(1)

Multi Domain PKI Test Suite

-- Result of JNSA Challenge PKI 2002 --

Ryu Inada <[email protected]>

As representative of NPO Japan Network Security Association

Sponsored by IT Promotion Agency, Japan


(2)

JNSA Challenge PKI 2002

• As we reported on 11-Nov-2002 at the 56th IETF, we, JNSA, are making a Multi Domain PKI Test Suite.

• We finished the work on 28-Feb-2003 and are preparing to open it to the public and translate it into English.

– Estimated date of opening to the public: End of June 2003

– Estimated date of translation to English: End of June 2003

(3)

Challenge PKI 2002 - Project scope

[Diagram labels: Public Key Cryptographic Standard; X.509; RFC 3280; Implementation; JDK/JCE; CryptoAPI; interoperability test; Test Case; Report Interoperability; Test Suite; PKI interoperability framework; CryptoAPI; JDK 1.4/JCE sample Implementation]

(4)

PKI interoperability test suite

[Diagram labels: TEST DB; test data Gen.; Keys; CRLs; Certificates; test execute Script; test command (Sample Impl.); test Result Loader; Result Report; test conf.; test case Editor; test result; test case; GPKI test case; Standard: RFC 3280, X.509, GPKI interoperability Spec. etc.; Feedback to standard; Feedback to Implementation]

Can easily add test case.

(5)

Challenge PKI 2002 - Test Cases

・ NIST / DoD

‐ X.509 Path Validation Test Suite, Version 1.07

‐ http://csrc.nist.gov/pki/testing/x509paths.html

‐ Total 130 cases

・ GPKI (Japanese Government's PKI)

‐ GPKI simulation environment

‐ Total 81 cases

・ JNSA Original

‐ UTF8 encoding matter (name rollover certificate), which is described in RFC 3280.

‐ Key update issues.

‐ Some CRL extensions including IDP

‐ Total 45 cases

・ Can easily add test case.
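The UTF8 encoding matter listed under the JNSA original cases can be shown at the byte level. The following is an added example, not code from the JNSA test suite: it DER-encodes one distinguished name as PrintableString and as UTF8String and compares the two the way a byte-comparing path builder would. The CN value and all function names are constructed for illustration.

```python
PRINTABLE, UTF8 = 0x13, 0x0C                    # ASN.1 universal string tags
OID_CN = bytes([0x06, 0x03, 0x55, 0x04, 0x03])  # TLV for 2.5.4.3 (commonName)

def tlv(tag, body):
    """DER tag-length-value, short-form length only (body under 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(body)]) + body

def encode_name(cn, string_tag):
    """Name with one RDN holding one CN attribute of the given string type."""
    atv = tlv(0x30, OID_CN + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))            # SEQUENCE { SET { SEQUENCE } }

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if length >= 0x80 or end > len(buf):
        raise ValueError("unsupported or truncated TLV")
    return tag, buf[pos + 2:end], end

def decode_cn(name):
    """Return (string_tag, text) of the CN in a name built by encode_name."""
    _, rdn_set, _ = read_tlv(name)              # strip outer SEQUENCE
    _, atv_seq, _ = read_tlv(rdn_set)           # strip SET
    _, atv, _ = read_tlv(atv_seq)               # strip AttributeTypeAndValue
    _, _, after_oid = read_tlv(atv)             # skip the OID
    tag, value, _ = read_tlv(atv, after_oid)
    return tag, value.decode("utf-8")

def binary_match(issuer, subject):
    """Name chaining by raw DER bytes, as a naive path builder does."""
    return issuer == subject

def text_match(issuer, subject):
    """Name chaining on the decoded text, ignoring the string type."""
    return decode_cn(issuer)[1] == decode_cn(subject)[1]

# Constructed sample: the issuer field of an older end-entity certificate
# (PrintableString) and the subject of the CA certificate after the CA
# re-encoded its name as UTF8String.
CN = "Constructed Test CA"
OLD_ISSUER = encode_name(CN, PRINTABLE)
NEW_SUBJECT = encode_name(CN, UTF8)
```

The two encodings differ only in the string tag byte, which is enough to make `binary_match` fail while `text_match` succeeds. RFC 3280 allows a validator to treat values of different string types as different names, which is why it describes name rollover certificates for the migration.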

(6)

Sample implementations

• In Java

– Worked on JDK 1.4

• Based on the Path Discovery/Path Validation API provided by the reference implementation.

• And additional Path Discovery/Path Validation logic for the multi domain PKI environment.

• In C++

– Worked on Microsoft Crypto API.

• Using the Windows original Revocation Service Provider and additional Path Discovery/Path Validation logic for the multi domain PKI environment.

(7)

Requirement of GPKI and implementations

[Table flattened in extraction; cell positions of the × marks are not recoverable. Rows and marks are given in extracted order.]

MUST

Name Constraints ×

MUST

Path Construction ×

MUST

×

CRL IDP *1 ×

MUST

×

× AIA / OCSP ×

MUST

policy mapping ×

MUST

Policy Constraints ×

MUST

Basic Constraints

Column headers: Requirement of GPKI; Sample Impl.; JDK1.4 Cert. Path lib.; Microsoft CryptoAPI Win-XP; Microsoft CryptoAPI Win-2000

*1 CRL IDP ( issuing distribution point )

(8)

Sample implementation for CryptoAPI

[Diagram labels: MS CryptoAPI; IE; Outlook Express; 3rd party APL.; Base Cryptographic Provider; Revocation Providers; Enhanced Cryptographic Provider; Cryptographic Service Providers (CSP); 3rd party Cryptographic Provider; 3rd party Revocation; VPN client; 802.1x supplicant; Outlook; OCSP; Cross Certificate]

(9)

Sample implementation for JAVA

GPKICertPathChecker

GPKICertPathBuilderSpi

GPKICertPathValidatorSpi

java.security.cert.*

We extend the original JDK's path builder/path checker interface.

(10)

To achieve a more applicable Test Suite ...

We need two references!!

• Provide a framework that is more applicable & reusable

• Easy to extract a minimal test case

– There are too many test cases … about 256 cases.

– Easily modified for your purpose: PKIX, GPKI, and other frameworks

Ready for Multi-domain PKI

Re-usable for others

No dependence on environment – runs on your local environment – maybe Linux or Cygwin?

Define multi-domain PKI

Define DB Schema to re-use

(11)

Related Links

NPO JNSA

– http://www.jnsa.org/english/e_index.html

IPA Security Center

– http://www.ipa.go.jp/security/index-e.html

JNSA Challenge PKI 2002

– http://www.jnsa.org/english/e_active2_10.html

Implementation Problems on PKI ( JNSA Challenge PKI 2001 )

– http://www.ipa.go.jp/security/fy13/report/pki_interop/chalange2001.html

The report of Challenge PKI in IETF Atlanta

– http://www.ietf.org/proceedings/02nov/slides/pkix-5.pdf

(12)

Demonstration
