Attributes when generating objects
The application must ensure that the templates it passes are both correct and complete. An incorrect or incomplete attribute template passed when generating an object is not always detected and supplemented (see also the PKCS#11 V2.20 standard, chapter 10).
This affects the following functions:
C_CreateObject
C_CopyObject
C_GenerateKey
C_GenerateKeyPair
C_UnwrapKey
C_DeriveKey
The attributes CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_LOCAL, CKA_TOKEN
The notes in this section refer to section 10.4 “Storage objects” in the PKCS#11 V2.20 standard.
Persistent storage of keys and other objects is not supported. The attribute CKA_TOKEN must therefore always be set to FALSE.
Secret object data is not protected continuously. The attributes CKA_SENSITIVE and CKA_EXTRACTABLE can prevent the secret data from being read with C_GetAttributeValue or exported with C_WrapKey. However, other Cryptoki functions ignore the flags set in this way, which allows the protection to be circumvented. In addition, the attribute CKA_LOCAL is not always set correctly.
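Because the library may accept an incomplete template and CKA_TOKEN must always be FALSE, the application can check its own templates before calling the functions listed above. The following is an added example, not code from this documentation or the product: the names check_template, get_bool and tmpl_status are hypothetical, the Cryptoki types are declared inline so that it builds without pkcs11.h, and requiring CKA_SENSITIVE and CKA_EXTRACTABLE to be given explicitly is an assumed application policy.

```c
/* Minimal Cryptoki declarations (numeric values as in PKCS#11 V2.20). */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE         1
#define CK_FALSE        0
#define CKA_TOKEN       0x001UL
#define CKA_SENSITIVE   0x103UL
#define CKA_EXTRACTABLE 0x162UL

enum tmpl_status { TMPL_OK, TMPL_MISSING, TMPL_DUPLICATE, TMPL_BAD_VALUE, TMPL_TOKEN_NOT_FALSE };

/* Hypothetical helper: locate one CK_BBOOL attribute and validate its encoding. */
static enum tmpl_status get_bool(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type, CK_BBOOL *out)
{
    const CK_ATTRIBUTE *hit = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        if (t[i].type != type) continue;
        if (hit) return TMPL_DUPLICATE;          /* ambiguous: two values for one attribute */
        hit = &t[i];
    }
    if (!hit) return TMPL_MISSING;               /* do not rely on the library filling it in */
    if (!hit->pValue || hit->ulValueLen != sizeof(CK_BBOOL)) return TMPL_BAD_VALUE;
    *out = *(const CK_BBOOL *)hit->pValue;
    return TMPL_OK;
}

/* Hypothetical pre-flight check, run before C_GenerateKey and the other listed calls. */
enum tmpl_status check_template(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    static const CK_ULONG required[] = { CKA_TOKEN, CKA_SENSITIVE, CKA_EXTRACTABLE };
    CK_BBOOL v[3];
    for (int i = 0; i < 3; i++) {
        enum tmpl_status s = get_bool(t, n, required[i], &v[i]);
        if (s != TMPL_OK) return s;
    }
    return v[0] == CK_FALSE ? TMPL_OK : TMPL_TOKEN_NOT_FALSE;   /* no persistent objects */
}

/* Constructed sample templates; B() builds one CK_ATTRIBUTE entry. */
#define B(t, v) { t, &v, sizeof v }
static CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
static CK_ULONG wide_false = 0;                  /* boolean wrongly stored as CK_ULONG */
CK_ATTRIBUTE tmpl_good[]    = { B(CKA_TOKEN, no), B(CKA_SENSITIVE, yes), B(CKA_EXTRACTABLE, no) };
CK_ATTRIBUTE tmpl_token[]   = { B(CKA_TOKEN, yes), B(CKA_SENSITIVE, yes), B(CKA_EXTRACTABLE, no) };
CK_ATTRIBUTE tmpl_partial[] = { B(CKA_TOKEN, no), B(CKA_SENSITIVE, yes) };
CK_ATTRIBUTE tmpl_wide[]    = { B(CKA_TOKEN, wide_false), B(CKA_SENSITIVE, yes), B(CKA_EXTRACTABLE, no) };

int main(void) { return check_template(tmpl_good, 3) == TMPL_OK ? 0 : 1; }
```

A passing check only establishes that the template is well formed; as noted above, CKA_SENSITIVE and CKA_EXTRACTABLE are not honoured by every Cryptoki function, so the check is no substitute for limiting which functions are applied to the key.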