libpkcs11(3LIB) Interface Libraries libpkcs11(3LIB)
NAME
libpkcs11 - PKCS#11 Cryptographic Framework library
SYNOPSIS
cc [ flag... ] file... -lpkcs11 [ library... ]
#include <security/cryptoki.h>
#include <security/pkcs11.h>
DESCRIPTION
The libpkcs11 library implements the OASIS PKCS#11 Cryptographic Token
Interface (Cryptoki), v2.40, specification by using plug-ins to provide
the slots.
Each plug-in, which also implements OASIS PKCS#11 v2.40, represents one
or more slots.
The libpkcs11 library provides a special slot called the meta slot. The
meta slot provides a virtual union of capabilities of all other slots.
When available, the meta slot is always the first slot provided by
libpkcs11. The order of the rest of the slots is not guaranteed and may
vary with every load of this library.
The meta slot feature can be configured either system-wide or by
individual users. System-wide configuration for meta slot features is
done with the cryptoadm(8) utility. User configuration for meta slot
features is performed with environment variables.
By default, the following is the system-wide configuration for meta
slot. Meta slot is enabled. Meta slot provides token-based object
support with the Software OASIS PKCS#11 softtoken (pkcs11_softtoken(7)).
Meta slot is allowed to move sensitive token objects to other slots if
that is necessary to perform an operation.
Users can override one or more system-wide configuration options for
meta slot using these environment variables.
The ${METASLOT_OBJECTSTORE_SLOT} and ${METASLOT_OBJECTSTORE_TOKEN}
environment variables are used to specify an alternate token object
store. A user can specify either slot-description in
${METASLOT_OBJECTSTORE_SLOT} or token-label in
${METASLOT_OBJECTSTORE_TOKEN}, or both.
If metaslot is unable to honor both the slot and token configurations,
then it will default to the first available slot. Valid values for
slot-description and token-label are available from output of the
command:
cryptoadm list -v
When setting the ${METASLOT_OBJECTSTORE_SLOT} environment variable,
the value must be padded with whitespace up to the 64th byte. For
example,
export METASLOT_OBJECTSTORE_SLOT="my slot description (pad whitespace up to 64th byte in here...)"
Similarly, when setting the ${METASLOT_OBJECTSTORE_TOKEN} environment
variable, the value must be padded with whitespace up to the 32nd byte.
For example,
export METASLOT_OBJECTSTORE_TOKEN="KMS (pad whitespace up to 32nd byte in here...)"
The ${METASLOT_ENABLED} environment variable is used to specify whether
the user wants to turn the metaslot feature on or off. Only two values
are recognized. The value "true" means meta slot will be on. The value
"false" means meta slot will be off.
The ${METASLOT_AUTO_KEY_MIGRATE} environment variable is used to
specify whether the user wants sensitive token objects to move to other
slots for cryptographic operations. Only two values are recognized. The
value "true" means meta slot will migrate sensitive token objects to
other slots if necessary. The value "false" means meta slot will not
migrate sensitive token objects to other slots even if it is necessary.
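The padding rules for the object-store variables and the two-value rule for the on/off variables can be enforced in a shell profile before an application loads libpkcs11. The following is an added example, not part of the original manual page; the function names are hypothetical, and the slot description and token label should be taken from the output of cryptoadm list -v.

```shell
#!/bin/sh
# Added example: function names are hypothetical. The widths (64 and 32
# bytes) and the variable names come from the text above.

# byte_len STRING: length in bytes (not characters), independent of locale.
byte_len() {
    n=$(printf '%s' "$1" | LC_ALL=C wc -c)
    echo $((n))                     # arithmetic strips padding wc may add
}

# pad_field STRING WIDTH: print STRING space-padded to exactly WIDTH bytes.
# Returns 1 and prints nothing on stdout if STRING is longer than WIDTH.
pad_field() {
    len=$(byte_len "$1")
    if [ "$len" -gt "$2" ]; then
        echo "pad_field: value is $len bytes, limit is $2" >&2
        return 1
    fi
    pad=$(( $2 - len ))
    printf '%s' "$1"
    if [ "$pad" -gt 0 ]; then
        printf "%${pad}s" ''        # emit exactly $pad spaces
    fi
}

# set_metaslot_store SLOT_DESCRIPTION TOKEN_LABEL
# Exports both variables, or neither if either value does not fit.
set_metaslot_store() {
    slot=$(pad_field "$1" 64) || return 1
    token=$(pad_field "$2" 32) || return 1
    METASLOT_OBJECTSTORE_SLOT=$slot
    METASLOT_OBJECTSTORE_TOKEN=$token
    export METASLOT_OBJECTSTORE_SLOT METASLOT_OBJECTSTORE_TOKEN
}

# set_metaslot_flag NAME VALUE: only "true" and "false" are recognized.
set_metaslot_flag() {
    case $1 in
        METASLOT_ENABLED|METASLOT_AUTO_KEY_MIGRATE) ;;
        *) echo "unknown variable: $1" >&2; return 1 ;;
    esac
    case $2 in
        true|false) export "$1=$2" ;;
        *) echo "$1: expected true or false, got '$2'" >&2; return 1 ;;
    esac
}
```

Setting METASLOT_AUTO_KEY_MIGRATE to false through set_metaslot_flag keeps sensitive token objects in their original slot, at the cost of operations that would otherwise need a migration.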
When the meta slot feature is enabled, the slot that provides
token-based object support is not shown as one of the available slots.
All of its functionality can be used with the meta slot.
This library filters the list of mechanisms available from plug-ins
based on the policy set by cryptoadm(8).
This library provides entry points for all PKCS#11 v2.40 functions. See
the OASIS PKCS#11 v2.40 specification at
https://www.oasis-open.org/committees/pkcs11/ .
The cryptoadm(8) command can be used to add plugins to libpkcs11, as
well as to administer the available mechanisms.
Plug-ins are added to libpkcs11 by the cryptoadm(8) install subcommand,
and available mechanisms are administered by the cryptoadm(8) utility.
Plug-ins must have all of their library dependencies specified,
including libc(3LIB). Libraries that have unresolved symbols, including
those from libc, will be rejected and a message will be sent to
syslog(3C) for such plug-ins.
Any plug-in that is not a compatible version of PKCS#11 will be dropped
by libpkcs11. When a plug-in is dropped, the administrator is alerted
by the syslog(3C) utility.
The <security/pkcs11f.h> header contains function definitions. The
<security/pkcs11t.h> header contains type definitions. Applications can
include either of these headers in place of <security/pkcs11.h>, which
contains both function and type definitions.
INTERFACES
The shared object libpkcs11.so.1 provides the public interfaces defined
below. See intro(3) for additional information on shared object
interfaces.
PKCS#11 Standard
C_CloseAllSessions          C_CloseSession
C_CopyObject                C_CreateObject
C_Decrypt                   C_DecryptDigestUpdate
C_DecryptFinal              C_DecryptInit
C_DecryptUpdate             C_DecryptVerifyUpdate
C_DeriveKey                 C_DestroyObject
C_Digest                    C_DigestEncryptUpdate
C_DigestFinal               C_DigestInit
C_DigestKey                 C_DigestUpdate
C_Encrypt                   C_EncryptFinal
C_EncryptInit               C_EncryptUpdate
C_Finalize                  C_FindObjects
C_FindObjectsFinal          C_FindObjectsInit
C_GenerateKey               C_GenerateKeyPair
C_GenerateRandom            C_GetAttributeValue
C_GetFunctionList           C_GetInfo
C_GetMechanismInfo          C_GetMechanismList
C_GetObjectSize             C_GetOperationState
C_GetSessionInfo            C_GetSlotInfo
C_GetSlotList               C_GetTokenInfo
C_InitPIN                   C_InitToken
C_Initialize                C_Login
C_Logout                    C_OpenSession
C_SeedRandom                C_SetAttributeValue
C_SetOperationState         C_SetPIN
C_Sign                      C_SignEncryptUpdate
C_SignFinal                 C_SignInit
C_SignRecover               C_SignRecoverInit
C_SignUpdate                C_UnwrapKey
C_Verify                    C_VerifyFinal
C_VerifyInit                C_VerifyRecover
C_VerifyRecoverInit         C_VerifyUpdate
C_WaitForSlotEvent          C_WrapKey
SUNW Extensions
SUNW_C_GetMechSession       SUNW_C_KeyToObject
FILES
/usr/lib/libpkcs11.so.1 shared object
/usr/lib/64/libpkcs11.so.1 64-bit shared object
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
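+---------------------+----------------------------------------------+
| ATTRIBUTE TYPE      | ATTRIBUTE VALUE                              |
+---------------------+----------------------------------------------+
| Availability        | system/library/security/pkcs11               |
+---------------------+----------------------------------------------+
| Interface Stability | Committed                                    |
+---------------------+----------------------------------------------+
| MT-Level            | MT-Safe with exceptions. See section 1.9.3   |
|                     | of OASIS PKCS#11 v2.40 Usage Guide           |
+---------------------+----------------------------------------------+
| Standard            | PKCS#11 v2.40                                |
+---------------------+----------------------------------------------+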
The PKCS#11 Standard functions conform to PKCS#11 v2.40.
SEE ALSO
syslog(3C), SUNW_C_GetMechSession(3EXT), intro(3), attributes(7),
pkcs11_softtoken(7), cryptoadm(8)
OASIS PKCS#11 v2.40 specification
https://www.oasis-open.org/committees/pkcs11/
NOTES
If an application calls C_WaitForSlotEvent() without the CKF_DONT_BLOCK
flag set, libpkcs11 must create threads internally. If, however,
CKF_LIBRARY_CANT_CREATE_OS_THREADS is set, C_WaitForSlotEvent() returns
CKR_FUNCTION_FAILED.
Because C_Initialize() might have been called by both an application
and a library, it is not safe for a library or its plugins to call
C_Finalize(). A library can be finished calling functions from
libpkcs11, while an application might not.
Oracle Solaris 11.4 14 May 2018 libpkcs11(3LIB)