xref: /illumos-gate/usr/src/man/man7/pkcs11_kernel.7 (revision 2570281cf351044b6936651ce26dbe1f801dcbd8)
Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
PKCS11_KERNEL 7 "Oct 27, 2005"
NAME
pkcs11_kernel - PKCS#11 interface to Kernel Cryptographic Framework
SYNOPSIS

/usr/lib/security/pkcs11_kernel.so
/usr/lib/security/64/pkcs11_kernel.so
DESCRIPTION

The pkcs11_kernel.so object implements the RSA PKCS#11 v2.20 specification by using a private interface to communicate with the Kernel Cryptographic Framework.

Each unique hardware provider is represented by a PKCS#11 slot. In a system with no hardware Kernel Cryptographic Framework providers, this PKCS#11 library presents no slots.

The PKCS#11 mechanisms provided by this library are determined by the available hardware providers.

Application developers should link to libpkcs11.so rather than link directly to pkcs11_kernel.so. See libpkcs11(3LIB).

All of the standard PKCS#11 functions listed in libpkcs11(3LIB) are implemented except for the following:

C_DecryptDigestUpdate
C_DecryptVerifyUpdate
C_DigestEncryptUpdate
C_GetOperationState
C_InitToken
C_InitPIN
C_SetOperationState
C_SignEncryptUpdate
C_WaitForSlotEvent

A call to any of these functions returns CKR_FUNCTION_NOT_SUPPORTED.

Buffers cannot be greater than 2 megabytes. For example, C_Encrypt() can be called with a 2 megabyte buffer of plaintext and a 2 megabyte buffer for the ciphertext.

The maximum number of object handles that can be returned by a call to C_FindObjects() is 512.
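
An added example, not part of the illumos source: because one C_FindObjects() call returns at most 512 handles, a caller that needs every match must repeat the call until it reports zero objects. The typedefs are stand-ins for the <security/cryptoki.h> types; find_all, find_fn and mock_find (a constructed 1300-object provider, assumed to cap silently at 512) are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the <security/cryptoki.h> types so this builds anywhere. */
typedef unsigned long CK_RV, CK_ULONG, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
#define CKR_OK 0UL
#define CKR_HOST_MEMORY 0x02UL
#define FIND_BATCH 512UL	/* per-call ceiling documented on this page */

/* Same parameter list as C_FindObjects(); pass the real function in production. */
typedef CK_RV (*find_fn)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);

/* Drain an active search (after C_FindObjectsInit) into a malloc'd array. */
CK_RV find_all(find_fn find, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE **out, CK_ULONG *total)
{
	CK_OBJECT_HANDLE batch[FIND_BATCH], *all = NULL, *tmp;
	CK_ULONG n = 0, got = 0;
	CK_RV rv;

	*out = NULL; *total = 0;
	for (;;) {
		rv = find(s, batch, FIND_BATCH, &got);	/* never ask for more than 512 */
		if (rv != CKR_OK || got == 0)
			break;				/* error, or search exhausted */
		tmp = realloc(all, (n + got) * sizeof (*all));
		if (tmp == NULL) { rv = CKR_HOST_MEMORY; break; }
		all = tmp;
		memcpy(all + n, batch, got * sizeof (*all));
		n += got;
	}
	if (rv != CKR_OK) { free(all); return rv; }
	*out = all; *total = n;
	return CKR_OK;
}

/* Constructed mock provider: 1300 objects, never more than 512 per call. */
static CK_ULONG mock_pos, mock_calls;
CK_RV mock_find(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE *h, CK_ULONG max, CK_ULONG *cnt)
{
	CK_ULONG i, left = 1300 - mock_pos;
	(void)s;
	mock_calls++;
	if (max > 512) max = 512;		/* assumed behaviour: silent cap */
	if (left > max) left = max;
	for (i = 0; i < left; i++) h[i] = 1000 + mock_pos + i;
	mock_pos += left;
	*cnt = left;
	return CKR_OK;
}
```

A single call with a larger buffer would see only the first 512 handles, so code that enumerates keys or certificates in one call can miss objects without any error being returned.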

The maximum amount of kernel memory that can be used for crypto operations is limited by the project.max-crypto-memory resource control. Allocations in the kernel for buffers and session-related structures are charged against this resource control.

RETURN VALUES

The return values of each of the implemented functions are defined and listed in the RSA PKCS#11 v2.20 specification. See http://www.rsasecurity.com.

ATTRIBUTES

See attributes(7) for a description of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Standard: PKCS#11 v2.20
MT-Level               MT-Safe with exceptions. See section 6.5.2 of RSA PKCS#11 v2.20
SEE ALSO

libpkcs11(3LIB), attributes(7), pkcs11_softtoken(7), cryptoadm(8), rctladm(8)

RSA PKCS#11 v2.20 http://www.rsasecurity.com

NOTES

Applications that have an open session to a PKCS#11 slot prevent the corresponding hardware provider driver from being unloaded. An administrator must close the applications that have a PKCS#11 session open to the hardware provider to make the driver unloadable.