[gnutls-devel] PKCS 11, public key from a private key

Jan Včelák jan.vcelak at nic.cz
Fri Dec 18 14:14:23 CET 2015

> > I wonder if CKA_ID for a public key object and a corresponding private key
> > object have to match. I'm quite certain that they have to. Because this
> > attribute is used in certificates to uniquely identify matching key pairs.
> > So I think one solution is obvious: Use the CKA_ID to get a CKO_PUBLIC_KEY
> > object from the token to initialize the gnutls_pubkey_t structure.
> Unfortunately there is no guarantee for the IDs to match. It is merely
> a convention. Even worse the public object cannot be assumed to be
> accessible without any user interaction (it may be marked as sensitive
> and require the user to put a password into a pinpad).

Currently, the RSA public key is also constructed from the private key object,
which will be marked as sensitive for sure. So that's not a huge difference.

Anyway, if the IDs are not guaranteed to match, I would rather go for the
second proposed solution: Make the gnutls_pubkey_import_privkey() function
always fail for PKCS #11.

It's better than inventing some unreliable workaround. The implicit import of
the public key will always work. And if it doesn't, then the cause is obvious.
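The CKA_ID-based lookup discussed above, as an added example that is not part of the thread or of gnutls: the token is modelled by constructed in-memory objects whose field names mirror the PKCS #11 attributes (CKA_CLASS, CKA_ID, CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_SENSITIVE), and a candidate public key is accepted only if its modulus and exponent also equal those of the private object, failing closed otherwise.

```python
# Added example (not gnutls code): models the CKA_ID lookup with constructed
# in-memory "token objects" instead of a real PKCS #11 token.
from dataclasses import dataclass

CKO_PUBLIC_KEY = 2   # CK_OBJECT_CLASS values from the PKCS #11 spec
CKO_PRIVATE_KEY = 3


@dataclass
class TokenObject:
    cls: int            # CKA_CLASS
    cka_id: bytes       # CKA_ID (a convention, not a guaranteed pairing key)
    modulus: bytes      # CKA_MODULUS
    pub_exp: bytes      # CKA_PUBLIC_EXPONENT
    sensitive: bool = False  # CKA_SENSITIVE (hides private parts only)


class NoMatchingPublicKey(Exception):
    """Raised instead of guessing, mirroring the 'always fail' option."""


def find_public_key(priv: TokenObject, objects: list) -> TokenObject:
    """Return the CKO_PUBLIC_KEY object that belongs to `priv`, or raise.

    CKA_ID equality alone is not trusted: the candidate must also carry the
    same modulus and public exponent. For RSA those two attributes are not
    sensitive, so they are readable on the private object even when it is
    marked CKA_SENSITIVE. Zero or several verified matches fail closed.
    """
    if priv.cls != CKO_PRIVATE_KEY:
        raise ValueError("not a private key object")
    same_id = [o for o in objects
               if o.cls == CKO_PUBLIC_KEY and o.cka_id == priv.cka_id]
    verified = [o for o in same_id
                if o.modulus == priv.modulus and o.pub_exp == priv.pub_exp]
    if len(verified) != 1:
        raise NoMatchingPublicKey(
            f"{len(same_id)} object(s) share CKA_ID {priv.cka_id.hex()}, "
            f"{len(verified)} verified by modulus/exponent")
    return verified[0]


def demo() -> bytes:
    """Constructed token: one private key, a matching and a stale public key."""
    priv = TokenObject(CKO_PRIVATE_KEY, b"\x01", b"\xc3" * 16, b"\x01\x00\x01", True)
    good = TokenObject(CKO_PUBLIC_KEY, b"\x01", b"\xc3" * 16, b"\x01\x00\x01")
    stale = TokenObject(CKO_PUBLIC_KEY, b"\x01", b"\xd4" * 16, b"\x01\x00\x01")
    return find_public_key(priv, [stale, good]).modulus
```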
