Template Version: @(#)sac_nextcase 1.70 03/30/10 SMI
This information is Copyright (c) 2010, Oracle and/or its affiliates. All
rights reserved.
1. Introduction
1.1. Project/Component Working Name:
KMF Common Name Mapper
1.2. Name of Document Author/Supplier:
Author: Jan Pechanec
1.3. Date of This Document:
18 May, 2010
4. Technical Description
KMF Common Name (CN) Mapper
===========================
This case introduces the first KMF certificate to name mapper. The KMF
certificate to name mapping framework is defined in the "Certificate to name
mapping extension to the Key Management Framework" ARC case.
Interface
---------
The CN mapper is a very simple one: it maps a certificate to the value of its
Common Name attribute. All other certificate attributes are ignored. The mapper
presumes that Common Name values are unique within the given domain.
The Common Name attribute has OID 2.5.4.3 (joint-iso-ccitt(2) ds(5) id-at(4)
id-at-commonName(3)) as defined in "RFC 2459: Internet X.509 Public Key
Infrastructure Certificate and CRL Profile".
The mapper accepts only one option, the "casesensitive" option, which defaults
to false. If set, the kmf_match_cert_to_name() function will honor case when
comparing the mapped name with the name provided. The option has no effect on
the kmf_map_cert_to_name() function.
Example
-------
The following certificate will be mapped to the string "janp".
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=authority
        Validity
            Not Before: Mar 26 16:57:00 2010 GMT
            Not After : Mar 26 16:57:00 2011 GMT
        Subject: CN=CZ, CN=janp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:fd:b7:97:f5:34:83:f8:39:c4:0f:b7:a0:9c:
                    ..
                    <ABRIDGED>
                    ..
                    b8:32:99:5d:30:6d:08:5a:05
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        4f:f3:28:0d:c3:7c:62:c7:44:71:a3:82:cf:db:07:22:f8:63:
        ..
        <ABRIDGED>
        ..
        c7:ae:2b:06:92:fa:cc:ce:fc:67:df:0e:eb:58:b1:4d:c6:eb:
        35:24
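As an added example (not KMF's own mapper_cn code), the following C program mimics the mapping and matching behaviour described above on the printed subject of the certificate shown. cn_map() and cn_match() are hypothetical names standing in for kmf_map_cert_to_name() and kmf_match_cert_to_name(), and the rule that the last CN wins when a subject carries several is an assumption chosen to reproduce the "janp" result given above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the mapper: returns the CN value of a printed
 * subject DN such as "CN=CZ, CN=janp" (static buffer), or NULL when there is
 * no CN. Assumption: with several CN RDNs the last one wins, giving "janp". */
const char *cn_map(const char *subject)
{
    static char value[256];
    bool found = false;
    const char *p = subject;
    while (*p != '\0') {
        while (*p == ',' || *p == ' ')           /* skip RDN separators */
            p++;
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 3 && strncmp(p, "CN=", 3) == 0 && len - 3 < sizeof value) {
            memcpy(value, p + 3, len - 3);
            value[len - 3] = '\0';
            found = true;                        /* a later CN overrides */
        }
        p += len;
    }
    return found ? value : NULL;
}

/* Hypothetical stand-in for kmf_match_cert_to_name(): honor case only when
 * casesensitive is set; the option defaults to false (case-insensitive). */
bool cn_match(const char *subject, const char *name, bool casesensitive)
{
    const char *mapped = cn_map(subject);
    if (mapped == NULL)
        return false;
    if (casesensitive)
        return strcmp(mapped, name) == 0;
    for (; *mapped != '\0' && *name != '\0'; mapped++, name++)
        if (tolower((unsigned char)*mapped) != tolower((unsigned char)*name))
            return false;
    return *mapped == '\0' && *name == '\0';
}

int main(void)
{
    const char *subject = "CN=CZ, CN=janp";      /* subject from the document */
    printf("mapped: %s\n", cn_map(subject));                         /* janp */
    printf("JANP, default: %d\n", cn_match(subject, "JANP", false)); /* 1 */
    printf("JANP, casesensitive: %d\n", cn_match(subject, "JANP", true)); /* 0 */
    return 0;
}
```

With the default (casesensitive unset) a name that differs only in case still matches, which is the property the option exists to tighten.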
Relevant CRs
------------
6949176 KMF cert-to-name mapping framework needs a CN mapper
Documentation
-------------
6953338 libkmf(3lib) will need an update after the delivery of the CN mapper
The suggested fix is the following:
--- libkmf.3lib Tue May 18 10:20:37 2010
+++ libkmf.3lib.new Tue May 18 21:51:56 2010
@@ -97,6 +97,45 @@
kmf_verify_csr kmf_verify_data
kmf_verify_policy
+NOTES
+ Certificate to name mapping
+
+ KMF provides a means to map a certificate to a name
+ according to the configuration from the policy database
+ or through the mapping initialization function. The
+ functions that provide the mapping functionality are
+ kmf_cert_to_name_mapping_initialize,
+ kmf_cert_to_name_mapping_finalize, kmf_map_cert_to_name,
+ kmf_match_cert_to_name, and kmf_get_mapper_error_str. KMF
+ provides different types of mapping through shared
+ objects called mappers. Supported mappers are:
+
+ cn The CN mapper maps a certificate to its value
+ from the Common Name attribute. All other
+ certificate attributes are ignored. The mapper
+ should be used in domains where the Common
+ Name values are unique within the particular
+ domain.
+
+ The mapper accepts only one option, the
+ "casesensitive" option which defaults to
+ false. If set, the kmf_match_cert_to_name()
+ function will honor the case sensitivity when
+ comparing the mapped name with the name
+ provided. The option has no effect on the
+ kmf_map_cert_to_name() function.
+
+EXAMPLES
+
+ Example 1 Configuring the certificate to name mapping.
+
+ The following configures the default certificate to name
+ mapping to use the CN mapper while ignoring the case
+ sensitivity when matching the certificates.
+
+ $ kmfcfg modify policy=default mapper-name=cn \
+ mapper-options=casesensitive
+
FILES
/lib/libkmf.so.1 shared object
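Review bot: Example 1's prose and its command disagree: the text says the default policy is configured "while ignoring the case sensitivity when matching the certificates", but `mapper-options=casesensitive` turns case-sensitive matching on according to the NOTES paragraph earlier in this hunk (the option defaults to false). Either drop `mapper-options=casesensitive` from the kmfcfg command so the example shows the default, case-insensitive behaviour, or reword the sentence to say that case is honored when matching.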
Interface stability
-------------------
Volatile.
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open
opensolaris-arc mailing list