Project

General

Profile

Actions

KeyChain Configuration

For release 0.1.0

Default configuration of KeyChain is moved from hardcoded source code to ~/.ndn/client.conf

...
pib=sqlite3
tpm=file ; SecTpmFile or osx-keychain if SecTpmOsx
...

Proposal for future release

The configuration file of KeyChain consists of pib (Public Information Base) and tpm (Trusted Platform Module).

pib ; Public Information Base
{
  type sqlite3 ; SecPublic
}
tpm ; Trust Platform Module
{
  type file
}

PIB

Right now, only one type of pib is supported: sqlite3 which corresponds to SecPublicInfoSqlite3.
But in a future release, we will support a new type of pib: service which corresponds to a system service.

ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.

TPM

Right now, two types of tpm is supported: osx-keychain and file which correspond to SecTpmOsx and SecTpmFile respectively.
But in a future release, we will support a new type of tpm: softhsm.

At least one tpm must be specified in a KeyChain configuration file.
The first tpm in a configuration file is taken as the primary tpm,
All the other tpms is taken as secondary tpms.
The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm.

In most cases, a KeyChain should use the primary tpm only.
Secondary tpm should be used cautiously.

One use case of secondary tpm is tpm transition.
In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm.
Application can still use private keys from both primary tpm and secondary tpm.
Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm.
And only the primary tpm should be kept in the configuration file after the transition.

Multiple-tpm is still possible, if it is really desired.
But you should be aware that KeyChain with multiple-tpm may have a bad signing performance because a private key will be looked up in these tpms one-by-one.

SecTpmOsx

tpm for SecTpmOsx should be specified as

tpm
{
  type osx-keychain ; required
}

ATTENTION!! At most one tpm for SecTpmOsx can be specified in a KeyChain configuration.

SecTpmFile

tpm for SecTpmFile should be specified as

tpm
{
  type file    ; required
  dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/
}

The property dir will be used identify a tpm instance of this type.
Therefore, with following configuration, the KeyChain still use only one tpm.

tpm
{
  type file
}
tpm
{
  type file
  dir /user/home/dir/.ndn/ndnsec-tpm-file
}

Updated by Davide Pesavento 8 months ago ยท 8 revisions