OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Attributes of EC private key objects

Hello all,

I would like to discuss attributes of EC private key objects. I will first try to explain what I like about RSA private key objects:

Section 4.9.1 of PKCS11-base defines that Cryptoki implementation is required to be able to return values of CKA_MODULUS, CKA_PRIVATE_EXPONENT, and CKA_PUBLIC_EXPONENT for RSA private key objects. By other words RSA private key object holds also information about RSA public key (CKA_MODULUS and CKA_PUBLIC_EXPONENT). Indirectly that means Cryptoki application can use attributes of RSA public key acquired from other source (i.e. X.509 certificate) to search for corresponding RSA private key object. Following pseudo-code demonstrates such situation:

  // Parse certificate
  X509CertificateParser x509CertificateParser = new X509CertificateParser();
  X509Certificate x509Certificate = x509CertificateParser.ReadCertificate(certificate);
  
  // Get public key from certificate
  RsaKeyParameters rsaPubKeyParams = (RsaKeyParameters)x509Certificate.GetPublicKey();
  byte[] rsaPubKeyModulus = rsaPubKeyParams.Modulus.ToByteArrayUnsigned();
  byte[] rsaPubKeyExponent = rsaPubKeyParams.Exponent.ToByteArrayUnsigned();
  
  // Define search template
  List<ObjectAttribute> privKeySearchTemplate = new List<ObjectAttribute>();
  privKeySearchTemplate.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
  privKeySearchTemplate.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
  privKeySearchTemplate.Add(new ObjectAttribute(CKA.CKA_MODULUS, rsaPubKeyModulus));
  privKeySearchTemplate.Add(new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, rsaPubKeyExponent));
  
  // Find corresponding private key
  List<ObjectHandle> foundObjects = session.FindAllObjects(privKeySearchTemplate);
  if (foundObjects.Count != 1)
    throw new ObjectNotFoundException("Corresponding RSA private key not found");

I consider myself still a newbie in EC world so I may be wrong but from my experience this kind of pairing is currently impossible to perform with EC private keys:

According to section 2.3.4 of PKCS11-curr  valid EC specific attributes of EC private key object are CKA_EC_PARAMS and CKA_VALUE. So EC private key object (unlike RSA private key object) does not contain any attribute with information about its public part. Indirectly that means Cryptoki application cannot use attributes of EC public key acquired from other source (i.e. X.509 certificate) to search for corresponding EC private key object. While experimenting with X.509 certificates issued for EC public keys I have noticed that certificate contains value of CKA_EC_POINT attribute (alternative to CKA_MODULUS and CKA_PUBLIC_EXPONENT) which is currently defined only as an attribute of EC public key objects.

So my final question is: Would it be possible to define CKA_EC_POINT attribute as a mandatory attribute also for EC private key objects?

--
Kind Regards

Jaroslav Imrich
www.pkcs11interop.net

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]