
Attributes

Main menu option: Attributes

Shows the attributes of the object indicated.

Provided the authenticated user has permission to read objects in other partitions, the operation can also be performed on an object of another partition by giving the partition name and the object name in the form:

partition/object

Actions

There is a menu of Actions possible on the object, displayed below the list of attributes. The menu varies according to the type of object.

Actions options in attributes
.
.
.
Actions:

 1 - Block
 2 - Edit Metadata
 3 - PKCS#10 CSR

 0 - Main Menu
Option :

For RSA or ECC keys, a PKCS#10 CSR (Certificate Signing Request) can be generated from the Actions menu; see the details below.

Attribute Groups

The attributes are displayed in groups.

  1. Common

    These are the operation attributes, common to all objects:

    1. Type: the object type (for example rsa2048).
    2. Temporary: determines whether the object will be automatically destroyed at the end of the operation session.
    3. Exportable: determines whether the object can be exported from the HSM.
    4. Encrypted: all objects in the HSM are stored encrypted.
    5. Blocked: determines whether the object is blocked for cryptographic operations.
  2. SP 800-57-1

    The state of the object according to SP 800-57-1 (NIST Special Publication 800-57 Part 1 Revision 5, Recommendation for Key Management: Part 1 - General). This state is an intrinsic attribute of the object, regardless of the medium or API through which it is manipulated.

    The cryptographic purpose mask and the state transition dates during the object's life cycle are also displayed.

    The states are:

    1. Pre-Active
    2. Active
    3. Deactivated
    4. Compromised
    5. Destroyed
    6. Destroyed Compromised

    The following image illustrates the possible states and transitions.

    ---
    title: States and transitions SP 800-57-1
    ---
    stateDiagram-v2
        Pre_Active: Pre Active
        Destroyed_Compromised: Destroyed Compromised

        [*] --> Pre_Active: 1
        Pre_Active --> Destroyed: 2
        Pre_Active --> Compromised: 3
        Pre_Active --> Active: 4
        Active --> Compromised: 5
        Active --> Deactivated: 6
        Deactivated --> Destroyed: 7
        Deactivated --> Compromised: 8
        Compromised --> Destroyed_Compromised: 9
        Destroyed --> Destroyed_Compromised: 10
        Destroyed_Compromised --> [*]

    Danger

    Changes to the HSM clock can affect the state attribute. For example, if an object has an activation date later than the HSM's current date (as happens when the clock is set back), its state will be PRE-ACTIVE, which prevents cryptographic operations with the object.

  3. Specific

    These are the specific attributes of each type, including the size of the cryptographic material.

  4. PKCS#11

    These are the attributes mainly used by the PKCS#11 API, but they are available to any application or caller. Some of these attributes are freely assigned by the user, such as CKA_LABEL and CKA_APPLICATION; others serve the internal purposes of the HSM, for example the type, the identifier and the cryptographic material. For more details on the PKCS#11 integration API, see the topic PKCS#11.

Warning

All attributes are consistent between the groups when there is overlap. A change in one attribute of a group is immediately reflected in the equivalent attributes of the other groups.
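The SP 800-57-1 group above, as an added example that is not part of the Dinamo console or its documentation: the six states and the ten numbered transitions of the diagram as a small state machine, plus a derivation of the state from the life-cycle dates the console prints, which reproduces the Danger note (an activation date ahead of the HSM clock gives PRE-ACTIVE). The date precedence in derive_state() and the rule in operations_allowed() are assumptions made for illustration, not a description of the HSM's internal logic.

```python
"""SP 800-57 Part 1 object states with the numbered transitions of the
diagram above, and the state derived from life-cycle dates vs. the HSM clock.

Added example, not Dinamo's code. derive_state()'s precedence
(compromise > deactivation > activation) and operations_allowed() are
assumptions for illustration only."""
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    PRE_ACTIVE = "PRE-ACTIVE"
    ACTIVE = "ACTIVE"
    DEACTIVATED = "DEACTIVATED"
    COMPROMISED = "COMPROMISED"
    DESTROYED = "DESTROYED"
    DESTROYED_COMPROMISED = "DESTROYED COMPROMISED"


# Edges 2..10 of the diagram; edge 1 is creation, which always lands in PRE-ACTIVE.
TRANSITIONS = {
    (State.PRE_ACTIVE, State.DESTROYED): 2,
    (State.PRE_ACTIVE, State.COMPROMISED): 3,
    (State.PRE_ACTIVE, State.ACTIVE): 4,
    (State.ACTIVE, State.COMPROMISED): 5,
    (State.ACTIVE, State.DEACTIVATED): 6,
    (State.DEACTIVATED, State.DESTROYED): 7,
    (State.DEACTIVATED, State.COMPROMISED): 8,
    (State.COMPROMISED, State.DESTROYED_COMPROMISED): 9,
    (State.DESTROYED, State.DESTROYED_COMPROMISED): 10,
}


def transition(current, target):
    """Return target if the diagram has that edge, else raise. There is no
    edge back to ACTIVE from DEACTIVATED or COMPROMISED."""
    if (current, target) not in TRANSITIONS:
        raise ValueError(f"no transition {current.value} -> {target.value}")
    return target


def reachable(start):
    """All states reachable from `start` by following the diagram's edges."""
    seen, stack = set(), [start]
    while stack:
        s = stack.pop()
        for src, dst in TRANSITIONS:
            if src is s and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def parse_console_date(text):
    """Dates print as '2022-01-12 00:54:54 GMT' or 'none' in the listing."""
    text = text.strip()
    if text == "none":
        return None
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def derive_state(activation, deactivation, compromise, now):
    """Assumed precedence: a date counts only once the HSM clock (`now`)
    has reached it; compromise wins over deactivation, which wins over
    activation. Nothing reached yet means PRE-ACTIVE."""
    def reached(d):
        return d is not None and d <= now
    if reached(compromise):
        return State.COMPROMISED
    if reached(deactivation):
        return State.DEACTIVATED
    if reached(activation):
        return State.ACTIVE
    return State.PRE_ACTIVE


def operations_allowed(state):
    """The page states that PRE-ACTIVE blocks cryptographic operations; this
    example additionally treats only ACTIVE as operable (an assumption)."""
    return state is State.ACTIVE


if __name__ == "__main__":
    act = parse_console_date("2022-01-12 00:54:54 GMT")   # from the listing above
    clock_ok = parse_console_date("2022-06-01 00:00:00 GMT")
    clock_back = parse_console_date("2021-06-01 00:00:00 GMT")  # HSM clock set behind
    print(derive_state(act, None, None, clock_ok).value)    # ACTIVE
    print(derive_state(act, None, None, clock_back).value)  # PRE-ACTIVE, the Danger note
```

The reachable() helper makes the operational point of the diagram explicit: once a key is DEACTIVATED or COMPROMISED there is no path back to ACTIVE, so the only remedy for a key that became PRE-ACTIVE through a clock change is to fix the clock, not to "reactivate" the object.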

Attributes of an RSA key
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

Keys/Objects - Attributes

Name (HSM) : myRSA
                            Type : rsa2048
                       Temporary : no
                      Exportable : no
                       Encrypted : yes
                         Blocked : no

                           State : ACTIVE
                            Mask : SIGN, DECRYPT, CERTIFICATE_SIGN, CRL_SIGN
                    Initial date : 2022-01-12 00:54:54 GMT
                 Activation date : 2022-01-12 00:54:54 GMT
                    Archive date : none
                 Compromise date : none
      Compromise occurrence date : none
               Deactivation date : none
                Last change date : 2022-01-12 00:54:54 GMT
          Original creation date : 2022-01-12 00:54:54 GMT
              Process start date : none
               Protect stop date : none

            Public exponent(hex) : 010001
                        Key size : 2048 bits

                    CKA_KEY_TYPE : 0
                       CKA_CLASS : 3
                 CKA_EXTRACTABLE : no
                   CKA_SENSITIVE : yes
           CKA_NEVER_EXTRACTABLE : yes
                       CKA_LOCAL : yes
            CKA_CERTIFICATE_TYPE : 0
                     CKA_MODULUS : 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
             CKA_PUBLIC_EXPONENT : 010001
             CKA_PUBLIC_KEY_INFO : 30820122300D06092A864886F70D01010105000382010F003082010A02820101009F84737F2EB33E8E8265B1C0F93F6582109DEA495448420ABF3FD9DA262C1CA328E81DAE8D5C6EEF363803D46FB6B500F910132A8F38C7272433737187421B28281F12FB301764F47897A6A6D9726DDD18FA5AEA2EEEB7C61DBBD2D9BEAEDE59938C523109F789D4C3F786ABAE2C8346EE6588A593A7933BA672B5B2C4779D2166F86A0156D121781BAF4FBF7FA61A92D1559152EC456F47B29694E2C41D9EA0630C345C6FC3183CE1B812ABB118FA64BF0EBE2B50AE1B35A29467E264DA7199813F156985A71E2FD6D2CC21D13410891CC3137BF3698C9FA62FC93D4191BF0525CB706639C74A67143913E7B9BC9A63D9C18D1FBE2EC3BDF9BEA4F1483DE3630203010001
                   CKA_EC_PARAMS :
                     CKA_SUBJECT :
                      CKA_ISSUER :
                          CKA_SN :
                       CKA_TOKEN : yes
                  CKA_MODIFIABLE : yes
                CKA_MODULUS_BITS : 2048
                     CKA_PRIVATE : yes
                      CKA_DERIVE : no
                        CKA_WRAP : no
                      CKA_UNWRAP : yes
                        CKA_SIGN : yes
                      CKA_VERIFY : yes
                     CKA_ENCRYPT : no
                     CKA_DECRYPT : yes
                   CKA_OBJECT_ID :
                 HSM_OBJ_VERSION : 2
                    HSM_OBJ_TYPE : 6
                    HSM_OBJ_ATTR : 0
                     HSM_OBJ_LEN : 1461
                      HSM_OBJ_ID : master/myRSA
                  HSM_OBJ_PVALUE : 62E90C37DDBCD46D50CBEAB3FAAD3DC50E1C0665
                       CKA_LABEL :
                          CKA_ID :
                CKA_SIGN_RECOVER : no
              CKA_VERIFY_RECOVER : no
                 CKA_APPLICATION :
                     CKA_TRUSTED : no
            CKA_JMIDP_SEC_DOMAIN : 0
               CKA_CERT_CATEGORY : 0
           CKA_KEY_GEN_MECHANISM : 0
           CKA_WRAP_WITH_TRUSTED : no
                   HSM_ASSOCIATE :

Actions:

 1 - Block
 2 - Edit Metadata
 3 - PKCS#10 CSR

 0 - Main Menu
Option :
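The listing above shows the same fact in several groups (Exportable and CKA_EXTRACTABLE, Key size and CKA_MODULUS_BITS, the public exponent, the SIGN/DECRYPT purposes and the CKA_SIGN/CKA_DECRYPT flags), and the Warning says these must agree. As an added example that is not Dinamo's code, the following script parses such a listing, cross-checks the groups, and also decodes the DER SubjectPublicKeyInfo in CKA_PUBLIC_KEY_INFO to confirm that the modulus size and exponent match what the other groups claim. SAMPLE_DUMP is a subset of the listing above (CKA_MODULUS omitted); the PKCS#11 constants CKO_PRIVATE_KEY = 3 and CKK_RSA = 0 are from the PKCS#11 standard; the audit rules are this example's own policy, not a behaviour of the HSM.

```python
"""Cross-check the attribute groups of an RSA private key as printed by the
console's Attributes option. Added example, not Dinamo's code; SAMPLE_DUMP is
a subset of the page's listing, and the audit rules are this example's own."""

SAMPLE_DUMP = """\
                      Name (HSM) : myRSA
                            Type : rsa2048
                      Exportable : no
                         Blocked : no
                            Mask : SIGN, DECRYPT, CERTIFICATE_SIGN, CRL_SIGN
            Public exponent(hex) : 010001
                        Key size : 2048 bits
                    CKA_KEY_TYPE : 0
                       CKA_CLASS : 3
                 CKA_EXTRACTABLE : no
                   CKA_SENSITIVE : yes
           CKA_NEVER_EXTRACTABLE : yes
             CKA_PUBLIC_EXPONENT : 010001
             CKA_PUBLIC_KEY_INFO : 30820122300D06092A864886F70D01010105000382010F003082010A02820101009F84737F2EB33E8E8265B1C0F93F6582109DEA495448420ABF3FD9DA262C1CA328E81DAE8D5C6EEF363803D46FB6B500F910132A8F38C7272433737187421B28281F12FB301764F47897A6A6D9726DDD18FA5AEA2EEEB7C61DBBD2D9BEAEDE59938C523109F789D4C3F786ABAE2C8346EE6588A593A7933BA672B5B2C4779D2166F86A0156D121781BAF4FBF7FA61A92D1559152EC456F47B29694E2C41D9EA0630C345C6FC3183CE1B812ABB118FA64BF0EBE2B50AE1B35A29467E264DA7199813F156985A71E2FD6D2CC21D13410891CC3137BF3698C9FA62FC93D4191BF0525CB706639C74A67143913E7B9BC9A63D9C18D1FBE2EC3BDF9BEA4F1483DE3630203010001
                CKA_MODULUS_BITS : 2048
                        CKA_SIGN : yes
                     CKA_DECRYPT : yes
"""

CKO_PRIVATE_KEY, CKK_RSA = "3", "0"                           # PKCS#11 constants
RSA_ENCRYPTION_OID = bytes.fromhex("06092A864886F70D010101")  # 1.2.840.113549.1.1.1


def parse_dump(text):
    """Turn '   Label : value' lines into a dict; other lines are ignored."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def _der_read(buf, pos):
    """Read one definite-length TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_params_from_spki(spki_hex):
    """Extract (n, e) from a hex SubjectPublicKeyInfo carrying an RSA key."""
    tag, spki, _ = _der_read(bytes.fromhex(spki_hex), 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _der_read(spki, 0)              # AlgorithmIdentifier
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_read(spki, pos)           # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_key, _ = _der_read(bits, 1)            # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_read(rsa_key, 0)       # modulus INTEGER
    _, e_bytes, _ = _der_read(rsa_key, pos)       # publicExponent INTEGER
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def audit(attrs):
    """Return a list of findings; an empty list means the groups agree."""
    findings = []
    yes = {k for k, v in attrs.items() if v == "yes"}
    if attrs.get("Exportable") != attrs.get("CKA_EXTRACTABLE"):   # Common vs PKCS#11
        findings.append("Exportable and CKA_EXTRACTABLE disagree")
    if attrs.get("Type", "").startswith("rsa") and (
            attrs.get("CKA_CLASS") != CKO_PRIVATE_KEY or attrs.get("CKA_KEY_TYPE") != CKK_RSA):
        findings.append("CKA_CLASS/CKA_KEY_TYPE do not describe an RSA private key")
    bits = int(attrs.get("Key size", "0 bits").split()[0])       # Specific vs PKCS#11
    if str(bits) != attrs.get("CKA_MODULUS_BITS"):
        findings.append("Key size and CKA_MODULUS_BITS disagree")
    n, e = rsa_params_from_spki(attrs["CKA_PUBLIC_KEY_INFO"])     # both vs the DER
    if n.bit_length() != bits:
        findings.append(f"SubjectPublicKeyInfo modulus has {n.bit_length()} bits, not {bits}")
    if e != int(attrs.get("Public exponent(hex)", "0"), 16) or e != int(attrs.get("CKA_PUBLIC_EXPONENT", "0"), 16):
        findings.append("public exponent differs between groups")
    if "CKA_EXTRACTABLE" in yes or not {"CKA_SENSITIVE", "CKA_NEVER_EXTRACTABLE"} <= yes:
        findings.append("private key material is not pinned to the HSM")
    mask = {m.strip() for m in attrs.get("Mask", "").split(",")}  # SP 800-57 mask vs flags
    for purpose, flag in (("SIGN", "CKA_SIGN"), ("DECRYPT", "CKA_DECRYPT")):
        if (purpose in mask) != (flag in yes):
            findings.append(f"Mask and {flag} disagree on {purpose}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)) or ["no findings"]:
        print(finding)
```

Run against the page's listing the audit is clean; flip Exportable to yes while CKA_EXTRACTABLE stays no, or clear CKA_SIGN while SIGN remains in the mask, and it reports the mismatch. The DER check matters in practice because CKA_PUBLIC_KEY_INFO is what gets pasted into certificates and CSRs, so it is the value to compare against the key size the HSM claims.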

Block

Blocking a key sets its Blocked attribute to yes; while blocked, the key cannot be used for cryptographic operations. For blocked keys, the option changes to Unblock.

Edit Metadata

Some metadata, such as Label PKCS#11, can be edited for use by applications. This editable metadata does not affect the key material or access controls.

CSR issuance

Option only available for private keys (RSA and ECC).

It issues a certificate request (CSR, Certificate Signing Request) in PKCS#10 format, signed with the private key, to be sent to a Certificate Authority, which will issue the corresponding certificate. The generated CSR can be saved to a file or displayed on screen.

Attention

Each field of the X.509 DN (Distinguished Name) must be preceded by /, that is, the slash-separated form also used by OpenSSL's -subj option, not the comma-separated string representation of RFC 1779. Separation by , is not accepted.

Example:

/CN=Elias Jacob/O=TAC/OU=Engenharia/L=Brasilia/ST=Distrito Federal/C=BR/EMAIL=elias@tac.com

DN accepts the following fields:

  1. CN: Common Name
  2. O: Organization
  3. OU: Organizational Unit
  4. L: Local/City
  5. ST (or S): State
  6. C: Country
  7. EMAIL (or E): e-mail address

If no DN is entered, the generated CSR uses a default DN of the form /CN=<user_id>_<key_id>.
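The DN rules above (slash-separated fields, the accepted keywords with their S and E aliases, rejection of the comma form, and the /CN=<user_id>_<key_id> default), as an added example that is not Dinamo's code. It parses a DN into ordered (field, value) pairs so it can be validated before being typed at the console prompt; how a literal / inside a value would be escaped is not documented on the page, so it is not handled here, and the two-letter check on C is an extra check of this example based on X.520's definition of countryName.

```python
"""Parse and validate the slash-separated DN accepted by the CSR option.
Added example, not Dinamo's code; field list and aliases are the ones
documented above, escaping of '/' inside values is not handled."""

# Accepted keywords, mapped to their canonical form (S -> ST, E -> EMAIL).
DN_FIELDS = {
    "CN": "CN", "O": "O", "OU": "OU", "L": "L",
    "ST": "ST", "S": "ST", "C": "C", "EMAIL": "EMAIL", "E": "EMAIL",
}


def parse_dn(dn, user_id=None, key_id=None):
    """Return the DN as an ordered list of (field, value) pairs, applying
    the console's default of /CN=<user_id>_<key_id> when dn is empty."""
    dn = (dn or "").strip()
    if not dn:
        if user_id is None or key_id is None:
            raise ValueError("empty DN: user_id and key_id are needed for the default")
        return [("CN", f"{user_id}_{key_id}")]
    if not dn.startswith("/"):
        # Catches 'CN=x, O=y': every field must be introduced by '/'.
        raise ValueError("DN must start with '/'; the comma-separated form is not accepted")
    rdns = []
    for part in dn[1:].split("/"):
        field, eq, value = part.partition("=")
        if not eq or not value:
            raise ValueError(f"malformed DN component {part!r}")
        field = field.strip().upper()
        if field not in DN_FIELDS:
            raise ValueError(f"unsupported DN field {field!r}")
        rdns.append((DN_FIELDS[field], value))
    return rdns


def format_dn(rdns):
    """Canonical slash form, ready to be typed at the 'DN' prompt."""
    return "".join(f"/{k}={v}" for k, v in rdns)


def country_ok(rdns):
    """X.520 defines countryName as exactly two characters; CAs reject others."""
    return all(len(v) == 2 and v.isalpha() for k, v in rdns if k == "C")


if __name__ == "__main__":
    example = "/CN=Elias Jacob/O=TAC/OU=Engenharia/L=Brasilia/ST=Distrito Federal/C=BR/EMAIL=elias@tac.com"
    for field, value in parse_dn(example):
        print(f"{field:5} = {value}")
    print(format_dn(parse_dn("", user_id="master", key_id="prod")))  # /CN=master_prod
```

Because the console only prints the signed CSR, checking the DN string locally first avoids signing a request with a malformed subject and having the CA reject it.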

Generating a CSR from a private key
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

Keys/Objects - Attributes

Private Key name (HSM): prod
DN (ENTER for default, /CN=<user_id>_<key_id>): /CN=Elias Jacob/O=TAC/OU=Engenharia/L=Brasilia/ST=Distrito Federal/C=BR/EMAIL=elias@tac.com
Hash :
 1 - Default
 2 - SHA-1
 3 - SHA-224
 4 - SHA-256
 5 - SHA-384
 6 - SHA-512
Option : 4
Output File (local) (ENTER to dump on screen) :

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

File exported successfully.

Press ENTER key to continue...

Warning

To issue a PKCS#10 CSR in the format required by the SPB (Brazilian Payment System) standard, see the SPB topic.

Warning

To issue CSRs in the EMV standard, see the topic EFT.