11628 typos detected by mandoc style
--- old/usr/src/man/man3lib/libpkcs11.3lib
+++ new/usr/src/man/man3lib/libpkcs11.3lib
1 1 .\" Copyright (c) 2008, Sun Microsystems, Inc. All rights reserved.
2 2 .\" Copyright 2016 Jason King.
3 +.\" Copyright 2019 Peter Tribble.
3 4 .\"
4 5 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 6 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 7 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.Dd Oct 19, 2016
8 +.Dd Aug 27, 2019
8 9 .Dt LIBPKCS11 3LIB
9 10 .Os
10 11 .Sh NAME
11 12 .Nm libpkcs11
12 13 .Nd PKCS#11 Cryptographic Framework library
13 14 .Sh SYNOPSIS
14 15 .Lb libpkcs11
15 16 .In security/cryptoki.h
16 17 .In security/pkcs11.h
17 18 .Sh DESCRIPTION
18 19 The
19 20 .Nm
20 21 library implements the RSA Security Inc. PKCS#11
21 22 Cryptographic Token Interface (Cryptoki), v2.40 specification by using plug-ins
22 23 to provide the slots.
23 24 .Lp
24 25 Each plug-in, which also implements RSA PKCS#11 v2.40, represents one or more
25 26 slots.
26 27 .Lp
27 28 The
28 29 .Nm
29 30 library provides a special slot called the meta slot.
30 31 The meta slot provides a virtual union of capabilities of all other slots.
31 32 When available, the meta slot is always the first slot provided by
32 33 .Nm .
33 34 .Lp
34 35 The meta slot feature can be configured either system-wide or by individual
35 36 users.
36 37 System-wide configuration for meta slot features is done with the
37 38 .Xr cryptoadm 1M
38 39 utility.
39 40 User configuration for meta slot features is performed with environment
40 41 variables.
41 42 .Lp
42 43 By default, the following is the system-wide configuration for meta slot.
43 44 Meta slot is enabled.
44 45 Meta slot provides token-based object support with the Software RSA PKCS#11
45 46 softtoken
46 47 .Pq Xr pkcs11_softtoken 5 .
47 48 Meta slot is
48 49 allowed to move sensitive token objects to other slots if that is necessary to
49 50 perform an operation.
50 51 .Lp
51 52 Users can overwrite one or more system-wide configuration options for meta slot
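Review bot: "overwrite" at new line 52 should be "override". The sentence describes per-user environment variables taking precedence over the system-wide meta slot settings, not rewriting the configuration that cryptoadm manages. Suggest "Users can override one or more system-wide configuration options for meta slot" while this file is being cleaned up.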
52 53 using these environment variables.
53 54 .Lp
54 55 The
55 56 .Ev ${METASLOT_OBJECTSTORE_SLOT}
56 57 and
57 58 .Ev ${METASLOT_OBJECTSTORE_TOKEN}
58 59 environment variables are used to specify an alternate token object store.
59 60 A user can specify either slot-description in
60 61 .Ev ${METASLOT_OBJECTSTORE_SLOT}
61 62 or token-label in
62 -.Ev ${METASLOT_OBJECTSTORE_TOKEN} , or both.
63 +.Ev ${METASLOT_OBJECTSTORE_TOKEN} ,
64 +or both.
63 65 Valid values for slot-description and token-label are available from output of
64 66 the command:
65 67 .Bd -literal -offset indent
66 68 # cryptoadm list -v
67 69 .Ed
68 70 .Lp
69 71 The
70 72 .Ev ${METASLOT_ENABLED}
71 73 environment variable is used to specify whether
72 74 the user wants to turn the metaslot feature on or off.
73 75 Only two values are recognized.
74 76 The value "true" means meta slot will be on.
75 77 The value "false" means meta slot will be off.
76 78 .Lp
77 79 The
78 80 .Ev ${METASLOT_AUTO_KEY_MIGRATE}
79 81 environment variable is used to specify
80 82 whether the user wants sensitive token objects to move to other slots for
81 83 cryptographic operations.
82 84 Only two values are recognized.
83 85 The value "true" means meta slot will migrate sensitive token objects to other
84 86 slots if necessary.
85 87 The value "false" means meta slot will not migrate sensitive token objects to
86 88 other slots even if it is necessary.
87 89 .Lp
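Review bot: new line 74 spells the feature "metaslot" ("turn the metaslot feature on or off") while every other sentence in this hunk writes "meta slot"; pick one spelling. The two "Only two values are recognized." paragraphs (new lines 75 and 84) also do not say what happens when METASLOT_ENABLED or METASLOT_AUTO_KEY_MIGRATE holds any other value, which matters most for the key-migration setting; a sentence stating the fallback would help.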
88 90 When the meta slot feature is enabled, the slot that provides token-based
89 91 object support is not shown as one of the available slots.
90 92 All of its functionality can be used with the meta slot.
91 93 .Lp
92 94 This library filters the list of mechanisms available from plug-ins based on
93 95 the policy set by
94 96 .Xr cryptoadm 1M .
95 97 .Lp
96 98 This library provides entry points for all PKCS#11 v2.40 functions.
97 99 See the PKCS#11 v2.40 specifications at
98 -.Lk http://www.oasis-open.org.
100 +.Lk http://www.oasis-open.org .
99 101 .Lp
100 102 Plug-ins are added to
101 103 .Nm
102 104 by the
103 105 .Sy pkcs11conf
104 106 class action
105 107 script during execution of
106 108 .Xr pkgadd 1M .
107 109 The available mechanisms are administered by the
108 110 .Xr cryptoadm 1M
109 111 utility.
110 112 .Lp
111 -Plug-ins must have all of their library dependancies specified, including
113 +Plug-ins must have all of their library dependencies specified, including
112 114 .Xr libc 3LIB .
113 115 Libraries that have unresolved symbols, including those from
114 116 .Xr libc 3LIB ,
115 117 will be rejected and a message will be sent to
116 118 .Xr syslog 3C
117 119 for such plug-ins.
118 120 .Lp
119 121 Due to U.S. Export regulations, all plug-ins are required to be
120 122 cryptographically signed using the
121 123 .Xr elfsign 1
122 124 utility.
123 125 .Lp
124 126 Any plug-in that is not signed or is not a compatible version of PKCS#11 will
125 127 be dropped by
126 128 .Nm .
127 129 When a plug-in is dropped, the administrator is alerted by the
128 130 .Xr syslog 3C
129 131 utility.
130 132 .Lp
131 133 The
132 134 .In security/pkcs11f.h
133 135 header contains function definitions.
134 136 The
135 137 .In security/pkcs11t.h
136 138 header contains type definitions.
137 139 Applications can include either of these headers in place of
138 140 .In security/pkcs11.h ,
139 141 which contains both function and type definitions.
140 142 .Sh INTERFACES
141 143 The shared object
142 144 .Pa libpkcs11.so.1
143 145 provides the public interfaces defined below.
144 146 See
145 147 .Xr Intro 3
146 148 for additional information on shared object interfaces.
147 149 .Ss "PKCS#11 Standard"
148 150 .\"
149 151 .\" Use SUNW_C_GetMechSession for the first column so both sections will
150 152 .\" line up better when rendered
151 153 .\"
152 154 .Bl -column -offset indent ".Sy SUNW_C_GetMechSession" ".Sy C_DecryptDigestUpdate"
153 155 .It Sy C_CloseAllSessions Ta Sy C_CloseSession
154 156 .It Sy C_CopyObject Ta Sy C_CreateObject
155 157 .It Sy C_Decrypt Ta Sy C_DecryptDigestUpdate
156 158 .It Sy C_DecryptFinal Ta Sy C_DecryptInit
157 159 .It Sy C_DecryptUpdate Ta Sy C_DecryptVerifyUpdate
158 160 .It Sy C_DeriveKey Ta Sy C_DestroyObject
159 161 .It Sy C_Digest Ta Sy C_DigestEncryptUpdate
160 162 .It Sy C_DigestFinal Ta Sy C_DigestInit
161 163 .It Sy C_DigestKey Ta Sy C_DigestUpdate
162 164 .It Sy C_Encrypt Ta Sy C_EncryptFinal
163 165 .It Sy C_EncryptInit Ta Sy C_EncryptUpdate
164 166 .It Sy C_Finalize Ta Sy C_FindObjects
165 167 .It Sy C_FindObjectsFinal Ta Sy C_FindObjectsInit
166 168 .It Sy C_GenerateKey Ta Sy C_GenerateKeyPair
167 169 .It Sy C_GenerateRandom Ta Sy C_GetAttributeValue
168 170 .It Sy C_GetFunctionList Ta Sy C_GetInfo
169 171 .It Sy C_GetMechanismInfo Ta Sy C_GetMechanismList
170 172 .It Sy C_GetObjectSize Ta Sy C_GetOperationState
171 173 .It Sy C_GetSessionInfo Ta Sy C_GetSlotInfo
172 174 .It Sy C_GetSlotList Ta Sy C_GetTokenInfo
173 175 .It Sy C_InitPIN Ta Sy C_InitToken
174 176 .It Sy C_Initialize Ta Sy C_Login
175 177 .It Sy C_Logout Ta Sy C_OpenSession
176 178 .It Sy C_SeedRandom Ta Sy C_SetAttributeValue
177 179 .It Sy C_SetOperationState Ta Sy C_SetPIN
178 180 .It Sy C_Sign Ta Sy C_SignEncryptUpdate
179 181 .It Sy C_SignFinal Ta Sy C_SignInit
180 182 .It Sy C_SignRecover Ta Sy C_SignRecoverInit
181 183 .It Sy C_SignUpdate Ta Sy C_UnwrapKey
182 184 .It Sy C_Verify Ta Sy C_VerifyFinal
183 185 .It Sy C_VerifyInit Ta Sy C_VerifyRecover
184 186 .It Sy C_VerifyRecoverInit Ta Sy C_VerifyUpdate
185 187 .It Sy C_WaitForSlotEvent Ta Sy C_WrapKey
186 188 .El
187 189 .Ss "SUNW Extensions"
188 190 .Bl -column -offset indent ".Sy SUNW_C_GetMechSession" ".Sy C_DecryptDigestUpdate"
189 191 .It Sy SUNW_C_GetMechSession Ta Sy SUNW_C_KeyToObject
190 192 .El
191 193 .Sh FILES
192 194 .Bl -tag -compact -width Pa
193 195 .It Pa /usr/lib/libpkcs11.so.1
194 196 shared object
195 197 .It Pa /usr/lib/64/libpkcs11.so.1
196 198 64-bit shared object
197 199 .El
198 200 .Sh ATTRIBUTES
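Review bot: the .Lk at new line 100 still points readers at the bare http://www.oasis-open.org front page; the SEE ALSO entries already carry the exact docs.oasis-open.org URLs for the v2.40 documents, so this sentence could refer to SEE ALSO instead of repeating a generic link. In the same hunk, new lines 129-131 call syslog(3C) a "utility" although it is cross-referenced in section 3C; wording like "a message is sent to syslog(3C)", as used at new lines 117-119, would be consistent.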
199 201 See
200 202 .Xr attributes 5
201 203 for descriptions of the following attributes:
202 204 .Sh INTERFACE STABILITY
203 205 .Sy Committed
204 206 .Sh MT-LEVEL
205 207 The SUNW Extension functions are MT-Safe.
206 208 The PKCS#11 Standard functions are MT-Safe with exceptions.
207 209 See Section 2.5.3 of PKCS#11 Cryptographic Token Usage Guide v2.40 and
208 210 Section 5.1.5 of PKCS#11 Cryptographic Token Interface Base Standard v2.40
209 -.Sh STANDARD
210 -The PKCS#11 Standard functions conform to PKCS#11 Cryptographic Token
211 -Interface Profiles v2.40 Extended Provider.
212 211 .Sh SEE ALSO
213 212 .Xr cryptoadm 1M ,
214 213 .Xr pkgadd 1M ,
215 214 .Xr Intro 3 ,
216 215 .Xr syslog 3C ,
217 216 .Xr SUNW_C_GetMechSession 3EXT ,
218 217 .Xr attributes 5 ,
219 218 .Xr pkcs11_kernel 5 ,
220 219 .Xr pkcs11_softtoken 5
221 220 .Rs
222 221 .%T "PKCS#11 Cryptographic Token Interface Base Specification v2.40 Plus Errata 01"
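Review bot: the MT-LEVEL paragraph ends at new line 210 without a full stop ("... Base Standard v2.40"), so the sentence runs straight into the next section header; add the period. The same sentence calls the documents "Cryptographic Token Usage Guide" and "Base Standard", while the SEE ALSO titles read "Usage Guide v2.40" and "Base Specification v2.40 Plus Errata 01"; using the titles as cited would make the section references easier to follow.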
223 222 .%U http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os.html
224 223 .Re
225 224 .Rs
226 225 .%T "PKCS#11 Cryptographic Token Interface Profiles v2.40"
227 226 .%U http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/pkcs11-profiles-v2.40.html
228 227 .Re
229 228 .Rs
230 229 .%T "PKCS#11 Cryptographic Token Interface Usage Guide v2.40"
231 230 .%U http://docs.oasis-open.org/pkcs11/pkcs11-ug/v2.40/pkcs11-ug-v2.40.html
232 231 .Re
232 +.Sh STANDARDS
233 +The PKCS#11 Standard functions conform to PKCS#11 Cryptographic Token
234 +Interface Profiles v2.40 Extended Provider.
233 235 .Sh NOTES
234 236 If an application calls
235 237 .Fn C_WaitForSlotEvent
236 238 without the
237 239 .Dv CKF_DONT_BLOCK
238 240 flag set,
239 241 .Nm
240 242 must create threads internally.
241 243 If, however,
242 244 .Dv CKF_LIBRARY_CANT_CREATE_OS_THREADS
243 245 is set,
244 246 .Fn C_WaitForSlotEvent
245 247 returns
246 248 .Dv CKR_FUNCTION_FAILED .
247 249 .Lp
248 -The PKCS#11 library does not work with Netscape 4.\fIx\fR but does work with
249 -more recent versions of Netscape and Mozilla.
250 -.Lp
251 250 Because
252 -.Fn C_Initalize
251 +.Fn C_Initialize
253 252 might have been called by both an application and a
254 253 library, it is not safe for a library or its plugins to call
255 254 .Fn C_Finalize .
256 255 A library can be finished calling functions from
257 256 .Nm ,
258 257 while an application might not.
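Review bot: new line 253 writes "plugins" ("a library or its plugins") where the rest of the page uses "plug-ins"; worth fixing alongside the C_Initialize spelling at new line 251. The first NOTES paragraph also says CKF_LIBRARY_CANT_CREATE_OS_THREADS "is set" without saying where the application sets it; naming that would help readers relate it to the CKR_FUNCTION_FAILED return.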