< draft-pechanec-pkcs11uri-19.txt   draft-pechanec-pkcs11uri-21.txt >
Network Working Group J. Pechanec Network Working Group J. Pechanec
Internet-Draft D. Moffat Internet-Draft D. Moffat
Intended status: Standards Track Oracle Corporation Intended status: Standards Track Oracle Corporation
Expires: July 19, 2015 January 15, 2015 Expires: August 17, 2015 February 13, 2015
The PKCS#11 URI Scheme The PKCS#11 URI Scheme
draft-pechanec-pkcs11uri-19 draft-pechanec-pkcs11uri-21
Abstract Abstract
This memo specifies a PKCS#11 Uniform Resource Identifier (URI) This memo specifies a PKCS#11 Uniform Resource Identifier (URI)
Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, and Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, and
also for identifying PKCS#11 tokens, slots or libraries. The URI is also for identifying PKCS#11 tokens, slots or libraries. The URI is
based on how PKCS#11 objects, tokens, slots, and libraries are based on how PKCS#11 objects, tokens, slots, and libraries are
identified in the PKCS#11 Cryptographic Token Interface Standard. identified in the PKCS#11 Cryptographic Token Interface Standard.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 19, 2015. This Internet-Draft will expire on August 17, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 3
3. PKCS#11 URI Scheme Definition . . . . . . . . . . . . . . . . 4 3. PKCS#11 URI Scheme Definition . . . . . . . . . . . . . . . . 4
3.1. PKCS#11 URI Scheme Name . . . . . . . . . . . . . . . . . 4 3.1. PKCS#11 URI Scheme Name . . . . . . . . . . . . . . . . . 4
3.2. PKCS#11 URI Scheme Status . . . . . . . . . . . . . . . . 4 3.2. PKCS#11 URI Scheme Status . . . . . . . . . . . . . . . . 4
3.3. PKCS#11 URI Scheme Syntax . . . . . . . . . . . . . . . . 4 3.3. PKCS#11 URI Scheme Syntax . . . . . . . . . . . . . . . . 4
3.4. PKCS#11 URI Scheme Query Attribute Semantics . . . . . . 9 3.4. PKCS#11 URI Scheme Query Attribute Semantics . . . . . . 9
3.5. PKCS#11 URI Matching Guidelines . . . . . . . . . . . . . 10 3.5. PKCS#11 URI Matching Guidelines . . . . . . . . . . . . . 11
3.6. PKCS#11 URI Comparison . . . . . . . . . . . . . . . . . 12 3.6. PKCS#11 URI Comparison . . . . . . . . . . . . . . . . . 12
3.7. Generating PKCS#11 URIs . . . . . . . . . . . . . . . . . 13 3.7. Generating PKCS#11 URIs . . . . . . . . . . . . . . . . . 13
4. Examples of PKCS#11 URIs . . . . . . . . . . . . . . . . . . 13 4. Examples of PKCS#11 URIs . . . . . . . . . . . . . . . . . . 14
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
5.1. URI Scheme Registration . . . . . . . . . . . . . . . . . 16 5.1. URI Scheme Registration . . . . . . . . . . . . . . . . . 17
6. Internationalization Considerations . . . . . . . . . . . . . 17 6. Internationalization Considerations . . . . . . . . . . . . . 17
7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative References . . . . . . . . . . . . . . . . . . 18 8.1. Normative References . . . . . . . . . . . . . . . . . . 19
8.2. Informative References . . . . . . . . . . . . . . . . . 18 8.2. Informative References . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
The PKCS #11: Cryptographic Token Interface Standard [PKCS11] The PKCS #11: Cryptographic Token Interface Standard [PKCS11]
specifies an API, called Cryptoki, for devices which hold specifies an API, called Cryptoki, for devices which hold
cryptographic information and perform cryptographic functions. cryptographic information and perform cryptographic functions.
Cryptoki, pronounced crypto-key and short for cryptographic token Cryptoki, pronounced crypto-key and short for cryptographic token
interface, follows a simple object-based approach, addressing the interface, follows a simple object-based approach, addressing the
goals of technology independence (any kind of device may be used) and goals of technology independence (any kind of device may be used) and
skipping to change at page 3, line 48 skipping to change at page 3, line 48
PKCS#11 API the query component module attributes can be used. PKCS#11 API the query component module attributes can be used.
However, the PKCS#11 URI consumer can always decide to provide its However, the PKCS#11 URI consumer can always decide to provide its
own adequate user interface to locate and load PKCS#11 API producers. own adequate user interface to locate and load PKCS#11 API producers.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Contributors 2. Contributors
Stef Walter, Nikos Mavrogiannopoulos, Nico Williams, Dan Winship, and Stef Walter, Nikos Mavrogiannopoulos, Nico Williams, Dan Winship,
Jaroslav Imrich contributed to the development of this document. Jaroslav Imrich, and Mark Phalan contributed to the development of
this document.
3. PKCS#11 URI Scheme Definition 3. PKCS#11 URI Scheme Definition
In accordance with [RFC4395], this section provides the information In accordance with [RFC4395], this section provides the information
required to register the PKCS#11 URI scheme. required to register the PKCS#11 URI scheme.
3.1. PKCS#11 URI Scheme Name 3.1. PKCS#11 URI Scheme Name
pkcs11 pkcs11
3.2. PKCS#11 URI Scheme Status 3.2. PKCS#11 URI Scheme Status
Permanent. Permanent.
3.3. PKCS#11 URI Scheme Syntax 3.3. PKCS#11 URI Scheme Syntax
The PKCS#11 URI is a sequence of attribute value pairs separated by a The PKCS#11 URI is a sequence of attribute value pairs separated by a
semicolon that form a one level path component, optionally followed semicolon that form a one level path component, optionally followed
by a query. In accordance with Section 2.5 of [RFC3986], the data by a query. Except for the value of the "id" attribute defined later
SHOULD first be encoded as octets according to the UTF-8 character in this section, these attribute value pairs and query components are
encoding [RFC3629]; then only those octets that do not correspond to composed entirely of textual data and therefore SHOULD all first be
characters in the unreserved set or to permitted characters from the encoded as octets according to the UTF-8 character encoding
reserved set should be percent-encoded. This specification suggests [RFC3629], in accordance with Section 2.5 of [RFC3986]; then only
one allowable exception to that rule for the "id" attribute, as those octets that do not correspond to characters in the unreserved
stated later in this section. Note that if a URI does carry set or to permitted characters from the reserved set SHOULD be
characters outside of the US-ASCII character set a conversion to an percent-encoded. Note that the value of the "id" attribute SHOULD
Internationalized Resource Identifier (IRI) defined in [RFC3987] may NOT be encoded as UTF-8 because it can contain non-textual data,
be considered. When working with UTF-8 strings with characters instead it SHOULD be entirely percent-encoded. See important caveats
outside the US-ASCII character sets, see important caveats in in Section 3.5 and Section 6 regarding working with UTF-8 strings
Section 3.5 and Section 6. containing characters outside the US-ASCII character set.
Grammar rules "unreserved" and "pct-encoded" in the PKCS#11 URI Grammar rules "unreserved" and "pct-encoded" in the PKCS#11 URI
specification below are imported from [RFC3986]. As a special case, specification below are imported from [RFC3986]. As a special case,
note that according to Appendix A of [RFC3986], a space must be note that according to Appendix A of [RFC3986], a space must be
percent-encoded. percent-encoded.
The PKCS#11 specification imposes various limitations on the value of The PKCS#11 specification imposes various limitations on the value of
attributes, be it a more restrictive character set for the "serial" attributes, be it a more restrictive character set for the "serial"
attribute or fixed sized buffers for almost all the others, including attribute or fixed sized buffers for almost all the others, including
"token", "manufacturer", and "model" attributes. However, the "token", "manufacturer", and "model" attributes. The syntax of the
PKCS#11 URI notation does not impose such limitations aside from PKCS#11 URI does not impose such limitations. However, if the
removing generic and PKCS#11 URI delimiters from a permitted consumer of a PKCS#11 URI encounters values that would not be
character set. We believe that being too restrictive on the accepted by the PKCS#11 specification, it MUST refuse the URI as
attribute values could limit the PKCS#11 URI usefulness. What is invalid.
more, possible future changes to the PKCS#11 specification should not
affect existing attributes.
A PKCS#11 URI takes the form (for explanation of Augmented BNF, see A PKCS#11 URI takes the form (for explanation of Augmented BNF, see
[RFC5234]): [RFC5234]):
pk11-URI = "pkcs11:" pk11-path [ "?" pk11-query ] pk11-URI = "pkcs11:" pk11-path [ "?" pk11-query ]
; Path component and its attributes. Path may be empty. ; Path component and its attributes. Path may be empty.
pk11-path = [ pk11-pattr *(";" pk11-pattr) ] pk11-path = [ pk11-pattr *(";" pk11-pattr) ]
pk11-pattr = pk11-token / pk11-manuf / pk11-serial / pk11-pattr = pk11-token / pk11-manuf / pk11-serial /
pk11-model / pk11-lib-manuf / pk11-model / pk11-lib-manuf /
pk11-lib-ver / pk11-lib-desc / pk11-lib-ver / pk11-lib-desc /
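Review bot: the new requirement at the end of the limitations paragraph ("if the consumer of a PKCS#11 URI encounters values that would not be accepted by the PKCS#11 specification, it MUST refuse the URI as invalid") should say which representation the check applies to. The fixed-size buffers named just above it ("token", "manufacturer", "model") bound the decoded octet length, so a consumer has to percent-decode before comparing against those limits; a length check on the encoded form would pass an over-long value whose escapes are short, and reject a value that is within the limit once decoded. Spelling this out also keeps the new MUST consistent with the "id" rule in the same section, whose value is arbitrary binary data and is not subject to a character-set restriction. Separately, the removed sentence about conversion to an IRI was the only mention of [RFC3987] in this region; check that the reference is still cited somewhere or drop it from Section 8.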
skipping to change at page 6, line 7 skipping to change at page 6, line 7
pk11-module-name = "module-name" "=" *pk11-qchar pk11-module-name = "module-name" "=" *pk11-qchar
pk11-module-path = "module-path" "=" *pk11-qchar pk11-module-path = "module-path" "=" *pk11-qchar
pk11-v-attr-nm-char = ALPHA / DIGIT / "-" / "_" pk11-v-attr-nm-char = ALPHA / DIGIT / "-" / "_"
; Permitted value of a vendor specific attribute is based on ; Permitted value of a vendor specific attribute is based on
; whether the attribute is used in the path or in the query. ; whether the attribute is used in the path or in the query.
pk11-v-pattr = 1*pk11-v-attr-nm-char "=" *pk11-pchar pk11-v-pattr = 1*pk11-v-attr-nm-char "=" *pk11-pchar
pk11-v-qattr = 1*pk11-v-attr-nm-char "=" *pk11-qchar pk11-v-qattr = 1*pk11-v-attr-nm-char "=" *pk11-qchar
The URI path component contains attributes that identify a resource The URI path component contains attributes that identify a resource
in a one level hierarchy provided by Cryptoki producers. The query in a one level hierarchy provided by Cryptoki producers. The query
component can contain a few attributes that may be needed to retrieve component can contain a few attributes that may be needed to retrieve
the resource identified by the URI path. Attributes in the path the resource identified by the URI path component. Attributes in the
component are delimited by ';' character, attributes in the query path component are delimited by ';' character, attributes in the
component use '&' as a delimiter. query component use '&' as a delimiter.
Both path and query components may contain vendor specific Both path and query components MAY contain vendor specific
attributes. Such attribute names MUST NOT clash with existing attributes. Such attribute names MUST NOT clash with existing
attribute names. Note that in accordance with [BCP178], previously attribute names. Note that in accordance with [BCP178], previously
used convention of starting vendor attributes with an "x-" prefix is used convention of starting vendor attributes with an "x-" prefix is
now depricated. now deprecated.
The general '/' delimiter MUST be percent-encoded in the path The general '/' delimiter MUST be percent-encoded in the path
component so that generic URI parsers never split the path component component so that generic URI parsers never split the path component
into multiple segments. It MAY be unencoded in the query component. into multiple segments. It MAY be unencoded in the query component.
Delimiter '?' MUST be percent-encoded in the path component since Delimiter '?' MUST be percent-encoded in the path component since
the PKCS#11 URI uses a query component. Delimiter '#' MUST be always the PKCS#11 URI uses a query component. Delimiter '#' MUST be always
percent-encoded so that generic URI parsers do not treat a hash as a percent-encoded so that generic URI parsers do not treat a hash as a
beginning of a fragment identifier component. All other generic beginning of a fragment identifier component. All other generic
delimiters MAY be used unencoded (':', '[', ']', and '@') in the delimiters MAY be used unencoded (':', '[', ']', and '@') in the
PKCS#11 URI. PKCS#11 URI.
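Review bot: "MUST be always percent-encoded" (the '#' delimiter rule) reads better as "MUST always be percent-encoded"; the surrounding sentences use the same MUST/MAY form, so only the word order needs changing. The vendor-attribute paragraph now says names MUST NOT clash with existing attribute names but gives the consumer no rule for a vendor attribute it does not recognise; a cross-reference to the matching guidelines in Section 3.5, which cover unrecognized path component attributes, would close that gap.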
skipping to change at page 6, line 48 skipping to change at page 6, line 48
| | | PKCS#11 | | | | PKCS#11 |
| | | specification to | | | | specification to |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| | | | | | | |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| id | key identifier for | "CKA_ID" object | | id | key identifier for | "CKA_ID" object |
| | object | attribute | | | object | attribute |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| library-description | character-string | "libraryDescription" | | library-description | character-string | "libraryDescription" |
| | description of the | member of CK_INFO | | | description of the | member of CK_INFO |
| | library | structure. It is an | | | library | structure. It is a |
| | | UTF-8 string. | | | | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| library-manufacturer | ID of the Cryptoki | "manufacturerID" | | library-manufacturer | ID of the Cryptoki | "manufacturerID" |
| | library | member of the | | | library | member of the |
| | manufacturer | CK_INFO structure. | | | manufacturer | CK_INFO structure. |
| | | It is an UTF-8 | | | | It is a UTF-8 |
| | | string. | | | | string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| library-version | Cryptoki library | "libraryVersion" | | library-version | Cryptoki library | "libraryVersion" |
| | version number | member of CK_INFO | | | version number | member of CK_INFO |
| | | structure | | | | structure |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| manufacturer | ID of the token | "manufacturerID" | | manufacturer | ID of the token | "manufacturerID" |
| | manufacturer | member of | | | manufacturer | member of |
| | | CK_TOKEN_INFO | | | | CK_TOKEN_INFO |
| | | structure. It is an | | | | structure. It is a |
| | | UTF-8 string. | | | | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| model | token model | "model" member of | | model | token model | "model" member of |
| | | CK_TOKEN_INFO | | | | CK_TOKEN_INFO |
| | | structure. It is an | | | | structure. It is a |
| | | UTF-8 string. | | | | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| object | description (name) | "CKA_LABEL" object | | object | description (name) | "CKA_LABEL" object |
| | of the object | attribute. It is an | | | of the object | attribute. It is a |
| | | UTF-8 string. | | | | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| serial | character-string | "serialNumber" | | serial | character-string | "serialNumber" |
| | serial number of | member of | | | serial number of | member of |
| | the token | CK_TOKEN_INFO | | | the token | CK_TOKEN_INFO |
| | | structure | | | | structure |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| slot-description | slot description | "slotDescription" | | slot-description | slot description | "slotDescription" |
| | | member of | | | | member of |
| | | CK_SLOT_INFO | | | | CK_SLOT_INFO |
| | | structure. It is an | | | | structure. It is a |
| | | UTF-8 string. | | | | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| slot-id | Cryptoki-assigned | decimal number of | | slot-id | Cryptoki-assigned | decimal number of |
| | value that | "CK_SLOT_ID" type | | | value that | "CK_SLOT_ID" type |
| | identifies a slot | | | | identifies a slot | |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| slot-manufacturer | ID of the slot | "manufacturerID" | | slot-manufacturer | ID of the slot | "manufacturerID" |
| | manufacturer | member of | | | manufacturer | member of |
| | | CK_SLOT_INFO | | | | CK_SLOT_INFO |
| | | structure. It is an | | | | structure. It is a |
| | | UTF-8 string. | | | | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| token | application-defined | "label" member of | | token | application-defined | "label" member of |
| | label, assigned | the CK_TOKEN_INFO | | | label, assigned | the CK_TOKEN_INFO |
| | during token | structure. It is an | | | during token | structure. It is a |
| | initialization | UTF-8 string. | | | initialization | UTF-8 string. |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
| type | object class (type) | "CKA_CLASS" object | | type | object class (type) | "CKA_CLASS" object |
| | | attribute | | | | attribute |
+----------------------+---------------------+----------------------+ +----------------------+---------------------+----------------------+
Table 1: Mapping between URI path component attributes and PKCS#11 Table 1: Mapping between URI path component attributes and PKCS#11
specification names specification names
The following table presents mapping between the "type" attribute
values and corresponding PKCS#11 object classes.
+-----------------+----------------------+
| Attribute value | PKCS#11 object class |
+-----------------+----------------------+
| cert | CKO_CERTIFICATE |
| data | CKO_DATA |
| private | CKO_PRIVATE_KEY |
| public | CKO_PUBLIC_KEY |
| secret-key | CKO_SECRET_KEY |
+-----------------+----------------------+
Table 2: Mapping between the "type" attribute and PKCS#11 object
classes
The query component attribute "pin-source" specifies where the The query component attribute "pin-source" specifies where the
application or library should find the normal user's token PIN, the application or library should find the normal user's token PIN, the
"pin-value" attribute provides the normal user's PIN value directly, "pin-value" attribute provides the normal user's PIN value directly,
if needed, and the "module-name" and "module-path" attributes modify if needed, and the "module-name" and "module-path" attributes modify
default settings for accessing PKCS#11 providers. For the definition default settings for accessing PKCS#11 providers. For the definition
of a "normal user", see [PKCS11]. of a "normal user", see [PKCS11].
The ABNF rules above is a best effort definition and this paragraph The ABNF rules above is a best effort definition and this paragraph
specifies additional constraints. The PKCS#11 URI MUST NOT contain specifies additional constraints. The PKCS#11 URI MUST NOT contain
duplicate attributes of the same name in the URI path component. It duplicate attributes of the same name in the URI path component. It
means that each attribute may be present at most once in the PKCS#11 means that each attribute may be present at most once in the PKCS#11
URI path. Aside from the query attributes defined in this document, URI path component. Aside from the query attributes defined in this
duplicate (vendor) attributes MAY be present in the URI query document, duplicate (vendor) attributes MAY be present in the URI
component and it is up to the URI consumer to decide on how to deal query component and it is up to the URI consumer to decide on how to
with such duplicates. deal with such duplicates.
The whole value of the "id" attribute SHOULD be percent-encoded since As stated earlier in this section, the value of the "id" attribute
it is supposed to be handled as arbitrary binary data. can contain non-textual data. This is because the corresponding
PKCS#11 "CKA_ID" object attribute can contain arbitrary binary data.
Therefore, the whole value of the "id" attribute SHOULD be percent-
encoded.
The "library-version" attribute represents the major and minor The "library-version" attribute represents the major and minor
version number of the library and its format is "M.N". Both numbers version number of the library and its format is "M.N". Both numbers
are one byte in size, see the "libraryVersion" member of the CK_INFO are one byte in size, see the "libraryVersion" member of the CK_INFO
structure in [PKCS11] for more information. Value "M" for the structure in [PKCS11] for more information. Value "M" for the
attribute MUST be interpreted as "M" for the major and "0" for the attribute MUST be interpreted as "M" for the major and "0" for the
minor version of the library. If the attribute is present the major minor version of the library. If the attribute is present the major
version number is REQUIRED. Both "M" and "N" MUST be decimal version number is REQUIRED. Both "M" and "N" MUST be decimal
numbers. numbers.
Slot ID is a Cryptoki-assigned number that is not guaranteed stable Slot ID is a Cryptoki-assigned number that is not guaranteed stable
across PKCS#11 module initializations. However, there are certain across PKCS#11 module initializations. However, there are certain
libraries and modules which provide stable slot identifiers. For libraries and modules which provide stable slot identifiers. For
these cases, when the slot description and manufacturer ID is not these cases, when the slot description and manufacturer ID is not
sufficient to uniquely identify a specific reader, the slot ID MAY be sufficient to uniquely identify a specific reader, the slot ID MAY be
used to increase the precision of the token identification. In other used to increase the precision of the token identification. In other
scenarios, using the slot IDs is likely to cause usability issues. scenarios, using the slot IDs is likely to cause usability issues.
An empty PKCS#11 URI path attribute that does allow for an empty An empty PKCS#11 URI path component attribute that does allow for an
value matches a corresponding structure member or an object attribute empty value matches a corresponding structure member or an object
with an empty value. Note that according to the PKCS#11 attribute with an empty value. Note that according to the PKCS#11
specification [PKCS11], empty character values in a PKCS#11 API specification [PKCS11], empty character values in a PKCS#11 API
producer must be padded with spaces and should not be NULL producer must be padded with spaces and should not be NULL
terminated. terminated.
3.4. PKCS#11 URI Scheme Query Attribute Semantics 3.4. PKCS#11 URI Scheme Query Attribute Semantics
An application MAY always ask for a PIN by any means it decides to. An application can always ask for a PIN by any means it decides to.
What is more, in order not to limit PKCS#11 URI portability the "pin- What is more, in order not to limit PKCS#11 URI portability the "pin-
source" attribute value format and interpretation is left to be source" attribute value format and interpretation is left to be
implementation specific. However, the following rules SHOULD be implementation specific. However, the following rules SHOULD be
followed in descending order for the value of the "pin-source" followed in descending order for the value of the "pin-source"
attribute: attribute:
o if the value represents a local absolute path the implementation o if the value represents a URI it SHOULD be treated as an object
SHOULD use it as a PIN file containing the PIN value containing the PIN. Such a URI may be "file:", "https:", another
PKCS#11 URI, or something else.
o if the value contains "|<absolute-command-path>" the o if the value contains "|<absolute-command-path>" the
implementation SHOULD read the PIN from the output of an implementation SHOULD read the PIN from the output of an
application specified with absolute path "<absolute-command- application specified with absolute path "<absolute-command-
path>". Note that character "|" representing a pipe does not have path>". Note that character "|" representing a pipe does not have
to be percent encoded in the query component of the PKCS#11 URI. to be percent encoded in the query component of the PKCS#11 URI.
o if the value represents a URI it SHOULD be treated as an object
containing the PIN. Such a URI may be "file:", "https:", another
PKCS#11 URI, or something else.
o interpret the value as needed in an implementation dependent way o interpret the value as needed in an implementation dependent way
If a URI contains both "pin-source" and "pin-value" query attributes If a URI contains both "pin-source" and "pin-value" query attributes
the URI SHOULD be refused as invalid. the URI SHOULD be refused as invalid.
Use of the "pin-value" attribute may have security related Use of the "pin-value" attribute may have security related
consequences. Section 7 should be consulted before this attribute is consequences. Section 7 should be consulted before this attribute is
ever used. Standard percent encoding rules SHOULD be followed for ever used. Standard percent encoding rules SHOULD be followed for
the attribute value. the attribute value.
A consumer of PKCS#11 URIs MAY modify default settings for accessing A consumer of PKCS#11 URIs MAY accept query component attributes
a PKCS#11 provider or providers by accepting query component "module-name" and "module-path" in order to modify default settings
attributes "module-name" and "module-path"." for accessing a PKCS#11 provider or providers.
Processing the URI query module attributes SHOULD follow these rules: Processing the URI query module attributes SHOULD follow these rules:
o attribute "module-name" SHOULD contain a case-insensitive PKCS#11 o attribute "module-name" SHOULD contain a case-insensitive PKCS#11
module name (not path nor filename) without system specific module name (not path nor filename) without system specific
affixes. Such affix could be an ".so" or ".DLL" suffix, or a affixes. Such affix could be an ".so" or ".DLL" suffix, or a
"lib" prefix, for example. Not using system specific affixes is "lib" prefix, for example. Not using system specific affixes is
expected to increase portability of PKCS#11 URIs among different expected to increase portability of PKCS#11 URIs among different
systems. A URI consumer searching for PKCS#11 modules SHOULD use systems. A URI consumer searching for PKCS#11 modules SHOULD use
a system or application specific locations to find modules based a system or application specific locations to find modules based
on the name provided in the attribute. on the name provided in the attribute.
o attribute "module-path" SHOULD contain a system specific absolute o attribute "module-path" SHOULD contain a system specific absolute
path to the PKCS#11 module, or a system specific absolute path to path to the PKCS#11 module, or a system specific absolute path to
the directory of where PKCS#11 modules are located. For security the directory of where PKCS#11 modules are located. For security
reasons, a URI with a relative path in this attribute SHOULD be reasons, a URI with a relative path in this attribute SHOULD be
rejected. rejected.
o the URI consumer MAY refuse to accept either of the attributes, or o the URI consumer MAY refuse to accept either of the attributes, or
both. If use of an attribute present in the URI string is not both. If use of the attribute present in the URI string is not
accepted a warning message SHOULD be presented to the provider of accepted a warning message SHOULD be presented to the provider of
the URI. the URI and system specific module locations SHOULD be used.
o if either of the module attributes is present, only those modules o if either of the module attributes is present, only those modules
found matching these query attributes SHOULD be used to search for found matching these query attributes SHOULD be used to search for
an entity represented by the URI. an entity represented by the URI.
o use of the module attributes does not suppress matching of any o use of the module attributes does not suppress matching of any
other URI path component attributes present in a URI. other URI path component attributes present in a URI.
o semantics of using both attributes in the same URI string is o semantics of using both attributes in the same URI string is
implementation specific but such use SHOULD be avoided. Attribute implementation specific but such use SHOULD be avoided. Attribute
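Review bot: the sentence added to the third bullet ("and system specific module locations SHOULD be used") turns a rejected "module-name" or "module-path" attribute into a silent fallback to a system-wide module search, so a URI written to pin one specific library can end up matched against whatever module the system finds. The previous bullet already requires rejecting a relative "module-path" for security reasons; it is worth stating explicitly that after rejection the URI is processed as if no module attribute were present, that the warning is still emitted, and that a consumer configured to require the attribute may instead fail the lookup. Minor: "a system or application specific locations" in the first bullet should drop the article.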
skipping to change at page 11, line 9 skipping to change at page 11, line 26
different types of entities the context within which the URI is used different types of entities the context within which the URI is used
may be needed to determine the type. For example, a URI with only may be needed to determine the type. For example, a URI with only
library attributes may either represent all objects in all tokens in library attributes may either represent all objects in all tokens in
all Cryptoki libraries identified by the URI, all tokens in those all Cryptoki libraries identified by the URI, all tokens in those
libraries, or just the libraries. libraries, or just the libraries.
The following guidelines can help a PKCS#11 URI consumer (eg. an The following guidelines can help a PKCS#11 URI consumer (eg. an
application accepting PKCS#11 URIs) to match the URI with the desired application accepting PKCS#11 URIs) to match the URI with the desired
resource. resource.
o the consumer MUST know whether the URI is to identify PKCS#11 o the consumer needs to know whether the URI is to identify PKCS#11
storage object(s), token(s), slot(s), or Cryptoki producer(s). storage object(s), token(s), slot(s), or Cryptoki producer(s).
o if the consumer is willing to accept query component module o if the consumer is willing to accept query component module
attributes only those PKCS#11 providers matching these attributes attributes only those PKCS#11 providers matching these attributes
SHOULD be worked with. See Section 3.4 for more information. SHOULD be worked with. See Section 3.4 for more information.
o an unrecognized attribute in the URI path component, including a o an unrecognized attribute in the URI path component, including a
vendor specific attribute, SHOULD result in an empty set of vendor specific attribute, SHOULD result in an empty set of
matched resources. The consumer SHOULD consider whether an error matched resources. The consumer can consider whether an error
message presented to the user is appropriate in such a case. message presented to the user is appropriate in such a case.
o an unrecognized attribute in the URI query SHOULD be ignored. The o an unrecognized attribute in the URI query SHOULD be ignored. The
consumer SHOULD consider whether a warning message presented to consumer can consider whether a warning message presented to the
the user is appropriate in such a case. user is appropriate in such a case.
o an attribute not present in the URI path but known to a consumer o an attribute not present in the URI path component but known to a
matches everything. Each additional attribute present in the URI consumer matches everything. Each additional attribute present in
path further restricts the selection. the URI path component further restricts the selection.
o a logical extension of the above is that an empty URI path matches o a logical extension of the above is that a URI with an empty path
everything. For example, if used to identify storage objects it component matches everything. For example, if used to identify
matches all accessible objects in all tokens provided by all storage objects it matches all accessible objects in all tokens
PKCS#11 API producers found in the system. provided by all relevant PKCS#11 API producers.
o note that use of PIN attributes may change the set of storage o note that use of PIN attributes may change the set of storage
objects visible to the consumer. objects visible to the consumer.
o in addition to query component attributes defined in this o in addition to query component attributes defined in this
document, vendor specific query attributes may contain further document, vendor specific query attributes may contain further
information about how to perform the selection or other related information about how to perform the selection or other related
information. information.
As noted in Section 6, the PKCS#11 specification is not clear about As noted in Section 6, the PKCS#11 specification is not clear about
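Review bot: "all relevant PKCS#11 API producers" in the empty-path bullet replaces the concrete "found in the system" with an undefined term; if "relevant" means the set left after applying the query-component module attributes (second bullet of this list, Section 3.4), say so, otherwise the empty-path case is ambiguous exactly where it matters most, since an empty path component already matches every accessible object. Also, "eg." in the paragraph introducing the list should read "e.g.".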
skipping to change at page 13, line 9 skipping to change at page 13, line 24
[RFC3986]. The value MUST be split into a major and minor version [RFC3986]. The value MUST be split into a major and minor version
with character '.' (dot) serving as a delimiter. Library version with character '.' (dot) serving as a delimiter. Library version
"M" MUST be treated as "M" for the major version and "0" for the "M" MUST be treated as "M" for the major version and "0" for the
minor version. Resulting minor and major version numbers MUST be minor version. Resulting minor and major version numbers MUST be
then separately compared numerically. then separately compared numerically.
o value of attribute "slot-id" MUST be processed as a specific o value of attribute "slot-id" MUST be processed as a specific
scheme-based normalization permitted by Section 6.2.3 of [RFC3986] scheme-based normalization permitted by Section 6.2.3 of [RFC3986]
and compared numerically. and compared numerically.
o value of "pin-source", if deemed containing the filename with the o value of "pin-source", if containing a "file:" URI or "|<absolute-
PIN value, MUST be compared using the simple string comparison command-path>", MUST be compared using the simple string
after the full syntax based normalization as specified in comparison after the full syntax based normalization as specified
Section 6.2.2 of [RFC3986] is applied. If value of the "pin- in Section 6.2.2 of [RFC3986] is applied. If value of the "pin-
source" attribute is believed to be overloaded the case and source" attribute is believed to be overloaded the case and
percent-encoding normalization SHOULD be applied before the values percent-encoding normalization SHOULD be applied before the values
are compared but the exact mechanism of comparison is left to the are compared but the exact mechanism of comparison is left to the
application. application.
o value of attribute "module-path" MUST be compared using the simple o value of attribute "module-path" MUST be compared using the simple
string comparison after the full syntax based normalization as string comparison after the full syntax based normalization as
specified in Section 6.2.2 of [RFC3986] is applied. specified in Section 6.2.2 of [RFC3986] is applied.
o when comparing vendor specific attributes the case and percent- o when comparing vendor specific attributes the case and percent-
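Review bot: the reworded "pin-source" bullet applies "full syntax based normalization as specified in Section 6.2.2 of [RFC3986]" to both the "file:" URI form and the "|<absolute-command-path>" form, but a value beginning with '|' is not a URI, so the case, percent-encoding and path-segment normalization of 6.2.2 is not defined for it. Suggest splitting the rule: normalize-then-compare for "file:" values, plain string comparison (at most after percent-encoding normalization) for the '|' command form. Because the '|' form names a command rather than a file holding the PIN, the rule also deserves a pointer from Section 7 making clear that two URIs comparing equal on this attribute says nothing about whether the named command should be trusted.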
skipping to change at page 14, line 18 skipping to change at page 14, line 33
public objects, a token PIN may not be required. public objects, a token PIN may not be required.
pkcs11:object=my-pubkey;type=public pkcs11:object=my-pubkey;type=public
When a private key is specified either the "pin-source" attribute, When a private key is specified either the "pin-source" attribute,
"pin-value, or an application specific method would be usually used. "pin-value, or an application specific method would be usually used.
Note that '/' is not percent-encoded in the "pin-source" attribute Note that '/' is not percent-encoded in the "pin-source" attribute
value since this attribute is part of the query component, not the value since this attribute is part of the query component, not the
path, and thus is separated by '?' from the rest of the URI. path, and thus is separated by '?' from the rest of the URI.
pkcs11:object=my-key;type=private?pin-source=/etc/token pkcs11:object=my-key;type=private?pin-source=file:/etc/token
The following example identifies a certificate in the software token. The following example identifies a certificate in the software token.
Note an empty value for the attribute "serial" which matches only Note an empty value for the attribute "serial" which matches only
empty "serialNumber" member of the "CK_TOKEN_INFO" structure. Also empty "serialNumber" member of the "CK_TOKEN_INFO" structure. Also
note that the "id" attribute value is entirely percent-encoded, as note that the "id" attribute value is entirely percent-encoded, as
recommended. While ',' is in the reserved set it does not have to be recommended. While ',' is in the reserved set it does not have to be
percent-encoded since it does not conflict with any sub-delimiters percent-encoded since it does not conflict with any sub-delimiters
used. The '#' character as in "The Software PKCS#11 Softtoken" MUST used. The '#' character as in "The Software PKCS#11 Softtoken" MUST
be percent-encoded. be percent-encoded.
pkcs11:token=The%20Software%20PKCS%2311%20Softtoken; pkcs11:token=The%20Software%20PKCS%2311%20Softtoken;
manufacturer=Snake%20Oil,%20Inc.; manufacturer=Snake%20Oil,%20Inc.;
model=1.0; model=1.0;
object=my-certificate; object=my-certificate;
type=cert; type=cert;
id=%69%95%3E%5C%F4%BD%EC%91; id=%69%95%3E%5C%F4%BD%EC%91;
serial= serial=
?pin-source=/etc/token_pin ?pin-source=file:/etc/token_pin
The next example covers how to use the "module-name" query attribute. The next example covers how to use the "module-name" query attribute.
Considering that the module is located in /usr/lib/libmypkcs11.so.1 Considering that the module is located in /usr/lib/libmypkcs11.so.1
file, the attribute value is "mypkcs11", meaning only the module name file, the attribute value is "mypkcs11", meaning only the module name
without the full path, and without the platform specific "lib" prefix without the full path, and without the platform specific "lib" prefix
and ".so.1" suffix. and ".so.1" suffix.
pkcs11:object=my-sign-key; pkcs11:object=my-sign-key;
type=private type=private
?module-name=mypkcs11 ?module-name=mypkcs11
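Review bot: the examples now use "pin-source=file:/etc/token", but the explanatory paragraph before them only justifies the unencoded '/' ("is not percent-encoded ... since this attribute is part of the query component"); with the "file:" form the value also carries an unencoded ':', which is equally permitted in the query component and should be mentioned in the same sentence so readers do not percent-encode it. Also, the quoted "pin-value, in that paragraph is missing its closing quotation mark.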
skipping to change at page 16, line 31 skipping to change at page 16, line 47
type=cert type=cert
Both the path and query components MAY contain vendor specific Both the path and query components MAY contain vendor specific
attributes. Attributes in the query component MUST be delimited by attributes. Attributes in the query component MUST be delimited by
'&'. '&'.
pkcs11:token=my-token; pkcs11:token=my-token;
object=my-certificate; object=my-certificate;
type=cert; type=cert;
vendor-aaa=value-a vendor-aaa=value-a
?pin-source=/etc/token_pin ?pin-source=file:/etc/token_pin
&vendor-bbb=value-b &vendor-bbb=value-b
5. IANA Considerations 5. IANA Considerations
5.1. URI Scheme Registration 5.1. URI Scheme Registration
This document moves the "pkcs11" URI scheme from the provisional to This document moves the "pkcs11" URI scheme from the provisional to
permanent URI scheme registry. The registration request complies permanent URI scheme registry. The registration request complies
with [RFC4395]. with [RFC4395].
skipping to change at page 17, line 40 skipping to change at page 18, line 11
applications that create PKCS#11 objects or label tokens do not use applications that create PKCS#11 objects or label tokens do not use
characters outside the US-ASCII character set for the labels. If characters outside the US-ASCII character set for the labels. If
that is not possible, labels SHOULD be normalized to Normalization that is not possible, labels SHOULD be normalized to Normalization
Form C (NFC) [UAX15]. For the same reason PKCS#11 libraries, slots Form C (NFC) [UAX15]. For the same reason PKCS#11 libraries, slots
(token readers), and tokens SHOULD use US-ASCII characters only for (token readers), and tokens SHOULD use US-ASCII characters only for
their names and if that is not possible, they SHOULD normalize their their names and if that is not possible, they SHOULD normalize their
names to NFC. When listing PKCS#11 libraries, slots, tokens, and/or names to NFC. When listing PKCS#11 libraries, slots, tokens, and/or
objects, an application SHOULD normalize their names to NFC if objects, an application SHOULD normalize their names to NFC if
characters outside of the US-ASCII character set are expected. When characters outside of the US-ASCII character set are expected. When
matching PKCS#11 URIs to libraries, slots, tokens, and/or objects, matching PKCS#11 URIs to libraries, slots, tokens, and/or objects,
applications MAY use form-insensitive Unicode string comparison for applications MAY convert names to a chosen normalization form before
matching, as those might pre-date these recommendations. See also the string comparison for matching, as those might pre-date these
Section 3.5. recommendations. See also Section 3.5.
7. Security Considerations 7. Security Considerations
There are general security considerations for URI schemes discussed There are general security considerations for URI schemes discussed
in Section 7 of [RFC3986]. in Section 7 of [RFC3986].
From those security considerations, Section 7.1 of [RFC3986] applies From those security considerations, Section 7.1 of [RFC3986] applies
since there is no guarantee that the same PKCS#11 URI will always since there is no guarantee that the same PKCS#11 URI will always
identify the same object, token, slot, or a library in the future. identify the same object, token, slot, or a library in the future.
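Review bot: "MAY convert names to a chosen normalization form before the string comparison" leaves the form open, while the earlier sentences of the same paragraph recommend NFC for labels and for library, slot and token names; unless a different form is intended for pre-existing names, naming NFC here keeps the matching rule consistent with the storage rule and avoids two consumers normalizing the same URI differently. The trailing "as those might pre-date these recommendations" should make clear that it is the stored names, not the applications, that may pre-date the recommendations.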
skipping to change at page 19, line 5 skipping to change at page 19, line 28
8.2. Informative References 8.2. Informative References
[BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham,
"Deprecating the "X-" Prefix and Similar Constructs in "Deprecating the "X-" Prefix and Similar Constructs in
Application Protocols", RFC 6648, BCP 178, June 2012. Application Protocols", RFC 6648, BCP 178, June 2012.
[PKCS11] RSA Laboratories, "PKCS #11: Cryptographic Token Interface [PKCS11] RSA Laboratories, "PKCS #11: Cryptographic Token Interface
Standard v2.20", June 2004. Standard v2.20", June 2004.
[RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
Identifiers (IRIs)", RFC 3987, January 2005.
[RFC4395] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and [RFC4395] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
Registration Procedures for New URI Schemes", RFC 4395, Registration Procedures for New URI Schemes", RFC 4395,
February 2006. February 2006.
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570, March 2012. and D. Orchard, "URI Template", RFC 6570, March 2012.
[UAX15] Davis, M., Ed., Whistler, K., Ed., and Unicode Consortium, [UAX15] Davis, M., Ed., Whistler, K., Ed., and Unicode Consortium,
"Unicode Standard Annex #15 - Unicode Normalization Forms, "Unicode Standard Annex #15 - Unicode Normalization Forms,
Version Unicode 7.0.0", June 2014. Version Unicode 7.0.0", June 2014.
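Review bot: the [RFC3987] entry is dropped from the Informative References; confirm that no "[RFC3987]" citation remains in the body (the Unicode normalization text that precedes Section 7 is the likely place), since an orphaned citation is flagged by idnits. The remaining entries are unchanged.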
 End of changes. 42 change blocks. 
89 lines changed or deleted 101 lines changed or added