|
|
Library Spi Parameters Return Value Comments | Api Parameters Description Errors See Also |
API:CSSM_RETURN CSSMAPI CSSM_DeriveKey(CSSM_CC_HANDLE CCHandle,CSSM_DATA_PTR Param,uint32 KeyUsage,uint32 KeyAttr,const CSSM_DATA *KeyLabel,const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,CSSM_KEY_PTR DerivedKey)SPI:CSSM_RETURN CSSMCSPI CSP_DeriveKey(CSSM_CSP_HANDLE CSPHandle,CSSM_CC_HANDLE CCHandle,const CSSM_CONTEXT *Context,CSSM_DATA_PTR Param,uint32 KeyUsage,uint32 KeyAttr,const CSSM_DATA *KeyLabel,const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,CSSM_KEY_PTR DerivedKey)
cdsa$incssm300_shr.exe
)CCHandle (input) | ||
The handle that describes the context of this cryptographicoperation. | ||
Param (input/output) | ||
This parameter varies depending on the derivationalgorithm. Password based derivation algorithms use this parameterto return a cipher block chaining initialization vector. Concatenationalgorithms use this parameter to get the second item to concatenate. | ||
KeyUsage (input) | ||
A bit mask indicating all permitted uses for thenew derived key. | ||
KeyAttr (input) | ||
A bit mask defining other attribute values for thenew derived key. | ||
KeyLabel (input/optional) | ||
Pointer to a byte string that will be used as thelabel for the derived key. | ||
CredAndAclEntry (input/optional) | ||
A structure containing one or more credentials authorizedfor creating a key and the prototype ACL entry that will controlfuture use of the newly created key. The credentials and ACL entryprototype can be presented as immediate values or callback functionscan be provided for use by the CSP to acquire the credentials and/orthe subject of the ACL entry interactively. If the CSP providespublic access for creating a key, then the credentials can be NULL.If the CSP defines a default initial ACL entry for the new key,then the ACL entry prototype can be empty. | ||
DerivedKey (output) | ||
A pointer to a CSSM_KEY structure that returns thederived key. |
CSPHandle (input) | ||
The handle that describes the add-in CryptographicService Provider module used to perform up calls to CSSM for thememory functions managed by CSSM. | ||
Context (input) | ||
Pointer to CSSM_CONTEXT structure that describesthe attributes with this context. |
Authorization policy can restrict the set of callers who cancreate a new resource. In this case, the caller must present a setof access credentials for authorization. Upon successfully authenticatingthe credentials, the template that verified the presented samplesidentifies the ACL entry that will be used in the authorization computation.If the caller is authorized, the new resource is created.
The caller must provide an initial ACL entry to be associatedwith the newly created resource. This entry is used to control futureaccess to the new resource and (since the subject is deemed to bethe "Owner") exercise control over its associated ACL. The callercan specify the following items for initializing an ACL entry:
Subject | A CSSM_LIST structure, containing the type of thesubject and a template value that can be used to verify samplesthat are presented in credentials when resource access is requested. | |
Delegation flag | ||
A value indicating whether the Subject can delegatethe permissions recorded in the AuthorizationTag .(This item only applies to public key subjects). | ||
Authorization tag | ||
The set of permissions that are granted to the Subject. | ||
Validity period | ||
The start time and the stop time for which the ACLentry is valid. | ||
ACL entry tag | ||
A user-defined string value associated with theACL entry. The service provider can modify the caller-provided initialACL entry to conform to any innate resource-access policy that theservice provider may be required to enforce. If the initial ACLentry provided by the caller contains values or permissions thatare not supported by the service provider, then the service providercan modify the initial ACL appropriately or can fail the requestto create the new resource. Service providers list their supported AuthorizationTag valuesin their Module Directory Services primary record.The CSP can require that the cryptographic context includeaccess credentials for authentication and authorization checks whenusing a private key or a secret key. |
CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS
KeyData
field of the CSSM_KEY structureis allocated by the CSP. The application is required to free this memoryusing the CSSM_FreeKey()
(CSSM API), or CSP_FreeKey()
(CSP SPI) call, or with the memory functions registeredfor the CSPHandle
.Intel CDSA Application Developer's Guide
Functions: CSSM_CSP_CreateDeriveKeyContext
|
|