pkcs11_softtoken - Software OASIS PKCS#11 softtoken
/usr/lib/security/pkcs11_softtoken.so /usr/lib/security/64/pkcs11_softtoken.so
The pkcs11_softtoken.so object implements the OASIS PKCS#11 Cryptographic Token Interface (Cryptoki), v2.40, specification, in software. Persistent storage for token objects is provided by this PKCS#11 implementation.
The pkcs11_softtoken provider is a required part of Oracle Solaris and must not be disabled using cryptoadm(8).
Some of the cryptographic algorithms may be hardware accelerated. Administrators can run the following command to determine this list for their system, and look at the HW column in the output:
# cryptoadm list -vm provider='/usr/lib/security/$ISA/pkcs11_softtoken.so'
For developers, the CKF_HW flag is set in the CK_MECHANISM_INFO structure for those PKCS#11 mechanisms that are hardware accelerated.
Application developers should link to libpkcs11.so rather than link directly to pkcs11_softtoken.so. See libpkcs11(3LIB).
The following cryptographic algorithms are implemented: DES, 3DES, AES, Blowfish, RC4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RSA, DSA, DH, ECC, and Camellia. Note that RC4 can be used only for decryption.
All of the Standard PKCS#11 functions listed on libpkcs11(3LIB) are implemented except for the following:
C_GetObjectSize C_InitPIN C_WaitForSlotEvent
A call to these functions returns CKR_FUNCTION_NOT_SUPPORTED.
The following OASIS PKCS#11 v2.40 mechanisms are supported:
CKM_RSA_PKCS_KEY_PAIR_GEN CKM_RSA_PKCS CKM_RSA_X_509 CKM_DSA_KEY_PAIR_GEN CKM_DSA CKM_DSA_SHA1 CKM_DH_PKCS_KEY_PAIR_GEN CKM_DH_PKCS_DERIVE CKM_EC_KEY_PAIR_GEN CKM_ECDSA CKM_ECDSA_SHA1 CKM_ECDH1_DERIVE CKM_DES_KEY_GEN CKM_DES_ECB CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES3_KEY_GEN CKM_DES3_ECB CKM_DES3_CBC CKM_DES3_CBC_PAD CKM_AES_KEY_GEN CKM_AES_ECB CKM_AES_CBC CKM_AES_CBC_PAD CKM_AES_CTR CKM_AES_XCBC_MAC CKM_AES_XCBC_MAC_96 CKM_AES_GMAC CKM_AES_GCM CKM_AES_CCM CKM_AES_CFB128 CKM_BLOWFISH_KEY_GEN CKM_BLOWFISH_CBC CKM_CAMELLIA_KEY_GEN CKM_CAMELLIA_ECB CKM_CAMELLIA_CBC CKM_RC4_KEY_GEN CKM_RC4 (usable for decryption only) CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS CKM_SHA224_RSA_PKCS CKM_SHA256_RSA_PKCS CKM_SHA384_RSA_PKCS CKM_SHA512_RSA_PKCS CKM_MD5 CKM_SHA_1 CKM_SHA224 CKM_SHA256 CKM_SHA384 CKM_SHA512 CKM_SHA512_224 CKM_SHA512_256 CKM_SHA512_T CKM_MD5_HMAC CKM_MD5_HMAC_GENERAL CKM_SHA_1_HMAC CKM_SHA_1_HMAC_GENERAL CKM_SHA224_HMAC CKM_SHA256_HMAC CKM_SHA224_HMAC_GENERAL CKM_SHA512_224_HMAC_GENERAL CKM_SHA512_256_HMAC_GENERAL CKM_SHA512_T_HMAC_GENERAL CKM_SHA512_224_HMAC CKM_SHA512_256_HMAC CKM_SHA512_T_HMAC CKM_SHA256_HMAC_GENERAL CKM_SHA384_HMAC CKM_SHA384_HMAC_GENERAL CKM_MD5_KEY_DERIVATION CKM_SHA1_KEY_DERIVATION CKM_SHA224_KEY_DERIVATION CKM_SHA256_KEY_DERIVATION CKM_SHA384_KEY_DERIVATION CKM_SHA512_KEY_DERIVATION CKM_SHA512_224_KEY_DERIVATION CKM_SHA512_256_KEY_DERIVATION CKM_SHA512_T_KEY_DERIVATION CKM_SSL3_PRE_MASTER_KEY_GEN CKM_SSL3_MASTER_KEY_DERIVE CKM_SSL3_KEY_AND_MAC_DERIVE CKM_SSL3_MASTER_KEY_DERIVE_DH CKM_TLS_PRE_MASTER_KEY_GEN CKM_TLS_MASTER_KEY_DERIVE CKM_TLS_KEY_AND_MAC_DERIVE CKM_TLS_MASTER_KEY_DERIVE_DH CKM_TLS12_MASTER_KEY_DERIVE CKM_TLS12_MASTER_KEY_DERIVE_DH CKM_TLS12_KEY_AND_MAC_DERIVE CKM_TLS12_KEY_SAFE_DERIVE CKM_TLS_KDF CKM_TLS_MAC
Each of the following types of key objects has certain token-specific attributes that are set to true by default as a result of object creation, key/key pair generation, and key derivation.
CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER
CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_EXTRACTABLE
CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_EXTRACTABLE
The following certificate objects are supported:
For CKC_X_509 certificate objects, the following attributes are supported: CKA_SUBJECT, CKA_VALUE, CKA_LABEL, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, and CKA_CERTIFICATE_TYPE.
For CKC_X_509_ATTR_CERT certificate objects, the following attributes are supported: CKA_OWNER, CKA_VALUE, CKA_LABEL, CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_ATTR_TYPES, and CKA_CERTIFICATE_TYPE.
The search operation of objects matching the template is performed at C_FindObjectsInit. The matched objects are cached for subsequent C_FindObjects operations.
The pkcs11_softtoken.so object provides a filesystem-based persistent token object store for storing token objects. The default location of the token object store is /var/user/$USERNAME/pkcs11_softtoken. The user can override the default location by using the ${SOFTTOKEN_DIR} environment variable.
If the token object store has never been initialized, the C_Login() function might return CKR_OK but the user is not able to create, generate, derive or find any private token object and receives CKR_PIN_EXPIRED.
The user should use the pktool inittoken command with the new or existing passphrase to initialize or re-initialize a token object store respectively. A user-defined token label for softtoken can be set or changed. More importantly, all objects inside the token object store will be destroyed. Then, the user may just use the pktool setpin command to change the passphrase of the token object store afterward.
After logging into object store with the new passphrase that was set by the pktool setpin command, the user can create and store the private token object in this newly created object store. Until the token object store is initialized by setpin, the C_Login() function is allowed, but all attempts by the user to create, generate, derive or find any private token object fails with a CKR_PIN_EXPIRED error.
The PIN provided for C_Login() and C_SetPIN() functions can be any string of characters with lengths between 1 and 256 and no embedded nulls.
The return values for each of the implemented functions are defined and listed in the OASIS PKCS#11 v2.40 specification. See https://www.oasis-open.org/committees/pkcs11/
user's default token object store
alternate location for token object store
See attributes(7) for a description of the following attributes:
|
pktool(1), cryptoadm(8), libpkcs11(3LIB), attributes(7)