Thursday 11 January 2007

hx509 and hcrypto

Over the last two months both hx509 and hcrypto have been given an overhaul and are now self-bootstrapping. Needless to say, neither package is perfect, but we are getting closer to the same level of functionality as the rest of the Heimdal suite of applications and libraries.

hxtool can now both read and create PEM and PKCS11 files containing both certificates and private keys. Neither format will yet contain encrypted keys (i.e. shrouded PKCS8 keys), so that is a feature that still has to be added.

And speaking of private keys, hcrypto now uses RSA key blinding and CRT for private key operations, which makes quite a lot of difference in both performance (CRT) and security (blinding, against timing attacks on the private key). I also added RSA key generation; those were really the last two missing bits that make hcrypto useful.

The coolest feature is also the most basic one in the X.509 world: libhx509 and hxtool can now print certificates. It would be boastful to call it CA software, because some important tools are not there yet, for example CRL and OCSP generation tools and certificate store handling.

There are two reasons why I wrote this extension to hx509. The first reason was that I wanted a simple way to set up a PK-INIT realm, and using OpenSSL as a CA only causes pain for most users: it is very hard to get the generated certificates right, and openssl lets you get away with getting them wrong. The second reason is that I needed a simple way to generate certificates for another part of Heimdal, kca (more about that later).

What does hxtool do for us, then? It lets you issue certificates with a simple interface using default templates.

To generate a CA certificate with an RSA key that is valid for 10 years, this is the command you would use:

hxtool issue-certificate \
    --self-signed \
    --issue-ca \
    --generate-key=rsa \
    --subject="CN=CA,DC=h5l,DC=se" \
    --lifetime=10years \
    --certificate="FILE:ca.pem"

Now you have a CA certificate with its private key in the PEM file ca.pem. Now you may ask what makes hx509 so much simpler to use than OpenSSL. The answer is the default values and built-in profiles; let us take the example of the KDC PK-INIT certificate. It needs to have a specific EKU (extended key usage) and a special SAN (Subject Alternative Name) for PK-INIT. hxtool will help you generate that certificate with some simple command options. It won't give you total control over the certificate creation process, but for most users that is not really interesting; they just want to have certificates.

hxtool issue-certificate \
    --ca-certificate=FILE:ca.pem \
    --generate-key=rsa \
    --type="pkinit-kdc" \
    --pk-init-principal="krbtgt/H5L.SE@H5L.SE" \
    --subject="uid=kdc,DC=h5l,DC=se" \
    --certificate="FILE:kdc.pem"
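The "special SAN" that the KDC certificate above carries is an OtherName of type id-pkinit-san wrapping a KRB5PrincipalName (RFC 4556, section 3.2.2). The following is an added example, not code from the post or from Heimdal: a minimal DER coder that builds that SAN value for a principal and parses it back, so you can check that an issued KDC certificate really names the principal you expect. It assumes name-type 1 (NT-PRINCIPAL) and DER values shorter than 128 bytes; hxtool itself may choose another name-type.

```python
# Added example, not Heimdal code. The PK-INIT SAN hxtool writes for
# --pk-init-principal is an OtherName of type id-pkinit-san holding a
# KRB5PrincipalName (RFC 4556, 3.2.2): build it and parse it back to check
# a KDC certificate's SAN. Assumes name-type 1 and DER values < 128 bytes.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"                 # id-pkinit-san, RFC 4556

def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80, "example handles short-form DER lengths only"
    return bytes([tag, len(body)]) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                          # base 128, high bit = continues
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def kstr(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))         # KerberosString = GeneralString

def encode_pkinit_san(principal: str, name_type: int = 1) -> bytes:
    """OtherName { id-pkinit-san, [0] EXPLICIT KRB5PrincipalName }."""
    name, realm = principal.rsplit("@", 1)
    comps = b"".join(kstr(c) for c in name.split("/"))
    # PrincipalName ::= SEQUENCE { [0] name-type, [1] SEQUENCE OF name-string }
    pname = tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type]))) + tlv(0xA1, tlv(0x30, comps)))
    krb5pn = tlv(0x30, tlv(0xA0, kstr(realm)) + tlv(0xA1, pname))
    return tlv(0x30, der_oid(ID_PKINIT_SAN) + tlv(0xA0, krb5pn))

def _children(body: bytes):
    """Yield (tag, value) for each DER element directly inside body."""
    pos = 0
    while pos < len(body):
        tag, ln = body[pos], body[pos + 1]
        yield tag, body[pos + 2:pos + 2 + ln]
        pos += 2 + ln

_one = lambda body: next(_children(body))[1]    # unwrap an explicit tag / SEQUENCE

def decode_pkinit_san(der: bytes) -> str:
    """Return 'comp/comp@REALM' from an id-pkinit-san OtherName, else raise."""
    (otag, oid), (vtag, val) = _children(_one(der))
    if otag != 0x06 or oid != der_oid(ID_PKINIT_SAN)[2:] or vtag != 0xA0:
        raise ValueError("not an id-pkinit-san OtherName")
    (_, realm), (_, pn) = [(t, _one(v)) for t, v in _children(_one(val))]
    _, (_, names) = [(t, _one(v)) for t, v in _children(pn)]
    comps = [v.decode("ascii") for _, v in _children(names)]
    return "/".join(comps) + "@" + realm.decode("ascii")
```

To check a real certificate, feed decode_pkinit_san the value of the otherName entry from its SAN extension and compare the result with the KDC principal you issued it for.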

Writing certificate issuing code when you have an X.509 verifier, a crypto library and a sane ASN.1 compiler is very simple. It took me about 3 days to go from no code to somewhat working software; now, 12 days later, while also working on other things, it is good enough to tell people about.

The next item will be to write a sane manual on how to use this software. Since hxtool is such a small tool the manual will be short too; it will be another texinfo manual about how to use hxtool to serve your basic CA needs: creating a CA and issuing certificates to users and services.

There will always be missing functionality in hx509; the PKIX people started writing standards too long ago for me to catch up.
