Manpage updates are in the case materials directory.

On 01/27/10 10:19, Wyllys Ingersoll wrote:
>
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2010 Sun Microsystems
> 1. Introduction
>      1.1. Project/Component Working Name:
>        EC and SHA2 for KMF
>      1.2. Name of Document Author/Supplier:
>        Author:  Wyllys Ingersoll
>      1.3  Date of This Document:
>       27 January, 2010
> 4. Technical Description
> Project:  EC and SHA2 for KMF
> Submitter/Owner:  Wyllys Ingersoll
> Release Taxonomy: Micro/Patch
>
> Description:
>       This project adds Elliptic Curve support to KMF and pktool
>       so that X509 certificates with EC keys and curves can be created.
>       Additionally, pktool(1) will be enhanced to allow the user to specify
>       the hash algorithm to be used in the X509 certificate or certificate
>       signing request (PKCS#10 CSR).  This case is to document the interface
>       changes in the KMF library and pktool(1) CLI.
>
>       Additionally, pktool(1) will have a new command for generating
>       a keypair (EC, RSA, or DSA) without a certificate (or CSR).  The new
>       command is "genkeypair" and details are below and in the modified
>       man pages included in the case directory.
>
>       pktool will allow the following hash algorithms to be specified:
>               md5, sha1, sha256, sha384, sha512
>       The above hash algorithms are all valid with RSA and EC keytypes; DSA
>       support for anything other than SHA-1 is not available in our
>       current cryptographic framework.
>
>       Elliptic Curve support for KMF (and pktool) will only be available
>       when using the "nss" or "pkcs11" keystore types.  OpenSSL in
>       OpenSolaris does not have EC support for legal reasons.
>
>       KMF will support the following named Elliptic Curves.  These
>       curve names come from ANSI X9.62-1998 and SECG (Standards
>       for Efficient Cryptography Group - Recommended Elliptic Curve
>       Domain parameters - http://www.secg.org):
>
>               secp112r1, secp112r2, secp128r1, secp128r2, secp160k1
>               secp160r1, secp160r2, secp192k1, secp192r1, secp224k1
>               secp224r1, secp256k1, secp256r1, secp384r1, secp521r1
>               sect113r1, sect113r2, sect131r1, sect131r2, sect163k1
>               sect163r1, sect163r2, sect193r1, sect193r2, sect233k1
>               sect233r1, sect239k1, sect283k1, sect283r1, sect409k1
>               sect409r1, sect571k1, sect571r1, c2pnb163v1, c2pnb163v2
>               c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3
>               c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1
>               c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v2
>               prime192v3
>
>       The above names correspond to the appropriate Object Identifier
>       values that the KMF libraries will use when encoding the certificates.
>
>       The libkmf(3LIB) interfaces are not changing, though additional
>       pre-defined OID constants will be added to correspond with the
>       new hash algorithms and EC curves.  The diffs to "kmftypes.h" are given
>       in the case materials.
>
> Interfaces:
>
>      The following list indicates the new options for the 'gencert', 'gencsr'
>      and 'genkeypair' commands.
>
>      The new and/or changed items are indicated with "-->".
>
>      gencert keystore=nss
>          label=cert-nickname
>          serial=serial number hex string
>          [ -i ] | [subject=subject-DN]
>          [ altname=[critical:]SubjectAltName ]
>          [ keyusage=[critical:]usage,usage,...]
>          [ token=token[:manuf[:serial]]]
>          [ dir=directory-path ]
>          [ prefix=DBprefix ]
>     -->      [ keytype=rsa | dsa | ec [curve=ECC Curve Name]]
>          [ keylen=key-size ]
>          [ trust=trust-value ]
>          [ eku=[critical:]EKU name,...]
>      -->     [ hash=[md5 | sha1 | sha256 | sha384 | sha512]]
>      -->     [ listcurves ]
>          [ lifetime=number-hour|number-day|number-year ]
>      gencert [ keystore=pkcs11 ]
>          label=key/cert-label
>          serial=serial number hex string
>          [ -i ] | [subject=subject-DN]
>          [ altname=[critical:]SubjectAltName ]
>          [ keyusage=[critical:]usage,usage,...]
>          [ token=token[:manuf[:serial]]]
>     -->      [ keytype=rsa | dsa | ec [curve=ECC Curve Name]]
>          [ keylen=key-size ]
>          [ eku=[critical:]EKU name,...]
>      -->     [ hash=md5 | sha1 | sha256 | sha384 | sha512]
>      -->     [ listcurves ]
>          [ lifetime=number-hour|number-day|number-year ]
>      gencert keystore=file
>          outcert=cert_filename
>          outkey=key_filename
>          serial=serial number hex string
>          [ -i ] | [subject=subject-DN]
>          [ altname=[critical:]SubjectAltName ]
>          [ keyusage=[critical:]usage,usage,...]
>          [ format=der|pem ]
>          [ keytype=rsa|dsa ]
>          [ keylen=key-size ]
>          [ eku=[critical:]EKU name,...]
>      -->     [ hash=md5 | sha1 | sha256 | sha384 | sha512]
>          [ lifetime=number-hour|number-day|number-year ]
>
>      gencsr keystore=nss
>          nickname=cert-nickname
>          outcsr=csr-fn
>          [ -i ] | [subject=subject-DN]
>          [ altname=[critical:]SubjectAltName ]
>          [ keyusage=[critical:]usage,usage,...]
>          [ token=token[:manuf[:serial]]]
>          [ dir=directory-path ]
>          [ prefix=DBprefix ]
>     -->      [ keytype=rsa | dsa | ec [curve=ECC Curve Name]]
>          [ keylen=key-size ]
>          [ eku=[critical:]EKU name,...]
>      -->     [ hash=md5 | sha1 | sha256 | sha384 | sha512]
>      -->     [ listcurves ]
>          [ format=pem|der ]
>      gencsr [ keystore=pkcs11 ]
>          label=key-label
>          outcsr=csr-fn
>          [ -i ] | [subject=subject-DN]
>          [ altname=[critical:]SubjectAltName ]
>          [ keyusage=[critical:]usage,usage,...]
>          [ token=token[:manuf[:serial]]]
>     -->      [ keytype=rsa | dsa | ec [curve=ECC Curve Name]]
>          [ keylen=key-size ]
>          [ eku=[critical:]EKU name,...]
>      -->     [ hash=md5 | sha1 | sha256 | sha384 | sha512]
>      -->     [ listcurves ]
>          [ format=pem|der ]
>      gencsr keystore=file
>          outcsr=csr-fn
>          outkey=key-fn
>          [ -i ] | [subject=subject-DN]
>          [ altname=[critical:]SubjectAltName ]
>          [ keyusage=[critical:]usage,usage,...]
>          [ keytype=rsa|dsa ]
>          [ keylen=key-size ]
>          [ eku=[critical:]EKU name,...]
>      -->     [ hash=md5 | sha1 | sha256 | sha384 | sha512]
>          [ format=pem|der ]
>
>      genkeypair keystore=nss
>          label=key-nickname
>          [ token=token[:manuf[:serial]]]
>          [ dir=directory-path ]
>          [ prefix=DBprefix ]
>          [ keytype=rsa | dsa | ec [curve=ECC Curve Name]]
>          [ keylen=key-size ]
>          [ listcurves ]
>      genkeypair [ keystore=pkcs11 ]
>          label=key-label
>          [ token=token[:manuf[:serial]]]
>          [ keytype=rsa | dsa | ec [curve=ECC Curve Name]]
>          [ keylen=key-size ]
>          [ listcurves ]
>      genkeypair keystore=file
>          outkey=key_filename
>          [ format=der|pem ]
>          [ keytype=rsa|dsa ]
>          [ keylen=key-size ]
>
>
> 6. Resources and Schedule
>      6.4. Steering Committee requested information
>       6.4.1. Consolidation C-team Name:
>               ON
>      6.5. ARC review type: FastTrack
>      6.6. ARC Exposure: open
>
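
Added example (not part of the original message, and not pktool or KMF code): a pre-flight check that applies the option rules described in the case above to a pktool-style argument list, for use in a wrapper script or a configuration review. The function names, the reading of a missing keystore= as pkcs11 (from the optional brackets in the synopsis), and the exact-match comparison of names are assumptions of this example.

```python
# Added example: checks pktool-style arguments against the rules in this case.
HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}
EC_KEYSTORES = {"nss", "pkcs11"}  # per the case, no EC with the file keystore
CURVES = set("""
secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 secp160r1 secp160r2
secp192k1 secp192r1 secp224k1 secp224r1 secp256k1 secp256r1 secp384r1
secp521r1 sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1
sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1
sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 c2pnb163v1 c2pnb163v2
c2pnb163v3 c2pnb176v1 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2pnb208w1
c2tnb239v1 c2tnb239v2 c2tnb239v3 c2pnb272w1 c2pnb304w1 c2tnb359v1
c2pnb368w1 c2tnb431r1 prime192v2 prime192v3
""".split())


def parse_args(words):
    """Split 'name=value' words into a dict; bare words (listcurves) map to ''."""
    return dict(w.partition("=")[::2] for w in words)


def check(subcommand, words):
    """Return a list of rule violations; an empty list means no conflict found."""
    opts = parse_args(words)
    # Assumption: keystore defaults to pkcs11, as the synopsis brackets suggest.
    keystore = opts.get("keystore", "pkcs11")
    keytype, curve, digest = opts.get("keytype"), opts.get("curve"), opts.get("hash")
    problems = []
    if subcommand not in ("gencert", "gencsr", "genkeypair"):
        problems.append(f"unknown subcommand: {subcommand}")
    if keytype is not None and keytype not in ("rsa", "dsa", "ec"):
        problems.append(f"unknown keytype: {keytype}")
    if keytype == "ec" and keystore not in EC_KEYSTORES:
        problems.append(f"ec keys need keystore nss or pkcs11, not {keystore}")
    if curve is not None and keytype != "ec":
        problems.append("curve= is only meaningful with keytype=ec")
    if curve is not None and curve not in CURVES:
        problems.append(f"curve not in the case's named list: {curve}")
    if digest is not None:
        if subcommand == "genkeypair":
            problems.append("genkeypair takes no hash= option")
        elif digest not in HASHES:
            problems.append(f"unsupported hash: {digest}")
        elif keytype == "dsa" and digest != "sha1":
            problems.append(f"dsa is only available with sha1, not {digest}")
    return problems
```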
