pkinit: using RSA modulus to locate private key

Mark Phalan Mark.Phalan at Sun.COM
Mon Oct 6 12:27:18 EDT 2008

On Mon, 2008-10-06 at 12:07 -0400, Tom Yu wrote:
> Mark Phalan <Mark.Phalan at Sun.COM> writes:
> > One issue I ran into when working with PKINIT on OpenSolaris was that
> > our tool for storing certs and keys in PKCS11 tokens (pkinit(1)) doesn't
> > generate a CKA_ID for private keys - it leaves it blank. When PKINIT
> > finds a suitable cert and then looks for a corresponding private key it
> > fails to locate it (unless it's the only key available). I've
> > implemented a fallback so that if PKINIT can't find a suitable key by
> > CKA_ID it will try to find a private key matching the RSA modulus
> > associated with its key. As the CKA_ID is typically a hash of the
> > modulus it seemed to me to be a suitable fallback.
> >
> > Does this sound reasonable? I can contribute a patch.
> Is there a CKA_ID on the certificate?

When stored with pktool(1) certificates have a CKA_ID stored along with

>   Also, my reading of PKCS11 is
> that the CKA_ID is not required to match the subjectKeyIdentifier, but
> this may not be a significant problem.
> Your approach sounds reasonable, but I first would like else someone
> more familiar with PKCS11 than I am to provide feedback.

Ok. I'd also like to hear someone with PKCS11 experience give their
opinion on this.


More information about the krbdev mailing list