PKCS#11 – Persistent Object Secure Storage Support
The following APIs can operate on objects in both token (persistent) and session (ephemeral) mode if the token's secure storage is available; without it, only session objects are possible.
C_CopyObject
C_DestroyObject
C_SetAttributeValue
C_GenerateKey
C_UnwrapKey
C_WrapKey
C_DeriveKey
C_CreateObject
Token Storage Status
The status of a token's secure storage, and the status of the token itself, can be established by calling C_GetTokenInfo.
The Token Information flags have been extended in the PKCS#11 library implementation. The extensions follow on from CKF_ERROR_STATE, the last flag defined in Table 6 of the PKCS#11 v3.00 specification.
NVIDIA Extensions: Token Information Flags
CKF_NVIDIA_TOKEN_OK
CKF_NVIDIA_SECURE_STORAGE_FAILED
CKF_NVIDIA_SECURE_STORAGE_TAMPERED
CKF_NVIDIA_KEYLOAD_TIMEOUT
CKF_NVIDIA_KEYLOAD_FAILED
CKF_NVIDIA_TOKEN_ERROR
CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED
CKF_NVIDIA_SECURE_STORAGE_NOT_PRESENT
The PKCS#11 Library CK_TOKEN_INFO structure contains the following values:

ulMaxSessionCount
    PKCS#11 Specification: maximum number of sessions that can be opened with the token at one time by a single application.
    NVIDIA Implementation: the total number of sessions available to a library instance across all tokens.

ulMaxRwSessionCount
    PKCS#11 Specification: maximum number of read/write sessions that can be opened with the token at one time by a single application.
    NVIDIA Implementation: when both the token status and the token secure storage status are OK, the total number of read/write sessions available to a library instance across all tokens, so that ulMaxRwSessionCount == NVPKCS11_MAX_SESSIONS (defined in the API reference); otherwise the field remains CK_UNAVAILABLE_INFORMATION.
To confirm the status, the recommended application sequence is:
1. C_Initialize()
2. C_GetSlotList(), and then find the slot/token you require
3. C_GetTokenInfo(), and then check the flags entry for CKF_NVIDIA_TOKEN_OK
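As an added example (not code from this page or from the NVIDIA library), the check an application can run on the CK_TOKEN_INFO it receives in step 3, combining the flags with ulMaxRwSessionCount as documented above. The CKF_NVIDIA_* bit values, the NVPKCS11_MAX_SESSIONS value, the minimal type stand-ins and the grouping of flags into token failures versus storage failures are assumptions; a real application obtains the structure through C_Initialize, C_GetSlotList and C_GetTokenInfo and takes the constants from the NVIDIA header.

```c
/* Minimal stand-ins for PKCS#11 types so this compiles without pkcs11.h;
 * a real application includes the NVIDIA PKCS#11 header instead. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS;
#define CK_UNAVAILABLE_INFORMATION (~0UL)
/* Placeholder values (a 64-bit CK_ULONG is assumed); the real CKF_NVIDIA_*
 * bits and NVPKCS11_MAX_SESSIONS come from the NVIDIA API reference. */
#define CKF_NVIDIA_TOKEN_OK                       (1UL << 25)
#define CKF_NVIDIA_SECURE_STORAGE_FAILED          (1UL << 26)
#define CKF_NVIDIA_SECURE_STORAGE_TAMPERED        (1UL << 27)
#define CKF_NVIDIA_KEYLOAD_TIMEOUT                (1UL << 28)
#define CKF_NVIDIA_KEYLOAD_FAILED                 (1UL << 29)
#define CKF_NVIDIA_TOKEN_ERROR                    (1UL << 30)
#define CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED (1UL << 31)
#define CKF_NVIDIA_SECURE_STORAGE_NOT_PRESENT     (1UL << 32)
#define NVPKCS11_MAX_SESSIONS                     16UL

typedef enum {
    NV_TOKEN_USABLE,       /* token and secure storage OK: persistent objects allowed */
    NV_TOKEN_SESSION_ONLY, /* token OK, secure storage not OK: ephemeral objects only */
    NV_TOKEN_UNUSABLE,     /* the token itself reports an error */
    NV_TOKEN_INCONSISTENT  /* flags and ulMaxRwSessionCount disagree: treat as an error */
} nv_token_state;

/* Classify a token from the two CK_TOKEN_INFO fields C_GetTokenInfo fills in.
 * Splitting the flags into token failures and storage failures follows their
 * names; the page does not define the split. */
nv_token_state nv_classify_token(CK_FLAGS flags, CK_ULONG ulMaxRwSessionCount)
{
    const CK_FLAGS storage_bad = CKF_NVIDIA_SECURE_STORAGE_FAILED |
                                 CKF_NVIDIA_SECURE_STORAGE_TAMPERED |
                                 CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED |
                                 CKF_NVIDIA_SECURE_STORAGE_NOT_PRESENT;
    const CK_FLAGS token_bad = CKF_NVIDIA_TOKEN_ERROR | CKF_NVIDIA_KEYLOAD_TIMEOUT |
                               CKF_NVIDIA_KEYLOAD_FAILED;

    /* Step 3 of the recommended sequence: CKF_NVIDIA_TOKEN_OK must be set. */
    if ((flags & token_bad) || !(flags & CKF_NVIDIA_TOKEN_OK))
        return NV_TOKEN_UNUSABLE;
    if (flags & storage_bad) {
        /* Storage not OK: the library leaves ulMaxRwSessionCount unavailable. */
        if (ulMaxRwSessionCount != CK_UNAVAILABLE_INFORMATION)
            return NV_TOKEN_INCONSISTENT;
        return NV_TOKEN_SESSION_ONLY;
    }
    /* Both statuses OK: the count must equal NVPKCS11_MAX_SESSIONS. */
    if (ulMaxRwSessionCount != NVPKCS11_MAX_SESSIONS)
        return NV_TOKEN_INCONSISTENT;
    return NV_TOKEN_USABLE;
}
```

An NV_TOKEN_INCONSISTENT result means the two fields contradict each other, which an application should refuse to act on rather than pick one field to trust.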