CKM_PP_LOAD_SECRET_2

Supported Operations

Encrypt and Decrypt: No
Sign and Verify: No
SignRecover and VerifyRecover: No
Digest: No
Generate Key/Key-Pair: Yes
Wrap and Unwrap: No
Derive: No
Available in FIPS Mode: Yes
Restrictions in FIPS Mode: None

Key Size Range (bytes) and Parameters

Minimum: 1
FIPS Minimum: 1
Maximum: None
Parameter: CK_PP_LOAD_SECRET_PARAMS

Description

This key-generation mechanism loads a clear key component that the operator enters on a directly attached PIN pad device.

It takes a single parameter, a CK_PP_LOAD_SECRET_PARAMS structure, which holds the operational details for the mechanism.

struct CK_PP_LOAD_SECRET_PARAMS
{
    /** Entered characters should be masked with '*' or similar to hide the
     *  value being entered. An error is returned if this is TRUE and the
     *  device does not support this feature. */
    CK_BBOOL bMaskInput;
    /** Entered characters should be converted from the ASCII representation
     *  to binary before being stored, according to the conversion type
     *  supplied. If the device does not support the specified type of input
     *  (e.g. hex input on a decimal keyboard), an error is returned.
     *  The octal and decimal representations will expect 3 digits per byte,
     *  whereas the hexadecimal representations will expect 2 digits per byte.
     *  An error is returned if the data contains invalid encoding (such
     *  as 351 for decimal conversion). */
    CK_PP_CONVERT_TYPE cConvert;
    /** The time to wait for operator response - in seconds. An error is
     *  returned if the operation does not complete in the specified time.
     *  This field may be ignored if the device does not support a configurable
     *  timeout. */
    CK_CHAR cTimeout;
    /** Reserved for future extensions. Must be set to zero. */
    CK_CHAR reserved;
    /** The prompt to be displayed on the device. If the prompt cannot fit on
     *  the device display, the output is clipped. If the device does not
     *  have any display, the operation will continue without any prompt, or
     *  error.
     *
     *  The following special characters are recognized on the display:
     *  - Newline (0x0a): Continue the display on the next line.
     */
    CK_CHAR_PTR prompt;
};

An optional object handle parameter, xorWith, can be specified to XOR the value of the newly created component with the value of that object. The key size of the xorWith object must be the same as that of the component. Important attributes such as CKA_EXTRACTABLE and CKA_SENSITIVE are inherited from the xorWith object.
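The digit-group conversion rules from the cConvert comment above and the same-size requirement of the xorWith combination, as an added C example that is not part of the ProtectToolkit-C documentation or library. The page does not list the CK_PP_CONVERT_TYPE values, so the enumerators below are placeholders, and the code runs host-side on a plain string only to show the validation the mechanism applies.

```c
#include <stddef.h>
#include <string.h>

/* Conversion modes: the page names CK_PP_CONVERT_TYPE but not its values,
 * so these enumerators are placeholders, not the vendor's constants. */
enum pp_convert { PP_HEX = 16, PP_DECIMAL = 10, PP_OCTAL = 8 };

/* Map one digit character to its value in the given radix; -1 if invalid. */
static int digit_value(char c, int radix)
{
    int v;
    if (c >= '0' && c <= '9')      v = c - '0';
    else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
    else return -1;
    return v < radix ? v : -1;
}

/* Convert an entered digit string to bytes: 3 digits per byte for octal
 * and decimal, 2 per byte for hex. Returns the byte count, or -1 when the
 * length does not divide evenly, a digit is outside the radix, or a group
 * exceeds 255 (e.g. "351" in decimal mode, the page's own example). */
int pp_convert_component(const char *digits, enum pp_convert radix,
                         unsigned char *out, size_t out_cap)
{
    size_t per_byte = (radix == PP_HEX) ? 2 : 3;
    size_t n = strlen(digits), count = 0;
    if (n == 0 || n % per_byte != 0) return -1;
    for (size_t i = 0; i < n; i += per_byte) {
        unsigned v = 0;
        for (size_t k = 0; k < per_byte; k++) {
            int d = digit_value(digits[i + k], radix);
            if (d < 0) return -1;
            v = v * radix + (unsigned)d;
        }
        if (v > 255 || count == out_cap) return -1;
        out[count++] = (unsigned char)v;
    }
    return (int)count;
}

/* Combine a new component with an existing value, as the xorWith handle
 * does: both values must have the same length or the request is rejected. */
int pp_xor_components(const unsigned char *a, size_t alen,
                      const unsigned char *b, size_t blen, unsigned char *out)
{
    if (alen != blen) return -1;
    for (size_t i = 0; i < alen; i++) out[i] = a[i] ^ b[i];
    return (int)alen;
}
```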

The template supplied with the call to the C_GenerateKey function determines the type of object generated by the operation. CKA_CLASS may be CKO_SECRET_KEY only. All key types are supported, as this mechanism is able to aggregate a complete key from its components. Key creation via PIN-pad-entered components is supported in FIPS mode.

The normal rules for template consistency apply. In particular, CKA_ALWAYS_SENSITIVE must be set to FALSE and CKA_NEVER_EXTRACTABLE must be FALSE.

The expected size of the object value created by this operation is supplied in the CKA_VALUE_LEN attribute of the template.
