Cryptographic Token Interface Standard

PKCS#11


Object types

Cryptoki represents object information with the following types:

CK_OBJECT_HANDLE; CK_OBJECT_HANDLE_PTR

CK_OBJECT_HANDLE is a token-specific identifier for an object. It is defined as follows:

typedef CK_ULONG CK_OBJECT_HANDLE;

When an object is created or found on a token by an application, Cryptoki assigns it an object handle for that application's sessions to use to access it. A particular object on a token does not necessarily have a handle which is fixed for the lifetime of the object; however, if a particular session can use a particular handle to access a particular object, then that session will continue to be able to use that handle to access that object as long as the session continues to exist, the object continues to exist, and the object continues to be accessible to the session.

Valid object handles in Cryptoki always have nonzero values. For developers' convenience, Cryptoki defines the following symbolic value:

CK_INVALID_HANDLE

CK_OBJECT_HANDLE_PTR is a pointer to a CK_OBJECT_HANDLE.

CK_OBJECT_CLASS; CK_OBJECT_CLASS_PTR

CK_OBJECT_CLASS is a value that identifies the classes (or types) of objects that Cryptoki recognizes. It is defined as follows:

typedef CK_ULONG CK_OBJECT_CLASS;

Object classes are defined with the objects that use them. The type is specified on an object through the CKA_CLASS attribute of the object.

Vendor defined values for this type may also be specified.

CKO_VENDOR_DEFINED 

Object classes CKO_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their object classes through the PKCS process.

CK_OBJECT_CLASS_PTR is a pointer to a CK_OBJECT_CLASS.

CK_HW_FEATURE_TYPE

CK_HW_FEATURE_TYPE is a value that identifies a hardware feature type of a device. It is defined as follows:

typedef CK_ULONG CK_HW_FEATURE_TYPE;

Hardware feature types are defined with the objects that use them. The type is specified on an object through the CKA_HW_FEATURE_TYPE attribute of the object.

Vendor defined values for this type may also be specified.

CKH_VENDOR_DEFINED 

Feature types CKH_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their feature types through the PKCS process.

CK_KEY_TYPE

CK_KEY_TYPE is a value that identifies a key type. It is defined as follows:

typedef CK_ULONG CK_KEY_TYPE;

Key types are defined with the objects and mechanisms that use them. The key type is specified on an object through the CKA_KEY_TYPE attribute of the object.

Vendor defined values for this type may also be specified.

CKK_VENDOR_DEFINED 

Key types CKK_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their key types through the PKCS process.

CK_CERTIFICATE_TYPE

CK_CERTIFICATE_TYPE is a value that identifies a certificate type. It is defined as follows:

typedef CK_ULONG CK_CERTIFICATE_TYPE;

Certificate types are defined with the objects and mechanisms that use them. The certificate type is specified on an object through the CKA_CERTIFICATE_TYPE attribute of the object.

Vendor defined values for this type may also be specified.

CKC_VENDOR_DEFINED

Certificate types CKC_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their certificate types through the PKCS process.

CK_ATTRIBUTE_TYPE

CK_ATTRIBUTE_TYPE is a value that identifies an attribute type. It is defined as follows:

typedef CK_ULONG CK_ATTRIBUTE_TYPE;

Attributes are defined with the objects and mechanisms that use them. Attributes are specified on an object as a list of type, length value items. These are often specified as an attribute template.

Vendor defined values for this type may also be specified.

CKA_VENDOR_DEFINED

Attribute types CKA_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their attribute types through the PKCS process.

CK_ATTRIBUTE; CK_ATTRIBUTE_PTR

CK_ATTRIBUTE is a structure that includes the type, value, and length of an attribute. It is defined as follows:

typedef struct CK_ATTRIBUTE {
CK_ATTRIBUTE_TYPE type;
CK_VOID_PTR pValue;
CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

type the attribute type
pValue pointer to the value of the attribute
ulValueLen length in bytes of the value

If an attribute has no value, then ulValueLen = 0, and the value of pValue is irrelevant. An array of CK_ATTRIBUTEs is called a "template" and is used for creating, manipulating and searching for objects. The order of the attributes in a template never matters, even if the template contains vendor-specific attributes. Note that pValue is a "void" pointer, facilitating the passing of arbitrary values. Both the application and Cryptoki library must ensure that the pointer can be safely cast to the expected type (i.e., without word-alignment errors).

CK_ATTRIBUTE_PTR is a pointer to a CK_ATTRIBUTE.

CK_DATE

CK_DATE is a structure that defines a date. It is defined as follows:

typedef struct CK_DATE {
CK_CHAR year[4];
CK_CHAR month[2];
CK_CHAR day[2];
} CK_DATE;

year the year ("1900" - "9999")
month the month ("01" - "12")
day the day ("01" - "31")

The fields hold numeric characters from the character set in Table 3 , not the literal byte values.

When a Cryptoki object carries an attribute of this type, and the default value of the attribute is specified to be "empty," then Cryptoki libraries shall set the attribute's ulValueLen to 0.

Note that implementations of previous versions of Cryptoki may have used other methods to identify an "empty" attribute of type CK_DATE, and that applications that needs to interoperate with these libraries therefore have to be flexible in what they accept as an empty value.


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230base