Changes

FIPS Operational Environment

1,204 bytes added, 23:21, 27 September 2006
Auditable Events
** (optional) an error message. For example, "power-up self-tests failed".
The following events are auditable by ===AS06.17=== '''AS06.17''' requires that the NSS cryptographic module.* record modifications, accesses, deletions, and additions of cryptographic data (e.gand CSPs.In our module, cryptographic keys and audit data) and CSPs (e.g., secret and private are cryptographic keys, audit data, and authentication data such as passwords . We address cryptographic keys in this section and PINs): audit data and authentication data are handled belowin the next section. Here we  To prevent recording secret and private key values in the audit log due to programming errors, we only handle cryptographic keys.record key attributes whose values are very different from an array of bytes:** Object management functions, where the object is a cryptographic key (object class <code>CKO_PUBLIC_KEY<code>CKA_CLASS</code>: object class, e.g., secret key, public key, or private key.* <code>CKO_PRIVATE_KEYCKA_KEY_TYPE</code>: key type, e.g., AES key, RSA keys, DSA keys, EC keys, and etc.* <code>CKO_SECRET_KEYCKA_TOKEN</code>: token (persistent)or session (temporary) object. a boolean.*** <code>[httpCKA_MODULUS_BITS</code>://developer(RSA keys only) length of RSA modulus in bits.mozillaan unsigned long.org/en/docs/FC_CreateObject FC_CreateObject]* </code>CKA_PRIME_BITS</code>: addition (DSA and Diffie-Hellman keys only) length of cryptographic keysDSA or Diffie-Hellman prime p in bits. an unsigned long.**** "C_CreateObject(hSession=''<session handlecode>CKA_EC_PARAMS</code>: (EC keys only) the elliptic curve'', pTemplate=''s name.* <template pointercode>'', ulCount=''CKA_VALUE_LEN<count/code>'': (secret keys) length of key. an unsigned long. 
Moreover, phObject=''<if a function has an object handle pointer>argument (e.g., '')=phKey''<), on a successful return code>we also record the object handle we store in the location pointed to by the argument (e.g., ''"*** <code>[http://developerphKey = 0x01234567"'').mozilla Below we list the functions that we audit and the format of the audit messages.org/en/docs* Object management functions, where the object is a cryptographic key (object class <code>CKO_PUBLIC_KEY</FC_CopyObject FC_CopyObject]code>, <code>CKO_PRIVATE_KEY</code>: access , and addition of cryptographic keys<code>CKO_SECRET_KEY</code>)**** "C_CopyObject(hSession=''<session handlecode>'', hObject=''[http://developer.mozilla.org/en/docs/FC_CreateObject FC_CreateObject]<object handle/code>'': addition of cryptographic keys*** "C_CreateObject(hSession=''<session handle>'', pTemplate=''<template pointer>'', ulCount=''<count>'', phNewObjectphObject=''<object handle pointer>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_DestroyObject FC_DestroyObjectFC_CopyObject FC_CopyObject]</code>: deletion access and addition of cryptographic keys**** "C_DestroyObjectC_CopyObject(hSession=''<session handle>'', hObject=''<object handle>''), pTemplate=''<return codetemplate pointer>''"*** , ulCount=''<codecount>[http://developer.mozilla.org/en/docs/FC_GetObjectSize FC_GetObjectSize]'', phNewObject=''<object handle pointer>'')=''</return code>: access of cryptographic keys''"**** "C_GetObjectSize(hSession=''<session handlecode>'', hObject=''[http://developer.mozilla.org/en/docs/FC_DestroyObject FC_DestroyObject]<object handle/code>'', pulSize=: deletion of cryptographic keys*** "C_DestroyObject(hSession=''<session handle>'', hObject=''<size pointerobject handle>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_GetAttributeValue FC_GetAttributeValueFC_GetObjectSize FC_GetObjectSize]</code>: access of cryptographic keys**** 
"C_GetAttributeValueC_GetObjectSize(hSession=''<session handle>'', hObject=''<object handle>'', pTemplatepulSize=''<template size pointer>'', ulCount=''<count>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_SetAttributeValue FC_SetAttributeValueFC_GetAttributeValue FC_GetAttributeValue]</code>: modification access of cryptographic keys**** "C_SetAttributeValueC_GetAttributeValue(hSession=''<session handle>'', hObject=''<object handle>'', pTemplate=''<template pointer>'', ulCount=''<count>'')=''<return code>''"** Key management functions*** <code><code>[http://developer.mozilla.org/en/docs/FC_GenerateKey FC_GenerateKeyFC_SetAttributeValue FC_SetAttributeValue]</code>: addition modification of cryptographic keys**** "C_GenerateKeyC_SetAttributeValue(hSession=''<session handle>'', pMechanismhObject=''<mechanismobject handle>'', pTemplate=''<template pointer>'', ulCount=''<count>'', phKey)=''<key object handle pointer>'')=''<return code>return code>''"*Key management functions** <code>[http://developer.mozilla.org/en/docs/FC_GenerateKeyPair FC_GenerateKeyPairFC_GenerateKey FC_GenerateKey]</code>: addition of cryptographic keys**** "C_GenerateKeyPairC_GenerateKey(hSession=''<session handle>'', pMechanism=''<mechanism>'', pPublicKeyTemplatepTemplate=''<template pointer>'', ulPublicKeyAttributeCountulCount=''<count>'', pPrivateKeyTemplate=''<template pointer>'', ulPrivateKeyAttributeCount=''<count>'', phPublicKeyphKey=''<key object handle pointer>'', phPrivateKey)=''<key object handle pointer>'')=''<return codereturn code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_WrapKey FC_WrapKeyFC_GenerateKeyPair FC_GenerateKeyPair]</code>: access addition of cryptographic keys**** "C_WrapKeyC_GenerateKeyPair(hSession=''<session handle>'', pMechanism=''<mechanism>'', hWrappingKeypPublicKeyTemplate=''<key object handletemplate pointer>'', hKeyulPublicKeyAttributeCount=''<key object handlecount>'', pWrappedKeypPrivateKeyTemplate=''<buffer that 
receives the wrapped keytemplate pointer>'', pulWrappedKeyLenulPrivateKeyAttributeCount=''<pointer to lengthcount>''), phPublicKey=''<return codekey object handle pointer>''", phPrivateKey=''<key object handle pointer>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_UnwrapKey FC_UnwrapKeyFC_WrapKey FC_WrapKey]</code>: access and addition of cryptographic keys**** "C_UnwrapKeyC_WrapKey(hSession=''<session handle>'', pMechanism=''<mechanism>'', hUnwrappingKeyhWrappingKey=''<key object handle>'', pWrappedKeyhKey=''<pointer to byteskey object handle>'', ulWrappedKeyLenpWrappedKey=''<lengthbuffer that receives the wrapped key>'', pTemplatepulWrappedKeyLen=''<template pointerto length>'', ulAttributeCount=''<count>'', phKey=''<key object handle pointer>''))=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_DeriveKey FC_DeriveKeyFC_UnwrapKey FC_UnwrapKey]</code>: access and addition of cryptographic keys**** "C_DeriveKeyC_UnwrapKey(hSession=''<session handle>'', pMechanism=''<mechanism>'', hBaseKeyhUnwrappingKey=''<key object handle>'', pWrappedKey=''<pointer to bytes>'', ulWrappedKeyLen=''<length>'', pTemplate=''<template pointer>'', ulAttributeCount=''<count>'', phKey=''<key object handle pointer>'')=''<return code>''"** Cipher "Init" functions*** <code><code>[http://developer.mozilla.org/en/docs/FC_EncryptInit FC_EncryptInitFC_DeriveKey FC_DeriveKey]</code>: access and addition of cryptographic keys**** "C_EncryptInitC_DeriveKey(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKeyhBaseKey=''<key object handle>''), pTemplate=''<return codetemplate pointer>''"*** , ulAttributeCount=''<count>'', phKey=''<key object handle pointer>'')=''<return code>''"* Cipher "Init" functions** <code>[http://developer.mozilla.org/en/docs/FC_DecryptInit FC_DecryptInitFC_EncryptInit FC_EncryptInit]</code>: access of cryptographic keys**** "C_DecryptInitC_EncryptInit(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKey=''<key 
object handle>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_SignInit FC_SignInitFC_DecryptInit FC_DecryptInit]</code>: access of cryptographic keys**** "C_SignInitC_DecryptInit(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKey=''<key object handle>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_SignRecoverInit FC_SignRecoverInitFC_SignInit FC_SignInit]</code>: access of cryptographic keys**** "C_SignRecoverInitC_SignInit(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKey=''<key object handle>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_VerifyInit FC_VerifyInitFC_SignRecoverInit FC_SignRecoverInit]</code>: access of cryptographic keys**** "C_VerifyInitC_SignRecoverInit(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKey=''<key object handle>'')=''<return code>''"*** <code>[http://developer.mozilla.org/en/docs/FC_VerifyRecoverInit FC_VerifyRecoverInitFC_VerifyInit FC_VerifyInit]</code>: access of cryptographic keys**** "C_VerifyRecoverInitC_VerifyInit(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKey=''<key object handle>'')=''<return code>''"** Miscellaneous*** <code>[http://developer.mozilla.org/en/docs/FC_DigestKey FC_DigestKeyFC_VerifyRecoverInit FC_VerifyRecoverInit]</code>: access of cryptographic keys**** "C_DigestKeyC_VerifyRecoverInit(hSession=''<session handle>'', pMechanism=''<mechanism>'', hKey=''<key object handle>'')=''<return code>''"* Miscellaneous** <code>[http://developer.mozilla.org/en/docs/FC_DigestKey FC_DigestKey]</code>: access of cryptographic keys*** "C_DigestKey(hSession=''<session handle>'', hKey=''<key object handle>'')=''<return code>''" ===AS06.18 and AS06.19=== In compliance with '''AS06.18''' and '''AS06.19''', the following events are auditable by the NSS cryptographic module.
* attempts to provide invalid input for crypto officer functions: We log the use of all crypto officer functions with the return code. The return code tells us whether the operator attempted to provide invalid input.
** <code>FC_InitToken(slotID, pPin, ulPinLen, pLabel)</code>
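Review bot: In the AS06.17 attribute list, the CKA_PRIME_BITS bullet appears to open with a closing tag (`* </code>CKA_PRIME_BITS</code>:`), which leaves the markup unbalanced; the first tag should be `<code>`. In the same list, CKA_EC_PARAMS is described as recording "the elliptic curve's name", but in PKCS #11 that attribute's value is a DER-encoded byte string, so it only meets the stated rule of logging attributes "whose values are very different from an array of bytes" if it is decoded first. Suggest stating explicitly that the parameters are mapped to a curve name and that the raw bytes are never written to the audit log.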
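Review bot: The audit message formats for functions that take a template (for example C_CreateObject and C_GenerateKey) show only `pTemplate=<template pointer>` and `ulCount=<count>`, so the text does not document where the recorded key attributes from the AS06.17 list appear in the message. The same gap applies to the `*phKey = 0x01234567` record: the text says the handle is logged on a successful return, but none of the listed formats include it. Suggest adding one complete sample message for each case so that an auditor knows what to expect in the log and can confirm that no key value is present.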