[Softhsm-develop] The lifespan of a private key identifier

Full Name nuncestbibendum at excite.com
Tue Aug 24 17:30:10 UTC 2021

     GnuTLS exposes a number of PKCS #11-related APIs for generating key pairs - e.g. gnutls_pkcs11_privkey_generate3. When this function is invoked successfully against SoftHSM, it returns an identifier (a CKA_ID) that uniquely identifies the key object that has just been generated. This can be used later on in order to get SoftHSM to carry out cryptographic operations with the corresponding key - in essence, if I understand things correctly, this identifier is used by SoftHSM in order to find a private key blob that SoftHSM saved to the filesystem in the host computer when the key was generated by invoking gnutls_pkcs11_privkey_generate3.

     My question is, what is the lifespan of this identifier? My guess is that, as long as the matching keyblob is present in the filesystem, SoftHSM will be able to load that keyblob unambiguously when the identifier above is used for this purpose. Is this correct?

