Generic secret key objects

Generic secret key objects (object class CKO_SECRET_KEY, key type CKK_GENERIC_SECRET) hold generic secret keys. These keys do not support encryption, decryption, signatures or verification; however, other keys can be derived from them. The following table defines the generic secret key object attributes, in addition to the common attributes defined for this object class:

These key types are used in several of the mechanisms described in this section.

Table 70, Generic Secret Key Object Attributes
Attribute Data type Meaning

CKA_VALUE^1,4,6,7 Byte array Key value (arbitrary length)

CKA_VALUE_LEN^2,3 CK_ULONG Length in bytes of key value

^-Refer to Table 15 for footnotes

The following is a sample template for creating a generic secret key object:

CK_OBJECT_CLASS class = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
CK_UTF8CHAR label[] = "A generic secret key object";
CK_BYTE value[] = {...};
CK_BBOOL true = CK_TRUE;
CK_ATTRIBUTE template[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_KEY_TYPE, &keyType, sizeof(keyType)},
{CKA_TOKEN, &true, sizeof(true)},
{CKA_LABEL, label, sizeof(label)-1},
{CKA_DERIVE, &true, sizeof(true)},
{CKA_VALUE, value, sizeof(value)}
};

CKA_CHECK_VALUE: The value of this attribute is derived from the key object by taking the first three bytes of the SHA-1 hash of the generic secret key object's CKA_VALUE attribute.

RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v220

Attribute	Data type	Meaning
CKA_VALUE^1,4,6,7	Byte array	Key value (arbitrary length)
CKA_VALUE_LEN^2,3	CK_ULONG	Length in bytes of key value