PKCS#11 – Supported Attributes
Create EC and RSA Public Key Attributes Support
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 library does not support the attribute for the specific key type. |
|
Read-only |
The attribute is set to read-only for the specific key type. |
|
An empty cell in Default Value column indicates no specific value is assigned to the attribute. |
|
|
(Result of library function) |
Indicates that the attribute value is determined by the PKCS#11 library. |
| C_CreateObject | ||||
|---|---|---|---|---|
| Attributes | KeyTypes | Default Values | Note | |
| EC Public | RSA Public | |||
|
CKA_CLASS |
Yes |
Yes |
CKO_PUBLIC_KEY |
Mandatory template attribute. |
|
CKA_TOKEN |
Yes |
Yes |
FALSE |
- |
|
CKA_PRIVATE |
Read-only |
Read-only |
TRUE |
NVIDIA limitation. All objects are private. |
|
CKA_LABEL |
Yes |
Yes |
|
|
|
CKA_VALUE |
No |
No |
|
|
|
CKA_TRUSTED |
Read-only |
Read-only |
FALSE |
NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
|
CKA_CHECK_VALUE |
No |
No |
|
|
|
CKA_KEY_TYPE |
Yes |
Yes |
|
Mandatory template attribute. |
|
CKA_SUBJECT |
No |
No |
NVIDIA limitation. Attribute not supported. |
|
|
CKA_ID |
Yes |
Yes |
|
NVIDIA limitation. Mandatory template. |
|
CKA_SENSITIVE |
No |
No |
|
|
|
CKA_ENCRYPT |
Read-only |
Read-only |
FALSE |
NVIDIA limitation. Public key encryption is not supported. |
|
CKA_DECRYPT |
No |
No |
||
|
CKA_WRAP |
Read-only |
Read-only |
FALSE |
NVIDIA limitation. Public key wrap is not supported. |
|
CKA_UNWRAP |
No |
No |
||
|
CKA_SIGN |
No |
No |
||
|
CKA_VERIFY |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules |
|
CKA_VERIFY_RECOVER |
No |
No |
|
NVIDIA limitation. Attribute not supported. |
|
CKA_DERIVE |
Read-only |
Read-only |
FALSE |
NVIDIA limitation. Cannot derive from a Public key. |
|
CKA_START_DATE |
Yes |
Yes |
|
|
|
CKA_END_DATE |
Yes |
Yes |
|
|
|
CKA_MODULUS |
No |
Yes |
|
Mandatory template attribute. |
|
CKA_MODULUS_BITS |
No |
Read-only |
(Result of library function) |
Must not be template attribute. |
|
CKA_PUBLIC_EXPONENT |
No |
Yes |
|
Mandatory template attribute. |
|
CKA_PUBLIC_KEY_INFO |
No |
No |
|
NVIDIA limitation. Attribute not supported. |
|
CKA_VALUE_LEN |
No |
No |
|
|
|
CKA_EXTRACTABLE |
No |
No |
|
|
|
CKA_LOCAL |
Read-only |
Read-only |
FALSE |
Must not be template attribute. |
|
CKA_NEVER_EXTRACTABLE |
No |
No |
|
|
|
CKA_ALWAYS_SENSITIVE |
No |
No |
|
|
|
CKA_KEY_GEN_MECHANISM |
Read-only |
Read-only |
CK_UNAVAILABLE_INFORMATION |
Due to CKA_LOCAL set FALSE. |
|
CKA_MODIFIABLE |
Yes |
Yes |
TRUE |
|
|
CKA_COPYABLE |
Yes |
Yes |
TRUE |
|
|
CKA_DESTROYABLE |
Yes |
Yes |
TRUE |
|
|
CKA_EC_PARAMS |
Yes |
No |
|
Mandatory template attribute. |
|
CKA_EC_POINT |
Yes |
No |
|
Mandatory template attribute. |
|
CKA_WRAP_WITH_TRUSTED |
No |
No |
||
|
CKA_WRAP_TEMPLATE |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_UNWRAP_TEMPLATE |
No |
No |
|
|
|
CKA_ALLOWED_MECHANISMS |
Yes |
Yes |
Mandatory template attribute. |
|
| CKA_NVIDIA_CALLER_NONCE | No | No | ||
Create Secret Key Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |
| C_CreateObject | ||||
|---|---|---|---|---|
| Attributes | Key Type | Default Value | Note | |
| Generic Secret | AES | |||
| CKA_CLASS | Yes | Yes | CKO_SECRET_KEY | Mandatory template attribute. |
| CKA_TOKEN | Yes | Yes | FALSE | |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes | ||
| CKA_VALUE | Yes | Yes | Mandatory template attribute. | |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No | NVIDIA limitation. Attribute not supported. | |
| CKA_KEY_TYPE | Yes | Yes | Mandatory template attribute. | |
| CKA_SUBJECT | No | No | ||
| CKA_ID | Yes | Yes | NVIDIA limitation. Mandatory template attribute. | |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to secret key material. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_WRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No | ||
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | Yes | ||
| CKA_END_DATE | Yes | Yes | ||
| CKA_MODULUS | No | No | ||
| CKA_MODULUS_BITS | No | No | ||
| CKA_PUBLIC_EXPONENT | No | No | ||
| CKA_PUBLIC_KEY_INFO | No | No | ||
| CKA_VALUE_LEN | Read-only | Read-only | (Result of library function) | Must not be template attribute. |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Due to CKA_LOCAL set FALSE. |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | No | No | ||
| CKA_EC_POINT | No | No | ||
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | NVIDIA limitation. Not supported | |
| CKA_UNWRAP_TEMPLATE | No | No | NVIDIA limitation. Not supported. | |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | Mandatory template attribute. | |
| CKA_NVIDIA_CALLER_NONCE | Read-only | Read-only | FALSE | |
Generate Secret Key Attributes Support
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being generated.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 library does not support the attribute for the specific key type. |
|
Read-only |
The attribute is set to read-only for the specific key type. |
|
An empty cell in the Default Value column indicates there is no specific value assigned to the attribute. |
|
|
(Result of library function) |
Indicates that the attribute value is determined by the PKCS#11 library. |
| C_GenerateKey | ||||
|---|---|---|---|---|
| Attributes | Key Type | Default Value | Note | |
| Generic Secret | AES | |||
|
CKA_CLASS |
Read-only |
Read-only |
CKO_SECRET_KEY |
Implied by generation mechanism. Cannot be changed. |
|
CKA_TOKEN |
Yes |
Yes |
FALSE |
|
|
CKA_PRIVATE |
Read-only |
Read-only |
TRUE |
NVIDIA limitation. All objects are private. |
|
CKA_LABEL |
Yes |
Yes |
|
|
|
CKA_VALUE |
Read-only |
Read-only |
(Result of library function) |
Is set by mechanism. |
|
CKA_TRUSTED |
Read-only |
Read-only |
FALSE |
NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
|
CKA_CHECK_VALUE |
No |
No |
NVIDIA limitation. Attribute not supported. |
|
|
CKA_KEY_TYPE |
Read-only |
Read-only |
(Result of library function) |
Is set by mechanism Cannot be changed. |
|
CKA_SUBJECT |
No |
No |
|
|
|
CKA_ID |
Yes |
Yes |
|
NVIDIA limitation. Mandatory template attribute. |
|
CKA_SENSITIVE |
Read-only |
Read-only |
TRUE |
NVIDIA limitation. No access to Secret key material. |
|
CKA_ENCRYPT |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_DECRYPT |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_WRAP |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_UNWRAP |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_SIGN |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_VERIFY |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_VERIFY_RECOVER |
No |
No |
|
|
|
CKA_DERIVE |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_START_DATE |
Yes |
Yes |
|
|
|
CKA_END_DATE |
Yes |
Yes |
|
|
|
CKA_MODULUS |
No |
No |
|
|
|
CKA_MODULUS_BITS |
No |
No |
|
|
|
CKA_PUBLIC_EXPONENT |
No |
No |
|
|
|
CKA_PUBLIC_KEY_INFO |
No |
No |
|
|
|
CKA_VALUE_LEN |
Yes |
Yes |
16 |
Mandatory template attribute. |
|
CKA_EXTRACTABLE |
Yes |
Yes |
FALSE |
|
|
CKA_LOCAL |
Read-only |
Read-only |
TRUE |
Must not be template attribute. |
|
CKA_NEVER_EXTRACTABLE |
Read-only |
Read-only |
(Result of library function) |
Must not be template attribute. |
|
CKA_ALWAYS_SENSITIVE |
Read-only |
Read-only |
TRUE |
Must not be template attribute. NVIDIA limitation. No access to Secret key material. |
|
CKA_KEY_GEN_MECHANISM |
Read-only |
Read-only |
(Result of library function) |
Must not be template attribute. |
|
CKA_MODIFIABLE |
Yes |
Yes |
TRUE |
|
|
CKA_COPYABLE |
Yes |
Yes |
TRUE |
|
|
CKA_DESTROYABLE |
Yes |
Yes |
TRUE |
|
|
CKA_EC_PARAMS |
No |
No |
|
|
|
CKA_EC_POINT |
No |
No |
|
|
|
CKA_WRAP_WITH_TRUSTED |
Yes |
Yes |
FALSE |
|
|
CKA_WRAP_TEMPLATE |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_UNWRAP_TEMPLATE |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_ALLOWED_MECHANISMS |
Yes |
Yes |
Mandatory template attribute. |
|
| CKA_NVIDIA_CALLER_NONCE | Read-only | Read-only | FALSE | |
Generate Public / Private Key Pair Attributes Support
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being generated.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
| An empty cell in Default Value column indicates there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |
| C_GenerateKeyPair | ||||
|---|---|---|---|---|
| Attributes | Key Type | Default Value | Note | |
| EC Public | EC Private | |||
| CKA_CLASS | Read-only | Read-only | (Result of library function) | |
| CKA_TOKEN | Yes | Yes | FALSE | Same value for both templates. |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes | ||
| CKA_VALUE | No | No | ||
| CKA_TRUSTED | Read-only | No | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No | ||
| CKA_KEY_TYPE | Read-only | Read-only | (Result of library function) | |
| CKA_SUBJECT | No | No | NVIDIA limitation. Attribute not supported. | |
| CKA_ID | Yes | Yes | NVIDIA limitation. Mandatory template attribute, they must be identical. | |
| CKA_SENSITIVE | No | Read-only | TRUE | NVIDIA limitation. No access to private key material. |
| CKA_ENCRYPT | Read-only | No | FALSE | NVIDIA limitation. Public key encryption is not supported. |
| CKA_DECRYPT | No | Read-only | FALSE | NVIDIA limitation. Private key decryption is not supported. |
| CKA_WRAP | Read-only | No | FALSE | NVIDIA limitation. Public key wrap is not supported. |
| CKA_UNWRAP | No | Read-only | FALSE | NVIDIA limitation. Private key unwrap is not supported. |
| CKA_SIGN | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN_RECOVER | No | No | - | NVIDIA limitation. Attribute not supported. |
| CKA_VERIFY | Yes | No | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No | - | NVIDIA limitation. Attribute not supported. |
| CKA_DERIVE | Read-only | Yes | FALSE | NVIDIA limitation. Cannot derive from a public key. |
| CKA_START_DATE | Yes | Yes | ||
| CKA_END_DATE | Yes | Yes | ||
| CKA_MODULUS | No | No | ||
| CKA_MODULUS_BITS | No | No | ||
| CKA_PUBLIC_EXPONENT | No | No | ||
| CKA_PUBLIC_KEY_INFO | No | No | NVIDIA limitation. Attribute not supported. | |
| CKA_VALUE_LEN | No | No | ||
| CKA_EXTRACTABLE | No | Yes | FALSE | |
| CKA_LOCAL | Read-only | Read-only | TRUE | Must not be template attribute. |
| CKA_NEVER_EXTRACTABLE | No | Read-only | (Result of library function) | Must not be template attribute |
| CKA_ALWAYS_SENSITIVE | No | Read-only | TRUE | Must not be template attribute. NVIDIA limitation. No access to private key material. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | (Result of library function) | Must not be template attribute. |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | Yes | Read-only |
Public key: mandatory template attribute. Private key: must not be template attribute. |
|
| CKA_EC_POINT | Read-only | No | (Result of library function) | |
| CKA_WRAP_WITH_TRUSTED | No | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | NVIDIA limitation. Not supported. | |
| CKA_UNWRAP_TEMPLATE | No | No | NVIDIA limitation. Not supported. | |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | Mandatory template attribute. | |
| CKA_ALWAYS_AUTHENTICATE | No | No | NVIDIA limitation. Not supported for private keys. | |
| CKA_NVIDIA_CALLER_NONCE | No | No | ||
Derive Secret Key Attributes Support
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being derived.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 library does not support the attribute for the specific key type. |
|
Read-only |
The attribute is set to read-only for the specific key type. |
|
An empty cell in Default Value column indicates there is no specific value assigned to the attribute. |
|
|
(Result of library function) |
Indicates that the PKCS#11 library determines the attribute value. |
| C_DeriveKey | ||||
|---|---|---|---|---|
| Attributes | Key Type | Default Value | Note | |
| Generic Secret | AES | |||
|
CKA_CLASS |
Read-only |
Read-only |
CKO_SECRET_KEY |
NVIDIA limitation. Can only derive a Secret key. |
|
CKA_TOKEN |
Yes |
Yes |
FALSE |
NVIDIA limitation. Can only derive a Token key from a Token key. |
|
CKA_PRIVATE |
Read-only |
Read-only |
TRUE |
NVIDIA limitation. All objects are private. |
|
CKA_LABEL |
Yes |
Yes |
|
|
|
CKA_VALUE |
Read-only |
Read-only |
(Result of library function) |
|
|
CKA_TRUSTED |
Read-only |
Read-only |
FALSE |
NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
|
CKA_CHECK_VALUE |
No |
No |
NVIDIA limitation. Not supported. |
|
|
CKA_KEY_TYPE |
Yes |
Yes |
Mandatory template attribute. |
|
|
CKA_SUBJECT |
No |
No |
|
|
|
CKA_ID |
Yes |
Yes |
|
NVIDIA limitation. Mandatory template attribute. |
|
CKA_SENSITIVE |
Yes | Yes |
TRUE |
NVIDIA limitation. Any Secret Key with CKA_SENSITIVE False cannot be used for cryptographic operations. |
|
CKA_ENCRYPT |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_DECRYPT |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_WRAP |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_UNWRAP |
No |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_SIGN |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_VERIFY |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_VERIFY_RECOVER |
No |
No |
|
|
|
CKA_DERIVE |
Yes |
Yes |
FALSE |
NVIDIA limitation. Observe single purpose rules. |
|
CKA_START_DATE |
Yes |
Yes |
|
|
|
CKA_END_DATE |
Yes |
Yes |
|
|
|
CKA_MODULUS |
No |
No |
|
|
|
CKA_MODULUS_BITS |
No |
No |
|
|
|
CKA_PUBLIC_EXPONENT |
No |
No |
|
|
|
CKA_PUBLIC_KEY_INFO |
No |
No |
|
|
|
CKA_VALUE_LEN |
Yes |
Yes |
16 |
Mandatory template attribute. |
|
CKA_EXTRACTABLE |
Yes |
Yes |
FALSE |
NVIDIA limitation. If the base key has its CKA_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too |
|
CKA_LOCAL |
Read-only |
Read-only |
FALSE |
Must not be template attribute. |
|
CKA_NEVER_EXTRACTABLE |
Read-only |
Read-only |
Inherited from base key depending on CKA_EXTRACTABLE history* |
Must not be template attribute. |
|
CKA_ALWAYS_SENSITIVE |
Read-only |
Read-only |
Inherited from base key depending on CKA_SENSITIVE history** |
Must not be template attribute. |
|
CKA_KEY_GEN_MECHANISM |
Read-only |
Read-only |
CK_UNAVAILABLE_INFORMATION |
Due to CKA_LOCAL set FALSE |
|
CKA_MODIFIABLE |
Yes |
Yes |
TRUE |
|
|
CKA_COPYABLE |
Yes |
Yes |
TRUE |
|
|
CKA_DESTROYABLE |
Yes |
Yes |
TRUE |
|
|
CKA_EC_PARAMS |
No |
No |
|
|
|
CKA_EC_POINT |
No |
No |
|
|
|
CKA_WRAP_WITH_TRUSTED |
Yes |
Yes |
FALSE |
|
|
CKA_WRAP_TEMPLATE |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_UNWRAP_TEMPLATE |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_ALLOWED_MECHANISMS |
Yes |
Yes |
Mandatory template attribute |
|
| CKA_NVIDIA_CALLER_NONCE | Yes | Yes | FALSE | NVIDIA Extension May be TRUE only for encrypt/decrypt session keys derived using CKM_TLS12_KEY_AND_MAC_DERIVE or CKM_TLS12_KEY_SAFE_DERIVE |
* If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute. If the base key has its CKA_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too.
** If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE, then the derived key will as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.
Unwrap Key Attributes Support with CKM_NVIDIA_AES_GCM_KEY_UNWRAP
PKCS#11 library does not support Cryptoki attributes supplied within a template to be applied to the unwrapped key with CKM_AES_GCM mechanism. The key attributes are instead supplied via the optional Additional authenticated Data (AAD) input when CKM_NVIDIA_AES_GCM_KEY_UNWRAP mechanism is called with C_UnwrapKey.
This change uses a vendor-specific mechanism introduced at 6.0.8.1. It is backwards compatible for customers who already created unwrapping keys with CKM_AES_GCM as the supported mechanism, and where both CKM_AES_GCM and CKM_NVIDIA_AES_GCM_KEY_UNWRAP can coexist and be used.
How does this change affect the customer application? Depending on the combination of how the supported mechanism in the unwrapping key is named, and how the unwrapping mechanism is named when C_UnwrapKey is called, the PKCS#11 library reacts according to one of the four possible combinations, as shown below:
| Unwrap Key Mechanism | |||
|---|---|---|---|
| CKM_AES_GCM | CKM_NVIDIA_AES_GCM_KEY_UNWRAP | ||
| Supported mechanism in the unwrapping key | CKM_AES_GCM |
|
|
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | return CKR_MECHANISM_INVALID |
|
|
A customer application provisioning keys using the original mechanism will still work with 6.0.8.1. The PKCS#11 Library issues an advisory log to update to the new vendor-specific mechanism naming scheme for that use case.
Unwrap Secret Key Attributes Support with CKM_AES_CBC
PKCS#11 library does support Cryptoki attributes supplied within a template to be applied to the unwrapped ephemeral session secret key with CKM_AES_CBC mechanism.
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 library does not support the attribute for the specific key type. |
|
Read-only |
The attribute is set to read-only for the specific key type. |
|
An empty cell in Default Value column indicates that there is no specific value assigned to the attribute. |
|
|
(Result of library function) |
Indicates that the attribute value is determined by the PKCS#11 library |
| C_UnwrapKey | ||||
|---|---|---|---|---|
| Attributes | Key Type | Default Value | Note | |
| Generic Secret | AES | |||
| CKA_CLASS | Yes | Yes | CKO_SECRET_KEY | Mandatory template attribute. |
| CKA_TOKEN | Read-only | Read-only | FALSE | NVIDIA limitation. Only EPHEMERAL keys can be unwrapped if attribute template is supported. |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes | ||
| CKA_VALUE | No | No | ||
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No | NVIDIA limitation. Attribute not supported. | |
| CKA_KEY_TYPE | Yes | Yes | Mandatory template attribute. | |
| CKA_SUBJECT | No | No | ||
| CKA_ID | Yes | Yes | NVIDIA limitation. Mandatory template attribute. | |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to secret key material. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_WRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No | ||
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | Yes | ||
| CKA_END_DATE | Yes | Yes | ||
| CKA_MODULUS | No | No | ||
| CKA_MODULUS_BITS | No | No | ||
| CKA_PUBLIC_EXPONENT | No | No | ||
| CKA_PUBLIC_KEY_INFO | No | No | ||
| CKA_VALUE_LEN | Yes | Yes | Mandatory template attribute. | |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | NVIDIA limitation. Default False on Unwrap. |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | FALSE | Must not be template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Must not be template attribute. |
| CKA_MODIFIABLE | Yes | Yes | TRUE | |
| CKA_COPYABLE | Yes | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | Yes | TRUE | |
| CKA_EC_PARAMS | No | No | ||
| CKA_EC_POINT | No | No | ||
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | No | NVIDIA limitation. Not supported. | |
| CKA_UNWRAP_TEMPLATE | No | No | NVIDIA limitation. Not supported. | |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | Mandatory template attribute. | |
| CKA_NVIDIA_CALLER_NONCE | Read-only | Read-only | FALSE | |
Unwrap Private Key Attributes Support with CKM_AES_CBC
PKCS#11 library does support Cryptoki attributes supplied within a template to be applied to the unwrapped ephemeral session private key with CKM_AES_CBC mechanism.
The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 library does not support the attribute for the specific key type. |
|
Read-only |
The attribute is set to read-only for the specific key type. |
|
An empty cell in Default Value column indicates that there is no specific value assigned to the attribute. |
|
|
(Result of library function) |
Indicates that the PKCS#11 library determines the attribute value. |
| C_UnwrapKey | |||
|---|---|---|---|
| Attributes | Key Type | Default Value | Note |
| EC Private | |||
| CKA_CLASS | Yes | CKO_PRIVATE_KEY | Mandatory template attribute. |
| CKA_TOKEN | Read-only | FALSE | NVIDIA limitation. Only EPHEMERAL keys can be unwrapped if attribute template is supported. |
| CKA_PRIVATE | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | ||
| CKA_VALUE | No | ||
| CKA_TRUSTED | No | ||
| CKA_CHECK_VALUE | No | ||
| CKA_KEY_TYPE | Yes | Mandatory template attribute. | |
| CKA_SUBJECT | No | NVIDIA limitation. Attribute not supported. | |
| CKA_ID | Yes | NVIDIA limitation. Mandatory template attribute. | |
| CKA_SENSITIVE | Read-only | TRUE | NVIDIA limitation. No access to private key material. |
| CKA_ENCRYPT | No | ||
| CKA_DECRYPT | Read-only | FALSE | NVIDIA limitation. Private key decryption is not supported. |
| CKA_WRAP | No | ||
| CKA_UNWRAP | Read-only | FALSE | NVIDIA limitation. Private key unwrap is not supported. |
| CKA_SIGN | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | No | ||
| CKA_VERIFY_RECOVER | No | ||
| CKA_DERIVE | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | ||
| CKA_END_DATE | Yes | ||
| CKA_MODULUS | No | ||
| CKA_MODULUS_BITS | No | ||
| CKA_PUBLIC_EXPONENT | No | ||
| CKA_PUBLIC_KEY_INFO | No | ||
| CKA_VALUE_LEN | No | ||
| CKA_EXTRACTABLE | Yes | FALSE | NVIDIA limitation. Default False on Unwrap. |
| CKA_LOCAL | Read-only | FALSE | Must not be template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | FALSE | Must not be template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | FALSE | Must not be template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | CK_UNAVAILABLE_INFORMATION | Must not be template attribute. |
| CKA_MODIFIABLE | Yes | TRUE | |
| CKA_COPYABLE | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | TRUE | |
| CKA_EC_PARAMS | Yes | Mandatory template attribute. | |
| CKA_EC_POINT | No | ||
| CKA_WRAP_WITH_TRUSTED | Yes | FALSE | |
| CKA_WRAP_TEMPLATE | No | ||
| CKA_UNWRAP_TEMPLATE | No | NVIDIA limitation. Not supported | |
| CKA_ALLOWED_MECHANISMS | Yes | Mandatory template attribute | |
| CKA_NVIDIA_CALLER_NONCE | No | ||
Copy Key Attributes Support
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being copied.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 library does not support the attribute for the specific key type. |
|
Read-only |
The attribute is set to read-only for the specific key type. |
|
An empty cell in Default Value column indicates that there is no specific value assigned to the attribute. |
|
|
(Result of library function) |
Indicates that the PKCS#11 library determines the attribute value. |
| C_CopyObject | |||||||
|---|---|---|---|---|---|---|---|
| Attributes | Key Type | Default Value | Note | ||||
| EC Private | EC Public | RSA Public | Generic Secret | AES | |||
|
CKA_CLASS |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_TOKEN |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. A token key cannot be copied into a session key or vice versa. |
|
CKA_PRIVATE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_LABEL |
Yes |
Yes |
Yes |
Yes |
Yes |
Inherited from Object being copied |
|
|
CKA_VALUE |
No |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_TRUSTED |
No |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_CHECK_VALUE |
No |
No |
No |
No |
No |
NVIDIA limitation. Attribute not supported. |
|
|
CKA_KEY_TYPE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_SUBJECT |
No |
No |
No |
No |
No |
NVIDIA limitation. Attribute not supported. |
|
|
CKA_ID |
Yes |
Yes |
Yes |
Yes |
Yes |
|
NVIDIA limitation. Mandatory template attribute. |
|
CKA_SENSITIVE |
Read-only |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_ENCRYPT |
No |
Read only |
Read only |
No |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
|
CKA_DECRYPT |
Read-only |
No |
No |
No |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
|
CKA_WRAP |
No |
Read-only |
Read-only |
No |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
|
CKA_UNWRAP |
Read-only |
No |
No |
No |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
|
CKA_SIGN |
Read-only |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for private keys. | |
|
CKA_VERIFY |
No |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
|
CKA_VERIFY_RECOVER |
No |
No |
No |
No |
No |
|
NVIDIA limitation. Attribute not supported. |
|
CKA_DERIVE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
NVIDIA limitation. Key usage immutability. |
|
CKA_START_DATE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_END_DATE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_MODULUS |
No |
No |
Read-only |
No |
No |
Inherited from Object being copied |
|
|
CKA_MODULUS_BITS |
No |
No |
Read-only |
No |
No |
Inherited from Object being copied |
|
|
CKA_PUBLIC_EXPONENT |
No |
No |
Read-only |
No |
No |
Inherited from Object being copied |
|
|
CKA_PUBLIC_KEY_INFO |
No |
No |
No |
No |
No |
NVIDIA limitation. Attribute not supported |
|
|
CKA_VALUE_LEN |
No |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_EXTRACTABLE |
Read-only |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_LOCAL |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_NEVER_EXTRACTABLE |
Read-only |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_ALWAYS_SENSITIVE |
Read-only |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_KEY_GEN_MECHANISM |
Read-only |
Read only |
Read only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_MODIFIABLE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_COPYABLE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_DESTROYABLE |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_EC_PARAMS |
Read-only |
Read-only |
No |
No |
No |
Inherited from Object being copied |
|
|
CKA_EC_POINT |
No |
Read-only |
No |
No |
No |
Inherited from Object being copied |
|
|
CKA_WRAP_WITH_TRUSTED |
Read-only |
No |
No |
Read-only |
Read-only |
Inherited from Object being copied |
|
|
CKA_WRAP_TEMPLATE |
No |
No |
No |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_UNWRAP_TEMPLATE |
No |
No |
No |
No |
No |
|
NVIDIA limitation. Not supported. |
|
CKA_ALLOWED_MECHANISMS |
Read-only |
Read-only |
Read-only |
Read-only |
Read-only |
Inherited from Object being copied |
|
| CKA_ALWAYS_AUTHENTICATE | No | No | No | No | No | NVIDIA limitation. Not supported. | |
| CKA_NVIDIA_USER_NONCE | No | No | No | Read-only | Read-only | Inherited from Object being copied | |
Set Attributes Support
Only a single attribute may be set at a time.
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type operation.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 Library supports set attribute for the specific key type. |
|
No |
Indicates that PKCS#11 Library does not support set attribute for the specific key type. |
| C_SetAttributeValue | ||||||
|---|---|---|---|---|---|---|
| Attributes | Key Type | Note | ||||
| EC Private | EC Public | RSA Public | Generic Secret | AES | ||
|
CKA_LABEL |
Yes |
Yes |
Yes |
Yes |
Yes |
NVIDIA limitation. Set a single attribute at a time. |
|
CKA_TRUSTED |
No |
No |
No |
No |
No |
NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
|
CKA_CHECK_VALUE |
No |
No |
No |
No |
No |
NVIDIA limitation. |
|
CKA_SUBJECT |
No |
No |
No |
No |
No |
NVIDIA limitation. |
|
CKA_ID |
Yes |
Yes |
Yes |
Yes |
Yes |
NVIDIA limitation. Set a single attribute at a time. |
|
CKA_SENSITIVE |
No |
No |
No |
No |
No |
NVIDIA limitation. |
|
CKA_ENCRYPT |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
|
CKA_DECRYPT |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
|
CKA_WRAP |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
|
CKA_UNWRAP |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
|
CKA_SIGN |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. |
|
CKA_VERIFY |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
|
CKA_VERIFY_RECOVER |
No |
No |
No |
No |
No |
NVIDIA limitation. |
|
CKA_DERIVE |
No |
No |
No |
No |
No |
NVIDIA limitation. Observe single purpose immutability rule. |
|
CKA_START_DATE |
No |
No |
No |
No |
No |
NVIDIA limitation. |
|
CKA_END_DATE |
No |
No |
No |
No |
No |
NVIDIA limitation. |
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | NVIDIA limitation. |
|
CKA_EXTRACTABLE |
No |
No |
No |
No |
No |
NVIDIA limitation. |
| CKA_NVIDIA_USER_NONCE | No |
No |
No |
No |
No |
|
Get Attributes Support
The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type.
|
Table Entry |
Meaning |
|---|---|
|
Yes |
Indicates that PKCS#11 Library supports the attribute for the specific key type. |
|
No |
Indicates that PKCS#11 Library does not support the attribute for the specific key type. |
|
No Get |
Indicates that the attribute is sensitive and cannot be revealed. |
| C_GetAttributeValue | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Attributes | Key Type | Note | ||||||||||||||
| EC Private | EC Public | RSA Public | Generic Secret | AES | ||||||||||||
| CKA_CLASS | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_TOKEN | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_PRIVATE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_VALUE | No | No | No | No Get | No Get | NVIDIA limitation. Attribute always sensitive and not returned. | ||||||||||
| CKA_TRUSTED | No | Yes | Yes | Yes | Yes | |||||||||||
| CKA_CHECK_VALUE | No | No | No | No | No | NVIDIA limitation. Attribute not supported. | ||||||||||
| CKA_KEY_TYPE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_SUBJECT | No | No | No | No | No | NVIDIA limitation. Attribute not supported. | ||||||||||
| CKA_ID | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_SENSITIVE | Yes | No | No | Yes | Yes | |||||||||||
| CKA_ENCRYPT | No | Yes | Yes | No | Yes | |||||||||||
| CKA_DECRYPT | Yes | No | No | No | Yes | |||||||||||
| CKA_WRAP | No | Yes | Yes | No | Yes | |||||||||||
| CKA_UNWRAP | Yes | No | No | No | Yes | |||||||||||
| CKA_SIGN | Yes | No | No | Yes | Yes | |||||||||||
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for Private keys. | ||||||||||
| CKA_VERIFY | No | Yes | Yes | Yes | Yes | |||||||||||
| CKA_VERIFY_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for public keys. | ||||||||||
| CKA_DERIVE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_START_DATE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_END_DATE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_MODULUS | No | No | Yes | No | No | |||||||||||
| CKA_MODULUS_BITS | No | No | Yes | No | No | |||||||||||
| CKA_PUBLIC_EXPONENT | No | No | Yes | No | No | |||||||||||
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | NVIDIA limitation. Attribute not supported for public keys. | ||||||||||
| CKA_VALUE_LEN | No | No | No | Yes | Yes | |||||||||||
| CKA_EXTRACTABLE | Yes | No | No | Yes | Yes | |||||||||||
| CKA_LOCAL | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_NEVER_EXTRACTABLE | Yes | No | No | Yes | Yes | |||||||||||
| CKA_ALWAYS_SENSITIVE | Yes | No | No | Yes | Yes | |||||||||||
| CKA_KEY_GEN_MECHANISM | Yes | Yes | Yes | Yes | Yes | Contains a valid value only if CKA_LOCAL is TRUE. Else is CK_UNAVAILABLE_INFORMATION. | ||||||||||
| CKA_MODIFIABLE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_COPYABLE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_DESTROYABLE | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_EC_PARAMS | Yes | Yes | No | No | No | NVIDIA limitation. Contains CK_UNAVAILABLE_INFORMATION. | ||||||||||
| CKA_EC_POINT | No | Yes | No | No | No | |||||||||||
| CKA_WRAP_WITH_TRUSTED | Yes | No | No | Yes | Yes | |||||||||||
| CKA_WRAP_TEMPLATE | No | No | No | No | No | NVIDIA limitation. Not supported. | ||||||||||
| CKA_UNWRAP_TEMPLATE | No | No | No | No | No | NVIDIA limitation. Not supported. | ||||||||||
| CKA_ALLOWED_MECHANISMS | Yes | Yes | Yes | Yes | Yes | |||||||||||
| CKA_ALWAYS_AUTHENTICATE | No | No | No | No | No | NVIDIA limitation. Not supported. | ||||||||||
| CKA_NVIDIA_USER_NONCE | No | No | No | Yes | Yes | |||||||||||
Create Data Object Attributes Support
The following table indicates whether a given attribute in a template is supported for a Data Object being created.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for a Data Object. |
| No | Indicates that PKCS#11 library does not support the attribute for a Data Object. |
| Read-only | The attribute is set to read-only for a Data Object. |
| An empty cell in Default Value column indicates that there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library |
| C_CreateObject | |||
|---|---|---|---|
| Attributes | Data Object | Default Value | Note |
| CKA_CLASS | Yes | CKO_DATA | Mandatory template attribute. |
| CKA_TOKEN | Yes | FALSE | |
| CKA_PRIVATE | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | ||
| CKA_VALUE | Yes | - | |
| CKA_ID | Yes | - | NVIDIA limitation. Mandatory template attribute. |
| CKA_VALUE_LEN | Read-only | (Result of library function) | Must not be template attribute. |
| CKA_MODIFIABLE | Yes | TRUE | |
| CKA_COPYABLE | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | TRUE | |
| CKA_APPLICATION | Yes | ||
| CKA_OBJECT_ID | Yes | ||
Copy Data Object Attributes Support
The table below indicates whether a given attribute in a template is supported for a Data Object being copied.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for a Data Object. |
| No | Indicates that PKCS#11 library does not support the attribute for a Data Object. |
| Read-only | The attribute is set to read-only for a Data Object. |
| An empty cell in Default Value column indicates that there is no specific value assigned to the attribute. | |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |
| C_CopyObject | |||
|---|---|---|---|
| Attributes | Data Object | Default Value | Note |
| CKA_CLASS | Read-only | Inherited from Object being copied | - |
| CKA_TOKEN | Read-only | Inherited from Object being copied | |
| CKA_PRIVATE | Read-only | Inherited from Object being copied | - |
| CKA_LABEL | Yes | Inherited from Object being copied | |
| CKA_VALUE | Yes | Inherited from Object being copied | - |
| CKA_ID | Yes | - | NVIDIA limitation. Mandatory template attribute. |
| CKA_VALUE_LEN | Read-only | Inherited from Object being copied | - |
| CKA_MODIFIABLE | Read-only | Inherited from Object being copied | |
| CKA_COPYABLE | Read-only | Inherited from Object being copied | |
| CKA_DESTROYABLE | Read-only | Inherited from Object being copied | |
| CKA_APPLICATION | Read-only | Inherited from Object being copied | |
| CKA_OBJECT_ID | Read-only | Inherited from Object being copied | |
Set Data Object Attributes Support
The following table below indicates whether a given attribute in a template is supported for a Data Object set attribute operation after being created.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports set attribute for a Data Object. |
| No | Indicates that PKCS#11 library does not support set attribute for a Data Object. |
| C_SetAttributeValue | ||
|---|---|---|
| Attributes | Data Object | Note |
| CKA_LABEL | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_VALUE | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_ID | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_APPLICATION | No | |
| CKA_OBJECT_ID | No | - |
Get Data Object Attributes Support
The following table indicates whether a given attribute in a template is supported for a Data Object attribute being fetched after creation.
| Table Entry | Meaning |
|---|---|
| Yes | Indicates that PKCS#11 library supports the attribute for a Data Object. |
| No | Indicates that PKCS#11 library does not support the attribute for a Data Object. |
| C_GetAttributeValue | ||
|---|---|---|
| Attributes | Data Object | Note |
| CKA_CLASS | Yes | |
| CKA_TOKEN | Yes | |
| CKA_PRIVATE | Yes | |
| CKA_LABEL | Yes | |
| CKA_VALUE | Yes | |
| CKA_ID | Yes | |
| CKA_VALUE_LEN | Yes | |
| CKA_MODIFIABLE | Yes | |
| CKA_COPYABLE | Yes | |
| CKA_DESTROYABLE | Yes | |
| CKA_APPLICATION | Yes | |
| CKA_OBJECT_ID | Yes | |
Key Exclusive Usage Rules
PKCS#11 library limits key usage attributes such that a key is only usable for a single purpose, or for a single class of purposes. The following purposes and purpose combinations are valid:
- Encryption (CKA_ENCRYPT)
- Decryption (CKA_DECRYPT)
- Encryption and decryption (CKA_ENCRYPT | CKA_DECRYPT)
- Signature generation (CKA_SIGN)
- Signature verification (CKA_VERIFY)
- Signature generation and verification (CKA_SIGN | CKA_VERIFY)
- Key unwrapping (CKA_UNWRAP)
- Key wrapping (CKA_WRAP)
- Key unwrapping and wrapping (CKA_UNWRAP | CKA_WRAP)
- Key derivation (CKA_DERIVE)
Key Usage Immutability
PKCS#11 library does not allow modification of key usage attributes after key creation.
CKA_ID
PKCS#11 library requires that any CKA_ID generated by the client application satisfies the following constraints:
- A byte array of CK_BYTEs must be padded with space character to 32 bytes
- No NULL character
- Must not start with "NV"
- Unique
Returns CKR_ATTRIBUTE_VALUE_INVALID if any of these conditions are not met.
Attribute Repeated in Template
PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies the same attribute more than once.
Surplus Attributes in Template
PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies attributes surplus to expectation.
Unwrap Template Not Supported
The attribute CKA_UNWRAP_TEMPLATE is not supported.
Wrap Template Not Supported
The attribute CKA_WRAP_TEMPLATE is not supported.
Unique ID Not Supported
The attribute CKA_UNIQUE_ID is not supported.