|
Home > |
|---|
Public key objects (object class CKO_PUBLIC_KEY) hold public keys. This version of Cryptoki recognizes four types of public keys: RSA, DSA, Diffie-Hellman and Elliptic Curve. The following table defines the attributes common to all public keys, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common Key Attributes:
Common footnotes for key attribute tables
In the interests of interoperability, it is intended that the subject name and key identifier for a public key is to be the same as those for the corresponding certificate and private key. However, this is not enforced, and it is not required that the certificate and private key be stored on the same token.
To map between ISO/IEC 9594-8 (X.509) key usage flags for public keys and the PKCS #11 attributes for public keys, use the following table. SafeNet ProtectToolkit-C does not enforce these usage flags. When a certificate object is created, it may have any of the standard Cryptoki usage attributes, which is enforced.
|
Key Usage Flags for Public Keys |
Corresponding Cryptoki |
|---|---|
|
dataEncipherment |
CKA_ENCRYPT
|
|
digitalSignature, keyCertSign, cRLSign |
CKA_VERIFY
|
|
digitalSignature, keyCertSign, cRLSign |
CKA_VERIFY_RECOVER
|
|
keyAgreement |
CKA_DERIVE
|
|
keyEncipherment |
CKA_WRAP
|
|
nonRepudiation |
CKA_VERIFY
|
|
nonRepudiation |
CKA_VERIFY_RECOVER
|
RSA public key objects (object class CKO_PUBLIC_KEY, key type CKK_RSA) hold RSA public keys. The following table defines the RSA public key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Public Key Attributes:
|
Attribute |
Data Type |
Meaning |
|---|---|---|
|
|
Big integer |
Modulus n |
|
|
CK_ULONG
|
Length in bits of modulus n |
|
|
Big integer |
Public exponent e |
Common footnotes for key attribute tables
Depending on the token, there may be limits on the length of key components. See PKCS #1 for more information on RSA keys.
DSA public key objects (object class CKO_PUBLIC_KEY, key type CKK_DSA) hold DSA public keys. The following table defines the DSA public key object attributes, in addition to the common attributes listed in Common Attributes, Storage Objects, Key Objects, and Common Public Key Attributes:
|
Attribute |
Data Type |
Meaning |
|---|---|---|
|
|
Big integer |
Prime p (512 to 1024 bits, in steps of 64 bits) |
|
|
Big integer |
Subprime q (160 bits) |
|
|
Big integer |
Base g |
|
|
Big integer |
Public value y |
Common footnotes for key attribute tables
The CKA_PRIME, CKA_SUBPRIME and CKA_BASE attribute values are, collectively, the “DSA parameters”.
Diffie-Hellman public key objects (object class CKO_PUBLIC_KEY, key type CKK_DH) hold Diffie-Hellman public keys. The following table defines the Diffie-Hellman public key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Public Key Attributes:
|
Attribute |
Data Type |
Meaning |
|---|---|---|
|
|
Big integer |
Prime p |
|
|
Big integer |
Base g |
|
|
Big integer |
Public value y |
Common footnotes for key attribute tables
The CKA_PRIME and CKA_BASE attribute values are collectively the “Diffie-Hellman parameters”. Depending on the token, there may be limits on the length of the key components. See PKCS #3 for more information on Diffie-Hellman keys.
EC (also related to ECDSA) public key objects (object class CKO_PUBLIC_KEY, key type CKK_EC or CKK_ECDSA in PKCS#11 v2.20) hold EC public keys. The following table defines the EC public key object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, Common Key Attributes, and Common Public Key Attributes:
|
Attribute |
Data Type |
Meaning |
|---|---|---|
|
( |
Byte Array |
DER-encoding of an ANSI X9.62 Parameters value |
|
|
Byte Array |
DER-encoding of an ANSI X9.62 ECPoint value Q |
Common footnotes for key attribute tables
The CKA_EC_PARAMS or CKA_ECDSA_PARAMS attribute value is known as the “EC domain parameters” and is defined in ANSI X9.62 as a choice of three parameter representation methods with the following syntax:
Parameters ::= CHOICE {
ecParameters ECParameters,
namedCurve CURVES.&id({CurveNames}),
implicitlyCA NULL
}
This allows detailed specification of all required values using choice ecParameters, the use of a namedCurve as an object identifier substitute for a particular set of elliptic curve domain parameters, or implicitlyCA to indicate that the domain parameters are explicitly defined elsewhere. The use of a namedCurve is recommended over ecParameters. The choice implicitlyCA must not be used in Cryptoki.
Both the namedCurve and ecParameters methods are supported in SafeNet ProtectToolkit-C. See CKM_EC_KEY_PAIR_GEN for details.