Cryptographic Token Interface Standard

PKCS#11


Certificate objects


Sections

X.509 public key certificate objects
WTLS public key certificate objects
X.509 attribute certificate objects

Detailed Description

This section defines the object class CKO_CERTIFICATE for type CK_OBJECT_CLASS as used in the CKA_CLASS attribute of objects.

Certificate objects (object class CKO_CERTIFICATE) hold public-key or attribute certificates. Other than providing access to certificate objects, Cryptoki does not attach any special meaning to certificates. The following table defines the common certificate object attributes, in addition to the common attributes defined for this object class:

Table 23, Common Certificate Object Attributes

Attribute                   Data type             Meaning
CKA_CERTIFICATE_TYPE (1)    CK_CERTIFICATE_TYPE   Type of certificate
CKA_TRUSTED (10)            CK_BBOOL              The certificate can be trusted for the application for which it was created
CKA_CERTIFICATE_CATEGORY    CK_ULONG              Categorization of the certificate: 0 = unspecified (default value), 1 = token user, 2 = authority, 3 = other entity
CKA_CHECK_VALUE             Byte array            Checksum (first three bytes of the SHA-1 hash of CKA_VALUE)
CKA_START_DATE              CK_DATE               Start date for the certificate (default empty)
CKA_END_DATE                CK_DATE               End date for the certificate (default empty)

- The numbers in parentheses are footnote references; refer to Table 15 for the footnotes (footnote 1: the attribute must be specified when the object is created with C_CreateObject; footnote 10: the attribute can only be set to CK_TRUE by the SO user).

The CKA_CERTIFICATE_TYPE attribute may not be modified after an object is created. This version of Cryptoki supports the following certificate types, each described in its own section below: X.509 public key certificates (CKC_X_509), WTLS public key certificates (CKC_WTLS) and X.509 attribute certificates (CKC_X_509_ATTR_CERT).

The CKA_CERTIFICATE_CATEGORY attribute is used to indicate whether a stored certificate is a user certificate for which the corresponding private key is available on the token ("token user"), a CA certificate ("authority"), or another end-entity certificate ("other entity"). This attribute may not be modified after an object is created.

The CKA_CERTIFICATE_CATEGORY and CKA_TRUSTED attributes are used together to map the PKCS #15 certificate directory files (CDFs) onto Cryptoki's certificate categorization. A certificate in the certificates CDF is marked with category "token user". A certificate in the trustedCertificates CDF or in the usefulCertificates CDF is marked with category "authority" or "other entity" depending on its CommonCertificateAttribute.authority flag, and the CKA_TRUSTED attribute records whether it came from the trustedCertificates CDF (CK_TRUE) or the usefulCertificates CDF (CK_FALSE).

CKA_CHECK_VALUE: The value of this attribute is derived from the certificate by taking the first three bytes of the SHA-1 hash of the certificate object's CKA_VALUE attribute. A 24-bit hash prefix is only a fingerprint for locating or matching objects (for example in a C_FindObjects template); it is not an integrity check on CKA_VALUE, and applications must not treat a matching check value as proof that the certificate is unmodified.

The CKA_START_DATE and CKA_END_DATE attributes are for reference only; Cryptoki does not attach any special meaning to them and does not enforce them. When present, the application is responsible for setting them to values that match the certificate's encoded "not before" and "not after" fields (if any); validity-period decisions must therefore be based on the certificate itself, not on these attributes.
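The following Python helpers, added here as an illustration and not taken from the PKCS#11 specification or any particular Cryptoki implementation, show the three derivations described above in working code: the CKA_CHECK_VALUE computation and a consistent way to compare a stored check value, the CDF-to-(CKA_CERTIFICATE_CATEGORY, CKA_TRUSTED) mapping, and the CK_DATE encoding for CKA_START_DATE/CKA_END_DATE. The attribute and constant names are those of PKCS#11 v2.20; the symbolic category names, the helper functions and the sample certificate bytes are this example's own assumptions.

```python
"""Helpers for CKO_CERTIFICATE attribute values (added example, not spec code)."""
import hashlib
import hmac

# CKA_CERTIFICATE_CATEGORY values from Table 23. The numbers are the spec's;
# these symbolic names are assumptions of this example, not PKCS#11 constants.
CATEGORY_UNSPECIFIED = 0
CATEGORY_TOKEN_USER = 1
CATEGORY_AUTHORITY = 2
CATEGORY_OTHER_ENTITY = 3

# Constructed placeholder standing in for a DER-encoded certificate; it is
# not a real certificate and is only used to feed the helpers below.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate"


def check_value(cert_der: bytes) -> bytes:
    """CKA_CHECK_VALUE: the first three bytes of SHA-1 over CKA_VALUE."""
    return hashlib.sha1(cert_der).digest()[:3]


def check_value_matches(cert_der: bytes, stored: bytes) -> bool:
    """True when a stored CKA_CHECK_VALUE is consistent with cert_der.

    A 24-bit prefix is a lookup hint, not an integrity check: a match does
    not prove CKA_VALUE is unmodified. Constant-time compare is used simply
    as the habitual way to compare digests.
    """
    return len(stored) == 3 and hmac.compare_digest(check_value(cert_der), stored)


def category_from_cdf(cdf: str, authority: bool) -> tuple:
    """Map a PKCS #15 CDF placement to (CKA_CERTIFICATE_CATEGORY, CKA_TRUSTED).

    certificates CDF -> token user; trustedCertificates / usefulCertificates
    -> authority or other entity per CommonCertificateAttribute.authority,
    with CKA_TRUSTED set only for the trustedCertificates CDF.
    """
    if cdf == "certificates":
        # The text does not assign CKA_TRUSTED for this CDF; the attribute's
        # default of CK_FALSE is assumed here.
        return CATEGORY_TOKEN_USER, False
    if cdf in ("trustedCertificates", "usefulCertificates"):
        category = CATEGORY_AUTHORITY if authority else CATEGORY_OTHER_ENTITY
        return category, cdf == "trustedCertificates"
    raise ValueError(f"unknown CDF: {cdf}")


def ck_date(year: int, month: int, day: int) -> bytes:
    """Encode a calendar date as the 8 CK_CHARs of CK_DATE (YYYY MM DD)."""
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("month/day out of range")
    return f"{year:04d}{month:02d}{day:02d}".encode("ascii")


def certificate_template(cert_der: bytes, cdf: str, authority: bool,
                         label: str = "", not_before=None, not_after=None) -> dict:
    """Build a C_CreateObject-style attribute template for an X.509 certificate.

    not_before / not_after are (year, month, day) tuples the caller has taken
    from the certificate's own validity fields; they are only included when
    supplied, because Cryptoki leaves matching them to the application.
    Note that a token will reject CKA_TRUSTED = CK_TRUE unless the session is
    logged in as the SO (Table 15, footnote 10).
    """
    category, trusted = category_from_cdf(cdf, authority)
    template = {
        "CKA_CLASS": "CKO_CERTIFICATE",
        "CKA_CERTIFICATE_TYPE": "CKC_X_509",
        "CKA_LABEL": label,
        "CKA_VALUE": cert_der,
        "CKA_CERTIFICATE_CATEGORY": category,
        "CKA_TRUSTED": trusted,
        "CKA_CHECK_VALUE": check_value(cert_der),
    }
    if not_before is not None:
        template["CKA_START_DATE"] = ck_date(*not_before)
    if not_after is not None:
        template["CKA_END_DATE"] = ck_date(*not_after)
    return template


if __name__ == "__main__":
    tmpl = certificate_template(SAMPLE_CERT_DER, "usefulCertificates", True,
                                label="constructed CA", not_before=(2024, 1, 5))
    print(tmpl["CKA_CHECK_VALUE"].hex(), tmpl["CKA_CERTIFICATE_CATEGORY"],
          tmpl["CKA_TRUSTED"], tmpl["CKA_START_DATE"])
```

The template is a plain dictionary so the mapping can be read directly; with a real Cryptoki binding the same key/value pairs become the CK_ATTRIBUTE array passed to C_CreateObject, and CKA_CHECK_VALUE computed this way can also be used in a C_FindObjects template to locate an object for a certificate the application already holds.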


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v2.20