[gnutls-devel] PKCS 11, public key from a private key

Jan Včelák jan.vcelak at nic.cz
Fri Dec 18 13:34:27 CET 2015

Hello Nikos.

> >> For a fix to make gnutls_pubkey_import_privkey() available with all
> >> keys, an alternative is for the import function to reconstruct the
> >> public key from the private key. I'll check how feasible is that.
> > 
> > I don't think this will be possible. The private key material is present
> > in the token, so the token would have to do the reconstruction.
>  I'm still thinking whether gnutls_pubkey_import_privkey() should work
> with these keys or we simply return an error. How did you solve that?

I wonder if CKA_ID for a public key object and a corresponding private key 
object have to match. I'm quite certain that they have to. Because this 
attribute is used in certificates to uniquely identify matching key pairs.

So I think one solution is obvious: Use the CKA_ID to get a CKO_PUBLIC_KEY 
object from the token to initialize the gnutls_pubkey_t structure.

As for my case: I haven't fixed it yet. I'm using RSA keys for testing and 
I know that ECDSA is broken. But I intend to import public keys explicitly 
using gnutls_pubkey_import_url() instead of gnutls_pubkey_import_privkey(). 
This is a safe bet.



More information about the Gnutls-devel mailing list