| Current File : //usr/man/man5/pkcs11_softtoken.5 |
'\" te
.\" Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
.TH pkcs11_softtoken 5 "16 Jun 2015" "SunOS 5.11" "Standards, Environments, and Macros"
.SH NAME
pkcs11_softtoken \- Software RSA PKCS#11 softtoken
.SH SYNOPSIS
.LP
.nf
/usr/lib/security/pkcs11_softtoken.so
/usr/lib/security/64/pkcs11_softtoken.so
.fi
.SH DESCRIPTION
.sp
.LP
The \fBpkcs11_softtoken.so\fR object implements the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki) v2.20, specification in software. Persistent storage for token objects is provided by this PKCS#11 implementation.
.sp
.LP
The \fBpkcs11_softtoken\fR provider is a required part of Oracle Solaris and must not be disabled using \fBcryptoadm\fR(1M).
.sp
.LP
Some of the cryptographic algorithms may be hardware accelerated. Administrators can run the following command to determine this list for their system, and look at the \fBHW\fR column in the output:
.sp
.in +2
.nf
# \fBcryptoadm list -vm provider='/usr/lib/security/$ISA/pkcs11_softtoken.so'\fR
.fi
.in -2
.sp
.sp
.LP
For developers, the \fBCKF_HW\fR flag is set in the \fBCK_MECHANISM_INFO\fR structure for those PKCS#11 mechanisms that are hardware accelerated.
.sp
.LP
Application developers should link to \fBlibpkcs11.so\fR rather than link directly to \fBpkcs11_softtoken.so\fR. See \fBlibpkcs11\fR(3LIB).
.sp
.LP
The following cryptographic algorithms are implemented: DES, 3DES, AES, Blowfish, RC4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RSA, DSA, DH, ECC, and Camellia.
.sp
.LP
All of the Standard PKCS#11 functions listed on \fBlibpkcs11\fR(3LIB) are implemented except for the following:
.sp
.in +2
.nf
C_GetObjectSize
C_InitPIN
C_WaitForSlotEvent
.fi
.in -2
.sp
.LP
A call to these functions returns \fBCKR_FUNCTION_NOT_SUPPORTED\fR.
.sp
.LP
The following RSA PKCS#11 v2.20 mechanisms are supported:
.sp
.in +2
.nf
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_AES_KEY_GEN
CKM_AES_ECB
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_AES_CTR
CKM_BLOWFISH_KEY_GEN
CKM_BLOWFISH_CBC
CKM_CAMELLIA_KEY_GEN
CKM_CAMELLIA_ECB
CKM_CAMELLIA_CBC
CKM_CAMELLIA_CBC_PAD
CKM_RC4_KEY_GEN
CKM_RC4
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA224_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_MD5
CKM_SHA_1
CKM_SHA224
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_MD5_HMAC
CKM_MD5_HMAC_GENERAL
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA224_HMAC
CKM_SHA256_HMAC
CKM_SHA224_HMAC_GENERAL
CKM_SHA256_HMAC_GENERAL
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_MD5_KEY_DERIVATION
CKM_SHA1_KEY_DERIVATION
CKM_SHA224_KEY_DERIVATION
CKM_SHA256_KEY_DERIVATION
CKM_SHA384_KEY_DERIVATION
CKM_SHA512_KEY_DERIVATION
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_TLS_PRE_MASTER_KEY_GEN
CKM_TLS_MASTER_KEY_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH
.fi
.in -2
.sp
.LP
Each of the following types of key objects has certain token-specific attributes that are set to true by default as a result of object creation, key/key pair generation, and key derivation.
.sp
.ne 2
.mk
.na
\fBPublic key object\fR
.ad
.RS 22n
.rt
\fBCKA_ENCRYPT\fR, \fBCKA_VERIFY\fR, \fBCKA_VERIFY_RECOVER\fR
.RE
.sp
.ne 2
.mk
.na
\fBPrivate key object\fR
.ad
.RS 22n
.rt
\fBCKA_DECRYPT\fR, \fBCKA_SIGN\fR, \fBCKA_SIGN_RECOVER\fR, \fBCKA_EXTRACTABLE\fR
.RE
.sp
.ne 2
.mk
.na
\fBSecret key object\fR
.ad
.RS 22n
.rt
\fBCKA_ENCRYPT\fR, \fBCKA_DECRYPT\fR, \fBCKA_SIGN\fR, \fBCKA_VERIFY\fR, \fBCKA_EXTRACTABLE\fR
.RE
.sp
.LP
The following certificate objects are supported:
.sp
.ne 2
.mk
.na
\fB\fBCKC_X_509\fR\fR
.ad
.RS 23n
.rt
For \fBCKC_X_509\fR certificate objects, the following attributes are supported: \fBCKA_SUBJECT\fR, \fBCKA_VALUE\fR, \fBCKA_LABEL\fR, \fBCKA_ID\fR, \fBCKA_ISSUER\fR, \fBCKA_SERIAL_NUMBER\fR, and \fBCKA_CERTIFICATE_TYPE\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBCKC_X_509_ATTR_CERT\fR\fR
.ad
.RS 23n
.rt
For \fBCKC_X_509_ATTR_CERT\fR certificate objects, the following attributes are supported: \fBCKA_OWNER\fR, \fBCKA_VALUE, CKA_LABEL\fR, \fBCKA_SERIAL_NUMBER\fR, \fBCKA_AC_ISSUER\fR, \fBCKA_ATTR_TYPES\fR, and \fBCKA_CERTIFICATE_TYPE\fR.
.RE
.sp
.LP
The search operation of objects matching the template is performed at \fBC_FindObjectsInit\fR. The matched objects are cached for subsequent \fBC_FindObjects\fR operations.
.sp
.LP
The \fBpkcs11_softtoken.so\fR object provides a filesystem-based persistent token object store for storing token objects. The default location of the token object store is \fB/var/user/$USERNAME/pkcs11_softtoken\fR. The user can override the default location by using the \fB${SOFTTOKEN_DIR}\fR environment variable.
.sp
.LP
If the token object store has never been initialized, the \fBC_Login()\fR function might return \fBCKR_OK\fR but the user is not able to create, generate, derive or find any private token object and receives \fBCKR_PIN_EXPIRED\fR.
.sp
.LP
The user must use the \fBpktool\fR(1) \fBsetpin\fR command with the default passphrase "changeme" as the old passphrase to change the passphrase of the object store. This action is needed to initialize and set the passphrase to a newly created token object store.
.sp
.LP
After logging into object store with the new passphrase that was set by the \fBpktool setpin\fR command, the user can create and store the private token object in this newly created object store. Until the token object store is initialized by \fBsetpin\fR, the \fBC_Login()\fR function is allowed, but all attempts by the user to create, generate, derive or find any private token object fails with a \fBCKR_PIN_EXPIRED\fR error.
.sp
.LP
The PIN provided for \fBC_Login()\fR and \fBC_SetPIN()\fR functions can be any string of characters with lengths between 1 and 256 and no embedded nulls.
.SH RETURN VALUES
.sp
.LP
The return values for each of the implemented functions are defined and listed in the RSA PKCS#11 v2.20 specification.
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/var/user/$USERNAME/pkcs11_softtoken\fR\fR
.ad
.sp .6
.RS 4n
user's default token object store
.RE
.sp
.ne 2
.mk
.na
\fB\fB${SOFTTOKEN_DIR}/pkcs11_softtoken\fR\fR
.ad
.sp .6
.RS 4n
alternate location for token object store
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for a description of the following attributes:
.sp
.sp
.TS
tab(�) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE�ATTRIBUTE VALUE
_
Interface Stability�Committed
_
MT-Level�T{
MT-Safe with exceptions. See section 6.6.2 of RSA PKCS#11 v2.20.
T}
_
Standard�PKCS#11 v2.20
.TE
.SH SEE ALSO
.sp
.LP
\fBpktool\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB), \fBattributes\fR(5), \fBpkcs11_kernel\fR(5)