1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
|
'\" te
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PKCS11_SOFTTOKEN 5 "Mar 25, 2008"
.SH NAME
pkcs11_softtoken \- Software RSA PKCS#11 softtoken
.SH SYNOPSIS
.LP
.nf
/usr/lib/security/pkcs11_softtoken.so
/usr/lib/security/64/pkcs11_softtoken.so
.fi
.SH DESCRIPTION
.sp
.LP
The \fBpkcs11_softtoken.so\fR object implements the RSA PKCS#11 v2.20
specification in software. Persistent storage for "token" objects is provided
by this PKCS#11 implementation.
.sp
.LP
Application developers should link to \fBlibpkcs11.so\fR rather than link
directly to \fBpkcs11_softtoken.so\fR. See \fBlibpkcs11\fR(3LIB).
.sp
.LP
The following cryptographic algorithms are implemented: DES, 3DES, AES,
Blowfish, RC4, MD5, SHA1, SHA256, SHA384, SHA512, RSA, DSA, DH, and ECC.
.sp
.LP
All of the Standard PKCS#11 functions listed on \fBlibpkcs11\fR(3LIB) are
implemented except for the following:
.sp
.in +2
.nf
C_GetObjectSize
C_InitPIN
C_InitToken
C_WaitForSlotEvent
.fi
.in -2
.sp
.LP
A call to these functions returns \fBCKR_FUNCTION_NOT_SUPPORTED\fR.
.sp
.LP
The following RSA PKCS#11 v2.20 mechanisms are supported:
.sp
.in +2
.nf
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_AES_KEY_GEN
CKM_AES_ECB
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_AES_CTR
CKM_BLOWFISH_KEY_GEN
CKM_BLOWFISH_CBC
CKM_RC4_KEY_GEN
CKM_RC4
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_MD5_HMAC
CKM_MD5_HMAC_GENERAL
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA256_HMAC
CKM_SHA256_HMAC_GENERAL
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_MD5_KEY_DERIVATION
CKM_SHA1_KEY_DERIVATION
CKM_SHA256_KEY_DERIVATION
CKM_SHA384_KEY_DERIVATION
CKM_SHA512_KEY_DERIVATION
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_TLS_PRE_MASTER_KEY_GEN
CKM_TLS_MASTER_KEY_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH
.fi
.in -2
.sp
.LP
Each of the following types of key objects has certain token-specific
attributes that are set to true by default as a result of object creation,
key/key pair generation, and key derivation.
.sp
.ne 2
.na
\fBPublic key object\fR
.ad
.RS 22n
\fBCKA_ENCRYPT\fR, \fBCKA_VERIFY\fR, \fBCKA_VERIFY_RECOVER\fR
.RE
.sp
.ne 2
.na
\fBPrivate key object\fR
.ad
.RS 22n
\fBCKA_DECRYPT\fR, \fBCKA_SIGN\fR, \fBCKA_SIGN_RECOVER\fR,
\fBCKA_EXTRACTABLE\fR
.RE
.sp
.ne 2
.na
\fBSecret key object\fR
.ad
.RS 22n
\fBCKA_ENCRYPT\fR, \fBCKA_DECRYPT\fR, \fBCKA_SIGN\fR, \fBCKA_VERIFY\fR,
\fBCKA_EXTRACTABLE\fR
.RE
.sp
.LP
The following certificate objects are supported:
.sp
.ne 2
.na
\fB\fBCKC_X_509\fR\fR
.ad
.RS 23n
For \fBCKC_X_509\fR certificate objects, the following attributes are
supported: \fBCKA_SUBJECT\fR, \fBCKA_VALUE\fR, \fBCKA_LABEL\fR, \fBCKA_ID\fR,
\fBCKA_ISSUER\fR, \fBCKA_SERIAL_NUMBER\fR, and \fBCKA_CERTIFICATE_TYPE\fR.
.RE
.sp
.ne 2
.na
\fB\fBCKC_X_509_ATTR_CERT\fR\fR
.ad
.RS 23n
For \fBCKC_X_509_ATTR_CERT\fR certificate objects, the following attributes are
supported: \fBCKA_OWNER\fR, \fBCKA_VALUE, CKA_LABEL\fR,
\fBCKA_SERIAL_NUMBER\fR, \fBCKA_AC_ISSUER\fR, \fBCKA_ATTR_TYPES\fR, and
\fBCKA_CERTIFICATE_TYPE\fR.
.RE
.sp
.LP
The search operation of objects matching the template is performed at
\fBC_FindObjectsInit\fR. The matched objects are cached for subsequent
\fBC_FindObjects\fR operations.
.sp
.LP
The \fBpkcs11_softtoken.so\fR object provides a filesystem-based persistent
token object store for storing token objects. The default location of the token
object store is the user's home directory returned by \fBgetpwuid_r()\fR. The
user can override the default location by using the \fB${SOFTTOKEN_DIR}\fR
environment variable.
.sp
.LP
If the token object store has never been initialized, the \fBC_Login()\fR
function might return \fBCKR_OK\fR but the user will not be able to create,
generate, derive or find any private token object and receives
\fBCKR_PIN_EXPIRED\fR.
.sp
.LP
The user must use the \fBpktool\fR(1) \fBsetpin\fR command with the default
passphrase "changeme" as the old passphrase to change the passphrase of the
object store. This action is needed to initialize and set the passphrase to a
newly created token object store.
.sp
.LP
After logging into object store with the new passphrase that was set by the
\fBpktool setpin\fR command, the user can create and store the private token
object in this newly created object store. Until the token object store is
initialized by \fBsetpin\fR, the \fBC_Login()\fR function is allowed, but all
attempts by the user to create, generate, derive or find any private token
object fails with a \fBCKR_PIN_EXPIRED\fR error.
.sp
.LP
The PIN provided for \fBC_Login()\fR and \fBC_SetPIN()\fR functions can be any
string of characters with lengths between 1 and 256 and no embedded nulls.
.SH RETURN VALUES
.sp
.LP
The return values for each of the implemented functions are defined and listed
in the RSA PKCS#11 v2.20 specification. See http://www.rsasecurity.com
.SH FILES
.sp
.ne 2
.na
\fB\fB\fIuser_home_directory\fR/.sunw/pkcs11_softtoken\fR\fR
.ad
.sp .6
.RS 4n
user's default token object store
.RE
.sp
.ne 2
.na
\fB\fB${SOFTTOKEN_DIR}/pkcs11_softtoken\fR\fR
.ad
.sp .6
.RS 4n
alternate token object store
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for a description of the following attributes:
.sp
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE ATTRIBUTE VALUE
_
Interface Stability Committed
_
MT-Level T{
MT-Safe with exceptions. See section 6.5.2 of RSA PKCS#11 v2.20.
T}
_
Standard PKCS#11 v2.20
.TE
.SH SEE ALSO
.sp
.LP
\fBpktool\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB),
\fBattributes\fR(5), \fBpkcs11_kernel\fR(5)
.sp
.LP
RSA PKCS#11 v2.20 http://www.rsasecurity.com
|
