PKCS Specification Training: Practical Courseware

Uploaded by: 莉**** Document ID: 78253345 Upload date: 2022-04-21 Format: PPTX Pages: 130 Size: 936.47 KB
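Preface
- What is PKCS11
- Why PKCS11 exists
- What PKCS11 can do
- Characteristics of PKCS11

What is PKCS11
- Part 11 of the PKCS series of specifications
- Cryptographic Token Interface STD
- 68 function interfaces
- The interface between applications and cryptographic tokens

Why PKCS11 exists
- Gives applications that use cryptographic tokens a unified programming interface
- Gives applications a device-independent programming interface
- Hides the complexity of cryptographic devices
- Lets applications switch devices easily
- Two rivals for one job: PKCS11 vs CSP

What PKCS11 can do
- Performs all cryptographic operations (as far as I know): encryption, decryption, signing, verification, digesting, key generation/derivation
- Object creation, storage, lookup, modification, use and deletion
- Application session management

Characteristics of PKCS11
- Cross-platform
- Extensible
- Supports multiple devices and multithreading
- More narrowly focused on cryptographic tokens
- Simplified application model (one User, one SO)

Contents
I. About PKCS#11
II. Overview
III. Basic concepts
IV. Analysis of typical object attributes
V. API analysis and application examples

I. About PKCS#11
- A set of application programming interfaces for cryptographic tokens
- Hides hardware details
- An interface written for ANSI C
- Also called Cryptoki
- Widely used in token-related products (for example Netscape, Mozilla, Firefox, Thunderbird)
- Simplified application model (one User, one SO)

[Diagram under "I. About PKCS#11". Labels, in the order they appear on the slide: 7816-1/2/3/4/5/6/8; ASN.1; PKCS-1/13/14/15, 7816-15, DES, AES, SHA, MD2, MD5; PKCS-11, CSP; X509, PKCS-3/5/7/8/9/10/12; SSL, S/MIME; IE, Outlook, Foxmail, Word, Netscape, Mozilla, Firefox, Thunderbird]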

II. Overview

General model
[Diagram: Application 1 ... Application k, each sitting on Other Security Layers and Cryptoki; below them Device Contention/Synchronization; below that Slot 1 with Token 1 (Device 1) ... Slot n with Token n (Device n)]

Logical view of a token
[Diagram: Object divides into Certificate, Key and Data; Key divides into Secret Key, Private Key and Public Key]
In its logical view, a token is a device that can store objects and can perform cryptographic functions.

Function interface overview (one slide per category)
- General-purpose functions
- Slot and token management functions
- Session management functions
- Object management functions
- Encryption and decryption functions
- Message digesting functions
- Signing and MAC functions
- Signature and MAC verification functions
- Dual-function cryptographic functions
- Key management functions
- Other functions

III. Basic concepts
- Slot & Token
- Object
- Attribute
- Users
- Sessions
- State transitions (session related)
- Mechanism
- Applications and multithreading

3.1 Slot & Token

3.2 Object
Object hierarchy: Object divides into Certificate, Key and Data; Key divides into Secret key, Private key and Public key.
- Token objects
- Session objects
- Public objects
- Private objects

3.3 Attribute
An object consists of a set of attributes, each of which has a given value. Every attribute that an object possesses has exactly one value.

Cryptoki provides functions for creating, destroying, and copying objects in general, and for obtaining and modifying the values of their attributes. Some of the cryptographic functions (e.g., C_GenerateKey) also create key objects to hold their results.

Objects are always “well-formed” in Cryptoki, that is, an object always contains all required attributes, and the attributes are always consistent with one another from the time the object is created.
This contrasts with some object-based paradigms where an object has no attributes other than perhaps a class when it is created, and is uninitialized for some time. In Cryptoki, objects are always initialized.

A token can hold several identical objects, i.e., it is permissible for two or more objects to have exactly the same values for all their attributes.

In most cases each type of object in the Cryptoki specification possesses a completely well-defined set of Cryptoki attributes. Some of these attributes possess default values, and need not be specified when creating an object; some of these default values may even be the empty string (“”). Nonetheless, the object possesses these attributes. A given object has a single value for each attribute it possesses, even if the attribute is a vendor specific attribute whose meaning is outside the scope of Cryptoki.

In addition to possessing Cryptoki attributes, objects may possess additional vendor specific attributes whose meanings and values are not specified by Cryptoki.
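
3.4 Users
PKCS11 recognizes two types of token user. One is the Security Officer (SO); the other is the normal user. Only the normal user can access private objects on the token, and only after the normal user has been authenticated.

Some tokens may also require a user to be authenticated before any cryptographic function can be performed on the token, whether or not private objects are involved. The role of the SO is to initialize a token and to set the normal user's PIN (or to define, by some means outside the scope of this version of Cryptoki, how the normal user is authenticated), and possibly to manipulate some public objects. The normal user cannot log in until the SO has set the normal user's PIN.

3.5 Sessions
A session provides a logical connection between the application and the token.

Cryptoki requires an application to open one or more sessions with a token in order to use the token's objects and functions. A session can be a read/write (R/W) session or a read-only (R/O) session. Read/write and read-only refer to access to token objects, not to session objects. In both session types an application can create, read, write and destroy session objects. Only in a read/write session, however, can an application create, modify and destroy token objects.

3.6 State transitions (session related)
An open session can be in one of several states. The session state determines the allowed access to objects and the functions that can be performed on the session.

After opening a session, an application can access the token's public objects. All threads of a given application can access the same sessions and the same session objects. To access the token's private objects, the normal user must first log in and be authenticated.

When a session is closed, every session object created during that session is destroyed. This holds even for session objects that other sessions are using. If a single application opens several sessions with the same token and uses one of them to create session objects, those objects are visible to all of that application's sessions. When the session that created them is closed, however, the objects are destroyed as well.

Cryptoki supports multiple sessions on multiple tokens. An application can have one or more sessions with one or more tokens. A token can have multiple sessions with one or more applications. A particular token may, however, allow an application only a limited number of sessions, or only a limited number of read/write sessions.

State transitions: read-only sessions
[State diagram. States: R/O Public Session, R/O User Functions. Transitions: Open Session, Login User, Logout, Close Session / Device Removed]

R/O session states
State | Description
R/O Public Session | The application has opened a read-only session. The application has read-only access to public token objects and read/write access to public session objects.
R/O User Functions | The normal user has been authenticated to the token. The application has read-only access to all token objects (public or private) and read/write access to all session objects (public or private).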

Note: read-only SO sessions do not exist.

State transitions: read/write sessions
[State diagram. States: R/W SO Functions, R/W Public Session, R/W User Functions. Transitions: Open Session, Login SO, Login User, Logout, Close Session / Device Removed]

R/W session states
State | Description
R/W Public Session | The application has opened a read/write session. The application has read/write access to all public objects.
R/W SO Functions | The Security Officer has been authenticated to the token. The application has read/write access only to public objects on the token, not to private objects. The SO can set the normal user's PIN.
R/W User Functions | The normal user has been authenticated to the token. The application has read/write access to all objects.
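
State transitions: session access rights
A dash means the object cannot be accessed in that type of session.
Type of object | R/O Public | R/W Public | R/O User | R/W User | R/W SO
Public session object | R/W | R/W | R/W | R/W | R/W
Private session object | - | - | R/W | R/W | -
Public token object | R/O | R/W | R/O | R/W | R/W
Private token object | - | - | R/O | R/W | -

Session events

In Cryptoki Version 2.1, all sessions that an application has with a token must have the same login/logout status (for a given application and token, exactly one of the following holds: all sessions are public sessions, all sessions are SO sessions, or all sessions are user sessions). When one of an application's sessions logs in to a token, all of that application's sessions with the token are logged in; when one of an application's sessions logs out of a token, all of that application's sessions are logged out. Likewise, if an application already has an R/O user session open with a token and opens an R/W session with that token, the R/W session is logged in automatically.

This means that a given application cannot have SO sessions and user sessions open with a given token at the same time. It also means that if an application has an R/W SO session with a token, it cannot open an R/O session with that token, because R/O SO sessions do not exist. For the same reason, if an application has an R/O session open, it cannot log any other session in to that token as the SO.

3.7 Mechanism
A mechanism describes how a cryptographic operation is to be performed.

    typedef struct CK_MECHANISM {
        CK_MECHANISM_TYPE mechanism;      /* which mechanism to use */
        CK_VOID_PTR       pParameter;     /* mechanism parameter, if any */
        CK_ULONG          ulParameterLen; /* length of the parameter */
    } CK_MECHANISM;

C_GetMechanismList obtains the list of supported mechanisms.

3.8 Applications and multithreading
- An application is called a "Cryptoki application" only after it has called C_Initialize.
- Whether a Cryptoki application needs Cryptoki's multithreading support must be specified in the call to C_Initialize.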
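
The login rules and the access-rights table of section 3.6, as an added C model (not part of the original slides and not Cryptoki itself). All type, function and return-code names are assumptions made for this example; the comments name the Cryptoki return codes that report the two blocked cases.

```c
#include <stdio.h>

/* Added model, not Cryptoki: all names below are local to this example. */
enum state { S_RO_PUBLIC, S_RO_USER, S_RW_PUBLIC, S_RW_USER, S_RW_SO };
enum user  { U_NONE, U_USER, U_SO };
enum acc   { ACC_NONE, ACC_RO, ACC_RW };
enum rc    { RC_OK, RC_RO_SESSION_EXISTS, RC_RW_SO_EXISTS, RC_ALREADY_LOGGED_IN };

/* Every session one application holds with one token shares one login. */
struct app { int ro_open, rw_open; enum user who; };

/* A session's state follows from its own R/O or R/W flag plus that login. */
enum state session_state(const struct app *a, int rw)
{
    if (a->who == U_SO)   return S_RW_SO;   /* R/O cannot occur, see below */
    if (a->who == U_USER) return rw ? S_RW_USER : S_RO_USER;
    return rw ? S_RW_PUBLIC : S_RO_PUBLIC;
}

enum rc open_session(struct app *a, int rw)
{
    /* No R/O SO state exists (Cryptoki: CKR_SESSION_READ_WRITE_SO_EXISTS). */
    if (!rw && a->who == U_SO) return RC_RW_SO_EXISTS;
    if (rw) a->rw_open++; else a->ro_open++;
    return RC_OK;
}

enum rc login(struct app *a, enum user u)
{
    if (a->who != U_NONE) return RC_ALREADY_LOGGED_IN;
    /* An open R/O session blocks SO login (CKR_SESSION_READ_ONLY_EXISTS). */
    if (u == U_SO && a->ro_open > 0) return RC_RO_SESSION_EXISTS;
    a->who = u;                 /* takes effect in all sessions at once */
    return RC_OK;
}

void logout(struct app *a) { a->who = U_NONE; }

/* The access-rights table, keyed by session state and object kind. */
enum acc object_access(enum state s, int is_token, int is_private)
{
    if (is_private && s != S_RO_USER && s != S_RW_USER) return ACC_NONE;
    if (!is_token) return ACC_RW;                 /* session objects */
    return (s == S_RO_PUBLIC || s == S_RO_USER) ? ACC_RO : ACC_RW;
}

int main(void)
{
    struct app a = {0, 0, U_NONE};                /* constructed scenario */
    open_session(&a, 0);                          /* R/O public session */
    printf("SO login with R/O session open: rc=%d\n", login(&a, U_SO));
    login(&a, U_USER);
    open_session(&a, 1);                          /* inherits the user login */
    printf("new R/W session state: %d\n", session_state(&a, 1));
    printf("private token object in R/W SO: %d\n", object_access(S_RW_SO, 1, 1));
    return 0;
}
```

The model makes the SO's position visible: an SO login gives read/write access to public token objects only, so the SO role can administer the token without reaching the user's private keys.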

IV. Analysis of typical object attributes

4.1 Object attribute footnotes
In the tables below, bracketed numbers after an attribute name or description refer to these footnotes.
[1] Must be specified when object is created with C_CreateObject.
[2] Must not be specified when object is created with C_CreateObject.
[3] Must be specified when object is generated with C_GenerateKey or C_GenerateKeyPair.
[4] Must not be specified when object is generated with C_GenerateKey or C_GenerateKeyPair.
[5] Must be specified when object is unwrapped with C_UnwrapKey.
[6] Must not be specified when object is unwrapped with C_UnwrapKey.
[7] Cannot be revealed if object has its CKA_SENSITIVE attribute set to CK_TRUE or its CKA_EXTRACTABLE attribute set to CK_FALSE.
[8] May be modified after object is created with a C_SetAttributeValue call, or in the process of copying object with a C_CopyObject call. However, it is possible that a particular token may not permit modification of the attribute during the course of a C_CopyObject call.
[9] Default value is token-specific, and may depend on the values of other attributes.
[10] Can only be set to CK_TRUE by the SO user.
[11] Attribute cannot be changed once set to CK_TRUE. It becomes a read only attribute.
[12] Attribute cannot be changed once set to CK_FALSE. It becomes a read only attribute.

4.2 Common object attributes
Attribute | Data type | Meaning
CKA_CLASS | CK_OBJECT_CLASS | Object class (type)

4.3 Common storage object attributes
Attribute | Data type | Meaning
CKA_TOKEN | CK_BBOOL | CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE.
CKA_PRIVATE | CK_BBOOL | CK_TRUE if object is a private object; CK_FALSE if object is a public object. Default value is token-specific, and may depend on the values of other attributes of the object.
CKA_MODIFIABLE | CK_BBOOL | CK_TRUE if object can be modified. Default is CK_TRUE.
CKA_LABEL | RFC2279 string | Description of the object (default empty).
After an object has been created, only the CKA_TOKEN value can be modified.

4.4 Data object attributes
Attribute | Data type | Meaning
CKA_APPLICATION | RFC2279 string | Description of the application that manages the object (default empty)
CKA_OBJECT_ID | Byte array | DER-encoding of the object identifier indicating the data object type (default empty)
CKA_VALUE | Byte array | Value of the object (default empty)

4.5 Common certificate object attributes
Attribute | Data type | Meaning
CKA_CERTIFICATE_TYPE [1] | CK_CERTIFICATE_TYPE | Type of certificate
CKA_TRUSTED [10] | CK_BBOOL | The certificate can be trusted for the application that it was created.
CKA_CERTIFICATE_CATEGORY | CK_ULONG | Categorization of the certificate: 0 = unspecified (default value), 1 = token user, 2 = authority, 3 = other entity
CKA_CHECK_VALUE | Byte array | Checksum
CKA_START_DATE | CK_DATE | Start date for the certificate (default empty)
CKA_END_DATE | CK_DATE | End date for the certificate (default empty)

4.6 X.509 public key certificate objects
Attribute | Data type | Meaning
CKA_SUBJECT [1] | Byte array | DER-encoding of the certificate subject name
CKA_ID | Byte array | Key identifier for public/private key pair (default empty)
CKA_ISSUER | Byte array | DER-encoding of the certificate issuer name (default empty)
CKA_SERIAL_NUMBER | Byte array | DER-encoding of the certificate serial number (default empty)
CKA_VALUE [1] | Byte array | BER-encoding of the certificate
CKA_URL [3] | RFC2279 string | If not empty this attribute gives the URL where the complete certificate can be obtained (default empty)
CKA_HASH_OF_SUBJECT_PUBLIC_KEY [4] | Byte array | SHA-1 hash of the subject public key (default empty)
CKA_HASH_OF_ISSUER_PUBLIC_KEY [4] | Byte array | SHA-1 hash of the issuer public key (default empty)
CKA_JAVA_MIDP_SECURITY_DOMAIN | CK_ULONG | Java MIDP security domain: 0 = unspecified (default value), 1 = manufacturer, 2 = operator, 3 = third party

4.7 WTLS public key certificate objects
Attribute | Data type | Meaning
CKA_SUBJECT [1] | Byte array | WTLS-encoding (Identifier type) of the certificate subject
CKA_ISSUER [2] | Byte array | WTLS-encoding (Identifier type) of the certificate issuer (default empty)
CKA_VALUE | Byte array | WTLS-encoding of the certificate
CKA_URL [3] | RFC2279 string | If not empty this attribute gives the URL where the complete certificate can be obtained
CKA_HASH_OF_SUBJECT_PUBLIC_KEY [4] | Byte array | SHA-1 hash of the subject public key (default empty)
CKA_HASH_OF_ISSUER_PUBLIC_KEY [4] | Byte array | SHA-1 hash of the issuer public key (default empty)

4.8 X.509 attribute certificate objects
Attribute | Data type | Meaning
CKA_OWNER [1] | Byte array | DER-encoding of the attribute certificate's subject field. This is distinct from the CKA_SUBJECT attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different.
CKA_AC_ISSUER | Byte array | DER-encoding of the attribute certificate's issuer field. This is distinct from the CKA_ISSUER attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. (default empty)
CKA_SERIAL_NUMBER | Byte array | DER-encoding of the certificate serial number. (default empty)
CKA_ATTR_TYPES | Byte array | BER-encoding of a sequence of object identifier values corresponding to the attribute types contained in the certificate. When present, this field offers an opportunity for applications to search for a particular attribute certificate without fetching and parsing the certificate itself. (default empty)
CKA_VALUE [1] | Byte array | BER-encoding of the certificate.

4.9 Common key attributes
Attribute | Data type | Meaning
CKA_KEY_TYPE [1,5] | CK_KEY_TYPE | Type of key
CKA_ID [8] | Byte array | Key identifier for key (default empty)
CKA_START_DATE [8] | CK_DATE | Start date for the key (default empty)
CKA_END_DATE [8] | CK_DATE | End date for the key (default empty)
CKA_DERIVE [8] | CK_BBOOL | CK_TRUE if key supports key derivation (i.e., if other keys can be derived from this one) (default CK_FALSE)
CKA_LOCAL [2,4,6] | CK_BBOOL | CK_TRUE only if key was either (1) generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call, or (2) created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to CK_TRUE
CKA_KEY_GEN_MECHANISM [2,4,6] | CK_MECHANISM_TYPE | Identifier of the mechanism used to generate the key material.
CKA_ALLOWED_MECHANISMS | CK_MECHANISM_TYPE_PTR, pointer to a CK_MECHANISM_TYPE array | A list of mechanisms allowed to be used with this key. The number of mechanisms in the array is the ulValueLen component of the attribute divided by the size of CK_MECHANISM_TYPE.

4.10 Common public key objects
Attribute | Data type | Meaning
CKA_SUBJECT [8] | Byte array | DER-encoding of the key subject name (default empty)
CKA_ENCRYPT [8] | CK_BBOOL | CK_TRUE if key supports encryption [9]
CKA_VERIFY [8] | CK_BBOOL | CK_TRUE if key supports verification where the signature is an appendix to the data [9]
CKA_VERIFY_RECOVER [8] | CK_BBOOL | CK_TRUE if key supports verification where the data is recovered from the signature [9]
CKA_WRAP [8] | CK_BBOOL | CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys) [9]
CKA_TRUSTED [10] | CK_BBOOL | The key can be trusted for the application that it was created. The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE.
CKA_WRAP_TEMPLATE | CK_ATTRIBUTE_PTR | For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.

RSA public key object attributes

4.11 Common private key objects (1)
Attribute | Data type | Meaning
CKA_SUBJECT [8] | Byte array | DER-encoding of certificate subject name (default empty)
CKA_SENSITIVE [8] | CK_BBOOL | CK_TRUE if key is sensitive [9]
CKA_DECRYPT [8] | CK_BBOOL | CK_TRUE if key supports decryption [9]
CKA_SIGN [8] | CK_BBOOL | CK_TRUE if key supports signatures where the signature is an appendix to the data [9]
CKA_SIGN_RECOVER [8] | CK_BBOOL | CK_TRUE if key supports signatures where the data can be recovered from the signature [9]
CKA_UNWRAP [8] | CK_BBOOL | CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) [9]
CKA_EXTRACTABLE [8,12] | CK_BBOOL | CK_TRUE if key is extractable and can be wrapped [9]
CKA_ALWAYS_SENSITIVE [2,4,6] | CK_BBOOL | CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE
CKA_NEVER_EXTRACTABLE [2,4,6] | CK_BBOOL | CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE

4.11 Common private key objects (2)
Attribute | Data type | Meaning
CKA_WRAP_WITH_TRUSTED [11] | CK_BBOOL | CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE.
CKA_UNWRAP_TEMPLATE | CK_ATTRIBUTE_PTR | For wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user supplied template is applied after this template as if the object has already been created. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.
CKA_ALWAYS_AUTHENTICATE | CK_BBOOL | If CK_TRUE, the user has to supply the PIN for each use (sign or decrypt) with the key. Default is CK_FALSE.

RSA private key object attributes

4.12 Common secret key objects (1)
Attribute | Data type | Meaning
CKA_SENSITIVE [8,11] | CK_BBOOL | CK_TRUE if object is sensitive (default CK_FALSE)
CKA_ENCRYPT [8] | CK_BBOOL | CK_TRUE if key supports encryption [9]
CKA_DECRYPT [8] | CK_BBOOL | CK_TRUE if key supports decryption [9]
CKA_SIGN [8] | CK_BBOOL | CK_TRUE if key supports signatures (i.e., authentication codes) where the signature is an appendix to the data [9]
CKA_VERIFY [8] | CK_BBOOL | CK_TRUE if key supports verification (i.e., of authentication codes) where the signature is an appendix to the data [9]
CKA_WRAP [8] | CK_BBOOL | CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys) [9]
CKA_UNWRAP [8] | CK_BBOOL | CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) [9]
CKA_EXTRACTABLE | CK_BBOOL | CK_TRUE if key is extractable and can be wrapped [9]
CKA_ALWAYS_SENSITIVE [2,4,6] | CK_BBOOL | CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE
CKA_NEVER_EXTRACTABLE [2,4,6] | CK_BBOOL | CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE

4.12 Common secret key objects (2)
Attribute | Data type | Meaning
CKA_CHECK_VALUE | Byte array | Key checksum
CKA_WRAP_WITH_TRUSTED [11] | CK_BBOOL | CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE.
CKA_TRUSTED [10] | CK_BBOOL | The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE.
CKA_WRAP_TEMPLATE | CK_ATTRIBUTE_PTR | For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.
CKA_UNWRAP_TEMPLATE | CK_ATTRIBUTE_PTR | For wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user supplied template is applied after this template as if the object has already been created. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.

DES secret key object attributes

RC4 secret key object attributes

4.13 Summary of object attributes
- PKCS#11 specifies every attribute of every object.
- The attribute footnote table is very important: the attribute templates supplied when creating, modifying or copying objects must not violate the attribute footnotes (for example, when generating a 3DES key with C_GenerateKey, CKA_KEY_TYPE must be specified and CKA_LOCAL must not be specified).
- The object attribute footnotes differ between versions of the PKCS#11 standard (for example, in Ver2.1 CKA_PUBLIC_EXPONENT must be specified for C_GenerateKeyPair, whereas in Ver2.2 this attribute need not be specified).
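
The footnote rules summarized in 4.13, as an added C example (not part of the original slides and not Cryptoki code): a template check for footnotes 1 to 6, the one-way flags of footnotes 11 and 12, and the reveal rule of footnote 7. The attribute ids, function names and verdict codes are assumptions made for this example; the footnote sets are the ones printed in sections 4.9, 4.11 and 4.12.

```c
#include <stdio.h>
#include <stddef.h>

/* Added model of the section 4.1 footnotes. Attribute ids are local to this
   example; they are NOT the numeric CKA_* constants. */
enum attr { A_KEY_TYPE, A_LOCAL, A_KEY_GEN_MECHANISM, A_ALWAYS_SENSITIVE,
            A_NEVER_EXTRACTABLE, A_SENSITIVE, A_EXTRACTABLE, A_COUNT };
enum op { OP_CREATE, OP_GENERATE, OP_UNWRAP };   /* the three creation paths */
enum verdict { TPL_OK, TPL_FORBIDDEN, TPL_MISSING };

#define FN(n) (1u << (n))       /* bit n stands for footnote n */

/* Footnote sets as printed in 4.9, 4.11 (EXTRACTABLE) and 4.12 (SENSITIVE). */
static const unsigned footnotes[A_COUNT] = {
    [A_KEY_TYPE]          = FN(1) | FN(5),
    [A_LOCAL]             = FN(2) | FN(4) | FN(6),
    [A_KEY_GEN_MECHANISM] = FN(2) | FN(4) | FN(6),
    [A_ALWAYS_SENSITIVE]  = FN(2) | FN(4) | FN(6),
    [A_NEVER_EXTRACTABLE] = FN(2) | FN(4) | FN(6),
    [A_SENSITIVE]         = FN(8) | FN(11),
    [A_EXTRACTABLE]       = FN(8) | FN(12),
};

/* Footnotes 1/3/5 mean "must be specified", 2/4/6 "must not be specified",
   for create / generate / unwrap respectively. */
enum verdict check_template(enum op op, const enum attr *tpl, size_t n)
{
    unsigned must = FN(1 + 2 * op), must_not = FN(2 + 2 * op), seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (footnotes[tpl[i]] & must_not) return TPL_FORBIDDEN;
        seen |= 1u << tpl[i];
    }
    for (int a = 0; a < A_COUNT; a++)
        if ((footnotes[a] & must) && !(seen & (1u << a))) return TPL_MISSING;
    return TPL_OK;
}

/* Footnotes 8, 11, 12: may a boolean attribute be flipped away from cur? */
int may_change(enum attr a, int cur)
{
    if (!(footnotes[a] & FN(8))) return 0;          /* assumption: no [8] = fixed */
    if ((footnotes[a] & FN(11)) && cur) return 0;   /* locked once CK_TRUE  */
    if ((footnotes[a] & FN(12)) && !cur) return 0;  /* locked once CK_FALSE */
    return 1;
}

/* Footnote 7: the value cannot be revealed if the key is sensitive or
   not extractable. */
int may_reveal_value(int sensitive, int extractable)
{
    return !sensitive && extractable;
}

int main(void)
{
    enum attr tpl[] = { A_KEY_TYPE, A_LOCAL };      /* constructed template */
    printf("generate with CKA_LOCAL: %d\n", check_template(OP_GENERATE, tpl, 2));
    printf("clear CKA_SENSITIVE: %d\n", may_change(A_SENSITIVE, 1));
    return 0;
}
```

Because the footnotes differ between PKCS#11 versions, as 4.13 points out, a table like `footnotes` has to be filled in from the version of the standard the token actually implements.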