PKCS#11规范培训(课堂PPT).ppt
129页
Page 1 PKCS#11PKCS#11PKCS#11PKCS#11标准介绍标准介绍标准介绍标准介绍软件开发中心软件开发中心安全软件部安全软件部 Page 2 写在前面的写在前面的ØPKCS11PKCS11是什么是什么Ø为什么会有为什么会有PKCS11PKCS11ØPKCS11PKCS11能干什么能干什么ØPKCS11PKCS11的特点的特点 Page 3 PKCS11PKCS11是什么是什么ØPKCSPKCS系列规范的第系列规范的第1111部分部分ØCryptographic Token Interface STDCryptographic Token Interface STDØ6868个函数接口个函数接口Ø应用程序与加密应用程序与加密TokenToken之间的接口之间的接口 Page 4 为什么会有为什么会有PKCS11PKCS11Ø为使用加密为使用加密TokenToken的应用程序提供统一的编程接口的应用程序提供统一的编程接口Ø为应用程序提供独立于设备的编程接口为应用程序提供独立于设备的编程接口Ø屏蔽加密设备的复杂性屏蔽加密设备的复杂性Ø应用程序可以方便的更换设备应用程序可以方便的更换设备Ø既生瑜何生亮既生瑜何生亮 PKCS11 vs CSP PKCS11 vs CSP Page 5 PKCS11PKCS11能干什么能干什么Ø完成所有完成所有( (据我所知据我所知) )的密码操作的密码操作Ø加密加密 解密解密 签名签名 验证验证 摘要摘要 密钥生成密钥生成/ /派生派生Ø对象的创建,存储,查找,修改,使用,删除对象的创建,存储,查找,修改,使用,删除Ø应用程序会话管理应用程序会话管理 Page 6 PKCS11PKCS11的特点的特点Ø跨平台跨平台Ø可扩展可扩展Ø支持多设备,多线程支持多设备,多线程Ø更专注于加密更专注于加密TokenTokenØ简化的应用模式(一个简化的应用模式(一个UserUser,一个,一个SOSO)) Page 7 内容内容I.I.关于关于PKCS#11PKCS#11II.II.概述概述III.III.基本概念基本概念IV. IV. 典型对象属性分析典型对象属性分析V. APIV. API分析与应用实例分析与应用实例 Page 8 I.I.关于关于PKCS#11PKCS#11Ø是一套针对加密是一套针对加密TokenToken的应用编程接口的应用编程接口Ø屏蔽了硬件细节屏蔽了硬件细节Ø针对针对ANSI CANSI C编写的接口编写的接口Ø也称作也称作CryptokiCryptokiØ广泛应用于广泛应用于TokenToken相关的产品中(例如相关的产品中(例如Netscape, Mozilla, Firefox, Netscape, Mozilla, Firefox, ThunderbirdThunderbird))Ø简化的应用模式(一个简化的应用模式(一个UserUser,一个,一个SOSO)) Page 9 7816-1/2/3/4/5/6/8ASN.1PKCS-1/13/14/15, 7816-15, DES, AES, SHA,MD2,MD5,…PKCS-11, CSPX509, PKCS-3/5/7/8/9/10/12SSL, S/MIME IE, Outlook, Foxmail, Word, Netscape, Mozilla, Firefox, ThunderbirdI.I.I.I.关于关于关于关于PKCS#11PKCS#11PKCS#11PKCS#11 Page 10 内容内容内容内容I.I.关于关于PKCS#11PKCS#11II.II.概述概述III.III.基本概念基本概念IV. IV. 典型对象属性分析典型对象属性分析V. APIV. API分析与应用实例分析与应用实例 Page 11 II.II.概述概述Ø总体模型总体模型 Page 12 II.II.概述概述ØTokenToken逻辑视图逻辑视图ObjectCertificateKeyDataSecret KeyPrivate KeyPublic Key令牌逻辑视图是一个能存储对象和能执行密码函数的设备令牌逻辑视图是一个能存储对象和能执行密码函数的设备 Page 13 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——通用目的函数通用目的函数 Page 14 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——槽和令牌管理函数槽和令牌管理函数 Page 15 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——会话管理函数会话管理函数 Page 16 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——对象管理函数对象管理函数 Page 17 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——加密和解密函数加密和解密函数 Page 18 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——摘要计算函数摘要计算函数 Page 19 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——签名和签名和MAC计算函数计算函数 Page 20 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——签名和签名和MAC验证函数验证函数 Page 21 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——双功能密码函数双功能密码函数 Page 22 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——密钥管理函数密钥管理函数 Page 23 II.II.II.II.概述概述概述概述Ø函数接口概述函数接口概述——其他函数其他函数 Page 24 内容内容内容内容I.I.关于关于PKCS#11PKCS#11II.II.概述概述III.III.基本概念基本概念IV. IV. 典型对象属性分析典型对象属性分析V. APIV. API分析与应用实例分析与应用实例 Page 25 III.III.基本概念基本概念ØSlot & TokenSlot & TokenØObjectObjectØAttributeAttributeØUsersUsersØSessionsSessionsØ状态转换(与状态转换(与SessionSession有关)有关)ØMechnismMechnismØ应用程序与多线程应用程序与多线程 Page 26 Ø3.1 Slot & Token3.1 Slot & TokenIII.III.III.III.基本概念基本概念基本概念基本概念 Page 27 III.III.III.III.基本概念基本概念基本概念基本概念Ø3.2 Object对象的层次结构 Page 28 III.III.III.III.基本概念基本概念基本概念基本概念Ø3.2 ObjectToken对象对象Sesssion对象对象Public对象对象Private对象对象 Page 29 III.III.III.III.基本概念基本概念基本概念基本概念Ø 3.3 Attribute对象包括一套属性,每个对象都具有一个给定值。
一个对象对象包括一套属性,每个对象都具有一个给定值一个对象处理的每个属性都有一个唯一确定的值处理的每个属性都有一个唯一确定的值 Page 30 ØCryptoki provides functions for creating, destroying, and copying objects in general, and for obtaining and modifying the values of their attributes. Some of the cryptographic functions (e.g., C_GenerateKeyC_GenerateKey) also create key objects to hold their results.ØObjects are always “well-formed” in Cryptoki—that is, an object always contains all required attributes, and the attributes are always consistent with one another from the time the object is created. This contrasts with some object-based paradigms where an object has no attributes other than perhaps a class when it is created, and is uninitialized for some time. In Cryptoki, objects are always initialized.III.III.III.III.基本概念基本概念基本概念基本概念————AttributeAttributeAttributeAttribute Page 31 ØA token can hold several identical objects, i.e., it is permissible for two or more objects to have exactly the same values for all their attributes.ØIn most cases each type of object in the Cryptoki specification possesses a completely well-defined set of Cryptoki attributes. Some of these attributes possess default values, and need not be specified when creating an object; some of these default values may even be the empty string (“”). Nonetheless, the object possesses these attributes. A given object has a single value for each attribute it possesses, even if the attribute is a vendor specific attribute whose meaning is outside the scope of Cryptoki.ØIn addition to possessing Cryptoki attributes, objects may possess additional vendor specific attributes whose meanings and values are not specified by Cryptoki. III.III.III.III.基本概念基本概念基本概念基本概念————AttributeAttributeAttributeAttribute Page 32 III.III.III.III.基本概念基本概念基本概念基本概念Ø 3.4 Users PKCS11识别两种令牌用户类型。
一个类型就是安全官员识别两种令牌用户类型一个类型就是安全官员((SO)另一个类型就是普通用户只有普通用户才能访问)另一个类型就是普通用户只有普通用户才能访问令牌上的私有对象,而且只有普通用户在得到授权后才能进令牌上的私有对象,而且只有普通用户在得到授权后才能进行这种访问行这种访问 一些令牌可能需要用户在执行令牌上的任意密一些令牌可能需要用户在执行令牌上的任意密码功能之前得到授权,不管令牌是否涉及私有对象码功能之前得到授权,不管令牌是否涉及私有对象SO的作的作用是初始化一个令牌,设置普通用户的用是初始化一个令牌,设置普通用户的PIN(或由(或由Cryptoki版版本以外的方式确定普通用户怎样得到授权),或许还要操作本以外的方式确定普通用户怎样得到授权),或许还要操作某些公共对象普通用户只有在某些公共对象普通用户只有在SO设置普通用户的设置普通用户的PIN以后以后才能注册才能注册 Page 33 Ø3.5 Sessions3.5 SessionsIII.III.III.III.基本概念基本概念基本概念基本概念 会话在应用程序和令牌之间提供一个逻辑连接会话在应用程序和令牌之间提供一个逻辑连接。
Cryptoki 需要用令牌打开一个以上的会话以便使用令牌的对象和函数需要用令牌打开一个以上的会话以便使用令牌的对象和函数会话可以是读会话可以是读/写(写(R/W)会话,也可以是只读()会话,也可以是只读(R/O)会话读读/写和只读指的是通向令牌对象的入口,而不是会话对象在写和只读指的是通向令牌对象的入口,而不是会话对象在这两种会话类型下,应用程序能够创建、读、写和破坏会话对这两种会话类型下,应用程序能够创建、读、写和破坏会话对象但是,只有在读象但是,只有在读/写会话中,应用程序能够创建、修改和破写会话中,应用程序能够创建、修改和破坏令牌对象坏令牌对象 Page 34 Ø3.6 3.6 状态转换(与状态转换(与SessionSession有关)有关) 一个打开的会话可以在几种状态之一会话状态决定通向一个打开的会话可以在几种状态之一会话状态决定通向对象和在会话上执行的函数允许的通道对象和在会话上执行的函数允许的通道 III.III.III.III.基本概念基本概念基本概念基本概念 打开一个会话后,应用程序便可访问令牌的公共对象所给应用程序打开一个会话后,应用程序便可访问令牌的公共对象。
所给应用程序的所有线程可访问相同会话和相同会话对象为了访问令牌私有对象,不的所有线程可访问相同会话和相同会话对象为了访问令牌私有对象,不同用户必须先登录并得到授权同用户必须先登录并得到授权 当关闭一个会话后,在该会话过程中创建的任何会话对象都会被破坏当关闭一个会话后,在该会话过程中创建的任何会话对象都会被破坏这甚至适用于其它会话正在使用的会话对象如果单个应用程序打开同一这甚至适用于其它会话正在使用的会话对象如果单个应用程序打开同一令牌的多个会话,并使用其中一个创建会话对象,那么这些会话对象就可令牌的多个会话,并使用其中一个创建会话对象,那么这些会话对象就可以被该应用程序的所有会话看到但是,当创建对象的会话关闭时,对象以被该应用程序的所有会话看到但是,当创建对象的会话关闭时,对象也被破坏了也被破坏了 Cryptoki 支持在多令牌上的多个会话应用程序可以和一个以上的令支持在多令牌上的多个会话应用程序可以和一个以上的令牌进行一个以上的会话一个令牌可以和一个以上的应用程序进行多个会牌进行一个以上的会话一个令牌可以和一个以上的应用程序进行多个会话但是,一个特定的令牌可能要求应用程序只能有限定数量的会话,或话。
但是,一个特定的令牌可能要求应用程序只能有限定数量的会话,或只能有限定数量的读只能有限定数量的读/写会话 Page 35 状态转换状态转换状态转换状态转换 – – – – 只读会话只读会话只读会话只读会话III.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换 Page 36 State State Description Description R/O Public R/O Public Session Session The application has opened a read-only session. The application has opened a read-only session. The application has read-only access to public The application has read-only access to public token objects and read/write access to public token objects and read/write access to public session objects.session objects.R/O User R/O User Functions Functions The normal user has been authenticated to the The normal user has been authenticated to the token. The application has read-only access to all token. The application has read-only access to all token objects (public or private) and read/write token objects (public or private) and read/write access to all session objects (public or private). access to all session objects (public or private). RO sessionRO sessionRO sessionRO sessionIII.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换Note: Read-Only SO Session do not exists. Page 37 状态转换状态转换状态转换状态转换 – – – – 读写会话读写会话读写会话读写会话III.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换 Page 38 RW sessionRW sessionStateStateDescription Description R/W Public R/W Public Session Session The application has opened a read/write session. The application has opened a read/write session. The application has read/write access to all The application has read/write access to all public objects.public objects.R/W SO R/W SO Functions Functions The Security Officer has been authenticated to the The Security Officer has been authenticated to the token. The application has read/write access only token. The application has read/write access only to public objects on the token, not to private to public objects on the token, not to private objects. The SO can set the normal user’s PIN.objects. The SO can set the normal user’s PIN.R/W User R/W User Functions Functions The normal user has been authenticated to the The normal user has been authenticated to the token. The application has read/write access to token. The application has read/write access to all objects. all objects. III.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换 Page 39 状态转换状态转换 – – 会话权限会话权限Type of objectType of sessionR/O PublicR/W PublicR/O UserR/W UserR/W SOPublic session objectR/WR/WR/WR/WR/WPrivate session objectR/WR/WPublic token objectR/OR/WR/OR/WR/WPrivate token objectR/OR/WIII.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换 Page 40 ØSession eventsSession eventsIII.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换 Page 41 Ø 在在Cryptoki Version 2.1Cryptoki Version 2.1中中, , 使用令牌的一个应用程序的所有会使用令牌的一个应用程序的所有会话必须有相同的登录话必须有相同的登录/ /注销状态(对于一个给定的应用程序和令牌,只能注销状态(对于一个给定的应用程序和令牌,只能处于下列情况之一:所有会话是公共会话,所有会话是处于下列情况之一:所有会话是公共会话,所有会话是SOSO会话或所有会话会话或所有会话是用户会话)。
当一个应用程序的会话登录一个令牌,使用该令牌的应用是用户会话)当一个应用程序的会话登录一个令牌,使用该令牌的应用程序的所有会话也被登录;当一个应用程序的会话注销一个令牌,该应用程序的所有会话也被登录;当一个应用程序的会话注销一个令牌,该应用程序的所有会话也被注销同样,例如,如果使用令牌的一个应用程序已程序的所有会话也被注销同样,例如,如果使用令牌的一个应用程序已经有一个打开的经有一个打开的R/OR/O用户,并且用该令牌打开一个用户,并且用该令牌打开一个R/WR/W会话,该会话,该R/WR/W会话会会话会自动地登录自动地登录Ø 这意味着一个给定的应用程序使用一个给定的令牌不可能同时这意味着一个给定的应用程序使用一个给定的令牌不可能同时有打开的有打开的SOSO会话和用户会话这也意味着如果使用一个令牌,一个应用程会话和用户会话这也意味着如果使用一个令牌,一个应用程序有一个序有一个R/W SOR/W SO会话,那么它不能用这个令牌打开一个会话,那么它不能用这个令牌打开一个R/OR/O会话,因为会话,因为R/O R/O SOSO会话不存在同理,如果一个应用程序有一个打开的会话不存在。
同理,如果一个应用程序有一个打开的R/OR/O会话,那么它会话,那么它不可能作为不可能作为SOSO把其它会话登录到该令牌把其它会话登录到该令牌III.III.III.III.基本概念基本概念基本概念基本概念————状态转换状态转换状态转换状态转换 Page 42 机制描述了密码操作应该怎样被执行机制描述了密码操作应该怎样被执行 typedeftypedef structstruct CK_MECHANISM { CK_MECHANISM { CK_MECHANISM_TYPE mechanism; CK_VOID_PTR pParameter; CK_ULONG ulParameterLen;} CK_MECHANISM;} CK_MECHANISM; C_GetMechanismList C_GetMechanismList获取支持的机制列表获取支持的机制列表III.III.III.III.基本概念基本概念基本概念基本概念————机制机制机制机制Ø3.7 Mechanism Page 43 •调用调用C_InitializeC_Initialize后的应用程序才称为后的应用程序才称为““CryptokiCryptoki应应用程序用程序””•CryptokiCryptoki应用程序是否需要应用程序是否需要CryptokiCryptoki的多线程支持,的多线程支持,需要在需要在C_InitializeC_Initialize函数中指定。
函数中指定ØØ3.8 3.8 3.8 3.8 应用程序与多线程应用程序与多线程应用程序与多线程应用程序与多线程III.III.III.III.基本概念基本概念基本概念基本概念 Page 44 内容内容内容内容I.I.关于关于PKCS#11PKCS#11II.II.概述概述III.III.基本概念基本概念IV. IV. 典型对象属性分析典型对象属性分析V. APIV. API分析与应用实例分析与应用实例 Page 45 4.14.1对象属性脚注说明对象属性脚注说明Ø1 1 Must be specified when object is created with Must be specified when object is created with C_CreateObjectC_CreateObject. .Ø2 2 Must Must notnot be specified when object is created with be specified when object is created with C_CreateObjectC_CreateObject. .Ø3 3 Must be specified when object is generated with Must be specified when object is generated with C_GenerateKeyC_GenerateKey or or C_GenerateKeyPairC_GenerateKeyPair. .Ø4 4 Must Must notnot be specified when object is generated with be specified when object is generated with C_GenerateKeyC_GenerateKey or or C_GenerateKeyPairC_GenerateKeyPair. .Ø5 5 Must be specified when object is unwrapped with Must be specified when object is unwrapped with C_UnwrapKeyC_UnwrapKey. .Ø6 6 Must Must notnot be specified when object is unwrapped with be specified when object is unwrapped with C_UnwrapKeyC_UnwrapKey. .Ø7 7 Cannot be revealed if object has its CKA_SENSITIVE attribute Cannot be revealed if object has its CKA_SENSITIVE attribute set to CK_TRUE or its CKA_EXTRACTABLE attribute set to CK_FALSE.set to CK_TRUE or its CKA_EXTRACTABLE attribute set to CK_FALSE.IV IV 典型对象属性分析典型对象属性分析 Page 46 4.14.1对象属性脚注说明对象属性脚注说明Ø8 8 May be modified after object is created with a May be modified after object is created with a C_SetAttributeValueC_SetAttributeValue call, or in the process of copying object call, or in the process of copying object with a with a C_CopyObjectC_CopyObject call. However, it is possible that a call. However, it is possible that a particular token may not permit modification of the attribute particular token may not permit modification of the attribute during the course of a C_CopyObject call.during the course of a C_CopyObject call.Ø9 9 Default value is token-specific, and may depend on the values Default value is token-specific, and may depend on the values of other attributes.of other attributes.Ø1010 Can only be set to CK_TRUE by the SO user. Can only be set to CK_TRUE by the SO user.Ø1111 Attribute cannot be changed once set to CK_TRUE. It becomes a Attribute cannot be changed once set to CK_TRUE. It becomes a read only attribute.read only attribute.Ø1212 Attribute cannot be changed once set to CK_FALSE. It becomes Attribute cannot be changed once set to CK_FALSE. It becomes a read only attribute.a read only attribute.IV IV 典型对象属性分析典型对象属性分析 Page 47 4.24.2通用对象属性通用对象属性AttributeData TypeMeaningCKA_CLASSCK_OBJECT_CLASSObject class (type) Page 48 4.34.34.34.3通用存储对象属性通用存储对象属性通用存储对象属性通用存储对象属性AttributeData TypeMeaningCKA_TOKENCK_BBOOLCK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE.CKA_PRIVATECK_BBOOLCK_TRUE if object is a private object; CK_FALSE if object is a public object. Default value is token-specific, and may depend on the values of other attributes of the object.CKA_MODIFIABLECK_BBOOLCK_TRUE if object can be modified Default is CK_TRUE.CKA_LABELRFC2279 stringDescription of the object (default empty).当对象创建以后,只有CKA_TOKEN值可以被修改 Page 49 4.44.44.44.4数据对象属性数据对象属性数据对象属性数据对象属性AttributeData typeMeaningCKA_APPLICATIONRFC2279 stringDescription of the application that manages the object (default empty)CKA_OBJECT_IDByte ArrayDER-encoding of the object identifier indicating the data object type (default empty)CKA_VALUEByte arrayValue of the object (default empty) Page 50 4.54.54.54.5通用证书对象属性通用证书对象属性通用证书对象属性通用证书对象属性AttributeData typeMeaningCKA_CERTIFICATE_TYPE1CK_CERTIFICATE_TYPEType of certificateCKA_TRUSTED10 CK_BBOOLThe certificate can be trusted for the application that it was created.CKA_CERTIFICATE_CATEGORYCK_ULONGCategorization of the certificate:0 = unspecified (default value), 1 = token user, 2 = authority, 3 = other entityCKA_CHECK_VALUEByte arrayChecksumCKA_START_DATECK_DATEStart date for the certificate (default empty)CKA_END_DATE CK_DATE End date for the certificate (default empty) Page 51 4.6 X.5094.6 X.5094.6 X.5094.6 X.509公钥证书对象公钥证书对象公钥证书对象公钥证书对象AttributeData typeMeaningCKA_SUBJECT1Byte arrayDER-encoding of the certificate subject nameCKA_IDByte arrayKey identifier for public/private key pair (default empty)CKA_ISSUERByte arrayDER-encoding of the certificate issuer name (default empty)CKA_SERIAL_NUMBERByte arrayDER-encoding of the certificate serial number (default empty)CKA_VALUE1Byte arrayBER-encoding of the certificateCKA_URL3RFC2279 stringIf not empty this attribute gives the URL where the complete certificate can be obtained (default empty)CKA_HASH_OF_SUBJECT_PUBLIC_KEY4Byte arraySHA-1 hash of the subject public key (default empty)CKA_HASH_OF_ISSUER_PUBLIC_KEY4Byte arraySHA-1 hash of the issuer public key (default empty)CKA_JAVA_MIDP_SECURITY_DOMAINCK_ULONGJava MIDP security domain: 0 = unspecified (default value), 1 = manufacturer, 2 = operator, 3 = third party Page 52 4.7 WTLS4.7 WTLS4.7 WTLS4.7 WTLS公钥证书对象公钥证书对象公钥证书对象公钥证书对象AttributeData typeMeaningCKA_SUBJECT1Byte arrayWTLS-encoding (Identifier type) of the certificate subject CKA_ISSUER2Byte arrayWTLS-encoding (Identifier type) of the certificate issuer (default empty)CKA_VALUEByte arrayWTLS-encoding of the certificateCKA_URL3RFC2279 stringIf not empty this attribute gives the URL where the complete certificate can be obtainedCKA_HASH_OF_SUBJECT_PUBLIC_KEY4Byte arraySHA-1 hash of the subject public key (default empty)CKA_HASH_OF_ISSUER_PUBLIC_KEY4Byte arraySHA-1 hash of the issuer public key (default empty) Page 53 4.8 X.5094.8 X.5094.8 X.5094.8 X.509属性证书对象属性证书对象属性证书对象属性证书对象AttributeData TypeMeaningCKA_OWNER1Byte ArrayDER-encoding of the attribute certificate's subject field. This is distinct from the CKA_SUBJECT attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different.CKA_AC_ISSUERByte ArrayDER-encoding of the attribute certificate's issuer field. This is distinct from the CKA_ISSUER attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. (default empty)CKA_SERIAL_NUMBERByte ArrayDER-encoding of the certificate serial number. (default empty)CKA_ATTR_TYPESByte ArrayBER-encoding of a sequence of object identifier values corresponding to the attribute types contained in the certificate. When present, this field offers an opportunity for applications to search for a particular attribute certificate without fetching and parsing the certificate itself. (default empty)CKA_VALUE1Byte ArrayBER-encoding of the certificate. Page 54 4.94.94.94.9通用通用通用通用KEYKEYKEYKEY属性属性属性属性AttributeData TypeMeaningCKA_KEY_TYPE1,5 CK_KEY_TYPEType of keyCKA_ID8Byte arrayKey identifier for key (default empty)CKA_START_DATE8CK_DATEStart date for the key (default empty)CKA_END_DATE8CK_DATEEnd date for the key (default empty)CKA_DERIVE8CK_BBOOLCK_TRUE if key supports key derivation (i.e., if other keys can be derived from this one (default CK_FALSE)CKA_LOCAL2,4,6 CK_BBOOLCK_TRUE only if key was either1.generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call2.created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to CK_TRUECKA_KEY_GEN_MECHANISM2,4,6 CK_MECHANISM_TYPEIdentifier of the mechanism used to generate the key material.CKA_ALLOWED_MECHANISMSCK_MECHANISM_TYPE _PTR, pointer to a CK_MECHANISM_TYPE arrayA list of mechanisms allowed to be used with this key. The number of mechanisms in the array is the ulValueLen component of the attribute divided by the sizeof CK_MECHANISM_TYPE. Page 55 4.10 4.10 4.10 4.10 通用公钥对象通用公钥对象通用公钥对象通用公钥对象AttributeData typeMeaningCKA_SUBJECT 8Byte arrayDER-encoding of the key subject name (default empty)CKA_ENCRYPT 8CK_BBOOLCK_TRUE if key supports encryption9CKA_VERIFY 8CK_BBOOLCK_TRUE if key supports verification where the signature is an appendix to the data9CKA_VERIFY_RECOVER 8CK_BBOOLCK_TRUE if key supports verification where the data is recovered from the signature9CKA_WRAP 8CK_BBOOLCK_TRUE if key supports wrapping (i.e., can be used to wrap other keys)9CKA_TRUSTED10CK_BBOOLThe key can be trusted for the application that it was created.The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE.CKA_WRAP_TEMPLATECK_ATTRIBUTE_PTRFor wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE. Page 56 RSA RSA RSA RSA 公钥对象属性公钥对象属性公钥对象属性公钥对象属性 Page 57 4.114.114.114.11通用私钥对象通用私钥对象通用私钥对象通用私钥对象(1)(1)(1)(1)AttributeData typeMeaningCKA_SUBJECT8Byte arrayDER-encoding of certificate subject name (default empty)CKA_SENSITIVE8CK_BBOOLCK_TRUE if key is sensitive9 CKA_DECRYPT8CK_BBOOLCK_TRUE if key supports decryption9CKA_SIGN8CK_BBOOLCK_TRUE if key supports signatures where the signature is an appendix to the data9CKA_SIGN_RECOVER8CK_BBOOLCK_TRUE if key supports signatures where the data can be recovered from the signature9CKA_UNWRAP8CK_BBOOLCK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys)9CKA_EXTRACTABLE 8,12CK_BBOOLCK_TRUE if key is extractable and can be wrapped 9CKA_ALWAYS_SENSITIVE 2,4,6CK_BBOOLCK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUECKA_NEVER_EXTRACTABLE 2,4,6CK_BBOOLCK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE Page 58 4.11 4.11 4.11 4.11 通用私钥对象通用私钥对象通用私钥对象通用私钥对象(2)(2)(2)(2)AttributeData TypeMeaningCKA_WRAP_WITH_TRUSTED11CK_BBOOLCK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE.Default is CK_FALSE.CKA_UNWRAP_TEMPLATECK_ATTRIBUTE_PTRFor wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user supplied template is applied after this template as if the object has already been created. The number of attributes in the array is the ulValueLen component of the attribute divided by the size ofCK_ATTRIBUTE.CKA_ALWAYS_AUTHENTICATECK_BBOOLIf CK_TRUE, the user has to supply the PIN for each use (sign or decrypt) with the key. Default is CK_FALSE. Page 59 RSA RSA RSA RSA 私钥对象属性私钥对象属性私钥对象属性私钥对象属性 Page 60 4.12 4.12 4.12 4.12 通用密钥对象通用密钥对象通用密钥对象通用密钥对象(1)(1)(1)(1)AttributeData TypeMeaningCKA_SENSITIVE8,11 CK_BBOOLCK_TRUE if object is sensitive (default CK_FALSE)CKA_ENCRYPT8CK_BBOOLCK_TRUE if key supports encryption9CKA_DECRYPT8CK_BBOOLCK_TRUE if key supports decryption9CKA_SIGN8CK_BBOOLCK_TRUE if key supports signatures (i.e., authentication codes) where the signature is an appendix to the data9CKA_VERIFY8CK_BBOOLCK_TRUE if key supports verification (i.e., of authentication codes) where the signature is an appendix to the data9CKA_WRAP8CK_BBOOLCK_TRUE if key supports wrapping (i.e., can be used to wrap other keys)9CKA_UNWRAP8 CK_BBOOL CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys)9CKA_ALWAYS_SENSITIVE2,4,6CK_BBOOL CK_TRUE if key is extractable and can be wrapped 9 CKA_NEVER_EXTRACTABLE2,4,6CK_BBOOL CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE Page 61 4.12 4.12 4.12 4.12 通用密钥对象通用密钥对象通用密钥对象通用密钥对象(2)(2)(2)(2)AttributeData TypeMeaningCKA_CHECK_VALUEByte arrayKey checksumCKA_WRAP_WITH_TRUSTED11CK_BBOOLCK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE.Default is CK_FALSE.CKA_TRUSTED10CK_BBOOLThe wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE.CKA_WRAP_TEMPLATECK_ATTRIBUTE_PTRFor wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is theulValueLen component of the attribute divided by the size ofCK_ATTRIBUTECKA_UNWRAP_TEMPLATECK_ATTRIBUTE_PTRFor wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user supplied template is applied after this template as if the object has already been created. The number of attributes in the array is the ulValueLen component of the attribute divided by the size ofCK_ATTRIBUTE. Page 62 DES DES DES DES 密钥对象属性密钥对象属性密钥对象属性密钥对象属性 Page 63 RC4 RC4 RC4 RC4 密钥对象属性密钥对象属性密钥对象属性密钥对象属性 Page 64 4.134.134.134.13对象属性总结对象属性总结对象属性总结对象属性总结ØPKCS#11PKCS#11规定了每个对象的每一个属性规定了每个对象的每一个属性Ø属性脚注表非常重要,对象的创建、修改、拷贝等操作时设属性脚注表非常重要,对象的创建、修改、拷贝等操作时设定的属性模板应不违背属性标注定的属性模板应不违背属性标注 (例如,在(例如,在C_GenerateKeyC_GenerateKey生成生成3DES3DES密钥时需要指定密钥时需要指定CKA_KEY_TYPECKA_KEY_TYPE,而,而不能指定不能指定CKA_LOCALCKA_LOCAL))。
ØPKCS#11PKCS#11标准的各个版本中对象属性的脚注存在差别标准的各个版本中对象属性的脚注存在差别 (例如,(例如,Ver2.1Ver2.1中中C_GenerateKeyPairC_GenerateKeyPair时必须指定时必须指定 CKA_PUBLIC_EXPONENTCKA_PUBLIC_EXPONENT,而在,而在Ver2.2Ver2.2中可以不用指定此属性)中可以不用指定此属性) Page 65 内容内容内容内容Ø关于关于PKCS#11PKCS#11Ø概述概述Ø基本概念基本概念Ø典型对象属性分析典型对象属性分析ØAPIAPI分析与应用实例分析与应用实例 Page 66 V APIV API分析与应用实例分析与应用实例Ø通用目的函数通用目的函数–Initialize, cleanup, information about the library itselfØSlot/TokenSlot/Token管理函数管理函数–GetSlotInfo, GetTokenInfo,…Ø会话管理函数会话管理函数–OpenSession, CloseSession…Ø对象管理函数对象管理函数–Create, Destroy, Copy Page 67 Ⅲ APIⅢ API分析与应用实例分析与应用实例(2)(2)Ø加密函数加密函数Ø解密函数解密函数Ø摘要函数摘要函数Ø签名函数签名函数Ø校验函数校验函数Ø密钥管理函数密钥管理函数Ø………… Page 68 通用目的函数通用目的函数1.1.C_InitializeC_Initialize CK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_InitializeC_Initialize)()(CK_VOID_PTR pInitArgs); ); typedef struct CK_C_INITIALIZE_ARGS { CK_CREATEMUTEX CreateMutex; CK_DESTROYMUTEX DestroyMutex; CK_LOCKMUTEX LockMutex; CK_UNLOCKMUTEX UnlockMutex; CK_FLAGS flags; CK_VOID_PTR pReserved;} CK_C_INITIALIZE_ARGS;2.2.C_FinalizeC_FinalizeCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_FinalizeC_Finalize)()( CK_VOID_PTR pReserved); ); Page 69 通用目的函数通用目的函数3. 3. C_GetInfoC_GetInfoCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetInfoC_GetInfo)()( CK_INFO_PTR pInfo););4. 4. C_GetFunctionListC_GetFunctionListCK_DEFINE_FUNCTION( CK_RV, CK_DEFINE_FUNCTION( CK_RV, C_GetFunctionListC_GetFunctionList)()( CK_FUNCTION_LIST_PTR_PTR ppFunctionList CK_FUNCTION_LIST_PTR_PTR ppFunctionList);); Page 70 Slot/TokenSlot/Token管理函数管理函数1.1. C_GetSlotListC_GetSlotList 2.2.CK_DEFINE_FUNCTION( CK_RV, CK_DEFINE_FUNCTION( CK_RV, C_GetSlotListC_GetSlotList)()( CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount);); Page 71 Slot/TokenSlot/Token管理函数管理函数2. 2. C_GetSlotInfoC_GetSlotInfoCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetSlotInfoC_GetSlotInfo)()( CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo);); Page 72 Slot/TokenSlot/Token管理函数管理函数3. 3. C_GetTokenInfoC_GetTokenInfoCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfoC_GetTokenInfo)()( CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);); Page 73 Slot/TokenSlot/Token管理函数管理函数4.4.C_WaitForSlotEventC_WaitForSlotEventCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_WaitForSlotEventC_WaitForSlotEvent)()( CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved);); Page 74 Slot/TokenSlot/Token管理函数管理函数5. 5. C_GetMechanismListC_GetMechanismListCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismListC_GetMechanismList)()( CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount);); Page 75 Slot/TokenSlot/Token管理函数管理函数6. 6. C_GetMechanismInfoC_GetMechanismInfoCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismInfoC_GetMechanismInfo)()( CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo);); Page 76 Slot/TokenSlot/Token管理函数管理函数7. 7. C_InitTokenC_InitTokenCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_InitTokenC_InitToken)()( CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel);); Page 77 Slot/TokenSlot/Token管理函数管理函数8. 8. C_InitPINC_InitPINCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_InitPINC_InitPIN)()( CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen);); Page 78 Slot/TokenSlot/Token管理函数管理函数9. 9. C_SetPINC_SetPIN CK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SetPINC_SetPIN)()( CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen);); Page 79 会话管理函数会话管理函数1. 1. C_OpenSessionC_OpenSessionCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_OpenSessionC_OpenSession)()( CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession);); Page 80 会话管理函数会话管理函数2. 2. C_CloseSessionC_CloseSessionCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_CloseSessionC_CloseSession)()( CK_SESSION_HANDLE hSession);); Page 81 会话管理函数会话管理函数3. 3. C_CloseAllSessionsC_CloseAllSessionsCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_CloseAllSessionsC_CloseAllSessions)()( CK_SLOT_ID slotID);); Page 82 会话管理函数会话管理函数4. 4. C_GetSessionInfoC_GetSessionInfoCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetSessionInfoC_GetSessionInfo)()( CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo);); Page 83 会话管理函数会话管理函数5. 5. C_GetOperationStateC_GetOperationStateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetOperationStateC_GetOperationState)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen);); Page 84 会话管理函数会话管理函数6. 6. C_SetOperationStateC_SetOperationStateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SetOperationStateC_SetOperationState)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen, CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey);); Page 85 会话管理函数会话管理函数7. 7. C_LoginC_LoginCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_LoginC_Login)()( CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen);); Page 86 会话管理函数会话管理函数8. 8. C_LogoutC_LogoutCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_LogoutC_Logout)()( CK_SESSION_HANDLE hSession);); Page 87 对象管理函数对象管理函数1. 1. C_CreateObjectC_CreateObjectCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_CreateObjectC_CreateObject)()( CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject);); Page 88 对象管理函数对象管理函数2. 2. C_CopyObjectC_CopyObjectCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_CopyObjectC_CopyObject)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phNewObject);); Page 89 对象管理函数对象管理函数3. 3. C_DestroyObjectC_DestroyObjectCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DestroyObjectC_DestroyObject)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);); Page 90 对象管理函数对象管理函数4. 4. C_GetObjectSizeC_GetObjectSizeCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetObjectSizeC_GetObjectSize)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize);); Page 91 对象管理函数对象管理函数5. 5. C_GetAttributeValueC_GetAttributeValueCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValueC_GetAttributeValue)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount);); Page 92 对象管理函数对象管理函数6. 6. C_SetAttributeValueC_SetAttributeValueCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SetAttributeValueC_SetAttributeValue)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount);); Page 93 对象管理函数对象管理函数7. 7. C_FindObjectsInitC_FindObjectsInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInitC_FindObjectsInit)()( CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount);); Page 94 对象管理函数对象管理函数8. 8. C_FindObjectsC_FindObjectsCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsC_FindObjects)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount);); Page 95 对象管理函数对象管理函数9. 9. C_FindObjectsFinalC_FindObjectsFinalCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsFinalC_FindObjectsFinal)()( CK_SESSION_HANDLE hSession);); Page 96 加密函数加密函数1. 1. C_EncryptInitC_EncryptInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_EncryptInitC_EncryptInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);); Page 97 加密函数加密函数2. 2. C_EncryptC_EncryptCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_EncryptC_Encrypt)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, CK_ULONG_PTR pulEncryptedDataLen);); Page 98 加密函数加密函数3. 3. C_EncryptUpdateC_EncryptUpdateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_EncryptUpdateC_EncryptUpdate)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen);); Page 99 加密函数加密函数4. 4. C_EncryptFinalC_EncryptFinalCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_EncryptFinalC_EncryptFinal)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen);); Page 100 解密函数解密函数1. 1. C_DecryptInitC_DecryptInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DecryptInitC_DecryptInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);); Page 101 解密函数解密函数2. 2. C_DecryptC_DecryptCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DecryptC_Decrypt)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen);); Page 102 解密函数解密函数3. 3. C_DecryptUpdateC_DecryptUpdateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DecryptUpdateC_DecryptUpdate)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen);); Page 103 解密函数解密函数4. 4. C_DecryptFinalC_DecryptFinalCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DecryptFinalC_DecryptFinal)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen);); Page 104 摘要函数摘要函数1. 1. C_DigestInitC_DigestInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DigestInitC_DigestInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);); Page 105 摘要函数摘要函数2. 2. C_DigestC_DigestCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DigestC_Digest)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen);); Page 106 摘要函数摘要函数3. 3. C_DigestUpdateC_DigestUpdateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DigestUpdateC_DigestUpdate)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen);); Page 107 摘要函数摘要函数4. 4. C_DigestKeyC_DigestKeyCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DigestKeyC_DigestKey)()( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey);); Page 108 摘要函数摘要函数5. 5. C_DigestFinalC_DigestFinalCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DigestFinalC_DigestFinal)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen);); Page 109 签名函数签名函数1. 1. C_SignInitC_SignInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SignInitC_SignInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);); Page 110 签名函数签名函数2. 2. C_SignC_SignCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SignC_Sign)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);); Page 111 签名函数签名函数3. 3. C_SignUpdateC_SignUpdateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SignUpdateC_SignUpdate)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen);); Page 112 签名函数签名函数4. 4. C_SignFinalC_SignFinalCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SignFinalC_SignFinal)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);); Page 113 签名函数签名函数5. 5. C_SignRecoverInitC_SignRecoverInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SignRecoverInitC_SignRecoverInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);); Page 114 签名函数签名函数6. 6. C_SignRecoverC_SignRecoverCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SignRecoverC_SignRecover)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);); Page 115 校验函数校验函数1. 1. C_VerifyInitC_VerifyInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_VerifyInitC_VerifyInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);); Page 116 校验函数校验函数2. 2. C_VerifyC_VerifyCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_VerifyC_Verify)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen);); Page 117 校验函数校验函数3. 3. C_VerifyUpdateC_VerifyUpdateCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_VerifyUpdateC_VerifyUpdate)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen);); Page 118 校验函数校验函数4. 4. C_VerifyFinalC_VerifyFinalCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_VerifyFinalC_VerifyFinal)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen); ); Page 119 校验函数校验函数5. 5. C_VerifyRecoverInitC_VerifyRecoverInitCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_VerifyRecoverInitC_VerifyRecoverInit)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);); Page 120 校验函数校验函数6. 6. C_VerifyRecoverC_VerifyRecoverCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_VerifyRecoverC_VerifyRecover)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen);); Page 121 KEYKEY管理函数管理函数1. 1. C_GenerateKeyC_GenerateKeyCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GenerateKeyC_GenerateKey)()( CK_SESSION_HANDLE hSession CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey);); Page 122 KEYKEY管理函数管理函数2. 2. C_GenerateKeyPairC_GenerateKeyPairCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GenerateKeyPairC_GenerateKeyPair)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey);); Page 123 KEYKEY管理函数管理函数3. 3. C_WrapKeyC_WrapKeyCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_WrapKeyC_WrapKey)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen);); Page 124 KEYKEY管理函数管理函数4. 4. C_UnwrapKeyC_UnwrapKeyCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_UnwrapKeyC_UnwrapKey)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);); Page 125 KEYKEY管理函数管理函数4. 4. C_DeriveKeyC_DeriveKeyCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_DeriveKeyC_DeriveKey)()( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);); Page 126 产生随机数函数产生随机数函数1. 1. C_SeedRandomC_SeedRandomCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_SeedRandomC_SeedRandom)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen); ); Page 127 产生随机数函数产生随机数函数2. 2. C_GenerateRandomC_GenerateRandomCK_DEFINE_FUNCTION(CK_RV, CK_DEFINE_FUNCTION(CK_RV, C_GenerateRandomC_GenerateRandom)()( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen);); Page 128 使用使用PKCS#11PKCS#11注意事项注意事项Ø如果函数返回值为如果函数返回值为CKR_OKCKR_OK,则表明函数执行,则表明函数执行成功,如果返回值为其他值,返回值只能大成功,如果返回值为其他值,返回值只能大致描述出现的错误,但不能精确表达运行中致描述出现的错误,但不能精确表达运行中发生的错误。
发生的错误Ø除了除了C_GetFunctionListC_GetFunctionList外都要在执行外都要在执行C_InitializeC_Initialize后执行Ø注意内存空间的使用注意内存空间的使用 Page 129 Question/AnswerQuestion/Answer 。
小学英语新版五年级上册教材分析.ppt水堆燃料棒损伤机理分析-洞察研究.pptx抽油机示功图辨析(超全).ppt生物化学第五章生物氧化第二节电子传递链课件.ppt智能纺织品在智能家居中的应用-洞察及研究.pptx贵州省铜仁市2023—2024学年高一下学期期末考试语文试题(解析版).docx病理学与病理生理学绪论.ppt2020新译林版新教材高中英语必修三重点短语归纳小结.doc2019版 人教版 高中语文 必修 上册《第一单元》大单元整体教学设计[2020课标].docx教科版小学四年级上册综合实践活动教案.pdf英语故事三年级三年级的英语故事大全.doc2023秋季开学第一课《心中有规矩行为定方圆》主题班会课件.pptx
