Reputation: 420
I want to work with a PKCS#11 token in Java. Thus, I used "IAIK" as a PKCS#11 Java wrapper. I can search for objects like keys and certificates, but I can't find out which key belongs to which certificate. I used "CryptoKi Manager" to search for objects in the token, and it shows the connection between a certificate and a key like the picture below. Then I studied the PKCS#11 standard; it said there is a field called "certId" that declares this connection, but I couldn't find it in "IAIK". Does "IAIK" support this feature in its Certificate object? How?
Upvotes: 2
Views: 1078
Reputation: 8116
This connection is via the CKA_ID attribute, citing PKCS#11 version 2.20:
The CKA_ID field is intended to distinguish among multiple keys. In the case of public and private keys, this field assists in handling multiple keys held by the same subject; the key identifier for a public key and its corresponding private key should be the same. The key identifier should also be the same as for the corresponding certificate, if one exists. Cryptoki does not enforce these associations, however. (See Section 10.6 for further commentary.)
Please note that this association is not enforced (YMMV), but sane implementations behave in this way.
Use Key.getId() and X509PublicKeyCertificate.getID() methods in the PKCS#11 wrapper.
With the IAIK provider (note that you need a license) use IAIKPKCS11Key.getKeyID() to pair public and private key objects. I don't know how to get the CKA_ID value from certificates obtained from TokenKeyStore.
Good luck!
Upvotes: 2
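As an added example (not code from the question, the answer or IAIK), a small Java program that pairs private keys with certificates by comparing their CKA_ID values through the wrapper's Key.getId() and the certificate's ID attribute, and reports the cases the standard permits because the association is not enforced: an absent ID, a duplicate ID, and a key with no matching certificate. It assumes the iaik.pkcs.pkcs11 wrapper API as named here (the certificate accessor is assumed to be getId(), returning a ByteArrayAttribute) and takes the PKCS#11 library path and user PIN as command-line arguments.

```java
import java.util.*;
import iaik.pkcs.pkcs11.*;
import iaik.pkcs.pkcs11.objects.PrivateKey;
import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;

public class CkaIdPairing {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = path of the vendor's PKCS#11 library, args[1] = user PIN.
        Module module = Module.getInstance(args[0]);
        module.initialize(null);
        Slot[] slots = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
        Session session = slots[0].getToken().openSession(Token.SessionType.SERIAL_SESSION,
                Token.SessionReadWriteBehavior.RO_SESSION, null, null);
        session.login(Session.UserType.USER, args[1].toCharArray());
        try {
            // Index certificates by the hex form of CKA_ID (a byte[] is not a usable map key).
            Map<String, X509PublicKeyCertificate> certsById = new HashMap<>();
            for (iaik.pkcs.pkcs11.objects.Object o : findAll(session, new X509PublicKeyCertificate())) {
                X509PublicKeyCertificate cert = (X509PublicKeyCertificate) o;
                String id = hex(cert.getId().getByteArrayValue());
                if (id.isEmpty()) continue;               // CKA_ID absent: nothing to pair on
                if (certsById.put(id, cert) != null)      // duplicate CKA_ID: association is ambiguous
                    System.out.println("WARNING: more than one certificate carries CKA_ID " + id);
            }
            // Walk the private keys and look each CKA_ID up in the certificate index.
            for (iaik.pkcs.pkcs11.objects.Object o : findAll(session, new PrivateKey())) {
                String id = hex(((PrivateKey) o).getId().getByteArrayValue());
                X509PublicKeyCertificate cert = certsById.get(id);
                System.out.println("private key CKA_ID=" + (id.isEmpty() ? "<none>" : id) + " -> "
                        + (cert == null ? "no certificate with the same CKA_ID"
                                        : "certificate handle " + cert.getObjectHandle()));
            }
        } finally {
            session.logout();
            session.closeSession();
            module.finalize(null);
        }
    }

    // Run one find-objects cycle to completion and return every object matching the template.
    static List<iaik.pkcs.pkcs11.objects.Object> findAll(Session s,
            iaik.pkcs.pkcs11.objects.Object template) throws TokenException {
        List<iaik.pkcs.pkcs11.objects.Object> out = new ArrayList<>();
        s.findObjectsInit(template);
        for (iaik.pkcs.pkcs11.objects.Object[] b = s.findObjects(16); b.length > 0; b = s.findObjects(16))
            out.addAll(Arrays.asList(b));
        s.findObjectsFinal();
        return out;
    }

    // Hex-encode a CKA_ID; an absent attribute (null) becomes the empty string.
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        if (b != null) for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```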