Creating, Modifying, Copying, and Deleting Objects
Cryptoki functions that create, modify, or copy objects take a template as one of their arguments; the template specifies attribute values. Cryptographic functions that create objects may also contribute some additional attribute values themselves. Which attributes receive values from a cryptographic function call depends on which cryptographic mechanism is being performed.
In any case, all the required attributes supported by an object class that do not have default values must be specified when an object is created, either in the template or by the function itself.
Creating Objects
Objects may be created with the Cryptoki functions C_CreateObject, C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, and C_DeriveKey. In addition, copying an existing object, with the function C_CopyObject or CT_CopyObject, also creates a new object.
Attempting to create an object with any of these functions requires an appropriate template to be supplied.
- If the supplied template specifies a value for an unrecognized attribute, then the attribute is stored but ignored.
- If the supplied template specifies an inappropriate value for a valid attribute, then the attribute is stored, except when it is the value attribute for a key, in which case the length is checked. Checks are made on the validity of attributes when the object is used in later operations.
- When a token has the CKF_LOGIN_REQUIRED flag set in the flags field of the CK_TOKEN_INFO structure, the token is read-only until the user (or SO) has been authenticated to the token.
- If the attribute values in the supplied template, any default attribute values, and any attribute values contributed by the object-creation function itself are insufficient to fully specify the object to be created, then the attempt will fail with the error code CKR_TEMPLATE_INCOMPLETE.
- If the supplied template specifies the same value for a particular attribute more than once (or the template specifies the same value for a particular attribute that the object-creation function itself contributes to the object), then the duplicate attribute is ignored.
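As an added example, not code from the ProtectToolkit-C documentation: a client-side pre-flight check in C that applies the template rules above to a secret-key template before C_CreateObject is called, so an incomplete template is caught in the application rather than as a CKR_TEMPLATE_INCOMPLETE from the token. The PKCS#11 types and constants are redeclared from the standard v2.20 header so the code builds without a token library; check_secret_key_template and demo_template are hypothetical names, and returning CKR_ATTRIBUTE_VALUE_INVALID for a wrong AES key length is this example's assumption.

```c
/* Minimal PKCS#11 types and constants (values as in the PKCS#11 v2.20 header). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS 0x000UL
#define CKA_LABEL 0x003UL
#define CKA_VALUE 0x011UL
#define CKA_KEY_TYPE 0x100UL
#define CKO_SECRET_KEY 0x4UL
#define CKK_AES 0x1FUL
#define CKR_OK 0x00UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13UL
#define CKR_TEMPLATE_INCOMPLETE 0xD0UL
/* Client-side pre-flight check run before C_CreateObject, mirroring the rules above:
 * unknown attributes are skipped, a repeated attribute is ignored (first one wins),
 * the CKA_VALUE length is checked, and a missing required attribute yields
 * CKR_TEMPLATE_INCOMPLETE. The AES-length error code is this example's assumption. */
CK_RV check_secret_key_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    int seen_class = 0, seen_type = 0, seen_value = 0;
    CK_ULONG cls = 0, key_type = 0, value_len = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        if (t[i].type == CKA_CLASS && !seen_class) {
            seen_class = 1; cls = *(const CK_ULONG *)t[i].pValue;
        } else if (t[i].type == CKA_KEY_TYPE && !seen_type) {
            seen_type = 1; key_type = *(const CK_ULONG *)t[i].pValue;
        } else if (t[i].type == CKA_VALUE && !seen_value) {
            seen_value = 1; value_len = t[i].ulValueLen;
        } /* anything else is a duplicate or not checked here, so it is ignored */
    }
    if (!seen_class || !seen_type || !seen_value) return CKR_TEMPLATE_INCOMPLETE;
    if (cls == CKO_SECRET_KEY && key_type == CKK_AES &&
        value_len != 16 && value_len != 24 && value_len != 32)
        return CKR_ATTRIBUTE_VALUE_INVALID;
    return CKR_OK;
}

/* Constructed sample templates: zero-filled placeholder key bytes, not a real key. */
static unsigned char g_key_bytes[32];
static CK_ULONG g_cls = CKO_SECRET_KEY, g_kt = CKK_AES;

CK_RV demo_template(CK_ULONG value_len, int include_value, int add_duplicate) {
    CK_ATTRIBUTE t[5]; CK_ULONG n = 0;
    t[n++] = (CK_ATTRIBUTE){CKA_CLASS, &g_cls, sizeof g_cls};
    t[n++] = (CK_ATTRIBUTE){CKA_KEY_TYPE, &g_kt, sizeof g_kt};
    t[n++] = (CK_ATTRIBUTE){CKA_LABEL, "demo", 4};                         /* not checked */
    if (include_value) t[n++] = (CK_ATTRIBUTE){CKA_VALUE, g_key_bytes, value_len};
    if (add_duplicate) t[n++] = (CK_ATTRIBUTE){CKA_VALUE, g_key_bytes, 7}; /* ignored */
    return check_secret_key_template(t, n);
}
```

The token still performs its own checks; the pre-flight only turns a predictable CKR_TEMPLATE_INCOMPLETE round trip into an early local error.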
Modifying Objects
If the “Increased Security” flag is set as part of the security policy, then C_CopyObject does not allow changing the CKA_MODIFIABLE flag from FALSE to TRUE (see the ProtectToolkit-C Administration Manual for details on setting HSM security policy).
Apart from the above exception, all PKCS#11 version 2.20 rules for object modification are applied.
Copying Objects
All PKCS#11 version 2.20 rules for copying objects are applied.
Deleting Objects
In addition to standard object deletion rules, there is support for the CKA_DELETABLE attribute. This is an optional attribute that may be specified for token objects. For token objects with CKA_DELETABLE set to FALSE, the C_DestroyObject function will not delete the object and will instead return the error CKR_OBJECT_READ_ONLY.