Scute: feature request: Support CKA_TRUSTED attribute on X.509 certs

Simon Josefsson simon at
Mon May 14 14:21:59 CEST 2007

Marcus Brinkmann <marcus.brinkmann at> writes:

> Hi,
> sorry this didn't get sent out earlier, it was stuck in my drafts box.
> At Tue, 24 Apr 2007 11:32:41 +0200,
> 'Werner Koch' wrote:
>> On Mon, 23 Apr 2007 11:35, simon at said:
>> > Thanks.  Btw, do you know what the best way to find out which
>> > certificate correspond to a private key?  Using the key id seems
>> > somewhat fragile, but it is what I'll use unless I learn of a better
>> > way.
>> GnuPG uses a thing called keygrip
>>  unsigned char *gcry_pk_get_keygrip (gcry_sexp_t key, unsigned char *array)
> We only export the fingerprint in the PKCS #11 token data (via
> CKA_ID).  I don't think there is a good space to export the grip as
> well.  Shouldn't the fingerprint be good enough?

Yes it has worked fine.  My logic is to search for the CKA_ID's of
certificates and keys, and if they match, I assume the certificate is
the user certificate.  I don't really care about whether the data is a
fingerprint or keygrip, just that it is persistant and memcmp properly.


More information about the Gnupg-devel mailing list