PKCS#11 and CORE Terms
This section maps the terms used by PKCS#11 (Public-Key Cryptography Standards, the industry-standard cryptography specifications) to the corresponding terms used in the CORE documentation and API.
Tokens and Slots
The PKCS#11 term Token refers to the device that stores crypto-material and performs crypto-operations. The term Slot refers to the logical number of a connector on a machine that is occupied by a Token. In CORE terms:
- The term Token corresponds to the CORE partition name.
- The term Slot corresponds to the serial number assigned to a partition by the CORE client on its machine.
The number of slots matches the number of partitions that the client machine is registered with. Each slot represents a different partition. To map a CORE partition name to a PKCS#11 slot, run the ucl partition list command.
Note
The partition number next to its name corresponds to the PKCS#11 slot number.
In the following example, the slot number of the partition msca is 2.
ucl partition list
Partition 0: codesign
Partition 1: tde
Partition 2: msca
Warning
The CORE client uses continuous slot numbering starting from 0.
Registering or unregistering a partition may change the numbering of the remaining partitions. In particular, a newly registered partition is not necessarily appended to the bottom of the list.
After any change to a client's partition list, rediscover the new numbering.
CKA_ID and CKA_LABEL
The CORE key material Name and Description attributes are mapped to PKCS#11 terms as follows:
CORE term | PKCS#11 term
---|---
Key Name | CKA_ID
Key Description | CKA_LABEL
Note
By default, if a name (CKA_ID) was not provided as part of key generation, Key Name holds the key's UID.
CKU_USER and CKU_SO
To use CORE key material, you must log in (call C_Login).
With CORE you can call C_Login using one of the following options:
- User type CKU_USER and the password of the default user “user” of the relevant partition. By default, this password is empty, so pass NULL as the password.
- User type CKU_USER and, to log in as another user of the partition, a password field in the following JSON format:
{"username":"<username in the partition>", "password" :"<its password>"}
- User type CKU_USER and an OpenID Connect token, passed in the password field in the following JSON format:
{"token":"<OIDC token>"}
Note
To perform admin operations that are not permitted to CKU_USER users, use user type CKU_SO (Security officer, the UKC partition administrator role) and the password of the partition's user “so”. However, CKU_SO is not permitted to perform any crypto operation.
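The following Python example ties the two mappings above together: it resolves a CORE partition name to its PKCS#11 slot number from ucl partition list output, and it builds the password (pPin) value for C_Login for each of the login options described in this section. It is an added illustration, not code from the CORE client or its SDK. The ucl output is a constructed sample modelled on the example above; the function names, the assumption that the CKU_SO password is passed as a plain string rather than JSON, and the use of Python None to stand for a NULL pin are the example's own. It also shows why slot numbers must be re-resolved after a partition list change and why the JSON password should be produced by a JSON encoder rather than by string formatting.

```python
import json
import re
from typing import Dict, Optional

# Constructed sample output of `ucl partition list` (modelled on the example above).
SAMPLE_PARTITION_LIST = """\
Partition 0: codesign
Partition 1: tde
Partition 2: msca
"""

# Constructed sample output after "tde" was unregistered: numbering stays continuous
# from 0, so "msca" is no longer slot 2.
SAMPLE_PARTITION_LIST_AFTER_CHANGE = """\
Partition 0: codesign
Partition 1: msca
"""

# PKCS#11 user type values as defined by the PKCS#11 standard.
CKU_SO = 0
CKU_USER = 1

_PARTITION_LINE = re.compile(r"^Partition\s+(\d+):\s+(\S+)\s*$")


def parse_partition_list(output: str) -> Dict[str, int]:
    """Map each CORE partition name to the PKCS#11 slot number printed next to it."""
    slots: Dict[str, int] = {}
    for line in output.splitlines():
        m = _PARTITION_LINE.match(line.strip())
        if m:
            slots[m.group(2)] = int(m.group(1))
    return slots


def slot_for_partition(output: str, partition: str) -> int:
    """Resolve a partition name to its slot. Always call this with fresh `ucl partition
    list` output: registering or unregistering a partition can renumber the rest."""
    slots = parse_partition_list(output)
    if partition not in slots:
        raise KeyError(f"partition {partition!r} is not registered with this client")
    return slots[partition]


def login_pin(user_type: int, username: Optional[str] = None,
              password: Optional[str] = None,
              oidc_token: Optional[str] = None) -> Optional[bytes]:
    """Build the pPin argument for C_Login following the CORE conventions.

    CKU_USER, no username      -> default user "user", empty password: NULL pin (None here)
    CKU_USER, username+password -> JSON {"username": ..., "password": ...}
    CKU_USER, oidc_token        -> JSON {"token": ...}
    CKU_SO                      -> password of the partition's "so" user
                                   (assumed here to be passed as a plain string)
    """
    if user_type == CKU_SO:
        if password is None:
            raise ValueError("CKU_SO login requires the 'so' user's password")
        return password.encode("utf-8")
    if user_type != CKU_USER:
        raise ValueError(f"unsupported user type {user_type}")
    if oidc_token is not None:
        return json.dumps({"token": oidc_token}).encode("utf-8")
    if username is None:
        return None  # default user "user" with the default empty password
    if password is None:
        raise ValueError("a named partition user requires a password")
    # json.dumps escapes quotes and backslashes in the password; hand-built
    # string formatting would silently produce invalid JSON for such values.
    return json.dumps({"username": username, "password": password}).encode("utf-8")


if __name__ == "__main__":
    print("msca slot before change:", slot_for_partition(SAMPLE_PARTITION_LIST, "msca"))
    print("msca slot after change: ", slot_for_partition(SAMPLE_PARTITION_LIST_AFTER_CHANGE, "msca"))
    print("default user pin:", login_pin(CKU_USER))
    print("named user pin:  ", login_pin(CKU_USER, username="alice", password="s3cret"))
```

In a real client the slot number returned by slot_for_partition is what you would pass to C_OpenSession, and the bytes returned by login_pin (or NULL for the default user) are what you would pass to C_Login together with the matching user type.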