Manjula Peiris wrote:
On Thu, 2008-01-31 at 12:43 +0530, Milinda Pathirage wrote:
Hi all,
After doing some research with the openssl pkcs12 implementation, I designed the
following API for PKCS12 Keystore to include in Rampart/C.
Currently Rampart configuration supports specifying certificates using their
.pem file name. This approach is limiting our capabilities of server side
security because we can only handle one user certificate (correct me if I am
wrong). PKCS12 Keystore implementation will allow us to store several
certificates inside one single file and retrieve and validate them according
to our requirements.
Here is the API for PKCS12 Keystore (This API is designed after examining the
Crypto interface of WSS4J):
pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
This method is used to create a key store from the given file.
openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
Get the private key of the owner of the key store. Currently assuming that we
store our private key and public key pair with our CA certificates and
others' public keys. This method will handle situations with several private
keys in the key store because we specify the alias.
How are you going to provide the alias? Is it through the policy file
or using another way? If it is through the policy file then you need to
add another element to Rampart_Config. But the problem is how to select
the correct private key from the key store, because it needs to be done
when the SOAP message arrives, using the information of the receiver's
public key.
In the SOAP header we have information such as the issuer and the serial
number, Thumbprint or the SKI. With that information we can get the
alias for the certificate. Given the alias we can get the private key. I
do not think we can get the private key directly by giving the SKI,
Thumbprint or Issuer+Serial. (Milinda, please google a bit on that.) If the
complete certificate is available in the header, we can extract the
information and follow the same steps.
-Kau
-Manjula
pkcs12_keystore_get_certificates(char *alias)
Get the certificates for given alias. Need to figure out the return type
(Whether to return STACK_OF(X509) or x509 array).
char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer)
Get alias of the certificate that matches given issuer's name.
char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial)
Get alias of the certificate that matches given issuer's name and serial.
char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski)
Get alias of the certificate that matches given Subject Key Identifier.
X509 * pkcs12_keystore_get_default_cert()
Get the default certificate of the key store.
char * pkcs12_keystore_get_alias_for_default_cert()
Get the alias of the default certificate.
char * pkcs12_keystore_get_alias_for_cert_thumb(char *thumb)
Get alias of the matching certificate with given thumbprint.
pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn)
Get alias of the matching certificate with given DN.
Have to figure out how we can validate a given certificate. Function name
should change.
pkcs12_keystore_validate_cert_path(X509 certs)
This is only a draft API. I think there may be some missing parts. Please
feel free to comment on this.
Thanks
Milinda
--
http://blog.kaushalye.org/
http://wso2.org/
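The alias-first resolution the thread settles on (header reference such as Issuer+Serial, Thumbprint or SKI, then alias, then private key) as an added example that is not part of this thread or of Rampart/C: it uses Java's standard KeyStore API, which is what the WSS4J Crypto interface mentioned above is built on, rather than OpenSSL. The class and method names are mine and only mirror the draft pkcs12_keystore_* names; the SKI decoding assumes short-form DER lengths, which holds for the usual 20-byte key identifiers.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

/** Alias-first lookups over a PKCS#12 store, mirroring the draft pkcs12_keystore_* functions. */
public final class Pkcs12Keystore {
    private final KeyStore ks;
    /** pkcs12_keystore_create: open the .p12 file with its password. */
    public Pkcs12Keystore(String filename, char[] password) throws Exception {
        ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(filename)) { ks.load(in, password); }
    }
    /** pkcs12_keystore_get_private_key: keys are addressed by alias only, so resolve the alias first. */
    public PrivateKey getPrivateKey(String alias, char[] keyPassword) throws Exception {
        return (PrivateKey) ks.getKey(alias, keyPassword);
    }
    /** pkcs12_keystore_get_alias_for_cert_serial: issuer DN plus serial, as in wsse X509IssuerSerial. */
    public String getAliasForIssuerSerial(String issuerDn, BigInteger serial) throws Exception {
        X500Principal issuer = new X500Principal(issuerDn);
        return firstAlias(c -> c.getIssuerX500Principal().equals(issuer) && c.getSerialNumber().equals(serial));
    }
    /** pkcs12_keystore_get_alias_for_cert_thumb: SHA-1 over the DER certificate (ThumbprintSHA1). */
    public String getAliasForThumbprint(byte[] sha1) throws Exception {
        return firstAlias(c -> Arrays.equals(MessageDigest.getInstance("SHA-1").digest(c.getEncoded()), sha1));
    }
    /** pkcs12_keystore_get_alias_for_cert_sub_key_id: compare with the SubjectKeyIdentifier extension. */
    public String getAliasForSki(byte[] ski) throws Exception {
        return firstAlias(c -> {
            byte[] raw = c.getExtensionValue("2.5.29.14"); // OCTET STRING { OCTET STRING { keyId } }, short-form lengths assumed
            return raw != null && raw.length > 4 && raw[0] == 0x04 && raw[2] == 0x04
                && Arrays.equals(Arrays.copyOfRange(raw, 4, raw.length), ski);
        });
    }
    private interface CertMatch { boolean test(X509Certificate c) throws Exception; }
    /** Walk every entry; the alias is the bag's friendlyName. Returns null when nothing matches. */
    private String firstAlias(CertMatch m) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && m.test((X509Certificate) c)) return alias;
        }
        return null;
    }
}
```

A caller handling an incoming message resolves the reference to an alias with one of the getAliasFor* methods and only then calls getPrivateKey(alias, password); a null alias means the referenced certificate is not in the store and the message should be rejected rather than matched loosely.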