[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] CKA_PUBLIC_KEY_INFO
On 04/17/2013 05:53 PM, Andrey Jivsov
wrote:
I agree with your assessment I'm sure how the proposal violates this. You don't actually need the certificate to create an SPKI, you only need the public key and a der encoder (A simple one would work). The latter is the difficulty.
(without endorsing the plan), CKA_PUBLIC_KEY_INFO is a DER SPKI, which is completely independent of any certificate. It is simply a DER encoded bare public key. It happens to be embedded in a certificate. Clearly the application creating the private key with C_CreateObject() should set that value. Presumably the application which does a C_Unwrap() of a key also needs to specify the object. The module can enforce the existance of CKA_PUBLIC_KEY_INFO in these cases. You definately have a point, though, if the private key is *generated* with C_GenerateKeyPair(). The application can't supply it in the template because it does not yet know the public key. So does the application have to set it after the key creation? (It would if it needs to be opaque), or do we require the module to set it on generate? This, I agree with, in almost all instances the public exponent should be available at key creation (either during C_GenerateKeyPair() in the module, or in C_CreateObject and C_Unwrap in the application).2) The data required to be stored for each private key shall be reviewed and changes made to ensure that the appropriate attributes sufficient to regenerate the public key shall be stored with the private key, and if needed provided with any call to C_CreateObject for that type of private key. For the RSA case, this means that CKA_PUBLIC_EXPONENT MUST be in a template for an RSA private key and stored with that private key. 3) CKA_PUBLIC_KEY_INFO can be used in a call to C_GetAttributeValues for all public and private keys. It will be encoded from the data available for those keys. (Which should mostly involve stuffing the public key data into a template). If an implementation doesn't wish to support this it will return the empty value. OK, this says the value is created by the module in the C_GenerateKeyPair() case, and by the application in the other two cases (since the application has access to the public key, but the module wouldn't necessarily yet). Comments? (Ideally from others besides myself and Bob) Mike --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php |
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]