Certificate Objects
The following figure illustrates details of certificate objects:
Figure 1: Certificate Object Attribute Hierarchy
Certificate objects (object class CKO_CERTIFICATE) hold public-key or attribute certificates. Other than providing access to certificate objects, Cryptoki does not attach any special meaning to certificates. ProtectToolkit-C, however, includes a number of extensions to Cryptoki that allow for more sophisticated certificate processing.
In addition to a number of extension attributes, it is possible to use a certificate object in place of a public key object. It is also possible to generate certificates (or certification requests) from public keys. Finally, it is possible to introduce trusted certificates that allow for certificate path verification.
The following table defines the common certificate object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes and Table 1: Common Storage Object Attributes:
¹ Must be specified when the object is created.
² SafeNet Extension
³ May be specified as TRUE only by the Security Officer.
The CKA_CERTIFICATE_TYPE attribute may not be modified after an object is created.
X.509 Public Key Certificate Objects
X.509 certificate objects (certificate type CKC_X_509) hold X.509 public key certificates. The following table defines the X.509 certificate object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes and Common Certificate Object Attributes:
Attribute | Data Type | Meaning
---|---|---
CKA_SUBJECT ¹ | Byte array | DER-encoding of the certificate subject name
CKA_SUBJECT_STR ² | Byte array | Printable representation of CKA_SUBJECT attribute
CKA_ID | Byte array | Key identifier for public/private key pair (default empty)
CKA_ISSUER | Byte array | DER-encoding of the certificate issuer name (default empty)
CKA_ISSUER_STR ² | Byte array | Printable representation of CKA_ISSUER attribute
CKA_SERIAL_NUMBER | Byte array | DER-encoding of the certificate serial number (default empty)
CKA_SERIAL_NUMBER_INT ² | Big Integer | Certificate serial number as an integer (default empty)
CKA_VALUE ¹ | Byte array | BER-encoding of the certificate

¹ Must be specified when the object is created.
² SafeNet Extension
Only the CKA_ID, CKA_ISSUER and CKA_SERIAL_NUMBER attributes may be modified after the object is created.
The CKA_ID attribute is intended to be a means of distinguishing multiple public/private key pairs held by the same subject (whether stored in the same token or not). Since subject names, as well as identifiers, distinguish keys, it is possible that keys that have different subjects may have the same CKA_ID value without introducing any ambiguity.
It is intended, in the interests of interoperability, that the subject name and key identifier for a certificate be the same as those for the corresponding public and private keys (though it is not required that all be stored in the same token). Cryptoki does not enforce this association or even the uniqueness of the key identifier for a given subject. In fact, an application may leave the key identifier empty.
The CKA_ISSUER and CKA_SERIAL_NUMBER attributes are for compatibility with PKCS #7 and Privacy Enhanced Mail (RFC 1421).
NOTE With the version 3 extensions to X.509 certificates, the key identifier may be carried in the certificate. It is intended that the CKA_ID value be identical to the key identifier in such a certificate extension; however, Cryptoki does not enforce this.
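Because Cryptoki checks neither the required attributes beyond what the token rejects nor the CKA_SUBJECT/CKA_ID convention above, an application that creates certificate objects is well served by checking its own template first. The following is an added example, not code from the ProtectToolkit-C documentation or SDK: it builds a CKO_CERTIFICATE / CKC_X_509 template of the kind passed to C_CreateObject, verifies that the attributes the table marks as required are present and well-formed, and confirms that the certificate's CKA_SUBJECT and CKA_ID match the private key it is meant to pair with. The CK_* typedefs and constants are a local mirror of the standard PKCS#11 header values so the file compiles without the SDK (real code includes the toolkit's cryptoki header instead); the certificate bytes, subject and key identifier are constructed placeholders, not a real certificate.

```c
/* Added example, not from the ProtectToolkit-C documentation. The CK_*
 * definitions below mirror standard PKCS#11 (v2.x) header values so this
 * compiles stand-alone; real code includes the toolkit's cryptoki header. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_CERTIFICATE_TYPE;
typedef unsigned char CK_BYTE;

typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CKA_CLASS            0x00000000UL
#define CKA_VALUE            0x00000011UL
#define CKA_CERTIFICATE_TYPE 0x00000080UL
#define CKA_SUBJECT          0x00000101UL
#define CKA_ID               0x00000102UL
#define CKO_CERTIFICATE      0x00000001UL
#define CKO_PRIVATE_KEY      0x00000003UL
#define CKC_X_509            0x00000000UL

/* Constructed sample values: cert_der is a placeholder DER SEQUENCE, not a
 * real X.509 certificate, and subject is an empty DER Name. */
static CK_OBJECT_CLASS     cert_class = CKO_CERTIFICATE;
static CK_CERTIFICATE_TYPE cert_type  = CKC_X_509;
static CK_OBJECT_CLASS     key_class  = CKO_PRIVATE_KEY;
static CK_BYTE subject[]  = { 0x30, 0x00 };
static CK_BYTE cert_der[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static CK_BYTE key_id[]   = { 0x01, 0x02, 0x03, 0x04 };

/* Certificate template as handed to C_CreateObject. CKA_VALUE is last so
 * that passing a shorter count models a template that omits it. */
CK_ATTRIBUTE cert_template[] = {
    { CKA_CLASS,            &cert_class, sizeof cert_class },
    { CKA_CERTIFICATE_TYPE, &cert_type,  sizeof cert_type  },
    { CKA_SUBJECT,          subject,     sizeof subject    },
    { CKA_ID,               key_id,      sizeof key_id     },
    { CKA_VALUE,            cert_der,    sizeof cert_der   },
};
const CK_ULONG cert_template_len = 5;

/* The matching private key (only the attributes relevant here are shown). */
CK_ATTRIBUTE privkey_template[] = {
    { CKA_CLASS,   &key_class, sizeof key_class },
    { CKA_SUBJECT, subject,    sizeof subject   },
    { CKA_ID,      key_id,     sizeof key_id    },
};
const CK_ULONG key_template_len = 3;

enum { TPL_OK = 0, TPL_MISSING_CLASS, TPL_WRONG_CLASS, TPL_MISSING_CERT_TYPE,
       TPL_WRONG_CERT_TYPE, TPL_MISSING_SUBJECT, TPL_MISSING_VALUE, TPL_VALUE_NOT_BER };

/* Returns the attribute of the given type, or NULL if the template lacks it. */
const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *tpl, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (tpl[i].type == type) return &tpl[i];
    return NULL;
}

/* Rules from the attribute tables: class and certificate type must name an
 * X.509 certificate, CKA_SUBJECT and CKA_VALUE must be present, and
 * CKA_VALUE must begin with the BER/DER SEQUENCE tag (0x30). */
int validate_x509_cert_template(const CK_ATTRIBUTE *tpl, CK_ULONG n)
{
    const CK_ATTRIBUTE *a = find_attr(tpl, n, CKA_CLASS);
    if (!a) return TPL_MISSING_CLASS;
    if (a->ulValueLen != sizeof(CK_OBJECT_CLASS) ||
        *(const CK_OBJECT_CLASS *)a->pValue != CKO_CERTIFICATE) return TPL_WRONG_CLASS;
    a = find_attr(tpl, n, CKA_CERTIFICATE_TYPE);
    if (!a) return TPL_MISSING_CERT_TYPE;
    if (a->ulValueLen != sizeof(CK_CERTIFICATE_TYPE) ||
        *(const CK_CERTIFICATE_TYPE *)a->pValue != CKC_X_509) return TPL_WRONG_CERT_TYPE;
    if (!find_attr(tpl, n, CKA_SUBJECT)) return TPL_MISSING_SUBJECT;
    a = find_attr(tpl, n, CKA_VALUE);
    if (!a || a->ulValueLen == 0) return TPL_MISSING_VALUE;
    if (((const CK_BYTE *)a->pValue)[0] != 0x30) return TPL_VALUE_NOT_BER;
    return TPL_OK;
}

/* 1 if both templates carry attribute t with identical bytes, else 0. */
static int attr_equal(const CK_ATTRIBUTE *x, CK_ULONG nx,
                      const CK_ATTRIBUTE *y, CK_ULONG ny, CK_ATTRIBUTE_TYPE t)
{
    const CK_ATTRIBUTE *a = find_attr(x, nx, t), *b = find_attr(y, ny, t);
    return a && b && a->ulValueLen == b->ulValueLen &&
           memcmp(a->pValue, b->pValue, a->ulValueLen) == 0;
}

/* The interoperability convention: certificate and key pair share
 * CKA_SUBJECT and CKA_ID. Cryptoki itself does not check this. */
int cert_matches_key(const CK_ATTRIBUTE *cert, CK_ULONG nc,
                     const CK_ATTRIBUTE *key, CK_ULONG nk)
{
    return attr_equal(cert, nc, key, nk, CKA_SUBJECT) &&
           attr_equal(cert, nc, key, nk, CKA_ID);
}

int main(void)
{
    printf("template check: %d (0 = ok)\n",
           validate_x509_cert_template(cert_template, cert_template_len));
    printf("matches key pair: %d\n", cert_matches_key(cert_template, cert_template_len,
                                                      privkey_template, key_template_len));
    return 0;
}
```

The validation deliberately stops at the outer BER tag rather than parsing the certificate: the token itself does not parse CKA_VALUE for CKO_CERTIFICATE objects, so the useful checks at this layer are the ones Cryptoki leaves to the application, namely that the required attributes are present and that the CKA_SUBJECT/CKA_ID pairing with the key is consistent. Passing a shorter attribute count (for example 4, which drops CKA_VALUE) shows how a missing required attribute is reported before the call reaches the token.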
Certificate Request Objects
Certificate request objects (object class CKO_CERTIFICATE_REQUEST) hold a PKCS#10 certificate request. There are mechanisms included to generate a Certificate Request object from an RSA public key (see CKM_ENCODE_PKCS_10) or generate a Certificate from a Certificate Request (see CKM_ENCODE_X_509). This object class is a vendor-defined extension class. The following table defines the Certificate request object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes and Common Certificate Object Attributes:
Attribute | Data Type | Meaning
---|---|---
CKA_SUBJECT | Byte array | DER-encoding of the certificate subject name
CKA_SUBJECT_STR ² | Byte array | Printable representation of CKA_SUBJECT attribute
CKA_VALUE ¹ | Byte array | BER-encoding of the certificate
KEY_TYPE | CK_KEY_TYPE | Type of public key in request

¹ Must be specified when the object is created.
² SafeNet Extension
Certificate Revocation List
Certificate Revocation List (CRL) objects (object class CKO_CRL) hold a certificate revocation list. This object class is a vendor-defined extension class.
The following table defines the CRL object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes and Common Certificate Object Attributes:
Attribute | Data Type | Meaning
---|---|---
CKA_SUBJECT | Byte array | DER-encoding of the certificate subject name
CKA_SUBJECT_STR ² | Byte array | Printable representation of CKA_SUBJECT attribute
CKA_VALUE ¹ | Byte array | BER-encoding of the certificate

¹ Must be specified when the object is created.
² SafeNet Extension