Cryptographic Token Interface Standard |
PKCS#11 |
Go to the source code of this file.
Data Structures | |
CK_VERSION | |
CK_VERSION; CK_VERSION_PTRCK_VERSION is a structure that describes the version of a Cryptoki interface, a Cryptoki library, or an SSL implementation, or the hardware or firmware version of a slot or token. More... | |
CK_INFO | |
CK_INFO; CK_INFO_PTRCK_INFO provides general information about Cryptoki. More... | |
CK_SLOT_INFO | |
CK_SLOT_INFO; CK_SLOT_INFO_PTRCK_SLOT_INFO provides information about a slot. More... | |
CK_TOKEN_INFO | |
CK_TOKEN_INFO; CK_TOKEN_INFO_PTRCK_TOKEN_INFO provides information about a token. More... | |
CK_SESSION_INFO | |
CK_SESSION_INFO; CK_SESSION_INFO_PTRCK_SESSION_INFO provides information about a session. More... | |
CK_ATTRIBUTE | |
CK_ATTRIBUTE; CK_ATTRIBUTE_PTRCK_ATTRIBUTE is a structure that includes the type, value, and length of an attribute. More... | |
CK_DATE | |
CK_DATECK_DATE is a structure that defines a date. More... | |
CK_MECHANISM | |
CK_MECHANISM; CK_MECHANISM_PTRCK_MECHANISM is a structure that specifies a particular mechanism and any parameters it requires. More... | |
CK_MECHANISM_INFO | |
CK_MECHANISM_INFO; CK_MECHANISM_INFO_PTRCK_MECHANISM_INFO is a structure that provides information about a particular mechanism. More... | |
CK_FUNCTION_LIST | |
CK_FUNCTION_LIST; CK_FUNCTION_LIST_PTR; CK_FUNCTION_LIST_PTR_PTRCK_FUNCTION_LIST is a structure which contains a Cryptoki version and a function pointer to each function in the Cryptoki API. More... | |
CK_C_INITIALIZE_ARGS | |
CK_C_INITIALIZE_ARGS; CK_C_INITIALIZE_ARGS_PTRCK_C_INITIALIZE_ARGS is a structure containing the optional arguments for the C_Initialize function. More... | |
CK_RSA_PKCS_OAEP_PARAMS | |
CK_RSA_PKCS_OAEP_PARAMS; CK_RSA_PKCS_OAEP_PARAMS_PTRCK_RSA_PKCS_OAEP_PARAMS is a structure that provides the parameters to the CKM_RSA_PKCS_OAEP mechanism. More... | |
CK_KEA_DERIVE_PARAMS | |
CK_RC2_CBC_PARAMS | |
CK_RC2_CBC_PARAMS; CK_RC2_CBC_PARAMS_PTRCK_RC2_CBC_PARAMS is a structure that provides the parameters to the CKM_RC2_CBC and CKM_RC2_CBC_PAD mechanisms. More... | |
CK_RC2_MAC_GENERAL_PARAMS | |
CK_RC2_MAC_GENERAL_PARAMS; CK_RC2_MAC_GENERAL_PARAMS_PTRCK_RC2_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC2_MAC_GENERAL mechanism. More... | |
CK_RC5_PARAMS | |
CK_RC5_PARAMS; CK_RC5_PARAMS_PTRCK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and CKM_RC5_MAC mechanisms. More... | |
CK_RC5_CBC_PARAMS | |
CK_RC5_CBC_PARAMS; CK_RC5_CBC_PARAMS_PTRCK_RC5_CBC_PARAMS is a structure that provides the parameters to the CKM_RC5_CBC and CKM_RC5_CBC_PAD mechanisms. More... | |
CK_RC5_MAC_GENERAL_PARAMS | |
CK_RC5_MAC_GENERAL_PARAMS; CK_RC5_MAC_GENERAL_PARAMS_PTRCK_RC5_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC5_MAC_GENERAL mechanism. More... | |
CK_SKIPJACK_PRIVATE_WRAP_PARAMS | |
CK_SKIPJACK_PRIVATE_WRAP_PARAMS; CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTRCK_SKIPJACK_PRIVATE_WRAP_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_PRIVATE_WRAP mechanism. More... | |
CK_SKIPJACK_RELAYX_PARAMS | |
CK_SKIPJACK_RELAYX_PARAMS; CK_SKIPJACK_RELAYX_PARAMS_PTRCK_SKIPJACK_RELAYX_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_RELAYX mechanism. More... | |
CK_PBE_PARAMS | |
CK_PBE_PARAMS; CK_PBE_PARAMS_PTRCK_PBE_PARAMS is a structure which provides all of the necessary information required by the CKM_PBE mechanisms (see PKCS #5 and PKCS #12 for information on the PBE generation mechanisms) and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism. More... | |
CK_PKCS5_PBKD2_PARAMS | |
CK_PKCS5_PBKD2_PARAMS; CK_PKCS5_PBKD2_PARAMS_PTRCK_PKCS5_PBKD2_PARAMS is a structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism. More... | |
CK_KEY_WRAP_SET_OAEP_PARAMS | |
CK_KEY_WRAP_SET_OAEP_PARAMS; CK_KEY_WRAP_SET_OAEP_PARAMS_PTRCK_KEY_WRAP_SET_OAEP_PARAMS is a structure that provides the parameters to the CKM_KEY_WRAP_SET_OAEP mechanism. More... | |
CK_SSL3_RANDOM_DATA | |
CK_SSL3_RANDOM_DATACK_SSL3_RANDOM_DATA is a structure which provides information about the random data of a client and a server in an SSL context. More... | |
CK_SSL3_MASTER_KEY_DERIVE_PARAMS | |
CK_SSL3_KEY_MAT_OUT | |
CK_SSL3_KEY_MAT_OUT; CK_SSL3_KEY_MAT_OUT_PTRCK_SSL3_KEY_MAT_OUT is a structure that contains the resulting key handles and initialization vectors after performing a C_DeriveKey function with the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. More... | |
CK_SSL3_KEY_MAT_PARAMS | |
CK_SSL3_KEY_MAT_PARAMS; CK_SSL3_KEY_MAT_PARAMS_PTRCK_SSL3_KEY_MAT_PARAMS is a structure that provides the parameters to the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. More... | |
CK_KEY_DERIVATION_STRING_DATA | |
CK_KEY_DERIVATION_STRING_DATA; CK_KEY_DERIVATION_STRING_DATA_PTR. More... | |
Defines | |
#define | CK_INVALID_HANDLE |
An invalid handle. More... | |
#define | CK_TRUE |
CK_BBOOL true. More... | |
#define | CK_FALSE |
CK_BBOOL false. More... | |
#define | CK_UNAVAILABLE_INFORMATION |
Information unavailable. More... | |
#define | CK_EFFECTIVELY_INFINITE |
Effectively infinite. More... | |
#define | CKU_SO |
Security Officer. More... | |
#define | CKU_USER |
User. More... | |
#define | CKU_CONTEXT_SPECIFIC |
Context specific. More... | |
#define | CKS_RO_PUBLIC_SESSION |
Read only public session. More... | |
#define | CKS_RO_USER_FUNCTIONS |
Read only user functions. More... | |
#define | CKS_RW_PUBLIC_SESSION |
Read write public session. More... | |
#define | CKS_RW_USER_FUNCTIONS |
Read write user functions. More... | |
#define | CKS_RW_SO_FUNCTIONS |
Read write security officer functions. More... | |
#define | TRUE |
True. More... | |
#define | FALSE |
False. More... | |
#define | CKF_TOKEN_PRESENT |
TRUE if a token is present in the slot (''e.g.'', a device is in the reader). More... | |
#define | CKF_REMOVABLE_DEVICE |
TRUE if the reader supports removable devices. More... | |
#define | CKF_HW_SLOT |
TRUE if the slot is a hardware slot, as opposed to a software slot implementing a "soft token". More... | |
#define | CKF_RNG |
TRUE if the token has its own random number generator. More... | |
#define | CKF_WRITE_PROTECTED |
TRUE if the token is write-protected (see below). More... | |
#define | CKF_LOGIN_REQUIRED |
TRUE if there are some cryptographic functions that a user must be logged in to perform. More... | |
#define | CKF_USER_PIN_INITIALIZED |
TRUE if the normal user's PIN has been initialized. More... | |
#define | CKF_RESTORE_KEY_NOT_NEEDED |
TRUE if a successful save of a session's cryptographic operations state ''always'' contains all keys needed to restore the state of the session. More... | |
#define | CKF_CLOCK_ON_TOKEN |
TRUE if token has its own hardware clock. More... | |
#define | CKF_PROTECTED_AUTHENTICATION_PATH |
TRUE if token has a "protected authentication path", whereby a user can log into the token without passing a PIN through the Cryptoki library. More... | |
#define | CKF_DUAL_CRYPTO_OPERATIONS |
TRUE if a single session with the token can perform dual cryptographic operations (see Section 11.13). More... | |
#define | CKF_TOKEN_INITIALIZED |
TRUE if the token has been initialized using C_InitializeToken or an equivalent mechanism outside the scope of this standard. More... | |
#define | CKF_SECONDARY_AUTHENTICATION |
TRUE if the token supports secondary authentication for private key objects. More... | |
#define | CKF_USER_PIN_COUNT_LOW |
TRUE if an incorrect user login PIN has been entered at least once since the last successful authentication. More... | |
#define | CKF_USER_PIN_FINAL_TRY |
TRUE if supplying an incorrect user PIN will it to become locked. More... | |
#define | CKF_USER_PIN_LOCKED |
TRUE if the user PIN has been locked. More... | |
#define | CKF_USER_PIN_TO_BE_CHANGED |
TRUE if the user PIN value is the default value set by token initialization or manufacturing. More... | |
#define | CKF_SO_PIN_COUNT_LOW |
TRUE if an incorrect SO login PIN has been entered at least once since the last successful authentication. More... | |
#define | CKF_SO_PIN_FINAL_TRY |
TRUE if supplying an incorrect SO PIN will it to become locked. More... | |
#define | CKF_SO_PIN_LOCKED |
TRUE if the user PIN has been locked. More... | |
#define | CKF_SO_PIN_TO_BE_CHANGED |
TRUE if the SO PIN value is the default value set by token initialization or manufacturing. More... | |
#define | CKF_RW_SESSION |
TRUE if the session is read/write; FALSE if the session is read-only. More... | |
#define | CKF_SERIAL_SESSION |
This flag is provided for backward compatibility, and should always be set to TRUE. More... | |
#define | CKF_HW |
TRUE if the mechanism is performed by the device; FALSE if the mechanism is performed in software. More... | |
#define | CKF_ENCRYPT |
TRUE if the mechanism can be used with '''C_EncryptInit'''. More... | |
#define | CKF_DECRYPT |
TRUE if the mechanism can be used with '''C_DecryptInit'''. More... | |
#define | CKF_DIGEST |
TRUE if the mechanism can be used with '''C_DigestInit'''. More... | |
#define | CKF_SIGN |
TRUE if the mechanism can be used with '''C_SignInit'''. More... | |
#define | CKF_SIGN_RECOVER |
TRUE if the mechanism can be used with '''C_SignRecoverInit'''. More... | |
#define | CKF_VERIFY |
TRUE if the mechanism can be used with '''C_VerifyInit'''. More... | |
#define | CKF_VERIFY_RECOVER |
TRUE if the mechanism can be used with '''C_VerifyRecoverInit'''. More... | |
#define | CKF_GENERATE |
TRUE if the mechanism can be used with '''C_GenerateKey'''. More... | |
#define | CKF_GENERATE_KEY_PAIR |
TRUE if the mechanism can be used with '''C_GenerateKeyPair'''. More... | |
#define | CKF_WRAP |
TRUE if the mechanism can be used with '''C_WrapKey'''. More... | |
#define | CKF_UNWRAP |
TRUE if the mechanism can be used with '''C_UnwrapKey'''. More... | |
#define | CKF_DERIVE |
TRUE if the mechanism can be used with '''C_DeriveKey'''. More... | |
#define | CKF_EXTENSION |
TRUE if there is an extension to the flags; FALSE if no extensions. More... | |
#define | CKF_LIBRARY_CANT_CREATE_OS_THREADS |
TRUE if application threads which are executing calls to the library may ''not'' use native operating system calls to spawn new threads; FALSE if they may. More... | |
#define | CKF_OS_LOCKING_OK |
TRUE if the library can use the native operation system threading model for locking; FALSE otherwise. More... | |
#define | CKA_CLASS |
Object class (type). More... | |
#define | CKA_HW_FEATURE_TYPE |
Hardware feature (type). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_RESET_ON_INIT |
The value of the counter will reset to a previously returned value if the token is initialized using '''C_InitializeToken'''. More... | |
#define | CKA_HAS_RESET |
The value of the counter has been reset at least once at some point in time. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_TOKEN |
TRUE if object is a token object; FALSE if object is a session object (default FALSE). More... | |
#define | CKA_PRIVATE |
TRUE if object is a private object; FALSE if object is a public object. More... | |
#define | CKA_MODIFIABLE |
TRUE if object can be modified (default TRUE). More... | |
#define | CKA_LABEL |
Description of the object (default empty). More... | |
#define | CKA_APPLICATION |
Description of the application that manages the object (default empty). More... | |
#define | CKA_OBJECT_ID |
DER-encoding of the object identifier indicating the data object type (default empty). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_CERTIFICATE_TYPE |
Type of certificate. More... | |
#define | CKA_SUBJECT |
DER-encoding of the certificate subject name. More... | |
#define | CKA_ID |
Key identifier for public/private key pair (default empty). More... | |
#define | CKA_ISSUER |
DER-encoding of the certificate issuer name (default empty). More... | |
#define | CKA_SERIAL_NUMBER |
DER-encoding of the certificate serial number (default empty). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_OWNER |
DER-encoding of the attribute certificate's subject field. More... | |
#define | CKA_AC_ISSUER |
DER-encoding of the attribute certificate's issuer field. More... | |
#define | CKA_SERIAL_NUMBER |
DER-encoding of the certificate serial number (default empty). More... | |
#define | CKA_ATTR_TYPES |
BER-encoding of a sequence of object identifier values corresponding to the attribute types contained in the certificate. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_KEY_TYPE |
Type of key. More... | |
#define | CKA_ID |
Key identifier for public/private key pair (default empty). More... | |
#define | CKA_START_DATE |
Start date for the key (default empty). More... | |
#define | CKA_END_DATE |
End date for the key (default empty). More... | |
#define | CKA_DERIVE |
TRUE if key supports key derivation (''i.e.'', if other keys can be derived from this one (default FALSE). More... | |
#define | CKA_LOCAL |
TRUE only if key was either * generated locally (''i.e.'', on the token) with a '''C_GenerateKey''' or '''C_GenerateKeyPair''' call * created with a '''C_CopyObject''' call as a copy of a key which had its '''CKA_LOCAL''' attribute set to TRUE. More... | |
#define | CKA_SUBJECT |
DER-encoding of the certificate subject name. More... | |
#define | CKA_ENCRYPT |
TRUE if key supports encryption9. More... | |
#define | CKA_VERIFY |
TRUE if key supports verification where the signature is an appendix to the data9. More... | |
#define | CKA_VERIFY_RECOVER |
TRUE if key supports verification where the data is recovered from the signature9. More... | |
#define | CKA_WRAP |
TRUE if key supports wrapping (''i.e.'', can be used to wrap other keys)9. More... | |
#define | CKA_MODULUS |
Modulus ''n''. More... | |
#define | CKA_MODULUS_BITS |
Length in bits of modulus ''n''. More... | |
#define | CKA_PUBLIC_EXPONENT |
Public exponent ''e''. More... | |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). More... | |
#define | CKA_SUBPRIME |
Subprime ''q'' (160 bits). More... | |
#define | CKA_BASE |
Base ''g''. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_ECDSA_PARAMS |
DER-encoding of an X9.62 ECParameters value. More... | |
#define | CKA_EC_POINT |
DER-encoding of X9.62 ECPoint value ''P''. More... | |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). More... | |
#define | CKA_BASE |
Base ''g''. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). More... | |
#define | CKA_SUBPRIME |
Subprime ''q'' (160 bits). More... | |
#define | CKA_BASE |
Base ''g''. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_SUBJECT |
DER-encoding of the certificate subject name. More... | |
#define | CKA_SENSITIVE |
TRUE if key is sensitive9. More... | |
#define | CKA_SECONDARY_AUTH |
TRUE is the key requires a secondary authentication to take place before its use it allowed. More... | |
#define | CKA_AUTH_PIN_FLAGS |
Mask indicating the current state of the secondary authentication PIN. More... | |
#define | CKA_DECRYPT |
TRUE if key supports decryption9. More... | |
#define | CKA_SIGN |
TRUE if key supports signatures where the signature is an appendix to the data9. More... | |
#define | CKA_SIGN_RECOVER |
TRUE if key supports signatures where the data can be recovered from the signature9. More... | |
#define | CKA_UNWRAP |
TRUE if key supports unwrapping (''i.e.'', can be used to unwrap other keys)9. More... | |
#define | CKA_EXTRACTABLE |
TRUE if key is extractable9. More... | |
#define | CKA_ALWAYS_SENSITIVE |
TRUE if key has ''always'' had the CKA_SENSITIVE attribute set to TRUE. More... | |
#define | CKA_NEVER_EXTRACTABLE |
TRUE if key has ''never'' had the CKA_EXTRACTABLE attribute set to TRUE. More... | |
#define | CKA_MODULUS |
Modulus ''n''. More... | |
#define | CKA_PUBLIC_EXPONENT |
Public exponent ''e''. More... | |
#define | CKA_PRIVATE_EXPONENT |
Private exponent ''d''. More... | |
#define | CKA_PRIME_1 |
Prime ''p''. More... | |
#define | CKA_PRIME_2 |
Prime ''q''. More... | |
#define | CKA_EXPONENT_1 |
Private exponent ''d'' modulo ''p''-1. More... | |
#define | CKA_EXPONENT_2 |
Private exponent ''d'' modulo ''q''-1. More... | |
#define | CKA_COEFFICIENT |
CRT coefficient ''q''-1 mod ''p''. More... | |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). More... | |
#define | CKA_SUBPRIME |
Subprime ''q'' (160 bits). More... | |
#define | CKA_BASE |
Base ''g''. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_ECDSA_PARAMS |
DER-encoding of an X9.62 ECParameters value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). More... | |
#define | CKA_BASE |
Base ''g''. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_BITS |
Length in bits of private value ''x''. More... | |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). More... | |
#define | CKA_SUBPRIME |
Subprime ''q'' (160 bits). More... | |
#define | CKA_BASE |
Base ''g''. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_SENSITIVE |
TRUE if key is sensitive9. More... | |
#define | CKA_ENCRYPT |
TRUE if key supports encryption9. More... | |
#define | CKA_DECRYPT |
TRUE if key supports decryption9. More... | |
#define | CKA_SIGN |
TRUE if key supports signatures where the signature is an appendix to the data9. More... | |
#define | CKA_VERIFY |
TRUE if key supports verification where the signature is an appendix to the data9. More... | |
#define | CKA_WRAP |
TRUE if key supports wrapping (''i.e.'', can be used to wrap other keys)9. More... | |
#define | CKA_UNWRAP |
TRUE if key supports unwrapping (''i.e.'', can be used to unwrap other keys)9. More... | |
#define | CKA_EXTRACTABLE |
TRUE if key is extractable9. More... | |
#define | CKA_ALWAYS_SENSITIVE |
TRUE if key has ''always'' had the CKA_SENSITIVE attribute set to TRUE. More... | |
#define | CKA_NEVER_EXTRACTABLE |
TRUE if key has ''never'' had the CKA_EXTRACTABLE attribute set to TRUE. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE_LEN |
Length in bytes of key value. More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKA_VALUE |
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
#define | CKR_GENERAL_ERROR |
Some horrible, unrecoverable error has occurred. More... | |
#define | CKR_HOST_MEMORY |
The computer that the Cryptoki library is running on has insufficient memory to perform the requested function. More... | |
#define | CKR_FUNCTION_FAILED |
The requested function could not be performed, but detailed information about why not is not available in this error return. More... | |
#define | CKR_OK |
The function executed successfully. More... | |
#define | CKR_SESSION_HANDLE_INVALID |
The specified session handle was invalid ''at the time that the function was invoked''. More... | |
#define | CKR_DEVICE_REMOVED |
The token was removed from its slot ''during the execution of the function''. More... | |
#define | CKR_SESSION_CLOSED |
The session was closed ''during the execution of the function''. More... | |
#define | CKR_DEVICE_MEMORY |
The token does not have sufficient memory to perform the requested function. More... | |
#define | CKR_DEVICE_ERROR |
Some problem has occurred with the token and/or slot. More... | |
#define | CKR_TOKEN_NOT_PRESENT |
The token was not present in its slot ''at the time that the function was invoked''. More... | |
#define | CKR_DEVICE_REMOVED |
The token was removed from its slot ''during the execution of the function''. More... | |
#define | CKR_CANCEL |
When a function executing in serial with an application decides to give the application a chance to do some work, it calls an application-supplied function with a CKN_SURRENDER callback (see Section 11.17). More... | |
#define | CKR_MUTEX_BAD |
This error code can be returned by mutex-handling functions who are passed a bad mutex object as an argument. More... | |
#define | CKR_MUTEX_NOT_LOCKED |
This error code can be returned by mutex-unlocking functions. More... | |
#define | CKR_ARGUMENTS_BAD |
This is a rather generic error code which indicates that the arguments supplied to the Cryptoki function were in some way not appropriate. More... | |
#define | CKR_ATTRIBUTE_READ_ONLY |
An attempt was made to set a value for an attribute which may not be set by the application, or which may not be modified by the application. More... | |
#define | CKR_ATTRIBUTE_SENSITIVE |
An attempt was made to obtain the value of an attribute of an object which cannot be satisfied because the object is either sensitive or unextractable. More... | |
#define | CKR_ATTRIBUTE_TYPE_INVALID |
An invalid attribute type was specified in a template. More... | |
#define | CKR_ATTRIBUTE_VALUE_INVALID |
An invalid value was specified for a particular attribute in a template. More... | |
#define | CKR_BUFFER_TOO_SMALL |
The output of the function is too large to fit in the supplied buffer. More... | |
#define | CKR_CANT_LOCK |
This value can only be returned by '''C_Initialize'''. More... | |
#define | CKR_CRYPTOKI_ALREADY_INITIALIZED |
This value can only be returned by '''C_Initialize'''. More... | |
#define | CKR_CRYPTOKI_NOT_INITIALIZED |
This value can be returned by any function other than '''C_Initialize''' and '''C_GetFunctionList'''. More... | |
#define | CKR_DATA_INVALID |
The plaintext input data to a cryptographic operation is invalid. More... | |
#define | CKR_DATA_LEN_RANGE |
The plaintext input data to a cryptographic operation has a bad length. More... | |
#define | CKR_ENCRYPTED_DATA_INVALID |
The encrypted input to a decryption operation has been determined to be invalid ciphertext. More... | |
#define | CKR_ENCRYPTED_DATA_LEN_RANGE |
The ciphertext input to a decryption operation has been determined to be invalid ciphertext solely on the basis of its length. More... | |
#define | CKR_FUNCTION_CANCELED |
The function was canceled in mid-execution. More... | |
#define | CKR_FUNCTION_NOT_PARALLEL |
There is currently no function executing in parallel in the specified session. More... | |
#define | CKR_FUNCTION_NOT_SUPPORTED |
The requested function is not supported by this Cryptoki library. More... | |
#define | CKR_INFORMATION_SENSITIVE |
The information requested could not be obtained because the token considers it sensitive, and is not able or willing to reveal it. More... | |
#define | CKR_KEY_CHANGED |
This value is only returned by '''C_SetOperationState'''. More... | |
#define | CKR_KEY_FUNCTION_NOT_PERMITTED |
An attempt has been made to use a key for a cryptographic purpose that the key's attributes are not set to allow it to do. More... | |
#define | CKR_KEY_HANDLE_INVALID |
The specified key handle is not valid. More... | |
#define | CKR_KEY_INDIGESTIBLE |
This error code can only be returned by '''C_DigestKey'''. More... | |
#define | CKR_KEY_NEEDED |
This value is only returned by '''C_SetOperationState'''. More... | |
#define | CKR_KEY_NOT_NEEDED |
An extraneous key was supplied to '''C_SetOperationState'''. More... | |
#define | CKR_KEY_NOT_WRAPPABLE |
Although the specified private or secret key does not have its CKA_UNEXTRACTABLE attribute set to TRUE, Cryptoki (or the token) is unable to wrap the key as requested (possibly the token can only wrap a given key with certain types of keys, and the wrapping key specified is not one of these types). More... | |
#define | CKR_KEY_SIZE_RANGE |
Although the requested keyed cryptographic operation could in principle be carried out, this Cryptoki library (or the token) is unable to actually do it because the supplied key's size is outside the range of key sizes that it can handle. More... | |
#define | CKR_KEY_TYPE_INCONSISTENT |
The specified key is not the correct type of key to use with the specified mechanism. More... | |
#define | CKR_KEY_UNEXTRACTABLE |
The specified private or secret key can't be wrapped because its CKA_UNEXTRACTABLE attribute is set to TRUE. More... | |
#define | CKR_MECHANISM_INVALID |
An invalid mechanism was specified to the cryptographic operation. More... | |
#define | CKR_MECHANISM_PARAM_INVALID |
Invalid parameters were supplied to the mechanism specified to the cryptographic operation. More... | |
#define | CKR_NEED_TO_CREATE_THREADS |
This value can only be returned by '''C_Initialize'''. More... | |
#define | CKR_NO_EVENT |
This value can only be returned by '''C_GetSlotEvent'''. More... | |
#define | CKR_OBJECT_HANDLE_INVALID |
The specified object handle is not valid. More... | |
#define | CKR_OPERATION_ACTIVE |
There is already an active operation (or combination of active operations) which prevents Cryptoki from activating the specified operation. More... | |
#define | CKR_OPERATION_NOT_INITIALIZED |
There is no active operation of an appropriate type in the specified session. More... | |
#define | CKR_PIN_EXPIRED |
The specified PIN has expired, and cannot be used to authenticate the user to the token. More... | |
#define | CKR_PIN_INCORRECT |
The specified PIN is incorrect, ''i.e.'', does not match the PIN stored on the token. More... | |
#define | CKR_PIN_INVALID |
The specified PIN has invalid characters in it. More... | |
#define | CKR_PIN_LEN_RANGE |
The specified PIN is too long or too short. More... | |
#define | CKR_PIN_LOCKED |
The specified PIN is "locked", and cannot be used. More... | |
#define | CKR_RANDOM_NO_RNG |
This value can be returned by '''C_SeedRandom''' and '''C_GenerateRandom'''. More... | |
#define | CKR_RANDOM_SEED_NOT_SUPPORTED |
This value can only be returned by '''C_SeedRandom'''. More... | |
#define | CKR_SAVED_STATE_INVALID |
This value can only be returned by '''C_SetOperationState'''. More... | |
#define | CKR_SESSION_COUNT |
This value can only be returned by '''C_OpenSession'''. More... | |
#define | CKR_SESSION_EXISTS |
This value can only be returned by '''C_InitToken'''. More... | |
#define | CKR_SESSION_PARALLEL_NOT_SUPPORTED |
The specified token does not support parallel sessions. More... | |
#define | CKR_SESSION_READ_ONLY |
The specified session was unable to accomplish the desired action because it is a read-only session. More... | |
#define | CKR_SESSION_READ_ONLY_EXISTS |
A read-only session already exists, and so the SO cannot be logged in. More... | |
#define | CKR_SESSION_READ_WRITE_SO_EXISTS |
A read/write SO session already exists, and so a read-only session cannot be opened. More... | |
#define | CKR_SIGNATURE_LEN_RANGE |
The provided signature/MAC can be seen to be invalid solely on the basis of its length. More... | |
#define | CKR_SIGNATURE_INVALID |
The provided signature/MAC is invalid. More... | |
#define | CKR_SLOT_ID_INVALID |
The specified slot ID is not valid. More... | |
#define | CKR_STATE_UNSAVEABLE |
The cryptographic operations state of the specified session cannot be saved for some reason (possibly the token is simply unable to save the current state). More... | |
#define | CKR_TEMPLATE_INCOMPLETE |
The template specified for creating an object is incomplete, and lacks some necessary attributes. More... | |
#define | CKR_TEMPLATE_INCONSISTENT |
The template specified for creating an object has conflicting attributes. More... | |
#define | CKR_TOKEN_NOT_RECOGNIZED |
The Cryptoki library and/or slot does not recognize the token in the slot. More... | |
#define | CKR_TOKEN_WRITE_PROTECTED |
The requested action could not be performed because the token is write-protected. More... | |
#define | CKR_UNWRAPPING_KEY_HANDLE_INVALID |
This value can only be returned by '''C_UnwrapKey'''. More... | |
#define | CKR_UNWRAPPING_KEY_SIZE_RANGE |
This value can only be returned by '''C_UnwrapKey'''. More... | |
#define | CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT |
This value can only be returned by '''C_UnwrapKey'''. More... | |
#define | CKR_USER_ALREADY_LOGGED_IN |
This value can only be returned by '''C_Login'''. More... | |
#define | CKR_USER_ANOTHER_ALREADY_LOGGED_IN |
This value can only be returned by '''C_Login'''. More... | |
#define | CKR_USER_NOT_LOGGED_IN |
The desired action cannot be performed because the appropriate user (or ''an'' appropriate user) is not logged in. More... | |
#define | CKR_USER_PIN_NOT_INITIALIZED |
This value can only be returned by '''C_Login'''. More... | |
#define | CKR_USER_TOO_MANY_TYPES |
An attempt was made to have more distinct users simultaneously logged into the token than the token and/or library permits. More... | |
#define | CKR_USER_TYPE_INVALID |
An invalid value was specified as a '''CK_USER_TYPE'''. More... | |
#define | CKR_WRAPPED_KEY_INVALID |
This value can only be returned by '''C_UnwrapKey'''. More... | |
#define | CKR_WRAPPED_KEY_LEN_RANGE |
This value can only be returned by '''C_UnwrapKey'''. More... | |
#define | CKR_WRAPPING_KEY_HANDLE_INVALID |
This value can only be returned by '''C_WrapKey'''. More... | |
#define | CKR_WRAPPING_KEY_SIZE_RANGE |
This value can only be returned by '''C_WrapKey'''. More... | |
#define | CKR_WRAPPING_KEY_TYPE_INCONSISTENT |
This value can only be returned by '''C_WrapKey'''. More... | |
Typedefs | |
typedef unsigned char | CK_BYTE |
an unsigned 8-bit value. More... | |
typedef CK_BYTE | CK_CHAR |
an unsigned 8-bit character. More... | |
typedef CK_BYTE | CK_UTF8CHAR |
an 8-bit UTF-8 character. More... | |
typedef CK_BYTE | CK_BBOOL |
a BYTE-sized Boolean flag. More... | |
typedef unsigned long int | CK_ULONG |
an unsigned value, at least 32 bits long. More... | |
typedef long int | CK_LONG |
a signed value, the same size as a CK_ULONG. More... | |
typedef CK_ULONG | CK_FLAGS |
at least 32 bits; each bit is a Boolean flag. More... | |
typedef CK_BYTE CK_PTR | CK_BYTE_PTR |
Pointer to a CK_BYTE. More... | |
typedef CK_CHAR CK_PTR | CK_CHAR_PTR |
Pointer to a CK_CHAR. More... | |
typedef CK_UTF8CHAR CK_PTR | CK_UTF8CHAR_PTR |
Pointer to a CK_UTF8CHAR. More... | |
typedef CK_ULONG CK_PTR | CK_ULONG_PTR |
Pointer to a CK_ULONG. More... | |
typedef void CK_PTR | CK_VOID_PTR |
Pointer to a void. More... | |
typedef CK_VOID_PTR CK_PTR | CK_VOID_PTR_PTR |
Pointer to a CK_VOID_PTR. More... | |
typedef NULL CK_PTR | NULL_PTR |
A NULL pointer. More... | |
typedef CK_RV(* | myCallbackType )(args) |
CK_CALLBACK_FUNCTIONCK_CALLBACK_FUNCTION(returnType, name), when followed by a parentheses-enclosed list of arguments and a semicolon, declares a variable or type which is a pointer to an application callback function that can be used by a Cryptoki API function in a Cryptoki library. More... | |
typedef struct | CK_VERSION |
CK_VERSION; CK_VERSION_PTRCK_VERSION is a structure that describes the version of a Cryptoki interface, a Cryptoki library, or an SSL implementation, or the hardware or firmware version of a slot or token. More... | |
typedef CK_VERSION CK_PTR | CK_VERSION_PTR |
Pointer to a CK_VERSION. More... | |
typedef struct | CK_INFO |
CK_INFO; CK_INFO_PTRCK_INFO provides general information about Cryptoki. More... | |
typedef CK_INFO CK_PTR | CK_INFO_PTR |
Pointer to a CK_INFO. More... | |
typedef CK_ULONG | CK_NOTIFICATION |
CK_NOTIFICATIONCK_NOTIFICATION holds the types of notifications that Cryptoki provides to an application. More... | |
typedef CK_ULONG | CK_SLOT_ID |
CK_SLOT_ID; CK_SLOT_ID_PTRCK_SLOT_ID is a Cryptoki-assigned value that identifies a slot. More... | |
typedef CK_SLOT_ID CK_PTR | CK_SLOT_ID_PTR |
Pointer to a CK_SLOT_ID. More... | |
typedef struct | CK_SLOT_INFO |
CK_SLOT_INFO; CK_SLOT_INFO_PTRCK_SLOT_INFO provides information about a slot. More... | |
typedef CK_SLOT_INFO CK_PTR | CK_SLOT_INFO_PTR |
Pointer to a CK_SLOT_INFO. More... | |
typedef struct | CK_TOKEN_INFO |
CK_TOKEN_INFO; CK_TOKEN_INFO_PTRCK_TOKEN_INFO provides information about a token. More... | |
typedef CK_TOKEN_INFO CK_PTR | CK_TOKEN_INFO_PTR |
Pointer to a CK_TOKEN_INFO. More... | |
typedef CK_ULONG | CK_SESSION_HANDLE |
CK_SESSION_HANDLE; CK_SESSION_HANDLE_PTRCK_SESSION_HANDLE is a Cryptoki-assigned value that identifies a session. More... | |
typedef CK_SESSION_HANDLE CK_PTR | CK_SESSION_HANDLE_PTR |
Pointer to a CK_SESSION_HANDLE. More... | |
typedef CK_ULONG | CK_USER_TYPE |
CK_USER_TYPECK_USER_TYPE holds the types of Cryptoki users described in Section 6.4.. More... | |
typedef CK_ULONG | CK_STATE |
CK_STATECK_STATE holds the session state, as described in Sections 6.6.1 and 6.6.2. It is defined as follows:. More... | |
typedef struct | CK_SESSION_INFO |
CK_SESSION_INFO; CK_SESSION_INFO_PTRCK_SESSION_INFO provides information about a session. More... | |
typedef CK_SESSION_INFO CK_PTR | CK_SESSION_INFO_PTR |
Pointer to a CK_SESSION_INFO. More... | |
typedef CK_ULONG | CK_OBJECT_HANDLE |
CK_OBJECT_HANDLE; CK_OBJECT_HANDLE_PTRCK_OBJECT_HANDLE is a token-specific identifier for an object. More... | |
typedef CK_OBJECT_HANDLE CK_PTR | CK_OBJECT_HANDLE_PTR |
Pointer to a CK_OBJECT_HANDLE. More... | |
typedef CK_ULONG | CK_OBJECT_CLASS |
CK_OBJECT_CLASS; CK_OBJECT_CLASS_PTRCK_OBJECT_CLASS is a value that identifies the classes (or types) of objects that Cryptoki recognizes. More... | |
typedef CK_OBJECT_CLASS CK_PTR | CK_OBJECT_CLASS_PTR |
Pointer to a CK_OBJECT_CLASS. More... | |
typedef CK_ULONG | CK_HW_FEATURE_TYPE |
CK_HW_FEATURE_TYPECK_HW_FEATURE_TYPE is a value that identifies a hardware feature type of a device. More... | |
typedef CK_ULONG | CK_KEY_TYPE |
CK_KEY_TYPECK_KEY_TYPE is a value that identifies a key type. More... | |
typedef CK_ULONG | CK_CERTIFICATE_TYPE |
CK_CERTIFICATE_TYPECK_CERTIFICATE_TYPE is a value that identifies a certificate type. More... | |
typedef CK_ULONG | CK_ATTRIBUTE_TYPE |
CK_ATTRIBUTE_TYPECK_ATTRIBUTE_TYPE is a value that identifies an attribute type. More... | |
typedef struct | CK_ATTRIBUTE |
CK_ATTRIBUTE; CK_ATTRIBUTE_PTRCK_ATTRIBUTE is a structure that includes the type, value, and length of an attribute. More... | |
typedef CK_ATTRIBUTE CK_PTR | CK_ATTRIBUTE_PTR |
Pointer to a CK_ATTRIBUTE. More... | |
typedef struct | CK_DATE |
CK_DATECK_DATE is a structure that defines a date. More... | |
typedef CK_ULONG | CK_MECHANISM_TYPE |
CK_MECHANISM_TYPE; CK_MECHANISM_TYPE_PTRCK_MECHANISM_TYPE is a value that identifies a mechanism type. More... | |
typedef CK_MECHANISM_TYPE CK_PTR | CK_MECHANISM_TYPE_PTR |
Pointer to a CK_MECHANISM_TYPE. More... | |
typedef struct | CK_MECHANISM |
CK_MECHANISM; CK_MECHANISM_PTRCK_MECHANISM is a structure that specifies a particular mechanism and any parameters it requires. More... | |
typedef CK_MECHANISM CK_PTR | CK_MECHANISM_PTR |
Pointer to a CK_MECHANISM. More... | |
typedef struct | CK_MECHANISM_INFO |
CK_MECHANISM_INFO; CK_MECHANISM_INFO_PTRCK_MECHANISM_INFO is a structure that provides information about a particular mechanism. More... | |
typedef CK_MECHANISM_INFO CK_PTR | CK_MECHANISM_INFO_PTR |
Pointer to a CK_MECHANISM_INFO. More... | |
typedef CK_ULONG | CK_RV |
CK_RVCK_RV is a value that identifies the return value of a Cryptoki function. More... | |
typedef CK_RV(* | CK_NOTIFY )(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event, CK_VOID_PTR pApplication) |
CK_NOTIFYCK_NOTIFY is the type of a pointer to a function used by Cryptoki to perform notification callbacks. More... | |
typedef struct | CK_FUNCTION_LIST |
CK_FUNCTION_LIST; CK_FUNCTION_LIST_PTR; CK_FUNCTION_LIST_PTR_PTRCK_FUNCTION_LIST is a structure which contains a Cryptoki version and a function pointer to each function in the Cryptoki API. More... | |
typedef CK_FUNCTION_LIST CK_PTR | CK_FUNCTION_LIST_PTR |
Pointer to a CK_FUNCTION_LIST. More... | |
typedef CK_FUNCTION_LIST_PTR CK_PTR | CK_FUNCTION_LIST_PTR_PTR |
Pointer to a CK_FUNCTION_LIST_PTR. More... | |
typedef CK_RV(* | CK_CREATEMUTEX )(CK_VOID_PTR_PTR ppMutex) |
CK_CREATEMUTEXCK_CREATEMUTEX is the type of a pointer to an application-supplied function which creates a new mutex object and returns a pointer to it. More... | |
typedef CK_RV(* | CK_DESTROYMUTEX )(CK_VOID_PTR pMutex) |
CK_DESTROYMUTEXCK_DESTROYMUTEX is the type of a pointer to an application-supplied function which destroys an existing mutex object. More... | |
typedef CK_RV(* | CK_LOCKMUTEX )(CK_VOID_PTR pMutex) |
If a CK_LOCKMUTEX function is called on a mutex which is not locked, the calling thread obtains a lock on that mutex and returns. More... | |
typedef CK_RV(* | CK_UNLOCKMUTEX )(CK_VOID_PTR pMutex) |
CK_UNLOCKMUTEX is defined as follows:. More... | |
typedef struct | CK_C_INITIALIZE_ARGS |
CK_C_INITIALIZE_ARGS; CK_C_INITIALIZE_ARGS_PTRCK_C_INITIALIZE_ARGS is a structure containing the optional arguments for the C_Initialize function. More... | |
typedef CK_C_INITIALIZE_ARGS CK_PTR | CK_C_INITIALIZE_ARGS_PTR |
Pointer to a CK_C_INITIALIZE_ARGS. More... | |
typedef CK_ULONG | CK_RSA_PKCS_MGF_TYPE |
CK_RSA_PKCS_MGF_TYPE; CK_RSA_PKCS_MGF_TYPE_PTRCK_RSA_PKCS_MGF_TYPE is used to indicate the Message Generation Function (MGF) applied to a message block when formatting a message block for the PKCS #1 OAEP encryption scheme. More... | |
typedef CK_RSA_PKCS_MGF_TYPE CK_PTR | CK_RSA_PKCS_MGF_TYPE_PTR |
Pointer to a CK_RSA_PKCS_MGF_TYPE. More... | |
typedef CK_ULONG | CK_RSA_PKCS_OAEP_SOURCE_TYPE |
CK_RSA_PKCS_OAEP_SOURCE_TYPE; CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTRCK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source of the encoding parameter when formatting a message block for the PKCS #1 OAEP encryption scheme. More... | |
typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR | CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR |
Pointer to a CK_RSA_PKCS_OAEP_SOURCE_TYPE. More... | |
typedef struct | CK_RSA_PKCS_OAEP_PARAMS |
CK_RSA_PKCS_OAEP_PARAMS; CK_RSA_PKCS_OAEP_PARAMS_PTRCK_RSA_PKCS_OAEP_PARAMS is a structure that provides the parameters to the CKM_RSA_PKCS_OAEP mechanism. More... | |
typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR | CK_RSA_PKCS_OAEP_PARAMS_PTR |
Pointer to a CK_RSA_PKCS_OAEP_PARAMS. More... | |
typedef struct | CK_KEA_DERIVE_PARAMS |
typedef CK_KEA_DERIVE_PARAMS CK_PTR | CK_KEA_DERIVE_PARAMS_PTR |
Pointer to a CK_KEA_DERIVE_PARAMS. More... | |
typedef CK_ULONG | CK_RC2_PARAMS |
CK_RC2_PARAMS; CK_RC2_PARAMS_PTRCK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and CKM_RC2_MAC mechanisms. More... | |
typedef CK_RC2_PARAMS CK_PTR | CK_RC2_PARAMS_PTR |
Pointer to a CK_RC2_PARAMS. More... | |
typedef struct | CK_RC2_CBC_PARAMS |
CK_RC2_CBC_PARAMS; CK_RC2_CBC_PARAMS_PTRCK_RC2_CBC_PARAMS is a structure that provides the parameters to the CKM_RC2_CBC and CKM_RC2_CBC_PAD mechanisms. More... | |
typedef CK_RC2_CBC_PARAMS CK_PTR | CK_RC2_CBC_PARAMS_PTR |
Pointer to a CK_RC2_CBC_PARAMS. More... | |
typedef struct | CK_RC2_MAC_GENERAL_PARAMS |
CK_RC2_MAC_GENERAL_PARAMS; CK_RC2_MAC_GENERAL_PARAMS_PTRCK_RC2_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC2_MAC_GENERAL mechanism. More... | |
typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR | CK_RC2_MAC_GENERAL_PARAMS_PTR |
Pointer to a CK_RC2_MAC_GENERAL_PARAMS. More... | |
typedef struct | CK_RC5_PARAMS |
CK_RC5_PARAMS; CK_RC5_PARAMS_PTRCK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and CKM_RC5_MAC mechanisms. More... | |
typedef CK_RC5_PARAMS CK_PTR | CK_RC5_PARAMS_PTR |
Pointer to a CK_RC5_PARAMS. More... | |
typedef struct | CK_RC5_CBC_PARAMS |
CK_RC5_CBC_PARAMS; CK_RC5_CBC_PARAMS_PTRCK_RC5_CBC_PARAMS is a structure that provides the parameters to the CKM_RC5_CBC and CKM_RC5_CBC_PAD mechanisms. More... | |
typedef CK_RC5_CBC_PARAMS CK_PTR | CK_RC5_CBC_PARAMS_PTR |
Pointer to a CK_RC5_CBC_PARAMS. More... | |
typedef struct | CK_RC5_MAC_GENERAL_PARAMS |
CK_RC5_MAC_GENERAL_PARAMS; CK_RC5_MAC_GENERAL_PARAMS_PTRCK_RC5_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC5_MAC_GENERAL mechanism. More... | |
typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR | CK_RC5_MAC_GENERAL_PARAMS_PTR |
Pointer to a CK_RC5_MAC_GENERAL_PARAMS. More... | |
typedef CK_ULONG | CK_MAC_GENERAL_PARAMS |
CK_MAC_GENERAL_PARAMS; CK_MAC_GENERAL_PARAMS_PTRCK_MAC_GENERAL_PARAMS provides the parameters to the general-length MACing mechanisms of the DES, DES3 (triple-DES), CAST, CAST3, CAST128 (CAST5), IDEA, and CDMF ciphers. More... | |
typedef CK_MAC_GENERAL_PARAMS CK_PTR | CK_MAC_GENERAL_PARAMS_PTR |
Pointer to a CK_MAC_GENERAL_PARAMS. More... | |
typedef struct | CK_SKIPJACK_PRIVATE_WRAP_PARAMS |
CK_SKIPJACK_PRIVATE_WRAP_PARAMS; CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTRCK_SKIPJACK_PRIVATE_WRAP_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_PRIVATE_WRAP mechanism. More... | |
typedef CK_PRIVATE_WRAP_PARAMS CK_PTR | CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR |
Pointer to a CK_PRIVATE_WRAP_PARAMS. More... | |
typedef struct | CK_SKIPJACK_RELAYX_PARAMS |
CK_SKIPJACK_RELAYX_PARAMS; CK_SKIPJACK_RELAYX_PARAMS_PTRCK_SKIPJACK_RELAYX_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_RELAYX mechanism. More... | |
typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR | CK_SKIPJACK_RELAYX_PARAMS_PTR |
Pointer to a CK_SKIPJACK_RELAYX_PARAMS. More... | |
typedef struct | CK_PBE_PARAMS |
CK_PBE_PARAMS; CK_PBE_PARAMS_PTRCK_PBE_PARAMS is a structure which provides all of the necessary information required by the CKM_PBE mechanisms (see PKCS #5 and PKCS #12 for information on the PBE generation mechanisms) and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism. More... | |
typedef CK_PBE_PARAMS CK_PTR | CK_PBE_PARAMS_PTR |
Pointer to a CK_PBE_PARAMS. More... | |
typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR | CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR |
Pointer to a CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE. More... | |
typedef CK_ULONG | CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE |
CK_PKCS5_PBKD2_SALT_SOURCE_TYPE; CK_PKCS5_PBKD2_SALT_SOURCE_TYPE_PTRCK_PKCS5_PBKD2_SALT_SOURCE_TYPE is used to indicate the source of the salt value when deriving a key using PKCS #5 PBKDF2. More... | |
typedef CK_PKCS5_PBKD2_SALT_SOURCE_TYPE CK_PTR | CK_PKCS5_PBKD2_SALT_SOURCE_TYPE_PTR |
Pointer to a CK_PKCS5_PBKD2_SALT_SOURCE_TYPE. More... | |
typedef struct | CK_PKCS5_PBKD2_PARAMS |
CK_PKCS5_PBKD2_PARAMS; CK_PKCS5_PBKD2_PARAMS_PTRCK_PKCS5_PBKD2_PARAMS is a structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism. More... | |
typedef CK_PKCS5_PBKD2_PARAMS CK_PTR | CK_PKCS5_PBKD2_PARAMS_PTR |
Pointer to a CK_PKCS5_PBKD2_PARAMS. More... | |
typedef struct | CK_KEY_WRAP_SET_OAEP_PARAMS |
CK_KEY_WRAP_SET_OAEP_PARAMS; CK_KEY_WRAP_SET_OAEP_PARAMS_PTRCK_KEY_WRAP_SET_OAEP_PARAMS is a structure that provides the parameters to the CKM_KEY_WRAP_SET_OAEP mechanism. More... | |
typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR | CK_KEY_WRAP_SET_OAEP_PARAMS_PTR |
Pointer to a CK_KEY_WRAP_SET_OAEP_PARAMS. More... | |
typedef struct | CK_SSL3_RANDOM_DATA |
CK_SSL3_RANDOM_DATACK_SSL3_RANDOM_DATA is a structure which provides information about the random data of a client and a server in an SSL context. More... | |
typedef struct | CK_SSL3_MASTER_KEY_DERIVE_PARAMS |
typedef CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR | CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR |
Pointer to a CK_SSL3_MASTER_KEY_DERIVE_PARAMS. More... | |
typedef struct | CK_SSL3_KEY_MAT_OUT |
CK_SSL3_KEY_MAT_OUT; CK_SSL3_KEY_MAT_OUT_PTRCK_SSL3_KEY_MAT_OUT is a structure that contains the resulting key handles and initialization vectors after performing a C_DeriveKey function with the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. More... | |
typedef CK_SSL3_KEY_MAT_OUT CK_PTR | CK_SSL3_KEY_MAT_OUT_PTR |
Pointer to a CK_SSL3_KEY_MAT_OUT. More... | |
typedef struct | CK_SSL3_KEY_MAT_PARAMS |
CK_SSL3_KEY_MAT_PARAMS; CK_SSL3_KEY_MAT_PARAMS_PTRCK_SSL3_KEY_MAT_PARAMS is a structure that provides the parameters to the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. More... | |
typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR | CK_SSL3_KEY_MAT_PARAMS_PTR |
Pointer to a CK_SSL3_KEY_MAT_PARAMS. More... | |
typedef struct | CK_KEY_DERIVATION_STRING_DATA |
CK_KEY_DERIVATION_STRING_DATA; CK_KEY_DERIVATION_STRING_DATA_PTR. More... | |
typedef CK_ULONG | CK_EXTRACT_PARAMS |
CK_EXTRACT_PARAMS; CK_EXTRACT_PARAMS_PTRCK_KEY_EXTRACT_PARAMS provides the parameter to the CKM_EXTRACT_KEY_FROM_KEY mechanism. More... | |
typedef CK_EXTRACT_PARAMS CK_PTR | CK_EXTRACT_PARAMS_PTR |
Pointer to a CK_EXTRACT_PARAMS. More... | |
Functions | |
typedef | CK_DECLARE_FUNCTION_POINTER (CK_RV, myC_InitializeType)(CK_VOID_PTR pReserved) |
CK_RV | C_Initialize (CK_VOID_PTR pInitArgs) |
C_Initialize initializes the Cryptoki library. More... | |
CK_RV | C_Finalize (CK_VOID_PTR pReserved) |
C_Finalize is called to indicate that an application is finished with the Cryptoki library. More... | |
CK_RV | C_GetInfo (CK_INFO_PTR pInfo) |
C_GetInfo returns general information about Cryptoki. More... | |
CK_RV | C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR ppFunctionList) |
C_GetFunctionList obtains a pointer to the Cryptoki library's list of function pointers. More... | |
CK_RV | C_GetSlotList (CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) |
C_GetSlotList is used to obtain a list of slots in the system. More... | |
CK_RV | C_GetSlotInfo (CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) |
C_GetSlotInfo obtains information about a particular slot in the system. More... | |
CK_RV | C_GetTokenInfo (CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) |
C_GetTokenInfo obtains information about a particular token in the system. More... | |
CK_RV | C_WaitForSlotEvent (CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) |
C_WaitForSlotEvent waits for a slot event, such as token insertion or token removal, to occur. More... | |
CK_RV | C_GetMechanismList (CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) |
C_GetMechanismList is used to obtain a list of mechanism types supported by a token. More... | |
CK_RV | C_GetMechanismInfo (CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo) |
C_GetMechanismInfo obtains information about a particular mechanism possibly supported by a token. More... | |
CK_RV | C_InitToken (CK_SLOT_ID slotID, CK_CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel) |
C_InitToken initializes a token. More... | |
CK_RV | C_InitPIN (CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin, CK_ULONG ulPinLen) |
C_InitPIN initializes the normal user's PIN. More... | |
CK_RV | C_SetPIN (CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen) |
C_SetPIN modifies the PIN of the user that is currently logged in. More... | |
CK_RV | C_OpenSession (CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession) |
C_OpenSession opens a session between an application and a token in a particular slot. More... | |
CK_RV | C_CloseSession (CK_SESSION_HANDLE hSession) |
C_CloseSession closes a session between an application and a token. More... | |
CK_RV | C_CloseAllSessions (CK_SLOT_ID slotID) |
C_CloseAllSessions closes all sessions an application has with a token. More... | |
CK_RV | C_GetSessionInfo (CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) |
C_GetSessionInfo obtains information about a session. More... | |
CK_RV | C_GetOperationState (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) |
C_GetOperationState obtains a copy of the cryptographic operations state of a session, encoded as a string of bytes. More... | |
CK_RV | C_SetOperationState (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen, CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) |
C_SetOperationState restores the cryptographic operations state of a session from a string of bytes obtained with C_GetOperationState. More... | |
CK_RV | C_Login (CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_CHAR_PTR pPin, CK_ULONG ulPinLen) |
C_Login logs a user into a token. More... | |
CK_RV | C_Logout (CK_SESSION_HANDLE hSession) |
C_Logout logs a user out from a token. More... | |
CK_RV | C_CreateObject (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject) |
C_CreateObject creates a new object. More... | |
CK_RV | C_CopyObject (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phNewObject) |
C_CopyObject copies an object, creating a new object for the copy. More... | |
CK_RV | C_DestroyObject (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) |
C_DestroyObject destroys an object. More... | |
CK_RV | C_GetObjectSize (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) |
C_GetObjectSize gets the size of an object in bytes. More... | |
CK_RV | C_GetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
C_GetAttributeValue obtains the value of one or more attributes of an object. More... | |
CK_RV | C_SetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
C_SetAttributeValue modifies the value of one or more attributes of an object. More... | |
CK_RV | C_FindObjectsInit (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
C_FindObjectsInit initializes a search for token and session objects that match a template. More... | |
CK_RV | C_FindObjects (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount) |
C_FindObjects continues a search for token and session objects that match a template, obtaining additional object handles. More... | |
CK_RV | C_FindObjectsFinal (CK_SESSION_HANDLE hSession) |
C_FindObjectsFinal terminates a search for token and session objects. More... | |
CK_RV | C_EncryptInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_EncryptInit initializes an encryption operation. More... | |
CK_RV | C_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, CK_ULONG_PTR pulEncryptedDataLen) |
C_Encrypt encrypts single-part data. More... | |
CK_RV | C_EncryptUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) |
C_EncryptUpdate continues a multiple-part encryption operation, processing another data part. More... | |
CK_RV | C_EncryptFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen) |
C_EncryptFinal finishes a multiple-part encryption operation. More... | |
CK_RV | C_DecryptInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_DecryptInit initializes a decryption operation. More... | |
CK_RV | C_Decrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) |
C_Decrypt decrypts encrypted data in a single part. More... | |
CK_RV | C_DecryptUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) |
C_DecryptUpdate continues a multiple-part decryption operation, processing another encrypted data part. More... | |
CK_RV | C_DecryptFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen) |
C_DecryptFinal finishes a multiple-part decryption operation. More... | |
CK_RV | C_DigestInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) |
C_DigestInit initializes a message-digesting operation. More... | |
CK_RV | C_Digest (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) |
C_Digest digests data in a single part. More... | |
CK_RV | C_DigestUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) |
C_DigestUpdate continues a multiple-part message-digesting operation, processing another data part. More... | |
CK_RV | C_DigestKey (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) |
C_DigestKey continues a multiple-part message-digesting operation by digesting the value of a secret key. More... | |
CK_RV | C_DigestFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) |
C_DigestFinal finishes a multiple-part message-digesting operation, returning the message digest. More... | |
CK_RV | C_SignInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_SignInit initializes a signature operation, where the signature is an appendix to the data. More... | |
CK_RV | C_Sign (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) |
C_Sign signs data in a single part, where the signature is an appendix to the data. More... | |
CK_RV | C_SignUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) |
C_SignUpdate continues a multiple-part signature operation, processing another data part. More... | |
CK_RV | C_SignFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) |
C_SignFinal finishes a multiple-part signature operation, returning the signature. More... | |
CK_RV | C_SignRecoverInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_SignRecoverInit initializes a signature operation, where the data can be recovered from the signature. More... | |
CK_RV | C_SignRecover (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) |
C_SignRecover signs data in a single operation, where the data can be recovered from the signature. More... | |
CK_RV | C_VerifyInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_VerifyInit initializes a verification operation, where the signature is an appendix to the data. More... | |
CK_RV | C_Verify (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) |
C_Verify verifies a signature in a single-part operation, where the signature is an appendix to the data. More... | |
CK_RV | C_VerifyUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) |
C_VerifyUpdate continues a multiple-part verification operation, processing another data part. More... | |
CK_RV | C_VerifyFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) |
C_VerifyFinal finishes a multiple-part verification operation, checking the signature. More... | |
CK_RV | C_VerifyRecoverInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_VerifyRecoverInit initializes a signature verification operation, where the data is recovered from the signature. More... | |
CK_RV | C_VerifyRecover (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) |
C_VerifyRecover verifies a signature in a single-part operation, where the data is recovered from the signature. More... | |
CK_RV | C_DigestEncryptUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) |
C_DigestEncryptUpdate continues multiple-part digest and encryption operations, processing another data part. More... | |
CK_RV | C_DecryptDigestUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) |
C_DecryptDigestUpdate continues a multiple-part combined decryption and digest operation, processing another data part. More... | |
CK_RV | C_SignEncryptUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) |
C_SignEncryptUpdate continues a multiple-part combined signature and encryption operation, processing another data part. More... | |
CK_RV | C_DecryptVerifyUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) |
C_DecryptVerifyUpdate continues a multiple-part combined decryption and verification operation, processing another data part. More... | |
CK_RV | C_GenerateKey (CK_SESSION_HANDLE hSession CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) |
C_GenerateKey generates a secret key, creating a new key object. More... | |
CK_RV | C_GenerateKeyPair (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) |
C_GenerateKeyPair generates a public/private key pair, creating new key objects. More... | |
CK_RV | C_WrapKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) |
C_WrapKey wraps (i.e., encrypts) a private or secret key. More... | |
CK_RV | C_UnwrapKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) |
C_UnwrapKey unwraps (i.e. decrypts) a wrapped key, creating a new private key or secret key object. More... | |
CK_RV | C_DeriveKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) |
C_DeriveKey derives a key from a base key, creating a new key object. More... | |
CK_RV | C_SeedRandom (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen) |
C_SeedRandom mixes additional seed material into the token's random number generator. More... | |
CK_RV | C_GenerateRandom (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) |
C_GenerateRandom generates random or pseudo-random data. More... | |
CK_RV | C_GetFunctionStatus (CK_SESSION_HANDLE hSession) |
In previous versions of Cryptoki, C_GetFunctionStatus obtained the status of a function running in parallel with an application. More... | |
CK_RV | C_CancelFunction (CK_SESSION_HANDLE hSession) |
In previous versions of Cryptoki, C_CancelFunction cancelled a function running in parallel with an application. More... | |
Variables | |
myC_Initialize | |
myCallback | |
typedef | CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE |
CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTRCK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to indicate the Pseudo-Random Function (PRF) used to generate key bits using PKCS #5 PBKDF2. More... |
Definition in file pkcs11_all.h.
|
An invalid handle. |
|
CK_BBOOL true. |
|
CK_BBOOL false. |
|
Information unavailable. |
|
Effectively infinite. |
|
Security Officer. |
|
User. |
|
Context specific. |
|
Read only public session. |
|
Read only user functions. |
|
Read write public session. |
|
Read write user functions. |
|
Read write security officer functions. |
|
True. |
|
False. |
|
TRUE if a token is present in the slot (''e.g.'', a device is in the reader). |
|
TRUE if the reader supports removable devices. |
|
TRUE if the slot is a hardware slot, as opposed to a software slot implementing a "soft token". |
|
TRUE if the token has its own random number generator. |
|
TRUE if the token is write-protected (see below). |
|
TRUE if there are some cryptographic functions that a user must be logged in to perform. |
|
TRUE if the normal user's PIN has been initialized. |
|
TRUE if a successful save of a session's cryptographic operations state ''always'' contains all keys needed to restore the state of the session. |
|
TRUE if token has its own hardware clock. |
|
TRUE if token has a "protected authentication path", whereby a user can log into the token without passing a PIN through the Cryptoki library. |
|
TRUE if a single session with the token can perform dual cryptographic operations (see Section 11.13). |
|
TRUE if the token has been initialized using C_InitializeToken or an equivalent mechanism outside the scope of this standard. Calling C_InitializeToken when this flag is set will cause the token to be reinitialized. |
|
TRUE if the token supports secondary authentication for private key objects. |
|
TRUE if an incorrect user login PIN has been entered at least once since the last successful authentication. |
|
TRUE if supplying an incorrect user PIN will it to become locked. |
|
TRUE if the user PIN has been locked. User login to the token is not possible. |
|
TRUE if the user PIN value is the default value set by token initialization or manufacturing. |
|
TRUE if an incorrect SO login PIN has been entered at least once since the last successful authentication. |
|
TRUE if supplying an incorrect SO PIN will it to become locked. |
|
TRUE if the user PIN has been locked. User login to the token is not possible. |
|
TRUE if the SO PIN value is the default value set by token initialization or manufacturing. |
|
TRUE if the session is read/write; FALSE if the session is read-only. |
|
This flag is provided for backward compatibility, and should always be set to TRUE. |
|
TRUE if the mechanism is performed by the device; FALSE if the mechanism is performed in software. |
|
TRUE if the mechanism can be used with '''C_EncryptInit'''. |
|
TRUE if the mechanism can be used with '''C_DecryptInit'''. |
|
TRUE if the mechanism can be used with '''C_DigestInit'''. |
|
TRUE if the mechanism can be used with '''C_SignInit'''. |
|
TRUE if the mechanism can be used with '''C_SignRecoverInit'''. |
|
TRUE if the mechanism can be used with '''C_VerifyInit'''. |
|
TRUE if the mechanism can be used with '''C_VerifyRecoverInit'''. |
|
TRUE if the mechanism can be used with '''C_GenerateKey'''. |
|
TRUE if the mechanism can be used with '''C_GenerateKeyPair'''. |
|
TRUE if the mechanism can be used with '''C_WrapKey'''. |
|
TRUE if the mechanism can be used with '''C_UnwrapKey'''. |
|
TRUE if the mechanism can be used with '''C_DeriveKey'''. |
|
TRUE if there is an extension to the flags; FALSE if no extensions. Must be FALSE for this version. |
|
TRUE if application threads which are executing calls to the library may ''not'' use native operating system calls to spawn new threads; FALSE if they may. |
|
TRUE if the library can use the native operation system threading model for locking; FALSE otherwise. |
|
Object class (type). |
|
Hardware feature (type). |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
The value of the counter will reset to a previously returned value if the token is initialized using '''C_InitializeToken'''. |
|
The value of the counter has been reset at least once at some point in time. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
TRUE if object is a token object; FALSE if object is a session object (default FALSE). |
|
TRUE if object is a private object; FALSE if object is a public object. Default value is token-specific, and may depend on the values of other attributes of the object. |
|
TRUE if object can be modified (default TRUE). |
|
Description of the object (default empty). |
|
Description of the application that manages the object (default empty). |
|
DER-encoding of the object identifier indicating the data object type (default empty). |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Type of certificate. |
|
DER-encoding of the certificate subject name. |
|
Key identifier for public/private key pair (default empty). |
|
DER-encoding of the certificate issuer name (default empty). |
|
DER-encoding of the certificate serial number (default empty). (default empty) |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
DER-encoding of the attribute certificate's subject field. This is distinct from the CKA_SUBJECT attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. |
|
DER-encoding of the attribute certificate's issuer field. This is distinct from the CKA_ISSUER attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. (default empty) |
|
DER-encoding of the certificate serial number (default empty). (default empty) |
|
BER-encoding of a sequence of object identifier values corresponding to the attribute types contained in the certificate. When present, this field offers an opportunity for applications to search for a particular attribute certificate without fetching and parsing the certificate itself. (default empty) |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Type of key. |
|
Key identifier for public/private key pair (default empty). |
|
Start date for the key (default empty). |
|
End date for the key (default empty). |
|
TRUE if key supports key derivation (''i.e.'', if other keys can be derived from this one (default FALSE). |
|
TRUE only if key was either * generated locally (''i.e.'', on the token) with a '''C_GenerateKey''' or '''C_GenerateKeyPair''' call * created with a '''C_CopyObject''' call as a copy of a key which had its '''CKA_LOCAL''' attribute set to TRUE. |
|
DER-encoding of the certificate subject name. |
|
TRUE if key supports encryption9. |
|
TRUE if key supports verification where the signature is an appendix to the data9. |
|
TRUE if key supports verification where the data is recovered from the signature9. |
|
TRUE if key supports wrapping (''i.e.'', can be used to wrap other keys)9. |
|
Modulus ''n''. |
|
Length in bits of modulus ''n''. |
|
Public exponent ''e''. |
|
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
|
Subprime ''q'' (160 bits). |
|
Base ''g''. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
DER-encoding of an X9.62 ECParameters value. |
|
DER-encoding of X9.62 ECPoint value ''P''. |
|
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
|
Base ''g''. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
|
Subprime ''q'' (160 bits). |
|
Base ''g''. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
DER-encoding of the certificate subject name. |
|
TRUE if key is sensitive9. |
|
TRUE is the key requires a secondary authentication to take place before its use it allowed. (default FALSE) |
|
Mask indicating the current state of the secondary authentication PIN. If CKA_SECONDARY_AUTH is FALSE, then this attribute is zero. |
|
TRUE if key supports decryption9. |
|
TRUE if key supports signatures where the signature is an appendix to the data9. |
|
TRUE if key supports signatures where the data can be recovered from the signature9. |
|
TRUE if key supports unwrapping (''i.e.'', can be used to unwrap other keys)9. |
|
TRUE if key is extractable9. |
|
TRUE if key has ''always'' had the CKA_SENSITIVE attribute set to TRUE. |
|
TRUE if key has ''never'' had the CKA_EXTRACTABLE attribute set to TRUE. |
|
Modulus ''n''. |
|
Public exponent ''e''. |
|
Private exponent ''d''. |
|
Prime ''p''. |
|
Prime ''q''. |
|
Private exponent ''d'' modulo ''p''-1. |
|
Private exponent ''d'' modulo ''q''-1. |
|
CRT coefficient ''q''-1 mod ''p''. |
|
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
|
Subprime ''q'' (160 bits). |
|
Base ''g''. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
DER-encoding of an X9.62 ECParameters value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
|
Base ''g''. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bits of private value ''x''. |
|
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
|
Subprime ''q'' (160 bits). |
|
Base ''g''. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
TRUE if key is sensitive9. |
|
TRUE if key supports encryption9. |
|
TRUE if key supports decryption9. |
|
TRUE if key supports signatures where the signature is an appendix to the data9. |
|
TRUE if key supports verification where the signature is an appendix to the data9. |
|
TRUE if key supports wrapping (''i.e.'', can be used to wrap other keys)9. |
|
TRUE if key supports unwrapping (''i.e.'', can be used to unwrap other keys)9. |
|
TRUE if key is extractable9. |
|
TRUE if key has ''always'' had the CKA_SENSITIVE attribute set to TRUE. |
|
TRUE if key has ''never'' had the CKA_EXTRACTABLE attribute set to TRUE. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Length in bytes of key value. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value is returned in big endian order. |
|
Some horrible, unrecoverable error has occurred. In the worst case, it is possible that the function only partially succeeded, and that the computer and/or token is in an inconsistent state. |
|
The computer that the Cryptoki library is running on has insufficient memory to perform the requested function. |
|
The requested function could not be performed, but detailed information about why not is not available in this error return. If the failed function uses a session, it is possible that the '''CK_SESSION_INFO''' structure that can be obtained by calling '''C_GetSessionInfo''' will hold useful information about what happened in its ''ulDeviceError'' field. In any event, although the function call failed, the situation is not necessarily totally hopeless, as it is likely to be when CKR_GENERAL_ERROR is returned. Depending on what the root cause of the error actually was, it is possible that an attempt to make the exact same function call again would succeed. |
|
The function executed successfully. Technically, CKR_OK is not ''quite'' a "universal" return value; in particular, the legacy functions '''C_GetFunctionStatus''' and '''C_CancelFunction''' (see Section 11.16) cannot return CKR_OK. |
|
The specified session handle was invalid ''at the time that the function was invoked''. Note that this can happen if the session's token is removed before the function invocation, since removing a token closes all sessions with it. |
|
The token was removed from its slot ''during the execution of the function''. |
|
The session was closed ''during the execution of the function''. Note that, as stated in Section 6.6.6, the behavior of Cryptoki is ''undefined'' if multiple threads of an application attempt to access a common Cryptoki session simultaneously. Therefore, there is actually no guarantee that a function invocation could ever return the value CKR_SESSION_CLOSED"if one thread is using a session when another thread closes that session, that is an instance of multiple threads accessing a common session simultaneously. |
|
The token does not have sufficient memory to perform the requested function. |
|
Some problem has occurred with the token and/or slot. This error code can be returned by more than just the functions mentioned above; in particular, it is possible for '''C_GetSlotInfo''' to return CKR_DEVICE_ERROR. |
|
The token was not present in its slot ''at the time that the function was invoked''. |
|
The token was removed from its slot ''during the execution of the function''. |
|
When a function executing in serial with an application decides to give the application a chance to do some work, it calls an application-supplied function with a CKN_SURRENDER callback (see Section 11.17). If the callback returns the value CKR_CANCEL, then the function aborts and returns CKR_FUNCTION_CANCELED. |
|
This error code can be returned by mutex-handling functions who are passed a bad mutex object as an argument. Unfortunately, it is possible for such a function not to recognize a bad mutex object. There is therefore no guarantee that such a function will successfully detect bad mutex objects and return this value. |
|
This error code can be returned by mutex-unlocking functions. It indicates that the mutex supplied to the mutex-unlocking function was not locked. |
|
This is a rather generic error code which indicates that the arguments supplied to the Cryptoki function were in some way not appropriate. |
|
An attempt was made to set a value for an attribute which may not be set by the application, or which may not be modified by the application. See Section 10.1 for more information. |
|
An attempt was made to obtain the value of an attribute of an object which cannot be satisfied because the object is either sensitive or unextractable. |
|
An invalid attribute type was specified in a template. See Section 10.1 for more information. |
|
An invalid value was specified for a particular attribute in a template. See Section 10.1 for more information. |
|
The output of the function is too large to fit in the supplied buffer. |
|
This value can only be returned by '''C_Initialize'''. It means that the type of locking requested by the application for thread-safety is not available in this library, and so the application cannot make use of this library in the specified fashion. |
|
This value can only be returned by '''C_Initialize'''. It means that the Cryptoki library has already been initialized (by a previous call to '''C_Initialize''' which did not have a matching '''C_Finalize''' call). |
|
This value can be returned by any function other than '''C_Initialize''' and '''C_GetFunctionList'''. It indicates that the function cannot be executed because the Cryptoki library has not yet been initialized by a call to '''C_Initialize'''. |
|
The plaintext input data to a cryptographic operation is invalid. At present, this error only applies to the '''CKM_RSA_X_509''' mechanism; it is returned when plaintext is supplied that has the same number of bytes as the RSA modulus and is numerically at least as large as the modulus. This return value has lower priority than CKR_DATA_LEN_RANGE. |
|
The plaintext input data to a cryptographic operation has a bad length. Depending on the operation's mechanism, this could mean that the plaintext data is too short, too long, or is not a multiple of some particular blocksize. This return value has higher priority than CKR_DATA_INVALID. |
|
The encrypted input to a decryption operation has been determined to be invalid ciphertext. This return value has lower priority than CKR_ENCRYPTED_DATA_LEN_RANGE. |
|
The ciphertext input to a decryption operation has been determined to be invalid ciphertext solely on the basis of its length. Depending on the operation's mechanism, this could mean that the ciphertext is too short, too long, or is not a multiple of some particular blocksize. This return value has higher priority than CKR_ENCRYPTED_DATA_INVALID. |
|
The function was canceled in mid-execution. This happens to a cryptographic function if the function makes a '''CKN_SURRENDER''' application callback which returns CKR_CANCEL (see CKR_CANCEL). |
|
There is currently no function executing in parallel in the specified session. This is a legacy error code which is only returned by the legacy functions '''C_GetFunctionStatus''' and '''C_CancelFunction'''. |
|
The requested function is not supported by this Cryptoki library. Even unsupported functions in the Cryptoki API should have a "stub" in the library; this stub should simply return the value CKR_FUNCTION_NOT_SUPPORTED. |
|
The information requested could not be obtained because the token considers it sensitive, and is not able or willing to reveal it. |
|
This value is only returned by '''C_SetOperationState'''. It indicates that one of the keys specified is not the same key that was being used in the original saved session. |
|
An attempt has been made to use a key for a cryptographic purpose that the key's attributes are not set to allow it to do. For example, to use a key for performing encryption, that key must have its '''CKA_ENCRYPT''' attribute set to TRUE (the fact that the key must have a '''CKA_ENCRYPT''' attribute implies that the key cannot be a private key). This return value has lower priority than CKR_KEY_TYPE_INCONSISTENT. |
|
The specified key handle is not valid. It may be the case that the specified handle is a valid handle for an object which is not a key. We reiterate here that 0 is never a valid key handle. |
|
This error code can only be returned by '''C_DigestKey'''. It indicates that the value of the specified key cannot be digested for some reason (perhaps the key isn't a secret key, or perhaps the token simply can't digest this kind of key). |
|
This value is only returned by '''C_SetOperationState'''. It indicates that the session state cannot be restored because '''C_SetOperationState''' needs to be supplied with one or more keys that were being used in the original saved session. |
|
An extraneous key was supplied to '''C_SetOperationState'''. For example, an attempt was made to restore a session that had been performing a message digesting operation, and an encryption key was supplied. |
|
Although the specified private or secret key does not have its CKA_UNEXTRACTABLE attribute set to TRUE, Cryptoki (or the token) is unable to wrap the key as requested (possibly the token can only wrap a given key with certain types of keys, and the wrapping key specified is not one of these types). Compare with CKR_KEY_UNEXTRACTABLE. |
|
Although the requested keyed cryptographic operation could in principle be carried out, this Cryptoki library (or the token) is unable to actually do it because the supplied key's size is outside the range of key sizes that it can handle. |
|
The specified key is not the correct type of key to use with the specified mechanism. This return value has a higher priority than CKR_KEY_FUNCTION_NOT_PERMITTED. |
|
The specified private or secret key can't be wrapped because its CKA_UNEXTRACTABLE attribute is set to TRUE. Compare with CKR_KEY_NOT_WRAPPABLE. |
|
An invalid mechanism was specified to the cryptographic operation. This error code is an appropriate return value if an unknown mechanism was specified or if the mechanism specified cannot be used in the selected token with the selected function. |
|
Invalid parameters were supplied to the mechanism specified to the cryptographic operation. Which parameter values are supported by a given mechanism can vary from token to token. |
|
This value can only be returned by '''C_Initialize'''. It is returned when two conditions hold: |
|
This value can only be returned by '''C_GetSlotEvent'''. It is returned when '''C_GetSlotEvent''' is called in non-blocking mode and there are no new slot events to return. |
|
The specified object handle is not valid. We reiterate here that 0 is never a valid object handle. |
|
There is already an active operation (or combination of active operations) which prevents Cryptoki from activating the specified operation. For example, an active object-searching operation would prevent Cryptoki from activating an encryption operation with '''C_EncryptInit'''. Or, an active digesting operation and an active encryption operation would prevent Cryptoki from activating a signature operation. Or, on a token which doesn't support simultaneous dual cryptographic operations in a session (see the description of the '''CKF_DUAL_CRYPTO_OPERATIONS''' flag in the '''CK_TOKEN_INFO''' structure), an active signature operation would prevent Cryptoki from activating an encryption operation. |
|
There is no active operation of an appropriate type in the specified session. For example, an application cannot call '''C_Encrypt''' in a session without having called '''C_EncryptInit''' first to activate an encryption operation. |
|
The specified PIN has expired, and cannot be used to authenticate the user to the token. Whether or not the normal user's PIN on a token ever expires varies from token to token. |
|
The specified PIN is incorrect, ''i.e.'', does not match the PIN stored on the token. More generally-- when authentication to the token involves something other than a PIN-- the attempt to authenticate the user has failed. |
|
The specified PIN has invalid characters in it. This return code only applies to functions which attempt to set a PIN. |
|
The specified PIN is too long or too short. This return code only applies to functions which attempt to set a PIN. |
|
The specified PIN is "locked", and cannot be used. That is, because some particular number of failed authentication attempts has been reached, the token is unwilling to permit further attempts at authentication. Depending on the token, the specified PIN may or may not remain locked indefinitely. |
|
This value can be returned by '''C_SeedRandom''' and '''C_GenerateRandom'''. It indicates that the specified token doesn't have a random number generator. This return value has higher priority than CKR_RANDOM_SEED_NOT_SUPPORTED. |
|
This value can only be returned by '''C_SeedRandom'''. It indicates that the token's random number generator does not accept seeding from an application. This return value has lower priority than CKR_RANDOM_NO_RNG. |
|
This value can only be returned by '''C_SetOperationState'''. It indicates that the supplied saved cryptographic operations state is invalid, and so it cannot be restored to the specified session. |
|
This value can only be returned by '''C_OpenSession'''. It indicates that the attempt to open a session failed, either because the token has too many sessions already open, or because the token has too many read/write sessions already open. |
|
This value can only be returned by '''C_InitToken'''. It indicates that a session with the token is already open, and so the token cannot be initialized. |
|
The specified token does not support parallel sessions. This is a legacy error code"in Cryptoki Version 2.01 and up, ''no'' token supports parallel sessions. CKR_SESSION_PARALLEL_NOT_SUPPORTED can only be returned by '''C_OpenSession''', and it is only returned when '''C_OpenSession''' is called in a particular [deprecated] way. |
|
The specified session was unable to accomplish the desired action because it is a read-only session. This return value has lower priority than CKR_TOKEN_WRITE_PROTECTED. |
|
A read-only session already exists, and so the SO cannot be logged in. |
|
A read/write SO session already exists, and so a read-only session cannot be opened. |
|
The provided signature/MAC can be seen to be invalid solely on the basis of its length. This return value has higher priority than CKR_SIGNATURE_INVALID. |
|
The provided signature/MAC is invalid. This return value has lower priority than CKR_SIGNATURE_LEN_RANGE. |
|
The specified slot ID is not valid. |
|
The cryptographic operations state of the specified session cannot be saved for some reason (possibly the token is simply unable to save the current state). This return value has lower priority than CKR_OPERATION_NOT_INITIALIZED. |
|
The template specified for creating an object is incomplete, and lacks some necessary attributes. See Section 10.1 for more information. |
|
The template specified for creating an object has conflicting attributes. See Section 10.1 for more information. |
|
The Cryptoki library and/or slot does not recognize the token in the slot. |
|
The requested action could not be performed because the token is write-protected. This return value has higher priority than CKR_SESSION_READ_ONLY. |
|
This value can only be returned by '''C_UnwrapKey'''. It indicates that the key handle specified to be used to unwrap another key is not valid. |
|
This value can only be returned by '''C_UnwrapKey'''. It indicates that although the requested unwrapping operation could in principle be carried out, this Cryptoki library (or the token) is unable to actually do it because the supplied key's size is outside the range of key sizes that it can handle. |
|
This value can only be returned by '''C_UnwrapKey'''. It indicates that the type of the key specified to unwrap another key is not consistent with the mechanism specified for unwrapping. |
|
This value can only be returned by '''C_Login'''. It indicates that the specified user cannot be logged into the session, because it is already logged into the session. For example, if an application has an open SO session, and it attempts to log the SO into it, it will receive this error code. |
|
This value can only be returned by '''C_Login'''. It indicates that the specified user cannot be logged into the session, because another user is already logged into the session. For example, if an application has an open SO session, and it attempts to log the normal user into it, it will receive this error code. |
|
The desired action cannot be performed because the appropriate user (or ''an'' appropriate user) is not logged in. One example is that a session cannot be logged out unless it is logged in. Another example is that a private object cannot be created on a token unless the session attempting to create it is logged in as the normal user. A final example is that cryptographic operations on certain tokens cannot be performed unless the normal user is logged in. |
|
This value can only be returned by '''C_Login'''. It indicates that the normal user's PIN has not yet been initialized with '''C_InitPIN'''. |
|
An attempt was made to have more distinct users simultaneously logged into the token than the token and/or library permits. For example, if some application has an open SO session, and another application attempts to log the normal user into a session, the attempt may return this error. It is not required to, however. Only if the simultaneous distinct users cannot be supported does '''C_Login''' have to return this value. Note that this error code generalizes to true multi-user tokens. |
|
An invalid value was specified as a '''CK_USER_TYPE'''. Valid types are '''CKU_SO''' and '''CKU_USER'''. |
|
This value can only be returned by '''C_UnwrapKey'''. It indicates that the provided wrapped key is not valid. If a call is made to '''C_UnwrapKey''' to unwrap a particular type of key (''i.e.'', some particular key type is specified in the template provided to '''C_UnwrapKey'''), and the wrapped key provided to '''C_UnwrapKey''' is recognizably not a wrapped key of the proper type, then '''C_UnwrapKey''' should return CKR_WRAPPED_KEY_INVALID. This return value has lower priority than CKR_WRAPPED_KEY_LEN_RANGE. |
|
This value can only be returned by '''C_UnwrapKey'''. It indicates that the provided wrapped key can be seen to be invalid solely on the basis of its length. This return value has higher priority than CKR_WRAPPED_KEY_INVALID. |
|
This value can only be returned by '''C_WrapKey'''. It indicates that the key handle specified to be used to wrap another key is not valid. |
|
This value can only be returned by '''C_WrapKey'''. It indicates that although the requested wrapping operation could in principle be carried out, this Cryptoki library (or the token) is unable to actually do it because the supplied wrapping key's size is outside the range of key sizes that it can handle. |
|
This value can only be returned by '''C_WrapKey'''. It indicates that the type of the key specified to wrap another key is not consistent with the mechanism specified for wrapping. |
|
an unsigned 8-bit value. |
|
an unsigned 8-bit character. |
|
an 8-bit UTF-8 character. |
|
a BYTE-sized Boolean flag. |
|
an unsigned value, at least 32 bits long. |
|
a signed value, the same size as a CK_ULONG. |
|
at least 32 bits; each bit is a Boolean flag. |
|
Pointer to a CK_BYTE. |
|
Pointer to a CK_CHAR. |
|
Pointer to a CK_UTF8CHAR. |
|
Pointer to a CK_ULONG. |
|
Pointer to a void. |
|
Pointer to a CK_VOID_PTR. |
|
A NULL pointer. |
|
CK_CALLBACK_FUNCTIONCK_CALLBACK_FUNCTION(returnType, name), when followed by a parentheses-enclosed list of arguments and a semicolon, declares a variable or type which is a pointer to an application callback function that can be used by a Cryptoki API function in a Cryptoki library. returnType is the return type of the function, and name is its name. It can be used in either of the following fashions to define a function pointer variable, myCallback, which can point to an application callback which takes arguments args and returns a CK_RV (note that neither of the following code snippets actually assigns a value to myCallback): |
|
CK_VERSION; CK_VERSION_PTRCK_VERSION is a structure that describes the version of a Cryptoki interface, a Cryptoki library, or an SSL implementation, or the hardware or firmware version of a slot or token.
For version 1.0, major = 1 and minor = For version 2.1, major = 2 and minor = 10. Minor revisions of the Cryptoki standard are always upwardly compatible within the same major version number. CK_VERSION_PTR is a pointer to a CK_VERSION.
CK_INFO; CK_INFO_PTRCK_INFO provides general information about Cryptoki. It is defined as follows:
|
|
Pointer to a CK_VERSION. |
|
CK_INFO; CK_INFO_PTRCK_INFO provides general information about Cryptoki. It is defined as follows:
For libraries written to this document, the value of cryptokiVersion should be 2.1; the value of libraryVersion is the version number of the library software itself. CK_INFO_PTR is a pointer to a CK_INFO.
CK_NOTIFICATIONCK_NOTIFICATION holds the types of notifications that Cryptoki provides to an application. It is defined as follows:
typedef CK_ULONG CK_NOTIFICATION; For this version of Cryptoki, the following types of notifications are defined:
#define CKN_SURRENDER 0 The notifications have the following meanings: CKN_SURRENDER Cryptoki is surrendering the execution of a function executing in a session so that the application may perform other operations. After performing any desired operations, the application should indicate to Cryptoki whether to continue or cancel the function (see Section 11.17.1). |
|
Pointer to a CK_INFO. |
|
CK_NOTIFICATIONCK_NOTIFICATION holds the types of notifications that Cryptoki provides to an application. |
|
CK_SLOT_ID; CK_SLOT_ID_PTRCK_SLOT_ID is a Cryptoki-assigned value that identifies a slot. It is defined as follows: |
|
Pointer to a CK_SLOT_ID. |
|
CK_SLOT_INFO; CK_SLOT_INFO_PTRCK_SLOT_INFO provides information about a slot. It is defined as follows:
The following table defines the flags field:
Table 9, Slot Information Flags
For a given slot, the value of the CKF_REMOVABLE_DEVICE flag never changes. In addition, if this flag is not set for a given slot, then the CKF_TOKEN_PRESENT flag for that slot is always set. That is, if a slot does not support a removable device, then that slot always has a token in it. CK_SLOT_INFO_PTR is a pointer to a CK_SLOT_INFO.
CK_TOKEN_INFO; CK_TOKEN_INFO_PTRCK_TOKEN_INFO provides information about a token. It is defined as follows:
|
|
Pointer to a CK_SLOT_INFO. |
|
CK_TOKEN_INFO; CK_TOKEN_INFO_PTRCK_TOKEN_INFO provides information about a token. It is defined as follows:
The following table defines the flags field:
Table 10, Token Information Flags
Exactly what the CKF_WRITE_PROTECTED flag means is not specified in Cryptoki. An application may be unable to perform certain actions on a write-protected token; these actions can include any of the following, among others:
Note: The fields ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, ulRwSessionCount, ulTotalPublicMemory, ulFreePublicMemory, ulTotalPrivateMemory, and ulFreePrivateMemory can have the special value CK_UNAVAILABLE_INFORMATION, which means that the token and/or library is unable or unwilling to provide that information. In addition, the fields ulMaxSessionCount and ulMaxRwSessionCount can have the special value CK_EFFECTIVELY_INFINITE, which means that there is no practical limit on the number of sessions (resp. R/W sessions) an application can have open with the token. These values are defined as
#define CK_UNAVAILABLE_INFORMATION (~0UL) #define CK_EFFECTIVELY_INFINITE 0 It is important to check these fields for these special values. This is particularly true for CK_EFFECTIVELY_INFINITE, since an application seeing this value in the ulMaxSessionCount or ulMaxRwSessionCount field would otherwise conclude that it can't open any sessions with the token, which is far from being the case. The upshot of all this is that the correct way to interpret (for example) the ulMaxSessionCount field is something along the lines of the following:
CK_TOKEN_INFO info; . . . if ((CK_LONG) info.ulMaxSessionCount == CK_UNAVAILABLE_INFORMATION) {
/* Token refuses to give value of ulMaxSessionCount */ . . . } else if (info.ulMaxSessionCount == CK_EFFECTIVELY_INFINITE) { /* Application can open as many sessions as it wants */ . . . } else { /* ulMaxSessionCount really does contain what it should */ . . . } CK_TOKEN_INFO_PTR is a pointer to a CK_TOKEN_INFO. |
|
Pointer to a CK_TOKEN_INFO. |
|
CK_SESSION_HANDLE; CK_SESSION_HANDLE_PTRCK_SESSION_HANDLE is a Cryptoki-assigned value that identifies a session. |
|
Pointer to a CK_SESSION_HANDLE. |
|
CK_USER_TYPECK_USER_TYPE holds the types of Cryptoki users described in Section 6.4.. |
|
CK_STATECK_STATE holds the session state, as described in Sections 6.6.1 and 6.6.2. It is defined as follows:. |
|
CK_SESSION_INFO; CK_SESSION_INFO_PTRCK_SESSION_INFO provides information about a session. It is defined as follows:
The following table defines the flags field:
Table 11, Session Information Flags
CK_SESSION_INFO_PTR is a pointer to a CK_SESSION_INFO. |
|
Pointer to a CK_SESSION_INFO. |
|
CK_OBJECT_HANDLE; CK_OBJECT_HANDLE_PTRCK_OBJECT_HANDLE is a token-specific identifier for an object. It is defined as follows: |
|
Pointer to a CK_OBJECT_HANDLE. |
|
CK_OBJECT_CLASS; CK_OBJECT_CLASS_PTRCK_OBJECT_CLASS is a value that identifies the classes (or types) of objects that Cryptoki recognizes. |
|
Pointer to a CK_OBJECT_CLASS. |
|
CK_HW_FEATURE_TYPECK_HW_FEATURE_TYPE is a value that identifies a hardware feature type of a device. |
|
CK_KEY_TYPECK_KEY_TYPE is a value that identifies a key type. It is defined as follows: |
|
CK_CERTIFICATE_TYPECK_CERTIFICATE_TYPE is a value that identifies a certificate type. |
|
CK_ATTRIBUTE_TYPECK_ATTRIBUTE_TYPE is a value that identifies an attribute type. It is defined as follows: |
|
CK_ATTRIBUTE; CK_ATTRIBUTE_PTRCK_ATTRIBUTE is a structure that includes the type, value, and length of an attribute.
If an attribute has no value, then ulValueLen = 0, and the value of pValue is irrelevant. An array of CK_ATTRIBUTEs is called a "template" and is used for creating, manipulating and searching for objects. The order of the attributes in a template never matters, even if the template contains vendor-specific attributes. Note that pValue is a "void" pointer, facilitating the passing of arbitrary values. Both the application and Cryptoki library must ensure that the pointer can be safely cast to the expected type (i.e., without word-alignment errors). CK_ATTRIBUTE_PTR is a pointer to a CK_ATTRIBUTE.
CK_DATECK_DATE is a structure that defines a date. It is defined as follows:
|
|
Pointer to a CK_ATTRIBUTE. |
|
CK_DATECK_DATE is a structure that defines a date. It is defined as follows:
The fields hold numeric characters from the character set in Table 3 , not the literal byte values. |
|
CK_MECHANISM_TYPE; CK_MECHANISM_TYPE_PTRCK_MECHANISM_TYPE is a value that identifies a mechanism type. It is defined as follows: |
|
Pointer to a CK_MECHANISM_TYPE. |
|
CK_MECHANISM; CK_MECHANISM_PTRCK_MECHANISM is a structure that specifies a particular mechanism and any parameters it requires.
Note that pParameter is a "void" pointer, facilitating the passing of arbitrary values. Both the application and the Cryptoki library must ensure that the pointer can be safely cast to the expected type (i.e., without word-alignment errors). CK_MECHANISM_PTR is a pointer to a CK_MECHANISM.
CK_MECHANISM_INFO; CK_MECHANISM_INFO_PTRCK_MECHANISM_INFO is a structure that provides information about a particular mechanism. It is defined as follows:
|
|
Pointer to a CK_MECHANISM. |
|
CK_MECHANISM_INFO; CK_MECHANISM_INFO_PTRCK_MECHANISM_INFO is a structure that provides information about a particular mechanism.
For some mechanisms, the ulMinKeySize and ulMaxKeySize fields have meaningless values. The following table defines the flags field:
Table 12, Mechanism Information Flags
CK_MECHANISM_INFO_PTR is a pointer to a CK_MECHANISM_INFO. |
|
Pointer to a CK_MECHANISM_INFO. |
|
CK_RVCK_RV is a value that identifies the return value of a Cryptoki function. |
|
CK_NOTIFYCK_NOTIFY is the type of a pointer to a function used by Cryptoki to perform notification callbacks. |
|
CK_FUNCTION_LIST; CK_FUNCTION_LIST_PTR; CK_FUNCTION_LIST_PTR_PTRCK_FUNCTION_LIST is a structure which contains a Cryptoki version and a function pointer to each function in the Cryptoki API. It is defined as follows: An application may or may not be able to modify a Cryptoki library's static CK_FUNCTION_LIST structure. Whether or not it can, it should never attempt to do so.CK_FUNCTION_LIST_PTR is a pointer to a CK_FUNCTION_LIST. CK_FUNCTION_LIST_PTR_PTR is a pointer to a CK_FUNCTION_LIST_PTR. |
|
Pointer to a CK_FUNCTION_LIST. |
|
Pointer to a CK_FUNCTION_LIST_PTR. |
|
CK_CREATEMUTEXCK_CREATEMUTEX is the type of a pointer to an application-supplied function which creates a new mutex object and returns a pointer to it. It is defined as follows: |
|
CK_DESTROYMUTEXCK_DESTROYMUTEX is the type of a pointer to an application-supplied function which destroys an existing mutex object. |
|
If a CK_LOCKMUTEX function is called on a mutex which is not locked, the calling thread obtains a lock on that mutex and returns.
|
|
CK_UNLOCKMUTEX is defined as follows:. |
|
CK_C_INITIALIZE_ARGS; CK_C_INITIALIZE_ARGS_PTRCK_C_INITIALIZE_ARGS is a structure containing the optional arguments for the C_Initialize function. For this version of Cryptoki, these optional arguments are all concerned with the way the library deals with threads. CK_C_INITIALIZE_ARGS is defined as follows:
The following table defines the flags field:
Table 13, C_Initialize Parameter Flags
CK_C_INITIALIZE_ARGS_PTR is a pointer to a CK_C_INITIALIZE_ARGS. |
|
Pointer to a CK_C_INITIALIZE_ARGS. |
|
CK_RSA_PKCS_MGF_TYPE; CK_RSA_PKCS_MGF_TYPE_PTRCK_RSA_PKCS_MGF_TYPE is used to indicate the Message Generation Function (MGF) applied to a message block when formatting a message block for the PKCS #1 OAEP encryption scheme. |
|
Pointer to a CK_RSA_PKCS_MGF_TYPE. |
|
CK_RSA_PKCS_OAEP_SOURCE_TYPE; CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTRCK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source of the encoding parameter when formatting a message block for the PKCS #1 OAEP encryption scheme. |
|
Pointer to a CK_RSA_PKCS_OAEP_SOURCE_TYPE. |
|
CK_RSA_PKCS_OAEP_PARAMS; CK_RSA_PKCS_OAEP_PARAMS_PTRCK_RSA_PKCS_OAEP_PARAMS is a structure that provides the parameters to the CKM_RSA_PKCS_OAEP mechanism. The structure is defined as follows:
CK_RSA_PKCS_OAEP_PARAMS_PTR is a pointer to a CK_RSA_PKCS_OAEP_PARAMS. |
|
Pointer to a CK_RSA_PKCS_OAEP_PARAMS. |
|
CK_KEA_DERIVE_PARAMS_PTR is a pointer to a CK_KEA_DERIVE_PARAMS. |
|
Pointer to a CK_KEA_DERIVE_PARAMS. |
|
CK_RC2_PARAMS; CK_RC2_PARAMS_PTRCK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and CKM_RC2_MAC mechanisms. It holds the effective number of bits in the RC2 search space. |
|
Pointer to a CK_RC2_PARAMS. |
|
CK_RC2_CBC_PARAMS; CK_RC2_CBC_PARAMS_PTRCK_RC2_CBC_PARAMS is a structure that provides the parameters to the CKM_RC2_CBC and CKM_RC2_CBC_PAD mechanisms. It is defined as follows:
CK_RC2_CBC_PARAMS_PTR is a pointer to a CK_RC2_CBC_PARAMS.
CK_RC2_MAC_GENERAL_PARAMS; CK_RC2_MAC_GENERAL_PARAMS_PTRCK_RC2_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC2_MAC_GENERAL mechanism. It is defined as follows:
|
|
Pointer to a CK_RC2_CBC_PARAMS. |
|
CK_RC2_MAC_GENERAL_PARAMS; CK_RC2_MAC_GENERAL_PARAMS_PTRCK_RC2_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC2_MAC_GENERAL mechanism. It is defined as follows:
CK_RC2_MAC_GENERAL_PARAMS_PTR is a pointer to a CK_RC2_MAC_GENERAL_PARAMS. |
|
Pointer to a CK_RC2_MAC_GENERAL_PARAMS. |
|
CK_RC5_PARAMS; CK_RC5_PARAMS_PTRCK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and CKM_RC5_MAC mechanisms.
CK_RC5_PARAMS_PTR is a pointer to a CK_RC5_PARAMS.
CK_RC5_CBC_PARAMS; CK_RC5_CBC_PARAMS_PTRCK_RC5_CBC_PARAMS is a structure that provides the parameters to the CKM_RC5_CBC and CKM_RC5_CBC_PAD mechanisms. It is defined as follows:
|
|
Pointer to a CK_RC5_PARAMS. |
|
CK_RC5_CBC_PARAMS; CK_RC5_CBC_PARAMS_PTRCK_RC5_CBC_PARAMS is a structure that provides the parameters to the CKM_RC5_CBC and CKM_RC5_CBC_PAD mechanisms. It is defined as follows:
CK_RC5_CBC_PARAMS_PTR is a pointer to a CK_RC5_CBC_PARAMS.
CK_RC5_MAC_GENERAL_PARAMS; CK_RC5_MAC_GENERAL_PARAMS_PTRCK_RC5_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC5_MAC_GENERAL mechanism. It is defined as follows:
|
|
Pointer to a CK_RC5_CBC_PARAMS. |
|
CK_RC5_MAC_GENERAL_PARAMS; CK_RC5_MAC_GENERAL_PARAMS_PTRCK_RC5_MAC_GENERAL_PARAMS is a structure that provides the parameters to the CKM_RC5_MAC_GENERAL mechanism. It is defined as follows:
CK_RC5_MAC_GENERAL_PARAMS_PTR is a pointer to a CK_RC5_MAC_GENERAL_PARAMS. |
|
Pointer to a CK_RC5_MAC_GENERAL_PARAMS. |
|
CK_MAC_GENERAL_PARAMS; CK_MAC_GENERAL_PARAMS_PTRCK_MAC_GENERAL_PARAMS provides the parameters to the general-length MACing mechanisms of the DES, DES3 (triple-DES), CAST, CAST3, CAST128 (CAST5), IDEA, and CDMF ciphers. It holds the length of the MAC that these mechanisms will produce. |
|
Pointer to a CK_MAC_GENERAL_PARAMS. |
|
CK_SKIPJACK_PRIVATE_WRAP_PARAMS; CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTRCK_SKIPJACK_PRIVATE_WRAP_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_PRIVATE_WRAP mechanism. It is defined as follows:
CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR is a pointer to a CK_PRIVATE_WRAP_PARAMS.
CK_SKIPJACK_RELAYX_PARAMS; CK_SKIPJACK_RELAYX_PARAMS_PTRCK_SKIPJACK_RELAYX_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_RELAYX mechanism. It is defined as follows:
|
|
Pointer to a CK_PRIVATE_WRAP_PARAMS. |
|
CK_SKIPJACK_RELAYX_PARAMS; CK_SKIPJACK_RELAYX_PARAMS_PTRCK_SKIPJACK_RELAYX_PARAMS is a structure that provides the parameters to the CKM_SKIPJACK_RELAYX mechanism. It is defined as follows:
CK_SKIPJACK_RELAYX_PARAMS_PTR is a pointer to a CK_SKIPJACK_RELAYX_PARAMS. |
|
Pointer to a CK_SKIPJACK_RELAYX_PARAMS. |
|
CK_PBE_PARAMS; CK_PBE_PARAMS_PTRCK_PBE_PARAMS is a structure which provides all of the necessary information required by the CKM_PBE mechanisms (see PKCS #5 and PKCS #12 for information on the PBE generation mechanisms) and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.
CK_PBE_PARAMS_PTR is a pointer to a CK_PBE_PARAMS. |
|
Pointer to a CK_PBE_PARAMS. |
|
Pointer to a CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE. |
|
CK_PKCS5_PBKD2_SALT_SOURCE_TYPE; CK_PKCS5_PBKD2_SALT_SOURCE_TYPE_PTRCK_PKCS5_PBKD2_SALT_SOURCE_TYPE is used to indicate the source of the salt value when deriving a key using PKCS #5 PBKDF2. It is defined as follows: |
|
Pointer to a CK_PKCS5_PBKD2_SALT_SOURCE_TYPE. |
|
CK_PKCS5_PBKD2_PARAMS; CK_PKCS5_PBKD2_PARAMS_PTRCK_PKCS5_PBKD2_PARAMS is a structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism. The structure is defined as follows:
CK_PKCS5_PBKD2_PARAMS_PTR is a pointer to a CK_PKCS5_PBKD2_PARAMS. |
|
Pointer to a CK_PKCS5_PBKD2_PARAMS. |
|
CK_KEY_WRAP_SET_OAEP_PARAMS; CK_KEY_WRAP_SET_OAEP_PARAMS_PTRCK_KEY_WRAP_SET_OAEP_PARAMS is a structure that provides the parameters to the CKM_KEY_WRAP_SET_OAEP mechanism. It is defined as follows:
CK_KEY_WRAP_SET_OAEP_PARAMS_PTR is a pointer to a CK_KEY_WRAP_SET_OAEP_PARAMS. |
|
Pointer to a CK_KEY_WRAP_SET_OAEP_PARAMS. |
|
CK_SSL3_RANDOM_DATACK_SSL3_RANDOM_DATA is a structure which provides information about the random data of a client and a server in an SSL context. This structure is used by both the CKM_SSL3_MASTER_KEY_DERIVE and the CKM_SSL3_KEY_AND_MAC_DERIVE mechanisms.
CK_SSL3_MASTER_KEY_DERIVE_PARAMS is a structure that provides the parameters to the CKM_SSL3_MASTER_KEY_DERIVE mechanism. It is defined as follows:
|
|
CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR is a pointer to a CK_SSL3_MASTER_KEY_DERIVE_PARAMS.
CK_SSL3_KEY_MAT_OUT; CK_SSL3_KEY_MAT_OUT_PTRCK_SSL3_KEY_MAT_OUT is a structure that contains the resulting key handles and initialization vectors after performing a C_DeriveKey function with the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. It is defined as follows:
|
|
Pointer to a CK_SSL3_MASTER_KEY_DERIVE_PARAMS. |
|
CK_SSL3_KEY_MAT_OUT; CK_SSL3_KEY_MAT_OUT_PTRCK_SSL3_KEY_MAT_OUT is a structure that contains the resulting key handles and initialization vectors after performing a C_DeriveKey function with the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. It is defined as follows:
CK_SSL3_KEY_MAT_OUT_PTR is a pointer to a CK_SSL3_KEY_MAT_OUT.
CK_SSL3_KEY_MAT_PARAMS; CK_SSL3_KEY_MAT_PARAMS_PTRCK_SSL3_KEY_MAT_PARAMS is a structure that provides the parameters to the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. It is defined as follows:
|
|
Pointer to a CK_SSL3_KEY_MAT_OUT. |
|
CK_SSL3_KEY_MAT_PARAMS; CK_SSL3_KEY_MAT_PARAMS_PTRCK_SSL3_KEY_MAT_PARAMS is a structure that provides the parameters to the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism. It is defined as follows:
CK_SSL3_KEY_MAT_PARAMS_PTR is a pointer to a CK_SSL3_KEY_MAT_PARAMS. |
|
Pointer to a CK_SSL3_KEY_MAT_PARAMS. |
|
CK_KEY_DERIVATION_STRING_DATA; CK_KEY_DERIVATION_STRING_DATA_PTR.
CK_EXTRACT_PARAMS; CK_EXTRACT_PARAMS_PTRCK_KEY_EXTRACT_PARAMS provides the parameter to the CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit of the base key should be used as the first bit of the derived key. It is defined as follows:
typedef CK_ULONG CK_EXTRACT_PARAMS; CK_EXTRACT_PARAMS_PTR is a pointer to a CK_EXTRACT_PARAMS. |
|
CK_EXTRACT_PARAMS; CK_EXTRACT_PARAMS_PTRCK_KEY_EXTRACT_PARAMS provides the parameter to the CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit of the base key should be used as the first bit of the derived key. It is defined as follows: |
|
Pointer to a CK_EXTRACT_PARAMS. |
|
C_Initialize initializes the Cryptoki library.
If the CKF_LIBRARY_CANT_CREATE_OS_THREADS flag in the flags field is set, that indicates that application threads which are executing calls to the Cryptoki library are not permitted to use the native operation system calls to spawn off new threads. In other words, the library's code may not create its own threads. If the library is unable to function properly under this restriction, C_Initialize should return with the value CKR_NEED_TO_CREATE_THREADS. A call to C_Initialize specifies one of four different ways to support multi-threaded access via the value of the CKF_OS_LOCKING_OK flag in the flags field and the values of the CreateMutex, DestroyMutex, LockMutex, and UnlockMutex function pointer fields:
A call to C_Initialize with pInitArgs set to NULL_PTR is treated like a call to C_Initialize with pInitArgs pointing to a CK_C_INITIALIZE_ARGS which has the CreateMutex, DestroyMutex, LockMutex, UnlockMutex, and pReserved fields set to NULL_PTR, and has the flags field set to 0. C_Initialize should be the first Cryptoki call made by an application, except for calls to C_GetFunctionList. What this function actually does is implementation-dependent; typically, it might cause Cryptoki to initialize its internal memory buffers, or any other resources it requires. If several applications are using Cryptoki, each one should call C_Initialize. Every call to C_Initialize should (eventually) be succeeded by a single call to C_Finalize. See Section 6.5 for more details.
|
|
C_Finalize is called to indicate that an application is finished with the Cryptoki library. It should be the last Cryptoki call made by an application.
''Despite the fact that the parameters supplied to C_Initialize can in general allow for safe multi-threaded access to a Cryptoki library, the behavior of C_Finalize is nevertheless undefined if it is called by an application while other threads of the application are making Cryptoki calls. The exception to this exceptional behavior of C_Finalize occurs when a thread calls C_Finalize while another of the application's threads is blocking on Cryptoki's C_WaitForSlotEvent function. When this happens, the blocked thread becomes unblocked and returns the value CKR_CRYPTOKI_NOT_INITIALIZED.@see C_WaitForSlotEvent for more information.''
|
|
C_GetInfo returns general information about Cryptoki.
CK_INFO info; CK_RV rv; CK_C_INITIALIZE_ARGS InitArgs; InitArgs.CreateMutex = &MyCreateMutex; InitArgs.DestroyMutex = &MyDestroyMutex; InitArgs.LockMutex = &MyLockMutex; InitArgs.UnlockMutex = &MyUnlockMutex; InitArgs.flags = CKF_OS_LOCKING_OK; InitArgs.pReserved = NULL_PTR; rv = C_Initialize((CK_VOID_PTR)&InitArgs); assert(rv == CKR_OK); rv = C_GetInfo(&info); assert(rv == CKR_OK); if(info.version.major == 2) { /* Do lots of interesting cryptographic things with the token */ . . . } rv = C_Finalize(NULL_PTR); assert(rv == CKR_OK); |
|
C_GetFunctionList obtains a pointer to the Cryptoki library's list of function pointers.
CK_FUNCTION_LIST_PTR pFunctionList; CK_C_Initialize pC_Initialize; CK_RV rv; /* It's OK to call C_GetFunctionList before calling C_Initialize */ rv = C_GetFunctionList(&pFunctionList); assert(rv == CKR_OK); pC_Initialize = pFunctionList -> C_Initialize; /* Call the C_Initialize function in the library */ rv = (*pC_Initialize)(NULL_PTR); |
|
C_GetSlotList is used to obtain a list of slots in the system.
All slots which C_GetSlotList reports must be able to be queried as valid slots by C_GetSlotInfo. Furthermore, the set of slots accessible through a Cryptoki library is fixed at the time that C_Initialize is called. If an application calls C_Initialize and C_GetSlotList, and then the user hooks up a new hardware device, that device cannot suddenly appear as a new slot if C_GetSlotList is called again. To recognize the new device, C_Initialize needs to be called again (and to be able to call C_Initialize successfully, C_Finalize needs to be called first). Even if C_Initialize is successfully called, it may or may not be the case that the new device will then be successfully recognized. On some platforms, it may be necessary to restart the entire system.
CK_ULONG ulSlotCount, ulSlotWithTokenCount; CK_SLOT_ID_PTR pSlotList, pSlotWithTokenList; CK_RV rv; /* Get list of all slots */ rv = C_GetSlotList(FALSE, NULL_PTR, &ulSlotCount); if (rv == CKR_OK) { pSlotList = (CK_SLOT_ID_PTR) malloc(ulSlotCount*sizeof(CK_SLOT_ID)); rv = C_GetSlotList(FALSE, pSlotList, &ulSlotCount); if (rv == CKR_OK) { /* Now use that list of all slots */ . . . } free(pSlotList); } /* Get list of all slots with a token present */ pSlotWithTokenList = (CK_SLOT_ID_PTR) malloc(0); ulSlotWithTokenCount = 0; while (1) { rv = C_GetSlotList( TRUE, pSlotWithTokenList, ulSlotWithTokenCount); if (rv != CKR_BUFFER_TOO_SMALL) break; pSlotWithTokenList = realloc( pSlotWithTokenList, ulSlotWithTokenList*sizeof(CK_SLOT_ID)); } if (rv == CKR_OK) { /* Now use that list of all slots with a token present */ . . . } free(pSlotWithTokenList); |
|
C_GetSlotInfo obtains information about a particular slot in the system.
|
|
C_GetTokenInfo obtains information about a particular token in the system.
CK_ULONG ulCount; CK_SLOT_ID_PTR pSlotList; CK_SLOT_INFO slotInfo; CK_TOKEN_INFO tokenInfo; CK_RV rv; rv = C_GetSlotList(FALSE, NULL_PTR, &ulCount); if ((rv == CKR_OK) && (ulCount > 0)) { pSlotList = (CK_SLOT_ID_PTR) malloc(ulCount*sizeof(CK_SLOT_ID)); rv = C_GetSlotList(FALSE, pSlotList, &ulCount); assert(rv == CKR_OK); /* Get slot information for first slot */ rv = C_GetSlotInfo(pSlotList[0], &slotInfo); assert(rv == CKR_OK); /* Get token information for first slot */ rv = C_GetTokenInfo(pSlotList[0], &tokenInfo); if (rv == CKR_TOKEN_NOT_PRESENT) { . . . } . . . free(pSlotList); } |
|
C_WaitForSlotEvent waits for a slot event, such as token insertion or token removal, to occur.
#define CKF_DONT_BLOCK 1 Internally, each Cryptoki application has a flag for each slot which is used to track whether or not any unrecognized events involving that slot have occurred. When an application initially calls C_Initialize, every slot's event flag is cleared. Whenever a slot event occurs, the flag corresponding to the slot in which the event occurred is set. If C_WaitForSlotEvent is called with the CKF_DONT_BLOCK flag set in the flags argument, and some slot's event flag is set, then that event flag is cleared, and the call returns with the ID of that slot in the location pointed to by pSlot. If more than one slot's event flag is set at the time of the call, one such slot is chosen by the library to have its event flag cleared and to have its slot ID returned. If C_WaitForSlotEvent is called with the CKF_DONT_BLOCK flag set in the flags argument, and no slot's event flag is set, then the call returns with the value CKR_NO_EVENT. In this case, the contents of the location pointed to by pSlot when C_WaitForSlotEvent are undefined. If C_WaitForSlotEvent is called with the CKF_DONT_BLOCK flag clear in the flags argument, then the call behaves as above, except that it will block. That is, if no slot's event flag is set at the time of the call, C_WaitForSlotEvent will wait until some slot's event flag becomes set. If a thread of an application has a C_WaitForSlotEvent call blocking when another thread of that application calls C_Finalize, the C_WaitForSlotEvent call returns with the value CKR_CRYPTOKI_NOT_INITIALIZED. Although the parameters supplied to C_Initialize can in general allow for safe multi-threaded access to a Cryptoki library, C_WaitForSlotEvent is exceptional in that the behavior of Cryptoki is undefined if multiple threads of a single application make simultaneous calls to C_WaitForSlotEvent.
CK_FLAGS flags = 0; CK_SLOT_ID slotID; CK_SLOT_INFO slotInfo; . . . /* Block and wait for a slot event */ rv = C_WaitForSlotEvent(flags, &slotID, NULL_PTR); assert(rv == CKR_OK); /* See what's up with that slot */ rv = C_GetSlotInfo(slotID, &slotInfo); assert(rv == CKR_OK); . . . |
|
C_GetMechanismList is used to obtain a list of mechanism types supported by a token.
CK_SLOT_ID slotID; CK_ULONG ulCount; CK_MECHANISM_TYPE_PTR pMechanismList; CK_RV rv; . . . rv = C_GetMechanismList(slotID, NULL_PTR, &ulCount); if ((rv == CKR_OK) && (ulCount > 0)) { pMechanismList = (CK_MECHANISM_TYPE_PTR) malloc(ulCount*sizeof(CK_MECHANISM_TYPE)); rv = C_GetMechanismList(slotID, pMechanismList, &ulCount); if (rv == CKR_OK) { . . . } free(pMechanismList); } |
|
C_GetMechanismInfo obtains information about a particular mechanism possibly supported by a token.
CK_SLOT_ID slotID; CK_MECHANISM_INFO info; CK_RV rv; . . . /* Get information about the CKM_MD2 mechanism for this token */ rv = C_GetMechanismInfo(slotID, CKM_MD2, &info); if (rv == CKR_OK) { if (info.flags & CKF_DIGEST) { . . . } } |
|
C_InitToken initializes a token.
When a token is initialized, all objects that can be destroyed are destroyed (i.e., all except for "indestructible" objects such as keys built into the token). Also, access by the normal user is disabled until the SO sets the normal user's PIN. Depending on the token, some "default" objects may be created, and attributes of some objects may be set to default values. If the token has a "protected authentication path", as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. To initialize a token with such a protected authentication path, the pPin parameter to C_InitToken should be NULL_PTR. During the execution of C_InitToken, the SO's PIN will be entered through the protected authentication path. If the token has a protected authentication path other than a PINpad, then it is token-dependent whether or not C_InitToken can be used to initialize the token. A token cannot be initialized if Cryptoki detects that any application has an open session with it; when a call to C_InitToken is made under such circumstances, the call fails with error CKR_SESSION_EXISTS. Unfortunately, it may happen when C_InitToken is called that some other application does have an open session with the token, but Cryptoki cannot detect this, because it cannot detect anything about other applications using the token. If this is the case, then the consequences of the C_InitToken call are undefined. The C_InitToken function may not be sufficient to properly initialize complex tokens. In these situations, an initialization mechanism outside the scope of Cryptoki must be employed. The definition of "complex token" is product specific.
CK_SLOT_ID slotID; CK_CHAR_PTR pin = "MyPIN"; CK_UTF8CHAR label[32]; CK_RV rv; . . . memset(label, ' ', sizeof(label)); memcpy(label, "My first token", strlen("My first token")); rv = C_InitToken(slotID, pin, strlen(pin), label); if (rv == CKR_OK) { . . . } |
|
C_InitPIN initializes the normal user's PIN.
If the token has a "protected authentication path", as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. To initialize the normal user's PIN on a token with such a protected authentication path, the pPin parameter to C_InitPIN should be NULL_PTR. During the execution of C_InitPIN, the SO will enter the new PIN through the protected authentication path. If the token has a protected authentication path other than a PINpad, then it is token-dependent whether or not C_InitPIN can be used to initialize the normal user's token access.
CK_SESSION_HANDLE hSession; CK_CHAR newPin[]= {"NewPIN"}; CK_RV rv; rv = C_InitPIN(hSession, newPin, sizeof(newPin)); if (rv == CKR_OK) { . . . } |
|
C_SetPIN modifies the PIN of the user that is currently logged in.
If the token has a "protected authentication path", as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. To modify the current user's PIN on a token with such a protected authentication path, the pOldPin and pNewPin parameters to C_SetPIN should be NULL_PTR. During the execution of C_SetPIN, the current user will enter the old PIN and the new PIN through the protected authentication path. It is not specified how the PINpad should be used to enter two PINs; this varies. If the token has a protected authentication path other than a PINpad, then it is token-dependent whether or not C_SetPIN can be used to modify the current user's PIN.
|
|
C_OpenSession opens a session between an application and a token in a particular slot.
There may be a limit on the number of concurrent sessions an application may have with the token, which may depend on whether the session is "read-only" or "read/write". An attempt to open a session which does not succeed because there are too many existing sessions of some type should return CKR_SESSION_COUNT. If the token is write-protected (as indicated in the CK_TOKEN_INFO structure), then only read-only sessions may be opened with it. If the application calling C_OpenSession already has a R/W SO session open with the token, then any attempt to open a R/O session with the token fails with error code CKR_SESSION_READ_WRITE_SO_EXISTS (see Section 6.6.7). The Notify callback function is used by Cryptoki to notify the application of certain events. If the application does not wish to support callbacks, it should pass a value of NULL_PTR as the Notify parameter. See Section 11.17 for more information about application callbacks.
|
|
C_CloseSession closes a session between an application and a token.
If this function is successful and it closes the last session between the application and the token, the login state of the token for the application returns to public sessions. Any new sessions to the token opened by the application will be either R/O Public or R/W Public sessions. Depending on the token, when the last open session any application has with the token is closed, the token may be "ejected" from its reader (if this capability exists). Despite the fact this C_CloseSession is supposed to close a session, the return value CKR_SESSION_CLOSED is an error return. It actually indicates the (probably somewhat unlikely) event that while this function call was executing, another call was made to C_CloseSession to close this particular session, and that call finished executing first. Such uses of sessions are a bad idea, and Cryptoki makes little promise of what will occur in general if an application indulges in this sort of behavior.
CK_SLOT_ID slotID; CK_BYTE application; CK_NOTIFY MyNotify; CK_SESSION_HANDLE hSession; CK_RV rv; . . . application = 17; MyNotify = &EncryptionSessionCallback; rv = C_OpenSession( slotID, CKF_RW_SESSION,(CK_VOID_PTR) &application, MyNotify, &hSession); if (rv == CKR_OK) { . . . C_CloseSession(hSession); } |
|
C_CloseAllSessions closes all sessions an application has with a token.
After successful execution of this function, the login state of the token for the application returns to public sessions. Any new sessions to the token opened by the application will be either R/O Public or R/W Public sessions. Depending on the token, when the last open session any application has with the token is closed, the token may be "ejected" from its reader (if this capability exists).
CK_SLOT_ID slotID; CK_RV rv; . . . rv = C_CloseAllSessions(slotID); |
|
C_GetSessionInfo obtains information about a session.
CK_SESSION_HANDLE hSession; CK_SESSION_INFO info; CK_RV rv; . . . rv = C_GetSessionInfo(hSession, &info); if (rv == CKR_OK) { if (info.state == CKS_RW_USER_FUNCTIONS) { . . . } . . . } |
|
C_GetOperationState obtains a copy of the cryptographic operations state of a session, encoded as a string of bytes.
Precisely what the "cryptographic operations state" this function saves is varies from token to token; however, this state is what is provided as input to C_SetOperationState to restore the cryptographic activities of a session. Consider a session which is performing a message digest operation using SHA-1 (i.e., the session is using the CKM_SHA_1 mechanism). Suppose that the message digest operation was initialized properly, and that precisely 80 bytes of data have been supplied so far as input to SHA-1. The application now wants to "save the state" of this digest operation, so that it can continue it later. In this particular case, since SHA-1 processes 512 bits (64 bytes) of input at a time, the cryptographic operations state of the session most likely consists of three distinct parts: the state of SHA-1's 160-bit internal chaining variable; the 16 bytes of unprocessed input data; and some administrative data indicating that this saved state comes from a session which was performing SHA-1 hashing. Taken together, these three pieces of information suffice to continue the current hashing operation at a later time. Consider next a session which is performing an encryption operation with DES (a block cipher with a block size of 64 bits) in CBC (cipher-block chaining) mode (i.e., the session is using the CKM_DES_CBC mechanism). Suppose that precisely 22 bytes of data (in addition to an IV for the CBC mode) have been supplied so far as input to DES, which means that the first two 8-byte blocks of ciphertext have already been produced and output. In this case, the cryptographic operations state of the session most likely consists of three or four distinct parts: the second 8-byte block of ciphertext (this will be used for cipher-block chaining to produce the next block of ciphertext); the 6 bytes of data still awaiting encryption; some administrative data indicating that this saved state comes from a session which was performing DES encryption in CBC mode; and possibly the DES key being used for encryption (see C_SetOperationState for more information on whether or not the key is present in the saved state). If a session is performing two cryptographic operations simultaneously (see Section 11.13), then the cryptographic operations state of the session will contain all the necessary information to restore both operations. An attempt to save the cryptographic operations state of a session which does not currently have some active saveable cryptographic operation(s) (encryption, decryption, digesting, signing without message recovery, verification without message recovery, or some legal combination of two of these) should fail with the error CKR_OPERATION_NOT_INITIALIZED. An attempt to save the cryptographic operations state of a session which is performing an appropriate cryptographic operation (or two), but which cannot be satisfied for any of various reasons (certain necessary state information and/or key information can't leave the token, for example) should fail with the error CKR_STATE_UNSAVEABLE.
|
|
C_SetOperationState restores the cryptographic operations state of a session from a string of bytes obtained with C_GetOperationState.
If C_SetOperationState is supplied with alleged saved cryptographic operations state which it can determine is not valid saved state (or is cryptographic operations state from a session with a different session state, or is cryptographic operations state from a different token), it fails with the error CKR_SAVED_STATE_INVALID. Saved state obtained from calls to C_GetOperationState may or may not contain information about keys in use for ongoing cryptographic operations. If a saved cryptographic operations state has an ongoing encryption or decryption operation, and the key in use for the operation is not saved in the state, then it must be supplied to C_SetOperationState in the hEncryptionKey argument. If it is not, then C_SetOperationState will fail and return the error CKR_KEY_NEEDED. If the key in use for the operation is saved in the state, then it can be supplied in the hEncryptionKey argument, but this is not required. Similarly, if a saved cryptographic operations state has an ongoing signature, MACing, or verification operation, and the key in use for the operation is not saved in the state, then it must be supplied to C_SetOperationState in the hAuthenticationKey argument. If it is not, then C_SetOperationState will fail with the error CKR_KEY_NEEDED. If the key in use for the operation is saved in the state, then it can be supplied in the hAuthenticationKey argument, but this is not required. If an irrelevant key is supplied to C_SetOperationState call (e.g., a nonzero key handle is submitted in the hEncryptionKey argument, but the saved cryptographic operations state supplied does not have an ongoing encryption or decryption operation, then C_SetOperationState fails with the error CKR_KEY_NOT_NEEDED. If a key is supplied as an argument to C_SetOperationState, and C_SetOperationState can somehow detect that this key was not the key being used in the source session for the supplied cryptographic operations state (it may be able to detect this if the key or a hash of the key is present in the saved state, for example), then C_SetOperationState fails with the error CKR_KEY_CHANGED. An application can look at the CKF_RESTORE_KEY_NOT_NEEDED flag in the flags field of the CK_TOKEN_INFO field for a token to determine whether or not it needs to supply key handles to C_SetOperationState calls. If this flag is TRUE, then a call to C_SetOperationState never needs a key handle to be supplied to it. If this flag is FALSE, then at least some of the time, C_SetOperationState requires a key handle, and so the application should probably always pass in any relevant key handles when restoring cryptographic operations state to a session. C_SetOperationState can successfully restore cryptographic operations state to a session even if that session has active cryptographic or object search operations when C_SetOperationState is called (the ongoing operations are abruptly cancelled).
CK_SESSION_HANDLE hSession; CK_MECHANISM digestMechanism; CK_ULONG ulStateLen; CK_BYTE data1[] = {0x01, 0x03, 0x05, 0x07}; CK_BYTE data2[] = {0x02, 0x04, 0x08}; CK_BYTE data3[] = {0x10, 0x0F, 0x0E, 0x0D, 0x0C}; CK_BYTE pDigest[20]; CK_ULONG ulDigestLen; CK_RV rv; . . . /* Initialize hash operation */ rv = C_DigestInit(hSession, &digestMechanism); assert(rv == CKR_OK); /* Start hashing */ rv = C_DigestUpdate(hSession, data1, sizeof(data1)); assert(rv == CKR_OK); /* Find out how big the state might be */ rv = C_GetOperationState(hSession, NULL_PTR, &ulStateLen); assert(rv == CKR_OK); /* Allocate some memory and then get the state */ pState = (CK_BYTE_PTR) malloc(ulStateLen); rv = C_GetOperationState(hSession, pState, &ulStateLen); /* Continue hashing */ rv = C_DigestUpdate(hSession, data2, sizeof(data2)); assert(rv == CKR_OK); /* Restore state. No key handles needed */ rv = C_SetOperationState(hSession, pState, ulStateLen, 0, 0); assert(rv == CKR_OK); /* Continue hashing from where we saved state */ rv = C_DigestUpdate(hSession, data3, sizeof(data3)); assert(rv == CKR_OK); /* Conclude hashing operation */ ulDigestLen = sizeof(pDigest); rv = C_DigestFinal(hSession, pDigest, &ulDigestLen); if (rv == CKR_OK) { /* pDigest[] now contains the hash of 0x01030507100F0E0D0C */ . . . } |
|
C_Login logs a user into a token.
If the token has a "protected authentication path", as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. Or the user might not even use a PIN"authentication could be achieved by some fingerprint-reading device, for example. To log into a token with a protected authentication path, the pPin parameter to C_Login should be NULL_PTR. When C_Login returns, whatever authentication method supported by the token will have been performed; a return value of CKR_OK means that the user was successfully authenticated, and a return value of CKR_PIN_INCORRECT means that the user was denied access. If there are any active cryptographic or object finding operations in an application's session, and then C_Login is successfully executed by that application, it may or may not be the case that those operations are still active. Therefore, before logging in, any active operations should be finished. If the application calling C_Login has a R/O session open with the token, then it will be unable to log the SO into a session (see Section 6.6.7). An attempt to do this will result in the error code CKR_SESSION_READ_ONLY_EXISTS.
|
|
C_Logout logs a user out from a token.
When C_Logout successfully executes, any of the application's handles to private objects become invalid (even if a user is later logged back into the token, those handles remain invalid). In addition, all private session objects from sessions belonging to the application are destroyed. If there are any active cryptographic or object-finding operations in an application's session, and then C_Logout is successfully executed by that application, it may or may not be the case that those operations are still active. Therefore, before logging out, any active operations should be finished.
|
|
C_CreateObject creates a new object.
If C_CreateObject is used to create a key object, the key object will have its CKA_LOCAL attribute set to FALSE. Only session objects can be created during a read-only session. Only public objects can be created unless the normal user is logged in.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hData, hCertificate, hKey; CK_OBJECT_CLASS dataClass = CKO_DATA, certificateClass = CKO_CERTIFICATE, keyClass = CKO_PUBLIC_KEY; CK_KEY_TYPE keyType = CKK_RSA; CK_CHAR application[] = {"My Application"}; CK_BYTE dataValue[] = {...}; CK_BYTE subject[] = {...}; CK_BYTE id[] = {...}; CK_BYTE certificateValue[] = {...}; CK_BYTE modulus[] = {...}; CK_BYTE exponent[] = {...}; CK_BYTE true = TRUE; CK_ATTRIBUTE dataTemplate[] = { {CKA_CLASS, &dataClass, sizeof(dataClass)}, {CKA_TOKEN, &true, sizeof(true)}, {CKA_APPLICATION, application, sizeof(application)}, {CKA_VALUE, dataValue, sizeof(dataValue)} }; CK_ATTRIBUTE certificateTemplate[] = { {CKA_CLASS, &certificateClass, sizeof(certificateClass)}, {CKA_TOKEN, &true, sizeof(true)}, {CKA_SUBJECT, subject, sizeof(subject)}, {CKA_ID, id, sizeof(id)}, {CKA_VALUE, certificateValue, sizeof(certificateValue)} }; CK_ATTRIBUTE keyTemplate[] = { {CKA_CLASS, &keyClass, sizeof(keyClass)}, {CKA_KEY_TYPE, &keyType, sizeof(keyType)}, {CKA_WRAP, &true, sizeof(true)}, {CKA_MODULUS, modulus, sizeof(modulus)}, {CKA_PUBLIC_EXPONENT, exponent, sizeof(exponent)} }; CK_RV rv; . . . /* Create a data object */ rv = C_CreateObject(hSession, &dataTemplate, 4, &hData); if (rv == CKR_OK) { . . . } /* Create a certificate object */ rv = C_CreateObject( hSession, &certificateTemplate, 5, &hCertificate); if (rv == CKR_OK) { . . . } /* Create an RSA public key object */ rv = C_CreateObject(hSession, &keyTemplate, 5, &hKey); if (rv == CKR_OK) { . . . } |
|
C_CopyObject copies an object, creating a new object for the copy.
If a call to C_CopyObject cannot support the precise template supplied to it, it will fail and return without creating any object. Only session objects can be created during a read-only session. Only public objects can be created unless the normal user is logged in.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey, hNewKey; CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; CK_KEY_TYPE keyType = CKK_DES; CK_BYTE id[] = {...}; CK_BYTE keyValue[] = {...}; CK_BYTE false = FALSE; CK_BYTE true = TRUE; CK_ATTRIBUTE keyTemplate[] = { {CKA_CLASS, &keyClass, sizeof(keyClass)}, {CKA_KEY_TYPE, &keyType, sizeof(keyType)}, {CKA_TOKEN, &false, sizeof(false)}, {CKA_ID, id, sizeof(id)}, {CKA_VALUE, keyValue, sizeof(keyValue)} }; CK_ATTRIBUTE copyTemplate[] = { {CKA_TOKEN, &true, sizeof(true)} }; CK_RV rv; . . . /* Create a DES secret key session object */ rv = C_CreateObject(hSession, &keyTemplate, 5, &hKey); if (rv == CKR_OK) { /* Create a copy which is a token object */ rv = C_CopyObject(hSession, hKey, ©Template, 1, &hNewKey); . . . } |
|
C_DestroyObject destroys an object.
|
|
C_GetObjectSize gets the size of an object in bytes.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hObject; CK_OBJECT_CLASS dataClass = CKO_DATA; CK_CHAR application[] = {"My Application"}; CK_BYTE dataValue[] = {...}; CK_BYTE value[] = {...}; CK_BYTE true = TRUE; CK_ATTRIBUTE template[] = { {CKA_CLASS, &dataClass, sizeof(dataClass)}, {CKA_TOKEN, &true, sizeof(true)}, {CKA_APPLICATION, application, sizeof(application)}, {CKA_VALUE, value, sizeof(value)} }; CK_ULONG ulSize; CK_RV rv; . . . rv = C_CreateObject(hSession, &template, 4, &hObject); if (rv == CKR_OK) { rv = C_GetObjectSize(hSession, hObject, &ulSize); if (rv != CKR_INFORMATION_SENSITIVE) { . . . } rv = C_DestroyObject(hSession, hObject); . . . } |
|
C_GetAttributeValue obtains the value of one or more attributes of an object.
Note that the error codes CKR_ATTRIBUTE_SENSITIVE, CKR_ATTRIBUTE_TYPE_INVALID, and CKR_BUFFER_TOO_SMALL do not denote true errors for C_GetAttributeValue. If a call to C_GetAttributeValue returns any of these three values, then the call must nonetheless have processed every attribute in the template supplied to C_GetAttributeValue. Each attribute in the template whose value can be returned by the call to C_GetAttributeValue will be returned by the call to C_GetAttributeValue.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hObject; CK_BYTE_PTR pModulus, pExponent; CK_ATTRIBUTE template[] = { {CKA_MODULUS, NULL_PTR, 0}, {CKA_PUBLIC_EXPONENT, NULL_PTR, 0} }; CK_RV rv; . . . rv = C_GetAttributeValue(hSession, hObject, &template, 2); if (rv == CKR_OK) { pModulus = (CK_BYTE_PTR) malloc(template[0].ulValueLen); template[0].pValue = pModulus; /* template[0].ulValueLen was set by C_GetAttributeValue */ pExponent = (CK_BYTE_PTR) malloc(template[1].ulValueLen); template[1].pValue = pExponent; /* template[1].ulValueLen was set by C_GetAttributeValue */ rv = C_GetAttributeValue(hSession, hObject, &template, 2); if (rv == CKR_OK) { . . . } free(pModulus); free(pExponent); } |
|
C_SetAttributeValue modifies the value of one or more attributes of an object.
The template may specify new values for any attributes of the object that can be modified. If the template specifies a value of an attribute which is incompatible with other existing attributes of the object, the call fails with the return code CKR_TEMPLATE_INCONSISTENT. Not all attributes can be modified; see Section 9.7 for more details.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hObject; CK_UTF8CHAR label[] = {"New label"}; CK_ATTRIBUTE template[] = { CKA_LABEL, label, sizeof(label)-1 }; CK_RV rv; . . . rv = C_SetAttributeValue(hSession, hObject, &template, 1); if (rv == CKR_OK) { . . . } |
|
C_FindObjectsInit initializes a search for token and session objects that match a template.
The object search operation will only find objects that the session can view. For example, an object search in an "R/W Public Session" will not find any private objects (even if one of the attributes in the search template specifies that the search is for private objects). If a search operation is active, and objects are created or destroyed which fit the search template for the active search operation, then those objects may or may not be found by the search operation. Note that this means that, under these circumstances, the search operation may return invalid object handles. Even though C_FindObjectsInit can return the values CKR_ATTRIBUTE_TYPE_INVALID and CKR_ATTRIBUTE_VALUE_INVALID, it is not required to. For example, if it is given a search template with nonexistent attributes in it, it can return CKR_ATTRIBUTE_TYPE_INVALID, or it can initialize a search operation which will match no objects and return CKR_OK.
|
|
C_FindObjects continues a search for token and session objects that match a template, obtaining additional object handles.
The search must have been initialized with C_FindObjectsInit.
|
|
C_FindObjectsFinal terminates a search for token and session objects.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hObject; CK_ULONG ulObjectCount; CK_RV rv; . . . rv = C_FindObjectsInit(hSession, NULL_PTR, 0); assert(rv == CKR_OK); while (1) { rv = C_FindObjects(hSession, &hObject, 1, &ulObjectCount); if (rv != CKR_OK || ulObjectCount == 0) break; . . . } rv = C_FindObjectsFinal(hSession); assert(rv == CKR_OK); |
|
C_EncryptInit initializes an encryption operation.
After calling C_EncryptInit, the application can either call C_Encrypt to encrypt data in a single part; or call C_EncryptUpdate zero or more times, followed by C_EncryptFinal, to encrypt data in multiple parts. The encryption operation is active until the application uses a call to C_Encrypt or C_EncryptFinal to actually obtain the final piece of ciphertext. To process additional data (in single or multiple parts), the application must call C_EncryptInit again.
|
|
C_Encrypt encrypts single-part data.
The encryption operation must have been initialized with C_EncryptInit. A call to C_Encrypt always terminates the active encryption operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the ciphertext. C_Encrypt can not be used to terminate a multi-part operation, and must be called after C_EncryptInit without intervening C_EncryptUpdate calls. For some encryption mechanisms, the input plaintext data has certain length constraints (either because the mechanism can only encrypt relatively short pieces of plaintext, or because the mechanism's input data must consist of an integral number of blocks). If these constraints are not satisfied, then C_Encrypt will fail with return code CKR_DATA_LEN_RANGE. The plaintext and ciphertext can be in the same place, i.e., it is OK if pData and pEncryptedData point to the same location. For most mechanisms, C_Encrypt is equivalent to a sequence of C_EncryptUpdate operations followed by C_EncryptFinal.
|
|
C_EncryptUpdate continues a multiple-part encryption operation, processing another data part.
The encryption operation must have been initialized with C_EncryptInit. This function may be called any number of times in succession. A call to C_EncryptUpdate which results in an error other than CKR_BUFFER_TOO_SMALL terminates the current encryption operation. The encryption operation must have been initialized with C_EncryptInit. A call to C_Encrypt always terminates the active encryption operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the ciphertext. The plaintext and ciphertext can be in the same place, i.e., it is OK if pPart and pEncryptedPart point to the same location.
|
|
C_EncryptFinal finishes a multiple-part encryption operation.
The encryption operation must have been initialized with C_EncryptInit. A call to C_EncryptFinal always terminates the active encryption operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the ciphertext. For some multi-part encryption mechanisms, the input plaintext data has certain length constraints, because the mechanism's input data must consist of an integral number of blocks. If these constraints are not satisfied, then C_EncryptFinal will fail with return code CKR_DATA_LEN_RANGE.
#define PLAINTEXT_BUF_SZ 200 #define CIPHERTEXT_BUF_SZ 256 CK_ULONG firstPieceLen, secondPieceLen; CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_BYTE iv[8]; CK_MECHANISM mechanism = { CKM_DES_CBC_PAD, iv, sizeof(iv) }; CK_BYTE data[PLAINTEXT_BUF_SZ]; CK_BYTE encryptedData[CIPHERTEXT_BUF_SZ]; CK_ULONG ulEncryptedData1Len; CK_ULONG ulEncryptedData2Len; CK_ULONG ulEncryptedData3Len; CK_RV rv; . . . firstPieceLen = 90; secondPieceLen = PLAINTEXT_BUF_SZ-firstPieceLen; rv = C_EncryptInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { /* Encrypt first piece */ ulEncryptedData1Len = sizeof(encryptedData); rv = C_EncryptUpdate( hSession, &data[0], firstPieceLen, &encryptedData[0], &ulEncryptedData1Len); if (rv != CKR_OK) { . . . } /* Encrypt second piece */ ulEncryptedData2Len = sizeof(encryptedData)-ulEncryptedData1Len; rv = C_EncryptUpdate( hSession, &data[firstPieceLen], secondPieceLen, &encryptedData[ulEncryptedData1Len], &ulEncryptedData2Len); if (rv != CKR_OK) { . . . } /* Get last little encrypted bit */ ulEncryptedData3Len = sizeof(encryptedData)-ulEncryptedData1Len-ulEncryptedData2Len; rv = C_EncryptFinal( hSession, &encryptedData[ulEncryptedData1Len+ulEncryptedData2Len], &ulEncryptedData3Len); if (rv != CKR_OK) { . . . } } |
|
C_DecryptInit initializes a decryption operation.
After calling C_DecryptInit, the application can either call C_Decrypt to decrypt data in a single part; or call C_DecryptUpdate zero or more times, followed by C_DecryptFinal, to decrypt data in multiple parts. The decryption operation is active until the application uses a call to C_Decrypt or C_DecryptFinal to actually obtain the final piece of plaintext. To process additional data (in single or multiple parts), the application must call C_DecryptInit again
|
|
C_Decrypt decrypts encrypted data in a single part.
The decryption operation must have been initialized with C_DecryptInit. A call to C_Decrypt always terminates the active decryption operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the plaintext. C_Decrypt can not be used to terminate a multi-part operation, and must be called after C_DecryptInit without intervening C_DecryptUpdate calls. The ciphertext and plaintext can be in the same place, i.e., it is OK if pEncryptedData and pData point to the same location. If the input ciphertext data cannot be decrypted because it has an inappropriate length, then either CKR_ENCRYPTED_DATA_INVALID or CKR_ENCRYPTED_DATA_LEN_RANGE may be returned. For most mechanisms, C_Decrypt is equivalent to a sequence of C_DecryptUpdate operations followed by C_DecryptFinal.
|
|
C_DecryptUpdate continues a multiple-part decryption operation, processing another encrypted data part.
The decryption operation must have been initialized with C_DecryptInit. This function may be called any number of times in succession. A call to C_DecryptUpdate which results in an error other than CKR_BUFFER_TOO_SMALL terminates the current decryption operation. The ciphertext and plaintext can be in the same place, i.e., it is OK if pEncryptedPart and pPart point to the same location.
|
|
C_DecryptFinal finishes a multiple-part decryption operation.
The decryption operation must have been initialized with C_DecryptInit. A call to C_DecryptFinal always terminates the active decryption operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the plaintext. If the input ciphertext data cannot be decrypted because it has an inappropriate length, then either CKR_ENCRYPTED_DATA_INVALID or CKR_ENCRYPTED_DATA_LEN_RANGE may be returned.
#define CIPHERTEXT_BUF_SZ 256 #define PLAINTEXT_BUF_SZ 256 CK_ULONG firstEncryptedPieceLen, secondEncryptedPieceLen; CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_BYTE iv[8]; CK_MECHANISM mechanism = { CKM_DES_CBC_PAD, iv, sizeof(iv) }; CK_BYTE data[PLAINTEXT_BUF_SZ]; CK_BYTE encryptedData[CIPHERTEXT_BUF_SZ]; CK_ULONG ulData1Len, ulData2Len, ulData3Len; CK_RV rv; . . . firstEncryptedPieceLen = 90; secondEncryptedPieceLen = CIPHERTEXT_BUF_SZ-firstEncryptedPieceLen; rv = C_DecryptInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { /* Decrypt first piece */ ulData1Len = sizeof(data); rv = C_DecryptUpdate( hSession, &encryptedData[0], firstEncryptedPieceLen, &data[0], &ulData1Len); if (rv != CKR_OK) { . . . } /* Decrypt second piece */ ulData2Len = sizeof(data)-ulData1Len; rv = C_DecryptUpdate( hSession, &encryptedData[firstEncryptedPieceLen], secondEncryptedPieceLen, &data[ulData1Len], &ulData2Len); if (rv != CKR_OK) { . . . } /* Get last little decrypted bit */ ulData3Len = sizeof(data)-ulData1Len-ulData2Len; rv = C_DecryptFinal( hSession, &data[ulData1Len+ulData2Len], &ulData3Len); if (rv != CKR_OK) { . . . } } |
|
C_DigestInit initializes a message-digesting operation.
|
|
C_Digest digests data in a single part.
The digest operation must have been initialized with C_DigestInit. A call to C_Digest always terminates the active digest operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the message digest. C_Digest can not be used to terminate a multi-part operation, and must be called after C_DigestInit without intervening C_DigestUpdate calls. The input data and digest output can be in the same place, i.e., it is OK if pData and pDigest point to the same location. C_Digest is equivalent to a sequence of C_DigestUpdate operations followed by C_DigestFinal.
|
|
C_DigestUpdate continues a multiple-part message-digesting operation, processing another data part.
|
|
C_DigestKey continues a multiple-part message-digesting operation by digesting the value of a secret key.
If the value of the supplied key cannot be digested purely for some reason related to its length, C_DigestKey should return the error code CKR_KEY_SIZE_RANGE.
|
|
C_DigestFinal finishes a multiple-part message-digesting operation, returning the message digest.
The digest operation must have been initialized with C_DigestInit. A call to C_DigestFinal always terminates the active digest operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the message digest.
CK_SESSION_HANDLE hSession; CK_MECHANISM mechanism = { CKM_MD5, NULL_PTR, 0 }; CK_BYTE data[] = {...}; CK_BYTE digest[16]; CK_ULONG ulDigestLen; CK_RV rv; . . . rv = C_DigestInit(hSession, &mechanism); if (rv != CKR_OK) { . . . } rv = C_DigestUpdate(hSession, data, sizeof(data)); if (rv != CKR_OK) { . . . } rv = C_DigestKey(hSession, hKey); if (rv != CKR_OK) { . . . } ulDigestLen = sizeof(digest); rv = C_DigestFinal(hSession, digest, &ulDigestLen); . . . |
|
C_SignInit initializes a signature operation, where the signature is an appendix to the data.
After calling C_SignInit, the application can either call C_Sign to sign in a single part; or call C_SignUpdate one or more times, followed by C_SignFinal, to sign data in multiple parts. The signature operation is active until the application uses a call to C_Sign or C_SignFinal to actually obtain the signature. To process additional data (in single or multiple parts), the application must call C_SignInit again.
|
|
C_Sign signs data in a single part, where the signature is an appendix to the data.
The signing operation must have been initialized with C_SignInit. A call to C_Sign always terminates the active signing operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the signature. C_Sign can not be used to terminate a multi-part operation, and must be called after C_SignInit without intervening C_SignUpdate calls. For most mechanisms, C_Sign is equivalent to a sequence of C_SignUpdate operations followed by C_SignFinal.
|
|
C_SignUpdate continues a multiple-part signature operation, processing another data part.
|
|
C_SignFinal finishes a multiple-part signature operation, returning the signature.
The signing operation must have been initialized with C_SignInit. A call to C_SignFinal always terminates the active signing operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the signature.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_DES_MAC, NULL_PTR, 0 }; CK_BYTE data[] = {...}; CK_BYTE mac[4]; CK_ULONG ulMacLen; CK_RV rv; . . . rv = C_SignInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { rv = C_SignUpdate(hSession, data, sizeof(data)); . . . ulMacLen = sizeof(mac); rv = C_SignFinal(hSession, mac, &ulMacLen); . . . } |
|
C_SignRecoverInit initializes a signature operation, where the data can be recovered from the signature.
After calling C_SignRecoverInit, the application may call C_SignRecover to sign in a single part. The signature operation is active until the application uses a call to C_SignRecover to actually obtain the signature. To process additional data in a single part, the application must call C_SignRecoverInit again.
|
|
C_SignRecover signs data in a single operation, where the data can be recovered from the signature.
The signing operation must have been initialized with C_SignRecoverInit. A call to C_SignRecover always terminates the active signing operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the signature.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_RSA_9796, NULL_PTR, 0 }; CK_BYTE data[] = {...}; CK_BYTE signature[128]; CK_ULONG ulSignatureLen; CK_RV rv; . . . rv = C_SignRecoverInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { ulSignatureLen = sizeof(signature); rv = C_SignRecover( hSession, data, sizeof(data), signature, &ulSignatureLen); if (rv == CKR_OK) { . . . } } |
|
C_VerifyInit initializes a verification operation, where the signature is an appendix to the data.
After calling C_VerifyInit, the application can either call C_Verify to verify a signature on data in a single part; or call C_VerifyUpdate one or more times, followed by C_VerifyFinal, to verify a signature on data in multiple parts. The verification operation is active until the application calls C_Verify or C_VerifyFinal. To process additional data (in single or multiple parts), the application must call C_VerifyInit again.
|
|
C_Verify verifies a signature in a single-part operation, where the signature is an appendix to the data.
A successful call to C_Verify should return either the value CKR_OK (indicating that the supplied signature is valid) or CKR_SIGNATURE_INVALID (indicating that the supplied signature is invalid). If the signature can be seen to be invalid purely on the basis of its length, then CKR_SIGNATURE_LEN_RANGE should be returned. In any of these cases, the active signing operation is terminated. C_Verify can not be used to terminate a multi-part operation, and must be called after C_VerifyInit without intervening C_VerifyUpdate calls. For most mechanisms, C_Verify is equivalent to a sequence of C_VerifyUpdate operations followed by C_VerifyFinal.
|
|
C_VerifyUpdate continues a multiple-part verification operation, processing another data part.
|
|
C_VerifyFinal finishes a multiple-part verification operation, checking the signature.
A successful call to C_VerifyFinal should return either the value CKR_OK (indicating that the supplied signature is valid) or CKR_SIGNATURE_INVALID (indicating that the supplied signature is invalid). If the signature can be seen to be invalid purely on the basis of its length, then CKR_SIGNATURE_LEN_RANGE should be returned. In any of these cases, the active verifying operation is terminated.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_DES_MAC, NULL_PTR, 0 }; CK_BYTE data[] = {...}; CK_BYTE mac[4]; CK_RV rv; . . . rv = C_VerifyInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { rv = C_VerifyUpdate(hSession, data, sizeof(data)); . . . rv = C_VerifyFinal(hSession, mac, sizeof(mac)); . . . } |
|
C_VerifyRecoverInit initializes a signature verification operation, where the data is recovered from the signature.
After calling C_VerifyRecoverInit, the application may call C_VerifyRecover to verify a signature on data in a single part. The verification operation is active until the application uses a call to C_VerifyRecover to actually obtain the recovered message.
|
|
C_VerifyRecover verifies a signature in a single-part operation, where the data is recovered from the signature.
The verification operation must have been initialized with C_VerifyRecoverInit. A call to C_VerifyRecover always terminates the active verification operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the recovered data. A successful call to C_VerifyRecover should return either the value CKR_OK (indicating that the supplied signature is valid) or CKR_SIGNATURE_INVALID (indicating that the supplied signature is invalid). If the signature can be seen to be invalid purely on the basis of its length, then CKR_SIGNATURE_LEN_RANGE should be returned. The return codes CKR_SIGNATURE_INVALID and CKR_SIGNATURE_LEN_RANGE have a higher priority than the return code CKR_BUFFER_TOO_SMALL, i.e., if C_VerifyRecover is supplied with an invalid signature, it will never return CKR_BUFFER_TOO_SMALL.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_RSA_9796, NULL_PTR, 0 }; CK_BYTE data[] = {...}; CK_ULONG ulDataLen; CK_BYTE signature[128]; CK_RV rv; . . . rv = C_VerifyRecoverInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { ulDataLen = sizeof(data); rv = C_VerifyRecover( hSession, signature, sizeof(signature), data, &ulDataLen); . . . } |
|
C_DigestEncryptUpdate continues multiple-part digest and encryption operations, processing another data part.
Digest and encryption operations must both be active (they must have been initialized with C_DigestInit and C_EncryptInit, respectively). This function may be called any number of times in succession, and may be interspersed with C_DigestUpdate, C_DigestKey, and C_EncryptUpdate calls (it would be somewhat unusual to intersperse calls to C_DigestEncryptUpdate with calls to C_DigestKey, however).
#define BUF_SZ 512 CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_BYTE iv[8]; CK_MECHANISM digestMechanism = { CKM_MD5, NULL_PTR, 0 }; CK_MECHANISM encryptionMechanism = { CKM_DES_ECB, iv, sizeof(iv) }; CK_BYTE encryptedData[BUF_SZ]; CK_ULONG ulEncryptedDataLen; CK_BYTE digest[16]; CK_ULONG ulDigestLen; CK_BYTE data[(2*BUF_SZ)+8]; CK_RV rv; int i; . . . memset(iv, 0, sizeof(iv)); memset(data, 'A', ((2*BUF_SZ)+5)); rv = C_EncryptInit(hSession, &encryptionMechanism, hKey); if (rv != CKR_OK) { . . . } rv = C_DigestInit(hSession, &digestMechanism); if (rv != CKR_OK) { . . . } ulEncryptedDataLen = sizeof(encryptedData); rv = C_DigestEncryptUpdate( hSession, &data[0], BUF_SZ, encryptedData, &ulEncryptedDataLen); . . . ulEncryptedDataLen = sizeof(encryptedData); rv = C_DigestEncryptUpdate( hSession, &data[BUF_SZ], BUF_SZ, encryptedData, &ulEncryptedDataLen); . . . /* * The last portion of the buffer needs to be handled with * separate calls to deal with padding issues in ECB mode */ /* First, complete the digest on the buffer */ rv = C_DigestUpdate(hSession, &data[BUF_SZ*2], 5); . . . ulDigestLen = sizeof(digest); rv = C_DigestFinal(hSession, digest, &ulDigestLen); . . . /* Then, pad last part with 3 0x00 bytes, and complete encryption */ for(i=0;i<3;i++) data[((BUF_SZ*2)+5)+i] = 0x00; /* Now, get second-to-last piece of ciphertext */ ulEncryptedDataLen = sizeof(encryptedData); rv = C_EncryptUpdate( hSession, &data[BUF_SZ*2], 8, encryptedData, &ulEncryptedDataLen); . . . /* Get last piece of ciphertext (should have length 0, here) */ ulEncryptedDataLen = sizeof(encryptedData); rv = C_EncryptFinal(hSession, encryptedData, &ulEncryptedDataLen); . . . |
|
C_DecryptDigestUpdate continues a multiple-part combined decryption and digest operation, processing another data part.
Decryption and digesting operations must both be active (they must have been initialized with C_DecryptInit and C_DigestInit, respectively). This function may be called any number of times in succession, and may be interspersed with C_DecryptUpdate, C_DigestUpdate, and C_DigestKey calls (it would be somewhat unusual to intersperse calls to C_DigestEncryptUpdate with calls to C_DigestKey, however). Use of C_DecryptDigestUpdate involves a pipelining issue that does not arise when using C_DigestEncryptUpdate, the "inverse function" of C_DecryptDigestUpdate. This is because when C_DigestEncryptUpdate is called, precisely the same input is passed to both the active digesting operation and the active encryption operation; however, when C_DecryptDigestUpdate is called, the input passed to the active digesting operation is the output of the active decryption operation. This issue comes up only when the mechanism used for decryption performs padding. In particular, envision a 24-byte ciphertext which was obtained by encrypting an 18-byte plaintext with DES in CBC mode with PKCS padding. Consider an application which will simultaneously decrypt this ciphertext and digest the original plaintext thereby obtained. After initializing decryption and digesting operations, the application passes the 24-byte ciphertext (3 DES blocks) into C_DecryptDigestUpdate. C_DecryptDigestUpdate returns exactly 16 bytes of plaintext, since at this point, Cryptoki doesn't know if there's more ciphertext coming, or if the last block of ciphertext held any padding. These 16 bytes of plaintext are passed into the active digesting operation. Since there is no more ciphertext, the application calls C_DecryptFinal. This tells Cryptoki that there's no more ciphertext coming, and the call returns the last 2 bytes of plaintext. However, since the active decryption and digesting operations are linked only through the C_DecryptDigestUpdate call, these 2 bytes of plaintext are not passed on to be digested. A call to C_DigestFinal, therefore, would compute the message digest of the first 16 bytes of the plaintext, not the message digest of the entire plaintext. It is crucial that, before C_DigestFinal is called, the last 2 bytes of plaintext get passed into the active digesting operation via a C_DigestUpdate call. Because of this, it is critical that when an application uses a padded decryption mechanism with C_DecryptDigestUpdate, it knows exactly how much plaintext has been passed into the active digesting operation. Extreme caution is warranted when using a padded decryption mechanism with C_DecryptDigestUpdate.
#define BUF_SZ 512 CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_BYTE iv[8]; CK_MECHANISM decryptionMechanism = { CKM_DES_ECB, iv, sizeof(iv) }; CK_MECHANISM digestMechanism = { CKM_MD5, NULL_PTR, 0 }; CK_BYTE encryptedData[(2*BUF_SZ)+8]; CK_BYTE digest[16]; CK_ULONG ulDigestLen; CK_BYTE data[BUF_SZ]; CK_ULONG ulDataLen, ulLastUpdateSize; CK_RV rv; . . . memset(iv, 0, sizeof(iv)); memset(encryptedData, 'A', ((2*BUF_SZ)+8)); rv = C_DecryptInit(hSession, &decryptionMechanism, hKey); if (rv != CKR_OK) { . . . } rv = C_DigestInit(hSession, &digestMechanism); if (rv != CKR_OK){ . . . } ulDataLen = sizeof(data); rv = C_DecryptDigestUpdate( hSession, &encryptedData[0], BUF_SZ, data, &ulDataLen); . . . ulDataLen = sizeof(data); rv = C_DecryptDigestUpdate( hSession, &encryptedData[BUF_SZ], BUF_SZ, data, &ulDataLen); . . . /* * The last portion of the buffer needs to be handled with * separate calls to deal with padding issues in ECB mode */ /* First, complete the decryption of the buffer */ ulLastUpdateSize = sizeof(data); rv = C_DecryptUpdate( hSession, &encryptedData[BUF_SZ*2], 8, data, &ulLastUpdateSize); . . . /* Get last piece of plaintext (should have length 0, here) */ ulDataLen = sizeof(data)-ulLastUpdateSize; rv = C_DecryptFinal(hSession, &data[ulLastUpdateSize], &ulDataLen); if (rv != CKR_OK) { . . . } /* Digest last bit of plaintext */ rv = C_DigestUpdate(hSession, &data[BUF_SZ*2], 5); if (rv != CKR_OK) { . . . } ulDigestLen = sizeof(digest); rv = C_DigestFinal(hSession, digest, &ulDigestLen); if (rv != CKR_OK) { . . . } |
|
C_SignEncryptUpdate continues a multiple-part combined signature and encryption operation, processing another data part.
Signature and encryption operations must both be active (they must have been initialized with C_SignInit and C_EncryptInit, respectively). This function may be called any number of times in succession, and may be interspersed with C_SignUpdate and C_EncryptUpdate calls.
#define BUF_SZ 512 CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hEncryptionKey, hMacKey; CK_BYTE iv[8]; CK_MECHANISM signMechanism = { CKM_DES_MAC, NULL_PTR, 0 }; CK_MECHANISM encryptionMechanism = { CKM_DES_ECB, iv, sizeof(iv) }; CK_BYTE encryptedData[BUF_SZ]; CK_ULONG ulEncryptedDataLen; CK_BYTE MAC[4]; CK_ULONG ulMacLen; CK_BYTE data[(2*BUF_SZ)+8]; CK_RV rv; int i; . . . memset(iv, 0, sizeof(iv)); memset(data, 'A', ((2*BUF_SZ)+5)); rv = C_EncryptInit(hSession, &encryptionMechanism, hEncryptionKey); if (rv != CKR_OK) { . . . } rv = C_SignInit(hSession, &signMechanism, hMacKey); if (rv != CKR_OK) { . . . } ulEncryptedDataLen = sizeof(encryptedData); rv = C_SignEncryptUpdate( hSession, &data[0], BUF_SZ, encryptedData, &ulEncryptedDataLen); . . . ulEncryptedDataLen = sizeof(encryptedData); rv = C_SignEncryptUpdate( hSession, &data[BUF_SZ], BUF_SZ, encryptedData, &ulEncryptedDataLen); . . . /* * The last portion of the buffer needs to be handled with * separate calls to deal with padding issues in ECB mode */ /* First, complete the signature on the buffer */ rv = C_SignUpdate(hSession, &data[BUF_SZ*2], 5); . . . ulMacLen = sizeof(MAC); rv = C_DigestFinal(hSession, MAC, &ulMacLen); . . . /* Then pad last part with 3 0x00 bytes, and complete encryption */ for(i=0;i<3;i++) data[((BUF_SZ*2)+5)+i] = 0x00; /* Now, get second-to-last piece of ciphertext */ ulEncryptedDataLen = sizeof(encryptedData); rv = C_EncryptUpdate( hSession, &data[BUF_SZ*2], 8, encryptedData, &ulEncryptedDataLen); . . . /* Get last piece of ciphertext (should have length 0, here) */ ulEncryptedDataLen = sizeof(encryptedData); rv = C_EncryptFinal(hSession, encryptedData, &ulEncryptedDataLen); . . . |
|
C_DecryptVerifyUpdate continues a multiple-part combined decryption and verification operation, processing another data part.
Decryption and signature operations must both be active (they must have been initialized with C_DecryptInit and C_VerifyInit, respectively). This function may be called any number of times in succession, and may be interspersed with C_DecryptUpdate and C_VerifyUpdate calls. Use of C_DecryptVerifyUpdate involves a pipelining issue that does not arise when using C_SignEncryptUpdate, the "inverse function" of C_DecryptVerifyUpdate. This is because when C_SignEncryptUpdate is called, precisely the same input is passed to both the active signing operation and the active encryption operation; however, when C_DecryptVerifyUpdate is called, the input passed to the active verifying operation is the output of the active decryption operation. This issue comes up only when the mechanism used for decryption performs padding. In particular, envision a 24-byte ciphertext which was obtained by encrypting an 18-byte plaintext with DES in CBC mode with PKCS padding. Consider an application which will simultaneously decrypt this ciphertext and verify a signature on the original plaintext thereby obtained. After initializing decryption and verification operations, the application passes the 24-byte ciphertext (3 DES blocks) into C_DecryptVerifyUpdate. C_DecryptVerifyUpdate returns exactly 16 bytes of plaintext, since at this point, Cryptoki doesn't know if there's more ciphertext coming, or if the last block of ciphertext held any padding. These 16 bytes of plaintext are passed into the active verification operation. Since there is no more ciphertext, the application calls C_DecryptFinal. This tells Cryptoki that there's no more ciphertext coming, and the call returns the last 2 bytes of plaintext. However, since the active decryption and verification operations are linked only through the C_DecryptVerifyUpdate call, these 2 bytes of plaintext are not passed on to the verification mechanism. A call to C_VerifyFinal, therefore, would verify whether or not the signature supplied is a valid signature on the first 16 bytes of the plaintext, not on the entire plaintext. It is crucial that, before C_VerifyFinal is called, the last 2 bytes of plaintext get passed into the active verification operation via a C_VerifyUpdate call. Because of this, it is critical that when an application uses a padded decryption mechanism with C_DecryptVerifyUpdate, it knows exactly how much plaintext has been passed into the active verification operation. Extreme caution is warranted when using a padded decryption mechanism with C_DecryptVerifyUpdate.
#define BUF_SZ 512 CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hDecryptionKey, hMacKey; CK_BYTE iv[8]; CK_MECHANISM decryptionMechanism = { CKM_DES_ECB, iv, sizeof(iv) }; CK_MECHANISM verifyMechanism = { CKM_DES_MAC, NULL_PTR, 0 }; CK_BYTE encryptedData[(2*BUF_SZ)+8]; CK_BYTE MAC[4]; CK_ULONG ulMacLen; CK_BYTE data[BUF_SZ]; CK_ULONG ulDataLen, ulLastUpdateSize; CK_RV rv; . . . memset(iv, 0, sizeof(iv)); memset(encryptedData, 'A', ((2*BUF_SZ)+8)); rv = C_DecryptInit(hSession, &decryptionMechanism, hDecryptionKey); if (rv != CKR_OK) { . . . } rv = C_VerifyInit(hSession, &verifyMechanism, hMacKey); if (rv != CKR_OK){ . . . } ulDataLen = sizeof(data); rv = C_DecryptVerifyUpdate( hSession, &encryptedData[0], BUF_SZ, data, &ulDataLen); . . . ulDataLen = sizeof(data); rv = C_DecryptVerifyUpdate( hSession, &encryptedData[BUF_SZ], BUF_SZ, data, &uldataLen); . . . /* * The last portion of the buffer needs to be handled with * separate calls to deal with padding issues in ECB mode */ /* First, complete the decryption of the buffer */ ulLastUpdateSize = sizeof(data); rv = C_DecryptUpdate( hSession, &encryptedData[BUF_SZ*2], 8, data, &ulLastUpdateSize); . . . /* Get last little piece of plaintext. Should have length 0 */ ulDataLen = sizeof(data)-ulLastUpdateSize; rv = C_DecryptFinal(hSession, &data[ulLastUpdateSize], &ulDataLen); if (rv != CKR_OK) { . . . } /* Send last bit of plaintext to verification operation */ rv = C_VerifyUpdate(hSession, &data[BUF_SZ*2], 5); if (rv != CKR_OK) { . . . } rv = C_VerifyFinal(hSession, MAC, ulMacLen); if (rv == CKR_SIGNATURE_INVALID) { . . . } |
|
C_GenerateKey generates a secret key, creating a new key object.
If a call to C_GenerateKey cannot support the precise template supplied to it, it will fail and return without creating any key object. The key object created by a successful call to C_GenerateKey will have its CKA_LOCAL attribute set to TRUE.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_DES_KEY_GEN, NULL_PTR, 0 }; CK_RV rv; . . . rv = C_GenerateKey(hSession, &mechanism, NULL_PTR, 0, &hKey); if (rv == CKR_OK) { . . . } |
|
C_GenerateKeyPair generates a public/private key pair, creating new key objects.
If a call to C_GenerateKeyPair cannot support the precise templates supplied to it, it will fail and return without creating any key objects. A call to C_GenerateKeyPair will never create just one key and return. A call can fail, and create no keys; or it can succeed, and create a matching public/private key pair. The key objects created by a successful call to C_GenerateKeyPair will have their CKA_LOCAL attributes set to TRUE. Note carefully the order of the arguments to C_GenerateKeyPair. The last two arguments do not have the same order as they did in the original Cryptoki Version 1.0 document. The order of these two arguments has caused some unfortunate confusion.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hPublicKey, hPrivateKey; CK_MECHANISM mechanism = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 }; CK_ULONG modulusBits = 768; CK_BYTE publicExponent[] = { 3 }; CK_BYTE subject[] = {...}; CK_BYTE id[] = {123}; CK_BBOOL true = TRUE; CK_ATTRIBUTE publicKeyTemplate[] = { {CKA_ENCRYPT, &true, sizeof(true)}, {CKA_VERIFY, &true, sizeof(true)}, {CKA_WRAP, &true, sizeof(true)}, {CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits)}, {CKA_PUBLIC_EXPONENT, publicExponent, sizeof (publicExponent)} }; CK_ATTRIBUTE privateKeyTemplate[] = { {CKA_TOKEN, &true, sizeof(true)}, {CKA_PRIVATE, &true, sizeof(true)}, {CKA_SUBJECT, subject, sizeof(subject)}, {CKA_ID, id, sizeof(id)}, {CKA_SENSITIVE, &true, sizeof(true)}, {CKA_DECRYPT, &true, sizeof(true)}, {CKA_SIGN, &true, sizeof(true)}, {CKA_UNWRAP, &true, sizeof(true)} }; CK_RV rv; rv = C_GenerateKeyPair( hSession, &mechanism, publicKeyTemplate, 5, privateKeyTemplate, 8, &hPublicKey, &hPrivateKey); if (rv == CKR_OK) { . . . } |
|
C_WrapKey wraps (i.e., encrypts) a private or secret key.
The CKA_WRAP attribute of the wrapping key, which indicates whether the key supports wrapping, must be TRUE. The CKA_EXTRACTABLE attribute of the key to be wrapped must also be TRUE. If the key to be wrapped cannot be wrapped for some token-specific reason, despite its having its CKA_EXTRACTABLE attribute set to TRUE, then C_WrapKey fails with error code CKR_KEY_NOT_WRAPPABLE. If it cannot be wrapped with the specified wrapping key and mechanism solely because of its length, then C_WrapKey fails with error code CKR_KEY_SIZE_RANGE. C_WrapKey can be used in the following situations:
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hWrappingKey, hKey; CK_MECHANISM mechanism = { CKM_DES3_ECB, NULL_PTR, 0 }; CK_BYTE wrappedKey[8]; CK_ULONG ulWrappedKeyLen; CK_RV rv; . . . ulWrappedKeyLen = sizeof(wrappedKey); rv = C_WrapKey( hSession, &mechanism, hWrappingKey, hKey, wrappedKey, &ulWrappedKeyLen); if (rv == CKR_OK) { . . . } |
|
C_UnwrapKey unwraps (i.e. decrypts) a wrapped key, creating a new private key or secret key object.
The new key will have the CKA_ALWAYS_SENSITIVE attribute set to FALSE, and the CKA_EXTRACTABLE attribute set to TRUE. When C_UnwrapKey is used to unwrap a key with the CKM_KEY_WRAP_SET_OAEP mechanism (see Section 12.32.1), additional "extra data" is decrypted at the same time that the key is unwrapped. The return of this data follows the convention in Section 11.2 on producing output. If the extra data is not returned from a call to C_UnwrapKey (either because the call was only to find out how large the extra data is, or because the buffer provided for the extra data was too small), then C_UnwrapKey will not create a new key, either. If a call to C_UnwrapKey cannot support the precise template supplied to it, it will fail and return without creating any key object. The key object created by a successful call to C_UnwrapKey will have its CKA_LOCAL attribute set to FALSE.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hUnwrappingKey, hKey; CK_MECHANISM mechanism = { CKM_DES3_ECB, NULL_PTR, 0 }; CK_BYTE wrappedKey[8] = {...}; CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; CK_KEY_TYPE keyType = CKK_DES; CK_BBOOL true = TRUE; CK_ATTRIBUTE template[] = { {CKA_CLASS, &keyClass, sizeof(keyClass)}, {CKA_KEY_TYPE, &keyType, sizeof(keyType)}, {CKA_ENCRYPT, &true, sizeof(true)}, {CKA_DECRYPT, &true, sizeof(true)} }; CK_RV rv; . . . rv = C_UnwrapKey( hSession, &mechanism, hUnwrappingKey, wrappedKey, sizeof(wrappedKey), template, 4, &hKey); if (rv == CKR_OK) { . . . } |
|
C_DeriveKey derives a key from a base key, creating a new key object.
If a call to C_DeriveKey cannot support the precise template supplied to it, it will fail and return without creating any key object. The key object created by a successful call to C_DeriveKey will have its CKA_LOCAL attribute set to FALSE.
CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hPublicKey, hPrivateKey, hKey; CK_MECHANISM keyPairMechanism = { CKM_DH_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 }; CK_BYTE prime[] = {...}; CK_BYTE base[] = {...}; CK_BYTE publicValue[128]; CK_BYTE otherPublicValue[128]; CK_MECHANISM mechanism = { CKM_DH_PKCS_DERIVE, otherPublicValue, sizeof(otherPublicValue) }; CK_ATTRIBUTE pTemplate[] = { CKA_VALUE, &publicValue, sizeof(publicValue)} }; CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; CK_KEY_TYPE keyType = CKK_DES; CK_BBOOL true = TRUE; CK_ATTRIBUTE publicKeyTemplate[] = { {CKA_PRIME, prime, sizeof(prime)}, {CKA_BASE, base, sizeof(base)} }; CK_ATTRIBUTE privateKeyTemplate[] = { {CKA_DERIVE, &true, sizeof(true)} }; CK_ATTRIBUTE template[] = { {CKA_CLASS, &keyClass, sizeof(keyClass)}, {CKA_KEY_TYPE, &keyType, sizeof(keyType)}, {CKA_ENCRYPT, &true, sizeof(true)}, {CKA_DECRYPT, &true, sizeof(true)} }; CK_RV rv; . . . rv = C_GenerateKeyPair( hSession, &keyPairMechanism, publicKeyTemplate, 2, privateKeyTemplate, 1, &hPublicKey, &hPrivateKey); if (rv == CKR_OK) { rv = C_GetAttributeValue(hSession, hPublicKey, &pTemplate, 1); if (rv == CKR_OK) { /* Put other guy's public value in otherPublicValue */ . . . rv = C_DeriveKey( hSession, &mechanism, hPrivateKey, template, 4, &hKey); if (rv == CKR_OK) { . . . } } } |
|
C_SeedRandom mixes additional seed material into the token's random number generator.
|
|
C_GenerateRandom generates random or pseudo-random data.
CK_SESSION_HANDLE hSession; CK_BYTE seed[] = {...}; CK_BYTE randomData[] = {...}; CK_RV rv; . . . rv = C_SeedRandom(hSession, seed, sizeof(seed)); if (rv != CKR_OK) { . . . } rv = C_GenerateRandom(hSession, randomData, sizeof(randomData)); if (rv == CKR_OK) { . . . } |
|
In previous versions of Cryptoki, C_GetFunctionStatus obtained the status of a function running in parallel with an application. Now, however, C_GetFunctionStatus is a legacy function which should simply return the value CKR_FUNCTION_NOT_PARALLEL.
|
|
In previous versions of Cryptoki, C_CancelFunction cancelled a function running in parallel with an application. Now, however, C_CancelFunction is a legacy function which should simply return the value CKR_FUNCTION_NOT_PARALLEL.
|
|
CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTRCK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to indicate the Pseudo-Random Function (PRF) used to generate key bits using PKCS #5 PBKDF2. |