Today I have realized that a buggy PKCS#11 module for a cryptographic token I'm
working with is returning a wrong private key for a given certificate, thus
when calling org.mozilla.jss.CryptoManager#findPrivKeyByCert for 'cert 1' the
private key for 'cert 2' is returned, then my software generates a signature
using 'cert 2' private key (thinking it is the private key for 'cert 1'), and
in the future validation fails. I will talk seriously with my cryptographic
token provider, but in the while I would like to validate that a private key
matches the public key in the certificate before generating a signature.
I've done this before with something like:
if(privKey.getModulus().equals(((RSAPublicKey)
x509Cert.getPublicKey()).getModulus())){
// priv key matches public key in certificate
}
but JSS is returning null for the modulus in its
org.mozilla.jss.pkcs11.PK11RSAPrivateKey
So, two questions actually:
1. Why JSS is returning null for the modulus?, I though it could be made public
even for hardware token.
2. Alternatives for matching a private key to a certificate?
Thanks
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
