Key Parameter Objects
SafeNet ProtectToolkit-C includes support for key parameter objects (as specified in PKCS#11 2.11 draft 3). These objects are used to store parameters associated with DSA or DH keys. It is possible to generate new objects of this type using the C_GenerateKey function.
Key parameter objects (object class CKO_DOMAIN_PARAMETERS) hold public key generation parameters. This version of Cryptoki recognizes the following types of key parameters: DSA and Diffie-Hellman. The following table defines the footnotes that apply to each of the following attribute tables:
The following table defines the attributes common to key parameter objects, in addition to the common attributes listed in Common Object Attributes and Common Storage Object Attributes:

Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE <sup>1</sup> | CK_KEY_TYPE | Type of key the parameters can be used to generate. |
CKA_LOCAL <sup>2,4</sup> | CK_BBOOL | TRUE if the key parameters were either generated locally (that is, on the token) with a C_GenerateKey call, or created with a C_CopyObject call as a copy of key parameters which had its |
Common footnotes for key parameter attribute tables
The rules applying to the CKA_LOCAL attribute mean that this attribute has the value TRUE if and only if the key was originally generated on the token by a C_GenerateKey call.
DSA Public Key Parameter Objects
DSA public key parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_DSA) hold DSA public key parameters. The following table defines the DSA public key parameter object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute | Data Type | Meaning |
---|---|---|
CKA_PRIME <sup>1,4</sup> | Big integer | Prime p (512 to 1024 bits, in steps of 64 bits) |
CKA_SUBPRIME <sup>1,4</sup> | Big integer | Subprime q (160 bits) |
CKA_BASE <sup>1,4</sup> | Big integer | Base g |
CKA_PRIME_BITS <sup>2,3</sup> | CK_ULONG | Length of the prime value |

(See Common footnotes for key parameter attribute tables.)
The CKA_PRIME, CKA_SUBPRIME and CKA_BASE attribute values are collectively the "DSA parameters". See FIPS PUB 186 for more information on DSA key parameters.
Objects of this type may be generated using C_GenerateKey with the CKM_DSA_PARAMETER_GEN mechanism.
Diffie-Hellman Public Key Parameter Objects
Diffie-Hellman public key parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_DH) hold Diffie-Hellman public key parameters. The following table defines the Diffie-Hellman public key parameter object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute | Data Type | Meaning |
---|---|---|
CKA_PRIME <sup>1,4</sup> | Big integer | Prime p |
CKA_BASE <sup>1,4</sup> | Big integer | Base g |
CKA_PRIME_BITS <sup>2,3</sup> | CK_ULONG | Length of the prime value |

(See Common footnotes for key parameter attribute tables.)
The CKA_PRIME and CKA_BASE attribute values are collectively the "Diffie-Hellman parameters". Depending on the token, there may be limits on the length of the key components. See PKCS #3 for more information on Diffie-Hellman key parameters.
Objects of this type may be generated using C_GenerateKey with the CKM_DH_PKCS_PARAMETER_GEN mechanism.
Elliptic Curve Public Key Parameter Objects
Elliptic Curve public key parameter objects (object class CKO_DOMAIN_PARAMETERS, key type CKK_EC or CKK_EC_EDWARDS) hold Elliptic Curve public key parameters.
The following table defines the Elliptic Curve public key parameter object attributes, in addition to the common attributes listed in Common Object Attributes, Common Storage Object Attributes, and Common footnotes for key parameter attribute tables:
Attribute | Data Type | Meaning |
---|---|---|
CKA_EC_PARAMS <sup>1,3,6</sup> | Byte Array | DER encoding of ANSI X9.62 Parameters value. Applies to CKK_EC keys. |

(See Common footnotes for key parameter attribute tables.)
The CKA_EC_PARAMS attribute value is the "Elliptic Curve parameters". Depending on the token, there may be limits on the length of the key components.
SafeNet ProtectToolkit-C does not support generation of this type of object.
When objects of this type are stored using C_CreateObject, the domain parameters are verified.
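As an added illustration (not ProtectToolkit-C code) of the kind of consistency check that sits behind the C_CreateObject verification just mentioned, applied to the DSA (CKA_PRIME p, CKA_SUBPRIME q, CKA_BASE g) and Diffie-Hellman (CKA_PRIME p, CKA_BASE g) definitions in the sections above. The function names are hypothetical, 64-bit integers stand in for the big-integer attribute values so the block runs without a bignum library, and the parameter values used to exercise it are constructed toy sizes.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of the domain-parameter checks a token can apply when a
 * CKO_DOMAIN_PARAMETERS object is stored with C_CreateObject. Illustrative
 * code only: 64-bit integers replace the big-integer attributes (real DSA
 * primes are 512..1024 bits), and the sample parameters are constructed. */

/* 128-bit intermediate avoids overflow; GCC/Clang extension. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)((unsigned __int128)a * b % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Trial division is enough for the toy sizes used here. */
static bool is_prime(uint64_t n) {
    if (n < 2) return false;
    for (uint64_t d = 2; d * d <= n; d++)
        if (n % d == 0) return false;
    return true;
}

/* CKA_PRIME_BITS accepted for CKM_DSA_PARAMETER_GEN: 512..1024, steps of 64. */
bool dsa_prime_bits_allowed(unsigned long bits) {
    return bits >= 512 && bits <= 1024 && bits % 64 == 0;
}

/* DSA parameters: CKA_PRIME p, CKA_SUBPRIME q, CKA_BASE g (FIPS PUB 186). */
bool dsa_params_valid(uint64_t p, uint64_t q, uint64_t g) {
    if (!is_prime(p) || !is_prime(q)) return false;
    if ((p - 1) % q != 0) return false;   /* q must divide p - 1 */
    if (g <= 1 || g >= p) return false;   /* 1 < g < p */
    return powmod(g, q, p) == 1;          /* g generates the order-q subgroup */
}

/* Diffie-Hellman parameters (PKCS #3): CKA_PRIME p, CKA_BASE g. */
bool dh_params_valid(uint64_t p, uint64_t g) {
    return is_prime(p) && g > 1 && g < p - 1;
}
```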
Key Generation Parameter Objects
This object type is used to hold DSA or DH key generation parameters.
The CKA_KEY_TYPE attribute indicates which type of parameters it is holding.
Where the key type is CKK_DSA the attributes should be as follows:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE | CK_KEY_TYPE | Type of key. Must be CKK_DSA. |
CKA_PRIME | Big integer | Prime p |
CKA_SUBPRIME | Big integer | Subprime q |
CKA_BASE | Big integer | Base g |
Where the key type is CKK_DH the attributes should be as follows:
Attribute | Data Type | Meaning |
---|---|---|
CKA_KEY_TYPE | CK_KEY_TYPE | Type of key. Must be CKK_DH. |
CKA_PRIME | Big integer | Prime p |
CKA_BASE | Big integer | Base g |
See CKM_EC_KEY_PAIR_GEN for more details on the Parameter value.