The following table lists the PKCS #11 attributes supported by the library; the set of attributes that applies differs by key type. For each attribute it gives the meaning, whether the value can be changed after the object is created, and the default the HSM applies when the attribute is not supplied in the template for a given cryptographic function.
Attribute | Description | Can be changed after object creation? | Default Value |
--- | --- | --- | --- |
CKA_SIGN | Boolean type, CK_TRUE if key supports signatures. | Yes | FALSE |
CKA_VERIFY | Boolean type, CK_TRUE if key supports verification. | Yes | FALSE |
CKA_ENCRYPT | Boolean type, CK_TRUE if key supports encryption. | Yes | FALSE |
CKA_DECRYPT | Boolean type, CK_TRUE if key supports decryption. | Yes | FALSE |
CKA_WRAP | Boolean type, CK_TRUE if key supports wrapping. | Yes | FALSE |
CKA_UNWRAP | Boolean type, CK_TRUE if key supports unwrapping. | Yes | FALSE |
CKA_LABEL | Description of the object. | Yes | NA |
CKA_ID | Byte array; key identifier for the key. | No | NA |
CKA_CHECK_VALUE | Byte array; key checksum. | No | NA |
CKA_CLASS | Object class. | No | NA |
CKA_LOCAL | Boolean type, TRUE if key was generated locally. | No | TRUE |
CKA_EXTRACTABLE | Boolean type, TRUE if key is extractable and can be wrapped. | No | TRUE |
CKA_EC_PARAMS | | No | NA |
CKA_EC_POINT (only for creating a public key) | | No | NA |
CKA_PRIVATE_EXPONENT (only for creating a private object) | Private exponent d. | No | NA |
CKA_SENSITIVE | TRUE if key is sensitive. | Yes | TRUE |
CKA_DERIVE | TRUE if key supports deriving another key (see CKA_DERIVE below). | Yes | FALSE |
CKA_TRUSTED | | Yes | FALSE |
CKA_NEVER_EXTRACTABLE | Returns the value set by the HSM. | No | TRUE for private and secret keys |
CKA_ALWAYS_SENSITIVE | CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE. | No | TRUE |
CKA_WRAP_WITH_TRUSTED | | Depends on initial value | FALSE |
CKA_DESTROYABLE | TRUE if the object can be destroyed using C_DestroyObject. Note: This attribute is not applied to session keys. This is a deviation from the specification. | Yes | TRUE |
CKA_WRAP_TEMPLATE | For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. See CKA_WRAP_TEMPLATE for more information. | Yes | Not defined |
CKA_UNWRAP_TEMPLATE | For wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user-supplied template is applied after this template as if the object has already been created. See CKA_UNWRAP_TEMPLATE for more information. | Yes | Not defined |
The following attributes have specific behaviors that are detailed below:
CKA_NEVER_EXTRACTABLE
CKA_ALWAYS_SENSITIVE
CKA_WRAP_TEMPLATE
CKA_UNWRAP_TEMPLATE
CKA_DERIVE
CKA_NEVER_EXTRACTABLE
The CKA_NEVER_EXTRACTABLE attribute tracks the history of the key's CKA_EXTRACTABLE attribute: it remains TRUE only while CKA_EXTRACTABLE has never been TRUE. It is a READ-ONLY attribute and cannot be set by any user as part of the create/generate template.
CKA_ALWAYS_SENSITIVE
The CKA_ALWAYS_SENSITIVE attribute tracks the history of the key's CKA_SENSITIVE attribute: it remains TRUE only while CKA_SENSITIVE has never been FALSE. It cannot be set by the user as part of an import/generate template; it is a READ-ONLY attribute.
CKA_WRAP_TEMPLATE
The CKA_WRAP_TEMPLATE attribute is applicable only for wrapping keys. It specifies a template of attributes that must match the attributes of the keys to be wrapped. If it does not match, the wrapping operation will fail.
The default is empty to avoid having a single wrapping key used to wrap all keys.
CKA_WRAP must be TRUE to use this attribute.
The following table lists the sub-attributes supported as part of CKA_WRAP_TEMPLATE for operations C_GenerateKeyPair, C_GenerateKey, and C_CreateObject:
Supported Sub-attributes | Input Accepted by HSM |
--- | --- |
CKA_CLASS | Accepts private and secret class. |
CKA_KEY_TYPE | Accepts based on key class. |
CKA_LOCAL | Accepts if TRUE or FALSE. |
CKA_TOKEN | Accepts if TRUE or FALSE. |
CKA_PRIVATE | Accepts if TRUE or FALSE. |
CKA_ENCRYPT | Accepts if TRUE or FALSE. |
CKA_DECRYPT | Accepts if TRUE or FALSE. |
CKA_DERIVE | Accepts if TRUE or FALSE. |
CKA_DESTROYABLE | Accepts if TRUE or FALSE. |
CKA_SIGN | Accepts if TRUE or FALSE. |
CKA_VERIFY | Accepts if TRUE or FALSE. |
CKA_WRAP | Accepts if TRUE or FALSE. |
CKA_UNWRAP | Accepts if TRUE or FALSE. |
CKA_SENSITIVE | Accepts if TRUE or FALSE. |
CKA_ALWAYS_SENSITIVE | Accepts if TRUE or FALSE. |
CKA_MODULUS_BITS | Accepts values between 1024 and 4096. |
CKA_VALUE_LEN | Applicable for secret keys. Accepts values between 1 and 800. |
CKA_WRAP_WITH_TRUSTED | Accepts if TRUE or FALSE. |
CKA_TRUSTED | Accepts if TRUE or FALSE. |
CKA_UNWRAP_TEMPLATE
The CKA_UNWRAP_TEMPLATE attribute is applicable only for unwrapping keys. During an unwrap operation, the CKA_UNWRAP_TEMPLATE attributes are prefixed to the template of each unwrapped key, provided there is no conflict with the user-defined template.
The default is empty.
CKA_UNWRAP must be TRUE to use this attribute.
The following table lists the sub-attributes supported as part of CKA_UNWRAP_TEMPLATE for operations C_GenerateKeyPair, C_GenerateKey, and C_CreateObject:
Supported Sub-attributes | Input Accepted by Firmware |
--- | --- |
CKA_CLASS | Accepts only private and secret class. |
CKA_KEY_TYPE | Accepts based on key class. |
CKA_TOKEN | Accepts if TRUE or FALSE. |
CKA_PRIVATE | Accepts if TRUE or FALSE. |
CKA_ENCRYPT | Accepts if TRUE or FALSE. |
CKA_DECRYPT | Accepts if TRUE or FALSE. |
CKA_DERIVE | Accepts if TRUE or FALSE. |
CKA_DESTROYABLE | Accepts if TRUE or FALSE. |
CKA_SIGN | Accepts if TRUE or FALSE. |
CKA_VERIFY | Accepts if TRUE or FALSE. |
CKA_WRAP | Accepts if TRUE or FALSE. |
CKA_UNWRAP | Accepts if TRUE or FALSE. |
CKA_SENSITIVE | Accepts if TRUE or FALSE. |
CKA_EXTRACTABLE | Accepts if TRUE or FALSE. |
CKA_MODULUS_BITS | Accepts values between 1024 and 4096. |
CKA_VALUE_LEN | Applicable for secret keys. Accepts values between 1 and 800. |
CKA_WRAP_WITH_TRUSTED | Accepts if TRUE or FALSE. |
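The two template rules described above (CKA_WRAP_TEMPLATE must match every listed attribute of the key being wrapped, and CKA_UNWRAP_TEMPLATE is prefixed to the caller's template unless the two conflict) are modelled in the added C example below, which is not the HSM library's own code. The CK_ATTRIBUTE layout and the CKA_/CKO_ constant values are assumed to match pkcs11.h, and the sample templates are constructed for illustration.

```c
/* Constructed model (added illustration, not the HSM library's code) of how an
 * HSM enforces CKA_WRAP_TEMPLATE and applies CKA_UNWRAP_TEMPLATE. CK_ATTRIBUTE
 * and the CKA_/CKO_ values are assumed to match pkcs11.h (include it for real). */
#include <string.h>
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CK_FALSE = 0, CK_TRUE = 1 };
#define CKA_CLASS       0x000UL
#define CKA_SENSITIVE   0x103UL
#define CKA_EXTRACTABLE 0x162UL
#define CKO_SECRET_KEY  0x4UL
static int attr_equal(const CK_ATTRIBUTE *a, const CK_ATTRIBUTE *b)
{
    return a->type == b->type && a->ulValueLen == b->ulValueLen &&
           memcmp(a->pValue, b->pValue, a->ulValueLen) == 0;
}

/* Wrap check: every CKA_WRAP_TEMPLATE attribute must be present on the key to
 * be wrapped with an identical value, else the wrap fails. An attribute the
 * candidate key lacks counts as a mismatch, not as "unconstrained". */
int wrap_template_matches(const CK_ATTRIBUTE *tmpl, CK_ULONG n,
                          const CK_ATTRIBUTE *key, CK_ULONG m)
{
    for (CK_ULONG i = 0; i < n; i++) {
        int found = 0;
        for (CK_ULONG j = 0; j < m && !found; j++)
            if (key[j].type == tmpl[i].type) found = attr_equal(&key[j], &tmpl[i]);
        if (!found) return 0;
    }
    return 1;
}

/* Unwrap merge: CKA_UNWRAP_TEMPLATE is prefixed to the caller's template for
 * the unwrapped key. Returns the merged count, or -1 if the caller's template
 * sets a template attribute to a different value (conflict) or out is too small. */
long apply_unwrap_template(const CK_ATTRIBUTE *tmpl, CK_ULONG n,
                           const CK_ATTRIBUTE *user, CK_ULONG m,
                           CK_ATTRIBUTE *out, CK_ULONG cap)
{
    if (n + m > cap) return -1;
    for (CK_ULONG i = 0; i < n; i++)
        for (CK_ULONG j = 0; j < m; j++)
            if (user[j].type == tmpl[i].type && !attr_equal(&user[j], &tmpl[i]))
                return -1;
    memcpy(out, tmpl, n * sizeof *out);
    memcpy(out + n, user, m * sizeof *out);
    return (long)(n + m);
}
```

A wrapping key whose template is `{CKA_CLASS = CKO_SECRET_KEY, CKA_SENSITIVE = TRUE}` therefore refuses to wrap a non-sensitive secret key or a key that carries no CKA_SENSITIVE value at all, and an unwrap caller asking for CKA_SENSITIVE = FALSE is rejected rather than silently overridden.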
CKA_DERIVE
The CKA_DERIVE attribute is used to derive another key from the input key. This attribute must be FALSE for all public keys and cannot be set to TRUE. For secret and EC private keys, it can be TRUE or FALSE.