CKM_PP_LOAD_SECRET_2
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | Yes |
Wrap and Unwrap | No |
Derive | No |
Available in FIPS Mode | Yes |
Restrictions in FIPS Mode | None |
Key Size Range (bytes) and Parameters
Minimum | 1 |
FIPS Minimum | 1 |
Maximum | None |
Parameter | CK_PP_LOAD_SECRET_PARAMS |
Description
This is a key generation mechanism that loads a clear key component from a directly attached PIN pad device.
It has a parameter, a CK_PP_LOAD_SECRET_PARAMS, which holds the operational details for the mechanism.
struct CK_PP_LOAD_SECRET_PARAMS {
    /** Entered characters should be masked with '*' or similar to hide the
     * value being entered. An error is returned if this is TRUE
     * and the device does not support this feature. */
    CK_BBOOL bMaskInput;

    /** Entered characters should be converted from the ASCII representation
     * to binary before being stored, according to the conversion type
     * supplied. If the device does not support the specified type of input
     * (e.g. hex input on a decimal keyboard), an error is returned.
     * The octal and decimal representations will expect 3 digits per byte,
     * whereas the hexadecimal representations will expect 2 digits per byte.
     * An error is returned if the data contains invalid encoding (such
     * as 351 for decimal conversion). */
    CK_PP_CONVERT_TYPE cConvert;

    /** The time to wait for operator response - in seconds. An error is
     * returned if the operation does not complete in the specified time.
     * This field may be ignored if the device does not support a configurable
     * timeout. */
    CK_CHAR cTimeout;

    /** Reserved for future extensions. Must be set to zero. */
    CK_CHAR reserved;

    /** The prompt to be displayed on the device. If the prompt cannot fit on
     * the device display, the output is clipped. If the device does not
     * have any display, the operation will continue without any prompt, or
     * error.
     *
     * The following special characters are recognized on the display:
     * - Newline (0x0a): Continue the display on the next line.
     */
    CK_CHAR_PTR prompt;
};
An optional object handler parameter, xorWith, can be specified to XOR the value of the created component with the value of this object. The key size of the xorWith object must be the same as the component. Important attributes like CKA_EXTRACTABLE and CKA_SENSITIVE are inherited from the xorWith object.
The template supplied with the call to the C_GenerateKey function determines the type of object generated by the operation. CKA_CLASS may be CKO_SECRET_KEY only. All key types are supported, as this mechanism is able to aggregate a complete key. Key creation via PIN-pad-entered components is supported in FIPS mode.
The normal rules for template consistency apply. In particular, CKA_ALWAYS_SENSITIVE must be set to FALSE and CKA_NEVER_EXTRACTABLE must be FALSE.
The expected size of the object value created by this operation is supplied in the CKA_VALUE_LEN parameter in the template.
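The conversion rules from the cConvert comment and the same-size XOR rule for xorWith, modelled on the host as an added example (not ProtectToolkit-C code; the HSM performs these steps itself). The enum and function names are hypothetical, and wiping the output buffer on error is an assumption of this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this sketch; not the vendor's CK_PP_CONVERT_TYPE values. */
typedef enum { CONV_OCTAL, CONV_DECIMAL, CONV_HEX } conv_t;

/* Value of one digit in the given base, or -1 if the character is not valid. */
static int digit_val(char c, int base) {
    int v;
    if (c >= '0' && c <= '9') v = c - '0';
    else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
    else return -1;
    return v < base ? v : -1;
}

/* Convert entered ASCII digits into exactly value_len bytes (the size the
 * template gives in CKA_VALUE_LEN). Octal and decimal use 3 digits per byte,
 * hex uses 2. Returns 0, or -1 on wrong length, bad digit or a group > 255. */
int pp_convert(const char *in, conv_t type, unsigned char *out, size_t value_len) {
    int base = (type == CONV_HEX) ? 16 : (type == CONV_DECIMAL) ? 10 : 8;
    size_t per_byte = (type == CONV_HEX) ? 2 : 3;
    if (strlen(in) != per_byte * value_len) return -1;
    for (size_t i = 0; i < value_len; i++) {
        int acc = 0;
        for (size_t j = 0; j < per_byte; j++) {
            int d = digit_val(in[i * per_byte + j], base);
            if (d < 0) goto fail;
            acc = acc * base + d;
        }
        if (acc > 255) goto fail;   /* e.g. "351" decimal or "400" octal */
        out[i] = (unsigned char)acc;
    }
    return 0;
fail:
    memset(out, 0, value_len);      /* assumption: leave no partial component */
    return -1;
}

/* XOR another value into the component; sizes must match, as for xorWith. */
int pp_xor_with(unsigned char *comp, size_t comp_len,
                const unsigned char *other, size_t other_len) {
    if (comp_len != other_len) return -1;
    for (size_t i = 0; i < comp_len; i++) comp[i] ^= other[i];
    return 0;
}
```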