Bob,

Thanks for your reply. In fact, I am working on the NSS Bug #291383. There it proposes an option to delete an orphan key. I am able to see how to make a patch which can identify a key based on CKA_ID and then delete it also, but what if I don't have a CKA_ID and not even a cert but only a Cert Req (in PKCS#10 format)? How do I deal with this type of file? Isn't the bug reporter (Julien) proposing a CertReq as an input to the certutil utility to delete an orphan key? My question is on that. Any suggestions?

Regards
Biswatosh
Bob Relyea wrote:
Biswatosh wrote:
As a sequel to the earlier mail about the way to extract info from a Cert Req file, I have this to discuss.

As I understand, CertReq is a PKCS 10 structure and so the min. members would be 1) Name and 2) SubjectPublicKeyInfo, at least. Now, do we need to identify an orphan key in key.db on the basis of one of these? I mean, in the case when we want to delete an orphan key (in an enhancement of the present certutil). But, suppose we start with the pub key, do we match all components? I mean the modulus, the exponent and all? With name, it need not be unique.

As I mentioned earlier, searching based on CKA_ID is possible and my patch will list the keys based on CKA_IDs and then identify and delete them. But, here we are talking of CertReq. We need that, isn't it?

Thanks
Biswatosh
First, thanks for taking on filling this hole. If you create a bug in bugzilla, it should be possible to get your patch reviewed and incorporated into NSS.

Next, on to your question:

CKA_ID is technically a freeform field in the PKCS #11 spec. The only requirement is that the CKA_ID of a key match the CKA_ID of the corresponding certificate. NSS, however, needs to identify that a particular certificate matches with a newly created key, so when NSS creates the key it always sets it to a value derived from the public key. The function PK11_MakeIDFromPubKey() will give you the CKA_ID value you need.

bob
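The lookup Bob describes, as an added example that is neither code from this thread nor NSS's own: pull the RSA public key out of a PKCS#10 request and derive the CKA_ID to search key.db with, so the orphan key is matched on the key material rather than on the (non-unique) name. It assumes, from my reading of PK11_MakeIDFromPubKey(), that NSS uses SHA-1 over the unsigned modulus bytes for RSA keys (raw bytes when 20 or fewer); the request, the modulus and the in-memory stand-in for key.db are all constructed here.

```python
import hashlib
def der(tag, body):
    # Minimal DER TLV encoder (bodies up to 65535 bytes)
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body
def der_int(v):
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive
def tlv(buf, pos=0):
    # Decode one DER TLV at pos -> (tag, content, position after it)
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first >= 0x80 else 0
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length
def children(body):
    # Split a SEQUENCE/SET body into its (tag, content) elements
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out
RSA_ENC = der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption OID
def build_csr(modulus, exponent):
    # Constructed PKCS#10 with a dummy signature: only the SubjectPublicKeyInfo matters here
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    spki = der(0x30, der(0x30, RSA_ENC + der(0x05, b"")) + der(0x03, b"\x00" + rsa_pub))
    subject = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"orphan"))))
    info = der(0x30, der_int(0) + subject + spki + der(0xA0, b""))
    return der(0x30, info + der(0x30, RSA_ENC + der(0x05, b"")) + der(0x03, b"\x00" * 17))
def rsa_key_from_csr(csr):
    # CertificationRequest -> certificationRequestInfo -> subjectPKInfo -> (n, e)
    info = children(tlv(csr)[1])[0][1]          # certificationRequestInfo
    alg, bits = children(children(info)[2][1])  # [version, subject, subjectPKInfo, attrs][2]
    if children(alg[1])[0][1] != RSA_ENC[2:]:
        raise ValueError("not an rsaEncryption key")
    n, e = children(tlv(bits[1][1:])[1])  # skip the BIT STRING unused-bits byte
    return int.from_bytes(n[1], "big"), int.from_bytes(e[1], "big")
def cka_id_from_modulus(n):
    # Assumed NSS rule: SHA-1 over the unsigned modulus bytes (raw bytes if 20 or fewer)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return raw if len(raw) <= 20 else hashlib.sha1(raw).digest()
def find_orphan(csr, keydb):
    # keydb stands in for key.db: {CKA_ID: nickname}; returns the matching entry or None
    return keydb.get(cka_id_from_modulus(rsa_key_from_csr(csr)[0]))
# Constructed sample: a 512-bit "modulus" (not a real key) and its orphaned private-key entry
SAMPLE_N, SAMPLE_E = (1 << 511) | 0x10001, 65537
SAMPLE_KEYDB = {cka_id_from_modulus(SAMPLE_N): "orphan-key"}
```

Against a real key.db the derived value would be passed to PK11_FindKeyByKeyID() instead of a dict lookup; the exponent is not part of the match, which answers the "modulus, the exponent and all" question above.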
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto