Manpage updates are in the case materials directory.
On 01/27/10 10:19, Wyllys Ingersoll wrote: > > Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI > This information is Copyright 2010 Sun Microsystems > 1. Introduction > 1.1. Project/Component Working Name: > EC and SHA2 for KMF > 1.2. Name of Document Author/Supplier: > Author: Wyllys Ingersoll > 1.3 Date of This Document: > 27 January, 2010 > 4. Technical Description > Project: EC and SHA2 for KMF > Submitter/Owner: Wyllys Ingersoll > Release Taxonomy: Micro/Patch > > Description: > This project adds Elliptic Curve support to KMF and pktool > so that X509 certificates with EC keys and curves can be created. > Additionally, pktool(1) will be enhanced to allow the user to specify > the hash algorithm to be used in the X509 certificate or certificate > signing request (PKCS#10 CSR). This case is to document the interface > changes in the KMF library and pktool(1) CLI. > > Additionally, pktool(1), will have a new command for generating > a keypair (EC, RSA, or DSA) without a certificate (or CSR). The new > command is "genkeypair" and details are below and in the modified > man pages included in the case directory. > > pktool will allow the following hash algorithms to be specified: > md5, sha1, sha256, sha384, sha512 > The above hash algorithms are all valid with RSA and EC keytypes, DSA > support for anything other than SHA-1 is not available in our > current cryptographic framework. > > Elliptic Curve support for KMF (and pktool) will only be available > when using the "nss" or "pkcs11" keystore types. OpenSSL in > OpenSolaris does not have EC support for legal reasons. > > KMF will support the following named Elliptic Curves. These > curve names come from ANSI X9.62-1998 and SECG (Standards > for Efficient Cryptography Group - Recommended Elliptic Curve > Domain parameters - http://www.secg.org): > > secp112r1, secp112r2, secp128r1, secp128r2, secp160k1 > secp160r1, secp160r2, secp192k1, secp192r1, secp224k1 > secp224r1, secp256k1, secp256r1, secp384r1, secp521r1 > sect113r1, sect113r2, sect131r1, sect131r2, sect163k1 > sect163r1, sect163r2, sect193r1, sect193r2, sect233k1 > sect233r1, sect239k1, sect283k1, sect283r1, sect409k1 > sect409r1, sect571k1, sect571r1, c2pnb163v1, c2pnb163v2 > c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3 > c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1 > c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v2 > prime192v3 > > The above names correspond to the appropriate Object Identifier > values that the KMF libraries will use when encoding the certificates. > > The libkmf(3LIB) interfaces are not changing, though additional > pre-defined OID constants will be added to correspond with the > new hash algorithms and EC curves. The diffs to "kmftypes.h" are given > in the case materials. > > Interfaces: > > The following list indicates the new options for the 'gencert', 'gencsr' > and 'genkeypair' > > The new and/or changed items are indicated with "-->". > > gencert keystore=nss > label=cert-nickname > serial=serial number hex string] > [ -i ] | [subject=subject-DN] > [ altname=[critical:]SubjectAltName ] > [ keyusage=[critical:]usage,usage,...] > [ token=token[:manuf[:serial]]] > [ dir=directory-path ] > [ prefix=DBprefix ] > --> [ keytype=rsa | dsa | ec [curve=ECC Curve Name]] > [ keylen=key-size ] > [ trust=trust-value ] > [ eku=[critical:]EKU name,...] > --> [ hash=[md5 | sha1 | sha256 | sha384 | sha512]] > --> [ listcurves ] > [ lifetime=number-hour|number-day|number-year ] > gencert [ keystore=pkcs11 ] > label=key/cert-label > serial=serial number hex string > [ -i ] | [subject=subject-DN] > [ altname=[critical:]SubjectAltName ] > [ keyusage=[critical:]usage,usage,...] > [ token=token[:manuf[:serial]]] > --> [ keytype=rsa | dsa | ec [curve=ECC Curve Name]] > [ keylen=key-size ] > [ eku=[critical:]EKU name,...] > --> [ hash=md5 | sha1 | sha256 | sha384 | sha512] > --> [ listcurves ] > [ lifetime=number-hour|number-day|number-year ] > gencert keystore=file > outcert=cert_filename > outkey=key_filename > serial=serial number hex string > [ -i ] | [subject=subject-DN] > [ altname=[critical:]SubjectAltName ] > [ keyusage=[critical:]usage,usage,...] > [ format=der|pem ] > [ keytype=rsa|dsa ] > [ keylen=key-size ] > [ eku=[critical:]EKU name,...] > --> [ hash=md5 | sha1 | sha256 | sha384 | sha512] > [ lifetime=number-hour|number-day|number-year ] > > gencsr keystore=nss > nickname=cert-nickname > outcsr=csr-fn > [ -i ] | [subject=subject-DN] > [ altname=[critical:]SubjectAltName ] > [ keyusage=[critical:]usage,usage,...] > [ token=token[:manuf[:serial]]] > [ dir=directory-path ] > [ prefix=DBprefix ] > --> [ keytype=rsa | dsa | ec [curve=ECC Curve Name]] > [ keylen=key-size ] > [ eku=[critical:]EKU name,...] > --> [ hash=md5 | sha1 | sha256 | sha384 | sha512] > --> [ listcurves ] > [ format=pem|der ] > gencsr [ keystore=pkcs11 ] > label=key-label > outcsr=csr-fn > [ -i ] | [subject=subject-DN] > [ altname=[critical:]SubjectAltName ] > [ keyusage=[critical:]usage,usage,...] > [ token=token[:manuf[:serial]]] > --> [ keytype=rsa | dsa | ec [curve=ECC Curve Name]] > [ keylen=key-size ] > [ eku=[critical:]EKU name,...] > --> [ hash=md5 | sha1 | sha256 | sha384 | sha512] > --> [ listcurves ] > [ format=pem|der ]] > gencsr keystore=file > outcsr=csr-fn > outkey=key-fn > [ -i ] | [subject=subject-DN] > [ altname=[critical:]SubjectAltName ] > [ keyusage=[critical:]usage,usage,...] > [ keytype=rsa|dsa ] > [ keylen=key-size ] > [ eku=[critical:]EKU name,...] > --> [ hash=md5 | sha1 | sha256 | sha384 | sha512] > [ format=pem|der ] > > genkeypair keystore=nss > label=key-nickname > [ token=token[:manuf[:serial]]] > [ dir=directory-path ] > [ prefix=DBprefix ] > [ keytype=rsa | dsa | ec [curve=ECC Curve Name]] > [ keylen=key-size ] > [ listcurves ] > genkeypair [ keystore=pkcs11 ] > label=key-label > [ token=token[:manuf[:serial]]] > [ keytype=rsa | dsa | ec [curve=ECC Curve Name]] > [ keylen=key-size ] > [ listcurves ] > genkeypair keystore=file > outkey=key_filename > [ format=der|pem ] > [ keytype=rsa|dsa ] > [ keylen=key-size ] > > > 6. Resources and Schedule > 6.4. Steering Committee requested information > 6.4.1. Consolidation C-team Name: > ON > 6.5. ARC review type: FastTrack > 6.6. ARC Exposure: open >