CKM_REPLICATE_TOKEN_RSA_AES
Supported Operations
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | Yes |
Derive | No |
Available in FIPS Mode | Yes |
Restrictions in FIPS Mode | None |
Key Size Range (bits) and Parameters
Minimum | 2048 |
FIPS Minimum | 2048 |
Maximum | 4096 |
Parameter | CK_REPLICATE_TOKEN_PARAMS |
Description
This is a Thales vendor-defined mechanism for wrapping and unwrapping tokens.
Wrapping Tokens
The mechanism wraps the token associated with the hSession parameter to C_WrapKey() into a protected format. When the mechanism is used to wrap a token, it requires a parameter of type CK_REPLICATE_TOKEN_PARAMS_PTR.
The CK_REPLICATE_TOKEN_PARAMS structure is defined as follows:
typedef struct CK_REPLICATE_TOKEN_PARAMS {
    CK_CHAR peerId[CK_SERIAL_NUMBER_SIZE];
} CK_REPLICATE_TOKEN_PARAMS;
The peerId field identifies the peer public key on the administrative token. That public key is used to wrap the token encryption key, so peerId must identify the public key of the destination HSM.
CK_REPLICATE_TOKEN_PARAMS_PTR is a pointer to a CK_REPLICATE_TOKEN_PARAMS.
The following conditions must be satisfied:
>The token being wrapped, which is associated with the hSession parameter to C_WrapKey(), must be a regular user token (that is, NOT the administrative token or a smart-card token).
>The session state for hSession must be one of CKS_RO_USER_FUNCTIONS or CKS_RW_USER_FUNCTIONS.
>The hWrappingKey parameter to C_WrapKey() must specify CK_INVALID_HANDLE.
>The hKey parameter to C_WrapKey() must specify CK_INVALID_HANDLE.
Unwrapping Tokens
This mechanism unwraps the protected token information, replacing the entire contents of the token associated with the hSession parameter to C_UnwrapKey(). When the mechanism is used for unwrapping a token, a mechanism parameter must not be specified.
The following conditions must be satisfied:
>The token being unwrapped, which is associated with the hSession parameter to C_UnwrapKey(), must be a regular user token. That is, NOT the administrative token or a smart card token.
>The session state for hSession must be CKS_RW_USER_FUNCTIONS.
>The hUnwrappingKey parameter to C_UnwrapKey() must specify CK_INVALID_HANDLE.
>The pTemplate parameter to C_UnwrapKey() must specify NULL.
>The ulAttributeCount parameter to C_UnwrapKey() must specify zero.
>The phKey parameter to C_UnwrapKey() must specify NULL.
>Any new sessions must be deferred until the operation has finished.
>The current session must be the only session in existence for the token.
>The application should call C_Finalize() upon completion.
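The wrap and unwrap conditions above can be checked by the caller before C_WrapKey() or C_UnwrapKey() is invoked, so that a bad argument set fails before the unwrap replaces a token's contents. The following is an added example, not Thales code: the typedefs and constants are stand-ins for the real headers, the value 16 for CK_SERIAL_NUMBER_SIZE is an assumption, the REPL_* codes and repl_check_* functions are hypothetical names, and the token-type condition (regular user token) is not checked here.

```c
#include <stddef.h>

/* Stand-ins so the block compiles without vendor headers; a real build takes
   these from cryptoki.h and the ProtectToolkit-C headers. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_CHAR;
#define CK_INVALID_HANDLE      0UL
#define CKS_RO_USER_FUNCTIONS  1UL  /* PKCS #11 session state values */
#define CKS_RW_USER_FUNCTIONS  3UL
#define CK_SERIAL_NUMBER_SIZE  16   /* assumed; use the vendor header's value */

typedef struct CK_REPLICATE_TOKEN_PARAMS {
    CK_CHAR peerId[CK_SERIAL_NUMBER_SIZE];
} CK_REPLICATE_TOKEN_PARAMS;

/* Hypothetical result codes for this example. */
enum { REPL_OK = 0, REPL_BAD_STATE, REPL_BAD_PARAM, REPL_BAD_HANDLE,
       REPL_BAD_TEMPLATE, REPL_OTHER_SESSIONS };

/* Check the arguments intended for C_WrapKey() against the wrap conditions. */
int repl_check_wrap(CK_ULONG state, const void *pParam, CK_ULONG paramLen,
                    CK_ULONG hWrappingKey, CK_ULONG hKey)
{
    /* Wrapping is allowed from a read-only or read-write user session. */
    if (state != CKS_RO_USER_FUNCTIONS && state != CKS_RW_USER_FUNCTIONS)
        return REPL_BAD_STATE;
    /* The mechanism parameter is required when wrapping. */
    if (pParam == NULL || paramLen != sizeof(CK_REPLICATE_TOKEN_PARAMS))
        return REPL_BAD_PARAM;
    if (hWrappingKey != CK_INVALID_HANDLE || hKey != CK_INVALID_HANDLE)
        return REPL_BAD_HANDLE;
    return REPL_OK;
}

/* Check the arguments intended for C_UnwrapKey() against the unwrap conditions.
   sessionCount is the caller's count of open sessions on the target token. */
int repl_check_unwrap(CK_ULONG state, const void *pParam, CK_ULONG paramLen,
                      CK_ULONG hUnwrappingKey, const void *pTemplate,
                      CK_ULONG ulAttributeCount, const void *phKey,
                      CK_ULONG sessionCount)
{
    /* Unwrapping replaces the token contents: read-write user session only. */
    if (state != CKS_RW_USER_FUNCTIONS) return REPL_BAD_STATE;
    /* No mechanism parameter may be supplied when unwrapping. */
    if (pParam != NULL || paramLen != 0) return REPL_BAD_PARAM;
    if (hUnwrappingKey != CK_INVALID_HANDLE) return REPL_BAD_HANDLE;
    if (pTemplate != NULL || ulAttributeCount != 0 || phKey != NULL)
        return REPL_BAD_TEMPLATE;
    /* The current session must be the only one on the token. */
    if (sessionCount != 1) return REPL_OTHER_SESSIONS;
    return REPL_OK;
}
```
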