[gnutls-devel] PKCS 11, public key from a private key

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sun Dec 6 11:25:57 CET 2015

On Sun, 2015-12-06 at 00:46 +0100, Jan Vcelak wrote:
> Hello everyone.

> I've encountered a problem when constructing a public key from a 
> private key stored in a PKCS #11 token.
> This is a snippet of the code I'm using:
>   gnutls_privkey_t key;
>   gnutls_privkey_init(&key);
>   gnutls_privkey_import_pkcs11_url(key, url);
>   gnutls_pubkey_t pubkey;
>   gnutls_pubkey_init(&pubkey);
>   gnutls_pubkey_import_privkey(pubkey, key, 0, 0);

> [...]
> Second, the patch doesn't really solve the problem. This cannot work 
> for anything else than RSA:

> RSA is special in that the public key parameters are a subset of 
> its private key parameters. So we can read the public attributes 
> from a private key object in the token and get the public key.
> For ECDSA (and probably DSA), the private key object doesn't contain 
> the public attributes. So the gnutls_pubkey_import_privkey() call 
> will fail.

Interesting. As I understand you are referring to the CKA_EC_POINT
attribute which does not need to be included in private key objects. 

> I'm not sure what is the correct solution. I have three possible 
> ones:
>  1. Don't support gnutls_pubkey_import_privkey() for PKCS #11 non-RSA 
> keys.

For now, indeed you cannot use this function to get public keys out of
PKCS #11 private keys. You'll have to rely on the equivalent
CKO_PUBLIC_KEY object (if it is present).

For a fix to make gnutls_pubkey_import_privkey() available with all
keys, an alternative is for the import function to reconstruct the
public key from the private key. I'll check how feasible that is.
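
Added example (not part of the original message and not GnuTLS code): a small C helper, under the hypothetical name pkcs11_public_url, that turns a private key's PKCS #11 URL into the URL of the matching CKO_PUBLIC_KEY object mentioned above by swapping the RFC 7512 type attribute. It assumes the token stores a public key object under the same id/label as the private key.

```c
#include <stdio.h>
#include <string.h>

/* Rewrite a PKCS #11 URI (RFC 7512) that selects a private key into one that
 * selects the public key object with the same attributes (id, object, token).
 * Returns 0 on success; -1 if url is not a pkcs11: URI, names an object type
 * other than "private", or the result does not fit in out. */
int pkcs11_public_url(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "pkcs11:";
    if (strncmp(url, scheme, sizeof(scheme) - 1) != 0)
        return -1;

    /* Path attributes are ';'-separated; an optional query starts at '?'. */
    const char *path = url + sizeof(scheme) - 1;
    const char *query = strchr(path, '?');
    const char *end = query ? query : path + strlen(path);

    int n = snprintf(out, outlen, "%s", scheme);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;

    for (const char *p = path; p < end; ) {
        const char *sep = memchr(p, ';', (size_t)(end - p));
        size_t len = (size_t)((sep ? sep : end) - p);
        if (len >= 5 && strncmp(p, "type=", 5) == 0) {
            /* Drop type=private; refuse cert, secret-key, data, public. */
            if (len != 12 || strncmp(p + 5, "private", 7) != 0)
                return -1;
        } else if (len > 0) {
            /* Copy every other attribute unchanged. */
            n = snprintf(out + used, outlen - used, "%.*s;", (int)len, p);
            if (n < 0 || (size_t)n >= outlen - used)
                return -1;
            used += (size_t)n;
        }
        p = sep ? sep + 1 : end;
    }
    /* Append the new selector, then the original query (e.g. pin-value). */
    n = snprintf(out + used, outlen - used, "type=public%s", query ? query : "");
    return (n < 0 || (size_t)n >= outlen - used) ? -1 : 0;
}
```

The rewritten URL is what would be passed to gnutls_pubkey_import_url(pubkey, out, 0); that import still fails if the token holds no public key object for the key.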

