Hi,

In the case of the private key, we have only one private key on either side. Therefore I think we don't have any difficulties retrieving that private key. In the general case we only store our own private key in our key store, with the matching certificate (our own certificate) and certificates from others. When using openssl's PKCS12_parse function we can retrieve the default private key and certificate easily (default means our private key and certificate). This function fills a STACK_OF(X509) with the other certificates inside the key store. So, what we have to do is handle the others' certificates and validate those certificates. Please feel free to comment on this if there are any missing points. :)
Thanks
Milinda

On Jan 31, 2008 8:33 PM, Kaushalye Kapuruge <[EMAIL PROTECTED]> wrote:
> Manjula Peiris wrote:
> > On Thu, 2008-01-31 at 12:43 +0530, Milinda Pathirage wrote:
> >
> >> Hi all,
> >>
> >> After doing some research with the openssl pkcs12 implementation, I designed
> >> the following API for a PKCS12 Keystore to include in Rampart/C.
> >>
> >> Currently the Rampart configuration supports specifying certificates using
> >> their .pem file name. This approach is limiting our capabilities of server
> >> side security because we can only handle one user certificate (correct me if
> >> I am wrong). A PKCS12 Keystore implementation will allow us to store several
> >> certificates inside one single file and retrieve and validate them according
> >> to our requirements.
> >>
> >> Here is the API for the PKCS12 Keystore (this API is designed after examining
> >> the Crypto interface of WSS4J):
> >>
> >> pkcs12_keystore_t * pkcs12_keystore_create(char *filename, char *password);
> >>
> >> This method is used to create a key store from the given file.
> >>
> >> openssl_pkey_t * pkcs12_keystore_get_private_key(char *alias, char *passwd)
> >>
> >> Get the private key of the owner of the key store. Currently assuming that we
> >> store our private key and public key pair with our CA certificates and
> >> others' public keys. This method will handle the situation with several
> >> private keys in the key store because we specify the alias.
> >>
> >
> > How are you going to provide the alias? Is it through the policy file
> > or using another way? If it is through the policy file then you need to
> > add another element to Rampart_Config. But the problem is how to select
> > the correct private key from the key store, because it needs to be done
> > when the SOAP message arrives, using the information of the receiver's
> > public key.
> >
> In the SOAP header we have information such as the issuer and the serial
> number, Thumbprint or the SKI. With that information we can get the
> alias for the certificate. Given the alias we can get the private key. I
> do not think we can get the private key directly by giving the SKI,
> Thumbprint or Issuer+Serial. (Milinda, please google a bit on that.) If the
> complete certificate is available in the header, we can extract the
> information and follow the same steps.
> -Kau
>
> > -Manjula
> >
> >
> >> pkcs12_keystore_get_certificates(char *alias)
> >>
> >> Get the certificates for the given alias. Need to figure out the return type
> >> (whether to return STACK_OF(X509) or an x509 array).
> >>
> >> char * pkcs12_keystore_get_alias_for_cert_issuer(char *issuer)
> >>
> >> Get the alias of the certificate that matches the given issuer's name.
> >>
> >> char * pkcs12_keystore_get_alias_for_cert_serial(char *issuer, int serial)
> >>
> >> Get the alias of the certificate that matches the given issuer's name and serial.
> >>
> >> char * pkcs12_keystore_get_alias_for_cert_sub_key_id(char *ski)
> >>
> >> Get the alias of the certificate that matches the given Subject Key Identifier.
> >>
> >> x509 * pkcs12_keystore_get_default_cert()
> >>
> >> Get the default certificate of the key store.
> >>
> >> char * pkcs12_keystore_get_alias_for_default_cert()
> >>
> >> Get the alias of the default certificate.
> >>
> >> char* pkcs12_keystore_get_alias_for_cert_thumb(char *thumb)
> >>
> >> Get the alias of the matching certificate with the given thumbprint.
> >>
> >> pkcs12_keystore_get_alias_for_cert_DN(char *subject_dn)
> >>
> >> Get the alias of the matching certificate with the given DN.
> >>
> >> Have to figure out how we can validate a given certificate. Function name
> >> should change.
> >> pkcs12_keystore_validate_cert_path(X509 certs)
> >>
> >> This is only a draft API. I think there may be some missing parts. Please
> >> feel free to comment on this.
> >>
> >> Thanks
> >>
> >> Milinda
> >>
> >
>
> --
> http://blog.kaushalye.org/
> http://wso2.org/
>

--
http://think2ed.blogspot.com "thinksquared"
http://wsaxc.blogspot.com "Web Services With Axis2/C"
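The flow the thread arrives at (parse the keystore once, resolve the alias from the issuer+serial or SKI carried in the header, then take the owner's key), as an added example that is not part of this thread or of Rampart/C. It is written in Python with the third-party `cryptography` package (an assumption) rather than in C against OpenSSL's PKCS12_parse, and the keys, certificates, aliases and password are all constructed inside the script.

```python
# Added example, not Rampart/C code (assumes the third-party `cryptography` package):
# build a PKCS#12 keystore in memory, parse it (the Python analogue of OpenSSL's
# PKCS12_parse) and resolve a cert alias from issuer+serial or SKI, as the thread describes.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
SKI = x509.SubjectKeyIdentifier

def _self_signed(cn, key):  # constructed test cert carrying an SKI extension
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(SKI.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))

def make_keystore(password):  # constructed: our key + cert, plus one partner cert
    own_key, other_key = (rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(2))
    return pkcs12.serialize_key_and_certificates(
        b"own", own_key, _self_signed("rampart-client", own_key),
        [_self_signed("partner", other_key)], serialization.BestAvailableEncryption(password))

def parse_keystore(data, password):  # -> (owner's key, {alias: cert}); only "own" has a key
    key, own, others = pkcs12.load_key_and_certificates(data, password)
    return key, {"own": own, **{f"other{i}": c for i, c in enumerate(others)}}

def alias_for_issuer_serial(certs, issuer, serial):
    return next((a for a, c in certs.items()
                 if c.issuer == issuer and c.serial_number == serial), None)

def alias_for_ski(certs, ski):
    for a, c in certs.items():
        try:
            if c.extensions.get_extension_for_class(SKI).value.digest == ski:
                return a
        except x509.ExtensionNotFound:
            pass  # certificate carries no SKI extension; skip it
    return None

def resolve_demo(password=b"secret"):  # build, parse, find our cert two ways, check the key
    key, certs = parse_keystore(make_keystore(password), password)
    own = certs["own"]
    ski = own.extensions.get_extension_for_class(SKI).value.digest
    return {"by_issuer_serial": alias_for_issuer_serial(certs, own.issuer, own.serial_number),
            "by_ski": alias_for_ski(certs, ski),
            "unknown_ski": alias_for_ski(certs, b"\x00" * 20),
            "key_matches_cert": key.public_key().public_numbers() == own.public_key().public_numbers()}
```

Only the owner's entry carries a private key, so an identifier that resolves to a partner's alias yields a certificate but no key, which is the distinction Kaushalye draws above.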
