PKCS#11 key usage event

This subtype consists of a series of tag-length-value (TLV) triplets. The triplets listed in Table 1 may be present in the record; which ones actually appear depends on the type of event and on the information that is available when the record is written.

Table 1. Subtype 46 PKCS#11 key usage event

Each entry gives the tag value (decimal / hex), the tag name, the length of the value in bytes, its format, and a description.

257 / X'101'  KDS_LABEL  (length 72, EBCDIC)
    The 44-byte key handle, left-justified and padded on the right with blanks. If the sequence number of the handle is 'FFFFFFFF', this was a raw object.

259 / X'103'  KEY_NAME  (length 1 - 513, EBCDIC)
    The CKA_LABEL attribute from the object. If CKA_LABEL is longer than 512 characters, a plus sign (+) is placed at the 513th character to indicate truncation.

260 / X'104'  OBJ_TYPE  (length 1, binary)
    Object type:
      X'01'  Symmetric key.
      X'02'  Public key.
      X'03'  Private key.
      X'05'  Certificate.
      X'06'  Domain parameters.
      X'07'  Data object.
      X'0C'  PKCS #11 token.

261 / X'105'  KEY_FPRINT  (length 1 - 64, binary)
    One or more key fingerprints. The first byte is the number (n) of fingerprints present for the key. It is followed by n type-length-value triplets, each consisting of a 1-byte fingerprint type, a 1-byte length that covers the whole triplet (the type byte, the length byte and the fingerprint), and the fingerprint itself.
    Fingerprint types:
      X'01'  Ciphertext obtained from encrypting a data block filled with binary zeros in ECB mode.
      X'02'  SHA-1 hash of the public key.
    For example, X'010105010203' indicates that there is one fingerprint (count byte 01) of type X'01', that is, the ciphertext obtained by using the key to encrypt 8 bytes of binary zeros in ECB mode. The triplet length byte is 05; because it counts the type and length bytes as well, the fingerprint itself is 05 - 2 = 3 bytes long, with the value X'010203'. The 3-byte value only illustrates the encoding: a real type X'01' fingerprint is one full cipher block (8 bytes for DES, 16 bytes for AES), so the triplet length is the block size plus 2.

262 / X'106'  SERVICE  (length 8, EBCDIC)
    The service associated with the event.

265 / X'109'  KEY_SEC  (length 1, binary)
    Key security:
      X'02'  Clear key.
      X'03'  Key encrypted under master key.

266 / X'10A'  KEY_ALG  (length 1, binary)
    Key algorithm:
      X'01'  Generic symmetric.
      X'02'  DES.
      X'03'  AES.
      X'05'  RC4.
      X'06'  Blowfish.
      X'07'  RSA.
      X'08'  DSA.
      X'09'  ECC.
      X'0A'  Diffie-Hellman.

270 / X'10E'  KEY_LEN  (length 2, binary)
    The length of the key in bits. For RSA, this is the modulus length. For other asymmetric keys, this is the length of the public key.

273 / X'111'  KEY_USAGE_TKDS  (length 4, binary)
    Key usage flags. Bit 0 is the high-order (leftmost) bit of the 4-byte field.
      Bit    Meaning when set
      0      Data encryption allowed.
      1      Data decryption allowed.
      2      Key derivation allowed.
      3      Sign allowed where signature is appendix.
      4      Verify allowed where signature is appendix.
      5      Sign allowed where data is recovered from signature.
      6      Verify allowed where data is recovered from signature.
      7      Key wrapping allowed.
      8      Key unwrapping allowed.
      9      Key usage must be FIPS-compliant.
      10-31  Reserved.

274 / X'112'  KEY_EC_CURVE  (length 1, binary)
    ECC curve type:
      X'01'  Prime curve.
      X'02'  Brainpool curve.

275 / X'113'  START_TOD  (length 16, binary)
    Start time of the interval, in STCKE format.

276 / X'114'  END_TOD  (length 16, binary)
    End time of the interval, in STCKE format.

277 / X'115'  USG_COUNT  (length 4, binary)
    Number of usages accounted for in this record.

279 / X'117'  FIPS_INFO  (length 4, binary)
    FIPS information related to the event. Bit 0 is the high-order (leftmost) bit of the 4-byte field.
      Bit   Meaning when set
      0     FIPSMODE(YES) in effect.
      1     FIPSMODE(COMPAT) in effect.
      2     Request was evaluated for FIPS compliance because of system settings (either FIPSMODE(YES) is in effect, or FIPSMODE(COMPAT) is in effect and the request was not exempt from FIPS compliance).
      3     Request was evaluated for FIPS compliance at user request (either the object involved had the FIPS compliance flag on, or FIPS compliance was requested through a parameter on the service call).
      4     Request passed FIPS evaluation.
      5-31  Reserved.
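The following decoder is an added example for this page, not ICSF code, and covers the three parts of Table 1 that are easy to get wrong when processing these records: the nested KEY_FPRINT encoding and its worked example (the per-triplet length counts the type and length bytes, so the fingerprint is length - 2), the KEY_USAGE_TKDS and FIPS_INFO bit fields (bit 0 is the most significant bit, so a naive `1 << bit` test reports the wrong flags), and the STCKE timestamps. It assumes, because the page does not say, that the outer triplets carry a 2-byte big-endian tag and a 2-byte big-endian value length, that the EBCDIC fields are code page 037, and that a STCKE value is an epoch byte followed by the 64-bit TOD clock (bit 51 = 1 microsecond since 1900-01-01 UTC). The sample record at the end is constructed; its token name, label, service name and counts are made up, and only its KEY_FPRINT value comes from the page.

```python
# Added example (not ICSF code): decode the TLV fields of an SMF type 82 subtype 46 record.
# Assumed, because the page does not say: tag and value length are 2 bytes each, big-endian;
# EBCDIC text is code page 037; in STCKE, byte 0 is the epoch index and bytes 1..8 are the
# 64-bit TOD clock, whose bit 51 is 1 microsecond counted from 1900-01-01 00:00:00 UTC.
from datetime import datetime, timedelta, timezone

TAG_NAMES = {0x101: "KDS_LABEL", 0x103: "KEY_NAME", 0x104: "OBJ_TYPE", 0x105: "KEY_FPRINT",
             0x106: "SERVICE", 0x109: "KEY_SEC", 0x10A: "KEY_ALG", 0x10E: "KEY_LEN",
             0x111: "KEY_USAGE_TKDS", 0x112: "KEY_EC_CURVE", 0x113: "START_TOD",
             0x114: "END_TOD", 0x115: "USG_COUNT", 0x117: "FIPS_INFO"}
ONE_BYTE_CODES = {
    "OBJ_TYPE": {1: "symmetric key", 2: "public key", 3: "private key", 5: "certificate",
                 6: "domain parameters", 7: "data object", 0x0C: "PKCS #11 token"},
    "KEY_SEC": {2: "clear", 3: "encrypted under master key"},
    "KEY_ALG": {1: "generic symmetric", 2: "DES", 3: "AES", 5: "RC4", 6: "Blowfish",
                7: "RSA", 8: "DSA", 9: "ECC", 0x0A: "Diffie-Hellman"},
    "KEY_EC_CURVE": {1: "prime", 2: "Brainpool"},
}
# Bit numbers are the table's: bit 0 is the high-order (leftmost) bit of the 4-byte field.
BIT_FIELDS = {
    "KEY_USAGE_TKDS": {0: "encrypt", 1: "decrypt", 2: "derive", 3: "sign", 4: "verify",
                       5: "sign_recover", 6: "verify_recover", 7: "wrap", 8: "unwrap",
                       9: "fips_required"},
    "FIPS_INFO": {0: "FIPSMODE(YES)", 1: "FIPSMODE(COMPAT)", 2: "evaluated_by_system",
                  3: "evaluated_by_user", 4: "passed"},
}
TOD_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def walk_tlv(data):
    """Yield (tag, value) pairs, refusing any length that runs past the end of the record."""
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError(f"truncated TLV header at offset {pos}")
        tag, length = int.from_bytes(data[pos:pos + 2], "big"), int.from_bytes(data[pos + 2:pos + 4], "big")
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag:#x} claims {length} bytes, only {len(value)} present")
        yield tag, value
        pos += 4 + length

def parse_key_fprint(value):
    """Count byte, then (type, length, fingerprint) triplets; the length covers the whole triplet."""
    count, pos, fps = value[0], 1, []
    for _ in range(count):
        if pos + 2 > len(value):
            raise ValueError(f"truncated fingerprint triplet at offset {pos}")
        ftype, tlen = value[pos], value[pos + 1]
        if tlen < 2 or pos + tlen > len(value):
            raise ValueError(f"bad triplet length {tlen} at offset {pos}")
        fps.append((ftype, value[pos + 2:pos + tlen]))  # the fingerprint is tlen - 2 bytes
        pos += tlen
    if pos != len(value):
        raise ValueError(f"{len(value) - pos} trailing bytes after {count} fingerprints")
    return fps

def decode_ibm_bits(value, names):
    """Names of the bits that are set, numbering bit 0 as the most significant bit."""
    width, word = 8 * len(value), int.from_bytes(value, "big")
    return {name for bit, name in names.items() if (word >> (width - 1 - bit)) & 1}

def stcke_to_datetime(value):
    """Skip the epoch byte, take the 64-bit TOD clock, drop the 12 sub-microsecond bits."""
    return TOD_EPOCH + timedelta(microseconds=int.from_bytes(value[1:9], "big") >> 12)

def datetime_to_stcke(dt):  # inverse of stcke_to_datetime, used to build the sample below
    us = (dt - TOD_EPOCH) // timedelta(microseconds=1)
    return b"\x00" + (us << 12).to_bytes(8, "big") + bytes(7)

def decode_record(data):
    """Map the TLV area of a subtype 46 record to {field name: decoded value}."""
    out = {}
    for tag, value in walk_tlv(data):
        name = TAG_NAMES.get(tag, f"TAG_{tag:#x}")
        if name in ("KDS_LABEL", "KEY_NAME", "SERVICE"):
            out[name] = value.decode("cp037").rstrip()
        elif name in ONE_BYTE_CODES:
            out[name] = ONE_BYTE_CODES[name].get(value[0], f"unknown {value[0]:#x}")
        elif name in BIT_FIELDS:
            out[name] = decode_ibm_bits(value, BIT_FIELDS[name])
        elif name in ("START_TOD", "END_TOD"):
            out[name] = stcke_to_datetime(value)
        elif name == "KEY_FPRINT":
            out[name] = parse_key_fprint(value)
        else:  # KEY_LEN and USG_COUNT are big-endian integers; unknown tags stay raw bytes
            out[name] = int.from_bytes(value, "big") if name in ("KEY_LEN", "USG_COUNT") else value
    return out

def tlv(tag, value):
    return tag.to_bytes(2, "big") + len(value).to_bytes(2, "big") + value

# Constructed sample, not a captured SMF record: token, label, service name and counts are
# made up; KEY_FPRINT is the page's worked example; the interval is one hour on 2024-01-01 UTC.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORD = b"".join([
    tlv(0x101, ("MYTOKEN".ljust(32) + "00000001" + "    ").ljust(72).encode("cp037")),
    tlv(0x103, "payroll-aes-256".encode("cp037")), tlv(0x106, "CSFPSKE ".encode("cp037")),
    tlv(0x104, b"\x01"), tlv(0x109, b"\x03"), tlv(0x10A, b"\x03"),  # symmetric, MK-encrypted, AES
    tlv(0x105, bytes.fromhex("010105010203")), tlv(0x10E, (256).to_bytes(2, "big")),
    tlv(0x115, (42).to_bytes(4, "big")),
    tlv(0x111, bytes.fromhex("C0400000")),  # bits 0, 1 and 9: encrypt, decrypt, FIPS required
    tlv(0x113, datetime_to_stcke(T0)), tlv(0x114, datetime_to_stcke(T0 + timedelta(hours=1))),
    tlv(0x117, bytes.fromhex("A8000000")),  # bits 0, 2 and 4: FIPSMODE(YES), evaluated, passed
])
```

Once decoded this way, the fields lend themselves to simple checks over a stream of records, for example flagging a record whose FIPS_INFO shows the request was evaluated (bit 2 or 3 set) without bit 4 set, or a clear key (KEY_SEC X'02') whose KEY_USAGE_TKDS permits wrapping or unwrapping.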
The following tags may be present in the end user audit section:
  • X500_IDN
  • X500_SDN
  • IDID_USRI
  • IDID_USRF
  • IDID_REG
  • USRI
See Audit header and audit section for more details.