Standards, Environments, and Macros pkcs11_softtoken(5)
NAME
pkcs11_softtoken - Software RSA PKCS#11 softtoken
SYNOPSIS
/usr/lib/security/pkcs11_softtoken.so
/usr/lib/security/64/pkcs11_softtoken.so
DESCRIPTION
The pkcs11_softtoken.so object implements the RSA PKCS#11
v2.20 specification in software. Persistent storage for
"token" objects is provided by this PKCS#11 implementation.
Application developers should link to libpkcs11.so rather
than link directly to pkcs11_softtoken.so. See
libpkcs11(3LIB).
The following cryptographic algorithms are implemented: DES,
3DES, AES, Blowfish, RC4, MD5, SHA1, SHA256, SHA384, SHA512,
RSA, DSA, DH, and EC.
All of the standard PKCS#11 functions listed in
libpkcs11(3LIB) are implemented except for the following:
C_GetObjectSize
C_InitPIN
C_InitToken
C_WaitForSlotEvent
A call to these functions returns
CKR_FUNCTION_NOT_SUPPORTED.
The following RSA PKCS#11 v2.20 mechanisms are supported:
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_EC_KEY_PAIR_GEN
SunOS 5.11 Last change: 25 Mar 2008 1
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_AES_KEY_GEN
CKM_AES_ECB
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_AES_CTR
CKM_BLOWFISH_KEY_GEN
CKM_BLOWFISH_CBC
CKM_RC4_KEY_GEN
CKM_RC4
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_MD5_HMAC
CKM_MD5_HMAC_GENERAL
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA256_HMAC
CKM_SHA256_HMAC_GENERAL
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_MD5_KEY_DERIVATION
CKM_SHA1_KEY_DERIVATION
CKM_SHA256_KEY_DERIVATION
CKM_SHA384_KEY_DERIVATION
CKM_SHA512_KEY_DERIVATION
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_TLS_PRE_MASTER_KEY_GEN
CKM_TLS_MASTER_KEY_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH
Each of the following types of key objects has certain
token-specific attributes that are set to true by default as
a result of object creation, key/key pair generation, and
key derivation.
Public key object     CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER
Private key object    CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_EXTRACTABLE
Secret key object     CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_EXTRACTABLE
The following certificate objects are supported:
CKC_X_509
For CKC_X_509 certificate objects, the following attributes
are supported: CKA_SUBJECT, CKA_VALUE, CKA_LABEL, CKA_ID,
CKA_ISSUER, CKA_SERIAL_NUMBER, and CKA_CERTIFICATE_TYPE.
CKC_X_509_ATTR_CERT
For CKC_X_509_ATTR_CERT certificate objects, the following
attributes are supported: CKA_OWNER, CKA_VALUE, CKA_LABEL,
CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_ATTR_TYPES, and
CKA_CERTIFICATE_TYPE.
The search operation of objects matching the template is
performed at C_FindObjectsInit. The matched objects are
cached for subsequent C_FindObjects operations.
The pkcs11_softtoken.so object provides a filesystem-based
persistent token object store for storing token objects. The
default location of the token object store is the user's
home directory returned by getpwuid_r(). The user can
override the default location by using the ${SOFTTOKEN_DIR}
environment variable.
If the token object store has never been initialized, the
C_Login() function might return CKR_OK but the user will not
be able to create, generate, derive or find any private
token object and receives CKR_PIN_EXPIRED.
The user must use the pktool(1) setpin command with the
default passphrase "changeme" as the old passphrase to
change the passphrase of the object store. This action is
needed to initialize and set the passphrase to a newly
created token object store.
After logging in to the object store with the new passphrase
that was set by the pktool setpin command, the user can create
and store the private token object in this newly created
object store. Until the token object store is initialized by
setpin, the C_Login() function is allowed, but all attempts
by the user to create, generate, derive or find any private
token object fail with a CKR_PIN_EXPIRED error.
The PIN provided for C_Login() and C_SetPIN() functions can
be any string of characters with lengths between 1 and 256
and no embedded nulls.
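The store-location rule and the PIN limits above can be checked before a process ever calls C_Login(). The following is an added example, not code from Solaris or from this manual page: the function names are hypothetical, the permission check is an extra audit step the page does not describe, and it assumes the underscored names SOFTTOKEN_DIR, getpwuid_r() and pkcs11_softtoken, that an empty SOFTTOKEN_DIR counts as unset, and that the PIN length is counted in bytes.

```c
/* Added example (not Solaris source); function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* PIN rule from the page: 1..256 characters, no embedded nulls. */
int softtoken_pin_ok(const char *pin, size_t len)
{
    if (pin == NULL || len < 1 || len > 256)
        return 0;
    return memchr(pin, '\0', len) == NULL;
}

/* Store path: SOFTTOKEN_DIR override, else the getpwuid_r() home directory.
 * Assumed: empty variable counts as unset. Returns 0 on success, -1 on error. */
int softtoken_store_path(char *out, size_t outlen)
{
    const char *dir = getenv("SOFTTOKEN_DIR");
    struct passwd pw, *res = NULL;
    char buf[4096];
    int n;
    if (dir != NULL && dir[0] != '\0') {
        n = snprintf(out, outlen, "%s/pkcs11_softtoken", dir);
    } else {
        if (getpwuid_r(getuid(), &pw, buf, sizeof buf, &res) != 0 || !res)
            return -1;
        n = snprintf(out, outlen, "%s/.sunw/pkcs11_softtoken", pw.pw_dir);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Added audit check: 1 if group/other have any access, 0 if owner-only,
 * -1 if the path cannot be examined (for example, store not created). */
int softtoken_store_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

int main(void)
{
    char p[1024];
    return softtoken_store_path(p, sizeof p) ? 1 : (puts(p), 0);
}
```

Because SOFTTOKEN_DIR redirects where private token objects are read from and written to, a service wrapper can compare the resolved path against the expected location before loading the provider.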
RETURN VALUES
The return values for each of the implemented functions are
defined and listed in the RSA PKCS#11 v2.20 specification.
See http://www.rsasecurity.com
FILES
user_home_directory/.sunw/pkcs11_softtoken
user's default token object store
${SOFTTOKEN_DIR}/pkcs11_softtoken
alternate token object store
ATTRIBUTES
See attributes(5) for a description of the following
attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed
MT-Level               MT-Safe with exceptions. See section 6.5.2 of RSA PKCS#11 v2.20.
Standard               PKCS#11 v2.20
SEE ALSO
pktool(1), cryptoadm(1M), libpkcs11(3LIB), attributes(5),
pkcs11_kernel(5)
RSA PKCS#11 v2.20 http://www.rsasecurity.com