According to the latest PKCS#11 spec, the typical attribute structure of an RSA private key is the following:
/* Values referenced by the template; the byte arrays (label, subject, id,
 * modulus, publicExponent, privateExponent, prime1, prime2, exponent1,
 * exponent2, coefficient) hold the key's components, supplied by the caller. */
CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_RSA;
CK_BBOOL ckTrue = CK_TRUE;   /* named ckTrue: `true` clashes with <stdbool.h> */
CK_ATTRIBUTE template[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_KEY_TYPE, &keyType, sizeof(keyType)},
{CKA_TOKEN, &ckTrue, sizeof(ckTrue)},
{CKA_LABEL, label, sizeof(label) - 1},   /* -1: leave out the terminating NUL */
{CKA_SUBJECT, subject, sizeof(subject)},
{CKA_ID, id, sizeof(id)},
{CKA_SENSITIVE, &ckTrue, sizeof(ckTrue)},
{CKA_DECRYPT, &ckTrue, sizeof(ckTrue)},
{CKA_SIGN, &ckTrue, sizeof(ckTrue)},
{CKA_MODULUS, modulus, sizeof(modulus)},
{CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent)},
{CKA_PRIVATE_EXPONENT, privateExponent, sizeof(privateExponent)},
{CKA_PRIME_1, prime1, sizeof(prime1)},
{CKA_PRIME_2, prime2, sizeof(prime2)},
{CKA_EXPONENT_1, exponent1, sizeof(exponent1)},
{CKA_EXPONENT_2, exponent2, sizeof(exponent2)},
{CKA_COEFFICIENT, coefficient, sizeof(coefficient)}
};
However, there is another attribute, CKA_VALUE, that can only be used for creating PKCS#11 'data objects' and NOT 'key objects'. When I use this field (CKA_VALUE) to create key objects, PKCS#11 throws me an invalid attribute error.
I would like to use a similar field in the template which contains a string-formatted value that can hold metadata related to the key (like the IV used to wrap the RSA key, the date of generation of the key, etc.). Is there a way to store this information in the existing PKCS#11 template without tinkering with the attribute data structure in the implementation? I am using the OpenDNSSEC community's SoftHSM 2.0 package for the PKCS#11 implementation.
Any suggestions would be appreciated.
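As an added example (not part of the question above, and not SoftHSM's code), here is one way to keep metadata next to a key without touching the key template or the attribute implementation: store the key as usual, then create a CKO_DATA object that carries the metadata in CKA_VALUE and shares the key's CKA_ID, so the two can be found together later. The function names, the "key=value" line format for the metadata, the CKA_APPLICATION string, the sample IV and date, and the in-memory stand-in for C_CreateObject are all assumptions made for this example; with a real token you pass `p11->C_CreateObject` from C_GetFunctionList instead of the stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 definitions with the values from the v2.40 header.
 * Real code should #include <pkcs11.h> (SoftHSM ships one) instead. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_RV, CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKO_DATA        0x0UL
#define CKA_CLASS       0x0UL
#define CKA_TOKEN       0x1UL
#define CKA_PRIVATE     0x2UL
#define CKA_APPLICATION 0x10UL
#define CKA_VALUE       0x11UL
#define CKA_ID          0x102UL
#define CKR_OK          0x0UL
#define CKR_HOST_MEMORY 0x2UL
#define CK_TRUE         1

/* Signature of C_CreateObject; pass p11->C_CreateObject for a real token. */
typedef CK_RV (*create_object_fn)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG, CK_OBJECT_HANDLE *);

/* Encode metadata as "key=value\n" lines (a format chosen for this example).
 * Returns the encoded length (no NUL), or 0 if the buffer is too small. */
size_t encode_key_metadata(const unsigned char *iv, size_t iv_len,
                           const char *generated, char *out, size_t out_len)
{
    int w = snprintf(out, out_len, "iv=");
    if (w < 0 || (size_t)w >= out_len) return 0;
    size_t n = (size_t)w;
    for (size_t i = 0; i < iv_len; i++) {          /* IV as lowercase hex */
        w = snprintf(out + n, out_len - n, "%02x", iv[i]);
        if (w < 0 || (size_t)w >= out_len - n) return 0;
        n += (size_t)w;
    }
    w = snprintf(out + n, out_len - n, "\ngenerated=%s\n", generated);
    if (w < 0 || (size_t)w >= out_len - n) return 0;
    return n + (size_t)w;
}

/* Create a CKO_DATA object holding the metadata, linked to the key by CKA_ID.
 * keyId/keyIdLen must equal the CKA_ID given to the RSA key object. */
CK_RV store_key_metadata(create_object_fn createObject, CK_SESSION_HANDLE hSession,
                         const unsigned char *keyId, CK_ULONG keyIdLen,
                         const char *metadata, CK_ULONG metadataLen, CK_OBJECT_HANDLE *hObj)
{
    CK_OBJECT_CLASS cls = CKO_DATA;
    CK_BBOOL yes = CK_TRUE;
    static char application[] = "example-keymeta";   /* hypothetical app name */
    CK_ATTRIBUTE tmpl[] = {
        {CKA_CLASS,       &cls, sizeof cls},
        {CKA_TOKEN,       &yes, sizeof yes},          /* persist on the token */
        {CKA_PRIVATE,     &yes, sizeof yes},          /* needs login, like the key */
        {CKA_APPLICATION, application, sizeof application - 1},
        {CKA_ID,          (void *)keyId, keyIdLen},   /* same ID as the key */
        {CKA_VALUE,       (void *)metadata, metadataLen},
    };
    return createObject(hSession, tmpl, sizeof tmpl / sizeof tmpl[0], hObj);
}

/* Pull one field out of a CKA_VALUE blob read back with C_GetAttributeValue.
 * Returns 1 and copies the NUL-terminated value into out if found, else 0. */
int get_metadata_field(const char *blob, size_t blob_len, const char *key,
                       char *out, size_t out_len)
{
    size_t klen = strlen(key), pos = 0;
    while (pos < blob_len) {
        const char *line = blob + pos;
        const char *nl = memchr(line, '\n', blob_len - pos);
        size_t llen = nl ? (size_t)(nl - line) : blob_len - pos;
        if (llen > klen && memcmp(line, key, klen) == 0 && line[klen] == '=') {
            size_t vlen = llen - klen - 1;
            if (vlen + 1 > out_len) return 0;
            memcpy(out, line + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        pos += llen + 1;
    }
    return 0;
}

/* Constructed stand-in for a token's C_CreateObject: it copies one object's
 * attributes into static storage so the example runs without an HSM. */
static CK_ATTRIBUTE fake_attrs[8];
static unsigned char fake_buf[8][256];
static CK_ULONG fake_count;

CK_RV fake_create_object(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE *tmpl,
                         CK_ULONG count, CK_OBJECT_HANDLE *hObj)
{
    (void)hSession;
    if (count > 8) return CKR_HOST_MEMORY;
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].ulValueLen > sizeof fake_buf[i]) return CKR_HOST_MEMORY;
        memcpy(fake_buf[i], tmpl[i].pValue, tmpl[i].ulValueLen);
        fake_attrs[i] = tmpl[i];
        fake_attrs[i].pValue = fake_buf[i];
    }
    fake_count = count;
    *hObj = 1;
    return CKR_OK;
}

/* Look up an attribute on the stored stand-in object; NULL if absent. */
const CK_ATTRIBUTE *fake_get_attr(CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < fake_count; i++)
        if (fake_attrs[i].type == type) return &fake_attrs[i];
    return NULL;
}

int main(void)
{
    const unsigned char keyId[] = {0x01, 0x02, 0x03, 0x04};                 /* constructed */
    const unsigned char iv[] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01, 0x02, 0x03}; /* constructed */
    char meta[256], field[64];
    CK_OBJECT_HANDLE h = 0;
    size_t n = encode_key_metadata(iv, sizeof iv, "2016-03-01T12:00:00Z", meta, sizeof meta);
    CK_RV rv = store_key_metadata(fake_create_object, 1, keyId, sizeof keyId, meta, (CK_ULONG)n, &h);
    const CK_ATTRIBUTE *v = fake_get_attr(CKA_VALUE);
    if (rv == CKR_OK && v && get_metadata_field(v->pValue, v->ulValueLen, "iv", field, sizeof field))
        printf("stored metadata object %lu with iv=%s\n", h, field);
    return rv == CKR_OK ? 0 : 1;
}
```

To read the metadata back from a real token, search with C_FindObjectsInit using a template of CKA_CLASS = CKO_DATA and the key's CKA_ID, then call C_GetAttributeValue for CKA_VALUE twice, first with pValue = NULL to learn the length and then with a buffer of that size. Marking the data object CKA_PRIVATE keeps it behind the same login as the private key, but note that CKA_VALUE on a data object is never CKA_SENSITIVE, so it is fine for an IV or a date and not a place for secret material.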