PKCS#11
|
| Cryptographic Token Interface Standard |
PKCS#11 |
Data Fields | |
| CK_CHAR | label [32] |
| application-defined label, assigned during token initialization. More... | |
| CK_CHAR | manufacturerID [32] |
| ID of the device manufacturer. More... | |
| CK_CHAR | model [16] |
| model of the device. More... | |
| CK_CHAR | serialNumber [16] |
| character-string serial number of the device. More... | |
| CK_FLAGS | flags |
| bit flags indicating capabilities and status of the device as defined below. More... | |
| CK_ULONG | ulMaxSessionCount |
| maximum number of sessions that can be opened with the token at one time. More... | |
| CK_ULONG | ulSessionCount |
| number of sessions that are currently open with the token. More... | |
| CK_ULONG | ulMaxRwSessionCount |
| maximum number of read/write sessions that can be opened with the token at one time. More... | |
| CK_ULONG | ulRwSessionCount |
| number of read/write sessions that are currently open with the token. More... | |
| CK_ULONG | ulMaxPinLen |
| maximum length in bytes of the PIN. More... | |
| CK_ULONG | ulMinPinLen |
| minimum length in bytes of the PIN. More... | |
| CK_ULONG | ulTotalPublicMemory |
| the total amount of memory in bytes in which public objects may be stored. More... | |
| CK_ULONG | ulFreePublicMemory |
| the amount of free (unused) memory in bytes for public objects. More... | |
| CK_ULONG | ulTotalPrivateMemory |
| the total amount of memory in bytes in which private objects may be stored. More... | |
| CK_ULONG | ulFreePrivateMemory |
| the amount of free (unused) memory in bytes for private objects. More... | |
| CK_VERSION | hardwareVersion |
| version number of hardware. More... | |
| CK_VERSION | firmwareVersion |
| version number of firmware. More... | |
| CK_CHAR | utcTime [16] |
| current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). More... | |
| label | application-defined label, assigned during token initialization. Must be padded with the blank character (' ') |
| manufacturerID | ID of the device manufacturer. Must be padded with the blank character (' ') |
| model | model of the device. Must be padded with the blank character (' ') |
| serialNumber | character-string serial number of the device. Must be padded with the blank character (' ') |
| flags | bit flags indicating capabilities and status of the device as defined below |
| ulMaxSessionCount | maximum number of sessions that can be opened with the token at one time |
| ulSessionCount | number of sessions that are currently open with the token |
| ulMaxRwSessionCount | maximum number of read/write sessions that can be opened with the token at one time |
| ulRwSessionCount | number of read/write sessions that are currently open with the token |
| ulMaxPinLen | maximum length in bytes of the PIN |
| ulMinPinLen | minimum length in bytes of the PIN |
| ulTotalPublicMemory | the total amount of memory in bytes in which public objects may be stored |
| ulFreePublicMemory | the amount of free (unused) memory in bytes for public objects |
| ulTotalPrivateMemory | the total amount of memory in bytes in which private objects may be stored |
| ulFreePrivateMemory | the amount of free (unused) memory in bytes for private objects |
| hardwareVersion | version number of hardware |
| firmwareVersion | version number of firmware |
| utcTime | current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value of this field only makes sense for tokens equipped with a clock, as indicated in the token information flags (see below) |
The following table defines the flags parameter:
Table 7-2, Token Information Flags
| Bit Flag | Mask | Meaning |
| CKF_RNG | 0x00000001 | TRUE if the token has its own random number generator |
| CKF_WRITE_PROTECTED | 0x00000002 | TRUE if the token is write-protected |
| CKF_LOGIN_REQUIRED | 0x00000004 | TRUE if a user must be logged in to perform cryptographic functions |
| CKF_USER_PIN_INITIALIZED | 0x00000008 | TRUE if the normal user's PIN has been initialized |
| CKF_EXCLUSIVE_EXISTS | 0x00000010 | TRUE if an exclusive session exists |
| CKF_RESTORE_KEY_NOT_NEEDED | 0x00000020 | TRUE if a successful save of a session's cryptographic operations state always contains all keys needed to restore the state of the session |
| CKF_CLOCK_ON_TOKEN | 0x00000040 | TRUE if token has its own hardware clock |
| CKF_SUPPORTS_PARALLEL | 0x00000080 | TRUE if token supports parallel sessions through this Cryptoki library |
| CKF_PROTECTED_AUTHENTICATION_PATH | 0x00000100 | TRUE if token has a "protected authentication path", whereby a user can log in to the token without passing a PIN through the Cryptoki library |
| CKF_DUAL_CRYPTO_OPERATIONS | 0x00000200 | TRUE if a single session with the token can perform dual cryptographic operations (see Section) |
Exactly what the CKF_WRITE_PROTECTED flag means is not specified in Cryptoki. An application may be unable to perform certain actions on a write-protected token; these actions can include any of the following, among other actions:
CK_TOKEN_INFO info; . . . if ((CK_LONG) info.ulMaxSessionCount == -1) { /* Token refuses to give value of ulMaxSessionCount */ . . . } else { /* info.ulMaxSessionCount really does contain what it should */ . . . }
Session types
Cryptoki represents session information with the following types:
typedef CK_ULONG CK_SESSION_HANDLE;
typedef CK_ULONG CK_USER_TYPE;
For this version of Cryptoki, the following types of users are defined:
#define CKU_SO 0 #define CKU_USER 1
For this version of Cryptoki, the following session states are defined:
#define CKS_RO_PUBLIC_SESSION 0 #define CKS_RO_USER_FUNCTIONS 1 #define CKS_RW_PUBLIC_SESSION 2 #define CKS_RW_USER_FUNCTIONS 3 #define CKS_RW_SO_FUNCTIONS 4
|
|
application-defined label, assigned during token initialization. Must be padded with the blank character (' ') |
|
|
ID of the device manufacturer. Must be padded with the blank character (' ') |
|
|
model of the device. Must be padded with the blank character (' ') |
|
|
character-string serial number of the device. Must be padded with the blank character (' ') |
|
|
bit flags indicating capabilities and status of the device as defined below. |
|
|
maximum number of sessions that can be opened with the token at one time. |
|
|
number of sessions that are currently open with the token. |
|
|
maximum number of read/write sessions that can be opened with the token at one time. |
|
|
number of read/write sessions that are currently open with the token. |
|
|
maximum length in bytes of the PIN. |
|
|
minimum length in bytes of the PIN. |
|
|
the total amount of memory in bytes in which public objects may be stored. |
|
|
the amount of free (unused) memory in bytes for public objects. |
|
|
the total amount of memory in bytes in which private objects may be stored. |
|
|
the amount of free (unused) memory in bytes for private objects. |
|
|
version number of hardware. |
|
|
version number of firmware. |
|
|
current time as a character-string of length 16, represented in the format YYYYMMDDhhmmssxx (4 characters for the year; 2 characters each for the month, the day, the hour, the minute, and the second; and 2 additional reserved '0' characters). The value of this field only makes sense for tokens equipped with a clock, as indicated in the token information flags (see below) |