Scute: feature request: Support CKA_TRUSTED attribute on X.509 certs

Werner Koch wk at
Tue Apr 24 11:32:41 CEST 2007

On Mon, 23 Apr 2007 11:35, simon at said:

> Thanks.  Btw, do you know what the best way to find out which
> certificate correspond to a private key?  Using the key id seems
> somewhat fragile, but it is what I'll use unless I learn of a better
> way.

GnuPG uses a thing called keygrip

 unsigned char *gcry_pk_get_keygrip (gcry_sexp_t key, unsigned char *array)

  Return the so called "keygrip" which is the SHA-1 hash of the public
  key parameters expressed in a way depended on the algorithm.
  @var{array} must either provide space for 20 bytes or be
  @code{NULL}. In the latter case a newly allocated array of that size
  is returned.  On success a pointer to the newly allocated space or to
  @var{array} is returned.  @code{NULL} is returned to indicate an error
  which is most likely an unknown algorithm or one where a "keygrip" has
  not yet been defined.  The function accepts public or secret keys in

This might return more than one certificate in case a CA has reissued a
one.  With gpgsm you can select keys based on there keygrip using 

  gpgsm -k '&1122334455667788990011223344556677889900'

The ampersand indicates a keygrip.  Needs to be implemented for gpg2,



More information about the Gnupg-devel mailing list