CKM_REPLICATE_TOKEN_RSA_AES

Supported Operations

Encrypt and Decrypt No
Sign and Verify No
SignRecover and VerifyRecover No
Digest No
Generate Key/Key-Pair No
Wrap and Unwrap Yes
Derive No
Available in FIPS Mode Yes
Restrictions in FIPS Mode None

Key Size Range (bytes) and Parameters

Minimum 2048
FIPS Minimum 2048
Maximum 4096
Parameter CK_REPLICATE_TOKEN_PARAMS

Description

This is a Gemalto vendor-defined mechanism for wrapping and unwrapping tokens.

Wrapping Tokens

The mechanism wraps the token associated with the hSession parameter to C_WrapKey() into a protected format. When the mechanism is used to wrap a token it has a required parameter, a CK_REPLICATE_TOKEN_PARAMS_PTR.

The CK_REPLICATE_TOKEN_PARAMS structure is defined as follows:

typedef struct CK_REPLICATE_TOKEN_PARAMS {
CK_CHAR peerId[CK_SERIAL_NUMBER_SIZE];
} CK_REPLICATE_TOKEN_PARAMS;

The peerId field identifies the peer public key on the administrative token. The public key is used to wrap the token encryption key and therefore must identify the public key of the destination HSM.

CK_REPLICATE_TOKEN_PARAMS_PTR is a pointer to a CK_REPLICATE_TOKEN_PARAMS.

The following conditions must be satisfied:

>The token being wrapped which is associated with the hSession parameter to the C_WrapKey() must be a regular user token (i.e. NOT the administrative token or a smart-card token).

>The session state for hSession must be one of CKS_RO_USER_FUNCTIONS or CKS_RW_USER_FUNCTIONS.

>The hWrappingKey parameter to C_WrapKey() must specify CK_INVALID_HANDLE.

>The hKey parameter to C_WrapKey() must specify CK_INVALID_HANDLE.

Unwrapping Tokens

This mechanism unwraps the protected token information, replacing the entire token contents of the token associated with the hSession parameter to C_UnwrapKey().When the mechanism is used for unwrapping a token, a mechanism parameter must not be specified.

The following conditions must be satisfied:

>The token being unwrapped which is associated with the hSession parameter to C_UnwrapKey() must be a regular user token. That is, NOT the administrative token or a smart card token.

>The session state for hSession must be CKS_RW_USER_FUNCTIONS.

>The hUnwrappingKey parameter to C_UnwrapKey() must specify CK_INVALID_HANDLE.

>The pTemplate parameter to C_UnwrapKey() must specify NULL.

>The ulAttributeCount parameter to C_UnwrapKey() must specify zero.

>The phKey parameter to C_UnwrapKey() must specify NULL.

>Any new sessions must be deferred until the operation has finished.

>The current session must be the only session in existence for the token.

>The application should call C_Finalize() upon completion.

Return to SafeNet ProtectToolkit-C Mechanisms