Object Classes
Cryptoki recognizes a number of object classes, as defined in the CK_OBJECT_CLASS
data type. An object consists of a set of attributes, each of which has a given value. Each object attribute has precisely one value. Object Attribute Hierarchy illustrates the high-level hierarchy of the Cryptoki objects and some of the attributes they support:
Figure 1: Object Attribute Hierarchy
Cryptoki provides functions for creating, destroying, and copying objects and for obtaining or modifying their attribute values. Some of the cryptographic functions (for example, C_GenerateKey) also create key objects to hold their results.
Objects are always “well-formed” in Cryptoki—that is, an object always contains a minimum set of attributes for its proper operation, and the attributes are always consistent with one another from the time the object is created. It is possible, however, for an object to have one or more optional attributes missing.
A token can hold several identical objects. That is, it is permissible for two or more objects to have exactly the same values for all of their attributes.
Some object attributes possess default values, and need not be specified when creating an object. Some of these default values may even be the empty string (“”). Nevertheless, the object possesses these attributes. A given object has a single value for each attribute it possesses. Optional attributes are, by default, not created.
In addition to possessing Cryptoki attributes, objects may possess additional vendor-specific attributes. The meanings and values of the attributes not specified by Cryptoki are described below.
This chapter contains the following sections: