Using Cryptographic Hardware

Advanced PKCS #11

This chapter earlier described internalKey as the collection of three items: CKA_CLASS, CKA_TYPE and the digest of the modulus. A more rigorous description would be CKA_CLASS, CKA_TYPE and CKA_ID. When Crypto-C generates a key pair, it uses the SHA-1 digest of the modulus as the CKA_ID.

CKA_CLASS | CKA_TYPE | CKA_ID

For an RSA private key, it would be this.

CKO_PRIVATE_KEY | CKK_RSA     | <digest>
00 00 00 03     | 00 00 00 00 | 66 a9 47 2d 80 5a . . .

Suppose you already have a generated key pair with its CKA_ID set, and you want Crypto-C to be able to use it. Create a buffer that looks like the previous example, making sure you use the right values for the class and type. The next part of the buffer is your CKA_ID. Now create a KI_TOKEN_INFO struct with the manufacturer's ID and the new buffer you created as the internal key. Crypto-C will find it.

When Crypto-C asks for the key with the appropriate attributes, it receives a key handle in return. This handle is valid only during the active session. If you get a key handle for a particular key one day, the handle for that very same key may be different the next day. Suppose you have that handle for the active session. You could give Crypto-C the previously defined internalKey, and Crypto-C would ask the token to return a handle for that key. In other words, you searched for the key once and got a handle, and now Crypto-C will search again. And it will probably get a new handle.

You could also pass in CKO_VENDOR_DEFINED | CKO_PRIVATE_KEY for the class, CKK_RSA for the type, and then the rest would be the handle. It might look like this.

80 00 00 03 | 00 00 00 00 | 00 00 00 02

In this case, Crypto-C will recognize that the most significant bit of the class is set (the 8 in the 80000003) and know that the value which would normally be the CKA_ID is actually the key handle. It would then use that key handle. That is what VENDOR_DEFINED means: the class is vendor-defined. We are the vendor, so we are defining it to mean "private key class key handle," not just "private key."
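The two internalKey layouts described above, built and decoded in plain C, as an added example that is not code from the manual or from Crypto-C. The ex_ names and the struct are hypothetical; the 4-byte big-endian class, type and handle fields are an assumption taken from the byte dumps on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Values as in the PKCS #11 headers, redefined so the example is self-contained. */
#define EX_CKO_PRIVATE_KEY    0x00000003u
#define EX_CKO_VENDOR_DEFINED 0x80000000u
#define EX_CKK_RSA            0x00000000u

/* Hypothetical decoded view of an internalKey buffer. */
struct ex_ikey {
    uint32_t cls, type, handle;  /* cls has the vendor bit cleared */
    int is_handle;               /* 1: tail is a session key handle, 0: CKA_ID */
    const unsigned char *id;     /* CKA_ID bytes when is_handle == 0 */
    size_t id_len;
};

static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Writes class || type || tail; returns bytes written, 0 if it does not fit. */
size_t ex_build(unsigned char *out, size_t cap, uint32_t cls, uint32_t type,
                const unsigned char *tail, size_t tail_len) {
    if (cap < 8 || tail_len > cap - 8) return 0;
    put_be32(out, cls);
    put_be32(out + 4, type);
    if (tail_len) memcpy(out + 8, tail, tail_len);
    return 8 + tail_len;
}

/* Decodes either layout; returns 0 on success, -1 on a malformed buffer. */
int ex_parse(const unsigned char *buf, size_t len, struct ex_ikey *k) {
    if (len <= 8) return -1;                  /* need class, type and a tail */
    uint32_t raw = get_be32(buf);
    k->is_handle = (raw & EX_CKO_VENDOR_DEFINED) != 0;
    k->cls = raw & ~EX_CKO_VENDOR_DEFINED;
    k->type = get_be32(buf + 4);
    k->handle = 0; k->id = NULL; k->id_len = 0;
    if (k->is_handle) {
        if (len != 12) return -1;             /* handle form: exactly 4 tail bytes */
        k->handle = get_be32(buf + 8);
    } else { k->id = buf + 8; k->id_len = len - 8; }
    return 0;
}
```

Because a handle is valid only during the active session, a buffer in the handle form should be rebuilt each session rather than stored; the CKA_ID form is the one that survives across sessions.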

RSA Security 5.2.2 manual, Chapter 4: Using Crypto-C, page 147