Setting privilege level
CT_SetPrivilege allows elevation of privilege level, circumventing built-in security mechanisms on PKCS#11 objects. Elevated privilege level allows override of sensitive attribute and key usage.
Two possible settings are available:
PRIVILEGE_NORMAL=0
PRIVILEGE_OVERRIDE=1
SetPrivilegeLevel
This function is a SafeNet extension to PKCS#11. It can be used to set the privilege level of the caller to the specified value, if the caller has access to the function.
The function is available in the software cryptoki library to support FM emulation
The function cannot be called from outside the HSM (only from inside an HSM).
Use the CT_SetPrivilegeLevel function to set elevated privilege for a short time during the processing of a message. When the privileged access is complete, call the CT_SetPrivilegeLevel function to set the privilege back to normal.
In the environment of an FM, the privilege is automatically returned to normal when the current message is complete - when the FM Dispatch function or the currently intercepted Cryptoki function returns.
PRIVILEGE_OVERRIDE mode allows the FM to read Sensitive attributes and perform Cryptographic Initialization calls that contradict the usage attributes. For example, you can call C_EncryptInit with an object that has CKA_ENCRYPT set to FALSE.
Synopsis
void CK_ENTRY CT_SetPrivilegeLevel( int level );
Parameter | Description |
---|---|
level |
Desired privilege level |