Obtaining the raw RSA parameters from a PKCS11 private key

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Apr 25 09:36:29 CEST 2012


On 04/25/2012 02:37 AM, Jim Lloyd wrote:

> Question: Is there a way to obtain the raw RSA parameters from a PKCS11
> private key?


The typical use case of PKCS #11 is to store keys there so that no-one
is able to extract the keys (e.g. if someone breaks into your
web-server he will not extract the keys). May I ask your use case?

Some devices do not allow exporting keys at all, but on some
you can mark them as exportable during their installation or
generation. If your keys are marked as exportable you can use
gnutls_pkcs11_obj_export() and then import it as an x509 private key.

> What then is the way for packet sniffing applications to use gnutls with
> certs/keys stored on HSMs? Am I forced to use gnutls_pubkey_encrypt_data
> and gnutls_privkey_decrypt_data with keys loaded from HSMs? What happens
> under the hood with these APIs?


The idea is to use the pubkey_encrypt() and privkey_decrypt() and let
the hardware perform the operations for you.

regards,
Nikos



