[Freeipa-devel] LDAP schema for DNSSEC keys
Petr Spacek
pspacek at redhat.com
Wed Jul 16 15:13:18 UTC 2014

On 24.6.2014 08:43, Jan Cholasta wrote:
> On 20.6.2014 20:23, Simo Sorce wrote:
>> On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:
>>> ipk11Private;privatekey: TRUE
>>> ipk11Private;publickey: FALSE
>>
>> can these two ever hold a different value ?
>> ie a privatekey be FALSE and a publickey be TRUE ?
>>
>> If not I suggest you do not add this attribute at all and assume their
>> value ?
>
> +1, we can use default values for most, if not all of the boolean flag
> attributes. Personally, I would try to avoid using ipk11 attributes until the
> PKCS#11 module is designed/implemented.

I hope that this will not create a headache in the future...
Anyway, I have taken the default values used by OpenDNSSEC v1 and modified them a
little bit to accommodate our requirements.
I'm using [1] as a reference.

Public keys
===========
CKA_CLASS CKO_PUBLIC_KEY
CKA_COPYABLE TRUE
CKA_DERIVE FALSE
CKA_ENCRYPT FALSE
CKA_LOCAL TRUE
CKA_MODIFIABLE TRUE
CKA_PRIVATE TRUE
CKA_TRUSTED FALSE
CKA_VERIFY TRUE
CKA_VERIFY_RECOVER TRUE
CKA_WRAP FALSE

Private keys
============
CKA_CLASS CKO_PRIVATE_KEY
CKA_ALWAYS_AUTHENTICATE FALSE
CKA_ALWAYS_SENSITIVE TRUE
CKA_COPYABLE TRUE
CKA_DECRYPT FALSE
CKA_DERIVE FALSE
CKA_EXTRACTABLE TRUE # changed by pspacek
CKA_LOCAL TRUE
CKA_MODIFIABLE TRUE
CKA_NEVER_EXTRACTABLE TRUE
CKA_PRIVATE TRUE
CKA_SENSITIVE TRUE
CKA_SIGN TRUE
CKA_SIGN_RECOVER TRUE
CKA_UNWRAP FALSE
CKA_WRAP_WITH_TRUSTED FALSE

We can use this set for all DNSSEC key pair objects. Replica keys will require
a small change, i.e. to change SIGN/VERIFY attributes to FALSE and WRAP/UNWRAP
attributes to TRUE.

OpenDNSSEC itself doesn't create any secret keys so we have to invent our own
defaults. I propose to use the following values:

Secret keys
===========
CKA_CLASS CKO_SECRET_KEY
CKA_COPYABLE TRUE
CKA_DECRYPT FALSE
CKA_DERIVE FALSE
CKA_ENCRYPT FALSE
CKA_EXTRACTABLE TRUE
CKA_MODIFIABLE TRUE
CKA_PRIVATE TRUE
CKA_SENSITIVE FALSE
CKA_SIGN FALSE
CKA_UNWRAP TRUE
CKA_VERIFY FALSE
CKA_WRAP TRUE
CKA_WRAP_WITH_TRUSTED FALSE

>> (btw I forgot what's the point of that attribute)
>
> When it is true, a user may not access the object until the user has been
> authenticated to the token (what PKCS#11 spec says).

In practice it means that SoftHSM encrypts values of "PRIVATE" objects before
storing them to the file system.

[1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf
--
Petr^2 Spacek
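
Added example, not part of the original message or of FreeIPA's code: a Python sketch of the default-value approach discussed in the thread, where an entry stores only the flags that differ from the class defaults listed above. The function names are hypothetical, leaving the *_RECOVER flags untouched for replica keys is an assumption, and the last function checks how PKCS#11 defines the two history flags (CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE) against the current ones.

```python
def _table(true_names, false_names):
    """Build {CKA_name: bool} from space-separated attribute names."""
    table = {f"CKA_{n}": True for n in true_names.split()}
    table.update({f"CKA_{n}": False for n in false_names.split()})
    return table

# Defaults transcribed from the tables in the message (CKA_CLASS omitted).
PUBLIC_DEFAULTS = _table(
    "COPYABLE LOCAL MODIFIABLE PRIVATE VERIFY VERIFY_RECOVER",
    "DERIVE ENCRYPT TRUSTED WRAP")
PRIVATE_DEFAULTS = _table(
    "ALWAYS_SENSITIVE COPYABLE EXTRACTABLE LOCAL MODIFIABLE NEVER_EXTRACTABLE "
    "PRIVATE SENSITIVE SIGN SIGN_RECOVER",
    "ALWAYS_AUTHENTICATE DECRYPT DERIVE UNWRAP WRAP_WITH_TRUSTED")

# Replica-key change described in the message. Leaving the *_RECOVER flags
# untouched is an assumption of this sketch.
REPLICA_CHANGES = {"CKA_SIGN": False, "CKA_VERIFY": False,
                   "CKA_WRAP": True, "CKA_UNWRAP": True}

def effective(defaults, stored):
    """Resolve a sparse stored entry against the defaults for its class."""
    unknown = sorted(set(stored) - set(defaults))
    if unknown:
        raise ValueError(f"attributes not valid for this class: {unknown}")
    return {**defaults, **stored}

def sparse(defaults, full):
    """Return only the attributes that must be stored explicitly."""
    return {k: v for k, v in full.items() if defaults[k] != v}

def replica(defaults):
    """Apply the replica-key change to whichever flags this class has."""
    changes = {k: v for k, v in REPLICA_CHANGES.items() if k in defaults}
    return effective(defaults, changes)

def history_conflicts(attrs):
    """PKCS#11 defines the two history flags in terms of the current ones."""
    found = []
    if attrs.get("CKA_NEVER_EXTRACTABLE") and attrs.get("CKA_EXTRACTABLE"):
        found.append("CKA_NEVER_EXTRACTABLE=TRUE with CKA_EXTRACTABLE=TRUE")
    if attrs.get("CKA_ALWAYS_SENSITIVE") and not attrs.get("CKA_SENSITIVE", True):
        found.append("CKA_ALWAYS_SENSITIVE=TRUE with CKA_SENSITIVE=FALSE")
    return found

if __name__ == "__main__":
    for name, table in (("public", PUBLIC_DEFAULTS), ("private", PRIVATE_DEFAULTS)):
        print(name, "replica stores:", sparse(table, replica(table)))
    print("private defaults:", history_conflicts(PRIVATE_DEFAULTS))
```

A token sets the two history flags itself, so a key that is currently extractable cannot also report CKA_NEVER_EXTRACTABLE as TRUE; the check reports that pair for the private-key defaults as listed.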