NAME

  DeriveKey, CSSM_DeriveKey, CSP_DeriveKey - Derive new symmetric key (CDSA)
SYNOPSIS

  #include <cdsa/cssm.h>

  API:
    CSSM_RETURN CSSMAPI CSSM_DeriveKey (CSSM_CC_HANDLE CCHandle,
        CSSM_DATA_PTR Param, uint32 KeyUsage, uint32 KeyAttr,
        const CSSM_DATA *KeyLabel,
        const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,
        CSSM_KEY_PTR DerivedKey)

  SPI:
    CSSM_RETURN CSSMCSPI CSP_DeriveKey (CSSM_CSP_HANDLE CSPHandle,
        CSSM_CC_HANDLE CCHandle, const CSSM_CONTEXT *Context,
        CSSM_DATA_PTR Param, uint32 KeyUsage, uint32 KeyAttr,
        const CSSM_DATA *KeyLabel,
        const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,
        CSSM_KEY_PTR DerivedKey)
LIBRARY

  Common Security Services Manager library (libcssm.so)
PARAMETERS

  CCHandle (input)
    The handle that describes the context of this cryptographic operation.

  Param (input/output)
    This parameter varies depending on the derivation algorithm.
    Password-based derivation algorithms use this parameter to return a
    cipher block chaining initialization vector, which belongs with the
    derived key and should be used with it as returned. Concatenation
    algorithms use this parameter to get the second item to concatenate.

  KeyUsage (input)
    A bit mask indicating all permitted uses for the new derived key.
    Request only the uses the application actually needs (for example
    encrypt and decrypt for a session key) rather than CSSM_KEYUSE_ANY,
    so that a compromised or confused caller cannot repurpose the key.

  KeyAttr (input)
    A bit mask defining other attribute values for the new derived key,
    including whether the key is returned as raw data or as a reference
    held inside the CSP.

  KeyLabel (input)
    Pointer to a byte string that will be used as the label for the
    derived key.

  CredAndAclEntry (input)
    A structure containing one or more credentials authorized for creating
    a key and the prototype ACL entry that will control future use of the
    newly created key. The credentials and ACL entry prototype can be
    presented as immediate values, or callback functions can be provided
    for use by the CSP to acquire the credentials and/or the subject of
    the ACL entry interactively. If the CSP provides public access for
    creating a key, then the credentials can be NULL. If the CSP defines a
    default initial ACL entry for the new key, then the ACL entry
    prototype can be empty.

  DerivedKey (output)
    A pointer to a CSSM_KEY structure that returns the derived key.

  SPI-only parameters:

  CSPHandle (input)
    The handle that describes the add-in cryptographic service provider
    module used to perform upcalls to CSSM for the memory functions
    managed by CSSM.

  Context (input)
    Pointer to a CSSM_CONTEXT structure that describes the attributes
    associated with this context.
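The KeyUsage and KeyAttr masks are where the caller decides how much a derived key can do. The following is an added example, not code from this man page, from libcssm or from the Intel CDSA reference implementation: a caller-side helper that assembles a least-privilege (KeyUsage, KeyAttr) pair for a derived session key and rejects over-broad or contradictory masks before they reach CSSM_DeriveKey(). The CSSM_KEYUSE_* and CSSM_KEYATTR_* values are redefined locally so the file builds without the CDSA headers and are assumed to match cssmtype.h; the rules in check_derive_policy (no CSSM_KEYUSE_ANY, a single RETURN_* form, no raw or extractable return of a key marked SENSITIVE, no caller-set history flags, no mixing of bulk-cipher and key-management uses) are this helper's own policy, not requirements stated by the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uint32;   /* CDSA's uint32 */

/* Key-usage bits for the KeyUsage argument (assumed values, see cssmtype.h). */
#define CSSM_KEYUSE_ANY      0x80000000u
#define CSSM_KEYUSE_ENCRYPT  0x00000001u
#define CSSM_KEYUSE_DECRYPT  0x00000002u
#define CSSM_KEYUSE_SIGN     0x00000004u
#define CSSM_KEYUSE_VERIFY   0x00000008u
#define CSSM_KEYUSE_WRAP     0x00000040u
#define CSSM_KEYUSE_UNWRAP   0x00000080u
#define CSSM_KEYUSE_DERIVE   0x00000100u

/* Key-attribute bits for the KeyAttr argument (assumed values, see cssmtype.h). */
#define CSSM_KEYATTR_RETURN_DATA        0x10000000u  /* raw key bytes in KeyData */
#define CSSM_KEYATTR_RETURN_REF         0x20000000u  /* reference; key stays in the CSP */
#define CSSM_KEYATTR_RETURN_NONE        0x40000000u
#define CSSM_KEYATTR_PERMANENT          0x00000001u
#define CSSM_KEYATTR_SENSITIVE          0x00000008u
#define CSSM_KEYATTR_ALWAYS_SENSITIVE   0x00000010u
#define CSSM_KEYATTR_EXTRACTABLE        0x00000020u
#define CSSM_KEYATTR_NEVER_EXTRACTABLE  0x00000040u

enum derive_policy_status {
    DERIVE_POLICY_OK = 0,
    DERIVE_POLICY_USAGE_EMPTY,     /* no usage at all: the key could never be used */
    DERIVE_POLICY_USAGE_ANY,       /* CSSM_KEYUSE_ANY defeats usage restriction */
    DERIVE_POLICY_USAGE_MIXED,     /* bulk cipher key also usable for wrap/sign/derive */
    DERIVE_POLICY_ATTR_RETURN,     /* more than one RETURN_* form requested */
    DERIVE_POLICY_ATTR_CSP_ONLY,   /* caller set a history flag only the CSP should set */
    DERIVE_POLICY_ATTR_EXPORTABLE  /* SENSITIVE key requested in raw or extractable form */
};

struct derive_policy { uint32 key_usage; uint32 key_attr; };

#define RETURN_FORM_MASK  (CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_RETURN_NONE)
#define CSP_ONLY_ATTRS    (CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE)
#define BULK_CIPHER_USAGE (CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT)
#define KEY_MGMT_USAGE    (CSSM_KEYUSE_WRAP | CSSM_KEYUSE_UNWRAP | CSSM_KEYUSE_DERIVE | \
                           CSSM_KEYUSE_SIGN | CSSM_KEYUSE_VERIFY)

/* Validate a (KeyUsage, KeyAttr) pair before handing it to CSSM_DeriveKey(). */
enum derive_policy_status check_derive_policy(uint32 key_usage, uint32 key_attr)
{
    uint32 form = key_attr & RETURN_FORM_MASK;

    if (key_usage == 0)
        return DERIVE_POLICY_USAGE_EMPTY;
    if (key_usage & CSSM_KEYUSE_ANY)
        return DERIVE_POLICY_USAGE_ANY;
    if ((key_usage & BULK_CIPHER_USAGE) && (key_usage & KEY_MGMT_USAGE))
        return DERIVE_POLICY_USAGE_MIXED;
    if (form & (form - 1))                     /* more than one RETURN_* bit set */
        return DERIVE_POLICY_ATTR_RETURN;
    if (key_attr & CSP_ONLY_ATTRS)
        return DERIVE_POLICY_ATTR_CSP_ONLY;
    if ((key_attr & CSSM_KEYATTR_SENSITIVE) &&
        ((key_attr & CSSM_KEYATTR_EXTRACTABLE) || form == CSSM_KEYATTR_RETURN_DATA))
        return DERIVE_POLICY_ATTR_EXPORTABLE;
    return DERIVE_POLICY_OK;
}

/* Least-privilege masks for a session key derived from a passphrase:
 * only the cipher direction(s) needed, held by reference inside the CSP,
 * marked sensitive so it can leave only in wrapped form, and not persisted. */
struct derive_policy session_key_policy(bool encrypt, bool decrypt)
{
    struct derive_policy p;
    p.key_usage = (encrypt ? CSSM_KEYUSE_ENCRYPT : 0u) | (decrypt ? CSSM_KEYUSE_DECRYPT : 0u);
    p.key_attr  = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE;
    return p;
}

int main(void)
{
    struct derive_policy p = session_key_policy(true, true);
    printf("session key: usage=0x%08x attr=0x%08x status=%d\n",
           (unsigned)p.key_usage, (unsigned)p.key_attr,
           (int)check_derive_policy(p.key_usage, p.key_attr));
    /* Over-broad request that a reviewer should flag. */
    printf("KEYUSE_ANY + RETURN_DATA: status=%d\n",
           (int)check_derive_policy(CSSM_KEYUSE_ANY, CSSM_KEYATTR_RETURN_DATA));
    return 0;
}
```

Run check_derive_policy on the masks immediately before the CSSM_DeriveKey() call and treat any non-OK status as a programming error; with the real headers available, delete the local defines and include <cdsa/cssm.h> so the values come from the CSP's own definitions.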
DESCRIPTION

  This function derives a new symmetric key using the context and/or
  information from the base key in the context.

  The CSP can require that the cryptographic context include access
  credentials for authentication and authorization checks when using a
  private key or a secret key. Authorization policy can restrict the set of
  callers who can create a new resource. In this case, the caller must
  present a set of access credentials for authorization. Upon successfully
  authenticating the credentials, the ACL entry whose subject template
  verified the presented samples is the one used in the authorization
  computation. If the caller is authorized, the new resource is created.
  The caller must provide an initial ACL entry to be associated with the
  newly created resource. This entry is used to control future access to
  the new resource and (since the subject is deemed to be the "Owner")
  exercise control over its associated ACL. The caller can specify the
  following items for initializing an ACL entry:

    - A CSSM_LIST structure, containing the type of the subject and a
      template value that can be used to verify samples that are presented
      in credentials when resource access is requested.
    - A value indicating whether the Subject can delegate the permissions
      recorded in the AuthorizationTag. (This item only applies to public
      key subjects.)
    - The set of permissions that are granted to the Subject.
    - The start time and the stop time for which the ACL entry is valid.
    - A user-defined string value associated with the ACL entry.
The service provider can modify the caller-provided
initial ACL entry to conform to any innate
resource-access policy that the service provider
may be required to enforce. If the initial ACL
entry provided by the caller contains values or
permissions that are not supported by the service
provider, then the service provider can modify the
initial ACL appropriately or can fail the request
to create the new resource. Service providers list
their supported AuthorizationTag values in their
Module Directory Services primary record.
RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular error
  condition. The value CSSM_OK indicates success. All other values
  represent an error condition; on error, the contents of DerivedKey must
  not be used as a key. Errors are described in the CDSA technical
  standard. See CDSA_intro(3).

ERRORS

  CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS
NOTES

  The KeyData field of the CSSM_KEY structure is allocated by the CSP. The
  application is required to free this memory using the CSSM_FreeKey()
  (CSSM API) or CSP_FreeKey() (CSP SPI) call, or with the memory functions
  registered for the CSPHandle.
SEE ALSO

  Books

    Intel CDSA Application Developer's Guide (see CDSA_intro(3))

  Reference Pages

    Functions: CSSM_CSP_CreateDeriveKeyContext(3)