Finally I ended up allowing my software to generate the signature and
inmediately after the signature is generated, verifying it with the
certificate's public key, it if validates then the private key used for signing
and the public key are supposed to match, if it doesn't I discard the signature
and make the execution fail. Although I'm thinking about the performance issues
that this could bring.
On Wednesday, April 10, 2013 9:45:27 PM UTC-5, Jaime Hablutzel Egoavil wrote:
> Today I have realized that a buggy PKCS#11 module for a cryptographic token
> I'm working with is returning a wrong private key for a given certificate,
> thus when calling org.mozilla.jss.CryptoManager#findPrivKeyByCert for 'cert
> 1' the private key for 'cert 2' is returned, then my software generates a
> signature using 'cert 2' private key (thinking it is the private key for
> 'cert 1'), and in the future validation fails. I will talk seriously with my
> cryptographic token provider, but in the while I would like to validate that
> a private key matches the public key in the certificate before generating a
> signature.
>
>
>
> I've done this before with something like:
>
>
>
> if(privKey.getModulus().equals(((RSAPublicKey)
> x509Cert.getPublicKey()).getModulus())){
>
> // priv key matches public key in certificate
>
> }
>
>
>
> but JSS is returning null for the modulus in its
> org.mozilla.jss.pkcs11.PK11RSAPrivateKey
>
>
>
> So, two questions actually:
>
>
>
> 1. Why JSS is returning null for the modulus?, I though it could be made
> public even for hardware token.
>
>
>
> 2. Alternatives for matching a private key to a certificate?
>
>
>
> Thanks
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
