Key Objects

The following figure illustrates details of key objects:

Figure 1: Key Attribute Detail

Key objects hold encryption or authentication keys, which can be public keys, private keys, or secret keys. The following common footnotes apply to all the tables describing attributes of keys:

Table 2: Common footnotes for key attribute tables
¹ Must be specified when object is created with C_CreateObject.
² Must not be specified when object is created with C_CreateObject.
³ Must be specified when object is generated with C_GenerateKey or C_GenerateKeyPair.
⁴ Must not be specified when object is generated with C_GenerateKey or C_GenerateKeyPair.
⁵ Must be specified when object is unwrapped with C_UnwrapKey.
⁶ Must not be specified when object is unwrapped with C_Unwrap.
⁷Cannot be revealed if object has CKA_SENSITIVE attribute set to TRUE or its CKA_EXTRACTABLE attribute set to FALSE.
⁸ May be modified after object is created with a C_SetAttributeValue call, or in the process of copying object with a C_CopyObject call. As mentioned previously, however, it is possible that a particular token may not permit modification of the attribute.
⁹ Default value is token-specific, and may depend on the values of other attributes.
¹⁰ SafeNet Extension

The following table defines the attributes common to public key, private key and secret key classes, in addition to the common attributes listed in Common Object Attributes and Common Storage Object Attributes

Table 3: Common Key Attributes
Attribute	Data Type	Meaning
`CKA_KEY_TYPE`^1,3,5	`CK_KEY_TYPE`	Type of key
`CKA_ID`⁸	Byte array	Key identifier for key (default empty)
`CKA_START_DATE`⁸	`CK_DATE`	Start date for the key (default empty). If not empty then the attribute holds starting date for the key.
`CKA_END_DATE`⁸	`CK_DATE`	End date for the key (default empty). If not empty then the attribute holds expiry date for the key.
`CKA_ADMIN_CERT`¹⁰	Byte array	DER encoded certificate of the key administrator. See more details in the discussion on Key Usage Limits.
`CKA_DERIVE`⁸	`CK_BBOOL`	TRUE if key supports key derivation (that is, if other keys can be derived from this one (default FALSE)
`CKA_LOCAL`^2,4,6	`CK_BBOOL`	TRUE only if key was either >generated locally (that is, on the token) with a C_GenerateKey or C_GenerateKeyPaircall >created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to TRUE
`CKA_MECHANISM_LIST`¹⁰	`CKA_MECHANISM_TYPE` array	List of allowable mechanisms that can be used. For more information see the entry for this attribute in Additional Attribute Types.

Common footnotes for key attribute tables