An application, library, or kernel module that obtains cryptographic services is called a consumer. An application that provides cryptographic services to consumers through the framework is referred to as a provider and also as a plugin. The software that implements a cryptographic operation is called a mechanism. A mechanism is not just the algorithm but includes the way in which the algorithm is to be applied. For example, the DES algorithm when applied to authentication is considered a separate mechanism. DES when applied to block-by-block encryption would be a different mechanism.
A token is the abstraction of a device that can perform cryptography. In addition, tokens can store information for use in cryptographic operations. A single token can support one or more mechanisms. Tokens can represent hardware, as in an accelerator board. Tokens that represent pure software are referred to as soft tokens. A token can be plugged into a slot, which continues the physical metaphor. A slot is the connecting point for applications that use cryptographic services.
In addition to specific slots for providers, the Oracle Solaris implementation provides a special slot called the metaslot. The metaslot is a component of the Cryptographic Framework library (libpkcs11.so). The metaslot serves as a single virtual slot with the combined capabilities of all tokens and slots that have been installed in the framework. Effectively, the metaslot enables an application to transparently connect with any available cryptographic service through a single slot. When an application requests a cryptographic service, the metaslot points to the most appropriate slot, which simplifies the process of selecting a slot. In some cases, a different slot might be required, in which case the application must perform a separate search explicitly. The metaslot is automatically enabled and can only be disabled through explicit action by the system administrator.
A session is a connection between an application that uses cryptographic services and a token. The PKCS #11 standard uses two kinds of objects: token objects and session objects. Session objects are ephemeral, that is, objects that last only for the duration of a session. Objects that persist beyond the length of a session are referred to as token objects.
The default location for token objects is $HOME/.sunw/pkcs11_softtoken. Alternatively, token objects can be stored in $SOFTTOKEN_DIR/pkcs11_softtoken. Private token objects are protected by personal identification numbers (PIN). To create or change a token object requires that the user be authenticated, unless the user is accessing a private token object.
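The following C program is an added example, not code from the Oracle Solaris documentation: a consumer that treats DES-for-authentication (CKM_DES_MAC) and DES-for-encryption (CKM_DES_ECB) as distinct mechanisms, walks the slots that hold a token, opens a session on the first token offering the requested mechanism, and resolves the soft-token object directory described above. It declares the handful of PKCS #11 types it needs itself (values taken from the PKCS #11 specification) and references the C_* entry points weakly, so it builds without the Solaris headers; on Solaris link it with -lpkcs11, elsewhere the framework calls resolve to NULL and the lookup fails closed.

```c
#include <stdio.h>
#include <string.h>

/* Minimal subset of pkcs11.h, assumed here so the example compiles stand-alone. */
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_FLAGS, CK_SESSION_HANDLE,
                      CK_MECHANISM_TYPE;
typedef unsigned char CK_BBOOL;
typedef CK_RV (*CK_NOTIFY)(CK_SESSION_HANDLE, CK_ULONG, void *);
#define CK_TRUE                           1
#define CKR_OK                            0x000UL
#define CKR_GENERAL_ERROR                 0x005UL
#define CKR_MECHANISM_INVALID             0x070UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED  0x191UL
#define CKF_RW_SESSION                    0x002UL
#define CKF_SERIAL_SESSION                0x004UL
#define CKM_DES_ECB  0x121UL   /* DES applied to block-by-block encryption */
#define CKM_DES_MAC  0x123UL   /* DES applied to authentication: a separate mechanism */

/* Weak references to libpkcs11.so: NULL when the framework is not linked in. */
CK_RV C_Initialize(void *) __attribute__((weak));
CK_RV C_Finalize(void *) __attribute__((weak));
CK_RV C_GetSlotList(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *) __attribute__((weak));
CK_RV C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE *, CK_ULONG *) __attribute__((weak));
CK_RV C_OpenSession(CK_SLOT_ID, CK_FLAGS, void *, CK_NOTIFY, CK_SESSION_HANDLE *) __attribute__((weak));
CK_RV C_CloseSession(CK_SESSION_HANDLE) __attribute__((weak));

/* Open a serial read/write session on the first token (slot with a token present)
 * whose mechanism list contains `mech`. With the framework's default configuration
 * the first slot is the metaslot, so it normally answers for every installed token. */
CK_RV open_session_for_mechanism(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE *out)
{
    CK_SLOT_ID slots[64]; CK_MECHANISM_TYPE mechs[512];
    CK_ULONG nslots = 64, i; CK_RV rv;
    *out = 0;
    if (!C_Initialize || !C_GetSlotList || !C_GetMechanismList || !C_OpenSession)
        return CKR_GENERAL_ERROR;                      /* framework not available */
    rv = C_Initialize(NULL);
    if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) return rv;
    if ((rv = C_GetSlotList(CK_TRUE, slots, &nslots)) != CKR_OK) return rv;
    for (i = 0; i < nslots; i++) {
        CK_ULONG nmechs = 512, j;
        if (C_GetMechanismList(slots[i], mechs, &nmechs) != CKR_OK) continue;
        for (j = 0; j < nmechs; j++)
            if (mechs[j] == mech)      /* exact mechanism match, not just "DES" */
                return C_OpenSession(slots[i], CKF_SERIAL_SESSION | CKF_RW_SESSION,
                                     NULL, NULL, out);
    }
    return CKR_MECHANISM_INVALID;                      /* no token offers it */
}

/* Soft-token object directory: $SOFTTOKEN_DIR/pkcs11_softtoken when that variable
 * is set, else $HOME/.sunw/pkcs11_softtoken. Returns 1 if the path fit in buf. */
int softtoken_object_dir(const char *home, const char *softtoken_dir, char *buf, size_t len)
{
    if (softtoken_dir && *softtoken_dir)
        return snprintf(buf, len, "%s/pkcs11_softtoken", softtoken_dir) < (int)len;
    return snprintf(buf, len, "%s/.sunw/pkcs11_softtoken", home) < (int)len;
}
```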