Another interesting thing I have found is that it will proceed to C_GetMechanismInfo if I include "CKM_RSA_PKCS_KEY_PAIR_GEN". But to my understanding of Notes, it only uses CKM_RSA_PKCS, CKM_MD5_RSA_PKCS and CKM_SHA1_RSA_PKCS (since we do not expect Notes to generate the key pair, as our smartcard is pre-loaded with keys and certificates). Please correct me if I'm wrong in this.
Before checking for importable certificates/keys, Notes will verify that the token supports the required crypto capabilities. In 6.0, this means that the CKM_RSA_PKCS mechanism exists, and has at least the CKF_HW, CKF_SIGN, and CKF_DECRYPT flags set.
After I included "CKM_RSA_PKCS_KEY_PAIR_GEN", Notes continues the process and calls C_FindObject with a template that contains only a single attribute, CKA_CLASS with CKO_PRIVATE_KEY. But I have not noticed any calls to C_CreateObject for this. What is Notes trying to achieve?
When importing keys/certificates, we don't create any objects on the token. We create objects on the token when exporting keys from Notes to the token.
Importing:
- Confirm that the token is logged in, that the CKM_RSA_PKCS mechanism is supported, and has at least the CKF_HW, CKF_SIGN, and CKF_DECRYPT flags set.
- Notes calls C_FindObjectsInit, C_FindObjects, and C_FindObjectsFinal to determine the number of CKO_PRIVATE_KEYs that are already on the token and acquire their object handles.
- Notes calls the above C_FindObjects* a number of times to find the CKO_CERTIFICATE/CKC_X_509 with CKA_IDs matching the CKA_IDs from the private keys found in the previous step.
- If using the GUI "Import Internet Certificate From a Smartcard", then each of the "pairs" will be imported into the ID file (the certificates will be imported into the ID file, and "pointers" will be added to the ID file to tell Notes that any operations involving the new private keys should be performed on the appropriate token with the appropriate key).
Exporting involves calling C_CreateObject, but that isn't triggered by "Import Internet Certificate From a Smartcard", it is triggered by "Move Private Key to a Smartcard".
Since the CKA_ID is derived from the key, how does Notes get this "key" information through a pkcs#11 function? I believe this is done when Notes does "Import Internet Certificate from a Smartcard", but what function will it call to get this, as we have not coded any part in pkcs#11 that does this?
When we import a pre-existing key and certificate from the token, the CKA_ID attribute is acquired from the CKO_PRIVATE_KEY via C_GetAttributeValue.
According to my understanding, some smartcards will not allow the private key information to be released, so how will Notes get the hash (MD5/SHA1) of the private key?
The SPKI is the subject public key info, as defined in one of the PKCS specs; I can't remember which off the top of my head. When Notes exports a key that we already have in the Notes ID file to the token, then we have the public key, and can easily hash it. When the key starts out on the token and we are importing it into Notes, then we use whatever value for the CKA_ID that the token gives us.
If we wanted to introduce the "Declaration of Independence" CKA_ID to Notes, how could we achieve this? Is this done through pkcs#11 (if yes, which function), or is there an interface provided by Notes to set this?
The "Declaration of Independence" is a document of some historical importance in the USA. The reference was hyperbole.
Basically, if we are importing the key from the token, we will call C_GetAttributeValue on the CKO_PRIVATE_KEY to acquire the CKA_ID. Whatever the token hands us, we'll use and store, regardless of how long or absurd it may be. It could be a simple hash, it could be a MS-CAPI container name, and it could be just about anything else. We don't really care, as long as it's unique to and shared by the CKO_PRIVATE_KEY and the CKO_CERTIFICATE.
dave
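The import sequence dave describes (mechanism-flag check, C_FindObjects* for CKO_PRIVATE_KEY, CKA_ID read via C_GetAttributeValue, then the CKC_X_509 certificate with the matching CKA_ID), as an added example that is not from this thread or from Notes itself. FakeSession is a constructed in-memory stand-in for a token session, not a real PKCS#11 module; the CK* constant values are the standard PKCS#11 ones.

```python
# Constructed example: Notes-style import discovery against an in-memory stand-in session.
CKA_CLASS, CKA_CERTIFICATE_TYPE, CKA_ID = 0x0, 0x80, 0x102
CKO_CERTIFICATE, CKO_PRIVATE_KEY, CKC_X_509 = 0x1, 0x3, 0x0
CKM_RSA_PKCS, CKF_HW, CKF_DECRYPT, CKF_SIGN = 0x1, 0x1, 0x100, 0x800
REQUIRED_FLAGS = CKF_HW | CKF_SIGN | CKF_DECRYPT   # what Notes 6.0 insists on

class FakeSession:
    """Hypothetical in-memory token exposing only the calls the thread names."""
    def __init__(self, objects, mech_flags, logged_in=True):
        self.objects = objects        # handle -> {CKA_*: value}
        self.mech_flags = mech_flags  # CKM_* -> CKF_* bitmask
        self.logged_in = logged_in
        self._cursor = []
    def C_GetMechanismInfo(self, mech):
        return self.mech_flags.get(mech, 0)   # unknown mechanism: no flags at all
    def C_FindObjectsInit(self, template):
        self._cursor = [h for h, attrs in self.objects.items()
                        if all(attrs.get(a) == v for a, v in template.items())]
    def C_FindObjects(self, max_count):
        batch, self._cursor = self._cursor[:max_count], self._cursor[max_count:]
        return batch
    def C_FindObjectsFinal(self):
        self._cursor = []
    def C_GetAttributeValue(self, handle, attr):
        return self.objects[handle][attr]

def find_all(sess, template):
    """C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal, draining every match."""
    sess.C_FindObjectsInit(template)
    handles = []
    while batch := sess.C_FindObjects(8):
        handles.extend(batch)
    sess.C_FindObjectsFinal()
    return handles

def importable_pairs(sess):
    """(key_handle, cert_handle, cka_id) triples the import dialog would offer."""
    if not sess.logged_in:
        raise RuntimeError("token not logged in")
    missing = REQUIRED_FLAGS & ~sess.C_GetMechanismInfo(CKM_RSA_PKCS)
    if missing:
        raise RuntimeError(f"CKM_RSA_PKCS missing flags 0x{missing:x}")
    pairs = []
    for key in find_all(sess, {CKA_CLASS: CKO_PRIVATE_KEY}):
        key_id = sess.C_GetAttributeValue(key, CKA_ID)   # used as-is, whatever it is
        certs = find_all(sess, {CKA_CLASS: CKO_CERTIFICATE,
                                CKA_CERTIFICATE_TYPE: CKC_X_509, CKA_ID: key_id})
        if len(certs) == 1:   # unpaired key or ambiguous CKA_ID: nothing to import
            pairs.append((key, certs[0], key_id))
    return pairs
```

A key whose CKA_ID has no certificate, or is shared by two certificates, is skipped rather than imported, and a token whose CKM_RSA_PKCS lacks CKF_DECRYPT is rejected before any object search starts.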