pkinit: using RSA modulus to locate private key

[Tom Yu]

Mark Phalan <Mark.Phalan at Sun.COM> writes:

> On Wed, 2008-10-08 at 11:56 -0400, tsitkova wrote:
>> On Oct 7, 2008, at 8:16 AM, Mark Phalan wrote:

>> CKA_ID may be generated in the numerous ways. It may be a modulus of  
>> RSA, a public value of DSA,  SHA1/MD5 hash of the RSA modulus or any  
>> other unique to the token identifier that maps the cert to the  
>> associated key pair.
>> Keeping this in mind, as a work around, it might be sufficient just to  
>> extract RSA pub keys both  from the cert and the priv key and compare  
>> their modulus, rather than cert's CKA_ID and the hash value of the  
>> modulus of the key pair.

> Indeed thats essentially what I'm proposing (except I'm asking PKCS11 to
> do the comparison for me rather than doing it myself).

I went back to your original message and realize now that I read some
unintended meaning into it.  I think now that you meant to propose the
following:

If lookup of certificate's private key by CKA_ID fails, extract the
modulus from the certificate (or use its CKA_MODULUS?) and use that to
locate the private key by CKA_MODULUS.

You do not propose to directly interpret CKA_ID as a specific hash of
the modulus in this fallback situation.

Is this what you meant?  If so, I agree with the approach and would be
pleased to see a patch.

I am interested in hearing about how to generalize this approach to
non-RSA keys, if that actually becomes necessary.  Is it possible to
generalize this fallback approach without encoding knowledge specific
to the public key mechanism?