[Freeipa-devel] LDAP schema for DNSSEC keys
Petr Spacek
pspacek at redhat.com
Fri Jul 25 17:26:51 UTC 2014
On 17.7.2014 10:30, Jan Cholasta wrote:
> On 16.7.2014 17:13, Petr Spacek wrote:
>> On 24.6.2014 08:43, Jan Cholasta wrote:
>>> On 20.6.2014 20:23, Simo Sorce wrote:
>>>> On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:
>>>>> ipk11Private;privatekey: TRUE
>>>>> ipk11Private;publickey: FALSE
>>>>
>>>> can these two ever hold a different value ?
>>>> ie a privatekey be FALSE and a publickey be TRUE ?
>>>>
>>>> If not I suggest you do not add this attribute at all and assume their
>>>> value ?
>>>
>>> +1, we can use default values for most, if not all of the boolean flag
>>> attributes. Personally, I would try to avoid using ipk11 attributes
>>> until the
>>> PKCS#11 module is designed/implemented.
>>
>> I hope that this will not create headache in future...
>>
>> Anyway, I have taken default values used by OpenDNSSEC v1 and modified
>> them a little bit to accommodate our requirements.
>>
>> I'm using [1] as reference.
>>
>> Public keys
>> ===========
>> CKA_CLASS CKO_PUBLIC_KEY
>> CKA_COPYABLE TRUE
>> CKA_DERIVE FALSE
>> CKA_ENCRYPT FALSE
>> CKA_LOCAL TRUE
>> CKA_MODIFIABLE TRUE
>> CKA_PRIVATE TRUE
>> CKA_TRUSTED FALSE
>> CKA_VERIFY TRUE
>> CKA_VERIFY_RECOVER TRUE
>> CKA_WRAP FALSE
>>
>>
>> Private keys
>> ============
>> CKA_CLASS CKO_PRIVATE_KEY
>> CKA_ALWAYS_AUTHENTICATE FALSE
>> CKA_ALWAYS_SENSITIVE TRUE
>> CKA_COPYABLE TRUE
>> CKA_DECRYPT FALSE
>> CKA_DERIVE FALSE
>> CKA_EXTRACTABLE TRUE # changed by pspacek
>> CKA_LOCAL TRUE
>> CKA_MODIFIABLE TRUE
>> CKA_NEVER_EXTRACTABLE TRUE
>> CKA_PRIVATE TRUE
>> CKA_SENSITIVE TRUE
>> CKA_SIGN TRUE
>> CKA_SIGN_RECOVER TRUE
>> CKA_UNWRAP FALSE
>> CKA_WRAP_WITH_TRUSTED FALSE
>
> If you want the keys to be extractable, you also need to set CKA_SENSITIVE
> (and CKA_ALWAYS_SENSITIVE) to CK_FALSE.
>
>>
>> We can use this set for all DNSSEC key pair objects. Replica keys will
>> require small change, i.e. to change SIGN/VERIFY attributes to FALSE and
>> WRAP/UNWRAP attributes to TRUE.
>
> Replica private keys should not be extractable, i.e. should have
> CKA_EXTRACTABLE = CK_FALSE and CKA_SENSITIVE = CK_TRUE.
>
>>
>> OpenDNSSEC itself doesn't create any secret keys so we have to invent
>> own defaults. I propose to use following values:
>>
>> Secret keys
>> ===========
>> CKA_CLASS CKO_SECRET_KEY
>> CKA_COPYABLE TRUE
>> CKA_DECRYPT FALSE
>> CKA_DERIVE FALSE
>> CKA_ENCRYPT FALSE
>> CKA_EXTRACTABLE TRUE
>> CKA_MODIFIABLE TRUE
>> CKA_PRIVATE TRUE
>> CKA_SENSITIVE FALSE
>> CKA_SIGN FALSE
>> CKA_UNWRAP TRUE
>> CKA_VERIFY FALSE
>> CKA_WRAP TRUE
>> CKA_WRAP_WITH_TRUSTED FALSE
>
> When master key is rotated, CKA_WRAP on the old key should be set to CK_FALSE,
> so that new DNSSEC keys can't be wrapped with it.
>
>>
>>
>>>> (btw I forgot what's the point of that attribute)
>>>
>>> When it is true, a user may not access the object until the user has been
>>> authenticated to the token (what PKCS#11 spec says).
>>
>> In practice it means that SoftHSM encrypts values of "PRIVATE" objects
>> before storing them to file system.
>>
>> [1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf
>>
>
> BTW I have noticed at
> <https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm>
> that public key of each replica is stored in a ipk11 entry under cn=DNS. IMO
> it should be enough to store just the public key blob in ipaPublicKey
> attribute in cn=DNS itself.
I have updated design page and diagrams:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#LDAPschema
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list