...

  • CKK_RSA and CKK_EC for CKA_KEY_TYPE
    In conjunction with the CKA_CLASS attribute this leads to the following implementation types:
    • RSA public key (CKA_CLASS -> CKO_PUBLIC_KEY)
    • RSA private key (CKA_CLASS -> CKO_PRIVATE_KEY)
    • EC public key (CKA_CLASS -> CKO_PUBLIC_KEY)
    • EC private key (CKA_CLASS -> CKO_PRIVATE_KEY)

  • CKC_X_509 for CKA_CERTIFICATE_TYPE
  • any user-specific OID for CKA_OBJECT_ID

...

Depending on the implementation type, each object carries additional attributes. They are defined here; the bold ones are mandatory, the others optional. We first cover the base types before handling the specific implementation types.


Each object inherits the attributes of its base class and therefore includes them as well. Inherited attributes are not listed again; they can be taken from Figure 3.

...

Table 3 describes the mandatory attributes for importing an RSA private key (token object) and an RSA public key (session object).


Since the applet generates the public key itself (for token objects), the public key object should not be created. Just import the private key and afterwards use the object search (with the private key's CKA_ID) to find the corresponding public key. An example is given in section 5.



RSA private key (token object)
During the import a label can also be given. If not, CKA_LABEL receives the same value as CKA_ID.
The values for CKA_MODULUS, CKA_PRIVATE_EXPONENT, CKA_EXPONENT_1, CKA_EXPONENT_2 and CKA_COEFFICIENT can also be given. If any one of them is missing, all five are calculated in software (on the host, before the object is sent to the applet) from CKA_PRIME_1, CKA_PRIME_2 and CKA_PUBLIC_EXPONENT.


Do not use CKA_MODULUS_BITS as an attribute when creating / importing an RSA key pair. This attribute is reserved and is used to detect key pair generation! It is set automatically during import.


We do not support the creation / import of a private key session object, since we only allow public key operations in software.
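The following is an added example (not code from the applet or its PKCS#11 library) of the host-side part of the RSA private-key import described above: it assembles the Table 3 template for a token object, defaults CKA_LABEL to CKA_ID, refuses CKA_MODULUS_BITS, and, when any of the five optional CRT attributes is missing, recomputes all of them from CKA_PRIME_1, CKA_PRIME_2 and CKA_PUBLIC_EXPONENT. Whether the real library takes d modulo phi(n) or lcm(p-1, q-1) is not stated on the page, so phi(n) is an assumption here; the tiny primes used for the demo are constructed values, not a usable key. Attribute names are the PKCS#11 ones, encoded as big-endian CK_BYTE[] as the table requires.

```python
"""Host-side helper for the RSA private-key import of Table 3 (added example)."""
from math import gcd
from typing import Optional

# PKCS#11 constant values
CKO_PRIVATE_KEY, CKK_RSA, CK_TRUE, CK_FALSE = 0x03, 0x00, 1, 0

CRT_NAMES = ("CKA_MODULUS", "CKA_PRIVATE_EXPONENT", "CKA_EXPONENT_1",
             "CKA_EXPONENT_2", "CKA_COEFFICIENT")


def i2b(n: int) -> bytes:
    """Integer -> big-endian CK_BYTE[] (PKCS#11 'Big integer' encoding)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")


def derive_rsa_crt(p: int, q: int, e: int) -> dict:
    """Recompute the five optional attributes from the mandatory ones.
    d = e^-1 mod phi(n) is an assumption; the page only says 'in software'."""
    if gcd(e, (p - 1) * (q - 1)) != 1:
        raise ValueError("CKA_PUBLIC_EXPONENT must be coprime to (p-1)(q-1)")
    d = pow(e, -1, (p - 1) * (q - 1))
    return {
        "CKA_MODULUS": i2b(p * q),
        "CKA_PRIVATE_EXPONENT": i2b(d),
        "CKA_EXPONENT_1": i2b(d % (p - 1)),     # dP
        "CKA_EXPONENT_2": i2b(d % (q - 1)),     # dQ
        "CKA_COEFFICIENT": i2b(pow(q, -1, p)),  # qInv
    }


def rsa_private_token_template(cka_id: str, prime1: bytes, prime2: bytes,
                               pub_exp: bytes = b"\x01\x00\x01",
                               label: Optional[str] = None,
                               modifiable: bool = False,
                               **optional: bytes) -> dict:
    """Template for C_CreateObject following Table 3 and the notes below it."""
    if "CKA_MODULUS_BITS" in optional:
        # reserved: its presence makes the applet treat the call as key generation
        raise ValueError("CKA_MODULUS_BITS must not be set on import")
    tmpl = {
        "CKA_CLASS": CKO_PRIVATE_KEY,
        "CKA_TOKEN": CK_TRUE,            # private session objects are not supported
        "CKA_PRIVATE": CK_TRUE,
        "CKA_MODIFIABLE": CK_TRUE if modifiable else CK_FALSE,
        "CKA_KEY_TYPE": CKK_RSA,
        "CKA_ID": cka_id.encode("utf-8"),
        "CKA_LABEL": (label if label is not None else cka_id).encode("utf-8"),
        "CKA_PRIME_1": prime1,
        "CKA_PRIME_2": prime2,
        "CKA_PUBLIC_EXPONENT": pub_exp,
    }
    if all(name in optional for name in CRT_NAMES):
        tmpl.update({name: optional[name] for name in CRT_NAMES})
    else:  # one missing -> all five are recomputed, as the page states
        tmpl.update(derive_rsa_crt(b2i(prime1), b2i(prime2), b2i(pub_exp)))
    return tmpl


def crt_decrypt(tmpl: dict, c: int) -> int:
    """RSA-CRT decryption used to sanity-check the derived attributes."""
    p, q = b2i(tmpl["CKA_PRIME_1"]), b2i(tmpl["CKA_PRIME_2"])
    dp, dq = b2i(tmpl["CKA_EXPONENT_1"]), b2i(tmpl["CKA_EXPONENT_2"])
    qinv = b2i(tmpl["CKA_COEFFICIENT"])
    m1, m2 = pow(c, dp, p), pow(c, dq, q)
    return m2 + ((qinv * (m1 - m2)) % p) * q


if __name__ == "__main__":
    # constructed demo primes (textbook p=61, q=53, e=17), not a real key
    t = rsa_private_token_template("key-01", i2b(61), i2b(53), i2b(17))
    c = pow(65, 17, b2i(t["CKA_MODULUS"]))
    print(sorted(t), crt_decrypt(t, c))
```

The template dict is the shape most PKCS#11 bindings accept once flattened to (attribute, value) pairs; the CRT check at the end exercises the derived values the same way the applet will when it later uses the key.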

...

Since we only support public key operations in software, an RSA private key cannot be created as a session object. Private key operations shall always be done in hardware, therefore import the private key as a token object. RSA public keys can be created as session objects in order to encrypt data for a receiver (according to the relevant access flags) or to verify a signature. An example is given in section 5.



RSA public key (session object)
During the import a label can also be given. If not, CKA_LABEL receives the same value as CKA_ID.
During the import CKA_MODULUS_BITS can also be given. If not, it is calculated from CKA_MODULUS.

Private key (token object)
  CKA_CLASS            CKO_PRIVATE_KEY
  CKA_TOKEN            CK_TRUE
  CKA_PRIVATE          CK_TRUE
  CKA_MODIFIABLE       CK_TRUE or CK_FALSE
  CKA_KEY_TYPE         CKK_RSA
  CKA_ID               All UTF8 symbols
  CKA_PRIME_1          CK_BYTE[]
  CKA_PRIME_2          CK_BYTE[]
  CKA_PUBLIC_EXPONENT  CK_BYTE[] (recommended is 0x010001)

Public key (session object)
  CKA_CLASS            CKO_PUBLIC_KEY
  CKA_TOKEN            CK_FALSE
  CKA_PRIVATE          CK_FALSE
  CKA_MODIFIABLE       CK_TRUE or CK_FALSE
  CKA_KEY_TYPE         CKK_RSA
  CKA_ID               All UTF8 symbols
  CKA_MODULUS          CK_BYTE[]
  CKA_PUBLIC_EXPONENT  CK_BYTE[]


...

Table 3: RSA key import

...


EC

Table 5 describes the mandatory attributes for importing an EC private key (token object) and an EC public key (session object).


Table 4 lists the OIDs of the supported elliptic curves; use the desired OID as the value of CKA_EC_PARAMS.


Since the applet generates the public key itself (for token objects), the public key object should not be created. Just import the private key and afterwards use the object search (with the private key's CKA_ID) to find the corresponding public key. An example is given in section 5.



During the import a label can also be given. If not, CKA_LABEL receives the same value as CKA_ID.
The value of CKA_EC_POINT can also be given, in uncompressed format: a leading 0x04 (marking the uncompressed form) followed by the x coordinate and then the y coordinate of the point. If not, it is calculated in software from CKA_VALUE.


We do not support the import of a private key session object, since we only allow public key operations in software.
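As an added example (not the applet's or the library's code), the host-side derivation the notes above describe for an EC private-key import: the Table 5 token-object template is built, CKA_LABEL defaults to CKA_ID, and when CKA_EC_POINT is not supplied it is computed from CKA_VALUE as the uncompressed 0x04 || X || Y encoding. Only prime256v1 is wired in, using its Table 4 OID for CKA_EC_PARAMS; the curve constants are the published domain parameters of that curve, and the scalar multiplication is a plain double-and-add, fine for a host-side check but not constant-time. The demo scalar at the bottom is a constructed value, not a real key.

```python
"""Host-side helper for the EC private-key import of Table 5 (added example)."""
from typing import Optional

# PKCS#11 constant values
CKO_PRIVATE_KEY, CKK_EC, CK_TRUE, CK_FALSE = 0x03, 0x03, 1, 0
# DER OID of ansi-x962 prime256v1 from Table 4
PRIME256V1_OID = bytes([0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07])

# prime256v1 (secp256r1) domain parameters: y^2 = x^3 + A*x + B over GF(P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
FIELD_BYTES = 32


def _add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P), or doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time; host-side demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_point_from_value(cka_value: bytes) -> bytes:
    """CKA_VALUE (big-endian private scalar d) -> uncompressed CKA_EC_POINT 0x04||X||Y."""
    d = int.from_bytes(cka_value, "big")
    if not 1 <= d < N:
        raise ValueError("CKA_VALUE must be in [1, n-1]")
    x, y = _mul(d, (GX, GY))
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def ec_private_token_template(cka_id: str, cka_value: bytes,
                              label: Optional[str] = None,
                              ec_point: Optional[bytes] = None) -> dict:
    """Template for C_CreateObject following Table 5 and the notes below it."""
    point = ec_point if ec_point is not None else ec_point_from_value(cka_value)
    if point[0] != 0x04 or len(point) != 1 + 2 * FIELD_BYTES:
        raise ValueError("CKA_EC_POINT must be the uncompressed 0x04||X||Y form")
    return {
        "CKA_CLASS": CKO_PRIVATE_KEY,
        "CKA_TOKEN": CK_TRUE,            # private session objects are not supported
        "CKA_PRIVATE": CK_TRUE,
        "CKA_MODIFIABLE": CK_FALSE,
        "CKA_KEY_TYPE": CKK_EC,
        "CKA_ID": cka_id.encode("utf-8"),
        "CKA_LABEL": (label if label is not None else cka_id).encode("utf-8"),
        "CKA_EC_PARAMS": PRIME256V1_OID,
        "CKA_VALUE": cka_value,
        "CKA_EC_POINT": point,
    }


if __name__ == "__main__":
    demo_scalar = (123456789).to_bytes(32, "big")   # constructed demo value, not a real key
    print(ec_private_token_template("ec-01", demo_scalar)["CKA_EC_POINT"].hex())
```

If a caller supplies CKA_EC_POINT itself, the length and 0x04 check above is the minimum a host library should do before handing the object to the card; a mismatched point would silently pair the private scalar with a public key that does not belong to it.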


Use one of the following DER-encoded OID values (as CK_BYTE[]) as the value of the CKA_EC_PARAMS attribute.

Defined elliptic curve    OID
brainpoolP160r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x01
brainpoolP192r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x03
brainpoolP224r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x05
brainpoolP256r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07
brainpoolP320r1           0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x09
ansi-x962 prime192v1      0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x01
ansip224r1                0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x21
ansi-x962 prime256v1      0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07

Table 4: supported EC OIDs
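The byte strings in Table 4 are the DER encoding of each curve's registered OBJECT IDENTIFIER (tag 0x06, a length byte, then base-128 sub-identifiers with the first two arcs folded into one byte). The following added example (not the applet's code) encodes the dotted OIDs of these curves and checks the result against the table, which is also how one would produce CKA_EC_PARAMS for any further curve the applet might accept.

```python
"""DER OBJECT IDENTIFIER encoder/decoder checked against Table 4 (added example)."""


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]            # last 7-bit group has the high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled (never needed for curve OIDs)")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid, useful for checking a CKA_EC_PARAMS value read back."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    arcs, value = [], 0
    for byte in der[2:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated sub-identifier")
    first = arcs[0]
    lead = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [lead, first - lead * 40] + arcs[1:])


# Registered OIDs of the curves in Table 4
TABLE_4 = {
    "brainpoolP160r1": "1.3.36.3.3.2.8.1.1.1",
    "brainpoolP192r1": "1.3.36.3.3.2.8.1.1.3",
    "brainpoolP224r1": "1.3.36.3.3.2.8.1.1.5",
    "brainpoolP256r1": "1.3.36.3.3.2.8.1.1.7",
    "brainpoolP320r1": "1.3.36.3.3.2.8.1.1.9",
    "ansi-x962 prime192v1": "1.2.840.10045.3.1.1",
    "ansip224r1": "1.3.132.0.33",
    "ansi-x962 prime256v1": "1.2.840.10045.3.1.7",
}


def cka_ec_params(curve: str) -> bytes:
    """CK_BYTE[] value for CKA_EC_PARAMS of a Table 4 curve."""
    return encode_oid(TABLE_4[curve])


if __name__ == "__main__":
    for name in TABLE_4:
        print(f"{name:24s}", ", ".join(f"0x{b:02X}" for b in cka_ec_params(name)))
```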


Since we only support public key operations in software, an EC private key cannot be created as a session object. Private key operations shall always be done in hardware, therefore import the private key as a token object. EC public keys can be created as session objects in order to verify a signature. An example is given in section 5.


EC public key (session object)
During the import a label can also be given. If not, CKA_LABEL receives the same value as CKA_ID.

Private key (token object)
  CKA_CLASS       CKO_PRIVATE_KEY
  CKA_TOKEN       CK_TRUE
  CKA_PRIVATE     CK_TRUE
  CKA_MODIFIABLE  CK_TRUE or CK_FALSE
  CKA_KEY_TYPE    CKK_EC
  CKA_ID          All UTF8 symbols
  CKA_EC_PARAMS   CK_BYTE[]
  CKA_VALUE       CK_BYTE[]

Public key (session object)
  CKA_CLASS       CKO_PUBLIC_KEY
  CKA_TOKEN       CK_FALSE
  CKA_PRIVATE     CK_FALSE
  CKA_MODIFIABLE  CK_TRUE or CK_FALSE
  CKA_KEY_TYPE    CKK_EC
  CKA_ID          All UTF8 symbols
  CKA_EC_PARAMS   CK_BYTE[]
  CKA_EC_POINT    CK_BYTE[]


...

Table 5: EC key import

...


Generate a keypair

Table 6 shows the attributes necessary to generate a keypair. We only support this feature for token objects.



When calling C_GenerateKeyPair(…), the same template (the same pointer can be used) shall be passed as pPublicKeyTemplate and as pPrivateKeyTemplate.


We do not support the generation of keypairs for session objects.

RSA KeyPair (CKM_RSA_PKCS_KEY_PAIR_GEN)
  CKA_CLASS         CKO_PRIVATE_KEY
  CKA_TOKEN         CK_TRUE
  CKA_PRIVATE       CK_TRUE
  CKA_KEY_TYPE      CKK_RSA
  CKA_MODULUS_BITS  512 – 2048

EC KeyPair (CKM_ECDSA_KEY_PAIR_GEN)
  CKA_CLASS         CKO_PRIVATE_KEY
  CKA_TOKEN         CK_TRUE
  CKA_PRIVATE       CK_TRUE
  CKA_KEY_TYPE      CKK_EC
  CKA_EC_PARAMS     use one OID from Table 4

Table 6: generate a keypair
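The following added example (not the applet's code) prepares a C_GenerateKeyPair call according to Table 6 and the notes above it: it returns the mechanism and one template to be passed as both pPublicKeyTemplate and pPrivateKeyTemplate, rejects session-object generation, enforces the 512 to 2048 bit range for CKA_MODULUS_BITS, and accepts only Table 4 OIDs for CKA_EC_PARAMS. Mechanism values are the PKCS#11 ones (CKM_ECDSA_KEY_PAIR_GEN is the older name of CKM_EC_KEY_PAIR_GEN, value 0x1040). The warning for RSA sizes below 2048 bits is an editorial addition, since such keys are no longer considered adequate; the applet itself accepts the whole range.

```python
"""Template preparation for C_GenerateKeyPair per Table 6 (added example)."""

# PKCS#11 constant values
CKO_PRIVATE_KEY, CKK_RSA, CKK_EC, CK_TRUE = 0x03, 0x00, 0x03, 1
CKM_RSA_PKCS_KEY_PAIR_GEN = 0x0000
CKM_ECDSA_KEY_PAIR_GEN = 0x1040   # same value as CKM_EC_KEY_PAIR_GEN in newer headers

# DER OIDs of Table 4, the only values accepted for CKA_EC_PARAMS
TABLE_4_OIDS = {
    "brainpoolP160r1": bytes.fromhex("06092B2403030208010101"),
    "brainpoolP192r1": bytes.fromhex("06092B2403030208010103"),
    "brainpoolP224r1": bytes.fromhex("06092B2403030208010105"),
    "brainpoolP256r1": bytes.fromhex("06092B2403030208010107"),
    "brainpoolP320r1": bytes.fromhex("06092B2403030208010109"),
    "ansi-x962 prime192v1": bytes.fromhex("06082A8648CE3D030101"),
    "ansip224r1": bytes.fromhex("06052B81040021"),
    "ansi-x962 prime256v1": bytes.fromhex("06082A8648CE3D030107"),
}
APPLET_RSA_BITS = (512, 2048)   # range from Table 6
RECOMMENDED_RSA_BITS = 2048     # editorial threshold, not enforced by the applet


def keypair_gen_request(key_type: str, *, modulus_bits=None, curve=None,
                        token: bool = True):
    """Return (mechanism, template, warnings).

    The page requires one and the same template for pPublicKeyTemplate and
    pPrivateKeyTemplate, so a single dict is returned and the caller passes it
    twice.  Session-object generation is rejected because the applet does not
    support it.
    """
    if not token:
        raise ValueError("key-pair generation is supported for token objects only")
    template = {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_TOKEN": CK_TRUE,
                "CKA_PRIVATE": CK_TRUE}
    warnings = []
    if key_type == "RSA":
        lo, hi = APPLET_RSA_BITS
        if modulus_bits is None or not lo <= modulus_bits <= hi:
            raise ValueError(f"CKA_MODULUS_BITS must lie in {lo}..{hi}")
        if modulus_bits < RECOMMENDED_RSA_BITS:
            warnings.append(f"RSA-{modulus_bits} is below the recommended "
                            f"{RECOMMENDED_RSA_BITS} bits")
        template.update(CKA_KEY_TYPE=CKK_RSA, CKA_MODULUS_BITS=modulus_bits)
        return CKM_RSA_PKCS_KEY_PAIR_GEN, template, warnings
    if key_type == "EC":
        if curve not in TABLE_4_OIDS:
            raise ValueError(f"curve {curve!r} is not listed in Table 4")
        template.update(CKA_KEY_TYPE=CKK_EC, CKA_EC_PARAMS=TABLE_4_OIDS[curve])
        return CKM_ECDSA_KEY_PAIR_GEN, template, warnings
    raise ValueError("key_type must be 'RSA' or 'EC'")


if __name__ == "__main__":
    mech, tmpl, warns = keypair_gen_request("RSA", modulus_bits=2048)
    print(hex(mech), tmpl, warns)
    mech, tmpl, warns = keypair_gen_request("EC", curve="brainpoolP256r1")
    print(hex(mech), tmpl, warns)
```

After the call returns, locate the generated pair by CKA_ID with the object search, as the import sections describe; the applet creates the public key object itself.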

Change attributes


Currently only CKA_ID can be changed (via C_SetAttributeValue); changing any other attribute is not supported.