[gnutls-devel] PKCS 11, public key from a private key

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Dec 18 13:59:11 CET 2015

On Fri, Dec 18, 2015 at 1:34 PM, Jan Včelák <jan.vcelak at nic.cz> wrote:
> Hello Nikos.
>> >> For a fix to make gnutls_pubkey_import_privkey() available with all
>> >> keys, an alternative is for the import function to reconstruct the
>> >> public key from the private key. I'll check how feasible is that.
>> > I don't think this will be possible. The private key material is present
>> > in the token, so the token would have to do the reconstruction.
>>  I'm still thinking whether gnutls_pubkey_import_privkey() should work
>> with these keys or we simply return an error. How did you solve that?
> I wonder if CKA_ID for a public key object and a corresponding private key
> object have to match. I'm quite certain that they have to. Because this
> attribute is used in certificates to uniquely identify matching key pairs.
> So I think one solution is obvious: Use the CKA_ID to get a CKO_PUBLIC_KEY
> object from the token to initialize the gnutls_pubkey_t structure.

Unfortunately there is no guarantee for the IDs to match. It is merely
a convention. Even worse the public object cannot be assumed to be
accessible without any user interaction (it may be marked as senstive
and require the user to put a password into pinpad).

> As for my case: I haven't fixed it yet. I'm using RSA keys for testing and
> I know that ECDSA is broken. But I intend to import public keys explicitly
> using gnutls_pubkey_import_url() instead of gnutls_pubkey_import_privkey().
> This is a safe bet.

Indeed. I'll also document that this function cannot operate on
certain PKCS#11 keys.


More information about the Gnutls-devel mailing list