支援的金鑰屬性

金鑰物件可以是公有金鑰、私有金鑰或私密金鑰。系統會透過屬性來指定金鑰物件上允許的動作。金鑰物件建立時，即會一併建立屬性。在您使用 PKCS #11 程式庫時，我們會指派 PKCS #11 標準所指定的預設值。

AWS CloudHSM 並不是 PKCS #11 規格中列出的所有屬性皆受到 CloudHSM 支援。我們會符合所有支援屬性的規格，並在個別表格中列出這些屬性。

用來建立、修改或複製物件的加密函數 (如 C_CreateObject、C_GenerateKey、C_GenerateKeyPair、C_UnwrapKey 和 C_DeriveKey) 會採用屬性範本做為其中一個參數。如需關於在建立物件期間傳遞屬性範本的詳細資訊，請參閱透過 PKCS #11 程式庫產生金鑰（以此為例）。

PKCS #11 程式庫屬性解譯表

PKCS #11 程式庫表包含金鑰類型不同的屬性清單。該表會指出使用指定加密函數搭配 AWS CloudHSM 時，指定屬性是否受特定金鑰類型支援。

圖例：

• ✔ 表示 CloudHSM 支援特定金鑰類型的屬性。

• ✖ 表示 CloudHSM 不支援特定金鑰類型的屬性。

• R 表示特定金鑰類型的屬性值設定為唯讀模式。

• S 表示屬性較為敏感，因此無法透過 GetAttributeValue 讀取。

• 預設值欄位中的空白儲存格表示屬性沒有獲派指定預設值。

GenerateKeyPair

屬性	金鑰類型				預設值
	EC 私有金鑰	EC 公有金鑰	RSA 私有金鑰	RSA 公有金鑰
CKA_CLASS	✔	✔	✔	✔
CKA_KEY_TYPE	✔	✔	✔	✔
CKA_LABEL	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔
CKA_LOCAL	R	R	R	R	True
CKA_TOKEN	✔	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	✔1	True
CKA_ENCRYPT	✖	✔	✖	✔	False
CKA_DECRYPT	✔	✖	✔	✖	False
CKA_DERIVE	✔	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	✔	True
CKA_SIGN	✔	✖	✔	✖	False
CKA_SIGN_RECOVER	✖	✖	✖	✖
CKA_VERIFY	✖	✔	✖	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖	✖
CKA_WRAP	✖	✔	✖	✔	False
CKA_WRAP_TEMPLATE	✖	✔	✖	✔
CKA_TRUSTED	✖	✔	✖	✔	False
CKA_WRAP_WITH_TRUSTED	✔	✖	✔	✖	False
CKA_UNWRAP	✔	✖	✔	✖	False
CKA_UNWRAP_TEMPLATE	✔	✖	✔	✖
CKA_SENSITIVE	✔1	✖	✔1	✖	True
CKA_ALWAYS_SENSITIVE	R	✖	R	✖
CKA_EXTRACTABLE	✔	✖	✔	✖	True
CKA_NEVER_EXTRACTABLE	R	✖	R	✖
CKA_MODULUS	✖	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✔2
CKA_PRIME_1	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖	✔2
CKA_EC_PARAMS	✖	✔2	✖	✖
CKA_EC_POINT	✖	✖	✖	✖
CKA_VALUE	✖	✖	✖	✖
CKA_VALUE_LEN	✖	✖	✖	✖
CKA_CHECK_VALUE	R	R	R	R

GenerateKey

屬性	金鑰類型			預設值
	AES	DES3	一般私密金鑰
CKA_CLASS	✔	✔	✔
CKA_KEY_TYPE	✔	✔	✔
CKA_LABEL	✔	✔	✔
CKA_ID	✔	✔	✔
CKA_LOCAL	R	R	R	True
CKA_TOKEN	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	True
CKA_ENCRYPT	✔	✔	✖	False
CKA_DECRYPT	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	True
CKA_SIGN	✔	✔	✔	True
CKA_SIGN_RECOVER	✖	✖	✖
CKA_VERIFY	✔	✔	✔	True
CKA_VERIFY_RECOVER	✖	✖	✖
CKA_WRAP	✔	✔	✖	False
CKA_WRAP_TEMPLATE	✔	✔	✖
CKA_TRUSTED	✔	✔	✖	False
CKA_WRAP_WITH_TRUSTED	✔	✔	✔	False
CKA_UNWRAP	✔	✔	✖	False
CKA_UNWRAP_TEMPLATE	✔	✔	✖
CKA_SENSITIVE	✔	✔	✔	True
CKA_ALWAYS_SENSITIVE	✖	✖	✖
CKA_EXTRACTABLE	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	R	R
CKA_MODULUS	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖
CKA_PRIME_1	✖	✖	✖
CKA_PRIME_2	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖
CKA_EC_PARAMS	✖	✖	✖
CKA_EC_POINT	✖	✖	✖
CKA_VALUE	✖	✖	✖
CKA_VALUE_LEN	✔2	✖	✔2
CKA_CHECK_VALUE	R	R	R

CreateObject

屬性	金鑰類型							預設值
	EC 私有金鑰	EC 公有金鑰	RSA 私有金鑰	RSA 公有金鑰	AES	DES3	一般私密金鑰
CKA_CLASS	✔2	✔2	✔2	✔2	✔2	✔2	✔2
CKA_KEY_TYPE	✔2	✔2	✔2	✔2	✔2	✔2	✔2
CKA_LABEL	✔	✔	✔	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔	✔	✔	✔
CKA_LOCAL	R	R	R	R	R	R	R	False
CKA_TOKEN	✔	✔	✔	✔	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	✔1	✔1	✔1	✔1	True
CKA_ENCRYPT	✖	✖	✖	✔	✔	✔	✖	False
CKA_DECRYPT	✖	✖	✔	✖	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	✔	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	✔1	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	✔	✔	✔	✔	True
CKA_SIGN	✔	✖	✔	✖	✔	✔	✔	False
CKA_SIGN_RECOVER	✖	✖	✖	✖	✖	✖	✖	False
CKA_VERIFY	✖	✔	✖	✔	✔	✔	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖	✖	✖	✖	✖
CKA_WRAP	✖	✖	✖	✔	✔	✔	✖	False
CKA_WRAP_TEMPLATE	✖	✔	✖	✔	✔	✔	✖
CKA_TRUSTED	✖	✔	✖	✔	✔	✔	✖	False
CKA_WRAP_WITH_TRUSTED	✔	✖	✔	✖	✔	✔	✔	False
CKA_UNWRAP	✖	✖	✔	✖	✔	✔	✖	False
CKA_UNWRAP_TEMPLATE	✔	✖	✔	✖	✔	✔	✖
CKA_SENSITIVE	✔	✖	✔	✖	✔	✔	✔	True
CKA_ALWAYS_SENSITIVE	R	✖	R	✖	R	R	R
CKA_EXTRACTABLE	✔	✖	✔	✖	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	✖	R	✖	R	R	R
CKA_MODULUS	✖	✖	✔2	✔2	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✖	✖	✖	✖
CKA_PRIME_1	✖	✖	✔	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	✔	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✔	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✔	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✔	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✔2	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✔2	✔2	✖	✖	✖
CKA_EC_PARAMS	✔2	✔2	✖	✖	✖	✖	✖
CKA_EC_POINT	✖	✔2	✖	✖	✖	✖	✖
CKA_VALUE	✔2	✖	✖	✖	✔2	✔2	✔2
CKA_VALUE_LEN	✖	✖	✖	✖	✖	✖	✖
CKA_CHECK_VALUE	R	R	R	R	R	R	R

UnwrapKey

屬性	金鑰類型					預設值
	EC 私有金鑰	RSA 私有金鑰	AES	DES3	一般私密金鑰
CKA_CLASS	✔2	✔2	✔2	✔2	✔2
CKA_KEY_TYPE	✔2	✔2	✔2	✔2	✔2
CKA_LABEL	✔	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔	✔
CKA_LOCAL	R	R	R	R	R	False
CKA_TOKEN	✔	✔	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	✔1	✔1	True
CKA_ENCRYPT	✖	✖	✔	✔	✖	False
CKA_DECRYPT	✖	✔	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔	✔	✔	✔	✔	True
CKA_SIGN	✔	✔	✔	✔	✔	False
CKA_SIGN_RECOVER	✖	✖	✖	✖	✖	False
CKA_VERIFY	✖	✖	✔	✔	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖	✖	✖
CKA_WRAP	✖	✖	✔	✔	✖	False
CKA_UNWRAP	✖	✔	✔	✔	✖	False
CKA_SENSITIVE	✔	✔	✔	✔	✔	True
CKA_EXTRACTABLE	✔	✔	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	R	R	R	R
CKA_ALWAYS_SENSITIVE	R	R	R	R	R
CKA_MODULUS	✖	✖	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✖	✖
CKA_PRIME_1	✖	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖	✖	✖
CKA_EC_PARAMS	✖	✖	✖	✖	✖
CKA_EC_POINT	✖	✖	✖	✖	✖
CKA_VALUE	✖	✖	✖	✖	✖
CKA_VALUE_LEN	✖	✖	✖	✖	✖
CKA_CHECK_VALUE	R	R	R	R	R

DeriveKey

屬性	金鑰類型			預設值
	AES	DES3	一般私密金鑰
CKA_CLASS	✔2	✔2	✔2
CKA_KEY_TYPE	✔2	✔2	✔2
CKA_LABEL	✔	✔	✔
CKA_ID	✔	✔	✔
CKA_LOCAL	R	R	R	True
CKA_TOKEN	✔	✔	✔	False
CKA_PRIVATE	✔1	✔1	✔1	True
CKA_ENCRYPT	✔	✔	✖	False
CKA_DECRYPT	✔	✔	✖	False
CKA_DERIVE	✔	✔	✔	False
CKA_MODIFIABLE	✔1	✔1	✔1	True
CKA_DESTROYABLE	✔1	✔1	✔1	True
CKA_SIGN	✔	✔	✔	False
CKA_SIGN_RECOVER	✖	✖	✖
CKA_VERIFY	✔	✔	✔	False
CKA_VERIFY_RECOVER	✖	✖	✖
CKA_WRAP	✔	✔	✖	False
CKA_UNWRAP	✔	✔	✖	False
CKA_SENSITIVE	R	R	R	True
CKA_EXTRACTABLE	✔	✔	✔	True
CKA_NEVER_EXTRACTABLE	R	R	R
CKA_ALWAYS_SENSITIVE	R	R	R
CKA_MODULUS	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖
CKA_PRIME_1	✖	✖	✖
CKA_PRIME_2	✖	✖	✖
CKA_COEFFICIENT	✖	✖	✖
CKA_EXPONENT_1	✖	✖	✖
CKA_EXPONENT_2	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✖
CKA_EC_PARAMS	✖	✖	✖
CKA_EC_POINT	✖	✖	✖
CKA_VALUE	✖	✖	✖
CKA_VALUE_LEN	✔2	✖	✔2
CKA_CHECK_VALUE	R	R	R

GetAttributeValue

屬性	金鑰類型
	EC 私有金鑰	EC 公有金鑰	RSA 私有金鑰	RSA 公有金鑰	AES	DES3	一般私密金鑰
CKA_CLASS	✔	✔	✔	✔	✔	✔	✔
CKA_KEY_TYPE	✔	✔	✔	✔	✔	✔	✔
CKA_LABEL	✔	✔	✔	✔	✔	✔	✔
CKA_ID	✔	✔	✔	✔	✔	✔	✔
CKA_LOCAL	✔	✔	✔	✔	✔	✔	✔
CKA_TOKEN	✔	✔	✔	✔	✔	✔	✔
CKA_PRIVATE	✔1	✔1	✔1	✔1	✔1	✔1	✔1
CKA_ENCRYPT	✖	✖	✖	✔	✔	✔	✖
CKA_DECRYPT	✖	✖	✔	✖	✔	✔	✖
CKA_DERIVE	✔	✔	✔	✔	✔	✔	✔
CKA_MODIFIABLE	✔	✔	✔	✔	✔	✔	✔
CKA_DESTROYABLE	✔	✔	✔	✔	✔	✔	✔
CKA_SIGN	✔	✖	✔	✖	✔	✔	✔
CKA_SIGN_RECOVER	✖	✖	✔	✖	✖	✖	✖
CKA_VERIFY	✖	✔	✖	✔	✔	✔	✔
CKA_VERIFY_RECOVER	✖	✖	✖	✔	✖	✖	✖
CKA_WRAP	✖	✖	✖	✔	✔	✔	✖
CKA_WRAP_TEMPLATE	✖	✔	✖	✔	✔	✔	✖
CKA_TRUSTED	✖	✔	✖	✔	✔	✔	✔
CKA_WRAP_WITH_TRUSTED	✔	✖	✔	✖	✔	✔	✔
CKA_UNWRAP	✖	✖	✔	✖	✔	✔	✖
CKA_UNWRAP_TEMPLATE	✔	✖	✔	✖	✔	✔	✖
CKA_SENSITIVE	✔	✖	✔	✖	✔	✔	✔
CKA_EXTRACTABLE	✔	✖	✔	✖	✔	✔	✔
CKA_NEVER_EXTRACTABLE	✔	✖	✔	✖	✔	✔	✔
CKA_ALWAYS_SENSITIVE	R	R	R	R	R	R	R
CKA_MODULUS	✖	✖	✔	✔	✖	✖	✖
CKA_MODULUS_BITS	✖	✖	✖	✔	✖	✖	✖
CKA_PRIME_1	✖	✖	S	✖	✖	✖	✖
CKA_PRIME_2	✖	✖	S	✖	✖	✖	✖
CKA_COEFFICIENT	✖	✖	S	✖	✖	✖	✖
CKA_EXPONENT_1	✖	✖	S	✖	✖	✖	✖
CKA_EXPONENT_2	✖	✖	S	✖	✖	✖	✖
CKA_PRIVATE_EXPONENT	✖	✖	S	✖	✖	✖	✖
CKA_PUBLIC_EXPONENT	✖	✖	✔	✔	✖	✖	✖
CKA_EC_PARAMS	✔	✔	✖	✖	✖	✖	✖
CKA_EC_POINT	✖	✔	✖	✖	✖	✖	✖
CKA_VALUE	S	✖	✖	✖	✔	✔	✔
CKA_VALUE_LEN	✖	✖	✖	✖	✔	✖	✔
CKA_CHECK_VALUE	✔	✔	✔	✔	✔	✔	✖

屬性註釋

• [1] 此屬性受韌體部分支援，且需明確設定為僅限預設值。

• [2] 必要屬性。

修改屬性

有些物件屬性可在物件建立後進行修改，但有些不行。若要修改屬性，請使用來自 cloudhsm_mgmt_util 的 setAttribute 命令。您也可以使用來自 cloudhsm_mgmt_util 的 listAttribute 命令，來衍生屬性和代表這些屬性的常數清單。

下列清單會顯示物件建立後可修改的屬性：

• CKA_LABEL

• CKA_TOKEN

  注意

  只有在將工作階段金鑰變更為符記金鑰時，才允許進行修改。使用 key_mgmt_util 中的 setAttribute 命令來變更屬性值。

• CKA_ENCRYPT

• CKA_DECRYPT

• CKA_SIGN

• CKA_VERIFY

• CKA_WRAP

• CKA_UNWRAP

• CKA_LABEL

• CKA_SENSITIVE

• CKA_DERIVE

  注意

  這個屬性支援金鑰衍生。所有公有金鑰的屬性須為 False，不能設定為 True。如果是私密金鑰和 EC 私有金鑰，則該屬性可設定為 True 或 False。

• CKA_TRUSTED

  注意

  唯有加密管理員 (CO) 可將這個屬性設定成 True 或 False。

• CKA_WRAP_WITH_TRUSTED

  注意

  將此屬性套用於可匯出的資料金鑰，以表明只能使用標記為 CKA_TRUSTED 的金鑰包裝此金鑰。一旦設定 CKA_WRAP_WITH_TRUSTED 為 true，屬性就會變成唯讀，而且您無法變更或移除屬性。

解譯錯誤代碼

若在範本中指定特定金鑰不支援的屬性，就會導致錯誤。下表包含違反規格時所產生的錯誤代碼：

錯誤代碼	Description
CKR_TEMPLATE_INCONSISTENT	當您在屬性範本中指定的屬性符合 PKCS #11 規格，卻不受 CloudHSM 支援時，就會收到此錯誤。
CKR_ATTRIBUTE_TYPE_INVALID	當您擷取的屬性值符合 PKCS #11 規格，卻不受 CloudHSM 支援時，就會收到此錯誤。
CKR_ATTRIBUTE_INCOMPLETE	當您沒有在屬性範本中指定必要屬性時，就會收到此錯誤。
CKR_ATTRIBUTE_READ_ONLY	當您在屬性範本中指定唯讀屬性時，就會收到此錯誤。