wli.5 (2011 03)
wli(5) Optional WLI Product Required wli(5)
wliadm(1M).
WLI verification of executables is a two-step process. First, the integrity of the signature metadata stored
within the executable is verified, including the public key fingerprint. The public key must be authorized
if it is not specified with the -c option. Second, the public key is used to verify the content of the entire
executable. Following the RSA standard, critical binary sections are cryptographically hashed to obtain a
digest. The signature is decrypted with the public key to recover the signature digest. If the two digests
are identical, the executable is authentic.
KEY GENERATION
Many WLI command options require a private key for authorization of the operations they perform and
generation of cryptographic signatures. All WLI keys, public and private, must be stored in regular files
in PEM format. Private keys are created with OpenSSL genrsa(1). The public key is then extracted from
the private key with OpenSSL rsa(1). Supported key lengths are 512, 1024, 1536 and 2048 bytes. For
secure environments, a key length of at least 2048 bits is highly recommended by HP. For more information
and recommendations on RSA keys, see http://www.rsa.com/rsalabs or other security sources.
A passphrase is highly recommended on all private keys. If a private key requires a passphrase and it is
not given explicitly on the command line, it will be prompted for. There are numerous sources discussing
passphrase strength. One recommendation is: http://en.wikipedia.org/wiki/Passphrase
PASSPHRASE RETRIEVAL
For all WLI commands requiring a passphrase to unwrap an encrypted RSA private key, a command-line
option can be used to specify whence the passphrase is retrieved. For all such commands, the option is of
the form -p keyword:keyval, where keyword:keyval determines how the passphrase is retrieved.
There are six possible means of retrieving the passphrase:

-p option omitted
    If -p is omitted from the command, the passphrase is read from the terminal with the prompt
    "RSA key passphrase" and echoing turned off. The /dev/tty device is used to read the
    passphrase value.

-p stdin
    The passphrase is read from standard input (file descriptor 0) with echoing on and no prompt.
    Because the passphrase is echoed at the terminal, this is less secure than omission of the
    -p option described above.

-p pass:passphrase
    The passphrase is passphrase. This form is considered insecure because the passphrase is
    echoed. Not recommended when security is important.

-p env:var
    The value of environment variable var is the passphrase.

-p file:pathname
    The file given by pathname contains the passphrase. pathname may be a regular file, special
    file or named pipe. If the passphrase has been written to the file with a newline (\n) as the
    last character in the string, the newline will be removed. Some commands (examples: vi(1),
    echo(1)) insert a newline in a text string as part of a file write operation.

-p fd:number
    The passphrase is read from file descriptor number. This option is convenient for reading a
    passphrase through a pipe, as might be implemented within a script.
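The following is an added example, not code from this manpage or from HP's WLI product. It uses
only OpenSSL to show the three mechanisms the KEY GENERATION, PASSPHRASE RETRIEVAL and
verification sections describe: creating a passphrase-wrapped RSA private key and extracting its
public key with genrsa(1) and rsa(1), handing the passphrase to a command through a file descriptor
(and through an environment variable) rather than on the command line, and signing a file and then
verifying it so that the content digest is compared against the digest recovered from the signature.
The WLI commands themselves are not run; openssl's -passin/-passout options accept the same pass:,
env:, file:, fd: and stdin forms as the WLI -p option and stand in for it. All file names and the
passphrase are constructed, and openssl 1.1 or 3.x on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from wli(5) or the WLI product: key generation, passphrase
# delivery over a file descriptor, and sign/verify with a digest comparison, using
# OpenSSL only. Assumes openssl 1.1 or 3.x on PATH. All names below are constructed.

WORK=$(mktemp -d)
PRIVKEY="$WORK/wli_priv.pem"
PUBKEY="$WORK/wli_pub.pem"
PASSFILE="$WORK/passphrase"

# Constructed sample passphrase. echo appends a newline; as the page notes for the
# file: form, the consumer strips a trailing newline, and openssl does the same.
umask 077
echo "correct horse battery staple" > "$PASSFILE"

# Key generation: a 2048-bit RSA private key wrapped with AES-256 under the passphrase,
# then the public key extracted from it. The passphrase is read from fd 3 (the fd:
# form), so it never appears on the command line or in the process list.
gen_keys() {
    openssl genrsa -aes256 -passout fd:3 -out "$PRIVKEY" 2048 3< "$PASSFILE" 2>/dev/null &&
    openssl rsa -in "$PRIVKEY" -passin fd:3 -pubout -out "$PUBKEY" 3< "$PASSFILE" 2>/dev/null
}

# Fingerprint of the public key: SHA-256 over its DER encoding, as one hex string.
pubkey_fingerprint() {
    openssl rsa -pubin -in "$PUBKEY" -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The env: form of passphrase retrieval: unlock the private key with the passphrase
# taken from an environment variable scoped to this single command. Exit 0 on success.
unlock_via_env() {
    WLI_PASSPHRASE=$(cat "$PASSFILE") openssl rsa -in "$PRIVKEY" -passin env:WLI_PASSPHRASE -noout 2>/dev/null
}

# Sign: hash the file with SHA-256 and encrypt the digest with the private key.
sign_file() {   # $1 = file to sign, $2 = where to write the signature
    openssl dgst -sha256 -sign "$PRIVKEY" -passin fd:3 -out "$2" "$1" 3< "$PASSFILE"
}

# Verify: recompute the file's digest, recover the signed digest with the public key,
# and compare. Exit status 0 means the two digests match (openssl prints "Verified OK").
verify_file() { # $1 = file, $2 = signature
    openssl dgst -sha256 -verify "$PUBKEY" -signature "$2" "$1"
}

# Exercise the flow on a constructed stand-in for an executable.
gen_keys
printf 'constructed sample executable contents\n' > "$WORK/prog"
sign_file "$WORK/prog" "$WORK/prog.sig"
verify_file "$WORK/prog" "$WORK/prog.sig" && INTACT=ok || INTACT=fail

# Appending one byte changes the content digest, so the same signature no longer matches.
cp "$WORK/prog" "$WORK/prog.tampered"
printf 'X' >> "$WORK/prog.tampered"
verify_file "$WORK/prog.tampered" "$WORK/prog.sig" 2>/dev/null && TAMPERED=ok || TAMPERED=fail

echo "public key fingerprint: $(pubkey_fingerprint)"
echo "intact file: $INTACT   tampered file: $TAMPERED"
```

The `3< "$PASSFILE"` redirection on each openssl call is the scripted equivalent of the `-p fd:number`
form: the passphrase reaches the process on a descriptor it reads once, instead of being visible in
`ps` output (the `pass:` form) or typed at a terminal with echo on (the `stdin` form). A named pipe
or a here-document works the same way on fd 3.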
COMMANDS, LIBRARY, AND CONFIGURATION FILES
WLI provides the following manpages.

wlipolicy(1)   Manage WLI file access policies.
wlisign(1)     Manage executable signatures.
wlitool(1)     Sign ELF executable files.
wliwrap(1)     Run commands with WLI capabilities.
wlixfr(1)      Transfer policies from one file to another.
HP-UX 11iv3: Sep 2010 Web Release − 3 − Hewlett-Packard Company 3