Interpreting the PKCS #11 library attributes table Modifying attributes Interpreting error codes

Supported key attributes

A key object can be a public, private, or secret key. Actions permitted on a key object are specified through attributes. Attributes are defined when the key object is created. When you use the PKCS #11 library, we assign default values as specified by the PKCS #11 standard.

AWS CloudHSM does not support all attributes listed in the PKCS #11 specification. We are compliant with the specification for all attributes we support. These attributes are listed in the respective tables.

Cryptographic functions such as C_CreateObject, C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, and C_DeriveKey that create, modify, or copy objects take an attribute template as one of their parameters. For more information about passing an attribute template during object creation, see Generate keys through PKCS #11 library for examples.

Interpreting the PKCS #11 library attributes table

The PKCS #11 library table contains a list of attributes that differ by key types. It indicates whether a given attribute is supported for a particular key type when using a specific cryptographic function with AWS CloudHSM.

Legend:

✔ indicates that CloudHSM supports the attribute for the specific key type.
✖ indicates that CloudHSM does not support the attribute for the specific key type.
R indicates that the attribute value is set to read-only for the specific key type .
S indicates that the attribute cannot be read by the GetAttributeValue as it is sensitive.
An empty cell in the Default Value column indicates that there is no specific default value assigned to the attribute.

Attribute	Key Type				Default Value
	EC private	EC public	RSA private	RSA public
`CKA_CLASS`	✔	✔	✔	✔
`CKA_KEY_TYPE`	✔	✔	✔	✔
`CKA_LABEL`	✔	✔	✔	✔
`CKA_ID`	✔	✔	✔	✔
`CKA_LOCAL`	R	R	R	R	True
`CKA_TOKEN`	✔	✔	✔	✔	False
`CKA_PRIVATE`	✔¹	✔¹	✔¹	✔¹	True
`CKA_ENCRYPT`	✖	✔	✖	✔	False
`CKA_DECRYPT`	✔	✖	✔	✖	False
`CKA_DERIVE`	✔	✔	✔	✔	False
`CKA_MODIFIABLE`	✔¹	✔¹	✔¹	✔¹	True
`CKA_DESTROYABLE`	✔	✔	✔	✔	True
`CKA_SIGN`	✔	✖	✔	✖	False
`CKA_SIGN_RECOVER`	✖	✖	✖	✖
`CKA_VERIFY`	✖	✔	✖	✔	False
`CKA_VERIFY_RECOVER`	✖	✖	✖	✖
`CKA_WRAP`	✖	✔	✖	✔	False
`CKA_WRAP_TEMPLATE`	✖	✔	✖	✔
`CKA_TRUSTED`	✖	✔	✖	✔	False
`CKA_WRAP_WITH_TRUSTED`	✔	✖	✔	✖	False
`CKA_UNWRAP`	✔	✖	✔	✖	False
`CKA_UNWRAP_TEMPLATE`	✔	✖	✔	✖
`CKA_SENSITIVE`	✔¹	✖	✔¹	✖	True
`CKA_ALWAYS_SENSITIVE`	R	✖	R	✖
`CKA_EXTRACTABLE`	✔	✖	✔	✖	True
`CKA_NEVER_EXTRACTABLE`	R	✖	R	✖
`CKA_MODULUS`	✖	✖	✖	✖
`CKA_MODULUS_BITS`	✖	✖	✖	✔²
`CKA_PRIME_1`	✖	✖	✖	✖
`CKA_PRIME_2`	✖	✖	✖	✖
`CKA_COEFFICIENT`	✖	✖	✖	✖
`CKA_EXPONENT_1`	✖	✖	✖	✖
`CKA_EXPONENT_2`	✖	✖	✖	✖
`CKA_PRIVATE_EXPONENT`	✖	✖	✖	✖
`CKA_PUBLIC_EXPONENT`	✖	✖	✖	✔²
`CKA_EC_PARAMS`	✖	✔²	✖	✖
`CKA_EC_POINT`	✖	✖	✖	✖
`CKA_VALUE`	✖	✖	✖	✖
`CKA_VALUE_LEN`	✖	✖	✖	✖
`CKA_CHECK_VALUE`	R	R	R	R

Attribute	Key Type			Default Value
	AES	DES3	Generic Secret
`CKA_CLASS`	✔	✔	✔
`CKA_KEY_TYPE`	✔	✔	✔
`CKA_LABEL`	✔	✔	✔
`CKA_ID`	✔	✔	✔
`CKA_LOCAL`	R	R	R	True
`CKA_TOKEN`	✔	✔	✔	False
`CKA_PRIVATE`	✔¹	✔¹	✔¹	True
`CKA_ENCRYPT`	✔	✔	✖	False
`CKA_DECRYPT`	✔	✔	✖	False
`CKA_DERIVE`	✔	✔	✔	False
`CKA_MODIFIABLE`	✔¹	✔¹	✔¹	True
`CKA_DESTROYABLE`	✔	✔	✔	True
`CKA_SIGN`	✔	✔	✔	True
`CKA_SIGN_RECOVER`	✖	✖	✖
`CKA_VERIFY`	✔	✔	✔	True
`CKA_VERIFY_RECOVER`	✖	✖	✖
`CKA_WRAP`	✔	✔	✖	False
`CKA_WRAP_TEMPLATE`	✔	✔	✖
`CKA_TRUSTED`	✔	✔	✖	False
`CKA_WRAP_WITH_TRUSTED`	✔	✔	✔	False
`CKA_UNWRAP`	✔	✔	✖	False
`CKA_UNWRAP_TEMPLATE`	✔	✔	✖
`CKA_SENSITIVE`	✔	✔	✔	True
`CKA_ALWAYS_SENSITIVE`	✖	✖	✖
`CKA_EXTRACTABLE`	✔	✔	✔	True
`CKA_NEVER_EXTRACTABLE`	R	R	R
`CKA_MODULUS`	✖	✖	✖
`CKA_MODULUS_BITS`	✖	✖	✖
`CKA_PRIME_1`	✖	✖	✖
`CKA_PRIME_2`	✖	✖	✖
`CKA_COEFFICIENT`	✖	✖	✖
`CKA_EXPONENT_1`	✖	✖	✖
`CKA_EXPONENT_2`	✖	✖	✖
`CKA_PRIVATE_EXPONENT`	✖	✖	✖
`CKA_PUBLIC_EXPONENT`	✖	✖	✖
`CKA_EC_PARAMS`	✖	✖	✖
`CKA_EC_POINT`	✖	✖	✖
`CKA_VALUE`	✖	✖	✖
`CKA_VALUE_LEN`	✔²	✖	✔²
`CKA_CHECK_VALUE`	R	R	R

Attribute	Key Type							Default Value
	EC private	EC public	RSA private	RSA public	AES	DES3	Generic Secret
`CKA_CLASS`	✔²	✔²	✔²	✔²	✔²	✔²	✔²
`CKA_KEY_TYPE`	✔²	✔²	✔²	✔²	✔²	✔²	✔²
`CKA_LABEL`	✔	✔	✔	✔	✔	✔	✔
`CKA_ID`	✔	✔	✔	✔	✔	✔	✔
`CKA_LOCAL`	R	R	R	R	R	R	R	False
`CKA_TOKEN`	✔	✔	✔	✔	✔	✔	✔	False
`CKA_PRIVATE`	✔¹	✔¹	✔¹	✔¹	✔¹	✔¹	✔¹	True
`CKA_ENCRYPT`	✖	✖	✖	✔	✔	✔	✖	False
`CKA_DECRYPT`	✖	✖	✔	✖	✔	✔	✖	False
`CKA_DERIVE`	✔	✔	✔	✔	✔	✔	✔	False
`CKA_MODIFIABLE`	✔¹	✔¹	✔¹	✔¹	✔¹	✔¹	✔¹	True
`CKA_DESTROYABLE`	✔	✔	✔	✔	✔	✔	✔	True
`CKA_SIGN`	✔	✖	✔	✖	✔	✔	✔	False
`CKA_SIGN_RECOVER`	✖	✖	✖	✖	✖	✖	✖	False
`CKA_VERIFY`	✖	✔	✖	✔	✔	✔	✔	False
`CKA_VERIFY_RECOVER`	✖	✖	✖	✖	✖	✖	✖
`CKA_WRAP`	✖	✖	✖	✔	✔	✔	✖	False
`CKA_WRAP_TEMPLATE`	✖	✔	✖	✔	✔	✔	✖
`CKA_TRUSTED`	✖	✔	✖	✔	✔	✔	✖	False
`CKA_WRAP_WITH_TRUSTED`	✔	✖	✔	✖	✔	✔	✔	False
`CKA_UNWRAP`	✖	✖	✔	✖	✔	✔	✖	False
`CKA_UNWRAP_TEMPLATE`	✔	✖	✔	✖	✔	✔	✖
`CKA_SENSITIVE`	✔	✖	✔	✖	✔	✔	✔	True
`CKA_ALWAYS_SENSITIVE`	R	✖	R	✖	R	R	R
`CKA_EXTRACTABLE`	✔	✖	✔	✖	✔	✔	✔	True
`CKA_NEVER_EXTRACTABLE`	R	✖	R	✖	R	R	R
`CKA_MODULUS`	✖	✖	✔²	✔²	✖	✖	✖
`CKA_MODULUS_BITS`	✖	✖	✖	✖	✖	✖	✖
`CKA_PRIME_1`	✖	✖	✔	✖	✖	✖	✖
`CKA_PRIME_2`	✖	✖	✔	✖	✖	✖	✖
`CKA_COEFFICIENT`	✖	✖	✔	✖	✖	✖	✖
`CKA_EXPONENT_1`	✖	✖	✔	✖	✖	✖	✖
`CKA_EXPONENT_2`	✖	✖	✔	✖	✖	✖	✖
`CKA_PRIVATE_EXPONENT`	✖	✖	✔²	✖	✖	✖	✖
`CKA_PUBLIC_EXPONENT`	✖	✖	✔²	✔²	✖	✖	✖
`CKA_EC_PARAMS`	✔²	✔²	✖	✖	✖	✖	✖
`CKA_EC_POINT`	✖	✔²	✖	✖	✖	✖	✖
`CKA_VALUE`	✔²	✖	✖	✖	✔²	✔²	✔²
`CKA_VALUE_LEN`	✖	✖	✖	✖	✖	✖	✖
`CKA_CHECK_VALUE`	R	R	R	R	R	R	R

Attribute	Key Type					Default Value
	EC private	RSA private	AES	DES3	Generic Secret
`CKA_CLASS`	✔²	✔²	✔²	✔²	✔²
`CKA_KEY_TYPE`	✔²	✔²	✔²	✔²	✔²
`CKA_LABEL`	✔	✔	✔	✔	✔
`CKA_ID`	✔	✔	✔	✔	✔
`CKA_LOCAL`	R	R	R	R	R	False
`CKA_TOKEN`	✔	✔	✔	✔	✔	False
`CKA_PRIVATE`	✔¹	✔¹	✔¹	✔¹	✔¹	True
`CKA_ENCRYPT`	✖	✖	✔	✔	✖	False
`CKA_DECRYPT`	✖	✔	✔	✔	✖	False
`CKA_DERIVE`	✔	✔	✔	✔	✔	False
`CKA_MODIFIABLE`	✔¹	✔¹	✔¹	✔¹	✔¹	True
`CKA_DESTROYABLE`	✔	✔	✔	✔	✔	True
`CKA_SIGN`	✔	✔	✔	✔	✔	False
`CKA_SIGN_RECOVER`	✖	✖	✖	✖	✖	False
`CKA_VERIFY`	✖	✖	✔	✔	✔	False
`CKA_VERIFY_RECOVER`	✖	✖	✖	✖	✖
`CKA_WRAP`	✖	✖	✔	✔	✖	False
`CKA_UNWRAP`	✖	✔	✔	✔	✖	False
`CKA_SENSITIVE`	✔	✔	✔	✔	✔	True
`CKA_EXTRACTABLE`	✔	✔	✔	✔	✔	True
`CKA_NEVER_EXTRACTABLE`	R	R	R	R	R
`CKA_ALWAYS_SENSITIVE`	R	R	R	R	R
`CKA_MODULUS`	✖	✖	✖	✖	✖
`CKA_MODULUS_BITS`	✖	✖	✖	✖	✖
`CKA_PRIME_1`	✖	✖	✖	✖	✖
`CKA_PRIME_2`	✖	✖	✖	✖	✖
`CKA_COEFFICIENT`	✖	✖	✖	✖	✖
`CKA_EXPONENT_1`	✖	✖	✖	✖	✖
`CKA_EXPONENT_2`	✖	✖	✖	✖	✖
`CKA_PRIVATE_EXPONENT`	✖	✖	✖	✖	✖
`CKA_PUBLIC_EXPONENT`	✖	✖	✖	✖	✖
`CKA_EC_PARAMS`	✖	✖	✖	✖	✖
`CKA_EC_POINT`	✖	✖	✖	✖	✖
`CKA_VALUE`	✖	✖	✖	✖	✖
`CKA_VALUE_LEN`	✖	✖	✖	✖	✖
`CKA_CHECK_VALUE`	R	R	R	R	R

Attribute	Key Type			Default Value
	AES	DES3	Generic Secret
`CKA_CLASS`	✔²	✔²	✔²
`CKA_KEY_TYPE`	✔²	✔²	✔²
`CKA_LABEL`	✔	✔	✔
`CKA_ID`	✔	✔	✔
`CKA_LOCAL`	R	R	R	True
`CKA_TOKEN`	✔	✔	✔	False
`CKA_PRIVATE`	✔¹	✔¹	✔¹	True
`CKA_ENCRYPT`	✔	✔	✖	False
`CKA_DECRYPT`	✔	✔	✖	False
`CKA_DERIVE`	✔	✔	✔	False
`CKA_MODIFIABLE`	✔¹	✔¹	✔¹	True
`CKA_DESTROYABLE`	✔¹	✔¹	✔¹	True
`CKA_SIGN`	✔	✔	✔	False
`CKA_SIGN_RECOVER`	✖	✖	✖
`CKA_VERIFY`	✔	✔	✔	False
`CKA_VERIFY_RECOVER`	✖	✖	✖
`CKA_WRAP`	✔	✔	✖	False
`CKA_UNWRAP`	✔	✔	✖	False
`CKA_SENSITIVE`	R	R	R	True
`CKA_EXTRACTABLE`	✔	✔	✔	True
`CKA_NEVER_EXTRACTABLE`	R	R	R
`CKA_ALWAYS_SENSITIVE`	R	R	R
`CKA_MODULUS`	✖	✖	✖
`CKA_MODULUS_BITS`	✖	✖	✖
`CKA_PRIME_1`	✖	✖	✖
`CKA_PRIME_2`	✖	✖	✖
`CKA_COEFFICIENT`	✖	✖	✖
`CKA_EXPONENT_1`	✖	✖	✖
`CKA_EXPONENT_2`	✖	✖	✖
`CKA_PRIVATE_EXPONENT`	✖	✖	✖
`CKA_PUBLIC_EXPONENT`	✖	✖	✖
`CKA_EC_PARAMS`	✖	✖	✖
`CKA_EC_POINT`	✖	✖	✖
`CKA_VALUE`	✖	✖	✖
`CKA_VALUE_LEN`	✔²	✖	✔²
`CKA_CHECK_VALUE`	R	R	R

Attribute	Key Type
	EC private	EC public	RSA private	RSA public	AES	DES3	Generic Secret
`CKA_CLASS`	✔	✔	✔	✔	✔	✔	✔
`CKA_KEY_TYPE`	✔	✔	✔	✔	✔	✔	✔
`CKA_LABEL`	✔	✔	✔	✔	✔	✔	✔
`CKA_ID`	✔	✔	✔	✔	✔	✔	✔
`CKA_LOCAL`	✔	✔	✔	✔	✔	✔	✔
`CKA_TOKEN`	✔	✔	✔	✔	✔	✔	✔
`CKA_PRIVATE`	✔¹	✔¹	✔¹	✔¹	✔¹	✔¹	✔¹
`CKA_ENCRYPT`	✖	✖	✖	✔	✔	✔	✖
`CKA_DECRYPT`	✖	✖	✔	✖	✔	✔	✖
`CKA_DERIVE`	✔	✔	✔	✔	✔	✔	✔
`CKA_MODIFIABLE`	✔	✔	✔	✔	✔	✔	✔
`CKA_DESTROYABLE`	✔	✔	✔	✔	✔	✔	✔
`CKA_SIGN`	✔	✖	✔	✖	✔	✔	✔
`CKA_SIGN_RECOVER`	✖	✖	✔	✖	✖	✖	✖
`CKA_VERIFY`	✖	✔	✖	✔	✔	✔	✔
`CKA_VERIFY_RECOVER`	✖	✖	✖	✔	✖	✖	✖
`CKA_WRAP`	✖	✖	✖	✔	✔	✔	✖
`CKA_WRAP_TEMPLATE`	✖	✔	✖	✔	✔	✔	✖
`CKA_TRUSTED`	✖	✔	✖	✔	✔	✔	✔
`CKA_WRAP_WITH_TRUSTED`	✔	✖	✔	✖	✔	✔	✔
`CKA_UNWRAP`	✖	✖	✔	✖	✔	✔	✖
`CKA_UNWRAP_TEMPLATE`	✔	✖	✔	✖	✔	✔	✖
`CKA_SENSITIVE`	✔	✖	✔	✖	✔	✔	✔
`CKA_EXTRACTABLE`	✔	✖	✔	✖	✔	✔	✔
`CKA_NEVER_EXTRACTABLE`	✔	✖	✔	✖	✔	✔	✔
`CKA_ALWAYS_SENSITIVE`	R	R	R	R	R	R	R
`CKA_MODULUS`	✖	✖	✔	✔	✖	✖	✖
`CKA_MODULUS_BITS`	✖	✖	✖	✔	✖	✖	✖
`CKA_PRIME_1`	✖	✖	S	✖	✖	✖	✖
`CKA_PRIME_2`	✖	✖	S	✖	✖	✖	✖
`CKA_COEFFICIENT`	✖	✖	S	✖	✖	✖	✖
`CKA_EXPONENT_1`	✖	✖	S	✖	✖	✖	✖
`CKA_EXPONENT_2`	✖	✖	S	✖	✖	✖	✖
`CKA_PRIVATE_EXPONENT`	✖	✖	S	✖	✖	✖	✖
`CKA_PUBLIC_EXPONENT`	✖	✖	✔	✔	✖	✖	✖
`CKA_EC_PARAMS`	✔	✔	✖	✖	✖	✖	✖
`CKA_EC_POINT`	✖	✔	✖	✖	✖	✖	✖
`CKA_VALUE`	S	✖	✖	✖	✔	✔	✔
`CKA_VALUE_LEN`	✖	✖	✖	✖	✔	✖	✔
`CKA_CHECK_VALUE`	✔	✔	✔	✔	✔	✔	✖

Attribute annotations

[1] This attribute is partially supported by the firmware and must be explicitly set only to the default value.
[2] Mandatory attribute.

Modifying attributes

Some attributes of an object can be modified after the object has been created, whereas some cannot. To modify attributes, use the setAttribute command from cloudhsm_mgmt_util. You can also derive a list of attributes and the constants that represent them by using the listAttribute command from cloudhsm_mgmt_util.

The following list displays attributes that are allowed for modification after object creation:

CKA_LABEL
CKA_TOKEN

Note
Modification is allowed only for changing a session key to a token key. Use the setAttribute command from key_mgmt_util to change the attribute value.
CKA_ENCRYPT
CKA_DECRYPT
CKA_SIGN
CKA_VERIFY
CKA_WRAP
CKA_UNWRAP
CKA_LABEL
CKA_SENSITIVE
CKA_DERIVE

Note
This attribute supports key derivation. It must be False for all public keys and cannot be set to True. For secret and EC private keys, it can be set to True or False.
CKA_TRUSTED

Note
This attribute can be set to True or False by Crypto Officer (CO) only.
CKA_WRAP_WITH_TRUSTED

Note
Apply this attribute to an exportable data key to specify that you can only wrap this key with keys marked as CKA_TRUSTED. Once you set CKA_WRAP_WITH_TRUSTED to true, the attribute becomes read-only and you cannot change or remove the attribute.

Interpreting error codes

Specifying in the template an attribute that is not supported by a specific key results in an error. The following table contains error codes that are generated when you violate specifications:

Error Code	Description
`CKR_TEMPLATE_INCONSISTENT`	You receive this error when you specify an attribute in the attribute template, where the attribute complies with the PKCS #11 specification, but is not supported by CloudHSM.
`CKR_ATTRIBUTE_TYPE_INVALID`	You receive this error when you retrieve value for an attribute, which complies with the PKCS #11 specification, but is not supported by CloudHSM.
`CKR_ATTRIBUTE_INCOMPLETE`	You receive this error when you do not specify the mandatory attribute in the attribute template.
`CKR_ATTRIBUTE_READ_ONLY`	You receive this error when you specify a read-only attribute in the attribute template.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

API operations

Code samples

Supported key attributes

Interpreting the PKCS #11 library attributes table

Modifying attributes

Note

Note

Note

Note

Interpreting error codes