CKM_ENCODE_X_509_LOCAL_CERT

Supported Operations

Encrypt and Decrypt No
Sign and Verify No
SignRecover and VerifyRecover No
Digest No
Generate Key/Key-Pair No
Wrap and Unwrap No
Derive Yes
Available in FIPS Mode Yes
Restrictions in FIPS Mode None

Key Size Range and Parameters

Minimum 0
FIPS Minimum 0
Maximum None
Parameter None

Description

This mechanism is similar to the CKM_ENCODE_X_509 mechanism in that it is used to create an X.509 public key certificate. The basic difference is that this mechanism has additional usage controls.

This mechanism will only create certificates for public keys locally generated on the adapter. That is, the base key must have a CKA_CLASS attribute of CKO_PUBLIC_KEY and have the CKA_LOCAL attribute set to TRUE.

In addition, the signing key specified in the mechanism parameter (see below) must have the CKA_SIGN_LOCAL_CERT attribute set to TRUE. It is used with the C_DeriveKey function only (that is, it is a derive mechanism).

It takes a parameter that is a pointer to a CK_MECH_TYPE_AND_OBJECT structure.

typedef struct CK_MECH_TYPE_AND_OBJECT {
    CK_MECHANISM_TYPE mechanism;   /* signature mechanism used to sign the certificate */
    CK_OBJECT_HANDLE  obj;         /* handle of the private key that generates the signature */
} CK_MECH_TYPE_AND_OBJECT;

The above mechanism field specifies the actual signature mechanism to use in generation of the certificate signature. This must be one of the multipart digest RSA or DSA algorithms. The obj field above specifies the signature generation key. That is, it should specify an RSA or DSA private key as appropriate for the chosen signature mechanism.

To create an X.509 local certificate that uses EC keys, either provide a PKCS#10 certificate request that was created with EC keys, or provide an EC public key for the hBaseKey parameter to the function. To sign the certificate as a CA using EC keys, use the CKM_ECDSA_SHA1 mechanism to initialize the sign operation before calling C_DeriveKey(). The CKM_ECDSA_SHA1 mechanism and EC key must also be specified in the mechanism parameter.
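The following is an added example, not code from the SafeNet documentation, showing how the CK_MECH_TYPE_AND_OBJECT parameter described above is packed into a CK_MECHANISM for C_DeriveKey, together with a client-side check of the usage controls this mechanism enforces (public, adapter-generated base key; private signing key with CKA_SIGN_LOCAL_CERT; a multipart RSA/DSA or CKM_ECDSA_SHA1 signature mechanism). It declares the standard PKCS#11 types and constants it needs so it compiles without pkcs11.h. The numeric values of the vendor-defined CKM_ENCODE_X_509_LOCAL_CERT mechanism and the key attribute sample structure are placeholders and assumptions; take the real values from the ProtectToolkit-C header and from C_GetAttributeValue on the actual handles.

```c
/* Added example: packing the CKM_ENCODE_X_509_LOCAL_CERT parameter and
 * checking its documented usage controls before calling C_DeriveKey(). */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG CK_OBJECT_HANDLE;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef unsigned char CK_BBOOL;
typedef void *CK_VOID_PTR;
#define CK_TRUE  1
#define CK_FALSE 0

/* Standard PKCS#11 values. */
#define CKO_PUBLIC_KEY       0x00000002UL
#define CKO_PRIVATE_KEY      0x00000003UL
#define CKM_RSA_PKCS         0x00000001UL  /* single-part: not allowed here */
#define CKM_SHA1_RSA_PKCS    0x00000006UL
#define CKM_DSA_SHA1         0x00000012UL
#define CKM_SHA256_RSA_PKCS  0x00000040UL
#define CKM_ECDSA_SHA1       0x00001042UL

/* PLACEHOLDER: vendor-defined value, use the one in the ProtectToolkit-C header. */
#define CKM_ENCODE_X_509_LOCAL_CERT 0x80000000UL

typedef struct CK_MECHANISM {
    CK_MECHANISM_TYPE mechanism;
    CK_VOID_PTR       pParameter;
    CK_ULONG          ulParameterLen;
} CK_MECHANISM;

typedef struct CK_MECH_TYPE_AND_OBJECT {
    CK_MECHANISM_TYPE mechanism; /* signature mechanism for the certificate */
    CK_OBJECT_HANDLE  obj;       /* signing (CA) private key handle */
} CK_MECH_TYPE_AND_OBJECT;

/* Assumed in-memory view of the attributes the mechanism checks. In real
 * code these values come from C_GetAttributeValue on the key handles. */
typedef struct {
    CK_OBJECT_CLASS cls;             /* CKA_CLASS */
    CK_BBOOL        local;           /* CKA_LOCAL */
    CK_BBOOL        sign_local_cert; /* CKA_SIGN_LOCAL_CERT (vendor attribute) */
} key_attrs;

/* Illustrative (not exhaustive) set of accepted signature mechanisms:
 * multipart digest RSA/DSA, or CKM_ECDSA_SHA1 for EC keys. */
static int is_allowed_sig_mech(CK_MECHANISM_TYPE m) {
    return m == CKM_SHA1_RSA_PKCS || m == CKM_SHA256_RSA_PKCS ||
           m == CKM_DSA_SHA1 || m == CKM_ECDSA_SHA1;
}

/* 0 if the derive call satisfies the documented usage controls, otherwise a
 * negative code identifying the first violated rule. */
int check_local_cert_preconditions(const key_attrs *base, const key_attrs *signer,
                                   CK_MECHANISM_TYPE sig_mech) {
    if (base->cls != CKO_PUBLIC_KEY)        return -1; /* base must be a public key */
    if (base->local != CK_TRUE)             return -2; /* base must be adapter-generated */
    if (signer->cls != CKO_PRIVATE_KEY)     return -3; /* obj must be a private key */
    if (signer->sign_local_cert != CK_TRUE) return -4; /* CKA_SIGN_LOCAL_CERT required */
    if (!is_allowed_sig_mech(sig_mech))     return -5; /* unsupported signature mech */
    return 0;
}

/* Fill mech so it can be passed straight to C_DeriveKey(). param must outlive
 * mech, because pParameter points into it; ulParameterLen is the struct size. */
void build_local_cert_mechanism(CK_MECHANISM *mech, CK_MECH_TYPE_AND_OBJECT *param,
                                CK_MECHANISM_TYPE sig_mech, CK_OBJECT_HANDLE hSignKey) {
    param->mechanism     = sig_mech;
    param->obj           = hSignKey;
    mech->mechanism      = CKM_ENCODE_X_509_LOCAL_CERT;
    mech->pParameter     = param;
    mech->ulParameterLen = sizeof(*param);
}

int main(void) {
    /* Constructed sample: adapter-generated RSA public key, CA key allowed to
     * sign local certificates. Handles are arbitrary. */
    key_attrs base   = { CKO_PUBLIC_KEY,  CK_TRUE, CK_FALSE };
    key_attrs signer = { CKO_PRIVATE_KEY, CK_TRUE, CK_TRUE  };
    CK_OBJECT_HANDLE hBaseKey = 101, hCaKey = 202;
    CK_MECH_TYPE_AND_OBJECT param;
    CK_MECHANISM mech;

    int rc = check_local_cert_preconditions(&base, &signer, CKM_SHA256_RSA_PKCS);
    if (rc != 0) {
        printf("derive would be rejected, rule %d\n", rc);
        return 1;
    }
    build_local_cert_mechanism(&mech, &param, CKM_SHA256_RSA_PKCS, hCaKey);
    printf("mechanism 0x%lx, parameter length %lu, sign key %lu\n",
           mech.mechanism, mech.ulParameterLen, param.obj);
    /* With the PTK library linked, the actual call would be:
     *   rv = C_DeriveKey(hSession, &mech, hBaseKey, certTemplate, count, &hCert); */
    (void)hBaseKey;
    return 0;
}
```

The check mirrors the controls the adapter applies, so a caller can fail fast with a meaningful error rather than interpret a generic return code, and the builder keeps the parameter and the length field in step, which is the usual mistake when hand-rolling vendor mechanism parameters.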
