[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes
On 15/07/2014 1:09 AM, Oscar So wrote:
> Perhaps, we can also set the CKA_ID during key generation where:
>
> C_GenerateKey
> CKA_ID = SHA1(symmetric key CKA_VALUE)
>
> C_GenerateKeyPair
> CKA_ID = SHA1(modulus) //this is how Mozilla sets CKA_ID in Firefox/Thunderbird
>
> Hopefully, all CKA_ID(s) generated from the above method are unique.
> We can then compare all CKA_ID values to determine when to return:
> CKR_OBJECT_EXISTS or CKR_KEY_EXISTS

You can do this - but the CKA_ID itself is also not guaranteed to be present or unique, and there are devices which happily report multiple objects with the same CKA_ID value.

We had quite a few discussions on this topic - the choices we faced are to either add in a new attribute or change the explicitly documented behaviour in the specification for one or more of the existing attributes. Many vendors do this as one of their vendor-specific extensions - but there is no currently defined requirement for this.

I for one would like to see a simple mandatory attribute added which was the unique identifier (and not tied to anything other than the object itself, so any changes to attributes etc. do not affect its value) - but that wasn't something which made it into v2.40 ...

Tim.
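The two positions in the exchange above can be seen side by side in code. The following is an added example, not code from the thread, from OASIS, or from any PKCS#11 implementation: it models token objects as plain dicts (attribute and class names as strings rather than the numeric CK_* constants) and uses a constructed token containing an AES key, an RSA key pair, two legacy keys that a vendor tool stored under the same CKA_ID, and one key with no CKA_ID at all. `derive_cka_id` is the proposed SHA1(CKA_VALUE) / SHA1(modulus) derivation, `would_collide` is the proposed existence check built on it, and `audit_cka_ids` surfaces the caveat from the reply: objects whose CKA_ID is missing or shared. Note that the public and private halves of one key pair legitimately carry the same CKA_ID, so the check compares (class, CKA_ID) pairs, not CKA_ID alone.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Attribute and class names are spelled out as strings in this example;
# a real token exposes numeric CK_ATTRIBUTE_TYPE / CK_OBJECT_CLASS values.
CKA_CLASS, CKA_ID, CKA_LABEL, CKA_VALUE, CKA_MODULUS = (
    "CKA_CLASS", "CKA_ID", "CKA_LABEL", "CKA_VALUE", "CKA_MODULUS")
CKO_SECRET_KEY, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = (
    "CKO_SECRET_KEY", "CKO_PUBLIC_KEY", "CKO_PRIVATE_KEY")

PkcsObject = Dict[str, object]

# Constructed key material and a placeholder odd modulus (not a real RSA key).
AES_KEY_A = bytes(range(16))
AES_KEY_B = bytes(range(16, 32))
RSA_MODULUS = ((1 << 255) | 0xC0FFEE | 1).to_bytes(32, "big")


def derive_cka_id(obj: PkcsObject) -> bytes:
    """The derivation proposed in the thread: SHA1(CKA_VALUE) for a symmetric
    key, SHA1(modulus) for either half of an RSA key pair."""
    cls = obj[CKA_CLASS]
    if cls == CKO_SECRET_KEY:
        return hashlib.sha1(obj[CKA_VALUE]).digest()
    if cls in (CKO_PUBLIC_KEY, CKO_PRIVATE_KEY):
        return hashlib.sha1(obj[CKA_MODULUS]).digest()
    raise ValueError(f"no CKA_ID derivation defined for class {cls}")


def would_collide(token: List[PkcsObject], new_obj: PkcsObject) -> bool:
    """The proposed existence check: is there already an object of the same
    class carrying the CKA_ID the new object would be given?  The public and
    private halves of one key pair share a CKA_ID by design, so the class is
    part of the comparison.  This only works if every object on the token had
    its CKA_ID derived the same way, which nothing in the spec guarantees."""
    new_id = derive_cka_id(new_obj)
    return any(o.get(CKA_ID) == new_id and o[CKA_CLASS] == new_obj[CKA_CLASS]
               for o in token)


def audit_cka_ids(token: List[PkcsObject]) -> Tuple[List[str], Dict[tuple, List[str]]]:
    """The caveat from the reply, made visible: labels of objects with no
    CKA_ID, and groups of same-class objects that share one CKA_ID value."""
    missing = [o[CKA_LABEL] for o in token if not o.get(CKA_ID)]
    groups = defaultdict(list)
    for o in token:
        if o.get(CKA_ID):
            groups[(o[CKA_CLASS], o[CKA_ID])].append(o[CKA_LABEL])
    duplicates = {k: v for k, v in groups.items() if len(v) > 1}
    return missing, duplicates


def build_sample_token() -> List[PkcsObject]:
    """Constructed token contents for the example (not a real device dump)."""
    return [
        {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "aes-a", CKA_VALUE: AES_KEY_A,
         CKA_ID: hashlib.sha1(AES_KEY_A).digest()},
        {CKA_CLASS: CKO_PUBLIC_KEY, CKA_LABEL: "rsa-pub", CKA_MODULUS: RSA_MODULUS,
         CKA_ID: hashlib.sha1(RSA_MODULUS).digest()},
        {CKA_CLASS: CKO_PRIVATE_KEY, CKA_LABEL: "rsa-priv", CKA_MODULUS: RSA_MODULUS,
         CKA_ID: hashlib.sha1(RSA_MODULUS).digest()},
        # Two different keys imported by vendor tooling under one CKA_ID.
        {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "legacy-1", CKA_VALUE: AES_KEY_B,
         CKA_ID: b"\x01"},
        {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "legacy-2", CKA_VALUE: bytes(16),
         CKA_ID: b"\x01"},
        # An object with no CKA_ID at all.
        {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "no-id", CKA_VALUE: b"\xff" * 16},
    ]


if __name__ == "__main__":
    token = build_sample_token()
    dup_aes = {CKA_CLASS: CKO_SECRET_KEY, CKA_VALUE: AES_KEY_A}
    dup_legacy = {CKA_CLASS: CKO_SECRET_KEY, CKA_VALUE: AES_KEY_B}
    print("re-generating aes-a detected:", would_collide(token, dup_aes))
    print("re-generating legacy-1 detected:", would_collide(token, dup_legacy))
    print("audit (missing, duplicates):", audit_cka_ids(token))
```

Running it shows both halves of the argument: the derived-ID check catches a second copy of `aes-a` and of the RSA pair, but misses a second copy of `legacy-1`, because that object's CKA_ID was assigned by some other scheme and never matches SHA1 of its value. The audit separately reports the object with no CKA_ID and the two legacy keys sharing one, which is exactly why the reply argues for an identifier that is mandatory and independent of every other attribute.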