Cryptographic Token Interface Standard (PKCS#11)

CK_KEY_WRAP_SET_OAEP_PARAMS

Data Fields
| CK_BYTE | bBC | block contents byte |
| CK_BYTE_PTR | pX | extra data |
| CK_ULONG | ulXLen | length in bytes of extra data |

CK_KEY_WRAP_SET_OAEP_PARAMS_PTR
CK_KEY_WRAP_SET_OAEP_PARAMS_PTR points to a CK_KEY_WRAP_SET_OAEP_PARAMS structure. It is implementation-dependent.
SET mechanisms
OAEP key wrapping for SET
The OAEP key wrapping for SET mechanism, denoted CKM_KEY_WRAP_SET_OAEP, is a mechanism for wrapping and unwrapping DES keys (and possibly some extra data) with RSA keys. This mechanism is defined in the SET protocol specifications.
It takes a parameter, a CK_KEY_WRAP_SET_OAEP_PARAMS structure. This structure holds the "Block Contents" byte of the data, as well as any extra data. If no extra data is present, that is indicated by the ulXLen field having the value 0.
When this mechanism is used to unwrap a key, the extra data is returned following the convention described in Section on producing output. If the inputs to C_UnwrapKey are such that the extra data is not returned (e.g., the buffer supplied in the CK_KEY_WRAP_SET_OAEP_PARAMS structure is NULL_PTR), then the unwrapped key object will not be created, either.
Note that when this mechanism is used to unwrap a key, the bBC and pX fields of the parameter supplied to the mechanism may be modified.
If an application uses C_UnwrapKey with CKM_KEY_WRAP_SET_OAEP, it is generally preferable to allocate a 128-byte buffer for the extra data up front (the extra data is never larger than 128 bytes) rather than calling C_UnwrapKey twice. Each call of C_UnwrapKey with CKM_KEY_WRAP_SET_OAEP requires an RSA decryption operation to be performed, and that overhead is avoided by supplying a sufficiently large buffer on the first call.
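The single-call pattern recommended above, written out as an added example (this is not code from the PKCS#11 specification or any token vendor). The types, constants and the parameter structure are declared locally so the file compiles without pkcs11.h; their names and values mirror pkcs11t.h, and a real application includes the header instead. The helper names set_oaep_prepare and set_oaep_extra are assumptions for this example. The first helper hands the token a 128-byte buffer with ulXLen set to its capacity, following the output convention the text refers to; the second copies the returned extra data out only after checking that the token's reported ulXLen does not exceed the buffer it was given, so a misbehaving token cannot cause an over-read.

```c
#include <stddef.h>
#include <string.h>

/* Minimal PKCS#11 types, declared here so the example builds without
 * pkcs11.h. Names and values mirror pkcs11t.h (assumption for this example;
 * a real application includes the header instead of redefining them). */
typedef unsigned char  CK_BYTE;
typedef CK_BYTE       *CK_BYTE_PTR;
typedef unsigned long  CK_ULONG;
typedef CK_ULONG       CK_RV;
typedef CK_ULONG       CK_MECHANISM_TYPE;
typedef void          *CK_VOID_PTR;

#define CKR_OK                0x00000000UL
#define CKR_ARGUMENTS_BAD     0x00000007UL
#define CKR_BUFFER_TOO_SMALL  0x00000150UL
#define CKM_KEY_WRAP_SET_OAEP 0x00000500UL

typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
    CK_BYTE     bBC;     /* block contents byte */
    CK_BYTE_PTR pX;      /* extra data */
    CK_ULONG    ulXLen;  /* length in bytes of extra data */
} CK_KEY_WRAP_SET_OAEP_PARAMS;

typedef struct CK_MECHANISM {
    CK_MECHANISM_TYPE mechanism;
    CK_VOID_PTR       pParameter;
    CK_ULONG          ulParameterLen;
} CK_MECHANISM;

/* Upper bound on the extra data, as stated by the specification text. */
#define SET_OAEP_MAX_EXTRA 128UL

/* Fill in the mechanism and parameter structure for one C_UnwrapKey call.
 * The caller supplies a buffer of at least 128 bytes so the token can return
 * the extra data on the first call instead of forcing a second RSA
 * decryption. ulXLen carries the buffer capacity on input; the token
 * overwrites bBC, pX contents and ulXLen on output. */
CK_RV set_oaep_prepare(CK_MECHANISM *mech, CK_KEY_WRAP_SET_OAEP_PARAMS *params,
                       CK_BYTE_PTR extra_buf, CK_ULONG extra_cap)
{
    if (mech == NULL || params == NULL || extra_buf == NULL)
        return CKR_ARGUMENTS_BAD;
    if (extra_cap < SET_OAEP_MAX_EXTRA)
        return CKR_BUFFER_TOO_SMALL;    /* smaller buffers risk the two-call path */

    memset(params, 0, sizeof *params);
    params->bBC    = 0;                 /* set by the token when unwrapping */
    params->pX     = extra_buf;
    params->ulXLen = SET_OAEP_MAX_EXTRA;

    mech->mechanism      = CKM_KEY_WRAP_SET_OAEP;
    mech->pParameter     = params;
    mech->ulParameterLen = sizeof *params;
    return CKR_OK;
}

/* After C_UnwrapKey returned CKR_OK, copy the extra data the token placed in
 * pX into 'out'. Returns the number of bytes copied (0 means the wrapped blob
 * carried no extra data), or (CK_ULONG)-1 if the reported length exceeds
 * either the buffer handed to the token or the destination. The bound check
 * is deliberate: ulXLen is token output and is not trusted blindly. */
CK_ULONG set_oaep_extra(const CK_KEY_WRAP_SET_OAEP_PARAMS *params, CK_ULONG extra_cap,
                        CK_BYTE *out, CK_ULONG out_cap)
{
    if (params == NULL || params->pX == NULL || out == NULL)
        return (CK_ULONG)-1;
    if (params->ulXLen > extra_cap || params->ulXLen > out_cap)
        return (CK_ULONG)-1;
    memcpy(out, params->pX, params->ulXLen);
    return params->ulXLen;
}
```

Between the two helpers the application calls C_UnwrapKey(hSession, &mech, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, &hKey) as usual; the example omits that call because it needs a live token. If the token returns CKR_BUFFER_TOO_SMALL despite the 128-byte buffer, treat it as a token conformance problem rather than retrying with a larger buffer.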
LYNKS mechanisms
LYNKS key wrapping
The LYNKS key wrapping mechanism, denoted CKM_WRAP_LYNKS, is a mechanism for wrapping and unwrapping secret keys with DES keys. It can wrap any 8-byte secret key, and it produces a 10-byte wrapped key, containing a cryptographic checksum.
It does not have a parameter.
When unwrapping a key with this mechanism, if the cryptographic checksum does not check out properly, an error is returned. In addition, if a DES key or CDMF key is unwrapped with this mechanism, the parity bits on the wrapped key must be set appropriately; if they are not set properly, an error is returned.
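The parity requirement mentioned above, as an added example that is not part of the original specification text: a DES or CDMF key byte is considered valid when it has odd parity, with the low bit of each byte serving as the parity bit. Checking this on the application side before wrapping avoids an unwrap failure later, and the fix-up routine shows how a key is normalised without changing its 56 effective bits. The function names des_key_parity_ok and des_key_set_parity are assumptions for this example.

```c
#include <stddef.h>

#define DES_KEY_LEN 8

/* Number of set bits in one byte. */
static int byte_popcount(unsigned char b)
{
    int n = 0;
    while (b) { n += (int)(b & 1u); b >>= 1; }
    return n;
}

/* Returns 1 if every byte of an 8-byte DES (or CDMF) key has odd parity,
 * i.e. the total number of set bits in each byte, parity bit included, is
 * odd. Returns 0 on any even-parity byte, a NULL key or a wrong length. */
int des_key_parity_ok(const unsigned char *key, size_t len)
{
    size_t i;
    if (key == NULL || len != DES_KEY_LEN) return 0;
    for (i = 0; i < len; i++)
        if ((byte_popcount(key[i]) & 1) == 0) return 0;
    return 1;
}

/* Rewrite the low (parity) bit of each byte so the key passes the check
 * above; the 7 high bits, which carry the actual key material, are left
 * untouched. Returns how many bytes had to be corrected, or -1 on bad input. */
int des_key_set_parity(unsigned char *key, size_t len)
{
    int fixed = 0;
    size_t i;
    if (key == NULL || len != DES_KEY_LEN) return -1;
    for (i = 0; i < len; i++) {
        unsigned char high7 = key[i] & 0xFEu;
        /* if the 7 data bits already have odd count, parity bit is 0; else 1 */
        unsigned char want = (byte_popcount(high7) & 1)
                               ? high7
                               : (unsigned char)(high7 | 1u);
        if (want != key[i]) { key[i] = want; fixed++; }
    }
    return fixed;
}
```

A key that fails des_key_parity_ok after unwrapping with CKM_WRAP_LYNKS is never returned by a conforming token (the unwrap itself fails), so in practice the check belongs on the wrapping side, where keys generated outside the token are prepared.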
SSL mechanism parameters