Cryptographic Token Interface Standard

PKCS#11


X.509 attribute certificate objects

X.509 attribute certificate objects (certificate type CKC_X_509_ATTR_CERT) hold X.509 attribute certificates. The following table defines the X.509 attribute certificate object attributes, in addition to the common attributes listed in Table 15 , Table 19 and Table 21 :

Table 23, X.509 Attribute Certificate Object Attributes
Attribute
Data Type
Meaning
CKA_OWNER1
Byte Array
DER-encoding of the attribute certificate's subject field. This is distinct from the CKA_SUBJECT attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different.
CKA_AC_ISSUER
Byte Array
DER-encoding of the attribute certificate's issuer field. This is distinct from the CKA_ISSUER attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. (default empty)
CKA_SERIAL_NUMBER
Byte Array
DER-encoding of the certificate serial number. (default empty)
CKA_ATTR_TYPES
Byte Array
BER-encoding of a sequence of object identifier values corresponding to the attribute types contained in the certificate. When present, this field offers an opportunity for applications to search for a particular attribute certificate without fetching and parsing the certificate itself. (default empty)
CKA_VALUE1
Byte Array
BER-encoding of the certificate.

1Must be specified when the object is created

Only the CKA_AC_ISSUER, CKA_SERIAL_NUMBER and CKA_ATTR_TYPES attributes may be modified after the object is created.

The following is a sample template for creating an X.509 attribute certificate object:

CK_OBJECT_CLASS class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE certType = CKC_X_509_ATTR_CERT;
CK_UTF8CHAR label[] = "An attribute certificate object";
CK_BYTE owner[] = {...};
CK_BYTE certificate[] = {...};
CK_BBOOL true = TRUE;
CK_ATTRIBUTE template[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_CERTIFICATE_TYPE, &certType, sizeof(certType)};
{CKA_TOKEN, &true, sizeof(true)},
{CKA_LABEL, label, sizeof(label)-1},
{CKA_OWNER, owner, sizeof(owner)},
{CKA_VALUE, certificate, sizeof(certificate)}
};


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v211