I am trying to integrate a SafeNet HSM with our application. I am writing the program in C. I am referring to the PKCS#11 v2.20 Cryptoki standard document from RSA Labs. I need to generate an AES 256-bit key. While defining the template for key generation I am not sure what value needs to be passed for CKA_VALUE. While generating a DES3 key, I didn't provide this attribute and I was able to generate a key.
I searched for sample programs for CKA_LABEL but failed to find any solid examples in C. I found a couple of Java programs where they have used CKA_VALUE_LEN instead of CKA_VALUE. I am not sure if that will work.
This is the snippet given in the document. Most websites give only this snippet as an example. Nothing is specified for the array value.
    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_AES;
    CK_UTF8CHAR label[] = "An AES secret key object";
    CK_BYTE value[] = {...};
    CK_BBOOL true = CK_TRUE;
    CK_ATTRIBUTE template[] = {
        {CKA_CLASS, &class, sizeof(class)},
        {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
        {CKA_TOKEN, &true, sizeof(true)},
        {CKA_LABEL, label, sizeof(label)-1},
        {CKA_ENCRYPT, &true, sizeof(true)},
        {CKA_VALUE, value, sizeof(value)}
    };
Upvotes: 3
The CKA_VALUE is the actual value of the key. When you tell the HSM to generate a secret key, it will generate a key for you on the hardware based on the attributes you pass in the secret key template, and set the generated value in CKA_VALUE. This attribute, however, cannot be read/extracted, nor can it be set when generating the key, because the HSM won't allow you to inject a key (directly) from the software nor allow you to extract it from the HSM (directly).

The CKA_VALUE_LEN is the length of the key you can tell the HSM to generate. The AES key can be of length 128, 192 or 256 bits. Depending on the key size you want, you would set CKA_VALUE_LEN to 16, 24 or 32 (key size in bytes).
Upvotes: 5
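As an added example (not part of the question or the answer above, and not SafeNet's or RSA's code), here is a C_GenerateKey template for an AES key built the way the answer describes: CKA_VALUE_LEN carries the size in bytes and CKA_VALUE is left out entirely, with CKA_SENSITIVE/CKA_EXTRACTABLE set so the generated key bytes can never be read back. The struct and function names are my own; the typedefs and #defines at the top are a minimal subset of the Cryptoki v2.20 types, with the numeric values the standard assigns, so that the example compiles without a vendor pkcs11.h. Against a real token you would include that header instead and drop them.

```c
#include <stdio.h>
#include <string.h>

/* Minimal subset of the Cryptoki v2.20 types and constants, with the values
   from the standard, so this example compiles without the vendor pkcs11.h.
   Real code includes that header instead and drops this block. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL, CK_UTF8CHAR;
typedef CK_ULONG CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS, CK_KEY_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE 1
#define CK_FALSE 0
#define CKO_SECRET_KEY 0x4UL
#define CKK_AES 0x1fUL
#define CKA_CLASS 0x0UL
#define CKA_TOKEN 0x1UL
#define CKA_LABEL 0x3UL
#define CKA_VALUE 0x11UL
#define CKA_KEY_TYPE 0x100UL
#define CKA_SENSITIVE 0x103UL
#define CKA_ENCRYPT 0x104UL
#define CKA_VALUE_LEN 0x161UL
#define CKA_EXTRACTABLE 0x162UL

/* The template only stores pointers, so the attribute values must outlive it;
   keeping values and template in one struct makes that hard to get wrong. */
struct aes_keygen_template {
    CK_OBJECT_CLASS cls;
    CK_KEY_TYPE keyType;
    CK_ULONG valueLen;          /* CKA_VALUE_LEN in bytes: 16, 24 or 32 */
    CK_BBOOL yes, no;
    CK_UTF8CHAR label[32];
    CK_ATTRIBUTE attrs[8];
    CK_ULONG count;
};

/* Fill a template for generating an AES key of key_bits (128, 192 or 256).
   CKA_VALUE is deliberately absent: the HSM fills it in itself, and it is
   neither supplied by the caller nor readable afterwards. Returns 0, or -1
   for an unsupported key size. */
int build_aes_keygen_template(struct aes_keygen_template *t, unsigned key_bits, const char *label)
{
    if (key_bits != 128 && key_bits != 192 && key_bits != 256) return -1;
    memset(t, 0, sizeof *t);                    /* also leaves t->no == CK_FALSE */
    t->cls = CKO_SECRET_KEY;
    t->keyType = CKK_AES;
    t->valueLen = key_bits / 8;
    t->yes = CK_TRUE;
    size_t n = strlen(label);
    if (n > sizeof t->label) n = sizeof t->label;
    memcpy(t->label, label, n);
    CK_ATTRIBUTE a[] = {
        {CKA_CLASS, &t->cls, sizeof t->cls},
        {CKA_KEY_TYPE, &t->keyType, sizeof t->keyType},
        {CKA_TOKEN, &t->yes, sizeof t->yes},
        {CKA_LABEL, t->label, (CK_ULONG)n},        /* no trailing NUL, as in the standard's snippet */
        {CKA_ENCRYPT, &t->yes, sizeof t->yes},
        {CKA_SENSITIVE, &t->yes, sizeof t->yes},   /* key bytes never leave the HSM in the clear */
        {CKA_EXTRACTABLE, &t->no, sizeof t->no},   /* and cannot be wrapped out either */
        {CKA_VALUE_LEN, &t->valueLen, sizeof t->valueLen},
    };
    memcpy(t->attrs, a, sizeof a);
    t->count = sizeof a / sizeof a[0];
    return 0;
}

/* Check a secret-key template before handing it to C_GenerateKey: no CKA_VALUE
   (the HSM rejects injected key material) and a CKA_VALUE_LEN of 16, 24 or 32.
   Returns 1 if acceptable, 0 otherwise. */
int check_aes_keygen_template(const CK_ATTRIBUTE *attrs, CK_ULONG count)
{
    int have_len = 0;
    for (CK_ULONG i = 0; i < count; i++) {
        if (attrs[i].type == CKA_VALUE) return 0;
        if (attrs[i].type == CKA_VALUE_LEN) {
            if (attrs[i].ulValueLen != sizeof(CK_ULONG)) return 0;
            CK_ULONG len = *(const CK_ULONG *)attrs[i].pValue;
            if (len != 16 && len != 24 && len != 32) return 0;
            have_len = 1;
        }
    }
    return have_len;
}

int main(void)
{
    struct aes_keygen_template t;
    if (build_aes_keygen_template(&t, 256, "An AES secret key object") != 0) return 1;
    if (!check_aes_keygen_template(t.attrs, t.count)) return 1;
    /* Against a real token, after C_GetFunctionList / C_OpenSession / C_Login:
       CK_MECHANISM mech = { CKM_AES_KEY_GEN, NULL, 0 };
       CK_OBJECT_HANDLE hKey;
       CK_RV rv = C_GenerateKey(hSession, &mech, t.attrs, t.count, &hKey); */
    printf("AES-%lu template with %lu attributes is ready for C_GenerateKey\n", t.valueLen * 8, t.count);
    return 0;
}
```

The check function is the part worth keeping around: a template that still carries CKA_VALUE, or a CKA_VALUE_LEN that is not 16, 24 or 32, is rejected before the call reaches the HSM, which turns an opaque CKR_TEMPLATE_INCONSISTENT from the token into an error you can act on in your own code.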