Cryptoki: a cryptographic Token Interface



Download 360.55 Kb.
Page30/196
Date22.12.2023
Size360.55 Kb.
#63026
1   ...   26   27   28   29   30   31   32   33   ...   196
v201-95
pkcs11-base-v2.40-cos01
Bit Flag

Mask

Meaning

CKF_RNG

0x00000001

TRUE if the token has its own random number generator

CKF_WRITE_PROTECTED

0x00000002

TRUE if the token is write-protected (see below)

CKF_LOGIN_REQUIRED

0x00000004

TRUE if there are some cryptographic functions that a user must be logged in to perform

CKF_USER_PIN_INITIALIZED

0x00000008

TRUE if the normal user’s PIN has been initialized

CKF_RESTORE_KEY_NOT_NEEDED

0x00000020

TRUE if a successful save of a session’s cryptographic operations state always contains all keys needed to restore the state of the session

CKF_CLOCK_ON_TOKEN

0x00000040

TRUE if token has its own hardware clock

CKF_PROTECTED_AUTHENTICATION_PATH

0x00000100

TRUE if token has a “protected authentication path”, whereby a user can log into the token without passing a PIN through the Cryptoki library

CKF_DUAL_CRYPTO_OPERATIONS

0x00000200

TRUE if a single session with the token can perform dual cryptographic operations (see Section )

Exactly what the CKF_WRITE_PROTECTED flag means is not specified in Cryptoki. An application may be unable to perform certain actions on a write-protected token; these actions can include any of the following, among others:



  • Creating/modifying/deleting any object on the token.

  • Creating/modifying/deleting a token object on the token.

  • Changing the SO’s PIN.

  • Changing the normal user’s PIN.

Note: The fields ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, ulRwSessionCount, ulTotalPublicMemory, ulFreePublicMemory, ulTotalPrivateMemory, and ulFreePrivateMemory can have the special value CK_UNAVAILABLE_INFORMATION, which means that the token and/or library is unable or unwilling to provide that information. In addition, the fields ulMaxSessionCount and ulMaxRwSessionCount can have the special value CK_EFFECTIVELY_INFINITE, which means that there is no practical limit on the number of sessions (resp. R/W sessions) an application can have open with the token.
These values are defined as
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define CK_EFFECTIVELY_INFINITE 0

It is important to check these fields for these special values. This is particularly true for CK_EFFECTIVELY_INFINITE, since an application seeing this value in the ulMaxSessionCount or ulMaxRwSessionCount field would otherwise conclude that it can’t open any sessions with the token, which is far from being the case.


The upshot of all this is that the correct way to interpret (for example) the ulMaxSessionCount field is something along the lines of the following:
CK_TOKEN_INFO info;

.
.
.


if ((CK_LONG) info.ulMaxSessionCount
== CK_UNAVAILABLE_INFORMATION) {
/* Token refuses to give value of ulMaxSessionCount */
.
.
.
} else if (info.ulMaxSessionCount == CK_EFFECTIVELY_INFINITE) {
/* Application can open as many sessions as it wants */
.
.
.
} else {
/* ulMaxSessionCount really does contain what it should */
.
.
.
}



Download 360.55 Kb.

Share with your friends:
1   ...   26   27   28   29   30   31   32   33   ...   196




The database is protected by copyright ©ininet.org 2024
send message

    Main page