pkinit: using RSA modulus to locate private key
Mark Phalan
Mark.Phalan at Sun.COM
Thu Oct 2 11:59:31 EDT 2008
One issue I ran into when working with PKINIT on OpenSolaris was that
our tool for storing certs and keys in PKCS11 tokens (pkinit(1)) doesn't
generate a CKA_ID for private keys - it leaves it blank. When PKINIT
finds a suitable cert and then looks for a corresponding private key it
fails to locate it (unless it's the only key available). I've
implemented a fallback so that if PKINIT can't find a suitable key by
CKA_ID it will try to find a private key matching the RSA modulus
associated with its key. As the CKA_ID is typically a hash of the
modulus it seemed to me to be a suitable fallback.
Does this sound reasonable? I can contribute a patch.
-M
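The CKA_ID-first, modulus-fallback lookup described above, as an added example that is not krb5 or Solaris code: it models token objects in memory rather than calling a PKCS#11 library, and the byte strings, labels and function names (find_private_key, lookup_index, lookup_used_fallback) are constructed placeholders.

```c
/* Added example (not krb5 or Solaris code): models the lookup described in
 * the post over an in-memory stand-in for a PKCS#11 token. Primary lookup is
 * by CKA_ID; if that finds nothing, fall back to matching the RSA modulus. */
#include <stddef.h>
#include <string.h>

typedef enum { OBJ_CERT, OBJ_PRIVKEY } obj_class;

typedef struct {
    obj_class cls;
    const char *label;
    const unsigned char *id;  size_t id_len;   /* CKA_ID, may be blank */
    const unsigned char *mod; size_t mod_len;  /* RSA modulus (CKA_MODULUS) */
} token_obj;

/* Two attributes match only if both are non-empty and byte-identical, so a
 * blank CKA_ID never matches anything (the failure mode in the post). */
static int attr_eq(const unsigned char *a, size_t al, const unsigned char *b, size_t bl) {
    return al > 0 && al == bl && memcmp(a, b, al) == 0;
}

/* Returns index of the private key for cert, or -1; sets *via_modulus when
 * the CKA_ID lookup failed and the modulus fallback located the key. */
int find_private_key(const token_obj *objs, size_t n, const token_obj *cert, int *via_modulus) {
    size_t i;
    *via_modulus = 0;
    for (i = 0; i < n; i++)                      /* 1. by CKA_ID */
        if (objs[i].cls == OBJ_PRIVKEY && attr_eq(objs[i].id, objs[i].id_len, cert->id, cert->id_len))
            return (int)i;
    for (i = 0; i < n; i++)                      /* 2. by RSA modulus of the cert's public key */
        if (objs[i].cls == OBJ_PRIVKEY && attr_eq(objs[i].mod, objs[i].mod_len, cert->mod, cert->mod_len)) {
            *via_modulus = 1;
            return (int)i;
        }
    return -1;
}

/* Constructed sample token: short placeholder byte strings, not real RSA moduli. */
static const unsigned char MOD_A[] = {0xc1, 0x5a, 0x07, 0x3e}, MOD_B[] = {0xb9, 0x22, 0x6d, 0x01};
static const unsigned char MOD_C[] = {0xd4, 0x48, 0x1f, 0x90}, ID_B[] = {0x11, 0x22};
const token_obj TOKEN[] = {
    {OBJ_CERT,    "certA", NULL, 0, MOD_A, sizeof MOD_A},
    {OBJ_PRIVKEY, "keyA",  NULL, 0, MOD_A, sizeof MOD_A},   /* tool left CKA_ID blank */
    {OBJ_CERT,    "certB", ID_B, sizeof ID_B, MOD_B, sizeof MOD_B},
    {OBJ_PRIVKEY, "keyB",  ID_B, sizeof ID_B, MOD_B, sizeof MOD_B},
};
const token_obj ORPHAN_CERT = {OBJ_CERT, "certC", NULL, 0, MOD_C, sizeof MOD_C}; /* no key on token */
#define TOKEN_LEN (sizeof TOKEN / sizeof TOKEN[0])

/* Convenience wrappers over the sample token. */
int lookup_index(const token_obj *cert) { int v; return find_private_key(TOKEN, TOKEN_LEN, cert, &v); }
int lookup_used_fallback(const token_obj *cert) { int v; find_private_key(TOKEN, TOKEN_LEN, cert, &v); return v; }
```

Because the fallback compares the key's modulus with the certificate's own public key, it also refuses to pair a certificate with a key whose CKA_ID happens to be blank but whose modulus differs, which is the check that matters when several keys share a token.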