Usage notes for CCA library functions
Read important information about the usage and restrictions of CCA library functions.
- Plain CCA key objects, that is, CCA secure key objects that the CCA token generates internally through the CCA library libcsulcca.so (they can also be thought of as blobs, binary large objects), can be extracted from sensitive openCryptoki key objects of the CCA token by reading the value of the CKA_IBM_OPAQUE attribute. Conversely, a CCA key blob created by a native CCA application through the CCA library libcsulcca.so can be imported into a sensitive openCryptoki key object for the CCA token by assigning the content of the CCA key blob to the CKA_IBM_OPAQUE attribute in the template passed to the C_CreateObject() function. This import is supported for the following key types (called key tokens in CCA):
  - CCA DES key token
  - CCA DES3 key token
  - CCA AESDATA key token. For AES XTS, two such AESDATA key tokens are concatenated.
  - CCA internal RSA private key token (RSA-AESM and RSA-AESC)
  - CCA RSA public key token (RSA-AESM and RSA-AESC)
  - CCA HMAC key token
  - CCA internal EC private key token
  - CCA EC public key token

  CCA AESCIPHER key token import is not supported; C_CreateObject() returns CKR_TEMPLATE_INCONSISTENT for such a template.

  Clear keys can also be imported into sensitive openCryptoki key objects for the CCA token by assigning the clear key value to the CKA_VALUE attribute, or to the other key-type-specific attributes, using the PKCS #11 C_CreateObject() function. This is supported for RSA private keys and for RSA public keys. The CCA token also supports the C_CreateObject() function for AES, DES, DES3, and generic secret keys, as well as plain HMAC and ECC keys with different curves.
- The default CKA_SENSITIVE setting for generating a key is CK_FALSE, although the openCryptoki CCA token handles only secure keys, which correspond to sensitive keys in PKCS #11.

  Setting the value of CKA_SENSITIVE to CK_FALSE does not inhibit inspecting the value of CKA_VALUE. This setting does not compromise security because CKA_VALUE does not contain any sensitive or secret information. Also, CKA_IBM_OPAQUE does not contain any information that can be exploited without the corresponding CCA master key.
- The function C_DigestKey is not supported by the CCA token.
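The following C program is an added example, not code from openCryptoki or from the CCA library, that shows both directions described in the first note: reading a CCA key blob out of a token object with the two-call C_GetAttributeValue pattern on CKA_IBM_OPAQUE, and building the C_CreateObject() template that imports such a blob, with CKA_SENSITIVE set explicitly to CK_TRUE as the second note suggests. The typedefs and constants at the top are a minimal local stand-in for pkcs11.h (and openCryptoki's pkcs11types.h, which defines CKA_IBM_OPAQUE as CKA_VENDOR_DEFINED + 1) so that the file compiles on its own; a real program includes those headers and calls the token's C_GetAttributeValue and C_CreateObject through its function list. The `demo_get_attribute_value` function and `demo_blob` bytes are constructed stand-ins for a token response and are not a real CCA key token; the `enum cca_token_kind` names are this example's own.

```c
/* Added example (not openCryptoki's or CCA's code): minimal stand-in for the
 * PKCS #11 types and constants normally supplied by pkcs11.h/pkcs11types.h. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef CK_BYTE  CK_BBOOL;
typedef CK_ULONG CK_RV, CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS, CK_KEY_TYPE;
typedef CK_ULONG CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE 1
#define CKR_OK                     0x000UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CKA_CLASS 0x000UL
#define CKA_TOKEN 0x001UL
#define CKA_KEY_TYPE  0x100UL
#define CKA_SENSITIVE 0x103UL
#define CKA_VENDOR_DEFINED 0x80000000UL
#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1)   /* openCryptoki vendor attribute */
#define CKO_PUBLIC_KEY 2UL
#define CKO_PRIVATE_KEY 3UL
#define CKO_SECRET_KEY 4UL
#define CKK_RSA 0x00UL
#define CKK_EC 0x03UL
#define CKK_GENERIC_SECRET 0x10UL
#define CKK_DES 0x13UL
#define CKK_DES3 0x15UL
#define CKK_AES 0x1FUL

/* CCA key token kinds named in the usage notes (names are this example's own). */
enum cca_token_kind { CCA_DES, CCA_DES3, CCA_AESDATA, CCA_RSA_PRIV, CCA_RSA_PUB,
                      CCA_HMAC, CCA_EC_PRIV, CCA_EC_PUB, CCA_AESCIPHER };

/* PKCS #11 class and key type for each importable CCA token kind. Returns 0 for
 * AESCIPHER, which the token rejects with CKR_TEMPLATE_INCONSISTENT, so no
 * template is built for it. */
int cca_kind_to_pkcs11(enum cca_token_kind k, CK_OBJECT_CLASS *cls, CK_KEY_TYPE *kt)
{
    switch (k) {
    case CCA_DES:      *cls = CKO_SECRET_KEY;  *kt = CKK_DES;            return 1;
    case CCA_DES3:     *cls = CKO_SECRET_KEY;  *kt = CKK_DES3;           return 1;
    case CCA_AESDATA:  *cls = CKO_SECRET_KEY;  *kt = CKK_AES;            return 1;
    case CCA_HMAC:     *cls = CKO_SECRET_KEY;  *kt = CKK_GENERIC_SECRET; return 1;
    case CCA_RSA_PRIV: *cls = CKO_PRIVATE_KEY; *kt = CKK_RSA;            return 1;
    case CCA_RSA_PUB:  *cls = CKO_PUBLIC_KEY;  *kt = CKK_RSA;            return 1;
    case CCA_EC_PRIV:  *cls = CKO_PRIVATE_KEY; *kt = CKK_EC;             return 1;
    case CCA_EC_PUB:   *cls = CKO_PUBLIC_KEY;  *kt = CKK_EC;             return 1;
    default:           return 0;
    }
}

/* Template storage: the attrs[] pValue pointers reference fields of this struct,
 * so pass it by pointer and never copy it by value after building. */
struct import_template {
    CK_OBJECT_CLASS cls; CK_KEY_TYPE ktype; CK_BBOOL on_token, sensitive;
    CK_ATTRIBUTE attrs[5]; CK_ULONG count;
};

/* Build the C_CreateObject() template that imports a CCA key blob via CKA_IBM_OPAQUE. */
int build_cca_import_template(struct import_template *t, enum cca_token_kind kind,
                              CK_BYTE *blob, CK_ULONG blob_len)
{
    if (!cca_kind_to_pkcs11(kind, &t->cls, &t->ktype)) return 0;
    t->on_token  = CK_TRUE;
    t->sensitive = CK_TRUE;   /* the token's default would be CK_FALSE; set it explicitly */
    CK_ATTRIBUTE a[5] = {
        { CKA_CLASS,      &t->cls,       sizeof t->cls },
        { CKA_KEY_TYPE,   &t->ktype,     sizeof t->ktype },
        { CKA_TOKEN,      &t->on_token,  sizeof t->on_token },
        { CKA_SENSITIVE,  &t->sensitive, sizeof t->sensitive },
        { CKA_IBM_OPAQUE, blob,          blob_len },   /* the CCA key blob itself */
    };
    memcpy(t->attrs, a, sizeof a);
    t->count = 5;   /* pass t->attrs and t->count to C_CreateObject(session, ...) */
    return 1;
}

typedef CK_RV (*get_attr_fn)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE *, CK_ULONG);

/* Read CKA_IBM_OPAQUE with the two-call pattern: size query (pValue == NULL), then
 * fetch. On CKR_BUFFER_TOO_SMALL, *out_len is set to the size required. */
CK_RV fetch_cca_blob(get_attr_fn get_attr, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h,
                     CK_BYTE *out, CK_ULONG *out_len)
{
    CK_ATTRIBUTE a = { CKA_IBM_OPAQUE, NULL, 0 };
    CK_RV rv = get_attr(s, h, &a, 1);
    if (rv != CKR_OK) return rv;
    if (a.ulValueLen > *out_len) { *out_len = a.ulValueLen; return CKR_BUFFER_TOO_SMALL; }
    a.pValue = out; a.ulValueLen = *out_len;
    rv = get_attr(s, h, &a, 1);
    if (rv == CKR_OK) *out_len = a.ulValueLen;
    return rv;
}

/* Constructed stand-in for the token's C_GetAttributeValue so the block runs offline:
 * object handle 42 answers CKA_IBM_OPAQUE with 16 placeholder bytes (not a real CCA token). */
static const CK_BYTE demo_blob[16] = { 0xDE,0xAD,0xBE,0xEF,4,5,6,7,8,9,10,11,12,13,14,15 };

CK_RV demo_get_attribute_value(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h, CK_ATTRIBUTE *t, CK_ULONG n)
{
    (void)s;
    for (CK_ULONG i = 0; i < n; i++) {
        if (h != 42 || t[i].type != CKA_IBM_OPAQUE) { t[i].ulValueLen = (CK_ULONG)-1; return CKR_ATTRIBUTE_TYPE_INVALID; }
        if (t[i].pValue == NULL) { t[i].ulValueLen = sizeof demo_blob; continue; }
        if (t[i].ulValueLen < sizeof demo_blob) { t[i].ulValueLen = (CK_ULONG)-1; return CKR_BUFFER_TOO_SMALL; }
        memcpy(t[i].pValue, demo_blob, sizeof demo_blob);
        t[i].ulValueLen = sizeof demo_blob;
    }
    return CKR_OK;
}

/* Round trip: extract the blob from object 42, then build the template that would
 * re-import it as an AESDATA key. Returns the attribute count, or -1 on failure. */
int demo_roundtrip(void)
{
    CK_BYTE blob[64]; CK_ULONG len = sizeof blob; struct import_template t;
    if (fetch_cca_blob(demo_get_attribute_value, 1, 42, blob, &len) != CKR_OK) return -1;
    if (len != sizeof demo_blob || memcmp(blob, demo_blob, len) != 0) return -1;
    if (!build_cca_import_template(&t, CCA_AESDATA, blob, len)) return -1;
    return (int)t.count;
}

int main(void)
{
    printf("attributes in import template: %d\n", demo_roundtrip());
    return 0;
}
```

Note that the blob fetched through CKA_IBM_OPAQUE is only usable on a system holding the same CCA master key, so storing or moving it is a key-management decision rather than a key-exposure one; the template builder refuses AESCIPHER up front instead of letting C_CreateObject() fail with CKR_TEMPLATE_INCONSISTENT.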