Develop at PKCS#11 Level
Here you code at the Cryptoki level, using Java wrapper class for the CORE implementation of the PKCS
Public-Key Cryptography Standards - Industry-standard cryptography specifications.#11 standard. This level allows you to use features that are not supported by the standard JCAJava Cryptography Architecture - Java frameworks for implementing cryptography primitives. framework, e.g. creating keys with specific properties.
The CORE Client package provides Java wrapper for the Unbound PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 implementation, as specified in Unbound PKCS#11 Implementation.
- The relevant packages is:
com/dyadicsec/cryptoki - For the API list refer to Functions List.
Functions List
The wrapper API is included in the com.dyadicsec.cryptoki package. The main class, including all functionality, is the com.dyadicsec.cryptoki.Library class, which provides the following methods. For additional information, refer to OASIS PKCS#11 specification.
Note
All methods throw a CKR_Exception.
- C_CloseAllSessions - closes all sessions an application has with a token.
static void C_CloseAllSessions(int slotID)
- C_CloseSession - closes a session between an application and a token.
static void C_CloseSession(CK_SESSION_HANDLE hSession)
- C_CreateObject - creates a new object.
static int C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE[] pTemplate)
- C_Decrypt - decrypts encrypted data in a single part.
static byte[] C_Decrypt(CK_SESSION_HANDLE hSession, byte[] pEncryptedData)
- C_Decrypt - decrypts encrypted data in a single part.
static int C_Decrypt(CK_SESSION_HANDLE hSession, byte[] pEncryptedData, int inOffset, int inLen, byte[] out, int outOffset)
- C_DecryptFinal - finishes a multiple-part decryption operation.
static byte[] C_DecryptFinal(CK_SESSION_HANDLE hSession)
- C_DecryptFinal - finishes a multiple-part decryption operation.
static int C_DecryptFinal(CK_SESSION_HANDLE hSession, byte[] out, int offset)
- C_DecryptInit - initializes a decryption operation.
static void C_DecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hKey)
- C_DecryptUpdate - continues a multiple-part decryption operation, processing another encrypted data part.
static byte[] C_DecryptUpdate(CK_SESSION_HANDLE hSession, byte[] pEncryptedPart)
- C_DecryptUpdate - continues a multiple-part decryption operation, processing another encrypted data part.
static int C_DecryptUpdate(CK_SESSION_HANDLE hSession, byte[] pEncryptedPart, int inOffset, int inLen, byte[] out, int outOffset)
- C_DeriveKey - derives a key from a base key, creating a new key object.
static int C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hBaseKey, CK_ATTRIBUTE[] pTemplate)
- C_DestroyObject - destroys an object.
static void C_DestroyObject(CK_SESSION_HANDLE hSession, int hObject)
- C_Digest - digests data in a single part.
static byte[] C_Digest(CK_SESSION_HANDLE hSession, byte[] data)
- C_Digest - digests data in a single part.
static int C_Digest(CK_SESSION_HANDLE hSession, byte[] data, int inOffset, int inLen, byte[] out, int outOffset)
- C_DigestFinal - finishes a multiple-part message-digesting operation, returning the message digest.
static byte[] C_DigestFinal(CK_SESSION_HANDLE hSession)
- C_DigestFinal - finishes a multiple-part message-digesting operation, returning the message digest.
static int C_DigestFinal(CK_SESSION_HANDLE hSession, byte[] out, int offset)
- C_DigestInit - initializes a message-digesting operation.
static void C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism)
- C_DigestKey - digests a key.
static void C_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
- C_DigestUpdate - continues a multiple-part message-digesting operation, processing another data part.
static void C_DigestUpdate(CK_SESSION_HANDLE hSession, byte[] pPart)
- C_DigestUpdate - continues a multiple-part message-digesting operation, processing another data part.
static void C_DigestUpdate(CK_SESSION_HANDLE hSession, byte[] pPart, int offset, int len)
- C_Encrypt - encrypts single-part data.
static byte[] C_Encrypt(CK_SESSION_HANDLE hSession, byte[] pData)
- C_Encrypt - encrypts single-part data.
static int C_Encrypt(CK_SESSION_HANDLE hSession, byte[] pData, int inOffset, int inLen, byte[] out, int outOffset)
- C_EncryptFinal - finishes a multiple-part encryption operation.
static byte[] C_EncryptFinal(CK_SESSION_HANDLE hSession)
- C_EncryptFinal - finishes a multiple-part encryption operation.
static int C_EncryptFinal(CK_SESSION_HANDLE hSession, byte[] out, int offset)
- C_EncryptInit - initializes an encryption operation.
static void C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hKey)
- C_EncryptUpdate - continues a multiple-part encryption operation, processing another data part.
static byte[] C_EncryptUpdate(CK_SESSION_HANDLE hSession, byte[] pPart)
- C_EncryptUpdate - continues a multiple-part encryption operation, processing another data part.
static int C_EncryptUpdate(CK_SESSION_HANDLE hSession, byte[] pPart, int inOffset, int inLen, byte[] out, int outOffset)
- C_Finalize - is called to indicate that an application is finished with the Cryptoki library.
static void C_Finalize()
- C_FindObjects - continues a search for token and session objects that match a template, obtaining additional object handles.
static int[] C_FindObjects(CK_SESSION_HANDLE hSession, int ulMaxObjectCount)
- C_FindObjectsFinal - terminates a search for token and session objects.
static void C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
- C_FindObjectsInit - initializes a search for token and session objects that match a template.
static void C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE[] pTemplate)
- C_GenerateKey - generates a secret key or set of domain parameters, creating a new object.
static int C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate)
- C_GenerateKeyPair - generates a public/private key pair, creating new key objects.
static int[] C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, CK_ATTRIBUTE[] pPrivateKeyTemplate)
- C_GenerateRandom - generates random or pseudo-random data.
static void C_GenerateRandom(CK_SESSION_HANDLE hSession, byte[] randomData, int offset, int len)
- C_GenerateRandom - generates random or pseudo-random data.
static byte[] C_GenerateRandom(CK_SESSION_HANDLE hSession, int len)
- C_GetAttributeValue - obtains the value of one or more attributes of an object.
static void C_GetAttributeValue(CK_SESSION_HANDLE hSession, int hObject, CK_ATTRIBUTE[] pTemplate)
- C_GetInfo - returns general information about Cryptoki.
static CK_INFO C_GetInfo()
- C_GetMechanismInfo - obtains information about a particular mechanism possibly supported by a token.
static CK_MECHANISM_INFO C_GetMechanismInfo(int slotID, int type)
- C_GetMechanismList - is used to obtain a list of mechanism types supported by a token.
static int[] C_GetMechanismList(int slotID)
- C_GetSessionInfo - obtains information about a session.
static CK_SESSION_INFO C_GetSessionInfo(CK_SESSION_HANDLE hSession)
- C_GetSlotInfo - obtains information about a particular slot in the system.
static CK_SLOT_INFO C_GetSlotInfo(int slotID)
- C_GetSlotList - is used to obtain a list of slots in the system.
static int[] C_GetSlotList(boolean tokenPresent)
- C_GetTokenInfo - obtains information about a particular token in the system.
static CK_TOKEN_INFO C_GetTokenInfo(int slotID)
- C_Initialize - initializes the Cryptoki library.
static void C_Initialize()
- C_Login - logs a user into a token.
static void C_Login(CK_SESSION_HANDLE hSession, int userType, char[] pPin)
- C_Logout - logs a user out from a token.
static void C_Logout(CK_SESSION_HANDLE hSession)
- C_OpenSession - opens a session between an application and a token in a particular slot.
static CK_SESSION_HANDLE C_OpenSession(int slotID, int flags)
- C_SeedRandom - mixes additional seed material into the token’s random number generator.
static void C_SeedRandom(CK_SESSION_HANDLE hSession, byte[] pSeed)
- C_SeedRandom - mixes additional seed material into the token’s random number generator.
static void C_SeedRandom(CK_SESSION_HANDLE hSession, byte[] pSeed, int offset, int len)
- C_SetAttributeValue - modifies the value of one or more attributes of an object.
static void C_SetAttributeValue(CK_SESSION_HANDLE hSession, int hObject, CK_ATTRIBUTE[] pTemplate)
- C_Sign - signs data in a single part, where the signature is an appendix to the data.
static byte[] C_Sign(CK_SESSION_HANDLE hSession, byte[] pData)
- C_Sign - signs data in a single part, where the signature is an appendix to the data.
static int C_Sign(CK_SESSION_HANDLE hSession, byte[] pData, int inOffset, int inLen, byte[] out, int outOffset)
- C_SignFinal - finishes a multiple-part signature operation, returning the signature.
static byte[] C_SignFinal(CK_SESSION_HANDLE hSession)
- C_SignFinal - finishes a multiple-part signature operation, returning the signature.
static int C_SignFinal(CK_SESSION_HANDLE hSession, byte[] out, int offset)
- C_SignInit - initializes a signature operation, where the signature is an appendix to the data.
static void C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hKey)
- C_SignUpdate - continues a multiple-part signature operation, processing another data part.
static void C_SignUpdate(CK_SESSION_HANDLE hSession, byte[] pPart)
- C_SignUpdate - continues a multiple-part signature operation, processing another data part.
static void C_SignUpdate(CK_SESSION_HANDLE hSession, byte[] pPart, int offset, int len)
- C_UnwrapKey - unwraps (i.e. decrypts) a wrapped key, creating a new private key or secret key object.
static int C_UnwrapKey(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate)
- C_UnwrapKey - unwraps (i.e. decrypts) a wrapped key, creating a new private key or secret key object.
static int C_UnwrapKey(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hUnwrappingKey, byte[] pWrappedKey, int offset, int len, CK_ATTRIBUTE[] pTemplate)
- C_Verify - verifies a signature in a single-part operation, where the signature is an appendix to the data.
static void C_Verify(CK_SESSION_HANDLE hSession, byte[] pData, byte[] pSignature)
- C_Verify - verifies a signature in a single-part operation, where the signature is an appendix to the data.
static void C_Verify(CK_SESSION_HANDLE hSession, byte[] pData, int inOffset, int inLen, byte[] pSignature, int sigOffset, int sigLen)
- C_VerifyFinal - finishes a multiple-part verification operation, checking the signature.
static void C_VerifyFinal(CK_SESSION_HANDLE hSession, byte[] pSignature)
- C_VerifyFinal - finishes a multiple-part verification operation, checking the signature.
static void C_VerifyFinal(CK_SESSION_HANDLE hSession, byte[] pSignature, int offset, int len)
- C_VerifyInit - initializes a verification operation, where the signature is an appendix to the data.
static void C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hKey)
- C_VerifyUpdate - continues a multiple-part verification operation, processing another data part.
static void C_VerifyUpdate(CK_SESSION_HANDLE hSession, byte[] pPart)
- C_VerifyUpdate - continues a multiple-part verification operation, processing another data part.
static void C_VerifyUpdate(CK_SESSION_HANDLE hSession, byte[] pPart, int offset, int len)
- C_WrapKey - wraps (i.e. encrypts) a private or secret key.
static byte[] C_WrapKey(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hWrappingKey, int hKey)
- C_WrapKey - wraps (i.e. encrypts) a private or secret key.
static int C_WrapKey(CK_SESSION_HANDLE hSession, CK_MECHANISM pMechanism, int hWrappingKey, int hKey, byte[] out, int offset)
Error Codes
A description of the error codes can be found in the PKCS11 specification. The following table lists the possible errors with links to the error description in the specification.
Code Samples
The following sample code contains examples of the PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 wrapper in Java.
Open a Session
CK_SESSION_HANDLE hSession = Library.C_OpenSession(slotID, CK.CKF_RW_SESSION| CK.CKF_SERIAL_SESSION);
Generate RSA Key Pair
int[] rsaKeyHandles = Library.C_GenerateKeyPair(hSession, new CK_MECHANISM(CK.CKM_RSA_PKCS_KEY_PAIR_GEN),
// Public key template:
new CK_ATTRIBUTE[]
{
new CK_ATTRIBUTE(CK.CKA_TOKEN, false),
new CK_ATTRIBUTE(CK.CKA_CLASS, CK.CKO_PUBLIC_KEY),
new CK_ATTRIBUTE(CK.CKA_KEY_TYPE, CK.CKK_RSA),
new CK_ATTRIBUTE(CK.CKA_MODULUS_BITS, 2048),
},
// Private key template:
new CK_ATTRIBUTE[]
{
new CK_ATTRIBUTE(CK.CKA_TOKEN, true),
new CK_ATTRIBUTE(CK.CKA_CLASS, CK.CKO_PRIVATE_KEY),
new CK_ATTRIBUTE(CK.CKA_KEY_TYPE, CK.CKK_RSA),
});
int rsaPubKeyHandle = rsaKeyHandles[0];
int rsaPrvKeyHandle = rsaKeyHandles[1];
Extract Public Key
CK_ATTRIBUTE[] rsaPubKeyMaterial = new CK_ATTRIBUTE[]
{
new CK_ATTRIBUTE(CK.CKA_MODULUS),
new CK_ATTRIBUTE(CK.CKA_PUBLIC_EXPONENT)
};
Library.C_GetAttributeValue(hSession, rsaPubKeyHandle, rsaPubKeyMaterial);
BigInteger modulus =
(BigInteger)rsaPubKeyMaterial[0].pValue;
BigInteger publicExponent =
(BigInteger)rsaPubKeyMaterial[1].pValue;
KeyFactory kf = KeyFactory.getInstance("RSA", "SunRsaSign");
RSAPublicKey rsaPubKey = (RSAPublicKey)kf.generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
Generate AES key
keyHandle = Library.C_GenerateKey(hSession, new CK_MECHANISM(CK.CKM_AES_KEY_GEN),
new CK_ATTRIBUTE[]
{
new CK_ATTRIBUTE(CK.CKA_TOKEN, true),
new CK_ATTRIBUTE(CK.CKA_CLASS, CK.CKO_SECRET_KEY),
new CK_ATTRIBUTE(CK.CKA_KEY_TYPE, CK.CKK_AES),
new CK_ATTRIBUTE(CK.CKA_VALUE_LEN, 32),
});
Wrap AES key
int srcKeyHandle = …
int wrapKeyHandle = …
byte[] iv = new byte[16];
SecureRandom.getInstanceStrong().nextBytes(iv);
byte[] wrappedKeyData = Library.C_WrapKey(hSession, new CK_MECHANISM(CK.CKM_AES_CBC, iv), wrapKeyHandle, srcKeyHandle);
Unwrap AES key
byte[] wrappedKeyData = …
int wrappedKeyHandle = …
int unwrappedKeyHandle = Library.C_UnwrapKey(hSession,
new CK_MECHANISM(CK.CKM_RSA_PKCS), wrappedKeyHandle, wrappedKeyData,
new CK_ATTRIBUTE[]
{
new CK_ATTRIBUTE(CK.CKA_TOKEN, true),
new CK_ATTRIBUTE(CK.CKA_CLASS, CK.CKO_SECRET_KEY),
new CK_ATTRIBUTE(CK.CKA_KEY_TYPE, CK.CKK_AES),
});