CKM_DECODE_PKCS_7
Supported Operations
|
Encrypt and Decrypt |
No |
|
Sign and Verify |
No |
|
SignRecover and VerifyRecover |
No |
|
Digest |
No |
|
Generate Key/Key-Pair |
No |
|
Wrap and Unwrap |
No |
|
Derive |
Yes |
|
FIPS-approved |
Yes |
Key Size Range (bytes) and Parameters
| Minimum | 0 |
| FIPS Minimum | 0 |
| Maximum | 0 |
| Parameter | None |
Description
This mechanism is used with the C_DeriveKey function to derive a set of X.509 Certificate objects and X.509 CRL objects from a PKCS#7 object. The base key object handle is a CKO_DATA object (the PKCS#7 encoding) which has a CKA_OBJECT_ID attribute indicating the type of the object as being a PKCS#7 encoding. This mechanism does not take any parameters.
One of the functions of PKCS#7 is a mechanism for distributing certificates and CRLs in a single encoded package. In this case the PKCS#7 message content is usually empty. This mechanism is provided to split certificates and CRLs from such a PKCS7 encoding so that those certificates and CRLs may be further processed.
This mechanism will decode a PKCS#7 encoding and create PKCS#11 objects for all certificates (object class CKO_CERTIFICATE) and CRLs (object class CKO_CRL) that it finds in the encoding. The signature on the PKCS#7 content is not verified. The parameter containing the newly derived key is the last Certificate or CRL that is extracted from the PKCS#7 encoding. The attribute template is applied to all objects extracted from the encoding.
Return to SafeNet ProtectToolkit-C Mechanisms
