Secret key objects
Secret key objects (object class CKO_SECRET_KEY) hold secret keys. This version of Cryptoki recognizes the following types of secret key: generic, RC2, RC4, DES, DES2, DES3, CAST128 (also known as CAST5), IDEA, and AES. The following table defines the attributes common to all secret keys, in addition to the common attributes listed in Common object attributes, Common storage object attributes, and Common key attributes:
Common Secret Key Attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_SENSITIVE ⁸ (see below) | CK_BBOOL | TRUE if the object is sensitive (default FALSE) |
| CKA_ENCRYPT ⁸ | CK_BBOOL | TRUE if the key supports encryption ⁹ |
| CKA_DECRYPT ⁸ | CK_BBOOL | TRUE if the key supports decryption ⁹ |
| CKA_SIGN ⁸ | CK_BBOOL | TRUE if the key supports signatures (that is, authentication codes) where the signature is an appendix to the data ⁹ |
| CKA_VERIFY ⁸ | CK_BBOOL | TRUE if the key supports verification (that is, of authentication codes) where the signature is an appendix to the data ⁹ |
| CKA_WRAP ⁸ | CK_BBOOL | TRUE if the key supports wrapping (that is, can be used to wrap other keys) ⁹ |
| CKA_UNWRAP ⁸ | CK_BBOOL | TRUE if the key supports unwrapping (that is, can be used to unwrap other keys) ⁹ |
| CKA_EXTRACTABLE ⁸ (see below) | CK_BBOOL | TRUE if the key is extractable ⁹ |
| CKA_ALWAYS_SENSITIVE ²,⁴,⁶ | CK_BBOOL | TRUE if the key has always had the CKA_SENSITIVE attribute set to TRUE |
| CKA_NEVER_EXTRACTABLE ²,⁴,⁶ | CK_BBOOL | TRUE if the key has never had the CKA_EXTRACTABLE attribute set to TRUE |
| CKA_SUBJECT ⁸ | Byte array | DER-encoding of the certificate subject name (default empty) |
| CKA_EXPORT ¹⁰ | CK_BBOOL | TRUE if the key can be used to wrap exportable keys. Restrictions apply on who can set this attribute to TRUE. |
| CKA_EXPORTABLE ¹⁰ | CK_BBOOL | TRUE if the key can be wrapped with a key whose CKA_EXPORT attribute is set to TRUE. |
| CKA_IMPORT ¹⁰ | CK_BBOOL | If TRUE and CKA_UNWRAP is FALSE, the key supports unwrapping only with CKM_WRAPKEY_DES3_CBC. |
| CKA_CHECK_VALUE | Byte array | A calculated key check value. Fixed size of 3 bytes. |
Common footnotes for key attribute tables
After an object is created, the CKA_SENSITIVE attribute can be changed, but only to the value TRUE. Similarly, after an object is created, the CKA_EXTRACTABLE attribute can be changed, but only to the value FALSE. Attempts to make other changes to the values of these attributes should return the error code CKR_ATTRIBUTE_READ_ONLY.
If the CKA_SENSITIVE attribute is TRUE, or if the CKA_EXTRACTABLE attribute is FALSE, then certain attributes of the secret key cannot be revealed in plain text outside the token. The attributes that are affected by the sensitive and extractable attributes are marked with the 7-superscript in the attribute table, in the section describing that type of key.
If the CKA_EXTRACTABLE and CKA_EXPORTABLE attributes are both FALSE, then the key cannot be wrapped.
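The following is an added example, not part of the original documentation or of any PKCS#11 library: a small offline model of the one-way CKA_SENSITIVE / CKA_EXTRACTABLE transitions, the derived CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE values, and the wrap restriction described above, written the way a caller might validate a template before sending it to the token. The class and method names are hypothetical; the return codes are assumed to match the standard pkcs11t.h values.

```python
# Added example (not from the original documentation): models the attribute
# rules a token enforces on a CKO_SECRET_KEY object. Constant values are
# assumed to mirror pkcs11t.h.
CKR_OK = 0x00000000
CKR_ATTRIBUTE_READ_ONLY = 0x00000010


class SecretKeyObject:
    """Tracks the policy attributes of one secret key object (hypothetical helper)."""

    def __init__(self, sensitive=False, extractable=True, exportable=False):
        self.sensitive = sensitive        # CKA_SENSITIVE
        self.extractable = extractable    # CKA_EXTRACTABLE
        self.exportable = exportable      # CKA_EXPORTABLE
        # Derived, read-only attributes fixed at creation time: a key created
        # non-sensitive can never become CKA_ALWAYS_SENSITIVE, and a key created
        # extractable can never become CKA_NEVER_EXTRACTABLE.
        self.always_sensitive = sensitive
        self.never_extractable = not extractable

    def set_sensitive(self, value):
        """CKA_SENSITIVE: FALSE -> TRUE is the only change allowed after creation."""
        if value == self.sensitive:
            return CKR_OK                   # no change requested
        if not value:
            return CKR_ATTRIBUTE_READ_ONLY  # TRUE -> FALSE is rejected
        self.sensitive = True
        return CKR_OK

    def set_extractable(self, value):
        """CKA_EXTRACTABLE: TRUE -> FALSE is the only change allowed after creation."""
        if value == self.extractable:
            return CKR_OK
        if value:
            return CKR_ATTRIBUTE_READ_ONLY  # FALSE -> TRUE is rejected
        self.extractable = False
        return CKR_OK

    def can_be_wrapped(self):
        """A key with CKA_EXTRACTABLE and CKA_EXPORTABLE both FALSE cannot be wrapped."""
        return self.extractable or self.exportable
```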
Generic secret key objects
Generic secret key objects (object class CKO_SECRET_KEY, key type CKK_GENERIC_SECRET) hold generic secret keys. These keys do not support encryption, decryption, signatures or verification (other than HMAC algorithms); however, other keys can be derived from them. The following table defines attributes of generic secret key objects, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

Generic secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (arbitrary length) |
| CKA_VALUE_LEN ²,³,⁶ | CK_ULONG | Length in bytes of key value |

See Common footnotes for key attribute tables.
RC2 secret key objects
RC2 secret key objects (object class CKO_SECRET_KEY, key type CKK_RC2) hold RC2 keys. The following table defines the RC2 secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

RC2 secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (1 to 128 bytes) |
| CKA_VALUE_LEN ²,³,⁶ | CK_ULONG | Length in bytes of key value |

See Common footnotes for key attribute tables.
RC4 secret key objects
RC4 secret key objects (object class CKO_SECRET_KEY, key type CKK_RC4) hold RC4 keys. The following table defines the RC4 secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

RC4 secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (1 to 256 bytes) |
| CKA_VALUE_LEN ²,³,⁶ | CK_ULONG | Length in bytes of key value |

See Common footnotes for key attribute tables.
AES secret key objects
AES secret key objects (object class CKO_SECRET_KEY, key type CKK_AES) hold AES keys. The following table defines the AES secret key object attributes, in addition to the common attributes listed in Common object attributes, Common key attributes, and Common secret key attributes:

AES secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (16 to 32 bytes) |
| CKA_VALUE_LEN ²,³,⁶ | CK_ULONG | Length in bytes of key value |

See Common footnotes for key attribute tables.
DES secret key objects
DES secret key objects (object class CKO_SECRET_KEY, key type CKK_DES) hold single-length DES keys. The following table defines the DES secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

DES secret key object

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (always 8 bytes long) |

See Common footnotes for key attribute tables.
DES keys should always have their parity bits properly set as described in FIPS PUB 46-2. However, attempting to create or unwrap a DES key with incorrect parity will not return an error as the key will still function correctly.
DES2 secret key objects
DES2 secret key objects (object class CKO_SECRET_KEY, key type CKK_DES2) hold double-length DES keys. The following table defines the DES2 secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

DES2 secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (always 16 bytes long) |

See Common footnotes for key attribute tables.
DES2 keys should have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES2 key should have its parity bits properly set). However, attempting to create or unwrap a DES2 key with incorrect parity will not return an error as the key will still function correctly.
DES3 secret key objects
DES3 secret key objects (object class CKO_SECRET_KEY, key type CKK_DES3) hold triple-length DES keys. The following table defines the DES3 secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

DES3 secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (always 24 bytes long) |

See Common footnotes for key attribute tables.
DES3 keys should always have their parity bits properly set as described in FIPS PUB 46-2 (that is, each of the DES keys comprising a DES3 key should have its parity bits properly set). However, attempting to create or unwrap a DES3 key with incorrect parity will not return an error as the key will still function correctly.
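Because the token accepts DES, DES2 and DES3 keys with incorrect parity rather than returning an error, the parity check belongs on the caller's side before C_CreateObject or C_UnwrapKey. The following is an added example, not part of the original documentation or of any PKCS#11 library, covering the single-, double- and triple-length DES sections above: it checks the FIPS PUB 46-2 odd-parity rule (the low bit of every key byte is the parity bit) on a CKA_VALUE of 8, 16 or 24 bytes and repairs it. Function names are hypothetical; the sample keys are constructed.

```python
# Added example (not from the original documentation): caller-side parity
# check and repair for the CKA_VALUE of CKK_DES / CKK_DES2 / CKK_DES3 keys.
# FIPS PUB 46-2: every byte must have an odd number of set bits, with bit 0
# serving as the parity bit for the upper 7 key-material bits.
DES_KEY_LENGTHS = {8: "CKK_DES", 16: "CKK_DES2", 24: "CKK_DES3"}


def des_key_type(key):
    """Key type implied by the CKA_VALUE length, or None if the length is invalid."""
    return DES_KEY_LENGTHS.get(len(key))


def has_odd_parity(key):
    """True if every byte of the key (each DES component) has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def bad_parity_bytes(key):
    """Indexes of key bytes that violate odd parity (handy for a log line)."""
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def fix_parity(key):
    """Return a copy of the key with bit 0 of each byte set so parity is odd."""
    if des_key_type(key) is None:
        raise ValueError("CKA_VALUE must be 8, 16 or 24 bytes for DES/DES2/DES3")
    out = bytearray()
    for b in key:
        high = b & 0xFE                    # the 7 key-material bits
        ones = bin(high).count("1") % 2    # 1 if those bits already sum to odd
        out.append(high | (ones ^ 1))      # parity bit makes the total odd
    return bytes(out)


# Constructed sample: the classic DES test key, and a copy with bytes 0 and 7
# damaged so that both have even parity.
GOOD_KEY = bytes.fromhex("0123456789abcdef")
BAD_KEY = bytes.fromhex("0023456789abcdee")
```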
CAST128 (CAST5) secret key objects
CAST128 (also known as CAST5) secret key objects (object class CKO_SECRET_KEY, key type CKK_CAST128 or CKK_CAST5) hold CAST128 keys. The following table defines the CAST128 secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

CAST128 (CAST5) secret key object attributes

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (1 to 16 bytes) |
| CKA_VALUE_LEN ²,³,⁶ | CK_ULONG | Length in bytes of key value |

See Common footnotes for key attribute tables.
IDEA secret key objects
IDEA secret key objects (object class CKO_SECRET_KEY, key type CKK_IDEA) hold IDEA keys. The following table defines the IDEA secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

IDEA secret key object

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷ | Byte array | Key value (always 16 bytes long) |

See Common footnotes for key attribute tables.
SEED secret key objects
SEED secret key objects (object class CKO_SECRET_KEY, key type CKK_SEED) hold SEED keys. The following table defines the SEED secret key object attributes, in addition to the common attributes listed in Common object attributes, Common storage object attributes, Common key attributes, and Common secret key attributes:

| Attribute | Data type | Meaning |
|---|---|---|
| CKA_VALUE ¹,⁴,⁶,⁷,¹⁰ | Byte array | Key value (always 16 bytes long) |