
XiPKI

XiPKI (eXtensible sImple Public Key Infrastructure) consists of a CA and an OCSP responder.

Highly scalable and high-performance open source PKI (CA and OCSP responder), especially suitable for IoT, M2M and V2X.

License

  • XiPKI Commercial License
  • GNU AFFERO GENERAL PUBLIC LICENSE (AGPL) version 3

Owner

Lijun Liao (lijun.liao -A-T- gmail -D-O-T- com), LinkedIn

Community Support

Just drop me an email.

Prerequisite

Tested Platforms

  • Database

    • DB2
    • Oracle
    • Oracle RAC
    • PostgreSQL
    • MySQL
    • MariaDB
    • H2
    • HSQLDB
  • HSM

    • Thales nCipher Solo (PCI Card)
    • Thales nCipher Connect (network)
    • Utimaco Se
    • Softhsm v1 & v2
  • JVM

    • OpenJDK 8
    • Oracle JRE/JDK 8
  • OS

    • CentOS
    • Fedora
    • Redhat
    • SLES
    • Ubuntu
    • Windows
    • Mac OS
    • Raspbian (tested on Raspberry Pi 2 Model B)

Alternative: Download the Released Binary Package

Download the released binary package xipki-pki-<version>.tar.gz from the URL https://github.com/xipki/xipki/releases

Alternative: Build and Assembly from Source Code

  • Get a copy of XiPKI code

    git clone https://github.com/xipki/xipki

    (The unauthenticated git:// protocol is no longer served by GitHub; use HTTPS or SSH.)
  • Build

    • Install the third party artifacts that are not available in Maven repositories

      • In folder xipki/ext
        ./install.sh
    • Compile and install the artifacts

      In folder xipki

      mvn clean install
    • Assembly

      In folder xipki/dist/xipki-pki

      mvn clean package

Install

  • Copy the file xipki-pki-<version>.tar.gz to the destination folder

  • Unpack the assembled file

    In destination folder of the installation

    tar xvf xipki-pki-<version>.tar.gz

    The following steps use $XIPKI_HOME to point to the unpacked root folder

  • Adapt the database configuration (the configured database account needs read and write access)

    $XIPKI_HOME/xipki/ca-config/ca-db.properties
    $XIPKI_HOME/xipki/ca-config/ocsp-db.properties
  • If a real PKCS#11 device is used instead of the emulator:

    • In file etc/org.xipki.commons.security.pkcs11.cfg, change the pkcs11.confFile as follows:

      pkcs11.confFile = xipki/security/pkcs11-conf-hsm.xml
      
      #pkcs11.confFile = xipki/security/pkcs11-conf-emulator.xml
    • In file xipki/security/pkcs11-conf-hsm.xml, change the PKCS#11 configuration.

  • If the CA is behind an Apache httpd reverse proxy:

Run Demo

  • Delete folders $XIPKI_HOME/data and $XIPKI_HOME/output

  • Start XiPKI

    In folder $XIPKI_HOME

    bin/karaf

    Thales HSMs such as nCipher can use the Thales preload utility to manage the PKCS#11 sessions. In that case, start XiPKI as follows:

    preload bin/karaf

    If you get error like

    Error occurred during initialization of VM
    Could not reserve enough space for 2097152KB object heap

    please change the value of JAVA_MAX_MEM in the file bin/setenv or bin/setenv.bat.

    If you have changed the content within folder $XIPKI_HOME/etc or $XIPKI_HOME/system, please delete the folder $XIPKI_HOME/data before starting XiPKI.

  • Run the pre-configured OSGi-commands in OSGi console

In the OSGi console, call source xipki/demo/demo.script to demonstrate the whole life-cycle (key generation, database initialization, CA installation, certificate enrollment, OCSP server installation, OCSP status, etc.). The generated keys, certificates and CRLs are saved in the folder output, and the log files are located in the folder data/log.

Karaf Features

A Karaf feature can be installed in the OSGi console via the command feature:install <feature name> and uninstalled via the command feature:uninstall <feature name>. Feature names can be auto-completed with the TAB key.

A list of all available XiPKI features can be retrieved via the command feature:list | grep xipki in OSGi console.

Karaf Commands

Please refer to commands.md for more details.

Components

  • CA (Certification Authority)

    • X.509 Certificate v3 (RFC 5280)
    • X.509 CRL v2 (RFC 5280)
    • SCEP (draft-gutmann-scep-00, draft-nourse-scep-23)
    • EN 319 411 (eIDAS)
    • EN 319 412 (eIDAS)
    • Supported databases
      • Oracle
      • DB2
      • PostgreSQL
      • MySQL
      • MariaDB
      • H2
      • HSQLDB
    • Direct and indirect CRL
    • FullCRL and DeltaCRL
    • Customized extension to embed certificates in CRL
    • CMP (RFC 4210 and RFC 4211)
    • API to specify customized certificate profiles
    • Support of XML-based certificate profile
    • API to specify customized publisher, e.g. for LDAP and OCSP responder
    • Support of publisher for OCSP responder
    • Signature algorithms of certificates
      • SHA3-*withRSA: where * is 224, 256, 384 and 512
      • SHA3-*withRSAandMGF1: where * is 224, 256, 384 and 512
      • SHA3-*withECDSA: where * is 224, 256, 384 and 512
      • SHA3-*withDSA: where * is 224, 256, 384 and 512
      • SHA*withRSA: where * is 1, 224, 256, 384 and 512
      • SHA*withRSAandMGF1: where * is 1, 224, 256, 384 and 512
      • SHA*withECDSA: where * is 1, 224, 256, 384 and 512
      • SHA*withPlainECDSA: where * is 1, 224, 256, 384 and 512
      • SHA*withDSA: where * is 1, 224, 256, 384 and 512
  • Native support of X.509 extensions (other extensions can be supported by configuring them as blobs)

    • AdditionalInformation (German national standard CommonPKI)
    • Admission (German national standard CommonPKI)
    • AuthorityInformationAccess (RFC 5280)
    • AuthorityKeyIdentifier (RFC 5280)
    • BasicConstraints (RFC 5280)
    • BiometricInfo (RFC 3739)
    • CertificatePolicies (RFC 5280)
    • CRLDistributionPoints (RFC 5280)
    • ExtendedKeyUsage (RFC 5280)
    • FreshestCRL (RFC 5280)
    • InhibitAnyPolicy (RFC 5280)
    • IssuerAltName (RFC 5280)
    • KeyUsage (RFC 5280)
    • NameConstraints (RFC 5280)
    • OcspNoCheck (RFC 6960)
    • PolicyConstraints (RFC 5280)
    • PolicyMappings (RFC 5280)
    • PrivateKeyUsagePeriod (RFC 5280)
    • QCStatements (RFC 3739, eIDAS standard EN 319 412)
    • Restriction (German national standard CommonPKI)
    • SMIMECapabilities (RFC 4262)
    • SubjectAltName (RFC 5280)
    • SubjectDirectoryAttributes (RFC 3739)
    • SubjectInfoAccess (RFC 5280)
    • SubjectKeyIdentifier (RFC 5280)
    • TLSFeature (RFC 7633)
    • ValidityModel (German national standard CommonPKI)
  • Management of multiple CAs in one software instance

  • Support of database cluster

  • Multiple software instances (all can be in active mode) for the same CA

  • Native support of management of CA via embedded OSGi commands

  • API to specify CA management, e.g. GUI

  • Database tool (export and import of the CA database) simplifies switching databases, upgrading XiPKI and migrating from another CA system to XiPKI CA

  • Client to enroll, revoke, unrevoke and remove certificates, to generate and download CRLs

  • All configuration of CA except those of databases is saved in database

  • OCSP Responder

    • OCSP Responder (RFC 2560 and RFC 6960)
    • Support of Common PKI 2.0
    • Management of multiple certificate status sources
    • Support of certificate status source published by XiPKI CA
    • Support of certificate status source CRL and DeltaCRL
    • API to support proprietary certificate sources
    • Support of both unsigned and signed OCSP requests
    • Multiple software instances (all can be in active mode) for the same OCSP signer and certificate status sources.
    • Supported databases
      • Oracle
      • DB2
      • PostgreSQL
      • MySQL
      • MariaDB
      • H2
      • HSQLDB
    • Database tool (export and import of the OCSP database) simplifies switching databases, upgrading XiPKI and migrating from another OCSP system to XiPKI OCSP.
    • Client to send OCSP request
  • Key Tool (for both PKCS#12 and PKCS#11 tokens)

    • Generating keypairs of RSA, EC and DSA in token
    • Deleting keypairs and certificates from token
    • Updating certificates in token
    • Generating CSR (PKCS#10 request)
    • Exporting certificate from token
  • For both CA and OCSP Responder

    • Support of PKCS#12 and JKS keystore
    • Support of PKCS#11 devices, e.g. HSM
    • API to use customized key types, e.g. smartcard
    • High performance
    • OSGi-based (java), OS independent
    • Support of health check
    • Audit with syslog and slf4j
  • For CA, OCSP Responder and Key Tool

    • API to resolve password
    • Support of PBE (password based encryption) password resolver
      • All passwords can be encrypted by the master password
    • Support of OBF (as in jetty) password resolver
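
The CA feature list above names both SHA*withECDSA, whose signatures are X9.62 DER (a SEQUENCE of two INTEGERs r and s), and SHA*withPlainECDSA, whose signatures are the fixed-width concatenation r||s used by BSI TR-03111. A relying party that receives one encoding and expects the other has to convert, and a strict converter also catches malformed DER (non-minimal INTEGER or length encodings) that a lenient parser would accept. The following Python is an added example written for this page, not code from the XiPKI project; the 32-byte field width for P-256, the 66-byte width used as an upper bound, and the sample r and s values are constructed for illustration.

```python
"""Convert ECDSA signatures between X9.62 DER and "plain" (r||s) encodings.

Added example for this page; not XiPKI code. The curve field widths
(32 bytes for P-256, 66 as an upper bound) and the sample values are
constructed.
"""


def _der_len(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """Minimal encoding of a non-negative INTEGER body: a leading 0x00 is
    added only when the top bit would otherwise be set."""
    if v < 0:
        raise ValueError("r and s must be non-negative")
    return v.to_bytes((v.bit_length() + 8) // 8, "big")


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; returns (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        if ln < 0x80:
            raise ValueError("non-minimal length encoding")  # BER, not DER
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("TLV body runs past end of input")
    return tag, buf[pos:pos + ln], pos + ln


def _decode_int(body: bytes) -> int:
    """Strict DER INTEGER body -> int; rejects negative and non-minimal forms."""
    if not body:
        raise ValueError("empty INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER in signature")
    if len(body) > 1 and body[0] == 0 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big")


def plain_to_der(sig: bytes) -> bytes:
    """r||s (two equal-width fields) -> SEQUENCE { INTEGER r, INTEGER s }."""
    if len(sig) == 0 or len(sig) % 2:
        raise ValueError("plain signature must be two equal-width fields")
    half = len(sig) // 2
    r = int.from_bytes(sig[:half], "big")
    s = int.from_bytes(sig[half:], "big")
    return _tlv(0x30, _tlv(0x02, _der_int(r)) + _tlv(0x02, _der_int(s)))


def der_to_plain(der: bytes, field_len: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } -> r||s, each left-padded to field_len."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    t_r, r_body, pos = _read_tlv(body, 0)
    t_s, s_body, pos = _read_tlv(body, pos)
    if t_r != 0x02 or t_s != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    r, s = _decode_int(r_body), _decode_int(s_body)
    if r.bit_length() > 8 * field_len or s.bit_length() > 8 * field_len:
        raise ValueError("r or s wider than the curve field")
    return r.to_bytes(field_len, "big") + s.to_bytes(field_len, "big")


def is_strict_der_signature(der: bytes) -> bool:
    """True if der parses as a strictly DER-encoded ECDSA signature."""
    try:
        der_to_plain(der, 66)  # 66 bytes covers curves up to P-521
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed P-256 sample (32-byte fields): r = 1, s = 0x80.
    plain = (1).to_bytes(32, "big") + (0x80).to_bytes(32, "big")
    der = plain_to_der(plain)
    print(der.hex())  # 300702010102020080
    assert der_to_plain(der, 32) == plain
    # r encoded as 00 01 is valid BER but not DER: a strict parser rejects it.
    assert not is_strict_der_signature(bytes.fromhex("30080202000102020080"))
```

The plain encoding has no length ambiguity, so the converter only needs the curve field width; the DER side is where strictness matters, because two distinct byte strings for the same (r, s) would otherwise both verify.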

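The OBF password resolver listed above works "as in jetty", and Jetty's OBF scheme is an obfuscation, not encryption: there is no key, so anyone who can read the configuration file can recover the password. That is why the PBE resolver with a master password is the one to use when the configuration files may be readable by others, and why OBF: values deserve a flag in a configuration review. The following Python is an added example for this page, not code from XiPKI or Jetty; it reimplements the scheme of Jetty's org.eclipse.jetty.util.security.Password class so the weakness is visible, and assumes from the page's "as in jetty" wording that XiPKI's resolver is byte-compatible with it.

```python
"""Jetty-style OBF: password obfuscation (reversible, keyless).

Added example for this page; not XiPKI or Jetty code. Reimplements the
scheme of Jetty's Password class; that XiPKI's OBF resolver is
byte-compatible with it is an assumption based on "as in jetty".
"""

_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    if n == 0:
        return "0"
    out = ""
    while n:
        n, rem = divmod(n, 36)
        out = _DIGITS[rem] + out
    return out


def obfuscate(password: str) -> str:
    """Encode: byte i is paired with its mirror byte n-1-i and emitted as
    4 base36 chars ("U" + 4 chars when either byte is >= 0x80, i.e. a
    negative Java byte). No secret is involved anywhere."""
    data = password.encode("utf-8")
    n = len(data)
    parts = [_PREFIX]
    for i in range(n):
        b1, b2 = data[i], data[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            x = _base36(b1 * 256 + b2)
            parts.append("U" + x.rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _base36(i1 * 256 + i2)
            parts.append(x.rjust(4, "0"))
    return "".join(parts)


def deobfuscate(obf: str) -> str:
    """Decode: invert the arithmetic above. The mirror byte is redundant;
    only the original byte is recovered from each group."""
    if obf.startswith(_PREFIX):
        obf = obf[len(_PREFIX):]
    out = bytearray()
    i = 0
    while i < len(obf):
        if obf[i] == "U":
            i += 1
            value = int(obf[i:i + 4], 36)
            out.append((value >> 8) & 0xFF)            # high byte is b1
        else:
            value = int(obf[i:i + 4], 36)
            i1, i2 = divmod(value, 256)
            out.append(((i1 + i2 - 254) // 2) & 0xFF)  # (2 * b1) / 2
        i += 4
    return out.decode("utf-8")


def is_obfuscated(value: str) -> bool:
    """Configuration values with the OBF: prefix are recoverable by anyone
    who can read the file; flag them in a config review."""
    return value.startswith(_PREFIX)


if __name__ == "__main__":
    token = obfuscate("password")
    print(token)               # OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
    print(deobfuscate(token))  # password
```

Run it against a value copied from a configuration file: if deobfuscate returns the password, the file is the only thing protecting it, and file permissions on $XIPKI_HOME plus the PBE resolver are the controls that actually matter.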