libpkcs11(3LIB)               Interface Libraries              libpkcs11(3LIB)

NAME

       libpkcs11 - PKCS#11 Cryptographic Framework library

SYNOPSIS

       cc [ flag... ] file... -lpkcs11 [ library... ]
       #include <security/cryptoki.h>
       #include <security/pkcs11.h>

DESCRIPTION

       The libpkcs11 library implements the RSA Security Inc. PKCS#11
       Cryptographic Token Interface (Cryptoki), v2.20 specification by using
       plug-ins to provide the slots.

       Each plug-in, which also implements RSA PKCS#11 v2.20, represents one
       or more slots.

       The libpkcs11 library provides a special slot called the meta slot. The
       meta slot provides a virtual union of capabilities of all other slots.
       When available, the meta slot is always the first slot provided by
       libpkcs11.

       The meta slot feature can be configured either system-wide or by
       individual users. System-wide configuration for meta slot features is
       done with the cryptoadm(1M) utility. User configuration for meta slot
       features is performed with environment variables.

       By default, the following is the system-wide configuration for meta
       slot. Meta slot is enabled. Meta slot provides token-based object
       support with the Software RSA PKCS#11 softtoken (pkcs11_softtoken(5)).
       Meta slot is allowed to move sensitive token objects to other slots if
       that is necessary to perform an operation.

       Users can override one or more system-wide configuration options for
       meta slot using these environment variables.

       The ${METASLOT_OBJECTSTORE_SLOT} and ${METASLOT_OBJECTSTORE_TOKEN}
       environment variables are used to specify an alternate token object
       store. A user can specify either slot-description in
       ${METASLOT_OBJECTSTORE_SLOT} or token-label in
       ${METASLOT_OBJECTSTORE_TOKEN}, or both. Valid values for
       slot-description and token-label are available from output of the
       command:

         cryptoadm list -v

       The ${METASLOT_ENABLED} environment variable is used to specify whether
       the user wants to turn the meta slot feature on or off. Only two values
       are recognized. The value "true" means meta slot will be on. The value
       "false" means meta slot will be off.

       The ${METASLOT_AUTO_KEY_MIGRATE} environment variable is used to
       specify whether the user wants sensitive token objects to move to other
       slots for cryptographic operations. Only two values are recognized. The
       value "true" means meta slot will migrate sensitive token objects to
       other slots if necessary. The value "false" means meta slot will not
       migrate sensitive token objects to other slots even if it is necessary.

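       The override rules above, modelled as an added example (not part of
       the original manual page and not libpkcs11 code): it starts from the
       documented defaults and applies the METASLOT_* variables found in an
       envp-style array, so a launcher can tell whether a process would let
       sensitive token objects migrate. The struct and function names are
       hypothetical; exact, case-sensitive matching of "true" and "false",
       ignoring any other value, and defaults left unchanged by cryptoadm(1M)
       are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model of the meta slot settings a process would request. */
struct metaslot_cfg {
    bool enabled;             /* METASLOT_ENABLED */
    bool auto_key_migrate;    /* METASLOT_AUTO_KEY_MIGRATE */
    const char *store_slot;   /* METASLOT_OBJECTSTORE_SLOT, NULL = system default */
    const char *store_token;  /* METASLOT_OBJECTSTORE_TOKEN, NULL = system default */
    unsigned ignored;         /* boolean variables holding an unrecognized value */
};

/* Look up name in an envp-style, NULL-terminated array of "NAME=value". */
static const char *env_get(const char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (; envp != NULL && *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Only "true" and "false" are recognized. Assumptions: the match is exact
 * and case-sensitive, and any other value leaves the setting unchanged. */
static void apply_bool(const char *v, bool *field, struct metaslot_cfg *c)
{
    if (v == NULL) return;
    if (strcmp(v, "true") == 0 || strcmp(v, "false") == 0)
        *field = (v[0] == 't');
    else
        c->ignored++;
}

/* Documented defaults (assumed unchanged by cryptoadm), then user overrides. */
struct metaslot_cfg metaslot_effective_cfg(const char *const envp[])
{
    struct metaslot_cfg c = { true, true, NULL, NULL, 0 };
    apply_bool(env_get(envp, "METASLOT_ENABLED"), &c.enabled, &c);
    apply_bool(env_get(envp, "METASLOT_AUTO_KEY_MIGRATE"), &c.auto_key_migrate, &c);
    c.store_slot = env_get(envp, "METASLOT_OBJECTSTORE_SLOT");
    c.store_token = env_get(envp, "METASLOT_OBJECTSTORE_TOKEN");
    return c;
}

/* True when meta slot may move sensitive token objects to other slots. */
bool metaslot_may_migrate_keys(const struct metaslot_cfg *c)
{
    return c->enabled && c->auto_key_migrate;
}
```

       Pass (const char *const *)environ to check the current process, or the
       array a launcher is about to hand to a child process.
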
       When the meta slot feature is enabled, the slot that provides
       token-based object support is not shown as one of the available slots.
       All of its functionality can be used with the meta slot.

       This library filters the list of mechanisms available from plug-ins
       based on the policy set by cryptoadm(1M).

       This library provides entry points for all PKCS#11 v2.20 functions. See
       the RSA PKCS#11 v2.20 specification at http://www.rsasecurity.com.

       Plug-ins are added to libpkcs11 by the pkcs11conf class action script
       during execution of pkgadd(1M). The available mechanisms are
       administered by the cryptoadm(1M) utility.

       Plug-ins must have all of their library dependencies specified,
       including libc(3LIB). Libraries that have unresolved symbols, including
       those from libc, will be rejected and a message will be sent to
       syslog(3C) for such plug-ins.

       Due to U.S. Export regulations, all plug-ins are required to be
       cryptographically signed using the elfsign utility.

       Any plug-in that is not signed or is not a compatible version of
       PKCS#11 will be dropped by libpkcs11. When a plug-in is dropped, the
       administrator is alerted by the syslog(3C) utility.

       The <security/pkcs11f.h> header contains function definitions. The
       <security/pkcs11t.h> header contains type definitions. Applications can
       include either of these headers in place of <security/pkcs11.h>, which
       contains both function and type definitions.

INTERFACES

       The shared object libpkcs11.so.1 provides the public interfaces defined
       below. See Intro(3) for additional information on shared object
       interfaces.

   PKCS#11 Standard
       C_CloseAllSessions            C_CloseSession
       C_CopyObject                  C_CreateObject
       C_Decrypt                     C_DecryptDigestUpdate
       C_DecryptFinal                C_DecryptInit
       C_DecryptUpdate               C_DecryptVerifyUpdate
       C_DeriveKey                   C_DestroyObject
       C_Digest                      C_DigestEncryptUpdate
       C_DigestFinal                 C_DigestInit
       C_DigestKey                   C_DigestUpdate
       C_Encrypt                     C_EncryptFinal
       C_EncryptInit                 C_EncryptUpdate
       C_Finalize                    C_FindObjects
       C_FindObjectsFinal            C_FindObjectsInit
       C_GenerateKey                 C_GenerateKeyPair
       C_GenerateRandom              C_GetAttributeValue
       C_GetFunctionList             C_GetInfo
       C_GetMechanismInfo            C_GetMechanismList
       C_GetObjectSize               C_GetOperationState
       C_GetSessionInfo              C_GetSlotInfo
       C_GetSlotList                 C_GetTokenInfo
       C_InitPIN                     C_InitToken
       C_Initialize                  C_Login
       C_Logout                      C_OpenSession
       C_SeedRandom                  C_SetAttributeValue
       C_SetOperationState           C_SetPIN
       C_Sign                        C_SignEncryptUpdate
       C_SignFinal                   C_SignInit
       C_SignRecover                 C_SignRecoverInit
       C_SignUpdate                  C_UnwrapKey
       C_Verify                      C_VerifyFinal
       C_VerifyInit                  C_VerifyRecover
       C_VerifyRecoverInit           C_VerifyUpdate
       C_WaitForSlotEvent            C_WrapKey

   SUNW Extensions
       SUNW_C_GetMechSession         SUNW_C_KeyToObject

FILES

       /usr/lib/libpkcs11.so.1       shared object

       /usr/lib/64/libpkcs11.so.1    64-bit shared object

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsl (32-bit)             │
       │                             │SUNWcslx (64-bit)            │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT-Level                     │See below.                   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Standard                     │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The SUNW Extension functions are MT-Safe. The PKCS#11 Standard
       functions are MT-Safe with exceptions. See Section 6.5.2 of RSA PKCS#11
       v2.20.

       The PKCS#11 Standard functions conform to PKCS#11 v2.20.

SEE ALSO

       cryptoadm(1M), pkgadd(1M), Intro(3), SUNW_C_GetMechSession(3EXT),
       syslog(3C), attributes(5), pkcs11_kernel(5), pkcs11_softtoken(5)

       RSA PKCS#11 v2.20 http://www.rsasecurity.com

NOTES

       If an application calls C_WaitForSlotEvent() without the CKF_DONT_BLOCK
       flag set, libpkcs11 must create threads internally. If, however,
       CKF_LIBRARY_CANT_CREATE_OS_THREADS is set, C_WaitForSlotEvent() returns
       CKR_FUNCTION_FAILED.

       The PKCS#11 library does not work with Netscape 4.x but does work with
       more recent versions of Netscape and Mozilla.

       Because C_Initialize() might have been called by both an application
       and a library, it is not safe for a library or its plug-ins to call
       C_Finalize(). A library can be finished calling functions from
       libpkcs11, while an application might not.

SunOS 5.11                        4 Aug 2008                   libpkcs11(3LIB)