svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
pkcs11_softtoken(7)
Standards, Environments, Macros, Character Sets, and miscellany
pkcs11_softtoken(7)
NAME
pkcs11_softtoken - Software OASIS PKCS#11 softtoken
SYNOPSIS
/usr/lib/security/pkcs11_softtoken.so
/usr/lib/security/64/pkcs11_softtoken.so
DESCRIPTION
The pkcs11_softtoken.so object implements the OASIS PKCS#11 Crypto‐
graphic Token Interface (Cryptoki), v2.40, specification, in software.
Persistent storage for token objects is provided by this PKCS#11 imple‐
mentation.
The pkcs11_softtoken provider is a required part of Oracle Solaris and
must not be disabled using cryptoadm(8).
Some of the cryptographic algorithms may be hardware accelerated.
Administrators can run the following command to determine this list for
their system, and look at the HW column in the output:
# cryptoadm list -vm provider='/usr/lib/security/$ISA/pkcs11_softtoken.so'
For developers, the CKF_HW flag is set in the CK_MECHANISM_INFO struc‐
ture for those PKCS#11 mechanisms that are hardware accelerated.
Application developers should link to libpkcs11.so rather than link
directly to pkcs11_softtoken.so. See libpkcs11(3LIB).
The following cryptographic algorithms are implemented: DES, 3DES, AES,
Blowfish, RC4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RSA, DSA, DH,
ECC, and Camellia. Note that RC4 can be used only for decryption.
All of the Standard PKCS#11 functions listed on libpkcs11(3LIB) are
implemented except for the following:
C_GetObjectSize
C_InitPIN
C_WaitForSlotEvent
A call to these functions returns CKR_FUNCTION_NOT_SUPPORTED.
The following OASIS PKCS#11 v2.40 mechanisms are supported:
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA
CKM_ECDSA_SHA1
CKM_ECDH1_DERIVE
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_AES_KEY_GEN
CKM_AES_ECB
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_AES_CTR
CKM_AES_XCBC_MAC
CKM_AES_XCBC_MAC_96
CKM_AES_GMAC
CKM_AES_GCM
CKM_AES_CCM
CKM_AES_CFB128
CKM_BLOWFISH_KEY_GEN
CKM_BLOWFISH_CBC
CKM_CAMELLIA_KEY_GEN
CKM_CAMELLIA_ECB
CKM_CAMELLIA_CBC
CKM_RC4_KEY_GEN
CKM_RC4 (usable for decryption only)
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA224_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_MD5
CKM_SHA_1
CKM_SHA224
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_SHA512_224
CKM_SHA512_256
CKM_SHA512_T
CKM_MD5_HMAC
CKM_MD5_HMAC_GENERAL
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA224_HMAC
CKM_SHA256_HMAC
CKM_SHA224_HMAC_GENERAL
CKM_SHA512_224_HMAC_GENERAL
CKM_SHA512_256_HMAC_GENERAL
CKM_SHA512_T_HMAC_GENERAL
CKM_SHA512_224_HMAC
CKM_SHA512_256_HMAC
CKM_SHA512_T_HMAC
CKM_SHA256_HMAC_GENERAL
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_MD5_KEY_DERIVATION
CKM_SHA1_KEY_DERIVATION
CKM_SHA224_KEY_DERIVATION
CKM_SHA256_KEY_DERIVATION
CKM_SHA384_KEY_DERIVATION
CKM_SHA512_KEY_DERIVATION
CKM_SHA512_224_KEY_DERIVATION
CKM_SHA512_256_KEY_DERIVATION
CKM_SHA512_T_KEY_DERIVATION
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_TLS_PRE_MASTER_KEY_GEN
CKM_TLS_MASTER_KEY_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH
CKM_TLS12_MASTER_KEY_DERIVE
CKM_TLS12_MASTER_KEY_DERIVE_DH
CKM_TLS12_KEY_AND_MAC_DERIVE
CKM_TLS12_KEY_SAFE_DERIVE
CKM_TLS_KDF
CKM_TLS_MAC
Each of the following types of key objects has certain token-specific
attributes that are set to true by default as a result of object cre‐
ation, key/key pair generation, and key derivation.
Public key object CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER
Private key object CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER,
CKA_EXTRACTABLE
Secret key object CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY,
CKA_EXTRACTABLE
The following certificate objects are supported:
CKC_X_509 For CKC_X_509 certificate objects, the following
attributes are supported: CKA_SUBJECT,
CKA_VALUE, CKA_LABEL, CKA_ID, CKA_ISSUER,
CKA_SERIAL_NUMBER, and CKA_CERTIFICATE_TYPE.
CKC_X_509_ATTR_CERT For CKC_X_509_ATTR_CERT certificate objects, the
following attributes are supported: CKA_OWNER,
CKA_VALUE, CKA_LABEL, CKA_SERIAL_NUMBER,
CKA_AC_ISSUER, CKA_ATTR_TYPES, and CKA_CERTIFI‐
CATE_TYPE.
The search operation of objects matching the template is performed at
C_FindObjectsInit. The matched objects are cached for subsequent
C_FindObjects operations.
The pkcs11_softtoken.so object provides a filesystem-based persistent
token object store for storing token objects. The default location of
the token object store is /var/user/$USERNAME/pkcs11_softtoken. The
user can override the default location by using the ${SOFTTOKEN_DIR}
environment variable.
If the token object store has never been initialized, the C_Login()
function might return CKR_OK but the user is not able to create, gener‐
ate, derive or find any private token object and receives
CKR_PIN_EXPIRED.
The user should use the pktool inittoken command with the new or exist‐
ing passphrase to initialize or re-initialize a token object store
respectively. A user-defined token label for softtoken can be set or
changed. More importantly, all objects inside the token object store
will be destroyed. Then, the user may just use the pktool setpin com‐
mand to change the passphrase of the token object store afterward.
After logging into object store with the new passphrase that was set by
the pktool setpin command, the user can create and store the private
token object in this newly created object store. Until the token object
store is initialized by setpin, the C_Login() function is allowed, but
all attempts by the user to create, generate, derive or find any pri‐
vate token object fails with a CKR_PIN_EXPIRED error.
The PIN provided for C_Login() and C_SetPIN() functions can be any
string of characters with lengths between 1 and 256 and no embedded
nulls.
RETURN VALUES
The return values for each of the implemented functions are defined and
listed in the OASIS PKCS#11 v2.40 specification. See https://www.oasis-
open.org/committees/pkcs11/
FILES
/var/user/$USERNAME/pkcs11_softtoken
user's default token object store
${SOFTTOKEN_DIR}/pkcs11_softtoken
alternate location for token object store
ATTRIBUTES
See attributes(7) for a description of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Availabilitysystem/library/security/pkcs11_softtoken _
Interface StabilityCommitted _ MT-LevelT{ MT-Safe with exceptions. See
section 1.9.3 of OASIS PKCS#11 v2.40 Usage Guide T} _ StandardPKCS#11
v2.40
SEE ALSO
pktool(1), cryptoadm(8), libpkcs11(3LIB), attributes(7)
OASIS PKCS#11 v2.40 specification
https://www.oasis-open.org/committees/pkcs11/
Oracle Solaris 11.4 27 Nov 2017 pkcs11_softtoken(7)