[gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Aug 5 14:15:12 CEST 2014


On Tue, Aug 5, 2014 at 2:10 PM, Wolfgang Meyer zu Bergsten
<w.bergsten at sirrix.com> wrote:

>> Wouldn't it be better if both unwrap and fixed exponent were set
>> using special flags? That is, create the flags, e.g.,
>> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP,
>> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific
>> functionality for the key.
> Regarding the exponent, 0x10001 is the standard exponent that is used by
> PKCS#11 libraries if no CKA_PUBLIC_EXPONENT is provided. So stating it
> explicitly only improves compatibility with some PKCS#11 providers.
> (see
> http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html)
> Thus the library behaviour does not change and the flag should not be
> necessary. Do you still want the change?
> Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according
> to your proposal.

That makes sense. I.e., only the wrap and unwrap flags are needed.

regards,
Nikos


