> The public key can be created in memory and not on token,
> this is also much faster.
> You can do whatever you like with the public key once in memory.

True, but it adds extra work if you want to use the functionality of the HSM.

> The pkcs11-tool can always create the public key from the
> stored private key object whenever requested.

No, since the private key has CKA_SENSITIVE set to true (by the gen_keypair function), which means that the key material of the private key cannot be extracted, and thus no public key can be created from the private key.

I think that you should create a private and a public key on the token. One of the reasons to use an HSM is to securely store the private key, which means that no public key can be derived from the private key (once the public key is removed from the token).

My conclusion: Keep the {CKA_TOKEN, &_true, sizeof(_true)} for the public key in the context of the pkcs11-tool.

// Rickard
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel