Interface Libraries libpkcs11(3LIB)
NAME
libpkcs11 - PKCS#11 Cryptographic Framework library
SYNOPSIS
cc [ flag... ] file... -lpkcs11 [ library... ]
#include
#include
DESCRIPTION
The libpkcs11 library implements the RSA Security Inc.
PKCS#11 Cryptographic Token Interface (Cryptoki), v2.20
specification by using plug-ins to provide the slots.
Each plug-in, which also implements RSA PKCS#11 v2.20,
represents one or more slots.
The libpkcs11 library provides a special slot called the
meta slot. The meta slot provides a virtual union of capa-
bilities of all other slots. When available, the meta slot
is always the first slot provided by libpkcs11.
The meta slot feature can be configured either system-wide
or by individual users. System-wide configuration for meta
slot features is done with the cryptoadm(1M) utility. User
configuration for meta slot features is performed with
environment variables.
By default, the following is the system-wide configuration
for meta slot. Meta slot is enabled. Meta slot provides
token-based object support with the Software RSA PKCS#11
softtoken (pkcs11_softtoken(5)). Meta slot is allowed to
move sensitive token objects to other slots if that is
necessary to perform an operation.
Users can override one or more system-wide configuration
options for meta slot using these environment variables.
The ${METASLOT_OBJECTSTORE_SLOT} and
${METASLOT_OBJECTSTORE_TOKEN} environment variables are used
to specify an alternate token object store. A user can
specify either slot-description in
${METASLOT_OBJECTSTORE_SLOT} or token-label in
${METASLOT_OBJECTSTORE_TOKEN}, or both. Valid values for
slot-description and token-label are available from output
of the command:
SunOS 5.11 Last change: 4 Aug 2008 1
cryptoadm list -v
The ${METASLOT_ENABLED} environment variable is used to
specify whether the user wants to turn the metaslot feature
on or off. Only two values are recognized. The value "true"
means meta slot will be on. The value "false" means meta
slot will be off.
The ${METASLOT_AUTO_KEY_MIGRATE} environment variable is
used to specify whether the user wants sensitive token
objects to move to other slots for cryptographic operations.
Only two values are recognized. The value "true" means meta
slot will migrate sensitive token objects to other slots if
necessary. The value "false" means meta slot will not
migrate sensitive token objects to other slots even if it is
necessary.
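A launcher-side check for the per-user overrides described above, as an added example that is not part of the original man page. `metaslot_check` and `run_pinned` are hypothetical helper names, the requirement that migration be explicitly disabled is this example's own policy assumption, and the token label passed to `run_pinned` would come from `cryptoadm list -v`.

```shell
#!/bin/sh
# Added example, not part of the man page. Variable names are from the text above.

# metaslot_check: report per-user meta slot overrides that are malformed or
# that leave key migration to the system-wide setting. Returns 0 if clean.
# Policy assumption (ours): a process using sensitive token keys should set
# METASLOT_AUTO_KEY_MIGRATE=false itself, since the system default allows it.
metaslot_check() {
    findings=0
    for name in METASLOT_ENABLED METASLOT_AUTO_KEY_MIGRATE; do
        eval "value=\${$name-}"          # name comes from the fixed list above
        case "$value" in
            ""|true|false) ;;            # unset or empty (treated alike here), or recognized
            *)  echo "$name='$value': only \"true\" and \"false\" are recognized"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "${METASLOT_ENABLED-}" != "false" ] &&
       [ "${METASLOT_AUTO_KEY_MIGRATE-}" != "false" ]; then
        echo "key migration not disabled for this process; system-wide setting applies"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# run_pinned TOKEN_LABEL CMD [ARG...]: run CMD with the meta slot on, its
# object store set to TOKEN_LABEL, and sensitive-object migration off.
run_pinned() {
    label=$1
    [ -n "$label" ] || { echo "run_pinned: token label required" >&2; return 2; }
    shift
    env METASLOT_ENABLED=true \
        METASLOT_AUTO_KEY_MIGRATE=false \
        METASLOT_OBJECTSTORE_TOKEN="$label" "$@"
}

# Constructed demo: a typo in the value is flagged before the application starts.
( METASLOT_ENABLED=true; METASLOT_AUTO_KEY_MIGRATE=flase; metaslot_check ) || true
```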
When the meta slot feature is enabled, the slot that pro-
vides token-based object support is not shown as one of the
available slots. All of its functionality can be used with
the meta slot.
This library filters the list of mechanisms available from
plug-ins based on the policy set by cryptoadm(1M).
This library provides entry points for all PKCS#11 v2.20
functions. See the RSA PKCS#11 v2.20 specification at
http://www.rsasecurity.com.
Plug-ins are added to libpkcs11 by the pkcs11conf class
action script during execution of pkgadd(1M). The available
mechanisms are administered by the cryptoadm(1M) utility.
Plug-ins must have all of their library dependencies specified,
including libc(3LIB). Libraries that have unresolved
symbols, including those from libc, will be rejected and a
message will be sent to syslog(3C) for such plug-ins.
Due to U.S. Export regulations, all plug-ins are required to
be cryptographically signed using the elfsign utility.
Any plug-in that is not signed or is not a compatible ver-
sion of PKCS#11 will be dropped by libpkcs11. When a plug-in
is dropped, the administrator is alerted by the syslog(3C)
utility.
The header contains function defini-
tions. The header contains type defini-
tions. Applications can include either of these headers in
place of , which contains both function
and type definitions.
INTERFACES
The shared object libpkcs11.so.1 provides the public inter-
faces defined below. See Intro(3) for additional information
on shared object interfaces.
PKCS#11 Standard
C_CloseAllSessions      C_CloseSession
C_CopyObject            C_CreateObject
C_Decrypt               C_DecryptDigestUpdate
C_DecryptFinal          C_DecryptInit
C_DecryptUpdate         C_DecryptVerifyUpdate
C_DeriveKey             C_DestroyObject
C_Digest                C_DigestEncryptUpdate
C_DigestFinal           C_DigestInit
C_DigestKey             C_DigestUpdate
C_Encrypt               C_EncryptFinal
C_EncryptInit           C_EncryptUpdate
C_Finalize              C_FindObjects
C_FindObjectsFinal      C_FindObjectsInit
C_GenerateKey           C_GenerateKeyPair
C_GenerateRandom        C_GetAttributeValue
C_GetFunctionList       C_GetInfo
C_GetMechanismInfo      C_GetMechanismList
C_GetObjectSize         C_GetOperationState
C_GetSessionInfo        C_GetSlotInfo
C_GetSlotList           C_GetTokenInfo
C_InitPIN               C_InitToken
C_Initialize            C_Login
C_Logout                C_OpenSession
C_SeedRandom            C_SetAttributeValue
C_SetOperationState     C_SetPIN
C_Sign                  C_SignEncryptUpdate
C_SignFinal             C_SignInit
C_SignRecover           C_SignRecoverInit
C_SignUpdate            C_UnwrapKey
C_Verify                C_VerifyFinal
C_VerifyInit            C_VerifyRecover
C_VerifyRecoverInit     C_VerifyUpdate
C_WaitForSlotEvent      C_WrapKey
SUNW Extensions
SUNW_C_GetMechSession   SUNW_C_KeyToObject
FILES
/usr/lib/libpkcs11.so.1 shared object
/usr/lib/64/libpkcs11.so.1 64-bit shared object
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWcsl (32-bit)
                        SUNWcslx (64-bit)
Interface Stability     Committed
MT-Level                See below.
Standard                See below.
The SUNW Extension functions are MT-Safe. The PKCS#11 Stan-
dard functions are MT-Safe with exceptions. See Section
6.5.2 of RSA PKCS#11 v2.20.
The PKCS#11 Standard functions conform to PKCS#11 v2.20.
SEE ALSO
cryptoadm(1M), pkgadd(1M), Intro(3),
SUNW_C_GetMechSession(3EXT), syslog(3C), attributes(5),
pkcs11_kernel(5), pkcs11_softtoken(5)
RSA PKCS#11 v2.20 http://www.rsasecurity.com
NOTES
If an application calls C_WaitForSlotEvent() without the
CKF_DONT_BLOCK flag set, libpkcs11 must create threads
internally. If, however, CKF_LIBRARY_CANT_CREATE_OS_THREADS
is set, C_WaitForSlotEvent() returns CKR_FUNCTION_FAILED.
The PKCS#11 library does not work with Netscape 4.x but does
work with more recent versions of Netscape and Mozilla.
Because C_Initialize() might have been called by both an
application and a library, it is not safe for a library or
its plugins to call C_Finalize(). A library can be finished
calling functions from libpkcs11, while an application might
not.