aziot_keyd: Consider setting CKA_ID for public and private PKCS#11 key #559
Comments
You can just reuse the

Good idea. Multiple objects with same CKA_LABEL are a bit problematic anyway. I'm just wondering whether size of

Anyway adding the option above:
I've had a tool failing when accessing a key generated using the aziot_keyd because it searched for a matching public key using CKA_ID of the private key, and both the public and the private key did not have CKA_ID set. Looking at the code it seems the aziot_keyd never sets CKA_ID. As far as I understand, setting CKA_ID is a good practice, which is why I'd like to ask if you would consider setting it.

Context

From https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/csd03/pkcs11-base-v2.40-csd03.html

The CKA_ID attribute is intended as a means of distinguishing multiple public-key/private-key pairs held by the same subject (whether stored in the same token or not). (Since the keys are distinguished by subject name as well as identifier, it is possible that keys for different subjects may have the same CKA_ID value without introducing any ambiguity.)

Example

quality-leftovers@4f3c49f

Not sure whether using rand::thread_rng() is a good choice for generating the CKA_ID. Some tools / smartcards seem to use a hash of a public property, which probably is better assuming there are no problems with duplicates. Didn't give it much thought. Just wanted to check if adding it to the template args works (and wanted to paste it for EC and RSA without any changes).