The following security features and enhancements have been added to the Solaris 10 8/07 release.
The Solaris Key Management Framework (KMF) provides tools and programming interfaces for managing public key (PKI) objects. The pktool command enables the administrator to manage PKI objects in nss, pkcs11, and file-based keystores from a single utility.
The API layer enables the developer to specify the type of keystore to be used. KMF also provides plug-in modules for these PKI technologies. These plug-in modules enable developers to write new applications to use any of the supported keystores.
KMF has a unique feature that provides a system-wide policy database that KMF applications can use regardless of the type of keystore. By using the kmfcfg command, the administrator can create policy definitions in a global database. KMF applications can then choose a policy to enforce, so that all subsequent KMF operations are constrained by the policy being enforced. Policy definitions include rules for the following:
Strategy for performing validations
Key usage and extended key usage requirements
Trust anchor definitions
CRL DB parameters (for example, location)
For more information, see the following:
pktool(1) man page
kmfcfg(1) man page
Starting with this release, the libmd library provides implementations of the cryptographic hash algorithms MD4, MD5, SHA1, and SHA2 (which comprises SHA256, SHA384, and SHA512) through lightweight APIs. For more information about these APIs and the functions offered by libmd, see the following man pages:
The Solaris Cryptographic Framework feature provides protection of signing keys in a token device. The elfsign command also displays more information about signatures and certificates.
For more information, see the elfsign(1) man page.
The Encryption Kit packages, SUNWcry and SUNWcryr, are included by default with the Solaris 10 8/07 software. Full-strength cryptography for the Solaris Cryptographic Framework, Kerberos, and OpenSSL is now installed by default.