
Subject: Re: [pkcs11] CKM_SEAL_KEY


On 7/3/2013 9:08 PM, Oscar K So Jr. wrote:
Michael,

One more question: what if the private key that you are trying to wrap with CKM_SEAL_KEY is NOT EXPORTABLE due to the hardware restriction, what can you do?

I know that during key generation on "some types" of crypto chip, there is an option to mark the key as exportable.
But what if the key had been generated with exportable=false, what do you do in this case?

Thanks!

Best,
Oscar

Is this a trick question?  The token controls the policy for the keys.  If there are some keys that the underlying hardware won't emit (and that isn't the case with most HSMs I've seen - it's controlled by the firmware/software for the HSM), then the hardware will emit an error code and that error code will propagate to the C_WrapKey as an appropriate PKCS11 error code.  Probably CKR_KEY_NOT_WRAPPABLE.  I would hope the documentation for the token would describe the conditions under which this would occur.

Mike
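
Added example, not part of the original message and not code from any token vendor: a minimal model of the token-side wrap policy described above and of how a caller should treat the result. The `key_state` struct, the `hw_will_emit` flag and both function names are hypothetical; the return-code values are those in the PKCS #11 headers, where CKR_KEY_UNEXTRACTABLE is the code defined for a key whose CKA_EXTRACTABLE is CK_FALSE. Mapping the other two refusals to CKR_KEY_NOT_WRAPPABLE is an assumption, since tokens differ.

```c
#include <stdio.h>

typedef unsigned long CK_RV;
/* Values as defined in the PKCS #11 header files. */
#define CKR_OK                0x00000000UL
#define CKR_KEY_NOT_WRAPPABLE 0x00000069UL
#define CKR_KEY_UNEXTRACTABLE 0x0000006AUL

/* Hypothetical stand-in for the per-key state a token consults. */
struct key_state {
    int extractable;       /* CKA_EXTRACTABLE */
    int wrap_with_trusted; /* CKA_WRAP_WITH_TRUSTED */
    int trusted;           /* CKA_TRUSTED, relevant on the wrapping key */
    int hw_will_emit;      /* constructed flag: hardware agrees to release the key */
};

/* Token-side decision, taken before any key material leaves the device. */
CK_RV token_wrap_policy(const struct key_state *wrapping,
                        const struct key_state *target)
{
    if (!target->extractable)
        return CKR_KEY_UNEXTRACTABLE;
    if (target->wrap_with_trusted && !wrapping->trusted)
        return CKR_KEY_NOT_WRAPPABLE;
    if (!target->hw_will_emit)
        return CKR_KEY_NOT_WRAPPABLE; /* hardware refusal mapped to a PKCS #11 code */
    return CKR_OK;
}

/* Caller side: 1 = wrapped, 0 = refused by policy (final, do not retry),
 * -1 = any other failure that needs separate handling. */
int classify_wrap_result(CK_RV rv)
{
    switch (rv) {
    case CKR_OK:                return 1;
    case CKR_KEY_UNEXTRACTABLE:
    case CKR_KEY_NOT_WRAPPABLE: return 0;
    default:                    return -1;
    }
}

int main(void)
{
    struct key_state kek    = { 1, 0, 0, 1 }; /* untrusted wrapping key */
    struct key_state locked = { 0, 0, 0, 1 }; /* generated with exportable=false */
    struct key_state picky  = { 1, 1, 0, 1 }; /* only wraps under a trusted key */
    printf("locked: 0x%lx\n", token_wrap_policy(&kek, &locked));
    printf("picky:  0x%lx\n", token_wrap_policy(&kek, &picky));
    return 0;
}
```
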


