Chapter 4 Using Crypto-C 139
Using Cryptographic Hardware
This AI has an associated info data struct that allows you to set attributes. See the
Reference Manual for complete lists of valid flags. To set more than one attribute, OR
them together.
Notice the start and end attributes. Those are for when you want to have a validity
period on your key. If you want to require the user to generate a new key every so
often, set the start and end dates. If not, pass in 0. The value to pass in is the number of
seconds since 12:00 AM GMT, January 1, 1970. This is generally the result of the
system call T_Time (or some such name). It is generally a 32-bit integer. We define it as
RSA_TIME_T, which is typedef'd to a 32-bit unsigned int. In the future, some platforms
may decide to use a 64-bit integer for time. For those platforms, RSA_TIME_T will be
typedef'd to a 64-bit integer.
If you do not use this AI to generate your key pair, Crypto-C will allow the token to
decide what the attributes will be. That is, PKCS #11 defines some default attributes
and defines what is the default for each token attribute that PKCS #11 does not define.
However, some tokens still may not allow such a scheme. For instance, PKCS #11
defines an attribute CKA_TOKEN as false by default. If you set the token flag to
TF_RESIDE_ON_TOKEN, you are overriding the default value. But if you do not specify any
attributes, the token must create a non-token key pair. Some manufacturers may not
allow this, so a token may not be able to perform the default behavior. Therefore, you
  B_KEYPAIR_GEN_PARAMS keypairGenParams;

  /* Private key: digital-signature usage, a private object, no validity period. */
  keypairGenParams.privateKeyAttributes.keyUsage = CF_DIGITAL_SIGNATURE;
  keypairGenParams.privateKeyAttributes.tokenFlag = TF_PRIVATE;
  keypairGenParams.privateKeyAttributes.start = 0;
  keypairGenParams.privateKeyAttributes.end = 0;

  /* Public key: digital-signature usage, stored on the token, no validity period. */
  keypairGenParams.publicKeyAttributes.keyUsage = CF_DIGITAL_SIGNATURE;
  keypairGenParams.publicKeyAttributes.tokenFlag = TF_RESIDE_ON_TOKEN;
  keypairGenParams.publicKeyAttributes.start = 0;
  keypairGenParams.publicKeyAttributes.end = 0;

  /* The RSA key-generation info (keyGenParams, set up earlier) travels inside
     the keypair-generation parameters. */
  keypairGenParams.keypairGenInfoType = AI_RSAKeyGen;
  keypairGenParams.keypairGenInfo = (POINTER)&keyGenParams;

  if ((status = B_SetAlgorithmInfo
       (rsaGen, AI_KeypairGen, (POINTER)&keypairGenParams)) != 0)
    break;
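The attribute handling described above (OR-ing flags together, and start/end as seconds since the epoch in a 32-bit unsigned RSA_TIME_T) can be exercised offline with the following added example. It is not Crypto-C code: the KeyAttributes struct is a hypothetical mirror of the guide's attribute block, and the CF_/TF_ flag values are constructed stand-ins for the real header constants.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef uint32_t RSA_TIME_T;  /* 32-bit unsigned, as the guide defines it today */

/* Constructed flag values; the real ones come from the Crypto-C headers. */
#define CF_DIGITAL_SIGNATURE 0x01u
#define CF_ENCRYPT           0x02u
#define TF_RESIDE_ON_TOKEN   0x01u
#define TF_PRIVATE           0x02u

typedef struct {              /* hypothetical mirror of the per-key attribute block */
    unsigned int keyUsage;
    unsigned int tokenFlag;
    RSA_TIME_T   start;
    RSA_TIME_T   end;
} KeyAttributes;

/* 0 on success; -1 if the window is inverted or would not fit in a 32-bit RSA_TIME_T.
   start == end == 0 means "no validity period", as in the guide. */
int set_validity(KeyAttributes *attrs, time_t start, time_t end) {
    if (start == 0 && end == 0) { attrs->start = 0; attrs->end = 0; return 0; }
    if (start < 0 || end <= start) return -1;
    if ((uint64_t)end > UINT32_MAX) return -1;   /* would silently truncate */
    attrs->start = (RSA_TIME_T)start;
    attrs->end   = (RSA_TIME_T)end;
    return 0;
}

/* 1 if the key is usable at time 'now' under its start/end window, else 0. */
int key_is_valid_at(const KeyAttributes *attrs, time_t now) {
    if (attrs->start == 0 && attrs->end == 0) return 1;
    return (time_t)attrs->start <= now && now < (time_t)attrs->end;
}

/* 1 if every bit in 'usage' is set in keyUsage (flags are OR-ed together). */
int has_usage(const KeyAttributes *attrs, unsigned int usage) {
    return (attrs->keyUsage & usage) == usage;
}

int main(void) {
    KeyAttributes priv = {0};
    priv.keyUsage  = CF_DIGITAL_SIGNATURE;
    priv.tokenFlag = TF_RESIDE_ON_TOKEN | TF_PRIVATE;   /* two attributes OR-ed */
    time_t now = time(NULL);
    if (set_validity(&priv, now, now + 90 * 24 * 3600) != 0) return 1;
    printf("valid now: %d, valid in a year: %d\n", key_is_valid_at(&priv, now),
           key_is_valid_at(&priv, now + 365 * 24 * 3600));
    return 0;
}
```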