pkcs11 message


Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes

On 07/14/2014 08:45 AM, Tim Hudson wrote:
> On 15/07/2014 1:09 AM, Oscar So wrote:
>> Perhaps, we can also set the CKA_ID during key generation where:
>>
>> CKA_ID = SHA1(symmetric key CKA_VALUE)
>>
>> CKA_ID = SHA1(modulus) //this is how Mozilla set CKA_ID in
>>
>> Hopefully, all CKA_ID(s) generated from the above method are unique.
>> We can then compare all CKA_ID(s) value to determine when to return:
> You can do this - but the CKA_ID itself is also not guaranteed to be
> present or unique and there are devices which happily report multiple
> objects with the same CKA_ID value.

Actually some require multiple objects to have the same CKA_ID. In the case of certs, public keys, and private keys, NSS requires the cert and its matching public/private key all have the same CKA_ID value. If you have multiple certs with the same keys (fairly common) you must be able to have multiple certs that have the same CKA_ID.

So generically saying CKA_ID needs to be unique isn't sufficient. However -- if you say CKA_ID has to be unique for a given symmetric key value, or a given private key value, then that would be OK. I believe softoken (our PKCS #11 module) enforces this internally, though I'd have to double check (I think we allow multiple 'null' CKA_IDs).

> I for one would like to see a simple mandatory attribute added which was
> the unique identifier (and not tied to anything other than the object
> itself so any changes to attributes etc do not affect its value) - but
> that wasn't something which made it into v2.40 ...

This is probably a reasonable requirement, though should this attribute be automatic (that is generated by the token, not by the application)?
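The following is an added example, not code from this thread and not NSS/softoken code. It models the two uniqueness rules discussed above in a small in-memory token: CKA_ID derived at key generation as SHA-1 of the RSA modulus or of the secret key CKA_VALUE (Oscar's proposal), a private key, its public key and several certificates legitimately sharing that CKA_ID (the NSS requirement), and a duplicate check done per key value rather than per CKA_ID. The Token class, the DuplicateObject/CkaIdConflict exceptions, the "empty CKA_ID means null" convention and all key material are assumptions constructed for the illustration; the thread does not settle which CKR_ error code a duplicate should return, so the example raises Python exceptions instead of naming one.

```python
import hashlib

# Object classes, values as defined in the PKCS#11 headers.
CKO_CERTIFICATE = 0x1
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3
CKO_SECRET_KEY = 0x4
KEY_CLASSES = (CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY)


class DuplicateObject(Exception):
    """Same key value already on the token (the case the thread wants an error code for)."""


class CkaIdConflict(Exception):
    """CKA_ID already used by a different key value of the same class (hypothetical rule)."""


def key_material(obj):
    """The value whose uniqueness actually matters: the modulus for RSA keys,
    CKA_VALUE for secret keys. Certificates are never checked for uniqueness."""
    return obj.get("CKA_MODULUS") or obj.get("CKA_VALUE")


def derive_cka_id(obj):
    """CKA_ID as proposed in the thread: SHA-1 of the key material. An RSA public
    and private key share a modulus, so they get the same CKA_ID; the application
    then gives the matching certificate(s) that CKA_ID as well."""
    return hashlib.sha1(key_material(obj)).digest()


def objects_sharing_cka_id(token, cka_id):
    """What 'compare all CKA_IDs' alone would flag as duplicates."""
    return [o for o in token.objects if o.get("CKA_ID") == cka_id]


class Token:
    """Constructed in-memory token: objects are attribute dictionaries."""

    def __init__(self):
        self.objects = []

    def create_object(self, template):
        obj = dict(template)
        if obj["CKA_CLASS"] in KEY_CLASSES:
            if "CKA_ID" not in obj:          # absent: derive it at generation time
                obj["CKA_ID"] = derive_cka_id(obj)
            for other in self.objects:
                if other["CKA_CLASS"] != obj["CKA_CLASS"]:
                    continue                 # cert/public/private sharing an ID is fine
                if key_material(other) == key_material(obj):
                    raise DuplicateObject(hex(obj["CKA_CLASS"]))
                # assumption: empty CKA_ID is "null" and several nulls may coexist
                if other["CKA_ID"] and other["CKA_ID"] == obj["CKA_ID"]:
                    raise CkaIdConflict(obj["CKA_ID"].hex())
        self.objects.append(obj)
        return len(self.objects) - 1         # object handle


def demo():
    modulus = bytes(range(1, 65))            # constructed bytes, not a real RSA modulus
    token = Token()
    priv = token.create_object({"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_MODULUS": modulus,
                                "CKA_PRIVATE_EXPONENT": b"\x11" * 64})
    pub = token.create_object({"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_MODULUS": modulus})
    kid = token.objects[priv]["CKA_ID"]
    # two certificates for the same key pair (e.g. a renewal), both carrying its CKA_ID
    for der in (b"constructed-cert-2013", b"constructed-cert-2014"):
        token.create_object({"CKA_CLASS": CKO_CERTIFICATE, "CKA_VALUE": der, "CKA_ID": kid})
    results = {
        "pub_id_matches_priv": token.objects[pub]["CKA_ID"] == kid,
        "shared_by_cka_id": len(objects_sharing_cka_id(token, kid)),  # 4, none duplicates
    }
    try:                                     # same private key value again: a real duplicate
        token.create_object({"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_MODULUS": modulus,
                             "CKA_PRIVATE_EXPONENT": b"\x11" * 64})
        results["second_private"] = "accepted"
    except DuplicateObject:
        results["second_private"] = "duplicate"
    try:                                     # different key, application reused the CKA_ID
        token.create_object({"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_MODULUS": bytes(range(65, 129)),
                             "CKA_PRIVATE_EXPONENT": b"\x22" * 64, "CKA_ID": kid})
        results["other_key_same_id"] = "accepted"
    except CkaIdConflict:
        results["other_key_same_id"] = "conflict"
    # two secret keys with a null CKA_ID do not collide with each other
    token.create_object({"CKA_CLASS": CKO_SECRET_KEY, "CKA_VALUE": b"k1" * 8, "CKA_ID": b""})
    token.create_object({"CKA_CLASS": CKO_SECRET_KEY, "CKA_VALUE": b"k2" * 8, "CKA_ID": b""})
    results["objects_on_token"] = len(token.objects)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the `other["CKA_CLASS"] != obj["CKA_CLASS"]` guard: a naive scan of CKA_IDs reports four objects with the same ID even though none is a duplicate, whereas comparing key material within one object class catches the re-imported private key and still lets the certificate chain share the ID.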


