PKCS #11 Attributes

Objects, as described by PKCS #11, consist of a number of attributes that define both the object and its access policy. In general, the SafeNet ProtectToolkit-C system will define the object’s attributes. Access policy should be provided by the user based on their particular requirements. The following attribute descriptions are intended to assist with these decisions.

Attribute Description
CKA_LABEL

This attribute specifies a textual label for an object. This label is used to assist in differentiating the various objects stored on a token.

NOTE   Although SafeNet ProtectToolkit-C does not require this attribute to be unique, various other tools may.

CKA_CLASS

This attribute is assigned by the system when an object is created. There are a number of classes in common use:

>CKO_PUBLIC_KEY

>CKO_PRIVATE_KEY

>CKO_SECRET_KEY

>CKO_CERTIFICATE

>CKO_CERTIFICATE_REQUEST

>CKO_DATA

CKA_KEY_TYPE

This attribute specifies the key type associated with the object. There are many key types supported by SafeNet ProtectToolkit-C. For example:

>CKK_AES, CKK_DES, CKK_DES2, CKK_DES3, CKK_RSA, CKK_DSA, CKK_BIP32

>CKA_ENCRYPT

>CKA_DECRYPT

>CKA_SIGN

>CKA_VERIFY

>CKA_WRAP

>CKA_UNWRAP

The previous attributes describe the cryptographic operations the key may be used for. Careful consideration should be given when assigning these attributes, to avoid key misuse.

CKA_IMPORT

This attribute is similar to the standard CKA_UNWRAP attribute. It is used to determine if a given key can be used to unwrap encrypted key material.  The important difference between these attributes and their standard counterparts is that if CKA_IMPORT is set to True and CKA_UNWRAP attribute is set to False, then the only unwrap mechanism that can be used is CKM_WRAPKEY_DES3_CBC.  With this combination, the error code CKR_MECHANISM_INVALID will be returned for all other mechanisms.

CKA_EXPORT

This attribute is similar to the CKA_WRAP attribute, in that it specifies that the key may be used to encrypt a second key, so that it may be extracted from the HSM in an encrypted form. Unlike the CKA_WRAP attribute, however, only the Security Officer may specify this attribute.

CKA_SENSITIVE

This attribute specifies that the key object cannot be extracted from the token in the clear.  Generally this attribute should be specified to ensure the key material is not exposed. When the No Clear PINs flag is set only sensitive keys may be created on the HSM.

CKA_EXTRACTABLE/

CKA_EXPORTABLE

These attributes are used to specify that the key may be extracted from the token in an encrypted (for example, wrapped) form.  These attributes determine how the key may be backed up. Please consult the key backup section in Unauthenticated Users"Unauthenticated Users" in the SafeNet ProtectToolkit-C Administration Guide for more information.