3

I have some private keys stored in the HSM but without public keys. I want to get the corresponding public key using PKCS11 interface.

If the private key is a RSA key, I can extract the modulus from CKA_MODULUS and exponent from CKA_PUBLIC_EXPONENT, and then construct the public key with these two numbers.

However, when it comes to ECDSA(or DSA) keys, how can I achieve the same goal?
CKA_EC_POINT attribute is not available for private keys.
I think the only useful information I can get is its curve parameters from CKA_EC_PARAMS, which is not enough to get the public point.

Jemmy1228
  • 141
  • 6
  • It should be possible to calculate public key from signature (never tried that myself)...see e.g. [here](https://crypto.stackexchange.com/q/18105/25845) – vlp Jun 11 '19 at 22:11
  • @vlp this method seems very interesting! But I can't understand it totally... I don't understand the two rare cases stated by Steve Mitchell and Jan Moritz. If I try to recover the public key using two or more signatures, will I have more possiblity to recover the right public key? – Jemmy1228 Jun 12 '19 at 11:17
  • I suppose so. It might be worth searching/asking on [crypto SE](http://crypto.stackexchange.com). [This code](https://github.com/andrewkozlik/eop/blob/master/compute_issuer_public_key.py) was used to get public key for Czech national ID card CA from single issued certificate (CA public key was not publicly released, see [here](https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fwww.paralelnipolis.cz%2Fobcanka%2F)). [Bouncy castle](https://www.bouncycastle.org/) has a nice API for calculations on EC. – vlp Jun 12 '19 at 14:33
  • @vlp The news is intersting and funny! And yes, I'm using Bouncycastle in C#. I will try to write some code to reproduce the public key. – Jemmy1228 Jun 12 '19 at 15:13

1 Answers1

2

If you're using PKCS#11 library that implements PKCS#11 specification v2.40 then CKA_PUBLIC_KEY_INFO attribute is what you are looking for.

If you're using PKCS#11 library that implements PKCS#11 specification older than 2.40 then you cannot read EC public key value from EC private key object unless your device vendor provides some vendor specific attribute similar to CKA_PUBLIC_KEY_INFO attribute.

jariq
  • 11,681
  • 3
  • 33
  • 52
  • I don't know which version the PKCS#11 library implements and I don't know how to distinguish the version as well... I tried to read CKA_PUBLIC_KEY_INFO in C# using Pkcs11Interop, it seems that the attribute can be read (CannotBeRead=false), but GetAttributeAsByteArray returned an empty array. Does it mean that the PKCS#11 library doesn't implenent specification v2.40? – Jemmy1228 Jun 12 '19 at 11:31
  • @JemmyLoveJenny version of PKCS#11 standard implemented by your PKCS#11 library can be read with the following code: `pkcs11Library.GetInfo().CryptokiVersion` – jariq Jun 12 '19 at 12:11
  • Checked with you code, the library supports v2.40 specification. In the v2.40 specification, it says CKA_PUBLIC_KEY_INFO "(MAY be empty, DEFAULT derived from the underlying public key data)". In my case, the attribute is empty. So it seems the result of this attribute varies with the implemention of the PKCS#11 library. It isn't a reliable way that I expect... – Jemmy1228 Jun 12 '19 at 14:41