Home >

SDK Reference Guide > Extensions to PKCS#11 > SafeNet Extensions to PKCS#11

SafeNet Extensions to PKCS#11

This section presents a set of extensions which have been added to PKCS#11 by SafeNet. They cover several areas of cryptographic protocol/standard support and system information, as follows:

FIPS 140-2 validation including a secure PIN and data port

Key CloningTM support

secret sharing activation support

support for sharing login state across applications

support for an alternate login scheme, referred to as "Indirect Login"

support for manipulating token state vectors

support for synchronization of multiple SafeNet XL tokens for enhanced cryptographic acceleration.

Other APIs

These commands and functions can also be used as extensions to other Application Programming Interfaces (for example, OpenSSL).

Summary of New Functions

The several functions defined in this extension to PKCS#11 are introduced in the following table. These functions are described in more detail in later sections of this document.

Table 1: Summary of new Cryptoki Functions
Category Function Description

Key cloning

CA_SetCloningDomain

Sets the domain string used during token initialization.

CA_ClonePrivateKey

Permits the secure transfer a private key (RSA) between a source token and a target token.

CA_GenerateTokenKeys

Generate the private keys used for secure key cloning operations.

CA_GetTokenCertificateInfo

Obtain the cloning certificate.

CA_SetTokenCertificate
Signature

Sign the cloning certificate with the private keys generated for key cloning operations

Secret Sharing Activation (commonly referred to as MofN)

CA_SetMofN

Sets the security policy for the token to use the secret sharing feature.

CA_GenerateMofN

Generates the secret informa-tion on a token.

CA_ActivateMofN

Activates a token that has the secret sharing feature enabled.

CA_GenerateCloneableMofN

Creates a clonable secret-splitting vector on a token.

CA_CloneMofN

Copy a clonable secret-splitting vector from one token to another.

CA_DuplicateMofN

Creates duplicates (copies) of all MofN secret splits.

CA_ModifyMofN

Modifies the secret-splitting vector on a token.

CA_GetMofNStatus

Retrieves the MofN structure of the specified token.

Share login state across applications

CA_SetApplicationID

Sets the application's identifier.

CA_OpenApplicationID

Activates an application identifier, independent of any open sessions.

CA_CloseApplicationID

Deactivates an application identifier.

Indirect Login

CA_InitIndirectPIN

Initializes a user PIN so that it may be used normally or indirectly.

CA_IndirectLogin

Performs an indirect login operation.

Token State Vector Manipulation

CA_GetFPV

Retrieves the token's Fixed Policy Vector (FPV).

CA_GetTPV

Retrieves the token's Token Policy Vector (TPV).

CA_GetExtendedTPV

Retrieves the token's TPV and extended TPV.

CA_SetTPV

Sets the token's TPV.

CA_SetExtendedTPV

Sets the token's TPV and extended TPV.

XL

CA_GetNumberOfSSLSlots

Determine the number of accelerator slots (distinct from authentication slots, when SafeNet XL is also used with SafeNet CA 3 .)

CA_SSLSynchronizeObjects

Designates a master slot in an XL installation (you pass the slot number with the call) then clones the content of the master slot to all other accelerator slots

Derive and Wrap CA_DeriveKeyAndWrap This is an optimization of C_DeriveKey with C_Wrap, merging the two functions into one (the in and out constraints are the same as for the individual functions). A further optimization is applied when mechanism CKM_ECDH1_DERIVE is used with CA_DeriveKeyAndWrap.

Cryptoki Version Supported

The current release of SafeNet SafeNet Toolkit provides the Chrystoki library supporting version 2.20 of the Cryptoki standard.