PKCS11_SOFTTOKEN(7) Standards, Environments, and Macros PKCS11_SOFTTOKEN(7)
NAME
pkcs11_softtoken - Software RSA PKCS#11 softtoken
SYNOPSIS
/usr/lib/security/pkcs11_softtoken.so
/usr/lib/security/64/pkcs11_softtoken.so
DESCRIPTION
The
pkcs11_softtoken.so object implements the RSA PKCS#11 v2.20
specification in software. Persistent storage for "token" objects is
provided by this PKCS#11 implementation.
Application developers should link to
libpkcs11.so rather than link
directly to
pkcs11_softtoken.so. See
libpkcs11(3LIB).
The following cryptographic algorithms are implemented: DES, 3DES,
AES, Blowfish, RC4, MD5, SHA1, SHA256, SHA384, SHA512, RSA, DSA, DH,
and ECC.
All of the Standard PKCS#11 functions listed on
libpkcs11(3LIB) are
implemented except for the following:
C_GetObjectSize
C_InitPIN
C_InitToken
C_WaitForSlotEvent
A call to these functions returns
CKR_FUNCTION_NOT_SUPPORTED.
The following RSA PKCS#11 v2.20 mechanisms are supported:
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_AES_KEY_GEN
CKM_AES_ECB
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_AES_CTR
CKM_BLOWFISH_KEY_GEN
CKM_BLOWFISH_CBC
CKM_RC4_KEY_GEN
CKM_RC4
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_MD5_HMAC
CKM_MD5_HMAC_GENERAL
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA256_HMAC
CKM_SHA256_HMAC_GENERAL
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_MD5_KEY_DERIVATION
CKM_SHA1_KEY_DERIVATION
CKM_SHA256_KEY_DERIVATION
CKM_SHA384_KEY_DERIVATION
CKM_SHA512_KEY_DERIVATION
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_TLS_PRE_MASTER_KEY_GEN
CKM_TLS_MASTER_KEY_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH
Each of the following types of key objects has certain token-specific
attributes that are set to true by default as a result of object
creation, key/key pair generation, and key derivation.
Public key object CKA_ENCRYPT,
CKA_VERIFY,
CKA_VERIFY_RECOVER Private key object CKA_DECRYPT,
CKA_SIGN,
CKA_SIGN_RECOVER,
CKA_EXTRACTABLE Secret key object CKA_ENCRYPT,
CKA_DECRYPT,
CKA_SIGN,
CKA_VERIFY,
CKA_EXTRACTABLE The following certificate objects are supported:
CKC_X_509 For
CKC_X_509 certificate objects, the
following attributes are supported:
CKA_SUBJECT,
CKA_VALUE,
CKA_LABEL,
CKA_ID,
CKA_ISSUER,
CKA_SERIAL_NUMBER, and
CKA_CERTIFICATE_TYPE.
CKC_X_509_ATTR_CERT For
CKC_X_509_ATTR_CERT certificate objects,
the following attributes are supported:
CKA_OWNER,
CKA_VALUE, CKA_LABEL,
CKA_SERIAL_NUMBER,
CKA_AC_ISSUER,
CKA_ATTR_TYPES, and
CKA_CERTIFICATE_TYPE.
The search operation of objects matching the template is performed at
C_FindObjectsInit. The matched objects are cached for subsequent
C_FindObjects operations.
The
pkcs11_softtoken.so object provides a filesystem-based persistent
token object store for storing token objects. The default location of
the token object store is the user's home directory returned by
getpwuid_r(). The user can override the default location by using the
${SOFTTOKEN_DIR} environment variable.
If the token object store has never been initialized, the
C_Login() function might return
CKR_OK but the user will not be able to create,
generate, derive or find any private token object and receives
CKR_PIN_EXPIRED.
The user must use the
pktool(1) setpin command with the default
passphrase "changeme" as the old passphrase to change the passphrase
of the object store. This action is needed to initialize and set the
passphrase to a newly created token object store.
After logging into object store with the new passphrase that was set
by the
pktool setpin command, the user can create and store the
private token object in this newly created object store. Until the
token object store is initialized by
setpin, the
C_Login() function
is allowed, but all attempts by the user to create, generate, derive
or find any private token object fails with a
CKR_PIN_EXPIRED error.
The PIN provided for
C_Login() and
C_SetPIN() functions can be any
string of characters with lengths between 1 and 256 and no embedded
nulls.
RETURN VALUES
The return values for each of the implemented functions are defined
and listed in the RSA PKCS#11 v2.20 specification. See
http://www.rsasecurity.com
FILES
user_home_directory/.sunw/pkcs11_softtoken
user's default token object store
${SOFTTOKEN_DIR}/pkcs11_softtoken alternate token object store
ATTRIBUTES
See
attributes(7) for a description of the following attributes:
+--------------------+--------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+--------------------------+
|Interface Stability | Committed |
+--------------------+--------------------------+
|MT-Level | MT-Safe with exceptions. |
| | See section 6.5.2 of RSA |
| | PKCS#11 v2.20. |
+--------------------+--------------------------+
|Standard | PKCS#11 v2.20 |
+--------------------+--------------------------+
SEE ALSO
pktool(1),
libpkcs11(3LIB),
attributes(7),
pkcs11_kernel(7),
cryptoadm(8) RSA PKCS#11 v2.20 http://www.rsasecurity.com
March 25, 2008 PKCS11_SOFTTOKEN(7)
