Key Parameter Objects
SafeNet ProtectToolkit-C includes support for key parameter objects (as specified in PKCS#11 2.11 draft 3). These objects are used to store parameters associated with DSA or DH keys. It is possible to generate new objects of this type using the C_GenerateKey function.
Key parameter objects (object class CKO_DOMAIN_PARAMETERS
) hold public key generation parameters. This version of Cryptoki recognizes the following types of key parameters: DSA and Diffie-Hellman. The following table defines the footnotes that apply to each of the following attribute tables:
The following table defines the attributes common to key attribute objects in addition to the common attributes listed in Common Object Attributes and Common Storage Object Attributes:
Attribute |
Data Type |
Meaning |
---|---|---|
|
CK_KEY_TYPE
|
Type of key the parameters can be used to generate. |
|
CK_BBOOL
|
>generated locally (that is, on the token) with a C_GenerateKey >created with a C_CopyObject call as a copy of key parameters which had its |
Common footnotes for key parameter attribute tables
The rules applying to the CKA_LOCAL
mean that this attribute has the value TRUE
if and only if the key was originally generated on the token by a C_GenerateKey call.
DSA Public Key Parameter Objects
DSA public key parameter objects (object class CKO_DOMAIN_PARAMETERS
, key type CKK_DSA
) hold DSA public key parameters. The following table defines the DSA public key parameter object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute |
Data Type |
Meaning |
---|---|---|
|
Big integer |
Prime p (512 to 1024 bits, in steps of 64 bits) |
|
Big integer |
Subprime q (160 bits) |
|
Big integer |
Base g |
|
|
Length of the prime value |
Common footnotes for key parameter attribute tables
The CKA_PRIME
, CKA_SUBPRIME
and CKA_BASE
attribute values are collectively the “DSA parameters”. See FIPS PUB 186 for more information on DSA key parameters.
Objects of this type may be generated by using the C_GenerateKey with the CKM_DSA_PARAMETER_GEN
mechanism.
Diffie-Hellman Public Key Parameter Objects
Diffie-Hellman public key parameter objects (object class CKO_DOMAIN_PARAMETERS
, key type CKK_DH
) hold Diffie-Hellman public key parameters. The following table defines the Diffie-Hellman public key parameter object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute |
Data Type |
Meaning |
---|---|---|
|
Big integer |
Prime p |
|
Big integer |
Base g |
|
|
Length of the prime value |
Common footnotes for key parameter attribute tables
The CKA_PRIME
and CKA_BASE
attribute values are collectively the “Diffie-Hellman parameters”. Depending on the token, there may be limits on the length of the key components. See PKCS #3 for more information on Diffie-Hellman key parameters.
Objects of this type may be generated by using the C_GenerateKey with the CKM_DH_PKCS_PARAMETER_GEN
mechanism.
Elliptic Curve Public Key Parameter Objects
Elliptic Curve public key parameter objects (object class CKO_DOMAIN_PARAMETERS
, key type CKK_EC
) hold Elliptic Curve public key parameters.
The following table defines the Elliptic Curve public key parameter object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute |
Data Type |
Meaning |
---|---|---|
|
Byte Array |
DER encoding of ANSI X9.62 Parameters value |
Common footnotes for key parameter attribute tables
The CKA_EC_PARAMS
attribute values is the “Elliptic Curve parameters”. Depending on the token, there may be limits on the length of the key components.
SafeNet ProtectToolkit-C does not support generation of this type of object.
When objects of this type are stored using the C_CreateObject then the domain parameters are verified.
Key Generation Parameter Objects
This object type is used to hold DSA or DH key generation parameters.
The CKA_KEY_TYPE attribute indicates which type of parameters it is holding.
Where the key type is CKK_DSA the attributes should be as follows:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE | CK_KEY_TYPE |
Type of key. Must be CKK_DSA |
CKA_PRIME |
Big integer |
Prime |
CKA_SUBPRIME |
Big integer |
Prime |
CKA_BASE |
Big integer |
Prime |
Where the key type is CKK_DH the attributes should be as follows:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE | CK_KEY_TYPE |
Type of key. Must be CKK_DH |
CKA_PRIME |
Big integer |
Prime |
CKA_BASE |
Big integer |
Prime |
See CKM_EC_KEY_PAIR_GEN for more details on the Parameter value.