pkinit: using RSA modulus to locate private key

Mark Phalan Mark.Phalan at Sun.COM
Thu Oct 2 11:59:31 EDT 2008

One issue I ran into when working with PKINIT on OpenSolaris was that
our tool for storing certs and keys in PKCS11 tokens (pkinit(1)) doesn't
generate a CKA_ID for private keys - it leaves it blank. When PKINIT
finds a suitable cert and then looks for a corresponding private key it
fails to locate it (unless it's the only key available). I've
implemented a fallback so that if PKINIT can't find a suitable key by
CKA_ID it will try to find a private key matching the RSA modulus
associated with its key. As the CKA_ID is typically a hash of the
modulus it seemed to me to be a suitable fallback.

Does this sound reasonable? I can contribute a patch.


More information about the krbdev mailing list