pkinit: using RSA modulus to locate private key
tlyu at MIT.EDU
Wed Oct 8 17:51:49 EDT 2008
Mark Phalan <Mark.Phalan at Sun.COM> writes:
> On Wed, 2008-10-08 at 11:56 -0400, tsitkova wrote:
>> On Oct 7, 2008, at 8:16 AM, Mark Phalan wrote:
>> CKA_ID may be generated in the numerous ways. It may be a modulus of
>> RSA, a public value of DSA, SHA1/MD5 hash of the RSA modulus or any
>> other unique to the token identifier that maps the cert to the
>> associated key pair.
>> Keeping this in mind, as a work around, it might be sufficient just to
>> extract RSA pub keys both from the cert and the priv key and compare
>> their modulus, rather than cert's CKA_ID and the hash value of the
>> modulus of the key pair.
> Indeed thats essentially what I'm proposing (except I'm asking PKCS11 to
> do the comparison for me rather than doing it myself).
I went back to your original message and realize now that I read some
unintended meaning into it. I think now that you meant to propose the
If lookup of certificate's private key by CKA_ID fails, extract the
modulus from the certificate (or use its CKA_MODULUS?) and use that to
locate the private key by CKA_MODULUS.
You do not propose to directly interpret CKA_ID as a specific hash of
the modulus in this fallback situation.
Is this what you meant? If so, I agree with the approach and would be
pleased to see a patch.
I am interested in hearing about how to generalize this approach to
non-RSA keys, if that actually becomes necessary. Is it possible to
generalize this fallback approach without encoding knowledge specific
to the public key mechanism?
More information about the krbdev