[Freeipa-devel] LDAP schema for DNSSEC keys

Petr Spacek pspacek at redhat.com
Wed Jul 16 15:13:18 UTC 2014


On 24.6.2014 08:43, Jan Cholasta wrote:
> On 20.6.2014 20:23, Simo Sorce wrote:
>> On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:
>>> ipk11Private;privatekey: TRUE
>>> ipk11Private;publickey: FALSE
>>
>> can these two ever hold a different value ?
>> ie a privatekey be FALSE and a publickey be TRUE ?
>>
>> If not I suggest you do not add this attribute at all and assume their
>> value ?
>
> +1, we can use default values for most, if not all of the boolean flag
> attributes. Personally, I would try to avoid using ipk11 attributes until the
> PKCS#11 module is designed/implemented.

I hope that this will not create headache in future...

Anyway, I have taken default values used by OpenDNSSEC v1 and modified them a 
little bit to accommodate our requirements.

I'm using [1] as reference.

Public keys
===========
CKA_CLASS	CKO_PUBLIC_KEY
CKA_COPYABLE	TRUE
CKA_DERIVE	FALSE
CKA_ENCRYPT	FALSE
CKA_LOCAL	TRUE
CKA_MODIFIABLE	TRUE
CKA_PRIVATE	TRUE
CKA_TRUSTED	FALSE
CKA_VERIFY	TRUE
CKA_VERIFY_RECOVER	TRUE
CKA_WRAP	FALSE


Private keys
============
CKA_CLASS	CKO_PRIVATE_KEY
CKA_ALWAYS_AUTHENTICATE	FALSE
CKA_ALWAYS_SENSITIVE	TRUE
CKA_COPYABLE	TRUE
CKA_DECRYPT	FALSE
CKA_DERIVE	FALSE
CKA_EXTRACTABLE	TRUE # changed by pspacek
CKA_LOCAL	TRUE
CKA_MODIFIABLE	TRUE
CKA_NEVER_EXTRACTABLE	TRUE
CKA_PRIVATE	TRUE
CKA_SENSITIVE	TRUE
CKA_SIGN	TRUE
CKA_SIGN_RECOVER	TRUE
CKA_UNWRAP	FALSE
CKA_WRAP_WITH_TRUSTED	FALSE

We can use this set for all DNSSEC key pair objects. Replica keys will require 
a small change, i.e. to change SIGN/VERIFY attributes to FALSE and WRAP/UNWRAP 
attributes to TRUE.

OpenDNSSEC itself doesn't create any secret keys so we have to invent our own 
defaults. I propose to use the following values:

Secret keys
===========
CKA_CLASS	CKO_SECRET_KEY
CKA_COPYABLE	TRUE
CKA_DECRYPT	FALSE
CKA_DERIVE	FALSE
CKA_ENCRYPT	FALSE
CKA_EXTRACTABLE	TRUE
CKA_MODIFIABLE	TRUE
CKA_PRIVATE	TRUE
CKA_SENSITIVE	FALSE
CKA_SIGN	FALSE
CKA_UNWRAP	TRUE
CKA_VERIFY	FALSE
CKA_WRAP	TRUE
CKA_WRAP_WITH_TRUSTED	FALSE


>> (btw I forgot what's the point of that attribute)
>
> When it is true, a user may not access the object until the user has been
> authenticated to the token (what PKCS#11 spec says).

In practice it means that SoftHSM encrypts values of "PRIVATE" objects before 
storing them to file system.

[1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf

-- 
Petr^2 Spacek
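The three templates from the mail above, as an added example that is not code from the mail or from FreeIPA: the attribute sets as Python dicts, the replica-key variant derived the way the mail describes (SIGN/VERIFY to FALSE, WRAP/UNWRAP to TRUE), and a checker for a few PKCS#11 v2.x attribute-consistency rules. One of those rules matters for the private-key set: the spec defines CKA_NEVER_EXTRACTABLE as TRUE only for a key whose CKA_EXTRACTABLE has never been TRUE, and the token maintains it, so a template that asserts both TRUE is contradictory and the checker reports it. The ipk11* LDAP attribute names are produced mechanically from the CKA_ names following the ipk11Private example in the thread; that naming and the string form of CKA_CLASS are assumptions, not the published schema.

```python
# Added example, not code from the mail or from FreeIPA.
# Builds the PKCS#11 attribute templates proposed in the mail, derives the
# replica-key variant, checks PKCS#11 v2.x consistency rules and maps the
# result to ipk11* LDAP attribute names (naming assumed from the
# ipk11Private example in the thread; not the published schema).
from typing import Dict, List, Union

Template = Dict[str, Union[str, bool]]

PUBLIC_KEY: Template = {
    "CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_COPYABLE": True, "CKA_DERIVE": False,
    "CKA_ENCRYPT": False, "CKA_LOCAL": True, "CKA_MODIFIABLE": True,
    "CKA_PRIVATE": True, "CKA_TRUSTED": False, "CKA_VERIFY": True,
    "CKA_VERIFY_RECOVER": True, "CKA_WRAP": False,
}

PRIVATE_KEY: Template = {
    "CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ALWAYS_AUTHENTICATE": False,
    "CKA_ALWAYS_SENSITIVE": True, "CKA_COPYABLE": True, "CKA_DECRYPT": False,
    "CKA_DERIVE": False, "CKA_EXTRACTABLE": True,   # as posted ("changed by pspacek")
    "CKA_LOCAL": True, "CKA_MODIFIABLE": True, "CKA_NEVER_EXTRACTABLE": True,
    "CKA_PRIVATE": True, "CKA_SENSITIVE": True, "CKA_SIGN": True,
    "CKA_SIGN_RECOVER": True, "CKA_UNWRAP": False, "CKA_WRAP_WITH_TRUSTED": False,
}

SECRET_KEY: Template = {
    "CKA_CLASS": "CKO_SECRET_KEY", "CKA_COPYABLE": True, "CKA_DECRYPT": False,
    "CKA_DERIVE": False, "CKA_ENCRYPT": False, "CKA_EXTRACTABLE": True,
    "CKA_MODIFIABLE": True, "CKA_PRIVATE": True, "CKA_SENSITIVE": False,
    "CKA_SIGN": False, "CKA_UNWRAP": True, "CKA_VERIFY": False,
    "CKA_WRAP": True, "CKA_WRAP_WITH_TRUSTED": False,
}

# Attributes the spec does not define for the given object class.
_CLASS_RULES = {
    "CKO_PUBLIC_KEY": {"CKA_SENSITIVE", "CKA_EXTRACTABLE", "CKA_ALWAYS_SENSITIVE",
                       "CKA_NEVER_EXTRACTABLE", "CKA_DECRYPT", "CKA_SIGN",
                       "CKA_SIGN_RECOVER", "CKA_UNWRAP", "CKA_WRAP_WITH_TRUSTED",
                       "CKA_ALWAYS_AUTHENTICATE"},
    "CKO_PRIVATE_KEY": {"CKA_ENCRYPT", "CKA_VERIFY", "CKA_VERIFY_RECOVER",
                        "CKA_WRAP", "CKA_TRUSTED"},
    "CKO_SECRET_KEY": {"CKA_SIGN_RECOVER", "CKA_VERIFY_RECOVER",
                       "CKA_ALWAYS_AUTHENTICATE"},
}
_SIGN_FAMILY = {"CKA_SIGN", "CKA_SIGN_RECOVER", "CKA_VERIFY", "CKA_VERIFY_RECOVER"}
_WRAP_FAMILY = {"CKA_WRAP", "CKA_UNWRAP"}


def replica_key_template(tmpl: Template) -> Template:
    """Replica-key variant as the mail describes: SIGN/VERIFY off, WRAP/UNWRAP on."""
    out = dict(tmpl)
    for name in out:
        if name in _SIGN_FAMILY:
            out[name] = False
        elif name in _WRAP_FAMILY:
            out[name] = True
    return out


def check_consistency(tmpl: Template) -> List[str]:
    """Return PKCS#11 v2.x attribute-consistency violations (empty list = OK)."""
    problems: List[str] = []
    cls = tmpl.get("CKA_CLASS")
    if cls not in _CLASS_RULES:
        return [f"unknown or missing CKA_CLASS: {cls!r}"]
    for name, value in tmpl.items():
        if name != "CKA_CLASS" and not isinstance(value, bool):
            problems.append(f"{name} must be CK_BBOOL, got {value!r}")
        if name in _CLASS_RULES[cls]:
            problems.append(f"{name} is not defined for {cls}")
    # CKA_NEVER_EXTRACTABLE is TRUE only if CKA_EXTRACTABLE has never been TRUE;
    # the token maintains it, so asserting both TRUE in one template is contradictory.
    if tmpl.get("CKA_NEVER_EXTRACTABLE") and tmpl.get("CKA_EXTRACTABLE"):
        problems.append("CKA_NEVER_EXTRACTABLE=TRUE contradicts CKA_EXTRACTABLE=TRUE")
    # Same shape of rule for CKA_ALWAYS_SENSITIVE versus CKA_SENSITIVE.
    if tmpl.get("CKA_ALWAYS_SENSITIVE") and tmpl.get("CKA_SENSITIVE") is False:
        problems.append("CKA_ALWAYS_SENSITIVE=TRUE contradicts CKA_SENSITIVE=FALSE")
    return problems


def to_ldap_attrs(tmpl: Template) -> Dict[str, str]:
    """Map CKA_FOO_BAR -> ipk11FooBar (assumed naming) with LDAP boolean syntax."""
    attrs: Dict[str, str] = {}
    for name, value in tmpl.items():
        ldap_name = "ipk11" + "".join(p.capitalize() for p in name[len("CKA_"):].split("_"))
        attrs[ldap_name] = value if isinstance(value, str) else ("TRUE" if value else "FALSE")
    return attrs


if __name__ == "__main__":
    for label, t in (("public", PUBLIC_KEY), ("private", PRIVATE_KEY),
                     ("secret", SECRET_KEY),
                     ("replica private", replica_key_template(PRIVATE_KEY))):
        print(label, check_consistency(t) or "OK")
```

Running it reports the public and secret templates as consistent and flags the private one on the EXTRACTABLE/NEVER_EXTRACTABLE pairing; the replica variant inherits the same report because only the SIGN/UNWRAP flags change.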