Hi Milinda,
Good job. :). See my comments in line.
Cheers,
Kaushalye
Milinda Pathirage wrote:
Hi all,
After doing some research with the openssl pkcs12 implementation, I designed the
following API for PKCS12 Keystore to include in Rampart/C.
Currently Rampart configuration supports specifying certificates using their
.pem file name. This approach is limiting our capabilities of server side
security because we can only handle one user certificate (correct me if I am
wrong). PKCS12 Keystore implementation will allow us to store several
certificates inside one single file and retrieve and validate them according
to our requirements.
Here is the API for PKCS12 Keystore (This API is designed after examining the
Crypto interface of WSS4J):
pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
This method is used to create a key store from the given file.
openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
Get the private key of the owner of key store. Currently assuming that we
store our private key and public key pair with our CA certificates and
others public keys. This method will handle situation with several private
keys in the key store because we specify the alias.
pkcs12_keystore_get_certificates(char *alias)
Get the certificates for given alias. Need to figure out the return type
(Whether to return STACK_OF(X509) or x509 array).
Here we can use an array of X509* from the openssl struct. But I prefer
to use an array of oxs_x509_cert_t from OMXLSec as the return type.
char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer)
Get alias of the certificate that matches given issuer's name.
char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial)
Get alias of the certificate that matches given issuer's name and serial.
char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski)
Get alias of the certificate that matches given Subject Key Identifier.
x509 * pkcs12_keystore_get_default_cert()
Get the default certificate of the key store.
This is a good addition to the API, when we have only one certificate.
But how exactly are we supposed to define a certificate as "default" when
there are multiple entries?
char * pkcs12_keystore_get_alias_for_default_cert()
Get the alias of the default certificate.
char* pkcs12_keystore_get_alias_for_cert_thumb(char *thumb)
Get alias of the matching certificate with given thumbprint.
pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn)
Get alias of the matching certificate with given DN.
Have to figure out how we can validate a given certificate. Function name
should change.
pkcs12_keystore_validate_cert_path(X509 certs)
This is only a draft API. I think there may be some missing parts. Please
feel free to comment on this.
You can use openssl_pkcs12_parse() which is already implemented to load
a pkcs12 file. I think for the searching functions such as
pkcs12_keystore_get_alias_for_cert_thumb() we have to implement our
comparison logic within a loop. I doubt that pkcs12 has implemented such
functions that we can wrap with ours.
Also the parse function returns a stack of CA certificates. This is
required for the WS-Trust implementation.
I think the above set is enough for a start. We can implement more
functions when there is a requirement. But always keep the consistency
in mind. For example we can use the following pattern.
alias = get_alias_given_X(x);
cert/key = get_cert/key_given_alias(alias, [passwd]);
Thanks
Milinda
--
http://blog.kaushalye.org/
http://wso2.org/