canmove, Confirmed users
937
edits
FIPS Operational Environment: Difference between revisions
Jump to navigation
Jump to search
FIPS Operational Environment (view source)
Revision as of 23:39, 27 September 2006
, 27 September 2006→AS06.17
| Line 178: | Line 178: | ||
To prevent recording secret and private key values in the audit log due to programming errors, we only record key attributes whose values are very different from an array of bytes: | To prevent recording secret and private key values in the audit log due to programming errors, we only record key attributes whose values are very different from an array of bytes: | ||
* <code>CKA_CLASS</code>: object class, e.g., | * <code>CKA_CLASS</code>: object class, e.g., <code>CKO_PUBLIC_KEY</code> (0x00000002), <code>CKO_PRIVATE_KEY</code> (0x00000003), <code>CKO_SECRET_KEY</code> (0x00000004), etc. | ||
* <code>CKA_KEY_TYPE</code>: key type, e.g., | * <code>CKA_KEY_TYPE</code>: key type, e.g., <code>CKK_RSA</code> (0x00000000), <code>CKK_DSA</code> (0x00000001), <code>CKK_EC</code> (0x00000003), <code>CKK_GENERIC_SECRET</code> (0x00000010), <code>CKK_AES</code> (0x0000001F), etc. | ||
* <code>CKA_TOKEN</code>: token (persistent) or session (temporary) object. a boolean. | * <code>CKA_TOKEN</code>: token (persistent) or session (temporary) object. a boolean. | ||
* <code>CKA_MODULUS_BITS</code>: (RSA keys only) length of RSA modulus | * <code>CKA_MODULUS_BITS</code>: (RSA keys only) length in bits of the RSA modulus. an unsigned long. | ||
* <code>CKA_PRIME_BITS</code>: (DSA and Diffie-Hellman keys only) length of DSA or Diffie-Hellman prime p | * <code>CKA_PRIME_BITS</code>: (DSA and Diffie-Hellman keys only) length in bits of the DSA or Diffie-Hellman prime p. an unsigned long. | ||
* <code>CKA_EC_PARAMS</code>: (EC keys only) the elliptic curve's name. | * <code>CKA_EC_PARAMS</code>: (EC keys only) the elliptic curve's name. | ||
* <code>CKA_VALUE_LEN</code>: (secret keys) length of key. an unsigned long. | * <code>CKA_VALUE_LEN</code>: (secret keys) length in bytes of key value. an unsigned long. | ||
Moreover, if a function has an object handle pointer argument (e.g., ''phKey''), on a successful return we also record the object handle we store in the location pointed to by the argument (e.g., '' | Moreover, if a function has an object handle pointer argument (e.g., ''phKey''), on a successful return we also record the object handle we store in the location pointed to by the argument (e.g., "''*phKey = 0x01234567''"). | ||
Below we list the functions that we audit and the format of the audit messages. | Below we list the functions that we audit and specify the format of the audit messages. For brevity we omit the optional attribute values and returned object handles in the audit message specification. | ||
* Object management functions, where the object is a cryptographic key (object class <code>CKO_PUBLIC_KEY</code>, <code>CKO_PRIVATE_KEY</code>, and <code>CKO_SECRET_KEY</code>) | * Object management functions, where the object is a cryptographic key (object class <code>CKO_PUBLIC_KEY</code>, <code>CKO_PRIVATE_KEY</code>, and <code>CKO_SECRET_KEY</code>) | ||
** <code>[http://developer.mozilla.org/en/docs/FC_CreateObject FC_CreateObject]</code>: addition of cryptographic keys | ** <code>[http://developer.mozilla.org/en/docs/FC_CreateObject FC_CreateObject]</code>: addition of cryptographic keys | ||