PKCS#11 – Supported Attributes
Create EC and RSA Public Key Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. | 
| Read-only | The attribute is set to read-only for the specific key type. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_CreateObject

| Attributes | Key Type: EC Public | Key Type: RSA Public | Default Value | Note |
|---|---|---|---|---|
| CKA_CLASS | Yes | Yes | CKO_PUBLIC_KEY | Mandatory template attribute. |
| CKA_TOKEN | Read-only | Read-only | FALSE | NVIDIA limitation. Create token public key not supported. |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes | | |
| CKA_VALUE | No | No | | |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No | | |
| CKA_KEY_TYPE | Yes | Yes | | Mandatory template attribute. |
| CKA_SUBJECT | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_ID | Yes | Yes | | Mandatory template attribute |
| CKA_SENSITIVE | No | No | | |
| CKA_ENCRYPT | Read-only | Read-only | FALSE | NVIDIA limitation. Public key encryption is not supported. |
| CKA_DECRYPT | No | No | | |
| CKA_WRAP | Read-only | Read-only | FALSE | NVIDIA limitation. Public key wrap is not supported. |
| CKA_UNWRAP | No | No | | |
| CKA_SIGN | No | No | | |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY_RECOVER | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_DERIVE | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot derive from a Public key. |
| CKA_START_DATE | Yes | Yes | | |
| CKA_END_DATE | Yes | Yes | | |
| CKA_MODULUS | No | Yes | | Mandatory template attribute |
| CKA_MODULUS_BITS | No | Read-only | (Result of library function) | Must not be template attribute |
| CKA_PUBLIC_EXPONENT | No | Yes | | Mandatory template attribute |
| CKA_PUBLIC_KEY_INFO | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_VALUE_LEN | No | No | | |
| CKA_EXTRACTABLE | No | No | | |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be template attribute |
| CKA_NEVER_EXTRACTABLE | No | No | | |
| CKA_ALWAYS_SENSITIVE | No | No | | |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Due to CKA_LOCAL set FALSE |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | Yes | No | | Mandatory template attribute |
| CKA_EC_POINT | Yes | No | | Mandatory template attribute |
| CKA_WRAP_WITH_TRUSTED | No | No | | |
| CKA_WRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | | |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | | Mandatory template attribute |

Create Secret Key Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. | 
| Read-only | The attribute is set to read-only for the specific key type. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_CreateObject

| Attributes | Key Type: Generic Secret | Key Type: AES | Default Value | Note |
|---|---|---|---|---|
| CKA_CLASS | Yes | Yes | CKO_SECRET_KEY | Mandatory template attribute |
| CKA_TOKEN | Yes | Yes | FALSE | |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private |
| CKA_LABEL | Yes | Yes | | |
| CKA_VALUE | Yes | Yes | | Mandatory template attribute |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime |
| CKA_CHECK_VALUE | No | No | | |
| CKA_KEY_TYPE | Yes | Yes | | Mandatory template attribute |
| CKA_SUBJECT | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_ID | Yes | Yes | | Mandatory template attribute |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to secret key material |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_WRAP | No | Yes | FALSE | |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY_RECOVER | No | No | | |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_START_DATE | Yes | Yes | | |
| CKA_END_DATE | Yes | Yes | | |
| CKA_MODULUS | No | No | | |
| CKA_MODULUS_BITS | No | No | | |
| CKA_PUBLIC_EXPONENT | No | No | | |
| CKA_PUBLIC_KEY_INFO | No | No | | |
| CKA_VALUE_LEN | Read-only | Read-only | (Result of library function) | Must not be template attribute |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be template attribute |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | FALSE | Must not be template attribute |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Due to CKA_LOCAL set FALSE |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | No | No | | |
| CKA_EC_POINT | No | No | | |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported |
| CKA_UNWRAP_TEMPLATE | No | No | | |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | | Mandatory template attribute |

Generate Secret Key Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being generated.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. | 
| Read-only | The attribute is set to read-only for the specific key type. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_GenerateKey

| Attributes | Key Type: Generic Secret | Key Type: AES | Default Value | Note |
|---|---|---|---|---|
| CKA_CLASS | Read-only | Read-only | CKO_SECRET_KEY | Implied by generation mechanism. Cannot be changed. |
| CKA_TOKEN | Yes | Yes | FALSE | |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes | | |
| CKA_VALUE | Read-only | Read-only | (Result of library function) | Is set by mechanism. |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | Read-only | Read-only | (Result of library function) | |
| CKA_KEY_TYPE | Read-only | Read-only | (Result of library function) | Is set by mechanism. Cannot be changed. |
| CKA_SUBJECT | No | No | | |
| CKA_ID | Yes | Yes | | Mandatory template attribute |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to Secret key material. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_WRAP | No | Yes | FALSE | |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY_RECOVER | No | No | | |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_START_DATE | Yes | Yes | | |
| CKA_END_DATE | Yes | Yes | | |
| CKA_MODULUS | No | No | | |
| CKA_MODULUS_BITS | No | No | | |
| CKA_PUBLIC_EXPONENT | No | No | | |
| CKA_PUBLIC_KEY_INFO | No | No | | |
| CKA_VALUE_LEN | Yes | Yes | 16 | Mandatory template attribute |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | |
| CKA_LOCAL | Read-only | Read-only | TRUE | Must not be template attribute |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | (Result of library function) | Must not be template attribute |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | TRUE | Must not be template attribute. NVIDIA limitation. No access to Secret key material. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | (Result of library function) | Must not be template attribute |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | No | No | | |
| CKA_EC_POINT | No | No | | |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | | Mandatory template attribute |

Generate Public / Private Key Pair Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being generated.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. | 
| Read-only | The attribute is set to read-only for the specific key type. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_GenerateKeyPair

| Attributes | Key Type: EC Public | Key Type: EC Private | Default Value | Note |
|---|---|---|---|---|
| CKA_CLASS | Read-only | Read-only | (Result of library function) | |
| CKA_TOKEN | Yes | Yes | FALSE | Same value for both templates |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes | | |
| CKA_VALUE | No | No | | |
| CKA_TRUSTED | Read-only | No | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No | | |
| CKA_KEY_TYPE | Read-only | Read-only | (Result of library function) | |
| CKA_SUBJECT | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_ID | Yes | Yes | | Mandatory template attribute, they must be identical |
| CKA_SENSITIVE | No | Read-only | TRUE | NVIDIA limitation. No access to private key material |
| CKA_ENCRYPT | Read-only | No | FALSE | NVIDIA limitation. Public key encryption is not supported |
| CKA_DECRYPT | No | Read-only | FALSE | NVIDIA limitation. Private key decryption is not supported |
| CKA_WRAP | Read-only | No | FALSE | NVIDIA limitation. Public key wrap is not supported |
| CKA_UNWRAP | No | Read-only | FALSE | NVIDIA limitation. Private key unwrap is not supported |
| CKA_SIGN | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_SIGN_RECOVER | No | No | - | NVIDIA limitation. Attribute not supported |
| CKA_VERIFY | Yes | No | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY_RECOVER | No | No | - | NVIDIA limitation. Attribute not supported |
| CKA_DERIVE | Read-only | Yes | FALSE | NVIDIA limitation. Cannot derive from a public key |
| CKA_START_DATE | Yes | Yes | | |
| CKA_END_DATE | Yes | Yes | | |
| CKA_MODULUS | No | No | | |
| CKA_MODULUS_BITS | No | No | | |
| CKA_PUBLIC_EXPONENT | No | No | | |
| CKA_PUBLIC_KEY_INFO | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_VALUE_LEN | No | No | | |
| CKA_EXTRACTABLE | No | Read-only | FALSE | NVIDIA limitation. Private key extraction is not supported |
| CKA_LOCAL | Read-only | Read-only | TRUE | Must not be template attribute |
| CKA_NEVER_EXTRACTABLE | No | Read-only | (Result of library function) | Must not be template attribute |
| CKA_ALWAYS_SENSITIVE | No | Read-only | TRUE | Must not be template attribute. NVIDIA limitation. No access to private key material |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | (Result of library function) | Must not be template attribute |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | Yes | Read-only | | Public key: mandatory template attribute. Private key: must not be template attribute. |
| CKA_EC_POINT | Read-only | Read-only | (Result of library function) | |
| CKA_WRAP_WITH_TRUSTED | No | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported |
| CKA_UNWRAP_TEMPLATE | No | No | | |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | | Mandatory template attribute |
| CKA_ALWAYS_AUTHENTICATE | No | No | | NVIDIA limitation. Not supported for private keys |

Derive Secret Key Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being derived.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. | 
| Read-only | The attribute is set to read-only for the specific key type. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_DeriveKey

| Attributes | Key Type: Generic Secret | Key Type: AES | Default Value | Note |
|---|---|---|---|---|
| CKA_CLASS | Read-only | Read-only | CKO_SECRET_KEY | NVIDIA limitation. Can only derive a Secret key |
| CKA_TOKEN | Yes | Yes | FALSE | NVIDIA limitation. Can only derive a Token key from a Token key |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private |
| CKA_LABEL | Yes | Yes | | |
| CKA_VALUE | Read-only | Read-only | (Result of library function) | |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime |
| CKA_CHECK_VALUE | No | No | | NVIDIA limitation. Not supported |
| CKA_KEY_TYPE | Yes | Yes | | Mandatory template attribute |
| CKA_SUBJECT | No | No | | |
| CKA_ID | Yes | Yes | | Mandatory template attribute |
| CKA_SENSITIVE | Yes | Yes | TRUE | |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_WRAP | No | Yes | FALSE | |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_VERIFY_RECOVER | No | No | | |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules |
| CKA_START_DATE | Yes | Yes | | |
| CKA_END_DATE | Yes | Yes | | |
| CKA_MODULUS | No | No | | |
| CKA_MODULUS_BITS | No | No | | |
| CKA_PUBLIC_EXPONENT | No | No | | |
| CKA_PUBLIC_KEY_INFO | No | No | | |
| CKA_VALUE_LEN | Yes | Yes | 16 | Mandatory template attribute. |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be template attribute |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | Inherited from base key depending on CKA_EXTRACTABLE history* | Must not be template attribute |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | Inherited from base key depending on CKA_SENSITIVE history** | Must not be template attribute |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Due to CKA_LOCAL set FALSE |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | No | No | | |
| CKA_EC_POINT | No | No | | |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | | Mandatory template attribute |

* If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute.
** If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE, then the derived key will as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.
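
The two footnote rules, carried through a chain of derivations. This is an added example, not code from the original page or from NVIDIA; the `key_flags` and `derive_template` types and the sample root key are constructed for illustration, and the defaults for omitted attributes are taken from the C_DeriveKey table (CKA_SENSITIVE TRUE, CKA_EXTRACTABLE FALSE).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The four attributes that record a secret key's exposure history. */
typedef struct {
    bool sensitive;          /* CKA_SENSITIVE */
    bool extractable;        /* CKA_EXTRACTABLE */
    bool always_sensitive;   /* CKA_ALWAYS_SENSITIVE */
    bool never_extractable;  /* CKA_NEVER_EXTRACTABLE */
} key_flags;

/* What one C_DeriveKey template says about the two settable attributes.
 * has_* == false means the attribute was omitted from the template. */
typedef struct {
    bool has_sensitive, sensitive;
    bool has_extractable, extractable;
} derive_template;

/* Attributes of the key produced by one derivation step. */
key_flags derive_flags(key_flags base, derive_template t)
{
    key_flags d;
    d.sensitive   = t.has_sensitive   ? t.sensitive   : true;   /* table default TRUE  */
    d.extractable = t.has_extractable ? t.extractable : false;  /* table default FALSE */
    /* Footnote *: FALSE on the base key is inherited; TRUE on the base key
     * gives the opposite of the derived key's CKA_EXTRACTABLE. */
    d.never_extractable = base.never_extractable ? !d.extractable : false;
    /* Footnote **: FALSE on the base key is inherited; TRUE on the base key
     * gives the derived key's own CKA_SENSITIVE. */
    d.always_sensitive = base.always_sensitive ? d.sensitive : false;
    return d;
}

/* Apply n derivation steps in order, each one using the previous result as base key. */
key_flags derive_chain(key_flags root, const derive_template *steps, size_t n)
{
    for (size_t i = 0; i < n; i++)
        root = derive_flags(root, steps[i]);
    return root;
}

int main(void)
{
    /* Constructed sample: a root key that has never been extractable. */
    key_flags root = { true, false, true, true };
    derive_template steps[3] = {
        { false, false, false, false },  /* step 1: template omits both attributes */
        { false, false, true,  true  },  /* step 2: CKA_EXTRACTABLE = TRUE          */
        { false, false, false, false },  /* step 3: defaults again                  */
    };
    key_flags leaf = derive_chain(root, steps, 3);
    printf("leaf: extractable=%d never_extractable=%d always_sensitive=%d\n",
           leaf.extractable, leaf.never_extractable, leaf.always_sensitive);
    return 0;
}
```

The leaf key reports CKA_EXTRACTABLE FALSE, yet its CKA_NEVER_EXTRACTABLE is also FALSE because one ancestor step was extractable. An audit that reads only CKA_EXTRACTABLE would miss that.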
Unwrap key attributes support
The PKCS#11 library does not apply Cryptoki attributes supplied in a template to the unwrapped key. The key attributes are instead supplied through the optional AAD (additional authenticated data) input of the CKM_AES_GCM mechanism passed to C_UnwrapKey.
Copy key attributes support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being copied.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. | 
| Read-only | The attribute is set to read-only for the specific key type. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_CopyObject

| Attributes | Key Type: EC Private | Key Type: EC Public | Key Type: RSA Public | Key Type: Generic Secret | Key Type: AES | Default Value | Note |
|---|---|---|---|---|---|---|---|
| CKA_CLASS | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_TOKEN | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | NVIDIA limitation. A token key cannot be copied into a session key or vice versa. |
| CKA_PRIVATE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | Inherited from Object being copied | |
| CKA_VALUE | No | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_TRUSTED | No | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_CHECK_VALUE | No | No | No | No | No | | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_SUBJECT | No | No | No | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_ID | Yes | Yes | Yes | Yes | Yes | | Mandatory template attribute |
| CKA_SENSITIVE | Read-only | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_ENCRYPT | No | Read-only | Read-only | No | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_DECRYPT | Read-only | No | No | No | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_WRAP | No | Read-only | Read-only | No | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_UNWRAP | Read-only | No | No | No | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_SIGN | Read-only | No | No | Read-only | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_SIGN_RECOVER | No | No | No | No | No | | NVIDIA limitation. Attribute not supported for private keys. |
| CKA_VERIFY | No | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_VERIFY_RECOVER | No | No | No | No | No | | NVIDIA limitation. Attribute not supported. |
| CKA_DERIVE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_START_DATE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_END_DATE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_MODULUS | No | No | Read-only | No | No | Inherited from Object being copied | |
| CKA_MODULUS_BITS | No | No | Read-only | No | No | Inherited from Object being copied | |
| CKA_PUBLIC_EXPONENT | No | No | Read-only | No | No | Inherited from Object being copied | |
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | | NVIDIA limitation. Attribute not supported |
| CKA_VALUE_LEN | No | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_EXTRACTABLE | Read-only | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_LOCAL | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_NEVER_EXTRACTABLE | Read-only | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_ALWAYS_SENSITIVE | Read-only | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_MODIFIABLE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_COPYABLE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_DESTROYABLE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_EC_PARAMS | Read-only | Read-only | No | No | No | Inherited from Object being copied | |
| CKA_EC_POINT | No | Read-only | No | No | No | Inherited from Object being copied | |
| CKA_WRAP_WITH_TRUSTED | Read-only | No | No | Read-only | Read-only | Inherited from Object being copied | |
| CKA_WRAP_TEMPLATE | No | No | No | No | No | | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | No | No | No | | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from Object being copied | |
| CKA_ALWAYS_AUTHENTICATE | No | No | No | No | No | | NVIDIA limitation. Not supported. |

Set attributes support
Only a single attribute may be set at a time.
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type operation.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 Library supports set attribute for the specific key type. | 
| No | Indicates that PKCS#11 Library does not support set attribute for the specific key type. | 

C_SetAttributeValue

| Attributes | Key Type: EC Private | Key Type: EC Public | Key Type: RSA Public | Key Type: Generic Secret | Key Type: AES | Note |
|---|---|---|---|---|---|---|
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | NVIDIA limitation. Set a single attribute at a time. | 
| CKA_TRUSTED | No | No | No | No | No | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. | 
| CKA_CHECK_VALUE | No | No | No | No | No | NVIDIA limitation. | 
| CKA_SUBJECT | No | No | No | No | No | NVIDIA limitation. | 
| CKA_ID | Yes | Yes | Yes | Yes | Yes | NVIDIA limitation. Set a single attribute at a time. | 
| CKA_SENSITIVE | No | No | No | No | No | NVIDIA limitation. | 
| CKA_ENCRYPT | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_DECRYPT | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_WRAP | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_UNWRAP | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_SIGN | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. | 
| CKA_VERIFY | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_VERIFY_RECOVER | No | No | No | No | No | NVIDIA limitation. | 
| CKA_DERIVE | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. | 
| CKA_START_DATE | No | No | No | No | No | NVIDIA limitation. | 
| CKA_END_DATE | No | No | No | No | No | NVIDIA limitation. | 
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | NVIDIA limitation. | 
| CKA_EXTRACTABLE | No | No | No | No | No | NVIDIA limitation. | 
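
One way to live with the single-attribute rule and the table above, as an added example that is not from the original page or from NVIDIA's library. The wrapper `set_attributes_one_by_one`, the `set_attr_fn` type and the `mock_set_attribute` test double are hypothetical; the type and constant definitions are minimal stand-ins for the standard PKCS#11 header, and the error codes the wrapper and the mock return are this example's choices, not documented library behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the pkcs11t.h definitions used below, so the example
 * compiles on its own. A real build includes the PKCS#11 headers instead. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SESSION_HANDLE;
typedef CK_ULONG CK_OBJECT_HANDLE;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CKR_OK                  0x00000000UL
#define CKR_GENERAL_ERROR       0x00000005UL
#define CKR_ARGUMENTS_BAD       0x00000007UL
#define CKR_ATTRIBUTE_READ_ONLY 0x00000010UL
#define CKA_LABEL               0x00000003UL
#define CKA_ID                  0x00000102UL
#define CKA_EXTRACTABLE         0x00000162UL

/* Same shape as C_SetAttributeValue, passed in so a test double can be used. */
typedef CK_RV (*set_attr_fn)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
                             CK_ATTRIBUTE *, CK_ULONG);

/* Per the C_SetAttributeValue table, only CKA_LABEL and CKA_ID are settable. */
static int is_settable(CK_ATTRIBUTE_TYPE type)
{
    return type == CKA_LABEL || type == CKA_ID;
}

/* Applies a multi-attribute template as a series of single-attribute calls.
 * The whole template is checked first, so an unsupported attribute is rejected
 * before the object is touched. The series is not atomic: if a later call
 * fails, *applied tells the caller how many attributes were already changed. */
CK_RV set_attributes_one_by_one(set_attr_fn set_value,
                                CK_SESSION_HANDLE session,
                                CK_OBJECT_HANDLE object,
                                CK_ATTRIBUTE *tmpl, CK_ULONG count,
                                CK_ULONG *applied)
{
    CK_ULONG i;

    *applied = 0;
    if (tmpl == NULL && count != 0)
        return CKR_ARGUMENTS_BAD;
    for (i = 0; i < count; i++)
        if (!is_settable(tmpl[i].type))
            return CKR_ATTRIBUTE_READ_ONLY;  /* wrapper's own choice of code */
    for (i = 0; i < count; i++) {
        CK_RV rv = set_value(session, object, &tmpl[i], 1);
        if (rv != CKR_OK)
            return rv;
        (*applied)++;
    }
    return CKR_OK;
}

/* Constructed test double standing in for the library call. It refuses any
 * call carrying more than one attribute (the error code is an assumption). */
static CK_ULONG mock_calls;
static CK_ULONG mock_fail_on_call;  /* 0 = never fail */

static CK_RV mock_set_attribute(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE o,
                                CK_ATTRIBUTE *t, CK_ULONG n)
{
    (void)s; (void)o; (void)t;
    if (n != 1)
        return CKR_ARGUMENTS_BAD;
    mock_calls++;
    return mock_calls == mock_fail_on_call ? CKR_GENERAL_ERROR : CKR_OK;
}

int main(void)
{
    char label[] = "signing-key-2";          /* constructed sample values */
    unsigned char id[] = { 0x01, 0x02 };
    CK_ATTRIBUTE tmpl[] = {
        { CKA_LABEL, label, sizeof(label) - 1 },
        { CKA_ID, id, sizeof(id) },
    };
    CK_ULONG applied;
    CK_RV rv = set_attributes_one_by_one(mock_set_attribute, 1, 2,
                                         tmpl, 2, &applied);
    printf("rv=0x%lx applied=%lu calls=%lu\n", rv, applied, mock_calls);
    return rv == CKR_OK ? 0 : 1;
}
```

In a real build, pass the library's `C_SetAttributeValue` as `set_value`. When the return value is not `CKR_OK` and `*applied` is non-zero, the object holds a partial update that the caller has to reconcile.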
Get attributes support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 Library supports the attribute for the specific key type. | 
| No | Indicates that PKCS#11 Library does not support the attribute for the specific key type. | 
| No Get | Indicates that the attribute is sensitive and cannot be revealed. | 

C_GetAttributeValue

| Attributes | Key Type: EC Private | Key Type: EC Public | Key Type: RSA Public | Key Type: Generic Secret | Key Type: AES | Note |
|---|---|---|---|---|---|---|
| CKA_CLASS | Yes | Yes | Yes | Yes | Yes | |
| CKA_TOKEN | Yes | Yes | Yes | Yes | Yes | |
| CKA_PRIVATE | Yes | Yes | Yes | Yes | Yes | |
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | |
| CKA_VALUE | No | No | No | No Get | No Get | NVIDIA limitation. Attribute always sensitive and not returned. |
| CKA_TRUSTED | No | Yes | Yes | Yes | Yes | |
| CKA_CHECK_VALUE | No | No | No | No | No | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Yes | Yes | Yes | Yes | Yes | |
| CKA_SUBJECT | No | No | No | No | No | NVIDIA limitation. Attribute not supported |
| CKA_ID | Yes | Yes | Yes | Yes | Yes | |
| CKA_SENSITIVE | Yes | No | No | Yes | Yes | |
| CKA_ENCRYPT | No | Yes | Yes | No | Yes | |
| CKA_DECRYPT | Yes | No | No | No | Yes | |
| CKA_WRAP | No | Yes | Yes | No | Yes | |
| CKA_UNWRAP | Yes | No | No | No | Yes | |
| CKA_SIGN | Yes | No | No | Yes | Yes | |
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for Private keys |
| CKA_VERIFY | No | Yes | Yes | Yes | Yes | |
| CKA_VERIFY_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for public keys. |
| CKA_DERIVE | Yes | Yes | Yes | Yes | Yes | |
| CKA_START_DATE | Yes | Yes | Yes | Yes | Yes | |
| CKA_END_DATE | Yes | Yes | Yes | Yes | Yes | |
| CKA_MODULUS | No | No | Yes | No | No | |
| CKA_MODULUS_BITS | No | No | Yes | No | No | |
| CKA_PUBLIC_EXPONENT | No | No | Yes | No | No | |
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | NVIDIA limitation. Attribute not supported for public keys. |
| CKA_VALUE_LEN | No | No | No | Yes | Yes | |
| CKA_EXTRACTABLE | Yes | No | No | Yes | Yes | |
| CKA_LOCAL | Yes | Yes | Yes | Yes | Yes | |
| CKA_NEVER_EXTRACTABLE | Yes | No | No | Yes | Yes | |
| CKA_ALWAYS_SENSITIVE | Yes | No | No | Yes | Yes | |
| CKA_KEY_GEN_MECHANISM | Yes | Yes | Yes | Yes | Yes | Contains a valid value only if CKA_LOCAL is TRUE. Else is CK_UNAVAILABLE_INFORMATION |
| CKA_MODIFIABLE | Yes | Yes | Yes | Yes | Yes | |
| CKA_COPYABLE | Yes | Yes | Yes | Yes | Yes | |
| CKA_DESTROYABLE | Yes | Yes | Yes | Yes | Yes | |
| CKA_EC_PARAMS | Yes | Yes | No | No | No | NVIDIA limitation. Contains CK_UNAVAILABLE_INFORMATION |
| CKA_EC_POINT | No | Yes | No | No | No | |
| CKA_WRAP_WITH_TRUSTED | Yes | No | No | Yes | Yes | |
| CKA_WRAP_TEMPLATE | No | No | No | No | No | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | No | No | No | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | Yes | Yes | Yes | |
| CKA_ALWAYS_AUTHENTICATE | No | No | No | No | No | NVIDIA limitation. Not supported |

Create Data Object Attributes Support
The table below indicates whether a given attribute in a template is supported for a Data Object being created.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for a Data Object. | 
| No | Indicates that PKCS#11 library does not support the attribute for a Data Object. | 
| Read-only | The attribute is set to read-only for a Data Object. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 

C_CreateObject

| Attributes | DATA OBJECT | Default Value | Note |
|---|---|---|---|
| CKA_CLASS | Yes | CKO_DATA | Mandatory template attribute |
| CKA_TOKEN | Yes | FALSE | |
| CKA_PRIVATE | Read-only | TRUE | NVIDIA limitation. All objects are private |
| CKA_LABEL | Yes | | |
| CKA_VALUE | Yes | - | |
| CKA_ID | Yes | - | Mandatory template attribute |
| CKA_VALUE_LEN | Read-only | (Result of library function) | Must not be template attribute |
| CKA_MODIFIABLE | Yes | TRUE | |
| CKA_COPYABLE | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | TRUE | |
| CKA_APPLICATION | Yes | | |
| CKA_OBJECT_ID | Yes | | |

Copy Data Object Attributes Support
The table below indicates whether a given attribute in a template is supported for a Data Object being copied.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for a Data Object. | 
| No | Indicates that PKCS#11 library does not support the attribute for a Data Object. | 
| Read-only | The attribute is set to read-only for a Data Object. | 
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library | 
| C_CopyObject | |||
|---|---|---|---|
| Attributes | DATA OBJECT | Default Value | Note | 
| CKA_CLASS | Read-only | Inherited from Object being copied | - | 
| CKA_TOKEN | Read-only | Inherited from Object being copied | |
| CKA_PRIVATE | Read-only | Inherited from Object being copied | - | 
| CKA_LABEL | Yes | Inherited from Object being copied | |
| CKA_VALUE | Read-only | Inherited from Object being copied | - | 
| CKA_ID | Yes | - | Mandatory template attribute | 
| CKA_VALUE_LEN | Read-only | Inherited from Object being copied | - | 
| CKA_MODIFIABLE | Read-only | Inherited from Object being copied | |
| CKA_COPYABLE | Read-only | Inherited from Object being copied | |
| CKA_DESTROYABLE | Read-only | Inherited from Object being copied | |
| CKA_APPLICATION | Read-only | Inherited from Object being copied | |
| CKA_OBJECT_ID | Read-only | Inherited from Object being copied | |
Set Data Object Attributes Support
The table below indicates whether a given attribute in a template is supported by a set-attribute operation on a Data Object after it has been created.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports set attribute for a Data Object. | 
| No | Indicates that PKCS#11 library does not support set attribute for a Data Object. | 
| C_SetAttributeValue | ||
|---|---|---|
| Attributes | DATA OBJECT | Note | 
| CKA_LABEL | Yes | NVIDIA limitation. Set a single attribute at a time. | 
| CKA_VALUE | No | |
| CKA_ID | Yes | NVIDIA limitation. Set a single attribute at a time. | 
| CKA_APPLICATION | No | |
| CKA_OBJECT_ID | No | - | 
Get Data Object Attributes Support
The table below indicates whether a given attribute in a template can be fetched from a Data Object after it has been created.
| Table Entry | Meaning | 
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for a Data Object. | 
| No | Indicates that PKCS#11 library does not support the attribute for a Data Object. | 
| C_GetAttributeValue | ||
|---|---|---|
| Attributes | DATA OBJECT | Note | 
| CKA_CLASS | Yes | |
| CKA_TOKEN | Yes | |
| CKA_PRIVATE | Yes | |
| CKA_LABEL | Yes | |
| CKA_VALUE | Yes | |
| CKA_ID | Yes | |
| CKA_VALUE_LEN | Yes | |
| CKA_MODIFIABLE | Yes | |
| CKA_COPYABLE | Yes | |
| CKA_DESTROYABLE | Yes | |
| CKA_APPLICATION | Yes | |
| CKA_OBJECT_ID | Yes | |
Key Exclusive Usage Rules
The PKCS#11 library limits key usage attributes so that a key is usable only for a single purpose, or for a single class of purposes. The following purposes and purpose combinations are valid:
- Encryption (CKA_ENCRYPT)
- Decryption (CKA_DECRYPT)
- Encryption and decryption (CKA_ENCRYPT | CKA_DECRYPT)
- Signature generation (CKA_SIGN)
- Signature verification (CKA_VERIFY)
- Signature generation and verification (CKA_SIGN | CKA_VERIFY)
- Key unwrapping (CKA_UNWRAP)
- Key wrapping (CKA_WRAP)
- Key unwrapping and wrapping (CKA_UNWRAP | CKA_WRAP)
- Key derivation (CKA_DERIVE)
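The single-purpose rule above can be checked on a template before it is handed to the library. The following is an added example, not NVIDIA's code: the type and constant definitions mirror the standard PKCS#11 header so the block builds on its own, the `PC_*` names and `usage_is_single_purpose` are hypothetical, and it assumes that only usage attributes set to CK_TRUE count as a requested purpose.

```c
#include <stddef.h>

/* Local mirrors of the standard pkcs11t.h definitions so the example builds
   without the vendor headers; real code includes the PKCS#11 headers. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE     1
#define CKA_ENCRYPT 0x104UL
#define CKA_DECRYPT 0x105UL
#define CKA_WRAP    0x106UL
#define CKA_UNWRAP  0x107UL
#define CKA_SIGN    0x108UL
#define CKA_VERIFY  0x10AUL
#define CKA_DERIVE  0x10CUL

/* Hypothetical purpose classes, one bit per class from the list above. */
enum { PC_CRYPT = 1, PC_SIGNATURE = 2, PC_WRAPPING = 4, PC_DERIVE = 8 };

static unsigned purpose_class(CK_ULONG type)
{
    switch (type) {
    case CKA_ENCRYPT: case CKA_DECRYPT: return PC_CRYPT;
    case CKA_SIGN:    case CKA_VERIFY:  return PC_SIGNATURE;
    case CKA_WRAP:    case CKA_UNWRAP:  return PC_WRAPPING;
    case CKA_DERIVE:                    return PC_DERIVE;
    default:                            return 0; /* not a usage attribute */
    }
}

/* Returns 1 if the usage attributes set to CK_TRUE fall in at most one
   purpose class, 0 if the template mixes classes (e.g. sign + decrypt). */
int usage_is_single_purpose(const CK_ATTRIBUTE *tmpl, size_t n)
{
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned pc = purpose_class(tmpl[i].type);
        if (pc == 0 || tmpl[i].pValue == NULL ||
            tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            continue; /* skip non-usage or malformed entries */
        if (*(const CK_BBOOL *)tmpl[i].pValue == CK_TRUE)
            seen |= pc;
    }
    return (seen & (seen - 1)) == 0; /* zero or exactly one bit set */
}
```

This covers only the class rule; whether a given usage attribute may appear in a template at all is still governed by the per-key-type tables.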
Key Usage Immutability
The PKCS#11 library does not allow modification of key usage attributes after key creation.
CKA_ID
The PKCS#11 library requires that any CKA_ID generated by the client application satisfies the following constraints:
- Must be a byte array of CK_BYTEs, padded with the space character to 32 bytes
- Must not contain a NULL character
- Must not start with "NV"
- Must be unique
The library returns CKR_ATTRIBUTE_VALUE_INVALID if any of these conditions is not met.
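A client can build and pre-check its CKA_ID values against the constraints above before calling the library. The following is an added example, not NVIDIA's code: `make_cka_id`, `id_in_use`, `NV_ID_LEN` and the `ID_*` codes are hypothetical names, and the uniqueness check only covers IDs the application tracks itself, not objects already on the token.

```c
#include <stddef.h>
#include <string.h>

#define NV_ID_LEN 32 /* ID length required by the page; macro name is ours */

/* Hypothetical result codes used only by this example. */
enum id_status { ID_OK = 0, ID_EMPTY, ID_TOO_LONG, ID_HAS_NUL, ID_RESERVED_PREFIX };

/* Build a CKA_ID value from len bytes of src, padded with spaces (0x20) to
   32 bytes. out is a raw byte array, not a C string: it carries no NUL. */
enum id_status make_cka_id(const unsigned char *src, size_t len,
                           unsigned char out[NV_ID_LEN])
{
    if (src == NULL || len == 0)
        return ID_EMPTY;            /* our choice: refuse an all-padding ID */
    if (len > NV_ID_LEN)
        return ID_TOO_LONG;         /* never truncate silently */
    if (memchr(src, 0, len) != NULL)
        return ID_HAS_NUL;
    if (len >= 2 && src[0] == 'N' && src[1] == 'V')
        return ID_RESERVED_PREFIX;
    memcpy(out, src, len);
    memset(out + len, ' ', NV_ID_LEN - len);
    return ID_OK;
}

/* Compare a padded ID against n padded IDs stored back to back in used
   (n * NV_ID_LEN bytes), e.g. IDs the application has already assigned. */
int id_in_use(const unsigned char id[NV_ID_LEN],
              const unsigned char *used, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(id, used + i * NV_ID_LEN, NV_ID_LEN) == 0)
            return 1;
    return 0;
}
```

Because of the padding, two source names that differ only in trailing spaces produce the same 32-byte ID, so uniqueness has to be compared on the padded value.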
Attribute Repeated in Template
The PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies the same attribute more than once.
Surplus Attributes in Template
The PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies attributes surplus to expectation.
Unwrap Template Not Supported
The attribute CKA_UNWRAP_TEMPLATE is not supported.
Wrap Template Not Supported
The attribute CKA_WRAP_TEMPLATE is not supported.
CKA_UNIQUE_ID
The PKCS#11 library does not support this attribute.