CKM_PKCS12_PBE_EXPORT
Supported Operations

| Operation | Supported |
|---|---|
| Encrypt and Decrypt | No |
| Sign and Verify | No |
| SignRecover and VerifyRecover | No |
| Digest | No |
| Generate Key/Key-Pair | No |
| Wrap and Unwrap | Wrap only |
| Derive | No |
| FIPS-approved | No |
Key Size Range (bytes) and Parameters

| Property | Value |
|---|---|
| Minimum | 1 |
| FIPS Minimum | N/A |
| Maximum | None |
| Parameter | CK_PKCS12_PBE_EXPORT_PARAMS |
Description
The PKCS#12 export mechanism, denoted CKM_PKCS12_PBE_EXPORT, is a mechanism for wrapping a private key and a certificate. The outcome of the wrapping operation is a PKCS#12 byte buffer.

This mechanism has a parameter, a CK_PKCS12_PBE_EXPORT_PARAMS structure.

This mechanism enforces a password length based on the token. If the PIN is too short, CKR_PIN_LEN_RANGE is returned.

This mechanism does not require a wrapping key, and it only supports RSA, ECDSA and DSA private keys and certificates.

During the wrapping operation, this mechanism performs a sign and verify test on the supplied key/certificate pair. Should this test fail, the wrapping operation aborts.

If the exported key is marked CKA_EXPORTABLE=TRUE and CKA_EXTRACTABLE=FALSE, this mechanism forces the export to be performed under the Security Officer session. In this case, the user must ensure that the private key is either visible to the Security Officer or made available to the Security Officer by performing a copy.

Note that the user performing the private key export is asked to supply two (2) passwords. These passwords must be identical if MS Windows is to be used to later extract the created PKCS#12 file. For other third-party tools such as OpenSSL, the two passwords do not have to be the same.

CK_PKCS12_PBE_EXPORT_PARAMS is a structure that provides the parameters to the CKM_PKCS12_PBE_EXPORT mechanism. This structure is defined as follows:
```c
typedef struct CK_PKCS12_PBE_EXPORT_PARAMS
{
    CK_OBJECT_HANDLE  keyCert;              /* certificate handle for the private key */
    CK_CHAR_PTR       passwordAuthSafe;     /* password for the PBE keys */
    CK_SIZE           passwordAuthSafeLen;  /* length of passwordAuthSafe */
    CK_CHAR_PTR       passwordHMAC;         /* password for the PBA keys */
    CK_SIZE           passwordHMACLen;      /* length of passwordHMAC */
    CK_MECHANISM_TYPE safeBagKgMech;        /* key generation mechanism for SafeBag encryption */
    CK_MECHANISM_TYPE safeContentKgMech;    /* key generation mechanism for SafeContent encryption */
    CK_MECHANISM_TYPE hmacKgMech;           /* key generation mechanism for the PFX MAC */
} CK_PKCS12_PBE_EXPORT_PARAMS;
```
The fields of the structure have the following meanings:

| Field | Meaning |
|---|---|
| keyCert | This is the certificate handle for the associated private key. |
| passwordAuthSafe | This is the password for the PBE keys. |
| passwordAuthSafeLen | This is the length of the password. |
| passwordHMAC | This is the password for the PBA keys. |
| passwordHMACLen | This is the length of the password. |
| safeBagKgMech | This is the key generation mechanism for SafeBag encryption. It is only applicable to pkcs8ShroudedKeyBag. Valid options are: |
| safeContentKgMech | This is the key generation mechanism for SafeContent encryption. It is only applicable to EncryptedData. Valid options are: |
| hmacKgMech | This is the key generation mechanism for generating the PFX MAC. Valid option is: |