Hello,

Stef Walter has been working on designing a central key store to be implemented on desktop systems. I was thinking this could be useful to unbound (and possibly other implementations) to use that storage for dnssec keys. The original document in [2] is made with certificates (mail/web) in mind, but if you have any comments on how this could be extended to accommodate dnssec keys, it would be nice to forward them to the author or me.

best regards,
Nikos

---------- Forwarded message ----------
From: Stef Walter <[email protected]>
Date: Fri, Dec 21, 2012 at 12:05 PM
Subject: PKCS#11 trust module implementation
To: [email protected]

I've been working on a p11-kit PKCS#11 trust module as a way to share certificate anchors and black lists between crypto libraries. I hope that eventually we'll have a comprehensive way to represent this stored system trust policy information. Yesterday I posted a rough document for how this might be done. It's called 'Sharing Trust Policy between Crypto Libraries' [1] [2].

However, for this initial implementation things are more modest:

 * Provide a PKCS#11 module that loads certificates, trust and blacklist information from a directory.

 * This PKCS#11 module is a drop-in replacement to be used with NSS or glib-networking, both of which can consume anchors and trust policy from PKCS#11. In this way NSS can use system certificate anchors stored in a directory rather than hard coded in, or stored in its per-application databases.

 * As an interim measure the p11-kit tool will provide a way to extract the certificates and trust information from the PKCS#11 module in various formats:
   - OpenSSL dirhash format
   - OpenSSL TRUSTED CERTIFICATE format
   - CA PEM bundle of anchors for serverAuth usage (or other usages)
   - Java KeyStore cacerts format

 * No crypto library or application changes are necessary to make use of this initial implementation on a system.

Over time I want to help build bridges for GnuTLS, OpenSSL, and Java so that they can read trust information directly from a PKCS#11 module, removing the need to extract that information into various formats.

It's assumed that most folks/distros will continue to use the trusted anchors and black list published on the Mozilla CA Certificate list (but use of others is certainly possible). System administrators can easily add certificate trust anchors, and (in the interim, after the extract tool has been run) have them recognized by all the relevant crypto libraries and applications. Obviously, certain applications (especially servers) can continue to use custom CA lists.

So, here's what's working so far:

 * The code is on the 'trust' branch of the p11-kit repository:
   http://cgit.freedesktop.org/p11-glue/p11-kit/log/?h=trust

 * The PKCS#11 trust module is complete and works as an NSS drop-in replacement for lookup of certificate anchors.

And here's how to play with it. The commands may need some tweaking on different distros. Especially the --with-system-anchors path...

$ # install libtasn1-devel
$ git clone git://anongit.freedesktop.org/p11-glue/p11-kit
$ cd p11-kit
$ git checkout trust    # this stuff is not on master branch yet
$ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug --with-system-anchors=/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/anchors
$ make
$ sudo make install
$ sudo mv -v /usr/lib64/libnssckbi.so /opt/libnssckbi.so.orig-nss
$ sudo ln -sv pkcs11/p11-kit-trust.so /usr/lib64/libnssckbi.so

Now place some certificates in the --with-system-anchors location(s). Right now, as input, you can use DER, PEM or OpenSSL style 'trusted certificates'. For example you can tweak some trust policy bits like so:

$ openssl x509 -addtrust serverAuth -addreject clientAuth -in /path/to/my-ca.pem -out /etc/pki/tls/certs/anchors/my-ca.pem

Now you can run apps like firefox and see that the certificates appear in the Certificate manager and are trusted as appropriate. You can use a command like this to see some debug output:

$ P11_KIT_DEBUG=all firefox

All in all, this is just the first step towards a comprehensive way to share stored system trust information between crypto libraries and applications. I hope to build the extract tools next.

Thanks for reading this far. :)

Stef

[1] http://lists.freedesktop.org/archives/p11-glue/2012-December/000196.html
[2] http://p11-glue.freedesktop.org/doc/sharing-trust-policy/

_______________________________________________
p11-glue mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/p11-glue

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
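An added example, written for this page and not part of the thread or of p11-kit itself: the `openssl x509 -addtrust serverAuth -addreject clientAuth` command in Stef's message writes the OpenSSL "TRUSTED CERTIFICATE" format, which is the certificate's DER followed by a small CertAux SEQUENCE carrying trust and reject OID lists and an optional alias. The Python below decodes that trailer with a minimal hand-written DER reader (no third-party library) and answers "is this anchor usable for purpose X?" with the precedence OpenSSL applies: a reject entry wins, a trust entry (or anyExtendedKeyUsage) grants trust, anything else is untrusted. The certificate body in the sample is a constructed placeholder SEQUENCE, not a real X.509 certificate, and the function names are mine; an auditor can point `parse_trusted_cert` at a real file from the anchors directory to check that the stored policy bits match what was intended.

```python
"""Decode OpenSSL 'TRUSTED CERTIFICATE' trust/reject policy. Added example,
not p11-kit or OpenSSL code; sample input is constructed, not a real cert."""
import base64
import re

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage

# --- minimal DER helpers: enough for SEQUENCE, OID, UTF8String, OCTET STRING ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                       # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    """Return (tag, body, position after this element); handles long lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def oids_in(seq_body):
    oids, pos = [], 0
    while pos < len(seq_body):
        tag, body, pos = read_tlv(seq_body, pos)
        if tag == 0x06:
            oids.append(decode_oid(body))
    return oids

# --- the TRUSTED CERTIFICATE trailer (OpenSSL's X509_CERT_AUX) ---
def parse_trusted_cert(pem_text):
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)"
                  r"-----END TRUSTED CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("not a TRUSTED CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()))
    _tag, _cert_body, pos = read_tlv(der, 0)   # skip the Certificate SEQUENCE
    aux = {"trust": [], "reject": [], "alias": None}
    if pos >= len(der):
        return aux                              # no stored policy at all
    tag, aux_body, _ = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("CertAux must be a SEQUENCE")
    p = 0
    while p < len(aux_body):
        tag, body, p = read_tlv(aux_body, p)
        if tag == 0x30:        # trust   SEQUENCE OF OBJECT IDENTIFIER
            aux["trust"] = oids_in(body)
        elif tag == 0xA0:      # reject  [0] IMPLICIT SEQUENCE OF OBJECT IDENTIFIER
            aux["reject"] = oids_in(body)
        elif tag == 0x0C:      # alias   UTF8String
            aux["alias"] = body.decode("utf-8")
        # keyid (0x04) and other [1] (0xA1) are not needed for a trust decision
    return aux

def trust_for(aux, purpose):
    """Reject list wins; trust list (or anyExtendedKeyUsage) grants; else untrusted."""
    if purpose in aux["reject"] or ANY_EKU in aux["reject"]:
        return "rejected"
    if purpose in aux["trust"] or ANY_EKU in aux["trust"]:
        return "trusted"
    return "untrusted"

def build_sample_pem():
    """Constructed input shaped like the output of
    `openssl x509 -addtrust serverAuth -addreject clientAuth` (cert body is fake)."""
    fake_cert = der_tlv(0x30, der_tlv(0x04, b"placeholder, not a real X.509 cert"))
    aux = der_tlv(0x30, der_tlv(0x30, encode_oid(SERVER_AUTH))
                        + der_tlv(0xA0, encode_oid(CLIENT_AUTH))
                        + der_tlv(0x0C, b"my-ca"))
    b64 = base64.b64encode(fake_cert + aux).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN TRUSTED CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END TRUSTED CERTIFICATE-----\n")

if __name__ == "__main__":
    policy = parse_trusted_cert(build_sample_pem())
    for name, oid in (("serverAuth", SERVER_AUTH), ("clientAuth", CLIENT_AUTH),
                      ("emailProtection", EMAIL_PROTECTION)):
        print(policy["alias"], name, trust_for(policy, oid))
```

Run against the constructed sample it reports serverAuth as trusted, clientAuth as rejected and emailProtection as untrusted, which is exactly the distinction the p11-kit module has to preserve when it hands the anchor to NSS: an anchor that is present is not the same as an anchor that is trusted for the usage at hand.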
