help-gnutls

Obtaining the raw RSA parameters from a PKCS11 private key


From: Jim Lloyd
Subject: Obtaining the raw RSA parameters from a PKCS11 private key
Date: Tue, 24 Apr 2012 17:37:42 -0700

Question: Is there a way to obtain the raw RSA parameters from a PKCS11 private key?

Background: I'm attempting to update an existing packet sniffing application to be able to load certs/keys via pkcs11. The application was previously written using gnutls 2.8.5 and gcrypt 1.4.4. I want to upgrade gnutls to 2.12.x and am currently developing with 2.12.18. I'd like to continue to use libgcrypt since the application currently uses gcrypt APIs for the cryptographic operations. I have been able to install 2.12.x, build my app, run our unit tests, etc. Now I am attempting to add the pkcs11 support. We are testing with a Thales nCipher netHSM device. I can use p11tool to query the device and install objects (certs, keys).

I am now working on the new logic to load a private key via pkcs11 so that I can obtain the cryptographic parameters. I can load the key just fine into a gnutls_privkey_t. But I see no way to then extract the cryptographic parameters, as we have previously done with gnutls_x509_privkey_export_rsa_raw.

I see in the documentation this note: 

"An abstract gnutls_privkey_t can be initialized using the functions below. It can be imported through an existing structure like gnutls_x509_privkey_t, but unlike public keys it cannot be exported. That is to allow abstraction over PKCS #11 keys that are not extractable."

What then is the way for packet sniffing applications to use gnutls with certs/keys stored on HSMs? Am I forced to use gnutls_pubkey_encrypt_data and gnutls_privkey_decrypt_data with keys loaded from HSMs? What happens under the hood with these APIs?

Thanks,
Jim Lloyd

