1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
|
.\" Copyright (c) 2008, Sun Microsystems, Inc. All rights reserved.
.\" Copyright 2016 Jason King.
.\"
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.Dd Oct 19, 2016
.Dt LIBPKCS11 3LIB
.Os
.Sh NAME
.Nm libpkcs11
.Nd PKCS#11 Cryptographic Framework library
.Sh SYNOPSIS
.Lb libpkcs11
.In security/cryptoki.h
.In security/pkcs11.h
.Sh DESCRIPTION
The
.Nm
library implements the RSA Security Inc. PKCS#11
Cryptographic Token Interface (Cryptoki), v2.40 specification by using plug-ins
to provide the slots.
.Lp
Each plug-in, which also implements RSA PKCS#11 v2.40, represents one or more
slots.
.Lp
The
.Nm
library provides a special slot called the meta slot.
The meta slot provides a virtual union of capabilities of all other slots.
When available, the meta slot is always the first slot provided by
.Nm .
.Lp
The meta slot feature can be configured either system-wide or by individual
users.
System-wide configuration for meta slot features is done with the
.Xr cryptoadm 1M
utility.
User configuration for meta slot features is performed with environment
variables.
.Lp
By default, the following is the system-wide configuration for meta slot.
Meta slot is enabled.
Meta slot provides token-based object support with the Software RSA PKCS#11
softtoken
.Pq Xr pkcs11_softtoken 5 .
Meta slot is
allowed to move sensitive token objects to other slots if that is necessary to
perform an operation.
.Lp
Users can overwrite one or more system-wide configuration options for meta slot
using these environment variables.
.Lp
The
.Ev ${METASLOT_OBJECTSTORE_SLOT}
and
.Ev ${METASLOT_OBJECTSTORE_TOKEN}
environment variables are used to specify an alternate token object store.
A user can specify either slot-description in
.Ev ${METASLOT_OBJECTSTORE_SLOT}
or token-label in
.Ev ${METASLOT_OBJECTSTORE_TOKEN} , or both.
Valid values for slot-description and token-label are available from output of
the command:
.Bd -literal -offset indent
# cryptoadm list -v
.Ed
.Lp
The
.Ev ${METASLOT_ENABLED}
environment variable is used to specify whether
the user wants to turn the metaslot feature on or off.
Only two values are recognized.
The value "true" means meta slot will be on.
The value "false" means meta slot will be off.
.Lp
The
.Ev ${METASLOT_AUTO_KEY_MIGRATE}
environment variable is used to specify
whether the user wants sensitive token objects to move to other slots for
cryptographic operations.
Only two values are recognized.
The value "true" means meta slot will migrate sensitive token objects to other
slots if necessary.
The value "false" means meta slot will not migrate sensitive token objects to
other slots even if it is necessary.
.Lp
When the meta slot feature is enabled, the slot that provides token-based
object support is not shown as one of the available slots.
All of its functionality can be used with the meta slot.
.Lp
This library filters the list of mechanisms available from plug-ins based on
the policy set by
.Xr cryptoadm 1M .
.Lp
This library provides entry points for all PKCS#11 v2.40 functions.
See the PKCS#11 v2.40 specifications at
.Lk http://www.oasis-open.org.
.Lp
Plug-ins are added to
.Nm
by the
.Sy pkcs11conf
class action
script during execution of
.Xr pkgadd 1M .
The available mechanisms are administered by the
.Xr cryptoadm 1M
utility.
.Lp
Plug-ins must have all of their library dependancies specified, including
.Xr libc 3LIB .
Libraries that have unresolved symbols, including those from
.Xr libc 3LIB ,
will be rejected and a message will be sent to
.Xr syslog 3C
for such plug-ins.
.Lp
Due to U.S. Export regulations, all plug-ins are required to be
cryptographically signed using the
.Xr elfsign 1
utility.
.Lp
Any plug-in that is not signed or is not a compatible version of PKCS#11 will
be dropped by
.Nm .
When a plug-in is dropped, the administrator is alerted by the
.Xr syslog 3C
utility.
.Lp
The
.In security/pkcs11f.h
header contains function definitions.
The
.In security/pkcs11t.h
header contains type definitions.
Applications can include either of these headers in place of
.In security/pkcs11.h ,
which contains both function and type definitions.
.Sh INTERFACES
The shared object
.Pa libpkcs11.so.1
provides the public interfaces defined below.
See
.Xr Intro 3
for additional information on shared object interfaces.
.Ss "PKCS#11 Standard"
.\"
.\" Use SUNW_C_GetMechSession for the first column so both sections will
.\" line up better when rendered
.\"
.Bl -column -offset indent ".Sy SUNW_C_GetMechSession" ".Sy C_DecryptDigestUpdate"
.It Sy C_CloseAllSessions Ta Sy C_CloseSession
.It Sy C_CopyObject Ta Sy C_CreateObject
.It Sy C_Decrypt Ta Sy C_DecryptDigestUpdate
.It Sy C_DecryptFinal Ta Sy C_DecryptInit
.It Sy C_DecryptUpdate Ta Sy C_DecryptVerifyUpdate
.It Sy C_DeriveKey Ta Sy C_DestroyObject
.It Sy C_Digest Ta Sy C_DigestEncryptUpdate
.It Sy C_DigestFinal Ta Sy C_DigestInit
.It Sy C_DigestKey Ta Sy C_DigestUpdate
.It Sy C_Encrypt Ta Sy C_EncryptFinal
.It Sy C_EncryptInit Ta Sy C_EncryptUpdate
.It Sy C_Finalize Ta Sy C_FindObjects
.It Sy C_FindObjectsFinal Ta Sy C_FindObjectsInit
.It Sy C_GenerateKey Ta Sy C_GenerateKeyPair
.It Sy C_GenerateRandom Ta Sy C_GetAttributeValue
.It Sy C_GetFunctionList Ta Sy C_GetInfo
.It Sy C_GetMechanismInfo Ta Sy C_GetMechanismList
.It Sy C_GetObjectSize Ta Sy C_GetOperationState
.It Sy C_GetSessionInfo Ta Sy C_GetSlotInfo
.It Sy C_GetSlotList Ta Sy C_GetTokenInfo
.It Sy C_InitPIN Ta Sy C_InitToken
.It Sy C_Initialize Ta Sy C_Login
.It Sy C_Logout Ta Sy C_OpenSession
.It Sy C_SeedRandom Ta Sy C_SetAttributeValue
.It Sy C_SetOperationState Ta Sy C_SetPIN
.It Sy C_Sign Ta Sy C_SignEncryptUpdate
.It Sy C_SignFinal Ta Sy C_SignInit
.It Sy C_SignRecover Ta Sy C_SignRecoverInit
.It Sy C_SignUpdate Ta Sy C_UnwrapKey
.It Sy C_Verify Ta Sy C_VerifyFinal
.It Sy C_VerifyInit Ta Sy C_VerifyRecover
.It Sy C_VerifyRecoverInit Ta Sy C_VerifyUpdate
.It Sy C_WaitForSlotEvent Ta Sy C_WrapKey
.El
.Ss "SUNW Extensions"
.Bl -column -offset indent ".Sy SUNW_C_GetMechSession" ".Sy C_DecryptDigestUpdate"
.It Sy SUNW_C_GetMechSession Ta Sy SUNW_C_KeyToObject
.El
.Sh FILES
.Bl -tag -compact -width Pa
.It Pa /usr/lib/libpkcs11.so.1
shared object
.It Pa /usr/lib/64/libpkcs11.so.1
64-bit shared object
.El
.Sh ATTRIBUTES
See
.Xr attributes 5
for descriptions of the following attributes:
.Sh INTERFACE STABILITY
.Sy Committed
.Sh MT-LEVEL
The SUNW Extension functions are MT-Safe.
The PKCS#11 Standard functions are MT-Safe with exceptions.
See Section 2.5.3 of PKCS#11 Cryptographic Token Usage Guide v2.40 and
Section 5.1.5 of PKCS#11 Cryptographic Token Interface Base Standard v2.40
.Sh STANDARD
The PKCS#11 Standard functions conform to PKCS#11 Cryptographic Token
Interface Profiles v2.40 Extended Provider.
.Sh SEE ALSO
.Xr cryptoadm 1M ,
.Xr pkgadd 1M ,
.Xr Intro 3 ,
.Xr syslog 3C ,
.Xr SUNW_C_GetMechSession 3EXT ,
.Xr attributes 5 ,
.Xr pkcs11_kernel 5 ,
.Xr pkcs11_softtoken 5
.Rs
.%T "PKCS#11 Cryptographic Token Interface Base Specification v2.40 Plus Errata 01"
.%U http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os.html
.Re
.Rs
.%T "PKCS#11 Cryptographic Token Interface Profiles v2.40"
.%U http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/pkcs11-profiles-v2.40.html
.Re
.Rs
.%T "PKCS#11 Cryptographic Token Interface Usage Guide v2.40"
.%U http://docs.oasis-open.org/pkcs11/pkcs11-ug/v2.40/pkcs11-ug-v2.40.html
.Re
.Sh NOTES
If an application calls
.Fn C_WaitForSlotEvent
without the
.Dv CKF_DONT_BLOCK
flag set,
.Nm
must create threads internally.
If, however,
.Dv CKF_LIBRARY_CANT_CREATE_OS_THREADS
is set,
.Fn C_WaitForSlotEvent
returns
.Dv CKR_FUNCTION_FAILED .
.Lp
The PKCS#11 library does not work with Netscape 4.\fIx\fR but does work with
more recent versions of Netscape and Mozilla.
.Lp
Because
.Fn C_Initalize
might have been called by both an application and a
library, it is not safe for a library or its plugins to call
.Fn C_Finalize .
A library can be finished calling functions from
.Nm ,
while an application might not.
|
