pkinit: using RSA modulus to locate private key
Mark.Phalan at Sun.COM
Thu Oct 9 05:52:40 EDT 2008
On Wed, 2008-10-08 at 17:51 -0400, Tom Yu wrote:
> Mark Phalan <Mark.Phalan at Sun.COM> writes:
> > On Wed, 2008-10-08 at 11:56 -0400, tsitkova wrote:
> >> On Oct 7, 2008, at 8:16 AM, Mark Phalan wrote:
> >> CKA_ID may be generated in the numerous ways. It may be a modulus of
> >> RSA, a public value of DSA, SHA1/MD5 hash of the RSA modulus or any
> >> other unique to the token identifier that maps the cert to the
> >> associated key pair.
> >> Keeping this in mind, as a work around, it might be sufficient just to
> >> extract RSA pub keys both from the cert and the priv key and compare
> >> their modulus, rather than cert's CKA_ID and the hash value of the
> >> modulus of the key pair.
> > Indeed thats essentially what I'm proposing (except I'm asking PKCS11 to
> > do the comparison for me rather than doing it myself).
> I went back to your original message and realize now that I read some
> unintended meaning into it. I think now that you meant to propose the
> If lookup of certificate's private key by CKA_ID fails, extract the
> modulus from the certificate (or use its CKA_MODULUS?) and use that to
> locate the private key by CKA_MODULUS.
Exactly. Sorry if I wasn't clear in my mail.
> You do not propose to directly interpret CKA_ID as a specific hash of
> the modulus in this fallback situation.
> Is this what you meant? If so, I agree with the approach and would be
> pleased to see a patch.
> I am interested in hearing about how to generalize this approach to
> non-RSA keys, if that actually becomes necessary. Is it possible to
> generalize this fallback approach without encoding knowledge specific
> to the public key mechanism?
Thats not something I've thought about. I'm open to suggestions.
More information about the krbdev