[gnutls-devel] PKCS 11, public key from a private key

Jan Vcelak jan.vcelak at nic.cz
Sun Dec 6 00:46:38 CET 2015

Hello everyone.

I've encountered a problem when constructing a public key from a private key
stored in a PKCS #11 token.

This is a snippet of the code I'm using:

  gnutls_privkey_t key;
  gnutls_privkey_import_pkcs11_url(key, url);
  gnutls_pubkey_t pubkey;
  gnutls_pubkey_import_privkey(pubkey, key, 0, 0);

Actually, there are two problems with this code.

First, there is a bug in the _pkcs11_privkey_get_pubkey() code. An invalid
variable is passed as a function argument for pkcs11_read_pubkey(). By chance,
the values of these variables match for RSA keys. The execution path is just
wrong for any other algorithm. The following patch fixes this problem.

Second, the patch doesn't really solve the problem. This cannot work for
anything else than RSA:

The RSA is special that the public key parameters are a subset of it's private
key parameters. So we can read the public attributes from a private key object
in the token and get the public key.

For ECDSA (and probably DSA), the private key object doesn't contain the
public attributes. So the gnutls_pubkey_import_privkey() call will fail.

I'm not sure what is the correct solution. I have three possible ones:

 1. Don't support gnutls_pubkey_import_privkey() for PKCS #11 non-RSA keys.

 2. Check if the private key object contains optional CKA_PUBLIC_KEY_INFO
    and try to construct the key from it's content.

 3. Use the private key object URL, replace type=private with type=public
    (if it's there), and use the new URL to retrieve the public key from
    the token.

Any ideas?



More information about the Gnutls-devel mailing list