I'm reading the PKCS #11 documentation, and I cannot clearly understand what the CKA_SENSITIVE attribute of a key means.
And more generally: where can I read a description of the attributes?
I found out that if CKA_SENSITIVE = FALSE, then the clear value of the key (for secret keys) can be retrieved by the C_GetAttributeValue function, while you cannot retrieve the value itself if CKA_SENSITIVE = TRUE.
Quote from the PKCS #11 spec v2.20:
"If the CKA_SENSITIVE attribute is CK_TRUE, or if the CKA_EXTRACTABLE attribute is CK_FALSE, then certain attributes of the secret key cannot be revealed in plaintext outside the token. Which attributes these are is specified for each type of secret key in the attribute table in the section describing that type of key."
In general this means that the actual value of the secret key is not exposed. Which attributes make up the value depends on the key type. For secret keys it is generally CKA_VALUE; for private RSA keys this would be CKA_PRIVATE_EXPONENT and the Chinese Remainder Theorem parameters, if those are part of the key.
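The rule quoted above, worked through in code as an added example (this is not code from the original answers, from the PKCS #11 specification, or from any PKCS #11 library). It is a small model of how a token applies CKA_SENSITIVE and CKA_EXTRACTABLE inside C_GetAttributeValue and C_SetAttributeValue: key material (CKA_VALUE for a secret key, the private exponent and CRT parameters for an RSA private key) is refused with CKR_ATTRIBUTE_SENSITIVE and a length of CK_UNAVAILABLE_INFORMATION whenever CKA_SENSITIVE is TRUE or CKA_EXTRACTABLE is FALSE, and the two flags can only be changed in one direction (CKA_SENSITIVE FALSE to TRUE, CKA_EXTRACTABLE TRUE to FALSE), while CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE record whether the key was ever readable. The model_* function names, the key_obj_t structure and the 16 sample key bytes are assumptions made for this example; the CK_*, CKA_*, CKO_* and CKR_* constants are copied from pkcs11t.h so the file compiles without the real header. Against a real token you would call the library's C_GetAttributeValue on CKA_VALUE and expect the same CKR_ATTRIBUTE_SENSITIVE result.

```c
/* Added example: a model of the CKA_SENSITIVE / CKA_EXTRACTABLE rule.
 * NOT a real PKCS#11 token and not linked against any PKCS#11 library;
 * the constants below are copied from pkcs11t.h so this compiles alone.
 * The model_* names are this example's own, not library entry points. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;

#define CKR_OK                     0x000UL
#define CKR_ATTRIBUTE_READ_ONLY    0x010UL
#define CKR_ATTRIBUTE_SENSITIVE    0x011UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

#define CKO_PRIVATE_KEY       0x003UL
#define CKO_SECRET_KEY        0x004UL
#define CKA_CLASS             0x000UL
#define CKA_VALUE             0x011UL
#define CKA_SENSITIVE         0x103UL
#define CKA_PRIVATE_EXPONENT  0x123UL  /* d; CKA_PRIME_1 .. CKA_COEFFICIENT follow it */
#define CKA_COEFFICIENT       0x128UL  /* qInv, the last RSA CRT attribute */
#define CKA_EXTRACTABLE       0x162UL
#define CKA_NEVER_EXTRACTABLE 0x164UL
#define CKA_ALWAYS_SENSITIVE  0x165UL

#define MAX_ATTRS 8
typedef struct { CK_ULONG type; unsigned char val[32]; CK_ULONG len; } attr_t;
typedef struct { attr_t a[MAX_ATTRS]; size_t n; } key_obj_t;  /* one token object */

static attr_t *find_attr(key_obj_t *k, CK_ULONG type) {
    for (size_t i = 0; i < k->n; i++)
        if (k->a[i].type == type) return &k->a[i];
    return NULL;
}

static void put_attr(key_obj_t *k, CK_ULONG type, const void *v, CK_ULONG len) {
    attr_t *x = find_attr(k, type);
    if (!x) { x = &k->a[k->n++]; x->type = type; }
    memcpy(x->val, v, len);
    x->len = len;
}

static bool flag(key_obj_t *k, CK_ULONG type) {   /* CK_BBOOL attribute as bool */
    attr_t *x = find_attr(k, type);
    return x && x->len == 1 && x->val[0] != 0;
}

/* Which attributes hold the key itself, per the spec's per-key-type tables:
 * CKA_VALUE for secret keys, d/p/q/dP/dQ/qInv for RSA private keys. */
static bool is_key_material(CK_ULONG cls, CK_ULONG type) {
    if (cls == CKO_SECRET_KEY)  return type == CKA_VALUE;
    if (cls == CKO_PRIVATE_KEY) return type >= CKA_PRIVATE_EXPONENT && type <= CKA_COEFFICIENT;
    return false;
}

/* Model of C_GetAttributeValue for a single attribute. Key material is refused
 * when CKA_SENSITIVE is TRUE or CKA_EXTRACTABLE is FALSE: the length becomes
 * CK_UNAVAILABLE_INFORMATION and the call returns CKR_ATTRIBUTE_SENSITIVE.
 * out == NULL is the usual size query; a short buffer gets CKR_BUFFER_TOO_SMALL. */
CK_RV model_GetAttributeValue(key_obj_t *k, CK_ULONG type, unsigned char *out, CK_ULONG *len) {
    attr_t *x = find_attr(k, type);
    if (!x) { *len = CK_UNAVAILABLE_INFORMATION; return CKR_ATTRIBUTE_TYPE_INVALID; }
    attr_t *c = find_attr(k, CKA_CLASS);
    CK_ULONG cls = c ? c->val[0] : 0;
    if (is_key_material(cls, type) && (flag(k, CKA_SENSITIVE) || !flag(k, CKA_EXTRACTABLE))) {
        *len = CK_UNAVAILABLE_INFORMATION;
        return CKR_ATTRIBUTE_SENSITIVE;
    }
    if (out == NULL)   { *len = x->len; return CKR_OK; }
    if (*len < x->len) { *len = x->len; return CKR_BUFFER_TOO_SMALL; }
    memcpy(out, x->val, x->len);
    *len = x->len;
    return CKR_OK;
}

/* Model of C_SetAttributeValue for the two flags. Both are one-way:
 * CKA_SENSITIVE only FALSE->TRUE, CKA_EXTRACTABLE only TRUE->FALSE.
 * Every other attribute is treated as read-only in this model. */
CK_RV model_SetAttributeValue(key_obj_t *k, CK_ULONG type, bool v) {
    unsigned char b = v ? 1 : 0;
    if (type == CKA_SENSITIVE) {
        if (flag(k, CKA_SENSITIVE) && !v) return CKR_ATTRIBUTE_READ_ONLY;
    } else if (type == CKA_EXTRACTABLE) {
        if (!flag(k, CKA_EXTRACTABLE) && v) return CKR_ATTRIBUTE_READ_ONLY;
    } else {
        return CKR_ATTRIBUTE_READ_ONLY;
    }
    put_attr(k, type, &b, 1);
    return CKR_OK;
}

/* Build a constructed AES-128 secret key object (fixed sample bytes, not a
 * real key). CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE are set once at
 * creation and never change, so they record whether the key was ever readable. */
key_obj_t make_secret_key(bool sensitive, bool extractable) {
    key_obj_t k = {0};
    unsigned char cls = CKO_SECRET_KEY, s = sensitive, e = extractable;
    unsigned char always_s = sensitive, never_e = !extractable;
    unsigned char aes[16] = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
                             0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};  /* constructed */
    put_attr(&k, CKA_CLASS, &cls, 1);
    put_attr(&k, CKA_SENSITIVE, &s, 1);
    put_attr(&k, CKA_EXTRACTABLE, &e, 1);
    put_attr(&k, CKA_ALWAYS_SENSITIVE, &always_s, 1);
    put_attr(&k, CKA_NEVER_EXTRACTABLE, &never_e, 1);
    put_attr(&k, CKA_VALUE, aes, sizeof aes);
    return k;
}
```

The practitioner's check this encodes: a key created with CKA_SENSITIVE = FALSE and then flipped to TRUE stops being readable, but its CKA_ALWAYS_SENSITIVE stays FALSE, so an auditor can tell that the plaintext could have left the token at some point. Note also that CKA_EXTRACTABLE = FALSE on its own is enough to block C_GetAttributeValue on the key material, and that a key with CKA_SENSITIVE = TRUE but CKA_EXTRACTABLE = TRUE can still leave the token wrapped under another key via C_WrapKey, just not in plaintext.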