1 \input texinfo @c -*- texinfo -*-
4 @setfilename hx509.info
9 @c some sensible characters, please?
19 @set VERSION @value{PACKAGE_VERSION}
25 * hx509: (hx509). The X.509 distribution from KTH
32 @subtitle X.509 distribution from KTH
33 @subtitle Edition @value{EDITION}, for version @value{VERSION}
35 @author Love Hörnquist Åstrand
38 @def@copynext{@vskip 20pt plus 1fil}
51 Copyright (c) 1994-2008 Kungliga Tekniska Högskolan
52 (Royal Institute of Technology, Stockholm, Sweden).
55 Redistribution and use in source and binary forms, with or without
56 modification, are permitted provided that the following conditions
59 1. Redistributions of source code must retain the above copyright
60 notice, this list of conditions and the following disclaimer.
62 2. Redistributions in binary form must reproduce the above copyright
63 notice, this list of conditions and the following disclaimer in the
64 documentation and/or other materials provided with the distribution.
66 3. Neither the name of the Institute nor the names of its contributors
67 may be used to endorse or promote products derived from this software
68 without specific prior written permission.
70 THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
71 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
72 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
73 ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
74 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
75 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
76 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
77 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
78 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
79 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
84 Copyright (c) 1988, 1990, 1993
85 The Regents of the University of California. All rights reserved.
87 Redistribution and use in source and binary forms, with or without
88 modification, are permitted provided that the following conditions
91 1. Redistributions of source code must retain the above copyright
92 notice, this list of conditions and the following disclaimer.
94 2. Redistributions in binary form must reproduce the above copyright
95 notice, this list of conditions and the following disclaimer in the
96 documentation and/or other materials provided with the distribution.
98 3. Neither the name of the University nor the names of its contributors
99 may be used to endorse or promote products derived from this software
100 without specific prior written permission.
102 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
103 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
104 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
105 ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
106 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
107 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
108 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
109 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
110 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
111 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
116 Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
118 This software is not subject to any license of the American Telephone
119 and Telegraph Company or of the Regents of the University of California.
121 Permission is granted to anyone to use this software for any purpose on
122 any computer system, and to alter it and redistribute it freely, subject
123 to the following restrictions:
125 1. The authors are not responsible for the consequences of use of this
126 software, no matter how awful, even if they arise from flaws in it.
128 2. The origin of this software must not be misrepresented, either by
129 explicit claim or by omission. Since few users ever read sources,
130 credits must appear in the documentation.
132 3. Altered versions must be plainly marked as such, and must not be
133 misrepresented as being the original software. Since few users
134 ever read sources, credits must appear in the documentation.
136 4. This notice may not be removed or altered.
140 IMath is Copyright 2002-2005 Michael J. Fromberger
141 You may use it subject to the following Licensing Terms:
143 Permission is hereby granted, free of charge, to any person obtaining
144 a copy of this software and associated documentation files (the
145 "Software"), to deal in the Software without restriction, including
146 without limitation the rights to use, copy, modify, merge, publish,
147 distribute, sublicense, and/or sell copies of the Software, and to
148 permit persons to whom the Software is furnished to do so, subject to
149 the following conditions:
151 The above copyright notice and this permission notice shall be
152 included in all copies or substantial portions of the Software.
154 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
155 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
156 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
157 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
158 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
159 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
160 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
165 @macro manpage{man, section}
166 @cite{\man\(\section\)}
169 @c Less filling! Tastes great!
172 @global@parskip 6pt plus 1pt
173 @global@chapheadingskip = 15pt plus 4pt minus 2pt
174 @global@secheadingskip = 12pt plus 3pt minus 2pt
175 @global@subsecheadingskip = 9pt plus 2pt minus 2pt
182 @node Top, Introduction, (dir), (dir)
186 This manual is for version @value{VERSION} of hx509.
192 * CMS signing and encryption::
193 * Certificate matching::
194 * Software PKCS 11 module::
195 * Creating a CA certificate::
196 * Issuing certificates::
198 * Application requirements::
201 * How to use the PKCS11 module::
204 --- The Detailed Node Listing ---
208 @c * Issuing certificates::
209 * Creating a CA certificate::
210 * Issuing certificates::
212 @c * Issuing a proxy certificate::
213 @c * Creating a user certificate::
214 @c * Validating a certificate::
215 @c * Validating a certificate path::
216 * Application requirements::
218 CMS signing and encryption
226 Software PKCS 11 module
228 * How to use the PKCS11 module::
233 @node Introduction, What is X.509 ?, Top, Top
234 @chapter Introduction
236 The goals of a PKI infrastructure (as defined in
237 <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>) is to meet
238 @emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.
241 The administrator should be aware of certain terminologies as explained by the aforementioned
242 RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
246 Certificate Authority
248 Registration Authority, i.e., an optional system to which a CA delegates certain management functions.
250 An optional system to which a CA delegates the publication of certificate revocation lists.
252 A system or collection of distributed systems that stores certificates and CRLs
253 and serves as a means of distributing these certificates and CRLs to end entities
256 hx509 (Heimdal x509 support) is a near complete X.509 stack that can
257 handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT)
258 and basic certificate processing tasks, path construction, path
259 validation, OCSP and CRL validation, PKCS10 message construction, CMS
260 Encrypted (shared secret encrypted), CMS SignedData (certificate
261 signed), and CMS EnvelopedData (certificate encrypted).
263 hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded
266 @node What is X.509 ?, Setting up a CA, Introduction, Top
267 @chapter What is X.509, PKIX, PKCS7 and CMS ?
269 X.509 was created by CCITT (later ITU) for the X.500 directory
270 service. Today, X.509 discussions and implementations commonly reference
271 the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate
272 standard, as specified in RFC 3280.
274 ITU continues to develop the X.509 standard together with the IETF in a
275 rather complicated dance.
277 X.509 is a public key based security system that has associated data
278 stored within a so called certificate. Initially, X.509 was a strict
279 hierarchical system with one root. However, ever evolving requiments and
280 technology advancements saw the inclusion of multiple policy roots,
281 bridges and mesh solutions.
283 x.509 can also be used as a peer to peer system, though often seen as a
286 @section Type of certificates
288 There are several flavors of certificate in X.509.
294 Trust anchors are strictly not certificates, but commonly stored in a
295 certificate format as they become easier to manage. Trust anchors are
296 the keys that an end entity would trust to validate other certificates.
297 This is done by building a path from the certificate you want to
298 validate to to any of the trust anchors you have.
300 @item End Entity (EE) certificates
302 End entity certificates are the most common types of certificates. End
303 entity certificates cannot issue (sign) certificate themselves and are generally
304 used to authenticate and authorize users and services.
306 @item Certification Authority (CA) certificates
308 Certificate authority certificates have the right to issue additional
309 certificates (be it sub-ordinate CA certificates to build an trust anchors
310 or end entity certificates). There is no limit to how many certificates a CA
311 may issue, but there might other restrictions, like the maximum path
314 @item Proxy certificates
316 Remember the statement "End Entity certificates cannot issue
317 certificates"? Well that statement is not entirely true. There is an
318 extension called proxy certificates defined in RFC3820, that allows
319 certificates to be issued by end entity certificates. The service that
320 receives the proxy certificates must have explicitly turned on support
321 for proxy certificates, so their use is somewhat limited.
323 Proxy certificates can be limited by policies stored in the certificate to
324 what they can be used for. This allows users to delegate the proxy
325 certificate to services (by sending over the certificate and private
326 key) so the service can access services on behalf of the user.
328 One example of this would be a print service. The user wants to print a
329 large job in the middle of the night when the printer isn't used that
330 much, so the user creates a proxy certificate with the policy that it
331 can only be used to access files related to this print job, creates the
332 print job description and send both the description and proxy
333 certificate with key over to print service. Later at night when the
334 print service initializes (without any user intervention), access to the files
335 for the print job is granted via the proxy certificate. As a result of (in-place)
336 policy limitations, the certificate cannot be used for any other purposes.
340 @section Building a path
342 Before validating a certificate path (or chain), the path needs to be
343 constructed. Given a certificate (EE, CA, Proxy, or any other type),
344 the path construction algorithm will try to find a path to one of the
347 The process starts by looking at the issuing CA of the certificate, by
348 Name or Key Identifier, and tries to find that certificate while at the
349 same time evaluting any policies in-place.
351 @node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
352 @chapter Setting up a CA
354 Do not let information overload scare you off! If you are simply testing
355 or getting started with a PKI infrastructure, skip all this and go to
356 the next chapter (see: @pxref{Creating a CA certificate}).
358 Creating a CA certificate should be more the just creating a
359 certificate, CA's should define a policy. Again, if you are simply
360 testing a PKI, policies do not matter so much. However, when it comes to
361 trust in an organisation, it will probably matter more whom your users
362 and sysadmins will find it acceptable to trust.
364 At the same time, try to keep things simple, it's not very hard to run a
365 Certificate authority and the process to get new certificates should be simple.
367 You may find it helpful to answer the following policy questions for
368 your organization at a later stage:
371 @item How do you trust your CA.
372 @item What is the CA responsibility.
373 @item Review of CA activity.
374 @item How much process should it be to issue certificate.
375 @item Who is allowed to issue certificates.
376 @item Who is allowed to requests certificates.
377 @item How to handle certificate revocation, issuing CRLs and maintain OCSP services.
380 @node Creating a CA certificate, Issuing certificates, Setting up a CA, Top
381 @section Creating a CA certificate
383 This section describes how to create a CA certificate and what to think
386 @subsection Lifetime CA certificate
388 You probably want to create a CA certificate with a long lifetime, 10
389 years at the very minimum. This is because you don't want to push out the
390 certificate (as a trust anchor) to all you users again when the old
391 CA certificate expires. Although a trust anchor can't really expire, not all
392 software works in accordance with published standards.
394 Keep in mind the security requirements might be different 10-20 years
395 into the future. For example, SHA1 is going to be withdrawn in 2010, so
396 make sure you have enough buffering in your choice of digest/hash
397 algorithms, signature algorithms and key lengths.
399 @subsection Create a CA certificate
401 This command below can be used to generate a self-signed CA certificate.
404 hxtool issue-certificate \
408 --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \
410 --certificate="FILE:ca.pem"
413 @subsection Extending the lifetime of a CA certificate
415 You just realised that your CA certificate is going to expire soon and
416 that you need replace it with a new CA. The easiest way to do that
417 is to extend the lifetime of your existing CA certificate.
419 The example below will extend the CA certificate's lifetime by 10 years.
420 You should compare this new certificate if it contains all the
421 special tweaks as the old certificate had.
424 hxtool issue-certificate \
427 --lifetime="10years" \
428 --template-certificate="FILE:ca.pem" \
429 --template-fields="serialNumber,notBefore,subject,SPKI" \
430 --ca-private-key=FILE:ca.pem \
431 --certificate="FILE:new-ca.pem"
434 @subsection Subordinate CA
436 This example below creates a new subordinate certificate authority.
439 hxtool issue-certificate \
440 --ca-certificate=FILE:ca.pem \
443 --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \
444 --certificate="FILE:dev-ca.pem"
448 @node Issuing certificates, Issuing CRLs, Creating a CA certificate, Top
449 @section Issuing certificates
451 First you'll create a CA certificate, after that you have to deal with
452 your users and servers and issue certificates to them.
454 @c I think this section needs a bit of clarity. Can I add a separate
455 @c section which explains CSRs as well?
460 @item Do all the work themself
462 Generate the key for the user. This has the problme that the the CA
463 knows the private key of the user. For a paranoid user this might leave
464 feeling of disconfort.
466 @item Have the user do part of the work
468 Receive PKCS10 certificate requests fromusers. PKCS10 is a request for a
469 certificate. The user may specify what DN they want as well as provide
470 a certificate signing request (CSR). To prove the user have the key,
471 the whole request is signed by the private key of the user.
475 @subsection Name space management
477 @c The explanation given below is slightly unclear. I will re-read the
478 @c RFC and document accordingly
480 What people might want to see.
482 Re-issue certificates just because people moved within the organization.
484 Expose privacy information.
486 Using Sub-component name (+ notation).
488 @subsection Certificate Revocation, CRL and OCSP
490 Certificates that a CA issues may need to be revoked at some stage. As
491 an example, an employee leaves the organization and does not bother
492 handing in his smart card (or even if the smart card is handed back --
493 the certificate on it must no longer be acceptable to services; the
496 You may also want to revoke a certificate for a service which is no
497 longer being offered on your network. Overlooking these scenarios can
498 lead to security holes which will quickly become a nightmare to deal
501 There are two primary protocols for dealing with certificate
505 @item Certificate Revocation List (CRL)
506 @item Online Certificate Status Protocol (OCSP)
509 If however the certificate in qeustion has been destroyed, there is no
510 need to revoke the certificate because it can not be used by someone
511 else. This matter since for each certificate you add to CRL, the
512 download time and processing time for clients are longer.
514 CRLs and OCSP responders however greatly help manage compatible services
515 which may authenticate and authorize users (or services) on an on-going
516 basis. As an example, VPN connectivity established via certificates for
517 connecting clients would require your VPN software to make use of a CRL
518 or an OCSP service to ensure revoked certificates belonging to former
519 clients are not allowed access to (formerly subscribed) network
523 @node Issuing CRLs, Application requirements, Issuing certificates, Top
524 @section Issuing CRLs
526 Create an empty CRL with no certificates revoked. Default expiration
527 value is one year from now.
535 Create a CRL with all certificates in the directory
536 @file{/path/to/revoked/dir} included in the CRL as revoked. Also make
537 it expire one month from now.
542 --signer=FILE:ca.pem \
543 --lifetime='1 month' \
544 DIR:/path/to/revoked/dir
547 @node Application requirements, CMS signing and encryption, Issuing CRLs, Top
548 @section Application requirements
550 Application place different requirements on certificates. This section
551 tries to expand what they are and how to use hxtool to generate
552 certificates for those services.
554 @subsection HTTPS - server
557 hxtool issue-certificate \
558 --subject="CN=www.test.h5l.se,DC=test,DC=h5l,DC=se" \
559 --type="https-server" \
560 --hostname="www.test.h5l.se" \
561 --hostname="www2.test.h5l.se" \
565 @subsection HTTPS - client
568 hxtool issue-certificate \
569 --subject="UID=testus,DC=test,DC=h5l,DC=se" \
570 --type="https-client" \
574 @subsection S/MIME - email
576 There are two things that should be set in S/MIME certificates, one or
577 more email addresses and an extended eku usage (EKU), emailProtection.
579 The email address format used in S/MIME certificates is defined in
580 RFC2822, section 3.4.1 and it should be an ``addr-spec''.
582 There are two ways to specifify email address in certificates. The old
583 way is in the subject distinguished name, @emph{this should not be used}. The
584 new way is using a Subject Alternative Name (SAN).
586 Even though the email address is stored in certificates, they don't need
587 to be, email reader programs are required to accept certificates that
588 doesn't have either of the two methods of storing email in certificates
589 -- in which case, the email client will try to protect the user by
590 printing the name of the certificate instead.
592 S/MIME certificate can be used in another special way. They can be
593 issued with a NULL subject distinguished name plus the email in SAN,
594 this is a valid certificate. This is used when you wont want to share
595 more information then you need to.
597 hx509 issue-certificate supports adding the email SAN to certificate by
598 using the --email option, --email also gives an implicit emailProtection
599 eku. If you want to create an certificate without an email address, the
600 option --type=email will add the emailProtection EKU.
603 hxtool issue-certificate \
604 --subject="UID=testus-email,DC=test,DC=h5l,DC=se" \
606 --email="testus@@test.h5l.se" \
610 An example of an certificate without and subject distinguished name with
611 an email address in a SAN.
614 hxtool issue-certificate \
617 --email="testus@@test.h5l.se" \
623 A PK-INIT infrastructure allows users and services to pick up kerberos
624 credentials (tickets) based on their certificate. This, for example,
625 allows users to authenticate to their desktops using smartcards while
626 acquiring kerberos tickets in the process.
628 As an example, an office network which offers centrally controlled
629 desktop logins, mail, messaging (xmpp) and openafs would give users
630 single sign-on facilities via smartcard based logins. Once the kerberos
631 ticket has been acquired, all kerberized services would immediately
632 become accessible based on deployed security policies.
634 Let's go over the process of initializing a demo PK-INIT framework:
637 hxtool issue-certificate \
638 --type="pkinit-kdc" \
639 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
640 --hostname=kerberos.test.h5l.se \
641 --ca-certificate="FILE:ca.pem,ca.key" \
643 --certificate="FILE:kdc.pem" \
647 How to create a certificate for a user.
650 hxtool issue-certificate \
651 --type="pkinit-client" \
652 --pk-init-principal="user@@TEST.H5L.SE" \
653 --ca-certificate="FILE:ca.pem,ca.key" \
655 --subject="cn=Test User" \
656 --certificate="FILE:user.pem"
659 The --type field can be specified multiple times. The same certificate
660 can hence house extensions for both pkinit-client as well as S/MIME.
662 To use the PKCS11 module, please see the section:
663 @pxref{How to use the PKCS11 module}.
665 More about how to configure the KDC, see the documentation in the
666 Heimdal manual to set up the KDC.
668 @subsection XMPP/Jabber
670 The jabber server certificate should have a dNSname that is the same as
671 the user entered into the application, not the same as the host name of
675 hxtool issue-certificate \
676 --subject="CN=xmpp1.test.h5l.se,DC=test,DC=h5l,DC=se" \
677 --hostname="xmpp1.test.h5l.se" \
678 --hostname="test.h5l.se" \
682 The certificate may also contain a jabber identifier (JID) that, if the
683 receiver allows it, authorises the server or client to use that JID.
685 When storing a JID inside the certificate, both for server and client,
686 it's stored inside a UTF8String within an otherName entity inside the
687 subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5).
689 To read more about the requirements, see RFC3920, Extensible Messaging
690 and Presence Protocol (XMPP): Core.
692 hxtool issue-certificate have support to add jid to the certificate
693 using the option @kbd{--jid}.
696 hxtool issue-certificate \
697 --subject="CN=Love,DC=test,DC=h5l,DC=se" \
698 --jid="lha@@test.h5l.se" \
703 @node CMS signing and encryption, CMS background, Application requirements, Top
704 @chapter CMS signing and encryption
706 CMS is the Cryptographic Message System that among other, is used by
707 S/MIME (secure email) and Kerberos PK-INIT. It's an extended version of
708 the RSA, Inc standard PKCS7.
710 @node CMS background, Certificate matching, CMS signing and encryption, Top
711 @section CMS background
714 @node Certificate matching, Matching syntax, CMS background, Top
715 @chapter Certificate matching
717 To match certificates hx509 have a special query language to match
718 certifictes in queries and ACLs.
720 @node Matching syntax, Software PKCS 11 module, Certificate matching, Top
721 @section Matching syntax
723 This is the language definitions somewhat slopply descriped:
738 word IN ( word [, word ...])
739 word IN %@{variable.subvariable@}
747 @node Software PKCS 11 module, How to use the PKCS11 module, Matching syntax, Top
748 @chapter Software PKCS 11 module
750 PKCS11 is a standard created by RSA, Inc to support hardware and
751 software encryption modules. It can be used by smartcard to expose the
752 crypto primitives inside without exposing the crypto keys.
754 Hx509 includes a software implementation of PKCS11 that runs within the
755 memory space of the process and thus exposes the keys to the
758 @node How to use the PKCS11 module, , Software PKCS 11 module, Top
759 @section How to use the PKCS11 module
762 $ cat > ~/.soft-pkcs11.rc <<EOF
763 mycert cert User certificate FILE:/Users/lha/Private/pkinit.pem
766 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG