PKCS #11 库支持的密钥属性

密钥对象可以是公有、私有或秘密密钥。通过属性指定密钥对象上允许的操作。属性是在创建密钥对象时定义的。当您使用 CloudHSM 的 PKCS#11 开发工具包时，我们将按照 PKCS #11 标准的要求分配默认值。

AWS CloudHSM 不支持 PKCS #11 规范中列出的所有属性。对于我们支持的所有属性，我们符合此规范。这些属性列在各自的表中。

创建、修改或复制对象的加密函数（如 C_CreateObject、C_GenerateKey、C_GenerateKeyPair、C_UnwrapKey 和 C_DeriveKey）将属性模板作为它们的一个参数。有关在对象创建期间传递属性模板的更多信息，请参阅通过 PKCS #11 库生成密钥了解样例。

解释 PKCS#11 库属性表格

PKCS#11 库表格包含依密钥类型而不同的属性的列表。它表示在使用特定加密函数时，特定密钥类型是否支持给定属性。 AWS CloudHSM

图例：

• ✔ 表示 CloudHSM 对特定密钥类型支持此属性。

• ✖ 表示 CloudHSM 对特定密钥类型不支持此属性。

• R 表示特定密钥类型的属性值设置为只读的。

• S 表示无法通过 GetAttributeValue 读取该属性，因为它是敏感属性。

• 默认值列中的空单元格表示没有给该属性分配特定的默认值。

GenerateKeyPair

属性	密钥类型				默认值
	EC 私有	EC 公有	RSA 私有	RSA 公有
CKA_CLASS	✔	✔	✔	✔
CKA_KEY_TYPE	✔	✔	✔	✔
CKA_LABEL	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔
CKA_LOCAL	R	R	R	R	True
CKA_TOKEN	✔	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	✔1	True
CKA_ENCRYPT	✖	✔	✖	✔	False
CKA_DECRYPT	✔	✖	✔	✖	False
CKA_DERIVE	✔	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	✔	True
CKA_SIGN	✔	✖	✔	✖	False
CKA_SIGN_RECOVER	✖	✖	✖	✖
CKA_VERIFY	✖	✔	✖	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖	✖
CKA_WRAP	✖	✔	✖	✔	False
CKA_WRAP_TEMPLATE	✖	✔	✖	✔
CKA_TRUSTED	✖	✔	✖	✔	False
CKA_WRAP_WITH_TRUSTED	✔	✖	✔	✖	False
CKA_UNWRAP	✔	✖	✔	✖	False
CKA_UNWRAP_TEMPLATE	✔	✖	✔	✖
CKA_SENSITIVE	✔1	✖	✔1	✖	True
CKA_ALWAYS_SENSITIVE	R	✖	R	✖
CKA_EXTRACTABLE	✔	✖	✔	✖	True
CKA_NEVER_EXTRACTABLE	R	✖	R	✖
CKA_MODULUS	✖	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✔2
CKA_PRIME_1	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖	✔2
CKA_EC_PARAMS	✖	✔2	✖	✖
CKA_EC_POINT	✖	✖	✖	✖
CKA_VALUE	✖	✖	✖	✖
CKA_VALUE_LEN	✖	✖	✖	✖
CKA_CHECK_VALUE	R	R	R	R

GenerateKey

属性	密钥类型			默认值
	AES	DES3	普通机密
CKA_CLASS	✔	✔	✔
CKA_KEY_TYPE	✔	✔	✔
CKA_LABEL	✔	✔	✔
CKA_ID	✔	✔	✔
CKA_LOCAL	R	R	R	True
CKA_TOKEN	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	True
CKA_ENCRYPT	✔	✔	✖	False
CKA_DECRYPT	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	True
CKA_SIGN	✔	✔	✔	True
CKA_SIGN_RECOVER	✖	✖	✖
CKA_VERIFY	✔	✔	✔	True
CKA_VERIFY_RECOVER	✖	✖	✖
CKA_WRAP	✔	✔	✖	False
CKA_WRAP_TEMPLATE	✔	✔	✖
CKA_TRUSTED	✔	✔	✖	False
CKA_WRAP_WITH_TRUSTED	✔	✔	✔	False
CKA_UNWRAP	✔	✔	✖	False
CKA_UNWRAP_TEMPLATE	✔	✔	✖
CKA_SENSITIVE	✔	✔	✔	True
CKA_ALWAYS_SENSITIVE	✖	✖	✖
CKA_EXTRACTABLE	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	R	R
CKA_MODULUS	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖
CKA_PRIME_1	✖	✖	✖
CKA_PRIME_2	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖
CKA_EC_PARAMS	✖	✖	✖
CKA_EC_POINT	✖	✖	✖
CKA_VALUE	✖	✖	✖
CKA_VALUE_LEN	✔2	✖	✔2
CKA_CHECK_VALUE	R	R	R

CreateObject

属性	密钥类型							默认值
	EC 私有	EC 公有	RSA 私有	RSA 公有	AES	DES3	普通机密
CKA_CLASS	✔2	✔2	✔2	✔2	✔2	✔2	✔2
CKA_KEY_TYPE	✔2	✔2	✔2	✔2	✔2	✔2	✔2
CKA_LABEL	✔	✔	✔	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔	✔	✔	✔
CKA_LOCAL	R	R	R	R	R	R	R	False
CKA_TOKEN	✔	✔	✔	✔	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	✔1	✔1	✔1	✔1	True
CKA_ENCRYPT	✖	✖	✖	✔	✔	✔	✖	False
CKA_DECRYPT	✖	✖	✔	✖	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	✔	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	✔1	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	✔	✔	✔	✔	True
CKA_SIGN	✔	✖	✔	✖	✔	✔	✔	False
CKA_SIGN_RECOVER	✖	✖	✖	✖	✖	✖	✖	False
CKA_VERIFY	✖	✔	✖	✔	✔	✔	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖	✖	✖	✖	✖
CKA_WRAP	✖	✖	✖	✔	✔	✔	✖	False
CKA_WRAP_TEMPLATE	✖	✔	✖	✔	✔	✔	✖
CKA_TRUSTED	✖	✔	✖	✔	✔	✔	✖	False
CKA_WRAP_WITH_TRUSTED	✔	✖	✔	✖	✔	✔	✔	False
CKA_UNWRAP	✖	✖	✔	✖	✔	✔	✖	False
CKA_UNWRAP_TEMPLATE	✔	✖	✔	✖	✔	✔	✖
CKA_SENSITIVE	✔	✖	✔	✖	✔	✔	✔	True
CKA_ALWAYS_SENSITIVE	R	✖	R	✖	R	R	R
CKA_EXTRACTABLE	✔	✖	✔	✖	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	✖	R	✖	R	R	R
CKA_MODULUS	✖	✖	✔2	✔2	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✖	✖	✖	✖
CKA_PRIME_1	✖	✖	✔	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	✔	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✔	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✔	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✔	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✔2	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✔2	✔2	✖	✖	✖
CKA_EC_PARAMS	✔2	✔2	✖	✖	✖	✖	✖
CKA_EC_POINT	✖	✔2	✖	✖	✖	✖	✖
CKA_VALUE	✔2	✖	✖	✖	✔2	✔2	✔2
CKA_VALUE_LEN	✖	✖	✖	✖	✖	✖	✖
CKA_CHECK_VALUE	R	R	R	R	R	R	R

UnwrapKey

属性	密钥类型					默认值
	EC 私有	RSA 私有	AES	DES3	普通机密
CKA_CLASS	✔2	✔2	✔2	✔2	✔2
CKA_KEY_TYPE	✔2	✔2	✔2	✔2	✔2
CKA_LABEL	✔	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔	✔
CKA_LOCAL	R	R	R	R	R	False
CKA_TOKEN	✔	✔	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	✔1	✔1	True
CKA_ENCRYPT	✖	✖	✔	✔	✖	False
CKA_DECRYPT	✖	✔	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	✔	✔	True
CKA_SIGN	✔	✔	✔	✔	✔	False
CKA_SIGN_RECOVER	✖	✖	✖	✖	✖	False
CKA_VERIFY	✖	✖	✔	✔	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖	✖	✖
CKA_WRAP	✖	✖	✔	✔	✖	False
CKA_UNWRAP	✖	✔	✔	✔	✖	False
CKA_SENSITIVE	✔	✔	✔	✔	✔	True
CKA_EXTRACTABLE	✔	✔	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	R	R	R	R
CKA_ALWAYS_SENSITIVE	R	R	R	R	R
CKA_MODULUS	✖	✖	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✖	✖
CKA_PRIME_1	✖	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖	✖	✖
CKA_EC_PARAMS	✖	✖	✖	✖	✖
CKA_EC_POINT	✖	✖	✖	✖	✖
CKA_VALUE	✖	✖	✖	✖	✖
CKA_VALUE_LEN	✖	✖	✖	✖	✖
CKA_CHECK_VALUE	R	R	R	R	R

DeriveKey

属性	密钥类型			默认值
	AES	DES3	普通机密
CKA_CLASS	✔2	✔2	✔2
CKA_KEY_TYPE	✔2	✔2	✔2
CKA_LABEL	✔	✔	✔
CKA_ID	✔	✔	✔
CKA_LOCAL	R	R	R	True
CKA_TOKEN	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	True
CKA_ENCRYPT	✔	✔	✖	False
CKA_DECRYPT	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔1	✔1	✔1	True
CKA_SIGN	✔	✔	✔	False
CKA_SIGN_RECOVER	✖	✖	✖
CKA_VERIFY	✔	✔	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖
CKA_WRAP	✔	✔	✖	False
CKA_UNWRAP	✔	✔	✖	False
CKA_SENSITIVE	R	R	R	True
CKA_EXTRACTABLE	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	R	R
CKA_ALWAYS_SENSITIVE	R	R	R
CKA_MODULUS	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖
CKA_PRIME_1	✖	✖	✖
CKA_PRIME_2	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖
CKA_EC_PARAMS	✖	✖	✖
CKA_EC_POINT	✖	✖	✖
CKA_VALUE	✖	✖	✖
CKA_VALUE_LEN	✔2	✖	✔2
CKA_CHECK_VALUE	R	R	R

GetAttributeValue

属性	密钥类型
	EC 私有	EC 公有	RSA 私有	RSA 公有	AES	DES3	普通机密
CKA_CLASS	✔	✔	✔	✔	✔	✔	✔
CKA_KEY_TYPE	✔	✔	✔	✔	✔	✔	✔
CKA_LABEL	✔	✔	✔	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔	✔	✔	✔
CKA_LOCAL	✔	✔	✔	✔	✔	✔	✔
CKA_TOKEN	✔	✔	✔	✔	✔	✔	✔
CKA_PRIVATE	✔1	✔1	✔1	✔1	✔1	✔1	✔1
CKA_ENCRYPT	✖	✖	✖	✔	✔	✔	✖
CKA_DECRYPT	✖	✖	✔	✖	✔	✔	✖
CKA_DERIVE	✔	✔	✔	✔	✔	✔	✔
CKA_MODIFIABLE	✔	✔	✔	✔	✔	✔	✔
CKA_DESTROYABLE	✔	✔	✔	✔	✔	✔	✔
CKA_SIGN	✔	✖	✔	✖	✔	✔	✔
CKA_SIGN_RECOVER	✖	✖	✔	✖	✖	✖	✖
CKA_VERIFY	✖	✔	✖	✔	✔	✔	✔
CKA_VERIFY_RECOVER	✖	✖	✖	✔	✖	✖	✖
CKA_WRAP	✖	✖	✖	✔	✔	✔	✖
CKA_WRAP_TEMPLATE	✖	✔	✖	✔	✔	✔	✖
CKA_TRUSTED	✖	✔	✖	✔	✔	✔	✔
CKA_WRAP_WITH_TRUSTED	✔	✖	✔	✖	✔	✔	✔
CKA_UNWRAP	✖	✖	✔	✖	✔	✔	✖
CKA_UNWRAP_TEMPLATE	✔	✖	✔	✖	✔	✔	✖
CKA_SENSITIVE	✔	✖	✔	✖	✔	✔	✔
CKA_EXTRACTABLE	✔	✖	✔	✖	✔	✔	✔
CKA_NEVER_EXTRACTABLE	✔	✖	✔	✖	✔	✔	✔
CKA_ALWAYS_SENSITIVE	R	R	R	R	R	R	R
CKA_MODULUS	✖	✖	✔	✔	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✔	✖	✖	✖
CKA_PRIME_1	✖	✖	S	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	S	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	S	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	S	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	S	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	S	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✔	✔	✖	✖	✖
CKA_EC_PARAMS	✔	✔	✖	✖	✖	✖	✖
CKA_EC_POINT	✖	✔	✖	✖	✖	✖	✖
CKA_VALUE	S	✖	✖	✖	✔	✔	✔
CKA_VALUE_LEN	✖	✖	✖	✖	✔	✖	✔
CKA_CHECK_VALUE	✔	✔	✔	✔	✔	✔	✖

属性注释

• [1] 此属性由固件部分支持且必须明确地仅设置为默认值。

• [2] 必需属性。

修改属性

对象的一些属性可以在对象创建后修改，有一些则不能。若要修改属性，请使用 cloudhsm_mgmt_util 中的 setAttribute 命令。您还可通过 cloudhsm_mgmt_util 中的 listAttribute 命令派生出属性列表和代表这些属性的常量。

以下列表显示了对象创建后允许修改的属性：

• CKA_LABEL

• CKA_TOKEN

  注意

  修改仅允许将会话密钥更改为令牌密钥。使用 key_mgmt_util 中的 setAttribute 命令更改属性值。

• CKA_ENCRYPT

• CKA_DECRYPT

• CKA_SIGN

• CKA_VERIFY

• CKA_WRAP

• CKA_UNWRAP

• CKA_LABEL

• CKA_SENSITIVE

• CKA_DERIVE

  注意

  此属性支持密钥派生。它对所有公有密钥必须为 False，并且无法设置为 True。对于秘密和 EC 私有密钥，它可以设置为 True 或 False。

• CKA_TRUSTED

  注意

  此属性仅可通过加密员（CO) 设置为 True 或 False。

• CKA_WRAP_WITH_TRUSTED

  注意

  将此属性应用于可导出的数据密钥，以表示此密钥只能更换为标记CKA_TRUSTED的密钥。将 CKA_WRAP_WITH_TRUSTED 设置为 true 后，该属性将变为只读，并且您无法更改或移除该属性。

解释错误代码

在模板中指定特定密钥不支持的属性会导致错误。下表包含当您违反规范时生成的错误代码：

错误代码	描述
CKR_TEMPLATE_INCONSISTENT	当您在属性模板中指定一个属性而该属性符合 PKCS #11 规范但不受 CloudHSM 支持时，您会收到此错误。
CKR_ATTRIBUTE_TYPE_INVALID	当您在属性模板中检索符合 PKCS #11 规范但不受 CloudHSM 支持的属性的值时，您会收到此错误。
CKR_ATTRIBUTE_INCOMPLETE	当您未在属性模板中指定必需属性时，您会收到此错误。
CKR_ATTRIBUTE_READ_ONLY	当您在属性模板中指定只读属性时，您会收到此错误。