OPSEC Check Point™ PKCS#11 Cryptographic Token Integration Guidelines OPSEC SDK 6.0 May 2006


Page 1: Check Point™ PKCS#11 Cryptographic Token Integration ...read.pudn.com/downloads142/doc/614417/PKCS11.pdf · SmartView Reporter, SmartV iew Status, SmartViewTracker, SofaWare, SSL

OPSEC

Check Point™ PKCS#11 Cryptographic Token Integration Guidelines

OPSEC SDK 6.0

May 2006


© 2003-2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2006 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 51.


Contents

Preface
    Who Should Use This Guide ............................................ 8
    Summary of Contents .................................................. 9
        Appendices ....................................................... 9
    What the Typographic Variations Mean ................................ 10

Chapter 1  Introduction
    Overview ............................................................ 12
    Prerequisites ....................................................... 13
    Platforms and Products Supported .................................... 14
    Typical VPN-1 Configuration ......................................... 15
    Uses of PKCS#11 Cryptographic Tokens ................................ 16
        Secure Key Storage .............................................. 16
        Public Key Operation Acceleration ............................... 16
        Random Number Generation ........................................ 16
    Interaction with Check Point Products ............................... 17
    Terminology ......................................................... 18

Chapter 2  PKCS#11 Integration
    OPSEC Categories .................................................... 20
    Configuring Check Point Applications to Use PKCS#11 ................. 21
    Loading and Initializing the PKCS#11 Module ......................... 22
    Login and Session Management ........................................ 23
        Session Open .................................................... 23
        Login ........................................................... 24
    PKCS#11 Operations .................................................. 25
        RSA Public/Private Key Pair Generation .......................... 25
        Diffie-Hellman (DH) Public/Private Key Pair Generation .......... 27
        Diffie-Hellman (DH) Shared Secret Derivation .................... 28
        RSA Signatures .................................................. 29
        RSA Signature Verification ...................................... 30
        RSA Encryption .................................................. 30
        RSA Decryption .................................................. 31
        Creating RSA Private Key Objects ................................ 31
        Creating RSA Public Key Objects ................................. 32
    List of Functions Used .............................................. 33
    List of Mechanisms Used ............................................. 34
        CKM_RSA_PKCS_KEY_PAIR_GEN ....................................... 34
        CKM_RSA_PKCS .................................................... 34
        CKM_RSA_X_509 ................................................... 35
        CKM_DH_PKCS_KEY_PAIR_GEN ........................................ 35
        CKM_DH_PKCS_DERIVE .............................................. 35
    List of Objects Used ................................................ 36
    Profiles ............................................................ 37
    Further Requirements ................................................ 39
    Typical Scenario .................................................... 40

Appendix A  Vendor Implementation
    Automating Registration of PKCS#11 Module on VPN-1 .................. 44
        Installation of the PKCS#11 module .............................. 44
        The ConfigPKCS11onCP script/executable .......................... 45
        The Check Point API for Registration and Unregistration ......... 47
        Unregistering the PKCS#11 Module ................................ 49

Index ................................................................... 57


Preface

In This Chapter

Who Should Use This Guide page 8

Summary of Contents page 9

What the Typographic Variations Mean page 10


Who Should Use This Guide

This document describes the Check Point PKCS#11 Cryptographic Token Integration Guidelines.

This OPSEC specification is written for PKCS #11 cryptographic token vendors who wish to integrate their products into the Check Point VPN-1 token-enabled products.

It assumes you have a basic understanding and a working knowledge of the PKCS#11 (a.k.a. CRYPTOKI) standard.

A working knowledge of Check Point products is recommended, but not required.


Summary of Contents

This guide contains the following chapters:

Chapter                            Description

Chapter 1, “Introduction”          Introduces specifications for PKCS #11 cryptographic hardware token vendors to integrate with Check Point’s token enabled products.

Chapter 2, “PKCS#11 Integration”   Explains PKCS #11 Integration.

Appendices

This guide contains the following appendices:

Appendix                               Description

Appendix A, “Vendor Implementation”    Describes what a Vendor should implement in order to enable automatic registration/unregistration during PKCS#11 module installation/uninstallation.


What the Typographic Variations Mean

The following table describes the typographic variations used in this book.

Table 1 Typographic Conventions

Typeface or Symbol   Meaning                                                                        Example

AaBbCc123            The names of commands, files, and directories; on-screen computer output; code
                         Edit your .login file.
                         Use ls -a to list all files.
                         machine_name% You have mail.
                         session = sam_new_session (client, server);

[x]                  Reference to x.                                                                See [PKI10].

<your text>          Replace the angle brackets and the text they contain with your text.           Edit the file <FWDIR>\lib\yourfile.xx

Chapter 1 Introduction

In This Chapter

Overview page 12

Prerequisites page 13

Platforms and Products Supported page 14

Typical VPN-1 Configuration page 15

Uses of PKCS#11 Cryptographic Tokens page 16

Interaction with Check Point Products page 17

Terminology page 18


Overview

This document provides specifications for PKCS #11 cryptographic hardware token vendors to integrate with Check Point’s token enabled products. These guidelines are the basis for the OPSEC certification program for PKCS #11 hardware token vendors.

PKCS#11 Cryptographic tokens provide acceleration of public key operations and/or secure storage of public/private key pairs.

This document focuses on the minimal requirements for making token products operational in a Check Point environment. It should be viewed as a “baseline” integration specification.

These specifications rely on the dominant standard, PKCS#11 Version 2.01 (a.k.a. Cryptoki).

This document is divided into three chapters:

1. Introduction — An overview of Check Point products and their use of cryptographic tokens.

2. PKCS#11 Integration — Guidelines for integration with Check Point products for vendors who support the PKCS#11 API.

3. Appendix — Describes the requirements for automating registration and unregistration of the PKCS#11 module.


Prerequisites

It is assumed that you have a basic understanding and working knowledge of the PKCS#11 standard.

A working knowledge of Check Point products is recommended, but not required.


Platforms and Products Supported

The following Check Point products support PKCS#11 cryptographic tokens:

• Check Point VPN-1 Version NG

These Check Point products are supported on the platforms listed in Table 1-1.

Additional Check Point products may support cryptographic tokens in the future.

Table 1-1 Platform Summary

Component Platforms

SVN Foundation and SmartCenter Server/VPN/FireWall Module

• Windows NT 4.0 Server (SP6a), Windows 2000 Server (SP1, SP2), Windows 2000 Advanced Server (SP1, SP2)

• Solaris 7 SPARC (32 bit), Solaris 8 SPARC (32-bit and 64-bit)

• RedHat Linux 6.2 (kernels 2.2.14, 2.2.17), RedHat Linux 7.0 (kernels 2.2.16, 2.2.17, 2.2.19)

Note - Visit the Check Point website for up-to-date information about platform compatibility.


Typical VPN-1 Configuration

Check Point VPN-1 integrates and centrally manages all aspects of network security. VPN-1 examines every packet passing through key locations in a network (Internet gateways, servers, workstations, routers or switches) and blocks all unwanted communications attempts.

VPN-1’s optional VPN (Virtual Private Network) module protects communications on the Internet and enables an enterprise to build its own easy-to-maintain Virtual Private Network (VPN) using private and public network segments.

VPN-1 uses IKE (the Internet Key Exchange protocol) and IPSec (IP Security) to establish client-to-site and site-to-site Virtual Private networks.

Figure 1-1 below illustrates a typical VPN-1 deployment.

Figure 1-1 A Typical Deployment

In this configuration, both Fred, working behind the Paris FireWalled gateway, and Alice, working remotely on her laptop, connect to the Application Server protected by the London FireWalled gateway. The connections are encrypted using IKE/IPSEC. Alice’s connection to the Application Server is encrypted between her laptop and the London FireWalled gateway. Fred’s connection is encrypted between the Paris and London FireWalled gateways.

For more information about VPN-1, see VPN-1 Security Administration Guide.

[Figure 1-1: SecuRemote user Alice and the Paris FireWalled gateway (VPN/FireWall module, with Fred behind it) connect over the Internet to the London FireWalled gateway (VPN/FireWall module) protecting the Application Server; the links are labelled IKE/IPSec.]


Uses of PKCS#11 Cryptographic Tokens

VPN-1 uses PKCS#11 cryptographic tokens for the following purposes:

• Secure Key Storage

• Public Key Operation Acceleration

• Random Number Generation

Secure Key Storage

Secure key storage is achieved by generating a private key on the cryptographic token. The private key never leaves the token and all cryptographic operations are performed on the token. This way, the key is better protected than in a software-only implementation.

Key generation on VPN-1

• RSA key pairs are generated on the PKCS#11 module by the VPN-1 application.

Public Key Operation Acceleration

Public key operation acceleration includes both RSA and DH computations. Elliptic curves or DSA may be desired in the future. Note that DH acceleration is especially important in the context of IKE.

Random Number Generation

The PKCS#11 module’s capabilities will be used to seed the Pseudo Random Number Generator.


Interaction with Check Point Products

Figure 1-2 illustrates how VPN-1 can use the PKCS#11 API for secure key storage (SKS), public key operation acceleration (PKOA), and random number generation (RNG).

Figure 1-2 Interaction with PKCS#11 Cryptographic Tokens

[Figure 1-2: the Paris FireWalled gateway runs the VPN/FireWall module next to a PKCS#11 module holding RSA keys and DH keys; the VPN/FireWall module reaches the token through the PKCS#11 API (used for PKOA, SKS and RNG) and speaks IKE/IPSec over the Internet to the SecuRemote user Alice.]


Terminology

This section defines the basic terminology used in this document.

cryptographic token — A physical device used to securely hold cryptographic information or to perform cryptographic operations including acceleration of public key operations and/or secure storage of public/private key pairs for users or servers. Examples of cryptographic token products include Smartcards, PCMCIA tokens, PCI adapters, USB devices, etc.

PKCS#11 standard — Cryptographic Token Interface Standard Version 2.01, RSA Laboratories, December 22, 1997.

PKCS#11 (a.k.a. “CRYPTOKI”) is an industry standard developed by RSA Laboratories. It specifies an API to devices that hold cryptographic information and perform cryptographic functions.

PKCS#11 module — A specific implementation of the PKCS#11 standard, often implemented as a Dynamic Link Library (DLL).

PKCS#11 provider — A vendor implementing a PKCS#11 module.

Chapter 2 PKCS#11 Integration

In This Chapter

OPSEC Categories page 20

Configuring Check Point Applications to Use PKCS#11 page 21

Loading and Initializing the PKCS#11 Module page 22

Login and Session Management page 23

PKCS#11 Operations page 25

List of Functions Used page 33

List of Mechanisms Used page 34

List of Objects Used page 36

Profiles page 37

Further Requirements page 39

Typical Scenario page 40


OPSEC Categories

There are two categories of OPSEC certification for PKCS#11 implementations:

1. Server Secure Tokens — provide Secure Key Storage and Random Number Generation for VPN-1.

2. Server Fast Tokens — provide Public Key Acceleration (DH and RSA) for VPN-1.

For more information, see “Profiles” on page 18 and “Further Requirements” on page 19.


Configuring Check Point Applications to Use PKCS#11

The PKCS#11 module must be registered in VPN-1 before it can be used by a Check Point application.

Registering a PKCS#11 module for use by VPN-1

The registration of the PKCS#11 module on VPN-1 should be part of the PKCS#11 module installation, so that VPN-1 recognizes the PKCS#11 module immediately after its installation. This eliminates the need for individual registration. This is accomplished by the vendor writing an executable/script called ConfigPKCS11onCP and using it in the installation of the PKCS#11 module. If users install VPN-1 after installing the PKCS#11 module, they must execute this script/executable manually.

Details for writing and using the ConfigPKCS11onCP executable/script in the installation are located in the “Appendix” Chapter.

Changing the configuration of the PKCS#11 module in VPN-1 can be done after registration by using the VPN-1 Configuration application (see “cpconfig” on page 4 of the Check Point Reference Guide).

Unregistering a PKCS#11 module for use by VPN-1

Usually, unregistering the PKCS#11 module is done via the VPN-1 Configuration application (see “cpconfig” on page 4 of the Check Point Reference Guide).

In case an uninstall of the PKCS#11 module is desired, the uninstall process should unregister the PKCS#11 module from VPN-1.

Details for unregistering the PKCS#11 module during the uninstall process are located in the “Vendor Implementation” Chapter.


Loading and Initializing the PKCS#11 Module

The Check Point application loads the registered PKCS#11 modules using Run-Time Dynamic Linking.

The library is initialized through a call to C_Initialize.

• In VPN-1, C_Initialize can be called with or without support for multi-threaded access. Without multi-threaded access, NULL_PTR is passed as the argument; with multi-threaded access, an initialization argument structure is passed whose flags field is set to CKF_OS_LOCKING_OK and whose other fields are NULL_PTR.

Note that while one session can be used by more than one thread, it is guaranteed that compound operations (e.g. C_FindObjectsInit followed by C_FindObjects and C_FindObjectsFinal) on a single session will be performed from the same thread.


Login and Session Management

VPN-1 spawns several processes. Each process opens several user sessions with each token. Only one of these sessions is a Read/Write session.

Session Open

The sessions are opened using C_OpenSession.

Read/Write sessions are opened with the following call to C_OpenSession:

    C_OpenSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &sess);

Read-only sessions are opened with the following call to C_OpenSession:

    C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, &sess);

Parameters

Table 2-1 C_OpenSession parameters

parameter   value

slot        The slot number.

sess        A CK_SESSION_HANDLE.

Note - Because notification callbacks are not currently used, the third and fourth arguments to C_OpenSession are NULL.


Login

Login is performed using C_Login.

C_Login is called as follows:

    C_Login(sess, CKU_USER, pPin, len)

Parameters

Table 2-2 C_Login parameters

parameter   value

sess        A CK_SESSION_HANDLE obtained through a previous call to C_OpenSession.

pPin        CK_CHAR_PTR — points to the buffer containing the access PIN.

Note that if the CKF_PROTECTED_AUTHENTICATION_PATH bit in the token information flags is set, then pPin will be NULL.


PKCS#11 Operations

This section describes the different PKCS#11 operations performed by Check Point products. Note that not all operations need to be supported in each OPSEC category. The profiles of the OPSEC categories are defined in “Profiles” on page 18.

PKCS#11 operation                                         See...

RSA Public/Private Key Pair Generation                    page 25

Diffie-Hellman (DH) Public/Private Key Pair Generation    page 27

Diffie-Hellman (DH) Shared Secret Derivation              page 28

RSA Signatures                                            page 29

RSA Signature Verification                                page 30

Creating RSA Private Key Objects                          page 31

Creating RSA Public Key Objects                           page 32

RSA Public/Private Key Pair Generation

RSA Public/Private key pairs are created through a call to C_GenerateKeyPair with the CKM_RSA_PKCS_KEY_PAIR_GEN mechanism.

This mechanism is used with the following parameters:

    CK_MECHANISM mech;
    mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
    mech.pParameter = NULL;
    mech.ulParameterLen = 0;

The private/public key objects should be of type CKK_RSA (under the attribute CKA_KEY_TYPE).

Public Key Template

The public key template is given in Table 2-3. Attributes not specified are not included in the template supplied to C_GenerateKeyPair.

Table 2-3 C_GenerateKeyPair Public Key Template

attribute              value

CKA_LABEL              optional

CKA_ID                 a byte array of length 20 (always present)

CKA_TOKEN              TRUE/FALSE (always present)

CKA_PRIVATE            FALSE (always present)

CKA_MODULUS_BITS       1024 MUST be supported. 2048 SHOULD be supported as well

CKA_ENCRYPT            TRUE/FALSE (always present)

CKA_WRAP               FALSE (always present)

CKA_VERIFY             TRUE/FALSE (always present)

CKA_VERIFY_RECOVER     TRUE/FALSE (always present)

CKA_PUBLIC_EXPONENT    3 or 65537 (always present) [1]

[1] The PKCS#11 implementation is allowed to use a public exponent different from the one supplied in the template.

Private Key Template

The private key template is given in Table 2-4. Attributes not specified are not included in the template supplied to C_GenerateKeyPair.

Table 2-4 C_GenerateKeyPair Private Key Template

attribute          value

CKA_LABEL          optional (same as in the public template)

CKA_ID             a byte array of length 20 (same as in the public template)

CKA_TOKEN          TRUE/FALSE (always present; same as in the public template)

CKA_PRIVATE        TRUE (always present)

CKA_SENSITIVE      TRUE/FALSE (always present)

CKA_DECRYPT        TRUE/FALSE (always present)

CKA_SIGN           TRUE/FALSE (always present)

CKA_UNWRAP         FALSE (always present)

CKA_EXTRACTABLE    TRUE/FALSE (always present)

Diffie-Hellman (DH) Public/Private Key Pair Generation

Diffie-Hellman (DH) Public/Private key pairs are created through a call to C_GenerateKeyPair with the CKM_DH_PKCS_KEY_PAIR_GEN mechanism.

This mechanism is used with the following parameters:

    CK_MECHANISM mech;
    mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
    mech.pParameter = NULL;
    mech.ulParameterLen = 0;

The private/public key objects should be of type CKK_DH (under the attribute CKA_KEY_TYPE).

The public key should have the attribute CKA_CLASS set to CKO_PUBLIC_KEY.

The private key should have the attribute CKA_CLASS set to CKO_PRIVATE_KEY.

Public Key Template

The public key template is given in Table 2-5. Attributes not specified are not included in the template supplied to C_GenerateKeyPair.

Table 2-5 C_GenerateKeyPair Public Key Template

attribute    value

CKA_TOKEN    FALSE (always present)

CKA_PRIME    A byte array [1]

CKA_BASE     A byte array [2]

[1] The PKCS#11 implementation MUST support DH primes corresponding to 512, 1024 and 1536 bits. The PKCS#11 implementation should also support 2048-bit primes.

Private Key Template

The private key template is given in Table 2-6. Attributes not specified are not included in the template supplied to C_GenerateKeyPair.

Table 2-6 C_GenerateKeyPair Private Key Template

attribute          value

CKA_TOKEN          FALSE (always present)

CKA_SENSITIVE      FALSE (always present)

CKA_EXTRACTABLE    TRUE (always present)

CKA_DERIVE         TRUE (always present)

CKA_VALUE_BITS     This can be any value between 128 and the size in bits of the CKA_PRIME. The PKCS#11 implementation can choose to use a larger than specified value for CKA_VALUE_BITS (always present).

[2] The CKA_BASE attribute WILL NOT be padded with zeros.

Diffie-Hellman (DH) Shared Secret Derivation

Diffie-Hellman (DH) shared secrets are derived using C_DeriveKey with the CKM_DH_PKCS_DERIVE mechanism.

This mechanism is used with the following parameters:

    CK_MECHANISM mech;
    mech.mechanism = CKM_DH_PKCS_DERIVE;
    mech.pParameter = pub;
    mech.ulParameterLen = publen;

• publen specifies the number of bytes in pub.

• pub is an array of size publen containing a public DH key, padded with leading zeros up to the length of the prime.

The secret key object created should have the attributes defined in the template. It should also have the attribute CKA_VALUE. This attribute can be extracted from the object.

Note that the value under the CKA_VALUE attribute should be padded with leading zeros up to the length of the prime.
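Added example (not from the guide or any Check Point code): a pure-Python model of the byte-length rules the DH key pair generation and shared secret derivation sections impose on the module, with no Cryptoki calls. The group parameters are constructed for demonstration only (a Mersenne prime so that CKA_PRIME is certainly prime; the base is not vetted), and the guide does not specify them.

```python
"""Model of the byte-length conventions the guide places on CKM_DH_PKCS_KEY_PAIR_GEN and
CKM_DH_PKCS_DERIVE: the public value and the derived CKA_VALUE are padded with leading
zeros to the length of the prime, CKA_BASE is not padded, and CKA_VALUE_BITS lies
between 128 and the bit size of CKA_PRIME."""
import secrets
from typing import Tuple

# Constructed, demonstration-only group: a Mersenne prime, so P is certainly prime
# without running prime generation; G is not vetted as a generator. Real deployments
# use the 512/1024/1536/2048-bit groups the guide names.
P = 2**521 - 1
G = 3
PRIME_LEN = (P.bit_length() + 7) // 8        # 66 bytes: the padding target


def encode_prime(p: int = P) -> bytes:
    """CKA_PRIME: big-endian encoding of the prime; its length defines PRIME_LEN."""
    return p.to_bytes(PRIME_LEN, "big")


def encode_base(g: int = G) -> bytes:
    """CKA_BASE: minimal big-endian encoding, NOT padded to the prime length."""
    return g.to_bytes((g.bit_length() + 7) // 8, "big")


def generate_key_pair(value_bits: int) -> Tuple[int, bytes]:
    """Models C_GenerateKeyPair with CKM_DH_PKCS_KEY_PAIR_GEN.
    Returns (private value x of exactly value_bits bits, public CKA_VALUE padded with
    leading zeros to the prime length)."""
    if not 128 <= value_bits <= P.bit_length():
        raise ValueError("CKA_VALUE_BITS must be between 128 and the bit size of CKA_PRIME")
    x = secrets.randbits(value_bits) | (1 << (value_bits - 1))   # top bit set
    y = pow(G, x, P)
    return x, y.to_bytes(PRIME_LEN, "big")


def derive_shared_secret(x: int, pub: bytes) -> bytes:
    """Models C_DeriveKey with CKM_DH_PKCS_DERIVE (pParameter = pub,
    ulParameterLen = publen). A peer value that is not padded to the prime length is
    rejected; the returned CKA_VALUE has CKA_VALUE_LEN == publen."""
    publen = len(pub)
    if publen != PRIME_LEN:
        raise ValueError("pub must be padded with leading zeros to the length of the prime")
    y = int.from_bytes(pub, "big")
    if not 2 <= y <= P - 2:
        raise ValueError("peer public value out of range")
    return pow(y, x, P).to_bytes(publen, "big")
```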

Public Key Template

The public key template is given in Table 2-7. Attributes not specified are not included in the template supplied to C_DeriveKey.

Table 2-7 C_DeriveKey Public Key Template

attribute          value

CKA_CLASS          CKO_SECRET_KEY (always present)

CKA_KEY_TYPE       CKK_GENERIC_SECRET (always present)

CKA_TOKEN          FALSE (always present)

CKA_EXTRACTABLE    TRUE (always present)

CKA_SENSITIVE      FALSE (always present)

CKA_VALUE_LEN      publen as defined above (always present)

RSA Signatures

RSA signatures are generated using C_SignInit followed immediately by C_Sign.

The preferred mechanism is CKM_RSA_X_509.

If the token does not support C_Sign with the CKM_RSA_X_509 mechanism, then CKM_RSA_PKCS is used.

These mechanisms are used with the following parameters:

    CK_MECHANISM mech;
    mech.pParameter = NULL;
    mech.ulParameterLen = 0;

Note that the PKCS#11 implementation MUST NOT perform any message digest encoding. Specifically, the PKCS#11 implementation MUST NOT add an OID.

Note also that if CKM_RSA_X_509 is used, the PKCS#11 module MUST NOT perform any padding.

RSA Signature Verification

RSA signature verification is performed in the following descending order of preference:

1. CKM_RSA_X_509 with C_VerifyRecoverInit followed by C_VerifyRecover.

2. CKM_RSA_PKCS with C_VerifyRecoverInit followed by C_VerifyRecover.

3. CKM_RSA_X_509 with C_EncryptInit followed by C_Encrypt (assuming the public key object has CKA_ENCRYPT set to TRUE).

The output of C_Encrypt MUST be padded with leading zeroes up to the length (in bytes) of the RSA modulus.

4. CKM_RSA_X_509 with C_VerifyInit followed by C_Verify.

5. CKM_RSA_PKCS with C_VerifyInit followed by C_Verify.

These mechanisms are used with the following parameters:

  CK_MECHANISM mech;
  mech.mechanism = CKM_RSA_X_509;   /* or CKM_RSA_PKCS, as selected above */
  mech.pParameter = NULL;
  mech.ulParameterLen = 0;

Note - Vendors are strongly urged to support C_VerifyRecover.

RSA Encryption

RSA encryption is performed in the following descending order of preference:

1. CKM_RSA_X_509 with C_EncryptInit followed by C_Encrypt.

The length of the input to C_Encrypt is guaranteed to be the size (in bytes) of the RSA modulus. This implies that the PKCS#11 module MUST NOT perform any padding.

2. CKM_RSA_PKCS with C_EncryptInit followed by C_Encrypt.

The output of C_Encrypt MUST be padded with leading zeroes up to the length (in bytes) of the RSA modulus.

These mechanisms are used with the following parameters:

  CK_MECHANISM mech;
  mech.mechanism = CKM_RSA_X_509;   /* or CKM_RSA_PKCS, as selected above */
  mech.pParameter = NULL;
  mech.ulParameterLen = 0;

RSA Decryption

RSA decryption is performed in the following descending order of preference:

1. CKM_RSA_X_509 with C_DecryptInit followed by C_Decrypt.

The output length of C_Decrypt must be the length (in bytes) of the RSA modulus. This means that the PKCS#11 module MUST NOT perform any unpadding.

2. CKM_RSA_PKCS with C_DecryptInit followed by C_Decrypt.

These mechanisms are used with the following parameters:

  CK_MECHANISM mech;
  mech.mechanism = CKM_RSA_X_509;   /* or CKM_RSA_PKCS, as selected above */
  mech.pParameter = NULL;
  mech.ulParameterLen = 0;

Creating RSA Private Key Objects

It should be possible to create RSA private key objects using C_CreateObject.

The template passed to C_CreateObject is given in Table 2-8. Attributes not specified are not included in the template.

Table 2-8 C_CreateObject Template — Private Key Objects

  attribute            value
  CKA_CLASS            CKO_PRIVATE_KEY (always present)
  CKA_TOKEN            FALSE (always present)
  CKA_PRIVATE          TRUE (always present)
  CKA_KEY_TYPE         CKK_RSA (always present)
  CKA_DECRYPT          TRUE/FALSE (always present)
  CKA_SIGN             TRUE/FALSE (always present)
  CKA_MODULUS          Big Integer (always present)
  CKA_PUBLIC_EXPONENT  Big Integer (always present)
  CKA_PRIME_1          Big Integer (always present)
  CKA_PRIME_2          Big Integer (always present)
  CKA_EXPONENT_1       Big Integer (always present)
  CKA_EXPONENT_2       Big Integer (always present)
  CKA_COEFFICIENT      Big Integer (always present)
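The division of labour the RSA sections above specify (raw exponentiation under CKM_RSA_X_509, type-1 block but no DigestInfo under CKM_RSA_PKCS, every output padded to the modulus length) modelled in pure Python, with the private operation driven only by the Table 2-8 attributes. This is an added example, not Check Point's code and not a PKCS#11 call; the key is a constructed toy built from two Mersenne primes.

```python
"""Added example (not Check Point's code, and not a PKCS#11 call): a pure-Python
model of what the token does under CKM_RSA_X_509 versus CKM_RSA_PKCS for the
sign, verify-recover, encrypt and decrypt paths. The key is a constructed toy
built from two Mersenne primes, and the private operation uses only the CRT
attributes of Table 2-8 (the template carries no CKA_PRIVATE_EXPONENT)."""
import hashlib
import hmac

# Constructed toy key (never reuse): p = 2^521-1 and q = 2^127-1 are prime, and
# gcd(65537, (p-1)(q-1)) = 1 because 32 divides neither 520 nor 126.
P, Q, E = (1 << 521) - 1, (1 << 127) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # kept only to cross-check the CRT path
K = (N.bit_length() + 7) // 8              # modulus length in bytes (81)

# The CKO_PRIVATE_KEY template of Table 2-8 (big integers shown as Python ints).
PRIVATE_KEY = {
    "CKA_MODULUS": N, "CKA_PUBLIC_EXPONENT": E,
    "CKA_PRIME_1": P, "CKA_PRIME_2": Q,
    "CKA_EXPONENT_1": D % (P - 1), "CKA_EXPONENT_2": D % (Q - 1),
    "CKA_COEFFICIENT": pow(Q, -1, P),      # q^-1 mod p, as in PKCS#1
}
PUBLIC_KEY = {"CKA_MODULUS": N, "CKA_PUBLIC_EXPONENT": E}

# DigestInfo prefix for SHA-256: the caller, never the token, prepends this OID.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def i2osp(x, length):
    """Fixed-length big-endian encoding: the leading-zero padding the guide demands
    on every modulus-length output (a minimal encoding would drop those zeros)."""
    return x.to_bytes(length, "big")


def private_op_crt(m, key):
    """Raw RSA private operation from the Table 2-8 attributes alone (Garner's CRT)."""
    p, q = key["CKA_PRIME_1"], key["CKA_PRIME_2"]
    m1 = pow(m, key["CKA_EXPONENT_1"], p)
    m2 = pow(m, key["CKA_EXPONENT_2"], q)
    h = (key["CKA_COEFFICIENT"] * (m1 - m2)) % p
    return m2 + q * h


def x509_private(data, key):
    """CKM_RSA_X_509 C_Sign / C_Decrypt: input is exactly K bytes, no (un)padding."""
    if len(data) != K:
        raise ValueError("CKM_RSA_X_509 input must be modulus-length")
    return i2osp(private_op_crt(int.from_bytes(data, "big"), key), K)


def x509_public(data, key):
    """CKM_RSA_X_509 C_VerifyRecover / C_Encrypt: raw public op, output padded to K."""
    m = int.from_bytes(data, "big")
    return i2osp(pow(m, key["CKA_PUBLIC_EXPONENT"], key["CKA_MODULUS"]), K)


def emsa_pkcs1_v15(digest_info):
    """EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 || T: built by the caller for
    CKM_RSA_X_509 and by the token for CKM_RSA_PKCS."""
    if len(digest_info) > K - 11:
        raise ValueError("message too long for the modulus")
    return b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info


def pkcs_sign(digest_info, key):
    """CKM_RSA_PKCS C_Sign: the token adds the type-1 block but still no OID."""
    return x509_private(emsa_pkcs1_v15(digest_info), key)


def pkcs_verify_recover(sig, key):
    """CKM_RSA_PKCS C_VerifyRecover: strip the type-1 block, hand back DigestInfo."""
    em = x509_public(sig, key)
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.index(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):   # PS is at least 8 bytes of FF
        raise ValueError("bad padding")
    return em[sep + 1:]


def digest_info(message):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def caller_sign(message, key, mechanism):
    """Caller side of C_SignInit/C_Sign: with CKM_RSA_X_509 the caller encodes the
    whole block itself; with CKM_RSA_PKCS it passes only the DigestInfo."""
    t = digest_info(message)
    if mechanism == "CKM_RSA_X_509":
        return x509_private(emsa_pkcs1_v15(t), key)
    return pkcs_sign(t, key)


def caller_verify(message, sig, key, mechanism):
    """Preferred verification path (C_VerifyRecover): recover, then compare in
    constant time against the caller's own expected encoding."""
    t = digest_info(message)
    if mechanism == "CKM_RSA_X_509":
        return hmac.compare_digest(x509_public(sig, key), emsa_pkcs1_v15(t))
    try:
        return hmac.compare_digest(pkcs_verify_recover(sig, key), t)
    except ValueError:
        return False
```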

Creating RSA Public Key Objects

It should be possible to create RSA public key objects using C_CreateObject.

The template passed to C_CreateObject is given in Table 2-9. Attributes not specified are not included in the template.

Table 2-9 C_CreateObject Template — Public Key Objects

  attribute            value
  CKA_CLASS            CKO_PUBLIC_KEY (always present)
  CKA_TOKEN            FALSE (always present)
  CKA_PRIVATE          FALSE (always present)
  CKA_KEY_TYPE         CKK_RSA (always present)
  CKA_ENCRYPT          TRUE/FALSE (always present)
  CKA_VERIFY           TRUE/FALSE (always present)
  CKA_VERIFY_RECOVER   TRUE/FALSE (always present)
  CKA_MODULUS          Big Integer (always present)
  CKA_PUBLIC_EXPONENT  Big Integer (always present)

List of Functions Used

• C_CloseSession
• C_CreateObject
• C_Decrypt
• C_DecryptInit
• C_DeriveKey
• C_DestroyObject
• C_Encrypt
• C_EncryptInit
• C_Finalize
• C_FindObjects
• C_FindObjectsFinal
• C_FindObjectsInit
• C_GenerateKeyPair
• C_GenerateRandom
• C_GetAttributeValue
• C_GetFunctionList
• C_GetInfo
• C_GetSessionInfo
• C_Initialize
• C_Login
• C_Logout
• C_OpenSession
• C_SeedRandom
• C_Sign
• C_SignInit
• C_Verify
• C_VerifyInit
• C_VerifyRecover
• C_VerifyRecoverInit
• C_GetSlotList
• C_GetSlotInfo
• C_GetMechanismInfo
• C_GetTokenInfo

List of Mechanisms Used

This section describes the requirements for the mechanisms used for PKCS#11 implementation.

  Mechanism                  See...
  CKM_RSA_PKCS_KEY_PAIR_GEN  page 34
  CKM_RSA_PKCS               page 34
  CKM_RSA_X_509              page 35
  CKM_DH_PKCS_KEY_PAIR_GEN   page 35
  CKM_DH_PKCS_DERIVE         page 35

CKM_RSA_PKCS_KEY_PAIR_GEN

The CK_MECHANISM_INFO of the CKM_RSA_PKCS_KEY_PAIR_GEN mechanism should have the following properties:

• ulMaxKeySize >= 1024 (2048 recommended)

• ulMinKeySize <= 1024

• flags include CKF_GENERATE_KEY_PAIR

CKM_RSA_PKCS

The CK_MECHANISM_INFO of the CKM_RSA_PKCS mechanism should have the following properties:

• ulMaxKeySize >= 1024 (2048 recommended)

• ulMinKeySize <= 1024

• flags include CKF_SIGN, CKF_VERIFY or CKF_VERIFY_RECOVER, CKF_ENCRYPT, CKF_DECRYPT

CKM_RSA_X_509

The CK_MECHANISM_INFO of the CKM_RSA_X_509 mechanism should have the following properties:

• ulMaxKeySize >= 1024 (2048 recommended)

• ulMinKeySize <= 1024

• flags include CKF_SIGN, CKF_VERIFY or CKF_VERIFY_RECOVER, CKF_ENCRYPT, CKF_DECRYPT

CKM_DH_PKCS_KEY_PAIR_GEN

The CK_MECHANISM_INFO of the CKM_DH_PKCS_KEY_PAIR_GEN mechanism should have the following properties:

• ulMaxKeySize >= 1536 (2048 recommended)

• ulMinKeySize <= 512

CKM_DH_PKCS_DERIVE

The CK_MECHANISM_INFO of the CKM_DH_PKCS_DERIVE mechanism should have the following properties:

• ulMaxKeySize >= 1536 (2048 recommended)

• ulMinKeySize <= 512

• flags include CKF_DERIVE

List of Objects Used

• CKO_PRIVATE_KEY (CKK_RSA, CKK_DH)

• CKO_PUBLIC_KEY (CKK_RSA)

• CKO_CERTIFICATE (CKC_X_509)

• CKO_SECRET_KEY (CKK_GENERIC_SECRET)

Profiles

Table 2-10 specifies the profile for each OPSEC category.

Table 2-10 OPSEC category profiles

Columns: PKCS#11 Server Secure Tokens | Server Fast Tokens. A ✓ marks an item the profile requires: two marks mean both profiles require it, a single mark means only one of the two profiles does.

Operations
  Creating RSA private key objects        ✓
  Creating RSA public key objects         ✓
  DH Public/Private key pair generation   ✓
  DH shared secret derivation             ✓
  RSA Public/Private key pair generation  ✓
  RSA decryption                          ✓ ✓
  RSA encryption                          ✓
  RSA signature verification              ✓
  RSA signatures                          ✓ ✓

Functions
  C_CloseSession        ✓ ✓
  C_CreateObject        ✓ ✓
  C_Decrypt             ✓ ✓
  C_DecryptInit         ✓ ✓
  C_DeriveKey           ✓
  C_DestroyObject       ✓ ✓
  C_Encrypt             ✓
  C_EncryptInit         ✓
  C_Finalize            ✓ ✓
  C_FindObjects         ✓ ✓
  C_FindObjectsFinal    ✓ ✓
  C_FindObjectsInit     ✓ ✓
  C_GenerateKeyPair     ✓ ✓
  C_GenerateRandom      ✓
  C_GetAttributeValue   ✓ ✓
  C_GetFunctionList     ✓ ✓
  C_GetInfo             ✓ ✓
  C_GetSessionInfo      ✓ ✓
  C_Initialize          ✓ ✓
  C_Login               ✓ ✓
  C_Logout              ✓ ✓
  C_OpenSession         ✓ ✓
  C_SeedRandom          ✓
  C_Sign                ✓ ✓
  C_SignInit            ✓ ✓
  C_Verify              ✓
  C_VerifyInit          ✓
  C_VerifyRecover       ✓
  C_VerifyRecoverInit   ✓

Mechanisms
  CKM_RSA_PKCS_KEY_PAIR_GEN  ✓
  CKM_RSA_PKCS               ✓ ✓
  CKM_RSA_X_509              ✓ ✓
  CKM_DH_PKCS_KEY_PAIR_GEN   ✓
  CKM_DH_PKCS_DERIVE         ✓

Further Requirements

This section describes further requirements for OPSEC categories.

Server Secure Tokens

The token SHOULD be able to store at least 5 private RSA keys (CKO_PRIVATE_KEY) and 5 public RSA keys (CKO_PUBLIC_KEY). These objects should be stored as token objects (that is, with the CKA_TOKEN attribute set to TRUE).

Server Fast Tokens

The token SHOULD be able to store a total of at least 512 RSA and DH objects (private or public). These objects will be stored as session objects (that is, with the CKA_TOKEN attribute set to FALSE). Note that this means that such objects MUST be securely deleted from the token whenever the session used to create them is closed.

Typical Scenario

This section describes a typical sequence of function calls. These functions are used to create a DH key, generate a DH shared secret, import an RSA public key and use it to verify a signature.

1. C_Initialize initializes the PKCS#11 module.

2. C_GetFunctionList gets the list of functions supported by the PKCS#11 module and the Cryptoki version.

3. C_GetInfo gets information on the PKCS#11 module.

4. C_GetSlotList retrieves the list of slots.

5. C_GetSlotInfo gets information on the slot being used.

6. C_GetTokenInfo gets information on the token in the slot being used.

7. C_GetMechanismInfo is called several times to retrieve information on the following mechanisms:

• CKM_RSA_PKCS

• CKM_RSA_PKCS_KEY_PAIR_GEN

• CKM_DH_PKCS_DERIVE

• CKM_DH_PKCS_KEY_PAIR_GEN

8. C_OpenSession opens a new Read-Only session.

9. C_GetSessionInfo gets information on the newly opened session.

10. C_Login logs in to the token as a user (CKU_USER).

11. C_GenerateKeyPair generates a DH key pair (as a session object).

12. C_GetAttributeValue retrieves the attributes of the newly generated DH key.

13. C_DeriveKey derives a DH shared secret, creating a CKK_GENERIC_SECRET key.

14. C_GetAttributeValue retrieves the shared secret from the CKK_GENERIC_SECRET key.

15. C_DestroyObject destroys the CKK_GENERIC_SECRET key.

16. C_DestroyObject destroys the DH private and public key objects.

17. C_CreateObject creates a new public RSA object (as a session object).

18. C_GetAttributeValue retrieves the attributes of the RSA object.

19. C_VerifyRecoverInit followed by C_VerifyRecover verifies an RSA signature.

20. C_CloseSession closes the session.

21. C_Finalize unloads the PKCS#11 module.


Appendix A Vendor Implementation

In This Appendix

Automating Registration of PKCS#11 Module on VPN-1 page 44

Installation of the PKCS#11 module page 44

The ConfigPKCS11onCP script/executable page 45

The Check Point API for Registration and Unregistration page 47

Unregistering the PKCS#11 Module page 49

Automating Registration of PKCS#11 Module on VPN-1

This chapter describes what a vendor should implement in order to enable automatic registration/unregistration during PKCS#11 module installation/uninstallation.

The appendix is broken down into four sections:

Installation of the PKCS#11 module page 44

The ConfigPKCS11onCP script/executable page 45

The Check Point API for registration and unregistration page 47

Unregistering the PKCS#11 Module page 49

Installation of the PKCS#11 module

The PKCS#11 module documentation should include:

• a recommendation to install the PKCS#11 module only after VPN-1 is installed

• an explanation of how to run the ConfigPKCS11onCP script/executable if the installation order is reversed (meaning that VPN-1 was installed after the PKCS#11 module)

• In the installation process of the PKCS#11 module (the last phase of the installation), the vendor should call the ConfigPKCS11onCP script/executable with the config command; see the “The ConfigPKCS11onCP script/executable” section.

Note - On non-NT platforms (because of the problem of interacting with the user in the script during the installation process) the installation should only print the following message:

run <enter the path to the configPKCS11onCP> in order to register the PKCS#11 module in the VPN-1

The ConfigPKCS11onCP script/executable

Vendors should supply the user with this script/executable and should reference it in the user documentation. This script/executable can be run by the user either during installation or manually.

Optional Parameter [-d]

The script/executable can accept one optional parameter, [-d], which causes the executable to print debug information by calling cpPKCS11Config with the [-d] parameter.

Script/executable Algorithm

The following steps should be included in the script/executable algorithm.

1. Check whether the environment variable CPDIR can be found. If CPDIR cannot be found, pop up the following message and exit:

"VPN-1 is not installed. Please, run <enter the path to ConfigPKCS11onCP> after installing VPN-1."

2. Check the CPDIR/bin directory for the executable cpPKCS11Config. If the executable cannot be found, pop up the following message and exit:

Cannot find the executable cpPKCS11Config in the CPDIR/bin. There is a problem with your VPN-1 installation. Please contact support.

3. Initialize the token (if necessary) and reset the token password.

4. Run the cpPKCS11Config executable with the config command, without the -force flag. For more information on the cpPKCS11Config executable see “The Check Point API for Registration and Unregistration”. Then handle the return code as follows:

1. If the return code is 0, pop up the following message and exit:

The PKCS#11 token was successfully configured on your VPN-1. Install the policy on VPN-1 for the PKCS#11 token configuration to take effect.

2. If the return code is -20, pop up the following message:

A PKCS#11 token is already configured on your VPN-1. Would you like to replace the current PKCS#11 token with <enter the name of the vendor module> token?

If the administrator chooses not to replace the current PKCS#11 token, the program should pop up the following message and exit:

The configuration of your PKCS#11 on your VPN-1 did not change.

If the administrator chooses to replace the current PKCS#11 token, the program will run the cpPKCS11Config executable with the config command and the -force flag and continue from step 1 of this return-code handling. For more information on the cpPKCS11Config executable see “The Check Point API for Registration and Unregistration”.

3. If the return code is -19, pop up the following message and exit:

The accelerator card is not available. Please, connect the accelerator card in your machine and then run <enter the path to ConfigPKCS11onCP>.

4. Any other return code (not 0, -19 or -20) pops up the following message and exits:

General error while trying to configure the PKCS#11 module on VPN-1.
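The algorithm above as an added example implementation in Python (this is not Check Point's or any vendor's script): it performs the CPDIR and cpPKCS11Config checks, runs the config command, and maps the documented return codes 0, -20 and -19 to the documented messages. TOKEN_NAME, DLL_PATH, PASSWORD and THREADS are placeholders; the token initialisation of step 3 is vendor-specific and is only a hook here.

```python
"""Added example of the ConfigPKCS11onCP algorithm, written in Python (not Check
Point's or any vendor's script): find cpPKCS11Config under CPDIR/bin, run it with
the config command, and map the documented return codes 0, -20 and -19 to the
documented messages. Token initialisation (step 3) is vendor-specific and only a
hook here; TOKEN_NAME, DLL_PATH, PASSWORD and THREADS are placeholders."""
import os
import subprocess
import sys

TOKEN_NAME = "<enter the name of the vendor module>"   # placeholder for -t
DLL_PATH = "<enter the path to the cryptoki DLL>"      # placeholder for -l
PASSWORD = "a"                                         # placeholder for -p ("a" if no login password)
THREADS = 3                                            # placeholder for -tr

MSG_NO_VPN1 = ("VPN-1 is not installed. Please, run <enter the path to "
               "ConfigPKCS11onCP> after installing VPN-1.")
MSG_NO_EXE = ("Cannot find the executable cpPKCS11Config in the CPDIR/bin. There is "
              "a problem with your VPN-1 installation. Please contact support.")
MSG_OK = ("The PKCS#11 token was successfully configured on your VPN-1. Install the "
          "policy on VPN-1 for the PKCS#11 token configuration to take effect.")
MSG_ALREADY = ("A PKCS#11 token is already configured on your VPN-1. Would you like "
               "to replace the current PKCS#11 token with " + TOKEN_NAME + " token?")
MSG_UNCHANGED = "The configuration of your PKCS#11 on your VPN-1 did not change."
MSG_NO_CARD = ("The accelerator card is not available. Please, connect the accelerator "
               "card in your machine and then run <enter the path to ConfigPKCS11onCP>.")
MSG_GENERAL = "General error while trying to configure the PKCS#11 module on VPN-1."


def locate(env):
    """Steps 1 and 2. Returns ("ok", path), ("no_cpdir", "") or ("no_exe", "")."""
    cpdir = env.get("CPDIR")
    if not cpdir:
        return ("no_cpdir", "")
    for name in ("cpPKCS11Config", "cpPKCS11Config.exe"):
        path = os.path.join(cpdir, "bin", name)
        if os.path.isfile(path):
            return ("ok", path)
    return ("no_exe", "")


def normalize_rc(rc):
    """cpPKCS11Config reports -19 and -20. Windows passes the signed value through,
    but a POSIX exit status is 8 bits wide, so a parent on Solaris or Linux sees
    237 and 236 instead; fold those back into the documented negative codes."""
    return rc - 256 if rc > 127 else rc


def message_for_rc(rc):
    """Return-code handling of step 4 (after the -20 prompt has been dealt with)."""
    rc = normalize_rc(rc)
    if rc == 0:
        return MSG_OK
    if rc == -20:
        return MSG_ALREADY
    if rc == -19:
        return MSG_NO_CARD
    return MSG_GENERAL


def run_config(exe, force=False, debug=False):
    """Step 4: cpPKCS11Config config -t ... -l ... -p ... -tr ... [-force] [-d]."""
    argv = [exe, "config", "-t", TOKEN_NAME, "-l", DLL_PATH,
            "-p", PASSWORD, "-tr", str(THREADS)]
    if force:
        argv.append("-force")
    if debug:
        argv.append("-d")
    return normalize_rc(subprocess.run(argv).returncode)


def vendor_initialize_token():
    """Step 3 hook: initialise the token if necessary and reset its password
    (vendor-specific; nothing to do in this example)."""
    return None


def main(argv=None, env=None, ask=input):
    argv = sys.argv[1:] if argv is None else argv
    env = os.environ if env is None else env
    debug = "-d" in argv                       # optional [-d], passed on to cpPKCS11Config
    status, exe = locate(env)
    if status == "no_cpdir":
        print(MSG_NO_VPN1)
        return 1
    if status == "no_exe":
        print(MSG_NO_EXE)
        return 1
    vendor_initialize_token()
    rc = run_config(exe, debug=debug)
    if rc == -20:                              # a token is already configured: ask first
        if ask(MSG_ALREADY + " [y/N] ").strip().lower() != "y":
            print(MSG_UNCHANGED)
            return 1
        rc = run_config(exe, force=True, debug=debug)
    print(message_for_rc(rc))
    return 0 if rc == 0 else 1


if __name__ == "__main__":
    sys.exit(main())
```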

The Check Point API for Registration and Unregistration

This section describes in detail the Check Point API for registration of a PKCS#11 module, including the parameters it needs.

For usage parameters execute cpPKCS11Config with no parameters.

cpPKCS11Config

cpPKCS11Config configures the PKCS#11 module on the VPN-1.

Prototype for config

cpPKCS11Config config -t <Token name> -l <DLL path> -p <password> -tr <number of threads> [-s <slot number>] [-force] [-d]

Prototype for remove

cpPKCS11Config remove -t <Token name> [-d]

TABLE 0-1 arguments for cpPKCS11Config

  parameter                definition
  -t <Token name>          The name of the token can be any string. The data on the token is stored in the registry under the name you choose.
  -l <DLL path>            The path to the cryptoki DLL.
  -p <password>            The user password for the PKCS#11 token. If the token does not need a password for login, put the string "a".
  -tr <number of threads>  The number of threads to be used when working with the PKCS#11 module, in order to use it in the most effective way.
  [-s <slot number>]       Optional. The slot number to use when opening a session with the PKCS#11 module. Default is 0.
  [-force]                 Optional. Forces the config operation in the following manner:
                           • Without this flag, if there is a PKCS#11 module which is already configured, the operation will not succeed and the executable will exit with the value -20.
                           • With this flag, even if there is a PKCS#11 module which is already configured, the executable will unregister the current PKCS#11 module and register the new PKCS#11 module.
  [-d]                     Optional. Provides debug information.

Return Values for config

0 if success, otherwise specific negative integers such as -20 when a PKCS#11 module is already configured and the -force flag is not used, or -19 if the accelerator card is not available.

Return Values for remove

0 if success, otherwise specific negative integers.

Note - If the executable succeeds, it will always choose to use the accelerator card for all the operations the vendor claims to support.

Example for config

CpPKCS11Config config -t CheckPoint -l c:/tmp/cryptoki.dll -p 1234 -tr 3

Example for remove

CpPKCS11Config remove -t CheckPoint

Unregistering the PKCS#11 Module

The uninstall process of the PKCS#11 module should first unregister the PKCS#11 module from the VPN-1 and then continue with the uninstallation. This is done by calling CpPKCS11Config remove -t <Token name>, where the token name should be the same as in the config call.

For more information on the cpPKCS11Config executable see “The Check Point API for Registration and Unregistration”.

Before calling this API, the uninstall process should check that VPN-1 is still installed by checking that the CpPKCS11Config executable still exists.

For further information see step 1 and step 2 in the “Script/executable Algorithm” section.


THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.


The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). 
Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

Copyright (c) 2003, Itai Tzur <[email protected]>

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.


THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.


Warranty Disclaimer

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


June 2006 57

Index

A

accelerator card 46
algorithms 45
API 47
automation overview 9, 44

C

check for CPDIR 45
CKM_DH_PKCS_DERIVE 28
    mechanism info 35
    OPSEC category profile 38
CKM_DH_PKCS_KEY_PAIR_GEN 27
    mechanism info 35
    OPSEC category profile 38
CKM_RSA_PKCS 30, 31
    mechanism info 34
    OPSEC category profile 38
CKM_RSA_PKCS_KEY_PAIR_GEN 25
    mechanism info 34
    OPSEC category profile 38
CKM_RSA_X_509 30, 31
    mechanism info 35
    OPSEC category profile 38
ConfigPKCS11onCP 45
cpPKCS11Config 47
cryptographic tokens
    definition of 18
    uses of 16

D

Optional Parameter / 45
Diffie-Hellman (DH) Public/Private key pair generation 27
    OPSEC category profile 37
    private key template 28
Diffie-Hellman (DH) shared secret derivation 28
    OPSEC category profile 37
    public key template 29

E

example
    config 48
    remove 49
executable 45

F

-force flag 45
functions
    PKCS#11 33

I

initialize 45
installation 44
introduction to PKCS#11 12

K

key pair generation
    Diffie-Hellman 27
    RSA 25

L

loading and initializing the PKCS#11 module 22
login and session management 23
    login 24
    session open 23

M

mechanisms
    PKCS#11 34

O

objects
    PKCS#11 36
OPSEC categories
    PKCS#11 20
    profiles 37
    server fast tokens 39
    server secure tokens 39
OPSEC certification 20

P

parameters
    -l 47
    -p 47
    -t 47
    -tr 47
parameters, optional
    -d 48
    -force 48
    -s / 48
PKCS#11
    configuring CP products 21
    functions used 33
    loading and initializing 22
    login 24
    login and session management 23
    mechanisms used 34
    multiple threads 22
    objects used 36
    operations 25, 37
    OPSEC category profiles 37
    session open 23
PKCS#11 module, definition of 18
PKCS#11 provider, definition of 18
PKCS#11 standard, definition of 18
platforms supported 14
prototype
    config 47
    remove 47
Public Key Acceleration (PKOA) 20
Public Key Operation Acceleration (PKOA) 16

R

Random Number Generation (RNG) 16, 20
reset the token password 45
return code
    0 45
    -19 46
    -20 45
return values
    config 48
    remove 48
reversed installation 44
RSA decryption 31
    OPSEC category profile 37
RSA encryption 30
    OPSEC category profile 37
RSA private key objects, creating 31
RSA public key objects, creating 32
RSA Public/Private key pair generation 25
    OPSEC category profile 37
    private key template 26
    public key template 26
RSA signature verification
    OPSEC category profile 37
RSA signatures 29
    OPSEC category profile 37

S

script 45
Secure Key Storage (SKS) 16, 20
server fast tokens 20, 39
server secure tokens 20, 39
shared secret derivation
    Diffie-Hellman 28

U

unregistering 49

V

VPN 15
VPN-1
    registering for PKCS#11 21
    typical configuration 15
    unregistering for PKCS#11 21