Certificate Objects

The following figure illustrates details of certificate objects:

Figure 1: Certificate Object Attribute

Hierarchy Certificate objects (object class CKO_CERTIFICATE) hold public-key or attribute certificates.  Other than providing access to certificate objects, Cryptoki does not attach any special meaning to certificates.  ProtectToolkit-C, however, does include a number of extensions to Cryptoki that allows for more sophisticated certificate processing.

In addition to a number of extension attributes, it is possible to use a certificate object in place of a public key object. It is also possible to generate certificates (or certification requests) from public keys.  Finally, it is possible to introduce trusted certificates that allow for certificate path verification.

The following table defines the common certificate object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes and Table 1: Common Storage Object Attributes:

Table 2: Common Certificate Object Attributes
Attribute Data Type Meaning
CKA_CERTIFICATE_TYPE1 CK_CERTIFICATE_TYPE Type of certificate
CKA_TRUSTED2,3 CK_BBOOL Trust state of the object; see above description
CKA_DERIVE2 CK_BBOOL Indicates if certificate can be used in derive mechanisms

1 Must be specified when the object is created.
2 SafeNet Extension
3 May be specified as TRUE only by the Security Officer.

The CKA_CERTIFICATE_TYPE attribute may not be modified after an object is created.

X.509 Public Key Certificate Objects

X.509 certificate objects (certificate type CKC_X_509) hold X.509 public key certificates.  The following table defines the X.509 certificate object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes and Common Certificate Object Attributes:

Table 3: X.509 Certificate Object Attributes
Attribute Data Type Meaning
CKA_SUBJECT1 Byte array DER-encoding of the certificate subject name
CKA_SUBJECT_STR2 Byte array Printable representation of CKA_SUBJECT attribute
CKA_ID Byte array Key identifier for public/private key pair (default empty)
CKA_ISSUER Byte array DER-encoding of the certificate issuer name (default empty)
CKA_ISSUER_STR2 Byte array Printable representation of CKA_ISSUER attribute
CKA_SERIAL_NUMBER Byte array DER-encoding of the certificate serial number (default empty)
CKA_SERIAL_NUMBER_INT2 Big Integer Certificate serial number as an integer (default empty)
CKA_VALUE1 Byte array BER-encoding of the certificate

1 Must be specified when the object is created.
2 SafeNet Extension

Only the CKA_ID, CKA_ISSUER and CKA_SERIAL_NUMBER attributes may be modified after the object is created.

The CKA_ID attribute is intended to be a means of distinguishing multiple public/private key pairs held by the same subject (whether stored in the same token or not).  Since subject names, as well as identifiers, distinguish keys, it is possible that keys that have different subjects may have the same CKA_ID value without introducing any ambiguity.

It is intended, in the interests of interoperability, that the subject name and key identifier for a certificate is to be the same as those for the corresponding public and private keys (though it is not required that all be stored in the same token). Cryptoki does not enforce this association or even the uniqueness of the key identifier for a given subject.  In fact, an application may leave the key identifier empty.

The CKA_ISSUER and CKA_SERIAL_NUMBER attributes are for compatibility with PKCS #7 and Privacy Enhanced Mail (RFC1421).

NOTE   With the version 3 extensions to X.509 certificates, the key identifier may be carried in the certificate.  It is intended that the CKA_ID value be identical to the key identifier in such a certificate extension, however Cryptoki will not enforce this.

Certificate Request Objects

Certificate request objects (object class CKO_CERTIFICATE_REQUEST) hold a PKCS#10 certificate request. There are mechanisms included to generate a Certificate Request object from an RSA public key (see CKM_ENCODE_PKCS_10) or generate a Certificate from a Certificate Request (see CKM_ENCODE_X_509). This object class is a vendor-defined extension class. The following table defines the Certificate request object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes and Common Certificate Object Attributes:

Table 4: Certificate Request Object Attributes
Attribute Data Type Meaning
CKA_SUBJECT Byte array DER-encoding of the certificate subject name
CKA_SUBJECT_STR2 Byte array Printable representation of CKA_SUBJECT attribute
CKA_VALUE1 Byte array BER-encoding of the certificate
KEY_TYPE CK_KEY_TYPE Type of public key in request

1 Must be specified when the object is created.
2 SafeNet Extension

Certificate Revocation List

Certificate Revocation List (CRL) objects (object class CKO_CRL) hold a certificate revocation list. This object class is a vendor defined extension class.

The following table defines the CRL object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes and Common Certificate Object Attributes:

Table 5: Certificate Revocation Object Attributes
Attribute Data Type Meaning
CKA_SUBJECT Byte array DER-encoding of the certificate subject name
CKA_SUBJECT_STR2 Byte array Printable representation of CKA_SUBJECT attribute
CKA_VALUE1 Byte array BER-encoding of the certificate

1 Must be specified when the object is created.
2 SafeNet Extension