[gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Aug 6 14:50:06 CEST 2014


On Wed, Aug 6, 2014 at 2:34 PM, Wolfgang Meyer zu Bergsten
<w.bergsten at sirrix.com> wrote:
> Hello
>>>> Wouldn't it be better if both unwrap and fixed exponent were set
>>>> using special flags? That is, create the flags, e.g.,
>>>> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP,
>>>> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific
>>>> functionality for the key.
>>> Regarding the exponent, 0x10001 is the standard exponent that is used by
>>> PKCS#11 libraries if no CKA_PUBLIC_EXPONENT is provided. So stating it
>>> explicitly only improves compatibility with some PKCS#11 providers.
>>> (see
>>> http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html)
>>> Thus the library behaviour does not change and the flag should not be
>>> necessary. Do you still want the change?
>>> Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according
>>> to your proposal.
>> That makes sense. I.e., only the wrap and unwrap flags are needed.
> I added just one flag GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP because:
> * KEY_WRAP without KEY_UNWRAP are corresponding to the public vs.
>   private part of the key and I cannot think of uses that require just
>   one parameter to be set. Therefore only one flag.
> * the parameter gets passed into the function like the other _OBJ_
>   flags. Therefore the name.
> If you have any objections, I will change things accordingly.

Applied, thank you.


