[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [pkcs11] Recent Comment
All, It seems pkcs11-base is underspecified here. IMO leading 0 bytes should not be allowed: Imaging there is a public RSA key with
{0x00, 0x01, 0x00, 0x01} stored as modulus. Now, you export this key. Export requires DER encoding, which removes the leading 0. When you import the key at another token this results in modulus {0x01, 0x00, 0x01}. So, the same happens as with Jonathanâs previous EC key example: you need to search for both
{0x01, 0x00, 0x01} and {0x00, 0x01, 0x00, 0x01} (and even more leading 0s) to find all keys with modulus 0x10001. Or a token silently removes leading 0s on import so that the first token in the example already stores the same modulus
as the second token â and the same should happen when searching for such a modulus. However, this seems cumbersome from an implementers point of view. Maybe we should just forbid leading 0s here. Best, Daniel From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org>
On Behalf Of Tony Cox Hi folks, The following was sent to the pkcs#11 comment list (copied below for convenience). We agreed to discuss this on our next call. pkcs11-base (4) defines attribute values of Big integer data type as follows:
You can view the original comment at https://lists.oasis-open.org/archives/pkcs11-comment/202006/msg00002.html Best Regards, Utimaco IS GmbH Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com Seat: Aachen â Registergericht Aachen HRB 18922 VAT ID No.: DE 815 496 496 Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]