The HSM management tool (hsm_mgmt_tool) uses numeric constants to represent the attributes of keys stored in the HSM. This topic explains what each key attribute means, which constant represents it in command input and output, and how to interpret the attribute values.
Key attribute constants
| Attribute | Constant | Value |
| --- | --- | --- |
| OBJ_ATTR_CLASS | 0 | 2: Public key in a public-private key pair. 3: Private key in a public-private key pair. 4: Symmetric (secret) key. |
| OBJ_ATTR_TOKEN | 1 | 0: False. Session key. 1: True. Permanent key. |
| OBJ_ATTR_PRIVATE | 2 | 0: False. 1: True. Indicates whether an unauthenticated user is prevented from listing the attributes of the key. Because the CloudHSM PKCS#11 provider does not support public sessions, this attribute is set to 1 for all keys, including public keys in public-private key pairs. |
| OBJ_ATTR_LABEL | 3 | User-defined string. It does not have to be unique within the cluster. |
| OBJ_ATTR_TRUSTED | 134 | 0: False. 1: True. |
| OBJ_ATTR_KEY_TYPE | 256 | 0: RSA. 1: DSA. 3: EC. 16: Generic secret. 18: RC4. 21: Triple DES (3DES). 31: Advanced Encryption Standard (AES). |
| OBJ_ATTR_ID | 258 | User-defined string. It must be unique within the cluster. The default value is an empty string. |
| OBJ_ATTR_SENSITIVE | 259 | 0: False. Public keys in a public-private key pair. 1: True. |
| OBJ_ATTR_ENCRYPT | 260 | 0: False. 1: True. The key can be used to encrypt data. |
| OBJ_ATTR_DECRYPT | 261 | 0: False. 1: True. The key can be used to decrypt data. |
| OBJ_ATTR_WRAP | 262 | 0: False. 1: True. The key can be used to encrypt (wrap) other keys. |
| OBJ_ATTR_UNWRAP | 263 | 0: False. 1: True. The key can be used to decrypt (unwrap) other keys. |
| OBJ_ATTR_SIGN | 264 | 0: False. 1: True. The key can be used for signing (private keys). |
| OBJ_ATTR_VERIFY | 266 | 0: False. 1: True. The key can be used for signature verification (public keys). |
| OBJ_ATTR_DERIVE | 268 | 0: False. 1: True. The key can be used to derive other keys. |
| OBJ_ATTR_MODULUS | 288 | Modulus used to generate RSA key pairs. For EC keys, this value is the DER encoding of the ANSI X9.62 ecPoint value Q, in hexadecimal. This attribute does not exist for other key types. |
| OBJ_ATTR_MODULUS_BITS | 289 | Length of the modulus used to generate RSA key pairs. For EC keys, this is the ID of the elliptic curve used to generate the key. This attribute does not exist for other key types. |
| OBJ_ATTR_PUBLIC_EXPONENT | 290 | Public exponent used to generate RSA key pairs. This attribute does not exist for other key types. |
| OBJ_ATTR_VALUE_LEN | 353 | Key length, in bytes. |
| OBJ_ATTR_EXTRACTABLE | 354 | 0: False. 1: True. The key can be exported from the HSM. |
| OBJ_ATTR_LOCAL | 355 | 0: False. The key was imported into the HSM. 1: True. The key was generated inside the HSM. |
| OBJ_ATTR_NEVER_EXTRACTABLE | 356 | 0: False. 1: True. The key has never been exportable from the HSM. |
| OBJ_ATTR_ALWAYS_SENSITIVE | 357 | 0: False. 1: True. |
| OBJ_ATTR_DESTROYABLE | 370 | 0: False. 1: True. |
| OBJ_ATTR_KCV | 371 | Key Check Value. For more information, see Key Check Value (KCV). |
| OBJ_ATTR_ALL | 512 | Represents all attributes. |
| OBJ_ATTR_WRAP_WITH_TRUSTED | 528 | 0: False. 1: True. |
| OBJ_ATTR_UNWRAP_TEMPLATE | 1073742354 | Attribute template applied to any key that is unwrapped with this wrapping key. |
| OBJ_ATTR_WRAP_TEMPLATE | 1073742353 | Attribute template that a key must match before it can be wrapped with this wrapping key. |
Key Check Value (KCV)
The KCV is a 3-byte hash or check value of a key stored in the HSM. You can compute the KCV outside the HSM by following the generation rules below and compare it with the KCV returned by the HSM through getAttribute, to confirm that the key you hold is the same key and that it has not been altered.
The KCV generation rules for Alibaba Cloud HSM are as follows:
Symmetric key: Encrypt a single all-zero block with the key, using the key's own encryption algorithm, and take the first 3 bytes of the ciphertext as the check value.
Asymmetric key pair: The first 3 bytes of the SHA-1 hash of the public key.
HMAC key: KCV is not supported for HMAC keys.
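The following Go program is an added example of the KCV rules above; it is not part of the original page and is not Alibaba Cloud's own code. It computes the symmetric KCV (AES or 3DES encryption of one all-zero block, first 3 bytes) and the asymmetric KCV (first 3 bytes of SHA-1 over the public key bytes), and compares the result in constant time with the value read back from the HSM. Two assumptions are made: the public-key byte encoding passed to AsymmetricKCV is whatever encoding the HSM hashes (the page does not specify it), and the getAttribute value is supplied as a hex string. The AES and public-key inputs in main are constructed sample values, not keys from any real HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// KCVLen is the length of a check value as stated on the page: 3 bytes.
const KCVLen = 3

// symmetricKCV encrypts one all-zero block with the supplied block cipher
// and returns the first KCVLen bytes of the ciphertext.
func symmetricKCV(block cipher.Block) []byte {
	zero := make([]byte, block.BlockSize())
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, zero)
	return out[:KCVLen]
}

// AESKCV computes the KCV of an AES key (16, 24 or 32 bytes).
func AESKCV(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return symmetricKCV(block), nil
}

// TripleDESKCV computes the KCV of a 3DES key (24 bytes, K1||K2||K3).
func TripleDESKCV(key []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return symmetricKCV(block), nil
}

// AsymmetricKCV returns the first KCVLen bytes of SHA-1 over the public key.
// Assumption: publicKey is already in the byte encoding the HSM hashes; the
// page does not say which encoding that is.
func AsymmetricKCV(publicKey []byte) []byte {
	sum := sha1.Sum(publicKey)
	return sum[:KCVLen]
}

// MatchesReported compares a locally computed KCV with the hex string
// obtained from the HSM via getAttribute (hex format is an assumption).
// The comparison is constant-time so the check itself leaks nothing.
func MatchesReported(computed []byte, reportedHex string) (bool, error) {
	reported, err := hex.DecodeString(reportedHex)
	if err != nil {
		return false, err
	}
	if len(reported) != KCVLen || len(computed) != KCVLen {
		return false, errors.New("a KCV must be exactly 3 bytes")
	}
	return subtle.ConstantTimeCompare(computed, reported) == 1, nil
}

func main() {
	// Constructed sample AES-128 key (all zero) for demonstration only.
	aesKey := make([]byte, 16)
	kcv, err := AESKCV(aesKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES KCV: %x\n", kcv)

	// Constructed stand-in for the value read back through getAttribute.
	ok, err := MatchesReported(kcv, hex.EncodeToString(kcv))
	fmt.Printf("matches HSM value: %v (err=%v)\n", ok, err)

	// Constructed public-key bytes; a real check would pass the HSM's encoding.
	fmt.Printf("asymmetric KCV: %x\n", AsymmetricKCV([]byte("abc")))
}
```

Run it with `go run kcv.go`; to verify a real key, replace the constructed inputs with the key material you hold and the KCV string returned by getAttribute, and treat a mismatch as a sign that either the key or its encoding differs from what the HSM holds.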