Key Parameter Objects
ProtectToolkit-C includes support for key parameter objects (as specified in PKCS#11 2.11 draft 3). These objects are used to store parameters associated with DSA or DH keys. It is possible to generate new objects of this type using the C_GenerateKey function.
Key parameter objects (object class CKO_DOMAIN_PARAMETERS) hold public key generation parameters. This version of Cryptoki recognizes the following types of key parameters: DSA and Diffie-Hellman. The following table defines the footnotes that apply to each of the following attribute tables:
The following table defines the attributes common to key parameter objects, in addition to the common attributes listed in Table 1: Common Object Attributes and Table 1: Common Storage Object Attributes:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE ¹ | CK_KEY_TYPE | Type of key the parameters can be used to generate. |
CKA_LOCAL ²,⁴ | CK_BBOOL | CK_TRUE only if the key parameters were either generated locally (that is, on the token) with a C_GenerateKey call, or created with a C_CopyObject call as a copy of key parameters which had their CKA_LOCAL attribute set to CK_TRUE. |

Footnotes: see Common footnotes for key parameter attribute tables.
The rules applying to the CKA_LOCAL attribute mean that it has the value TRUE if and only if the key was originally generated on the token by a C_GenerateKey call.
DSA Public Key Parameter Objects
DSA public key parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_DSA) hold DSA public key parameters. The following table defines the DSA public key parameter object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute | Data Type | Meaning |
---|---|---|
CKA_PRIME ¹,⁴ | Big integer | Prime p (512 to 1024 bits, in steps of 64 bits) |
CKA_SUBPRIME ¹,⁴ | Big integer | Subprime q (160 bits) |
CKA_BASE ¹,⁴ | Big integer | Base g |
CKA_PRIME_BITS ²,³ | CK_ULONG | Length of the prime value |

Footnotes: see Common footnotes for key parameter attribute tables.
The CKA_PRIME, CKA_SUBPRIME and CKA_BASE attribute values are collectively the “DSA parameters”. See FIPS PUB 186 for more information on DSA key parameters.
Objects of this type may be generated by using C_GenerateKey with the CKM_DSA_PARAMETER_GEN mechanism.
Diffie-Hellman Public Key Parameter Objects
Diffie-Hellman public key parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_DH) hold Diffie-Hellman public key parameters. The following table defines the Diffie-Hellman public key parameter object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute | Data Type | Meaning |
---|---|---|
CKA_PRIME ¹,⁴ | Big integer | Prime p |
CKA_BASE ¹,⁴ | Big integer | Base g |
CKA_PRIME_BITS ²,³ | CK_ULONG | Length of the prime value |

Footnotes: see Common footnotes for key parameter attribute tables.
The CKA_PRIME and CKA_BASE attribute values are collectively the “Diffie-Hellman parameters”. Depending on the token, there may be limits on the length of the key components. See PKCS #3 for more information on Diffie-Hellman key parameters.
Objects of this type may be generated by using C_GenerateKey with the CKM_DH_PKCS_PARAMETER_GEN mechanism.
Elliptic Curve Public Key Parameter Objects
Elliptic Curve public key parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_EC or CKK_EC_EDWARDS) hold Elliptic Curve public key parameters. The following table defines the Elliptic Curve public key parameter object attributes, in addition to the common attributes listed in Table 1: Common Object Attributes, Table 1: Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute | Data Type | Meaning |
---|---|---|
CKA_EC_PARAMS ¹,³,⁶ | Byte Array | DER encoding of an ANSI X9.62 Parameters value. Applies to CKK_EC keys. |

Footnotes: see Common footnotes for key parameter attribute tables.
The CKA_EC_PARAMS attribute value is the “Elliptic Curve parameters”. Depending on the token, there may be limits on the length of the key components.
ProtectToolkit-C does not support generation of this type of object.
When objects of this type are stored using C_CreateObject, the domain parameters are verified.
Key Generation Parameter Objects
This object type is used to hold DSA or DH key generation parameters.
The CKA_KEY_TYPE attribute indicates which type of parameters it is holding.
Where the key type is CKK_DSA, the attributes should be as follows:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE | CK_KEY_TYPE | Type of key. Must be CKK_DSA. |
CKA_PRIME | Big integer | Prime p |
CKA_SUBPRIME | Big integer | Subprime q |
CKA_BASE | Big integer | Base g |
Where the key type is CKK_DH, the attributes should be as follows:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE | CK_KEY_TYPE | Type of key. Must be CKK_DH. |
CKA_PRIME | Big integer | Prime p |
CKA_BASE | Big integer | Base g |
See CKM_EC_KEY_PAIR_GEN for more details on the Elliptic Curve Parameters value (CKA_EC_PARAMS) of Elliptic Curve parameter objects.
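The following added example (not code from the ProtectToolkit-C documentation) checks a CK_ATTRIBUTE template for a DSA or Diffie-Hellman domain-parameter object against the rules in the DSA and Diffie-Hellman attribute tables above and the Key Generation Parameter Objects templates, before the template is handed to C_GenerateKey or C_CreateObject. It assumes the standard PKCS#11 meaning of footnotes 1 to 4 (1/2: must / must not be specified for C_CreateObject; 3/4: must / must not be specified for C_GenerateKey), and redefines the needed types and constants inline with the standard header's values so it compiles without pkcs11.h.

```c
#include <stdbool.h>
/* Minimal PKCS#11 definitions so this compiles without pkcs11.h; the numeric
 * values are assumed to be those of the standard header. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_KEY_TYPE   0x100UL
#define CKA_PRIME      0x130UL
#define CKA_SUBPRIME   0x131UL
#define CKA_BASE       0x132UL
#define CKA_PRIME_BITS 0x133UL
#define CKA_LOCAL      0x163UL
#define CKK_DSA        0x1UL
#define CKK_DH         0x2UL

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return 0;
}

/* DSA prime p must be 512 to 1024 bits in steps of 64 (from the DSA table). */
static bool dsa_prime_bits_ok(CK_ULONG bits) { return bits >= 512 && bits <= 1024 && bits % 64 == 0; }

/* Checks a template for a CKO_DOMAIN_PARAMETERS object of key type key_type
 * (CKK_DSA or CKK_DH) before handing it to the token. for_generate applies the
 * C_GenerateKey rules (footnotes 3/4), otherwise the C_CreateObject rules (1/2). */
bool domain_params_template_ok(const CK_ATTRIBUTE *t, CK_ULONG n,
                               CK_ULONG key_type, bool for_generate)
{
    const CK_ATTRIBUTE *kt = find_attr(t, n, CKA_KEY_TYPE);
    const CK_ATTRIBUTE *p  = find_attr(t, n, CKA_PRIME);
    const CK_ATTRIBUTE *q  = find_attr(t, n, CKA_SUBPRIME);
    const CK_ATTRIBUTE *g  = find_attr(t, n, CKA_BASE);
    const CK_ATTRIBUTE *pb = find_attr(t, n, CKA_PRIME_BITS);
    if (key_type != CKK_DSA && key_type != CKK_DH) return false;
    /* CKA_KEY_TYPE, if given, must agree with the key type the mechanism produces. */
    if (kt && (kt->ulValueLen != sizeof(CK_ULONG) || *(const CK_ULONG *)kt->pValue != key_type)) return false;
    if (find_attr(t, n, CKA_LOCAL)) return false;                    /* footnotes 2 and 4: token-set only */
    if (for_generate) {
        if (p || q || g) return false;                               /* footnote 4 */
        if (!pb || pb->ulValueLen != sizeof(CK_ULONG)) return false; /* footnote 3 */
        return key_type == CKK_DH || dsa_prime_bits_ok(*(const CK_ULONG *)pb->pValue);
    }
    if (!kt || !p || !g || pb) return false;                         /* footnotes 1 and 2 */
    if (key_type == CKK_DH) return true;
    /* DSA: subprime q is 160 bits and prime p in the allowed range (byte length * 8). */
    return q && q->ulValueLen == 20 && dsa_prime_bits_ok(p->ulValueLen * 8);
}
```

Running the check client-side gives a clear diagnostic before the token rejects the template; the byte lengths of CKA_PRIME and CKA_SUBPRIME are taken as the big-integer bit length divided by eight.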