
Cloud Hardware Security Module (HSM):Attributes

Last Updated:Jan 05, 2024

The following table lists the PKCS #11 library attributes that differ by key type. It indicates whether a given attribute is supported for a particular key type when a specific cryptographic function is used with the HSM. Each entry gives the attribute's description, whether it can be changed after object creation, and its default value.

CKA_SIGN
  Description: Boolean type, CK_TRUE if key supports signatures.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_VERIFY
  Description: Boolean type, CK_TRUE if key supports verification.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_ENCRYPT
  Description: Boolean type, CK_TRUE if key supports encryption.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_DECRYPT
  Description: Boolean type, CK_TRUE if key supports decryption.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_WRAP
  Description: Boolean type, CK_TRUE if key supports wrapping.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_UNWRAP
  Description: Boolean type, CK_TRUE if key supports unwrapping.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_LABEL
  Description: Description of the object.
  Can be changed after object creation: Yes
  Default value: NA

CKA_ID
  Description: Byte array; key identifier for the key.
  Can be changed after object creation: No
  Default value: NA

CKA_CHECK_VALUE
  Description: Byte array; key checksum.
  Can be changed after object creation: No
  Default value: NA

CKA_CLASS
  Description: Object class.
  Can be changed after object creation: No
  Default value: NA

CKA_LOCAL
  Description: Boolean type, CK_TRUE if key was generated locally.
  Can be changed after object creation: No
  Default value: TRUE

CKA_EXTRACTABLE
  Description: Boolean type, CK_TRUE if key is extractable and can be wrapped.
  Can be changed after object creation: No
  Default value: TRUE

CKA_EC_PARAMS
  Can be changed after object creation: No
  Default value: NA

CKA_EC_POINT (only when creating a public key)
  Can be changed after object creation: No
  Default value: NA

CKA_PRIVATE_EXPONENT (only when creating a private object)
  Description: Private exponent d.
  Can be changed after object creation: No
  Default value: NA

CKA_SENSITIVE
  Description: CK_TRUE if key is sensitive.
  Can be changed after object creation: Yes
  Default value: TRUE

CKA_DERIVE
  Description:
    • CK_TRUE if key supports key derivation.
    • This attribute is used to derive another key from the input key. It must be FALSE for all public keys and cannot be set to TRUE for them.
    • For secret and EC private keys, it can be TRUE or FALSE. See the CKA_DERIVE section below for details.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_TRUSTED
  Description:
    • Can be set to TRUE or FALSE by the CO only.
    • The key can be trusted for the application it was created for.
  Can be changed after object creation: Yes
  Default value: FALSE

CKA_NEVER_EXTRACTABLE
  Description: Returns the value set by the HSM.
  Can be changed after object creation: No
  Default value: TRUE for private and secret keys

CKA_ALWAYS_SENSITIVE
  Description: CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE.
  Can be changed after object creation: No
  Default value: TRUE

CKA_WRAP_WITH_TRUSTED
  Description:
    • Can be set from FALSE to TRUE, but cannot be changed once it is TRUE.
    • CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE.
  Can be changed after object creation: Depends on initial value
  Default value: FALSE

CKA_DESTROYABLE
  Description:
    • Can be set to TRUE or FALSE.
    • CK_TRUE if the object can be destroyed using C_DestroyObject. Note: this attribute is not applied to session keys, which is a deviation from the specification.
  Can be changed after object creation: Yes
  Default value: TRUE

CKA_WRAP_TEMPLATE
  Description: For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. See the CKA_WRAP_TEMPLATE section below for more information.
  Can be changed after object creation: Yes
  Default value: Not defined

CKA_UNWRAP_TEMPLATE
  Description: For wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user-supplied template is applied after this template, as if the object had already been created. See the CKA_UNWRAP_TEMPLATE section below for more information.
  Can be changed after object creation: Yes
  Default value: Not defined

The following attributes have specific behaviors that are detailed below:

  • CKA_NEVER_EXTRACTABLE

  • CKA_ALWAYS_SENSITIVE

  • CKA_WRAP_TEMPLATE

  • CKA_UNWRAP_TEMPLATE

  • CKA_DERIVE

CKA_NEVER_EXTRACTABLE

The CKA_NEVER_EXTRACTABLE attribute is derived from the history of the key's CKA_EXTRACTABLE attribute. It is a READ-ONLY attribute and cannot be set by any user as part of the create/generate template.

CKA_ALWAYS_SENSITIVE

The CKA_ALWAYS_SENSITIVE attribute is derived from the history of the key's CKA_SENSITIVE attribute and cannot be set by the user as part of an import/generate template. It is a READ-ONLY attribute.
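The following is an added example, not code from the Cloud HSM library or its PKCS #11 provider. It models the rules stated on this page so they can be exercised offline: the two history attributes are computed by the HSM from the creation-time and later values of CKA_EXTRACTABLE and CKA_SENSITIVE and are rejected if a caller puts them in a template, attributes marked "No" in the "Can be changed after object creation" column are frozen, and CKA_DERIVE cannot be TRUE on a public key. Attribute and object-class names are the PKCS #11 names used on the page; the `KeyObject` class, `TemplateError` and `rejects()` helper are invented for the model, and the model asks the caller to state CKA_EXTRACTABLE and CKA_SENSITIVE explicitly rather than relying on the table defaults.

```python
# Added example (not Cloud HSM library code): a model of the attribute rules
# this page states, so the behaviour can be checked offline.
#   - CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE are READ-ONLY and are
#     derived by the HSM from the history of CKA_EXTRACTABLE / CKA_SENSITIVE.
#   - Attributes marked "Can be changed after object creation: No" are frozen.
#   - CKA_DERIVE must be FALSE for every public key.
# KeyObject, TemplateError and rejects() are names invented for this model.

CKO_PUBLIC_KEY = "CKO_PUBLIC_KEY"
CKO_PRIVATE_KEY = "CKO_PRIVATE_KEY"
CKO_SECRET_KEY = "CKO_SECRET_KEY"
KEY_CLASSES = {CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY}

# Set by the HSM only; never accepted in a create/generate/import template.
READ_ONLY = {"CKA_NEVER_EXTRACTABLE", "CKA_ALWAYS_SENSITIVE"}

# The "Can be changed after object creation: No" rows of the attributes table.
IMMUTABLE_AFTER_CREATE = READ_ONLY | {
    "CKA_ID", "CKA_CHECK_VALUE", "CKA_CLASS", "CKA_LOCAL", "CKA_EXTRACTABLE",
    "CKA_EC_PARAMS", "CKA_EC_POINT", "CKA_PRIVATE_EXPONENT",
}


class TemplateError(ValueError):
    """Raised where the HSM would reject the template or the attribute change."""


class KeyObject:
    """A key object whose history attributes are computed, never supplied."""

    def __init__(self, template):
        supplied = READ_ONLY.intersection(template)
        if supplied:
            raise TemplateError(f"read-only attributes in template: {sorted(supplied)}")
        cls = template.get("CKA_CLASS")
        if cls not in KEY_CLASSES:
            raise TemplateError("CKA_CLASS must name a key class")
        # The model requires both history sources to be stated explicitly.
        for required in ("CKA_EXTRACTABLE", "CKA_SENSITIVE"):
            if not isinstance(template.get(required), bool):
                raise TemplateError(f"{required} must be given as a boolean")
        if cls == CKO_PUBLIC_KEY and template.get("CKA_DERIVE", False):
            raise TemplateError("CKA_DERIVE cannot be TRUE on a public key")
        self.attrs = {"CKA_DERIVE": False, **template}
        # History attributes start from the creation-time values; afterwards
        # they can only go from TRUE to FALSE, never back to TRUE.
        self.attrs["CKA_NEVER_EXTRACTABLE"] = not template["CKA_EXTRACTABLE"]
        self.attrs["CKA_ALWAYS_SENSITIVE"] = template["CKA_SENSITIVE"]

    def set_attribute(self, name, value):
        """Change one attribute after creation, applying the table's rules."""
        if name in IMMUTABLE_AFTER_CREATE:
            raise TemplateError(f"{name} cannot be changed after object creation")
        if name == "CKA_DERIVE" and value and self.attrs["CKA_CLASS"] == CKO_PUBLIC_KEY:
            raise TemplateError("CKA_DERIVE cannot be TRUE on a public key")
        self.attrs[name] = value
        # Once CKA_SENSITIVE has been FALSE at any point in the key's life,
        # CKA_ALWAYS_SENSITIVE is FALSE for good.
        if name == "CKA_SENSITIVE" and value is False:
            self.attrs["CKA_ALWAYS_SENSITIVE"] = False

    def get(self, name):
        return self.attrs[name]


def rejects(fn, *args):
    """True if the model rejects the call, so the rules can be asserted on."""
    try:
        fn(*args)
    except TemplateError:
        return True
    return False


if __name__ == "__main__":
    k = KeyObject({"CKA_CLASS": CKO_SECRET_KEY, "CKA_EXTRACTABLE": True, "CKA_SENSITIVE": False})
    k.set_attribute("CKA_SENSITIVE", True)
    print("CKA_NEVER_EXTRACTABLE:", k.get("CKA_NEVER_EXTRACTABLE"))
    print("CKA_ALWAYS_SENSITIVE:", k.get("CKA_ALWAYS_SENSITIVE"))
```

The point the model makes visible is that turning CKA_SENSITIVE on later does not restore CKA_ALWAYS_SENSITIVE: a key that was ever non-sensitive keeps the FALSE history flag, which is why these two attributes are worth reading back when deciding whether to trust an imported key.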

CKA_WRAP_TEMPLATE

The CKA_WRAP_TEMPLATE attribute is applicable only for wrapping keys. It specifies a template of attributes that must match the attributes of the keys to be wrapped. If it does not match, the wrapping operation will fail.

The default is empty to avoid having a single wrapping key used to wrap all keys.

CKA_WRAP must be TRUE to use this attribute.

The following list gives the sub-attributes supported as part of CKA_WRAP_TEMPLATE for the operations C_GenerateKeyPair, C_GenerateKey, and C_CreateObject, together with the input the HSM accepts for each:

  • CKA_CLASS: Accepts private and secret class.

  • CKA_KEY_TYPE: Accepts based on key class.

  • CKA_LOCAL: Accepts TRUE or FALSE.

  • CKA_TOKEN: Accepts TRUE or FALSE.

  • CKA_PRIVATE: Accepts TRUE or FALSE.

  • CKA_ENCRYPT: Accepts TRUE or FALSE.

  • CKA_DECRYPT: Accepts TRUE or FALSE.

  • CKA_DERIVE: Accepts TRUE or FALSE.

  • CKA_DESTROYABLE: Accepts TRUE or FALSE.

  • CKA_SIGN: Accepts TRUE or FALSE.

  • CKA_VERIFY: Accepts TRUE or FALSE.

  • CKA_WRAP: Accepts TRUE or FALSE.

  • CKA_UNWRAP: Accepts TRUE or FALSE.

  • CKA_SENSITIVE: Accepts TRUE or FALSE.

  • CKA_ALWAYS_SENSITIVE: Accepts TRUE or FALSE.

  • CKA_MODULUS_BITS: Accepts values between 1024 and 4096.

  • CKA_VALUE_LEN: Applicable for secret keys. Accepts values between 1 and 800.

  • CKA_WRAP_WITH_TRUSTED: Accepts TRUE or FALSE.

  • CKA_TRUSTED: Accepts TRUE or FALSE.

CKA_UNWRAP_TEMPLATE

The CKA_UNWRAP_TEMPLATE is applicable only for unwrapping keys. During an unwrap operation, a template of CKA_UNWRAP_TEMPLATE attributes can be prefixed to the template of each unwrapped key provided there is no conflict with the user-defined template.

The default is empty.

CKA_UNWRAP must be TRUE to use this attribute.

The following list gives the sub-attributes supported as part of CKA_UNWRAP_TEMPLATE for the operations C_GenerateKeyPair, C_GenerateKey, and C_CreateObject, together with the input the firmware accepts for each:

  • CKA_CLASS: Accepts only private and secret class.

  • CKA_KEY_TYPE: Accepts based on key class.

  • CKA_TOKEN: Accepts TRUE or FALSE.

  • CKA_PRIVATE: Accepts TRUE or FALSE.

  • CKA_ENCRYPT: Accepts TRUE or FALSE.

  • CKA_DECRYPT: Accepts TRUE or FALSE.

  • CKA_DERIVE: Accepts TRUE or FALSE.

  • CKA_DESTROYABLE: Accepts TRUE or FALSE.

  • CKA_SIGN: Accepts TRUE or FALSE.

  • CKA_VERIFY: Accepts TRUE or FALSE.

  • CKA_WRAP: Accepts TRUE or FALSE.

  • CKA_UNWRAP: Accepts TRUE or FALSE.

  • CKA_SENSITIVE: Accepts TRUE or FALSE.

  • CKA_EXTRACTABLE: Accepts TRUE or FALSE.

  • CKA_MODULUS_BITS: Accepts values between 1024 and 4096.

  • CKA_VALUE_LEN: Applicable for secret keys. Accepts values between 1 and 800.

  • CKA_WRAP_WITH_TRUSTED: Accepts TRUE or FALSE.

CKA_DERIVE

The CKA_DERIVE attribute is used to derive another key from the input key. It must be FALSE for all public keys and cannot be set to TRUE for them. For secret and EC private keys, it can be TRUE or FALSE.