how to find paired ECDSA private key PKCS11 having public key

356 views

I have an application that works with smartcards that have RSA certificates on them. For some reason the manufacturer does not fill CKA_LABEL on them, so I find the private key object for RSA like this:

    // RSA: match the private key on the modulus and public exponent taken from the certificate's public key
    RsaKeyParameters rsaPubKeyParams = (RsaKeyParameters)pubKeyParams;
    privKeySearchTemplate.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
    privKeySearchTemplate.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODULUS, rsaPubKeyParams.Modulus.ToByteArrayUnsigned()));
    privKeySearchTemplate.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PUBLIC_EXPONENT, rsaPubKeyParams.Exponent.ToByteArrayUnsigned()));

Now I have to support smartcards that have ECDSA certificates, also without CKA_LABEL. So the question is: how can I find the corresponding private key, like with RSA?

Note: all smart cards have 2 certificates (auth, sign) in random order, so I can't just take the first or last object found:

    // ECDSA: only the key type is known so far; the template still needs an attribute that identifies one key
    ECPublicKeyParameters ecdsaPubKeyParams = (ECPublicKeyParameters)pubKeyParams;
    privKeySearchTemplate.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_ECDSA));

-----some more params needed to identify the needed private key

2

There are 2 answers

0
alexrait

If it is the same curve, you can't. A workaround would be to test a signature/verification, then if they match, assign CKA_LABEL to optimize for next time.

0
morteza

If you set a unique LABEL or ID for the key, you can recover the key pair easily. Then, the public key is the one which has the CKA.CKA_VERIFY attribute set to True and the private key is the one which has the CKA.CKA_SIGN attribute set to True.

Another tip: for RSA you have its modulus and exponent; for an elliptic-curve key you have its EC point, CKA.CKA_EC_POINT, which is unique for any elliptic-curve public key.
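Putting both answers together in code, as an added example that is not from the question or either answer: morteza's CKA_EC_POINT tip locates the public-key object (a PKCS#11 EC private key carries CKA_EC_PARAMS and CKA_VALUE, not CKA_EC_POINT, so the point cannot go straight into the private-key template), the CKA_ID that PKCS#11 expects a key pair to share then leads to the private key, and alexrait's sign/verify test is the fallback for tokens that store no public-key object or no CKA_ID. It assumes Pkcs11Interop 5.x (ISession, IObjectHandle, IObjectAttribute) and BouncyCastle, the libraries the question's snippet uses; the class and method names are this example's own.

```csharp
using System.Collections.Generic;
using System.Linq;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Signers;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;

// Added example (not code from the question or the answers). Assumes Pkcs11Interop 5.x
// and BouncyCastle; EcPrivateKeyLocator and its methods are names chosen for this example.
public static class EcPrivateKeyLocator
{
    // Locate the private key paired with the EC public key read from a certificate.
    // Returns null when no key on the token matches.
    public static IObjectHandle FindPrivateKey(ISession session, ECPublicKeyParameters pub)
    {
        IObjectAttributeFactory af = session.Factories.ObjectAttributeFactory;

        // CKA_EC_POINT is defined as a DER OCTET STRING wrapping the uncompressed
        // point 04 || X || Y. Some tokens store the bare point instead, so accept both.
        byte[] bare = pub.Q.GetEncoded(false);
        byte[] wrapped = new DerOctetString(bare).GetDerEncoded();

        // Path 1: find the public-key object by CKA_EC_POINT, then reach the private key
        // through CKA_ID, which PKCS#11 expects a key pair (and its certificate) to share.
        var pubTemplate = new List<IObjectAttribute>
        {
            af.Create(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY),
            af.Create(CKA.CKA_KEY_TYPE, CKK.CKK_EC) // same value as the question's CKK_ECDSA
        };
        foreach (IObjectHandle pubObj in session.FindAllObjects(pubTemplate))
        {
            List<IObjectAttribute> attrs = session.GetAttributeValue(
                pubObj, new List<CKA> { CKA.CKA_EC_POINT, CKA.CKA_ID });
            if (attrs[0].CannotBeRead || attrs[1].CannotBeRead)
                continue;
            byte[] point = attrs[0].GetValueAsByteArray();
            if (!point.SequenceEqual(wrapped) && !point.SequenceEqual(bare))
                continue;

            byte[] id = attrs[1].GetValueAsByteArray();
            if (id == null || id.Length == 0)
                break; // token does not follow the CKA_ID convention; use the fallback

            var privTemplate = new List<IObjectAttribute>
            {
                af.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
                af.Create(CKA.CKA_KEY_TYPE, CKK.CKK_EC),
                af.Create(CKA.CKA_ID, id)
            };
            List<IObjectHandle> privs = session.FindAllObjects(privTemplate);
            if (privs.Count == 1)
                return privs[0];
            break; // zero or ambiguous matches: fall through to the signature test
        }

        // Path 2 (alexrait's workaround): sign a challenge with each EC private key and
        // verify it against the certificate's public key. This costs one signing operation
        // per candidate, so cache the result afterwards (e.g. by setting CKA_LABEL).
        var candidates = new List<IObjectAttribute>
        {
            af.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
            af.Create(CKA.CKA_KEY_TYPE, CKK.CKK_EC)
        };
        foreach (IObjectHandle priv in session.FindAllObjects(candidates))
        {
            if (SignsForPublicKey(session, priv, pub))
                return priv;
        }
        return null;
    }

    // Raw CKM_ECDSA signs a caller-supplied digest and returns r || s (no DER), so the
    // two halves are split by length and handed to BouncyCastle's verifier.
    private static bool SignsForPublicKey(ISession session, IObjectHandle priv, ECPublicKeyParameters pub)
    {
        byte[] challenge = new byte[32]; // constructed random "digest", not a real message
        new SecureRandom().NextBytes(challenge);

        byte[] sig;
        try
        {
            IMechanism ecdsa = session.Factories.MechanismFactory.Create(CKM.CKM_ECDSA);
            sig = session.Sign(ecdsa, priv, challenge);
        }
        catch (Pkcs11Exception)
        {
            return false; // key not usable for raw ECDSA on this token (e.g. CKA_SIGN false)
        }
        if (sig.Length % 2 != 0)
            return false;

        int half = sig.Length / 2;
        var r = new BigInteger(1, sig, 0, half);
        var s = new BigInteger(1, sig, half, half);
        var verifier = new ECDsaSigner();
        verifier.Init(false, pub);
        return verifier.VerifySignature(challenge, r, s);
    }
}
```

Call `EcPrivateKeyLocator.FindPrivateKey(session, ecdsaPubKeyParams)` after the user PIN login, with `ecdsaPubKeyParams` taken from the certificate exactly as in the question's snippet. The CKA_EC_POINT path works without any signing; the fallback is only reached when the token exposes no matching public-key object or no CKA_ID, and a signature counter on the card will advance once per candidate key it tries.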