Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes


On 15/07/2014 1:09 AM, Oscar So wrote:
> Perhaps, we can also set the CKA_ID during key generation where:
>
> C_GenerateKey
> CKA_ID = SHA1(symmetric key CKA_VALUE)
>
> C_GenerateKeyPair
> CKA_ID = SHA1(modulus) //this is how Mozilla set CKA_ID in
> Firefox/Thunderbird
>
> Hopefully, all CKA_ID(s) generated from the above method are unique.
> We can then compare all CKA_ID(s) value to determine when to return:
> CKR_OBJECT_EXISTS or CKR_KEY_EXISTS

You can do this - but the CKA_ID itself is also not guaranteed to be
present or unique and there are devices which happily report multiple
objects with the same CKA_ID value.

We had quite a few discussions on this topic - the choices we faced are
to either add in a new attribute or change the explicitly documented
behaviour in the specification for one or more of the existing
attributes. Many vendors do this as one of their vendor-specific
extensions - but there is no currently defined requirement for this.

I for one would like to see a simple mandatory attribute added which was
the unique identifier (and not tied to anything other than the object
itself so any changes to attributes etc. do not affect its value) - but
that wasn't something which made it into v2.40 ...

Tim.
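As an added illustration of the two points in this exchange (the SHA1-derived CKA_ID proposed in the quoted message, and the caveat that a token may report objects with no CKA_ID or with a shared one), here is example code that is not from the thread or from any PKCS#11 implementation; the token contents are a constructed in-memory list rather than attributes read from a real device, and the CKR_KEY_EXISTS / CKR_OK results only emulate the check being discussed:

```python
import hashlib
from collections import defaultdict

# Constructed sample of attribute templates as a client might read them back
# from a token; not a real device's contents. The RSA modulus is a placeholder.
SAMPLE_MODULUS = bytes.fromhex("c0ffee")
CONSTRUCTED_TOKEN_OBJECTS = [
    # Public/private halves of one pair: sharing a CKA_ID is normal practice.
    {"handle": 1, "class": "CKO_PUBLIC_KEY", "CKA_MODULUS": SAMPLE_MODULUS, "CKA_ID": b"\x01"},
    {"handle": 2, "class": "CKO_PRIVATE_KEY", "CKA_MODULUS": SAMPLE_MODULUS, "CKA_ID": b"\x01"},
    # A secret key stored with no CKA_ID at all.
    {"handle": 3, "class": "CKO_SECRET_KEY", "CKA_VALUE": b"abc"},
    # Same key material as handle 3, but a different stored CKA_ID.
    {"handle": 4, "class": "CKO_SECRET_KEY", "CKA_VALUE": b"abc", "CKA_ID": b"\x02"},
    # Unrelated data object that happens to reuse CKA_ID 02.
    {"handle": 5, "class": "CKO_DATA", "CKA_ID": b"\x02"},
]


def derive_cka_id(obj):
    """The derivation proposed in the quoted message: SHA1(CKA_VALUE) for a
    secret key, SHA1(modulus) for an RSA key pair. Note that both halves of a
    pair share the modulus, so the result identifies the pair, not the object."""
    if obj["class"] == "CKO_SECRET_KEY":
        material = obj["CKA_VALUE"]
    elif obj["class"] in ("CKO_PUBLIC_KEY", "CKO_PRIVATE_KEY") and "CKA_MODULUS" in obj:
        material = obj["CKA_MODULUS"]
    else:
        return None
    return hashlib.sha1(material).digest()


def audit_stored_cka_ids(objects):
    """The caveat in the reply: report handles with no CKA_ID, and stored
    CKA_ID values shared by more than one object."""
    missing = [o["handle"] for o in objects if "CKA_ID" not in o]
    by_id = defaultdict(list)
    for o in objects:
        if "CKA_ID" in o:
            by_id[o["CKA_ID"]].append(o["handle"])
    duplicates = {cid: hs for cid, hs in by_id.items() if len(hs) > 1}
    return missing, duplicates


def would_collide(objects, new_obj):
    """Emulate the proposed creation-time check: a new key whose derived
    CKA_ID matches an existing object of the same class is a duplicate."""
    new_id = derive_cka_id(new_obj)
    for o in objects:
        if o["class"] == new_obj["class"] and derive_cka_id(o) == new_id:
            return "CKR_KEY_EXISTS"
    return "CKR_OK"
```

Running the audit over the constructed list reports handle 3 as missing a CKA_ID and both 01 and 02 as shared, while the derived-ID check flags a second copy of the key material in handle 3 even though the token's own CKA_ID values would never reveal it.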