From: pkcs11-comment@lists.oasis-open.org [mailto:pkcs11-comment@lists.oasis-open.org] On Behalf Of Jaroslav Imrich
Sent: Donnerstag, 26. Dezember 2013 00:55
To: Michael StJohns
Cc: pkcs11@lists.oasis-open.org; pkcs11-comment@lists.oasis-open.org
Subject: [pkcs11-comment] Re: [pkcs11] RE: [pkcs11-comment] Attributes of EC private key objects CKA_PUBLIC_KEY_INFO looks like a step in the right direction when it comes to retrieval of public key information from the private key object. However I am not sure whether it is a good choice for searching operations because in the current wording its support is optional ("MAY be empty") and therefore I personally consider pair of CKA_MODULUS and CKA_PUBLIC_EXPONENT (mandatory since v2.40) a better choice for searching templates. I would expect the same from CKA_EC_POINT defined as a mandatory attribute of EC private key objects. But there may be a few other issues with CKA_PUBLIC_KEY_INFO in the current draft: 1. Missing definitions of SubjectPublicKeyInfo for specific key types Chapter 4.8 of [PKCS11-base] states: "The encodings for the subjectPublicKey field are specified in the description of the public key types in the appropriate [Mechanisms] document for the key types defined within this specification." I was unable to find anything like that in [PKCS11-base] or [PKCS11-curr]. Exact format of SubjectPublicKeyInfo for RSA keys is defined in RFC 3279, for EC keys in RFC 5480 etc. Maybe this information should be added to the text where appropriate. 2. SubjectPublicKeyInfo can have multiple correct values for the same key I don't see any problem with SubjectPublicKeyInfo definition for RSA keys mostly because the "parameter" field of "algorithmidentifier" is required to be present and is also required to be NULL. However for the EC keys the "parameter" field of "algorithmidentifier" is defined as a choice of three different options. In chapter 2.3 of [PKCS11-curr] there is a statement that only two of the options (ecParameters and the namedCurve) are supported by Cryptoki, but this still leaves two possible values of SubjectPublicKeyInfo. I am not sure which one of them should Cryptoki app use as a value of CKA_PUBLIC_KEY_INFO in search templates. On Mon, Dec 23, 2013 at 6:07 PM, Michael StJohns <msj@nthpermutation.com> wrote: Edited down.
With this new 2.40 version of the spec, the attribute CKA_PUBLIC_KEY_INFO was defined to provide this information in a non-key-type specific manner. See section 4.9. Any private key type should implement this as a way of providing the public key information.
Is that sufficient for your needs or is there something still missing?
Mike
On 12/23/2013 8:49 AM, Griffin, Robert wrote:
I would like to discuss attributes of EC private key objects. I will first try to explain what I like about RSA private key objects: So my final question is: Would it be possible to define CKA_EC_POINT attribute as a mandatory attribute also for EC private key objects?
|