PKCS#11 – Persistent Object Secure Storage Support

The following APIs can operate on objects in both token (persistent) and session (ephemeral) mode when the token's secure storage is available:

  • C_CopyObject

  • C_DestroyObject

  • C_SetAttributeValue

  • C_GenerateKey

  • C_UnwrapKey

  • C_WrapKey

  • C_DeriveKey

  • C_CreateObject

Token Storage Status

The status of a token's secure storage, and the status of the token itself, can be established by calling C_GetTokenInfo.

The Token Information flags have been extended in the PKCS#11 library implementation. The extensions follow on from CKF_ERROR_STATE, defined in Table 6 of the PKCS#11 v3.00 specification.

NVIDIA Extensions: Token Information Flags

  • CKF_NVIDIA_TOKEN_OK

  • CKF_NVIDIA_SECURE_STORAGE_FAILED

  • CKF_NVIDIA_SECURE_STORAGE_TAMPERED

  • CKF_NVIDIA_KEYLOAD_TIMEOUT

  • CKF_NVIDIA_KEYLOAD_FAILED

  • CKF_NVIDIA_TOKEN_ERROR

  • CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED

  • CKF_NVIDIA_SECURE_STORAGE_NOT_PRESENT

The PKCS#11 library's CK_TOKEN_INFO structure contains the following values, whose meaning in the NVIDIA implementation differs from the specification:

ulMaxSessionCount

  • PKCS#11 Specification: maximum number of sessions that can be opened with the token at one time by a single application.

  • NVIDIA Implementation: the total number of sessions available to a library instance across all tokens.

ulMaxRwSessionCount

  • PKCS#11 Specification: maximum number of read/write sessions that can be opened with the token at one time by a single application.

  • NVIDIA Implementation: when both the token status and the token secure storage status are OK, the total number of read/write sessions available to a library instance across all tokens; otherwise it remains CK_UNAVAILABLE_INFORMATION.

That is, ulMaxRwSessionCount == NVPKCS11_MAX_SESSIONS (defined in the API reference) when the secure storage status is OK.

To confirm the status, the recommended sequence for an application is:

  • C_Initialize()

  • C_GetSlotList(), then find the slot/token you require

  • C_GetTokenInfo(), then check the flags entry for CKF_NVIDIA_TOKEN_OK
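The last step of that sequence, as an added example that is not NVIDIA's code: a fail-closed classifier for the CK_TOKEN_INFO that C_GetTokenInfo fills in, combining the CKF_NVIDIA_TOKEN_OK check with the ulMaxRwSessionCount cross-check described above. The CKF_NVIDIA_* bit values and NVPKCS11_MAX_SESSIONS are placeholders so the file builds without the NVIDIA header; the real values come from that header and the API reference.

```c
/* Added example, not NVIDIA's code: classify the CK_TOKEN_INFO returned by
 * C_GetTokenInfo to decide whether persistent (token) objects may be used.
 * The CKF_NVIDIA_* bits and NVPKCS11_MAX_SESSIONS are PLACEHOLDER values
 * (assumption); use the ones from NVIDIA's PKCS#11 header and API reference. */
typedef unsigned long CK_ULONG;             /* as in pkcs11.h */
typedef CK_ULONG CK_FLAGS;
#define CK_UNAVAILABLE_INFORMATION (~0UL)   /* as in pkcs11.h */

#define CKF_NVIDIA_TOKEN_OK                       (1UL << 0)   /* placeholder */
#define CKF_NVIDIA_SECURE_STORAGE_FAILED          (1UL << 1)   /* placeholder */
#define CKF_NVIDIA_SECURE_STORAGE_TAMPERED        (1UL << 2)   /* placeholder */
#define CKF_NVIDIA_KEYLOAD_TIMEOUT                (1UL << 3)   /* placeholder */
#define CKF_NVIDIA_KEYLOAD_FAILED                 (1UL << 4)   /* placeholder */
#define CKF_NVIDIA_TOKEN_ERROR                    (1UL << 5)   /* placeholder */
#define CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED (1UL << 6)   /* placeholder */
#define CKF_NVIDIA_SECURE_STORAGE_NOT_PRESENT     (1UL << 7)   /* placeholder */
#define NVPKCS11_MAX_SESSIONS                     16UL         /* placeholder */

/* Any of these rules out persistent storage, even if TOKEN_OK is also set. */
#define NV_FAULT_MASK (CKF_NVIDIA_SECURE_STORAGE_FAILED | CKF_NVIDIA_SECURE_STORAGE_TAMPERED | \
    CKF_NVIDIA_KEYLOAD_TIMEOUT | CKF_NVIDIA_KEYLOAD_FAILED | CKF_NVIDIA_TOKEN_ERROR | \
    CKF_NVIDIA_SECURE_STORAGE_NOT_PROVISIONED | CKF_NVIDIA_SECURE_STORAGE_NOT_PRESENT)

/* The two CK_TOKEN_INFO members the check reads (same names as in pkcs11.h). */
typedef struct { CK_FLAGS flags; CK_ULONG ulMaxRwSessionCount; } token_status_view;

enum token_mode { PERSISTENT_OK, SESSION_ONLY, TOKEN_UNUSABLE };

/* Fail closed: persistent objects require TOKEN_OK, no fault flag, and a
 * read/write session count that agrees with the flags. The library reports
 * CK_UNAVAILABLE_INFORMATION there whenever token or storage is not OK, so a
 * TOKEN_OK flag paired with an unavailable count is treated as session-only. */
enum token_mode classify_token(const token_status_view *info)
{
    int token_ok = (info->flags & CKF_NVIDIA_TOKEN_OK) != 0;
    int fault    = (info->flags & NV_FAULT_MASK) != 0;
    int rw_ok    = info->ulMaxRwSessionCount == NVPKCS11_MAX_SESSIONS;

    if (token_ok && !fault && rw_ok)
        return PERSISTENT_OK;   /* CKA_TOKEN=CK_TRUE objects may be created */
    if (token_ok)
        return SESSION_ONLY;    /* token works, but use ephemeral objects only */
    return TOKEN_UNUSABLE;      /* do not open sessions on this token */
}

int main(void)
{
    /* Constructed sample: token reports OK but the r/w count is unavailable. */
    token_status_view view = { CKF_NVIDIA_TOKEN_OK, CK_UNAVAILABLE_INFORMATION };
    return classify_token(&view) == SESSION_ONLY ? 0 : 1;
}
```

In a real application, copy `flags` and `ulMaxRwSessionCount` from the CK_TOKEN_INFO filled by C_GetTokenInfo into the view (or adapt the function to take CK_TOKEN_INFO directly) before choosing between token and session objects.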