Wong Timothy wrote:
> All:
> When creating a cert object, one of the parameters in the template I
> have to pass in is CKA_VALUE. According to the PKCS11 specs, CKA_VALUE is the "BER-encoding of the
> certificate".
> 1) What is "BER-encoding of the certificate"? (I am new to the security
> arena...so I am not familiar with all the terminologies/acronyms)

The CKA_VALUE is the cert in binary. X.509 certificates are encoded in BER (actually v2 certificates are encoded with DER, which is a subset of BER), which is why the PKCS 11 spec specifies this. If the copy of your cert looks like random ascii characters, your cert is probably coded in Base64, and you will have to base64 decode it first.

> 2) Is the value to be set for CKA_VALUE something that is already
> encrypted? What if you have data that needs to be encrypted?

No, none of the attribute data is passed across the PKCS #11 interface encrypted. There is no reason to encrypt Certificate data (Certificates are public objects in the PKI infrastructure. We communicate by passing these objects in the clear).

You'll find private attributes marked as 'sensitive' in the PKCS #11 spec (certain private key and secret key attributes). When writing a key, you will need to pass these attributes in the clear. Be sure to zero them out after you pass them in. The PKCS #11 module is responsible for protecting them (in general you will not be able to read them back out again, for instance).

Secret attributes can be passed encrypted to the PKCS #11 module using the "C_Unwrap" call.

bob

> Tim
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
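Added example, not part of the original thread or of any PKCS #11 module: one way to turn a certificate file into the binary bytes the reply says CKA_VALUE expects, accepting PEM, bare Base64 or DER and rejecting indefinite-length BER or truncated input. The function names `to_cka_value` and `der_total_length` are hypothetical, and the sample bytes are a constructed DER SEQUENCE standing in for a certificate.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real cert.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")


def der_total_length(buf: bytes) -> int:
    """Return header + content length of the outer DER SEQUENCE, or raise."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("indefinite, oversized or truncated length field")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def to_cka_value(data: bytes) -> bytes:
    """Accept PEM, bare Base64 or binary DER; return the binary DER bytes."""
    # Base64 of a DER SEQUENCE always starts with 'M', PEM with '-', so a
    # leading 0x30 byte means the input is already binary.
    if data[:1] != b"\x30":
        m = PEM_RE.search(data)
        b64 = m.group(1) if m else data
        try:
            data = base64.b64decode(b"".join(b64.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("neither DER nor valid Base64") from exc
    if der_total_length(data) != len(data):
        raise ValueError("length field does not match buffer size")
    return data


if __name__ == "__main__":
    print(to_cka_value(SAMPLE_PEM).hex())
```

The returned bytes are what would go into the CKA_VALUE entry of the certificate template; nothing here is encrypted, matching the reply's point that certificate attributes cross the interface in the clear.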
