On 24.6.2014 08:43, Jan Cholasta wrote:
On 20.6.2014 20:23, Simo Sorce wrote:
On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:
ipk11Private;privatekey: TRUE
ipk11Private;publickey: FALSE


can these two ever hold a different value ?
ie a privatekey be FALSE and a publickey be TRUE ?

If not I suggest you do not add this attribute at all and assume their
value ?

+1, we can use default values for most, if not all of the boolean flag
attributes. Personally, I would try to avoid using ipk11 attributes until the
PKCS#11 module is designed/implemented.

I hope that this will not create headache in future...

Anyway, I have taken default values used by OpenDNSSEC v1 and modified them a little bit to accommodate our requirements.

I'm using [1] as reference.

Public keys
===========
CKA_CLASS       CKO_PUBLIC_KEY
CKA_COPYABLE    TRUE
CKA_DERIVE      FALSE
CKA_ENCRYPT     FALSE
CKA_LOCAL       TRUE
CKA_MODIFIABLE  TRUE
CKA_PRIVATE     TRUE
CKA_TRUSTED     FALSE
CKA_VERIFY      TRUE
CKA_VERIFY_RECOVER      TRUE
CKA_WRAP        FALSE


Private keys
============
CKA_CLASS       CKO_PRIVATE_KEY
CKA_ALWAYS_AUTHENTICATE FALSE
CKA_ALWAYS_SENSITIVE    TRUE
CKA_COPYABLE    TRUE
CKA_DECRYPT     FALSE
CKA_DERIVE      FALSE
CKA_EXTRACTABLE TRUE # changed by pspacek
CKA_LOCAL       TRUE
CKA_MODIFIABLE  TRUE
CKA_NEVER_EXTRACTABLE   TRUE
CKA_PRIVATE     TRUE
CKA_SENSITIVE   TRUE
CKA_SIGN        TRUE
CKA_SIGN_RECOVER        TRUE
CKA_UNWRAP      FALSE
CKA_WRAP_WITH_TRUSTED   FALSE

We can use this set for all DNSSEC key pair objects. Replica keys will require small change, i.e. to change SIGN/VERIFY attributes to FALSE and WRAP/UNWRAP attributes to TRUE.

OpenDNSSEC itself doesn't create any secret keys so we have to invent own defaults. I propose to use following values:

Secret keys
===========
CKA_CLASS       CKO_SECRET_KEY
CKA_COPYABLE    TRUE
CKA_DECRYPT     FALSE
CKA_DERIVE      FALSE
CKA_ENCRYPT     FALSE
CKA_EXTRACTABLE TRUE
CKA_MODIFIABLE  TRUE
CKA_PRIVATE     TRUE
CKA_SENSITIVE   FALSE
CKA_SIGN        FALSE
CKA_UNWRAP      TRUE
CKA_VERIFY      FALSE
CKA_WRAP        TRUE
CKA_WRAP_WITH_TRUSTED   FALSE


(btw I forgot what's the point of that attribute)

When it is true, a user may not access the object until the user has been
authenticated to the token (what PKCS#11 spec says).

In practice it means that SoftHSM encrypts values of "PRIVATE" objects before storing them to file system.

[1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to