user3553315

Reputation: 11

How are C_CreateObject, C_GenerateKey and C_GenerateKeyPair different?

Our PKCS#11 library is missing the implementation of C_CreateObject. Before jumping into its implementation, I want to know the instances where C_CreateObject should be used instead of C_GenerateKey/C_GenerateKeyPair.

Upvotes: 1

Views: 1983

Answers (2)

always_a_rookie

Reputation: 4840

PKCS#11 treats Key Pairs (Public Key and Private Key), Certificates and Secret Keys as objects on the token. There is also a Data Object, which just holds some data.

The C_GenerateKey would create a Secret Key Object.

The C_GenerateKeyPair would create a Public Key and a Private Key Object (both the public key and private key combined would constitute the key pair).

When you say C_GenerateKey, PKCS#11 knows that it has to generate a Secret Key Object and expects a Secret Key Object Template. Similarly, with C_GenerateKeyPair it knows that it has to create a Public Key Object and a Private Key Object and expects their respective object templates.

But when you say C_CreateObject, you have to specify which type of object you want to create, and pass in the right Object Template as well. Consider this like an abstract version of the C_GenerateXXX method.

Upvotes: 1

jariq

Reputation: 12108

C_CreateObject imports existing data objects, certificates and/or keys generated externally into the device. C_GenerateKey generates a new symmetric key (DES/AES/...) inside the device. C_GenerateKeyPair generates a new asymmetric key pair (RSA/ECC/...) inside the device.

Upvotes: 5
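For someone implementing the missing function, the import/generate split described in the answers shows up as different template rules and different provenance attributes on the stored key. The following is an added sketch, not code from either answer or from any real PKCS#11 library: a simplified token-side model for AES-sized secret keys only. The constants use their PKCS#11 values; the `model_*` functions, the structs, the error code chosen for a conflicting template, the absent-flag defaults, and `/dev/urandom` as a stand-in for the token RNG are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constants carry their PKCS#11 values; all other names are hypothetical. */
enum { CKA_CLASS = 0x000, CKA_VALUE = 0x011, CKA_SENSITIVE = 0x103,
       CKA_VALUE_LEN = 0x161, CKA_EXTRACTABLE = 0x162, CKO_SECRET_KEY = 0x004 };
enum { CKR_OK = 0x00, CKR_FUNCTION_FAILED = 0x06, CKR_ATTRIBUTE_VALUE_INVALID = 0x13,
       CKR_TEMPLATE_INCOMPLETE = 0xD0, CKR_TEMPLATE_INCONSISTENT = 0xD1 };
typedef struct { unsigned long type; const void *val; unsigned long len; } attr_t;
/* Simplified stored key: bytes plus CKA_LOCAL, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE. */
typedef struct { unsigned char value[32]; unsigned long value_len;
                 int local, always_sensitive, never_extractable; } object_t;

static const attr_t *find(const attr_t *t, size_t n, unsigned long type) {
    for (size_t i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}
static int flag(const attr_t *t, size_t n, unsigned long type) { /* absent = false here */
    const attr_t *a = find(t, n, type);
    return a && a->len == 1 && *(const unsigned char *)a->val;
}
static int aes_len(unsigned long n) { return n == 16 || n == 24 || n == 32; }

/* C_CreateObject path: caller names the class and supplies the key bytes. */
unsigned long model_create_object(const attr_t *t, size_t n, object_t *o) {
    const attr_t *cls = find(t, n, CKA_CLASS), *val = find(t, n, CKA_VALUE);
    if (!cls || !val) return CKR_TEMPLATE_INCOMPLETE;
    if (find(t, n, CKA_VALUE_LEN)) return CKR_TEMPLATE_INCONSISTENT;
    if (cls->len != sizeof(unsigned long) || !aes_len(val->len) ||
        *(const unsigned long *)cls->val != CKO_SECRET_KEY) return CKR_ATTRIBUTE_VALUE_INVALID;
    memcpy(o->value, val->val, val->len);
    o->value_len = val->len;
    /* The bytes existed outside the token, so all provenance flags are false. */
    o->local = o->always_sensitive = o->never_extractable = 0;
    return CKR_OK;
}

/* C_GenerateKey path: class is implied, the token produces the bytes itself. */
unsigned long model_generate_key(const attr_t *t, size_t n, object_t *o) {
    const attr_t *len = find(t, n, CKA_VALUE_LEN);
    if (find(t, n, CKA_VALUE)) return CKR_TEMPLATE_INCONSISTENT; /* no caller-supplied bytes */
    if (!len || len->len != sizeof(unsigned long)) return CKR_TEMPLATE_INCOMPLETE;
    unsigned long want = *(const unsigned long *)len->val;
    if (!aes_len(want)) return CKR_ATTRIBUTE_VALUE_INVALID;
    FILE *f = fopen("/dev/urandom", "rb");       /* stand-in for the token RNG */
    size_t got = f ? fread(o->value, 1, want, f) : 0;
    if (f) fclose(f);
    if (got != want) return CKR_FUNCTION_FAILED;
    o->value_len = want;
    o->local = 1;                                /* generated on the token */
    o->always_sensitive = flag(t, n, CKA_SENSITIVE);
    o->never_extractable = !flag(t, n, CKA_EXTRACTABLE);
    return CKR_OK;
}
```

An application can later read CKA_LOCAL, CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE to check whether a key could ever have existed outside the device, which is why an imported key must not be stored with those flags set.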
