OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [pkcs11] RE: [pkcs11-comment] Attributes of EC private key objects


2. SubjectPublicKeyInfo can have multiple correct values for the same key
I don't see any problem with SubjectPublicKeyInfo definition for RSA keys mostly because the "parameter" field of "algorithmidentifier" is required to be present and is also required to be NULL. However for the EC keys the "parameter" field of "algorithmidentifier" is defined as a choice of three different options. In chapter 2.3 of [PKCS11-curr] there is a statement that only two of the options (ecParameters and the namedCurve) are supported by Cryptoki, but this still leaves two possible values of SubjectPublicKeyInfo. I am not sure which one of them should Cryptoki app use as a value of CKA_PUBLIC_KEY_INFO in search templates.

I'm not sure what your use case is here.    E.g. where did you get the public key you're trying to match to the private key?

Mostly you should be using CKA_LABEL and CKA_ID to relate various objects.


Unfortunately there are many tokens (and cryptoki libraries of course) available from various vendors that support public keys only as a session objects so when the session that generated key pair is closed there is only a private key left on the device (or reported by cryptoki library).

Description of the use case when private key needs to be matched by a public key acquired from other source:

1. Cryptoki app generates key pair on the token - private key is token object and public key is temporary session object. 
2. Cryptoki app generates PKCS#10 certificate request and submits it to the CA. Time that CA needs to generate certificate varies from CA to CA but usually takes from few seconds to a few days. It is practically impossible to have cryptoki session open for that long so session is closed and public key object gets discarded.
3. CA finally issues certificate and cryptoki app needs to import it to the device and pair it with the private key object (by pairing I mean to set same values of CKA_ID and CKA_LABEL for both objects). So cryptoki app has certificate with public key and needs to find correct private key object. Unfortunately public key object is no longer present on the device.
4. Cryptoki app uses attributes of public key (CKA_MODULUS and CKA_PUBLIC_EXPONENT in the case of RSA) acquired from certificate to find corresponding private key.
5. After successful search operation cryptoki app creates certificate object with C_CreateObject() and sets the same value of CKA_ID and CKA_LABEL attributes for both certificate and private key objects.

I am not saying this is the only way to perform pairing, but from my experience it is the only reliable and CA/token independent way of pairing newly issued certificate with private key on such devices. I have already attached the code sample in my first e-mail in this thread, but if you would like to see the code I am using in the real world apps please take a look at first ImportCertificate() method in https://github.com/jariq/Pkcs11Interop.PkiUtils/blob/master/src/Pkcs11Interop.PkiUtils/ObjectImporter.cs

PS: I cannot post to pkcs11 list so its members do not see my e-mails.

Best regards

Jaroslav


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]