Cryptoki is defined very strictly in some places, while other parts are quite vague because tokens may vary in their behavior. In order to support our applet we had to violate some of these definitions. This chapter lists all the differences from the original specification.

Key Generation

  • Use the same template for pPublicKeyTemplate and pPrivateKeyTemplate
  • For EC keypair generation we limit CKA_EC_PARAMS to OID-only usage. Supported OIDs can be found in Table 4.

Import

  • When importing RSA keypairs, do not use the CKA_MODULUS_BITS attribute, since it is used internally to detect keypair generation.
  • When importing RSA keypairs, do not import the public key, since this object is generated automatically on private key import. Import only the private key and then use the object search to find the corresponding public key. Search by CKA_ID, since the public key will have the same CKA_ID attribute as the private key.
  • For EC keypair import we limit CKA_EC_PARAMS to OID-only usage. Supported OIDs can be found in Table 4.
  • When importing EC keypairs, do not import the public key, since this object is generated automatically on private key import. Import only the private key and then use the object search to find the corresponding public key. Search by CKA_ID, since the public key will have the same CKA_ID attribute as the private key.
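The import rules above can be checked on a template before it is passed to C_CreateObject. The following is an added example, not code from this module: check_import_template and ec_params_is_oid are hypothetical helpers, the Cryptoki types and constants are redefined locally so the block compiles without pkcs11.h, and the sample templates are constructed. It does not compare the OID against Table 4.

```c
#include <stdio.h>
/* Stand-ins for pkcs11t.h so this compiles alone; values are the standard ones. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS        0x000UL
#define CKA_MODULUS_BITS 0x121UL
#define CKA_EC_PARAMS    0x180UL
#define CKO_PUBLIC_KEY   2UL
#define CKO_PRIVATE_KEY  3UL
enum { ERR_PUBLIC_OBJECT = 1, ERR_MODULUS_BITS = 2, ERR_EC_PARAMS_NOT_OID = 4 };

/* 1 only for one short-form DER OBJECT IDENTIFIER; 0 for explicit parameters, NULL, junk. */
int ec_params_is_oid(const unsigned char *p, CK_ULONG len) {
    return p != NULL && len >= 3 && p[0] == 0x06 && !(p[1] & 0x80)
        && p[1] == len - 2 && !(p[len - 1] & 0x80);
}

/* Hypothetical helper: bitmask of the import rules a template violates. */
int check_import_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    int err = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        if (t[i].type == CKA_CLASS && t[i].pValue && t[i].ulValueLen == sizeof(CK_ULONG)
            && *(const CK_ULONG *)t[i].pValue == CKO_PUBLIC_KEY)
            err |= ERR_PUBLIC_OBJECT;      /* public key is created on private key import */
        if (t[i].type == CKA_MODULUS_BITS)
            err |= ERR_MODULUS_BITS;       /* used internally to detect key generation */
        if (t[i].type == CKA_EC_PARAMS
            && !ec_params_is_oid(t[i].pValue, t[i].ulValueLen))
            err |= ERR_EC_PARAMS_NOT_OID;
    }
    return err;
}

/* Constructed sample inputs (not from the page). */
static CK_ULONG priv_class = CKO_PRIVATE_KEY, pub_class = CKO_PUBLIC_KEY, bits = 2048;
static unsigned char named[] = {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07};
static unsigned char explicit_seq[] = {0x30,0x03,0x02,0x01,0x01};
static CK_ATTRIBUTE ec_ok[]   = {{CKA_CLASS, &priv_class, sizeof priv_class},
                                 {CKA_EC_PARAMS, named, sizeof named}};
static CK_ATTRIBUTE ec_bad[]  = {{CKA_EC_PARAMS, explicit_seq, sizeof explicit_seq}};
static CK_ATTRIBUTE rsa_bad[] = {{CKA_CLASS, &pub_class, sizeof pub_class},
                                 {CKA_MODULUS_BITS, &bits, sizeof bits}};

int main(void) {
    printf("ok=%d explicit=%d rsa=%d\n", check_import_template(ec_ok, 2),
           check_import_template(ec_bad, 1), check_import_template(rsa_bad, 2));
    return 0;
}
```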

