Posted to rampart-c-dev@ws.apache.org by Milinda Pathirage <mi...@gmail.com> on 2008/01/31 08:13:30 UTC

PKCS12 Key Store API

Hi all,

After doing some research on the OpenSSL PKCS12 implementation, I designed the
following API for a PKCS12 keystore to include in Rampart/C.

Currently the Rampart configuration supports specifying certificates by their
.pem file name. This approach limits our server-side security capabilities
because we can only handle one user certificate (correct me if I am wrong). A
PKCS12 keystore implementation will allow us to store several certificates
inside one single file and retrieve and validate them according to our
requirements.

Here is the API for the PKCS12 keystore (this API was designed after examining
the Crypto interface of WSS4J):

pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);

This method is used to create a key store from the given file.


openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd);

Get the private key of the owner of the key store. Currently I am assuming that
we store our private/public key pair together with our CA certificates and
others' public keys. This method will handle the situation with several private
keys in the key store because we specify the alias.


pkcs12_keystore_get_certificates(char *alias);

Get the certificates for the given alias. I still need to figure out the return
type (whether to return STACK_OF(X509) or an X509 array).

char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer);

Get the alias of the certificate that matches the given issuer name.


char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial);

Get the alias of the certificate that matches the given issuer name and serial.


char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski);

Get the alias of the certificate that matches the given Subject Key Identifier.


X509 * pkcs12_keystore_get_default_cert();

Get the default certificate of the key store.


char * pkcs12_keystore_get_alias_for_default_cert();

Get the alias of the default certificate.


char * pkcs12_keystore_get_alias_for_cert_thumb(char *thumb);

Get the alias of the certificate that matches the given thumbprint.


pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn);

Get the alias of the certificate that matches the given DN.


I still have to figure out how we can validate a given certificate. The
function name should change.
pkcs12_keystore_validate_cert_path(X509 certs);


This is only a draft API. I think there may be some missing parts. Please
feel free to comment on this.


Thanks

Milinda



-- 
http://think2ed.blogspot.com "thinksquared"
http://wsaxc.blogspot.com "Web Services With Axis2/C"

Re: PKCS12 Key Store API

Posted by Milinda Pathirage <mi...@gmail.com>.
Hi,
In the case of the private key, we have only one private key on either side.
Therefore I think we don't have any difficulties retrieving that private key.
In the general case we store only our own private key in our key store, with
the matching certificate (our own certificate) and certificates from others.
When using OpenSSL's PKCS12_parse function we can retrieve the default private
key and certificate easily (default means our private key and certificate).
This function fills a STACK_OF(X509) with the other certificates inside the key
store. So what we have to do is handle the others' certificates and validate
certificates.
Please feel free to comment on this if there are any missing points. :)

Thanks

Milinda

On Jan 31, 2008 8:33 PM, Kaushalye Kapuruge <ka...@wso2.com> wrote:

> Manjula Peiris wrote:
> > On Thu, 2008-01-31 at 12:43 +0530, Milinda Pathirage wrote:
> >
> >> Hi all,
> >>
> >> After doing some research with openssl pkcs12 implementation, I
> designed
> >> following API for PKCS12 Keystore to include in Rampart/C.
> >>
> >> Currently Rampart configuration support specifying certificate using
> their
> >> .pem file name. This approach is limiting our capabilities of server
> side
> >> security because we can only handle one user certificate(correct me if
> I am
> >> wrong). PKCS12 Keystore implementation will allow us to store several
> >> certificates inside one single file and retrive and validate them
> according
> >> to our requirements.
> >>
> >> Here is the API for PKCS12 Keystore (This API is designed after examine
> the
> >> Crypto interface of WSS4J):
> >>
> >> pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char
> *password);
> >>
> >> This method is use to create a key store from given file.
> >>
> >>
> >> openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char
> *passwd)
> >>
> >> Get the private key of the owner of key store. Currently assuming that
> we
> >> store our private key and public key pair with our CA certificates and
> >> others public keys. This method will handle situation with several
> private
> >> keys in the key store because we specify the alias.
> >>
> >
> > How are you going to provide the alias ? Is it through the policy file
> > or using another way? If it is through the policy file then you need to
> > add another element to Rampart_Config. But the problem is how to select
> > the correct private key from the key store. Because it needs to be done
> > when the SOAP messages arrives using the information of the receivers
> > public key.
> >
> In the SOAP header we have information such as issuer and the serial
> number, Thumbprint or the SKI. With that information we can get the
> alias for the certificate.Given the alias we can get the private key. I
> do not think we can get the private key directly by giving the SKI,
> Thumbprint or Issuer+Serial.(Milinda please google a bit on that) If the
> complete certificate is available in the header, we can extract
> information and follow the same steps.
> -Kau
> > -Manjula


-- 
http://think2ed.blogspot.com "thinksquared"
http://wsaxc.blogspot.com "Web Services With Axis2/C"

Re: PKCS12 Key Store API

Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Manjula Peiris wrote:
> On Thu, 2008-01-31 at 12:43 +0530, Milinda Pathirage wrote:
>   
>> Hi all,
>>
>> After doing some research with openssl pkcs12 implementation, I designed
>> following API for PKCS12 Keystore to include in Rampart/C.
>>
>> Currently Rampart configuration support specifying certificate using their
>> .pem file name. This approach is limiting our capabilities of server side
>> security because we can only handle one user certificate(correct me if I am
>> wrong). PKCS12 Keystore implementation will allow us to store several
>> certificates inside one single file and retrive and validate them according
>> to our requirements.
>>
>> Here is the API for PKCS12 Keystore (This API is designed after examine the
>> Crypto interface of WSS4J):
>>
>> pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
>>
>> This method is use to create a key store from given file.
>>
>>
>> openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
>>
>> Get the private key of the owner of key store. Currently assuming that we
>> store our private key and public key pair with our CA certificates and
>> others public keys. This method will handle situation with several private
>> keys in the key store because we specify the alias.
>>     
>
> How are you going to provide the alias ? Is it through the policy file
> or using another way? If it is through the policy file then you need to
> add another element to Rampart_Config. But the problem is how to select
> the correct private key from the key store. Because it needs to be done
> when the SOAP messages arrives using the information of the receivers
> public key.
>   
In the SOAP header we have information such as the issuer and the serial
number, the thumbprint or the SKI. With that information we can get the
alias for the certificate. Given the alias we can get the private key. I
do not think we can get the private key directly by giving the SKI,
thumbprint or issuer+serial. (Milinda, please google a bit on that.) If the
complete certificate is available in the header, we can extract the
information and follow the same steps.
-Kau
> -Manjula


-- 
http://blog.kaushalye.org/
http://wso2.org/


Re: PKCS12 Key Store API

Posted by Manjula Peiris <ma...@wso2.com>.
On Thu, 2008-01-31 at 12:43 +0530, Milinda Pathirage wrote:
> Hi all,
> 
> After doing some research with openssl pkcs12 implementation, I designed
> following API for PKCS12 Keystore to include in Rampart/C.
> 
> Currently Rampart configuration support specifying certificate using their
> .pem file name. This approach is limiting our capabilities of server side
> security because we can only handle one user certificate(correct me if I am
> wrong). PKCS12 Keystore implementation will allow us to store several
> certificates inside one single file and retrive and validate them according
> to our requirements.
> 
> Here is the API for PKCS12 Keystore (This API is designed after examine the
> Crypto interface of WSS4J):
> 
> pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
> 
> This method is use to create a key store from given file.
> 
> 
> openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
> 
> Get the private key of the owner of key store. Currently assuming that we
> store our private key and public key pair with our CA certificates and
> others public keys. This method will handle situation with several private
> keys in the key store because we specify the alias.

How are you going to provide the alias? Is it through the policy file
or in another way? If it is through the policy file then you need to
add another element to Rampart_Config. But the problem is how to select
the correct private key from the key store, because it needs to be done
when the SOAP message arrives, using the information of the receiver's
public key.

-Manjula



Re: PKCS12 Key Store API

Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Hi Milinda,
Good job. :) See my comments inline.
Cheers,
Kaushalye

Milinda Pathirage wrote:
> Hi all,
>
> After doing some research with openssl pkcs12 implementation, I designed
> following API for PKCS12 Keystore to include in Rampart/C.
>
> Currently Rampart configuration support specifying certificate using their
> .pem file name. This approach is limiting our capabilities of server side
> security because we can only handle one user certificate(correct me if I am
> wrong). PKCS12 Keystore implementation will allow us to store several
> certificates inside one single file and retrive and validate them according
> to our requirements.
>
> Here is the API for PKCS12 Keystore (This API is designed after examine the
> Crypto interface of WSS4J):
>
> pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
>
> This method is use to create a key store from given file.
>
>
> openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
>
> Get the private key of the owner of key store. Currently assuming that we
> store our private key and public key pair with our CA certificates and
> others public keys. This method will handle situation with several private
> keys in the key store because we specify the alias.
>
>
> pkcs12_keystore_get_ certificates(char *alias)
>
> Get the certificates for given alias. Need to figure out the return type
> (Whether to return STACK_OF(X509) or x509 array).
>   
Here we can use an array of X509* from the openssl struct. But I prefer 
to use an array of oxs_x509_cert_t from OMXLSec as the return type.
>  char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer)
>
> Get alias of the certificate that matches given issuer's name.
>
>
> char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial)
>
> Get alias of the certificate that matches given issuer's name and serial.
>
>
> char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski)
>
> Get alias of the certificate that matches given Subject Key Identifier.
>
>
> x509 * pkcs12_keystore_get_default_cert()
>
> Get the default certificate of the key store.
>
>   
This is a good addition to the API when we have only one certificate.
But how exactly are we supposed to define a certificate as "default" when
there are multiple entries?
>  char * pkcs12_keystore_ get_alias_for_defualt_cert()
>
> Get the alias of the default certificate.
>
>
> char* pkcs12_keystore_get_alias_for_cert_thumb(char *thumb)
>
> Get alias of the matching certificate with given thumbprint.
>
>
>  pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn)
>
> Get alias of the matching certificate with given DN.
>
>
>  Have to figure out how we can validate a given certificate. Function name
> should change.
> pkcs12_keystore_validate_cert_path(X509 certs)
>
>
>  This is only a draft API. I think there may be some missing parts. Please
> feel free to comment on this.
>
>   
You can use openssl_pkcs12_parse(), which is already implemented, to load
a pkcs12 file. I think for the searching functions such as
pkcs12_keystore_get_alias_for_cert_thumb() we have to implement our
comparison logic within a loop. I doubt that pkcs12 has implemented such
functions that we can wrap with ours.

Also the parse function returns a stack of CA certificates. This is
required for the WS-Trust implementation.

I think the above set is enough for a start. We can implement more
functions when there is a requirement. But always keep consistency
in mind. For example we can use the following pattern.

alias = get_alias_given_X(x);
cert/key = get_cert/key_given_alias(alias, [passwd]);



-- 
http://blog.kaushalye.org/
http://wso2.org/
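
The lookup pattern Kaushalye describes above, and the search functions from Milinda's draft API (issuer+serial, SKI, default certificate), as an added example that is not part of this thread or of Rampart/C. It assumes a hypothetical ks_entry_t layout and a sample_keystore() builder with constructed entries, and adds a keystore handle and explicit lengths to the draft signatures; the thumbprint and DN lookups follow the same shape as the SKI one and are omitted.

```c
/* Added example, not Rampart/C or OpenSSL code: an in-memory model of the
 * pattern proposed in the thread, alias = get_alias_given_X(x) followed by
 * cert = get_cert_given_alias(alias). Entries are constructed inline instead
 * of being filled from the X509 objects PKCS12_parse() returns. */
#include <string.h>

#define MAX_SERIAL 20   /* RFC 5280 limits serialNumber to 20 octets */
#define SKI_LEN    20   /* Subject Key Identifier length used here    */

/* Hypothetical entry layout (assumed here, not the project's struct). */
typedef struct {
    const char   *alias;
    const char   *subject_dn;
    const char   *issuer_dn;
    unsigned char serial[MAX_SERIAL];   /* serial as bytes, not an int */
    size_t        serial_len;
    unsigned char ski[SKI_LEN];
    int           has_private_key;      /* 1 only for the store owner   */
} ks_entry_t;

typedef struct {
    ks_entry_t *entries;
    size_t      count;
} pkcs12_keystore_t;

/* Deterministic filler so the constructed sample has distinct identifiers. */
static void fill(unsigned char *dst, size_t n, unsigned char seed) {
    for (size_t i = 0; i < n; i++) dst[i] = (unsigned char)(seed + i);
}

/* Constructed sample store: the owner ("server") plus two peer certificates. */
pkcs12_keystore_t *sample_keystore(void) {
    static ks_entry_t e[3];
    static pkcs12_keystore_t ks = { e, 3 };
    const char *aliases[]  = { "server", "alice", "bob" };
    const char *subjects[] = { "CN=server,O=Example", "CN=alice,O=Example",
                               "CN=bob,O=Example" };
    for (size_t i = 0; i < 3; i++) {
        e[i].alias = aliases[i];
        e[i].subject_dn = subjects[i];
        e[i].issuer_dn = "CN=Example CA,O=Example";
        fill(e[i].ski, SKI_LEN, (unsigned char)(0x10 * (i + 1)));
        e[i].has_private_key = (i == 0);
    }
    e[0].serial[0] = 0x01; e[0].serial_len = 1;     /* two short serials ... */
    e[1].serial[0] = 0x02; e[1].serial_len = 1;
    fill(e[2].serial, MAX_SERIAL, 0x80);            /* ... and a full 20-octet one */
    e[2].serial_len = MAX_SERIAL;
    return &ks;
}

/* Exact-length comparison: a truncated or padded identifier never matches. */
static int bytes_equal(const unsigned char *a, size_t alen,
                       const unsigned char *b, size_t blen) {
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* get_alias_given_X: a linear scan with the comparison for that identifier.
 * strcmp() on the issuer stands in for X509_NAME_cmp(); textual DNs are not
 * canonical, so real code should compare the parsed X509_NAME instead. */
const char *pkcs12_keystore_get_alias_for_cert_serial(const pkcs12_keystore_t *ks,
        const char *issuer, const unsigned char *serial, size_t serial_len) {
    for (size_t i = 0; i < ks->count; i++) {
        const ks_entry_t *e = &ks->entries[i];
        if (strcmp(e->issuer_dn, issuer) == 0 &&
            bytes_equal(e->serial, e->serial_len, serial, serial_len))
            return e->alias;
    }
    return NULL;
}

const char *pkcs12_keystore_get_alias_for_cert_sub_key_id(
        const pkcs12_keystore_t *ks, const unsigned char *ski, size_t ski_len) {
    for (size_t i = 0; i < ks->count; i++)
        if (bytes_equal(ks->entries[i].ski, SKI_LEN, ski, ski_len))
            return ks->entries[i].alias;
    return NULL;
}

/* "Default" is defined as the single entry that carries a private key;
 * zero or several such entries are reported as ambiguous (NULL). */
const char *pkcs12_keystore_get_alias_for_default_cert(const pkcs12_keystore_t *ks) {
    const char *found = NULL;
    for (size_t i = 0; i < ks->count; i++) {
        if (!ks->entries[i].has_private_key) continue;
        if (found) return NULL;
        found = ks->entries[i].alias;
    }
    return found;
}

/* get_cert_given_alias: the second half of the pattern. */
const ks_entry_t *pkcs12_keystore_get_certificate(const pkcs12_keystore_t *ks,
                                                  const char *alias) {
    for (size_t i = 0; i < ks->count; i++)
        if (strcmp(ks->entries[i].alias, alias) == 0)
            return &ks->entries[i];
    return NULL;
}
```

Passing the serial as a length-prefixed byte string rather than the draft's `int serial` matters because real certificate serials routinely exceed the width of an int, and a truncated comparison could select the wrong entry.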


Re: PKCS12 Key Store API

Posted by Milinda Pathirage <mi...@gmail.com>.
Hi,

I added the missing parts into wiki page. :)

Thanks
Milinda

On Feb 14, 2008 10:58 AM, Kaushalye Kapuruge <ka...@wso2.com> wrote:

> Hi Milinda,
> Looks fine to me. Would like to add followings suggestions.
> 1. The structure of the  pkcs12_keystore_t should be in the wiki
> 2. The free function is missing
> 3. Shouldn't it be
>    pkcs12_keystore_*create* -> pkcs12_keystore_*load*
>    Or do we need both functions.
> Thoughts?
> -Kaushalye


-- 
http://inf-dimensions.blogspot.com "Infinite Dimensions"
http://wsaxc.blogspot.com "Web Services With Axis2/C"

Re: PKCS12 Key Store API

Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Hi Milinda,
Looks fine to me. I would like to add the following suggestions.
1. The structure of the pkcs12_keystore_t should be in the wiki
2. The free function is missing
3. Shouldn't it be
    pkcs12_keystore_*create* -> pkcs12_keystore_*load*
    Or do we need both functions?
Thoughts?
-Kaushalye

Milinda Pathirage wrote:
> hi all,
>
> I updated the API for pkcs12 key store. Please refer the wiki page and
> comment if there are any issues.
>
> thanks
>
> Milinda
>
> On Feb 7, 2008 11:25 AM, Kaushalye Kapuruge <ka...@wso2.com> wrote:


-- 
http://blog.kaushalye.org/
http://wso2.org/


Re: PKCS12 Key Store API

Posted by Milinda Pathirage <mi...@gmail.com>.
Hi all,

I updated the API for the pkcs12 key store. Please refer to the wiki page and
comment if there are any issues.

Thanks

Milinda

On Feb 7, 2008 11:25 AM, Kaushalye Kapuruge <ka...@wso2.com> wrote:

> The correct location is ...
> http://wiki.apache.org/ws/rampartc/pkcs12_API
> :)
> -Kaushalye


-- 
http://inf-dimensions.blogspot.com "Infinite Dimensions"
http://wsaxc.blogspot.com "Web Services With Axis2/C"

Re: PKCS12 Key Store API

Posted by Kaushalye Kapuruge <ka...@wso2.com>.
The correct location is ...
http://wiki.apache.org/ws/rampartc/pkcs12_API
:)
-Kaushalye

Kaushalye Kapuruge wrote:
> Hi Milinda,
> I created following[1] WIKI page with some modifications to the API.
> Please add other functions too.
> -Kau
>
> [1]http://wiki.apache.org/general/rampartc/pkcs12_API


-- 
http://blog.kaushalye.org/
http://wso2.org/


Re: PKCS12 Key Store API

Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Hi Milinda,
I created following[1] WIKI page with some modifications to the API.
Please add other functions too.
-Kau

[1]http://wiki.apache.org/general/rampartc/pkcs12_API

Milinda Pathirage wrote:
> Hi all,
>
> After doing some research with the openssl pkcs12 implementation, I designed
> the following API for a PKCS12 Keystore to include in Rampart/C.
>
> Currently the Rampart configuration supports specifying certificates using
> their .pem file names. This approach is limiting our capabilities of server
> side security because we can only handle one user certificate (correct me
> if I am wrong). A PKCS12 Keystore implementation will allow us to store
> several certificates inside one single file and retrieve and validate them
> according to our requirements.
>
> Here is the API for the PKCS12 Keystore (this API is designed after
> examining the Crypto interface of WSS4J):
>
> pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
>
> This method is used to create a key store from a given file.
>
>
> openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
>
> Get the private key of the owner of the key store. Currently assuming that
> we store our private key and public key pair with our CA certificates and
> others' public keys. This method will handle situations with several private
> keys in the key store because we specify the alias.
>
>
> pkcs12_keystore_get_certificates(char *alias)
>
> Get the certificates for the given alias. Need to figure out the return type
> (whether to return STACK_OF(X509) or an x509 array).
>
> char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer)
>
> Get the alias of the certificate that matches the given issuer's name.
>
>
> char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial)
>
> Get the alias of the certificate that matches the given issuer's name and
> serial.
>
>
> char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski)
>
> Get the alias of the certificate that matches the given Subject Key
> Identifier.
>
>
> x509 * pkcs12_keystore_get_default_cert()
>
> Get the default certificate of the key store.
>
>
> char * pkcs12_keystore_get_alias_for_default_cert()
>
> Get the alias of the default certificate.
>
>
> char* pkcs12_keystore_get_alias_for_cert_thumb(char *thumb)
>
> Get the alias of the certificate matching the given thumbprint.
>
>
> pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn)
>
> Get the alias of the certificate matching the given DN.
>
>
> Have to figure out how we can validate a given certificate. The function
> name should change.
> pkcs12_keystore_validate_cert_path(X509 certs)
>
>
> This is only a draft API. I think there may be some missing parts. Please
> feel free to comment on this.
>
>
> Thanks
>
> Milinda
>
>
>
>


-- 
http://blog.kaushalye.org/
http://wso2.org/