CKM_ENCODE_X_509_LOCAL_CERT
This section provides a summary of CKM_ENCODE_X_509_LOCAL_CERT.
Supported operations
Operation | Supported |
---|---|
Encrypt and Decrypt | No |
Sign and Verify | No |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | No |
Derive | Yes |
FIPS Mode support
Available in FIPS Mode | Restrictions in FIPS Mode |
---|---|
Yes | None |
Key Size Range and Parameters
Key size minimum/maximum | Value |
---|---|
Minimum | 0 |
FIPS Minimum | 0 |
Maximum | None |
Parameter
None
Mechanism description
This mechanism is similar to the CKM_ENCODE_X_509 mechanism in that it is used to create an X.509 public key certificate. The basic difference is that this mechanism has additional usage controls.

This mechanism will only create certificates for public keys locally generated on the adapter. That is, the base key must have a CKA_CLASS attribute of CKO_PUBLIC_KEY and have the CKA_LOCAL attribute set to TRUE. In addition, the signing key specified in the mechanism parameter (see below) must have the CKA_SIGN_LOCAL_CERT attribute set to TRUE.

It is used with the C_DeriveKey function only (that is, it is a derive mechanism).

It takes a parameter that is a pointer to a CK_MECH_TYPE_AND_OBJECT structure:
```c
typedef struct CK_MECH_TYPE_AND_OBJECT {
    CK_MECHANISM_TYPE mechanism;  /* signature mechanism used to sign the certificate */
    CK_OBJECT_HANDLE  obj;        /* handle of the signing (private) key */
} CK_MECH_TYPE_AND_OBJECT;
```
The mechanism field specifies the actual signature mechanism to use when generating the certificate signature. This must be one of the multi-part digest RSA or DSA signature mechanisms. The obj field specifies the signature generation key; that is, it should be an RSA or DSA private key, as appropriate for the chosen signature mechanism.

To create an X.509 local certificate that uses EC keys, either provide a PKCS#10 certificate request that was created with EC keys, or provide an EC public key as the hBaseKey parameter to the function. To sign the certificate as a CA using EC keys, use the CKM_ECDSA_SHA1 mechanism to initialize the sign operation before calling C_DeriveKey(). The CKM_ECDSA_SHA1 mechanism and EC key must also be specified in the mechanism parameter.
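The following is an added example, not code from the ProtectToolkit-C documentation, showing the usage checks described above enforced on the client side before the CK_MECH_TYPE_AND_OBJECT parameter is packed into the CK_MECHANISM handed to C_DeriveKey. It assumes pkcs11.h is not included (the standard PKCS#11 types and values it needs are declared inline), that the key attributes have already been read with C_GetAttributeValue and are passed in as a constructed struct, and that the vendor-defined CKM_ENCODE_X_509_LOCAL_CERT value is a placeholder to be replaced from the vendor header.

```c
#include <stddef.h>

/* Minimal PKCS#11 declarations, assumed here in place of pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_MECHANISM_TYPE mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
typedef struct CK_MECH_TYPE_AND_OBJECT { CK_MECHANISM_TYPE mechanism; CK_OBJECT_HANDLE obj; } CK_MECH_TYPE_AND_OBJECT;

/* Standard PKCS#11 values. */
#define CKR_OK                         0x00UL
#define CKR_ARGUMENTS_BAD              0x07UL
#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x68UL
#define CKR_MECHANISM_INVALID          0x70UL
#define CKO_PUBLIC_KEY                 0x02UL
#define CKM_SHA1_RSA_PKCS              0x06UL
#define CKM_SHA256_RSA_PKCS            0x40UL
#define CKM_DSA_SHA1                   0x12UL
#define CKM_ECDSA_SHA1                 0x1042UL
/* Vendor-defined by ProtectToolkit-C: PLACEHOLDER value, take the real one from the vendor header. */
#define CKM_ENCODE_X_509_LOCAL_CERT    0x80000000UL

/* Attribute values the caller has already read with C_GetAttributeValue (constructed input). */
typedef struct {
    CK_ULONG base_class;        /* CKA_CLASS of hBaseKey: must be CKO_PUBLIC_KEY */
    CK_BBOOL base_local;        /* CKA_LOCAL of hBaseKey: TRUE only if generated on the adapter */
    CK_BBOOL signer_local_cert; /* CKA_SIGN_LOCAL_CERT (vendor attribute) of the signing key */
} local_cert_inputs;

/* Digest-and-sign mechanisms accepted in the parameter (illustrative subset of the RSA/DSA
 * multi-part mechanisms, plus CKM_ECDSA_SHA1 for EC signing keys). */
static int is_allowed_sig_mech(CK_MECHANISM_TYPE m) {
    return m == CKM_SHA1_RSA_PKCS || m == CKM_SHA256_RSA_PKCS ||
           m == CKM_DSA_SHA1 || m == CKM_ECDSA_SHA1;
}

/* Reject inputs the adapter would refuse, then pack the parameter into the CK_MECHANISM
 * for C_DeriveKey. The return codes are this helper's own choice, not the HSM's. */
CK_RV build_local_cert_mechanism(const local_cert_inputs *in, CK_MECHANISM_TYPE sig_mech,
                                 CK_OBJECT_HANDLE signer, CK_MECH_TYPE_AND_OBJECT *param,
                                 CK_MECHANISM *mech) {
    if (in == NULL || param == NULL || mech == NULL) return CKR_ARGUMENTS_BAD;
    if (in->base_class != CKO_PUBLIC_KEY || !in->base_local) return CKR_KEY_FUNCTION_NOT_PERMITTED;
    if (!in->signer_local_cert) return CKR_KEY_FUNCTION_NOT_PERMITTED;
    if (!is_allowed_sig_mech(sig_mech)) return CKR_MECHANISM_INVALID;
    param->mechanism = sig_mech;   /* signature mechanism for the certificate signature */
    param->obj = signer;           /* private key handle matching that mechanism */
    mech->mechanism = CKM_ENCODE_X_509_LOCAL_CERT;
    mech->pParameter = param;
    mech->ulParameterLen = sizeof *param;
    return CKR_OK;
}
```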