Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes
On 07/14/2014 08:45 AM, Tim Hudson wrote:
> On 15/07/2014 1:09 AM, Oscar So wrote:
>> Perhaps, we can also set the CKA_ID during key generation where:
>>   C_GenerateKey      CKA_ID = SHA1(symmetric key CKA_VALUE)
>>   C_GenerateKeyPair  CKA_ID = SHA1(modulus)   // this is how Mozilla sets CKA_ID in Firefox/Thunderbird
>> Hopefully, all CKA_ID(s) generated from the above method are unique.
>> We can then compare all CKA_ID(s) value to determine when to return: CKR_OBJECT_EXISTS or CKR_KEY_EXISTS
>
> You can do this - but the CKA_ID itself is also not guaranteed to be present or unique and there are devices which happily report multiple objects with the same CKA_ID value.

Actually some require multiple objects to have the same CKA_ID. In the case of certs, public keys, and private keys, NSS requires the cert and its matching public/private key all have the same CKA_ID value. If you have multiple certs with the same keys (fairly common) you must be able to have multiple certs that have the same CKA_ID.

So generically saying CKA_ID needs to be unique isn't sufficient. However -- if you say CKA_ID has to be unique for a given symmetric key value, or a given private key value, then that would be OK. I believe softoken (our PKCS #11 module) enforces this internally, though I'd have to double check (I think we allow multiple 'null' CKA_IDs).

> I for one would like to see a simple mandatory attribute added which was the unique identifier (and not tied to anything other than the object itself so any changes to attributes etc do not affect its value) - but that wasn't something which made it into v2.40 ...

This is probably a reasonable requirement, though should this attribute be automatic (that is, generated by the token, not by the application)?

bob

> Tim.
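The uniqueness policy the two of them converge on above (CKA_ID legitimately shared by a cert and its key pair and by several certs on one key; duplicates detected per key value rather than per CKA_ID; an object identity that does not move when attributes change), as an added Python model. This is illustration written for this page, not code from the thread, from NSS softoken, or from any PKCS#11 module. The attribute and class names are the spec's; CKR_OBJECT_EXISTS and CKR_KEY_EXISTS are the proposed return codes under discussion and have no value in v2.40, so they are kept symbolic. The Token class, its handle scheme, and the sample objects are constructed assumptions.

```python
import hashlib

# PKCS#11 names. Object-class values are the spec's; the two return codes are
# the codes proposed in the thread (not defined in v2.40), kept symbolic.
CKA_CLASS, CKA_ID, CKA_VALUE, CKA_MODULUS, CKA_LABEL = (
    "CKA_CLASS", "CKA_ID", "CKA_VALUE", "CKA_MODULUS", "CKA_LABEL")
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY = 1, 2, 3, 4
KEY_CLASSES = {CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY}
CKR_OK, CKR_OBJECT_EXISTS, CKR_KEY_EXISTS = (
    "CKR_OK", "CKR_OBJECT_EXISTS", "CKR_KEY_EXISTS")


def key_material(attrs):
    """Bytes that decide whether two objects are 'the same': the modulus for
    RSA public/private keys, CKA_VALUE for secret keys and certificates."""
    if attrs[CKA_CLASS] in (CKO_PUBLIC_KEY, CKO_PRIVATE_KEY):
        return attrs[CKA_MODULUS]
    return attrs[CKA_VALUE]


def derived_cka_id(attrs):
    """Oscar's rule: SHA1(modulus) for key pairs, SHA1(CKA_VALUE) for secret
    keys. Certificates keep whatever CKA_ID the application supplied."""
    return hashlib.sha1(key_material(attrs)).digest()


class Token:
    """Hypothetical object store. Duplicates are detected on
    (object class, SHA1 of key material), never on CKA_ID alone, so a cert,
    its public key and its private key may all carry one CKA_ID."""

    def __init__(self):
        self._objects = {}          # handle -> attribute dict
        self._by_fingerprint = {}   # (class, digest) -> handle
        self._next_handle = 1       # handles: allocated once, never derived from attributes

    def create_object(self, template):
        attrs = dict(template)
        fp = (attrs[CKA_CLASS], hashlib.sha1(key_material(attrs)).digest())
        if fp in self._by_fingerprint:
            # Same class, same key bytes: report the existing handle.
            rv = CKR_KEY_EXISTS if attrs[CKA_CLASS] in KEY_CLASSES else CKR_OBJECT_EXISTS
            return rv, self._by_fingerprint[fp]
        if attrs[CKA_CLASS] in KEY_CLASSES:
            attrs.setdefault(CKA_ID, derived_cka_id(attrs))
        handle = self._next_handle
        self._next_handle += 1
        self._objects[handle] = attrs
        self._by_fingerprint[fp] = handle
        return CKR_OK, handle

    def find_objects(self, match):
        """C_FindObjects-style lookup: handles whose attributes match `match`."""
        return sorted(h for h, a in self._objects.items()
                      if all(a.get(k) == v for k, v in match.items()))

    def set_attribute(self, handle, name, value):
        # Relabelling does not touch the handle or the uniqueness fingerprint.
        self._objects[handle][name] = value


def demo():
    """Constructed sample objects (not real key material): one RSA key pair,
    two certs issued on it, one AES key; returns the per-step results."""
    tok = Token()
    modulus = b"\x00constructed-fake-rsa-modulus"
    kid = hashlib.sha1(modulus).digest()
    r = {}
    r["pub"] = tok.create_object({CKA_CLASS: CKO_PUBLIC_KEY, CKA_MODULUS: modulus})
    r["priv"] = tok.create_object({CKA_CLASS: CKO_PRIVATE_KEY, CKA_MODULUS: modulus})
    r["cert1"] = tok.create_object({CKA_CLASS: CKO_CERTIFICATE, CKA_ID: kid, CKA_VALUE: b"DER cert #1"})
    r["cert2"] = tok.create_object({CKA_CLASS: CKO_CERTIFICATE, CKA_ID: kid, CKA_VALUE: b"DER cert #2"})
    r["cert1_again"] = tok.create_object({CKA_CLASS: CKO_CERTIFICATE, CKA_ID: kid, CKA_VALUE: b"DER cert #1"})
    r["priv_again"] = tok.create_object({CKA_CLASS: CKO_PRIVATE_KEY, CKA_MODULUS: modulus})
    r["secret"] = tok.create_object({CKA_CLASS: CKO_SECRET_KEY, CKA_VALUE: b"\x01" * 16})
    r["secret_again"] = tok.create_object({CKA_CLASS: CKO_SECRET_KEY, CKA_VALUE: b"\x01" * 16})
    r["sharing_id"] = tok.find_objects({CKA_ID: kid})     # cert, cert, pub, priv
    tok.set_attribute(r["priv"][1], CKA_LABEL, b"renamed")
    r["priv_after_relabel"] = tok.create_object({CKA_CLASS: CKO_PRIVATE_KEY, CKA_MODULUS: modulus})
    return tok, r


if __name__ == "__main__":
    for step, outcome in demo()[1].items():
        print(f"{step:20s} {outcome}")
```

The two certs are accepted although their CKA_ID is identical, because their CKA_VALUE differs; re-importing the same DER or the same private key is refused with the existing handle, which is what a caller needs in order to reuse it; and the handle survives a label change, which is the property Tim asks for in a token-assigned identifier.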