-
I am using CKA_MODULUS_BITS to get the length of an RSA key. Using pkcs11-tool I noticed that the key size is not presented. Is it something that should be expected to not be available on a private key? On SoftHSM, after generating a key, the aforementioned attribute returns null. After testing with a key generated on an OpenPGP card I was surprised that the private key also has CKA_MODULUS_BITS set and returns the proper value. Which is more common? I found something in the spec saying that a generated key does not have this attribute set.
-
Is there a reason you need to know the key size? Or just for the signature buffer size?
-
In my case I am trying to connect python package of cryptography to PKCS11 cards and there is a parameter for PSS salt length which has a value of MAX_LENGTH and in this case cryptography calculates salt length like this:
and you can imagine that this is done on the private key if we do signing with RSA. A missing key_size on the key would make this a problem. There are other possibilities for salt length, but for completeness I tried to finish this also.
-
PKCS11 "CKA_MODULUS_BITS" is not an attribute of object class "CKO_PRIVATE_KEY, key type CKK_RSA"
"CKA_MODULUS_BITS" is an attribute of "CKO_PUBLIC_KEY, key type CKK_RSA"
"Note that when generating an RSA private key, there is no CKA_MODULUS_BITS attribute specified. This is because RSA private keys are only generated as part of an RSA key pair, and the CKA_MODULUS_BITS attribute for the pair is specified in the template for the RSA public key."
See https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.pdf in sections "2.1.2 RSA public key objects" and "2.1.3 RSA private key objects".
The CKO_PRIVATE_KEY, CKO_PUBLIC_KEY and CKO_CERTIFICATE should all contain the same CKA_ID, so given one you can find the matching other two. At least CKO_PUBLIC_KEY or CKO_CERTIFICATE should be present if there is a private key object: CKO_PRIVATE_KEY. See: https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.pdf
RSA uses these common key sizes in bits: 1024, 2048, 3072, 4096, so you could look at the size of CKA_MODULUS in bytes which will be just under one of these sizes in bits.
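The lookup order discussed in this thread, as an added example that is not part of the original discussion and is not code from cryptography or any PKCS#11 library: token objects are modelled as plain dicts with constructed values, the helper names are hypothetical, and the salt bound follows the EMSA-PSS definition in RFC 8017.

```python
# Constructed stand-ins for PKCS#11 objects (attribute name -> value).
# MODULUS is a constructed 2048-bit integer, not a real RSA modulus.
MODULUS = ((1 << 2047) | 1).to_bytes(256, "big")
TOKEN_OBJECTS = [
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x01", "CKA_MODULUS": MODULUS},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_ID": b"\x01",
     "CKA_MODULUS": MODULUS, "CKA_MODULUS_BITS": 2048},
]


def modulus_bit_length(modulus: bytes) -> int:
    """Bit length of a big-endian modulus; leading zero bytes do not count."""
    return int.from_bytes(modulus, "big").bit_length()


def rsa_key_bits(private_key: dict, objects: list) -> int:
    """Resolve the RSA key size for a private key object (hypothetical helper)."""
    # 1. Some tokens expose CKA_MODULUS_BITS on the private key; use it if set.
    if private_key.get("CKA_MODULUS_BITS"):
        return private_key["CKA_MODULUS_BITS"]
    # 2. Otherwise derive the size from the private key's CKA_MODULUS.
    if private_key.get("CKA_MODULUS"):
        return modulus_bit_length(private_key["CKA_MODULUS"])
    # 3. Otherwise fall back to the public key sharing the same CKA_ID.
    for obj in objects:
        if (obj.get("CKA_CLASS") == "CKO_PUBLIC_KEY"
                and obj.get("CKA_ID") == private_key.get("CKA_ID")):
            if obj.get("CKA_MODULUS_BITS"):
                return obj["CKA_MODULUS_BITS"]
            if obj.get("CKA_MODULUS"):
                return modulus_bit_length(obj["CKA_MODULUS"])
    raise LookupError("no key size available for this private key")


def max_pss_salt_length(key_bits: int, digest_size: int) -> int:
    """Largest PSS salt in bytes: emLen - hLen - 2, emLen = ceil((bits - 1) / 8)."""
    em_len = (key_bits - 1 + 7) // 8
    salt_length = em_len - digest_size - 2
    if salt_length < 0:
        raise ValueError("key too small for this digest")
    return salt_length


if __name__ == "__main__":
    bits = rsa_key_bits(TOKEN_OBJECTS[0], TOKEN_OBJECTS)
    print(bits, max_pss_salt_length(bits, 32))  # 32 = SHA-256 digest size
```
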