![]() | Cryptographic Token Interface Standard |
PKCS#11 |
Public key objects (object class CKO_PUBLIC_KEY) hold public keys. The following table defines the attributes common to all public keys, in addition to the common attributes defined for this object class:
Table 28, Common Public Key Attributes
Attribute | Data type | Meaning |
CKA_SUBJECT8 | Byte array | DER-encoding of the key subject name (default empty) |
CKA_ENCRYPT8 | CK_BBOOL | CK_TRUE if key supports encryption9 |
CKA_VERIFY8 | CK_BBOOL | CK_TRUE if key supports verification where the signature is an appendix to the data9 |
CKA_VERIFY_RECOVER8 | CK_BBOOL | CK_TRUE if key supports verification where the data is recovered from the signature9 |
CKA_WRAP8 | CK_BBOOL | CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys)9 |
CKA_TRUSTED10 | CK_BBOOL | The key can be trusted for the application that it was created. The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE. |
CKA_WRAP_TEMPLATE | CK_ATTRIBUTE_PTR | For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE. |
- Refer to Table 15 for footnotes
It is intended in the interests of interoperability that the subject name and key identifier for a public key will be the same as those for the corresponding certificate and private key. However, Cryptoki does not enforce this, and it is not required that the certificate and private key also be stored on the token.
To map between ISO/IEC 9594-8 (X.509) keyUsage flags for public keys and the PKCS #11 attributes for public keys, use the following table.
Table 29, Mapping of X.509 key usage flags to cryptoki attributes for public keys
'''Key usage flags for public keys in X.509 public key certificates''' | Corresponding cryptoki attributes for public keys. |
dataEncipherment | CKA_ENCRYPT |
digitalSignature, keyCertSign, cRLSign | CKA_VERIFY |
digitalSignature, keyCertSign, cRLSign | CKA_VERIFY_RECOVER |
keyAgreement | CKA_DERIVE |
keyEncipherment | CKA_WRAP |
nonRepudiation | CKA_VERIFY |
nonRepudiation | CKA_VERIFY_RECOVER |