...

An attribute consists of the following three parts:

  • The type of the attribute
    PKCS#11 specifies pre-defined constants that identify the attribute or, more precisely, its value, i.e. the type tells how the content of the value is to be interpreted.
  • The value of the attribute
    The value contains the intended data.
  • The length of the attribute
    The number of bytes necessary to store the value.

Construction of an object

Now that we know how attributes are structured, we can construct a PKCS#11 object as an example.
For example, an RSA public key is described by its public exponent and its modulus. To construct such an object in PKCS#11 we need the global mandatory attributes and the key-specific attributes such as CKA_PUBLIC_EXPONENT and CKA_MODULUS. The public exponent attribute might look like the following:
TYPE   -> CKA_PUBLIC_EXPONENT
VALUE  -> 010001
LENGTH -> 3


An optional attribute would be CKA_MODULUS_BITS: it gives extra information about the size of the modulus, but it isn't needed because this information can be derived from the modulus itself. PKCS#11 defines all possible constructions of objects, and listing all of them here would go beyond the scope of this document. For this reason we concentrate on the base types and discuss only the ones we really need in order to support our mechanisms. So let's start with the base types before we go on to define the global mandatory attributes contained in every object.

...


A data object is able to store values for all of these attributes, but it does not necessarily have to set data for each of them. The next subchapter gives an overview of the attributes that are mandatory for all objects and that guarantee distinguishability. Afterwards we learn which attributes are mandatory for our three base objects. Having learned all the necessary basics, we are then able to talk about object templates for different key implementations such as RSA or EC.



Figure 3: class hierarchy


Global mandatory attributes

...














Use one of the following OID values, as a CK_BYTE[], as the value of the CKA_EC_PARAMS attribute.

Defined elliptic curve    OID

brainpoolP160r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x01
brainpoolP192r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x03
brainpoolP224r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x05
brainpoolP256r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07
brainpoolP320r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x09
ansi-x962 prime192v1      0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x01
ansip224r1                0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x21
ansi-x962 prime256v1      0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07
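
The byte strings in the table are DER-encoded OBJECT IDENTIFIERs, so a CKA_EC_PARAMS attribute can be checked before use: its length must match the DER header, and the body must decode to the expected curve OID. The following is an added example, not part of the original document or of any PKCS#11 library; the typedefs are stand-ins for pkcs11.h and ec_params_to_oid is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the pkcs11.h definitions so the example compiles on its own. */
typedef unsigned char CK_BYTE;
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_EC_PARAMS 0x00000180UL

/* Hypothetical helper: decode a CKA_EC_PARAMS attribute holding a DER OID into
 * dotted form. Returns 0 on success, -1 on a type/length mismatch or bad DER. */
int ec_params_to_oid(const CK_ATTRIBUTE *a, char *out, size_t outlen)
{
    const CK_BYTE *p = a->pValue;
    CK_ULONG len = a->ulValueLen, arc = 0;
    size_t used = 0;
    if (a->type != CKA_EC_PARAMS || p == NULL || len < 3) return -1;
    if (p[0] != 0x06 || p[1] > 0x7F) return -1;   /* OID tag, short-form length */
    if ((CK_ULONG)p[1] + 2 != len) return -1;     /* LENGTH must cover tag+len+body */
    if (p[len - 1] & 0x80) return -1;             /* last arc is cut off */
    for (CK_ULONG i = 2; i < len; i++) {
        int n;
        if (arc == 0 && p[i] == 0x80) return -1;  /* non-minimal base-128 arc */
        if (arc > (~0UL >> 7)) return -1;         /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7F);
        if (p[i] & 0x80) continue;                /* arc continues in next byte */
        if (used == 0) {                          /* first value packs two arcs */
            CK_ULONG x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out, outlen, "%lu.%lu", x, arc - 40 * x);
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

int main(void)
{
    /* brainpoolP256r1 row of the table above */
    CK_BYTE v[] = {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07};
    CK_ATTRIBUTE attr = { CKA_EC_PARAMS, v, sizeof v };
    char oid[64];
    int ok = ec_params_to_oid(&attr, oid, sizeof oid) == 0
             && strcmp(oid, "1.3.36.3.3.2.8.1.1.7") == 0;
    printf("%s\n", ok ? oid : "rejected");
    return ok ? 0 : 1;
}
```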

...