Cryptographic Token Interface Standard

PKCS#11


Elliptic curve private key objects

EC (also related to ECDSA) private key objects (object class CKO_PRIVATE_KEY, key type CKK_EC or CKK_ECDSA) hold EC private keys. See Section 12.3 for more information about EC. The following table defines the EC private key object attributes, in addition to the common attributes defined for this object class:

Table 56, Elliptic Curve Private Key Object Attributes

  Attribute                          Data type     Meaning
  CKA_EC_PARAMS (1,4,6)              Byte array    DER-encoding of an ANSI X9.62 Parameters value
    (also named CKA_ECDSA_PARAMS)
  CKA_VALUE (1,4,6,7)                Big integer   ANSI X9.62 private value d

- Footnotes 1, 4, 6 and 7: refer to Table 15

The CKA_EC_PARAMS or CKA_ECDSA_PARAMS attribute value is known as the "EC domain parameters" and is defined in ANSI X9.62 as a choice of three parameter representation methods with the following syntax:

    Parameters ::= CHOICE {
        ecParameters    ECParameters,
        namedCurve      CURVES.&id({CurveNames}),
        implicitlyCA    NULL
    }

This allows detailed specification of all required values using choice ecParameters, the use of a namedCurve as an object identifier substitute for a particular set of elliptic curve domain parameters, or implicitlyCA to indicate that the domain parameters are explicitly defined elsewhere. The use of a namedCurve is recommended over the choice ecParameters. The choice implicitlyCA must not be used in Cryptoki.

Note that when generating an EC private key, the EC domain parameters are not specified in the key's template. This is because EC private keys are only generated as part of an EC key pair, and the EC domain parameters for the pair are specified in the template for the EC public key.
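As an added example (not part of the PKCS#11 v2.20 text and not the API of any particular Cryptoki library), the following C program shows the checks a client or token implementer can run over the two attributes above before handing a template to C_CreateObject: it classifies a CKA_EC_PARAMS value by the outer DER tag of the X9.62 Parameters CHOICE (OBJECT IDENTIFIER for namedCurve, SEQUENCE for ecParameters, NULL for implicitlyCA, which Cryptoki forbids), decodes a namedCurve OID into dotted form, and checks that CKA_VALUE, encoded as a Cryptoki big integer (unsigned, big-endian, no sign byte), lies in [1, n-1] for the P-256 group order n. The sample byte strings, the function names and the restriction to P-256 are this example's own assumptions.

```c
/* Added example, not part of PKCS#11 v2.20: checks a client or token can run on
 * the CKA_EC_PARAMS and CKA_VALUE attributes of an EC private key template. */
#include <stdio.h>
#include <string.h>

/* DER tags of the three alternatives of the ANSI X9.62 Parameters CHOICE */
#define DER_TAG_NULL     0x05   /* implicitlyCA: must not be used in Cryptoki */
#define DER_TAG_OID      0x06   /* namedCurve */
#define DER_TAG_SEQUENCE 0x30   /* ecParameters (explicit domain parameters) */

enum ec_params_kind { EC_PARAMS_INVALID = -1, EC_PARAMS_NAMED_CURVE,
                      EC_PARAMS_EXPLICIT, EC_PARAMS_IMPLICITLY_CA };

/* Constructed sample inputs; these are this example's assumptions, not spec data. */
static const unsigned char SAMPLE_P256_PARAMS[] =    /* namedCurve OID 1.2.840.10045.3.1.7 */
    { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07 };
static const unsigned char SAMPLE_IMPLICITLY_CA[] = { 0x05, 0x00 };   /* DER NULL */
static const unsigned char SAMPLE_D[33] = {          /* a leading zero byte, then 32 bytes of 0xC3 */
    0x00, 0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,
          0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3,0xC3 };
/* Order n of P-256 (secp256r1), big-endian, in Cryptoki big integer form */
static const unsigned char P256_ORDER[32] = {
    0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xBC,0xE6,0xFA,0xAD,0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63,0x25,0x51 };

/* Classify a CKA_EC_PARAMS value by its outer DER tag.  The length octets must be
 * DER-minimal and must cover exactly the buffer (no trailing or truncated bytes). */
int classify_ec_params(const unsigned char *p, size_t len)
{
    size_t hdr = 2, body;
    if (len < 2) return EC_PARAMS_INVALID;
    if (p[1] < 0x80)                                   body = p[1];
    else if (p[1] == 0x81 && len >= 3 && p[2] >= 0x80) { body = p[2]; hdr = 3; }
    else if (p[1] == 0x82 && len >= 4 && p[2] != 0)    { body = ((size_t)p[2] << 8) | p[3]; hdr = 4; }
    else return EC_PARAMS_INVALID;
    if (hdr + body != len) return EC_PARAMS_INVALID;
    switch (p[0]) {
    case DER_TAG_OID:      return body ? EC_PARAMS_NAMED_CURVE : EC_PARAMS_INVALID;
    case DER_TAG_SEQUENCE: return EC_PARAMS_EXPLICIT;
    case DER_TAG_NULL:     return body == 0 ? EC_PARAMS_IMPLICITLY_CA : EC_PARAMS_INVALID;
    default:               return EC_PARAMS_INVALID;
    }
}

/* Decode the OID of a namedCurve value into dotted form, e.g. "1.2.840.10045.3.1.7".
 * Returns 1 on success, 0 for anything that is not a well-formed namedCurve. */
int named_curve_oid(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    if (classify_ec_params(p, len) != EC_PARAMS_NAMED_CURVE || p[1] >= 0x80) return 0;
    const unsigned char *b = p + 2;
    size_t n = p[1], used = 0;
    unsigned long arc = 0;
    int first = 1, pending = 0;
    for (size_t i = 0; i < n; i++) {
        if (arc >> (8 * sizeof arc - 7)) return 0;       /* subidentifier would overflow */
        arc = (arc << 7) | (b[i] & 0x7FU);               /* base-128, high bit = continue */
        pending = (b[i] & 0x80) != 0;
        if (pending) continue;
        int w;
        if (first) {                                     /* first octet packs two arcs */
            unsigned long x = arc < 80 ? arc / 40 : 2, y = arc < 80 ? arc % 40 : arc - 80;
            w = snprintf(out + used, outlen - used, "%lu.%lu", x, y);
            first = 0;
        } else {
            w = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (w < 0 || (size_t)w >= outlen - used) return 0;
        used += (size_t)w;
        arc = 0;
    }
    return !first && !pending;                           /* last subidentifier must be complete */
}

/* Convenience check used by the sample main: is this CKA_EC_PARAMS secp256r1? */
int is_secp256r1(const unsigned char *p, size_t len)
{
    char oid[64];
    return named_curve_oid(p, len, oid, sizeof oid) && strcmp(oid, "1.2.840.10045.3.1.7") == 0;
}

/* CKA_VALUE is a Cryptoki big integer: unsigned, big-endian, no sign byte.
 * Returns 1 when 1 <= d <= n-1 for P-256; leading zero bytes are tolerated. */
int p256_private_value_ok(const unsigned char *d, size_t dlen)
{
    while (dlen > 0 && *d == 0) { d++; dlen--; }         /* strip leading zeros */
    if (dlen == 0 || dlen > sizeof P256_ORDER) return 0; /* d == 0 or d >= 2^256 */
    if (dlen < sizeof P256_ORDER) return 1;              /* shorter than n, hence d < n */
    return memcmp(d, P256_ORDER, sizeof P256_ORDER) < 0; /* same length: compare as unsigned */
}

int main(void)
{
    char oid[64];
    printf("P-256 params: kind=%d oid=%s\n",
           classify_ec_params(SAMPLE_P256_PARAMS, sizeof SAMPLE_P256_PARAMS),
           named_curve_oid(SAMPLE_P256_PARAMS, sizeof SAMPLE_P256_PARAMS, oid, sizeof oid) ? oid : "?");
    printf("implicitlyCA params: kind=%d (reject: forbidden in Cryptoki)\n",
           classify_ec_params(SAMPLE_IMPLICITLY_CA, sizeof SAMPLE_IMPLICITLY_CA));
    printf("sample d in range: %d, d == n in range: %d\n",
           p256_private_value_ok(SAMPLE_D, sizeof SAMPLE_D),
           p256_private_value_ok(P256_ORDER, sizeof P256_ORDER));
    return 0;
}
```

The classifier rejects implicitlyCA outright rather than trying to interpret it, which is the behaviour the specification requires of a Cryptoki implementation; a token that accepted a NULL here would have no way of knowing which curve the private value belongs to. The range check on d matters in the other direction: a value of 0 or of n or above is not a valid private key for the curve, and a token that stores it silently will produce unusable or leaky signatures later.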

The following is a sample template for creating an EC (ECDSA) private key object with C_CreateObject (unlike key-pair generation, the EC domain parameters are supplied here because the private value is being imported):

    CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
    CK_KEY_TYPE keyType = CKK_EC;
    CK_UTF8CHAR label[] = "An EC private key object";
    CK_BYTE subject[] = {...};
    CK_BYTE id[] = {123};
    CK_BYTE ecParams[] = {...};    /* DER-encoded X9.62 Parameters, normally a namedCurve OID */
    CK_BYTE value[] = {...};       /* private value d as an unsigned big-endian big integer */
    CK_BBOOL ckTrue = CK_TRUE;     /* not named "true": that identifier collides with <stdbool.h> and C23 */
    CK_ATTRIBUTE template[] = {
        {CKA_CLASS, &class, sizeof(class)},
        {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
        {CKA_TOKEN, &ckTrue, sizeof(ckTrue)},
        {CKA_LABEL, label, sizeof(label)-1},          /* length excludes the terminating NUL */
        {CKA_SUBJECT, subject, sizeof(subject)},
        {CKA_ID, id, sizeof(id)},
        {CKA_SENSITIVE, &ckTrue, sizeof(ckTrue)},     /* d can never be read back in plaintext */
        {CKA_DERIVE, &ckTrue, sizeof(ckTrue)},        /* key may be used for derivation (e.g. ECDH) */
        {CKA_EC_PARAMS, ecParams, sizeof(ecParams)},
        {CKA_VALUE, value, sizeof(value)}
    };


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v220