[gnutls-devel] PKCS 11, public key from a private key
jan.vcelak at nic.cz
Fri Dec 18 13:34:27 CET 2015
> >> For a fix to make gnutls_pubkey_import_privkey() available with all
> >> keys, an alternative is for the import function to reconstruct the
> >> public key from the private key. I'll check how feasible is that.
> > I don't think this will be possible. The private key material is present
> > in the token, so the token would have to do the reconstruction.
> I'm still thinking whether gnutls_pubkey_import_privkey() should work
> with these keys or we simply return an error. How did you solve that?
I wonder if CKA_ID for a public key object and a corresponding private key
object have to match. I'm quite certain that they have to. Because this
attribute is used in certificates to uniquely identify matching key pairs.
So I think one solution is obvious: Use the CKA_ID to get a CKO_PUBLIC_KEY
object from the token to initialize the gnutls_pubkey_t structure.
As for my case: I haven't fixed it yet. I'm using RSA keys for testing and
I know that ECDSA is broken. But I intend to import public keys explicitly
using gnutls_pubkey_import_url() instead of gnutls_pubkey_import_privkey().
This is a safe bet.
More information about the Gnutls-devel