public final class JNIPKCS11
extends java.lang.Object
This class contains many of the functions described in the PKCS11 standard, which specifies an application programming interface (API), called 'Cryptoki', to devices that hold cryptographic information and perform cryptographic functions — tokens. It is used internally by the Toolkit for all token access.
| Modifier and Type | Class and Description |
|---|---|
static class |
JNIPKCS11.EcdsaDigestFormat
Supported ECDSA digest formats.
|
| Modifier and Type | Field and Description |
|---|---|
static java.lang.String |
CIPHER_AES_CBC_NOPADDING |
static java.lang.String |
CIPHER_AES_CBC_PKCS5PADING |
static java.lang.String |
CIPHER_AES_KEY_WRAP |
static java.lang.String |
CIPHER_AES_KEY_WRAP_PAD |
static java.lang.String |
CIPHER_DESEDE_CBC_PKCS5PADING
Cipher algorithm names
|
static java.lang.String |
CIPHER_ECDH_DERIVE1 |
static java.lang.String |
CIPHER_RSA_OAEP_PKCS1 |
static long |
CKG_MGF1_SHA1
Indicator for the MGF1 with SHA1 mask generation function.
|
static long |
CKG_MGF1_SHA224
Indicator for the MGF1 with SHA224 mask generation function.
|
static long |
CKG_MGF1_SHA256
Indicator for the MGF1 with SHA256 mask generation function.
|
static long |
CKG_MGF1_SHA384
Indicator for the MGF1 with SHA384 mask generation function.
|
static long |
CKG_MGF1_SHA512
Indicator for the MGF1 with SHA512 mask generation function.
|
static int |
CKK_DSA
Indicator for the DSA key-type.
|
static int |
CKK_EC
Indicator for the EC key-type.
|
static int |
CKK_RSA
Indicator for the RSA key-type.
|
static int |
CKU_SO
Indicator for a Security Officer user.
|
static int |
CKU_USER
Indicator for a Normal user.
|
static java.lang.String |
KEY_ALGORITHM_DSA |
static java.lang.String |
KEY_ALGORITHM_EC |
static java.lang.String |
KEY_ALGORITHM_ECDSA |
static java.lang.String |
KEY_ALGORITHM_RSA
Key algorithms
|
static java.lang.String |
KEY_MANAGEMENT_TYPE_ECDH |
static java.lang.String |
KEY_MANAGEMENT_TYPE_RSA_PKCS
Key management types
|
static java.lang.String |
KEY_MANAGEMENT_TYPE_RSA_PKCS_OAEP |
static java.lang.String |
SYMMETRIC_KEY_ALGORITHM_AES |
static java.lang.String |
SYMMETRIC_KEY_ALGORITHM_DESEDE
Symmetric key algorithms
|
| Modifier and Type | Method and Description |
|---|---|
long |
addDecryptionKey(long sessionHandle,
byte[] id,
byte[] modulus,
byte[] publicExponent,
byte[] privateExponent,
byte[] prime1,
byte[] prime2,
byte[] exponent1,
byte[] exponent2,
byte[] coefficient)
Creates a new RSA decryption key object on a token (a token object).
|
long |
addDecryptionKeySecure(long sessionHandle,
SecretKey wrappingKey,
long wrappingKeyHandle,
byte[] decryptionKey,
byte[] id)
Creates a new decryption key object on a token by transferring it to the
token securely.
|
void |
closeAllSessions(long slotID)
Closes all sessions an application has with a token.
|
void |
closeSession(long sessionHandle)
Closes a session between an application and a token.
|
void |
closeTemporarySessions(long slotID)
Closes all released temporary session handles for a particular slot.
|
static byte[] |
convertEcdsaSignaturePkcs11ToAnsix963(byte[] signature)
Converts an ECDSA signature produced by a PKCS#11 device to standard ASNI
X9-63-2005 format.
|
long |
create3DESKey(long sessionHandle)
Generates an DESede unwrapping key on the token.
|
long[] |
createDSASigningKeys(long sessionHandle,
byte[] prime,
byte[] subprime,
byte[] base)
Generates an DSA signing key pair on the token.
|
long[] |
createDSASigningKeys(long sessionHandle,
int strength)
Generates an DSA signing key pair on the token.
|
long[] |
createECSigningKeys(long sessionHandle,
java.security.spec.ECParameterSpec ecDomainParams)
Generates an EC signing key pair on the token.
|
long[] |
createRSADecryptionKeys(long sessionHandle,
int strength)
Generates an RSA encryption key pair on the token.
|
long[] |
createRSADecryptionKeys(long sessionHandle,
int strength,
byte[] publicExponent)
Generates an RSA decryption key pair on the token.
|
long[] |
createRSASigningKeys(long sessionHandle,
int strength)
Generates an RSA signing key pair on the token.
|
long[] |
createRSASigningKeys(long sessionHandle,
int strength,
byte[] publicExponent)
Generates an RSA signing key pair on the token.
|
long |
createSymmetricKey(long sessionHandle,
java.lang.String label,
SymmetricKeyType keyType,
int keySizeInBytes,
boolean tokenObject,
boolean extractable,
boolean forEncrypt,
boolean forMac)
Creates a symmetric key object of the given type, return the handle to
it.
|
byte[] |
decrypt(long sessionHandle,
byte[] ciphertext)
Decrypts encrypted data in a single part.
|
byte[] |
decryptFinal(long sessionHandle)
Finishes a multiple-part decryption operation.
|
void |
decryptInit(long sessionHandle,
long mechanism,
long keyHandle)
Initializes a decryption operation.
|
void |
decryptInit(long sessionHandle,
long mechanism,
long keyHandle,
byte[] iv)
Initializes a decryption operation, passing in a byte array to use as an
initialization vector with a symmetric cipher.
|
void |
decryptInit(long sessionHandle,
long mechanism,
long keyHandle,
long hashAlg,
long mgftype,
long source,
byte[] psourcedata)
Initializes a decryption operation, passing in a byte array to use as an
initialization vector with a symmetric cipher.
|
byte[] |
decryptUpdate(long sessionHandle,
byte[] ciphertext)
Continues a multiple-part decryption operation, processing another
encrypted data part.
|
int |
decryptUpdate(long sessionHandle,
byte[] input,
int inputOffset,
int inputLength,
byte[] output,
int outputOffset)
Continues a multiple-part decryption operation, processing another
encrypted data part and placing the result in a pre-allocated array.
|
void |
destroyObject(long sessionHandle,
long objectHandle)
Destroys (deletes) an object on the token.
|
byte[] |
encrypt(long sessionHandle,
byte[] plaintext)
Encrypts single-part data.
|
byte[] |
encryptFinal(long sessionHandle)
Finishes a multiple-part encryption operation.
|
void |
encryptInit(long sessionHandle,
long mechanism,
long keyHandle)
Initializes an encryption operation.
|
void |
encryptInit(long sessionHandle,
long mechanism,
long keyHandle,
byte[] iv)
Initializes an encryption operation, passing in a byte array to use as an
initialization vector with a symmetric cipher.
|
void |
encryptInit(long sessionHandle,
long mechanism,
long keyHandle,
long hashAlg,
long mgftype,
long source,
byte[] psourcedata)
Initializes an encryption operation, passing in a byte array to use as an
initialization vector with a symmetric cipher.
|
byte[] |
encryptUpdate(long sessionHandle,
byte[] plaintext)
Continues a multiple-part encryption operation, processing another data
part.
|
int |
encryptUpdate(long sessionHandle,
byte[] input,
int inputOffset,
int inputLength,
byte[] output,
int outputOffset)
Continues a multiple-part encryption operation, processing another data
part and placing the result in a pre-allocated array.
|
static byte[] |
formatEcdsaDigest(byte[] digest,
JNIPKCS11.EcdsaDigestFormat format,
java.security.spec.ECParameterSpec ecDomainParams)
Formats a digest using one of the supported ECDSA digest format methods.
|
long[] |
generateDSAKeyPair(long sessionHandle,
java.lang.String label,
boolean encryptAllowed,
boolean signAllowed,
byte[] prime,
byte[] subprime,
byte[] base)
Generates an DSA key pair on the token.
|
long |
generateECDHKeyAgreementDeriveKey(long sessionHandle,
long ec_privateKeyHandle,
byte[] otherPublicKeyEcPoint,
int deriveKeySize,
boolean extractable)
Using the Diffie-Hellman key agreement algorithm to securely establish a shared secret
between the token and toolkit.
|
long[] |
generateECKeyPair(long sessionHandle,
java.lang.String label,
boolean tokenObject,
boolean encryptAllowed,
boolean signAllowed,
boolean deriveAllowed,
java.security.spec.ECParameterSpec ecDomainParams)
Generates an EC key pair on the token for the purpose of securely establish a shared secret between two parties
using ECDH key agreement.
|
long[] |
generateECKeyPair(long sessionHandle,
java.lang.String label,
boolean encryptAllowed,
boolean signAllowed,
java.security.spec.ECParameterSpec ecDomainParams)
Generates an EC key pair on the token.
|
long[] |
generateRSAKeyPair(long sessionHandle,
java.lang.String label,
boolean encryptAllowed,
boolean signAllowed,
int strength,
byte[] publicExponent)
Generates an RSA key pair on the token.
|
SecretKey |
get3DESKeySecure(long sessionHandle,
long keyHandle)
Securely obtains a DESede secret key from a token using RSA wrapping.
|
long[] |
getAllDecryptionKeyHandles(long sessionHandle)
Obtains the object handles for a all decryption key objects stored on a
token.
|
long[] |
getAllObjectHandles(long sessionHandle)
Obtains the object handles for all objects stored on a token.
|
long |
getByteArrayHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
Obtains the object handle for a byte array object stored on a token.
|
byte[] |
getByteArrayObject(long sessionHandle,
long objectHandle)
Obtains a byte array object from a token by reading the CKA_VALUE
attribute an object.
|
byte[] |
getCertificate(long sessionHandle,
long objectHandle)
Obtains a certificate object from a token by reading the CKA_VALUE
attribute an object.
|
long |
getCertificateHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
Obtains the object handle for a certificate object stored on a token.
|
long |
getCertificateHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] id)
Obtains the object handle for a certificate object stored on a token.
|
long[] |
getCertificateHandles(long sessionHandle,
boolean isPrivate,
java.lang.String label)
Obtains the object handles for a set certificate objects stored on a
token.
|
long |
getDataObjectHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
Obtains the object handle for a data object stored on a token.
|
long[] |
getDataObjectHandles(long sessionHandle,
boolean isPrivate,
java.lang.String label)
Obtains the object handles for a set data objects stored on a token.
|
long[] |
getDataObjectHandles(long sessionHandle,
java.lang.String application)
Obtains the object handles for a set data objects stored on a token.
|
long |
getDecryptionKeyHandle(long sessionHandle,
byte[] id)
Obtains the object handle for a decryption key object stored on a token.
|
int |
getDecryptUpdateLength(long sessionHandle,
byte[] input,
int inputLength)
When performing a multiple-part decryption operation, this call returns
the number of bytes that would be required in an array passed to
decryptUpdate to hold the output. |
java.security.spec.DSAParameterSpec |
getDSAParams(long sessionHandle,
long objectHandle)
Extracts the DSA parameters from a DSA key object stored on a PKCS#11
device.
|
byte[] |
getDSAPublicKeyY(long sessionHandle,
long objectHandle)
Obtains the public value from a DSA key object stored on a token by
reading the CKA_VALUE attribute of the object.
|
java.security.spec.ECParameterSpec |
getECDomainParams(long sessionHandle,
long objectHandle)
Extracts the EC domain parameters from an EC key object stored on a
PKCS#11 device.
|
JNIPKCS11.EcdsaDigestFormat |
getEcdsaDigestFormat(long slotId)
Determines the ECDSA digest format used by the PKCS#11 device.
|
java.security.spec.ECPoint |
getECPublicPoint(long sessionHandle,
long objectHandle,
java.security.spec.ECParameterSpec ecDomainParams)
Extracts the EC public point from an EC public key object stored on a
PKCS#11 device.
|
int |
getEncryptUpdateLength(long sessionHandle,
byte[] input,
int inputLength)
When performing a multiple-part encryption operation, this call returns
the number of bytes that would be required in an array passed to
encryptUpdate to hold the output. |
Info |
getInfo()
Returns general information about Cryptoki.
|
java.lang.String |
getKeyID(long sessionHandle,
long objectHandle)
Obtains the key identifier from a key object on the token by reading the
CKA_ID attribute of the object.
|
int |
getKeyType(long sessionHandle,
long objectHandle)
Obtains the key type from a key object on the token by reading the
CKA_KEY_TYPE attribute of the object.
|
java.lang.String |
getLabel(long sessionHandle,
long objectHandle)
Obtains the label of an object on the token by reading the CKA_LABEL
attribute of the object.
|
MechanismInfo |
getMechanismInfo(long slotID,
long mechanismType)
Used to obtain information about a particular mechanism possibly
supported by a token.
|
MechanismList |
getMechanismList(long slotID)
Used to obtain a list of mechanism types supported by a token.
|
long |
getOldSigningKeyHandle(long sessionHandle)
Obtains the object handle for an "old" signing key object stored on a
token.
|
long |
getPrivateKeyHandle(long sessionHandle,
byte[] id)
Obtains the object handle for a private key object stored on a token.
|
long |
getPrivateKeyHandle(long sessionHandle,
java.lang.String label)
Obtains the object handle for a private key object stored on a token.
|
long |
getPrivateKeyHandle(long sessionHandle,
java.lang.String label,
byte[] id) |
long[] |
getPrivateKeyHandles(long sessionHandle,
java.lang.String label)
Obtains the object handles for a set private key objects stored on a
token.
|
byte[] |
getRSAPrivateKeyModulus(long sessionHandle,
long objectHandle)
Obtains the modulus from an RSA private key object stored on a token by
reading the CKA_MODULUS attribute of the object.
|
byte[] |
getRSAPublicKeyModulus(long sessionHandle,
long objectHandle)
Obtains the modulus from an RSA key object stored on a token by reading
the CKA_MODULUS attribute of the object.
|
byte[] |
getRSAPublicKeyPublicExp(long sessionHandle,
long objectHandle)
Obtains the public exponent from an RSA key object stored on a token by
reading the CKA_PUBLIC_EXPONENT attribute of the object.
|
int |
getSecretKeyLength(long sessionHandle,
long objectHandle)
Obtains the key length from a secret key object stored on a token by
reading the CKA_VALUE_LEN attribute of the object.
|
SessionInfo |
getSessionInfo(long sessionHandle)
Obtains information about a session.
|
long |
getSigningKeyHandle(long sessionHandle)
Obtains the object handle for a signing key object stored on a token.
|
int |
getSigningKeyType(long sessionHandle,
long objectHandle)
Obtains the key type from a signing key object on the token by reading
the CKA_KEY_TYPE attribute of the object.
|
SlotInfo |
getSlotInfo(long slotID)
Obtains information about a particular slot in the system.
|
SlotList |
getSlotList(boolean tokenPresent)
Used to obtain a list of slots in the system.
|
long |
getStringHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
Obtains the object handle for a string object stored on a token.
|
java.lang.String |
getStringObject(long sessionHandle,
long objectHandle)
Obtains a string object from a token by reading the CKA_VALUE attribute
an object.
|
long |
getTemporarySession(long slotID)
Gets a temporary session handle from the PKCS11 library, to be used when
crypto operations may be executed by multiple threads simultaneously.
|
TokenInfo |
getTokenInfo(long slotID)
Obtains information about a particular token in the system.
|
SecretKey |
getWrappingKeySecure(long sessionHandle,
long keyHandle,
SymmetricKeyType symmetricKeyAlgType,
int wrappingKeySize,
long keyWrapMechanism)
Securely obtains a AES or DESede secret key from a token using RSA wrapping.
|
void |
initPin(long sessionHandle,
java.lang.String userPin)
Initializes the Normal User's PIN.
|
void |
initToken(long slotID,
java.lang.String soPin,
java.lang.String label)
Initializes a token.
|
static boolean |
isUseAutomaticPkcs11Initialization() |
void |
login(long sessionHandle,
int userType,
java.lang.String pin)
Logs a user into a token.
|
void |
logout(long sessionHandle)
Logs a user out from a token.
|
long |
openSession(long slotID,
boolean readWrite)
This function opens a session between an application and a token in a
particular slot.
|
void |
releaseTemporarySession(long slotID,
long sessionHandle)
Releases a temporary session handle previously obtained through a call to
getTemporarySession(long). |
long |
setByteArrayObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] value)
Creates a new byte array object on a token (a token object).
|
long |
setByteArrayObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
java.lang.String application,
byte[] value)
Creates a new byte array object on a token (a token object), setting the
CKA_APPLICATION attribute.
|
long |
setCertificate(long sessionHandle,
boolean isToken,
boolean isPrivate,
boolean isModifiable,
java.lang.String label,
byte[] subject,
byte[] id,
byte[] issuer,
byte[] serialNumber,
byte[] value)
Creates a new X.509 public key certificate object on a token (a token
object).
|
long |
setCertificate(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] subject,
byte[] value)
Creates a new X.509 public key certificate object on a token (a token
object).
|
long |
setCertificate(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] id,
X509Certificate certificate)
Creates a new X.509 public key certificate object on a token (a token
object).
|
long |
setCertificate(long sessionHandle,
boolean isPrivate,
java.lang.String label,
X509Certificate certificate)
Creates a new X.509 public key certificate object on a token (a token
object).
|
long |
setDSAPrivateKey(long sessionHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] prime,
byte[] subprime,
byte[] base,
byte[] value)
Creates a new DSA private key object on a token (a token object).
|
long |
setDSAPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey)
Creates a new DSA private key object on a token by transferring it to the
token securely.
|
long |
setDSASigningKey(long sessionHandle,
byte[] prime,
byte[] subprime,
byte[] base,
byte[] value)
Creates a new DSA signing key object on a token (a token object).
|
long |
setECPrivateKey(long sessionHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] d,
java.security.spec.ECParameterSpec ecDomainParams)
Creates a new EC private key object on a token (a token object).
|
long |
setECPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey)
Creates a new EC private key object on a token by transferring it to the
token securely.
|
long |
setIntObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
int value)
Creates a new integer object on a token (a token object).
|
void |
setKeyID(long sessionHandle,
long objectHandle,
java.lang.String keyId)
Sets the key identifier of a key object that already exists on the token
by writing the CKA_ID attribute of the object.
|
void |
setNewLabel(long sessionHandle,
long objectHandle,
java.lang.String label)
Sets the label of an object that already exists on the token by writing
the CKA_LABEL attribute of the object.
|
void |
setPin(long sessionHandle,
java.lang.String oldPin,
java.lang.String newPin)
Modifies the PIN of the user currently logged in.
|
long |
setPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey,
java.lang.String privateKeyAlgorithm,
long keyWrapMode)
Creates a new private key object on a token by transferring it to the
token securely.
|
long |
setRSAPrivateKey(long sessionHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] modulus,
byte[] publicExponent,
byte[] privateExponent,
byte[] prime1,
byte[] prime2,
byte[] exponent1,
byte[] exponent2,
byte[] coefficient)
Creates a new RSA private key object on a token (a token object).
|
long |
setRSAPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey)
Creates a new RSA private key object on a token by transferring it to the
token securely.
|
long |
setRSASigningKey(long sessionHandle,
byte[] modulus,
byte[] publicExponent,
byte[] privateExponent,
byte[] prime1,
byte[] prime2,
byte[] exponent1,
byte[] exponent2,
byte[] coefficient)
Creates a new RSA signing key object on a token (a token object).
|
long |
setStringObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
java.lang.String value)
Creates a new string object on a token (a token object).
|
long |
setStringObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
java.lang.String application,
java.lang.String value)
Creates a new string object on a token (a token object).
|
static void |
setUseAutomaticPkcs11Initialization(boolean useAutomaticPkcs11Initialization)
Call this method with useAutomaticPkcs11Initialization = false if you wish handle of loading Native library
|
byte[] |
sign(long sessionHandle,
byte[] data)
Signs data in a single part, where the signature is an appendix to the
data.
|
byte[] |
signFinal(long sessionHandle)
Finishes a multiple-part signature operation, returning the signature.
|
void |
signInit(long sessionHandle,
long mechanism,
long keyHandle)
Initializes a signature operation, where the signature is an appendix to
the data.
|
void |
SignInitWithRSAPSSParameters(long sessionHandle,
long mechanism,
long keyHandle,
long hashAlg,
long mgfType,
long saltLength)
Initializes a signature operation, where the signature is an appendix to
the data.
|
void |
signUpdate(long sessionHandle,
byte[] part)
Continues a multiple-part signature operation, processing another data
part.
|
void |
signUpdate(long sessionHandle,
byte[] part,
int offset,
int length)
Continues a multiple-part signature operation, processing another data
part.
|
long |
unwrapDecryptionKey(long sessionHandle,
long wrappingKeyHandle,
byte[] wrappedKey,
byte[] id)
Unwraps an RSA decryption key on the token using the specified DESede
secret key.
|
long |
unwrapDSAPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey)
Unwraps an DSA private key on the token using the specified AES or DESede secret key.
|
long |
unwrapECPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey)
Unwraps an EC private key on the token using the specified AES or DESede secret key.
|
long |
unwrapPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey,
java.lang.String wrappedKeyAlgorithm,
long wrapKeyMechanism,
byte[] iv)
Unwraps a private key on the token using the specified AES or DESede secret key.
|
long |
unwrapRSAPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey)
Unwraps an RSA private key on the token using the specified AES or DESede secret key.
|
boolean |
verify(long sessionHandle,
byte[] data,
byte[] signature)
Verifies a signature in a single-part operation, where the signature is
an appendix to the data.
|
boolean |
verifyFinal(long sessionHandle,
byte[] signature)
Finishes a multiple-part verification operation, checking the signature.
|
void |
verifyInit(long sessionHandle,
long mechanism,
long keyHandle)
Initializes a verification operation, where the signature is an appendix
to the data.
|
void |
verifyUpdate(long sessionHandle,
byte[] part)
Continues a multiple-part verification operation, processing another data
part.
|
byte[] |
wrapKeyRSA(long sessionHandle,
long keyHandle,
byte[] modulus,
byte[] publicExponent)
Wraps a DESede or AES key on the token with the provided RSA public key.
|
byte[] |
wrapKeyRSAPKCSOrOAEP(long sessionHandle,
long keyHandle,
byte[] modulus,
byte[] publicExponent,
long hashAlg,
long mgftype,
long source,
byte[] psourcedata,
long psourcedatalen)
Wraps a DESede or AES key on the token with the provided RSA public key using
either PKCS or OAEP Padding
|
public static final int CKK_RSA
public static final int CKK_DSA
public static final int CKK_EC
public static final int CKU_SO
public static final int CKU_USER
public static final java.lang.String SYMMETRIC_KEY_ALGORITHM_DESEDE
public static final java.lang.String SYMMETRIC_KEY_ALGORITHM_AES
public static final java.lang.String KEY_ALGORITHM_RSA
public static final java.lang.String KEY_ALGORITHM_DSA
public static final java.lang.String KEY_ALGORITHM_EC
public static final java.lang.String KEY_ALGORITHM_ECDSA
public static final java.lang.String KEY_MANAGEMENT_TYPE_RSA_PKCS
public static final java.lang.String KEY_MANAGEMENT_TYPE_RSA_PKCS_OAEP
public static final java.lang.String KEY_MANAGEMENT_TYPE_ECDH
public static final java.lang.String CIPHER_DESEDE_CBC_PKCS5PADING
public static final java.lang.String CIPHER_AES_CBC_NOPADDING
public static final java.lang.String CIPHER_AES_CBC_PKCS5PADING
public static final java.lang.String CIPHER_RSA_OAEP_PKCS1
public static final java.lang.String CIPHER_AES_KEY_WRAP
public static final java.lang.String CIPHER_AES_KEY_WRAP_PAD
public static final java.lang.String CIPHER_ECDH_DERIVE1
public static final long CKG_MGF1_SHA1
public static final long CKG_MGF1_SHA256
public static final long CKG_MGF1_SHA384
public static final long CKG_MGF1_SHA512
public static final long CKG_MGF1_SHA224
public static boolean isUseAutomaticPkcs11Initialization()
public static void setUseAutomaticPkcs11Initialization(boolean useAutomaticPkcs11Initialization)
useAutomaticPkcs11Initialization - public Info getInfo() throws UserFatalException
UserFatalException - [FIPS 140-2 status output] thrown if an error occurs
accessing the general information about CryptokiFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic SlotList getSlotList(boolean tokenPresent) throws UserFatalException
The set of slots accessible through a Cryptoki library is fixed when the
PKCS11 API is loaded and initialized. If an application calls
getSlotList, and then the user connects a new hardware
device, the new device will not appear as a new slot if
getSlotList is called again.
To recognize the new device, the PKCS11 API must be loaded and initialized again. To be able to load an initialized successfully, the PKCS11 API must first be unloaded an finalized. Even if the PKCS11 API is loaded and initialized successfully, the new device might not be recognized. On some platforms, it might be necessary to restart the entire system.
tokenPresent - [FIPS 140-2 control input] indicates whether the list obtained
includes only those slots with a token present (
true), or all slots (false)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining a list of slotsFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic SlotInfo getSlotInfo(long slotID) throws UserFatalException
slotID - [FIPS 140-2 control input] the ID of the slotUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining information about the slotFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic TokenInfo getTokenInfo(long slotID) throws UserFatalException
slotID - [FIPS 140-2 control input] the ID of the token's slotUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining information about a tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic MechanismList getMechanismList(long slotID) throws UserFatalException
slotID - [FIPS 140-2 control input] the ID of the token's slotUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining a list of mechanism typesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic MechanismInfo getMechanismInfo(long slotID, long mechanismType) throws UserFatalException
slotID - [FIPS 140-2 control input] the ID of the token's slotmechanismType - [FIPS 140-2 control input] the type of mechanismUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining information about the mechanismFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void initToken(long slotID,
java.lang.String soPin,
java.lang.String label)
throws UserFatalException
If the token has not been initialized (because it is new from the
factory, for example), the soPin parameter becomes the
initial value of the SO PIN. If the token is being reinitialized, the
soPin parameter is checked against the existing SO PIN to
authorize the initialization operation. In both cases, the SO PIN is set
to the value soPin after the function completes
successfully.
When a token is initialized, all objects that can be destroyed are destroyed (except "indestructible" objects such as keys built into the token). Also, access by the normal user is disabled until the SO sets the normal user's PIN.
A token cannot be initialized if Cryptoki detects that any application
has an open session. When a call to this function is made under such
circumstances, the call fails with error CKR_SESSION_EXISTS.
If the token has a "protected authentication path", as indicated by the
CKF_PROTECTED_AUTHENTICATION_PATH flag in the CK_TOKEN_INFO being set;
then there is some other way for a user to be authenticated to the token
without sending a PIN through the Cryptoki library. One such possibility
is that the user enters a PIN on a PIN-pad connected to the token itself.
To initialize token a token with such a protected authentication path,
the soPin parameter must be set to null. Then,
during the execution of this API, the Security Officer must enter their
PIN through the protected authentication path.
slotID - [FIPS 140-2 control input] the ID of the token's slotsoPin - [FIPS 140-2 data input] [FIPS 140-2 CSP] the the Security
Officers initial PINlabel - [FIPS 140-2 data input] a label for the tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void initPin(long sessionHandle,
java.lang.String userPin)
throws UserFatalException
This method can be called only in the R/W SO Functions state. An
attempt to call it from a session in any other state fails with error
CKR_USER_NOT_LOGGED_IN.
If the token has a "protected authentication path", as indicated by the
CKF_PROTECTED_AUTHENTICATION_PATH flag in the CK_TOKEN_INFO being set;
then there is some other way for a user to be authenticated to the token
without sending a PIN through the Cryptoki library. One such possibility
is that the user enters a PIN on a PIN-pad connected to the token itself.
To initialize the Normal User's PIN on a token with such a protected
authentication path, the userPin parameter must be set to
null. Then, during the execution of this API, the Security
Officer must enter the Normal User's PIN through the protected
authentication path.
sessionHandle - [FIPS 140-2 control input] the session's handleuserPin - [FIPS 140-2 data input] [FIPS 140-2 CSP] the normal user's PINUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the normal user's PINFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void setPin(long sessionHandle,
java.lang.String oldPin,
java.lang.String newPin)
throws UserFatalException
This method can be called only in the R/W SO Functions or R/W
User Functions states. An attempt to call it from a session in any
other state fails with error CKR_SESSION_READ_ONLY.
If the token has a "protected authentication path", as indicated by the
CKF_PROTECTED_AUTHENTICATION_PATH flag in the CK_TOKEN_INFO being set;
then there is some other way for a user to be authenticated to the token
without sending a PIN through the Cryptoki library. One such possibility
is that the user enters a PIN on a PIN-pad connected to the token itself.
To modify the current user's PIN on a token with such a protected
authentication path, the oldPin and newPin
parameters must be set to null. Then, during the execution
of this API, the current user must enter the old PIN and the new PIN
through the protected authentication path.
sessionHandle - [FIPS 140-2 control input] the session's handleoldPin - [FIPS 140-2 data input] [FIPS 140-2 CSP] the user's old PINnewPin - [FIPS 140-2 data input] [FIPS 140-2 CSP] the user's new PINUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
setting the user's PINFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long openSession(long slotID,
boolean readWrite)
throws UserFatalException
There might be a limit on the number of concurrent sessions an
application can have with the token, which may depend on whether the
session is read-only or read/write. An attempt to open a session that
does not succeed because there are too many existing sessions of some
type, will fail with error CKR_SESSION_COUNT.
If the token is write-protected, then only read-only sessions can be
opened with it. If the application calling openSession
already has a read/write SO session open with the token, any attempt to
open a read-only session with the token fails with error code
CKR_SESSION_READ_WRITE_SO_EXISTS.
slotID - [FIPS 140-2 control input] the slot's IDreadWrite - [FIPS 140-2 control input] indicates the type of session(
read/write or read-only )UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
opening the sessionFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void closeSession(long sessionHandle)
throws UserFatalException
If this function is successful and it closes the last session between the application and the token, the login state of the token for the application returns to public sessions. Any new sessions with the token opened by the application will be either read-only Public or read/write Public sessions.
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
closing the sessionpublic void closeAllSessions(long slotID)
throws UserFatalException
After successful execution of this function, the login state of the token for the application returns to public sessions. Any new sessions to the token opened by the application will be either read-only Public or read/write Public sessions.
slotID - [FIPS 140-2 control input] specifies the token's slotUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
closing all the sessionspublic SessionInfo getSessionInfo(long sessionHandle) throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining information about the sessionFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void login(long sessionHandle,
int userType,
java.lang.String pin)
throws UserFatalException,
UserAlreadyLoggedInException
Depending on the user type, if the call succeeds, each of the application's sessions will enter either the R/W SO Functions state, the R/W User Functions state, or the R/O User Functions' state.
If the application calling login has a read-only session
open with the token, it will be unable to log the SO into a session. An
attempt to do this will result in the error code
CKR_SESSION_READ_ONLY_EXISTS.
If the token has a "protected authentication path", as indicated by the
CKF_PROTECTED_AUTHENTICATION_PATH flag in the CK_TOKEN_INFO being set;
then there is some other way for a user to be authenticated to the token
without sending a PIN through the Cryptoki library. One such possibility
is that the user enters a PIN on a PIN-pad connected to the token itself.
To login to a token with such a protected authentication path, the
pin parameter must be set to null. Then, during
the execution of this API, the user attempting to login must enter their
PIN through the protected authentication path.
sessionHandle - [FIPS 140-2 control input] a session handleuserType - [FIPS 140-2 control input] the user type ( 0 = security
officer, 1 = user )pin - [FIPS 140-2 data input] [FIPS 140-2 CSP] the user's PINUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
logging in the userUserAlreadyLoggedInException - [FIPS 140-2 status output] thrown if the user is already
logged inFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void logout(long sessionHandle)
throws UserFatalException
Depending on the current user type, if the call succeeds, each of the application's sessions will enter either the R/W Public Session state or the R/O Public Session state.
When logout successfully executes, any of the application's
handles to private objects become invalid (even if a user is later logged
back into the token, the handles remain invalid).
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while logging out the userFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setStringObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
java.lang.String value)
throws UserFatalException
The Data object is created with the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_APPLICATION = default
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectvalue - [FIPS 140-2 data input] the string valueUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the string object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setStringObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
java.lang.String application,
java.lang.String value)
throws UserFatalException
The Data object is created with the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_APPLICATION = <CODE>application</CODE>
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectapplication - [FIPS 140-2 data input] an identifier for the application that
created the object (OPTIONAL)value - [FIPS 140-2 data input] the string valueUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the string object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setIntObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
int value)
throws UserFatalException
The Data object is created with the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_APPLICATION = default
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectvalue - [FIPS 140-2 data input] the integer valueUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the integer object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setByteArrayObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] value)
throws UserFatalException
The Data object is created with the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_APPLICATION = default
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectvalue - [FIPS 140-2 data input] the byte arrayUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the byte array object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setByteArrayObject(long sessionHandle,
boolean isPrivate,
java.lang.String label,
java.lang.String application,
byte[] value)
throws UserFatalException
The Data object is created with the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_APPLICATION = <CODE>application</CODE>
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectapplication - [FIPS 140-2 data input] an identifier for the application that
created the object (OPTIONAL)value - [FIPS 140-2 data input] the byte arrayUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the byte array object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setCertificate(long sessionHandle,
boolean isPrivate,
java.lang.String label,
X509Certificate certificate)
throws UserFatalException
The Certificate object is created with the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
CKA_SUBJECT = <CODE>certificate.getSubjectDN()</CODE>
CKA_ID = default
CKA_ISSUER = default
CKA_SERIAL_NUMBER = default
CKA_VALUE = <CODE>certificate.getEncoded()</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectcertificate - [FIPS 140-2 data input] the certificateUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the certificate object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setCertificate(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] id,
X509Certificate certificate)
throws UserFatalException
The Certificate object is created with the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
CKA_SUBJECT = <CODE>certificate.getSubjectDN()</CODE>
CKA_ID = <CODE>id</CODE>
CKA_ISSUER = default
CKA_SERIAL_NUMBER = default
CKA_VALUE = <CODE>certificate.getEncoded()</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the certificate
(OPTIONAL)certificate - [FIPS 140-2 data input] the certificateUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the certificate object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setCertificate(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] subject,
byte[] value)
throws UserFatalException
The Certificate object is created with the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
CKA_SUBJECT = <CODE>subject</CODE>
CKA_ID = default
CKA_ISSUER = default
CKA_SERIAL_NUMBER = default
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectsubject - [FIPS 140-2 data input] DER-encoding of the certificate
subject namevalue - [FIPS 140-2 data input] the BER encoding of the certificateUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the certificate object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setCertificate(long sessionHandle,
boolean isToken,
boolean isPrivate,
boolean isModifiable,
java.lang.String label,
byte[] subject,
byte[] id,
byte[] issuer,
byte[] serialNumber,
byte[] value)
throws UserFatalException
The Certificate object is created with the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = <CODE>isToken</CODE>
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
CKA_SUBJECT = <CODE>subject</CODE>
CKA_ID = <CODE>id</CODE>
CKA_ISSUER = <CODE>issuer</CODE>
CKA_SERIAL_NUMBER = <CODE>serialNumber</CODE>
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisToken - [FIPS 140-2 control input] indicates if the object is to be
created as a token object or a session objectisPrivate - [FIPS 140-2 control input] indicates whether the object is
created in the public or private memory on the tokenisModifiable - [FIPS 140-2 control input] this value is ignored and the
default value is used instead because some vendors do not
support the setting of this valuelabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectsubject - [FIPS 140-2 data input] DER-encoding of the certificate
subject nameid - [FIPS 140-2 data input] key identifier for the certificateissuer - [FIPS 140-2 data input] DER-encoding of the certificate issuer
nameserialNumber - [FIPS 140-2 data input] DER encoding of the certificate serial
numbervalue - [FIPS 140-2 data input] the BER encoding of the certificateUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the certificate object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setRSASigningKey(long sessionHandle,
byte[] modulus,
byte[] publicExponent,
byte[] privateExponent,
byte[] prime1,
byte[] prime2,
byte[] exponent1,
byte[] exponent2,
byte[] coefficient)
throws UserFatalException
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = <CODE>modulus</CODE>
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
CKA_PRIVATE_EXPONENT = <CODE>privateExponent</CODE>
CKA_PRIME_1 = <CODE>prime1</CODE>
CKA_PRIME_2 = <CODE>prime2</CODE>
CKA_EXPONENT_1 = <CODE>exponent1</CODE>
CKA_EXPONENT_2 = <CODE>exponent2</CODE>
CKA_COEFFICIENT = <CODE>coefficient</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlemodulus - [FIPS 140-2 data input] the key's modulus (n)publicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's public
exponent (e)privateExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's private
exponent (d)prime1 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's first prime
(p)prime2 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's second
prime (q)exponent1 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's first
exponent (d mod p-1)exponent2 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's second
exponent (d mod q-1)coefficient - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's coefficient
(1/q mod p)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the RSA signing key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setDSASigningKey(long sessionHandle,
byte[] prime,
byte[] subprime,
byte[] base,
byte[] value)
throws UserFatalException
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>Signing Key</CODE>
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME = <CODE>subPrime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleprime - [FIPS 140-2 data input] the key's prime (p)subprime - [FIPS 140-2 data input] the key's sub-prime (q)base - [FIPS 140-2 data input] the key's base (g)value - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's private
value (x)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the DSA signing key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long addDecryptionKey(long sessionHandle,
byte[] id,
byte[] modulus,
byte[] publicExponent,
byte[] privateExponent,
byte[] prime1,
byte[] prime2,
byte[] exponent1,
byte[] exponent2,
byte[] coefficient)
throws UserFatalException
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>Private Keys</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = true
CKA_SIGN = false
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = <CODE>modulus</CODE>
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
CKA_PRIVATE_EXPONENT = <CODE>privateExponent</CODE>
CKA_PRIME_1 = <CODE>prime1</CODE>
CKA_PRIME_2 = <CODE>prime2</CODE>
CKA_EXPONENT_1 = <CODE>exponent1</CODE>
CKA_EXPONENT_2 = <CODE>exponent2</CODE>
CKA_COEFFICIENT = <CODE>coefficient</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleid - [FIPS 140-2 data input] key identifier for the private keymodulus - [FIPS 140-2 data input] the key's modulus (n)publicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's public
exponent (e)privateExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's private
exponent (d)prime1 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's first prime
(p)prime2 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's second
prime (q)exponent1 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's first
exponent (d mod p-1)exponent2 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's second
exponent (d mod q-1)coefficient - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's coefficient
(1/q mod p)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the RSA decryption key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setRSAPrivateKey(long sessionHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] modulus,
byte[] publicExponent,
byte[] privateExponent,
byte[] prime1,
byte[] prime2,
byte[] exponent1,
byte[] exponent2,
byte[] coefficient)
throws UserFatalException
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = <CODE>modulus</CODE>
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
CKA_PRIVATE_EXPONENT = <CODE>privateExponent</CODE>
CKA_PRIME_1 = <CODE>prime1</CODE>
CKA_PRIME_2 = <CODE>prime2</CODE>
CKA_EXPONENT_1 = <CODE>exponent1</CODE>
CKA_EXPONENT_2 = <CODE>exponent2</CODE>
CKA_COEFFICIENT = <CODE>coefficient</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationmodulus - [FIPS 140-2 data input] the key's modulus (n)publicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's public
exponent (e)privateExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's private
exponent (d)prime1 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's first prime
(p)prime2 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's second
prime (q)exponent1 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's first
exponent (d mod p-1)exponent2 - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's second
exponent (d mod q-1)coefficient - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's coefficient
(1/q mod p)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the RSA private key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setDSAPrivateKey(long sessionHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] prime,
byte[] subprime,
byte[] base,
byte[] value)
throws UserFatalException
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_DSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME = <CODE>subPrime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationprime - [FIPS 140-2 data input] the key's prime (p)subprime - [FIPS 140-2 data input] the key's sub-prime (q)base - [FIPS 140-2 data input] the key's base (g)value - [FIPS 140-2 data input] [FIPS 140-2 CSP] the key's private
value (x)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the DSA private key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setECPrivateKey(long sessionHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] d,
java.security.spec.ECParameterSpec ecDomainParams)
throws UserFatalException
An attempt is first made to create the key pair using EC domain parameters encoded in 'named' format. If this fails, a second attempt is made to create the key pair using EC domain parameters encoded in 'specified' format.
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_EC
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = <CODE>d</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationd - [FIPS 140-2 data input] [FIPS 140-2 CSP] the private key value
(also called s)ecDomainParams - [FIPS 140-2 data input] EC domain parametersUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
creating the EC private key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long addDecryptionKeySecure(long sessionHandle,
SecretKey wrappingKey,
long wrappingKeyHandle,
byte[] decryptionKey,
byte[] id)
throws UserFatalException
This is done by first wrapping the decryption key in software using a DESede key that was generated on the token and securely transfered to software. The wrapped decryption key is then transfered onto the token and unwrapped on the token using the same DESede key.
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>Private Keys</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = true
CKA_SIGN = false
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = from wrapped key
CKA_PUBLIC_EXPONENT = from wrapped key
CKA_PRIVATE_EXPONENT = from wrapped key
CKA_PRIME_1 = from wrapped key
CKA_PRIME_2 = from wrapped key
CKA_EXPONENT_1 = from wrapped key
CKA_EXPONENT_2 = from wrapped key
CKA_COEFFICIENT = from wrapped key
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DESede key used
for wrapping the decryption key in softwarewrappingKeyHandle - [FIPS 140-2 control input] the handle of the DESede key used
for unwrapping the decryption key on the tokendecryptionKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DER encoding of
the decryption keyid - [FIPS 140-2 data input] key identifier for the decryption keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
securely creating the RSA decryption key object on the
tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setRSAPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. This is done by first wrapping the decryption key in software using a AES or DESede key that was generated on the token and securely transfered to software. The default key wrap mechanism for the AES key is: 'CKM_AES_CBC_PAD', and the default key wrap mechanism is 'CKM_DES3_CBC_PAD' for DESede key. You may use the API setPrivateKeySecure() if you wish to indicate the key wrap mechanism 'CKM_AES_KEY_WRAP_KWP' for the AES key supported by the toolkit. The wrapped decryption key is then transfered onto the token and unwrapped on the token using the same AES or DESede key.
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = from wrapped key
CKA_PUBLIC_EXPONENT = from wrapped key
CKA_PRIVATE_EXPONENT = from wrapped key
CKA_PRIME_1 = from wrapped key
CKA_PRIME_2 = from wrapped key
CKA_EXPONENT_1 = from wrapped key
CKA_EXPONENT_2 = from wrapped key
CKA_COEFFICIENT = from wrapped key
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the AES or DESede key used
for wrapping the private key in softwarewrappingKeyHandle - [FIPS 140-2 control input] the handle of the AES or DESede key,
or the ECDH derive key used for unwrapping the private key on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationprivateKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DER encoding of
the private keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
securely creating the RSA private key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey,
java.lang.String privateKeyAlgorithm,
long keyWrapMode)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. This is done by first wrapping the private key in software, using an ECDH Key agreement derived AES key or an AES or DESede key that was generated on the token. The key wrap mechanisms available for the AES key are: CKM_AES_KEY_WRAP_KWP or CKM_AES_CBC_PAD, while the key wrapping mechanism for DESede key is CKM_DES3_CBC_PAD. You may use the older APIs: setRSAPrivateKeySecure, setDSAPrivateKeySecure and setECPrivateKeySecure where these functions will use the default key wrap mechanism for the wrapping key. The wrapped key along with the wrapping key handle are then transfered onto the token and unwrapped on the token using the same AES or DESede key.
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = from wrapped key
CKA_PUBLIC_EXPONENT = from wrapped key
CKA_PRIVATE_EXPONENT = from wrapped key
CKA_PRIME_1 = from wrapped key
CKA_PRIME_2 = from wrapped key
CKA_EXPONENT_1 = from wrapped key
CKA_EXPONENT_2 = from wrapped key
CKA_COEFFICIENT = from wrapped key
sessionHandle - the session's handlewrappingKeyHandle - the handle of the AES or DESede, or the ECDH derive key used
for unwrapping the private key on the tokenwrappingKey - the AES or DESede key used for wrapping the private key in softwarelabel - the object's label on the token — a description of the objectid - key identifier for the private keyencryptAllowed - indicates if the private key can be used for encryption/decryptionsignAllowed - indicates if the private key can be used for signing/verificationprivateKey - the DER encoding of the private keyprivateKeyAlgorithm - the key algorithm name of the private keykeyWrapMode - the key wrapping mechanism used to wrap the private key will be
used to unwrap the key on tokenUserFatalExceptionpublic long setDSAPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. This is done by first wrapping the decryption key in software using a AES or DESede key that was generated on the token and securely transfered to software. The default key wrap mechanism for the AES key is: 'CKM_AES_CBC_PAD', and the default key wrap mechanism is 'CKM_DES3_CBC_PAD' for DESede key. You may use the API setPrivateKeySecure() if you wish to indicate the key wrap mechanism 'CKM_AES_KEY_WRAP_KWP' for the AES key supported by the toolkit. The wrapped decryption key is then transfered onto the token and unwrapped on the token using the same AES or DESede key.
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_DSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME = <CODE>subPrime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = <CODE>value</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the AES or DESede key used
for wrapping the private key in softwarewrappingKeyHandle - [FIPS 140-2 control input] the handle of the AES or DESede key used
for unwrapping the private key on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationprivateKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DER encoding of
the private keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
securely creating the DSA private key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long setECPrivateKeySecure(long sessionHandle,
long wrappingKeyHandle,
SecretKey wrappingKey,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] privateKey)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. This is done by first wrapping the decryption key in software using a AES or DESede key that was generated on the token and securely transfered to software. The default key wrap mechanism for the AES key is: 'CKM_AES_CBC_PAD', and the default key wrap mechanism is 'CKM_DES3_CBC_PAD' for DESede key. You may use the API setPrivateKeySecure() if you wish to indicate the key wrap mechanism 'CKM_AES_KEY_WRAP_KWP' for the AES key supported by the toolkit. The wrapped decryption key is then transfered onto the token and unwrapped on the token using the same AES or DESede key.
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_EC
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_EC_PARAMS = <CODE>encodedParams</CODE>
CKA_VALUE = <CODE>d</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the AES or DESede key used
for wrapping the private key in softwarewrappingKeyHandle - [FIPS 140-2 control input] the handle of the AES or DESede key used
for unwrapping the private key on the tokenlabel - [FIPS 140-2 data input] the object's label on the token —
a description of the objectid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationprivateKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DER encoding of
the private keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
securely creating the DSA private key object on the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long generateECDHKeyAgreementDeriveKey(long sessionHandle,
long ec_privateKeyHandle,
byte[] otherPublicKeyEcPoint,
int deriveKeySize,
boolean extractable)
throws UserFatalException
The Elliptic-curve Diffie–Hellman (ECDH) allows the two parties, each having an elliptic-curve public–private key pair, to establish the shared secret. This shared secret is used as a secret key (AES key) in wrapping the private key object to be transfered into the token securely.
sessionHandle - the session's handleec_privateKeyHandle - the private key handle to the token generated elliptic-curve key pairotherPublicKeyEcPoint - the public key's DER encoded EC point of the software ephemeral
elliptic-curve key pairderiveKeySize - the key size of the derive keyextractable - indicates if the derive key can be extractedUserFatalExceptionpublic void destroyObject(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the object's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
destroying the objectpublic java.lang.String getStringObject(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the string's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the string objectFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] getByteArrayObject(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the byte array's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the byte array objectFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] getCertificate(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the certificate's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the certificate objectFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic java.lang.String getLabel(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the object's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object's labelFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic java.lang.String getKeyID(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the key object's key identifierFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int getKeyType(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the key object's key typeFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int getSigningKeyType(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the signing key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the signing key object's key typeFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] getRSAPublicKeyModulus(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the RSA key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the RSA key object's modulusFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] getRSAPrivateKeyModulus(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the RSA key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the RSA key object's modulusFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] getRSAPublicKeyPublicExp(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the RSA key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the RSA key object's public exponentFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] getDSAPublicKeyY(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the DSA key's object handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the DSA key object's public valueFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic java.security.spec.DSAParameterSpec getDSAParams(long sessionHandle,
long objectHandle)
throws UserFatalException
This is done by reading and DER-decoding the CKA_PRIME,
CKA_SUBPRIME, and CKA_BASE attributes of the
key object.
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the DSA key's object handleUserFatalException - [FIPS 140-2 status output] if an error occurred while
attempting to extract the DSA parameters from the PKCS#11
deviceFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic java.security.spec.ECPoint getECPublicPoint(long sessionHandle,
long objectHandle,
java.security.spec.ECParameterSpec ecDomainParams)
throws UserFatalException
This is done by reading and DER-decoding the CKA_EC_POINT
attribute value, which contains the DER-encoding of an ANSI X9.62
ECPoint structure, then parsing the contents into
ECPoint representation.
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the EC public key's object handleecDomainParams - [FIPS 140-2 data input] the EC domain parameters associated
with this EC public keyUserFatalException - [FIPS 140-2 status output] if an error occurred while
attempting to extract the EC public point from the PKCS#11
deviceFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic java.security.spec.ECParameterSpec getECDomainParams(long sessionHandle,
long objectHandle)
throws UserFatalException
This is done by reading and DER-decoding the CKA_EC_PARAMS
attribute value, which contains the DER-encoding of an ANSI X9.62
ECDomainParameters structure, then parsing the contents into
ECParameterSpec representation.
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the EC key's object handleUserFatalException - [FIPS 140-2 status output] if an error occurred while
attempting to extract the EC domain parameters from the
PKCS#11 deviceFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void setNewLabel(long sessionHandle,
long objectHandle,
java.lang.String label)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the object's handlelabel - [FIPS 140-2 data input] the object's new label — a
description of the objectUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
setting the label attributeFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void setKeyID(long sessionHandle,
long objectHandle,
java.lang.String keyId)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the key's object handlekeyId - [FIPS 140-2 data input] the key's new key identifierUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
setting the key identifierFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] getAllObjectHandles(long sessionHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handlesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getStringHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
throws UserFatalException
The Data object is searched for using the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object exists
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's current label on the
tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getByteArrayHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
throws UserFatalException
The Data object is searched for using the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object exists
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's current label on the
tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getDataObjectHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
throws UserFatalException
The Data object is searched for using the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object exists
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's current label on the
tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] getDataObjectHandles(long sessionHandle,
boolean isPrivate,
java.lang.String label)
throws UserFatalException
The Data objects are searched for using the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the objects exist
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the objects' current label on the
tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handlesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] getDataObjectHandles(long sessionHandle,
java.lang.String application)
throws UserFatalException
The Data objects are searched for using the following attribute values:
CKA_CLASS = CKO_DATA
CKA_TOKEN = TRUE
CKA_APPLICATION = <CODE>application</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleapplication - [FIPS 140-2 data input] an identifier for the application that
created the object (OPTIONAL)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handlesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getCertificateHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label)
throws UserFatalException
The Certificate object is searched for using the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = true
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object exists
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's current label on the
tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getCertificateHandle(long sessionHandle,
boolean isPrivate,
java.lang.String label,
byte[] id)
throws UserFatalException
The Certificate object is searched for using the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = true
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
CKA_ID = <CODE>id</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the object exists
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the object's current label on the
token (OPTIONAL)id - [FIPS 140-2 data input] the certificate's key identifier on
the tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] getCertificateHandles(long sessionHandle,
boolean isPrivate,
java.lang.String label)
throws UserFatalException
The Certificate objects are searched for using the following attribute values:
CKA_CLASS = CKO_CERTIFICATE
CKA_TOKEN = true
CKA_PRIVATE = <CODE>isPrivate</CODE>
CKA_LABEL = <CODE>label</CODE>
CKA_CERTIFICATE_TYPE = CKC_X_509
sessionHandle - [FIPS 140-2 control input] the session's handleisPrivate - [FIPS 140-2 control input] indicates whether the objects exist
in the public or private memory on the tokenlabel - [FIPS 140-2 data input] the objects' current label on the
token (OPTIONAL)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handlesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getSigningKeyHandle(long sessionHandle)
throws UserFatalException
The Private Key object is searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_LABEL = "Signing Key"
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getOldSigningKeyHandle(long sessionHandle)
throws UserFatalException
The Private Key object is searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_LABEL = "DELETE THIS"
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getDecryptionKeyHandle(long sessionHandle,
byte[] id)
throws UserFatalException
The Private Key object is searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_LABEL = "Private Keys"
CKA_ID = <CODE>id</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleid - [FIPS 140-2 data input] the private key's key identifier on
the tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] getAllDecryptionKeyHandles(long sessionHandle)
throws UserFatalException
The Private Key objects are searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_LABEL = "Private Keys"
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handlesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getPrivateKeyHandle(long sessionHandle,
java.lang.String label)
throws UserFatalException
The Private Key object is searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_LABEL = <CODE>label</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the object's current label on the
tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getPrivateKeyHandle(long sessionHandle,
byte[] id)
throws UserFatalException
The Private Key object is searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_ID = <CODE>id</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handleid - [FIPS 140-2 data input] the private key's key identifier on
the tokenUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handleFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getPrivateKeyHandle(long sessionHandle,
java.lang.String label,
byte[] id)
throws UserFatalException
UserFatalExceptionpublic long[] getPrivateKeyHandles(long sessionHandle,
java.lang.String label)
throws UserFatalException
The Private Key objects are searched for using the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_LABEL = <CODE>label</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the objects' current label on the
token (OPTIONAL)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
obtaining the object handlesFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void encryptInit(long sessionHandle,
long mechanism,
long keyHandle)
throws UserFatalException
After calling encryptInit, the application can call either
encrypt (to encrypt data in a single part), or
encryptUpdate zero or more times, followed by
encryptFinal (to encrypt data in multiple parts). The
encryption operation is active until the application uses a call to
encrypt, or to encryptFinal to obtain the final
piece of ciphertext. To process additional data (in single or multiple
parts), the application must call encryptInit again.
Do not use this call when using symmetric ciphers which require an
initialization vector; use encryptInit(long, long, long, byte[])
instead.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the encryption mechanismkeyHandle - [FIPS 140-2 control input] the handle of the encryption keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void encryptInit(long sessionHandle,
long mechanism,
long keyHandle,
long hashAlg,
long mgftype,
long source,
byte[] psourcedata)
throws UserFatalException
After calling encryptInit, the application can call either
encrypt (to encrypt data in a single part), or
encryptUpdate zero or more times, followed by
encryptFinal (to encrypt data in multiple parts). The
encryption operation is active until the application uses a call to
encrypt, or to encryptFinal to obtain the final
piece of ciphertext. To process additional data (in single or multiple
parts), the application must call encryptInit again.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the encryption mechanismkeyHandle - [FIPS 140-2 control input] the handle of the encryption keypsourcedata - [FIPS 140-2 data input] a bytes array containing the
initialization vector to use with symmetric ciphers. May be
null, in which case this call is equivalent to
encryptInit(long, long, long)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void encryptInit(long sessionHandle,
long mechanism,
long keyHandle,
byte[] iv)
throws UserFatalException
After calling encryptInit, the application can call either
encrypt (to encrypt data in a single part), or
encryptUpdate zero or more times, followed by
encryptFinal (to encrypt data in multiple parts). The
encryption operation is active until the application uses a call to
encrypt, or to encryptFinal to obtain the final
piece of ciphertext. To process additional data (in single or multiple
parts), the application must call encryptInit again.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the encryption mechanismkeyHandle - [FIPS 140-2 control input] the handle of the encryption keyiv - [FIPS 140-2 data input] a bytes array containing the
initialization vector to use with symmetric ciphers. May be
null, in which case this call is equivalent to
encryptInit(long, long, long)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] encrypt(long sessionHandle,
byte[] plaintext)
throws UserFatalException
The encryption operation must have been initialized with
encryptInit. A call to encrypt always
terminates the active encryption operation unless it fails with error
CKR_BUFFER_TOO_SMALL. It cannot be used to terminate a
multi-part operation, and must be called after encryptInit
without intervening encryptUpdate calls.
For some encryption mechanisms, the input plaintext data has certain
length constraints (either because the mechanism can encrypt only
relatively short pieces of plaintext, or because the mechanism's input
data must consist of an integral number of blocks). If these constraints
are not satisfied, encrypt will fail with error
CKR_DATA_LEN_RANGE.
sessionHandle - [FIPS 140-2 control input] the session's handleplaintext - [FIPS 140-2 data input] the data to encryptUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] encryptUpdate(long sessionHandle,
byte[] plaintext)
throws UserFatalException
The encryption operation must have been initialized with
encryptInit. This function can be called any number of times
in succession. A call to encryptUpdate, that results in an
error other than CKR_BUFFER_TOO_SMALL, terminates the
current encryption operation.
sessionHandle - [FIPS 140-2 control input] the session's handleplaintext - [FIPS 140-2 data input] the data part to encryptUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int encryptUpdate(long sessionHandle,
byte[] input,
int inputOffset,
int inputLength,
byte[] output,
int outputOffset)
throws UserFatalException
UserFatalException is
thrown with error CKR_BUFFER_TOO_SMALL. The operation may
then be repeated with a larger buffer.
The encryption operation must have been initialized with
encryptInit. This function can be called any number of times
in succession. A call to encryptUpdate that results in an
error other than CKR_BUFFER_TOO_SMALL terminates the current
encryption operation.
sessionHandle - [FIPS 140-2 control input] the session's handleinput - [FIPS 140-2 data input] the input data to encryptinputOffset - [FIPS 140-2 data input] the offset in to the
input array. Data is encrypted starting at this
offset.inputLength - [FIPS 140-2 data input] the number of bytes in the
input array to encrypt, starting from offset
inputOffset.output - [FIPS 140-2 data output] the array in which the encrypted
output is placed.outputOffset - [FIPS 140-2 data input] the offset in to the
output array. Encrypted data is written to the
array starting at this offset.output array.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int getEncryptUpdateLength(long sessionHandle,
byte[] input,
int inputLength)
throws UserFatalException
encryptUpdate to hold the output.
The encryption operation must have been initialized with
encryptInit prior to calling this method.
sessionHandle - [FIPS 140-2 data input] the session's handleinput - [FIPS 140-2 data input] the input data to encryptinputLength - [FIPS 140-2 data input] the number of bytes in the
input array to encrypt.encryptUpdate to be
called with this input and number of bytes to encrypt. The actual
call to encryptUpdate may return fewer bytes than
the number returned by this method, but it will not return more.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the call to find the output length.Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] encryptFinal(long sessionHandle)
throws UserFatalException
The encryption operation must have been initialized with
encryptInit. A call to encryptFinal always
terminates the active encryption operation unless it returns a
CKR_BUFFER_TOO_SMALL error.
For some multi-part encryption mechanisms, the input plaintext data has
certain length constraints, because the mechanism's input data must
consist of an integral number of blocks. If these constraints are not
satisfied, encryptFinal will fail with error
CKR_DATA_LEN_RANGE.
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the encryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void decryptInit(long sessionHandle,
long mechanism,
long keyHandle)
throws UserFatalException
After calling decryptInit, the application can call either
decrypt (to decrypt data in a single part), or
decryptUpdate zero or more times, followed by
decryptFinal (to decrypt data in multiple parts). The
decryption operation is active until the application uses a call to
decrypt or to decryptFinal to obtain the final
piece of plaintext. To process additional data (in single or multiple
parts), the application must call decryptInit again.
Do not use this call when using symmetric ciphers which require an
initialization vector; use decryptInit(long, long, long, byte[])
instead.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the decryption mechanismkeyHandle - [FIPS 140-2 control input] the handle of the decryption keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void decryptInit(long sessionHandle,
long mechanism,
long keyHandle,
byte[] iv)
throws UserFatalException
After calling decryptInit, the application can call either
decrypt (to decrypt data in a single part), or
decryptUpdate zero or more times, followed by
decryptFinal (to decrypt data in multiple parts). The
decryption operation is active until the application uses a call to
decrypt or to decryptFinal to obtain the final
piece of plaintext. To process additional data (in single or multiple
parts), the application must call decryptInit again.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the decryption mechanismkeyHandle - [FIPS 140-2 control input] the handle of the decryption keyiv - [FIPS 140-2 data input] a bytes array containing the
initialization vector to use with symmetric ciphers. May be
null, in which case this call is equivalent to
decryptInit(long, long, long)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void decryptInit(long sessionHandle,
long mechanism,
long keyHandle,
long hashAlg,
long mgftype,
long source,
byte[] psourcedata)
throws UserFatalException
After calling decryptInit, the application can call either
decrypt (to decrypt data in a single part), or
decryptUpdate zero or more times, followed by
decryptFinal (to decrypt data in multiple parts). The
decryption operation is active until the application uses a call to
decrypt or to decryptFinal to obtain the final
piece of plaintext. To process additional data (in single or multiple
parts), the application must call decryptInit again.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the decryption mechanismkeyHandle - [FIPS 140-2 control input] the handle of the decryption keypsourcedata - [FIPS 140-2 data input] a bytes array containing the
initialization vector to use with symmetric ciphers. May be
null, in which case this call is equivalent to
decryptInit(long, long, long)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] decrypt(long sessionHandle,
byte[] ciphertext)
throws UserFatalException
The decryption operation must have been initialized with
decryptInit. A call to decrypt always
terminates the active decryption operation unless it fails with error
CKR_BUFFER_TOO_SMALL. It cannot be used to terminate a
multi-part operation, and must be called after decryptInit
without intervening decryptUpdate calls.
If the input ciphertext data cannot be decrypted because it has an
inappropriate length, it might fail with error
CKR_ENCRYPTED_DATA_INVALID or
CKR_ENCRYPTED_DATA_LEN_RANGE.
sessionHandle - [FIPS 140-2 control input] the session's handleciphertext - [FIPS 140-2 data input] the data to decryptUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] decryptUpdate(long sessionHandle,
byte[] ciphertext)
throws UserFatalException
The decryption operation must have been initialized with
decryptInit. This method can be called any number of times
in succession. A call to decryptUpdate that results in an
error other than CKR_BUFFER_TOO_SMALL terminates the current
decryption operation.
sessionHandle - [FIPS 140-2 control input] the session's handleciphertext - [FIPS 140-2 data input] the data part to decryptUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int decryptUpdate(long sessionHandle,
byte[] input,
int inputOffset,
int inputLength,
byte[] output,
int outputOffset)
throws UserFatalException
UserFatalException is thrown with error
CKR_BUFFER_TOO_SMALL. The operation may then be repeated
with a larger buffer.
The encryption operation must have been initialized with
decryptInit. This function can be called any number of times
in succession. A call to decryptUpdate that results in an
error other than CKR_BUFFER_TOO_SMALL terminates the current
encryption operation.
sessionHandle - [FIPS 140-2 control input] the session's handleinput - [FIPS 140-2 data input] the encrypted data to decryptinputOffset - [FIPS 140-2 data input] the offset in to the
input array. Data is decrypted starting at this
offset.inputLength - [FIPS 140-2 data input] the number of bytes in the
input array to decrypt, starting from offset
inputOffset.output - [FIPS 140-2 data output] the array in which the decrypted
output is placed.outputOffset - [FIPS 140-2 data input] the offset in to the
output array. Decrypted data is written to the
array starting at this offset.output array.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int getDecryptUpdateLength(long sessionHandle,
byte[] input,
int inputLength)
throws UserFatalException
decryptUpdate to hold the output.
The decryption operation must have been initialized with
decryptInit prior to calling this method.
sessionHandle - [FIPS 140-2 control input] the session's handleinput - [FIPS 140-2 data input] the input data to decryptinputLength - [FIPS 140-2 data input] the number of bytes in the
input array to decrypt.decryptUpdate to be
called with this input and number of bytes to decrypt. The actual
call to decryptUpdate may return fewer bytes than
the number returned by this method, but it will not return more.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the call to find the output length.Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] decryptFinal(long sessionHandle)
throws UserFatalException
The decryption operation must have been initialized with
decryptInit. A call to C_DecryptFinal always
terminates the active decryption operation unless it fails with error
CKR_BUFFER_TOO_SMALL.
If the input ciphertext data cannot be decrypted because it has an
inappropriate length, then it might fail with error
CKR_ENCRYPTED_DATA_INVALID or
CKR_ENCRYPTED_DATA_LEN_RANGE.
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the decryption operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void signInit(long sessionHandle,
long mechanism,
long keyHandle)
throws UserFatalException
After calling signInit, the application can call either
sign (to sign in a single part) or signUpdate
one or more times, followed by signFinal (to sign data in
multiple parts). The signature operation is active until the application
uses a call to sign or to signFinal to obtain
the signature. To process additional data (in single or multiple parts),
the application must call signInit again.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the signature mechanismkeyHandle - [FIPS 140-2 control input] the handle of the signature keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the signing operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void SignInitWithRSAPSSParameters(long sessionHandle,
long mechanism,
long keyHandle,
long hashAlg,
long mgfType,
long saltLength)
throws UserFatalException
signInit(long sessionHandle, long mechanism, long keyHandle)
but you can pass in mechanism parameters if required.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the signature mechanismkeyHandle - [FIPS 140-2 control input] the handle of the signature keyhashAlg - [FIPS 140-2 control input] hash algorithm used in the PSS
encoding; if the signature mechanism does not include message
hashing, then this value must be the mechanism used by the
application to generate the message hash; if the signature
mechanism includes hashing, then this value must match the
hash algorithm indicated by the signature mechanismmgfType - [FIPS 140-2 control input] mask generation function to use on
the encoded blocksaltLength - [FIPS 140-2 data input] length, in bytes, of the salt value
used in the PSS encoding; typical values are the length of the
message hash and zeroUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the signing operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] sign(long sessionHandle,
byte[] data)
throws UserFatalException
The signing operation must have been initialized with
signInit. A call to sign always terminates the
active signing operation unless it fails with error
CKR_BUFFER_TOO_SMALL. It cannot be used to terminate a
multi-part operation, and must be called after signInit
without intervening signUpdate calls.
sessionHandle - [FIPS 140-2 control input] the session's handledata - [FIPS 140-2 data input] the data to signUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the signing operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void signUpdate(long sessionHandle,
byte[] part)
throws UserFatalException
The signing operation must have been initialized with
signInit. This function can be called any number of times in
succession. A call to signUpdate that results in an error
terminates the current signature operation.
sessionHandle - [FIPS 140-2 control input] the session's handlepart - [FIPS 140-2 data input] the data part to signUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the signing operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void signUpdate(long sessionHandle,
byte[] part,
int offset,
int length)
throws UserFatalException
The signing operation must have been initialized with
signInit. This function can be called any number of times in
succession. A call to signUpdate that results in an error
terminates the current signature operation.
sessionHandle - [FIPS 140-2 control input] the session's handlepart - [FIPS 140-2 data input] the array containing the data to signoffset - [FIPS 140-2 data input] the offset in to the part
array from which to read the data.length - [FIPS 140-2 data input] the number of bytes in
part to include in the signature, starting from
offset.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the signing operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] signFinal(long sessionHandle)
throws UserFatalException
The signing operation must have been initialized with
signInit. A call to signFinal always terminates
the active signing operation unless it fails with error
CKR_BUFFER_TOO_SMALL.
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the signing operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void verifyInit(long sessionHandle,
long mechanism,
long keyHandle)
throws UserFatalException
After calling verifyInit, the application can call either
verify (to verify a signature on data in a single part) or
verifyUpdate one or more times, followed by
verifyFinal (to verify a signature on data in multiple
parts). The verification operation is active until the application calls
verify or verifyFinal. To process additional
data (in single or multiple parts), the application must call
verifyInit again.
sessionHandle - [FIPS 140-2 control input] the session's handlemechanism - [FIPS 140-2 control input] the verification mechanismkeyHandle - [FIPS 140-2 control input] the handle of the verification keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
initializing the verification operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic boolean verify(long sessionHandle,
byte[] data,
byte[] signature)
throws UserFatalException
The verification operation must have been initialized with
verifyInit. A call to verify always terminates
the active verification operation. It cannot be used to terminate a
multi-part operation, and must be called after verifyInit
without intervening verifyUpdate calls.
A successful call to verify should return either
true (indicating that the supplied signature is valid) or
false (indicating that the supplied signature is invalid).
If the signature can be seen to be invalid purely on the basis of its
length, the operation fails with error
CKR_SIGNATURE_LEN_RANGE. In any of these cases, the active
signing operation is terminated.
sessionHandle - [FIPS 140-2 control input] the session's handledata - [FIPS 140-2 data input] the data the signature is oversignature - [FIPS 140-2 data input] the signature to verifytrue if the signature was
verified, false otherwiseUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the verification operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void verifyUpdate(long sessionHandle,
byte[] part)
throws UserFatalException
The verification operation must have been initialized with
verifyInit. This function can be called any number of times
in succession. A call to verifyUpdate that results in an
error terminates the current verification operation.
sessionHandle - [FIPS 140-2 control input] the session's handlepart - [FIPS 140-2 data input] the data part the signature is overUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the verification operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic boolean verifyFinal(long sessionHandle,
byte[] signature)
throws UserFatalException
The verification operation must have been initialized with
verifyInit. A call to verifyFinal always
terminates the active verification operation.
A successful call to verifyFinal should return either
true (indicating that the supplied signature is valid) or
false (indicating that the supplied signature is invalid).
If the signature can be seen to be invalid purely on the basis of its
length, the operation fails with error
CKR_SIGNATURE_LEN_RANGE. In any of these cases, the active
verifying operation is terminated.
sessionHandle - [FIPS 140-2 control input] the session's handlesignature - [FIPS 140-2 data input] the signature to verifytrue if the signature was
verified, false otherwiseUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
during the verification operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createRSASigningKeys(long sessionHandle,
int strength)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = generated
CKA_PUBLIC_EXPONENT = generated
CKA_PRIVATE_EXPONENT = generated
CKA_PRIME_1 = generated
CKA_PRIME_2 = generated
CKA_EXPONENT_1 = generated
CKA_EXPONENT_2 = generated
CKA_COEFFICIENT = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_MODULUS = generated
CKA_MODULUS_BITS = <CODE>strength</CODE>
CKA_PUBLIC_EXPONENT = generated
sessionHandle - [FIPS 140-2 control input] the session's handlestrength - [FIPS 140-2 data input] the strength (modulus length) of the
RSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the RSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createRSASigningKeys(long sessionHandle,
int strength,
byte[] publicExponent)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = generated
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
CKA_PRIVATE_EXPONENT = generated
CKA_PRIME_1 = generated
CKA_PRIME_2 = generated
CKA_EXPONENT_1 = generated
CKA_EXPONENT_2 = generated
CKA_COEFFICIENT = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_MODULUS = generated
CKA_MODULUS_BITS = <CODE>strength</CODE>
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlestrength - [FIPS 140-2 data input] the strength (modulus length) of the
RSA key pairpublicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the public exponent
value (e) of the RSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the RSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createDSASigningKeys(long sessionHandle,
int strength)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = generated
CKA_SUBPRIME = generated
CKA_BASE = generated
CKA_VALUE = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_PRIME = generated
CKA_SUBPRIME = generated
CKA_BASE = generated
CKA_VALUE = generated
sessionHandle - [FIPS 140-2 control input] the session's handlestrength - [FIPS 140-2 data input] the strength of the DSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the DSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createDSASigningKeys(long sessionHandle,
byte[] prime,
byte[] subprime,
byte[] base)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME = <CODE>subprime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME <CODE>subprime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = generated
sessionHandle - [FIPS 140-2 control input] the session's handleprime - [FIPS 140-2 data input] the prime value (p) of the DSA key
pairsubprime - [FIPS 140-2 data input] the subprime value (q) of the DSA key
pairbase - [FIPS 140-2 data input] the base value (g) of the DSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the DSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createECSigningKeys(long sessionHandle,
java.security.spec.ECParameterSpec ecDomainParams)
throws UserFatalException
An attempt is first made to generate the key pair using EC domain parameters encoded in 'named' format. If this fails, a second attempt is made to generate the key pair using EC domain parameters encoded in 'specified' format.
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_EC
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_EC
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = generated
sessionHandle - [FIPS 140-2 control input] the session's handleecDomainParams - [FIPS 140-2 data input] EC domain parametersUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the EC key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createRSADecryptionKeys(long sessionHandle,
int strength)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Private Keys"
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = true
CKA_SIGN = false
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = generated
CKA_PUBLIC_EXPONENT = generated
CKA_PRIVATE_EXPONENT = generated
CKA_PRIME_1 = generated
CKA_PRIME_2 = generated
CKA_EXPONENT_1 = generated
CKA_EXPONENT_2 = generated
CKA_COEFFICIENT = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = true
CKA_VERIFY = false
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_MODULUS = generated
CKA_MODULUS_BITS = <CODE>strength</CODE>
CKA_PUBLIC_EXPONENT = generated
sessionHandle - [FIPS 140-2 control input] the session's handlestrength - [FIPS 140-2 data input] the strength (modulus length) of the
RSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the RSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] createRSADecryptionKeys(long sessionHandle,
int strength,
byte[] publicExponent)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = true
CKA_SIGN = false
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = generated
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
CKA_PRIVATE_EXPONENT = generated
CKA_PRIME_1 = generated
CKA_PRIME_2 = generated
CKA_EXPONENT_1 = generated
CKA_EXPONENT_2 = generated
CKA_COEFFICIENT = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = true
CKA_VERIFY = false
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_MODULUS = generated
CKA_MODULUS_BITS = <CODE>strength</CODE>
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlestrength - [FIPS 140-2 data input] the strength (modulus length) of the
RSA key pairpublicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the public exponent
value (e) of the RSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the RSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] generateRSAKeyPair(long sessionHandle,
java.lang.String label,
boolean encryptAllowed,
boolean signAllowed,
int strength,
byte[] publicExponent)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = generated
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
CKA_PRIVATE_EXPONENT = generated
CKA_PRIME_1 = generated
CKA_PRIME_2 = generated
CKA_EXPONENT_1 = generated
CKA_EXPONENT_2 = generated
CKA_COEFFICIENT = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_RSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = <CODE>encryptAllowed</CODE>
CKA_VERIFY = <CODE>signAllowed</CODE>
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_MODULUS = generated
CKA_MODULUS_BITS = <CODE>strength</CODE>
CKA_PUBLIC_EXPONENT = <CODE>publicExponent</CODE>
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the private key object's label on the
token — a description of the objectencryptAllowed - [FIPS 140-2 control input] indicates if the key pair can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the key pair can be
used for signing/verificationstrength - [FIPS 140-2 data input] the strength (modulus length) of the
RSA key pairpublicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the public exponent
value (e) of the RSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the RSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] generateDSAKeyPair(long sessionHandle,
java.lang.String label,
boolean encryptAllowed,
boolean signAllowed,
byte[] prime,
byte[] subprime,
byte[] base)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1].
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME = <CODE>subprime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_DSA
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = <CODE>encryptAllowed</CODE>
CKA_VERIFY = <CODE>signAllowed</CODE>
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_PRIME = <CODE>prime</CODE>
CKA_SUBPRIME = <CODE>subprime</CODE>
CKA_BASE = <CODE>base</CODE>
CKA_VALUE = generated
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the private key object's label on the
token — a description of the objectencryptAllowed - [FIPS 140-2 control input] indicates if the key pair can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the key pair can be
used for signing/verificationprime - [FIPS 140-2 data input] the prime value (p) of the DSA key
pairsubprime - [FIPS 140-2 data input] the subprime value (q) of the DSA key
pairbase - [FIPS 140-2 data input] the base value (g) of the DSA key pairUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the DSA key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] generateECKeyPair(long sessionHandle,
java.lang.String label,
boolean encryptAllowed,
boolean signAllowed,
java.security.spec.ECParameterSpec ecDomainParams)
throws UserFatalException
An attempt is first made to generate the key pair using EC domain parameters encoded in 'named' format. If this fails, a second attempt is made to generate the key pair using EC domain parameters encoded in 'specified' format.
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1]. If the private key is for securely establish a shared secret between two parties using ECDH key agreement, the CKA_DERIVE attribute must be set to 'TRUE', use the other generateECKeyPair with the deriveAllowed parameter.
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_EC
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_EC
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = generated
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the private key object's label on the
token — a description of the objectencryptAllowed - [FIPS 140-2 control input] indicates if the key pair can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the key pair can be
used for signing/verificationecDomainParams - [FIPS 140-2 data input] EC domain parametersUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the EC key pairFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long[] generateECKeyPair(long sessionHandle,
java.lang.String label,
boolean tokenObject,
boolean encryptAllowed,
boolean signAllowed,
boolean deriveAllowed,
java.security.spec.ECParameterSpec ecDomainParams)
throws UserFatalException
The private key is created on the token and the public key is created as a session object (not saved on the token). This method returns an array containing the handle for the public key [0] and the handle for the private key [1]. If you wish to use the default value for the CKA_DERIVE attribute, i.e. you are not using the private key for establishing a shared secret between two parties using ECDH key agreement, use the other generateECKeyPair without the deriveAllowed parameter.
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Signing Key"
CKA_KEY_TYPE = CKK_EC
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = "DeriveAllowed"
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = false
CKA_SIGN = true
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = generated
The Public Key object is created with the following attribute values:
CKA_CLASS = CKO_PUBLIC_KEY
CKA_TOKEN = false
CKA_PRIVATE = default
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_EC
CKA_ID = default
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = true
CKA_SUBJECT = default
CKA_ENCRYPT = false
CKA_VERIFY = true
CKA_VERIFY_RECOVER = default
CKA_WRAP = default
CKA_EC_PARAMS = DER-encoding of <CODE>ecDomainParams</CODE>
CKA_VALUE = generated
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 data input] the private key object's label on the token — a description of the objecttokenObject - [FIPS 140-2 data input] indicates whether the private key should be stored as a token object or
a session object.encryptAllowed - [FIPS 140-2 control input] indicates if the key pair can be used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the key pair can be used for signing/verificationderiveAllowed - [FIPS 140-2 control input] indicates if the key pair can be used for deriving shared secret key using ECDH key agreementecDomainParams - [FIPS 140-2 data input] EC domain parametersUserFatalExceptionpublic long create3DESKey(long sessionHandle)
throws UserFatalException
The Secret Key object is created with the following attribute values:
CKA_CLASS = CKO_SECRET_KEY
CKA_TOKEN = true/false
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = default
CKA_KEY_TYPE = CKK_DES3
CKA_SENSITIVE = default
CKA_ENCRYPT = default
CKA_DECRYPT = default
CKA_SIGN = default
CKA_VERIFY = default
CKA_WRAP default
CKA_UNWRAP true
CKA_EXTRACTABLE true
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (false)
CKA_VALUE = generated
CKA_VALUE_LEN = default
An attempt is first made to generate the DESede key as a token object, if that fails, a second attempt is made to generate the DESede key as a session object (required to support DataKey).
sessionHandle - [FIPS 140-2 control input] the session's handleUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the DESede keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic SecretKey get3DESKeySecure(long sessionHandle, long keyHandle) throws UserFatalException
The DESede secret key is obtained as follows:
sessionHandle - [FIPS 140-2 control input] the session's handlekeyHandle - [FIPS 140-2 control input] the handle of the DESede key to be
securely obtainUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
securely obtaining the DESede key object from the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic SecretKey getWrappingKeySecure(long sessionHandle, long keyHandle, SymmetricKeyType symmetricKeyAlgType, int wrappingKeySize, long keyWrapMechanism) throws UserFatalException
The secret key is obtained as follows:
sessionHandle - [FIPS 140-2 control input] the session's handlekeyHandle - [FIPS 140-2 control input] the handle of the AES or DESede key to be
securely obtainsymmetricKeyAlgType - the wrapping key type of either AES or DESedewrappingKeySize - the key size for the wrapping keykeyWrapMechanism - the key wrap mechanism of either RSA PKCS OAEP or RSA PKCS to use
for wrapping the key.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
securely obtaining the AES or DESede key object from the tokenFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] wrapKeyRSA(long sessionHandle,
long keyHandle,
byte[] modulus,
byte[] publicExponent)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handlekeyHandle - [FIPS 140-2 control input] the handle of the DESede or AES key to be
wrappedmodulus - [FIPS 140-2 data input] [FIPS 140-2 CSP] the modulus value (n)
of the RSA public keypublicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the public exponent
value (e) of the RSA public keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
wrapping the DESede or AES keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic byte[] wrapKeyRSAPKCSOrOAEP(long sessionHandle,
long keyHandle,
byte[] modulus,
byte[] publicExponent,
long hashAlg,
long mgftype,
long source,
byte[] psourcedata,
long psourcedatalen)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handlekeyHandle - [FIPS 140-2 control input] the handle of the DESede or AES key to be
wrappedmodulus - [FIPS 140-2 data input] [FIPS 140-2 CSP] the modulus value (n)
of the RSA public keypublicExponent - [FIPS 140-2 data input] [FIPS 140-2 CSP] the public exponent
value (e) of the RSA public keyhashAlg - [FIPS 140-2 data input] [FIPS 140-2 CSP] The hash algorithm used by the OAEP parameters,
Use a value of -1 to indicate no OAEP parameters are specifiedmgftype - [FIPS 140-2 data input] [FIPS 140-2 CSP] The Mask Generation Function used by the OAEP parameterssource - [FIPS 140-2 data input] [FIPS 140-2 CSP] The pSource used by OAEP parameters (Optional for OAEP)
The only Source type support in PKCS11 is CKZ_DATA_SPECIFIEDpsourcedata - [FIPS 140-2 data input] [FIPS 140-2 CSP] The pSource data bytes (Optional or OAEP)UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
wrapping the DESede or AES keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long unwrapDecryptionKey(long sessionHandle,
long wrappingKeyHandle,
byte[] wrappedKey,
byte[] id)
throws UserFatalException
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = "Private Keys"
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = true
CKA_SIGN = false
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = unwrapped
CKA_PUBLIC_EXPONENT = unwrapped
CKA_PRIVATE_EXPONENT = unwrapped
CKA_PRIME_1 = unwrapped
CKA_PRIME_2 = unwrapped
CKA_EXPONENT_1 = unwrapped
CKA_EXPONENT_2 = unwrapped
CKA_COEFFICIENT = unwrapped
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKeyHandle - [FIPS 140-2 control input] the handle of the DESede key used
for unwrappingwrappedKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DESede wrapped
decryption key to be unwrappedid - [FIPS 140-2 data input] key identifier for the decryption keyUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
unwrapping the decryption keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long unwrapPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey,
java.lang.String wrappedKeyAlgorithm,
long wrapKeyMechanism,
byte[] iv)
throws UserFatalException
The key wrap mechanism indicated must match the mechanism used in the key wrapping in software. If you use the APIs: setRSAPrivateKeySecure(), setDSAPrivateKeySecure(), or setECPrivateKeySecure() where default key wrap mechanism is used, you must use the matching unwrapRSAPrivateKey(), unwrapDSAPrivateKey() and unwrapECPrivateKey(). If you use the API: setPrivateKeySecure() where you indicate a key wrap mechanism, either CKM_AES_KEY_WRAP_KWP or CKM_AES_CBC_PAD for AES secret key or CKM_DES3_CBC_PAD for the DESede secret key, you must use the match wrap key mechanism in unwrapPrivateKey().
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = <CODE>signAllowed</CODE>
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = unwrapped
CKA_PUBLIC_EXPONENT = unwrapped
CKA_PRIVATE_EXPONENT = unwrapped
CKA_PRIME_1 = unwrapped
CKA_PRIME_2 = unwrapped
CKA_EXPONENT_1 = unwrapped
CKA_EXPONENT_2 = unwrapped
CKA_COEFFICIENT = unwrapped
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKeyHandle - [FIPS 140-2 control input] the handle of the AES or DESede key used
for unwrappinglabel - [FIPS 140-2 data input] key label for the private keyid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationwrappedKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the AES or DESede wrapped
RSA key to be unwrappedwrappedKeyAlgorithm - [FIPS 140-2 data input] indicates the wrapped key algorithm type
of CKK_RSA, CKK_DSA or CKK_ECwrapKeyMechanism - indicates the unwrapping algorithm mechanism of CKM_AES KEY_WRAP_KWP or
CKM_AES_CBC_PAD for AES symmetric key; CKM_DES3_CBC_PAD or -1 for
DESede symmetric key.iv - Random generated IV. The size requirement depends on the Algorithm.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
unwrapping the private keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long unwrapRSAPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. The default key wrap mechanism 'CKM_DES3_CBC_PAD' will be used for the DESede secret key and the default key wrap mechanism 'CKM_AES_CBC_PAD' will be used for the AES secret key in the key unwrapping in token. If you use an AES secret key with the APIs: setRSAPrivateKeySecure(), setDSAPrivateKeySecure(), or setECPrivateKeySecure() to wrap the key, where the default key wrap mechanism is used, you may also use the unwrapPrivateKey() and indicate the CKM_AES_CBC_PAD as the wrap mechanism to unwrap the key in token.
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_RSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_MODULUS = unwrapped
CKA_PUBLIC_EXPONENT = unwrapped
CKA_PRIVATE_EXPONENT = unwrapped
CKA_PRIME_1 = unwrapped
CKA_PRIME_2 = unwrapped
CKA_EXPONENT_1 = unwrapped
CKA_EXPONENT_2 = unwrapped
CKA_COEFFICIENT = unwrapped
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKeyHandle - [FIPS 140-2 control input] the handle of the DESede key used
for unwrappingid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationwrappedKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DESede wrapped
RSA key to be unwrappedUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
unwrapping the private keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long unwrapDSAPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. The default key wrap mechanism 'CKM_DES3_CBC_PAD' will be used for the DESede secret key and the default key wrap mechanism 'CKM_AES_CBC_PAD' will be used for the AES secret key in the key unwrapping in token. If you use an AES secret key with the APIs: setRSAPrivateKeySecure(), setDSAPrivateKeySecure(), or setECPrivateKeySecure() to wrap the key, where the default key wrap mechanism is used, you may also use the unwrapPrivateKey() and indicate the CKM_AES_CBC_PAD as the wrap mechanism to unwrap the key in token.
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_DSA
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_PRIME = unwrapped
CKA_SUBPRIME = unwrapped
CKA_BASE = unwrapped
CKA_VALUE = unwrapped
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKeyHandle - [FIPS 140-2 control input] the handle of the DESede key used
for unwrappingid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationwrappedKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DESede wrapped
DSA key to be unwrappedUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
unwrapping the private keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long unwrapECPrivateKey(long sessionHandle,
long wrappingKeyHandle,
java.lang.String label,
byte[] id,
boolean encryptAllowed,
boolean signAllowed,
byte[] wrappedKey)
throws UserFatalException
Updated in 9.0 to allow either an AES or DESede secret key to the key wrapping operation to transfer a private key object into the token securely. The default key wrap mechanism 'CKM_DES3_CBC_PAD' will be used for the DESede secret key and the default key wrap mechanism 'CKM_AES_CBC_PAD' will be used for the AES secret key in the key unwrapping in token. If you use an AES secret key with the APIs: setRSAPrivateKeySecure(), setDSAPrivateKeySecure(), or setECPrivateKeySecure() to wrap the key, where the default key wrap mechanism is used, you may also use the unwrapPrivateKey() and indicate the CKM_AES_CBC_PAD as the wrap mechanism to unwrap the key in token.
The Private Key object is created with the following attribute values:
CKA_CLASS = CKO_PRIVATE_KEY
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_LABEL = <CODE>label</CODE>
CKA_KEY_TYPE = CKK_EC
CKA_ID = <CODE>id</CODE>
CKA_START_DATE = default
CKA_END_DATE = default
CKA_DERIVE = default
CKA_LOCAL = false
CKA_SUBJECT = default
CKA_SENSITIVE = true
CKA_DECRYPT = <CODE>encryptAllowed</CODE>
CKA_SIGN = <CODE>signAllowed</CODE>
CKA_SIGN_RECOVER = default
CKA_UNWRAP = default
CKA_EXTRACTABLE = false
CKA_ALWAYS_SENSITIVE = automatic (true)
CKA_NEVER_EXTRACTABLE = automatic (true)
CKA_EC_PARAMS = unwrapped
CKA_VALUE = unwrapped
sessionHandle - [FIPS 140-2 control input] the session's handlewrappingKeyHandle - [FIPS 140-2 control input] the handle of the DESede key used
for unwrappingid - [FIPS 140-2 data input] key identifier for the private keyencryptAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for encryption/decryptionsignAllowed - [FIPS 140-2 control input] indicates if the private key can be
used for signing/verificationwrappedKey - [FIPS 140-2 data input] [FIPS 140-2 CSP] the DESede wrapped
DSA key to be unwrappedUserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
unwrapping the private keyFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long createSymmetricKey(long sessionHandle,
java.lang.String label,
SymmetricKeyType keyType,
int keySizeInBytes,
boolean tokenObject,
boolean extractable,
boolean forEncrypt,
boolean forMac)
throws UserFatalException
The key object is created with the following attribute values:
CKA_CLASS = CKO_SECRET_KEY
CKA_LABEL = label
CKA_TOKEN = tokenObject
CKA_PRIVATE = true
CKA_MODIFIABLE = default
CKA_KEY_TYPE = keyType
CKA_SENSITIVE = default
CKA_ENCRYPT = forEncrypt
CKA_DECRYPT = forEncrypt
CKA_SIGN = forMac
CKA_VERIFY = forMac
CKA_WRAP forEncrypt
CKA_UNWRAP forEncrypt
CKA_EXTRACTABLE extractable
CKA_VALUE = generated
CKA_VALUE_LEN = keySizeInBytes
The input tokenObject parameter determines if the method is to generate the given key type (AES or DESede) as a token object or as a session object (required to support DataKey).
sessionHandle - [FIPS 140-2 control input] the session's handlelabel - [FIPS 140-2 control input] the text label to give to the key.keyType - [FIPS 140-2 data input] the type of the key to create.keySizeInBytes - [FIPS 140-2 data input] the number of bytes in the key. To use
the default key length for the given key type, set this value
to 0.tokenObject - [FIPS 140-2 control input] whether or not this key should be
created as a token object or a session object.extractable - [FIPS 140-2 control input] the value to give to the
CKA_EXTRACTABLE attribute in the key's template.
Note that marking a key as extractable does not necessarily
mean the actual key can be extracted in plain form.forEncrypt - [FIPS 140-2 control input] whether or not this key is to be
used for encryption, decryption, and key wrapping purposes.forMac - [FIPS 140-2 control input] whether or not this key is to be
used for calculating MAC values.UserFatalException - [FIPS 140-2 status output] thrown if an error occurs while
generating the key.Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic int getSecretKeyLength(long sessionHandle,
long objectHandle)
throws UserFatalException
sessionHandle - [FIPS 140-2 control input] the session's handleobjectHandle - [FIPS 140-2 control input] the secret key's object handleUserFatalException - [FIPS 140-2 status output] if an error occurs while obtaining
the secret key object's lengthFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic long getTemporarySession(long slotID)
throws UserFatalException
slotID - [FIPS 140-2 control input] the ID of the slot on which to
obtain the sessionUserFatalException - [FIPS 140-2 status output] thrown if an error occurs
getting a sessionFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic void releaseTemporarySession(long slotID,
long sessionHandle)
getTemporarySession(long).
It is important to call this function when you are finished with a session, as only a limited number of sessions will be allowed by the PKCS#11 library.
slotID - [FIPS 140-2 control input] the ID of the slot on which to
release the sessionsessionHandle - [FIPS 140-2 control input] the handle of the session to be
releasedpublic void closeTemporarySessions(long slotID)
throws UserFatalException
A released temporary session handle is a session handle that was
previously obtained through a call to
getTemporarySession(long) and also
released through a call to releaseTemporarySession(long, long)
.
It is important to call this function once all temporary sessions for a particular slot have been released, and you are finished using these temporary sessions on the slot; otherwise a later attempt to login a Security Officer could fail with a CKR_SESION_READ_ONLY_EXISTS.
slotID - [FIPS 140-2 control input] the ID of the slot on which to
close the sessionsUserFatalException - [FIPS 140-2 status output] thrown if an error while
closing the temporary sessionspublic JNIPKCS11.EcdsaDigestFormat getEcdsaDigestFormat(long slotId) throws UserFatalException
Refer to JNIPKCS11.EcdsaDigestFormat for additional details.
slotId - [FIPS 140-2 control input] a slot ID on the PKCS#11 device
that the normal user is currently logged intoUserFatalException - [FIPS 140-2 status output] if an error occurred while
attempting to determine the ECDSA digest formatFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic static byte[] formatEcdsaDigest(byte[] digest,
JNIPKCS11.EcdsaDigestFormat format,
java.security.spec.ECParameterSpec ecDomainParams)
Refer to JNIPKCS11.EcdsaDigestFormat for additional details.
digest - [FIPS 140-2 data input] the digestformat - [FIPS 140-2 control input] the ECDSA digest format to be
appliedecDomainParams - [FIPS 140-2 data input] the EC domain parameters of
the key being used to perform the ECDSA operationFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operationspublic static byte[] convertEcdsaSignaturePkcs11ToAnsix963(byte[] signature)
PKCS#11 devices produce signatures in a format that differs from what ASNI X9-63-2005; both signature formats are described below.
ECDSA-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
signature - [FIPS 140-2 data input] an ECDSA signature produced by a
PKCS#11 deviceFips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not
allowed to perform cryptographic operations