Certificate Objects

The following figure illustrates details of certificate objects:

Figure 1: Certificate Object Attribute

Hierarchy Certificate objects (object class CKO_CERTIFICATE) hold public-key or attribute certificates.  Other than providing access to certificate objects, Cryptoki does not attach any special meaning to certificates.  SafeNet ProtectToolkit-C, however, does include a number of extensions to Cryptoki that allows for more sophisticated certificate processing.

In addition to a number of extension attributes, it is possible to use a certificate object in place of a public key object.  It is also possible to generate certificates (or certification requests) from public keys.  Finally, it is possible to introduce trusted certificates that allow for certificate path verification.

The following table defines the common certificate object attributes, in addition to the common attributes listed in Common Object Attributes and Common Storage Object Attributes:

Table 2: Common Certificate Object Attributes

Attribute

Data Type

Meaning

CKA_CERTIFICATE_TYPE1

CK_CERTIFICATE_TYPE

Type of certificate

CKA_TRUSTED2,3

CK_BBOOL

Trust state of the object; see above description

CKA_DERIVE2

CK_BBOOL

Indicates if certificate can be used in derive mechanisms

1 Must be specified when the object is created.
2 SafeNet Extension
3 May be specified as TRUE only by the Security Officer.
The CKA_CERTIFICATE_TYPE attribute may not be modified after an object is created.

X.509 Public Key Certificate Objects

X.509 certificate objects (certificate type CKC_X_509) hold X.509 public key certificates.  The following table defines the X.509 certificate object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes and Common Certificate Object Attributes:

Table 3: X.509 Certificate Object Attributes

Attribute

Data Type

Meaning

CKA_SUBJECT1

Byte array

DER-encoding of the certificate subject name

CKA_SUBJECT_STR2

Byte array

Printable representation of CKA_SUBJECT attribute

CKA_ID

Byte array

Key identifier for public/private key pair (default empty)

CKA_ISSUER

Byte array

DER-encoding of the certificate issuer name (default empty)

CKA_ISSUER_STR2

Byte array

Printable representation of CKA_ISSUER attribute

CKA_SERIAL_NUMBER

Byte array

DER-encoding of the certificate serial number (default empty)

CKA_SERIAL_NUMBER_INT2

Big Integer

Certificate serial number as an integer (default empty)

CKA_VALUE1

Byte array

BER-encoding of the certificate

1 Must be specified when the object is created.
2 SafeNet Extension

Only the CKA_ID, CKA_ISSUER and CKA_SERIAL_NUMBER attributes may be modified after the object is created.

The CKA_ID attribute is intended to be a means of distinguishing multiple public/private key pairs held by the same subject (whether stored in the same token or not).  Since subject names, as well as identifiers, distinguish keys, it is possible that keys that have different subjects may have the same CKA_ID value without introducing any ambiguity.

It is intended, in the interests of interoperability, that the subject name and key identifier for a certificate is to be the same as those for the corresponding public and private keys (though it is not required that all be stored in the same token). Cryptoki does not enforce this association or even the uniqueness of the key identifier for a given subject.  In fact, an application may leave the key identifier empty.

The CKA_ISSUER and CKA_SERIAL_NUMBER attributes are for compatibility with PKCS #7 and Privacy Enhanced Mail (RFC1421).

NOTE   With the version 3 extensions to X.509 certificates, the key identifier may be carried in the certificate.  It is intended that the CKA_ID value be identical to the key identifier in such a certificate extension, however Cryptoki will not enforce this.

Certificate Request Objects

Certificate request objects (object class CKO_CERTIFICATE_REQUEST) hold a PKCS#10 certificate request. There are mechanisms included to generate a Certificate Request object from an RSA public key (see CKM_ENCODE_PKCS_10) or generate a Certificate from a Certificate Request (see CKM_ENCODE_X_509). This object class is a vendor-defined extension class. The following table defines the Certificate request object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes and Common Certificate Object Attributes:

Table 4: Certificate Request Object Attributes

Attribute

Data Type

Meaning

CKA_SUBJECT

Byte array

DER-encoding of the certificate subject name

CKA_SUBJECT_STR2

Byte array

Printable representation of CKA_SUBJECT attribute

CKA_VALUE1

Byte array

BER-encoding of the certificate

KEY_TYPE CK_KEY_TYPE

Type of public key in request

1 Must be specified when the object is created.
2 SafeNet Extension

Certificate Revocation List

Certificate Revocation List (CRL) objects (object class CKO_CRL) hold a certificate revocation list. This object class is a vendor defined extension class.

The following table defines the CRL object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes and Common Certificate Object Attributes:

Table 5: Certificate Revocation Object Attributes

Attribute

Data Type

Meaning

CKA_SUBJECT

Byte array

DER-encoding of the certificate subject name

CKA_SUBJECT_STR2

Byte array

Printable representation of CKA_SUBJECT attribute

CKA_VALUE1

Byte array

BER-encoding of the certificate

1 Must be specified when the object is created.
2 SafeNet Extension