Using Cryptographic Hardware
138 RSA BSAFE Crypto-C Developers Guide
want to create a hardware-only chooser, so that the task is done in hardware or, if that is not possible, not done at all, then pass (B_ALGORITHM_CHOOSER)NULL_PTR as the swReplacement argument.
Note that a software backup is not always possible. A token may hold the signing key and refuse to let it leave the device; if the task cannot be done in hardware, it cannot be done in software either, because you do not have the key. On the other hand, if the token is simply an accelerator, a software backup may well be possible: if you hold the key data and can hand it to either the token or the Crypto-C software, either "device" can do the job. If the hardware is present, you get the acceleration; if it is not, the job still gets done.
Now that we have our choosers, the rest of our code does not need to change. It looks just the same as non-PKCS #11 code, and it will work with the PKCS #11 hardware. However, there is a new key-generation AI that lets you include key attributes. PKCS #11 (and other hardware interfaces) defines key attributes that specify more about a key than just its data. For instance, you may want your private key to be a token key (the data resides on the token) and private (it is not allowed to leave the token), and you may want to define it as signing only (it is not allowed to be used to open a digital envelope). In this case, use AI_KeypairGen.
B_KEY_OBJ pubKey = (B_KEY_OBJ)NULL_PTR;
B_KEY_OBJ priKey = (B_KEY_OBJ)NULL_PTR;
B_ALGORITHM_OBJ rsaGen = (B_ALGORITHM_OBJ)NULL_PTR;
A_RSA_KEY_GEN_PARAMS keyGenParams;
/* Public exponent 65537 (0x010001); the value is assumed here, as this page does not show the declaration. */
unsigned char expo[3] = {0x01, 0x00, 0x01};
int status;

/* Create the key objects that will receive the generated key pair. */
if ((status = B_CreateKeyObject (&pubKey)) != 0)
  break;
if ((status = B_CreateKeyObject (&priKey)) != 0)
  break;
/* Create the algorithm object that will perform the key generation. */
if ((status = B_CreateAlgorithmObject (&rsaGen)) != 0)
  break;
/* Describe the key pair: 1024-bit modulus, public exponent taken from expo. */
keyGenParams.modulusBits = 1024;
keyGenParams.publicExponent.data = expo;
keyGenParams.publicExponent.len = sizeof (expo);
if ((status = B_SetAlgorithmInfo
     (rsaGen, AI_RSAKeyGen, (POINTER)&keyGenParams)) != 0)
  break;