PKCS #11 Attributes
Objects, as described by PKCS #11, consist of a number of attributes that define both the object itself and its access policy. In general, ProtectToolkit-C defines the attributes that describe the object; the access policy should be set by the user according to their particular requirements. The following attribute descriptions are intended to assist with those decisions.
Attribute | Description |
---|---|
CKA_LABEL | This attribute specifies a textual label for an object. The label is used to help differentiate the various objects stored on a token. Note: Although ProtectToolkit-C does not require this label to be unique, various other tools may. |
CKA_CLASS | This attribute is assigned by the system when an object is created. The classes in common use are CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY, CKO_CERTIFICATE, CKO_CERTIFICATE_REQUEST and CKO_DATA. |
CKA_KEY_TYPE | This attribute specifies the key type associated with the object. ProtectToolkit-C supports many key types, for example CKK_AES, CKK_DES, CKK_DES2, CKK_DES3, CKK_RSA, CKK_DSA and CKK_BIP32. |
CKA_ENCRYPT / CKA_DECRYPT / CKA_SIGN / CKA_VERIFY / CKA_WRAP / CKA_UNWRAP | These attributes describe the cryptographic operations the key may be used for. Assign them carefully, granting only the operations the key actually needs, to avoid key misuse. |
CKA_IMPORT | This attribute is similar to the standard CKA_UNWRAP attribute: it determines whether a given key can be used to unwrap encrypted key material. The important difference from the standard attribute is that if CKA_IMPORT is set to TRUE and CKA_UNWRAP is set to FALSE, the only unwrap mechanism that can be used is CKM_WRAPKEY_DES3_CBC. With this combination, the error code CKR_MECHANISM_INVALID is returned for all other mechanisms. |
CKA_EXPORT | This attribute is similar to the CKA_WRAP attribute, in that it specifies that the key may be used to encrypt a second key so that it can be extracted from the HSM in encrypted form. Unlike CKA_WRAP, however, only the Security Officer may set this attribute. |
CKA_SENSITIVE | This attribute specifies that the key material cannot be extracted from the token in the clear. Generally this attribute should be set to TRUE to ensure the key material is not exposed. When the No Clear PINs security flag is set, only sensitive keys may be created on the HSM. |
CKA_EXTRACTABLE / CKA_EXPORTABLE | These attributes specify that the key may be extracted from the token in encrypted (that is, wrapped) form; they determine how the key may be backed up. For more information about setting these attributes for key backup, see Secure Key Backup and Restoration. |
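The table above says to assign the usage attributes carefully but does not show what "careful" looks like in a template. The following is an added example, not code from the ProtectToolkit-C manual or SDK: a small lint that checks a PKCS #11 key template before it is handed to C_GenerateKey or C_CreateObject. It enforces three rules drawn from the table and from PKCS #11 practice: CKA_SENSITIVE must be TRUE; CKA_WRAP and CKA_DECRYPT must not both be TRUE on the same key (the well-known PKCS #11 wrap-then-decrypt pitfall, where a sensitive key wrapped under such a key is simply decrypted with it and recovered in the clear); and a key should either wrap other keys or process data, not both. The CK_* types and constants are a minimal subset of the standard PKCS #11 header reproduced inline so the file compiles without the SDK; the three templates and their labels are constructed for the example. The vendor attributes CKA_IMPORT, CKA_EXPORT and CKA_EXPORTABLE are not checked because their numeric values are vendor-specific and are not given on this page.

```c
/* Added example, not part of the ProtectToolkit-C manual or SDK.
 * The CK_* definitions below are a minimal subset of the standard PKCS #11
 * header, reproduced inline so this file builds without the SDK; real code
 * should include cryptoki.h and pass an accepted template to
 * C_GenerateKey/C_CreateObject. Vendor attributes (CKA_IMPORT, CKA_EXPORT,
 * CKA_EXPORTABLE) are omitted because their values are vendor-specific. */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_KEY_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_CLASS       0x000UL
#define CKA_TOKEN       0x001UL
#define CKA_LABEL       0x003UL
#define CKA_KEY_TYPE    0x100UL
#define CKA_SENSITIVE   0x103UL
#define CKA_ENCRYPT     0x104UL
#define CKA_DECRYPT     0x105UL
#define CKA_WRAP        0x106UL
#define CKA_UNWRAP      0x107UL
#define CKA_VALUE_LEN   0x161UL
#define CKA_EXTRACTABLE 0x162UL
#define CKO_SECRET_KEY  0x4UL
#define CKK_AES         0x1FUL

enum template_verdict {
    TMPL_OK = 0,
    TMPL_NOT_SENSITIVE,    /* CKA_SENSITIVE absent or FALSE: key could leave the HSM in the clear */
    TMPL_WRAP_AND_DECRYPT, /* CKA_WRAP and CKA_DECRYPT both TRUE on one key */
    TMPL_MIXED_ROLES       /* key-wrapping key is also usable as a data key */
};

/* Read a CK_BBOOL attribute from a template; an absent attribute yields dflt. */
static int bool_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type, int dflt)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type && t[i].pValue != NULL && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue == CK_TRUE;
    return dflt;
}

enum template_verdict check_key_template(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    int sensitive = bool_attr(t, n, CKA_SENSITIVE, 0);
    int wrap = bool_attr(t, n, CKA_WRAP, 0), unwrap = bool_attr(t, n, CKA_UNWRAP, 0);
    int encrypt = bool_attr(t, n, CKA_ENCRYPT, 0), decrypt = bool_attr(t, n, CKA_DECRYPT, 0);

    if (!sensitive)
        return TMPL_NOT_SENSITIVE;
    /* Wrap a sensitive key under this key, then decrypt the wrapped blob with the
     * same key: the sensitive key comes out in the clear. Refuse the combination. */
    if (wrap && decrypt)
        return TMPL_WRAP_AND_DECRYPT;
    /* Least privilege: a key either wraps other keys or processes data, not both. */
    if ((wrap || unwrap) && (encrypt || decrypt))
        return TMPL_MIXED_ROLES;
    return TMPL_OK;
}

static CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
static CK_OBJECT_CLASS cls = CKO_SECRET_KEY;
static CK_KEY_TYPE aes = CKK_AES;
static CK_ULONG aes256 = 32;

/* Constructed sample templates; the labels are hypothetical. */
static CK_ATTRIBUTE kek_template[] = {           /* dedicated key-encryption key */
    {CKA_CLASS, &cls, sizeof cls},     {CKA_KEY_TYPE, &aes, sizeof aes},
    {CKA_TOKEN, &yes, sizeof yes},     {CKA_LABEL, "kek-01", 6},
    {CKA_VALUE_LEN, &aes256, sizeof aes256},
    {CKA_SENSITIVE, &yes, sizeof yes}, {CKA_EXTRACTABLE, &no, sizeof no},
    {CKA_WRAP, &yes, sizeof yes},      {CKA_UNWRAP, &yes, sizeof yes},
    {CKA_ENCRYPT, &no, sizeof no},     {CKA_DECRYPT, &no, sizeof no},
};
static CK_ATTRIBUTE do_everything_template[] = { /* the combination to avoid */
    {CKA_CLASS, &cls, sizeof cls},     {CKA_KEY_TYPE, &aes, sizeof aes},
    {CKA_LABEL, "swiss-army", 10},     {CKA_VALUE_LEN, &aes256, sizeof aes256},
    {CKA_SENSITIVE, &yes, sizeof yes},
    {CKA_WRAP, &yes, sizeof yes},      {CKA_DECRYPT, &yes, sizeof yes},
    {CKA_ENCRYPT, &yes, sizeof yes},
};
static CK_ATTRIBUTE clear_template[] = {         /* CKA_SENSITIVE never set */
    {CKA_CLASS, &cls, sizeof cls},     {CKA_KEY_TYPE, &aes, sizeof aes},
    {CKA_LABEL, "data-01", 7},         {CKA_VALUE_LEN, &aes256, sizeof aes256},
    {CKA_ENCRYPT, &yes, sizeof yes},   {CKA_DECRYPT, &yes, sizeof yes},
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

enum template_verdict lint_kek(void)           { return check_key_template(kek_template, COUNT(kek_template)); }
enum template_verdict lint_do_everything(void) { return check_key_template(do_everything_template, COUNT(do_everything_template)); }
enum template_verdict lint_clear(void)         { return check_key_template(clear_template, COUNT(clear_template)); }

int main(void)
{
    static const char *name[] = {"OK", "NOT_SENSITIVE", "WRAP_AND_DECRYPT", "MIXED_ROLES"};
    printf("kek-01:     %s\n", name[lint_kek()]);
    printf("swiss-army: %s\n", name[lint_do_everything()]);
    printf("data-01:    %s\n", name[lint_clear()]);
    return 0;
}
```

The default of 0 for an absent CKA_SENSITIVE is deliberate: the table recommends setting the attribute explicitly, and a lint that silently trusts a token's default would miss templates that forgot it. If the key must be backed up, add CKA_EXTRACTABLE or CKA_EXPORTABLE to the accepted template and control the wrapping key with CKA_EXPORT as described above; the sensitivity check still applies.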