Package nss :: Module nss :: Class PK11Slot
[hide private]
[frames] | no frames]

type PK11Slot

object --+
         |
        PK11Slot

An object representing a PKCS #11 Slot
Instance Methods [hide private]
 
__init__(...)
x.__init__(...) initializes x; see help(type(x)) for signature
a new object with type S, a subtype of T
__new__(T, S, ...)
 
__str__(x)
str(x)
Parameters:
authenticate(load_certs=False, user_data1=..., ...)
If True load certificates after authenticating.
 
change_passwd(old_passwd=None, new_passwd=None)
Change the user password on the token.
bool
check_security_officer_passwd(security_officer_passwd)
Verify security officer password.
 
check_user_passwd(user_passwd)
Verify security officer password.
string)
format(level=0, indent=' ')
This is equivalent to: indented_format(obj.format_lines()) on an object providing a format_lines() method.
[(level, string),...]
format_lines(level=0)
Formats the object into a sequence of lines with indent level information.
 
generate_key_pair(...)
generate_key_pair(mechanism, key_params, token, sensitive, [user_data1, ...]) -> public_key, private_key
length
get_best_key_length(mechanism)
Return the best key length for this slot and mechanism.
mechanism
get_best_wrap_mechanism()
Find the best key wrap mechanism for this slot.
integer
get_disabled_reason()
Returns a diabled reason enumerated constant (i.e.
bool
has_protected_authentication_path()
Returns True if token has a "protected authentication path", whereby a user can log into the token without passing a PIN through the library, False otherwise.
bool
has_root_certs()
Returns True if the slot contains the root certificate , False otherwise.
 
init_pin(security_officer_passwd=None, user_passwd=None)
Initialize the token's pin for first use.
bool
is_disabled()
Returns True if the slot is disabled, False otherwise.
bool
is_friendly()
Returns True if the slot allows certificates to be read without logging in to the token, False otherwise.
bool
is_hw()
Returns True if the slot is implemented in hardware, False otherwise.
bool
is_internal()
Returns True if the the slot is internal, False otherwise.
bool
is_logged_in(user_data1=..., ...)
Return True if token is logged in, False otherwise.
bool
is_present()
Returns True if the slot's token present, False otherwise.
bool
is_read_only()
Returns True if the the slot is read-only, False otherwise.
bool
is_removable()
Returns True if the token is removable, False otherwise.
 
key_gen(...)
key_gen(mechanism, sec_param, key_size, [user_data1, ...]) -> PK11SymKey object
(Certificate, ...)
list_certs()
Returns a tuple of Certificate objects found in the slot.
 
logout(...)
logout()l
bool
need_login()
Returns True if there are some cryptographic functions that a user must be logged in to perform, False otherwise.
bool
need_user_init()
Returns True if the slot needs to be logged into by the user by providing their pin, False otherwise.
 
pbe_key_gen(...)
pbe_key_gen(algid, password, [user_data1, ...]) -> PK11SymKey object
 
user_disable()
Prevents the slot from being used, and sets disable reason to PK11_DIS_USER_SELECTED.
 
user_enable()
Allow all mechanisms that are ON before PK11Slot.user\_disable() was called to be available again.
Properties [hide private]
  slot_name
slot name
  token_name
token name
Method Details [hide private]

__init__(...)
(Constructor)

 
x.__init__(...) initializes x; see help(type(x)) for signature
Overrides: object.__init__

__new__(T, S, ...)

 
Returns: a new object with type S, a subtype of T
Overrides: object.__new__

__str__(x)
(Informal representation operator)

 
str(x)
Overrides: object.__str__

authenticate(load_certs=False, user_data1=..., ...)

 
load_certs : bool
If True load certificates after authenticating.

Checks to see if token needs to be logged in. If so it invokes the password callback (set via nss.set\_password\_callback()) passing the optional user_data parameters to the password callback.

Returns:
Parameters:

change_passwd(old_passwd=None, new_passwd=None)

 
Change the user password on the token.
Parameters:
  • old_passwd (string or None) - Previouis password.
  • new_passwd (string or None) - New password.

check_security_officer_passwd(security_officer_passwd)

 
Verify security officer password.
Parameters:
  • security_officer_passwd (string) - Security Officer password.
Returns: bool

check_user_passwd(user_passwd)

 
Verify security officer password.
Parameters:
  • user_passwd (string) - user password.

format(level=0, indent=' ')

 
This is equivalent to: indented_format(obj.format_lines()) on an object providing a format_lines() method.
Parameters:
  • level (integer) - Initial indentation level, all subsequent indents are relative to this starting level.
  • indent (string) - string replicated once for each indent level then prepended to output line
Returns: string)

format_lines(level=0)

 

Formats the object into a sequence of lines with indent level information. The return value is a list where each list item is a tuple. The first item in the tuple is an integer representing the indentation level for that line. Any remaining items in the tuple are strings to be output on that line.

The output of this function can be formatted into a single string by calling nss.nss.indented\_format(), e.g.:

print indented_format(obj.format_lines())

The reason this function returns a tuple as opposed to an single indented string is to support other text formatting systems such as GUI's with indentation controls. See nss.nss.indented\_format() for a complete explanation.

Parameters:
  • level (integer) - Initial indentation level, all subsequent indents are relative to this starting level.
Returns: [(level, string),...]

generate_key_pair(...)

 

generate_key_pair(mechanism, key_params, token, sensitive, [user_data1, ...]) -> public_key, private_key

Generate a public and private key pair.

Example:

# Generate a DSA key pair
key_params = nss.KEYPQGParams()
mechanism = nss.CKM_DSA_KEY_PAIR_GEN
slot = nss.get_best_slot(mechanism)
pub_key, priv_key = slot.generate_key_pair(mechanism, key_params, False, False)

# Generate a DSA key pair
key_params = nss.RSAGenParams()
mechanism = nss.CKM_RSA_PKCS_KEY_PAIR_GEN
slot = nss.get_best_slot(mechanism)
pub_key, priv_key = slot.generate_key_pair(mechanism, key_params, False, False)
Parameters:
  • mechanism (int) - key mechanism enumeration constant (CKM_*)
  • key_params (SecItem object or None) - SecItem key parameters. None is also valid.
  • token (bool) - If true the key is a token object otherwise it's a session object.
  • sensitive (bool) - If a key is sensitive, certain attributes of the key cannot be revealed in plaintext outside the token. It is also more expensive to move between tokens.
  • user_dataN (object ...) - zero or more caller supplied parameters which will be passed to the password callback function

get_best_key_length(mechanism)

 
Return the best key length for this slot and mechanism. A zero result means that token knows how long the key should be, the result is typically used with key_gen(), token_key_gen(), or token_key_gen_with_flags()
Parameters:
  • mechanism (int) - key mechanism enumeration constant (CKM_*)
Returns: length

get_disabled_reason()

 

Returns a diabled reason enumerated constant (i.e. PK11_DIS_*).

May be one of:

  • PK11_DIS_NONE
  • PK11_DIS_USER_SELECTED
  • PK11_DIS_COULD_NOT_INIT_TOKEN
  • PK11_DIS_TOKEN_VERIFY_FAILED
  • PK11_DIS_TOKEN_NOT_PRESENT
Returns: integer

has_protected_authentication_path()

 
Returns True if token has a "protected authentication path", whereby a user can log into the token without passing a PIN through the library, False otherwise. An example might be a token with an integrated key pad.
Returns: bool

init_pin(security_officer_passwd=None, user_passwd=None)

 
Initialize the token's pin for first use.
Parameters:
  • security_officer_passwd (string or None) - Security Officer password used to unlock token.
  • user_passwd (string or None) - User password to set as token pin.

is_logged_in(user_data1=..., ...)

 
Return True if token is logged in, False otherwise.
Parameters:
  • user_data1 (object ...) - zero or more caller supplied parameters which will be passed to the password callback function
Returns: bool

key_gen(...)

 

key_gen(mechanism, sec_param, key_size, [user_data1, ...]) -> PK11SymKey object

Generate a symmetric key.

Parameters:
  • mechanism (int) - key mechanism enumeration constant (CKM_*)
  • sec_param (SecItem object or None) - SecItem key parameters. None is also valid.
  • key_size (int) - key length (use get_best_key_length())
  • user_dataN (object ...) - zero or more caller supplied parameters which will be passed to the password callback function

logout(...)

 

logout()l

Logs a user out of a session destroying any objects allocated on their behalf.

pbe_key_gen(...)

 

pbe_key_gen(algid, password, [user_data1, ...]) -> PK11SymKey object

Generate a PBE symmetric key.

Parameters:
  • algid (AlgorithmID object) - algorithm id
  • password (string) - the password used to create the PBE Key
  • user_dataN (object ...) - zero or more caller supplied parameters which will be passed to the password callback function

user_disable()

 

Prevents the slot from being used, and sets disable reason to PK11_DIS_USER_SELECTED.

Mechanisms that were on continue to stay on. Therefore, when the slot is enabled again via PK11Slot.user\_enable(), it will remember what mechanisms needs to be turned on.

user_enable()

 
Allow all mechanisms that are ON before PK11Slot.user\_disable() was called to be available again. Sets disable reason to PK11_DIS_NONE.