[Softhsm-develop] The lifespan of a private key identifier

Berry van Halderen berry at nlnetlabs.nl
Tue Aug 24 19:56:34 UTC 2021


>      My question is, what is the lifespan of this identifier? My guess
> is that, as long as the matching keyblob is present in the filesystem,
> SoftHSM will be able to load that keyblob unambiguously when the
> identifier above is used for this purpose. Is this correct?

Nope, it is not a unique identifier, so this is not necessarily
unambiguous.
It is up to the end-application to keep it unique and to distinguish
certificates/public/private keys with the same identifier.  It is also
not generated by (all) PKCS#11 implementations but must be set
explicitly, I assume for this reason.

The "lifespan" of this attribute is that once set, it remains stable
across sessions, so you may use it in another session or at a later time
to look up the object.  This is in contrast to the handle, which, although
implemented as an integer, is not necessarily stable across sessions.

The main difference between CKA_LABEL and CKA_ID from my perspective is
the different values that are permissible, but their use case is
similar.  (Although labels are meant more for human consumption.)

\Berry
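
An added example, not part of the original message and not SoftHSM or PKCS#11 library code: an application-side lookup that searches by CKA_CLASS plus CKA_ID and refuses an ambiguous result instead of taking the first match. The Session class, find_unique, the object list and the handle numbering are hypothetical in-memory stand-ins; the model always issues new handles per session, which a real token may or may not do.

```python
import itertools

class AmbiguousObject(Exception):
    """More than one object matched a lookup that must be unique."""

# Constructed sample token contents: a certificate and key pair sharing one
# CKA_ID (normal), and two private keys that ended up with the same CKA_ID.
TOKEN_OBJECTS = [
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": b"\x01", "CKA_LABEL": "web"},
    {"CKA_CLASS": "CKO_PUBLIC_KEY",  "CKA_ID": b"\x01", "CKA_LABEL": "web"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x01", "CKA_LABEL": "web"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x02", "CKA_LABEL": "mail"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x02", "CKA_LABEL": "mail-old"},
]

_next_handle = itertools.count(1)

class Session:
    """Hypothetical session model: every session hands out fresh handles."""
    def __init__(self, objects):
        self._by_handle = {next(_next_handle): obj for obj in objects}

    def find_objects(self, template):
        """Return handles of objects matching every attribute in template."""
        return [h for h, obj in self._by_handle.items()
                if all(obj.get(k) == v for k, v in template.items())]

def find_unique(session, obj_class, cka_id):
    """Look up one object by (CKA_CLASS, CKA_ID); fail on 0 or >1 matches."""
    handles = session.find_objects({"CKA_CLASS": obj_class, "CKA_ID": cka_id})
    if not handles:
        raise LookupError(f"no {obj_class} with CKA_ID {cka_id.hex()}")
    if len(handles) > 1:
        raise AmbiguousObject(
            f"{len(handles)} {obj_class} objects share CKA_ID {cka_id.hex()}")
    return handles[0]

if __name__ == "__main__":
    first, later = Session(TOKEN_OBJECTS), Session(TOKEN_OBJECTS)
    # Same CKA_ID finds the key in both sessions; the handles differ.
    print(find_unique(first, "CKO_PRIVATE_KEY", b"\x01"),
          find_unique(later, "CKO_PRIVATE_KEY", b"\x01"))
    try:
        find_unique(later, "CKO_PRIVATE_KEY", b"\x02")
    except AmbiguousObject as exc:
        print("refused:", exc)
```

Storing the CKA_ID (never the handle) in application configuration and failing closed on a duplicate keeps a stray object with a reused identifier from being silently selected for signing.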

