[kmf-discuss] pktool fixes for exporting symmetric keys
Huie-Ying Lee
huie-ying.lee at sun.com
Wed Dec 19 17:51:26 PST 2007
Wyllys Ingersoll wrote:
> Recent fixes to pktool for supporting the find_key operation (pktool
> export ...)
> have exposed a gap in the coverage of different key types for the utility.
>
> pktool now has no way to isolate just symmetric keys and export/delete
> them because
> there is no user interface (i.e. CLI option) for specifying that the
> user just wants
> to export a symmetric key.
>
> This is primarily an issue with symmetric keys in a PKCS#11 keystore
> because the
> "objtype" values allowed are: objtype=key[:[public | private | both]]
>
> I think we need either a new objtype, something like "symkey". Or we need
> a new modifier for the existing key, "symmetric"
>
> The choices are to support one of these 2 key/value pairs for the CLI:
>
> objtype=[cert | key[:[public | private | both]] | symkey ]
>
> OR
>
> objtype=[cert | key[:public | private | both | symmetric | all]]
>
> I think we have to keep the public/private/both modifiers to retain
> backwards compat with
> pre-KMF versions of the tool.
>
> I think I prefer the 1st choice - add a new objtype rather than a new
> key modifier since
> I think that the key modifier stuff makes things more complicated than
> it needs to be
> anyway.
>
> Thoughts?
>
The "public" keyword in the pktool usage actually refers to the public objects in a PKCS11
token. In PKCS11, a public object is an object that can be retrieved without logging into
the token (hence password is not required). It is not the public key of an asymmetric
keypair. Similarly, the "private" keyword refers to the private objects - they can be retrieved
only after successfully logging in to the token (hence password is required).
Because of this, adding a symkey or symmetric keyword into the existing public/private/both
choices doesn't seem right to me.
Huie-Ying
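The distinction Huie-Ying draws (public/private select on the PKCS#11 CKA_PRIVATE attribute, while "symkey" would select an object class) can be made concrete with a small parser for Wyllys's first proposed syntax, objtype=[cert | key[:[public | private | both]] | symkey]. This is an added illustration, not pktool or KMF code; the type and function names are assumed, and the modifier is accepted only on "key" so the two dimensions stay separate.

```c
/* Added example (not pktool's own code): parse the proposed objtype syntax
 * into two orthogonal PKCS#11 search dimensions: the object class to look
 * for, and a filter on the CKA_PRIVATE attribute (public = CKA_PRIVATE false,
 * readable without a token login; private = CKA_PRIVATE true). */
#include <string.h>

typedef enum { OBJ_CERT, OBJ_KEY, OBJ_SYMKEY } objclass_t;
/* Which CKA_PRIVATE values the search template should match. */
typedef enum { PRIV_FALSE_ONLY, PRIV_TRUE_ONLY, PRIV_ANY } privfilter_t;

typedef struct {
    objclass_t   cls;    /* which object class(es) to search */
    privfilter_t priv;   /* CKA_PRIVATE filter, independent of key type */
    int          login;  /* 1 if the search may need a token login (PIN) */
} objtype_spec_t;

/* Returns 0 on success, -1 on a syntax error (unknown word or modifier). */
int parse_objtype(const char *arg, objtype_spec_t *out)
{
    const char *colon = strchr(arg, ':');
    size_t      n     = colon ? (size_t)(colon - arg) : strlen(arg);

    out->priv = PRIV_ANY;
    if (n == 4 && strncmp(arg, "cert", 4) == 0)
        out->cls = OBJ_CERT;
    else if (n == 6 && strncmp(arg, "symkey", 6) == 0)
        out->cls = OBJ_SYMKEY;   /* a class, not a CKA_PRIVATE value */
    else if (n == 3 && strncmp(arg, "key", 3) == 0)
        out->cls = OBJ_KEY;
    else
        return -1;

    /* Only "key" keeps the legacy public/private/both modifier. */
    if (colon != NULL) {
        if (out->cls != OBJ_KEY)
            return -1;
        if (strcmp(colon + 1, "public") == 0)
            out->priv = PRIV_FALSE_ONLY;
        else if (strcmp(colon + 1, "private") == 0)
            out->priv = PRIV_TRUE_ONLY;
        else if (strcmp(colon + 1, "both") == 0)
            out->priv = PRIV_ANY;
        else
            return -1;           /* e.g. "key:symmetric" is rejected */
    }
    /* A login is needed whenever CKA_PRIVATE=TRUE objects may be returned. */
    out->login = (out->priv != PRIV_FALSE_ONLY);
    return 0;
}
```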