ProtectServer 3 HSM and ProtectToolkit 7
Customer release notes
- ProtectToolkit 7 releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 HSM firmware releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- ProtectServer 3 Network HSM Appliance Software releases
  - Releases for FIPS 140-2 Level 3 deployments
  - Releases for FIPS 140-3 Level 3 deployments
- Supported ProtectToolkit 7 platforms
- Supported ProtectServer 3 HSM firmware and boot loader versions
- Known and resolved issues
ProtectServer 3 HSM and ProtectToolkit 7 installation and configuration
- ProtectServer 3 PCIe hardware installation
- ProtectServer 3 External installation and configuration
  - ProtectServer 3 External overview
  - ProtectServer 3 External required items
  - Installing the ProtectServer 3 External hardware
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3 External
  - Updating the ProtectServer 3 External appliance software image
- ProtectServer 3+ External installation and configuration
  - ProtectServer 3+ External overview
  - ProtectServer 3+ External required items
  - Installing the ProtectServer 3+ External in a server rack
  - Physical features
  - Deployment guidelines
  - First log on and system test
  - Network configuration
  - Powering off the ProtectServer 3+ External
  - Updating the ProtectServer 3+ External appliance software image
- ProtectToolkit 7 software installation
  - Installing ProtectToolkit 7 on Windows
  - Installing ProtectToolkit 7 on Unix/Linux
  - Installing ProtectToolkit 7 on Unix/Linux manually
  - Deploying ProtectToolkit 7 in a Docker container on Linux
  - Available ProtectToolkit 7 components
- Configuration items
- Utilities command reference
PSESH command reference
- Using PSESH
- PSESH commands
  - audit
    - audit audit
      - audit audit changepwd
      - audit audit init
      - audit audit secret
    - audit log
      - audit log clear
      - audit log rotation
      - audit log show
      - audit log tarlogs
    - audit service
      - audit service enable
      - audit service disable
  - exit
  - files
    - files clear
    - files delete
    - files show
  - help
  - hsm
    - hsm cert
    - hsm factoryreset
    - hsm reset
    - hsm show
    - hsm state
  - network
    - network dns
      - network dns add
        
        network dns add nameserver
        
        network dns add searchdomain
      - network dns delete
        
        network dns delete nameserver
        
        network dns delete searchdomain
    - network domain
    - network hostname
    - network interface
      - network interface bonding
        
        network interface bonding config
        
        network interface bonding disable
        
        network interface bonding enable
        
        network interface bonding show
      - network interface delete
      - network interface dhcp
      - network interface ipv6
      - network interface static
    - network iptables
      - network iptables addrule
        
        network iptables addrule accept
        
        network iptables addrule drop
      - network iptables clear
      - network iptables delrule
      - network iptables save
      - network iptables show
    - network ping
    - network route
      - network route add
      - network route clear
      - network route delete
      - network route show
      - network route default
    - network show
  - package
    - package list
      - package list all
      - package list ptk
    - package install
    - package listfile
  - service
    - service list
    - service restart
    - service start
    - service status
    - service stop
  - status
    - status cpu
    - status date
    - status disk
    - status interface
    - status mac
    - status mem
    - status netstat
    - status ps
    - status time
    - status zone
  - sysconf
    - sysconf appliance
      - sysconf appliance factory
      - sysconf appliance poweroff
      - sysconf appliance reboot
      - sysconf appliance backup create
      - sysconf appliance backup restore
    - sysconf etnetcfg
      - sysconf etnetcfg set
      - sysconf etnetcfg show
    - sysconf snmp
      - sysconf snmp config
      - sysconf snmp disable
      - sysconf snmp enable
      - sysconf snmp show
    - sysconf time
    - sysconf timezone
      - sysconf timezone set
      - sysconf timezone show
  - syslog
    - syslog cleanup
    - syslog export
    - syslog period
    - syslog remotehost
      - syslog remotehost add
      - syslog remotehost clear
      - syslog remotehost delete
      - syslog remotehost list
    - syslog rotate
    - syslog rotations
    - syslog show
    - syslog tail
    - syslog tarlogs
  - user password
ProtectServer HSM migration
- Migrating keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs
- Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs
ProtectToolkit-C administration
- Introduction
- Cryptoki configuration
  - ProtectToolkit-C model
  - Initial configuration
    - Trust management
    - ProtectServer owner and identity certificates
    - Secure messaging
    - Token replication
  - Changing the Cryptoki provider
  - Work Load Distribution and High Availability
    - WLD system setup
    - Operation in WLD Mode
    - Operation in High Availability Mode
  - Real-time clock
  - ProtectToolkit-C configuration items
- Security policies and user roles
  - Typical security policies
  - Security flags
  - Security policy options
  - User roles
- Audit logging
  - Audit logging overview
  - Configuring and using audit logging
  - Audit log entries and structure
- SNMP monitoring
- Self-tests
- Operational tasks
  - Changing a user or Security Officer PIN
  - Secure key backup and restoration
  - Adding and removing slots
  - Re-initializing a token
  - Multifactor authentication (one-time password)
  - Connecting and removing smart card readers
  - Using Transport Mode to avoid a board removal tamper
  - Adjusting the HSM clock
  - Changing secure messaging mode
  - Using the system event log
  - Updating the HSM firmware or boot loader
  - Installing a functionality module
  - Key entry via PIN pad
  - Resetting the HSM to factory settings
  - Resetting the ProtectServer 3 Network HSM appliance to factory settings
  - Tampering or decommissioning the HSM
  - RMA and shipping back to Thales
- Command-line utilities reference
  - ctcert
  - ctcheck
  - ctconf
  - ctfm
  - ctident
  - ctlimits
  - ctmultitoken
  - ctotp
  - ctkmu
  - ctperf
  - ctstat
  - auditverify
  - ptk7tokmigration
- PKCS#11 attributes
- Sample EC domain parameter files
ProtectToolkit-C programming
- Introduction to PKCS#11
- Environments
- Object classes
  - Creating, modifying, copying, and deleting objects
  - Additional attribute types
  - Common attributes
  - Hardware feature objects
  - Clock objects
  - Monotonic counter objects
  - Storage objects
  - Data objects
  - Certificate objects
  - Key objects
    - Public key objects
    - Private key objects
    - Secret key objects
    - Key parameter objects
- ProtectToolkit-C mechanisms
  - CKM_AES_CBC
  - CKM_AES_CBC_ENCRYPT_DATA
  - CKM_AES_CBC_PAD
  - CKM_AES_CCM
  - CKM_AES_CMAC
  - CKM_AES_CMAC_GENERAL
  - CKM_AES_CTR
  - CKM_AES_ECB
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_GCM
  - CKM_AES_GCM_OLD
  - CKM_AES_GMAC
  - CKM_AES_KEY_GEN
  - CKM_AES_KEY_WRAP
  - CKM_AES_KEY_WRAP_PAD
  - CKM_AES_KW
  - CKM_AES_KWP
  - CKM_AES_MAC
  - CKM_AES_MAC_GENERAL
  - CKM_AES_OFB
  - CKM_ARDFP
  - CKM_ARIA_CBC
  - CKM_ARIA_CBC_PAD
  - CKM_ARIA_ECB
  - CKM_ARIA_KEY_GEN
  - CKM_ARIA_MAC
  - CKM_ARIA_MAC_GENERAL
  - CKM_BIP32_CHILD_DERIVE
  - CKM_BIP32_MASTER_DERIVE
  - CKM_CAST128_CBC
  - CKM_CAST128_CBC_PAD
  - CKM_CAST128_ECB
  - CKM_CAST128_ECB_PAD
  - CKM_CAST128_KEY_GEN
  - CKM_CAST128_MAC
  - CKM_CAST128_MAC_GENERAL
  - CKM_CONCATENATE_BASE_AND_DATA
  - CKM_CONCATENATE_BASE_AND_KEY
  - CKM_CONCATENATE_DATA_AND_BASE
  - CKM_DECODE_PKCS_7
  - CKM_DECODE_X_509
  - CKM_DES2_KEY_GEN
  - CKM_DES3_BCF
  - CKM_DES3_CBC
  - CKM_DES3_CBC_ENCRYPT_DATA
  - CKM_DES3_CBC_PAD
  - CKM_DES3_CMAC
  - CKM_DES3_CMAC_GENERAL
  - CKM_DES3_DDD_CBC
  - CKM_DES3_DERIVE_CBC_DEPRECATED
  - CKM_DES3_DERIVE_ECB_DEPRECATED
  - CKM_DES3_ECB
  - CKM_DES3_ECB_ENCRYPT_DATA
  - CKM_DES3_ECB_PAD
  - CKM_DES3_KEY_GEN
  - CKM_DES3_MAC
  - CKM_DES3_MAC_GENERAL
  - CKM_DES3_OFB64
  - CKM_DES3_RETAIL_CFB_MAC
  - CKM_DES3_X919_MAC
  - CKM_DES3_X919_MAC_GENERAL
  - CKM_DES_BCF
  - CKM_DES_CBC
  - CKM_DES_CBC_ENCRYPT_DATA
  - CKM_DES_CBC_PAD
  - CKM_DES_DERIVE_CBC_DEPRECATED
  - CKM_DES_DERIVE_ECB_DEPRECATED
  - CKM_DES_ECB
  - CKM_DES_ECB_ENCRYPT_DATA
  - CKM_DES_ECB_PAD
  - CKM_DES_KEY_GEN
  - CKM_DES_MAC
  - CKM_DES_MAC_GENERAL
  - CKM_DES_MDC_2_PAD1
  - CKM_DES_OFB64
  - CKM_DH_PKCS_DERIVE
  - CKM_DH_PKCS_KEY_PAIR_GEN
  - CKM_DH_PKCS_PARAMETER_GEN
  - CKM_DSA
  - CKM_DSA_KEY_PAIR_GEN
  - CKM_DSA_PARAMETER_GEN
  - CKM_DSA_SHA1
  - CKM_DSA_SHA1_PKCS
  - CKM_DSA_SHA224
  - CKM_DSA_SHA224_PKCS
  - CKM_DSA_SHA256
  - CKM_DSA_SHA256_PKCS
  - CKM_DSA_SHA384
  - CKM_DSA_SHA384_PKCS
  - CKM_DSA_SHA512
  - CKM_DSA_SHA512_PKCS
  - CKM_EC_EDWARDS_KEY_PAIR_GEN
  - CKM_EC_KEY_PAIR_GEN
  - CKM_EC_MONTGOMERY_KEY_PAIR_GEN
  - CKM_ECDH1_DERIVE
  - CKM_ECDSA
  - CKM_ECDSA_GBCS_SHA256
  - CKM_ECDSA_SHA1
  - CKM_ECDSA_SHA224
  - CKM_ECDSA_SHA256
  - CKM_ECDSA_SHA384
  - CKM_ECDSA_SHA3_224
  - CKM_ECDSA_SHA3_256
  - CKM_ECDSA_SHA3_384
  - CKM_ECDSA_SHA3_512
  - CKM_ECDSA_SHA512
  - CKM_ECIES
  - CKM_EDDSA
  - CKM_ENCODE_ATTRIBUTES
  - CKM_ENCODE_PKCS_10
  - CKM_ENCODE_PUBLIC_KEY
  - CKM_ENCODE_X_509
  - CKM_ENCODE_X_509_LOCAL_CERT
  - CKM_EXTRACT_KEY_FROM_KEY
  - CKM_GENERIC_SECRET_KEY_GEN
  - CKM_IDEA_CBC
  - CKM_IDEA_CBC_PAD
  - CKM_IDEA_ECB
  - CKM_IDEA_ECB_PAD
  - CKM_IDEA_KEY_GEN
  - CKM_IDEA_MAC
  - CKM_IDEA_MAC_GENERAL
  - CKM_KECCAK_1600
  - CKM_KEY_TRANSLATION
  - CKM_KEY_WRAP_SET_OAEP
  - CKM_MD2
  - CKM_MD2_HMAC
  - CKM_MD2_HMAC_GENERAL
  - CKM_MD2_KEY_DERIVATION
  - CKM_MD2_RSA_PKCS
  - CKM_MD5
  - CKM_MD5_HMAC
  - CKM_MD5_HMAC_GENERAL
  - CKM_MD5_KEY_DERIVATION
  - CKM_MD5_RSA_PKCS
  - CKM_MILENAGE_DERIVE
  - CKM_MILENAGE_SIGN
  - CKM_NVB
  - CKM_PBA_SHA1_WITH_SHA1_HMAC
  - CKM_PBE_MD2_DES_CBC
  - CKM_PBE_MD5_CAST128_CBC
  - CKM_PBE_MD5_DES_CBC
  - CKM_PBE_SHA1_CAST128_CBC
  - CKM_PBE_SHA1_DES2_EDE_CBC
  - CKM_PBE_SHA1_DES3_EDE_CBC
  - CKM_PBE_SHA1_RC2_128_CBC
  - CKM_PBE_SHA1_RC2_40_CBC
  - CKM_PBE_SHA1_RC4_128
  - CKM_PBE_SHA1_RC4_40
  - CKM_PKCS12_PBE_EXPORT
  - CKM_PKCS12_PBE_IMPORT
  - CKM_PP_LOAD_SECRET
  - CKM_PP_LOAD_SECRET_2
  - CKM_RC2_CBC
  - CKM_RC2_CBC_PAD
  - CKM_RC2_ECB
  - CKM_RC2_ECB_PAD
  - CKM_RC2_KEY_GEN
  - CKM_RC2_MAC
  - CKM_RC2_MAC_GENERAL
  - CKM_RC4
  - CKM_RC4_KEY_GEN
  - CKM_REPLICATE_TOKEN_RSA_AES
  - CKM_RIPEMD128
  - CKM_RIPEMD128_HMAC
  - CKM_RIPEMD128_HMAC_GENERAL
  - CKM_RIPEMD128_RSA_PKCS
  - CKM_RIPEMD160
  - CKM_RIPEMD160_HMAC
  - CKM_RIPEMD160_HMAC_GENERAL
  - CKM_RIPEMD160_RSA_PKCS
  - CKM_RSA_9796
  - CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_ GEN
  - CKM_RSA_PKCS
  - CKM_RSA_PKCS_KEY_PAIR_GEN
  - CKM_RSA_PKCS_OAEP
  - CKM_RSA_PKCS_PSS
  - CKM_RSA_X9_31_KEY_PAIR_GEN
  - CKM_RSA_X_509
  - CKM_SECRET_RECOVER_WITH_ATTRIBUTES
  - CKM_SECRET_SHARE_WITH_ATTRIBUTES
  - CKM_SEED_CBC
  - CKM_SEED_CBC_PAD
  - CKM_SEED_ECB
  - CKM_SEED_ECB_PAD
  - CKM_SEED_KEY_GEN
  - CKM_SEED_MAC
  - CKM_SEED_MAC_GENERAL
  - CKM_SET_ATTRIBUTES
  - CKM_SHA1
  - CKM_SHA1_EDDSA
  - CKM_SHA1_HMAC
  - CKM_SHA1_HMAC_GENERAL
  - CKM_SHA1_KEY_DERIVATION
  - CKM_SHA1_RSA_PKCS
  - CKM_SHA1_RSA_PKCS_PSS
  - CKM_SHA1_RSA_PKCS_TIMESTAMP
  - CKM_SHA224
  - CKM_SHA224_EDDSA
  - CKM_SHA224_HMAC
  - CKM_SHA224_HMAC_GENERAL
  - CKM_SHA224_KEY_DERIVATION
  - CKM_SHA224_RSA_PKCS
  - CKM_SHA224_RSA_PKCS_PSS
  - CKM_SHA256
  - CKM_SHA256_EDDSA
  - CKM_SHA256_HMAC
  - CKM_SHA256_HMAC_GENERAL
  - CKM_SHA256_KEY_DERIVATION
  - CKM_SHA256_RSA_PKCS
  - CKM_SHA256_RSA_PKCS_PSS
  - CKM_SHA384
  - CKM_SHA384_EDDSA
  - CKM_SHA384_HMAC
  - CKM_SHA384_HMAC_GENERAL
  - CKM_SHA384_KEY_DERIVATION
  - CKM_SHA384_RSA_PKCS
  - CKM_SHA384_RSA_PKCS_PSS
  - CKM_SHA3_224
  - CKM_SHA3_224_EDDSA
  - CKM_SHA3_224_HMAC
  - CKM_SHA3_224_HMAC_GENERAL
  - CKM_SHA3_224_KEY_DERIVE
  - CKM_SHA3_224_RSA_PKCS
  - CKM_SHA3_224_RSA_PKCS_PSS
  - CKM_SHA3_256
  - CKM_SHA3_256_EDDSA
  - CKM_SHA3_256_HMAC
  - CKM_SHA3_256_HMAC_GENERAL
  - CKM_SHA3_256_KEY_DERIVE
  - CKM_SHA3_256_RSA_PKCS
  - CKM_SHA3_256_RSA_PKCS_PSS
  - CKM_SHA3_384
  - CKM_SHA3_384_EDDSA
  - CKM_SHA3_384_HMAC
  - CKM_SHA3_384_HMAC_GENERAL
  - CKM_SHA3_384_KEY_DERIVE
  - CKM_SHA3_384_RSA_PKCS
  - CKM_SHA3_384_RSA_PKCS_PSS
  - CKM_SHA3_512
  - CKM_SHA3_512_EDDSA
  - CKM_SHA3_512_HMAC
  - CKM_SHA3_512_HMAC_GENERAL
  - CKM_SHA3_512_KEY_DERIVE
  - CKM_SHA3_512_RSA_PKCS
  - CKM_SHA3_512_RSA_PKCS_PSS
  - CKM_SHA512
  - CKM_SHA512_EDDSA
  - CKM_SHA512_HMAC
  - CKM_SHA512_HMAC_GENERAL
  - CKM_SHA512_KEY_DERIVATION
  - CKM_SHA512_RSA_PKCS
  - CKM_SHA512_RSA_PKCS_PSS
  - CKM_SSL3_KEY_AND_MAC_DERIVE
  - CKM_SSL3_MASTER_KEY_DERIVE
  - CKM_SSL3_MD5_MAC
  - CKM_SSL3_PRE_MASTER_KEY_GEN
  - CKM_SSL3_SHA1_MAC
  - CKM_TDEA_TKW
  - CKM_TUAK_DERIVE
  - CKM_TUAK_SIGN
  - CKM_UNWRAP_TR31
  - CKM_VISA_CVV
  - CKM_WRAP_TR31_DERIVE
  - CKM_WRAP_TR31_VARIANT
  - CKM_WRAPKEY_AES_CBC
  - CKM_WRAPKEY_AES_KWP
  - CKM_WRAPKEY_DES3_CBC
  - CKM_WRAPKEY_DES3_ECB
  - CKM_WRAPKEYBLOB_AES_CBC
  - CKM_WRAPKEYBLOB_DES3_CBC
  - CKM_X9_42_DH_DERIVE
  - CKM_X9_42_DH_KEY_PAIR_GEN
  - CKM_X9_42_DH_PARAMETER_GEN
  - CKM_XOR_BASE_AND_DATA
  - CKM_XOR_BASE_AND_KEY
  - CKM_ZKA_MDC_2_KEY_DERIVATION
  - PTK-C vendor-defined error codes
- Supported ECC curves
- C sample programs
- Best practice guidelines
  - Application security
  - Application usability
  - Performance
  - Capacity
  - Setup and configuration
  - Maintainability
  - Debugging
  - Interoperability
  - Programming in FIPS Mode
  - Key management
  - Hierarchical deterministic wallets in ProtectToolkit
- ctbrowse - token browser
- API tutorial: development of a sample application
- PKCS#11 logger library
- PKCS#11 command reference
  - General purpose functions
  - Slot and token management functions
  - Session management functions
  - Object management functions
  - Encryption functions
  - Decryption functions
  - Message digesting functions
  - Signing and MACing functions
  - Functions for verifying signatures and MACs
  - Dual-function cryptographic functions
  - Key management functions
  - Random number generation functions
  - Parallel function management functions
  - Extra functions
- ctutil.h functionality reference
- ctextra.h library reference
- hex2bin.h library reference
- hsmadmin.h library reference
- Attribute certificate
ProtectToolkit-C management libraries programming
- KMLIB sample applications
- KMLIB callback prototypes reference
- KMLIB function reference
ProtectToolkit-J reference
- ProtectToolkit-J overview
- JCA/JCE API overview
  - Encryption and decryption
  - Message digests
  - Message authentication code (MAC)
  - Authentication
  - Key management
  - Error handling and exceptions
- Supported ciphers
  - DES
  - DESede
  - AES
  - IDEA
  - CAST128
  - RC2
  - RC4
  - PBE ciphers
  - RSA
- Supported signature algorithms
- Supported MAC algorithms
- Supported message digest algorithms
- Key Management Utility (KMU) reference
  - Compatibility issues
  - Main KMU interface
  - Logging into and out from tokens
  - Creating keys
  - Editing key attributes
  - Deleting a key
  - Display key check value
  - Importing and exporting keys
  - Key backup feature tutorial
- Administration Utility (gCTAdmin) reference
  - Logging in and out
  - Main gCTAdmin Interface
  - Slot and token management
  - HSM management
- KMU key check value (KCV) calculation
- Key generation
- Key management
- Best practice guidelines
- Java sample programs
- JCA/JCE API tutorial
  - Public key cryptography
  - FileCrypt application
  - File encryption
  - File decryption
  - Accessing public keys
  - Main()
- Random number generation
- References
ProtectToolkit-M reference
- Overview
- Setup and configuration
  - User roles
  - Initial configuration: mandatory steps
  - Security mode descriptions
  - Security mode flag descriptions
  - Allocating keyset space
  - Configuration options
  - SafeNet KSP for CNG registration utilities
  - Configuring IIS7 (Win2008) with CNG
- Administrative tasks
  - Changing the device administrator password
  - Allocating keyset space
  - De-allocating keyset space
  - Creating user keysets
  - Deleting a keyset
  - Setting the adapter Transport Mode
  - Correcting clock drift
  - Viewing and purging the HSM event log
  - Checking and upgrading HSM firmware
  - Tampering the HSM
  - Backing up a keyset
  - Restoring a keyset
  - Enabling private key clear export
- User tasks
- Administration and user utilities
  - Administration Utility
  - Keyset Management Utility
  - createcert
- Integration with Microsoft CA
  - Setting up a CA with ProtectToolkit-M
  - Certificate template support for SafeNet CSPs
  - CA replication (key backup and recovery)
  - Private key archiving and recovery
- Integration with IIS
  - Creating a certificate
  - Installing a certificate for use with IIS
- Work Load Distribution
- Registry configuration
FM SDK programming
- Overview
- FM architecture
- FM development
- FM samples
- Building sample FMs in Emulation Mode on Windows
- Configuring WSL 2 for FM development and deployment
- FM deployment
- Utilities reference
- Cipher object
  - FmCreateCipherObject
  - Cipher object functions
  - Algorithm-specific cipher information
- Hash object
  - FmCreateHashObject
  - Hash object functions
- Setting privilege level
- SMFS reference
- FMDEBUG reference
- Message Dispatch API reference
- HSM functions reference
  - HIFACE reply management functions
  - Functionality module dispatch switcher function
  - Serial communication functions
  - High resolution timer functions
  - Cprov function patching helper function
  - Current application ID functions
  - PKCS#11 state management functions
  - Functionality module header definition macro
- USB API reference
ProtectServer 3 HSM and ProtectToolkit 7 troubleshooting
- Installation troubleshooting
- ProtectToolkit-J troubleshooting
- ProtectToolkit-M troubleshooting
Third-Party Software Licenses

ctextra.h library reference

The ProtectToolkit-C SDK offers a number of extended API libraries with functionality that is extended to that of the standard PKCS#11 function set.

The following additional features do not form part of the standard PKCS#11 functionality, but are provided by Thales as part of the SafeNet ProtectToolkit-C API within the ctextra.h library.

AddAttributeSets

Add two attribute sets being careful to drop duplicates. The 'base' attributes will override 'user' attributes where duplicates are concerned. Resulting set is located in *pSum.

Synopsis

CK_RV AddAttributeSets(TOK_ATTR_DATA ** pSum,const TOK_ATTR_DATA * base,const TOK_ATTR_DATA * user);

Parameter	Description
pSum	Reference to addition of base and user sets
base	Attribute set to add to user set
user	Attribute set to add to base set

On successful return

*pSum — reference to a newly allocated attribute set resulting from the addition. This memory needs to be released via a call to FreeAttributeSet.

at_assign

Assign one attribute value to another. Attribute types and lengths have to match up.

Synopsis

CK_RV at_assign(
CK_ATTRIBUTE * tgtNa,
const CK_ATTRIBUTE * srcNa);

Parameter	Description
tgtNa	Target attribute
srcNa	Source attribute

To determine the length of tgtNa->pValue required, set tgtNa->pValue to NULL and check tgtNa->valueLen after invocation.

ConcatAttributeSets

Append attributes from the user set to the base set. The 'base' attributes will override 'user' attributes where duplicates are concerned.

Synopsis

CK_RV ConcatAttributeSets(
TOK_ATTR_DATA * base,
const TOK_ATTR_DATA * user);

Parameter	Description
base	Reference to attribute set to append to
user	Reference to attribute set to append

CopyAttribute

Make a copy of an attribute from one attribute set to another. Only copy it if it is in 'src'. Overwrite it if it is in 'tgt'. Returns reference to the copied attribute in tgt attribute set.

Synopsis

CK_ATTRIBUTE * CopyAttribute(
CK_ATTRIBUTE_TYPE at,
TOK_ATTR_DATA * tgt,
const TOK_ATTR_DATA * src);

Parameter	Description
at	Attribute to copy
tgt	Target attribute set
src	Source attribute set

On successful return

tgt — contains value of the specified attribute from src

DupAttributes

Make a copy of an array of attributes. The returned attribute set is newly allocated. This memory needs to be released via a call to FreeAttributeSet.

Synopsis

TOK_ATTR_DATA * DupAttributes(
const CK_ATTRIBUTE * attr,
CK_COUNT attrCount);

Parameter	Description
attr	Attribute array to duplicate
attrCount	Number of attributes in attr

DupAttributeSet

Make a copy of an attribute set. The returned attribute set is newly allocated. This memory needs to be released via a call to FreeAttributeSet. Synopsis

TOK_ATTR_DATA * DupAttributeSet(
const TOK_ATTR_DATA * attrData);

Parameter	Description
attrData	Attribute set to duplicate

ExtractAllAttributes

Extract all non-sensitive valid attributes of an object.

Synopsis

CK_RV ExtractAllAttributes(
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hobj,
TOK_ATTR_DATA ** pna);

Parameter	Description
hSession	Open session handle
hObj	Object to extract from
pna	Reference to a reference to extracted attribute set

On successful return

*pna — newly allocated attribute set of extracted attributes; this memory needs to be freed (see FreeAttributeSet)

FindAttr

Find the first attribute of the specified type in an attribute set.

Synopsis

CK_ATTRIBUTE * FindAttr(CK_ATTRIBUTE_TYPE attrType,const TOK_ATTR_DATA * attrData);

Parameter	Description
attrType	Type of attribute to locate
attrData	Attribute set

On successful return

Return a pointer to the attribute of the specified type.

FreeAttributes

Free all attributes contained in the attribute array, then free the array itself. This function also explicitly writes 0xaa to the memory to be freed before freeing.

Synopsis

void FreeAttributes(
CK_ATTRIBUTE_PTR attr,
CK_COUNT attrCount);

Parameter	Description
attr	Attribute array to free
attrCount	Number of attributes in the array

FreeAttributeSet

Free all of the attributes contained in the attribute set, and then free the set itself. This function also explicitly writes 0xaa to the memory to be freed before freeing.

Synopsis

void FreeAttributeSet(
TOK_ATTR_DATA * attr);

Parameter	Description
attr	Reference to the attribute set to free

FreeAttributesNoClear

Free all attributes contained in the attribute array, then free the array itself. This function does not explicitly write 0xaa to the memory to be freed before freeing.

Synopsis

void FreeAttributesNoClear(
CK_ATTRIBUTE_PTR attr,
CK_COUNT attrCount);

Parameter	Description
attr	Attribute array to free
attrCount	Number of attributes in the array

FreeMechData

Free dynamic memory of pMech, including pMech itself.

Synopsis

void FreeMechData(
TOK_MECH_DATA * pMech);

Parameter	Description
pMech	Mechanism list to free

genkMechanismTabFromMechanismTab

Creates a key generation mechanism table for the list of mechanisms supplied in mTab

Synopsis

CK_MECHANISM_TYPE * genkMechanismTabFromMechanismTab(

TOK_MECH_DATA * mTab,

unsigned int * len);

Parameter	Description
mTab	Number of mechanisms to look up
len	Number of returned mechanisms

genkpMechanismTabFromMechanismTab

Creates a key pair generation mechanism table for the list of mechanisms supplied in mTab.

Synopsis

CK_MECHANISM_TYPE * genkpMechanismTabFromMechanismTab(TOK_MECH_DATA * mTab,unsigned int * len);

Parameter	Description
mTab	List of mechanisms to look up
len	Number of returned mechanisms

genMechanismTabFromMechanismTab

Creates a mechanism table for the list of mechanisms supplied in mTab.

Synopsis

CK_MECHANISM_TYPE * genMechanismTabFromMechanismTab(

TOK_MECH_DATA * mTab,

unsigned int * len);

Parameter	Description
mTab	List of mechanisms to look up
len	Number of returned mechanisms

GetCryptokiVersion

Returns the Cryptoki version information.

Synopsis

CK_VOID GetCryptokiVersion(CK_VERSION_PTR pVer);

Parameter	Description
pVer	Returned Cryptoki version

On successful return

pVer — pointer to a value which holds Cryptoki version

GetObjAttrInfo

Get the list of attributes (type and size) of the specified object.

This function relies on the SafeNet extension CKA_ENUM_ATTRIBUTES to retrieve the list of attributes. Only the attribute type and size are returned. Attribute values must be retrieved by the caller as required.

Synopsis

CK_RV GetObjAttrInfo(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObj,
CK_ATTRIBUTE_PTR* ppAttributes,
CK_ULONG_PTR pAttrCount);

Parameter	Description
hSession	Handle to a valid session
hObj	Handle to the object to operate on
ppAttributes	Location to receive the attribute array (on return, ppAttributes references an array of CK_ATTRIBUTE - the caller must free the memory allocated at ppAttributes).
pAttrCount	Location to hold the number of CK_ATTRIBUTE entries (on return, pAttrCount is the number of CK_ATTRIBUTE entries referenced by ppAttributes).

On successful return

*ppAttributes — handle that points to the returned attributes

pAttrCount — number of returned attributes

GetObjectClassAndKeyType

Extract the object class and key type from an attribute set.

Synopsis

CK_RV GetObjectClassAndKeyType(
const TOK_ATTR_DATA * attr,
CK_OBJECT_CLASS * at_class,
CK_KEY_TYPE * kt);

Parameter	Description
attr	Attribute set to extract from
at_class	Reference to object class to hold resulting value
kt	Reference to key type to hold resulting value

On successful return

at_class — references located object class

kt — references located key type

hashMech

Return an array of all related mechanisms.

Synopsis

CK_MECHANISM_TYPE * hashMech(
unsigned int * len);

Parameter	Description
len	Reference to int to hold the number of items returned

intAttr

Return the value of the attribute as an int.

Synopsis

unsigned int intAttr(
const CK_ATTRIBUTE * at);

Parameter	Description
at	Reference to attribute whose value is to be returned

intAttrLookup

Extract an int attribute from an attribute template.

Synopsis

unsigned int intAttrLookup(CK_ATTRIBUTE_TYPE atype,const CK_ATTRIBUTE * attr,CK_COUNT attrCount);

Parameter	Description
atype	Type of attribute to extract attr array of attributes to search attrCount number of attributes in attr array

isBooleanAttr

Return TRUE if an attribute is a Boolean.

Synopsis

int isBooleanAttr(const CK_ATTRIBUTE * na);

Parameter	Description
na	Reference to attribute to check

isEnumeratedAttr

Return TRUE if attribute is enumerated and can have vendor-defined values.

Synopsis

int isEnumeratedAttr(
const CK_ATTRIBUTE * na);

Parameter	Description
na	Reference to attribute to check

isGenMech

Return TRUE if mechType is a key or key pair generation mechanism.

Synopsis

int isGenMech(
CK_MECHANISM_TYPE mechType);

Parameter	Description
mechType	Mechanism type to check

isNumericAttr

Return TRUE if an attribute is a numeric.

Synopsis

int isNumericAttr(const CK_ATTRIBUTE * na);

Parameter	Description
na	Reference to attribute to check

isSensitiveAttr

Report TRUE for potentially sensitive attributes, as per the PKCS#11 spec. Note that the object has to be marked sensitive for this to have any effect.

ProtectToolkit-C extension: all objects have the CKA_VALUE as sensitive if the object has CKA_SENSITIVE set to TRUE. This is useful for objects that are used internally only, or just wrapped for transmission elsewhere.

Synopsis

int isSensitiveAttr(
const struct TOK_ATTR_DATA * attrData,
const CK_ATTRIBUTE * na);

Parameter	Description
na	Reference to attribute to check

KeyFromPin

Generate a double length key from a PIN, using PKCS#5 password based encryption.

Synopsis

void KeyFromPin(
unsigned char key[16],
unsigned int klen,
CK_USER_TYPE user,
const unsigned char * pin,
unsigned int pinLen);

Parameter	Description
key	Buffer to hold generated key
keylen	Number of bytes in key (should be 16)
user	Salt value for key generation
pin	Password used for key generation
pinLen	Number of bytes referenced by pin

On successful return

key — contains the generated key

kgMech

Return an array of all key generation related mechanisms.

Synopsis

CK_MECHANISM_TYPE * kgMech(
unsigned int * len);

Parameter	Description
mechType	Reference to int to hold the number of items returned

kpgMech

Return an array of all key pair generation related mechanisms.

Synopsis

CK_MECHANISM_TYPE * kpgMech(
unsigned int * len);

Parameter	Description
len	Reference to int to hold the number of items returned

ktFromMech

Return an array of key types valid for the given mechanism. The returned array does not need to be freed.

Synopsis

CK_KEY_TYPE * ktFromMech(
CK_MECHANISM_TYPE mt,
unsigned int * len);

Parameter	Description
mt	Mechanism type to get key types for
len	Reference to int to hold the number of items in returned array

On successful return

*len number of items in returned array

LookupMech

Return TRUE if mechType is in the pMech list.

Synopsis

int LookupMech(
TOK_MECH_DATA * pMech,
CK_MECHANISM_TYPE mechType);

Parameters	Description
pMech	Reference to mechanism list
mechType	Mechanism to look for in pMech list

MatchAttributeSet

Do a comparison of two attribute sets. Every attribute in the 'match' set must be found in the 'ad' set. It is OK if 'ad' is a super set of 'match'. Return TRUE if all attributes in 'match' were found in 'ad'.

Synopsis

int MatchAttributeSet(
const TOK_ATTR_DATA * match,
const TOK_ATTR_DATA * ad);

Parameter	Description
match	Attribute set to look for
ad	Attribute set to compare to

mechDeriveFromKt

Return an array of derive mechanisms valid for the given key type. The returned array is newly allocated and needs to be freed.

Synopsis

CK_MECHANISM_TYPE * mechDeriveFromKt(CK_KEY_TYPE kt,unsigned int * len);

Parameter	Description
kt	Key type to look up
len	Pointer to integer that receives length of returned array

On successful return

Array of CK_MECHANISM_TYPE values or NULL if key type is invalid. Caller should free the array when finished.

mechFromKt

Return an array of mechanisms valid for the given key type. The returned array is newly allocated and needs to be freed.

Synopsis

CK_MECHANISM_TYPE * mechFromKt(
CK_KEY_TYPE kt,
unsigned int * len);

Parameter	Description
kt	Key type to get mechanisms for
len	Reference to int to hold number of items in returned array

On successful return

Array of CK_MECHANISM_TYPE values or NULL if key type is invalid. Caller should free the array when finished.

mechFromTokKt

Return an array of mechanisms valid for the given key type. The returned array is newly allocated and needs to be freed.

Synopsis

CK_MECHANISM_TYPE * mechFromTokKt(
TOK_MECH_DATA * mTab,

CK_KEY_TYPE kt,
unsigned int * len);

Parameter	Description
mTab	List of mechanisms to look up
kt	Key type to get mechanisms for
len	Reference to int to hold number of items in returned array

On successful return

Array of CK_MECHANISM_TYPE values or NULL if key type is invalid. Caller should free the array when finished.

mechSignFromKt

Return an array of signing mechanisms valid for the given key type. The returned array is newly allocated and needs to be freed.

Synopsis

CK_MECHANISM_TYPE * mechSignFromKt(CK_KEY_TYPE kt,unsigned int * len);

Parameter	Description
kt	Key type to get mechanisms for
len	Reference to int to hold number of items in returned array

On successful return

Array of CK_MECHANISM_TYPE values or NULL if key type is invalid. Caller should free the array when finished.

mechSignRecFromKt

Return an array of signing mechanisms valid for the given key type. The returned array is newly allocated and needs to be freed.

Synopsis

CK_MECHANISM_TYPE * mechSignRecFromKt(CK_KEY_TYPE kt,unsigned int * len);

Parameter	Description
kt	Key type to get mechanisms for
len	Reference to int to hold number of items in returned array

On successful return

Array of CK_MECHANISM_TYPE values or NULL if key type is invalid. Caller should free the array when finished.

NewAttributeSet

Allocate memory for an attribute set to hold the specified number of attributes. The returned memory needs to be freed (see FreeAttributeSet)

Synopsis

TOK_ATTR_DATA * NewAttributeSet(
unsigned int count);

Parameter	Description
count	Number of attribute place holders to allocate in the set

numAttr

Return the value of the attribute as a numeric.

Synopsis

CK_NUMERIC numAttr(
const CK_ATTRIBUTE * at);

Parameter	Description
at	Reference to attribute whose value is to be returned

numAttrLookup

Extract a numeric attribute from an attribute template.

Synopsis

CK_NUMERIC numAttrLookup(CK_ATTRIBUTE_TYPE atype,const CK_ATTRIBUTE * attr,CK_COUNT attrCount);

Parameter	Description
atype	Type of attribute to extract attr array of attributes to search
attrCount	Number of attributes in attr array

NUMITEMS

This is a macro that returns the number of elements in an array.

Note

Only array definitions can be sized by this macro, not pointer definitions.

It is used wherever object templates are defined since the number of items in the template is always passed along with the template address into Cryptoki functions. Use of this macro is preferred to hard coding the number of items in the template that may change with code maintenance.

Synopsis

#define NUMITEMS(type)  (sizeof((type))/sizeof((type)[0]))

PvcFromPin

Create a PVC from a PIN using PKCS#5 password based encryption.

Synopsis

void PvcFromPin(unsigned char * key,unsigned int klen,CK_USER_TYPE user,const unsigned char * pin,unsigned int pinLen);

Parameter	Description
key	Resulting pvc
klen	Number of bytes referenced by key
user	Salt value
pin	Password
pinLen	Number of bytes referenced by pin

On successful return

key — contains the pvc

ReadAttr

Read an attribute value from an attribute set. Return TRUE if the attribute was present.

Synopsis

int ReadAttr(
void * buf,
unsigned int len,
unsigned int * plen,
CK_ATTRIBUTE_TYPE attrType,
const TOK_ATTR_DATA * attr);

Parameter	Description
buf	Buffer to receive attribute value
len	Number of bytes referenced by buf
plen	Reference to int to hold number of bytes copied to buf
attrType	Type of attribute to extract from attr
attr	Attribute set to search

On successful return

buf — contains attribute value

plen — references number of bytes copied into buf

slotIDfromSes

Extract a CK_SLOT_ID from a CK_SESSION_HANDLE. This function only works with SafeNet’s Cryptoki product because it includes an encoding of the SLOT id in the session handle. For other PKCS#11 implementations the slot ID can be obtained from the session info C_GetSessionInfo() call.

Synopsis

CK_SLOT_ID slotIDfromSes(CK_SESSION_HANDLE h);

TransferAttr

Using at_assign, copy attribute values from one array to another. The order of the attributes must be the same in both arrays.

Synopsis

CK_RV TransferAttr(
CK_ATTRIBUTE * pTgtTemplate,
const CK_ATTRIBUTE * pSrcTemplate,
CK_COUNT attrCount);

Parameter	Description
pTgtTemplate	Target attribute array
pSrcTemplate	Source attribute array
attrCount	Number of attributes to copy from source to target

On successful return

pTgtTemplate — contains copy of attribute values from pSrcTemplate

UnwrapDec

Unwrap a key and decode its attributes.

Synopsis

int UnwrapDec(
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hUnwrapper,
CK_OBJECT_HANDLE * hUnwrappedKey,
unsigned char * buf,
unsigned int bufLen);

Parameter	Description
hSession	Open session handle
hUnwrapper	Handle to unwrapping key
hUnwrappedKey	Reference to handle to the key unwrapped
buf	Reference to bytes containing the key and attributes
bufLen	Number of bytes referenced by buf

On successful return

*hUnwrappedKey — handle to unwrapped key with attributes

WrapEnc

Wrap a key, encode its attributes and write it to a buffer.

Synopsis

int WrapEnc (
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hWrapper,
CK_OBJECT_HANDLE hWrappee,
unsigned char * buf,
unsigned int bufLen,
CK_SIZE * bytesWritten);

Parameter	Description
hSession	Open session handle
hWrapper	Handle to wrapping key
hWrappee	Wrappee handle to the key to wrap
buf	Reference to bytes to hold the result
bufLen	Number of bytes referenced by buf
bytesWritten	Reference to value to hold the number of bytes written to buf

On successful return

buf — contains the wrapped key and encoded attributes *bytesWritten number of bytes written to buf

WriteAttr

Add/Replace an attribute to an attribute set. Delete attribute if len is 0.

Synopsis

CK_RV WriteAttr(
const void * buf,
unsigned int len,
CK_ATTRIBUTE_TYPE attrType,
TOK_ATTR_DATA * attr);

Parameter	Description
buf	Value to add to attribute set
len	Number of bytes to add from buf
attrType	Type of attribute to add
attr	Attribute set to modify

On successful return

attr — modified attribute set