Harsha Harsha - 3 months ago 18
C Question

Using Key object handle in PKCS#11

I am trying to interact with an HSM using the PKCS#11 functions given by the vendor.
I use the series of functions below to generate a secret key, then encrypt and decrypt data.
The sequence below works well.


  1. C_Initialize
  2. C_OpenSession
  3. C_Login
  4. C_GenerateKey //3DES KEY
  5. C_EncryptInit
  6. C_Encrypt
  7. C_DecryptInit
  8. C_Decrypt
  9. C_Logout
  10. C_CloseSession



My Questions:


  1. After using C_Logout & C_CloseSession, is there a way to reuse the same key (generated earlier) by logging back in and opening a session again with the same login credentials?
  2. When I use C_CreateObject, does it create a session object and destroy it when C_CloseSession is called?


Answer

Question: After using C_Logout & C_CloseSession, is there a way to reuse the same key (generated earlier) by logging back in and opening a session again with the same login credentials?

Yes, just set CKA_TOKEN to CK_TRUE and provide a label using CKA_LABEL to search for it using C_FindObjects.


Question: When I use C_CreateObject, does it create a session object and destroy it when C_CloseSession is called?

Well, yes, according to the PKCS#11 specification (v2.20, section 10.4, Table 21):

CKA_TOKEN is CK_TRUE if the object is a token object; CK_FALSE if the object is a session object. Default is CK_FALSE.


Note that your token may not allow all possible attributes or attribute combinations to be set, and may have memory and other limitations.
