|
Home > |
|---|
This section presents a set of extensions which have been added to PKCS#11 by SafeNet. They cover several areas of cryptographic protocol/standard support and system information, as follows:
•FIPS 140-2 validation including a secure PIN and data port
•Key CloningTM support
•secret sharing activation support
•support for sharing login state across applications
•support for an alternate login scheme, referred to as "Indirect Login"
•support for manipulating token state vectors
•support for synchronization of multiple SafeNet XL tokens for enhanced cryptographic acceleration.
These commands and functions can also be used as extensions to other Application Programming Interfaces (for example, OpenSSL).
The several functions defined in this extension to PKCS#11 are introduced in the following table. These functions are described in more detail in later sections of this document.
| Category | Function | Description |
|---|---|---|
|
Key cloning |
CA_SetCloningDomain |
Sets the domain string used during token initialization. |
|
CA_ClonePrivateKey |
Permits the secure transfer a private key (RSA) between a source token and a target token. |
|
|
CA_GenerateTokenKeys |
Generate the private keys used for secure key cloning operations. |
|
|
CA_GetTokenCertificateInfo |
Obtain the cloning certificate. |
|
|
CA_SetTokenCertificate |
Sign the cloning certificate with the private keys generated for key cloning operations |
|
|
Secret Sharing Activation (commonly referred to as MofN) |
CA_SetMofN |
Sets the security policy for the token to use the secret sharing feature. |
|
CA_GenerateMofN |
Generates the secret informa-tion on a token. |
|
|
CA_ActivateMofN |
Activates a token that has the secret sharing feature enabled. |
|
|
CA_GenerateCloneableMofN |
Creates a clonable secret-splitting vector on a token. |
|
|
CA_CloneMofN |
Copy a clonable secret-splitting vector from one token to another. |
|
|
CA_DuplicateMofN |
Creates duplicates (copies) of all MofN secret splits. |
|
|
CA_ModifyMofN |
Modifies the secret-splitting vector on a token. |
|
|
CA_GetMofNStatus |
Retrieves the MofN structure of the specified token. |
|
|
Share login state across applications |
CA_SetApplicationID |
Sets the application's identifier. |
|
CA_OpenApplicationID |
Activates an application identifier, independent of any open sessions. |
|
|
CA_CloseApplicationID |
Deactivates an application identifier. |
|
|
Indirect Login |
CA_InitIndirectPIN |
Initializes a user PIN so that it may be used normally or indirectly. |
|
CA_IndirectLogin |
Performs an indirect login operation. |
|
|
Token State Vector Manipulation |
CA_GetFPV |
Retrieves the token's Fixed Policy Vector (FPV). |
|
CA_GetTPV |
Retrieves the token's Token Policy Vector (TPV). |
|
|
CA_GetExtendedTPV |
Retrieves the token's TPV and extended TPV. |
|
|
CA_SetTPV |
Sets the token's TPV. |
|
|
CA_SetExtendedTPV |
Sets the token's TPV and extended TPV. |
|
|
XL |
CA_GetNumberOfSSLSlots |
Determine the number of accelerator slots (distinct from authentication slots, when SafeNet XL is also used with SafeNet CA 3 .) |
|
CA_SSLSynchronizeObjects |
Designates a master slot in an XL installation (you pass the slot number with the call) then clones the content of the master slot to all other accelerator slots |
|
| Derive and Wrap | CA_DeriveKeyAndWrap | This is an optimization of C_DeriveKey with C_Wrap, merging the two functions into one (the in and out constraints are the same as for the individual functions). A further optimization is applied when mechanism CKM_ECDH1_DERIVE is used with CA_DeriveKeyAndWrap. |
The current release of SafeNet SafeNet Toolkit provides the Chrystoki library supporting version 2.20 of the Cryptoki standard.