hsm_mgmt_tool uses integer constants to identify key attributes in the HSM. Use listAttributes to list all attributes and their constants, and getAttribute to retrieve the attribute values for a specific key.
Key attribute constants
| Attribute | Constant | Value |
|---|---|---|
OBJ_ATTR_CLASS | 0 | 2: Public keys in a public-private key pair. 3: Private keys in a public-private key pair. 4: Private (symmetric) keys. |
OBJ_ATTR_TOKEN | 1 | 0: False. Session keys. 1: True. Permanent keys. |
OBJ_ATTR_PRIVATE | 2 | 0: False. 1: True. Indicates whether an unauthenticated user can list the attributes of the key. Because the CloudHSM PKCS#11 provider does not support public sessions, this attribute is set to 1 for all keys, including public keys in public-private key pairs. |
OBJ_ATTR_LABEL | 3 | User-defined string. Does not have to be unique within the cluster. |
OBJ_ATTR_TRUSTED | 134 | 0: False. 1: True. |
OBJ_ATTR_KEY_TYPE | 256 | 0: RSA. 1: DSA. 3: EC. 16: Regular secret. 18: RC4. 21: Triple DES (3DES). 31: Advanced Encryption Standard (AES). |
OBJ_ATTR_ID | 258 | User-defined string. Must be unique within the cluster. The default value is an empty string. |
OBJ_ATTR_SENSITIVE | 259 | 0: False. Public keys in a public-private key pair. 1: True. |
OBJ_ATTR_ENCRYPT | 260 | 0: False. 1: True. The key can be used to encrypt data. |
OBJ_ATTR_DECRYPT | 261 | 0: False. 1: True. The key can be used to decrypt data. |
OBJ_ATTR_WRAP | 262 | 0: False. 1: True. The key can be used to encrypt keys. |
OBJ_ATTR_UNWRAP | 263 | 0: False. 1: True. The key can be used to decrypt keys. |
OBJ_ATTR_SIGN | 264 | 0: False. 1: True. The key can be used for signing (private keys). |
OBJ_ATTR_VERIFY | 266 | 0: False. 1: True. The key can be used for verification (public keys). |
OBJ_ATTR_DERIVE | 268 | 0: False. 1: True. Derives keys. |
OBJ_ATTR_MODULUS | 288 | Modulus used to generate RSA key pairs. For EC keys, this value is the DER encoding of the ANSI X9.62 ecPoint value Q in hexadecimal format. Does not exist for other key types. |
OBJ_ATTR_MODULUS_BITS | 289 | Length of the modulus used to generate RSA key pairs. For EC keys, this value is the elliptic curve ID used to generate the key. Does not exist for other key types. |
OBJ_ATTR_PUBLIC_EXPONENT | 290 | Public exponent used to generate RSA key pairs. Does not exist for other key types. |
OBJ_ATTR_VALUE_LEN | 353 | Key length in bytes. |
OBJ_ATTR_EXTRACTABLE | 354 | 0: False. 1: True. The key can be exported from the HSM. |
OBJ_ATTR_LOCAL | 355 | 0: False. The key has been imported into the HSM. 1: True. |
OBJ_ATTR_NEVER_EXTRACTABLE | 356 | 0: False. 1: True. The key cannot be exported from the HSM. |
OBJ_ATTR_ALWAYS_SENSITIVE | 357 | 0: False. 1: True. |
OBJ_ATTR_DESTROYABLE | 370 | 0: False. 1: True. |
OBJ_ATTR_KCV | 371 | Key Check Value. See Key Check Value (KCV). |
OBJ_ATTR_ALL | 512 | Represents all properties. |
OBJ_ATTR_WRAP_WITH_TRUSTED | 528 | 0: False. 1: True. |
OBJ_ATTR_UNWRAP_TEMPLATE | 1073742354 | The attribute template applied to any key unwrapped with this wrapping key. |
OBJ_ATTR_WRAP_TEMPLATE | 1073742353 | The attribute template used to match the key wrapped with this wrapping key. |
Key Check Value (KCV)
The Key Check Value (KCV) is a 3-byte hash of a key stored in the HSM. Calculate the KCV outside the HSM using the generation rules below and compare it with the value retrieved via getAttribute to verify the identity and integrity of the key.
KCV generation rules for Alibaba Cloud HSM:
Symmetric keys: Encrypt a zero-block (all zeros) with the key, then take the first 3 bytes of the resulting ciphertext.
Asymmetric key pairs: Take the first 3 bytes of the SHA-1 hash of the public key.
HMAC keys: KCV is not supported.
该文章对您有帮助吗?