Scute: feature request: Support CKA_TRUSTED attribute on X.509 certs
simon at josefsson.org
Mon May 14 14:21:59 CEST 2007
Marcus Brinkmann <marcus.brinkmann at ruhr-uni-bochum.de> writes:
> sorry this didn't get sent out earlier, it was stuck in my drafts box.
> At Tue, 24 Apr 2007 11:32:41 +0200,
> 'Werner Koch' wrote:
>> On Mon, 23 Apr 2007 11:35, simon at josefsson.org said:
>> > Thanks. Btw, do you know what the best way to find out which
>> > certificate corresponds to a private key? Using the key id seems
>> > somewhat fragile, but it is what I'll use unless I learn of a better
>> > way.
>> GnuPG uses a thing called keygrip
>> unsigned char *gcry_pk_get_keygrip (gcry_sexp_t key, unsigned char *array)
> We only export the fingerprint in the PKCS #11 token data (via
> CKA_ID). I don't think there is a good space to export the grip as
> well. Shouldn't the fingerprint be good enough?
Yes, it has worked fine. My logic is to search for the CKA_IDs of
certificates and keys, and if they match, I assume the certificate is
the user certificate. I don't really care about whether the data is a
fingerprint or keygrip, just that it is persistent and memcmps properly.
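
The CKA_ID pairing discussed in this thread, sketched as an added example (not code from the original post or from Scute). The `token_obj` struct, `find_cert_for_key` and the sample IDs are hypothetical and constructed; the point is the length check before `memcmp` and the handling of empty or duplicate IDs.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a token object; a real client would fill it from
   CKA_CLASS and CKA_ID via C_GetAttributeValue. */
enum obj_class { OBJ_CERTIFICATE, OBJ_PRIVATE_KEY };
struct token_obj {
    enum obj_class cls;
    const unsigned char *id;   /* CKA_ID value */
    size_t id_len;             /* CKA_ID length in bytes */
};

/* IDs match only if both are non-empty, equally long and byte-identical.
   Checking the length first keeps memcmp inside both buffers and stops a
   prefix from counting as a match. */
static int id_equal(const struct token_obj *a, const struct token_obj *b)
{
    if (a->id == NULL || b->id == NULL || a->id_len == 0)
        return 0;
    return a->id_len == b->id_len && memcmp(a->id, b->id, a->id_len) == 0;
}

/* Index of the single certificate whose CKA_ID equals the key's;
   -1 if none (or key_idx is not a private key), -2 if ambiguous. */
int find_cert_for_key(const struct token_obj *objs, size_t n, size_t key_idx)
{
    int found = -1;
    if (key_idx >= n || objs[key_idx].cls != OBJ_PRIVATE_KEY)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (objs[i].cls != OBJ_CERTIFICATE || !id_equal(&objs[i], &objs[key_idx]))
            continue;
        if (found >= 0)
            return -2;
        found = (int)i;
    }
    return found;
}

/* Constructed sample data, not taken from a real token. */
static const unsigned char ID_A[] = { 0x01, 0x02, 0x03, 0x04 };
static const unsigned char ID_A_PREFIX[] = { 0x01, 0x02, 0x03 };
static const unsigned char ID_B[] = { 0xaa, 0xbb, 0xcc, 0xdd };
const struct token_obj SAMPLE[] = {
    { OBJ_CERTIFICATE, ID_A_PREFIX, sizeof ID_A_PREFIX },
    { OBJ_CERTIFICATE, ID_A, sizeof ID_A },
    { OBJ_PRIVATE_KEY, ID_A, sizeof ID_A },
    { OBJ_PRIVATE_KEY, ID_B, sizeof ID_B },
    { OBJ_PRIVATE_KEY, NULL, 0 },
};
```

A caller that gets -2 should refuse to pick a certificate rather than take the first match, since the ID alone no longer identifies the user certificate.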