NAME
     keypkg - create, delete, modify, and view key package

SYNOPSIS
     keypkg -A [-h [-L virtual_host]] [-s | -v] [input_file]
     keypkg -C [-h] [-s | -v] [-e public_exponent] [-l key_size] [-k keypkg_owner]
     keypkg -D [-h [-L virtual_host]] [-s | -v]
     keypkg -D -k keypkg_owner [-s | -v]
     keypkg -F [-s | -v] [-h [-L virtual_host]] [output_file]
     keypkg -G [-h [-L virtual_host]] [-s | -v]
     keypkg -P [-h [-L virtual_host]] [-s | -v]
     keypkg -R [-h [-L virtual_host]] [-s | -v] [-a authority -n number | -t trusted_key_owner]

AVAILABILITY
     SUNWski

DESCRIPTION
     A key package contains the public and private key components of an RSA keypair, the owner's identity (X.500 distinguished name), a list of trusted public keys, and a digital signature computed over the key package contents. Each entry in the list of trusted public keys contains a public key and the identity (X.500 Distinguished Name) of its owner. The trusted key list initially contains the user's own public key.

     The trusted key list in a user's key package is accessed when the user validates a digital signature and its supporting certificate chain (see skiverify(1)), in order to determine whether the certificate chain contains any public keys trusted by the user; if the user does not trust any of the public keys in the received chain, the verification of the digital signature fails.

     The private key component of the key package is stored in encrypted form in the key package, using triple DES encryption. keypkg will prompt the user for his or her encryption password. Before the private key of the generated key package can be used, it must be registered with the SKI keyserver using the skilogin(1) command.

     The key package is stored in the configured name service, such as NIS or NIS+.

   Creating a key package
     The keypkg -C utility generates an RSA keypair and places it (along with the information described above) in a container referred to as the key package.
     The key package is automatically stored into the configured naming service. keypkg_owner identifies the owner of the key package in the form of an X.500 distinguished name (for example, "cn=john smith, o=sun microsystems, c=us").

   Adding trusted public keys to your key package
     The keypkg -A command adds the public keys of one or more certificates to a user's or host's key package. The certificates are read from input_file, which is the path name of a regular file. Each certificate must be provided in printable encoding format as defined by the Internet RFC1421 standard, and may be created using the skicert(1) utility. Each certificate must be bounded at the beginning by "-----BEGIN CERTIFICATE-----" and at the end by "-----END CERTIFICATE-----". Each of the boundaries must be followed by a NEWLINE. Please refer to the example below. If no input file is given, the certificates are read from stdin.

     The certificates whose public keys are being added to the key package are assumed to have already been verified by some out-of-band mechanism (for example, by comparing the digest of the received certificate with the digest generated by the trusted source which provided the certificate). Therefore, no cryptographic checks are applied to the certificates before their public key information is added to the list of trusted public keys in the key package.

     Adding public keys to a key package allows users to securely communicate with others who do not exist within their certification domain. In this context, the key package is essentially being used as a "public key ring".

     Note: If another user's private key has been compromised and the certificate for the public key has been revoked, the keypkg -R command should be used to delete that public key from the list of trusted public keys.

     keypkg -A requires that the user has registered his or her private key with the SKI keyserver (see skilogin(1)).
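     Because keypkg -A applies no cryptographic checks of its own, the input file is worth validating before it is handed to the command, and the digest the text recommends comparing out of band has to come from somewhere. The following Python script is an added example and is not part of the keypkg man page or the SKI software: it enforces the boundary and NEWLINE rules stated above (the same layout as the certfile sample under EXAMPLES), base64-decodes each body, and reports a digest of the decoded certificate for comparison with the digest published by the trusted source. The function names (parse_certfile, fingerprints), the choice of SHA-256 and the placeholder certificate bodies are this example's own assumptions; the man page names no digest algorithm.

```python
"""Check a keypkg -A input file before trusting the keys it carries.

Added example (not part of the keypkg man page or the SKI software). It
enforces the format rules the man page states: every certificate bounded by
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", each boundary
followed by a NEWLINE, bodies in RFC 1421 printable (base64) encoding.
Because keypkg -A applies no cryptographic checks itself, the script also
prints a digest of each decoded certificate so the operator can compare it
with the digest published by the trusted source. SHA-256 is this example's
choice; the man page does not name a digest algorithm.
"""
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class CertFileError(ValueError):
    """The input does not match the format keypkg -A expects."""


def parse_certfile(text):
    """Return the DER bytes of each certificate in text, in file order.

    Raises CertFileError on a boundary not followed by a NEWLINE, text
    outside the boundaries, nested or unterminated boundaries, or a body
    that is not valid base64. Blank lines between certificates are
    tolerated (this example's choice; the man page's sample has none).
    """
    if not text.endswith("\n"):
        raise CertFileError("the last boundary must be followed by a NEWLINE")
    certs = []
    body = None  # None outside a certificate, list of base64 lines inside
    for lineno, line in enumerate(text.split("\n")[:-1], 1):
        if body is None:
            if line == BEGIN:
                body = []
            elif line.strip():
                raise CertFileError(f"line {lineno}: text outside certificate boundaries")
        elif line == END:
            try:
                # validate=True rejects any character outside the base64 alphabet
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise CertFileError(f"line {lineno}: body is not valid base64 ({exc})") from exc
            if not der:
                raise CertFileError(f"line {lineno}: empty certificate body")
            certs.append(der)
            body = None
        elif line == BEGIN:
            raise CertFileError(f"line {lineno}: BEGIN boundary without a preceding END")
        else:
            body.append(line)
    if body is not None:
        raise CertFileError("missing END boundary")
    if not certs:
        raise CertFileError("no certificates found")
    return certs


def fingerprints(certs):
    """Hex SHA-256 digest of each DER certificate, for out-of-band comparison."""
    return [hashlib.sha256(der).hexdigest() for der in certs]


def _wrap64(s):
    """Wrap a base64 string at 64 columns, as the man page's sample is laid out."""
    return "\n".join(s[i:i + 64] for i in range(0, len(s), 64))


# Constructed sample input. The bodies are placeholder bytes, NOT real X.509
# certificates; they only exercise the format rules.
SAMPLE_DER = [
    b"placeholder certificate 1 (constructed, not a real X.509 certificate)",
    b"placeholder certificate 2 (constructed, not a real X.509 certificate)",
]
SAMPLE_CERTFILE = "".join(
    f"{BEGIN}\n{_wrap64(base64.b64encode(der).decode('ascii'))}\n{END}\n"
    for der in SAMPLE_DER
)

if __name__ == "__main__":
    certs = parse_certfile(SAMPLE_CERTFILE)
    for der, digest in zip(certs, fingerprints(certs)):
        print(f"{len(der):5d} bytes  sha256={digest}")
```

     Run against a real certfile, the script reads the file into text and passes it to parse_certfile; a non-zero digest match against the value obtained from the certificate's source is the check that should precede keypkg -A, since the command itself adds whatever keys the file contains.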
   Deleting a key package
     The keypkg -D command deletes a user's or host's key package from the name service. keypkg -D must be executed by a system administrator. The system administrator does not have to enter the key package password to delete the key package. If the key package owner had previously performed a skilogin(1), then a duplicate copy of the key package was registered with skiserv(1M) under that user. The system administrator should inform the user to run skilogout(1).

   Storing a key package in a file
     The keypkg -F command retrieves a user's or host's key package and stores it in output_file. If no output file is specified, the key package is output to stdout. If output_file already exists, it is overwritten. The key package is stored in printable encoding format, as defined by the Internet RFC1421 standard. keypkg -F requires that the user has registered his or her private key with the SKI keyserver (see skilogin(1)).

   Viewing the contents of a key package
     The keypkg -G command retrieves a user's or host's key package and displays its contents. keypkg -G requires that the user has registered his or her private key with the SKI keyserver (see skilogin(1)).

   Changing your key package password
     The keypkg -P command changes the password under which the private key in the user's or host's key package is encrypted. keypkg -P prompts the user for his or her old password, and then prompts for the new password twice. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the keypkg command exits with an error message.

   Removing trusted public keys
     The keypkg -R command removes one or more trusted keys from the user's or host's key package. The trusted key(s) to be removed can be identified in two different ways: by a serial number/issuer combination or by the trusted key owner's name.
     If a serial number/issuer combination is given, a trusted key with the matching combination is removed from the list of trusted public keys. If a trusted key owner's name is provided, all trusted keys pertaining to the specified owner are removed from the list of trusted public keys. keypkg -R requires that the user has registered his or her private key with the SKI keyserver (see skilogin(1)).

OPTIONS
     keypkg can be run in the following modes:

     -A    Add one or more public keys to the list of trusted public keys in your key package.
     -C    Create your key package and store it into the naming service.
     -D    Delete a user's or host's key package from the naming service.
     -F    Retrieve a user's or host's key package from the naming service and store it in a file.
     -G    Retrieve a user's or host's key package and display its contents.
     -P    Change your key package password.
     -R    Remove one or more public keys from the list of trusted keys in your key package.

     The following options are supported for all modes of keypkg:

     -h    For each mode, operate on the host's key package.
     -s    Run application silently (no status or error information displayed).
     -v    Give verbose output. If both the -v and the -s options are specified, the -v option is ignored.

     The following option applies to all modes of keypkg, except for keypkg -C:

     -L virtual_host
           Name or dot-separated IP address of the virtual host on whose behalf the command is run. This option can be specified only together with the -h option.

     The following options apply to keypkg -C:

     -k keypkg_owner
           Identity of the key package owner. This is an X.500 distinguished name in string representation, for example, "cn=Alice Smith, ou=SunSoft, o=SUN, c=US" or "cn=hostname.eng.sun.com".
     -l key_size
           The key length. By default, a 768 bit key is used. Other supported key sizes are 512 and 1024. The higher the security requirements, the greater the key length should be.
     -e public_exponent
           Public exponent for RSA key generation.
           Either F0 (numeric value 3) or F4 (Fermat 4). By default, the public exponent is F4.

     The following options apply to keypkg -R:

     -a authority
           Identity (given as an X.500 distinguished name in string representation, for example, "ou=CA, ou=SunSoft, o=SUN, c=US") of the Certification Authority who issued a certificate for the public key to be removed from the list of trusted public keys.
     -n number
           Certificate serial number.
     -t trusted_key_owner
           Identity (given as an X.500 distinguished name in string representation, for example, "cn=Alice Smith, ou=SunSoft, o=SUN, c=US") of the entity whose public key is to be removed from the list of trusted public keys.

     The following option applies to keypkg -D:

     -k keypkg_owner
           Key package owner. This value may be the key package owner's username or the key package owner's X.500 distinguished name in string representation, for example, "cn=Alice Smith, ou=SunSoft, o=SUN, c=US". If the key package owner is not specified with the -k option, the key package accessed will be the key package of the user running the command.

EXAMPLES
     The command (executed by the user, alice):

           example% keypkg -G

     allows alice to view the contents of her key package. The private key is not displayed. Typically, this is used to view the list of trusted public keys stored in the key package.

     The command (executed by alice):

           example% keypkg -F local

     allows alice to retrieve her key package from the naming service and store it in the file "local" in the current directory, which she then can copy to an external device, for example, a laptop.

     The command (executed by alice):

           example% keypkg -P

     allows alice to change her key package password.

     The command (run by alice):

           example% keypkg -A certfile

     allows alice to add one or more trusted keys to her key package. The trusted keys are read from the file "certfile" (the trusted keys are stored as certificates in the file, encoded as defined by the Internet RFC1421 standard).
     "certfile" should have the following format:

           -----BEGIN CERTIFICATE-----
           MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
           A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
           A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
           FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
           SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
           1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
           2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
           -----END CERTIFICATE-----
           -----BEGIN CERTIFICATE-----
           MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
           A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
           A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
           AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
           GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
           luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
           ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
           -----END CERTIFICATE-----

     If the trusted_key_owner of the public key is "cn=Bob Smith, o=Company X, c=US", then the command (run by alice):

           example% keypkg -R -t "cn=Bob Smith, o=Company X, c=US"

     allows alice to remove the public key of "cn=Bob Smith, o=Company X, c=US" from the list of trusted public keys in her key package.

     The command (run by a system administrator):

           example% keypkg -D -k alice

     allows an administrator to delete alice's key package from the naming service. The same result would have been achieved by running

           example% keypkg -D -k "cn=Alice Smith, ou=eng, o=SUN, c=US"

     provided that alice's distinguished name is "cn=Alice Smith, ou=eng, o=SUN, c=US".

     The following command, run by user "sun_ca":

           example% keypkg -C -l 1024 -k "o=SUN, c=US"

     generates a key package for "o=SUN, c=US" and stores it in the configured name service under the user "sun_ca".
     The newly generated RSA keypair contained in the key package has a key size of 1024 bits and a public exponent with value 0x010001.

     The following command, run by user "root":

           example% keypkg -C -h -l 1024 -k "cn=yosemite.eng.sun.com"

     generates a key package for the host "yosemite.eng.sun.com" and stores it in the configured name service under the host "yosemite".

EXIT STATUS
     The keypkg command exits with 0 if successful and 1 otherwise.

SEE ALSO
     certreq(1), skilogin(1), skicert(1)

NOTES
     For software shipped outside North America, only 512 bit RSA key sizes are generated and supported.

     If the key package is stored in NIS, then the create operations (-C) can only be done by the NIS Administrator.