How are C_CreateObject, C_GenerateKey and C_GenerateKeyPair different?

Submitted by ぃ、小莉子 on 2019-12-24 09:17:58

Question


Our PKCS#11 library is missing the implementation of C_CreateObject. Before jumping into its implementation, I want to know the instances where C_CreateObject should be used instead of C_GenerateKey/C_GenerateKeyPair.


Answer 1:


C_CreateObject imports existing data objects, certificates and/or keys generated externally into the device. C_GenerateKey generates a new symmetric key (DES/AES/...) inside the device. C_GenerateKeyPair generates a new asymmetric key pair (RSA/ECC/...) inside the device.




Answer 2:


PKCS#11 treats Key Pairs (Public Key and Private Key), Certificates and Secret Keys as objects on the token. There is also a Data Object, which just holds some data.

The C_GenerateKey would create a Secret Key Object.

The C_GenerateKeyPair would create a Public Key and a Private Key Object (both the public key and private key combined would constitute the key pair).

When you say C_GenerateKey, PKCS#11 knows that it has to generate a Secret Key Object and expects a Secret Key Object Template. Similarly, with C_GenerateKeyPair it knows that it has to create a Public Key Object and a Private Key Object and expects their respective object templates.

But when you say C_CreateObject, you have to specify which type of object you want to create, and pass in the right Object Template as well. Consider this like an abstract version of the C_GenerateXXX method.
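
As an added example (not from the answers above or from any particular PKCS#11 library), here is a sketch of the template checks an implementation might run for an AES secret key on the C_CreateObject path versus the C_GenerateKey path. The type and constant definitions are a constructed stand-in for pkcs11t.h, the function names are hypothetical, and the return codes chosen for a caller-supplied CKA_VALUE on generation and for CKA_VALUE_LEN on creation are this sketch's policy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for pkcs11t.h: only the types and constants used here. */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_CLASS = 0x0, CKA_VALUE = 0x11, CKA_KEY_TYPE = 0x100, CKA_VALUE_LEN = 0x161,
       CKO_SECRET_KEY = 0x4, CKK_AES = 0x1F, CKR_OK = 0x0, CKR_ATTRIBUTE_VALUE_INVALID = 0x13,
       CKR_TEMPLATE_INCOMPLETE = 0xD0, CKR_TEMPLATE_INCONSISTENT = 0xD1 };

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}
/* Read a CK_ULONG-valued attribute; a missing attribute is reported as INCOMPLETE. */
static CK_RV get_ulong(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type, CK_ULONG *out) {
    const CK_ATTRIBUTE *a = find_attr(t, n, type);
    if (!a) return CKR_TEMPLATE_INCOMPLETE;
    if (!a->pValue || a->ulValueLen != sizeof *out) return CKR_ATTRIBUTE_VALUE_INVALID;
    memcpy(out, a->pValue, sizeof *out);
    return CKR_OK;
}
static int aes_len_ok(CK_ULONG len) { return len == 16 || len == 24 || len == 32; }

/* C_CreateObject path: the caller must name the class and key type and supply the key bytes. */
CK_RV check_create_aes(const CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_ULONG cls, kt; CK_RV rv;
    if ((rv = get_ulong(t, n, CKA_CLASS, &cls)) != CKR_OK) return rv;
    if ((rv = get_ulong(t, n, CKA_KEY_TYPE, &kt)) != CKR_OK) return rv;
    if (cls != CKO_SECRET_KEY || kt != CKK_AES) return CKR_TEMPLATE_INCONSISTENT;
    if (find_attr(t, n, CKA_VALUE_LEN)) return CKR_TEMPLATE_INCONSISTENT; /* length comes from CKA_VALUE */
    const CK_ATTRIBUTE *v = find_attr(t, n, CKA_VALUE);
    if (!v) return CKR_TEMPLATE_INCOMPLETE;
    return (v->pValue && aes_len_ok(v->ulValueLen)) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
}
/* C_GenerateKey path (AES key generation): class is implied, the token produces the value. */
CK_RV check_generate_aes(const CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_ULONG cls, len; CK_RV rv = get_ulong(t, n, CKA_CLASS, &cls);
    if (rv == CKR_ATTRIBUTE_VALUE_INVALID) return rv;
    if (rv == CKR_OK && cls != CKO_SECRET_KEY) return CKR_TEMPLATE_INCONSISTENT;
    if (find_attr(t, n, CKA_VALUE)) return CKR_TEMPLATE_INCONSISTENT; /* this sketch's policy */
    if ((rv = get_ulong(t, n, CKA_VALUE_LEN, &len)) != CKR_OK) return rv;
    return aes_len_ok(len) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
}
int main(void) {
    CK_ULONG cls = CKO_SECRET_KEY, kt = CKK_AES; unsigned char key[16] = {0}; /* constructed */
    CK_ATTRIBUTE imp[] = { {CKA_CLASS, &cls, sizeof cls}, {CKA_KEY_TYPE, &kt, sizeof kt}, {CKA_VALUE, key, sizeof key} };
    printf("create: 0x%lx, generate: 0x%lx\n", check_create_aes(imp, 3), check_generate_aes(imp, 3));
    return 0;
}
```

The same import template that passes the create check is rejected by the generate check, because it carries key bytes that originated outside the token.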



Source: https://stackoverflow.com/questions/43091131/how-c-createobject-c-generatekey-and-c-generatekeypair-are-different
