_2, CKA_COEFICIENT as they seemed redundant to me, calculated from other components.
>
> If we need any of the attributes I omitted or if we need other attributes for other keytypes let me know.
> |
I am unsure that splitting keys this way really is useful to us, in what
case an LDAP client will ever need such details ? Wouldn't it make sense
to keep a pkcs11 blob and only split out attributes we need to identify
the key for our needs ?
> > ipaPkcs8privateKey
> >
> > Also can you add some examples on how we would use these classes to
> > store DNS keys ?
> in what format do you provide the dns key ? The public key could be
> stored using modulus and exponent, do we need the flags, protocol adn
> algorithm attribute ? Does a schema for DNS records already exist ?
Well for example we store SSH keys in DNS, the whole key in one single
attribute. I am not sure what is the point for us to split keys in
parts, the only thing I see is a risk of messing up keys by
inadvertently changing one of the attributes only and a burden to
recompose keys every time they are queried.
> > Ideally the example would show the LDAP tree and some example data in
> > detail, and also what operation we think would be common.
> >
> > Simo.
> >
>
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list