GenerateKey(3)GenerateKey(3)NAME
GenerateKey, CSSM_GenerateKey, CSP_GenerateKey - Generate a symmetric
key (CDSA)
SYNOPSIS
# include <cdsa/cssm.h>
API: CSSM_RETURN CSSMAPI CSSM_GenerateKey (CSSM_CC_HANDLE CCHandle,
uint32 KeyUsage, uint32 KeyAttr, const CSSM_DATA *KeyLabel, const
CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, CSSM_KEY_PTR Key) SPI:
CSSM_RETURN CSSMCSPI CSP_GenerateKey (CSSM_CSP_HANDLE CSPHandle,
CSSM_CC_HANDLE CCHandle, const CSSM_CONTEXT *Context, uint32 KeyUsage,
uint32 KeyAttr, const CSSM_DATA *KeyLabel, const CSSM_RESOURCE_CON‐
TROL_CONTEXT *CredAndAclEntry, CSSM_KEY_PTR Key)
LIBRARY
Common Security Services Manager library (libcssm.so)
API PARAMETERS
The handle that describes the context of this cryptographic operation
used to link to the CSP-managed information. A bit mask indicating all
permitted uses for the new key. A bit mask defining attribute values
for the new key. Pointer to a byte string that will be used as the
label for the key. A structure containing one or more credentials
authorized for creating a key and the prototype ACL entry that will
control future use of the newly created key. The credentials and ACL
entry prototype can be presented as immediate values or callback func‐
tions can be provided for use by the CSP to acquire the credentials
and/or the ACL entry interactively. If the CSP provides public access
for creating a key, then the credentials can be NULL. If the CSP
defines a default initial ACL entry for the new key, then the ACL entry
prototype can be an empty list. Pointer to CSSM_KEY structure used to
hold the new key. The CSSM_KEY structure should be empty upon input to
this function. The CSP will ignore any values residing in this struc‐
ture at function invocation. Input values should be supplied in the
cryptographic context, KeyUsage, KeyAttr, and KeyLabel input parame‐
ters.
SPI PARAMETERS
The handle that describes the add-in cryptographic service provider
module used to perform up-calls to CSSM for the memory functions man‐
aged by CSSM. Pointer to CSSM_CONTEXT structure that describes the
attributes with this context. Pointer to CSSM_KEY structure used to
obtain the key. Upon function invocation, any values in the CSSM_Key
structure should be ignored. All input values should be supplied in the
cryptographic Context, KeyUsage, KeyAttr, and KeyLabel input parame‐
ters.
DESCRIPTION
This function generates a symmetric key. The KeyUsage, and KeyAttr are
used to initialize the keyheader for the newly created key. These val‐
ues are not retained in the cryptographic Context, which contains addi‐
tional parameters for this operation. The CSP may cache keying material
associated with the new symmetric key. When the symmetric key is no
longer in active use, the application can invoke the CSSM_FreeKey()
interface to allow cached keying material associated with the symmetric
key to be removed.
Authorization policy can restrict the set of callers who can create a
new resource. In this case, the caller must present a set of access
credentials for authorization. Upon successfully authenticating the
credentials, the template that verified the presented samples identi‐
fies the ACL entry that will be used in the authorization computation.
If the caller is authorized, the new resource is created.
The caller must provide an initial ACL entry to be associated with the
newly created resource. This entry is used to control future access to
the new resource and (since the subject is deemed to be the "Owner")
exercise control over its associated ACL. The caller can specify the
following items for initializing an ACL entry: Subject - A CSSM_LIST
structure, containing the type of the subject and a template value that
can be used to verify samples that are presented in credentials when
resource access is requested. Delegation flag - A value indicating
whether the Subject can delegate the permissions recorded in the Autho‐
rizationTag. (This item only applies to public key subjects). Autho‐
rization tag - The set of permissions that are granted to the Subject.
Validity period - The start time and the stop time for which the ACL
entry is valid. ACL entry tag - A user-defined string value associated
with the ACL entry.
The service provider can modify the caller-provided initial ACL
entry to conform to any innate resource-access policy that the
service provider may be required to enforce. If the initial ACL
entry provided by the caller contains values or permissions that
are not supported by the service provider, then the service
provider can modify the initial ACL appropriately or can fail
the request to create the new resource. Service providers list
their supported AuthorizationTag values in their Module Direc‐
tory Services primary record.
NOTES
The KeyData field of the CSSM_KEY structure is allocated by the CSP.
The application is required to free this memory using the
CSSM_FreeKey() (CSSM API), or CSP_FreeKey() (CSP SPI), function or with
the memory functions registered for the CSPHandle.
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular error
condition. The value CSSM_OK indicates success. All other values repre‐
sent an error condition.
ERRORS
Errors are described in the CDSA technical standard. See
CDSA_intro(3). CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS
SEE ALSO
Books
Intel CDSA Application Developer's Guide (see CDSA_intro(3))
Reference Pages
Functions for the CSSM API:
CSSM_GenerateRandom(3), CSSM_GenerateKeyPair(3)
Functions for the CSP SPI:
CSP_GenerateRandom(3), CSP_GenerateKeyPair(3)GenerateKey(3)