Cryptographic Token Interface Standard

PKCS#11


Public key objects

Public key objects (object class CKO_PUBLIC_KEY) hold public keys. The following table defines the attributes common to all public keys, in addition to the common attributes defined for this object class:

Table 28, Common Public Key Attributes

Attribute | Data type | Meaning
CKA_SUBJECT (8) | Byte array | DER-encoding of the key subject name (default empty)
CKA_ENCRYPT (8) | CK_BBOOL | CK_TRUE if key supports encryption (9)
CKA_VERIFY (8) | CK_BBOOL | CK_TRUE if key supports verification where the signature is an appendix to the data (9)
CKA_VERIFY_RECOVER (8) | CK_BBOOL | CK_TRUE if key supports verification where the data is recovered from the signature (9)
CKA_WRAP (8) | CK_BBOOL | CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys) (9)
CKA_TRUSTED (10) | CK_BBOOL | The key can be trusted for the application for which it was created. The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE.
CKA_WRAP_TEMPLATE | CK_ATTRIBUTE_PTR | For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.

- Refer to Table 15 for footnotes (8), (9) and (10)

It is intended in the interests of interoperability that the subject name and key identifier for a public key will be the same as those for the corresponding certificate and private key. However, Cryptoki does not enforce this, and it is not required that the certificate and private key also be stored on the token.

To map between ISO/IEC 9594-8 (X.509) keyUsage flags for public keys and the PKCS #11 attributes for public keys, use the following table.

Table 29, Mapping of X.509 key usage flags to cryptoki attributes for public keys

Key usage flags for public keys in X.509 public key certificates | Corresponding cryptoki attributes for public keys
dataEncipherment | CKA_ENCRYPT
digitalSignature, keyCertSign, cRLSign | CKA_VERIFY
digitalSignature, keyCertSign, cRLSign | CKA_VERIFY_RECOVER
keyAgreement | CKA_DERIVE
keyEncipherment | CKA_WRAP
nonRepudiation | CKA_VERIFY
nonRepudiation | CKA_VERIFY_RECOVER


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230