Pkcs11 attributes. History Jan 6, 2020 · Objects, as described by PKCS #11, consist of a number of attributes that define both the object and its access policy. opened this issue on Nov 24, 2017 · Fixed by. Mar 13, 2024 · #C_GetAttributeValue(*template) ⇒ Array< PKCS11::CK_ATTRIBUTE > Also known as: attributes Obtains the value of one or more attributes of the object in a single call. so and it works with example on the README. Also requires the pkcs11 module to understand extractable and session objects. 5. Definition: core_pkcs11_mbedtls. Dec 8, 2021 · 2021. c. If a call to C_CreateObject cannot support the precise template supplied to it, it will fail and return without creating any object. The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping mechanism. objects is a model of the object hierarchy presented in this PKCS#11 standard. 4. It features a number of commands similar to the unix CLI utilities, such as ls , mv , rm , od , and more . Specify the list of additional data types that SHALL be supported. Some tokens store all of the above attributes, which can assist in performing rapid RSA computations. When you use the PKCS #11 library, we assign default values as specified by the PKCS #11 standard. Jun 15, 2020 · If an attribute has no value, then ulValueLen = 0, and the value of pValue is irrelevant. wrapper package is the interface to a PKCS#11 module and provides access to the functions defined by PKCS#11. dene(AkisImzaImpl. Given an Object, you can retrieve it's readable attributes. java. security. pkcs. How can I get objects attributes on the card (certificate holder name etc)? I dont understand the FindObjects*() logic. If the attributes do not conflict with the user supplied attribute template, in 'pTemplate', then the unwrap will proceed. 0. Object The attributes option allows you to specify additional PKCS#11 attributes that should be set when creating PKCS#11 key objects. 
In this release of CADP for C, the Pkcs11Interop is used to load the unmanaged PKCS#11 library. Jun 15, 2020 · Implement functionality as mandated by [PKCS11-Base] Section 6 (PKCS#11 Implementation Conformance) 2. Objects, as described by PKCS #11, consist of a number of attributes that define both the object and its access policy. Also, BouncyCastle is open-sourced, you can locate precisely which line of code throws the exception. CKR_TEMPLATE_INCOMPLETE: The template specified for creating an object is incomplete, and lacks some necessary attributes. A user can configure a mapper list in the pam_pkcs11. If the subject DN does not include an email address, the certificate extension subjectAltName must include an email address. 0 or later . This is what the CKR_ATTRIBUTE_SENSITIVE Aug 25, 2019 · When using pkcs11-tool when listing objects, you'll see warning that an attribute is invalid. 6 -> MUST not be specified when object is attributes(*, CKO_PRIVATE_KEY, CKK_RSA) = { CKA_TOKEN=true } You can add a separate stanza for each key type you require. See PKCS #1 for more information on RSA keys. The first command creates a self-signed Certificate for "NXP Semiconductor". CK_ATTRIBUTE Struct Reference. Users can list and read PINs, keys and certificates stored on the token. To create the service ID for the SO user, follow these steps: Click Create. The PKCS11Connector instantiates an object that implements this PKCS11 interface. token. The Cryptographic Token Interface Standard, PKCS#11, is produced by RSA Security and defines native programming interfaces to cryptographic tokens, such as hardware cryptographic accelerators and Smartcards. 1 Description of this Document. You will also want to check the label of the private key you imported (or generated). The subjectAltName extension is part of the X. pValue should Aug 10, 2015 · Caused by: sun. From PKCS11 spec 2. The CKA_WRAP attribute must be true Feb 18, 2018 · I use java 1.
Following figure presents the typical usage of Pkcs11Interop library in . 509. pem -text -x509 -subj "/CN=NXP Semiconductor". As owlstead suggests, I tried to create a public key starting from the modulus and public exponent of a key created in a previous session (in CAPI or, just for this test, in PKCS11). C_GetAttributeValue" where it gets the CKR_ATTRIBUTE_TYPE_INVALID. Specify the list of additional objects that SHALL be supported. NewAttribute(pkcs11. It exposes interfaces for cryptographic hardware offload using the Security The interface PKCS11 in the iaik. 40 is intended to complement [PKCS11-Base], [PKCS11-Curr], [PKCS11-Hist] and [PKCS11-Prof] by providing guidance on how to implement the PKCS #11 interface most effectively. Smart cards. I am using PyKCS11 library to read the certificates from a token device. getLogger (__name__) # using a hacked version of python-pkcs11 0. Is there a way to do it? EDIT. The CKA_WRAP attribute must be true. Note: the following attributes are not implemented and retrieving them throws an exception: CKA_WRAP_TEMPLATE; CKA_UNWRAP_TEMPLATE; CKA_DERIVE_TEMPLATE; Note: the following attributes internally provide a struct describing the date, but are here returned as a string: CKA_START_DATE Makes all PKCS #11 attributes available for use and the Crypt::PKCS11::Attributes module itself is a container for multiple attributes usually used for templates when working with objects and keys. [in] hObject: PKCS #11 object handle to be queried. PKCS11Exception: E. The attribute may be useful if a user needs to provide the key via a PKCS #11 module stored on a removable media, for example. KeyStore. This is distinct from the CKA_SUBJECT attribute contained in CKC_X_509 certificates because the ASN. Return type. --output-file path, -o path Specify the path to a file for Version 2. Aug 17, 2021 · To generate a certificate with key in the Secure Object module, the. #11 security tokens.
Parameters. Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS. Pointer to a list of attributes that the generated public key should possess. [in] pPublicKeyTemplate. Jul 27, 2022 · The pkcs11_parse_uri() implementation supports the following attributes: token, manufacturer, serial, model, object, type, id, and pin-source. attrs (dict(Attribute,*)) – attributes of the object to create. pkcs11 = PyKCS11Lib() pkcs11. 3. This # doesn't work with Luna, even if the attribute is set to False. In addition, some NVIDIA extensions are included. So chances are that the object being returned does not contain a prperty that Java is expecting. Handle of a valid PKCS #11 session. Note pkcs11-tool is more of a test/example program. CK_ATTRIBUTE is a structure that includes the type, value, and length of an attribute. --input-file path, -i path Specify the path to a file for input. 1 for more information. CK_ATTRIBUTE; CK_ATTRIBUTE_PTR. Tokens vary in what they actually store for RSA private keys. For more information on each attribute, see the RFC 7512 specification. Feb 18, 2021 · The attributes as known by PKCS11 are just stored in a sqlite3db, as they really are not of any use to the TPM itself. Attribute{ pkcs11. 509 attribute certificate object attributes, in addition to the common attributes defined for this object class: DER-encoding of the attribute certificate's subject field. This is only a base class, see Crypt::PKCS11::Attributes for a list of all available attributes. For interoperability, vendors should register their attribute types through the PKCS process.
Click Create. In this port, the only searchable attribute is object label. getSlotList()[2] pkcs11-tools is a toolkit containing a bunch of small utilities to perform key management tasks on cryptographic tokens implementing a PKCS#11 interface. At this time, CKM_EC_KEY_PAIR_GEN is the only supported mechanism. Pointer to a mechanism. Thank you for your help in advance! This library is used to load a cryptographic device vendor’s PKCS#11 library and allows the functions within the library to be accessible to . Attribute. java:55) 5 PKCS#11 Reference Guide. Jan 8, 2017 · Hi, I use another pkcs11*. pxTemplate. The following attribute descriptions are intended to Requires a read/write session, unless the object is not to be stored. For example, the PKCS#11 Sensitive and Extractable attributes are being added to KMIP version 1. 3 with cluster package 1. Meta Objects are opaque objects with algorithm opaque-data that store the values of CKA_ID and CKA_LABEL attributes of another object on the YubiHSM 2, thus working around the hard limit on the length of those values and the inability to change those attributes after the fact. HANDLE LABEL TYPE OBJECT-ID. 64-bit callers must use CSFPGAV6. The following table defines the X. Access policy should be provided by the user based on their particular requirements. 0 automatically adds the capabilities # CKA_ENCRYPT CKA_VERIFY CKA_WRAP to the unwrap template. CKA_KEY_TYPE -> CKK. $ openssl req -new -key dev_key. 3 -> MUST be specified when object is generated with C_GenerateKey or C_GenerateKeyPair. This is the code I am using right now, the problem is that the attributes are binary. roberts@intel. pValue should be set to the attribute to be queried. AkisImzaImpl. In this DB are two blobs that are the TPM keys, sealed to the TPM. 1 syntax and encoding are different. In general, the ProtectToolkit -C system will define the object’s attributes. engineLoad(P11KeyStore.
Without params all known attributes are tried to read from the Object. 0_31. 2. Depending on the token, there may be limits on the length of the key components. User PIN authentication is performed for those operations that require it. And you could create a mapping mechanism to the corresponding Jan 8, 2014 · PKCS11 Cryptoki Library Data Fields. The callable service can be invoked in AMODE(24), AMODE(31), or AMODE(64). 0 to use clusters. See Section 10. I got the modulus and public exponent from a private key in these buffers: PKCS#11 is a programming interface to create and manipulate cryptographic tokens. The SunPKCS11 P11ECDHKeyAgreement class always wants to return the bytes of the derived shared secret as the result of the generateSecret () method. PKCS#11 is a very widely used cryptographic device interface; in practice, the Chinese national cryptographic device application interface specification GMT0018 serves the same purpose and occupies a similar position in the technical architecture. 6. NET application: [in] hSession: Handle of a valid PKCS #11 session. load(KeyStore. Rectify this by adding the missing attributes. See full list on docs. Vault Enterprise's HSM PKCS11 support is activated by one of the following: The presence of a seal "pkcs11" block in Vault's configuration file. 5. Using OpenSC SPY can help in debugging/understanding PKCS11 calls when writing your own PKCS11 application. I am trying to create a keystore to get a private key with a smart card reader. Jul 27, 2022 · The pam_pkcs11 module provides a configurable way with mappers to specify cert-to- user mapping. I'm having problems with my application that generates xml signed, but just happen it on Windows, I don't have the problem on Linux, proves with jre 7 and jre 8 thanks advance. [in] pMechanism. 2) So no, you can't do anything with a certificate object other than store it and retrieve The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS. pValue, and will be updated to contain the actual length of the data copied. – Kirill Gamazkov.
An array of CK_ATTRIBUTE s is called a "template" and is used for creating, manipulating and searching for objects. NET applications. Other than providing access to certificate objects, Cryptoki does not attach any special meaning to certificates. Many APIs will optionally accept iterables and act as generators Sep 4, 2020 · Reading attributes from private key. NET application. is the number of attributes in the template; phObject. Run the following command and look for a pkcs11 wrapper for Go. java:763) at java. 8. Having initialized your device, you can query it to check your token label with: $ pkcs11-tool --module <module path> --list-token-slots. PKCS #11 is a cryptographic token interface standard, which specifies an API, called Cryptoki. The interface is designed to follow the logical structure of a HSM, with useful defaults for obscurely documented parameters. The order of the attributes in a template never matters, even if the Jan 5, 2022 · CreateObject(template []*pkcs11. com> I am new to SmartCard and need some help. With this API, applications can address cryptographic devices as tokens and can perform cryptographic functions as implemented by these tokens. dll") slot = pkcs11. These interfaces are collectively called the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) - Refer to [PKCS11-Base] table 11 for footnotes. Nov 24, 2017 · PKCS11 function C_GetAttributeValue (MODULUS_BITS) failed · Issue #1208 · OpenSC/OpenSC · GitHub. If I were using X509Certificate2, I'd filter certificates based on Dec 14, 2016 · You may use the Start_Date attribute of the PrivateKey Object to store the created date. A high level, “more Pythonic” interface to the PKCS#11 (Cryptoki) standard to support HSM and Smartcard devices in Python. Users can list and read PINs, keys and certificates stored on the. CK_RV C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) Initializes an object search operation.
We are compliant with the specification for all attributes we support. Many mappers are provided by the pam_pkcs11 module, for example, the common name (CN) mapper, the digest mapper, the Email mapper, or the LDAP mapper. Correct this by adding it in for all PKCS11 Private Keys as well as PKCS11 Secret Keys. org Jan 6, 2020 · An Introduction to PKCS#11. Public key template must have the following attributes: Label should be no longer than pkcs11configMAX_LABEL_LENGTH and must be supported by port's PKCS #11 PAL. md. It seems the checksum attribute is not supported, and some common application requires it (example: Amazon Voice Assistance, see this link for reference). PKCS#11 tokens are containers that hold digital certificates and keys. hSession. java:1445) at deneme. In the development of cryptographic products, following the PKCS#11 or GMT0018 interface specification Feb 25, 2021 · While I agree that this code sample lacks quality and more information would be helpful it mainly seems that mainly the templates are wrong: Mechanism CKM_EC_KEY_PAIR_GEN only needs the curve OID in CKA_EC_PARAMS (the commented part is right, the actual code is wrong) in the public key template only. But I used the necessary attributes: CKA. CKA_CLASS, pkcs11. Nov 30, 2018 · PKCS#11 is a platform-independent API that can be used to manage and utilise cryptographic security hardware. 5313 00000103000003A1 RSAPrivateKey 201603040001. All names of classes, data structures and methods are the same as the corresponding PKCS#11 counterpart. These interfaces are collectively called the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) Dec 9, 2019 · Refactoring the attribute handling resulted in the loss of CKA_SENSITIVE attribute. [in,out] pTemplate: Attribute template. pem -out cert. The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. 8 and the following code works for many USB pkcs11 devices but this week I found a new model of a token that when I execute Note that the PKCS#11 URI specifies a list of attributes which must match.
In order to do this the derived secret must be marked as non-sensitive and extractable, otherwise the HSM will refuse to reveal the raw bytes. 2, 2 -> MUST not be specified when object is created with C_CreateObject. 4. Attribute() for more available object attributes. If this attribute is not present on the unwrapping key then no additional attributes For when key is copied (cryptoki API functions C_CopyObject () ): Nothing to do, PKCS11_CKA_VALUE cannot be modified and PKCS11_CKA_CHECK_VALUE would simply be copied. The presence of the environment variable VAULT_HSM_LIB set to the library's path as well as VAULT_SEAL_TYPE Aug 20, 2020 · Project description. Among others we have copied the following two attributes from one of the interface's code samples: MODULUS_BITS (0x0121) = 1024 PUBLIC_EXPONENT (0x0122) = { 0x01, 0x00, 0x01 } We're pretty sure that the used values are demo values only and we need to use different ones in our production code. Use the PKCS #11 Get Attribute Value callable service (CSFPGAV) to retrieve the attributes of an object. pkcs11:object=my-sign-key; type=private ?module-name=mypkcs11 The following example covers how to use the "module-path" query attribute. Interpreting the PKCS#11 standard: concepts and commonly used interface functions. NET environment. python-pkcs11 is fully documented and has a full integration test suite for all features, with continuous integration against multiple HSM platforms including: Thales nCipher. I'm trying to use Pkcs11Interop to sign a message using the private key from a smart card certificate in a C# application. While pkcs11 has oodles of attributes, the TPM only has a few. I try to run a test program (see below), but keep getting this exception, sun. 08 17:30:55 Word count 1,138. parameters provides classes for objects that act as parameters for mechanisms which require specific arguments. 3, Luna HSM Firmware 7.
Data Fields: CK_ATTRIBUTE_TYPE type CK_VOID_PTR May 29, 2019 · Attribute types CKA_VENDOR_DEFINED and above are permanently reserved for token vendors. points to the location that receives the new object's handle. You can always write your own application and call PKCS11. PKCS11Exception: CKR_DATA_INVALID. Two questions actually: 1. An array of CK_ATTRIBUTEs is called a “template” and is used for creating, manipulating and searching for objects. 00 specification. It is defined as follows: Jan 8, 2020 · Objects, as described by PKCS #11, consist of a number of attributes that define both the object and its access policy. (§4. Jan 3, 2020 · Package pkcs11 is a wrapper around CKA_MIME_TYPES = 0x00000482 CKA_MECHANISM_TYPE = 0x00000500 CKA_REQUIRED_CMS_ATTRIBUTES = 0x00000501 CKA_DEFAULT . Public key template must have the following attributes: python-pkcs11 also includes numerous utility functions to convert between PKCS #11 data structures and common interchange formats including PKCS #1 and X. The value of this attribute is an attribute template and the size is the number of items in the template times the size of CK_ATTRIBUTE. conf file. PKCS #11 Attributes. The smart card we are using contain multiple certificates - usually one is for signing, and one is for authentication. CKK_GENERIC_SECRET; Ideas? Code DESCRIPTION. PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID. If a problem occurs with one of the pkcs11 mechanisms, you can resolve it by disabling only that specific mechanism rather than the entire pkcs11 provider (if you had previously disabled the pkcs11 provider, remember to re-enable it). 4 days ago · The following custom PKCS#11 extensions apply to Luna keyrings only (see Cluster Extensions). It loads unmanaged PKCS#11 library provided by the cryptographic device vendor and makes its functions accessible to . Quoting the PKCS#11 specification: Certificate objects (object class CKO_CERTIFICATE) hold public-key or attribute certificates. 2, and HSM Client 10.
You may use Data Object that are meant to store any data, to store your metadata like the IV and other info. 0 # Default python-pkcs11 0. load("C:\Windows\System32\eTPKCS11. 40 section 2. Apr 27, 2014 · 1. DESCRIPTION. pem. [in] pTemplate: Pointer to a template which specifies the object attributes to match. In version 2. pem -in req. Pkcs11Interop is managed library written in C# that brings full power of PKCS#11 API to the . This is because the required default set of attributes is missing from tpm2-pkcs11 objects. so ). ulValueLen should be set to the length of the buffer allocated at pxTemplate. Sep 26, 2013 · I also tried with other attributes. The package iaik. oasis-open. 0, the use of Meta Objects is introduced. TOKEN: True, see pkcs11. Create a name SO user and description for the SO user service ID. This layer solely builds upon the Java API for PKCS#11 as implemented by the Java Wrapper for Sep 7, 2023 · To create a service ID for the SO user and the corresponding API key, complete the following steps: In the UI, go to Manage > Access (IAM), and select Service IDs. Nov 6, 2020 · In PKCS11 specification v2. OpenSC / OpenSC Public. Fixes: tpm2-software#347 Signed-off-by: William Roberts <william. If an attribute has no value, then ulValueLen = 0, and the value of pValue is irrelevant. Closed. ProviderException: sun. wrapper. Those blobs contain the key usages, as known by the TPM. [in] hSession: Handle of a valid PKCS #11 session. For example, changing the PKCS11 configuration file can be useful when using iKeyman with an underlying PKCS11 key store, and a crypto adapter for which CKA_TOKEN=false is the default. For CBC mode, the wrapping key must be a DES, DES2, DES3, or AES secret key object. Cryptographic security hardware can include: USB dongles.
40, we see some confusion with CKA_VALUE_LEN attribute and UnwrapKey behavior. Oct 7, 2016 · Here's the a list of just a couple of the HSM objects. The order of the attributes in a template never python-pkcs11 also includes numerous utility functions to convert between PKCS #11 data structures and common interchange formats including PKCS #1 and X. CKO_SECRET_KEY; CKA. CKA_CLASS -> CKO. By default, the SunPKCS11 provider only specifies mandatory PKCS#11 attributes when creating objects. 12. c:3285 Nov 23, 2022 · You will also need to find the path to your module, a shared object file ( . The Java platform defines a set of programming interfaces for performing cryptographic operations. Attribute) (Object, error) // FindObject finds a single object in the token that matches the attributes in // the template. pkcs11. Sep 6, 2016 · Viewed 3k times. The PKCS#11 Cryptographic Token Interface Standard, also known as Cryptoki, is one of the Public Key Cryptography Standards developed by RSA Security. Thales recommends Luna Network HSM Appliance Software 7. Attributes are defined when the key object is created. Extension. Such hardware devices are often referred to as cryptographic tokens, hence the name "Cryptoki" (from Cryptographic Token Interface). This PKCS #11 Cryptographic Token Interface Usage Guide Version 2. Specify the list of additional attributes that SHALL be supported. Jan 5, 2019 · import logging LOG = logging. There is considerable overlap between members of the two technical committees. Attributes corresponds to a CKA type and a base attribute value, see the man page for the base attribute value module for information how to set/get 5 PKCS#11 Reference Guide. pValue should May 7, 2014 · An email address must be included in the attribute of the subject DN or the mail attribute of the subject DN. It is the stated objective of both the PKCS#11 and KMIP committees to align the standards where practicable.
Some of these match criteria may be redundant — in this case we've asked it to list the certificates in a token which has a model of "PKCS#15 emulated" and a manufacturer of "piv_II" and serial number 108421384210c3f5 and token label "PIV_II (PIV Card Holder pin)" . PKCS 8 formatting (CBC mode with padding and GCM mode) is supported for wrapping a private or secret key with a secret key. Crypt::PKCS11::Attributes A module to handle a set of Crypt::PKCS11::Attribute objects and also lists all available PKCS #11 attributes. P11KeyStore. pValue should Dec 13, 2023 · The Security Services PKCS#11 library is a user space library available to DRIVE OS applications running on the Guest OS that provides a sub-set of the PKCS#11 interface as specified by the PKCS#11 v3. Oct 19, 2020 · These attributes could be added to pkcs11-tool. Support for Windows and Linux is included in the Pkcs11Interop library. $ openssl x509 -signkey dev_key. For example, for RSA public keys it specifies the key type and algorithm (CKA_CLASS and CKA_KEY_TYPE) and the key values for RSA public keys (CKA_MODULUS and CKA_PUBLIC_EXPONENT). Example: the certificate subject name is used to create the CKA_SUBJECT attribute. In particular, it includes the following guidance: Feb 16, 2018 · As we can clearly see here, it is attempting a "PKCS11. pem -out req. Oct 21, 2015 · PKCS11Exception ckr_attribute_type_invalid. PKCS#11 defines the interface between an application and a cryptographic device. In general, the SafeNet ProtectToolkit -C system will define the object’s attributes. 509 v3 and PKIX specifications. This standard, first developed by the RSA Laboratories in cooperation with representatives from industry Jan 8, 2019 · 2. IBM TouchToken for iOS components that run on z/OS use a PKCS#11 token to generate and manage secret keys, and to perform hash message authentication code (HMAC) operations. 
The following attribute descriptions are intended to Jan 17, 2022 · I generated an ed25519 key pair with golang PKCS11 library branch v3 (it is connected to SoftHSM2): publicKeyTemplate := []*pkcs11. at sun. Trivial way to check whether you use cipher correctly is to encrypt some hard-coded data, then decrypt it back and compare with original contents. For GCM mode, the wrapping key must be an AES secret key object. My system is Windows 7 64-bit and java version is 1. AWS CloudHSM does not support all attributes listed in the PKCS #11 specification. To permanently store the object in the HSM add pkcs. points to the object's template; ulCount. CK_VALUE is the attribute that holds the actual value that makes the PrivateKey. The following attribute descriptions are By default, the SunPKCS11 provider only specifies mandatory PKCS#11 attributes when creating objects. Contribute to miekg/pkcs11 development by creating an account on GitHub. is the session's handle; pTemplate. 1 Answer. 5314 00000103000003A1 X509PublicKeyCertificate 201603040001. This chapter gives a general outline of PKCS#11 and some of its basic concepts.