PKCS#11 Cryptographic Token Interface Standard
Cryptoki represents object information with the following types:
typedef CK_ULONG CK_OBJECT_HANDLE;
When an object is created or found on a token by an application, Cryptoki assigns it an object handle for that application's sessions to use to access it. A particular object on a token does not necessarily have a handle which is fixed for the lifetime of the object; however, if a particular session can use a particular handle to access a particular object, then that session will continue to be able to use that handle to access that object as long as the session continues to exist, the object continues to exist, and the object continues to be accessible to the session.
Valid object handles in Cryptoki always have nonzero values. For developers' convenience, Cryptoki defines the following symbolic value:
CK_OBJECT_HANDLE_PTR is a pointer to a CK_OBJECT_HANDLE.
typedef CK_ULONG CK_OBJECT_CLASS;
Object classes are defined with the objects that use them. The type is specified on an object through the CKA_CLASS attribute of the object.
Vendor defined values for this type may also be specified.
CKO_VENDOR_DEFINED
Object classes CKO_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their object classes through the PKCS process.
CK_OBJECT_CLASS_PTR is a pointer to a CK_OBJECT_CLASS.
typedef CK_ULONG CK_HW_FEATURE_TYPE;
Hardware feature types are defined with the objects that use them. The type is specified on an object through the CKA_HW_FEATURE_TYPE attribute of the object.
Vendor defined values for this type may also be specified.
CKH_VENDOR_DEFINED
Feature types CKH_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their feature types through the PKCS process.
typedef CK_ULONG CK_KEY_TYPE;
Key types are defined with the objects and mechanisms that use them. The key type is specified on an object through the CKA_KEY_TYPE attribute of the object.
Vendor defined values for this type may also be specified.
CKK_VENDOR_DEFINED
Key types CKK_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their key types through the PKCS process.
typedef CK_ULONG CK_CERTIFICATE_TYPE;
Certificate types are defined with the objects and mechanisms that use them. The certificate type is specified on an object through the CKA_CERTIFICATE_TYPE attribute of the object.
Vendor defined values for this type may also be specified.
CKC_VENDOR_DEFINED
Certificate types CKC_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their certificate types through the PKCS process.
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
Attributes are defined with the objects and mechanisms that use them. Attributes are specified on an object as a list of type, length, value items. These are often specified as an attribute template.
Vendor defined values for this type may also be specified.
CKA_VENDOR_DEFINED
Attribute types CKA_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their attribute types through the PKCS process.
typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    CK_VOID_PTR pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

| Field | Meaning |
| --- | --- |
| type | the attribute type |
| pValue | pointer to the value of the attribute |
| ulValueLen | length in bytes of the value |
If an attribute has no value, then ulValueLen = 0, and the value of pValue is irrelevant. An array of CK_ATTRIBUTEs is called a "template" and is used for creating, manipulating and searching for objects. The order of the attributes in a template never matters, even if the template contains vendor-specific attributes. Note that pValue is a "void" pointer, facilitating the passing of arbitrary values. Both the application and Cryptoki library must ensure that the pointer can be safely cast to the expected type (i.e., without word-alignment errors).
CK_ATTRIBUTE_PTR is a pointer to a CK_ATTRIBUTE.
| Field | Meaning |
| --- | --- |
| year | the year ("1900" - "9999") |
| month | the month ("01" - "12") |
| day | the day ("01" - "31") |

The fields hold numeric characters from the character set in Table 3, not the literal byte values.
When a Cryptoki object carries an attribute of this type, and the default value of the attribute is specified to be "empty," then Cryptoki libraries shall set the attribute's ulValueLen to 0.
Note that implementations of previous versions of Cryptoki may have used other methods to identify an "empty" attribute of type CK_DATE, and that applications that need to interoperate with these libraries therefore have to be flexible in what they accept as an empty value.
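The template handling and the "empty" CK_DATE rule described above, as an added example that is not part of the standard or of any library: a type-based template search (order never matters), a memcpy read that avoids the alignment hazard of casting pValue, and an emptiness check that accepts both ulValueLen == 0 and the blank-filled values older libraries may return. The typedefs are stand-ins so the file builds without pkcs11.h, and the numeric values of CKA_CLASS, CKA_START_DATE, CKA_VENDOR_DEFINED and CKO_SECRET_KEY are assumed to match the standard header.

```c
#include <string.h>

/* Stand-in declarations mirroring the PKCS#11 types above so this builds without
   pkcs11.h; the numeric constants are assumed to match the standard header. */
typedef unsigned long CK_ULONG;
typedef void *CK_VOID_PTR;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct CK_ATTRIBUTE { CK_ATTRIBUTE_TYPE type; CK_VOID_PTR pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct CK_DATE { unsigned char year[4]; unsigned char month[2]; unsigned char day[2]; } CK_DATE;
#define CKA_CLASS          0x00000000UL
#define CKA_START_DATE     0x00000110UL
#define CKA_VENDOR_DEFINED 0x80000000UL
#define CKO_SECRET_KEY     0x00000004UL

/* Order in a template never matters, so callers search by type, never by index. */
const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *tpl, CK_ULONG n, CK_ATTRIBUTE_TYPE t) {
    for (CK_ULONG i = 0; i < n; i++)
        if (tpl[i].type == t) return &tpl[i];
    return NULL;
}

/* Copy a CK_ULONG out with memcpy rather than casting pValue, so a misaligned
   pointer cannot fault; a wrong ulValueLen is rejected instead of over-read. */
int attr_get_ulong(const CK_ATTRIBUTE *a, CK_ULONG *out) {
    if (a == NULL || a->pValue == NULL || a->ulValueLen != sizeof(CK_ULONG)) return 0;
    memcpy(out, a->pValue, sizeof(CK_ULONG));
    return 1;
}

/* "Empty" CK_DATE: ulValueLen == 0 under the current rule, but older libraries
   may hand back 8 bytes of spaces or NULs instead, so accept those as well. */
int date_attr_is_empty(const CK_ATTRIBUTE *a) {
    if (a == NULL) return 0;
    if (a->ulValueLen == 0) return 1;
    if (a->pValue == NULL || a->ulValueLen != sizeof(CK_DATE)) return 0;
    const unsigned char *p = a->pValue;
    for (size_t i = 0; i < sizeof(CK_DATE); i++)
        if (p[i] != ' ' && p[i] != '\0') return 0;
    return 1;
}
/* Constructed template: a legacy-style blank start date, then the class. */
int self_check(void) {
    CK_ULONG cls = CKO_SECRET_KEY, got = 0;
    unsigned char blank[sizeof(CK_DATE)];
    memset(blank, ' ', sizeof blank);
    CK_ATTRIBUTE tpl[2] = { { CKA_START_DATE, blank, sizeof blank }, { CKA_CLASS, &cls, sizeof cls } };
    return attr_get_ulong(find_attr(tpl, 2, CKA_CLASS), &got) && got == CKO_SECRET_KEY
        && date_attr_is_empty(find_attr(tpl, 2, CKA_START_DATE))
        && find_attr(tpl, 2, CKA_VENDOR_DEFINED) == NULL;
}
```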