CKM_DECODE_PKCS_7
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | No |
Derive | Yes |
Available in FIPS Mode | Yes |
Restrictions in FIPS Mode | None |
Key Size Range and Parameters
Minimum | 0 |
FIPS Minimum | 0 |
Maximum | None |
Parameter | None |
Description
This mechanism is used with the C_DeriveKey function to derive a set of X.509 Certificate objects and X.509 CRL objects from a PKCS#7 object. The base key object handle is a CKO_DATA object (the PKCS#7 encoding) which has a CKA_OBJECT_ID attribute indicating the type of the object as being a PKCS#7 encoding. This mechanism does not take any parameters.
One of the functions of PKCS#7 is to distribute certificates and CRLs in a single encoded package. In this case the PKCS#7 message content is usually empty. This mechanism is provided to split certificates and CRLs from such a PKCS#7 encoding so that they may be further processed.
This mechanism will decode a PKCS#7 encoding and create PKCS#11 objects for all certificates (object class CKO_CERTIFICATE) and CRLs (object class CKO_CRL) that it finds in the encoding. The signature on the PKCS#7 content is not verified. The output parameter that normally receives the newly derived key is set to the handle of the last Certificate or CRL extracted from the PKCS#7 encoding. The attribute template is applied to all objects extracted from the encoding.
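To show what is split out and why the results are untrusted until validated, the following added example (not Thales code, and not a description of how the HSM implements the mechanism) walks a DER-encoded PKCS#7 SignedData and returns the raw certificate and CRL elements without reading signerInfos. The sample input is constructed with placeholder bodies rather than real X.509 data, and all function names are hypothetical.

```python
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2

def tlv(tag, body):
    """Encode one DER TLV (definite length); used only to build the sample."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the TLV at pos, bounded by end."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("value overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in [start, end)."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        yield tag, start, vs, ve
        start = ve

def split_pkcs7(der):
    """Return (certs, crls) as raw DER blobs; signerInfos is skipped, not verified."""
    tag, vs, ve = read_tlv(der, 0, len(der))
    outer = list(children(der, vs, ve))
    if tag != 0x30 or len(outer) != 2 or der[outer[0][1]:outer[0][3]] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, vs, ve = read_tlv(der, outer[1][2], outer[1][3])  # unwrap [0] EXPLICIT
    found = {0xA0: [], 0xA1: []}  # [0] certificates, [1] crls (IMPLICIT SET OF)
    for tag, _, fs, fe in children(der, vs, ve):
        if tag in found:
            found[tag].extend(der[s:e] for _, s, _, e in children(der, fs, fe))
    return found[0xA0], found[0xA1]

def build_sample():
    """Constructed certs-only PKCS#7: id-data contentInfo, placeholder certs/CRL."""
    certs = [tlv(0x30, tlv(0x0C, b"placeholder cert %d" % i)) for i in (1, 2)]
    crl = tlv(0x30, tlv(0x0C, b"placeholder CRL"))
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, OID_SIGNED_DATA[:-1] + b"\x01")
             + tlv(0xA0, b"".join(certs)) + tlv(0xA1, crl) + tlv(0x31, b""))
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, sd)), certs, crl
```

Like the mechanism as described, nothing here checks a signature, so every certificate or CRL obtained this way should be treated as untrusted input until its own signature and chain are validated separately.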