1libpkcs11(3LIB) Interface Libraries libpkcs11(3LIB)
2
6 libpkcs11 - PKCS#11 Cryptographic Framework library
7
9 cc [ flag... ] file... -lpkcs11 [ library... ]
10 #include <security/cryptoki.h>
11 #include <security/pkcs11.h>
12
15 The libpkcs11 library implements the RSA Security Inc. PKCS#11 Crypto‐
16 graphic Token Interface (Cryptoki), v2.20 specification by using plug-
17 ins to provide the slots.
18 Each plug-in, which also implements RSA PKCS#11 v2.20, represents one
21 or more slots.
22 The libpkcs11 library provides a special slot called the meta slot. The
25 meta slot provides a virtual union of capabilities of all other slots.
26 When available, the meta slot is always the first slot provided by
27 libpkcs11.
28 The meta slot feature can be configured either system-wide or by indi‐
31 vidual users. System-wide configuration for meta slot features is done
32 with the cryptoadm(1M) utility. User configuration for meta slot fea‐
33 tures is performed with environment variables.
34 By default, the following is the system-wide configuration for meta
37 slot. Meta slot is enabled. Meta slot provides token-based object sup‐
38 port with the Software RSA PKCS#11 softtoken (pkcs11_softtoken(5)).
39 Meta slot is allowed to move sensitive token objects to other slots if
40 that is necessary to perform an operation.
41 Users can overwrite one or more system-wide configuration options for
44 meta slot using these environment variables.
45 The ${METASLOT_OBJECTSTORE_SLOT} and ${METASLOT_OBJECTSTORE_TOKEN}
48 environment variables are used to specify an alternate token object
49 store. A user can specify either slot-description in ${METASLOT_OBJECT‐
50 STORE_SLOT} or token-label in ${METASLOT_OBJECTSTORE_TOKEN}, or both.
51 Valid values for slot-description and token-label are available from
52 output of the command:
53 cryptoadm list -v
55 The ${METASLOT_ENABLED} environment variable is used to specify whether
60 the user wants to turn the metaslot feature on or off. Only two values
61 are recognized. The value "true" means meta slot will be on. The value
62 "false" means meta slot will be off.
63 The ${METASLOT_AUTO_KEY_MIGRATE} environment variable is used to spec‐
66 ify whether the user wants sensitive token objects to move to other
67 slots for cryptographic operations. Only two values are recognized. The
68 value "true" means meta slot will migrate sensitive token objects to
69 other slots if necessary. The value "false" means meta slot will not
70 migrate sensitive token objects to other slots even if it is necessary.
71 When the meta slot feature is enabled, the slot that provides token-
74 based object support is not shown as one of the available slots. All of
75 its functionality can be used with the meta slot.
76 This library filters the list of mechanisms available from plug-ins
79 based on the policy set by cryptoadm(1M).
80 This library provides entry points for all PKCS#11 v2.20 functions. See
83 the RSA PKCS#11 v2.20 specification at http://www.rsasecurity.com.
84 Plug-ins are added to libpkcs11 by the pkcs11conf class action script
87 during execution of pkgadd(1M). The available mechanisms are adminis‐
88 tered by the cryptoadm(1M) utility.
89 Plug-ins must have all of their library dependancies specified, includ‐
92 ing libc(3LIB). Libraries that have unresolved symbols, including those
93 from libc, will be rejected and a message will be sent to syslog(3C)
94 for such plug-ins.
95 Due to U.S. Export regulations, all plug-ins are required to be crypto‐
98 graphically signed using the elfsign utility.
99 Any plug-in that is not signed or is not a compatible version of
102 PKCS#11 will be dropped by libpkcs11. When a plug-in is dropped, the
103 administrator is alerted by the syslog(3C) utility.
104 The <security/pkcs11f.h> header contains function definitions. The
107 <security/pkcs11t.h> header contains type definitions. Applications can
108 include either of these headers in place of <security/pkcs11.h>, which
109 contains both function and type definitions.
110
112 The shared object libpkcs11.so.1 provides the public interfaces defined
113 below. See Intro(3) for additional information on shared object inter‐
114 faces.
115 PKCS#11 Standard
117 C_CloseAllSessions C_CloseSession
118 C_CopyObject C_CreateObject
119 C_Decrypt C_DecryptDigestUpdate
120 C_DecryptFinal C_DecryptInit
121 C_DecryptUpdate C_DecryptVerifyUpdate
122 C_DeriveKey C_DestroyObject
123 C_Digest C_DigestEncryptUpdate
124 C_DigestFinal C_DigestInit
125 C_DigestKey C_DigestUpdate
126 C_Encrypt C_EncryptFinal
127 C_EncryptInit C_EncryptUpdate
128 C_Finalize C_FindObjects
129 C_FindObjectsFinal C_FindObjectsInit
130 C_GenerateKey C_GenerateKeyPair
131 C_GenerateRandom C_GetAttributeValue
132 C_GetFunctionList C_GetInfo
134 C_GetMechanismInfo C_GetMechanismList
135 C_GetObjectSize C_GetOperationState
136 C_GetSessionInfo C_GetSlotInfo
137 C_GetSlotList C_GetTokenInfo
138 C_InitPIN C_InitToken
139 C_Initialize C_Login
140 C_Logout C_OpenSession
141 C_SeedRandom C_SetAttributeValue
142 C_SetOperationState C_SetPIN
143 C_Sign C_SignEncryptUpdate
144 C_SignFinal C_SignInit
145 C_SignRecover C_SignRecoverInit
146 C_SignUpdate C_UnwrapKey
147 C_Verify C_VerifyFinal
148 C_VerifyInit C_VerifyRecover
149 C_VerifyRecoverInit C_VerifyUpdate
150 C_WaitForSlotEvent C_WrapKey
151 SUNW Extensions
154 SUNW_C_GetMechSession SUNW_C_KeyToObject
155
158 /usr/lib/libpkcs11.so.1 shared object
159 /usr/lib/64/libpkcs11.so.1 64-bit shared object
162
165 See attributes(5) for descriptions of the following attributes:
166 ┌─────────────────────────────┬─────────────────────────────┐
171 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
172 ├─────────────────────────────┼─────────────────────────────┤
173 │Availability │SUNWcsl (32-bit) │
174 │ │SUNWcslx (64-bit) │
175 ├─────────────────────────────┼─────────────────────────────┤
176 │Interface Stability │Committed │
177 ├─────────────────────────────┼─────────────────────────────┤
178 │MT-Level │See below. │
179 ├─────────────────────────────┼─────────────────────────────┤
180 │Standard │See below. │
181 └─────────────────────────────┴─────────────────────────────┘
182 The SUNW Extension functions are MT-Safe. The PKCS#11 Standard func‐
185 tions are MT-Safe with exceptions. See Section 6.5.2 of RSA PKCS#11
186 v2.20.
187 The PKCS#11 Standard functions conform to PKCS#11 v2.20.
190
192 cryptoadm(1M), pkgadd(1M), Intro(3), SUNW_C_GetMechSession(3EXT), sys‐
193 log(3C), attributes(5) , pkcs11_kernel(5), pkcs11_softtoken(5)
194 RSA PKCS#11 v2.20 http://www.rsasecurity.com
197
199 If an application calls C_WaitForSlotEvent() without the CKF_DONT_BLOCK
200 flag set, libpkcs11 must create threads internally. If, however,
201 CKF_LIBRARY_CANT_CREATE_OS_THREADS is set, C_WaitForSlotEvent() returns
202 CKR_FUNCTION_FAILED.
203 The PKCS#11 library does not work with Netscape 4.x but does work with
206 more recent versions of Netscape and Mozilla.
207 Because C_Initalize() might have been called by both an application and
210 a library, it is not safe for a library or its plugins to call C_Final‐
211 ize(). A library can be finished calling functions from libpkcs11,
212 while an application might not.
213SunOS 5.11 4 Aug 2008 libpkcs11(3LIB)