Bug 84761 - We should use the key identifier certificate extension to fill CKA_ID
Summary: We should use the key identifier certificate extension to fill CKA_ID
Status: RESOLVED FIXED
Alias: None
Product: p11-glue
Classification: Unclassified
Component: p11-kit (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Stef Walter
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-07 16:39 UTC by Stef Walter
Modified: 2014-10-09 11:51 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible (16.43 KB, patch)
2014-10-09 09:55 UTC, Stef Walter
Details | Splinter Review

Description Stef Walter 2014-10-07 16:39:13 UTC
The PKCS#11 v2.40 spec states:

| It is intended that the CKA_ID value be identical to the key identifier in
| such a certificate extension, although this will not be enforced by Cryptoki.

We should populate the CKA_ID in this way.
Comment 1 Stef Walter 2014-10-09 09:55:00 UTC
Created attachment 107606 [details] [review]
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible
Comment 2 David Woodhouse 2014-10-09 10:08:44 UTC
Comment on attachment 107606 [details] [review]
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible

Review of attachment 107606 [details] [review]:
-----------------------------------------------------------------

That fixes my problem; thanks.
Comment 3 Stef Walter 2014-10-09 11:51:08 UTC
Attachment 107606 [details] pushed as 03d280d - trust: Certificate CKA_ID is SubjectKeyIdentifier if possible


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.