An operation is a series of several functions.
The notes in this section refer to chapter 11 “Functions” of the PKCS#11 V2.20 standard.
In BS2000 most functions from version 1.1 can be executed not just synchronously via the BS2000 specific assembler interfaces, but also asynchronously.
You can find more detailed information on this in section “Asynchronous execution”.
The following general functions are not required in BS2000.
C_InitToken
C_Login
C_Logout
The maximum output data length for the functions encryptFinal, decryptFinal, digestFinal, signFinal, verifyFinal, wrapKey and generateRandom is 2048 bytes.
For certain functions you should not initially determine the size of the output area, as this has an adverse effect on performance. See section 11.2 “Conventions for functions returning output in a variable-length buffer” of the PKCS#11 V2.20 standard.
All operations initiated using ...Init will not be terminated by follow-up calls that supply the return code CKR_SESSION_HANDLE_INVALID or CKR_ARGUMENTS_BAD. The return codes CKR_KEY_HANDLE_INVALID, CKR_MECHANISM_INVALID, CKR_ATTRIBUTE_VALUE_INVALID will not usually terminate the active operation either. See the section 11.4 “General-purpose functions” of the PKCS#11 V2.20 standard.
The number of sessions that a user can open simultaneously is limited to 999. You can set this limit to a lower value with the CRYPTO-SESSION-LIMIT operand of the ADD-USER or MODIFY-USER-ATTRIBUTES command. You will find further information on these commands in the “BS2000 OS DX Commands” user manual [2].
If this limit of parallel sessions is exceeded, the return code session_count is provided.
C_Initialize, C_Finalize
C_Initialize:
In addition to the functionality described in the PKCS#11 standard, C_Initialize in BS2000 controls whether the program works synchronously or asynchronously with CRYPT:
If you select synchronous function execution, a C_Initialize in BS2000 is not required.
pInitArgs must be a NULL_PTR.
C_Finalize:
C_Finalize has no effect in BS2000.
Compare section 11.4 “General-purpose functions” in the PKCS#11 V2.20 standard.
C_GetMechanismInfo
In the mechanism information data of the mechanisms CKM_RSA_PKCS and CKM_RSA_X_509, the flags for the operations Sign and Verify are not set. Despite this, the corresponding operations are still supported.
See the section 11.5 “Slot and token management functions” of the PKCS#11 V2.20 standard.
C_CopyObject:
The flags CKA_SENSITIVE and CKA_EXTRACTABLE which are used to protect the security-relevant data of a key from being read or from being extracted can be changed in both directions.
See section 11.7 “Object management functions” of the PKCS#11 V2.20 standard.
C_SetAttributeValue
No complete check of transferred values is carried out. It is possible that inconsistent states may occur since it is possible to set incorrect attribute values and to modify attributes which (according to the standard) may not be modified. The calling application must ensure that these states do not occur.
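A caller-side guard for the C_CopyObject and C_SetAttributeValue behavior described above, as an added example (not code from the BS2000 documentation or the PKCS#11 standard): it rejects a template that would clear CKA_SENSITIVE or re-enable CKA_EXTRACTABLE, the two changes the standard does not permit. The name check_key_template, the guard_result codes and the inline type stand-ins are assumptions of this example; the current values are expected to have been read with C_GetAttributeValue.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the pkcs11.h definitions used here so the example builds
   on its own; the constant values are those of PKCS#11 V2.20. */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_SENSITIVE   0x00000103UL
#define CKA_EXTRACTABLE 0x00000162UL

/* Hypothetical result codes of this guard (not PKCS#11 return codes). */
enum guard_result { GUARD_OK, GUARD_SENSITIVE_CLEARED, GUARD_EXTRACTABLE_SET, GUARD_BAD_TEMPLATE };

/* Check a template before passing it to C_CopyObject or C_SetAttributeValue.
   cur_sensitive / cur_extractable are the key's current attribute values. */
enum guard_result check_key_template(CK_BBOOL cur_sensitive, CK_BBOOL cur_extractable,
                                     const CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    CK_ULONG i;
    if (tmpl == NULL && count != 0)
        return GUARD_BAD_TEMPLATE;
    for (i = 0; i < count; i++) {
        CK_BBOOL v;
        if (tmpl[i].type != CKA_SENSITIVE && tmpl[i].type != CKA_EXTRACTABLE)
            continue;                       /* other attributes are not judged here */
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            return GUARD_BAD_TEMPLATE;      /* malformed boolean attribute */
        v = *(const CK_BBOOL *)tmpl[i].pValue;
        if (tmpl[i].type == CKA_SENSITIVE && cur_sensitive != CK_FALSE && v == CK_FALSE)
            return GUARD_SENSITIVE_CLEARED; /* standard: fixed once CK_TRUE */
        if (tmpl[i].type == CKA_EXTRACTABLE && cur_extractable == CK_FALSE && v != CK_FALSE)
            return GUARD_EXTRACTABLE_SET;   /* standard: fixed once CK_FALSE */
    }
    return GUARD_OK;
}

int main(void)
{
    /* Constructed sample: a sensitive, non-extractable key and two templates. */
    CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
    CK_ATTRIBUTE weaken[] = { { CKA_SENSITIVE, &no, sizeof no } };
    CK_ATTRIBUTE keep[]   = { { CKA_SENSITIVE, &yes, sizeof yes }, { CKA_EXTRACTABLE, &no, sizeof no } };
    printf("weaken: %d\n", check_key_template(CK_TRUE, CK_FALSE, weaken, 1));
    printf("keep:   %d\n", check_key_template(CK_TRUE, CK_FALSE, keep, 2));
    return 0;
}
```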
C_GenerateKeyPair
In order to generate an RSA key it is not necessary to specify the attribute CKA_PUBLIC_EXPONENT. See the section 11.14 “Key management functions” of the PKCS#11 V2.20 standard.
C_Encrypt, C_Decrypt, C_Digest, C_Sign, C_Verify
The cryptographic single-part operations (C_Encrypt, C_Decrypt, C_Digest, C_Sign, C_Verify) correspond to an update operation followed by a final operation.
As a result, you can terminate a sequence of C_EncryptUpdate calls using either C_EncryptFinal or C_Encrypt.
Single-part operation | Corresponding update and final operations |
C_Encrypt | C_EncryptUpdate + C_EncryptFinal |
C_Decrypt | C_DecryptUpdate + C_DecryptFinal |
C_Digest | C_DigestUpdate + C_DigestFinal |
C_Sign | C_SignUpdate + C_SignFinal |
C_Verify | C_VerifyUpdate + C_VerifyFinal |
The input data length of an update operation need not necessarily meet the criteria described in chapters 12 and following of the PKCS#11 V2.20 standard. These criteria only refer to the overall length.
See sections 11.8 through 11.12 “Encryption / Decryption / Message digesting / Signing and MACing functions and functions for verifying signatures and MACs” of the PKCS#11 V2.20 standard.