Key identifier lengths

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Key identifier lengths

Geoff Elgey
Key identifier lengths

G'day,

The PKCS#11 library in opensc defines the identifier for a private keys as a 32-byte value:

typedef struct pkcs11_key_private {
        ...
        unsigned char id[32];
        ...
} PKCS11_KEY_private;

Similarly for the PKCS11_CERT_private type.

Howver, I was using keys and certs on a muscle card created under Windows, and the key identifiers in this case were 36 bytes long (the length of a GUID). This caused a "BUFFER TOO SMALL" error in opensc, and as a result the id for the key/cert was reported as null.

PKCS#11 does not define any length restriction for the CKA_ID attribute, so perhaps the id length should be increased to 256 bytes to handle most sane cases.

-- Geoff


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Key identifier lengths

Geoff Elgey
Key identifier lengths

G'day,

The PKCS#11 library in opensc defines the identifier for a private keys as a 32-byte value:

typedef struct pkcs11_key_private {
        ...
        unsigned char id[32];
        ...
} PKCS11_KEY_private;

Similarly for the PKCS11_CERT_private type.

Howver, I was using keys and certs on a muscle card created under Windows, and the key identifiers in this case were 36 bytes long (the length of a GUID). This caused a "BUFFER TOO SMALL" error in opensc, and as a result the id for the key/cert was reported as null.

PKCS#11 does not define any length restriction for the CKA_ID attribute, so perhaps the id length should be increased to 256 bytes to handle most sane cases.

-- Geoff


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Key identifier lengths

Stef Hoeben
Okay, done (it's set to 255, same length as for pkcs15).

Cheers,
Stef

Geoff Elgey wrote:

> G'day,
>
> The PKCS#11 library in opensc defines the identifier for a private
> keys as a 32-byte value:
>
> typedef struct pkcs11_key_private {
>         ...
>         unsigned char id[32];
>         ...
> } PKCS11_KEY_private;
>
> Similarly for the PKCS11_CERT_private type.
>
> Howver, I was using keys and certs on a muscle card created under
> Windows, and the key identifiers in this case were 36 bytes long (the
> length of a GUID). This caused a "BUFFER TOO SMALL" error in opensc,
> and as a result the id for the key/cert was reported as null.
>
> PKCS#11 does not define any length restriction for the CKA_ID
> attribute, so perhaps the id length should be increased to 256 bytes
> to handle most sane cases.
>
> -- Geoff
>
>------------------------------------------------------------------------
>
>_______________________________________________
>opensc-devel mailing list
>[hidden email]
>http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
>

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Key identifier lengths

Nils Larsch
In reply to this post by Geoff Elgey
Geoff Elgey wrote:

> G'day,
>
> The PKCS#11 library in opensc defines the identifier for a private keys
> as a 32-byte value:
>
> typedef struct pkcs11_key_private {
>         ...
>         unsigned char id[32];
>         ...
> } PKCS11_KEY_private;
>
> Similarly for the PKCS11_CERT_private type.
>
> Howver, I was using keys and certs on a muscle card created under
> Windows, and the key identifiers in this case were 36 bytes long (the
> length of a GUID). This caused a "BUFFER TOO SMALL" error in opensc, and
> as a result the id for the key/cert was reported as null.
>
> PKCS#11 does not define any length restriction for the CKA_ID attribute,
> so perhaps the id length should be increased to 256 bytes to handle most
> sane cases.

isn't that a overkill ? pkcs11 recommends to use the key identitifier
as the CKA_ID value (which is normally some digest value) => I would
already consider CKA_ID values > 64 bytes insane and reject to support
them (an alternative solution would be use dynamic memory allocation
but that would require more changes).

Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel