CKM_PKCS12_PBE_IMPORT
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | Unwrap only |
Derive | No |
Available in FIPS Mode | No |
Key Size Range and Parameters
Minimum | 0 |
Maximum | None |
Parameter | CK_PBE_PARAMS
|
Description
The PKCS#12 import mechanism, denoted CKM_PKCS12_PBE_IMPORT
is a mechanism for unwrapping a private key and certificate(s). This mechanism shall return the user a handle to a private key and handle(s) to certificate(s). Note that multiple certificate handles could be returned depending on the contents of the PKCS#12 file.
NOTE This mechanism does not import optional PKCS#12 bag attributes and PKCS#8 private-key attributes. These components are discarded during import.
The mechanism has a parameter, a CK_PKCS12_PBE_IMPORT_PARAMS structure. This mechanism does not require an unwrapping key and supports RSA, DH, DSA and EC Private Keys and certificates.
CK_PKCS12_PBE_IMPORT_PARAMS is a structure that provides parameters to the CKM_PKCS12_PBE_IMPORT
mechanism. This structure is defined as follows:
typedef struct CK_PKCS12_PBE_IMPORT_PARAMS
{
/** AuthenticatedSafe password */
CK_CHAR_PTR passwordAuthSafe;
/** Size of AuthenticatedSafe password */
CK_SIZE passwordAuthSafeLen; /** HMAC password */
CK_CHAR_PTR passwordHMAC; /** Size of HMAC password */
CK_SIZE passwordHMACLen; /** Certificate attributes */
CK_ATTRIBUTE_PTR certAttr; /** Number of certificate attributes */
CK_COUNT certAttrCount; /** Handle to returned certificate(s) */
CK_OBJECT_HANDLE_PTR hCert; /** Number of returned certificate handle(s) */
CK_COUNT_PTR hCertCount; }CK_PKCS12_PBE_IMPORT_PARAMS;
The fields of the structure have the following meanings:
passwordAuthSafe | This is the password to the authenticated safe container. |
passwordAuthSafeLen | This is the length of password. |
passwordHMAC | This is the password to HMAC. |
certAttr | These are the attributes assigned to certificate. |
certAttrCount | This is the number of entries in certAttr. |
hCert | This is the returned certificate handle(s). |
hCertCount | This is the number of handles allocated for hCert or the number of certificates found in PKCS#12 file. See below. |
Length Prediction
The PKCS#12 file may contain more than one certificate, as such, the user would need to allocate sufficient buffer to hold the returned handles. The user needs to specify NULL as a parameter to the returned certificate handle (hCert), the import mechanism shall then return a count (hCertCount) of the certificate found the in the PKCS#12 file. Using the value of hCertCount, the user then allocates the required buffer to hold the returned certificate handles for the next C_UnwrapKey function call.
Returning Multiple Ceritificates
Assuming the user has allocated sufficient buffer to hold the certificate handles and there is multiple certificate in the PKCS#12 files, the import mechanism shall populate buffer hCert with the allocated certificate handles. The returned hCertCount shall match the specified value.
Reporting Remaining Certificates
In the event of the user not reserving sufficient buffer in hCert and there are more certificates to be unwrapped, the import mechanism shall unwrap up to a maximum of cerficate handles allocated by the user and return the total count of the certificates found in the PKCS#12 file. For example, if the user initially allocated one handle (hCertCount=1) and the PKCS#12 contains 2 certificates, the import mechanism shall extract the first certificate it encounters and return hCertCount=2. In this case, the returned hCertCount shall always be larger than the specified value.
PKCS#12 Import Return Code
The following vendor specific return code may be returned in the event of errors:
CKR_PKCS12_DECODE
|
This error code is returned when there is an error decoding the PKCS#12 file. |
CKR_PKCS12_UNSUPPORTED_SAFEBAG_TYPE
|
This error code is returned when unsupported SafeBag is found. The import mechanism for this release only supports keyBag, pkcs8ShroudedKeyBag, and certBag. |
CKR_PKCS12_UNSUPPORTED_PRIVACY_MODE
|
This error code is returned when a PKCS#12 file with unsupported privacy mode is encountered. The import mechanism for this release only supports password privacy mode. |
CKR_PKCS12_UNSUPPORTED_INTEGRITY_MODE
|
This error code is returned when a PKCS#12 file with unsupported integrity mode is encountered. The import mechanism for this release only supports password integrity mode. |
Return to ProtectToolkit-C Mechanisms