How do a private key and its certificate get matched together in the IAIK PKCS#11 Wrapper?

I want to use a PKCS#11 token in Java, so I am using "IAIK" as the PKCS#11 Java wrapper. I can search for objects such as keys and certificates, but I cannot find out which key belongs to which certificate. I use "CryptoKi Manager" to browse the objects in the token, and it shows the connection between certificates and keys, as in the image below. Then I studied the PKCS#11 standard, which says there is a field named "certId" that declares this connection, but I can't find it in "IAIK". Does "IAIK" support this in its Certificate object? How?

This connection is made through the CKA_ID attribute. Quoting PKCS#11 version 2.20:

The CKA_ID field is intended to distinguish among multiple keys. In the case of public and private keys, this field assists in handling multiple keys held by the same subject; the key identifier for a public key and its corresponding private key should be the same. The key identifier should also be the same as for the corresponding certificate, if one exists. Cryptoki does not enforce these associations, however. (See Section 10.6 for further commentary.)

Note that this association is not enforced (YMMV), but sane implementations behave this way.

In the PKCS#11 Wrapper, use the Key.getId() and X509PublicKeyCertificate.getID() methods.

With the IAIK provider (note that you need a license), use IAIKPKCS11Key.getKeyID() to pair public and private key objects. I don't know how to get the CKA_ID value from certificates obtained from TokenKeyStore.

Good luck!
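The pairing described in the answer above, written out as an added example (this is not code from the question, the answer, or the IAIK project). It enumerates every X.509 certificate on the token, searches for private keys carrying the same CKA_ID, and then, because Cryptoki does not enforce the association, confirms each candidate pair for RSA by comparing the modulus in the certificate with the key object's CKA_MODULUS, which stays readable even on sensitive, non-extractable keys. Assumptions: the IAIK PKCS#11 Wrapper 1.2/1.3-era class names (`iaik.pkcs.pkcs11.objects.Object`; later releases renamed it `PKCS11Object`), the accessor spelled `getId()` on both `Key` and `Certificate` (the answer writes `getID()`), and the library path and user PIN taken from the command line.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.Object;   // renamed PKCS11Object in newer wrapper releases (assumption)
import iaik.pkcs.pkcs11.objects.PrivateKey;
import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;

/** Pairs each X.509 certificate on a token with its private key via CKA_ID, then verifies the pair. */
public class CkaIdPairing {

    public static void main(String[] args) throws Exception {
        String libPath = args[0];          // path to the vendor's PKCS#11 library (assumed CLI argument)
        char[] pin = args[1].toCharArray(); // user PIN (assumed CLI argument)

        Module module = Module.getInstance(libPath);
        module.initialize(null);
        try {
            Slot[] slots = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
            if (slots.length == 0) throw new IllegalStateException("no token present");
            Session session = slots[0].getToken().openSession(Token.SessionType.SERIAL_SESSION,
                    Token.SessionReadWriteBehavior.RO_SESSION, null, null);
            try {
                // Private keys are normally CKA_PRIVATE=TRUE, so they are invisible until login.
                session.login(Session.UserType.USER, pin);
                for (Object obj : findAll(session, new X509PublicKeyCertificate())) {
                    X509PublicKeyCertificate cert = (X509PublicKeyCertificate) obj;
                    byte[] id = cert.getId().getByteArrayValue();
                    if (id == null || id.length == 0) {
                        System.out.println("certificate without CKA_ID, cannot pair by id");
                        continue;
                    }
                    String hexId = new BigInteger(1, id).toString(16);
                    Object[] keys = findPrivateKeysById(session, id);
                    System.out.println("cert CKA_ID=" + hexId + ": " + keys.length + " private key(s) share it");
                    for (Object k : keys) {
                        PrivateKey key = (PrivateKey) k;
                        boolean verified = sameRsaModulus(cert, key);
                        System.out.println("  key matches by CKA_ID; modulus check: " + (verified ? "OK" : "MISMATCH"));
                    }
                }
            } finally {
                session.closeSession();
            }
        } finally {
            module.finalize(null);
        }
    }

    /** Runs one C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal cycle and returns every match. */
    static Object[] findAll(Session session, Object template) throws TokenException {
        session.findObjectsInit(template);
        try {
            List<Object> found = new ArrayList<>();
            Object[] batch;
            while ((batch = session.findObjects(16)).length > 0) {
                found.addAll(Arrays.asList(batch));
            }
            return found.toArray(new Object[0]);
        } finally {
            session.findObjectsFinal();
        }
    }

    /** Searches for private keys whose CKA_ID equals the certificate's CKA_ID (the PKCS#11 convention). */
    static Object[] findPrivateKeysById(Session session, byte[] id) throws TokenException {
        PrivateKey template = new PrivateKey();
        template.getId().setByteArrayValue(id);
        return findAll(session, template);
    }

    /**
     * CKA_ID is advisory only, so confirm the pair cryptographically: the modulus inside the
     * certificate's public key must equal CKA_MODULUS of the private key object. CKA_MODULUS is
     * not a sensitive attribute, so tokens return it even for non-extractable keys.
     */
    static boolean sameRsaModulus(X509PublicKeyCertificate cert, PrivateKey key) throws Exception {
        if (!(key instanceof RSAPrivateKey)) return false;   // only RSA handled in this example
        byte[] der = cert.getValue().getByteArrayValue();     // CKA_VALUE holds the DER certificate
        X509Certificate x509 = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        if (!(x509.getPublicKey() instanceof RSAPublicKey)) return false;
        BigInteger certModulus = ((RSAPublicKey) x509.getPublicKey()).getModulus();
        byte[] keyModulus = ((RSAPrivateKey) key).getModulus().getByteArrayValue();
        // BigInteger(1, ...) normalises any leading zero byte the token may or may not include.
        return keyModulus != null && certModulus.equals(new BigInteger(1, keyModulus));
    }
}
```

Run it as `java CkaIdPairing /path/to/vendor-pkcs11.so 1234`. If a token reports several keys for one CKA_ID, or a key whose modulus does not match the certificate that claims it, the id convention has been violated on that token and the modulus check is the only reliable way to choose the right key object.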