Security Policy
Armando Carratala
Julio D'Angelo
Nestor Markowicz
SecurityPolicy defines security attributes and behavior applied to the profileName or KeyStore.
This policy is applied during profile initialization, but it is sometimes also used during certificate installation, so it must be passed to several methods of the certificate provider.
There are specific policies for each kind of keystore, but not every keystore has one. Sometimes it is not possible to change some default values defined by the keystore or the profile itself. In that case, a default policy, using an empty JSON file, must be used.
The following specific policies and values can be used:
Microsoft CryptoAPI security policy
{ "exportable": true, "protectionLevel": 1, "description": "John Doe - Digicert", "friendlyName": "Sign and Authenticate services", "title": "Digital Certificate" }
Field | Description | Default |
---|---|---|
exportable | Indicates if the certificate can be exported from this repository. | true |
protectionLevel | Value in [0..2] indicating the level of protection for access to the private key. With 1, users must approve access to the key. With 2, the user must protect the key with a password. | 0 |
description | Name of the keystore where the certificate will be stored. | |
friendlyName | Friendly name that makes the certificate easier to identify. | |
title | Title of the certificate to protect. | |
Password security policy
Used by PFX/P12 keystores
{ "passComplexity" : 2, "passMinLength" : 5 }
Field | Description | Default |
---|---|---|
passComplexity | Integer value [1..4]. It indicates how many different character groups must be used in a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol. | 2 |
passMinLength | Minimum password length, in characters. | 6 |
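The check this table describes, as an added example that is not Alison code: `checkPassword` (a hypothetical name) counts which of the four groups a candidate password uses and compares length and group count against the policy, falling back to the documented defaults. Matching the groups on ASCII ranges, and counting every other character as a symbol, are assumptions.

```javascript
// Added example, not Alison code. Defaults come from the table above.
const PASSWORD_DEFAULTS = { passComplexity: 2, passMinLength: 6 };

// Assumption: groups are matched on ASCII ranges, and every character that is
// not an ASCII letter or digit counts as a symbol.
const GROUPS = {
  uppercase: /[A-Z]/,
  lowercase: /[a-z]/,
  number: /[0-9]/,
  symbol: /[^A-Za-z0-9]/,
};

function checkPassword(password, policy = {}) {
  const { passComplexity, passMinLength } = { ...PASSWORD_DEFAULTS, ...policy };
  if (!Number.isInteger(passComplexity) || passComplexity < 1 || passComplexity > 4) {
    throw new RangeError("passComplexity must be an integer in [1..4]");
  }
  if (!Number.isInteger(passMinLength) || passMinLength < 0) {
    throw new RangeError("passMinLength must be a non-negative integer");
  }

  const groupsUsed = Object.keys(GROUPS).filter((name) => GROUPS[name].test(password));
  const length = [...password].length; // count code points, not UTF-16 units
  const errors = [];
  if (length < passMinLength) {
    errors.push(`length ${length} is below passMinLength ${passMinLength}`);
  }
  if (groupsUsed.length < passComplexity) {
    errors.push(`uses ${groupsUsed.length} group(s), passComplexity requires ${passComplexity}`);
  }
  return { ok: errors.length === 0, groupsUsed, errors };
}

// The page's sample policy accepts a 5-character password that the defaults reject.
const samplePasswordPolicy = { passComplexity: 2, passMinLength: 5 };
console.log(checkPassword("abc12", samplePasswordPolicy).ok, checkPassword("abc12").ok);
```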
Device security policy
Used by some kinds of devices
{ "installDummy" : false, "generateOnBoard" : true, "modelTemplate" : "RIJKSPAS-qsign" }
Field | Description | Default |
---|---|---|
generateOnBoard | Indicates whether the keypair must be generated inside the device. | true |
installDummy | After the keypair generation, a dummy certificate is created and installed into the device to register the key. This certificate is overwritten when the final certificate is issued and installed. | false |
modelTemplate | Overrides the default model template used to generate or import keys. A programmer can select a model template specific to a smartcard model and its behaviors. If no model is selected, "TOKEN-default", which is for generic smartcards, is applied. Check the list of available models. | null |
Note: for specific information about each model, please refer to the related product documentation.
ModelTemplate | Description | Desktop Version |
---|---|---|
TOKEN-default | General PKCS11 device. | +3.2.1 |
RIJKSPAS-default | For IDEMIA smartcard, Multi-PIN mode enabled. | +3.2.1 |
RIJKSPAS-protected | For IDEMIA smartcard, Multi-PIN mode enabled. | +3.2.1 |
RIJKSPAS-qsign | For IDEMIA smartcard, Multi-PIN mode enabled, QSign enabled. | +3.2.1 |
YUBIKEY-digital-signature | For Yubico PIV devices, to access digital-signature certificate slot | +3.3.0 |
YUBIKEY-card-authentication | For Yubico PIV devices, to access card-authentication certificate slot | +3.3.0 |
YUBIKEY-key-management | For Yubico PIV devices, to access key-management certificate slot | +3.3.0 |
YUBIKEY-authentication | For Yubico PIV devices, to access authentication certificate slot | +3.3.0 |
PKCS11 security policy
Used by PKCS11 keystores
{ "passComplexity" : 2, "passMinLength" : 5, "installDummy" : false, "generateOnBoard" : true }
It combines the features of the Password and Device security policies. This policy is used when the device can be initialized during keypair generation and a new password must be entered to protect the key.
CSK security policy
Used on Alison KeyStore profiles.
{ "id": "polIdv-A", "passComplexity": 3, "passMinLength": 8, "passExpiration": 365, "passLockCount": 10, "lockTimeout": 15, "idleTimeout": 10, "certExport": 15 }
Field | Description | Default |
---|---|---|
id | Unique ID used to identify the security password applied. | |
passComplexity | Integer value [1..4]. It indicates how many different character groups must be used in a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol. | 2 |
passMinLength | Minimum password length, in characters. | 6 |
passExpiration | Days of password validity. 30 days before expiration, the profile returns a warning code (CLOSE_TO_EXPIRE). Use 0 to disable this feature. | 0 |
passLockCount | Number of invalid login attempts before the profile is locked. | 10 |
lockTimeout | Minutes to wait when the profile is locked. After the profile is unlocked, the user can try 1 more time. A value of 0 indicates that the profile must be locked permanently if the user fails passLockCount times. | 20 |
idleTimeout | Minutes the profile is kept open without requiring a new password. | 10 |
certExport | Mask indicating whether the certificate can be exported. 0 indicates that certificates installed on the profile can't be exported. 15 enables export to PKCS12 files and other kinds of devices. | 15 |
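A review helper for the CSK fields above, as an added example that is not Alison code: `reviewCskPolicy` (a hypothetical name) fills omitted fields with the documented defaults, reports keys the table does not list, and states what the effective lockout, expiration and export values mean. How the product itself treats an unknown key is not covered on this page; the helper only reports it.

```javascript
// Added example, not Alison code. Defaults are copied from the CSK table above.
const CSK_DEFAULTS = {
  passComplexity: 2, passMinLength: 6, passExpiration: 0, passLockCount: 10,
  lockTimeout: 20, idleTimeout: 10, certExport: 15,
};

// Returns the effective policy plus validation errors and behaviour notes.
function reviewCskPolicy(policy) {
  const effective = { ...CSK_DEFAULTS, ...policy };
  const errors = [];
  const notes = [];

  // A misspelled key is not a documented field; the intended field stays at its default.
  for (const key of Object.keys(policy)) {
    if (key !== "id" && !Object.keys(CSK_DEFAULTS).includes(key)) {
      errors.push(`${key}: not a documented CSK field`);
    }
  }
  for (const key of Object.keys(CSK_DEFAULTS)) {
    const value = effective[key];
    if (!Number.isInteger(value) || value < 0) errors.push(`${key}: expected a non-negative integer`);
  }
  if (effective.passComplexity < 1 || effective.passComplexity > 4) {
    errors.push("passComplexity: must be in [1..4]");
  }

  notes.push(effective.passExpiration === 0
    ? "password expiration disabled"
    : `password expires after ${effective.passExpiration} days`);
  notes.push(effective.lockTimeout === 0
    ? `permanent lock after ${effective.passLockCount} failed logins`
    : `${effective.lockTimeout}-minute lock after ${effective.passLockCount} failed logins`);
  if (effective.certExport === 0) notes.push("certificate export disabled");
  else if (effective.certExport === 15) notes.push("certificate export enabled");
  else notes.push(`certExport ${effective.certExport}: mask value not described on this page`);

  return { effective, errors, notes };
}

// The sample policy shown in this section.
const sampleCskPolicy = { id: "polIdv-A", passComplexity: 3, passMinLength: 8, passExpiration: 365,
  passLockCount: 10, lockTimeout: 15, idleTimeout: 10, certExport: 15 };
console.log(reviewCskPolicy(sampleCskPolicy).notes);
```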
Related Product
AlisonJS
Alison SDK allows a developer to integrate Alison Desktop into their pages more easily. Go to the AlisonJS documentation.
Alison Wizard
You can obtain the current version of Alison Desktop from the ACME Alison Wizard site.
For developers, go to the Alison Desktop documentation.