Cryptoki Extension

The Cryptoki Extension functions support FMs in a Luna HA environment.

Here are three new functions that help a Luna FM developer to write extensions to the standard Cryptoki API. They improve on the normal FM MD_SendReceive command by adding support for session, slot and object handle management.

This chapter contains the following sections:

>Features

>FM Design

>Function Descriptions

Slot numbers and object handles seen by Luna applications are virtual values and do not match the values seen by the HSM. The Cryptoki library performs translations as needed.

If stateful requests are part of the FM design, a method is provided that allows the application to specify which HSM will receive the request (even in HA mode).

Features:

>Map object handles from virtual values to HSM values.

>Map slot number from virtual to actual

>Simple Encode of parameter and mechanism

>Encode an operation command integer

>Encode attribute template

>Encode optional request data

>In HA mode, automatically choose the least-used HSM

>In HA mode, allow a message to be sent to a specific HSM

>Remap any returned object handles

>Replicate any returned objects to other HSMs in the HA group.

FM Design

FMs need to be designed to receive these new requests.

The FM must export a specific handler entry point to receive these requests and must pass on any unrecognized requests to the next FM in the list.

If no FM recognizes the request then an error is returned.

The request is not passed to the core standard firmware (FW).
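The dispatch contract described above, modelled as an added example (not code from the Luna SDK or this documentation). The handler signature, status codes, command numbers and function names are all hypothetical; the model uses a return code to stand in for "pass on to the next FM".

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical status codes for this model; these are not Luna SDK constants. */
enum { FM_OK = 0, FM_NOT_RECOGNIZED = 1, FM_ERR_NO_HANDLER = 2, FM_ERR_BAD_LENGTH = 3 };

/* Hypothetical handler signature: one exported entry point per FM. */
typedef int (*fm_handler_t)(uint32_t cmd, const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_cap, size_t *out_len);

/* FM A recognizes only command 0x10 (constructed): echoes the request data. */
static int fm_a_handler(uint32_t cmd, const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *out_len) {
    if (cmd != 0x10) return FM_NOT_RECOGNIZED;      /* not ours: pass it on */
    if (in_len > out_cap) return FM_ERR_BAD_LENGTH; /* never overrun the reply buffer */
    for (size_t i = 0; i < in_len; i++) out[i] = in[i];
    *out_len = in_len;
    return FM_OK;
}

/* FM B recognizes only command 0x20 (constructed): replies with the request length. */
static int fm_b_handler(uint32_t cmd, const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *out_len) {
    (void)in;
    if (cmd != 0x20) return FM_NOT_RECOGNIZED;
    if (out_cap < 1 || in_len > 255) return FM_ERR_BAD_LENGTH;
    out[0] = (uint8_t)in_len;
    *out_len = 1;
    return FM_OK;
}

/* Constructed FM list, in the order requests are offered to each FM. */
static const fm_handler_t fm_chain[] = { fm_a_handler, fm_b_handler };

/* Offer the request to each FM in turn. The first FM that recognizes the
 * command decides the result. If none does, fail closed with an error:
 * there is deliberately no fallback to a default or core handler. */
int dispatch_fm_request(uint32_t cmd, const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *out_len) {
    *out_len = 0;
    for (size_t i = 0; i < sizeof fm_chain / sizeof fm_chain[0]; i++) {
        int rc = fm_chain[i](cmd, in, in_len, out, out_cap, out_len);
        if (rc != FM_NOT_RECOGNIZED) return rc;
    }
    return FM_ERR_NO_HANDLER;
}
```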

Function Descriptions

This section contains the following function descriptions:

>CA_GetActualSlotList

>CA_SendFMRequestSession

>CA_SendFMRequestDirect