CKM_PKCS12_PBE_EXPORT

Supported Operations

Encrypt and Decrypt: No
Sign and Verify: No
SignRecover and VerifyRecover: No
Digest: No
Generate Key/Key-Pair: No
Wrap and Unwrap: Wrap only
Derive: No
Available in FIPS Mode: No

Key Size Range and Parameters

Minimum: 0
Maximum: None
Parameter: CKM_PKCS12_PBE_EXPORT_PARAMS

Description

The PKCS#12 export mechanism, denoted CKM_PKCS12_PBE_EXPORT, is a mechanism for wrapping a private key together with its certificate. The outcome of the wrapping operation is a PKCS#12 byte buffer.

This mechanism has a parameter, a CK_PKCS12_PBE_EXPORT_PARAMS structure.

This mechanism enforces a minimum password length that depends on the token. If the PIN supplied is too short, CKR_PIN_LEN_RANGE is returned.

This mechanism does not require a wrapping key, and it only supports RSA, ECDSA and DSA private keys and certificates.

During the wrapping operation, this mechanism performs a sign and verify test on the supplied key/certificate pair. Should this test fail, the wrapping operation will abort.

If the exported key is marked CKA_EXPORTABLE=TRUE and CKA_EXTRACTABLE=FALSE, this mechanism forces the export to be performed under the Security Officer session. In this case, the user must ensure that the private key is either visible to the Security Officer or made available to the Security Officer by performing a copy.

Note that the user performing the private key export is asked to supply two (2) passwords. These passwords must be identical if MS Windows is to be used later to extract the created PKCS#12 file. For other third-party tools such as OpenSSL, the two passwords do not have to be the same.

CK_PKCS12_PBE_EXPORT_PARAMS is a structure that provides parameters to the CKM_PKCS12_PBE_EXPORT mechanism. This structure is defined as follows:

typedef struct CK_PKCS12_PBE_EXPORT_PARAMS
{
    CK_OBJECT_HANDLE  keyCert;              /* certificate handle of the key pair */
    CK_CHAR_PTR       passwordAuthSafe;     /* password for the PBE keys */
    CK_SIZE           passwordAuthSafeLen;
    CK_CHAR_PTR       passwordHMAC;         /* password for the PBA (MAC) keys */
    CK_SIZE           passwordHMACLen;
    CK_MECHANISM_TYPE safeBagKgMech;        /* SafeBag encryption key generation */
    CK_MECHANISM_TYPE safeContentKgMech;    /* SafeContent encryption key generation */
    CK_MECHANISM_TYPE hmacKgMech;           /* PFX MAC key generation */
} CK_PKCS12_PBE_EXPORT_PARAMS;

The fields of the structure have the following meanings:

keyCert: the certificate handle for the associated private key.
passwordAuthSafe: the password for the PBE keys.
passwordAuthSafeLen: the length of passwordAuthSafe.
passwordHMAC: the password for the PBA keys.
passwordHMACLen: the length of passwordHMAC.
safeBagKgMech

This is the key generation mechanism for SafeBag encryption. It applies only to pkcs8ShroudedKeyBag. Valid options are:

    CKM_PBE_SHA1_RC4_128
    CKM_PBE_SHA1_RC4_40
    CKM_PBE_SHA1_DES3_EDE_CBC
    CKM_PBE_SHA1_DES2_EDE_CBC
    CKM_PBE_SHA1_RC2_128_CBC
    CKM_PBE_SHA1_RC2_40_CBC

safeContentKgMech

This is the key generation mechanism for SafeContent encryption. It applies only to EncryptedData. Valid options are:

    CKM_PBE_SHA1_RC4_128
    CKM_PBE_SHA1_RC4_40
    CKM_PBE_SHA1_DES3_EDE_CBC
    CKM_PBE_SHA1_DES2_EDE_CBC
    CKM_PBE_SHA1_RC2_128_CBC
    CKM_PBE_SHA1_RC2_40_CBC

hmacKgMech

This is the key generation mechanism for generating the PFX MAC. The only valid option is:

    CKM_PBA_SHA1_WITH_SHA1_HMAC
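As an added example (not ProtectToolkit-C code or documentation), the following C fills a CK_PKCS12_PBE_EXPORT_PARAMS block and checks it against the valid-option lists above before it is handed to C_WrapKey, including the identical-password rule for Windows import. It assumes the standard PKCS#11 numbers for the listed PBE/PBA mechanisms and reproduces the Cryptoki typedefs so it compiles without cryptoki.h; the vendor-specific CKM_PKCS12_PBE_EXPORT value is not needed here.

```c
/* Added example, not ProtectToolkit-C code: fill a CK_PKCS12_PBE_EXPORT_PARAMS
 * block and check it against the valid-option lists above before C_WrapKey.
 * Cryptoki typedefs and standard PBE/PBA mechanism numbers are reproduced here. */
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_OBJECT_HANDLE, CK_MECHANISM_TYPE, CK_SIZE;
typedef unsigned char *CK_CHAR_PTR;
#define CKR_OK                      0x000UL
#define CKR_ARGUMENTS_BAD           0x007UL
#define CKM_PBE_SHA1_RC4_128        0x3A6UL   /* first of the six PBE options */
#define CKM_PBE_SHA1_DES3_EDE_CBC   0x3A8UL
#define CKM_PBE_SHA1_RC2_40_CBC     0x3ABUL   /* last of the six PBE options  */
#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x3C0UL

typedef struct CK_PKCS12_PBE_EXPORT_PARAMS {
    CK_OBJECT_HANDLE  keyCert;
    CK_CHAR_PTR       passwordAuthSafe;  CK_SIZE passwordAuthSafeLen;
    CK_CHAR_PTR       passwordHMAC;      CK_SIZE passwordHMACLen;
    CK_MECHANISM_TYPE safeBagKgMech, safeContentKgMech, hmacKgMech;
} CK_PKCS12_PBE_EXPORT_PARAMS;

/* 3DES is selected because the RC4 and 40-bit options are legacy ciphers. Pass
 * the same string as both passwords if the file must be importable on Windows. */
void pkcs12_export_params_init(CK_PKCS12_PBE_EXPORT_PARAMS *p, CK_OBJECT_HANDLE cert,
                               const char *pbe_pw, const char *mac_pw)
{
    p->keyCert = cert;
    p->passwordAuthSafe = (CK_CHAR_PTR)pbe_pw; p->passwordAuthSafeLen = strlen(pbe_pw);
    p->passwordHMAC     = (CK_CHAR_PTR)mac_pw; p->passwordHMACLen     = strlen(mac_pw);
    p->safeBagKgMech = p->safeContentKgMech = CKM_PBE_SHA1_DES3_EDE_CBC;
    p->hmacKgMech = CKM_PBA_SHA1_WITH_SHA1_HMAC;
}

static int pbe_option_ok(CK_MECHANISM_TYPE m)   /* the six listed PBE options are contiguous */
{ return m >= CKM_PBE_SHA1_RC4_128 && m <= CKM_PBE_SHA1_RC2_40_CBC; }

/* CKR_OK only when both PBE fields are listed options, the MAC field is the single
 * PBA option and both passwords are present; for_windows also demands equal passwords. */
CK_RV pkcs12_export_params_check(const CK_PKCS12_PBE_EXPORT_PARAMS *p, int for_windows)
{
    if (!pbe_option_ok(p->safeBagKgMech) || !pbe_option_ok(p->safeContentKgMech) ||
        p->hmacKgMech != CKM_PBA_SHA1_WITH_SHA1_HMAC ||
        !p->passwordAuthSafe || !p->passwordAuthSafeLen ||
        !p->passwordHMAC || !p->passwordHMACLen)
        return CKR_ARGUMENTS_BAD;
    if (for_windows && (p->passwordAuthSafeLen != p->passwordHMACLen ||
                        memcmp(p->passwordAuthSafe, p->passwordHMAC, p->passwordHMACLen)))
        return CKR_ARGUMENTS_BAD;
    return CKR_OK;
}
```

Once the check passes, the block is passed as the pMechanism->pParameter of a CKM_PKCS12_PBE_EXPORT C_WrapKey call, with the private key handle as hKey.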
