Obtaining the raw RSA parameters from a PKCS11 private key

Jim Lloyd jim at silvertailsystems.com
Wed Apr 25 02:37:42 CEST 2012

Question: Is there a way to obtain the raw RSA parameters from a PKCS11
private key?

Background: I'm attempting to update an existing packet sniffing
application to be able to load certs/keys via pkcs11. The application was
previously written using gnutls 2.8.5 and gcrypt 1.4.4. I want to upgrade
gnutls to 2.12.x and am currently developing with 2.12.18. I'd like to
continue to use libgcrypt since the application currently uses gcrypt APIs
for the cryptographic operations. I have been able to install 2.12.x, build
my app, run our unit tests, etc. Now I am attempting to add the pkcs11
support. We are testing with a Thales nCipher netHSM device. I can use
p11tool to query the device and install objects (certs, keys).

I am now working on the new logic to load a private key via pkcs11 so that
I can obtain the cryptographic parameters. I can load the key just fine
into a gnutls_privkey_t. But I see no way to then extract the cryptographic
parameters, as we have previously done with

I see in the documentation this note:

*"An abstract gnutls_privkey_t can be initialized using the functions
below. It can be imported through an existing structure
like gnutls_x509_privkey_t, but unlike public keys it cannot be exported.
That is to allow abstraction over PKCS #11 keys that are not extractable."*

What then is the way for packet sniffing applications to use gnutls with
certs/keys stored on HSMs? Am I forced to use gnutls_pubkey_encrypt_data
and gnutls_privkey_decrypt_data with keys loaded from HSMs? What happens
under the hood with these APIs?

Jim Lloyd