ThalesGroup / crypto11

Implement crypto.Signer and crypto.Decrypter for HSM-protected keys via PKCS#11
MIT License

makeKeyPair only based on CKA_ID #62

Closed cristiklein closed 4 years ago

cristiklein commented 4 years ago

On the HSM I am using, the private key has the label 'Private key for Digital Signature', where the public key has the label 'Public key for Digital Signature'. This means that the private and public key will never match by label, as previously done. Matching by CKA_ID is sufficient.

cristiklein commented 4 years ago

@solcates Would you like to take a look?

dmjones commented 4 years ago

This change seems sensible to me.

Couple of comments:

solcates commented 4 years ago

> This change seems sensible to me.
>
> Couple of comments:
>
> • The comments in FindKeyPairsWithAttributes will need updating.
> • This is a breaking change, so should be released as v2.0.0.

I agree with you @dmjones, this would break a few projects I know of, but it is a very sensible fix to a common use case.

In the next few months this project will have a bunch more activity on it with some more maintainers. I'll wait a bit till we cut up some features and milestones.

cristiklein commented 4 years ago

@solcates and @dmjones, thanks a lot for the quick feedback.

I pushed a new commit that falls back to matching on CKA_ID alone, but only if matching on both CKA_ID and CKA_LABEL failed. It works for my use-case.

Could this be introduced without breaking backwards compatibility?

solcates commented 4 years ago

Hi @cristiklein, sorry for the delayed response.

I think the fallback is a good approach. I'll run a few edge test cases, and merge today if there is no breakage.
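
The fallback order discussed in this thread, as an added Go sketch that is not crypto11's code and not part of any comment above: match the public key on CKA_ID and CKA_LABEL first, and only if that finds nothing, on CKA_ID alone. The `Object` type, `FindPublic` and the error names are hypothetical; refusing an empty CKA_ID and rejecting ambiguous matches are assumptions of this example, not behaviour confirmed by the thread.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Object is a constructed stand-in for a PKCS#11 token object (not a crypto11 type).
type Object struct {
	Class string // "private" or "public"
	ID    []byte // CKA_ID
	Label string // CKA_LABEL
}

var ErrNoMatch = errors.New("no public key matches the private key")
var ErrAmbiguous = errors.New("more than one public key matches")

// FindPublic returns the index of the public key paired with priv and whether
// the CKA_ID-only fallback was needed because no label also matched.
func FindPublic(token []Object, priv Object) (int, bool, error) {
	var strict, byID []int
	for i, o := range token {
		// Assumption: an empty CKA_ID never pairs, or unrelated keys could match.
		if o.Class != "public" || len(priv.ID) == 0 || !bytes.Equal(o.ID, priv.ID) {
			continue
		}
		byID = append(byID, i)
		if o.Label == priv.Label {
			strict = append(strict, i)
		}
	}
	matches, fallback := strict, false
	if len(matches) == 0 {
		matches, fallback = byID, true
	}
	switch len(matches) {
	case 0:
		return -1, fallback, ErrNoMatch
	case 1:
		return matches[0], fallback, nil
	}
	return -1, fallback, ErrAmbiguous // refuse to guess between candidates
}

func main() {
	// Constructed sample using the labels quoted in the first comment.
	pub := Object{"public", []byte{1}, "Public key for Digital Signature"}
	priv := Object{"private", []byte{1}, "Private key for Digital Signature"}
	fmt.Println(FindPublic([]Object{pub}, priv))
}
```

Keeping the strict match first preserves the old pairing on tokens where several objects share a CKA_ID but differ by label, which is the backwards-compatibility concern raised above.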