Attributes

The following sections describe how PKCS #11 attributes map to the Access Control List (ACL) given to the key by the nCore API. nCore API ACLs are described in the nCore API Documentation (supplied as HTML).

CKA_SENSITIVE

In a FIPS 140 Level 2 world, CKA_SENSITIVE=FALSE creates a key with an ACL that includes ExportAsPlain. Keys are exported using DeriveMech_EncryptMarshalled even in a FIPS 140 Level 2 world. The presence of the ExportAsPlain permission makes the status of the key clear when a FIPS 140 Level 2 ACL is viewed using GetACL.

CKA_SENSITIVE=FALSE always creates a key with an ACL that includes DeriveKey with DeriveRole_BaseKey and DeriveMech_EncryptMarshalled.

See also CKA_UNWRAP_TEMPLATE.

CKA_PRIVATE

If CKA_PRIVATE is set to TRUE, keys are protected by the logical token of the OCS. If it is set to FALSE, public keys are protected by a well-known module key, and other keys and objects are protected by the Security World module key.

You must set CKA_PRIVATE to:

  • FALSE for public keys

  • TRUE for non-extractable keys on card slots.

CKA_EXTRACTABLE

CKA_EXTRACTABLE creates a key with an ACL including DeriveKey permissions listed in the following table:

Key Type Role Mechanism

Secret key

DeriveRole_BaseKey

DeriveMech_AESKeyWrap

DeriveMech_RawEncrypt

DeriveMech_RawEncryptZeroPad

DeriveMech_ECIESKeyWrap

Private key

DeriveRole_BaseKey

DeriveMech_PKCS8Encrypt

CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY

These attributes create a key with ACL including Encrypt, Decrypt, Sign, or Verify permission.

CKA_WRAP, CKA_UNWRAP

CKA_WRAP creates a key with an ACL including the DeriveKey permissions listed in the following table:

Key Type Role Mechanism

Secret key

DeriveRole_WrapKey

DeriveMech_PKCS8Encrypt

Secret key (AES only)

DeriveRole_WrapKey

DeriveMech_AESKeyWrap

Secret key, public key (RSA only)

DeriveRole_WrapKey

DeriveMech_RawEncrypt

DeriveMech_RawEncryptZeroPad

Public key (elliptic curve only)

DeriveRole_WrapKey

DeriveMech_ECIESKeyWrap

CKA_UNWRAP creates a key with an ACL including the DeriveKey permissions listed in the following table:

Key Type Role Mechanism

Secret key

DeriveRole_WrapKey

DeriveMech_PKCS8Decrypt

DeriveMech_PKCS8DecryptEx

Secret key (AES only)

DeriveRole_WrapKey

DeriveMech_AESKeyUnwrap

Secret key, public key (RSA only)

DeriveRole_WrapKey

DeriveMech_RawDecrypt

DeriveMech_RawDecryptZeroPad

Public key (elliptic curve only)

DeriveRole_WrapKey

DeriveMech_ECIESKeyUnwrap

CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE

CKA_WRAP_TEMPLATE and CKA_UNWRAP_TEMPLATE guard against non-compliance of keys by specifying an attribute template.

The CKA_WRAP_TEMPLATE attribute applies to wrapping keys and specifies the attribute template to match against any of the keys wrapped by the wrapping key. Keys which do not match the attribute template will not be wrapped.

The CKA_UNWRAP_TEMPLATE attribute applies to wrapping keys and specifies the attribute template to apply to any of the keys which are unwrapped by the wrapping key. Keys will not be unwrapped if there is attribute conflict between the CKA_UNWRAP_TEMPLATE and any user supplied template (pTemplate).

Nested occurrences of CKA_WRAP_TEMPLATE or CKA_UNWRAP_TEMPLATE are not supported.

If CKA_MODIFIABLE or CKA_SENSITIVE are defined within the CKA_UNWRAP_TEMPLATE, the behavior is as follows:

CKA_MODIFIABLE (TRUE)
PKCS #11 Attribute Types Unwrap Template Attribute C_Unwrap pTemplate Attribute Attribute Value Comparison Allowed

All supported

Defined

Defined

Equal

Yes

Defined

Defined

Not Equal

Yes

Undefined

Defined

N/A

Yes

Defined

Undefined

N/A

Yes

CKA_MODIFIABLE (FALSE)
PKCS #11 Attribute Types Unwrap Template Attribute C_Unwrap pTemplate Attribute Attribute Value Comparison Allowed

All supported

Defined

Defined

Equal

Yes

Defined

Defined

Not Equal

No

Undefined

Defined

N/A

Yes

Defined

Undefined

N/A

Yes

CKA_SENSITIVE (TRUE)
PKCS #11 Attribute Types C_Unwrap pTemplate Attribute C_Unwrap pTemplate Attribute Value Allowed

CKA_SENSITIVE

Defined

FALSE

No

CKA_EXTRACTABLE

Defined

FALSE

No

CKA_SENSITIVE (FALSE)
PKCS #11 Attribute Types C_Unwrap pTemplate Attribute C_Unwrap pTemplate Attribute Value Allowed

CKA_SENSITIVE

Defined

TRUE

Yes

FALSE

Yes

CKA_EXTRACTABLE

Defined

TRUE

Yes

FALSE

Yes

See also CKA_ALLOWED_MECHANISMS for more information about mechanism-specific restrictions applying to the use of CKA_UNWRAP_TEMPLATE.

CKA_SIGN_RECOVER

C_SignRecover checks CKA_SIGN_RECOVER but is otherwise identical to C_Sign. Setting CKA_SIGN_RECOVER creates a key with an ACL that includes Sign permission.

CKA_VERIFY_RECOVER

Setting CKA_VERIFY_RECOVER creates a public key with an ACL including Encrypt permission.

CKA_DERIVE

For Diffie-Hellman private keys, CKA_DERIVE creates a key with Decrypt permissions.

For secret keys, CKA_DERIVE creates a key with an ACL that includes DeriveRole_BaseKey with one of DeriveMech_DESsplitXOR, DeriveMech_DES2splitXOR, DeriveMech_DES3splitXOR, DeriveMech_RandsplitXOR, or DeriveMech_CASTsplitXOR as appropriate if the key is extractable, because this permission would effectively allow the key to be extracted. The ACL includes DeriveMech_RawEncrypt whether or not the key is extractable.

CKA_ALLOWED_MECHANISMS

CKA_ALLOWED_MECHANISMS is available as a full attribute array for all key types. The number of mechanisms in the array is the ulValueLen component of the attribute divided by the size of CK_MECHANISM_TYPE.

The CKA_ALLOWED_MECHANISMS attribute is set when generating, creating and unwrapping keys.

CKA_ALLOWED_MECHANISMS is an optional attribute and does not have to be set, except when the key is intended for use with one of the mechanisms described below. However, if CKA_ALLOWED_MECHANISMS is set, then the attribute is checked to see if the mechanism you want to use is in the list of allowed mechanisms. If the mechanism is not present, then an error occurs and a value of CKR_MECHANISM_INVALID is returned.

CKM_CONCATENATE_BASE_AND_KEY

You must set CKA_ALLOWED_MECHANISMS with the CKM_CONCATENATE_BASE_AND_KEY mechanism when generating or creating both of the keys that are used in the C_DeriveKey operation with the CKM_CONCATENATE_BASE_AND_KEY mechanism. If CKA_ALLOWED_MECHANISMS is not set at creation time then the correct ConcatenateBytes ACL is not set for the keys.

When CKM_CONCATENATE_BASE_AND_KEY is used with C_DeriveKey, CKA_ALLOWED_MECHANISMS is checked. If CKM_CONCATENATE_BASE_AND_KEY is not present, then an error occurs and a value of CKR_MECHANISM_INVALID is returned.

CKM_RSA_AES_KEY_WRAP

You must set CKA_ALLOWED_MECHANISMS with the CKM_RSA_AES_KEY_WRAP mechanism when generating or creating RSA keys that also have CKA_UNWRAP_TEMPLATE set on the private half if they are to be used in the C_UnwrapKey operation with the CKM_RSA_AES_KEY_WRAP mechanism.

When CKM_RSA_AES_KEY_WRAP is used with C_UnwrapKey, CKA_ALLOWED_MECHANISMS is checked. If CKM_RSA_AES_KEY_WRAP is not present but the unwrapping key has CKA_UNWRAP_TEMPLATE, then an error occurs and a value of CKR_MECHANISM_INVALID is returned.

RSA private keys that have CKA_ALLOWED_MECHANISMS set with the CKM_RSA_AES_KEY_WRAP mechanism cannot be copied if they also have both the following attributes set:

  • CKA_TOKEN with a value of CK_TRUE

  • CKA_UNWRAP_TEMPLATE

The C_CopyObject operation returns CKR_ACTION_PROHIBITED for such keys.

CKA_MODIFIABLE

CKA_MODIFIABLE only restricts access through the PKCS #11 API: all PKCS #11 keys have ACLs that include the ReduceACL permission.

See also CKA_UNWRAP_TEMPLATE.

CKA_TOKEN

Token objects are saved as key blobs. Session objects only ever exist on the module.

CKA_START_DATE, CKA_END_DATE

These attributes are ignored, and the PKCS #11 standard states that these attributes do not restrict key usage.

CKA_TRUSTED and CKA_WRAP_WITH_TRUSTED

CKA_TRUSTED and CKA_WRAP_WITH_TRUSTED guard against a key being wrapped and removed from the HSM by an untrusted wrapping key. A key with a CKA_WRAP_WITH_TRUSTED attribute can only be wrapped by a wrapping key with a CKA_TRUSTED attribute. A trusted key can only be given a CKA_TRUSTED attribute by the PKCS #11 Security officer.

The CKA_WRAP_WITH_TRUSTED attribute gives a key an ACL whose DeriveRole_BaseKey exists in a group protected by a certifier. The ACL therefore requires a certificate generated by the PKCS #11 Security Officer to be able to wrap the key.

The CKA_TRUSTED attribute stores on a wrapping key a certificate signed by the PKCS #11 Security Officer. This certificate can then be used to authenticate a wrapping operation.

CKA_TRUSTED can only be set if the session is logged in as CKU_SO, and the Security Officer’s token and key has been preloaded. If not, the operation will return CKR_USER_NOT_LOGGED_IN.

CKA_WRAP_WITH_TRUSTED does not require the Security Officer token and key to be preloaded, or to be logged in as CKU_SO, but it does require that the role exists. If the role does not exist, the operation returns CKR_USER_NOT_LOGGED_IN. When attributes have been set, the PKCS #11 Security Officer is not needed for C_WrapKey to perform a trusted key wrapping.

If the PKCS #11 Security Officer is deleted, keys with existing CKA_TRUSTED or CKA_WRAP_WITH_TRUSTED attributes continue to be valid. If the PKCS #11 Security Officer is recreated, any new keys that are given the CKA_TRUSTED attribute will not be trusted by existing keys with CKA_WRAP_WITH_TRUSTED, and vice versa.

A CKO_CERTIFICATE object can also be given a CKA_TRUSTED attribute, and also requires the PKCS #11 Security Officer to do so. This includes using ckcerttool with the -T option, which sets CKA_TRUSTED to true.

CKA_COPYABLE and CKA_DESTROYABLE

The CKA_COPYABLE and CKA_DESTROYABLE attributes indicate whether an object can be copied using C_CopyObject or destroyed using C_DestroyObject. If the corresponding function is attempted when the attribute is set to false, the function returns CKR_ACTION_PROHIBITED.

CKA_COPYABLE and CKA_DESTROYABLE can be applied to objects through all interfaces that support setting attributes:

  • C_GenerateKey and C_GenerateKeyPair

  • C_CreateObject

  • C_SetAttributeValue

  • C_CopyObject

Existing and new objects have both attributes set to true by default. When changing an attribute, CKA_COPYABLE cannot be changed from false to true.

RSA key values

CKA_PRIVATE_EXPONENT is not used when importing an RSA private key using C_CreateObject. However, it must be in the template, since the PKCS #11 standard requires it. All the other values are required.

The nCore API allows use of a default public exponent, but the PKCS #11 standard requires CKA_PUBLIC_EXPONENT.

Except for very small keys, the nShield default is 65537, which as a PKCS #11 big integer is CK_BYTEpublic_exponent[ ] = { 1, 0, 1 };

DSA key values

If CKA_PRIME is 1024 bits or less, then the KeyType_DSAPrivate_GenParams_flags_Strict flag is used, because it enforces a 1024 bit limit.

The implementation allows larger values of CKA_PRIME, but in those cases the KeyType_DSAPrivate_GenParams_flags_Strict flag is not used.

Vendor specific error codes

Security World Software defines the following vendor specific error codes:

CKR_FIPS_TOKEN_NOT_PRESENT

This error code indicates that an Operator Card is required even though the card slot is not in use.

CKR_FIPS_MECHANISM_INVALID

This error code indicates that the current mechanism is not allowed in FIPS 140 Level 3 mode.

CKR_FIPS_FUNCTION_NOT_SUPPORTED

This error code indicates that the function is not supported in FIPS 140 Level 3 mode (although it is supported in FIPS 140 Level 2 mode).