Key Objects

The following figure illustrates details of key objects:

Figure 1: Key Attribute Detail

Key objects hold encryption or authentication keys, which can be public keys, private keys, or secret keys. The HSM has a key storage capacity of 4 MB.

The following common footnotes apply to all the tables describing attributes of keys:

Table 2: Common footnotes for key attribute tables
1 Must be specified when object is created with C_CreateObject.
2 Must not be specified when object is created with C_CreateObject.
3 Must be specified when object is generated with C_GenerateKey or C_GenerateKeyPair.
4 Must not be specified when object is generated with C_GenerateKey or C_GenerateKeyPair.
5 Must be specified when object is unwrapped with C_UnwrapKey.
6 Must not be specified when object is unwrapped with C_UnwrapKey.
7 Cannot be revealed if object has CKA_SENSITIVE attribute set to TRUE or its CKA_EXTRACTABLE attribute set to FALSE.
8 May be modified after object is created with a C_SetAttributeValue call, or in the process of copying object with a C_CopyObject call. As mentioned previously, however, it is possible that a particular token may not permit modification of the attribute.
9 Default value is token-specific, and may depend on the values of other attributes.
10 SafeNet Extension

The following table defines the attributes common to the public key, private key and secret key classes, in addition to the common attributes listed in Table 1: Common Object Attributes and Table 1: Common Storage Object Attributes.

Table 3: Common Key Attributes
Footnote numbers in square brackets refer to Table 2.

Attribute | Data Type | Meaning
CKA_KEY_TYPE [1,3,5] | CK_KEY_TYPE | Type of key
CKA_ID [8] | Byte array | Key identifier for key (default empty)
CKA_START_DATE [8] | CK_DATE | Start date for the key (default empty). If not empty, the attribute holds the starting date for the key.
CKA_END_DATE [8] | CK_DATE | End date for the key (default empty). If not empty, the attribute holds the expiry date for the key.
CKA_ADMIN_CERT [10] | Byte array | DER encoded certificate of the key administrator. See more details in the discussion on Key Usage Limits.
CKA_DERIVE [8] | CK_BBOOL | TRUE if key supports key derivation (that is, if other keys can be derived from this one) (default FALSE)
CKA_LOCAL [2,4,6] | CK_BBOOL | TRUE only if key was either: generated locally (that is, on the token) with a C_GenerateKey or C_GenerateKeyPair call; or created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to TRUE
CKA_MECHANISM_LIST [10] | CK_MECHANISM_TYPE array | List of allowable mechanisms that can be used. For more information see the entry for this attribute in Additional Attribute Types.
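The footnote rules of Table 2 and the attribute definitions of Table 3 are easy to get wrong in an application template, and an HSM rejects a bad template only with a generic return code. The following added example (not the vendor's code, and not part of this guide) shows a client-side pre-flight check of a key template before it is passed to C_CreateObject, C_GenerateKey/C_GenerateKeyPair or C_UnwrapKey. It assumes the type and constant definitions of the PKCS#11 standard header (reproduced here so the file builds without the SDK's pkcs11.h); the result codes and the sample template are constructed for the example. CKA_ADMIN_CERT and CKA_MECHANISM_LIST are vendor extensions whose numeric values are not given on this page, so they are not modelled.

```c
/* Added example: pre-flight check of a PKCS#11 key attribute template
 * against the footnote rules of Table 2. Not the HSM vendor's code. A real
 * application would #include "pkcs11.h" from the SDK instead of the
 * definitions below, which are copied from the PKCS#11 standard. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { unsigned char year[4]; unsigned char month[2]; unsigned char day[2]; } CK_DATE;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_KEY_TYPE    0x100UL
#define CKA_ID          0x102UL
#define CKA_SENSITIVE   0x103UL
#define CKA_DERIVE      0x10CUL
#define CKA_START_DATE  0x110UL
#define CKA_END_DATE    0x111UL
#define CKA_EXTRACTABLE 0x162UL
#define CKA_LOCAL       0x163UL
#define CKK_AES         0x1FUL

/* Result codes are constructed for this example; they are not PKCS#11 CKR_ values. */
enum { TPL_OK = 0, TPL_MISSING_KEY_TYPE, TPL_LOCAL_NOT_ALLOWED, TPL_BAD_DATE, TPL_DATE_ORDER };

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

/* A CK_DATE is 8 ASCII digits (YYYYMMDD); a zero-length value is the "empty" default. */
static int date_ok(const CK_ATTRIBUTE *a)
{
    if (a == NULL || a->ulValueLen == 0) return 1;   /* absent or empty: allowed */
    if (a->ulValueLen != sizeof(CK_DATE)) return 0;
    const unsigned char *p = a->pValue;
    for (size_t i = 0; i < sizeof(CK_DATE); i++)
        if (p[i] < '0' || p[i] > '9') return 0;
    return 1;
}

/* Check a template destined for C_CreateObject, C_GenerateKey(Pair) or
 * C_UnwrapKey; the footnotes on this page impose the same rules on all three. */
int check_key_template(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    /* Footnotes 1, 3, 5: CKA_KEY_TYPE must be supplied by the caller. */
    if (find_attr(t, n, CKA_KEY_TYPE) == NULL) return TPL_MISSING_KEY_TYPE;
    /* Footnotes 2, 4, 6: CKA_LOCAL is set by the token, never by the caller. */
    if (find_attr(t, n, CKA_LOCAL) != NULL) return TPL_LOCAL_NOT_ALLOWED;
    const CK_ATTRIBUTE *s = find_attr(t, n, CKA_START_DATE);
    const CK_ATTRIBUTE *e = find_attr(t, n, CKA_END_DATE);
    if (!date_ok(s) || !date_ok(e)) return TPL_BAD_DATE;
    /* YYYYMMDD orders correctly as a byte string; an expiry before the start is a mistake. */
    if (s && e && s->ulValueLen && e->ulValueLen &&
        memcmp(e->pValue, s->pValue, sizeof(CK_DATE)) < 0) return TPL_DATE_ORDER;
    return TPL_OK;
}

/* Footnote 7: a key's secret value can be read back with C_GetAttributeValue
 * only when CKA_SENSITIVE is FALSE and CKA_EXTRACTABLE is TRUE. */
int value_revealable(CK_BBOOL sensitive, CK_BBOOL extractable)
{
    return sensitive == CK_FALSE && extractable == CK_TRUE;
}

int main(void)
{
    /* Constructed AES key template; CKA_ID and CKA_DERIVE are footnote-8 attributes. */
    CK_ULONG key_type = CKK_AES;
    CK_BBOOL yes = CK_TRUE;
    unsigned char id[] = { 0x01, 0x02 };
    CK_DATE start = {{'2','0','2','4'}, {'0','1'}, {'0','1'}};
    CK_DATE end   = {{'2','0','2','5'}, {'0','1'}, {'0','1'}};
    CK_ATTRIBUTE good[] = {
        { CKA_KEY_TYPE,   &key_type, sizeof key_type },
        { CKA_ID,         id,        sizeof id },
        { CKA_DERIVE,     &yes,      sizeof yes },
        { CKA_START_DATE, &start,    sizeof start },
        { CKA_END_DATE,   &end,      sizeof end },
    };
    /* Supplying CKA_LOCAL violates footnotes 2, 4 and 6. */
    CK_ATTRIBUTE bad[] = { { CKA_KEY_TYPE, &key_type, sizeof key_type },
                           { CKA_LOCAL,    &yes,      sizeof yes } };
    printf("good template: %d, template with CKA_LOCAL: %d\n",
           check_key_template(good, 5), check_key_template(bad, 2));
    return 0;
}
```

The check runs entirely in the application, so it costs no HSM round trip and turns a CKR_TEMPLATE_INCONSISTENT-style failure into a specific error the caller can log. Attributes the footnotes mark as token-set (CKA_LOCAL) are rejected outright; date attributes are validated for shape and ordering but, as Table 3 says, may be left empty.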
