PKCS#11 – Persistent Object Secure Storage Support
The following APIs can operate on the objects in both token (persistent) and session (ephemeral) mode if the token secure storage is available.
- C_CopyObject
- C_DestroyObject
- C_SetAttributeValue
- C_GenerateKey
- C_UnwrapKey
- C_WrapKey
- C_DeriveKey
- C_CreateObject
Token Storage Status
The status of a token's secure storage and the status of a token itself can be established by calling C_GetTokenInfo.
The token information flags have been extended in the PKCS#11 library implementation. The extensions follow on from “CKF_ERROR_STATE”, defined in Table 6 of the PKCS#11 v3.00 specification.
NVIDIA Extensions: Token Information Flags |
---|
CKF_NVIDIA_TOKEN_OK |
CKF_NVIDIA_SECURE_STORAGE_FAILED |
CKF_NVIDIA_SECURE_STORAGE_TAMPERED |
CKF_NVIDIA_KEYLOAD_TIMEOUT |
CKF_NVIDIA_KEYLOAD_FAILED |
CKF_NVIDIA_TOKEN_ERROR |
The PKCS#11 Library CK_TOKEN_INFO structure contains the following values:
Field | PKCS#11 Specification | NVIDIA Implementation |
---|---|---|
ulMaxSessionCount | Maximum number of sessions that can be opened with the token at one time by a single application. | Represents the total number of sessions available to a library instance across all tokens. |
ulMaxRwSessionCount | Maximum number of read/write sessions that can be opened with the token at one time by a single application. | When both the token and token secure storage status are OK, it represents the total number of read/write sessions available to a library instance across all tokens; otherwise, it will remain as CK_UNAVAILABLE_INFORMATION. |
To confirm the status, the recommended sequence for the application is:
- C_Initialize()
- C_GetSlotList(), and then find the slot/token you require
- C_GetTokenInfo(), and then check the flags entry for CKF_NVIDIA_TOKEN_OK
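As an added example (not NVIDIA's code), the check in the last step can be written as a fail-closed decision over the flags that also cross-checks ulMaxRwSessionCount. The flag bit values are placeholders, `token_state` and `classify_token` are hypothetical names, and the policy per flag (including reading the absence of both storage flags as "storage OK") is an assumption of this example.

```c
#include <stdio.h>

/* Stand-ins so this compiles without the vendor PKCS#11 headers. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS;
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* PLACEHOLDER bit values (the page lists names only); use the real header's. */
#define CKF_NVIDIA_TOKEN_OK                0x01000000UL
#define CKF_NVIDIA_SECURE_STORAGE_FAILED   0x02000000UL
#define CKF_NVIDIA_SECURE_STORAGE_TAMPERED 0x04000000UL
#define CKF_NVIDIA_KEYLOAD_TIMEOUT         0x08000000UL
#define CKF_NVIDIA_KEYLOAD_FAILED          0x10000000UL
#define CKF_NVIDIA_TOKEN_ERROR             0x20000000UL

typedef enum {
    TOKEN_PERSISTENT_OK, /* token (persistent) and session objects usable */
    TOKEN_SESSION_ONLY,  /* token OK, storage failed: ephemeral objects only */
    TOKEN_NOT_READY,     /* key load problem, no OK bit, or inconsistent report */
    TOKEN_FAIL_CLOSED    /* tampered storage or token error: stop and alert */
} token_state;

/* flags and max_rw are CK_TOKEN_INFO.flags and .ulMaxRwSessionCount as filled
 * in by C_GetTokenInfo(). The policy is this example's assumption. */
token_state classify_token(CK_FLAGS flags, CK_ULONG max_rw)
{
    /* Most severe first, so an OK bit can never mask an error bit. */
    if (flags & (CKF_NVIDIA_SECURE_STORAGE_TAMPERED | CKF_NVIDIA_TOKEN_ERROR))
        return TOKEN_FAIL_CLOSED;
    if (flags & (CKF_NVIDIA_KEYLOAD_TIMEOUT | CKF_NVIDIA_KEYLOAD_FAILED))
        return TOKEN_NOT_READY;
    if (!(flags & CKF_NVIDIA_TOKEN_OK))
        return TOKEN_NOT_READY;
    if (flags & CKF_NVIDIA_SECURE_STORAGE_FAILED)
        return TOKEN_SESSION_ONLY;
    /* Cross-check: the read/write session count is only populated when both
     * the token and its secure storage are OK. */
    if (max_rw == CK_UNAVAILABLE_INFORMATION)
        return TOKEN_NOT_READY;
    return TOKEN_PERSISTENT_OK;
}

int main(void)
{
    /* Constructed sample: OK bit set together with a tamper bit. */
    CK_FLAGS f = CKF_NVIDIA_TOKEN_OK | CKF_NVIDIA_SECURE_STORAGE_TAMPERED;
    printf("state=%d\n", classify_token(f, 16)); /* TOKEN_FAIL_CLOSED */
    return 0;
}
```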