Project

General

Profile

KeyChainConf » History » Version 5

Yingdi Yu, 04/24/2014 05:01 PM

1 1 Yingdi Yu
KeyChain Configuration
2
======================
3
4 2 Yingdi Yu
The configuration file of `KeyChain` consists of **pib** (Public Information Base) and **tpm** (Trusted Platform Module).
5 1 Yingdi Yu
6
    pib ; Public Information Base
7
    {
8 4 Yingdi Yu
      type sqlite3 ; SecPublic
9 1 Yingdi Yu
    }
10
    tpm ; Trust Platform Module
11
    {
12 2 Yingdi Yu
      type file
13 1 Yingdi Yu
    }
14 2 Yingdi Yu
15 3 Yingdi Yu
## pib
16 2 Yingdi Yu
17
Right now, only one type of **pib** is suppported: **sqlite3** which corresponds to `SecPublicInfoSqlite3`.
18 4 Yingdi Yu
But in release 2.0, we will support an new type of pib: **service** which corresponds to a [[PublicInfoService|system service]]. 
19 1 Yingdi Yu
20 4 Yingdi Yu
<font color='red'>**ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.**</font>
21 1 Yingdi Yu
22
## tpm
23 4 Yingdi Yu
24
Right now, two types of **tpm** is supported: **osx-keychain** and **file** which correspond to `SecTpmOsx` and `SecTpmFile` respectively.
25
But in future relase, we will support an new type of tpm: **softhsm**.
26
27
At least one tpm must be specified in a KeyChain configuration file. 
28
The first tpm in a configuration file is taken as the **primary tpm**, 
29
All the other tpms is taken as **secondary tpms**.
30
The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm.
31
32
In most cases, a KeyChain should use the primary tpm only. 
33
<font color='red'>**Secondary tpm should be used cautiously.**</font>
34
35
One use case of secondary tpm is tpm transition.
36
In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm.
37
Application can still use private keys from both primary tpm and secondary tpm.
38
Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm.
39
And only the primary tpm should be kept in the configuration file after the transition.
40
41
Multiple-tpm is still possible, if it is really desired.
42
But you should be aware that **KeyChain with multiple-tpm may have a bad signing performance** because a private key will be looked up in these tpms one-by-one.
43
44
### `SecTpmOsx`
45
46
**tpm** for `SecTpmOsx` should be specified as
47
48
    tpm
49
    {
50
      type osx-keychain ; required
51
    }
52
53
<font color='red'>**ATTENTION!! At most one tpm for `SecTpmOsx` can be specified in a KeyChain configuration.**</font>
54
55
### `SecTpmFile`
56
57
**tpm** for `SecTpmFile` should be specified as 
58
59
    tpm
60
    {
61
      type file    ; required
62
      dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/
63
    }
64
65
The property **dir** will be used identify a tpm instance of this type.
66 5 Yingdi Yu
Therefore, with following configuration, the KeyChain still use only one tpm.
67 4 Yingdi Yu
68
    tpm
69
    {
70
      type file
71
    }
72
    tpm
73
    {
74
      type file
75
      dir /user/home/dir/.ndn/ndnsec-tpm-file
76
    }