Cryptographic Token Interface Standard
PKCS#11
The following figure illustrates details of key objects:
Key objects hold encryption or authentication keys, which can be public keys, private keys, or secret keys. The following common footnotes apply to all the tables describing attributes of keys:
Table 24, Common footnotes for key attribute tables
Footnote | Meaning |
--- | --- |
1 | Must be specified when object is created with C_CreateObject. |
2 | Must not be specified when object is created with C_CreateObject. |
3 | Must be specified when object is generated with C_GenerateKey or C_GenerateKeyPair. |
4 | Must not be specified when object is generated with C_GenerateKey or C_GenerateKeyPair. |
5 | Must be specified when object is unwrapped with C_UnwrapKey. |
6 | Must not be specified when object is unwrapped with C_UnwrapKey. |
7 | Cannot be revealed if object has its CKA_SENSITIVE attribute set to TRUE or its CKA_EXTRACTABLE attribute set to FALSE. |
8 | May be modified after object is created with a C_SetAttributeValue call, or in the process of copying object with a C_CopyObject call. As mentioned previously, however, it is possible that a particular token may not permit modification of the attribute, or may not permit modification of the attribute during the course of a C_CopyObject call. |
9 | Default value is token-specific, and may depend on the values of other attributes. |
10 | Can only be set to TRUE by the SO user. |
The following table defines the attributes common to public key, private key and secret key classes, in addition to the common attributes listed in Table 15 and Table 19 (the numbers in parentheses after each attribute refer to the footnotes in Table 24):
Table 25, Common Key Attributes
Attribute | Data Type | Meaning |
--- | --- | --- |
CKA_KEY_TYPE (1, 3, 5) | CK_KEY_TYPE | Type of key |
CKA_ID (8) | Byte array | Key identifier for key (default empty) |
CKA_START_DATE (8) | CK_DATE | Start date for the key (default empty) |
CKA_END_DATE (8) | CK_DATE | End date for the key (default empty) |
CKA_DERIVE (8) | CK_BBOOL | TRUE if key supports key derivation (i.e., if other keys can be derived from this one) (default FALSE) |
CKA_LOCAL (2, 4, 6) | CK_BBOOL | TRUE only if key was either (a) generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call, or (b) created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to TRUE |
CKA_KEY_GEN_MECHANISM (2, 4, 6) | CK_MECHANISM_TYPE | Identifier of the mechanism used to generate the key material. |
The CKA_ID field is intended to distinguish among multiple keys. In the case of public and private keys, this field assists in handling multiple keys held by the same subject; the key identifier for a public key and its corresponding private key should be the same. The key identifier should also be the same as for the corresponding certificate, if one exists. Cryptoki does not enforce these associations, however. (See Section 10.6 for further commentary.)
In the case of secret keys, the meaning of the CKA_ID attribute is up to the application.
Note that the CKA_START_DATE and CKA_END_DATE attributes are for reference only; Cryptoki does not attach any special meaning to them. In particular, it does not restrict usage of a key according to the dates; doing this is up to the application.
The CKA_DERIVE attribute has the value TRUE if and only if it is possible to derive other keys from the key.
The CKA_LOCAL attribute has the value TRUE if and only if the value of the key was originally generated on the token by a C_GenerateKey or C_GenerateKeyPair call.
The CKA_KEY_GEN_MECHANISM attribute identifies the key generation mechanism used to generate the key material. It contains a valid value only if the CKA_LOCAL attribute has the value TRUE. If CKA_LOCAL has the value FALSE, the value of the attribute is CK_UNAVAILABLE_INFORMATION.
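The following is an added example, not part of the PKCS#11 standard, showing how an application can apply the Table 24 footnote rules to an attribute template before handing it to a token, and perform the CKA_START_DATE / CKA_END_DATE check that Cryptoki itself does not perform. It assumes the template is a plain dictionary standing in for a CK_ATTRIBUTE array and that CK_DATE values are carried as the eight ASCII digits YYYYMMDD of the year, month and day fields.

```python
from datetime import date

# Footnote numbers from Table 24 that apply to each attribute in Table 25.
# Footnotes 7, 8, 9 and 10 govern reveal/modify/default/SO behaviour rather
# than what may appear in a template, so they are not listed here.
FOOTNOTES = {
    "CKA_KEY_TYPE": (1, 3, 5),
    "CKA_LOCAL": (2, 4, 6),
    "CKA_KEY_GEN_MECHANISM": (2, 4, 6),
}
# Footnote number -> (operation group it applies to, attribute must be present?)
RULES = {1: ("create", True), 2: ("create", False),
         3: ("generate", True), 4: ("generate", False),
         5: ("unwrap", True), 6: ("unwrap", False)}
OP_GROUP = {"C_CreateObject": "create", "C_GenerateKey": "generate",
            "C_GenerateKeyPair": "generate", "C_UnwrapKey": "unwrap"}

def check_template(operation, template):
    """Return the footnote violations for a template handed to `operation`."""
    group = OP_GROUP[operation]  # KeyError for a Cryptoki function not covered here
    problems = []
    for attr, notes in FOOTNOTES.items():
        for note in notes:
            rule_group, required = RULES[note]
            if rule_group != group:
                continue
            if required and attr not in template:
                problems.append(f"{attr} must be specified for {operation} (footnote {note})")
            elif not required and attr in template:
                problems.append(f"{attr} must not be specified for {operation} (footnote {note})")
    return problems

def ck_date(raw):
    """Decode a CK_DATE assumed to be carried as YYYYMMDD; empty/None means unset."""
    if not raw:
        return None
    s = raw.decode() if isinstance(raw, bytes) else raw
    return date(int(s[0:4]), int(s[4:6]), int(s[6:8]))

def key_usable_on(template, today):
    """Application-side validity check: Cryptoki ignores CKA_START_DATE and
    CKA_END_DATE, so the application must enforce them itself."""
    start = ck_date(template.get("CKA_START_DATE"))
    end = ck_date(template.get("CKA_END_DATE"))
    return (start is None or today >= start) and (end is None or today <= end)
```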