pkcs11 : extract pubkey from x509 certificates

Laurent Barbe laurent at ksperis.com
Fri Feb 18 05:08:51 EST 2011


Yes, the certificates do contain the public key.
I'll try to be a little more specific:

The problem is that OpenSSH does not seem to find and use them.

For example, I ran tests with SafeNet (formerly Aladdin) 72k tokens; the
PKCS#11 library libeTPkcs11.so provided by the SafeNet middleware lists
only the certificates, not the public keys.

In the object search function ssh-pkcs11.c:pkcs11_fetch_keys(),
the object class searched for is public key, not certificate:
line 400: "CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;"
and not "CKO_CERTIFICATE".

It is therefore unable to retrieve the public key from the certificates, and
on these tokens I am not able to store classic RSA keys.

I do not know much about the structure and workings of PKCS#11;
perhaps someone can tell me.

On versions < 5.4 with Alon Bar-Lev's pkcs11 patch, without X.509
support, such use was possible.

On Windows, PuTTY-CAC is also able to retrieve the public key from
certificates, unlike PuTTY SC.

"Public certificates include public keys, but the implementation in
PuTTY SC will not extract those public keys from the certificates.
PuTTY-CAC fixes this."
http://www.risacher.org/putty-cac/

Sincerely,

Laurent


On Thursday, 17 February 2011 at 11:59 -0500, Steven Bade wrote:
> Daniel Kahn Gillmor wrote:
> > On 02/17/2011 11:38 AM, Laurent Barbe wrote:
> >> About PKCS11, some provider allows only the use of X509
> >> certificate.
> >> Are there plans to add the ability to extract the public key from
> >> certificates when there is no public key?
> > 
> > I'm not sure this question makes sense.  All X.509 certificates have a
> > public key (the subject's public key) in them by definition.
> > 
> > Do you mean something else?  (apologies if this is a simple typo that I
> > should be able to guess what you mean -- this stuff is confusing enough
> > that being really clear and explicit is helpful, though)
> > 
> > 	--dkg
> > 
> I think that they are saying that the PKCS#11 token will not allow
> access to the public key object (it may not even exist); some tokens
> only allow access to the public key through the certificate object... but
> it's been a while since I've delved into P11 in great detail. I know the
> implementations I worked on allowed access to the public key object.
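As an added illustration, not code from OpenSSH, the token middleware or anyone in this thread, of what "extracting the public key from the certificate object" involves: given the DER bytes a PKCS#11 CKO_CERTIFICATE object returns as its CKA_VALUE attribute, walk the ASN.1 down to subjectPublicKeyInfo and re-encode the RSA key in OpenSSH's ssh-rsa form. The certificate bytes are constructed inline around a toy RSA key (not a real certificate), and the PKCS#11 call that would fetch CKA_VALUE from the token is assumed rather than shown.

```python
import base64, struct

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1  rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption

def der_read(buf):                                     # first DER TLV in buf -> (tag, content, rest)
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def der_children(content):                             # members of a constructed element as (tag, content)
    out = []
    while content:
        tag, value, content = der_read(content)
        out.append((tag, value))
    return out

def extract_rsa_pubkey(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return (n, e)."""
    _, cert, _ = der_read(cert_der)
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate members
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    alg, bitstr = der_children(fields[5][1])           # serial, sigAlg, issuer, validity, subject, SPKI
    if der_children(alg[1])[0][1] != RSA_OID:          # e.g. an ECDSA certificate: not handled here
        raise ValueError("subjectPublicKeyInfo is not rsaEncryption")
    _, rsa_pub, _ = der_read(bitstr[1][1:])            # BIT STRING: skip the unused-bits byte
    (_, n), (_, e) = der_children(rsa_pub)             # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def int_bytes(i):                                      # big-endian, leading 0x00 if the top bit is set
    return i.to_bytes((i.bit_length() + 8) // 8, "big")   # (DER INTEGER and SSH mpint agree on this)
def to_openssh(n, e):                                  # authorized_keys-style line, RFC 4253 string/mpint framing
    blob = b"".join(struct.pack(">I", len(x)) + x for x in (b"ssh-rsa", int_bytes(e), int_bytes(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode()
def der(tag, content):                                 # DER encoder, used only to build the test certificate
    length = bytes([len(content)]) if len(content) < 128 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + length + content
SAMPLE_N, SAMPLE_E = 0xD1A2B3C4E5F60718, 65537         # constructed toy key, far too small for real use
def build_sample_cert(n=SAMPLE_N, e=SAMPLE_E):
    """Constructed X.509 v3 skeleton with an RSA SPKI and a dummy signature: test data, not a real cert."""
    rsa_alg, sig_alg = (der(0x30, der(0x06, o) + der(0x05, b"")) for o in (RSA_OID, SHA256_RSA_OID))
    rsa_pub = der(0x30, der(0x02, int_bytes(n)) + der(0x02, int_bytes(e)))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + rsa_pub))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + der(0x30, b"")
              + der(0x30, der(0x17, b"110218000000Z") * 2) + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))
```

Because a DER INTEGER and an SSH mpint use the same sign convention, the modulus and exponent bytes can be copied across without any big-number arithmetic; only the rsaEncryption case is handled, and anything else is rejected rather than misread.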