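<p>After going through a lot of examples, I figured this out myself: if you want to create a persistent (CKA_TOKEN=True) object, CKA_ID is a required attribute. I don't know how I was supposed to know this (I never saw it in any documentation), but in fact, after I added it, it worked fine.</p>
<p>If the driver is set up correctly, this code should work:</p>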
<pre><code>from PyKCS11 import *
import getpass

libacospkcs = '/usr/lib/libacospkcs11.so'


def createTokenAES256(label):
    # Load the vendor PKCS#11 module and open a read/write session
    pkcs11 = PyKCS11Lib()
    pkcs11.load(libacospkcs)
    theOnlySlot = pkcs11.getSlotList()[0]
    session = pkcs11.openSession(theOnlySlot, CKF_SERIAL_SESSION | CKF_RW_SESSION)

    PIN = getpass.getpass('Enter User PIN to login:')
    session.login(PIN)
    print(pkcs11.getTokenInfo(theOnlySlot))

    # Template for a persistent, non-extractable AES-256 key
    template = (
        (CKA_CLASS, CKO_SECRET_KEY),
        (CKA_KEY_TYPE, CKK_AES),
        (CKA_VALUE_LEN, 32),
        (CKA_LABEL, label),
        (CKA_ID, "1244"),  # needed because CKA_TOKEN is True
        (CKA_PRIVATE, True),
        (CKA_SENSITIVE, True),
        (CKA_ENCRYPT, True),
        (CKA_DECRYPT, True),
        (CKA_TOKEN, True),
        (CKA_WRAP, True),
        (CKA_UNWRAP, True),
        (CKA_EXTRACTABLE, False))

    # Generate the key on the token through the low-level API
    ckattr = session._template2ckattrlist(template)
    m = LowLevel.CK_MECHANISM()
    m.mechanism = LowLevel.CKM_AES_KEY_GEN
    key = LowLevel.CK_OBJECT_HANDLE()
    returnValue = pkcs11.lib.C_GenerateKey(session.session, m, ckattr, key)
    if returnValue != CKR_OK:
        raise PyKCS11Error(returnValue)


# Now execute the above to create AES256 key
createTokenAES256('TestKey')
</code></pre>
<p>After this, I can log out of the card and view the new object with pkcs11-tool:</p>
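<p>An added example, not part of the original answer: a pre-flight check that lints a key template like the one above before it reaches C_GenerateKey, so a missing CKA_ID shows up as a clear message instead of a driver error. The function name <code>lint_key_template</code>, the sample templates and the sensitive/non-extractable policy are assumptions; the constants are defined locally so it runs without PyKCS11 or a token.</p>

```python
# PKCS#11 attribute and type constants (values from the PKCS#11 headers),
# defined locally so the check runs without PyKCS11 or a token attached.
CKA_CLASS, CKA_TOKEN, CKA_LABEL = 0x000, 0x001, 0x003
CKA_KEY_TYPE, CKA_ID, CKA_SENSITIVE = 0x100, 0x102, 0x103
CKA_VALUE_LEN, CKA_EXTRACTABLE = 0x161, 0x162
CKO_SECRET_KEY, CKK_AES = 0x04, 0x1F


def lint_key_template(template):
    """Return a list of problems found in a C_GenerateKey attribute template."""
    problems = []
    seen = {}
    for attr, value in template:
        if attr in seen:
            problems.append("attribute 0x%03x given twice" % attr)
        seen[attr] = value

    # Behaviour reported in the answer for its driver: a persistent object
    # (CKA_TOKEN=True) could not be created until CKA_ID was supplied.
    if seen.get(CKA_TOKEN) and not seen.get(CKA_ID):
        problems.append("token object has no CKA_ID")

    if seen.get(CKA_CLASS) == CKO_SECRET_KEY:
        # Assumed policy: secret keys must be set sensitive and
        # non-extractable explicitly rather than left to token defaults.
        if not seen.get(CKA_SENSITIVE):
            problems.append("secret key is not CKA_SENSITIVE")
        if seen.get(CKA_EXTRACTABLE, True):
            problems.append("secret key is extractable or CKA_EXTRACTABLE is unset")
        if (seen.get(CKA_KEY_TYPE) == CKK_AES
                and seen.get(CKA_VALUE_LEN) not in (16, 24, 32)):
            problems.append("AES key needs CKA_VALUE_LEN of 16, 24 or 32")
    return problems


# Constructed sample: the relevant attributes of the answer's template.
GOOD = [(CKA_CLASS, CKO_SECRET_KEY), (CKA_KEY_TYPE, CKK_AES),
        (CKA_VALUE_LEN, 32), (CKA_LABEL, "TestKey"), (CKA_ID, "1244"),
        (CKA_TOKEN, True), (CKA_SENSITIVE, True), (CKA_EXTRACTABLE, False)]
# Same template with CKA_ID dropped: the failing case the answer describes.
NO_ID = [pair for pair in GOOD if pair[0] != CKA_ID]

if __name__ == "__main__":
    for name, tpl in (("GOOD", GOOD), ("NO_ID", NO_ID)):
        print(name, lint_key_template(tpl) or "ok")
```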