CKM_DECODE_PKCS_7

Supported Operations

Encrypt and Decrypt: No
Sign and Verify: No
SignRecover and VerifyRecover: No
Digest: No
Generate Key/Key-Pair: No
Wrap and Unwrap: No
Derive: Yes
Available in FIPS Mode: Yes
Restrictions in FIPS Mode: None

Key Size Range and Parameters

Minimum: 0
FIPS Minimum: 0
Maximum: None
Parameter: None

Description

This mechanism is used with the C_DeriveKey function to derive a set of X.509 Certificate objects and X.509 CRL objects from a PKCS#7 object. The base key handle passed to C_DeriveKey refers to a CKO_DATA object holding the PKCS#7 encoding, whose CKA_OBJECT_ID attribute identifies the data as a PKCS#7 encoding. This mechanism does not take any parameters.

One of the functions of PKCS#7 is to distribute certificates and CRLs in a single encoded package. In this case the PKCS#7 message content is usually empty. This mechanism is provided to split the certificates and CRLs out of such a PKCS#7 encoding so that they may be processed further.

This mechanism decodes the PKCS#7 encoding and creates PKCS#11 objects for all certificates (object class CKO_CERTIFICATE) and CRLs (object class CKO_CRL) that it finds in the encoding. The signature on the PKCS#7 content is not verified. The derived key handle returned by C_DeriveKey refers to the last certificate or CRL extracted from the PKCS#7 encoding. The attribute template is applied to every object extracted from the encoding.
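As an added host-side illustration (not ProtectToolkit-C code, and not a substitute for calling C_DeriveKey on the HSM), the following Python performs the same split this mechanism performs on a degenerate PKCS#7 SignedData: it walks the DER, collects every element of the certificates [0] and crls [1] fields, and returns them in extraction order without checking any signature. The sample encoding and its certificate/CRL bodies are constructed placeholders, not real X.509 objects.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1 data

def der_read(buf, pos=0):
    """Return (tag, value, end) for the TLV at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def der_encode(tag, *parts):
    """Minimal DER TLV encoder; long-form length when the body is >= 128 bytes."""
    body = b"".join(parts)
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + body

def decode_pkcs7(encoding):
    """Return [(object_class, der), ...] in extraction order; no signature check."""
    tag, content_info, _ = der_read(encoding)
    kids = list(der_children(content_info))
    if tag != 0x30 or kids[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed_data, _ = der_read(kids[1][1])    # content is [0] EXPLICIT SignedData
    objects = []
    for tag, value in der_children(signed_data):
        cls = {0xA0: "CKO_CERTIFICATE", 0xA1: "CKO_CRL"}.get(tag)  # [0]/[1] IMPLICIT SETs
        if cls:  # other fields (version, digestAlgorithms, contentInfo, signerInfos) are skipped
            objects.extend((cls, der_encode(t, v)) for t, v in der_children(value))
    return objects  # objects[-1] is what C_DeriveKey would hand back as the derived handle

def build_sample():
    """Constructed degenerate SignedData: empty content, no signers, placeholder bodies."""
    blob = lambda name: der_encode(0x30, der_encode(0x04, name))   # stands in for a cert/CRL
    signed = der_encode(0x30,
        der_encode(0x02, b"\x01"),                           # version
        der_encode(0x31),                                    # digestAlgorithms: empty
        der_encode(0x30, der_encode(0x06, OID_DATA)),        # contentInfo: data, no content
        der_encode(0xA0, blob(b"cert-A"), blob(b"cert-B")),  # certificates [0]
        der_encode(0xA1, blob(b"crl-1")),                    # crls [1]
        der_encode(0x31))                                    # signerInfos: empty
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA), der_encode(0xA0, signed))
```

On a real HSM the same extraction happens inside C_DeriveKey, and the template you supply is applied to each resulting object, so a CKA_TOKEN or CKA_PRIVATE setting in it affects every certificate and CRL, not only the last one.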
