CKM_DECODE_PKCS_7

Supported Operations

Encrypt and Decrypt

No

Sign and Verify

No

SignRecover and VerifyRecover

No

Digest

No

Generate Key/Key-Pair

No

Wrap and Unwrap

No

Derive

Yes

Available in FIPS Mode

Yes

Restrictions in FIPS Mode None

Key Size Range (bytes) and Parameters

Minimum 0
FIPS Minimum 0
Maximum None
Parameter None

Description

This mechanism is used with the C_DeriveKey function to derive a set of X.509 Certificate objects and X.509 CRL objects from a PKCS#7 object. The base key object handle is a CKO_DATA object (the PKCS#7 encoding) which has a CKA_OBJECT_ID attribute indicating the type of the object as being a PKCS#7 encoding. This mechanism does not take any parameters.

One of the functions of PKCS#7 is a mechanism for distributing certificates and CRLs in a single encoded package. In this case the PKCS#7 message content is usually empty. This mechanism is provided to split certificates and CRLs from such a PKCS7 encoding so that those certificates and CRLs may be further processed.

This mechanism will decode a PKCS#7 encoding and create PKCS#11 objects for all certificates (object class CKO_CERTIFICATE) and CRLs (object class CKO_CRL) that it finds in the encoding. The signature on the PKCS#7 content is not verified. The parameter containing the newly derived key is the last Certificate or CRL that is extracted from the PKCS#7 encoding. The attribute template is applied to all objects extracted from the encoding.

Return to SafeNet ProtectToolkit-C Mechanisms