PKCS#11 attributes
Objects, as described by PKCS#11, consist of a number of attributes that define both the object and its access policy. In general, the ProtectToolkit-C system will define the object’s attributes. Access policy should be provided by the user based on their particular requirements. The following attribute descriptions are intended to assist with these decisions.
CKA_LABEL
This attribute specifies a textual label for an object. This label is used to assist in differentiating the various objects stored on a token.
Note
Although ProtectToolkit-C does not require this attribute to be unique, various other tools may.
CKA_CLASS
This attribute is assigned by the system when an object is created. There are a number of classes in common use:
- CKO_PUBLIC_KEY
- CKO_PRIVATE_KEY
- CKO_SECRET_KEY
- CKO_CERTIFICATE
- CKO_CERTIFICATE_REQUEST
- CKO_DATA
CKA_KEY_TYPE
This attribute specifies the key type associated with the object. ProtectToolkit-C supports many key types, for example:
- CKK_AES, CKK_DES, CKK_DES2, CKK_DES3, CKK_RSA, CKK_DSA, CKK_BIP32
CKA_ENCRYPT/CKA_DECRYPT/CKA_SIGN/CKA_VERIFY/CKA_WRAP/CKA_UNWRAP
These attributes describe the cryptographic operations the key can be used for. Assign them with care, enabling only the operations a key actually needs, to avoid key misuse.
CKA_IMPORT
This attribute is similar to the standard CKA_UNWRAP attribute: it determines whether a given key can be used to unwrap encrypted key material. The important difference from the standard counterpart is that if CKA_IMPORT is set to TRUE and CKA_UNWRAP is set to FALSE, the only unwrap mechanism that can be used is CKM_WRAPKEY_DES3_CBC. With this combination, the error code CKR_MECHANISM_INVALID is returned for all other mechanisms.
CKA_EXPORT
This attribute is similar to the CKA_WRAP attribute, in that it specifies that the key can be used to encrypt a second key, so that it can be extracted from the HSM in an encrypted form. Unlike the CKA_WRAP attribute, however, only the Security Officer can specify this attribute.
CKA_SENSITIVE
This attribute specifies that the key object cannot be extracted from the token in the clear. Generally this attribute should be set to ensure the key material is not exposed. When the No Clear PINs flag is set, only sensitive keys can be created on the HSM.
CKA_EXTRACTABLE/CKA_EXPORTABLE
These attributes are used to specify that the key can be extracted from the token in an encrypted (for example, wrapped) form. These attributes determine how the key can be backed up. For more information about setting these attributes to back up keys, see Secure Key Backup and Restoration.
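The following is an added example, not part of the ProtectToolkit-C documentation or toolkit: it builds a PKCS#11 attribute template for an AES key that follows the guidance above (CKA_SENSITIVE set, CKA_EXTRACTABLE clear, only the encrypt/decrypt role enabled) and a small checker that reviews any secret-key template against those rules. The type codes are the standard PKCS#11 values supplied inline so the file compiles without a cryptoki header; the vendor-specific CKA_IMPORT and CKA_EXPORT attributes are omitted because their numeric codes are not given on this page.

```c
/* Stand-in for cryptoki.h: standard PKCS#11 type codes, defined inline so this
 * compiles stand-alone. A real build includes the toolkit's own header. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CK_FALSE = 0, CK_TRUE = 1, CKO_SECRET_KEY = 0x4, CKK_AES = 0x1F,
       CKA_CLASS = 0x000, CKA_LABEL = 0x003, CKA_KEY_TYPE = 0x100,
       CKA_SENSITIVE = 0x103, CKA_ENCRYPT = 0x104, CKA_DECRYPT = 0x105,
       CKA_WRAP = 0x106, CKA_UNWRAP = 0x107, CKA_SIGN = 0x108, CKA_VERIFY = 0x10A,
       CKA_EXTRACTABLE = 0x162 };

/* Returns 1 when the template sets the boolean attribute `type` to CK_TRUE.
 * An absent attribute counts as FALSE here, so no token default is assumed. */
static int attr_true(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue == CK_TRUE;
    return 0;
}

/* Review a secret-key template against the guidance above. Result bits:
 * 1 = CKA_SENSITIVE not TRUE (key could leave the token in the clear);
 * 2 = CKA_EXTRACTABLE TRUE (wrapped export possible, intended only for backup);
 * 4 = more than one role enabled among encrypt/decrypt, sign/verify and
 *     wrap/unwrap, which the text warns invites key misuse. 0 = all rules met. */
int check_secret_key_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    int findings = 0, roles = 0;
    if (!attr_true(t, n, CKA_SENSITIVE))  findings |= 1;
    if (attr_true(t, n, CKA_EXTRACTABLE)) findings |= 2;
    roles += attr_true(t, n, CKA_ENCRYPT) || attr_true(t, n, CKA_DECRYPT);
    roles += attr_true(t, n, CKA_SIGN)    || attr_true(t, n, CKA_VERIFY);
    roles += attr_true(t, n, CKA_WRAP)    || attr_true(t, n, CKA_UNWRAP);
    if (roles > 1) findings |= 4;
    return findings;
}

/* Constructed sample: a sensitive, non-extractable AES key that may only
 * encrypt and decrypt, as one would pass to C_GenerateKey. */
static CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
static CK_ULONG cls = CKO_SECRET_KEY, ktype = CKK_AES;
static char label[] = "data-enc-key";   /* CKA_LABEL value, no trailing NUL */
CK_ATTRIBUTE aes_template[] = {
    { CKA_CLASS, &cls, sizeof cls },        { CKA_KEY_TYPE, &ktype, sizeof ktype },
    { CKA_LABEL, label, sizeof label - 1 }, { CKA_SENSITIVE, &yes, sizeof yes },
    { CKA_EXTRACTABLE, &no, sizeof no },    { CKA_ENCRYPT, &yes, sizeof yes },
    { CKA_DECRYPT, &yes, sizeof yes },      { CKA_WRAP, &no, sizeof no },
};
const CK_ULONG aes_template_len = sizeof aes_template / sizeof aes_template[0];
/* Constructed counter-example: not sensitive, and both decrypt and wrap enabled. */
CK_ATTRIBUTE weak_template[] = { { CKA_CLASS, &cls, sizeof cls },
    { CKA_DECRYPT, &yes, sizeof yes }, { CKA_WRAP, &yes, sizeof yes } };
```

The checker returns 0 for aes_template and 5 (bits 1 and 4) for weak_template; run it over templates before they reach C_GenerateKey or C_CreateObject.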