Public key objects

Sections
RSA public key objects
DSA public key objects
ECDSA public key objects
Diffie-Hellman public key objects
X9.42 Diffie-Hellman public key objects
KEA public key objects

Detailed Description

Public key objects (object class CKO_PUBLIC_KEY) hold public keys. This version of Cryptoki recognizes the following types of public keys: RSA, DSA, EC (also related to ECDSA), Diffie-Hellman, X9.42 Diffie-Hellman and KEA. The following table defines the attributes common to all public keys, in addition to the common attributes listed in Table 15 , Table 19 and Table 25 :

Table 26, Common Public Key Attributes
Attribute Data type Meaning

CKA_SUBJECT⁸ Byte array DER-encoding of the key subject name (default empty)

CKA_ENCRYPT⁸ CK_BBOOL TRUE if key supports encryption⁹

CKA_VERIFY⁸ CK_BBOOL TRUE if key supports verification where the signature is an appendix to the data⁹

CKA_VERIFY_RECOVER⁸ CK_BBOOL TRUE if key supports verification where the data is recovered from the signature⁹

CKA_WRAP⁸ CK_BBOOL TRUE if key supports wrapping (i.e., can be used to wrap other keys)⁹

CKA_TRUSTED¹⁰ CK_BBOOL The key can be trusted for the application that it was created.

It is intended in the interests of interoperability that the subject name and key identifier for a public key will be the same as those for the corresponding certificate and private key. However, Cryptoki does not enforce this, and it is not required that the certificate and private key also be stored on the token.

To map between ISO/IEC 9594-8 (X.509) keyUsage flags for public keys and the PKCS #11 attributes for public keys, use the following table.

Table 27, Mapping of X.509 key usage flags to cryptoki attributes for public keys
'''Key usage flags for public keys in X.509 public key certificates''' Corresponding cryptoki attributes for public keys.

dataEncipherment CKA_ENCRYPT

digitalSignature, keyCertSign, cRLSign CKA_VERIFY

digitalSignature, keyCertSign, cRLSign CKA_VERIFY_RECOVER

keyAgreement CKA_DERIVE

keyEncipherment CKA_WRAP

nonRepudiation CKA_VERIFY

nonRepudiation CKA_VERIFY_RECOVER

RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v211

Attribute	Data type	Meaning
CKA_SUBJECT⁸	Byte array	DER-encoding of the key subject name (default empty)
CKA_ENCRYPT⁸	CK_BBOOL	TRUE if key supports encryption⁹
CKA_VERIFY⁸	CK_BBOOL	TRUE if key supports verification where the signature is an appendix to the data⁹
CKA_VERIFY_RECOVER⁸	CK_BBOOL	TRUE if key supports verification where the data is recovered from the signature⁹
CKA_WRAP⁸	CK_BBOOL	TRUE if key supports wrapping (i.e., can be used to wrap other keys)⁹
CKA_TRUSTED¹⁰	CK_BBOOL	The key can be trusted for the application that it was created.

'''Key usage flags for public keys in X.509 public key certificates'''	Corresponding cryptoki attributes for public keys.
dataEncipherment	CKA_ENCRYPT
digitalSignature, keyCertSign, cRLSign	CKA_VERIFY
digitalSignature, keyCertSign, cRLSign	CKA_VERIFY_RECOVER
keyAgreement	CKA_DERIVE
keyEncipherment	CKA_WRAP
nonRepudiation	CKA_VERIFY
nonRepudiation	CKA_VERIFY_RECOVER

Public key objects

Sections

Detailed Description