This section describes the following KMF components:
Thepktool(1) key management tool
The KMF policy database
Thekmfcfg policy definition and plugin configuration utility
KMF data types defined inkmftypes.h andprogramming interfaces defined inkmfapi.h andlibkmf(3LIB)
The followingpktool subcommands specifically support KMF:
Delete objects in the keystore.
Download a CRL or certificate file from an external source.
Export objects from the keystore to a file.
Create a self-signed X.509v3 certificate.
Create a PKCS#10 Certificate Signing Request (CSR) file.
Create a symmetric key in the keystore.
Create an asymmetric keypair.
Displays a help message.
Import objects from an external source.
Initialize a PKCS#11 token.
List a summary of objects in the keystore.
Change user authentication passphrase for keystore access.
Sign a PKCS#10 CSR.
List all visible PKCS#11 tokens.
KMF policy is a hierarchical tree of policies. A default policy is definedwhen the system is installed. The default policy applies unless the applicationasserts a different policy.
Policy parameters control the use of X.509 certificates by an application.KMF policy applies to all certificates and is not restricted to any particularkeystore.
Use thekmfcfg(1) utility to manage the KMF policydatabase and configure plugins. You can usekmfcfg to list,create, modify, delete, import, and export policy definitions in the systemdefault database file/etc/security/kmfpolicy.xml orin a user-defined database file. Note that you cannot modify the default policyin the system KMF policy database. For plugin configuration, you can usekmfcfg to display plugin information, install or uninstall a KMFplugin, and modify the plugin option.
The following list shows some of the KMF policy attributes. See thekmfcfg man page for a complete list and descriptions of these policy attributes.
Policy Name. Applications reference this name.
Ignore Date. Ignore the validity periods defined in the certificates when evaluating their validity.
Ignore Unknown EKU. Ignore any unrecognized EKU values in the Extended Key Usage extension.
Validation Method. Examples include OCSP and CRL.
Key Usage Values. This attribute is a comma separated list of key usage values that are required by the policy being defined. These bits must be set in order to use the certificate.
Extended Key Usage Values. This attribute is a comma separated list of Extended Key Usage OIDs that are required by the policy being defined. These OIDS must be present in order to use the certificate.
See thekmfpolicy.h file for definitions of policy data types.
The following plugin libraries are provided in Oracle Solaris KMF:
PKCS#11 keystore plugin: kmf_pkcs11
OpenSSL keystore plugin: kmf_openssl
The Oracle Solaris KMF provides abstract APIs for PKI operations. Applications writtento KMF can access multiple keystores such as files (OpenSSL), NSS, and PKCS11tokens and multiple validation modules such as OCSP and CRL checking. TheKMF API can be extended by third parties for proprietary and legacy implementations.
The KMF APIs are provided in the Key Management Framework Library,libkmf(3LIB). These APIs enable yourapplication to create and manage public key objects such as public/privatekeypairs, certificates, CSRs, certificate validation, CRLs, and OCSP responseprocessing.
Keys, certificate, and CSR operations: create and delete,store and retrieve, search, import and export
Common cryptographic operations: sign and verify, encryptand decrypt using certificates as keys
Access complex PKI objects: set and get X.509 attributes andextensions, and extract data in human-readable formats
The KMF APIs are defined in thekmfapi.h file, and structures and types are defined in thekmftypes.h file. Thekmfapi.h file lists the functions in the following groups:
Setup operations
Key operations
Certificate operations
Cryptographic operations with key or certificate
CRL operations
CSR operations
Get certificate operations
Set certificate operations
PK12 operations
OCSP operations
Policy operations
Error handling
Memory cleanup operations
APIs for PKCS#11 tokens
Attribute management operations