boulder/ca
Jacob Hoffman-Andrews f9a8e744b7 Update pkcs11key to v4 (#4602)
This is a breaking API change: pkcs11key now takes as input a public key rather than
a private key label. In order to find the private key, it first finds the public key's CKA_ID
in the token, then looks for a private key with the same CKA_ID. From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf:

> The CKA_ID field is intended to distinguish among multiple keys. In
> the case of public and private keys, this field assists in handling
> multiple keys held by the same subject; the key identifier for a
> public key and its corresponding private key should be the same.

This does require that both the public key and private key are present and have
appropriate CKA_IDs set. I've verified this is the case in prod. In our integration
testing environment it was not the case, so I've tweaked entrypoint.sh to load
public keys into SoftHSM and set their CKA_ID.

The initial part of this change was written by @cpu. I've reviewed and approved
those commits.
2019-12-09 10:03:33 -08:00
config Update pkcs11key to v4 (#4602) 2019-12-09 10:03:33 -08:00
proto CA/SA: Store issuer info in certificateStatus, use for OCSP generation (#4546) 2019-11-18 09:15:29 -05:00
testdata CA: Test that the CT poison extension in CSRs is ignored. (#2915) 2017-07-28 10:51:46 -07:00
ca.go CA: add orphans and adopted_orphans prom. counters (#4558) 2019-11-18 15:28:22 -05:00
ca_test.go CA: add orphans and adopted_orphans prom. counters (#4558) 2019-11-18 15:28:22 -05:00