[gnutls-devel] PKCS 11, public key from a private key
jan.vcelak at nic.cz
Fri Dec 18 14:14:23 CET 2015
> > I wonder if CKA_ID for a public key object and a corresponding private key
> > object have to match. I'm quite certain that they have to. Because this
> > attribute is used in certificates to uniquely identify matching key pairs.
> > So I think one solution is obvious: Use the CKA_ID to get a CKO_PUBLIC_KEY
> > object from the token to initialize the gnutls_pubkey_t structure.
> Unfortunately there is no guarantee for the IDs to match. It is merely
> a convention. Even worse, the public object cannot be assumed to be
> accessible without any user interaction (it may be marked as sensitive
> and require the user to put a password into a pinpad).
Currently, the RSA public key is also constructed from the private key object,
which will be marked as sensitive for sure. So that's not a huge difference.
Anyway, if the IDs are not guaranteed to match, I would rather go for the
second proposed solution: Make the gnutls_pubkey_import_privkey() function
always fail for PKCS #11.
It's better than inventing some unreliable workaround. The implicit import of
the public key will always work. And if it doesn't, then the cause is obvious.
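The lookup this thread argues for, as an added example that is not GnuTLS code: resolve the public object by CKA_ID, but confirm the pair through the public components that remain readable on the private object, and fail closed when the public object needs a login. The in-memory token, object dicts, labels and key numbers are constructed stand-ins for a real PKCS #11 module.

```python
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = 2, 3  # object class values from the PKCS #11 spec

class PublicObjectUnavailable(Exception):
    """No usable CKO_PUBLIC_KEY, or it needs a login the caller cannot perform."""

class KeyPairMismatch(Exception):
    """Objects share a CKA_ID but are not the same RSA key pair."""

def find_public_for_private(token, priv, logged_in):
    """Return the public key object that really belongs to `priv`.

    CKA_ID is only a convention, so each CKA_ID match is compared against the
    public components readable from the private object (CKA_MODULUS and
    CKA_PUBLIC_EXPONENT stay readable even when the key is CKA_SENSITIVE).
    A candidate that needs a login we do not have is reported, not skipped,
    so the caller fails closed instead of guessing.
    """
    candidates = [o for o in token
                  if o["CKA_CLASS"] == CKO_PUBLIC_KEY and o["CKA_ID"] == priv["CKA_ID"]]
    if not candidates:
        raise PublicObjectUnavailable("no CKO_PUBLIC_KEY with CKA_ID %r" % priv["CKA_ID"])
    for pub in candidates:
        if pub.get("CKA_PRIVATE", False) and not logged_in:
            raise PublicObjectUnavailable("public object is readable only after login")
        if (pub["CKA_MODULUS"], pub["CKA_PUBLIC_EXPONENT"]) == \
           (priv["CKA_MODULUS"], priv["CKA_PUBLIC_EXPONENT"]):
            return pub
    raise KeyPairMismatch("CKA_ID %r matches but modulus/exponent differ" % priv["CKA_ID"])

def obj(cls, cid, n, e, **extra):
    return dict(CKA_CLASS=cls, CKA_ID=cid, CKA_MODULUS=n, CKA_PUBLIC_EXPONENT=e, **extra)

TOKEN = [  # constructed in-memory token; toy-sized values, not real keys
    obj(CKO_PRIVATE_KEY, b"\x01", 3233, 17, CKA_PRIVATE=True),
    obj(CKO_PUBLIC_KEY, b"\x01", 2773, 17),                  # stale object with the same CKA_ID
    obj(CKO_PUBLIC_KEY, b"\x01", 3233, 17, CKA_LABEL="good"),
    obj(CKO_PRIVATE_KEY, b"\x02", 3127, 3, CKA_PRIVATE=True),
    obj(CKO_PUBLIC_KEY, b"\x02", 3127, 3, CKA_PRIVATE=True),  # public object readable only after login
    obj(CKO_PRIVATE_KEY, b"\x03", 3599, 7, CKA_PRIVATE=True),
    obj(CKO_PUBLIC_KEY, b"\x03", 3599, 11),                  # same CKA_ID, different public exponent
]

def lookup(priv_id, logged_in=False):
    """Resolve a private key by CKA_ID; return ('ok', label) or ('error', reason)."""
    priv = next(o for o in TOKEN if o["CKA_CLASS"] == CKO_PRIVATE_KEY and o["CKA_ID"] == priv_id)
    try:
        return ("ok", find_public_for_private(TOKEN, priv, logged_in).get("CKA_LABEL"))
    except (PublicObjectUnavailable, KeyPairMismatch) as exc:
        return ("error", type(exc).__name__)
```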