The token authorization required, and the amount of attribute information
returned, depend on the values of the attributes the object possesses.
The authority required to retrieve the non-sensitive attributes is
as follows:
- For a public object - any authority to the token (USER
(READ) or SO (READ))
- For a private object - USER (READ) or SO (CONTROL)
If the caller is not authorized to retrieve the non-sensitive
attributes, the service fails.
If the caller is authorized to retrieve the non-sensitive
attributes and the object does not possess any sensitive attributes,
the service returns all of the object's attributes.
If the caller is authorized to retrieve the non-sensitive
attributes and the object does possess sensitive attributes, processing
is as defined in this table:
Table 301. Get attribute value processing for objects possessing sensitive attributes

| Object | PKCS #11 role authority | CKA_SENSITIVE | CKA_EXTRACTABLE | Attributes returned |
|---|---|---|---|---|
| Public | USER (READ) or SO (READ) | True | True or False | Non-sensitive only |
| Private | USER (READ) or SO (CONTROL) | True | True or False | Non-sensitive only |
| Public | USER (READ) or SO (READ) | False | False | Non-sensitive only |
| Private | USER (READ) or SO (CONTROL) | False | False | Non-sensitive only |
| Public | USER (READ) or SO (READ) | False | True | Sensitive and non-sensitive |
| Private | SO (CONTROL) | False | True | Non-sensitive only |
| Private | USER (READ) | False | True | Sensitive and non-sensitive |
Note:
- Session and token objects require the same authority.
- The sensitive attributes are as follows:
  - CKA_VALUE for a secret key, Elliptic Curve private key, DSA
    private key, or Diffie-Hellman private key object.
  - CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1,
    CKA_EXPONENT_2, and CKA_COEFFICIENT for a private key object.
- See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for
  more information on the SO and User PKCS #11 roles.
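The following is an added example, not ICSF code, that models the authorization check and the attribute-filtering rules from the table above so that an application developer can reason about what a given caller will get back before issuing the service call. It assumes SAF-style access levels are ordered (CONTROL implies READ, which is why "any authority" suffices for a public object), represents object classes with constructed string labels, and treats CKA_PRIVATE, CKA_SENSITIVE and CKA_EXTRACTABLE as ordinary entries in the object's attribute dictionary. The sample objects and callers are constructed for illustration.

```python
"""Model of the get-attribute-value authorization and filtering rules.

Constructed example: the class names, access-level ordering and sample
objects are assumptions, not ICSF definitions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Sensitive attributes per object class, as listed in the page's note.
# Class labels are constructed for this example.
SENSITIVE_ATTRS: Dict[str, FrozenSet[str]] = {
    "SECRET_KEY": frozenset({"CKA_VALUE"}),
    "EC_PRIVATE_KEY": frozenset({"CKA_VALUE"}),
    "DSA_PRIVATE_KEY": frozenset({"CKA_VALUE"}),
    "DH_PRIVATE_KEY": frozenset({"CKA_VALUE"}),
    "RSA_PRIVATE_KEY": frozenset({
        "CKA_PRIVATE_EXPONENT", "CKA_PRIME_1", "CKA_PRIME_2",
        "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT",
    }),
}

# Assumed ordering of access levels: holding CONTROL implies READ.
ACCESS_LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}


@dataclass(frozen=True)
class Caller:
    role: str    # "USER" or "SO"
    access: str  # key of ACCESS_LEVEL


@dataclass(frozen=True)
class TokenObject:
    obj_class: str
    attrs: Dict[str, object]  # includes CKA_PRIVATE / CKA_SENSITIVE / CKA_EXTRACTABLE


class NotAuthorized(Exception):
    """Raised where the service would fail for lack of token authority."""


def authorized_for_non_sensitive(caller: Caller, private: bool) -> bool:
    """Public object: any authority. Private object: USER(READ) or SO(CONTROL)."""
    level = ACCESS_LEVEL[caller.access]
    if not private or caller.role == "USER":
        return level >= ACCESS_LEVEL["READ"]
    return level >= ACCESS_LEVEL["CONTROL"]


def get_attribute_value(caller: Caller, obj: TokenObject) -> Dict[str, object]:
    """Return the attribute subset the caller is entitled to, per Table 301."""
    private = bool(obj.attrs.get("CKA_PRIVATE", False))
    if not authorized_for_non_sensitive(caller, private):
        raise NotAuthorized(f"{caller.role}({caller.access}) may not read this object")

    sensitive_names = SENSITIVE_ATTRS.get(obj.obj_class, frozenset())
    # No sensitive attributes present at all: everything is returned.
    if not sensitive_names.intersection(obj.attrs):
        return dict(obj.attrs)

    sensitive_flag = bool(obj.attrs.get("CKA_SENSITIVE", False))
    extractable = bool(obj.attrs.get("CKA_EXTRACTABLE", False))
    if sensitive_flag or not extractable:
        release_sensitive = False          # rows 1-4 of the table
    elif not private:
        release_sensitive = True           # public, not sensitive, extractable
    else:
        release_sensitive = caller.role == "USER"  # private: USER yes, SO no

    if release_sensitive:
        return dict(obj.attrs)
    return {k: v for k, v in obj.attrs.items() if k not in sensitive_names}


# Constructed sample objects (values are placeholders, not real key material).
PUBLIC_SECRET_KEY = TokenObject("SECRET_KEY", {
    "CKA_PRIVATE": False, "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
    "CKA_LABEL": "demo-aes", "CKA_VALUE": b"\x00" * 16,
})
PRIVATE_RSA_KEY = TokenObject("RSA_PRIVATE_KEY", {
    "CKA_PRIVATE": True, "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
    "CKA_LABEL": "demo-rsa", "CKA_MODULUS": b"\x01", "CKA_PRIVATE_EXPONENT": b"\x02",
})
PRIVATE_SENSITIVE_EC_KEY = TokenObject("EC_PRIVATE_KEY", {
    "CKA_PRIVATE": True, "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": True,
    "CKA_LABEL": "demo-ec", "CKA_VALUE": b"\x03",
})
PUBLIC_CERTIFICATE = TokenObject("CERTIFICATE", {
    "CKA_PRIVATE": False, "CKA_LABEL": "demo-cert", "CKA_VALUE": b"\x30",
})
```

Running `get_attribute_value(Caller("SO", "CONTROL"), PRIVATE_RSA_KEY)` returns the label and modulus but drops CKA_PRIVATE_EXPONENT, while the same object read as `Caller("USER", "READ")` comes back whole; `Caller("SO", "READ")` on any private object raises NotAuthorized. The certificate object has no entry in SENSITIVE_ATTRS, so its CKA_VALUE is returned in full regardless of role.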