[gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation

Wolfgang Meyer zu Bergsten w.bergsten at sirrix.com
Tue Aug 5 14:10:36 CEST 2014


Hello.

Am 05.08.2014 13:41, schrieb Nikos Mavrogiannopoulos:
> On Mon, Aug 4, 2014 at 3:39 PM, Wolfgang Meyer zu Bergsten
> <w.bergsten at sirrix.com> wrote:
>> Hello,
>> find attached a patch for improving the compatibilty of key generation
>> with the "CardOS API 5.1" PKCS#11 library.
> 
> Hello,
>  Wouldn't that be better if both unwrap and fixed exponent be set
> using special flags? That is create the flags, e.g.,
> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP,
> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific
> functionality for the key.

Regarding the exponent, 0x10001 is the standard exponent that is used by
PKCS#11 libraries if no  CKA_PUBLIC_EXPONENT is provided. So stating it
explicitly only improves compatibility with some PKCS#11 providers.
(see
http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html)
Thus the library behaviour does not change and the flag should not be
necessary. Do you still want the change?

Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according
to your proposal.

regards
Wolfgang



More information about the Gnutls-devel mailing list