AWS CloudHSM
User Guide

Supported PKCS #11 Attributes

A key object can be a public, private, or secret key. Actions permitted on a key object are specified through attributes. Attributes are defined when the key object is created. When you use CloudHSM's PKCS #11 SDK, we assign default values as specified by the PKCS #11 standard.

Note

CloudHSM does not support all attributes listed in the PKCS #11 specification. We are compliant with the specification for all attributes we support. These attributes are listed in the respective tables.

Cryptographic functions such as C_CreateObject, C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, and C_DeriveKey that create, modify, or copy objects take an attribute template as one of their parameters. For more information about passing an attribute template during object creation, see Generate keys through PKCS #11 library sample.

Interpreting the PKCS #11 Attributes Table

The PKCS #11 table contains a list of attributes that differ by key types. It indicates whether a given attribute is supported for a particular key type when using a specific cryptographic function with AWS CloudHSM.

Legend:

  • ✔ indicates that CloudHSM supports the attribute for the specific key type.

  • ✖ indicates that CloudHSM does not support the attribute for the specific key type.

  • R indicates that the attribute value is set to read-only for the specific key type .

  • S indicates that the attribute cannot be read by the GetAttributeValue as it is sensitive.

  • An empty cell in the Default Value column indicates that there is no specific default value assigned to the attribute.

GenerateKeyPair

Attribute

Key Type

Default Value

 

EC private

EC public

RSA private

RSA public

 

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

 

CKA_VERIFY

False

CKA_VERIFY_RECOVER

4

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

R

R

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

2

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

2

 

CKA_EC_PARAMS

2

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

 

GenerateKey

Attribute

Key Type

Default Value

 

AES

DES3

Generic Secret

 

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

 

CKA_VERIFY

False

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

2

2

 

CKA_CHECK_VALUE

R

R

R

 

CreateObject

Attribute

Key Type

Default Value

 

EC private

EC public

RSA private

RSA public

AES

DES3

Generic Secret

 

CKA_CLASS

2

2

2

2

2

2

2

CKA_KEY_TYPE

2

2

2

2

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

R

R

R

False

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

False

CKA_VERIFY

False

CKA_VERIFY_RECOVER

4

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

R

R

R

R

R

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

R

R

 

CKA_MODULUS

2

2

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

2

 

CKA_PUBLIC_EXPONENT

2

2

 

CKA_EC_PARAMS

2

2

 

CKA_EC_POINT

2

 

CKA_VALUE

2

2

2

2

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

R

R

R

 

UnwrapKey

Attribute

Key Type

Default Value

 

EC private

RSA private

AES

DES3

Generic Secret

 

CKA_CLASS

2

2

2

2

2

CKA_KEY_TYPE

2

2

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

R

False

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

False

CKA_VERIFY

False

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_UNWRAP

False

CKA_SENSITIVE

True

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

R

R

 

CKA_ALWAYS_SENSITIVE

R

R

R

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

R

 

DeriveKey

Attribute

Key Type

Default Value

 

AES

DES3

Generic Secret

 

CKA_CLASS

2

2

2

CKA_KEY_TYPE

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

True

CKA_DESTROYABLE

1

1

1

True

CKA_SIGN

False

CKA_SIGN_RECOVER

 

CKA_VERIFY

False

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_UNWRAP

False

CKA_SENSITIVE

True

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

 

CKA_ALWAYS_SENSITIVE

R

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

2

2

 

CKA_CHECK_VALUE

R

R

R

 

GetAttributeValue

Attribute

Key Type

 

EC private

EC public

RSA private

RSA public

AES

DES3

Generic Secret

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

CKA_TOKEN

CKA_PRIVATE

1

1

1

1

1

1

1

CKA_ENCRYPT

CKA_DECRYPT

CKA_DERIVE

CKA_MODIFIABLE

CKA_DESTROYABLE

CKA_SIGN

CKA_SIGN_RECOVER

CKA_VERIFY

CKA_VERIFY_RECOVER

CKA_WRAP

CKA_WRAP_TEMPLATE

CKA_TRUSTED

CKA_WRAP_WITH_TRUSTED

CKA_UNWRAP

CKA_UNWRAP_TEMPLATE

CKA_SENSITIVE

CKA_EXTRACTABLE

CKA_NEVER_EXTRACTABLE

CKA_ALWAYS_SENSITIVE

R

R;

R

R

R

R

R

CKA_MODULUS

CKA_MODULUS_BITS

CKA_PRIME_1

S

CKA_PRIME_2

S

CKA_COEFFICIENT

S

CKA_EXPONENT_1

S

CKA_EXPONENT_2

S

CKA_PRIVATE_EXPONENT

S

CKA_PUBLIC_EXPONENT

CKA_EC_PARAMS

CKA_EC_POINT

CKA_VALUE

S

2

2

2

CKA_VALUE_LEN

CKA_CHECK_VALUE

Annotations:

1 This attribute is partially supported by the firmware and must be explicitly set only to the default value.

2 Mandatory attribute.

3 The CKA_SIGN_RECOVER attribute is derived from the CKA_SIGN attribute. If being set, it can only be set to the same value that is set for CKA_SIGN. If not set, it derives the default value of CKA_SIGN. Since CloudHSM only supports RSA-based recoverable signature mechanisms, this attribute is currently applicable to RSA public keys only.

4 The CKA_VERIFY_RECOVER attribute is derived from the CKA_VERIFY attribute. If being set, it can only be set to the same value that is set for CKA_VERIFY. If not set, it derives the default value of CKA_VERIFY. Since CloudHSM only supports RSA-based recoverable signature mechanisms, this attribute is currently applicable to RSA public keys only.

Modifying Attributes

Some attributes of an object can be modified after the object has been created, whereas some cannot. To modify attributes, use the setAttribute command from cloudhsm_mgmt_util. You can also derive a list of attributes and the constants that represent them by using the listAttribute command from cloudhsm_mgmt_util.

The following list displays attributes that are allowed for modification after object creation:

  • CKA_LABEL

  • CKA_TOKEN

    Note

    Modification is allowed only for changing a session key to a token key. Use the setAttribute command from key_mgmt_util to change the attribute value.

  • CKA_ENCRYPT

  • CKA_DECRYPT

  • CKA_SIGN

  • CKA_VERIFY

  • CKA_WRAP

  • CKA_UNWRAP

  • CKA_LABEL

  • CKA_SENSITIVE

  • CKA_DERIVE

    Note

    This attribute supports key derivation. It must be False for all public keys and cannot be set to True. For secret and EC private keys, it can be set to True or False.

  • CKA_TRUSTED

    Note

    This attribute can be set to True or False by Crypto Officer (CO) only.

  • CKA_WRAP_WITH_TRUSTED

    Note

    This attribute can be set to True if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to True. Modification is allowed for changing the attribute value from False to True. Once set to True, you cannot modify the attribute value.

Interpreting Error Codes

Specifying in the template an attribute that is not supported by a specific key results in an error. The following table contains error codes that are generated when you violate specifications:

Error Code Description
CKR_TEMPLATE_INCONSISTENT You receive this error when you specify an attribute in the attribute template, where the attribute complies with the PKCS #11 specification, but is not supported by CloudHSM.
CKR_ATTRIBUTE_TYPE_INVALID You receive this error when you retrieve value for an attribute, which complies with the PKCS #11 specification, but is not supported by CloudHSM.
CKR_ATTRIBUTE_INCOMPLETE You receive this error when you do not specify the mandatory attribute in the attribute template.
CKR_ATTRIBUTE_READ_ONLY You receive this error when you specify a read-only attribute in the attribute template.