FIPS Operational Environment

1,086 bytes removed, 21:03, 3 October 2006
AS06.17
'''AS06.17''' requires that the module record modifications, accesses, deletions, and additions of cryptographic data and CSPs. In our module, cryptographic data and CSPs are cryptographic keys, audit data, and authentication data. We address cryptographic keys in this section and audit data and authentication data in the next section.
To prevent recording secret and private key values in the audit log due to programming errors, we only record key attributes whose values are very different from an array of bytes:
* <code>CKA_CLASS</code>: object class, e.g., <code>CKO_PUBLIC_KEY</code> (0x00000002), <code>CKO_PRIVATE_KEY</code> (0x00000003), <code>CKO_SECRET_KEY</code> (0x00000004), etc.
* <code>CKA_KEY_TYPE</code>: key type, e.g., <code>CKK_RSA</code> (0x00000000), <code>CKK_DSA</code> (0x00000001), <code>CKK_EC</code> (0x00000003), <code>CKK_GENERIC_SECRET</code> (0x00000010), <code>CKK_AES</code> (0x0000001F), etc.
* <code>CKA_TOKEN</code>: token (persistent) or session (temporary) object. a boolean.
* <code>CKA_MODULUS_BITS</code>: (RSA keys only) length in bits of the RSA modulus. an unsigned long.
* <code>CKA_PRIME_BITS</code>: (DSA and Diffie-Hellman keys only) length in bits of the DSA or Diffie-Hellman prime p. an unsigned long.
* <code>CKA_EC_PARAMS</code>: (EC keys only) the elliptic curve's name.
* <code>CKA_VALUE_LEN</code>: (secret keys) length in bytes of key value. an unsigned long.
Moreover, if a function has an object handle pointer argument (e.g., ''phKey''), on a successful return we also record the object handle we store in the location pointed to by the argument (e.g., "''*phKey = 0x01234567''"). Below we list the functions that we audit and specify the format of the audit messages. For brevity we omit the optional attribute values and returned object handles in the audit message specification.
* Object management functions, when the object is a cryptographic key (object class <code>CKO_PUBLIC_KEY</code>, <code>CKO_PRIVATE_KEY</code>, and <code>CKO_SECRET_KEY</code>)
** <code>[http://developer.mozilla.org/en/docs/FC_CreateObject FC_CreateObject]</code>: addition of cryptographic keys
*** "C_CreateObject(hSession=''<session handle>'', pTemplate=''<template pointer>'', ulCount=''<count>'', phObject=''<object handle pointer>'')=''<return code>''[*phObject=''<object handle>'']"
** <code>[http://developer.mozilla.org/en/docs/FC_CopyObject FC_CopyObject]</code>: access and addition of cryptographic keys
*** "C_CopyObject(hSession=''<session handle>'', hObject=''<object handle>'', pTemplate=''<template pointer>'', ulCount=''<count>'', phNewObject=''<object handle pointer>'')=''<return code>''"
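
The attribute allow-list described above, sketched in C as an added example; it is not code from NSS or from this page. The helper name <code>audit_format_attrs</code>, the table <code>kLoggable</code> and the <code>NAME=0x...</code> output format are assumptions, and the sketch covers only the fixed-size attributes, leaving out the variable-length <code>CKA_EC_PARAMS</code>.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the PKCS #11 types; attribute numbers are the standard ones. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS        0x00000000UL
#define CKA_TOKEN        0x00000001UL
#define CKA_VALUE        0x00000011UL /* key bytes: deliberately absent from the allow-list */
#define CKA_KEY_TYPE     0x00000100UL
#define CKA_MODULUS_BITS 0x00000121UL
#define CKA_PRIME_BITS   0x00000133UL
#define CKA_VALUE_LEN    0x00000161UL

/* Allow-list of fixed-size attributes that are safe to write to the audit log. */
static const struct { CK_ULONG type; const char *name; size_t size; } kLoggable[] = {
    { CKA_CLASS,        "CKA_CLASS",        sizeof(CK_ULONG) },
    { CKA_KEY_TYPE,     "CKA_KEY_TYPE",     sizeof(CK_ULONG) },
    { CKA_TOKEN,        "CKA_TOKEN",        1 },  /* CK_BBOOL is one byte */
    { CKA_MODULUS_BITS, "CKA_MODULUS_BITS", sizeof(CK_ULONG) },
    { CKA_PRIME_BITS,   "CKA_PRIME_BITS",   sizeof(CK_ULONG) },
    { CKA_VALUE_LEN,    "CKA_VALUE_LEN",    sizeof(CK_ULONG) },
};

/* Hypothetical helper: writes "NAME=0x..., ..." for allow-listed attributes only and
 * returns how many were written; every other attribute in the template is ignored. */
int audit_format_attrs(const CK_ATTRIBUTE *tmpl, CK_ULONG count, char *out, size_t outlen)
{
    size_t used = 0;
    int logged = 0;
    if (out == NULL || outlen == 0) return 0;
    out[0] = '\0';
    for (CK_ULONG i = 0; i < count; i++) {
        for (size_t j = 0; j < sizeof kLoggable / sizeof kLoggable[0]; j++) {
            if (tmpl[i].type != kLoggable[j].type) continue;
            /* A wrong length means the value is not the scalar we expect: do not log it. */
            if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != kLoggable[j].size) break;
            CK_ULONG v = 0;
            if (kLoggable[j].size == 1) v = *(const unsigned char *)tmpl[i].pValue;
            else memcpy(&v, tmpl[i].pValue, sizeof v);
            int n = snprintf(out + used, outlen - used, "%s%s=0x%08lx",
                             logged ? ", " : "", kLoggable[j].name, v);
            if (n < 0 || (size_t)n >= outlen - used) { out[used] = '\0'; return logged; }
            used += (size_t)n;
            logged++;
            break;
        }
    }
    return logged;
}
```

Because the check is an allow-list keyed on attribute type and exact length, a template that carries <code>CKA_VALUE</code> or a mis-sized value produces no log output for that attribute rather than a hex dump of it.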