KMLIB function reference
This section describes KMLIB functions.
KM_SetCallbacks
Set the callbacks for KMLIB to use.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
pCallbacks | Pointer to the structure containing the callbacks to set. See KMLIB Callback Prototypes Reference for callback prototypes. |
Returns
KM_GetCallbacks
Get callbacks currently used by KMLIB.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
pCallbacks | Location to store the callback structure used by KMLIB. See KMLIB Callback Prototypes Reference for callback prototypes. |
Returns
KM_GenerateSecretKey
Generate a secret key.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
keyType | The type of PKCS#11 key to generate. Examples are: CKK_AES, CKK_CAST128, CKK_DES, CKK_DES2, CKK_DES3, CKK_IDEA, CKK_RC2, CKK_RC4, CKK_GENERIC_SECRET. |
keySizeInBits | Size, in bits, of the key to generate. This is not needed for fixed-length key types. The size ranges for the supported PKCS#11 key types are: CKK_AES: 128, 192 or 256 bits; CKK_CAST128: 8, 64 or 128 bits; CKK_DES: 64 bits; CKK_DES2: 128 bits; CKK_DES3: 192 bits; CKK_IDEA: 128 bits; CKK_RC2: 8 to 1024 bits in 8-bit increments; CKK_RC4: 8 to 2048 bits in 8-bit increments; CKK_GENERIC_SECRET: 8 to "effectively infinite" bits. |
pTpl | The attribute template of the new key. |
tplSize | Number of attributes in pTpl. |
numComps | The number of components to generate if XORable key components are required. This parameter should be set to 0 or 1 if component generation is not required. |
phKey | Location to store the handle of the generated key. |
Returns
KM_GenerateKeyPair
Generate a key pair.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
keyType | The type of key pair to generate. Options are: CKK_RSA, CKK_DSA, CKK_DH. |
keySizeInBits | Size, in bits, of the key pair to generate. The size ranges for the supported key types are: CKK_RSA: 512 to 4096 bits in 256-bit increments; CKK_DSA: 512 to 1024 bits in 64-bit increments. |
pPublicKeyTpl | The attribute template the public key will have. |
publicKeyTplSize | The number of attributes in pPublicKeyTpl. |
pPrivateKeyTpl | The attribute template the private key will have. |
privateKeyTplSize | The number of attributes in pPrivateKeyTpl. |
phPublicKey | Location to store the handle of the new public key. |
phPrivateKey | Location to store the handle of the new private key. |
Returns
KM_ModifyBoolAttrs
Toggles the Boolean attributes of an object.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pUserPin | Token User's PIN. If setting the CKA_EXPORT attribute, the Token SO PIN is also required (see pSoPin). |
userPinLen | Length of the User's PIN. |
pSoPin | Token SO PIN. If setting the CKA_EXPORT attribute, the Token SO PIN is required: the session is logged off, the SO is logged on to perform the operation, and the User is then logged back in. If the SO PIN is required but not provided, it is prompted for. |
soPinLen | Length of the SO PIN. |
hObj | Handle to the object whose attributes are to be toggled. |
pAttrs | Array of attribute types to modify. Each attribute specified in the array will be toggled. |
numAttrs | The number of attributes to be toggled. |
KM_ImportFromSC
Import objects from one or more smart cards.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameters | Description |
---|---|
hSession | Handle to an open session. |
cardSlotId | ID of the smart card slot to read smart cards from. |
hUnwrapKey | Handle to the unwrapping key. Set to CK_INVALID_HANDLE for multiple custodian import. |
importVersion | Version of import data to process. One of: 200 (import Cprov2 backup data) or 300 (import Cprov3/PTKC3 backup data). |
Returns
KM_ImportFromFile
Import objects from a file.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pszFileName | Fully qualified path to the file to read from. |
hUnwrapKey | Handle to the unwrapping key. |
importVersion | Version of import data to process. One of: 200 (import Cprov2 backup data) or 300 (import Cprov3/PTKC3 backup data). |
Returns
KM_ImportFromScreen
Import a key from the console, entered as either encrypted parts or clear components.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pszLabel | Label to give to the resulting key. |
keyType | The type of the resulting key. Options are: CKK_AES, CKK_CAST128, CKK_DES, CKK_DES2, CKK_DES3, CKK_IDEA, CKK_RC2, CKK_RC4, CKK_GENERIC_SECRET. |
keySizeInBits | Size, in bits, of the resulting key. This is not needed for fixed-length key types. The size ranges for the supported key types are: CKK_AES: 128, 192 or 256 bits; CKK_CAST128: 8, 64 or 128 bits; CKK_DES: 64 bits; CKK_DES2: 128 bits; CKK_DES3: 192 bits; CKK_IDEA: 128 bits; CKK_RC2: 8 to 1024 bits in 8-bit increments; CKK_RC4: 8 to 2048 bits in 8-bit increments; CKK_GENERIC_SECRET: 8 to "effectively infinite" bits. |
pTpl | The attribute template the imported key will have. |
tplSize | The number of attributes in pTpl. |
numComps | The number of XORable components that need to be entered to create the resulting key. This parameter is ignored if hUnwrapKey is not CK_INVALID_HANDLE. |
hUnwrapKey | Handle to the unwrapping key used to decrypt the entered encrypted parts. This parameter should be CK_INVALID_HANDLE if entering XORable components. |
isEncMultiPart | Flag indicating whether the key is imported as more than one encrypted part; the decrypted parts are concatenated to form the final key. This parameter only applies if hUnwrapKey is not CK_INVALID_HANDLE and the key type is CKK_DES2 or CKK_DES3. |
Returns
KM_ImportFromPinPad
Import a key from components entered on a PIN Pad device.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pszLabel | Label to give resulting key. |
keyType | The type of the resulting PKCS#11 key. For example: CKK_AES, CKK_CAST128, CKK_DES, CKK_DES2, CKK_DES3, CKK_IDEA, CKK_RC2, CKK_RC4, CKK_GENERIC_SECRET. |
keySizeInBits | Size, in bits, of the resulting key. This is not needed for fixed-length key types. The size ranges for the supported PKCS#11 key types are: CKK_AES: 128, 192 or 256 bits; CKK_CAST128: 8, 64 or 128 bits; CKK_DES: 64 bits; CKK_DES2: 128 bits; CKK_DES3: 192 bits; CKK_IDEA: 128 bits; CKK_RC2: 8 to 1024 bits in 8-bit increments; CKK_RC4: 8 to 2048 bits in 8-bit increments; CKK_GENERIC_SECRET: 8 to "effectively infinite" bits. |
pTpl | The attribute template the resulting key will have. |
tplSize | The number of attributes in pTpl. |
numComps | The number of XORable components that need to be entered to create the resulting key. This must be >= 2. |
phKey | Location to store the handle of the resulting key. |
Returns
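The XOR key-component rule behind the numComps parameters of KM_ImportFromScreen and KM_ImportFromPinPad (and the KM_XOR_MECHANISM derive option of the smart-card export functions), reproduced as an added example in plain C; this is not KMLIB code. A key is split into numComps components, all but one drawn at random, such that the XOR of all components reconstructs the key and no single component carries any information about it. The function names, the KM_MAX_* limits, the test-only byte source and the key bytes are constructed for this example; KMLIB itself generates components on the HSM.

```c
/* Added example, not KMLIB code: n-of-n XOR key components as used by the
 * numComps parameters (KM_ImportFromScreen / KM_ImportFromPinPad) and by
 * KM_XOR_MECHANISM. Names, limits and test data below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KM_MAX_COMPS 8    /* assumed limit for this example */
#define KM_MAX_KEY   32   /* longest key handled here: 256 bits */

/* Caller-supplied byte source: fill buf with len bytes, return 0 on success.
 * In a real deployment this is the HSM or OS CSPRNG. */
typedef int (*km_rng_fn)(unsigned char *buf, size_t len);

/* Split key into numComps components whose XOR equals the key.
 * Components 0..numComps-2 are random and the last one is derived, so every
 * single component is uniformly random and reveals nothing about the key.
 * Returns 0 on success, -1 on bad arguments (numComps must be >= 2, as
 * KM_ImportFromPinPad requires). */
int km_split_xor_components(const unsigned char *key, size_t keyLen,
                            unsigned numComps,
                            unsigned char comps[][KM_MAX_KEY], km_rng_fn rng)
{
    if (key == NULL || rng == NULL || keyLen == 0 || keyLen > KM_MAX_KEY ||
        numComps < 2 || numComps > KM_MAX_COMPS)
        return -1;

    memcpy(comps[numComps - 1], key, keyLen);          /* start from K */
    for (unsigned i = 0; i + 1 < numComps; i++) {
        if (rng(comps[i], keyLen) != 0)
            return -1;
        for (size_t j = 0; j < keyLen; j++)            /* last ^= C_i */
            comps[numComps - 1][j] ^= comps[i][j];
    }
    return 0;   /* now C_0 ^ ... ^ C_{n-1} == K */
}

/* Recombine the components entered by the custodians: XOR them all. */
int km_combine_xor_components(unsigned char comps[][KM_MAX_KEY],
                              unsigned numComps, size_t keyLen,
                              unsigned char *out)
{
    if (comps == NULL || out == NULL || numComps < 2 || keyLen > KM_MAX_KEY)
        return -1;
    memset(out, 0, keyLen);
    for (unsigned i = 0; i < numComps; i++)
        for (size_t j = 0; j < keyLen; j++)
            out[j] ^= comps[i][j];
    return 0;
}

/* Test-only deterministic byte source (xorshift32). NOT a CSPRNG; it exists
 * only so the round trip below is reproducible offline. */
int km_test_rng(unsigned char *buf, size_t len)
{
    static uint32_t s = 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] = (unsigned char)s;
    }
    return 0;
}

/* Split a constructed 128-bit key into numComps components and check that
 * recombining yields the original. Returns 1 on success, 0 otherwise. */
int km_xor_roundtrip_ok(unsigned numComps, km_rng_fn rng)
{
    static const unsigned char key[16] = {          /* constructed test key */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
    unsigned char comps[KM_MAX_COMPS][KM_MAX_KEY];
    unsigned char out[sizeof key];

    if (km_split_xor_components(key, sizeof key, numComps, comps, rng) != 0)
        return 0;
    if (km_combine_xor_components(comps, numComps, sizeof key, out) != 0)
        return 0;
    return memcmp(out, key, sizeof key) == 0;
}

int main(void)
{
    static const unsigned char key[8] =              /* constructed test key */
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
    unsigned char comps[KM_MAX_COMPS][KM_MAX_KEY];
    if (km_split_xor_components(key, sizeof key, 3, comps, km_test_rng) != 0)
        return 1;
    for (unsigned i = 0; i < 3; i++) {
        printf("component %u:", i + 1);
        for (size_t j = 0; j < sizeof key; j++) printf(" %02X", comps[i][j]);
        printf("\n");
    }
    return 0;
}
```

Because the last component is derived from the key and the random ones, the scheme is strictly n-of-n: every component must be present at import time, which is why the reference rejects numComps below 2 and treats 0 or 1 as "no components".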
KM_ImportP12File
Import a certificate and private key from a PKCS #12 file.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pszFileName | Fully qualified name of the file to import from. |
pPrivateKeyTpl | The attribute template the private key will have. Must have all boolean attributes that need to be TRUE, as well as the label. No other attributes are required. |
privateKeyTplSize | The number of attributes in pPrivateKeyTpl. |
pCertTpl | The attribute template the certificate will have. Must have all boolean attributes that need to be TRUE, as well as the label. No other attributes are required. |
certTplSize | The number of attributes in pCertTpl. |
phPrivateKey | Location to hold the handle of the resulting private key. |
phCert | Location to store the handle of the resulting certificate. |
Returns
KM_ExportToP12Pbe
Wrap private keys and certificates using PKCS #12 export mechanisms.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
hPrivKey | Handle to private key to be exported. |
hKeyCert | Handle to certificate to be exported. |
safeBagKgMech | Key generation mechanism for SafeBag encryption. Valid options are: CKM_PBE_SHA1_RC2_40_CBC, CKM_PBE_SHA1_RC2_128_CBC, CKM_PBE_SHA1_RC4_40, CKM_PBE_SHA1_RC4_128, CKM_PBE_SHA1_DES2_EDE_CBC, CKM_PBE_SHA1_DES3_EDE_CBC. |
safeContentKgMech | Key generation mechanism for SafeContent encryption. Valid options are: CKM_PBE_SHA1_RC2_40_CBC, CKM_PBE_SHA1_RC2_128_CBC, CKM_PBE_SHA1_RC4_40, CKM_PBE_SHA1_RC4_128, CKM_PBE_SHA1_DES2_EDE_CBC, CKM_PBE_SHA1_DES3_EDE_CBC. |
hmacKgMech | Key generation mechanism for the HMAC: CKM_PBA_SHA1_WITH_SHA1_HMAC. |
p12FileName | File name for output. |
Returns
CKR_OK if successful; otherwise another CK_RV value.
KM_ExportToSCwMethodAlg
Export one or more objects to one or more smart cards.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pUserPIN | Token's User PIN. |
userPinLen | Length of the user PIN number. |
phWrapeeObjs | Array of handles to objects that are to be exported. |
numWrapeeObjs | Number of objects in phWrapeeObjs. |
hWrapKey | Handle to the wrapping key. For multiple custodian export, this parameter is set to CK_INVALID_HANDLE. |
cardSlotId | ID of the smart card slot to write to. |
deriveMech | Mechanism used to derive component keys: KM_XOR_MECHANISM or KM_NOFM_MECHANISM. |
algType | Algorithm of the transport key: KM_ALG_DES3, KM_ALG_AES or KM_ALG_AES_KWP. |
Returns
Status of operation.
KM_ExportToSCwMethod
Export one or more objects to one or more smart cards. It allows users to select the method used to generate component keys.
Note
This function is deprecated. Thales recommends using KM_ExportToSCwMethodAlg instead.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pUserPIN | The Token's User PIN. |
userPinLen | Length of the user PIN number. |
phWrapeeObjs | Array of handles to objects that are to be exported. |
numWrapeeObjs | Number of objects in phWrapeeObjs. |
hWrapKey | Handle to the wrapping key. For multiple custodian export, this parameter is set to CK_INVALID_HANDLE. |
cardSlotId | ID of the smart card slot to write to. |
deriveMech | Mechanism used to derive component keys: KM_XOR_MECHANISM or KM_NOFM_MECHANISM. |
Returns
KM_ExportToSC
Export one or more objects to one or more smart cards.
Note
This function is deprecated. Thales recommends using KM_ExportToSCwMethodAlg instead.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
pUserPIN | The Token's User PIN. |
userPinLen | Length of user PIN number. |
phWrapeeObjs | Array of handles to objects that are to be exported. |
numWrapeeObjs | Number of objects in phWrapeeObjs. |
hWrapKey | Handle to the wrapping key. For multiple custodian export, this parameter is set to CK_INVALID_HANDLE. |
cardSlotId | ID of the smart card slot to write to. |
Returns
KM_ExportToFile
Export an encrypted object set to a file.
Note
This function is deprecated. Thales recommends using KM_ExportToFileAlg instead.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
phWrapeeObjs | Array of handles to objects that are to be exported. |
numWrapeeObjs | Number of objects in the phWrapeeObjs array. |
hWrapKey | Handle to the wrapping key. |
pszFileName | Fully qualified path to the file to export to. |
Returns
KM_ExportToFileAlg
Export an encrypted object set to a file.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
algType | Algorithm of the transport key: KM_ALG_DES3, KM_ALG_AES or KM_ALG_AES_KWP. |
phWrapeeObjs | Array of handles to objects that are to be exported. |
numWrapeeObjs | Number of objects in the phWrapeeObjs array. |
hWrapKey | Handle to the wrapping key. |
pszFileName | Fully qualified path to the file to export to. |
Returns
Status of operation.
KM_ExportToScreen
Export a key to the console in encrypted parts. At this stage, only symmetric keys can be exported using this function.
Callbacks
This function uses the UICB_ShowMsg_t callback.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
hWrapeeKey | Handle to the key to export. |
hWrapKey | Handle to the wrapping key. |
isEncMuliPart | Flag indicating whether the key is to be exported in one or more encrypted parts. This parameter only applies if the wrappee key is one of: CKK_DES2 (exported as two parts) or CKK_DES3 (exported as three parts). |
Returns
KM_DisplaySCStatus
Display information about the smart card entered in the specified slot.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
cardSlot | Card slot ID. |
Returns
KM_EnumerateAttributes
Enumerate all attributes of an object, returning a complete template containing all the object's attributes.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to valid session. |
hObj | Handle to the object whose attributes are to be enumerated. |
pTpl | Points to an array of attributes, which are to be filled out by the function. If this parameter is NULL, no attributes are copied into the array. |
pTplSize | The size of the pTpl array. Upon successful completion of the function, this parameter will contain the number of attributes contained in hObj. |
Returns
KM_ImportDomainParams
Create a domain parameters object based on file contents.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Cryptoki session handle; may or may not be logged on. |
pin | Token user PIN, optional (if required and not provided, it is prompted for). |
userPinLen | Length of the user PIN (if any). |
pObjTpl | Attributes of the new object. Should only contain the following attributes: CKA_CLASS (optional; if provided, must be CKO_DOMAIN_PARAMETERS); CKA_LABEL (mandatory; label of the new object); CKA_MODIFIABLE (optional; defaults to TRUE); CKA_PRIVATE (optional; defaults to FALSE; if TRUE, the user PIN is required or the session must already be logged on); CKA_KEY_TYPE (mandatory; currently must be CKK_EC, and determines the expected file contents); CKA_DELETABLE (optional; no default); CKA_TOKEN (optional; defaults to TRUE). |
ObjTplSize | Number of entries in pObjTpl. |
filename | Path and file name of the file to read domain parameters from. |
phObj | Pointer to where the object handle is returned. |
Returns
Status of operation.
KM_EncodeECParamsP
Windows library: Kmlib.lib
Unix library: Libkmlib.a
DER-encode ECC domain parameters for a prime field.
All integer values are variable length big endian numbers with optional leading zeros. Integer lengths are all in bytes.
Parameter | Description |
---|---|
prime | Prime modulus |
primeLen | Prime modulus len |
curveA | Elliptic Curve coefficient a |
curveALen | Elliptic Curve coefficient a length |
curveB | Elliptic Curve coefficient b |
curveBLen | Elliptic Curve coefficient b length |
curveSeed | Seed (optional may be NULL) |
curveSeedLen | Seed length |
baseX | Elliptic Curve point X coord |
baseXLen | Elliptic Curve point X coord length |
baseY | Elliptic Curve point Y coord |
baseYLen | Elliptic Curve point Y coord length |
bpOrder | Order n of the Base Point |
bpOrderLen | Order n of the Base Point length |
cofactor | The integer h = #E(Fq)/n (optional) |
cofactorLen | h length |
result | Resultant Encoding (length prediction supported if NULL) |
resultLen | Buffer len/Length of resultant encoding |
Return | Status of operation. CKR_OK if ok |
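The parameter list above (prime, a, b, optional seed, base point X/Y, order n, optional cofactor h, and a result buffer with length prediction when result is NULL) maps onto the X9.62 / RFC 3279 ECParameters structure. The following is an added example, not KMLIB code, that DER-encodes that structure in C following the reference's integer convention (variable-length big-endian with optional leading zeros) and honours the same result/resultLen contract: a NULL result returns the required size, the same two-call pattern the reference describes for pTpl/pTplSize in KM_EnumerateAttributes and tokenData/pTokenDataSize in KM_ExportToken. Whether KMLIB's output is byte-for-byte this layout is an assumption; the writer type, function names and the toy parameter values are constructed for the example, and the toy values are not a real curve.

```c
/* Added example, not KMLIB code: DER encoding of prime-field EC domain
 * parameters in the X9.62 ECParameters layout (assumed to match what
 * KM_EncodeECParamsP produces). Names and toy values are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const unsigned char *prime;     size_t primeLen;
    const unsigned char *curveA;    size_t curveALen;
    const unsigned char *curveB;    size_t curveBLen;
    const unsigned char *curveSeed; size_t curveSeedLen;   /* optional */
    const unsigned char *baseX;     size_t baseXLen;
    const unsigned char *baseY;     size_t baseYLen;
    const unsigned char *bpOrder;   size_t bpOrderLen;
    const unsigned char *cofactor;  size_t cofactorLen;    /* optional */
} ec_prime_params;

/* Writer that only counts when buf is NULL: this is the length prediction. */
typedef struct { unsigned char *buf; size_t pos; } der_w;

static void w_byte(der_w *w, unsigned char b) { if (w->buf) w->buf[w->pos] = b; w->pos++; }
static void w_bytes(der_w *w, const unsigned char *p, size_t n)
{ if (w->buf && n) memcpy(w->buf + w->pos, p, n); w->pos += n; }

/* DER length: short form below 128, long form with 1 or 2 length bytes above. */
static void w_len(der_w *w, size_t n)
{
    if (n < 0x80)       { w_byte(w, (unsigned char)n); }
    else if (n <= 0xFF) { w_byte(w, 0x81); w_byte(w, (unsigned char)n); }
    else { w_byte(w, 0x82); w_byte(w, (unsigned char)(n >> 8)); w_byte(w, (unsigned char)n); }
}

/* INTEGER: drop redundant leading zeros, then prepend 0x00 if the top bit
 * is set so the (unsigned) value stays positive in DER's two's complement. */
static void w_integer(der_w *w, const unsigned char *v, size_t len)
{
    while (len > 1 && v[0] == 0x00) { v++; len--; }
    int pad = (len == 0) || (v[0] & 0x80);
    w_byte(w, 0x02); w_len(w, len + pad);
    if (pad) w_byte(w, 0x00);
    w_bytes(w, v, len);
}

static void w_tlv(der_w *w, unsigned char tag, const unsigned char *v, size_t len)
{ w_byte(w, tag); w_len(w, len); w_bytes(w, v, len); }

typedef void (*der_body_fn)(der_w *, const ec_prime_params *);

/* SEQUENCE: measure the body with a counting writer, then emit header + body. */
static void w_seq(der_w *w, der_body_fn body, const ec_prime_params *p)
{
    der_w m = { NULL, 0 };
    body(&m, p);
    w_byte(w, 0x30); w_len(w, m.pos);
    body(w, p);
}

static void w_fieldid_body(der_w *w, const ec_prime_params *p)
{
    static const unsigned char prime_field_oid[] =       /* 1.2.840.10045.1.1 */
        { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x01, 0x01 };
    w_tlv(w, 0x06, prime_field_oid, sizeof prime_field_oid);
    w_integer(w, p->prime, p->primeLen);                 /* Prime-p */
}

static void w_curve_body(der_w *w, const ec_prime_params *p)
{
    w_tlv(w, 0x04, p->curveA, p->curveALen);             /* a OCTET STRING */
    w_tlv(w, 0x04, p->curveB, p->curveBLen);             /* b OCTET STRING */
    if (p->curveSeed && p->curveSeedLen) {               /* seed BIT STRING */
        w_byte(w, 0x03); w_len(w, p->curveSeedLen + 1);
        w_byte(w, 0x00);                                 /* 0 unused bits */
        w_bytes(w, p->curveSeed, p->curveSeedLen);
    }
}

static void w_params_body(der_w *w, const ec_prime_params *p)
{
    static const unsigned char ver1 = 0x01;
    w_integer(w, &ver1, 1);                              /* version ecpVer1 */
    w_seq(w, w_fieldid_body, p);
    w_seq(w, w_curve_body, p);
    /* base ECPoint: OCTET STRING of 04 || X || Y (uncompressed; X and Y are
     * expected to arrive already padded to the field length). */
    w_byte(w, 0x04); w_len(w, 1 + p->baseXLen + p->baseYLen); w_byte(w, 0x04);
    w_bytes(w, p->baseX, p->baseXLen); w_bytes(w, p->baseY, p->baseYLen);
    w_integer(w, p->bpOrder, p->bpOrderLen);             /* order n */
    if (p->cofactor && p->cofactorLen)
        w_integer(w, p->cofactor, p->cofactorLen);       /* cofactor h */
}

/* result NULL: *resultLen receives the required size. Otherwise *resultLen is
 * the buffer size on input and the encoded size on output. Returns 0 on
 * success, -1 on a missing mandatory field or a too-small buffer. */
int ec_prime_params_encode(const ec_prime_params *p, unsigned char *result, size_t *resultLen)
{
    if (!p || !resultLen || !p->prime || !p->curveA || !p->curveB ||
        !p->baseX || !p->baseY || !p->bpOrder)
        return -1;
    der_w m = { NULL, 0 };
    w_seq(&m, w_params_body, p);                         /* pass 1: size */
    if (result == NULL) { *resultLen = m.pos; return 0; }
    if (*resultLen < m.pos) return -1;
    der_w w = { result, 0 };
    w_seq(&w, w_params_body, p);                         /* pass 2: write */
    *resultLen = w.pos;
    return 0;
}

/* Stand-alone INTEGER encoder to check the leading-zero / sign-bit rule. */
size_t der_integer_encode(const unsigned char *v, size_t len, unsigned char *out)
{ der_w w = { out, 0 }; w_integer(&w, v, len); return w.pos; }

/* Constructed toy values (NOT a real curve); returns encoded length or 0. */
size_t ec_toy_params_encode(unsigned char *out, size_t outLen)
{
    static const unsigned char p[] = {0x17}, a[] = {0x01}, b[] = {0x01},
        x[] = {0x03}, y[] = {0x0A}, n[] = {0x1C}, h[] = {0x01};
    ec_prime_params tp = { p, 1, a, 1, b, 1, NULL, 0, x, 1, y, 1, n, 1, h, 1 };
    size_t len = outLen;
    return ec_prime_params_encode(&tp, out, &len) == 0 ? len : 0;
}

/* Encode the toy set into a static buffer; NULL on failure. */
const unsigned char *ec_toy_params_bytes(void)
{
    static unsigned char buf[64];
    return ec_toy_params_encode(buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    size_t n = ec_toy_params_encode(NULL, 0);            /* length prediction */
    const unsigned char *der = ec_toy_params_bytes();
    printf("%zu bytes:", n);
    for (size_t i = 0; der && i < n; i++) printf(" %02X", der[i]);
    printf("\n");
    return der ? 0 : 1;
}
```

The two-pass counting writer is what makes the NULL-result contract cheap to honour: the same body functions run once to size every nested SEQUENCE and once to emit it, so the predicted length always matches the bytes written. Callers can then allocate exactly, which avoids the undersized-buffer failure the reference describes for KM_EnumerateAttributes and KM_ExportToken.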
KM_EncodeECParams2M
Windows library: Kmlib.lib
Unix library: Libkmlib.a
DER-encode ECC domain parameters for a characteristic-two (2^M) field.
All long integer values are variable-length big-endian numbers with optional leading zeros; lengths are all in bytes.
Parameter | Description |
---|---|
M | Degree of field |
basis | Should be ECBT_GnBasis or ECBT_TpBasis or ECBT_PpBasis |
parameters | Array of three integers whose values depend on basis: ECBT_GnBasis: 0, 0, 0; ECBT_TpBasis: k, 0, 0; ECBT_PpBasis: k1, k2, k3. |
curveA | Elliptic Curve coefficient a |
curveALen | Elliptic Curve coefficient a length |
curveB | Elliptic Curve coefficient b |
curveBLen | Elliptic Curve coefficient b length |
curveSeed | Seed (optional may be NULL) |
curveSeedLen | Seed length |
baseX | Elliptic Curve point X coord |
baseXLen | Elliptic Curve point X coord length |
baseY | Elliptic Curve point Y coord |
baseYLen | Elliptic Curve point Y coord length |
bpOrder | Order n of the Base Point |
bpOrderLen | Order n of the Base Point length |
cofactor | The integer h = #E(Fq)/n (optional) |
cofactorLen | h length |
result | Resultant Encoding (length prediction supported if NULL) |
resultLen | Buffer len/Length of resultant encoding |
Return | Status of operation. CKR_OK if ok |
KM_GenerateDomainParams
Generate a domain parameters object.
Callbacks
This function uses the following callbacks:
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to an open session. |
keyType | The type of PKCS#11 domain parameters to generate: CKK_DH or CKK_DSA. |
keySizeInBits | Size, in bits, of the parameters to generate. The size ranges for the supported PKCS#11 key types are: CKK_DH: 512 to 4096 bits; CKK_DSA: 512 to 4096 bits. |
pTpl | The attribute template the new key will have. |
tplSize | Number of attributes in pTpl. |
phKey | Location to store the handle of the generated key. |
Returns
Status of operation.
KM_ExportToken
Export a token for a specific device.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to a USER logged on session on the token to be exported. |
serialNumber | The serial number of the destination device for which the token is being exported. |
tokenData | Location to store the exported token data. If NULL is specified, no data is exported; pTokenDataSize still returns the size of the exported token data. |
pTokenDataSize | The size of the tokenData buffer. Upon completion of the function, this parameter will contain the size of the exported data. If pTokenDataSize is too small, no data will be placed in tokenData. |
Returns
KM_ImportToken
Import token data previously exported with KM_ExportToken(). At this stage, only symmetric keys are supported by this function.
Synopsis
#include <kmlib.h>
Parameter | Description |
---|---|
hSession | Handle to a USER logged on session on the token to be imported. |
tokenData | The token data to import. |
tokenDataLen | The size of the tokenData buffer. |