
Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes


On 07/14/2014 08:45 AM, Tim Hudson wrote:
> On 15/07/2014 1:09 AM, Oscar So wrote:
>> Perhaps, we can also set the CKA_ID during key generation where:
>>
>> C_GenerateKey
>> CKA_ID = SHA1(symmetric key CKA_VALUE)
>>
>> C_GenerateKeyPair
>> CKA_ID = SHA1(modulus) // this is how Mozilla sets CKA_ID in
>> Firefox/Thunderbird
>>
>> Hopefully, all CKA_ID(s) generated from the above method are unique.
>> We can then compare all CKA_ID(s) values to determine when to return:
>> CKR_OBJECT_EXISTS or CKR_KEY_EXISTS
> You can do this - but the CKA_ID itself is also not guaranteed to be
> present or unique and there are devices which happily report multiple
> objects with the same CKA_ID value.

Actually some require multiple objects to have the same CKA_ID: in the case of certs, public keys, and private keys, NSS requires the cert and its matching public/private key all have the same CKA_ID value. If you have multiple certs with the same keys (fairly common) you must be able to have multiple certs that have the same CKA_ID.

So generically saying CKA_ID needs to be unique isn't sufficient. However -- if you say CKA_ID has to be unique for a given symmetric key value, or a given private key value, then that would be OK. I believe softoken (our PKCS #11 module) enforces this internally, though I'd have to double check (I think we allow multiple 'null' CKA_IDs).

> I for one would like to see a simple mandatory attribute added which was
> the unique identifier (and not tied to anything other than the object
> itself so any changes to attributes etc do not affect its value) - but
> that wasn't something which made it into v2.40 ...

This is probably a reasonable requirement, though should this attribute be automatic (that is, generated by the token, not by the application)?

bob

> Tim.
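As an added illustration (not code from this thread, from NSS or from softoken), a small Python model of a token's object store that derives CKA_ID the way Oscar proposes and applies the uniqueness rule Bob describes: the duplicate check is scoped to key value within an object class, so a certificate, public key and private key share one CKA_ID, several certificates over the same key are accepted, and only a repeated private or secret key value, or a byte-identical object, is rejected. The class tags, the return-code strings and the sample modulus are placeholders, not PKCS#11 constants.

```python
import hashlib
from dataclasses import dataclass

# Placeholder tags for object classes and for the two return codes the thread
# proposes; these are not the numeric PKCS#11 values.
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY = "cert", "pub", "priv", "secret"
CKR_OK, CKR_OBJECT_EXISTS, CKR_KEY_EXISTS = "CKR_OK", "CKR_OBJECT_EXISTS", "CKR_KEY_EXISTS"


@dataclass
class TokenObject:
    cls: str
    value: bytes            # CKA_VALUE: cert DER, public-key blob, or secret key bytes
    key_material: bytes = b""   # RSA modulus shared by cert/pub/priv; empty => "null" CKA_ID
    cka_id: bytes = b""


def derive_cka_id(cls: str, value: bytes, key_material: bytes) -> bytes:
    """SHA1(CKA_VALUE) for symmetric keys, SHA1(modulus) for RSA-related objects."""
    if cls == CKO_SECRET_KEY:
        return hashlib.sha1(value).digest()
    return hashlib.sha1(key_material).digest() if key_material else b""


class Token:
    def __init__(self) -> None:
        self.objects: list[TokenObject] = []

    def create_object(self, obj: TokenObject) -> str:
        if not obj.cka_id:
            obj.cka_id = derive_cka_id(obj.cls, obj.value, obj.key_material)
        for existing in self.objects:
            if existing.cls != obj.cls:
                continue  # cert, public key and private key legitimately share a CKA_ID
            # Objects with a null CKA_ID are never treated as duplicates of each other.
            if obj.cka_id and existing.cka_id == obj.cka_id:
                if obj.cls in (CKO_PRIVATE_KEY, CKO_SECRET_KEY):
                    return CKR_KEY_EXISTS  # same key value is already on the token
                if existing.value == obj.value:
                    return CKR_OBJECT_EXISTS  # byte-identical cert or public key
                # Two different certs over the same key: allowed, as NSS requires.
        self.objects.append(obj)
        return CKR_OK
```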




