## High-level Design

KRATool is a stand-alone Java-based command-line utility
### KRATool Parameters

Mandatory parameters:

Rewrap parameters:

- `-target_storage_certificate_file <complete path to the target storage certificate file>`: the target storage certificate is stored in an ASCII format between a header and footer

ID offset parameters:

- `-append_id_offset <ID offset that is appended to each record's source ID>`
- `-remove_id_offset <ID offset that is removed from each record's source ID>`

Note that either all rewrap parameters or all ID offset parameters must be supplied.

Optional parameters:
### KRATool Config file

The LDIF record fields specified by this file are the ONLY fields that can be changed in the LDIF file. No fields can be added without changes to the KRATool source code, and several fields are commented on within this configuration file. Additionally, internal LDAP fields such as `modifyTimestamp` cannot, and will not, be changed by KRATool.

By default, all supported fields are processed by KRATool, and the default config file resides at `/usr/share/pki/java-tools/KRATool.cfg`.

For example, to decide whether to process or leave out a field of a CA enrollment request, KRATool looks at the following lines of the supplied configuration file:

```
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
```

If a field is set to `true`, it is processed in the generated LDIF file. If it is set to `false`, it is left untouched in the generated LDIF file.
## Low-level Design

The KRA records processed by KRATool are classified into two types:

- Requests
- Key Records

In total, seven different types of KRA LDIF records are processed.
### KRA LDIF Record Fields to be Processed

| Attribute | Attribute Description | Source Value | Target Value |
|---|---|---|---|
| cn | Common Name of the entry | source cn | (source cn + target_uid_offset) OR (source cn - target_uid_offset) |
| dateOfModify | Date the entry was last modified | original date | date modified |
| extdata-keyrecord | | source extdata-keyrecord | (source extdata-keyrecord + target_uid_offset) |
| extdata-requestid | Request ID | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | Comments (usually empty) | comments (generally empty) | comments + [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] OR [REMOVED OFFSET OF xxx…xxx] |
| extdata-serialnumber | Serial number of the cert whose key was retrieved | source extdata-serialnumber | (source extdata-serialnumber + target_uid_offset) |
| privateKeyData | payload key wrapped with KRA's storage cert + payload encrypted/wrapped with payload key | private user key wrapped with source storage key | private user key wrapped with target storage key |
| requestId | Request ID | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
| serialno | Serial number of the key | [source length in digits][source serialno] | [target length in digits][(source serialno + target_uid_offset)] |
### Key Requests

CA enrollment request:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-keyrecord | source extdata-keyrecord | (source extdata-keyrecord + target_uid_offset) |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | comments (generally empty) | comments + [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
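The following is an added example, not KRATool's own code: a Python model of the ID-offset pass described by the config-file section and the CA enrollment request table above. It parses the page's `kratool.ldif.<record>.<field>=true|false` syntax and shifts only the enabled fields of one constructed record; it assumes a two-digit zero-padded length prefix on `requestId`, that the config key for `extdata-requestid` is `extdata.requestId` (not shown on the page), and that the requestnotes marker text follows the table literally.

```python
# Constructed config excerpt in the page's kratool.ldif.<record>.<field>=true|false syntax.
# The extdata.requestId key is assumed to follow the same pattern as the keys on the page.
CONFIG = """\
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=false
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestId=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
"""

# Constructed source record; requestId carries the [length in digits][id] form.
RECORD = {"cn": "10", "dateOfModify": "20240101120000Z", "extdata-keyrecord": "7",
          "extdata-requestid": "10", "extdata-requestnotes": "", "requestId": "0210"}

def enabled_fields(config, record_type):
    """Return the lower-cased LDIF attribute names the config enables for record_type."""
    prefix = f"kratool.ldif.{record_type}."
    fields = set()
    for line in config.splitlines():
        key, _, value = line.strip().partition("=")
        if key.startswith(prefix) and value.strip().lower() == "true":
            # config spells extdata.keyRecord; the LDIF attribute is extdata-keyrecord
            fields.add(key[len(prefix):].replace("extdata.", "extdata-").lower())
    return fields

def shifted(value, delta):
    """Add delta to a decimal id, refusing a negative result (offset too large to remove)."""
    new_id = int(value) + delta
    if new_id < 0:
        raise ValueError(f"id {value} is smaller than the offset being removed")
    return str(new_id)

def apply_id_offset(record, fields, offset, remove=False):
    """Copy record, shifting each enabled id field as the field table describes."""
    delta = -offset if remove else offset
    out = dict(record)
    for attr in ("cn", "extdata-keyrecord", "extdata-requestid"):
        if attr in fields:
            out[attr] = shifted(record[attr], delta)
    if "requestid" in fields:  # assumes a two-digit zero-padded length prefix
        length = int(record["requestId"][:2])
        new_id = shifted(record["requestId"][2:2 + length], delta)
        out["requestId"] = f"{len(new_id):02d}{new_id}"
    if "extdata-requestnotes" in fields:
        marker = f"[{'REMOVED' if remove else 'APPENDED'} OFFSET OF {offset}]"
        out["extdata-requestnotes"] = (record["extdata-requestnotes"] + " " + marker).strip()
    return out
```

Fields disabled in the config (here `dateOfModify`) pass through untouched, and removing an offset larger than a record's ID is rejected instead of producing a negative ID.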
CA recovery request:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | ATTRIBUTE DOES NOT EXIST | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] |
| extdata-serialno | source extdata-serialnumber | (source extdata-serialnumber + target_uid_offset) |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
TPS netkeyKeygen request:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-keyrecord | source keyrecord | (source keyrecord + target_uid_offset) |
| extdata-requestid | source requestid | (source requestid + target_uid_offset) |
| extdata-requestnotes | ATTRIBUTE DOES NOT EXIST | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
TPS recovery request:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | ATTRIBUTE DOES NOT EXIST | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] |
| extdata-serialno | source extdata-serialnumber | (source extdata-serialnumber + target_uid_offset) |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
TPS netkeyKeyRecovery request:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| extdata-requestid | source extdata-requestid | (source extdata-requestid + target_uid_offset) |
| extdata-requestnotes | ATTRIBUTE DOES NOT EXIST | [REWRAPPED] + [APPENDED OFFSET OF xxx…xxx] |
| requestId | [source length in digits][source requestId] | [target length in digits][(source requestId + target_uid_offset)] |
### Key Record

CA keyrecord:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| privateKeyData | private user key wrapped with source storage key | private user key wrapped with target storage key |
| serialno | [source length in digits][source serialno] | [target length in digits][(source serialno + target_uid_offset)] |
TPS keyrecord:

| Attribute | Source Value | Target Value |
|---|---|---|
| cn | source cn | (source cn + target_uid_offset) |
| dateOfModify | original date | date modified |
| privateKeyData | private user key wrapped with source storage key | private user key wrapped with target storage key |
| serialno | [source length in digits][source serialno] | [target length in digits][(source serialno + target_uid_offset)] |