[Freeipa-devel] LDAP schema for DNSSEC keys
Jan Cholasta
jcholast at redhat.com
Thu Jul 17 08:30:09 UTC 2014
On 16.7.2014 17:13, Petr Spacek wrote:
> On 24.6.2014 08:43, Jan Cholasta wrote:
>> On 20.6.2014 20:23, Simo Sorce wrote:
>>> On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:
>>>> ipk11Private;privatekey: TRUE
>>>> ipk11Private;publickey: FALSE
>>>
>>> can these two ever hold a different value ?
>>> ie a privatekey be FALSE and a publickey be TRUE ?
>>>
>>> If not I suggest you do not add this attribute at all and assume their
>>> value ?
>>
>> +1, we can use default values for most, if not all of the boolean flag
>> attributes. Personally, I would try to avoid using ipk11 attributes
>> until the
>> PKCS#11 module is designed/implemented.
>
> I hope that this will not create headache in future...
>
> Anyway, I have taken default values used by OpenDNSSEC v1 and modified
> them a little bit to accommodate our requirements.
>
> I'm using [1] as reference.
>
> Public keys
> ===========
> CKA_CLASS CKO_PUBLIC_KEY
> CKA_COPYABLE TRUE
> CKA_DERIVE FALSE
> CKA_ENCRYPT FALSE
> CKA_LOCAL TRUE
> CKA_MODIFIABLE TRUE
> CKA_PRIVATE TRUE
> CKA_TRUSTED FALSE
> CKA_VERIFY TRUE
> CKA_VERIFY_RECOVER TRUE
> CKA_WRAP FALSE
>
>
> Private keys
> ============
> CKA_CLASS CKO_PRIVATE_KEY
> CKA_ALWAYS_AUTHENTICATE FALSE
> CKA_ALWAYS_SENSITIVE TRUE
> CKA_COPYABLE TRUE
> CKA_DECRYPT FALSE
> CKA_DERIVE FALSE
> CKA_EXTRACTABLE TRUE # changed by pspacek
> CKA_LOCAL TRUE
> CKA_MODIFIABLE TRUE
> CKA_NEVER_EXTRACTABLE TRUE
> CKA_PRIVATE TRUE
> CKA_SENSITIVE TRUE
> CKA_SIGN TRUE
> CKA_SIGN_RECOVER TRUE
> CKA_UNWRAP FALSE
> CKA_WRAP_WITH_TRUSTED FALSE
If you want the keys to be extractable, you also need to set
CKA_SENSITIVE (and CKA_ALWAYS_SENSITIVE) to CK_FALSE.
>
> We can use this set for all DNSSEC key pair objects. Replica keys will
> require small change, i.e. to change SIGN/VERIFY attributes to FALSE and
> WRAP/UNWRAP attributes to TRUE.
Replica private keys should not be extractable, i.e. should have
CKA_EXTRACTABLE = CK_FALSE and CKA_SENSITIVE = CK_TRUE.
>
> OpenDNSSEC itself doesn't create any secret keys so we have to invent
> own defaults. I propose to use following values:
>
> Secret keys
> ===========
> CKA_CLASS CKO_SECRET_KEY
> CKA_COPYABLE TRUE
> CKA_DECRYPT FALSE
> CKA_DERIVE FALSE
> CKA_ENCRYPT FALSE
> CKA_EXTRACTABLE TRUE
> CKA_MODIFIABLE TRUE
> CKA_PRIVATE TRUE
> CKA_SENSITIVE FALSE
> CKA_SIGN FALSE
> CKA_UNWRAP TRUE
> CKA_VERIFY FALSE
> CKA_WRAP TRUE
> CKA_WRAP_WITH_TRUSTED FALSE
When master key is rotated, CKA_WRAP on the old key should be set to
CK_FALSE, so that new DNSSEC keys can't be wrapped with it.
>
>
>>> (btw I forgot what's the point of that attribute)
>>
>> When it is true, a user may not access the object until the user has been
>> authenticated to the token (what PKCS#11 spec says).
>
> In practice it means that SoftHSM encrypts values of "PRIVATE" objects
> before storing them to file system.
>
> [1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf
>
BTW I have noticed at
<https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm>
that public key of each replica is stored in a ipk11 entry under cn=DNS.
IMO it should be enough to store just the public key blob in
ipaPublicKey attribute in cn=DNS itself.
--
Jan Cholasta
More information about the Freeipa-devel
mailing list