[gnutls-devel] PKCS 11, public key from a private key

Jan Včelák jan.vcelak at nic.cz
Fri Dec 18 14:14:23 CET 2015


> > I wonder if CKA_ID for a public key object and a corresponding private key
> > object have to match. I'm quite certain that they have to. Because this
> > attribute is used in certificates to uniquely identify matching key pairs.
> > So I think one solution is obvious: Use the CKA_ID to get a CKO_PUBLIC_KEY
> > object from the token to initialize the gnutls_pubkey_t structure.
> 
> Unfortunately there is no guarantee for the IDs to match. It is merely
> a convention. Even worse the public object cannot be assumed to be
> accessible without any user interaction (it may be marked as sensitive
> and require the user to put a password into pinpad).

Currently, the RSA public key is also constructed from the private key object,
which will be marked as sensitive for sure. So that's not a huge difference.

Anyway, if the IDs are not guaranteed to match, I would rather go for the
second proposed solution: Make the gnutls_pubkey_import_privkey() function
always fail for PKCS #11.

It's better than inventing some unreliable workaround. The implicit import of 
the public key will always work. And if it doesn't, then the cause is obvious.

Cheers,

Jan
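
The two failure modes discussed in this thread (a CKO_PUBLIC_KEY whose CKA_ID matches by convention but is not actually the partner of the private key, and objects that cannot be read without a PIN) can be modelled without a real token. The following is an added example, not GnuTLS code and not from the thread: it uses a constructed toy token with tiny textbook RSA numbers, treats CKA_PRIVATE as the "needs login" flag, and checks a candidate public key with a sign/verify round trip instead of trusting CKA_ID alone, falling back to the CKA_MODULUS/CKA_PUBLIC_EXPONENT attributes of the private key object, and otherwise failing with an explicit error.

```python
"""Resolve the public key for a PKCS#11 private key handle (toy model).

Constructed for this example: no real PKCS#11 module is used, the RSA
parameters are tiny textbook values, and raw RSA on an integer stands in
for a real signature scheme.  Attribute names follow PKCS#11.
"""

CKO_PUBLIC_KEY = "CKO_PUBLIC_KEY"
CKO_PRIVATE_KEY = "CKO_PRIVATE_KEY"


class LoginRequired(Exception):
    """Object is CKA_PRIVATE and the session is not logged in (PIN needed)."""


class NoPublicKey(Exception):
    """No readable public key corresponds to the private key."""


class ToyToken:
    """Minimal stand-in for a PKCS#11 token (constructed for this example)."""

    def __init__(self, objects, logged_in=False):
        self.objects = objects      # handle -> attribute dict
        self.logged_in = logged_in

    def find(self, **match):
        """Like C_FindObjects: handles whose attributes equal the template."""
        return [h for h, a in self.objects.items()
                if all(a.get(k) == v for k, v in match.items())]

    def get_attr(self, handle, name):
        """Like C_GetAttributeValue, honouring CKA_PRIVATE and sensitivity."""
        obj = self.objects[handle]
        if obj.get("CKA_PRIVATE") and not self.logged_in:
            raise LoginRequired(f"object {handle} requires a PIN")
        if name == "CKA_PRIVATE_EXPONENT":
            raise PermissionError("sensitive attribute is never exported")
        return obj[name]

    def sign(self, handle, m):
        """Like C_Sign: the private exponent is used inside the token only."""
        obj = self.objects[handle]
        if obj.get("CKA_PRIVATE") and not self.logged_in:
            raise LoginRequired(f"object {handle} requires a PIN")
        return pow(m, obj["CKA_PRIVATE_EXPONENT"], obj["CKA_MODULUS"])


def verify(n, e, m, sig):
    """Toy RSA verification: sig^e mod n must give back m."""
    return pow(sig, e, n) == m


def public_key_for(token, priv):
    """Return (n, e, source) for the public key matching private handle `priv`."""
    priv_id = token.get_attr(priv, "CKA_ID")   # raises LoginRequired if locked
    probe = 42                                  # constructed test message
    sig = token.sign(priv, probe)
    # 1. Convention: a CKO_PUBLIC_KEY with the same CKA_ID.  Verify the pairing
    #    rather than trusting the ID, and skip objects that need a login.
    for h in token.find(CKA_CLASS=CKO_PUBLIC_KEY, CKA_ID=priv_id):
        try:
            n = token.get_attr(h, "CKA_MODULUS")
            e = token.get_attr(h, "CKA_PUBLIC_EXPONENT")
        except LoginRequired:
            continue
        if verify(n, e, probe, sig):
            return n, e, "public object"
    # 2. Fallback: the public components stored on the private key object.
    n = token.get_attr(priv, "CKA_MODULUS")
    e = token.get_attr(priv, "CKA_PUBLIC_EXPONENT")
    if verify(n, e, probe, sig):
        return n, e, "private object"
    raise NoPublicKey("no public key matches this private key")


def make_demo_token(logged_in=True, id_convention_holds=True):
    """Constructed token: key A (n=3233, e=17, d=2753), key B (n=2773, e=17, d=157)."""
    # Handle 2 carries key A's CKA_ID; it is key A only if the convention holds.
    pub_n = 3233 if id_convention_holds else 2773
    return ToyToken({
        1: {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x01", "CKA_PRIVATE": True,
            "CKA_MODULUS": 3233, "CKA_PUBLIC_EXPONENT": 17, "CKA_PRIVATE_EXPONENT": 2753},
        2: {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": b"\x01",
            "CKA_MODULUS": pub_n, "CKA_PUBLIC_EXPONENT": 17},
        3: {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": b"\x02",
            "CKA_MODULUS": 3233, "CKA_PUBLIC_EXPONENT": 17},
    }, logged_in=logged_in)


if __name__ == "__main__":
    print(public_key_for(make_demo_token(), 1))
    print(public_key_for(make_demo_token(id_convention_holds=False), 1))
```

With the ID convention intact the public object is used; when the CKA_ID points at an unrelated key the round-trip check rejects it and the modulus and exponent are taken from the private key object instead; with a locked session the very first attribute read raises LoginRequired, which is the "obvious cause" the thread prefers over a silent workaround.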


