1c10c16deSRichard Lowe.\" Copyright (c) 2008, Sun Microsystems, Inc. All rights reserved. 2b106467fSJason King.\" Copyright 2016 Jason King. 3b77a2dc4SPeter Tribble.\" Copyright 2019 Peter Tribble. 4b106467fSJason King.\" 5c10c16deSRichard Lowe.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. 6c10c16deSRichard Lowe.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. 7c10c16deSRichard Lowe.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 8b77a2dc4SPeter Tribble.Dd Aug 27, 2019 9b106467fSJason King.Dt LIBPKCS11 3LIB 10b106467fSJason King.Os 11b106467fSJason King.Sh NAME 12b106467fSJason King.Nm libpkcs11 13b106467fSJason King.Nd PKCS#11 Cryptographic Framework library 14b106467fSJason King.Sh SYNOPSIS 15b106467fSJason King.Lb libpkcs11 16b106467fSJason King.In security/cryptoki.h 17b106467fSJason King.In security/pkcs11.h 18b106467fSJason King.Sh DESCRIPTION 19b106467fSJason KingThe 20b106467fSJason King.Nm 21b106467fSJason Kinglibrary implements the RSA Security Inc. PKCS#11 22b106467fSJason KingCryptographic Token Interface (Cryptoki), v2.40 specification by using plug-ins 23c10c16deSRichard Loweto provide the slots. 24b106467fSJason King.Lp 25b106467fSJason KingEach plug-in, which also implements RSA PKCS#11 v2.40, represents one or more 26c10c16deSRichard Loweslots. 27b106467fSJason King.Lp 28b106467fSJason KingThe 29b106467fSJason King.Nm 3072d3dbb9SYuri Pankovlibrary provides a special slot called the meta slot. 3172d3dbb9SYuri PankovThe meta slot provides a virtual union of capabilities of all other slots. 3272d3dbb9SYuri PankovWhen available, the meta slot is always the first slot provided by 33b106467fSJason King.Nm . 34b106467fSJason King.Lp 35c10c16deSRichard LoweThe meta slot feature can be configured either system-wide or by individual 3672d3dbb9SYuri Pankovusers. 3772d3dbb9SYuri PankovSystem-wide configuration for meta slot features is done with the 38*bbf21555SRichard Lowe.Xr cryptoadm 8 3972d3dbb9SYuri Pankovutility. 4072d3dbb9SYuri PankovUser configuration for meta slot features is performed with environment 4172d3dbb9SYuri Pankovvariables. 42b106467fSJason King.Lp 4372d3dbb9SYuri PankovBy default, the following is the system-wide configuration for meta slot. 4472d3dbb9SYuri PankovMeta slot is enabled. 4572d3dbb9SYuri PankovMeta slot provides token-based object support with the Software RSA PKCS#11 4672d3dbb9SYuri Pankovsofttoken 47*bbf21555SRichard Lowe.Pq Xr pkcs11_softtoken 7 . 48b106467fSJason KingMeta slot is 49c10c16deSRichard Loweallowed to move sensitive token objects to other slots if that is necessary to 50c10c16deSRichard Loweperform an operation. 51b106467fSJason King.Lp 52c10c16deSRichard LoweUsers can overwrite one or more system-wide configuration options for meta slot 53c10c16deSRichard Loweusing these environment variables. 54b106467fSJason King.Lp 55b106467fSJason KingThe 56b106467fSJason King.Ev ${METASLOT_OBJECTSTORE_SLOT} 57b106467fSJason Kingand 58b106467fSJason King.Ev ${METASLOT_OBJECTSTORE_TOKEN} 5972d3dbb9SYuri Pankovenvironment variables are used to specify an alternate token object store. 6072d3dbb9SYuri PankovA user can specify either slot-description in 61b106467fSJason King.Ev ${METASLOT_OBJECTSTORE_SLOT} 62b106467fSJason Kingor token-label in 63b77a2dc4SPeter Tribble.Ev ${METASLOT_OBJECTSTORE_TOKEN} , 64b77a2dc4SPeter Tribbleor both. 6572d3dbb9SYuri PankovValid values for slot-description and token-label are available from output of 6672d3dbb9SYuri Pankovthe command: 67b106467fSJason King.Bd -literal -offset indent 68b106467fSJason King# cryptoadm list -v 69b106467fSJason King.Ed 70b106467fSJason King.Lp 71b106467fSJason KingThe 72b106467fSJason King.Ev ${METASLOT_ENABLED} 73b106467fSJason Kingenvironment variable is used to specify whether 7472d3dbb9SYuri Pankovthe user wants to turn the metaslot feature on or off. 7572d3dbb9SYuri PankovOnly two values are recognized. 7672d3dbb9SYuri PankovThe value "true" means meta slot will be on. 7772d3dbb9SYuri PankovThe value "false" means meta slot will be off. 78b106467fSJason King.Lp 79b106467fSJason KingThe 80b106467fSJason King.Ev ${METASLOT_AUTO_KEY_MIGRATE} 81b106467fSJason Kingenvironment variable is used to specify 82c10c16deSRichard Lowewhether the user wants sensitive token objects to move to other slots for 8372d3dbb9SYuri Pankovcryptographic operations. 8472d3dbb9SYuri PankovOnly two values are recognized. 8572d3dbb9SYuri PankovThe value "true" means meta slot will migrate sensitive token objects to other 8672d3dbb9SYuri Pankovslots if necessary. 8772d3dbb9SYuri PankovThe value "false" means meta slot will not migrate sensitive token objects to 8872d3dbb9SYuri Pankovother slots even if it is necessary. 89b106467fSJason King.Lp 90c10c16deSRichard LoweWhen the meta slot feature is enabled, the slot that provides token-based 9172d3dbb9SYuri Pankovobject support is not shown as one of the available slots. 9272d3dbb9SYuri PankovAll of its functionality can be used with the meta slot. 93b106467fSJason King.Lp 94c10c16deSRichard LoweThis library filters the list of mechanisms available from plug-ins based on 95b106467fSJason Kingthe policy set by 96*bbf21555SRichard Lowe.Xr cryptoadm 8 . 97b106467fSJason King.Lp 9872d3dbb9SYuri PankovThis library provides entry points for all PKCS#11 v2.40 functions. 9972d3dbb9SYuri PankovSee the PKCS#11 v2.40 specifications at 100b106467fSJason King.Lk http://www.oasis-open.org . 101b106467fSJason King.Lp 102b106467fSJason KingPlug-ins are added to 103b106467fSJason King.Nm 104b106467fSJason Kingby the 105b106467fSJason King.Sy pkcs11conf 106b106467fSJason Kingclass action 107b106467fSJason Kingscript during execution of 108*bbf21555SRichard Lowe.Xr pkgadd 8 . 109b106467fSJason KingThe available mechanisms are administered by the 110*bbf21555SRichard Lowe.Xr cryptoadm 8 111b106467fSJason Kingutility. 112b106467fSJason King.Lp 113b77a2dc4SPeter TribblePlug-ins must have all of their library dependencies specified, including 114b106467fSJason King.Xr libc 3LIB . 115b106467fSJason KingLibraries that have unresolved symbols, including those from 116b106467fSJason King.Xr libc 3LIB , 117b106467fSJason Kingwill be rejected and a message will be sent to 118b106467fSJason King.Xr syslog 3C 119b106467fSJason Kingfor such plug-ins. 120b106467fSJason King.Lp 121c10c16deSRichard LoweDue to U.S. Export regulations, all plug-ins are required to be 122b106467fSJason Kingcryptographically signed using the 123b106467fSJason King.Xr elfsign 1 124b106467fSJason Kingutility. 125b106467fSJason King.Lp 126c10c16deSRichard LoweAny plug-in that is not signed or is not a compatible version of PKCS#11 will 127b106467fSJason Kingbe dropped by 128b106467fSJason King.Nm . 129b106467fSJason KingWhen a plug-in is dropped, the administrator is alerted by the 130b106467fSJason King.Xr syslog 3C 131b106467fSJason Kingutility. 132b106467fSJason King.Lp 133b106467fSJason KingThe 134b106467fSJason King.In security/pkcs11f.h 13572d3dbb9SYuri Pankovheader contains function definitions. 13672d3dbb9SYuri PankovThe 137b106467fSJason King.In security/pkcs11t.h 13872d3dbb9SYuri Pankovheader contains type definitions. 13972d3dbb9SYuri PankovApplications can include either of these headers in place of 140b106467fSJason King.In security/pkcs11.h , 141b106467fSJason Kingwhich contains both function and type definitions. 142b106467fSJason King.Sh INTERFACES 143b106467fSJason KingThe shared object 144c66b8046SYuri Pankov.Pa libpkcs11.so.1 14572d3dbb9SYuri Pankovprovides the public interfaces defined below. 14672d3dbb9SYuri PankovSee 147b106467fSJason King.Xr Intro 3 148b106467fSJason Kingfor additional information on shared object interfaces. 149b106467fSJason King.Ss "PKCS#11 Standard" 150b106467fSJason King.\" 151b106467fSJason King.\" Use SUNW_C_GetMechSession for the first column so both sections will 152b106467fSJason King.\" line up better when rendered 153b106467fSJason King.\" 154b106467fSJason King.Bl -column -offset indent ".Sy SUNW_C_GetMechSession" ".Sy C_DecryptDigestUpdate" 155b106467fSJason King.It Sy C_CloseAllSessions Ta Sy C_CloseSession 156b106467fSJason King.It Sy C_CopyObject Ta Sy C_CreateObject 157b106467fSJason King.It Sy C_Decrypt Ta Sy C_DecryptDigestUpdate 158b106467fSJason King.It Sy C_DecryptFinal Ta Sy C_DecryptInit 159b106467fSJason King.It Sy C_DecryptUpdate Ta Sy C_DecryptVerifyUpdate 160b106467fSJason King.It Sy C_DeriveKey Ta Sy C_DestroyObject 161b106467fSJason King.It Sy C_Digest Ta Sy C_DigestEncryptUpdate 162b106467fSJason King.It Sy C_DigestFinal Ta Sy C_DigestInit 163b106467fSJason King.It Sy C_DigestKey Ta Sy C_DigestUpdate 164b106467fSJason King.It Sy C_Encrypt Ta Sy C_EncryptFinal 165b106467fSJason King.It Sy C_EncryptInit Ta Sy C_EncryptUpdate 166b106467fSJason King.It Sy C_Finalize Ta Sy C_FindObjects 167b106467fSJason King.It Sy C_FindObjectsFinal Ta Sy C_FindObjectsInit 168b106467fSJason King.It Sy C_GenerateKey Ta Sy C_GenerateKeyPair 169b106467fSJason King.It Sy C_GenerateRandom Ta Sy C_GetAttributeValue 170b106467fSJason King.It Sy C_GetFunctionList Ta Sy C_GetInfo 171b106467fSJason King.It Sy C_GetMechanismInfo Ta Sy C_GetMechanismList 172b106467fSJason King.It Sy C_GetObjectSize Ta Sy C_GetOperationState 173b106467fSJason King.It Sy C_GetSessionInfo Ta Sy C_GetSlotInfo 174b106467fSJason King.It Sy C_GetSlotList Ta Sy C_GetTokenInfo 175b106467fSJason King.It Sy C_InitPIN Ta Sy C_InitToken 176b106467fSJason King.It Sy C_Initialize Ta Sy C_Login 177b106467fSJason King.It Sy C_Logout Ta Sy C_OpenSession 178b106467fSJason King.It Sy C_SeedRandom Ta Sy C_SetAttributeValue 179b106467fSJason King.It Sy C_SetOperationState Ta Sy C_SetPIN 180b106467fSJason King.It Sy C_Sign Ta Sy C_SignEncryptUpdate 181b106467fSJason King.It Sy C_SignFinal Ta Sy C_SignInit 182b106467fSJason King.It Sy C_SignRecover Ta Sy C_SignRecoverInit 183b106467fSJason King.It Sy C_SignUpdate Ta Sy C_UnwrapKey 184b106467fSJason King.It Sy C_Verify Ta Sy C_VerifyFinal 185b106467fSJason King.It Sy C_VerifyInit Ta Sy C_VerifyRecover 186b106467fSJason King.It Sy C_VerifyRecoverInit Ta Sy C_VerifyUpdate 187b106467fSJason King.It Sy C_WaitForSlotEvent Ta Sy C_WrapKey 188b106467fSJason King.El 189b106467fSJason King.Ss "SUNW Extensions" 190b106467fSJason King.Bl -column -offset indent ".Sy SUNW_C_GetMechSession" ".Sy C_DecryptDigestUpdate" 191b106467fSJason King.It Sy SUNW_C_GetMechSession Ta Sy SUNW_C_KeyToObject 192b106467fSJason King.El 193b106467fSJason King.Sh FILES 194b106467fSJason King.Bl -tag -compact -width Pa 195b106467fSJason King.It Pa /usr/lib/libpkcs11.so.1 196c10c16deSRichard Loweshared object 197b106467fSJason King.It Pa /usr/lib/64/libpkcs11.so.1 198c10c16deSRichard Lowe64-bit shared object 199b106467fSJason King.El 200b106467fSJason King.Sh ATTRIBUTES 201b106467fSJason KingSee 202*bbf21555SRichard Lowe.Xr attributes 7 203b106467fSJason Kingfor descriptions of the following attributes: 204b106467fSJason King.Sh INTERFACE STABILITY 205b106467fSJason King.Sy Committed 206b106467fSJason King.Sh MT-LEVEL 20772d3dbb9SYuri PankovThe SUNW Extension functions are MT-Safe. 20872d3dbb9SYuri PankovThe PKCS#11 Standard functions are MT-Safe with exceptions. 20972d3dbb9SYuri PankovSee Section 2.5.3 of PKCS#11 Cryptographic Token Usage Guide v2.40 and 21072d3dbb9SYuri PankovSection 5.1.5 of PKCS#11 Cryptographic Token Interface Base Standard v2.40 211b106467fSJason King.Sh SEE ALSO 212b106467fSJason King.Xr Intro 3 , 213b106467fSJason King.Xr syslog 3C , 214b106467fSJason King.Xr SUNW_C_GetMechSession 3EXT , 215*bbf21555SRichard Lowe.Xr attributes 7 , 216*bbf21555SRichard Lowe.Xr pkcs11_kernel 7 , 217*bbf21555SRichard Lowe.Xr pkcs11_softtoken 7 , 218*bbf21555SRichard Lowe.Xr cryptoadm 8 , 219*bbf21555SRichard Lowe.Xr pkgadd 8 220b106467fSJason King.Rs 221b106467fSJason King.%T "PKCS#11 Cryptographic Token Interface Base Specification v2.40 Plus Errata 01" 222b106467fSJason King.%U http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os.html 223b106467fSJason King.Re 224b106467fSJason King.Rs 225b106467fSJason King.%T "PKCS#11 Cryptographic Token Interface Profiles v2.40" 226b106467fSJason King.%U http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/pkcs11-profiles-v2.40.html 227b106467fSJason King.Re 228b106467fSJason King.Rs 229b106467fSJason King.%T "PKCS#11 Cryptographic Token Interface Usage Guide v2.40" 230b106467fSJason King.%U http://docs.oasis-open.org/pkcs11/pkcs11-ug/v2.40/pkcs11-ug-v2.40.html 231b106467fSJason King.Re 232b77a2dc4SPeter Tribble.Sh STANDARDS 233b77a2dc4SPeter TribbleThe PKCS#11 Standard functions conform to PKCS#11 Cryptographic Token 234b77a2dc4SPeter TribbleInterface Profiles v2.40 Extended Provider. 235b106467fSJason King.Sh NOTES 236b106467fSJason KingIf an application calls 237b106467fSJason King.Fn C_WaitForSlotEvent 238b106467fSJason Kingwithout the 239b106467fSJason King.Dv CKF_DONT_BLOCK 240b106467fSJason Kingflag set, 241b106467fSJason King.Nm 24272d3dbb9SYuri Pankovmust create threads internally. 24372d3dbb9SYuri PankovIf, however, 244b106467fSJason King.Dv CKF_LIBRARY_CANT_CREATE_OS_THREADS 245b106467fSJason Kingis set, 246b106467fSJason King.Fn C_WaitForSlotEvent 247b106467fSJason Kingreturns 248b106467fSJason King.Dv CKR_FUNCTION_FAILED . 249b106467fSJason King.Lp 250b106467fSJason KingBecause 251b77a2dc4SPeter Tribble.Fn C_Initialize 252b106467fSJason Kingmight have been called by both an application and a 253c10c16deSRichard Lowelibrary, it is not safe for a library or its plugins to call 254b106467fSJason King.Fn C_Finalize . 255b106467fSJason KingA library can be finished calling functions from 256b106467fSJason King.Nm , 257b106467fSJason Kingwhile an application might not. 258