Using Key object handle in PKCS#11

3.1k views Asked by At

I am trying to interact with HSM using PKCS#11 functions given by vendor. I use below series of function to generate secret key, encrypt and decrypt data. Below sequence works good.

  1. C_Initialize
  2. C_OpenSession
  3. C_Login
  4. C_GenerateKey //3DES KEY
  5. C_EncryptInit
  6. C_Encrypt
  7. C_DecryptInit
  8. C_Decrypt
  9. C_Logout
  10. C_CloseSession

My Questions:

  1. After using C_Logout & C_CloseSession is there a way to reuse same KEY(generated earlier) again by logging back and opening session again with same login credentials?

  2. When I use C_CreateObject does it create session object and destroy it on using C_CloseSession?

1

There are 1 answers

0
Maarten Bodewes On BEST ANSWER

Question: After using C_Logout & C_CloseSession is there a way to reuse same KEY(generated earlier) again by logging back and opening session again with same login credentials?

Yes, just set CKA_TOKEN to CK_TRUE and provide a label using CKA_LABEL to search for it using C_FindObjects.


Question: When I use C_CreateObject does it create session object and destroy it on using C_CloseSession?

Well, yes, according to the PKCS#11 specifications (v2.20, 10.4, Table 21):

CKA_TOKEN is CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE.


Note that your token may not allow all possible attributes or attribute combinations to be set, and may have memory and other limitations.