CKM_DECODE_PKCS_7
Supported Operations
| Encrypt and Decrypt | No |
| Sign and Verify | No |
| SignRecover and VerifyRecover | No |
| Digest | No |
| Generate Key/Key-Pair | No |
| Wrap and Unwrap | No |
| Derive | Yes |
| Available in FIPS Mode | Yes |
| Restrictions in FIPS Mode | None |
Key Size Range and Parameters
| Minimum | 0 |
| FIPS Minimum | 0 |
| Maximum | None |
| Parameter | None |
Description
This mechanism is used with the C_DeriveKey function to derive a set of X.509 Certificate objects and X.509 CRL objects from a PKCS#7 object. The base key object handle is a CKO_DATA object (the PKCS#7 encoding) which has a CKA_OBJECT_ID attribute indicating the type of the object as being a PKCS#7 encoding. This mechanism does not take any parameters.
One of the functions of PKCS#7 is a mechanism for distributing certificates and CRLs in a single encoded package. In this case the PKCS#7 message content is usually empty. This mechanism is provided to split certificates and CRLs from such a PKCS7 encoding so that those certificates and CRLs may be further processed.
This mechanism will decode a PKCS#7 encoding and create PKCS#11 objects for all certificates (object class CKO_CERTIFICATE) and CRLs (object class CKO_CRL) that it finds in the encoding. The signature on the PKCS#7 content is not verified. The parameter containing the newly derived key is the last Certificate or CRL that is extracted from the PKCS#7 encoding. The attribute template is applied to all objects extracted from the encoding.
Return to SafeNet ProtectToolkit-C Mechanisms
