pkinit: using RSA modulus to locate private key

Tom Yu tlyu at MIT.EDU
Mon Oct 6 12:07:37 EDT 2008

Mark Phalan <Mark.Phalan at Sun.COM> writes:

> One issue I ran into when working with PKINIT on OpenSolaris was that
> our tool for storing certs and keys in PKCS11 tokens (pkinit(1)) doesn't
> generate a CKA_ID for private keys - it leaves it blank. When PKINIT
> finds a suitable cert and then looks for a corresponding private key it
> fails to locate it (unless it's the only key available). I've
> implemented a fallback so that if PKINIT can't find a suitable key by
> CKA_ID it will try to find a private key matching the RSA modulus
> associated with its key. As the CKA_ID is typically a hash of the
> modulus it seemed to me to be a suitable fallback.
> Does this sound reasonable? I can contribute a patch.

Is there a CKA_ID on the certificate?  Also, my reading of PKCS11 is
that the CKA_ID is not required to match the subjectKeyIdentifier, but
this may not be a significant problem.

Your approach sounds reasonable, but I would first like someone else
more familiar with PKCS11 than I am to provide feedback.
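The lookup order the thread discusses (CKA_ID first, RSA modulus as the fallback when the token left CKA_ID blank), written out as an added example. This is not code from the thread, from MIT Kerberos, or from the OpenSolaris pkinit(1) tool. The "token" is a constructed in-memory list of attribute dictionaries whose keys mirror PKCS#11 attribute names (CKA_CLASS, CKA_ID, CKA_MODULUS, CKA_LABEL); no PKCS#11 library is called, the moduli are constructed byte strings rather than real RSA moduli, and the certificate object carries its modulus under a hypothetical "modulus" field instead of being parsed out of CKA_VALUE. It also applies the check Tom's reply hints at: a key found by CKA_ID is only accepted if its CKA_MODULUS agrees with the certificate, since CKA_ID is not required to match.

```python
"""Locate the private key for a certificate on a (simulated) PKCS#11 token.

Added example; not code from MIT Kerberos or from pkinit(1).  Objects are plain
dicts; attribute names follow PKCS#11, but nothing here talks to a real token.
"""
import hashlib

# PKCS#11 object class values (as in the PKCS#11 spec)
CKO_CERTIFICATE = 0x1
CKO_PRIVATE_KEY = 0x3


def cka_id_for_modulus(modulus: bytes) -> bytes:
    """CKA_ID as it is typically derived: SHA-1 of the RSA modulus.

    This is a convention, not a PKCS#11 requirement, which is why a tool may
    legitimately leave CKA_ID empty or fill it with something else."""
    return hashlib.sha1(modulus).digest()


def _private_keys(token):
    return [o for o in token if o.get("CKA_CLASS") == CKO_PRIVATE_KEY]


def _modulus_agrees(key, modulus: bytes) -> bool:
    # A key that exposes CKA_MODULUS must agree with the certificate's modulus;
    # a key without the attribute cannot be checked and is not rejected here.
    m = key.get("CKA_MODULUS")
    return m is None or m == modulus


def find_private_key(token, cert):
    """Return (key_object, method) or (None, None).

    Order: CKA_ID match, then RSA modulus match, then 'only key on the token'."""
    modulus = cert["modulus"]  # constructed: real code parses it from CKA_VALUE (DER)
    keys = _private_keys(token)

    # 1. Normal path: match CKA_ID, but only accept a key whose modulus agrees,
    #    because CKA_ID is not guaranteed to correspond to the certificate.
    cert_id = cert.get("CKA_ID", b"")
    if cert_id:
        by_id = [k for k in keys
                 if k.get("CKA_ID", b"") == cert_id and _modulus_agrees(k, modulus)]
        if len(by_id) == 1:
            return by_id[0], "CKA_ID"

    # 2. Fallback proposed in the thread: match the RSA modulus directly.
    by_mod = [k for k in keys if k.get("CKA_MODULUS") == modulus]
    if len(by_mod) == 1:
        return by_mod[0], "CKA_MODULUS"

    # 3. Last resort, the pre-existing behaviour described in the thread:
    #    a single private key on the token is used if nothing contradicts it.
    if len(keys) == 1 and _modulus_agrees(keys[0], modulus):
        return keys[0], "only-key"

    return None, None


def locate(token):
    """Convenience wrapper: (key label, method) for the first certificate found."""
    cert = next(o for o in token if o.get("CKA_CLASS") == CKO_CERTIFICATE)
    key, method = find_private_key(token, cert)
    return (key["CKA_LABEL"] if key else None), method


# --- constructed sample tokens (moduli are placeholder bytes, not real RSA) ---
MOD_A = bytes.fromhex("c0ffee01") * 8
MOD_B = bytes.fromhex("decaf002") * 8

# CKA_ID populated correctly on both the certificate and the keys.
TOKEN_WITH_IDS = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "user-cert",
     "CKA_ID": cka_id_for_modulus(MOD_A), "modulus": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-a",
     "CKA_ID": cka_id_for_modulus(MOD_A), "CKA_MODULUS": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-b",
     "CKA_ID": cka_id_for_modulus(MOD_B), "CKA_MODULUS": MOD_B},
]

# The situation from the thread: the tool left CKA_ID blank on the private keys
# and there is more than one key, so a CKA_ID lookup cannot pick the right one.
TOKEN_BLANK_IDS = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "user-cert",
     "CKA_ID": cka_id_for_modulus(MOD_A), "modulus": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-a",
     "CKA_ID": b"", "CKA_MODULUS": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-b",
     "CKA_ID": b"", "CKA_MODULUS": MOD_B},
]

# CKA_ID present but pointing at the wrong key: the modulus check rejects it and
# the modulus fallback still finds the correct key.
TOKEN_WRONG_ID = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "user-cert",
     "CKA_ID": b"wrong-id", "modulus": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-a",
     "CKA_ID": b"", "CKA_MODULUS": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-b",
     "CKA_ID": b"wrong-id", "CKA_MODULUS": MOD_B},
]

# No key for this certificate at all.
TOKEN_NO_KEY = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "user-cert",
     "CKA_ID": cka_id_for_modulus(MOD_A), "modulus": MOD_A},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "key-b",
     "CKA_ID": b"", "CKA_MODULUS": MOD_B},
]

if __name__ == "__main__":
    for name, tok in [("ids", TOKEN_WITH_IDS), ("blank", TOKEN_BLANK_IDS),
                      ("wrong-id", TOKEN_WRONG_ID), ("no-key", TOKEN_NO_KEY)]:
        print(name, locate(tok))
```

The modulus comparison is what makes the fallback safe to use in front of the "only key on the token" heuristic: a key whose CKA_MODULUS is readable and differs from the certificate is never selected, regardless of what its CKA_ID says.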
