Cryptographic Token Interface Standard |
PKCS#11 |
Data Structures | |
CK_VERSION | |
CK_VERSION is a structure that describes the version of Cryptoki. | |
CK_INFO | |
CK_INFO provides general information about Cryptoki. | |
CK_SLOT_INFO | |
CK_SLOT_INFO provides information about a slot. | |
CK_TOKEN_INFO | |
CK_TOKEN_INFO provides information about a token. | |
CK_SESSION_INFO | |
CK_SESSION_INFO provides information about a session. | |
CK_ATTRIBUTE | |
CK_ATTRIBUTE is a structure that includes the type, length and value of an attribute. | |
CK_DATE | |
CK_DATE is a structure that defines a date. | |
CK_MECHANISM | |
CK_MECHANISM is a structure that specifies a particular mechanism. | |
CK_MECHANISM_INFO | |
CK_MECHANISM_INFO is a structure that provides information about a particular mechanism. | |
CK_RC2_CBC | |
CK_RC2_CBC_PARAMS is a structure that provides the parameters to the CKM_RC2_CBC mechanism. | |
Defines | |
#define | CK_INVALID_HANDLE |
An invalid handle. |
#define | CK_TRUE |
CK_BBOOL true. |
#define | CK_FALSE |
CK_BBOOL false. |
#define | CK_UNAVAILABLE_INFORMATION |
Information unavailable. |
#define | CK_EFFECTIVELY_INFINITE |
Effectively infinite. |
CKU_SO | |
Security Officer. |
CKU_USER | |
User. |
#define | CKU_CONTEXT_SPECIFIC |
Context specific. |
CKS_RO_PUBLIC_SESSION | |
Read only public session. |
CKS_RO_USER_FUNCTIONS | |
Read only user functions. |
CKS_RW_PUBLIC_SESSION | |
Read write public session. |
CKS_RW_USER_FUNCTIONS | |
Read write user functions. |
#define | CKS_RW_SO_FUNCTIONS |
Read write security officer functions. |
#define | TRUE |
True. |
#define | FALSE |
False. |
#define | CKF_TOKEN_PRESENT |
TRUE if a token is present in the slot (e.g., a device is in the reader). |
#define | CKF_REMOVABLE_DEVICE |
TRUE if the reader supports removable devices. |
#define | CKF_HW_SLOT |
TRUE if the slot is a hardware slot as opposed to a software slot implementing a "soft token". |
#define | CKF_RNG |
TRUE if the token has its own random number generator. |
#define | CKF_WRITE_PROTECTED |
TRUE if the token is write-protected. |
#define | CKF_LOGIN_REQUIRED |
TRUE if a user must be logged in to perform cryptographic functions. |
#define | CKF_USER_PIN_INITIALIZED |
TRUE if the normal user's PIN has been initialized. |
#define | CKF_EXCLUSIVE_EXISTS |
TRUE if an exclusive session exists. |
#define | CKF_EXCLUSIVE_SESSION |
TRUE if the session is exclusive; FALSE if the session is shared. |
#define | CKF_RW_SESSION |
TRUE if the session is read/write; FALSE if the session is read-only. |
#define | CKF_SERIAL_SESSION |
TRUE if cryptographic functions are performed in serial with the application; FALSE if the functions may be performed in parallel with the application. |
#define | CKF_HW |
TRUE if the mechanism is performed by the device; FALSE if the mechanism is performed in software. |
#define | CKF_EXTENSION |
TRUE if an extension to the flags; FALSE if no extensions. |
#define | CKA_CLASS |
Object class (type). |
#define | CKA_TOKEN |
TRUE if object is a token object (vs. session object) (default FALSE). |
#define | CKA_PRIVATE |
TRUE if object is a private object (vs. public object) (default FALSE). |
#define | CKA_LABEL |
Description of the object (default empty). |
#define | CKA_APPLICATION |
Description of the application that manages the object (default empty). |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_CERTIFICATE_TYPE |
Type of certificate. |
#define | CKA_SUBJECT |
DER encoding of the certificate subject name. |
#define | CKA_ID |
Key identifier for public/private key pair (default empty). |
#define | CKA_ISSUER |
DER encoding of the certificate issuer name (default empty). |
#define | CKA_SERIAL_NUMBER |
DER encoding of the certificate serial number (default empty). |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_KEY_TYPE |
Type of key. |
#define | CKA_ID |
Key identifier for public/private key pair (default empty). |
#define | CKA_START_DATE |
Start date for the key (default empty). |
#define | CKA_END_DATE |
End date for the key (default empty). |
#define | CKA_DERIVE |
TRUE if key supports key derivation (default FALSE). |
#define | CKA_SUBJECT |
DER encoding of the certificate subject name. |
#define | CKA_ENCRYPT |
TRUE if key supports encryption1. |
#define | CKA_VERIFY |
TRUE if key supports verification1. |
#define | CKA_VERIFY_RECOVER |
TRUE if key supports verification where the data is recovered from the signature1. |
#define | CKA_WRAP |
TRUE if key supports wrapping1. |
#define | CKA_MODULUS |
Modulus ''n''. |
#define | CKA_MODULUS_BITS |
Length in bits of modulus ''n''. |
#define | CKA_PUBLIC_EXPONENT |
Public exponent ''e''. |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
#define | CKA_SUBPRIME |
Subprime ''q'' (160 bits). |
#define | CKA_BASE |
Base ''g''. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
#define | CKA_BASE |
Base ''g''. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_SUBJECT |
DER encoding of the certificate subject name. |
#define | CKA_SENSITIVE |
TRUE if object is sensitive1. |
#define | CKA_DECRYPT |
TRUE if key supports decryption1. |
#define | CKA_SIGN |
TRUE if key supports signatures where the signature is an appendix to the data1. |
#define | CKA_SIGN_RECOVER |
TRUE if key supports signatures where the data can be recovered from the signature1. |
#define | CKA_UNWRAP |
TRUE if key supports unwrapping1. |
#define | CKA_MODULUS |
Modulus ''n''. |
#define | CKA_PUBLIC_EXPONENT |
Public exponent ''e''. |
#define | CKA_PRIVATE_EXPONENT |
Private exponent ''d''. |
#define | CKA_PRIME_1 |
Prime ''p''. |
#define | CKA_PRIME_2 |
Prime ''q''. |
#define | CKA_EXPONENT_1 |
Private exponent ''d'' modulo ''p''-1. |
#define | CKA_EXPONENT_2 |
Private exponent ''d'' modulo ''q''-1. |
#define | CKA_COEFFICIENT |
CRT coefficient ''q''-1 mod ''p''. |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
#define | CKA_SUBPRIME |
Subprime ''q'' (160 bits). |
#define | CKA_BASE |
Base ''g''. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_PRIME |
Prime ''p'' (512 to 1024 bits, in steps of 64 bits). |
#define | CKA_BASE |
Base ''g''. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_VALUE_BITS |
Length in bits of private value ''x''. |
#define | CKA_SENSITIVE |
TRUE if object is sensitive1. |
#define | CKA_ENCRYPT |
TRUE if key supports encryption1. |
#define | CKA_DECRYPT |
TRUE if key supports decryption1. |
#define | CKA_SIGN |
TRUE if key supports signatures where the signature is an appendix to the data1. |
#define | CKA_VERIFY |
TRUE if key supports verification1. |
#define | CKA_WRAP |
TRUE if key supports wrapping1. |
#define | CKA_UNWRAP |
TRUE if key supports unwrapping1. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_VALUE_LEN |
Length in bytes of key value. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_VALUE_LEN |
Length in bytes of key value. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_VALUE_LEN |
Length in bytes of key value. |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_VALUE |
Value of the object (default empty). |
#define | CKA_VALUE |
Value of the object (default empty). |
Typedefs | |
typedef unsigned char | CK_BYTE |
an unsigned 8-bit value. |
typedef CK_BYTE | CK_CHAR |
an unsigned 8-bit character. |
typedef CK_BYTE | CK_BBOOL |
a BYTE-sized Boolean flag. |
typedef unsigned short int | CK_USHORT |
an unsigned value, at least 16 bits long. |
typedef unsigned long int | CK_ULONG |
an unsigned value, at least 32 bits long. |
typedef CK_ULONG | CK_FLAGS |
at least 32 bits, each bit is a Boolean flag. |
typedef CK_BYTE CK_PTR | CK_BYTE_PTR |
Pointer to a CK_BYTE. |
typedef CK_CHAR CK_PTR | CK_CHAR_PTR |
Pointer to a CK_CHAR. |
typedef CK_USHORT CK_PTR | CK_USHORT_PTR |
Pointer to a CK_USHORT. |
typedef void CK_PTR | CK_VOID_PTR |
Pointer to a void. |
typedef struct | CK_VERSION |
CK_VERSION is a structure that describes the version of Cryptoki. |
typedef struct | CK_INFO |
CK_INFO provides general information about Cryptoki. |
typedef enum | CK_NOTIFICATION |
CK_NOTIFICATION enumerates the types of notifications that Cryptoki provides to an application. |
typedef CK_ULONG | CK_SLOT_ID |
CK_SLOT_ID is a Cryptoki-assigned value that identifies a slot. |
typedef struct | CK_SLOT_INFO |
CK_SLOT_INFO provides information about a slot. |
typedef struct | CK_TOKEN_INFO |
CK_TOKEN_INFO provides information about a token. |
typedef CK_ULONG | CK_SESSION_HANDLE |
CK_SESSION_HANDLE is a Cryptoki-assigned value that identifies a session. |
typedef enum | CK_USER_TYPE |
CK_USER_TYPE enumerates the types of Cryptoki users described in Section .. |
typedef enum | CK_STATE |
CK_STATE enumerates the session states described in Sections and . |
typedef struct | CK_SESSION_INFO |
CK_SESSION_INFO provides information about a session. |
typedef CK_ULONG | CK_OBJECT_HANDLE |
CK_OBJECT_HANDLE is a token-specific identifier for an object. |
typedef CK_USHORT | CK_OBJECT_CLASS |
CK_OBJECT_CLASS is a value that identifies the classes (or types) of objects that Cryptoki recognizes. |
typedef CK_USHORT | CK_KEY_TYPE |
CK_KEY_TYPE is a value that identifies a key type. |
typedef CK_USHORT | CK_CERTIFICATE_TYPE |
CK_CERTIFICATE_TYPE is a value that identifies a certificate type. |
typedef CK_USHORT | CK_ATTRIBUTE_TYPE |
CK_ATTRIBUTE_TYPE is a value that identifies an attribute type. |
typedef struct | CK_ATTRIBUTE |
CK_ATTRIBUTE is a structure that includes the type, length and value of an attribute. |
typedef struct | CK_DATE |
CK_DATE is a structure that defines a date. |
typedef CK_USHORT | CK_MECHANISM_TYPE |
CK_MECHANISM_TYPE is a value that identifies a mechanism type. |
typedef struct | CK_MECHANISM |
CK_MECHANISM is a structure that specifies a particular mechanism. |
typedef struct | CK_MECHANISM_INFO |
CK_MECHANISM_INFO is a structure that provides information about a particular mechanism. |
typedef struct | CK_RC2_CBC |
CK_RC2_CBC_PARAMS is a structure that provides the parameters to the CKM_RC2_CBC mechanism. |
typedef CK_USHORT | CK_RV |
CK_RV is a value that identifies the return value of a Cryptoki function. |
Enumerations | |
enum | CK_NOTIFICATION { CKN_SURRENDER, CKN_COMPLETE, CKN_DEVICE_REMOVED } |
CK_NOTIFICATION enumerates the types of notifications that Cryptoki provides to an application. |
enum | CK_USER_TYPE |
CK_USER_TYPE enumerates the types of Cryptoki users described in Section .. |
enum | CK_STATE { CKS_RO_SO_FUNCTIONS } |
CK_STATE enumerates the session states described in Sections and . |
Functions | |
CK_RV | C_Initialize (CK_VOID_PTR pReserved) |
C_Initialize initializes the Cryptoki library. |
CK_RV | C_GetInfo (CK_INFO_PTR pInfo) |
C_GetInfo returns general information about Cryptoki. |
CK_RV | C_GetSlotList (CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_USHORT_PTR pusCount) |
C_GetSlotList obtains a list of slots in the system. |
CK_RV | C_GetSlotInfo (CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) |
C_GetSlotInfo obtains information about a particular slot in the system. |
CK_RV | C_GetTokenInfo (CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) |
C_GetTokenInfo obtains information about a particular token in the system. |
CK_RV | C_GetMechanismList (CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_USHORT_PTR pusCount) |
C_GetMechanismList obtains a list of mechanism types supported by a token. |
CK_RV | C_GetMechanismInfo (CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo) |
C_GetMechanismInfo obtains information about a particular mechanism possibly supported by a token. |
CK_RV | C_InitToken (CK_SLOT_ID slotID, CK_CHAR_PTR pPin, CK_USHORT usPinLen, CK_CHAR_PTR pLabel) |
C_InitToken initializes a token. |
CK_RV | C_InitPIN (CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin, CK_USHORT usPinLen) |
C_InitPIN initializes the normal user's PIN. |
CK_RV | C_SetPIN (CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, CK_USHORT usOldLen, CK_CHAR_PTR pNewPin, CK_USHORT usNewLen) |
C_SetPIN modifies the PIN of the user that is currently logged in. |
CK_RV | C_OpenSession (CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_RV(*Notify)(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event, CK_VOID_PTR pApplication), CK_SESSION_HANDLE_PTR phSession) |
C_OpenSession opens a session between an application and a token. |
CK_RV | C_CloseSession (CK_SESSION_HANDLE hSession) |
C_CloseSession closes a session between an application and a token. |
CK_RV | C_CloseAllSessions (CK_SLOT_ID slotID) |
C_CloseAllSessions closes all sessions with a token. |
CK_RV | C_GetSessionInfo (CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) |
C_GetSessionInfo obtains information about the session. |
CK_RV | C_Login (CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_CHAR_PTR pPin, CK_USHORT usPinLen) |
C_Login logs a user into a token. |
CK_RV | C_Logout (CK_SESSION_HANDLE hSession) |
C_Logout logs a user out from a token. |
CK_RV | C_CreateObject (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usCount, CK_OBJECT_HANDLE_PTR phObject) |
C_CreateObject creates a new object. |
CK_RV | C_CopyObject (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usCount, CK_OBJECT_HANDLE_PTR phNewObject) |
C_CopyObject copies an object, creating a new object for the copy. |
CK_RV | C_DestroyObject (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) |
C_DestroyObject destroys an object. |
CK_RV | C_GetObjectSize (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_USHORT_PTR pusSize) |
C_GetObjectSize gets the size of an object in bytes. |
CK_RV | C_GetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usCount) |
C_GetAttributeValue obtains the value of one or more object attributes. |
CK_RV | C_SetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usCount) |
C_SetAttributeValue modifies the value of one or more attributes of an object. |
CK_RV | C_FindObjectsInit (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usCount) |
C_FindObjectsInit initializes a search for token and session objects that match a template. |
CK_RV | C_FindObjects (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_USHORT usMaxObjectCount, CK_USHORT_PTR pusObjectCount) |
C_FindObjects continues a search for token and session objects that match a template, obtaining additional object handles. |
CK_RV | C_EncryptInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_EncryptInit initializes an encryption operation. |
CK_RV | C_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_USHORT usDataLen, CK_BYTE_PTR pEncryptedData, CK_USHORT_PTR pusEncryptedDataLen) |
C_Encrypt encrypts single-part data. |
CK_RV | C_EncryptUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_USHORT usPartLen, CK_BYTE_PTR pEncryptedPart, CK_USHORT_PTR pusEncryptedPartLen) |
C_EncryptUpdate continues a multiple-part encryption operation, processing another data part. |
CK_RV | C_EncryptFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_USHORT_PTR pusEncryptedPartLen) |
C_EncryptFinal finishes a multiple-part encryption operation. |
CK_RV | C_DecryptInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_DecryptInit initializes a decryption operation. |
CK_RV | C_Decrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, CK_USHORT usEncryptedDataLen, CK_BYTE_PTR pData, CK_USHORT_PTR pusDataLen) |
C_Decrypt decrypts encrypted data in a single part. |
CK_RV | C_DecryptUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_USHORT usEncryptedPartLen, CK_BYTE_PTR pPart, CK_USHORT_PTR pusPartLen) |
C_DecryptUpdate continues a multiple-part decryption operation, processing another encrypted data part. |
CK_RV | C_DecryptFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_USHORT_PTR usLastPartLen) |
C_DecryptFinal finishes a multiple-part decryption operation. |
CK_RV | C_DigestInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) |
C_DigestInit initializes a message-digesting operation. |
CK_RV | C_Digest (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_USHORT usDataLen, CK_BYTE_PTR pDigest, CK_USHORT_PTR pusDigestLen) |
C_Digest digests data in a single part. |
CK_RV | C_DigestUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_USHORT usPartLen) |
C_DigestUpdate continues a multiple-part message-digesting operation, processing another data part. |
CK_RV | C_DigestFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_USHORT_PTR pusDigestLen) |
C_DigestFinal finishes a multiple-part message-digesting operation, returning the message digest. |
CK_RV | C_SignInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_SignInit initializes a signature operation, where the signature is an appendix to the data. |
CK_RV | C_Sign (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_USHORT usDataLen, CK_BYTE_PTR pSignature, CK_USHORT_PTR pusSignatureLen) |
C_Sign signs data in a single part, where the signature is an appendix to the data. |
CK_RV | C_SignUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_USHORT usPartLen) |
C_SignUpdate continues a multiple-part signature operation, processing another data part. |
CK_RV | C_SignFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_USHORT_PTR pusSignatureLen) |
C_SignFinal finishes a multiple-part signature operation, returning the signature. |
CK_RV | C_SignRecoverInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_SignRecoverInit initializes a signature operation, where the data can be recovered from the signature. |
CK_RV | C_SignRecover (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_USHORT usDataLen, CK_BYTE_PTR pSignature, CK_USHORT_PTR pusSignatureLen) |
C_SignRecover signs data in a single operation, where the data can be recovered from the signature. |
CK_RV | C_VerifyInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_VerifyInit initializes a verification operation, where the signature is an appendix to the data. |
CK_RV | C_Verify (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_USHORT usDataLen, CK_BYTE_PTR pSignature, CK_USHORT usSignatureLen) |
C_Verify verifies a signature in a single-part operation, where the signature is an appendix to the data. |
CK_RV | C_VerifyUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_USHORT usPartLen) |
C_VerifyUpdate continues a multiple-part verification operation, processing another data part. |
CK_RV | C_VerifyFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_USHORT usSignatureLen) |
C_VerifyFinal finishes a multiple-part verification operation, checking the signature. |
CK_RV | C_VerifyRecoverInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) |
C_VerifyRecoverInit initializes a signature verification operation, where the data is recovered from the signature. |
CK_RV | C_VerifyRecover (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_USHORT usSignatureLen, CK_BYTE_PTR pData, CK_USHORT_PTR pusDataLen) |
C_VerifyRecover verifies a signature in a single-part operation, where the data is recovered from the signature. |
CK_RV | C_GenerateKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usCount, CK_OBJECT_HANDLE_PTR phKey) |
C_GenerateKey generates a secret key, creating a new key object. |
CK_RV | C_GenerateKeyPair (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_USHORT usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_USHORT usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPrivateKey, CK_OBJECT_HANDLE_PTR phPublicKey) |
C_GenerateKeyPair generates a public-key/private-key pair, creating new key objects. |
CK_RV | C_WrapKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey, CK_USHORT_PTR pusWrappedKeyLen) |
C_WrapKey wraps (i.e., encrypts) a key. |
CK_RV | C_UnwrapKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey, CK_USHORT usWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usAttributeCount, CK_OBJECT_HANDLE_PTR phKey) |
C_UnwrapKey unwraps (i.e. |
CK_RV | C_DeriveKey (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_USHORT usAttributeCount, CK_OBJECT_HANDLE_PTR phKey) |
C_DeriveKey derives a key from a base key, creating a new key object. |
CK_RV | C_SeedRandom (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_USHORT usSeedLen) |
C_SeedRandom mixes additional seed material into the token's random number generator. |
CK_RV | C_GenerateRandom (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_USHORT usRandomLen) |
C_GenerateRandom generates random data. |
CK_RV | C_GetFunctionStatus (CK_SESSION_HANDLE hSession) |
C_GetFunctionStatus obtains an updated status of a function running in parallel with an application. |
CK_RV | C_CancelFunction (CK_SESSION_HANDLE hSession) |
C_CancelFunction cancels a function running in parallel with an application. |
Definition in file pkcs11_all.h.
#define | CKF_EXTENSION |
TRUE if an extension to the flags; FALSE if no extensions. Must be FALSE for this version. |
#define | CKA_TOKEN |
TRUE if object is a token object (vs. session object) (default FALSE). |
#define | CKA_PRIVATE |
TRUE if object is a private object (vs. public object) (default FALSE). |
CK_VERSION is a structure that describes the version of Cryptoki.
For version 1.0, major = 1 and minor = For version 2.1, major = 2 and minor = 10. Minor revisions of the standard are always upwardly compatible within the same major version number.
CK_INFO provides general information about Cryptoki. It is defined as follows:
CK_INFO_PTR points to a CK_INFO structure. It is implementation dependent.
CK_NOTIFICATION enumerates the types of notifications that Cryptoki provides to an application. It is defined as follows:
typedef enum CK_NOTIFICATION {
    CKN_SURRENDER,
    CKN_COMPLETE,
    CKN_DEVICE_REMOVED
} CK_NOTIFICATION;
The notifications have the following meanings:
CKN_SURRENDER: Cryptoki is surrendering the execution of a function so that the application may perform other operations. After performing such operations, the application should indicate to Cryptoki whether to continue or cancel the function.
CKN_COMPLETE: A function running in parallel has completed.
CKN_DEVICE_REMOVED: Cryptoki detected that the device underlying the token has been removed from the reader (assuming the token has the capability).
Slot and token types
Cryptoki represents slot and token information with the following types.
CK_SLOT_ID is a Cryptoki-assigned value that identifies a slot. It is defined as follows:
typedef CK_ULONG CK_SLOT_ID;
A CK_SLOT_ID is returned by C_GetSlotList.
CK_SLOT_ID_PTR points to a CK_SLOT_ID. It is implementation dependent.
CK_SLOT_INFO provides information about a slot. It is defined as follows:
The following table defines the flags.
Table 7-1, Slot Information Flags
CK_SLOT_INFO_PTR points to a CK_SLOT_INFO structure. It is implementation dependent.
CK_TOKEN_INFO provides information about a token. It is defined as follows:
The flags parameter is defined as follows:
Table 7-2, Token Information Flags
CK_TOKEN_INFO_PTR points to a CK_TOKEN_INFO structure. It is implementation dependent.
Session types
Cryptoki represents session information with the following types.
CK_SESSION_HANDLE is a Cryptoki-assigned value that identifies a session. It is defined as follows:
typedef CK_ULONG CK_SESSION_HANDLE;
CK_SESSION_HANDLE_PTR points to a CK_SESSION_HANDLE. It is implementation dependent.
CK_USER_TYPE enumerates the types of Cryptoki users described in Section . It is defined as follows:
typedef enum CK_USER_TYPE {
    CKU_SO,   /* Security Officer */
    CKU_USER  /* Normal user */
} CK_USER_TYPE;
CK_STATE enumerates the session states described in Sections and . It is defined as follows:
typedef enum CK_STATE {
    CKS_RW_PUBLIC_SESSION,
    CKS_RW_USER_FUNCTIONS,
    CKS_RO_PUBLIC_SESSION,
    CKS_RO_SO_FUNCTIONS,
    CKS_RO_USER_FUNCTIONS
} CK_STATE;
CK_SESSION_INFO provides information about a session. It is defined as follows:
|
|
CK_SESSION_HANDLECK_SESSION_HANDLE is a Cryptoki-assigned value that identifies a session. |
|
CK_USER_TYPECK_USER_TYPE enumerates the types of Cryptoki users described in Section .. |
|
CK_STATECK_STATE enumerates the session states decribed in Sections and . |
|
CK_SESSION_INFOCK_SESSION_INFO provides information about a session. It is defined as follows:
The flags are defined in the following table.
Table 7-3, Session Information Flags

CK_SESSION_INFO_PTR
CK_SESSION_INFO_PTR points to a CK_SESSION_INFO structure. It is implementation dependent.

Object types

Cryptoki represents object information with the following types.

CK_OBJECT_HANDLE
CK_OBJECT_HANDLE is a token-specific identifier for an object. It is defined as follows:
typedef CK_ULONG CK_OBJECT_HANDLE;
The handle is assigned by Cryptoki when an object is created. The handle for an object is unique among all objects in the token at a given time, and remains constant until the object is destroyed. Cryptoki considers an object handle valid if and only if the object exists and is accessible to the application. In particular, object handles for private objects are valid if and only if a user is logged in.

CK_OBJECT_HANDLE_PTR
CK_OBJECT_HANDLE_PTR points to a CK_OBJECT_HANDLE. It is implementation dependent.

CK_OBJECT_CLASS
CK_OBJECT_CLASS is a value that identifies the classes (or types) of objects that Cryptoki recognizes. It is defined as follows:
typedef CK_USHORT CK_OBJECT_CLASS;
For this version of Cryptoki, the following classes of objects are defined:
#define CKO_DATA            0x0000
#define CKO_CERTIFICATE     0x0001
#define CKO_PUBLIC_KEY      0x0002
#define CKO_PRIVATE_KEY     0x0003
#define CKO_SECRET_KEY      0x0004
#define CKO_VENDOR_DEFINED  0x8000
Object classes CKO_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their object classes through the PKCS process.

CK_OBJECT_CLASS_PTR
CK_OBJECT_CLASS_PTR points to a CK_OBJECT_CLASS structure. It is implementation dependent.

CK_KEY_TYPE
CK_KEY_TYPE is a value that identifies a key type. It is defined as follows:
typedef CK_USHORT CK_KEY_TYPE;
For this version of Cryptoki, the following key types are defined:
#define CKK_RSA             0x0000
#define CKK_DSA             0x0001
#define CKK_DH              0x0002
#define CKK_GENERIC_SECRET  0x0010
#define CKK_RC2             0x0011
#define CKK_RC4             0x0012
#define CKK_DES             0x0013
#define CKK_DES2            0x0014
#define CKK_DES3            0x0015
#define CKK_VENDOR_DEFINED  0x8000
Key types CKK_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their key types through the PKCS process.

CK_CERTIFICATE_TYPE
CK_CERTIFICATE_TYPE is a value that identifies a certificate type. It is defined as follows:
typedef CK_USHORT CK_CERTIFICATE_TYPE;
For this version of Cryptoki, the following certificate types are defined:
#define CKC_X_509           0x0000
#define CKC_VENDOR_DEFINED  0x8000
Certificate types CKC_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their certificate types through the PKCS process.

CK_ATTRIBUTE_TYPE
CK_ATTRIBUTE_TYPE is a value that identifies an attribute type. It is defined as follows:
typedef CK_USHORT CK_ATTRIBUTE_TYPE;
For this version of Cryptoki, the following attribute types are defined:
#define CKA_CLASS             0x0000
#define CKA_TOKEN             0x0001
#define CKA_PRIVATE           0x0002
#define CKA_LABEL             0x0003
#define CKA_APPLICATION       0x0010
#define CKA_VALUE             0x0011
#define CKA_CERTIFICATE_TYPE  0x0080
#define CKA_ISSUER            0x0081
#define CKA_SERIAL_NUMBER     0x0082
#define CKA_KEY_TYPE          0x0100
#define CKA_SUBJECT           0x0101
#define CKA_ID                0x0102
#define CKA_SENSITIVE         0x0103
#define CKA_ENCRYPT           0x0104
#define CKA_DECRYPT           0x0105
#define CKA_WRAP              0x0106
#define CKA_UNWRAP            0x0107
#define CKA_SIGN              0x0108
#define CKA_SIGN_RECOVER      0x0109
#define CKA_VERIFY            0x010A
#define CKA_VERIFY_RECOVER    0x010B
#define CKA_DERIVE            0x010C
#define CKA_MODULUS           0x0120
#define CKA_MODULUS_BITS      0x0121
#define CKA_PUBLIC_EXPONENT   0x0122
#define CKA_PRIVATE_EXPONENT  0x0123
#define CKA_PRIME_1           0x0124
#define CKA_PRIME_2           0x0125
#define CKA_EXPONENT_1        0x0126
#define CKA_EXPONENT_2        0x0127
#define CKA_COEFFICIENT       0x0128
#define CKA_PRIME             0x0130
#define CKA_SUBPRIME          0x0131
#define CKA_BASE              0x0132
#define CKA_VALUE_BITS        0x0160
#define CKA_VALUE_LEN         0x0161
#define CKA_VENDOR_DEFINED    0x8000
Section defines the attributes for each object class. Attribute types CKA_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their attribute types through the PKCS process.

CK_ATTRIBUTE
CK_ATTRIBUTE is a structure that includes the type, length and value of an attribute. It is defined as follows:
If an attribute has no value, then pValue = NULL_PTR, and usValueLen = 0. An array of CK_ATTRIBUTEs is called a "template" and is used for creating, manipulating and searching for objects. Note that pValue is a "void" pointer, facilitating the passing of arbitrary values. Both the application and Cryptoki library must ensure that the pointer can be safely cast to the expected type (e.g., without word-alignment errors).
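
One way to honour the caution above about pValue, as an added example that is not part of the Cryptoki specification: the hypothetical helpers find_attr, attr_ushort and template_matches check usValueLen before reading, copy with memcpy instead of casting, and match a search template against a constructed object. The type definitions are local stand-ins for the real header, and treating an empty template as matching every object is an assumption.

```c
#include <string.h>

/* Local stand-ins for the Cryptoki v1.0 types (a real build uses the vendor
 * header). Field order follows the page's {type, pValue, usValueLen}. */
typedef unsigned char  CK_BYTE;
typedef unsigned short CK_USHORT;
typedef CK_USHORT CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS;
typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    void             *pValue;
    CK_USHORT         usValueLen;
} CK_ATTRIBUTE;
#define NULL_PTR       0
#define CKA_CLASS      0x0000
#define CKA_LABEL      0x0003
#define CKA_KEY_TYPE   0x0100
#define CKO_PUBLIC_KEY 0x0002
#define CKO_SECRET_KEY 0x0004

/* Result codes of the hypothetical helpers (not Cryptoki CKR_ values). */
enum { ATTR_OK = 0, ATTR_MISSING = -1, ATTR_BAD_LENGTH = -2 };

/* Constructed sample object: a public key with a 5-byte label. */
static CK_OBJECT_CLASS sampleClass   = CKO_PUBLIC_KEY;
static CK_BYTE         sampleLabel[] = {'t', 'o', 'k', 'e', 'n'};
static CK_ATTRIBUTE    sampleObject[] = {
    {CKA_CLASS, &sampleClass, sizeof(sampleClass)},
    {CKA_LABEL, sampleLabel,  sizeof(sampleLabel)}
};

/* First attribute of the given type, or NULL_PTR if absent. */
static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_USHORT n,
                                     CK_ATTRIBUTE_TYPE type)
{
    CK_USHORT i;
    for (i = 0; t != NULL_PTR && i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL_PTR;
}

/* Value of a CK_USHORT-sized attribute, or a negative ATTR_ code. The length
 * is checked before the bytes are read; memcpy copes with any alignment. */
static long attr_ushort(const CK_ATTRIBUTE *t, CK_USHORT n,
                        CK_ATTRIBUTE_TYPE type)
{
    const CK_ATTRIBUTE *a = find_attr(t, n, type);
    CK_USHORT v;
    if (a == NULL_PTR) return ATTR_MISSING;
    if (a->pValue == NULL_PTR || a->usValueLen != sizeof(v))
        return ATTR_BAD_LENGTH;   /* also the "no value" case: NULL_PTR, 0 */
    memcpy(&v, a->pValue, sizeof(v));
    return (long)v;
}

/* 1 if every template attribute occurs in obj with the same length and bytes.
 * An empty template matches every object (assumption). */
static int template_matches(const CK_ATTRIBUTE *obj, CK_USHORT nObj,
                            const CK_ATTRIBUTE *tmpl, CK_USHORT nTmpl)
{
    CK_USHORT i;
    if (tmpl == NULL_PTR) return nTmpl == 0;
    for (i = 0; i < nTmpl; i++) {
        const CK_ATTRIBUTE *have = find_attr(obj, nObj, tmpl[i].type);
        if (have == NULL_PTR || have->usValueLen != tmpl[i].usValueLen)
            return 0;
        if (have->usValueLen != 0 &&
            (have->pValue == NULL_PTR || tmpl[i].pValue == NULL_PTR ||
             memcmp(have->pValue, tmpl[i].pValue, have->usValueLen) != 0))
            return 0;
    }
    return 1;
}

/* Read a value back from offset 1 of a byte buffer, an address that need
 * not be aligned for CK_USHORT. */
static long read_from_offset_one(CK_USHORT in)
{
    CK_BYTE raw[1 + sizeof(CK_USHORT)];
    CK_ATTRIBUTE a = {CKA_KEY_TYPE, NULL_PTR, sizeof(in)};
    memcpy(raw + 1, &in, sizeof(in));
    a.pValue = raw + 1;
    return attr_ushort(&a, 1, CKA_KEY_TYPE);
}

/* Does the sample object match a one-attribute search on CKA_CLASS? */
static int sample_is_class(CK_OBJECT_CLASS wanted)
{
    CK_ATTRIBUTE tmpl = {CKA_CLASS, NULL_PTR, sizeof(wanted)};
    tmpl.pValue = &wanted;
    return template_matches(sampleObject, 2, &tmpl, 1);
}

int main(void)
{
    int ok = sample_is_class(CKO_PUBLIC_KEY) && read_from_offset_one(19) == 19;
    return ok ? 0 : 1;
}
```

Reading the 5-byte label through attr_ushort is rejected with ATTR_BAD_LENGTH rather than returning its first two bytes.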

CK_ATTRIBUTE_PTR
CK_ATTRIBUTE_PTR points to a CK_ATTRIBUTE structure. It is implementation dependent.

CK_DATE
CK_DATE is a structure that defines a date. It is defined as follows:
The fields hold numeric characters from the character set in Table 4-3, not the literal byte values.

CK_MECHANISM_TYPE
CK_MECHANISM_TYPE is a value that identifies a mechanism type. It is defined as follows:

CK_MECHANISM
CK_MECHANISM is a structure that specifies a particular mechanism.
Note that pParameter is a "void" pointer, facilitating the passing of arbitrary values. Both the application and Cryptoki library must ensure that the pointer can be safely cast to the expected type (e.g., without word-alignment errors).

CK_MECHANISM_PTR
CK_MECHANISM_PTR points to a CK_MECHANISM structure. It is implementation dependent.

CK_MECHANISM_INFO
CK_MECHANISM_INFO is a structure that provides information about a particular mechanism. It is defined as follows:
The flags are defined as follows.
Table 7-4, Mechanism Information Flags

CK_MECHANISM_INFO_PTR
CK_MECHANISM_INFO_PTR points to a CK_MECHANISM_INFO structure. It is implementation dependent.

CK_RC2_CBC_PARAMS
CK_RC2_CBC_PARAMS is a structure that provides the parameters to the CKM_RC2_CBC mechanism. It is defined as follows:

CK_RV
CK_RV is a value that identifies the return value of a Cryptoki function.

C_Initialize initializes the Cryptoki library. C_Initialize should be the first call made by an application. This function is implementation defined; Cryptoki may, for example, initialize its internal memory buffers, or any other resources it may require. The pReserved parameter is reserved for future versions. For this version, it should be set to NULL_PTR.
CK_RV rv;

rv = C_Initialize(NULL_PTR);

C_GetInfo returns general information about Cryptoki.
CK_INFO info;
CK_RV rv;

rv = C_GetInfo(&info);
if( rv == CKR_OK ){
  if( info.version.major == 1 ){
    . . .
  }
}

Slot and token management

Cryptoki provides the following functions for slot and token management.

C_GetSlotList obtains a list of slots in the system.
CK_SLOT_ID_PTR pSlotList;
CK_USHORT usCount;
CK_RV rv;

rv = C_GetSlotList(FALSE, NULL_PTR, &usCount);
if( (rv == CKR_OK) && (usCount > 0) ){
  pSlotList = (CK_SLOT_ID_PTR) malloc(usCount * sizeof(CK_SLOT_ID));
  if( pSlotList != NULL_PTR ){   /* malloc can fail */
    rv = C_GetSlotList(FALSE, pSlotList, &usCount);
    if( rv == CKR_OK ){
      . . .
    }
    free(pSlotList);
  }
}

C_GetSlotInfo obtains information about a particular slot in the system.
CK_SLOT_ID_PTR pSlotList;
CK_USHORT usCount;
CK_SLOT_INFO info;
CK_RV rv;

rv = C_GetSlotList(FALSE, NULL_PTR, &usCount);
if( (rv == CKR_OK) && (usCount > 0) ){
  pSlotList = (CK_SLOT_ID_PTR) malloc(usCount * sizeof(CK_SLOT_ID));
  if( pSlotList != NULL_PTR ){   /* malloc can fail */
    rv = C_GetSlotList(FALSE, pSlotList, &usCount);
    if( rv == CKR_OK ){
      rv = C_GetSlotInfo(pSlotList[0], &info);
      . . .
    }
    free(pSlotList);
  }
}

C_GetTokenInfo obtains information about a particular token in the system.
CK_SLOT_ID_PTR pSlotList;
CK_USHORT usCount;
CK_TOKEN_INFO info;
CK_RV rv;

rv = C_GetSlotList(TRUE, NULL_PTR, &usCount);
if( (rv == CKR_OK) && (usCount > 0) ){
  pSlotList = (CK_SLOT_ID_PTR) malloc(usCount * sizeof(CK_SLOT_ID));
  if( pSlotList != NULL_PTR ){   /* malloc can fail */
    rv = C_GetSlotList(TRUE, pSlotList, &usCount);
    if( rv == CKR_OK ){
      rv = C_GetTokenInfo(pSlotList[0], &info);
      . . .
    }
    free(pSlotList);
  }
}

C_GetMechanismList obtains a list of mechanism types supported by a token.
CK_SLOT_ID slotID;
CK_MECHANISM_TYPE_PTR pMechanismList;
CK_USHORT usCount;
CK_RV rv;

rv = C_GetMechanismList(slotID, NULL_PTR, &usCount);
if( (rv == CKR_OK) && (usCount > 0) ){
  pMechanismList = (CK_MECHANISM_TYPE_PTR) malloc(usCount * sizeof(CK_MECHANISM_TYPE));
  if( pMechanismList != NULL_PTR ){   /* malloc can fail */
    rv = C_GetMechanismList(slotID, pMechanismList, &usCount);
    if( rv == CKR_OK ){
      . . .
    }
    free(pMechanismList);
  }
}

C_GetMechanismInfo obtains information about a particular mechanism possibly supported by a token.
CK_SLOT_ID_PTR pSlotList;
CK_USHORT usCount;
CK_MECHANISM_INFO info;
CK_RV rv;

rv = C_GetSlotList(TRUE, NULL_PTR, &usCount);
if( (rv == CKR_OK) && (usCount > 0) ){
  pSlotList = (CK_SLOT_ID_PTR) malloc(usCount * sizeof(CK_SLOT_ID));
  if( pSlotList != NULL_PTR ){   /* malloc can fail */
    rv = C_GetSlotList(TRUE, pSlotList, &usCount);
    if( rv == CKR_OK ){
      rv = C_GetMechanismInfo(pSlotList[0], CKM_MD2, &info);
      . . .
    }
    free(pSlotList);
  }
}

C_InitToken initializes a token.
CK_SLOT_ID slotID;
CK_CHAR pin[] = {"MyPIN"};
CK_CHAR label[32];
CK_RV rv;

memset(label, ' ', sizeof(label));
/* Copy the text without its terminating NUL so the label stays blank-padded */
memcpy(label, "My first token", sizeof("My first token") - 1);
rv = C_InitToken(slotID, pin, sizeof(pin), label);
if( rv == CKR_OK ){
  . . .
}

C_InitPIN initializes the normal user's PIN.
CK_SESSION_HANDLE hSession;
CK_CHAR newPin[] = {"NewPIN"};
CK_RV rv;

rv = C_InitPIN(hSession, newPin, sizeof(newPin));
if( rv == CKR_OK ){
  . . .
}

C_SetPIN modifies the PIN of the user that is currently logged in.
CK_SESSION_HANDLE hSession;
CK_CHAR oldPin[] = {"OldPIN"};
CK_CHAR newPin[] = {"NewPIN"};
CK_RV rv;

rv = C_SetPIN(hSession, oldPin, sizeof(oldPin), newPin, sizeof(newPin));
if( rv == CKR_OK ){
  . . .
}

Session management

Cryptoki provides the following functions for session management. A typical application would call C_OpenSession after selecting a token and C_CloseSession after completing all operations with the token. Only in special cases, such as when other applications connected to a token have failed, would an application call C_CloseAllSessions. An application may have concurrent sessions with more than one token. It is also possible that a token may have concurrent sessions with more than one application.

C_OpenSession opens a session between an application and a token.
In a parallel session, cryptographic functions may return control to the application before completing (the return value CKR_FUNCTION_PARALLEL indicates this condition). The application may call C_GetFunctionStatus to obtain updated status of the function, which will be CKR_FUNCTION_PARALLEL until the function completes, and CKR_OK or another return value indicating an error when the function completes. Alternatively, the application can wait until Cryptoki sends notification that the function has completed through the Notify callback. The application may also call C_CancelFunction to cancel the function.

If an application calls another function (cryptographic or otherwise) before one that is executing in parallel completes, Cryptoki will wait until the one that is executing completes. Thus an application can run only one function at any given time in a given session. (To achieve parallel execution of multiple functions, the application should open additional sessions.)

Cryptographic functions running in serial with the application may surrender control through the Notify callback, so that the application may perform other operations or cancel the function. Non-cryptographic functions always run in serial with the application, and do not surrender control.

There may be a limit on the number of concurrent sessions with the token, which may depend on whether the session is "read-only" or "read/write." There can only be one exclusive session with a token. If the token is "write-protected" (as indicated in the CK_TOKEN_INFO structure), then the session also must be "read-only."

The Notify callback function is used by Cryptoki to notify the application of certain events. If the application does not support the callback, it should pass NULL_PTR as the address. The Notify callback function is described in Section .

CK_SESSION_HANDLE hSession;
CK_SLOT_ID slotID;
CK_RV rv;
CK_BYTE application;
CK_RV MyNotify(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event, CK_VOID_PTR pApplication);

slotID = 1;
rv = C_OpenSession(slotID, CKF_EXCLUSIVE_SESSION, &application, MyNotify, &hSession);
if( rv == CKR_OK ){
  . . .
}

C_CloseSession closes a session between an application and a token.
Depending on the token, when the last session with the token is closed, the token may be "ejected" from its reader, assuming this capability exists.
CK_SESSION_HANDLE hSession;
CK_SLOT_ID slotID;
CK_RV rv;
CK_BYTE application;
CK_RV MyNotify(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event, CK_VOID_PTR pApplication);

slotID = 1;
rv = C_OpenSession(slotID, CKF_EXCLUSIVE_SESSION, &application, MyNotify, &hSession);
if( rv == CKR_OK ){
  . . .
  C_CloseSession(hSession);
}

C_CloseAllSessions closes all sessions with a token.
Depending on the token, the token may be "ejected" from its reader, assuming this capability exists. When an application is disconnected from a token in this manner, it receives a CKR_SESSION_CLOSED error on its next call to Cryptoki.
CK_SLOT_ID slotID;
CK_RV rv;

slotID = 1;
rv = C_CloseAllSessions(slotID);

C_GetSessionInfo obtains information about the session.
CK_SESSION_HANDLE hSession;
CK_SESSION_INFO info;
CK_RV rv;

rv = C_GetSessionInfo(hSession, &info);
if( rv == CKR_OK ){
  . . .
}

C_Login logs a user into a token.
CK_SESSION_HANDLE hSession;
CK_CHAR userPIN[] = {"MyPIN"};
CK_RV rv;

rv = C_Login(hSession, CKU_USER, userPIN, sizeof(userPIN));
if( rv == CKR_OK ){
  . . .
}

C_Logout logs a user out from a token.
CK_SESSION_HANDLE hSession;
CK_CHAR userPIN[] = {"MyPIN"};
CK_RV rv;

rv = C_Login(hSession, CKU_USER, userPIN, sizeof(userPIN));
if( rv == CKR_OK ){
  . . .
  C_Logout(hSession);
}

Object management

Cryptoki provides the following functions for managing objects. Additional functions for managing key objects are described in Section .

C_CreateObject creates a new object.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hData, hCertificate, hKey;
CK_OBJECT_CLASS
  dataClass = CKO_DATA,
  certificateClass = CKO_CERTIFICATE,
  keyClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_RSA;
CK_CHAR application[] = {"My Application"};
CK_BYTE dataValue[] = {...};
CK_BYTE subject[] = {...};
CK_BYTE id[] = {...};
CK_BYTE certificateValue[] = {...};
CK_BYTE modulus[] = {...};
CK_BYTE exponent[] = {...};
CK_BYTE true = TRUE;
CK_ATTRIBUTE dataTemplate[] = {
  {CKA_CLASS, &dataClass, sizeof(dataClass)},
  {CKA_TOKEN, &true, 1},
  {CKA_APPLICATION, application, sizeof(application)},
  {CKA_VALUE, dataValue, sizeof(dataValue)}
};
CK_ATTRIBUTE certificateTemplate[] = {
  {CKA_CLASS, &certificateClass, sizeof(certificateClass)},
  {CKA_TOKEN, &true, 1},
  {CKA_SUBJECT, subject, sizeof(subject)},
  {CKA_ID, id, sizeof(id)},
  {CKA_VALUE, certificateValue, sizeof(certificateValue)}
};
CK_ATTRIBUTE keyTemplate[] = {
  {CKA_CLASS, &keyClass, sizeof(keyClass)},
  {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
  {CKA_WRAP, &true, 1},
  {CKA_MODULUS, modulus, sizeof(modulus)},
  {CKA_PUBLIC_EXPONENT, exponent, sizeof(exponent)}
};
CK_RV rv;

/* Create a data object */
rv = C_CreateObject(hSession, dataTemplate, 4, &hData);
if( rv == CKR_OK ){
  . . .
}

/* Create a certificate object */
rv = C_CreateObject(hSession, certificateTemplate, 5, &hCertificate);
if( rv == CKR_OK ){
  . . .
}

/* Create an RSA public key object (keyClass is CKO_PUBLIC_KEY) */
rv = C_CreateObject(hSession, keyTemplate, 5, &hKey);
if( rv == CKR_OK ){
  . . .
}

C_CopyObject copies an object, creating a new object for the copy.
Only session objects can be created during a read-only session. Only public objects can be created when no user is logged in.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_OBJECT_HANDLE hNewKey;
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_DES;
CK_BYTE id[] = {...};
CK_BYTE keyValue[] = {...};
CK_BYTE false = FALSE;
CK_BYTE true = TRUE;
CK_ATTRIBUTE keyTemplate[] = {
  {CKA_CLASS, &keyClass, sizeof(keyClass)},
  {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
  {CKA_TOKEN, &false, 1},
  {CKA_ID, id, sizeof(id)},
  {CKA_VALUE, keyValue, sizeof(keyValue)}
};
CK_ATTRIBUTE copyTemplate[] = {
  {CKA_TOKEN, &true, 1}
};
CK_RV rv;

/* Create a DES secret key session object */
rv = C_CreateObject(hSession, keyTemplate, 5, &hKey);
if( rv == CKR_OK ){
  /* Create a copy on the token */
  rv = C_CopyObject(hSession, hKey, copyTemplate, 1, &hNewKey);
  . . .
}

C_DestroyObject destroys an object.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hObject;
CK_OBJECT_CLASS dataClass = CKO_DATA;
CK_CHAR application[] = {"My Application"};
CK_BYTE value[] = {...};
CK_BYTE true = TRUE;
CK_ATTRIBUTE template[] = {
  {CKA_CLASS, &dataClass, sizeof(dataClass)},
  {CKA_TOKEN, &true, 1},
  {CKA_APPLICATION, application, sizeof(application)},
  {CKA_VALUE, value, sizeof(value)}
};
CK_RV rv;

rv = C_CreateObject(hSession, template, 4, &hObject);
if( rv == CKR_OK ){
  . . .
  C_DestroyObject(hSession, hObject);
}

C_GetObjectSize gets the size of an object in bytes.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hObject;
CK_OBJECT_CLASS dataClass = CKO_DATA;
CK_CHAR application[] = {"My Application"};
CK_BYTE dataValue[] = {...};
CK_BYTE value[] = {...};
CK_BYTE true = TRUE;
CK_ATTRIBUTE template[] = {
  {CKA_CLASS, &dataClass, sizeof(dataClass)},
  {CKA_TOKEN, &true, 1},
  {CKA_APPLICATION, application, sizeof(application)},
  {CKA_VALUE, value, sizeof(value)}
};
CK_USHORT usSize;
CK_RV rv;

rv = C_CreateObject(hSession, template, 4, &hObject);
if( rv == CKR_OK ){
  rv = C_GetObjectSize(hSession, hObject, &usSize);
  . . .
  C_DestroyObject(hSession, hObject);
}

C_GetAttributeValue obtains the value of one or more object attributes.
If the object is marked "sensitive", it may not be possible to obtain the value of the attribute.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hObject;
CK_BYTE_PTR pModulus, pExponent;
CK_ATTRIBUTE template[] = {
  {CKA_MODULUS, NULL_PTR, 0},
  {CKA_PUBLIC_EXPONENT, NULL_PTR, 0}
};
CK_RV rv;

/* First call, with pValue set to NULL_PTR, obtains the lengths */
rv = C_GetAttributeValue(hSession, hObject, template, 2);
if( rv == CKR_OK ){
  pModulus = (CK_BYTE_PTR) malloc(template[0].usValueLen);
  template[0].pValue = pModulus;
  pExponent = (CK_BYTE_PTR) malloc(template[1].usValueLen);
  template[1].pValue = pExponent;
  if( (pModulus != NULL_PTR) && (pExponent != NULL_PTR) ){   /* malloc can fail */
    rv = C_GetAttributeValue(hSession, hObject, template, 2);
    if( rv == CKR_OK ){
      . . .
    }
  }
  free(pModulus);
  free(pExponent);
}

C_SetAttributeValue modifies the value of one or more attributes of an object.
Not all attributes can be modified; see Section for more details.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hObject;
CK_CHAR label[] = {"New label"};
CK_ATTRIBUTE template[] = {
  {CKA_LABEL, label, sizeof(label)}
};
CK_RV rv;

rv = C_SetAttributeValue(hSession, hObject, template, 1);
if( rv == CKR_OK ){
  . . .
}

C_FindObjectsInit initializes a search for token and session objects that match a template.
C_FindObjects continues a search for token and session objects that match a template, obtaining additional object handles.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hObject;
CK_USHORT usObjectCount;
CK_RV rv;

rv = C_FindObjectsInit(hSession, NULL_PTR, 0);
if( rv == CKR_OK ){
  while (1) {
    rv = C_FindObjects(hSession, &hObject, 1, &usObjectCount);
    if (rv != CKR_OK || usObjectCount == 0)
      break;
    . . .
  }
}

Encryption and decryption

Cryptoki provides the following functions for encrypting and decrypting data. All these functions run in parallel with the application if the session was opened with the CKF_SERIAL_SESSION flag set to FALSE and the token supports parallel execution.

C_EncryptInit initializes an encryption operation.
After calling C_EncryptInit, the application may call C_Encrypt to encrypt data in a single part, or C_EncryptUpdate one or more times followed by C_EncryptFinal to encrypt data in multiple parts. The encryption operation is "active" until the application calls C_Encrypt or C_EncryptFinal. To process additional data (in single or multiple parts), the application must call C_EncryptInit again. At most one cryptographic operation may be active at a given time in a given session. C_EncryptInit cannot initialize a new operation if another is already active. The following mechanisms are supported in this version:
Table 9-2, Encryption Mechanisms
1 Single-part only.
Section provides more details on the mechanisms.

C_Encrypt encrypts single-part data.
For constraints on data length, refer to the description of the encryption mechanism. C_Encrypt is equivalent to a sequence of C_EncryptUpdate and C_EncryptFinal.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = {
  CKM_DES_ECB, NULL_PTR, 0
};
CK_BYTE encryptedData[8];
CK_USHORT usEncryptedDataLen;
CK_BYTE data[8];
CK_RV rv;

memset(data, 'A', sizeof(data));
rv = C_EncryptInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  rv = C_Encrypt(hSession, data, sizeof(data), encryptedData, &usEncryptedDataLen);
}

C_EncryptUpdate continues a multiple-part encryption operation, processing another data part.
For constraints on data length, refer to the description of the encryption mechanism.
C_EncryptFinal finishes a multiple-part encryption operation.
For constraints on data length, refer to the description of the encryption mechanism.
#define BUF_SZ 512

CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_BYTE iv[8];
CK_MECHANISM mechanism = {
  CKM_DES_CBC, iv, sizeof(iv)
};
CK_BYTE encryptedData[BUF_SZ];
CK_USHORT usEncryptedDataLen;
CK_BYTE data[2*BUF_SZ];
CK_RV rv;

memset(iv, 0, sizeof(iv));
memset(data, 'A', 2*BUF_SZ);
rv = C_EncryptInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  C_EncryptUpdate(hSession, &data[0], BUF_SZ, encryptedData, &usEncryptedDataLen);
  . . .
  C_EncryptUpdate(hSession, &data[BUF_SZ], BUF_SZ, encryptedData, &usEncryptedDataLen);
  . . .
  C_EncryptFinal(hSession, encryptedData, &usEncryptedDataLen);
}

C_DecryptInit initializes a decryption operation.
After calling C_DecryptInit, the application may call C_Decrypt to decrypt data in a single part, or C_DecryptUpdate one or more times followed by C_DecryptFinal to decrypt data in multiple parts. The decryption operation is "active" until the application calls C_Decrypt or C_DecryptFinal. To process additional data (in single or multiple parts), the application must call C_DecryptInit again. At most one cryptographic operation may be active at a given time in a given session. C_DecryptInit cannot initialize a new operation if another is already active. The following mechanisms are supported in this version:
Table 9-3, Decryption Mechanisms
1 Single-part only.
Section 10 gives more details on the mechanisms.

C_Decrypt decrypts encrypted data in a single part.
For constraints on data length, refer to the description of the decryption mechanism. C_Decrypt is equivalent to a sequence of C_DecryptUpdate and C_DecryptFinal.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = {
  CKM_DES_ECB, NULL_PTR, 0
};
CK_BYTE encryptedData[8];
CK_BYTE data[8];
CK_USHORT usDataLen;
CK_RV rv;

memset(encryptedData, 'A', sizeof(encryptedData));
rv = C_DecryptInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  rv = C_Decrypt(hSession, encryptedData, sizeof(encryptedData), data, &usDataLen);
}

C_DecryptUpdate continues a multiple-part decryption operation, processing another encrypted data part.
For constraints on data length, refer to the description of the decryption mechanism.
C_DecryptFinal finishes a multiple-part decryption operation.
For constraints on data length, refer to the description of the decryption mechanism.
#define BUF_SZ 512

CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_BYTE iv[8];
CK_MECHANISM mechanism = {
  CKM_DES_CBC, iv, sizeof(iv)
};
CK_BYTE encryptedData[2*BUF_SZ];
CK_BYTE data[BUF_SZ];
CK_USHORT usDataLen;
CK_RV rv;

memset(iv, 0, sizeof(iv));
memset(encryptedData, 'A', 2*BUF_SZ);
rv = C_DecryptInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  C_DecryptUpdate(hSession, &encryptedData[0], BUF_SZ, data, &usDataLen);
  . . .
  C_DecryptUpdate(hSession, &encryptedData[BUF_SZ], BUF_SZ, data, &usDataLen);
  . . .
  C_DecryptFinal(hSession, data, &usDataLen);
}

Message digesting

Cryptoki provides the following functions for digesting data. All these functions run in parallel with the application if the session was opened with the CKF_SERIAL_SESSION flag set to FALSE and the token supports parallel execution.

C_DigestInit initializes a message-digesting operation.
The following mechanisms are supported in this version:
Table 9-4, Digesting Mechanisms
Section 10 gives more details on the mechanisms.
C_Digest digests data in a single part.
For constraints on data length, refer to the description of the message-digesting mechanism. C_Digest is equivalent to a sequence of C_DigestUpdate and C_DigestFinal.
CK_SESSION_HANDLE hSession;
CK_MECHANISM mechanism = {
  CKM_MD2, NULL_PTR, 0
};
CK_BYTE data[] = {...};
CK_BYTE digest[16];
CK_USHORT usDigestLen;
CK_RV rv;

rv = C_DigestInit(hSession, &mechanism);
if( rv == CKR_OK ){
  rv = C_Digest(hSession, data, sizeof(data), digest, &usDigestLen);
}

C_DigestUpdate continues a multiple-part message-digesting operation, processing another data part.
For constraints on data length, refer to the description of the message-digesting mechanism.
C_DigestFinal finishes a multiple-part message-digesting operation, returning the message digest.
For constraints on data length, refer to the description of the message-digesting mechanism.
CK_SESSION_HANDLE hSession;
CK_MECHANISM mechanism = {
  CKM_MD2, NULL_PTR, 0
};
CK_BYTE data[] = {...};
CK_BYTE digest[16];
CK_USHORT usDigestLen;
CK_RV rv;

rv = C_DigestInit(hSession, &mechanism);
if( rv == CKR_OK ){
  rv = C_DigestUpdate(hSession, data, sizeof(data));
  . . .
  rv = C_DigestFinal(hSession, digest, &usDigestLen);
}

Signature and verification

Cryptoki provides the following functions for signing data and verifying signatures. (For the purposes of Cryptoki, these operations also encompass data authentication codes.) All these functions run in parallel with the application if the session was opened with the CKF_SERIAL_SESSION flag set to FALSE and the token supports parallel execution.

C_SignInit initializes a signature operation, where the signature is an appendix to the data.
After calling C_SignInit, the application may call C_Sign to sign in a single part, or C_SignUpdate one or more times followed by C_SignFinal to sign data in multiple parts. The signature operation is "active" until the application calls C_Sign or C_SignFinal. To process additional data (in single or multiple parts), the application must call C_SignInit again. At most one cryptographic operation may be active at a given time in a given session. C_SignInit cannot initialize a new operation if another is already active. The following mechanisms are supported in this version:
Table 9-5, Signature Mechanisms
1 Single-part only.
Section 10 gives more details on the mechanisms.

C_Sign signs data in a single part, where the signature is an appendix to the data.
For constraints on data length, refer to the description of the signature mechanism. C_Sign is equivalent to a sequence of C_SignUpdate and C_SignFinal.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = {
  CKM_DSA, NULL_PTR, 0
};
CK_BYTE data[20] = {...};
CK_BYTE signature[40];
CK_USHORT usSignatureLen;
CK_RV rv;

rv = C_SignInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  rv = C_Sign(hSession, data, sizeof(data), signature, &usSignatureLen);
}

C_SignUpdate continues a multiple-part signature operation, processing another data part.
For constraints on data length, refer to the description of the signature mechanism.
C_SignFinal finishes a multiple-part signature operation, returning the signature.
For constraints on data length, refer to the description of the signature mechanism.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = {
  CKM_DES_MAC, NULL_PTR, 0
};
CK_BYTE data[] = {...};
CK_BYTE mac[4];
CK_USHORT usMacLen;
CK_RV rv;

rv = C_SignInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  rv = C_SignUpdate(hSession, data, sizeof(data));
  . . .
  rv = C_SignFinal(hSession, mac, &usMacLen);
}

C_SignRecoverInit initializes a signature operation, where the data can be recovered from the signature.
After calling C_SignRecoverInit, the application may call C_SignRecover to sign in a single part. The signature operation is "active" until the application calls C_SignRecover. At most one cryptographic operation may be active at a given time in a given session. C_SignRecoverInit cannot initialize a new operation if another is already active. The following mechanisms are supported in this version:
Table 9-6, Signature With Recovery Mechanisms
Section 10 gives more details on the mechanisms.
C_SignRecover signs data in a single operation, where the data can be recovered from the signature.
For constraints on data length, refer to the description of the signature mechanism.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = {
  CKM_RSA_9796, NULL_PTR, 0
};
CK_BYTE data[] = {...};
CK_BYTE signature[128];
CK_USHORT usSignatureLen;
CK_RV rv;

rv = C_SignRecoverInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
  rv = C_SignRecover(hSession, data, sizeof(data), signature, &usSignatureLen);
}

C_VerifyInit initializes a verification operation, where the signature is an appendix to the data.
After calling C_VerifyInit, the application may call C_Verify to verify a signature on data in a single part, or C_VerifyUpdate one or more times followed by C_VerifyFinal to verify a signature on data in multiple parts. The verification operation is "active" until the application calls C_Verify or C_VerifyFinal. To process additional data (in single or multiple parts), the application must call C_VerifyInit again. At most one cryptographic operation may be active at a given time in a given session. C_VerifyInit cannot initialize a new operation if another is already active. The following mechanisms are supported in this version:
Table 9-7, Verification Mechanisms
1 Single-part only.
Section 10 gives more details on the mechanisms.
C_Verify verifies a signature in a single-part operation, where the signature is an appendix to the data.
For constraints on data length, refer to the description of the verification mechanism. C_Verify is equivalent to a sequence of C_VerifyUpdate and C_VerifyFinal.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = { CKM_DSA, NULL_PTR, 0 };
CK_BYTE data[20] = {...};
CK_BYTE signature[40];
CK_RV rv;

rv = C_VerifyInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
    rv = C_Verify(hSession, data, sizeof(data),
                  signature, sizeof(signature));
}

C_VerifyUpdate continues a multiple-part verification operation, processing another data part.
For constraints on data length, refer to the description of the verification mechanism.
C_VerifyFinal finishes a multiple-part verification operation, checking the signature.
For constraints on data length, refer to the description of the verification mechanism.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = { CKM_DES_MAC, NULL_PTR, 0 };
CK_BYTE data[] = {...};
CK_BYTE mac[4];
CK_RV rv;

rv = C_VerifyInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
    rv = C_VerifyUpdate(hSession, data, sizeof(data));
    . . .
    rv = C_VerifyFinal(hSession, mac, sizeof(mac));
}

C_VerifyRecoverInit initializes a signature verification operation, where the data is recovered from the signature.
After calling C_VerifyRecoverInit, the application may call C_VerifyRecover to verify a signature on data in a single part. The verification operation is "active" until the application calls C_VerifyRecover. At most one cryptographic operation may be active at a given time in a given session. C_VerifyRecoverInit cannot initialize a new operation if another is already active. The following mechanisms are supported in this version:
Table 9-8, Verification With Recovery Mechanisms
Section 10 gives more details on the mechanisms.
C_VerifyRecover verifies a signature in a single-part operation, where the data is recovered from the signature.
For constraints on data length, refer to the description of the verification mechanism.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = { CKM_RSA_9796, NULL_PTR, 0 };
CK_BYTE data[] = {...};
CK_USHORT usDataLen;
CK_BYTE signature[128];
CK_RV rv;

rv = C_VerifyRecoverInit(hSession, &mechanism, hKey);
if( rv == CKR_OK ){
    rv = C_VerifyRecover(hSession, signature, sizeof(signature),
                         data, &usDataLen);
}

Key management
Cryptoki provides the following functions for key management. All these functions run in parallel with the application if the session was opened with the CKF_SERIAL_SESSION flag set to FALSE and the token supports parallel execution.

C_GenerateKey generates a secret key, creating a new key object.
Table 9-9, Key Generation Mechanisms
1 No known "weak" or "semi-weak" DES keys are generated (see FIPS PUB 74).
Section 10 provides more details on the mechanisms and on which attributes the template must specify.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hKey;
CK_MECHANISM mechanism = { CKM_DES_KEY_GEN, NULL_PTR, 0 };
CK_RV rv;

rv = C_GenerateKey(hSession, &mechanism, NULL_PTR, 0, &hKey);
if( rv == CKR_OK ){
    . . .
}

C_GenerateKeyPair generates a public-key/private-key pair, creating new key objects. On input, hSession is the session's handle;
Table 9-10, Key Pair Generation Mechanisms
Section 10 provides more details on the mechanisms and on which attributes the template must specify.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hPublicKey, hPrivateKey;
CK_MECHANISM mechanism = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 };
CK_USHORT modulusBits = 768;
CK_BYTE publicExponent[] = { 3 };
CK_BYTE subject[] = {...};
CK_BYTE id[] = {123};
CK_BBOOL true = TRUE;
CK_ATTRIBUTE publicKeyTemplate[] = {
    {CKA_ENCRYPT, &true, 1},
    {CKA_VERIFY, &true, 1},
    {CKA_WRAP, &true, 1},
    {CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits)},
    {CKA_PUBLIC_EXPONENT, publicExponent, sizeof (publicExponent)}
};
CK_ATTRIBUTE privateKeyTemplate[] = {
    {CKA_TOKEN, &true, 1},
    {CKA_PRIVATE, &true, 1},
    {CKA_SUBJECT, subject, sizeof(subject)},
    {CKA_ID, id, sizeof(id)},
    {CKA_SENSITIVE, &true, 1},
    {CKA_DECRYPT, &true, 1},
    {CKA_SIGN, &true, 1},
    {CKA_UNWRAP, &true, 1}
};
CK_RV rv;

rv = C_GenerateKeyPair(hSession, &mechanism,
                       publicKeyTemplate, 5,
                       privateKeyTemplate, 8,
                       &hPublicKey, &hPrivateKey);
if( rv == CKR_OK ){
    . . .
}

C_WrapKey wraps (i.e., encrypts) a key.
The following mechanisms are supported in this version:
Table 9-11, Wrapping Mechanisms
Section 10 provides more details on the mechanisms and on which attributes the template must specify.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hWrappingKey, hKey;
CK_MECHANISM mechanism = { CKM_DES3_ECB, NULL_PTR, 0 };
CK_BYTE wrappedKey[8];
CK_USHORT usWrappedKeyLen;
CK_RV rv;

rv = C_WrapKey(hSession, &mechanism, hWrappingKey, hKey,
               wrappedKey, &usWrappedKeyLen);
if( rv == CKR_OK ){
    . . .
}

C_UnwrapKey unwraps (i.e. decrypts) a wrapped key, creating a new key object.
The following mechanisms are supported in this version:
Table 9-12, Unwrapping Mechanisms
Section 10 provides more details on the mechanisms and on which attributes the template must specify.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hUnwrappingKey, hKey;
CK_MECHANISM mechanism = { CKM_DES3_ECB, NULL_PTR, 0 };
CK_BYTE wrappedKey[8] = {...};
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_DES;
CK_BBOOL true = TRUE;
CK_ATTRIBUTE template[] = {
    {CKA_CLASS, &keyClass, sizeof(keyClass)},
    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
    {CKA_ENCRYPT, &true, 1},
    {CKA_DECRYPT, &true, 1}
};
CK_RV rv;

rv = C_UnwrapKey(hSession, &mechanism, hUnwrappingKey,
                 wrappedKey, sizeof(wrappedKey),
                 template, 4, &hKey);
if( rv == CKR_OK ){
    . . .
}

C_DeriveKey derives a key from a base key, creating a new key object.
Table 9-13, Key Derivation Mechanisms
Section 10 provides more details on the mechanisms and on which attributes the template must specify.
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hPublicKey, hPrivateKey, hKey;
CK_MECHANISM keyPairMechanism = { CKM_DH_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 };
CK_BYTE prime[] = {...};
CK_BYTE base[] = {...};
CK_BYTE publicValue[128];
CK_BYTE otherPublicValue[128];
/* The other party's public value is the mechanism parameter */
CK_MECHANISM mechanism = {
    CKM_DH_PKCS_DERIVE, otherPublicValue, sizeof(otherPublicValue)
};
/* Template used to read back our own public value */
CK_ATTRIBUTE pTemplate[] = {
    {CKA_VALUE, &publicValue, sizeof(publicValue)}
};
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_DES;
CK_BBOOL true = TRUE;
CK_ATTRIBUTE publicKeyTemplate[] = {
    {CKA_PRIME, prime, sizeof(prime)},
    {CKA_BASE, base, sizeof(base)}
};
CK_ATTRIBUTE privateKeyTemplate[] = {
    {CKA_DERIVE, &true, 1}
};
CK_ATTRIBUTE template[] = {
    {CKA_CLASS, &keyClass, sizeof(keyClass)},
    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
    {CKA_ENCRYPT, &true, 1},
    {CKA_DECRYPT, &true, 1}
};
CK_RV rv;

rv = C_GenerateKeyPair(hSession, &keyPairMechanism,
                       publicKeyTemplate, 2,
                       privateKeyTemplate, 1,
                       &hPublicKey, &hPrivateKey);
if( rv == CKR_OK ){
    rv = C_GetAttributeValue(hSession, hPublicKey, pTemplate, 1);
    if( rv == CKR_OK ){
        . /* exchange public values */
        .
        rv = C_DeriveKey(hSession, &mechanism, hPrivateKey,
                         template, 4, &hKey);
        if( rv == CKR_OK ){
            . . .
        }
    }
}

Random number generation
Cryptoki provides the following functions for generating random numbers. All these functions run in parallel with the application if the session was opened with the CKF_SERIAL_SESSION flag set to FALSE and the token supports parallel execution.

C_SeedRandom mixes additional seed material into the token's random number generator.
CK_SESSION_HANDLE hSession;
CK_BYTE seed[] = {...};
CK_RV rv;

rv = C_SeedRandom(hSession, seed, sizeof(seed));
if( rv == CKR_OK ){
    . . .
}

C_GenerateRandom generates random data.
CK_SESSION_HANDLE hSession;
CK_BYTE randomData[] = {...};
CK_RV rv;

rv = C_GenerateRandom(hSession, randomData, sizeof(randomData));
if( rv == CKR_OK ){
    . . .
}

Parallel function management
Cryptoki provides the following functions for managing parallel execution of cryptographic functions.

C_GetFunctionStatus obtains an updated status of a function running in parallel with an application.
C_CancelFunction cancels a function running in parallel with an application.
/* kbhit() and getch() below are the console routines from <conio.h> */
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hPublicKey, hPrivateKey;
CK_MECHANISM mechanism = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 };
CK_USHORT modulusBits = 768;
CK_BYTE publicExponent[] = {...};
CK_BYTE subject[] = {...};
CK_BYTE id[] = {123};
CK_BBOOL true = TRUE;
CK_ATTRIBUTE publicKeyTemplate[] = {
    {CKA_ENCRYPT, &true, 1},
    {CKA_VERIFY, &true, 1},
    {CKA_WRAP, &true, 1},
    {CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits)},
    {CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent)}
};
CK_ATTRIBUTE privateKeyTemplate[] = {
    {CKA_TOKEN, &true, 1},
    {CKA_PRIVATE, &true, 1},
    {CKA_SUBJECT, subject, sizeof(subject)},
    {CKA_ID, id, sizeof(id)},
    {CKA_SENSITIVE, &true, 1},
    {CKA_DECRYPT, &true, 1},
    {CKA_SIGN, &true, 1},
    {CKA_UNWRAP, &true, 1}
};
CK_RV rv;

rv = C_GenerateKeyPair(hSession, &mechanism,
                       publicKeyTemplate, 5,
                       privateKeyTemplate, 8,
                       &hPublicKey, &hPrivateKey);
while ( rv == CKR_FUNCTION_PARALLEL ) {
    /* Check if the user wants to cancel the function */
    if( kbhit() ){
        if( getch() == 27 ){   /* If the user hit the ESCape key */
            C_CancelFunction(hSession);
            break;
        }
    }
    /* Perform other tasks or delay */
    . . .
    rv = C_GetFunctionStatus(hSession);
}

Callback function
Cryptoki uses the following callback function to notify the application of certain events.
Notify
CK_RV Notify(
    CK_SESSION_HANDLE hSession,
    CK_NOTIFICATION event,
    CK_VOID_PTR pApplication
);
Notify is an application callback that processes events. hSession is the session's handle; event is the event; and pApplication is an application-defined value (the same as passed to C_OpenSession). When event is CKN_SURRENDER, the callback may return CKR_CANCEL to cancel the operation that is currently active. If the callback returns CKR_OK, Cryptoki continues the operation. For other events, the callback should return CKR_OK.
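A Notify callback that follows the rules above, as an added example that is not part of the Cryptoki specification: on CKN_SURRENDER it cancels the active operation when the application has asked for cancellation or a surrender budget is used up, and it returns CKR_OK for every other event. The app_ctx structure, the run_until_cancel driver, and the typedef/#define stand-ins for the Cryptoki header (including their numeric values) are assumptions of this example.

```c
#include <stddef.h>

/* Stand-ins so the example builds without a Cryptoki header; a real
 * application takes these types and constants from that header. */
typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
typedef unsigned long CK_NOTIFICATION;
typedef void *CK_VOID_PTR;
#define CKR_OK        0UL
#define CKR_CANCEL    1UL
#define CKN_SURRENDER 0UL

/* Hypothetical application state, handed to C_OpenSession as pApplication. */
typedef struct {
    volatile int cancel_requested;  /* set by the UI or a signal handler */
    unsigned long surrenders;       /* CKN_SURRENDER callbacks seen so far */
    unsigned long max_surrenders;   /* budget for one operation; 0 = no limit */
} app_ctx;

CK_RV Notify(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event,
             CK_VOID_PTR pApplication)
{
    app_ctx *ctx = (app_ctx *)pApplication;
    (void)hSession;
    /* Only CKN_SURRENDER may cancel; all other events return CKR_OK. */
    if (event != CKN_SURRENDER || ctx == NULL)
        return CKR_OK;
    ctx->surrenders++;
    if (ctx->cancel_requested)
        return CKR_CANCEL;          /* explicit request from the application */
    if (ctx->max_surrenders != 0 && ctx->surrenders > ctx->max_surrenders)
        return CKR_CANCEL;          /* token has held the operation too long */
    return CKR_OK;                  /* let Cryptoki continue */
}

/* Constructed driver: plays the library's side by surrendering up to
 * `limit` times, and returns how many callbacks ran before it stopped. */
unsigned long run_until_cancel(app_ctx *ctx, unsigned long limit)
{
    unsigned long calls = 0;
    while (calls < limit) {
        calls++;
        if (Notify(1UL, CKN_SURRENDER, ctx) == CKR_CANCEL)
            break;
    }
    return calls;
}
```

Reset surrenders to 0 before each new operation on the session so the budget applies per operation rather than per session.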