Stan Design - Work In Progress

From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001 From: "Matt A. Tobin" Date: Fri, 2 Feb 2018 04:16:08 -0500 Subject: Add m-esr52 at 52.6.0 --- security/nss/lib/pki/doc/standiag.png | Bin 0 -> 20475 bytes security/nss/lib/pki/doc/standoc.html | 442 ++++++++++++++++++++++++++++++++++ 2 files changed, 442 insertions(+) create mode 100644 security/nss/lib/pki/doc/standiag.png create mode 100644 security/nss/lib/pki/doc/standoc.html (limited to 'security/nss/lib/pki/doc') diff --git a/security/nss/lib/pki/doc/standiag.png b/security/nss/lib/pki/doc/standiag.png new file mode 100644 index 000000000..fe1aca389 Binary files /dev/null and b/security/nss/lib/pki/doc/standiag.png differ diff --git a/security/nss/lib/pki/doc/standoc.html b/security/nss/lib/pki/doc/standoc.html new file mode 100644 index 000000000..2e110fcbe --- /dev/null +++ b/security/nss/lib/pki/doc/standoc.html @@ -0,0 +1,442 @@ + + + + + + + + Stan Design - Work In Progress + + +
+ This is a working document for progress on Stan design/development.
+
+ Current build + and test + instructions.
+
+ The current set of Stan libraries.
+ asn1 +
+ base +
+ ckfw +
+ dev +
+ pki +
+ pki1 +
+ pkix +
+
+ "Public" types below (those available to consumers of + NSS) begin with "NSS". "Protected" types (those only available + within NSS) begin with "nss".
+
+ Open issues appears as numbered indents.
+
+
+ +

+ +

+ + ASN.1 +

+ ASN.1 encoder/decoder wrapping around the current + ASN.1 implementation.
+
+ NSSASN1EncodingType +
+ nssASN1Item +
+ nssASN1Template +
+ + nssASN1ChooseTemplateFunction +
+ nssASN1Encoder +
+ nssASN1Decoder +
+ nssASN1EncodingPart +
+ + nssASN1NotifyFunction +
+ + nssASN1EncoderWriteFunction +
+ + nssASN1DecoderFilterFunction +
+
+ +

+ + Base +

+ Set of base utilities for Stan implementation. + These are all fairly straightforward, except for nssPointerTracker.
+
+ NSSError +
+ NSSArena +
+ NSSItem +
+ NSSBER +
+ NSSDER +
+ NSSBitString +
+ NSSUTF8 +
+ NSSASCII7 +
+ nssArenaMark +
+ nssPointerTracker +
+ This is intended for debug builds only.
+ +

Ignored for now.
+

+ nssStringType +
+
+ Suggested additions:
+ +

nssList - A list that optionally uses a lock. This list would + manage the currently loaded modules in a trust domain, etc.

SECMODListLock kept track of the number of waiting threads. Will + this be needed in the trust domain?

+
+ +

+ + CKFW +

+ The cryptoki framework, used for building cryptoki tokens. + This needs to be described in a separate document showing how + to set up a token using CKFW. This code only relates to tokens, + so it is not relevant here.
+
+
+ +

+ + Device +

+ Defines cryptoki devices used in NSS. This + is not part of the exposed API. It is a low-level API allowing +NSS to manage cryptoki devices.
+
+ The relationship is like this:
+
+ libpki --> libdev --> cryptoki
+
+ As an example,
+
+ NSSTrustDomain_FindCertificate --> NSSToken_FindCertificate --> + C_FindObjects
+
+ NSSModule +
+ Replaces the SECMOD API. The module manages a +PRLibrary that holds a cryptoki implementation via a number of slots. + The API should provide the ability to Load and Unload a module, +Login and Logout to the module (through its slots), and to locate a +particular slot/token.
+
+ NSSSlot +
+ This and NSSToken combine to replace the PK11 API parts + that relate to slot and token management. The slot API should + provide the ability to Login/Logout to a slot, check the login status, + determine basic configuration information about the slot, and modify + the password settings.
+ +

Should slots also maintain a default session? This session would + be used for slot management calls (sections 9.5 and9.6 of PKCS#11). Or + is the token session sufficient (this would not work if C_GetTokenInfo and + C_InitToken need to be wrapped in a threadsafe session).
+

+
+ NSSToken +
+ Fills in the gaps left by NSSSlot. Much of the +cryptoki API is directed towards slots. However, some functionality + clearly belongs with a token type. For example, a certificate + lives on a token, not a slot, so one would expect a function NSSToken_FindCertificate. + Thus functions that deal with importing/exporting an object +and performing actual cryptographic operations belong here.
+ +

The distinction between a slot and a token is not clear. Most + functions take a slotID as an argument, even though it is obvious that + the event is intended to occur on a token. That leaves various + possibilities:

Implement the API entirely as NSSToken. If the token is not + present, some calls will simply fail.
Divide the API between NSSToken and NSSSlot, as described above. + NSSSlot would handle cryptoki calls specified as "slot management", + while NSSToken handles actual token operations.
Others?

Session management. Tokens needs a threadsafe session handle + to perform operations. CryptoContexts are meant to provide such sessions, + but other objects will need access to token functions as well (examples: +the TrustDomain_Find functions, _Login, _Logout, and others that do not exist + such as NSSToken_ChangePassword). For those functions, the token could + maintain a default session. Thus all NSSToken API functions would take + sessionOpt as an argument. If the caller is going to provide a session, + it sends an NSSSession there, otherwise it sends NULL and the default session + is utilized.
+

+ Proposed:
+ NSSSession
+ Wraps a Cryptoki session. Created from a slot. Used to manage + sessions for crypto contexts. Has a lock field, which locks the session + if the slot is not threadsafe.
+
+ +

+ +

+ + PKI +

+ The NSS PKI library.
+
+ NSS + Certificate +
+ +

The API leaves open the possibility of NSSCertificate meaning various + certificate types, not just X.509. The way to keep open this possibility + is to keep only generally useful information in the NSSCertificate type. + Examples would be the certificate encoding, label, trust (obtained + from cryptoki calls), an email address, etc. Some type of generic +reference should be kept to the decoded certificate, which would then be +accessed by a type-specific API (e.g., NSSX509_GetSubjectName).

+
+ NSSUserCertificate +
+ +

Should this be a typedef of NSSCertificate? This implies that + any function that requires an NSSUserCertificate would fail when called + with a certificate lacking a private key.

+ NSSPrivateKey +
+ NSSPublicKey +
+ NSSSymmetricKey +
+ NSSTrustDomain +
+ A trust domain is "the field in which certificates may + be validated." It is a collection of modules capable of performing + cryptographic operations and storing certs and keys. This collection + is managed by NSS in a manner opaque to the consumer. The slots + will have various orderings determining which has preference for a +given operation. For example, the trust domain may order the storage + of user certificates one way, and the storage of email certificates in + another way [is that a good example?].
+
+ +

How will ordering work? We already have the suggestion + that there be two kinds of ordering: storage and search. How +will they be constructed/managed? Do we want to expose access +to a token that overrides this ordering (i.e., the download of updated +root certs may need to override storage order)
How are certs cached? Nelson wonders what it means to Stan + when a cert does not live on a token yet. Bob, Terry, and I discussed + this. My conclusion is that there should be a type, separate +from NSSCertificate, that holds the decoded cert parts (e.g., NSSX509Certificate, + or to avoid confusion, NSSX509DecodedParts). NSSCertificate would + keep a handle to this type, so that it only needs to decode the cert +once. The NSSTrustDomain would keep a hash table of cached certs, +some of which may not live on a token yet (i.e., they are only NSSX509DecodedParts). + This cache could be accessed in the same way the temp db was, +and when the cert is ready to be moved onto a token a call to NSSTrustDomain_ImportCertificate + is made. Note that this is essentially the same as CERT_TempCertToPerm.

The hashtable in lib/base (copied from ckfw/hash.c) uses the identity +hash. Therefore, in a hash of certificates, the key is the certificate +pointer itself. One possibility is to store the decoded cert (NSSX509DecodedParts +above) as the value in the {key, value} pair. When a cert is decoded, +the cert pointer and decoding pointer are added to the hash. Subsequent +lookups have access to one or both of these pointers. This keeps NSSCertificate +separate from its decoding, while providing a way to locate it.

The API is designed to keep token details hidden from the user. However, + it has already been realized that PSM and CMS may need special access to +tokens. Is this part of the TrustDomain API, or should PSM and CMS +be allowed to use "friend" headers from the Token API?
Do we want to allow traversal via NSSTrustDomain_TraverseXXXX?
+

+
+ NSSCryptoContext +
+ Analgous to a Cryptoki session. Manages session objects only.
+
+ NSSTime +
+ NSSUsage +
+ +

See Fred's + comments + .

+ NSSPolicies +
+ + NSSAlgorithmAndParameters +
+ +

Again, Fred's + comments + . The old NSS code had various types related to algorithms + running around in it. We had SECOidTag, SECAlgorithmID, SECItem's + for parameters, CK_MECHANISM for cryptoki, etc. This type should + be able to encapsulate all of those.

+ NSSCallback +
+ NSSOperations +
+
+
+ +

+
+ A diagram to suggest a possible TrustDomain architecture.
+
+ Trust Domain Diagram

+
+ +

+ +

+ + PKI1 +

+
+ NSSOID +
+ NSSATAV +
+ NSSRDN +
+ NSSRDNSeq +
+ NSSName +
+ NSSNameChoice
+ NSSGeneralName
+ NSSGeneralNameChoice
+ NSSOtherName
+ NSSRFC822Name
+ NSSDNSName
+ NSSX400Address
+ NSSEdiParityAddress
+ NSSURI
+ NSSIPAddress
+ NSSRegisteredID
+ NSSGeneralNameSeq
+ + nssAttributeTypeAliasTable +
+
+
+ +

+ +

+ + PKIX +

+ There is a plethora of PKIX related types here.
+
+ +

+ +

+ Building Stan

+
+ From nss/lib, run "make BUILD_STAN=1"
+
+ +

+ +

+ Testing Stan

+ A new command line tool, pkiutil, has been created to use only + the Stan API. It depends on a new library, cmdlib, meant to replace + the old secutil library. The old library had code used by products + that needed to be integrated into the main library codebase somehow. The + goal of the new cmdlib is to have functionality needed strictly for NSS + tools.
+
+ How to build:
+ +

cd nss/cmd/cmdlib; make
cd ../pkiutil; make

+ pkiutil will give detailed help with either "pkiutil -?" or "pkiutil + --help".
+
+ So far, the only available test is to list certs on the builtins token. + Copy "libnssckbi.so" (or whatever it is) to cmd/pkiutil. Then + run "pkiutil -L" or "pkiutil --list". The list of certificate nicknames + should be displayed.
+
+
+ + + -- cgit v1.2.3