pkcs11_softtoken(5)    Standards, Environments, and Macros    pkcs11_softtoken(5)

NAME
       pkcs11_softtoken - Software RSA PKCS#11 softtoken

SYNOPSIS
       /usr/lib/security/pkcs11_softtoken.so
       /usr/lib/security/64/pkcs11_softtoken.so

DESCRIPTION
       The pkcs11_softtoken.so object implements the RSA PKCS#11 v2.20
       specification in software. Persistent storage for "token" objects is
       provided by this PKCS#11 implementation.

       Application developers should link to libpkcs11.so rather than link
       directly to pkcs11_softtoken.so. See libpkcs11(3LIB).

       The following cryptographic algorithms are implemented: DES, 3DES, AES,
       Blowfish, RC4, MD5, SHA1, SHA256, SHA384, SHA512, RSA, DSA, DH, and
       ECC.

       All of the standard PKCS#11 functions listed in libpkcs11(3LIB) are
       implemented except for the following:

           C_GetObjectSize
           C_InitPIN
           C_InitToken
           C_WaitForSlotEvent

       A call to any of these functions returns CKR_FUNCTION_NOT_SUPPORTED.

       The following RSA PKCS#11 v2.20 mechanisms are supported:

           CKM_RSA_PKCS_KEY_PAIR_GEN
           CKM_RSA_PKCS
           CKM_RSA_X_509

           CKM_DSA_KEY_PAIR_GEN
           CKM_DSA
           CKM_DSA_SHA1

           CKM_DH_PKCS_KEY_PAIR_GEN
           CKM_DH_PKCS_DERIVE

           CKM_EC_KEY_PAIR_GEN
           CKM_ECDSA
           CKM_ECDSA_SHA1
           CKM_ECDH1_DERIVE

           CKM_DES_KEY_GEN
           CKM_DES_ECB
           CKM_DES_CBC
           CKM_DES_CBC_PAD

           CKM_DES3_KEY_GEN
           CKM_DES3_ECB
           CKM_DES3_CBC
           CKM_DES3_CBC_PAD

           CKM_AES_KEY_GEN
           CKM_AES_ECB
           CKM_AES_CBC
           CKM_AES_CBC_PAD
           CKM_AES_CTR

           CKM_BLOWFISH_KEY_GEN
           CKM_BLOWFISH_CBC

           CKM_RC4_KEY_GEN
           CKM_RC4

           CKM_MD5_RSA_PKCS
           CKM_SHA1_RSA_PKCS
           CKM_SHA256_RSA_PKCS
           CKM_SHA384_RSA_PKCS
           CKM_SHA512_RSA_PKCS

           CKM_MD5
           CKM_SHA_1
           CKM_SHA256
           CKM_SHA384
           CKM_SHA512

           CKM_MD5_HMAC
           CKM_MD5_HMAC_GENERAL
           CKM_SHA_1_HMAC
           CKM_SHA_1_HMAC_GENERAL
           CKM_SHA256_HMAC
           CKM_SHA256_HMAC_GENERAL
           CKM_SHA384_HMAC
           CKM_SHA384_HMAC_GENERAL

           CKM_MD5_KEY_DERIVATION
           CKM_SHA1_KEY_DERIVATION
           CKM_SHA256_KEY_DERIVATION
           CKM_SHA384_KEY_DERIVATION
           CKM_SHA512_KEY_DERIVATION

           CKM_SSL3_PRE_MASTER_KEY_GEN
           CKM_SSL3_MASTER_KEY_DERIVE
           CKM_SSL3_KEY_AND_MAC_DERIVE
           CKM_SSL3_MASTER_KEY_DERIVE_DH
           CKM_TLS_PRE_MASTER_KEY_GEN
           CKM_TLS_MASTER_KEY_DERIVE
           CKM_TLS_KEY_AND_MAC_DERIVE
           CKM_TLS_MASTER_KEY_DERIVE_DH

       Each of the following types of key objects has certain token-specific
       attributes that are set to true by default as a result of object
       creation, key/key pair generation, and key derivation.

       Public key object     CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER

       Private key object    CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER,
                             CKA_EXTRACTABLE

       Secret key object     CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY,
                             CKA_EXTRACTABLE

       The following certificate objects are supported:

       CKC_X_509              For CKC_X_509 certificate objects, the following
                              attributes are supported: CKA_SUBJECT,
                              CKA_VALUE, CKA_LABEL, CKA_ID, CKA_ISSUER,
                              CKA_SERIAL_NUMBER, and CKA_CERTIFICATE_TYPE.

       CKC_X_509_ATTR_CERT    For CKC_X_509_ATTR_CERT certificate objects, the
                              following attributes are supported: CKA_OWNER,
                              CKA_VALUE, CKA_LABEL, CKA_SERIAL_NUMBER,
                              CKA_AC_ISSUER, CKA_ATTR_TYPES, and
                              CKA_CERTIFICATE_TYPE.

       The search operation of objects matching the template is performed at
       C_FindObjectsInit. The matched objects are cached for subsequent
       C_FindObjects operations.

       The pkcs11_softtoken.so object provides a filesystem-based persistent
       token object store for storing token objects. The default location of
       the token object store is the user's home directory returned by
       getpwuid_r(). The user can override the default location by using the
       ${SOFTTOKEN_DIR} environment variable.

       If the token object store has never been initialized, the C_Login()
       function might return CKR_OK, but the user cannot create, generate,
       derive, or find any private token object; such attempts return
       CKR_PIN_EXPIRED.

       The user must use the pktool(1) setpin command with the default
       passphrase "changeme" as the old passphrase to change the passphrase of
       the object store. This action is needed to initialize a newly created
       token object store and set its passphrase.

       After logging in to the object store with the new passphrase that was
       set by the pktool setpin command, the user can create and store private
       token objects in this newly created object store. Until the token
       object store is initialized by setpin, the C_Login() function is
       allowed, but all attempts by the user to create, generate, derive, or
       find any private token object fail with a CKR_PIN_EXPIRED error.

       The PIN provided for the C_Login() and C_SetPIN() functions can be any
       string of characters with a length between 1 and 256 and no embedded
       nulls.

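       The store-location and PIN rules described above, as an added example
       (not code from this manual page or from the softtoken implementation):
       a C helper that resolves which token object store is in effect and
       pre-checks a new PIN before it is passed to C_SetPIN(). The function
       names, treating an empty SOFTTOKEN_DIR as unset, and rejecting the
       default passphrase as a new PIN are assumptions of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum pin_status { PIN_OK = 0, PIN_BAD_LENGTH, PIN_EMBEDDED_NUL, PIN_IS_DEFAULT };

/* override is the value of SOFTTOKEN_DIR (NULL when unset; an empty value is
 * treated as unset here, which is this example's choice). 0 on success. */
int softtoken_store_path(const char *override, char *out, size_t outlen)
{
    char pwbuf[4096];
    struct passwd pw, *res = NULL;
    const char *base = override;
    const char *sub = "/pkcs11_softtoken";

    if (base == NULL || base[0] == '\0') {
        /* Default store: passwd home directory (POSIX getpwuid_r), not $HOME. */
        if (getpwuid_r(getuid(), &pw, pwbuf, sizeof pwbuf, &res) != 0 || res == NULL)
            return -1;
        base = res->pw_dir;
        sub = "/.sunw/pkcs11_softtoken";
    }
    int n = snprintf(out, outlen, "%s%s", base, sub);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* pin/len are the bytes and length that would be passed as the new PIN. */
enum pin_status softtoken_check_new_pin(const unsigned char *pin, size_t len)
{
    if (pin == NULL || len < 1 || len > 256)
        return PIN_BAD_LENGTH;               /* documented range is 1..256 */
    if (memchr(pin, '\0', len) != NULL)
        return PIN_EMBEDDED_NUL;             /* the length is explicit, so check */
    /* Local policy (assumption): do not keep the documented default passphrase. */
    if (len == 8 && memcmp(pin, "changeme", 8) == 0)
        return PIN_IS_DEFAULT;
    return PIN_OK;
}

int main(void)
{
    char path[1024];
    if (softtoken_store_path(getenv("SOFTTOKEN_DIR"), path, sizeof path) == 0)
        printf("token object store: %s\n", path);
    printf("new PIN status: %d\n",
           softtoken_check_new_pin((const unsigned char *)"changeme", 8));
    return 0;
}
```
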
RETURN VALUES
       The return values for each of the implemented functions are defined and
       listed in the RSA PKCS#11 v2.20 specification. See
       http://www.rsasecurity.com

FILES
       user_home_directory/.sunw/pkcs11_softtoken

           user's default token object store

       ${SOFTTOKEN_DIR}/pkcs11_softtoken

           alternate token object store

ATTRIBUTES
       See attributes(5) for a description of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT-Level                     │MT-Safe with exceptions.     │
       │                             │See section 6.5.2 of RSA     │
       │                             │PKCS#11 v2.20.               │
       ├─────────────────────────────┼─────────────────────────────┤
       │Standard                     │PKCS#11 v2.20                │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       pktool(1), cryptoadm(1M), libpkcs11(3LIB), attributes(5),
       pkcs11_kernel(5)

       RSA PKCS#11 v2.20 http://www.rsasecurity.com

SunOS 5.11                        25 Mar 2008              pkcs11_softtoken(5)