Go to main content

man pages section 3: Library Interfaces and Headers

Exit Print View

Updated: Thursday, June 13, 2019
 
 

libpkcs11(3LIB)

Name

libpkcs11 - PKCS#11 Cryptographic Framework library

Synopsis

cc [ flag... ] file... –lpkcs11 [ library... ]
#include <security/cryptoki.h>
#include <security/pkcs11.h>

Description

The libpkcs11 library implements the OASIS PKCS#11 Cryptographic Token Interface (Cryptoki), v2.40, specification by using plug-ins to provide the slots.

Each plug-in, which also implements OASIS PKCS#11 v2.40, represents one or more slots.

The libpkcs11 library provides a special slot called the meta slot. The meta slot provides a virtual union of capabilities of all other slots. When available, the meta slot is always the first slot provided by libpkcs11. The order of the rest of the slots is not guaranteed and may vary with every load of this library.

The meta slot feature can be configured either system-wide or by individual users. System-wide configuration for meta slot features is done with the cryptoadm(8) utility. User configuration for meta slot features is performed with environment variables.

By default, the following is the system-wide configuration for meta slot. Meta slot is enabled. Meta slot provides token-based object support with the Software OASIS PKCS#11 softtoken (pkcs11_softtoken(7)). Meta slot is allowed to move sensitive token objects to other slots if that is necessary to perform an operation.

Users can overwrite one or more system-wide configuration options for meta slot using these environment variables.

The ${METASLOT_OBJECTSTORE_SLOT} and ${METASLOT_OBJECTSTORE_TOKEN} environment variables are used to specify an alternate token object store. A user can specify either slot-description in ${METASLOT_OBJECTSTORE_SLOT} or token-label in ${METASLOT_OBJECTSTORE_TOKEN}, or both. If metaslot is unable to honor both the slot and token configurations, then it will default to the first available slot. Valid values for slot-description and token-label are available from output of the command:

cryptoadm list -v

While setting the ${METASLOT_OBJECTSTORE_SLOT} environment variable, whitespaces are required to be padded up to 64th byte. For example,

export METASLOT_OBJECTSTORE_SLOT="my slot description (pad whitespace up to 64th byte in here...)"

Similarly, while setting the ${METASLOT_OBJECTSTORE_TOKEN} environment variable, whitespaces are required to be padded up to 32nd byte. For example,

export METASLOT_OBJECTSTORE_TOKEN="KMS (pad whitespace up to 32nd byte in here...)"

The ${METASLOT_ENABLED} environment variable is used to specify whether the user wants to turn the metaslot feature on or off. Only two values are recognized. The value “true” means meta slot will be on. The value “false” means meta slot will be off.

The ${METASLOT_AUTO_KEY_MIGRATE} environment variable is used to specify whether the user wants sensitive token objects to move to other slots for cryptographic operations. Only two values are recognized. The value “true” means meta slot will migrate sensitive token objects to other slots if necessary. The value “false” means meta slot will not migrate sensitive token objects to other slots even if it is necessary.

When the meta slot feature is enabled, the slot that provides token-based object support is not shown as one of the available slots. All of its functionality can be used with the meta slot.

This library filters the list of mechanisms available from plug-ins based on the policy set by cryptoadm(8).

This library provides entry points for all PKCS#11 v2.40 functions. See the OASIS PKCS#11 v2.40 specification at http://www.oasis-open.org.

The cryptoadm(8) command can be used to add plugins to libpkcs11, as well as to administer the available mechanisms.

Plug-ins are added to libpkcs11 by the cryptoadm(8) install subcommand, and available mechanisms are administered by the cryptoadm(8) utility.

Plug-ins must have all of their library dependencies specified, including libc(3LIB). Libraries that have unresolved symbols, including those from libc, will be rejected and a message will be sent to syslog(3C) for such plug-ins.

Any plug-in that is not a compatible version of PKCS#11 will be dropped by libpkcs11. When a plug-in is dropped, the administrator is alerted by the syslog(3C) utility.

The security/pkcs11f.h header contains function definitions. The security/pkcs11t.h header contains type definitions. Applications can include either of these headers in place of security/pkcs11.h, which contains both function and type definitions.

INTERFACES

The shared object libpkcs11.so.1 provides the public interfaces defined below. See intro(3) for additional information on shared object interfaces.

PKCS#11 Standard

C_CloseAllSessions
C_CloseSession
C_CopyObject
C_CreateObject
C_Decrypt
C_DecryptDigestUpdate
C_DecryptFinal
C_DecryptInit
C_DecryptUpdate
C_DecryptVerifyUpdate
C_DeriveKey
C_DestroyObject
C_Digest
C_DigestEncryptUpdate
C_DigestFinal
C_DigestInit
C_DigestKey
C_DigestUpdate
C_Encrypt
C_EncryptFinal
C_EncryptInit
C_EncryptUpdate
C_Finalize
C_FindObjects
C_FindObjectsFinal
C_FindObjectsInit
C_GenerateKey
C_GenerateKeyPair
C_GenerateRandom
C_GetAttributeValue
C_GetFunctionList
C_GetInfo
C_GetMechanismInfo
C_GetMechanismList
C_GetObjectSize
C_GetOperationState
C_GetSessionInfo
C_GetSlotInfo
C_GetSlotList
C_GetTokenInfo
C_InitPIN
C_InitToken
C_Initialize
C_Login
C_Logout
C_OpenSession
C_SeedRandom
C_SetAttributeValue
C_SetOperationState
C_SetPIN
C_Sign
C_SignEncryptUpdate
C_SignFinal
C_SignInit
C_SignRecover
C_SignRecoverInit
C_SignUpdate
C_UnwrapKey
C_Verify
C_VerifyFinal
C_VerifyInit
C_VerifyRecover
C_VerifyRecoverInit
C_VerifyUpdate
C_WaitForSlotEvent
C_WrapKey

SUNW Extensions

SUNW_C_GetMechSession
SUNW_C_KeyToObject

Files

/usr/lib/libpkcs11.so.1

shared object

/usr/lib/64/libpkcs11.so.1

64–bit shared object

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/library/security/pkcs11
Interface Stability
Committed
MT-Level
MT-Safe with exceptions. See section 1.9.3 of OASIS PKCS#11 v2.40 Usage Guide
Standard
PKCS#11 v2.40

The PKCS#11 Standard functions conform to PKCS#11 v2.40.

See Also

syslog(3C), SUNW_C_GetMechSession(3EXT), intro(3), attributes(7), pkcs11_softtoken(7), cryptoadm(8)

OASIS PKCS#11 v2.40 http://www.oasis-open.org

Notes

If an application calls C_WaitForSlotEvent() without the CKF_DONT_BLOCK flag set, libpkcs11 must create threads internally. If, however, CKF_LIBRARY_CANT_CREATE_OS_THREADS is set, C_WaitForSlotEvent() returns CKR_FUNCTION_FAILED.

Because C_Initialize() might have been called by both an application and a library, it is not safe for a library or its plugins to call C_Finalize(). A library can be finished calling functions from libpkcs11, while an application might not.