@sc-hsm @saper
How do I compare a certificate (not inside the HSM) and a private key (inside the HSM) to validate that they match, since the private key cannot be exported and so its public part can't be read? e.g. privKey.PublicKey.N.Cmp(pubKey.N)
The most obvious way is to perform a cryptographic operation with one key and validate with the other.
For RSA you could encrypt using the public key and try to decrypt using the private key. For ECC you could sign with the private key and verify with the public key.
@sc-hsm @saper
How do I compare a certificate (not inside the HSM) and a private key (inside the HSM) to validate that they match, since the private key cannot be exported and so its public part can't be read? e.g. privKey.PublicKey.N.Cmp(pubKey.N)
The PKCS#11 interface will provide you with a public key object in addition to the
private key object. They can be matched with the CKA_ID attribute.
Example from my HSM:
Private Key Object; EC
label: key 100
ID: 0100
Usage: sign, derive
Access: sensitive, always sensitive, never extractable, local
The public key object is generated from the certificate object. If the certificate does not match the private key, the public key won’t as well.
In the HSM there is no separate public key information at the private key. It's always taken from the associated X.509 or CV-certificate. For newly generated key pairs, the public key is stored as part of the CVC that is automatically generated internally and signed by the PrK.DevKey key.
@saper so here CKA_ID is 100, and that can be matched to validate the pair. Correct?
So in my case CKA_ID is: 34414d666d464d744c59364236764e337134535174436b43513655593566366755463372445245347771443459445572756e755a626d5a70566b387a737a6b74383679656e504255474532614351435a6d5146636d6e6a33556178794c7a66544d6a436e6170416533 ?