Thanks Michael.
I was assuming that if you have designed and manufactured your own
crypto chip and firmware, you can still perform the CKM_SEAL_KEY
operation without returning CKR_KEY_NOT_WRAPPABLE.
But if you are using other companies' hardware, then yes, you will
get CKR_KEY_NOT_WRAPPABLE.
Anyway, I think I got the answer. Thanks!
Best,
Oscar
On 07/05/13 09:25 AM, Michael StJohns wrote:
On 7/3/2013 9:08 PM, Oscar K So Jr. wrote:
Michael,
One more question: what if the private key that you are trying
to wrap with CKM_SEAL_KEY is NOT EXPORTABLE due to a hardware
restriction? What can you do?
I know that during key generation on "some types" of crypto
chip, there is an option to mark the key as exportable.
But what if the key had been generated with exportable=false?
What do you do in this case?
Thanks!
Best,
Oscar
Is this a trick question? The token controls the policy for the
keys. If there are some keys that the underlying hardware won't
emit (and that isn't the case with most HSMs I've seen; it's
controlled by the firmware/software for the HSM), then the
hardware will emit an error code and that error code will
propagate to C_WrapKey as an appropriate PKCS11 error code,
probably CKR_KEY_NOT_WRAPPABLE. I would hope the documentation
for the token would describe the conditions under which this would
occur.
Mike
--
Best,
Oscar