Developer's Guide
KMIP Reference Guide

Introduction

The SKC toolkit provides C++ based component libraries that currently implement the KMIP 1.0/1.1/1.2 protocols. The toolkit provides full KMIP message parsing and message generation. The toolkit provides several different layers of abstraction, each building on the previous, enabling the developer to use whichever layer or layers best suit their needs. The toolkit comes with binaries for Linux, Solaris, and Windows platforms.

SKC implements the translation of binary KMIP protocol messages into a standard DOM tree. Since a KMIP message is essentially a tree of nested structures, this translation is straightforward. The result is a powerful new tool that can be used with KMIP 1.0, 1.1, and 1.2. The DOM tree is capable of outputting its contents as XML, JSON, or JsonML, and has been extended to support binary nodes so that it can very efficiently handle KMIP binary messages and other binary data such as keys. The library supports logging of incoming and outgoing KMIP messages in XML, JSON, and JsonML to simplify development and troubleshooting.

Implementing binary KMIP message support in our standard DOM tree makes available a wealth of other P6R technologies for use. For example, any part of a KMIP message can be searched for and/or extracted using XPath 2.0. Using XSLT 2.0, a portion of one KMIP message could be transformed into a new message, or the message could be transformed into XHTML for viewing or XML for input into another tool or database.

A description of the unique design of this client can be found at: https://www.p6r.com/articles/2012/01/30/p6r-kmip-toolkit-introduction/

Ease of Use

The same client API allows a client developer to send KMIP messages encoded in TTLV, XML, or JSON, and to send them using HTTPS POST or the default SSL connection. No significant code change is required to switch between any of these features; all that is required is to set a few flags when initializing the KMIP client. In the p6IKMIPClient::initialize() method there is a "preferences" parameter of type P6KMIP_PREF. One of the fields of a P6KMIP_PREF is a bit mask field:

* compatibility1 - A bit mask to enable special features of the KMIP specification (e.g., XML or JSON message format, HTTPS). Bit mask values are defined at the end of the p6kmip.h file.

Just by setting the KMIP_CMP_MSGXML (KMIP XML Message format) flag, the client will send XML encoded messages to the server over HTTPS POST. By setting the KMIP_CMP_HTTPSPOST (KMIP HTTPS POST) flag instead, the client will send TTLV encoded messages to the server over HTTPS POST. Thus the exact same calls to the P6R client can be used to interact with KMIP servers in different ways just by changing the values of a bit mask.

The default client preferences are as follows:

* message format: TTLV
* network protocol: SSL
* protocol version: 1.1

All of these defaults can be overridden by the preferences parameter when initializing a P6R KMIP client object (e.g., the protocol version can be set via the P6KMIP_PREF pVersion field).

Server to Client Configuration Parameters

Most of the client's configuration parameters (e.g., host name and port to connect to) are passed as parameters to an API function. However, a few values appear in the p6kmip.conf file since they are mostly static.

  [p6kmip-gen]
  logDir = "/var/log/kmip"
  errorStream = "kmipclient-errors.txt"
  uri = "/kmip"
  enableCache = true
  cacheSize = 70
  cacheHitRatio = 62

  [p6kmip-server-gen]
  listenPort = 65524
  maxBufSize = 20000
  initialBufCount = 5
  growBufBy = 5
  threadCount = 2
  listenIPAddr = 0.0.0.0

The "logDir" configuration parameter (string value) defines an existing, writable directory where the KMIP client can write log files. If this configuration parameter is missing then logging is disabled. Note that the KMIP client creates directories under this log directory, one for each KMIP server it connects to. For example:

  /var/log/kmip
  /var/log/kmip/abc.example.com
  /var/log/kmip/abc.example.com/query_server_call
  /var/log/kmip/abc.example.com/query_server_call/kmip-1382493469125976.xml
  /var/log/kmip/abc.example.com/query_server_call/kmip-1382493469426757.xml
  /var/log/kmip/abc.example.com/query_server_call/http-1382376977461914.txt
  /var/log/kmip/abc.example.com/create_symmetric_key
  /var/log/kmip/q.onecompany.com

  /var/log/kmip/abc.example.com/server
  /var/log/kmip/abc.example.com/server/kmip-1398708919306640-14844.xml
  /var/log/kmip/abc.example.com/server/kmip-1398708919309570-10592.xml
  /var/log/kmip/abc.example.com/server/kmip-1398708919378906-14844.xml

In the above example, "abc.example.com" and "q.onecompany.com" are KMIP servers that the P6R client has connected to. The KMIP client API allows the definition of another level of directories to be created under each of these server directories (e.g., see abc.example.com/query_server_call above). Also note that each KMIP message sent and received gets its own file, with a file name of the form "kmip-<unix time stamp>.xml" or "kmip-<unix time stamp>.json", so the files are ordered by time. Logging can be in XML or JSON when the TTLV message format is used; however, when using the XML message format logging will be in XML, and when using the JSON message format logging will be in JSON (to capture the exact message content). When HTTPS POST is used it is possible to turn on logging to capture the HTTP headers sent to the server. This logging results in additional files with the name format "http-<unix time stamp>.txt".

The KMIP server component (i.e., p6IKMIPServer) creates a "server" directory under the domain name / IP address of the connecting client (e.g., /var/log/kmip/abc.example.com/server). All Notify / Put requests made by that client are logged into that directory. Note that the file names for the server have an extra part (e.g., kmip-1398708919378906-14844.xml), where the value after the second "-" is the identifier of the thread that worked on the request. Since the server is multi-threaded, messages from different threads will be interleaved, sorted by time. To find the matching response sent for a request, look for the next message with the same thread identifier, since a single thread handles the entire incoming request.
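The request/response pairing rule just described can be applied mechanically to a server log directory. The following is an added example, not part of the P6R SDK: it parses the "kmip-<unix time stamp>-<thread id>.xml" file names, orders them by time stamp, and pairs each request with the next file carrying the same thread identifier. The sample file names are constructed from the listing above.

```cpp
// Added example (not P6R SDK code): pair p6IKMIPServer log files into
// request/response exchanges using the file naming convention described above.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct ServerLogFile {
    uint64_t timestamp;   // microsecond Unix time stamp taken from the file name
    unsigned threadId;    // thread that handled the request
    std::string name;     // original file name
};

struct Exchange {
    unsigned threadId;
    std::string request;
    std::string response; // empty if no response file has been logged yet
};

// Parses "kmip-<timestamp>-<threadid>.<ext>". Returns false for any name that
// does not follow the convention (e.g. the "http-<timestamp>.txt" header captures).
bool parseServerLogName(const std::string& name, ServerLogFile& out) {
    const std::string prefix = "kmip-";
    if (name.compare(0, prefix.size(), prefix) != 0) return false;
    size_t dash = name.find('-', prefix.size());
    size_t dot  = name.rfind('.');
    if (dash == std::string::npos || dot == std::string::npos || dot <= dash + 1) return false;
    std::string ts  = name.substr(prefix.size(), dash - prefix.size());
    std::string tid = name.substr(dash + 1, dot - dash - 1);
    auto allDigits = [](const std::string& s) {
        return !s.empty() && std::all_of(s.begin(), s.end(),
            [](unsigned char c) { return std::isdigit(c) != 0; });
    };
    if (!allDigits(ts) || !allDigits(tid)) return false;
    out.timestamp = std::stoull(ts);
    out.threadId  = static_cast<unsigned>(std::stoul(tid));
    out.name = name;
    return true;
}

// Orders the files by time stamp, then walks them: the first unmatched file for
// a thread is a request, and the next file with the same thread id is its response.
std::vector<Exchange> pairExchanges(const std::vector<std::string>& names) {
    std::vector<ServerLogFile> files;
    for (const auto& n : names) {
        ServerLogFile f;
        if (parseServerLogName(n, f)) files.push_back(f);
    }
    std::sort(files.begin(), files.end(),
              [](const ServerLogFile& a, const ServerLogFile& b) { return a.timestamp < b.timestamp; });
    std::vector<Exchange> result;
    std::map<unsigned, size_t> pending; // thread id -> index of its open request in result
    for (const auto& f : files) {
        auto it = pending.find(f.threadId);
        if (it == pending.end()) {
            result.push_back({f.threadId, f.name, ""});
            pending[f.threadId] = result.size() - 1;
        } else {
            result[it->second].response = f.name;
            pending.erase(it);
        }
    }
    return result;
}

// Constructed sample: the server log files listed on this page, deliberately
// out of order, plus one HTTP header capture that must be ignored.
const std::vector<std::string> kSampleServerLog = {
    "kmip-1398708919378906-14844.xml",
    "kmip-1398708919306640-14844.xml",
    "kmip-1398708919309570-10592.xml",
    "http-1382376977461914.txt",
};
```

An exchange whose response field is still empty after the walk is a request the server has not answered yet (or whose response file is missing), which is worth flagging when reviewing a log directory.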

The "errorStream" configuration parameter (string value) is the name of a file to be created in the log directory that records any XML/JSON/JsonML parsing errors and warnings.

The "uri" configuration parameter (string value), is the path to be used in an HTTPS POST to the KMIP server.

The "enableCache" configuration parameter (boolean value), is optional and allows disabling of the internal expression cache. This parameter defaults to true. The expression cache is used to improve performance.

The "cacheSize" configuration parameter (positive numeric value) is optional and allows changing the size of the internal expression cache. This parameter defaults to 50. When logging is turned on, internal cache statistics are logged when the p6IKMIPClient::close() function is called. Note that the larger the cache, the more memory that can be used.

The "cacheHitRatio" configuration parameter (positive numeric value), is optional and defaults to 45 percent. If the internal expression cache fills up and the cache hit ratio falls below this percentage, then the internal cache is automatically cleared of all entries. This can prevent the cache from becoming ineffective. Setting this value to zero disables the cache auto clear feature.

The following configuration items are for the KMIP server component: p6IKMIPServer.

The "listenPort" configuration parameter (positive numeric value), is the port that the KMIP server component should listen on for incoming Notify / Put operations. The default value is 65524. This value can also be passed into the p6IKMIPServer::initialize() call allowing multiple instances of the KMIP server running at the same time.

The "maxBufSize" configuration parameter (positive numeric value) is the size of each allocated server buffer. The default value is 5000 bytes if not defined in the p6kmip.conf file.

The "initialBufCount" configuration parameter (positive numeric value), is the number of buffers the server should allocate on start up. The default value is 5 if not defined in the p6kmip.conf file.

The "growBufBy" configuration parameter (positive numeric value) is the number of buffers the server will allocate at one time when additional buffers are required to handle incoming requests. The default value is 5 if not defined in the p6kmip.conf file.

The "threadCount" configuration parameter (positive numeric value), is the number of threads created whenever a p6IKMIPServer component is created to process incoming Notify and Put requests. The default value is 2 if not defined in the p6kmip.conf file.

The "listenIPAddr" configuration parameter (string value), allows the KMIP server to support multi-homed machines. The default value is "0.0.0.0" if not defined in the p6kmip.conf file.

Server to Client Configuration Parameters

A second configuration file: p6kmip_auxiliary.conf, has been added for values that a customer would likely want to modify.

Configuration items under the "p6kmip-server-auxiliary" section are meant for the KMIP Server component only and hold the return values for the Server to Client Query operation (added in KMIP 1.3). The server queries the client for details on its capabilities. In this file we have defined a set of default values listing all the capabilities of P6R's client SDK. A customer can modify any of the fields below to tailor what they want to return to a KMIP server. Of particular interest would be adding any Validations (such as a FIPS rating).

  [p6kmip-server-auxiliary]
  vendorId = "www.p6r.com; [client side] KMIP Server"
  operations = 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,29,30,31,32,33,34,35,36,37,38,39,40,41
  objects = 1,2,3,4,5,6,7,8,9
  profiles = 3,4,7,8,9,13,14,15,19,20,21,25,27,29,31,32,33,34,35,36,37,38,39,43,44,45,49,50,51,55,56,57,61,62,63,67,68,69,73,74,75,79,80,81

  # Note these validations are added as an example and are not validations assigned to the P6R client SDK.
  validCount = 2
  validation1 = 2,"US","http://csrc.nist.gov/groups/STM/cmvp/",2,,3,1,1747,"http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1747",,
  validation2 = 2,"US","http://csrc.nist.gov/groups/STM/cmvp/",2,1,2,2,1749,"http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1749",,

  shreddingAlgorithm = 1
  destroyAction = 1

The "vendorId" configuration parameter (string value) is the string returned to a KMIP client performing a Query operation against P6R's KMIP server. In this case, the contents of the vendorId parameter are returned as part of a Query response when the "Query Server Information" flag is part of the Query request. This parameter is optional; nothing is returned for vendor information if the vendorId parameter is not defined.

The "operations" configuration parameter, (a comma separated list of positive numeric values), defines all client side operations supported by the P6R client SDK. Operation values are defined in file p6kmip.h, Section 9.1.3.2.27 Operation Enumeration. The integer values in the list are the integer values defined for each enumeration.

The "objects" configuration parameter (a comma separated list of positive numeric values) defines all object types supported by the P6R client SDK. Object values are defined in file p6kmip.h, Section 9.1.3.2.12 Object Type Enumeration. The integer values in the list are the integer values defined for each enumeration.

The "profiles" configuration parameter (a comma separated list of positive numeric values) defines all the client profiles supported by the P6R client SDK. Profile values are defined in file p6kmipprofiles.h, Section 9.1.3.2.42 Profile Name Enumeration. The integer values in the list are the integer values defined for each enumeration. Note that the Suite B profiles (profiles 49,50,51,55,56,57) depend on the customer using an OpenSSL library with the proper (EC) key support.

The "validCount" configuration parameter (positive numeric value) defines how many 'validationX' fields are defined, where X runs from 1 to n. These configuration items define which validations (e.g., FIPS, Common Criteria) the client product holds. Servers may want to know what validations a client holds.

CSV Format (fields in order, with the type of each):

  1. authority type     (enumeration)
  2. country            (string)
  3. URI                (string)
  4. version major      (integer)
  5. version minor      (integer)
  6. validation type    (enumeration)
  7. validation level   (integer)
  8. certificate Id URI (string)
  9. Profile            (string)

Authority types are defined in file p6kmip.h, Section 9.1.3.2.40 Validation Authority Type Enumeration. Validation types are defined in file p6kmip.h, Section 9.1.3.2.41 Validation Type Enumeration.

If a field is empty it should look like ",,"; that is, each field is separated by a comma even if it is empty. Make sure URIs (and all strings) are quoted. The validation1 and validation2 entries in the configuration block above show how two validations could be defined.
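The two rules above (every field present even when empty, all strings quoted) are easy to get wrong by hand, so a small checker is useful before the file is deployed. The following is an added example, not P6R code: it splits one validationN value on commas outside quotes, keeps empty fields, rejects unquoted strings, and fills a struct in the field order listed above. Both example lines on this page carry the certificate identifier (1747 / 1749) and the certificate URI as separate values, so this parser treats them as two fields; that reading of the layout is an assumption of the example.

```cpp
// Added example (not P6R SDK code): parse and validate one "validationN = ..."
// value from p6kmip_auxiliary.conf according to the CSV rules described above.
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

struct ValidationInfo {
    int authorityType = 0;        // Validation Authority Type enumeration value
    std::string country;
    std::string authorityUri;
    int versionMajor = 0;
    bool hasVersionMinor = false; // version minor may be left empty (",,")
    int versionMinor = 0;
    int validationType = 0;       // Validation Type enumeration value
    int validationLevel = 0;
    std::string certificateId;    // kept verbatim (numeric in the page's example)
    std::string certificateUri;
    std::string profile;
};

// Splits on commas that are outside double quotes, preserving empty fields.
std::vector<std::string> splitCsv(const std::string& line) {
    std::vector<std::string> fields;
    std::string cur;
    bool inQuotes = false;
    for (char c : line) {
        if (c == '"') { inQuotes = !inQuotes; cur += c; }
        else if (c == ',' && !inQuotes) { fields.push_back(cur); cur.clear(); }
        else cur += c;
    }
    fields.push_back(cur);
    return fields;
}

// A non-empty string field must be enclosed in double quotes.
bool unquote(const std::string& raw, std::string& out) {
    if (raw.empty()) { out.clear(); return true; }
    if (raw.size() < 2 || raw.front() != '"' || raw.back() != '"') return false;
    out = raw.substr(1, raw.size() - 2);
    return true;
}

// Integer fields must be plain unsigned decimal digits.
bool parseInt(const std::string& raw, int& out) {
    if (raw.empty()) return false;
    for (char c : raw)
        if (!std::isdigit(static_cast<unsigned char>(c))) return false;
    out = std::atoi(raw.c_str());
    return true;
}

// Returns false and sets `err` for a malformed value.
bool parseValidation(const std::string& value, ValidationInfo& v, std::string& err) {
    std::vector<std::string> f = splitCsv(value);
    if (f.size() < 10) { err = "expected at least 10 comma separated fields"; return false; }
    if (!parseInt(f[0], v.authorityType))   { err = "authority type must be an integer"; return false; }
    if (!unquote(f[1], v.country))          { err = "country must be quoted"; return false; }
    if (!unquote(f[2], v.authorityUri))     { err = "authority URI must be quoted"; return false; }
    if (!parseInt(f[3], v.versionMajor))    { err = "version major must be an integer"; return false; }
    v.hasVersionMinor = !f[4].empty();
    if (v.hasVersionMinor && !parseInt(f[4], v.versionMinor)) {
        err = "version minor must be an integer"; return false;
    }
    if (!parseInt(f[5], v.validationType))  { err = "validation type must be an integer"; return false; }
    if (!parseInt(f[6], v.validationLevel)) { err = "validation level must be an integer"; return false; }
    v.certificateId = f[7];
    if (!unquote(f[8], v.certificateUri))   { err = "certificate URI must be quoted"; return false; }
    if (!unquote(f[9], v.profile))          { err = "profile must be quoted"; return false; }
    return true;
}

// The two example entries from the configuration block on this page.
const char* kValidation1 =
    "2,\"US\",\"http://csrc.nist.gov/groups/STM/cmvp/\",2,,3,1,1747,"
    "\"http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1747\",,";
const char* kValidation2 =
    "2,\"US\",\"http://csrc.nist.gov/groups/STM/cmvp/\",2,1,2,2,1749,"
    "\"http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1749\",,";
```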

The "shreddingAlgorithm" configuration parameter (positive numeric value) defines the shredding algorithm used by the client when destroying a key. Shredding algorithms are defined in file p6kmip.h, Section 9.1.3.2.45 Shredding Algorithm Enumeration. If not defined here the value defaults to KMIP_SHREDALG_UNSPECIFIED (1), which is most likely the value that should be returned.

The "destroyAction" configuration parameter (positive numeric value) defines the destroy action used by the client when destroying a key. The destroy action enumeration is defined in the file p6kmip.h, Section 9.1.3.2.44 Destroy Action Enumeration. If not defined here the value defaults to KMIP_ONDESTROY_UNSPECIFIED (1), which is most likely the value that should be returned.

The "unrapMode" configuration parameter (positive numeric value) defines how the client unwraps a wrapped key. The unwrap mode enumeration is defined in the file p6kmip.h, Section 9.1.3.2.43 Unwrap Mode Enumeration. If not defined here the value defaults to KMIP_UNWRAPMODE_UNSPECIFIED (1).

The "RNGMode" configuration parameter, (positive numeric value) defines how a random number generator is implemented by the client. The RNG mode enumeration is defined in the file p6kmip.h, Section 9.1.3.2.46 RNG Mode Enumeration. If not defined here the value defaults to KMIP_RNGMODE_UNSPECIFIED (1).

The "attestationEnabled" configuration parameter, (a boolean value) defines whether or not the client supports attestation. Note that the P6R client SDK supports the creation of all attestation fields in a request message and all parsing of a server's response. The client code has to provide the attestation "data" and interpretation of the server's responses. If not defined here the value defaults to false.

The "streamingEnabled" configuration parameter (a boolean value) defines whether or not the client supports streaming cryptographic operations. Note that the P6R client SDK does support this feature. If not defined here the value defaults to true.

The "asynchEnabled" configuration parameter (a boolean value) defines whether or not the client supports asynchronous KMIP operation handling. Note that the P6R client SDK does support this feature but requires the client software to call the poll() API function to implement it. If not defined here the value defaults to true.

Enumerators

The KMIP protocol often returns a list of items from an operation (e.g., the attributes of a key), and the size of this list can be unknown to the client. To deal with this our API uses enumerators (in Java these are called iterators). Enumerators are heavily relied upon in our API, and once you are familiar with using one the rest work practically the same way (of course each enumerator returns different data / structures).

For example, if we look at one API call:

  P6COMMETHOD getAttributes( P6KMIP_GETATTRIBPARAMS attrib, P6KMIP_ATTRIBRESULT* pGetResult, P6KMIP_RESULT* pResult );

  // P6KMIP_ATTRIBRESULT
  // The result of one of the attribute related functions.
  // pUniqueId - an enumerator holding one unique identifier for a managed object
  // pAttribute - an enumerator holding attributes defined for the managed object identified by pUniqueId
  typedef struct {
      p6IKMIPStr* pUniqueId;
      p6IKMIPAttribute* pAttribute;
  } P6KMIP_ATTRIBRESULT;

Looking at the example above, both the pUniqueId and pAttribute fields are enumerators. If you look for the p6IKMIPAttribute class you will see that it follows a standard pattern with the following functions: reset(), next(), and count() (see file p6kmipclient.h). Of course each enumerator returns different data / structures but the idea is the same. The pUniqueId enumerator returns strings while pAttribute returns a structure containing several fields describing an attribute.

Here is a list of the current enumerator classes:

* P6R::p6IKMIPVersions - returns the protocol versions supported by a KMIP server
* P6R::p6IKMIPEnum - returns KMIP enumeration values (e.g., the different KMIP operations that a server supports via the Query operation)
* P6R::p6IKMIPStr - returns strings such as unique identifiers of managed objects such as keys and certificates
* P6R::p6IKMIPBinary - returns binary blobs
* P6R::p6IKMIPAttribute - returns a list of attributes associated with a managed object like a key or certificate (note that there are many types of attributes)
* P6R::p6IKMIPNamespace - returns a list of application namespaces
* P6R::p6IKMIPName - returns a list of KMIP template names
* P6R::p6IKMIPExtInfo - returns a list of KMIP extension information values
* P6R::p6IKMIPResult - used in API functions that perform multiple operations at the same time (e.g., addAttributes())
* P6R::p6IKMIPValInfo - returns a list of server or client validations (e.g., FIPS, Common Criteria); new in KMIP 1.3
* P6R::p6IKMIPProfileInfo - returns a list of server or client conformance profiles; new in KMIP 1.3
* P6R::p6IKMIPRNGInfo - returns a list of random number generators supported by a KMIP server; new in KMIP 1.3

When enumerators return a text string or byte array, the caller of the enumerator must provide a buffer into which the value stored in the enumerator is copied. For example, the p6IKMIPAttribute enumerator (see p6kmipclient.h) returns structures of the type P6KMIP_OBJECT_ATTRIBUTE, which allows many different attributes to be returned to the caller. Let's pick one such attribute for this example, "P6NCSTR contactInformation". The type P6NCSTR contains a pointer to a string and its corresponding length. When calling the p6IKMIPAttribute enumerator to extract the contact information attribute value, the field contactInformation.pString needs to point to an allocated buffer that is passed into the enumerator. To be clear, the enumerator does not return a pointer to a buffer; the calling code must pass in a buffer so the contact information can be copied into it. Now, how does the calling code know how big a buffer to allocate? Just set the contactInformation.pString field to NULL, and upon return from the call the contactInformation.length field will hold the required buffer size (and typically the function will return the error code eTooSmall). The whole purpose of this approach is to reduce memory leaks by following the simple rule that the code which allocated a memory block is responsible for freeing it. All memory allocated internally by an enumerator is freed by that enumerator and is never passed out to a caller. Included examples 9, 11, and 12 demonstrate how enumerators work.
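To make the two-call sizing rule concrete, here is an added example (not P6R SDK code) of a minimal enumerator that follows the reset()/next()/count() pattern and the caller-owns-the-buffer rule described above, together with the caller-side loop that probes with a NULL pointer, allocates, and calls again. The names NCStr, ContactEnumerator, Status and drainContacts are stand-ins invented for this example; the SDK's real types live in p6kmipclient.h.

```cpp
// Added example (not P6R SDK code): enumerator with the NULL-probe / eTooSmall
// buffer-sizing convention described above, and a caller that uses it correctly.
#include <cstring>
#include <string>
#include <utility>
#include <vector>

struct NCStr {           // stand-in for P6NCSTR: pointer to a string plus its length
    char*  pString;
    size_t length;
};

enum Status { ok = 0, eTooSmall = 1, eEndOfList = 2 };

class ContactEnumerator {
public:
    explicit ContactEnumerator(std::vector<std::string> values) : values_(std::move(values)) {}
    size_t count() const { return values_.size(); }
    void   reset()       { pos_ = 0; }

    // Copies the next contact-information string into rec.pString.
    // If pString is NULL or the buffer is too small, only the required size is
    // reported in rec.length and eTooSmall is returned; the position does not
    // advance, so the caller can allocate and call next() again.
    Status next(NCStr& rec) {
        if (pos_ >= values_.size()) return eEndOfList;
        const std::string& v = values_[pos_];
        if (rec.pString == nullptr || rec.length < v.size() + 1) {
            rec.length = v.size() + 1;   // include room for the terminating NUL
            return eTooSmall;
        }
        std::memcpy(rec.pString, v.data(), v.size());
        rec.pString[v.size()] = '\0';
        rec.length = v.size();           // length of the copied string
        ++pos_;
        return ok;
    }

private:
    std::vector<std::string> values_;
    size_t pos_ = 0;
};

// Caller-side pattern: probe for the size, allocate, call again. The buffer is
// allocated and freed here, never by the enumerator.
std::vector<std::string> drainContacts(ContactEnumerator& e) {
    std::vector<std::string> out;
    e.reset();
    for (;;) {
        NCStr rec{nullptr, 0};
        Status s = e.next(rec);          // first call: pString == NULL -> size only
        if (s != eTooSmall) break;       // eEndOfList (or anything unexpected) ends the loop
        std::vector<char> buf(rec.length);
        rec.pString = buf.data();
        if (e.next(rec) != ok) break;    // second call: value copied into our buffer
        out.emplace_back(rec.pString, rec.length);
    }                                    // buf is freed here, by the code that allocated it
    return out;
}

// Constructed sample data for the example.
ContactEnumerator makeSampleEnumerator() {
    return ContactEnumerator({"alice@example.com", "kms-admin@example.com"});
}
```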

Required KMIP Attributes

The API functions: registerCertificateObject(), registerKeyObject(), registerMDOObject(), registerSecretDataObject(), registerOpaqueObject(), and registerTemplateObject() result in a Register KMIP operation being sent to a KMIP server. The Register operation requires the "Cryptographic Usage Mask" attribute. Failure to include that attribute in a call to the above API functions will result in an error returned from the KMIP server and a failed operation.

As an example, the following code snippet for a call to registerKeyObject() is typical. The example does not show how "pClient" and "pKey" are assigned proper objects (see the included SDK examples for full details).

  P6COMMETHOD err;
  P6KMIP_RESULT resultCodes;
  P6KMIP_REGKEYPARAMS keyParams;
  P6KMIP_NEWOBJECT newKey;
  P6KMIP_ATTRIBUTE attribList[5];
  p6IKMIPClient* pClient;
  p6ICryptoKey* pKey;

  // The Register operation requires the Cryptographic Usage Mask attribute.
  attribList[0].type = KMIP_ATTRIB_CRYPTOUSAGEMASK;
  attribList[0].index = 0;
  attribList[0].value.cryptoUsageMask = KMIP_USE_ENCRYPT | KMIP_USE_DECRYPT;
  keyParams.attributes.attribCount = 1;
  keyParams.attributes.pAttributeList = attribList;
  keyParams.type = 1;
  keyParams.value.pKey = pKey;
  err = pClient->registerKeyObject( keyParams, &newKey, &resultCodes );

Support for Notify and Put Operations

The KMIP specification defines a set of server-to-client operations (i.e., Section 5, KMIP 1.2 specification draft). The purpose of these operations is to allow a KMIP server to asynchronously communicate to a KMIP client to send it notifications (e.g., attributes of an existing key have changed) or to take actions on managed objects (e.g., re-key a client by sending a replacement key for a key that the client already holds [via a Put operation], or to send a new certificate replacing one that will soon expire [also via a Put operation]).

The nature of these server-to-client operations requires that the KMIP client listen on a configured port for an incoming, unsolicited request from the KMIP server. In this regard, the client becomes the server and the server a client. P6R's implementation of all Notify and Put operations is done by the p6IKMIPServer and p6IKMIPResponse components. Applications using these components create one p6IKMIPServer for each port they wish to listen on. As part of the initialization of the p6IKMIPServer component, the application passes in a callback function. The p6IKMIPServer component parses all incoming Notify and Put requests and passes them (in a well defined structure) to the application's callback function, where the application processes the request (e.g., replaces an expiring certificate in a local keystore). The return code of the callback function determines the actual KMIP response sent back.

In a future release, an application can set the P6KMIPFLAGS value of P6KMIPFLG_SERVER_TLS in the p6IKMIPServer::initialize() method for the p6IKMIPServer component to use server side TLS to receive all incoming requests. In the current release this setting will return an eNotSupported error code. The current p6IKMIPServer component can be used with a TLS tunnel (e.g., stunnel https://www.stunnel.org/index.html) to provide the server side TLS support.

In a future release, detailed examples will be given to show how an application can work with the p6IKMIPServer component. In addition, in the near future the TLS server side protocol will be added to the p6IKMIPServer component.

P6R's KMIP client follows the standards defined in the following documents.

1) OASIS, "Key Management Interoperability Protocol Specification 1.0", OASIS Standard, 15 June 2010.

2) OASIS, "Key Management Interoperability Protocol Specification 1.1", OASIS Standard, 24 January 2013.

3) OASIS, "Key Management Interoperability Protocol Specification 1.2", Candidate OASIS Standard 01, 13 January 2015.

4) OASIS, "Key Management Interoperability Protocol Test Cases Version 1.1", Working Draft 10, 27 April 2012.

5) OASIS, "Key Management Interoperability Protocol Test Cases Version 1.2", Committee Note 01, 11 November 2014.

6) OASIS, "KMIP Additional Message Encodings Version 1.0", Candidate OASIS Standard 01, 13 January 2015.

7) OASIS, "KMIP Asymmetric Key Lifecycle Profile Version 1.0", Candidate OASIS Standard 01, 13 January 2015.

8) OASIS, "KMIP Cryptographic Services Profile Version 1.0", Candidate OASIS Standard 01, 03 February 2015.

9) OASIS, "KMIP Symmetric Key Foundry for FIPS 140-2 Profile Version 1.0", Candidate OASIS Standard 01, 13 January 2015.

10) OASIS, "KMIP Symmetric Key Lifecycle Profile Version 1.0", Candidate OASIS Standard 01, 13 January 2015.

11) OASIS, "KMIP Opaque Managed Object Store Profile Version 1.0", Candidate OASIS Standard 01, 03 February 2015.

12) OASIS, "KMIP Tape Library Profile Version 1.0", Candidate OASIS Standard 01, 13 January 2015.

13) OASIS, "KMIP Storage Array with Self-Encrypting Drives Profile Version 1.0", Candidate OASIS Standard 01, 13 January 2015.

14) OASIS, "KMIP Suite B Profile Version 1.0", Candidate OASIS Standard 01, 03 February 2015.

15) OASIS, "Key Management Interoperability Protocol Test Cases Version 1.3", Working Draft 2, 26 January 2015.

Conformance

KMIP 1.0 Operations

Client provides both synchronous and asynchronous versions of the following operations:

Create, Create Key Pair, Register, Re-key, Derive Key, Certify, Re-certify, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Obtain Lease, Get Usage Allocation, Activate, Revoke, Destroy, Archive, Recover, Validate, Query (synch only), Cancel, Poll, Notify, Put

KMIP 1.1 Operations

Client provides both synchronous and asynchronous versions of the following operations:

Create, Create Key Pair, Register, Re-key, Derive Key, Certify, Re-certify, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Obtain Lease, Get Usage Allocation, Activate, Revoke, Destroy, Archive, Recover, Validate, Query (synch only), Cancel, Poll, Re-key Key Pair, Discover Versions (synch only), Notify, Put

KMIP 1.2 Operations

Client provides both synchronous and asynchronous versions of the following operations:

Create, Create Key Pair, Register, Re-key, Derive Key, Certify, Re-certify, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Obtain Lease, Get Usage Allocation, Activate, Revoke, Destroy, Archive, Recover, Validate, Query (synch only), Cancel, Poll, Re-key Key Pair, Discover Versions (synch only), Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, RNG Retrieve, RNG Seed, Hash, Create Split Key, Join Split Key, Notify, Put

KMIP 1.3 Operations

Client provides both synchronous and asynchronous versions of the following operations:

Create, Create Key Pair, Register, Re-key, Derive Key, Certify, Re-certify, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Obtain Lease, Get Usage Allocation, Activate, Revoke, Destroy, Archive, Recover, Validate, Query (synch only), Cancel, Poll, Re-key Key Pair, Discover Versions (synch only), Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, RNG Retrieve, RNG Seed, Hash, Create Split Key, Join Split Key, Notify, Put

The following operations support streaming: Encrypt, Decrypt, Sign, Signature Verify, MAC, MAC Verify, Hash

Additional Server to Client operations supported: Discover Versions, Query

KMIP Version 1.0 Test Cases Supported

* TC-311-10 Create / Destroy
* TC-312-10 Register / Create / Get attributes / Destroy
* TC-313-10 Create / Locate / Get / Destroy
* TC-314-10 Dual Client Test Case, ID Placeholder-linked Locate & Get Batch
* TC-315-10 Register / Destroy Secret Data
* TC-32-10 Asynchronous Locate
* TC-41-10 Revoke Scenario
* TC-51-10 Get Usage Allocation Scenario
* TC-61-10 Import of a Third-party Key
* TC-71-10 Unrecognized Message Extension with Criticality Indicator False
* TC-72-10 Unrecognized Message Extension with Criticality Indicator True
* TC-81-10 Create a Key Pair
* TC-82-10 Register Both Halves of a Key Pair
* TC-91-10 Create a Key, Re-key
* TC-92-10 Existing Key Expired, Re-key with Same Life-cycle
* TC-93-10 Existing Key Compromised, Re-key with Same Life-cycle
* TC-94-10 Create Key, Re-key with New Life-cycle
* TC-95-10 Obtain Lease for Expired Key
* TC-101-10 Create a Key, Archive and Recover it
* TC-111-10 Credential, Operation Policy, Destroy Date
* TC-121-10 Query, Maximum Response Size
* TC-131-10 Register an Asymmetric Key Pair in PKCS1 Format
* TC-132-10 Register an Asymmetric Key Pair and a Corresponding X509 Certificate
* TC-134-10 Register Key Pair, Certify and Re-certify Public Key
* TC-NP-1-10 Put
* TC-NP-2-10 Notify & Put
* TC-ECC-1-10 Register an ECC Key Pair
* TC-ECC-2-10 Register an ECC Key Pair in PKCS8 Format
* TC-ECC-3-10 Register an ECC Key Pair and ECDSA Certificate

Symmetric Key Lifecycle Profile Version 1.0

* SKLC-M-1-10 Create, GetAttributes, Destroy
* SKLC-M-2-10 Create, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* SKLC-M-3-10 Create, GetAttributes, Activate, GetAttributes, ModifyAttribute, Revoke, GetAttributes, Destroy
* SKLC-O-1-10 Create, GetAttributes, Destroy, GetAttributes

Symmetric Key Foundry for FIPS 140-2 Profile Version 1.0

* SKFF-M-1-10 Create, Destroy AES-128
* SKFF-M-2-10 Create, Destroy AES-192
* SKFF-M-3-10 Create, Destroy AES-256
* SKFF-M-4-10 Create, Destroy DES3-168
* SKFF-M-5-10 Create, Locate, Get, Destroy, Locate AES-128
* SKFF-M-6-10 Create, Locate, Get, Destroy, Locate AES-192
* SKFF-M-7-10 Create, Locate, Get, Destroy, Locate AES-256
* SKFF-M-8-10 Create, Locate, Get, Destroy, Locate DES3-168
* SKFF-M-9-10 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-128
* SKFF-M-10-10 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-192
* SKFF-M-11-10 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-256
* SKFF-M-12-10 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy DES3-168
* SKFF-O-1-10 Create, Destroy SKIPJACK-80
* SKFF-O-2-10 Create, Locate, Get, Destroy, Locate SKIPJACK-80
* SKFF-O-3-10 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy SKIPJACK-80
* SKFF-O-4-10 Create, Destroy DES3-112
* SKFF-O-5-10 Create, Locate, Get, Destroy, Locate DES3-112
* SKFF-O-6-10 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy DES3-112

Asymmetric Key Lifecycle Profile Version 1.0 Supported

* AKLC-M-1-10 CreateKeyPair, GetAttributes, GetAttributes, Destroy
* AKLC-M-2-10 CreateKeyPair, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* AKLC-M-3-10 CreateKeyPair, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* AKLC-O-1-10 CreateKeyPair, GetAttributes, Destroy, GetAttributes

KMIP Opaque Managed Object Store Profile Version 1.0

* OMOS-M-1-10 Register small opaque object
* OMOS-O-1-10 Register large (>10k) opaque object

KMIP Tape Library Profile Version 1.0

* TL-M-1-10 Configuration
* TL-M-2-10 Write with new (created) key
* TL-M-3-10 Read an encrypted tape

Key Management Interoperability Protocol Storage Array with Self-Encrypting Drives Profile Version 1.0

* SASED-M-1-10 Configuration
* SASED-M-2-10 Register the authentication key
* SASED-M-3-10 Retrieve Authentication Key

SEPATON Profile Version 1.0

* SEPATON-1-10 Query
* SEPATON-2-10 Locate, Create
* SEPATON-3-10 Locate, Get, GetAttributes, Activate, GetAttributes

KMIP Additional Message Encodings Version 1.0 Supported

* MSGENC-HTTPS-M-1-10 - HTTPS POST: Query, Maximum Response Size
* MSGENC-XML-M-1-10 - Message Encoding XML: Query, Maximum Response Size (in addition, we have run all above test cases in XML mode)
* MSGENC-JSON-M-1-10 - Message Encoding JSON: Query, Maximum Response Size (in addition, we have run all above test cases in JSON mode)

KMIP Suite B Profile Version 1.0

* SUITEB_128-M-1-10 Query
* SUITEB_192-M-1-10 Query

KMIP Version 1.1 Test Cases Supported

* TC-311-11 Create / Destroy
* TC-312-11 Register / Create / Get attributes / Destroy
* TC-313-11 Create / Locate / Get / Destroy
* TC-314-11 Dual Client Test Case, ID Placeholder-linked Locate & Get Batch
* TC-315-11 Register / Destroy Secret Data
* TC-32-11 Asynchronous Locate
* TC-41-11 Revoke Scenario
* TC-51-11 Get Usage Allocation Scenario
* TC-61-11 Import of a Third-party Key
* TC-71-11 Unrecognized Message Extension with Criticality Indicator False
* TC-72-11 Unrecognized Message Extension with Criticality Indicator True
* TC-81-11 Create a Key Pair
* TC-82-11 Register Both Halves of a Key Pair
* TC-91-11 Create a Key, Re-key
* TC-92-11 Existing Key Expired, Re-key with Same Life-cycle
* TC-93-11 Existing Key Compromised, Re-key with Same Life-cycle
* TC-94-11 Create Key, Re-key with New Life-cycle
* TC-95-11 Obtain Lease for Expired Key
* TC-101-11 Create a Key, Archive and Recover it
* TC-111-11 Credential, Operation Policy, Destroy Date
* TC-112-11 Device Credential, Operation Policy, Destroy Date
* TC-121-11 Query, Maximum Response Size
* TC-122-11 Query Vendor Extensions
* TC-131-11 Register an Asymmetric Key Pair in PKCS1 Format
* TC-132-11 Register an Asymmetric Key Pair and a Corresponding X509 Certificate
* TC-133-11 Create, Re-key Key Pair
* TC-134-11 Register Key Pair, Certify and Re-certify Public Key
* TC-141-11 Key Wrapping using AES Key Wrap and No Encoding
* TC-142-11 Key Wrapping using AES Key Wrap with Attributes
* TC-151-11 Locate a Fresh Object from the Default Group
* TC-152-11 Client-side Group Management
* TC-153-11 Default Object Group Member
* TC-161-11 Discover Versions
* TC-171-11 Handling of Attributes and Attribute Index Values
* TC-181-11 Digests of Symmetric Keys
* TC-182-11 Digests of RSA Private Keys
* TC-NP-1-11 Put
* TC-NP-2-11 Notify & Put
* TC-ECC-1-11 Register an ECC Key Pair
* TC-ECC-2-11 Register an ECC Key Pair in PKCS8 Format
* TC-ECC-3-11 Register an ECC Key Pair and ECDSA Certificate
*
*
* Symmetric Key Lifecycle Profile Version 1.0
* SKLC-M-1-11 Create, GetAttributes, Destroy
* SKLC-M-2-11 Create, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* SKLC-M-3-11 Create, GetAttributes, Activate, GetAttributes, ModifyAttribute, Revoke, GetAttributes, Destroy
* SKLC-O-1-11 Create, GetAttributes, Destroy, GetAttributes
*
*
* Symmetric Key Foundry for FIPS 140-2 Profile Version 1.0
* SKFF-M-1-11 Create, Destroy AES-128
* SKFF-M-2-11 Create, Destroy AES-192
* SKFF-M-3-11 Create, Destroy AES-256
* SKFF-M-4-11 Create, Destroy DES3-168
* SKFF-M-5-11 Create, Locate, Get, Destroy, Locate AES-128
* SKFF-M-6-11 Create, Locate, Get, Destroy, Locate AES-192
* SKFF-M-7-11 Create, Locate, Get, Destroy, Locate AES-256
* SKFF-M-8-11 Create, Locate, Get, Destroy, Locate DES3-168
* SKFF-M-9-11 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-128
* SKFF-M-10-11 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-192
* SKFF-M-11-11 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-256
* SKFF-M-12-11 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy DES3-168
* SKFF-O-1-11 Create, Destroy SKIPJACK-80
* SKFF-O-2-11 Create, Locate, Get, Destroy, Locate SKIPJACK-80
* SKFF-O-3-11 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy SKIPJACK-80
* SKFF-O-4-11 Create, Destroy DES3-112
* SKFF-O-5-11 Create, Locate, Get, Destroy, Locate DES3-112
* SKFF-O-6-11 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy DES3-112
*
*
* Asymmetric Key Lifecycle Profile Version 1.0 Supported
* AKLC-M-1-11 CreateKeyPair, GetAttributes, GetAttributes, Destroy
* AKLC-M-2-11 CreateKeyPair, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* AKLC-M-3-11 CreateKeyPair, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* AKLC-O-1-11 CreateKeyPair, GetAttributes, Destroy, GetAttributes
*
*
* KMIP Opaque Managed Object Store Profile Version 1.0
* OMOS-M-1-11 Register small opaque object
* OMOS-O-1-11 Register large (>10k) opaque object
*
*
* KMIP Tape Library Profile Version 1.0
* TL-M-1-11 Configuration
* TL-M-2-11 Write with new (created) key
* TL-M-3-11 Read an encrypted tape
*
*
* Key Management Interoperability Protocol Storage Array with Self-Encrypting Drives Profile Version 1.0
* SASED-M-1-11 Configuration
* SASED-M-2-11 Register the authentication key
* SASED-M-3-11 Retrieve Authentication Key
*
*
* KMIP Additional Message Encodings Version 1.1 Supported
* MSGENC-HTTPS-M-1-11 - HTTPS POST: Query, Maximum Response Size
* MSGENC-XML-M-1-11 - Message Encoding XML: Query, Maximum Response Size
* In addition, we have run all above test cases in XML mode.
* MSGENC-JSON-M-1-11 - Message Encoding JSON: Query, Maximum Response Size
* In addition, we have run all above test cases in JSON mode.
*
*
* KMIP Suite B Profile Version 1.0
* SUITEB_128-M-1-11 Query
* SUITEB_192-M-1-11 Query
*
*
*
* KMIP Version 1.2 Test Cases Supported
* TC-311-12 Create / Destroy
* TC-312-12 Register / Create / Get attributes / Destroy
* TC-313-12 Create / Locate / Get / Destroy
* TC-314-12 Dual Client Test Case, ID Placeholder-linked Locate & Get Batch
* TC-315-12 Register / Destroy Secret Data
* TC-32-12 Asynchronous Locate
* TC-41-12 Revoke Scenario
* TC-51-12 Get Usage Allocation Scenario
* TC-61-12 Import of a Third-party Key
* TC-71-12 Unrecognized Message Extension with Criticality Indicator False
* TC-72-12 Unrecognized Message Extension with Criticality Indicator True
* TC-81-12 Create a Key Pair
* TC-82-12 Register Both Halves of a Key Pair
* TC-91-12 Create a Key, Re-key
* TC-92-12 Existing Key Expired, Re-key with Same Life-cycle
* TC-93-12 Existing Key Compromised, Re-key with Same Life-cycle
* TC-94-12 Create Key, Re-key with New Life-cycle
* TC-95-12 Obtain Lease for Expired Key
* TC-101-12 Create a Key, Archive and Recover it
* TC-111-12 Credential, Operation Policy, Destroy Date
* TC-112-12 Device Credential, Operation Policy, Destroy Date
* TC-121-12 Query, Maximum Response Size
* TC-122-12 Query Vendor Extensions
* TC-131-12 Register an Asymmetric Key Pair in PKCS1 Format
* TC-132-12 Register an Asymmetric Key Pair and a Corresponding X509 Certificate
* TC-133-12 Create, Re-key Key Pair
* TC-134-12 Register Key Pair, Certify and Re-certify Public Key
* TC-141-12 Key Wrapping using AES Key Wrap and No Encoding
* TC-142-12 Key Wrapping using AES Key Wrap with Attributes
* TC-151-12 Locate a Fresh Object from the Default Group
* TC-152-12 Client-side Group Management
* TC-153-12 Default Object Group Member
* TC-161-12 Discover Versions
* TC-171-12 Handling of Attributes and Attribute Index Values
* TC-181-12 Digests of Symmetric Keys
* TC-182-12 Digests of RSA Private Keys
* TC-NP-1-12 Put
* TC-NP-2-12 Notify & Put
* TC-ECC-1-12 Register an ECC Key Pair
* TC-ECC-2-12 Register an ECC Key Pair in PKCS8 Format
* TC-ECC-3-12 Register an ECC Key Pair and ECDSA Certificate
* TC-PGP-1-12 Register PGP Key - RSA
* TC-MDO-1-12 Register MDO Key
* TC-MDO-2-12 Locate MDO keys by Key Value Present
* TC-MDO-3-12 Register MDO Key using PKCS11 URI
* TC-SJ-1-12 Create and Split/Join
* TC-SJ-2-12 Register and Split / Join
* TC-SJ-3-12 Join Split Keys
* TC-SJ-4-12 Register and Split / Join with XOR
*
*
* Symmetric Key Lifecycle Profile Version 1.0
* SKLC-M-1-12 Create, GetAttributes, Destroy
* SKLC-M-2-12 Create, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* SKLC-M-3-12 Create, GetAttributes, Activate, GetAttributes, ModifyAttribute, Revoke, GetAttributes, Destroy
* SKLC-O-1-12 Create, GetAttributes, Destroy, GetAttributes
*
*
* Symmetric Key Foundry for FIPS 140-2 Profile Version 1.0
* SKFF-M-1-12 Create, Destroy AES-128
* SKFF-M-2-12 Create, Destroy AES-192
* SKFF-M-3-12 Create, Destroy AES-256
* SKFF-M-4-12 Create, Destroy DES3-168
* SKFF-M-5-12 Create, Locate, Get, Destroy, Locate AES-128
* SKFF-M-6-12 Create, Locate, Get, Destroy, Locate AES-192
* SKFF-M-7-12 Create, Locate, Get, Destroy, Locate AES-256
* SKFF-M-8-12 Create, Locate, Get, Destroy, Locate DES3-168
* SKFF-M-9-12 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-128
* SKFF-M-10-12 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-192
* SKFF-M-11-12 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy AES-256
* SKFF-M-12-12 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy DES3-168
* SKFF-O-1-12 Create, Destroy SKIPJACK-80
* SKFF-O-2-12 Create, Locate, Get, Destroy, Locate SKIPJACK-80
* SKFF-O-3-12 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy SKIPJACK-80
* SKFF-O-4-12 Create, Destroy DES3-112
* SKFF-O-5-12 Create, Locate, Get, Destroy, Locate DES3-112
* SKFF-O-6-12 Create, Get, Activate, Revoke, Locate, Add/Mod/Del Attributes, Destroy DES3-112
*
*
* Asymmetric Key Lifecycle Profile Version 1.0 Supported
* AKLC-M-1-12 CreateKeyPair, GetAttributes, GetAttributes, Destroy
* AKLC-M-2-12 CreateKeyPair, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* AKLC-M-3-12 CreateKeyPair, GetAttributes, Activate, GetAttributes, Destroy, Revoke, GetAttributes, Destroy
* AKLC-O-1-12 CreateKeyPair, GetAttributes, Destroy, GetAttributes
*
*
* KMIP Opaque Managed Object Store Profile Version 1.0
* OMOS-M-1-12 Register small opaque object
* OMOS-O-1-12 Register large (>10k) opaque object
*
*
* KMIP Tape Library Profile Version 1.0
* TL-M-1-12 Configuration
* TL-M-2-12 Write with new (created) key
* TL-M-3-12 Read an encrypted tape
*
*
* Key Management Interoperability Protocol Storage Array with Self-Encrypting Drives Profile Version 1.0
* SASED-M-1-12 Configuration
* SASED-M-2-12 Register the authentication key
* SASED-M-3-12 Retrieve Authentication Key
*
*
* KMIP Cryptographic Services Profile Version 1.0 (KMIP 1.2) Supported
* CS-BC-M-1-12 Encrypt with New Symmetric Key
* CS-BC-M-2-12 Decrypt with New Symmetric Key
* CS-BC-M-3-12 Encrypt and Decrypt with New Symmetric Key
* CS-BC-M-4-12 Encrypt with Known Symmetric Key
* CS-BC-M-5-12 Decrypt with Known Symmetric Key
* CS-BC-M-6-12 Encrypt and Decrypt with Known Symmetric Key
* CS-BC-M-7-12 Encrypt with Known Symmetric Key with Usage Limits
* CS-BC-M-8-12 Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding
* CS-BC-M-9-12 Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding
* CS-BC-M-10-12 Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding and CBC
* CS-BC-M-11-12 Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding and CBC and IV
* CS-BC-M-12-12 Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding and CBC and IV
* CS-BC-M-13-12 Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding and CBC and Random IV
* CS-BC-M-14-12 Encrypt and Decrypt with Known Symmetric Key Date Checks
* CS-RNG-M-1-12 RNG Retrieve
* CS-RNG-O-1-12 Seed RNG with Server Accept
* CS-RNG-O-2-12 Seed RNG with Server Partial Accept
* CS-RNG-O-3-12 Seed RNG with Server Ignore
* CS-RNG-O-4-12 Seed RNG with Server Deny
* CS-AC-M-1-12 Sign with Known Asymmetric Key
* CS_AC_M_2_12 Signature Verify with Known Asymmetric Key
* CS-AC-M-3-12 Sign and Signature Verify with Known Asymmetric Key
* CS-AC-M-4-12 MAC with Known Key
* CS_AC_M_5_12 MAC Verify with Known Key
* CS-AC-M-6-12 MAC and MAC Verify with Known Key
* CS-AC-M-7-12 Hash
* CS-AC-M-8-12 Sign and Signature Verify with Known Asymmetric Key Date Checks
*
*
* KMIP Additional Message Encodings Version 1.2 Supported
* MSGENC-HTTPS-M-1-12 - HTTPS POST: Query, Maximum Response Size
* MSGENC-XML-M-1-12 - Message Encoding XML: Query, Maximum Response Size
* In addition, we have run all above test cases in XML mode.
* MSGENC-JSON-M-1-12 - Message Encoding JSON: Query, Maximum Response Size
* In addition, we have run all above test cases in JSON mode.
*
*
* KMIP Suite B Profile Version 1.0
* SUITEB_128-M-1-12 Query
* SUITEB_192-M-1-12 Query
*
*
*
* KMIP Version 1.3 Test Cases Supported
* TC-CREG-2-13 Retrieve Initial Client Credentials
* TC-OTP-1-13 One Time Pad support
* TC-OTP-2-13 One Time Pad support
* TC-OTP-3-13 One Time Pad support
* TC-OTP-4-13 One Time Pad support
* TC-Q-CAP-1-13 Query Server Capabilities
* TC-Q-CAP-2-13 Query Server Capabilities
* TC-Q-CREG_1-13 Query Server Client Registration Methods
* TC-Q-PROF-1-13 Query Server supported profiles
* TC-Q-PROF-2-13 Query Server supported profiles
* TC-Q-PROF-3-13 Query Server supported profiles
* TC-Q-RNGS-1-13 Query Server supported RNG
* TC-Q-RNGS-2-13 Query Server supported RNG
* TC-Q-RNGS-3-13 Query Server supported RNG
* TC-Q-RNGS-4-13 Query Server supported RNG
* TC-Q-RNGS-5-13 Query Server supported RNG
* TC-Q-S2C-1-13 Server to Client Query client capabilities
* TC-Q-S2C-2-13 Server to Client Query client supported KMIP protocol versions
* TC-Q-S2C-PROF-1-13 Server to Client Query client supported profiles
* TC-Q-S2C-PROF-2-13 Server to Client Query client supported profiles
* TC-Q-VAL-1-13 Query Server Validations
* TC-Q-VAL-2-13 Query Server Validations
* TC-RNG-ATTR-1-13 Register / Get Attributes / Destroy
* TC-RNG-ATTR-2-13 Register / Get Attributes / Destroy
* TC-STREAM-HASH-1-13 (Streaming) Hash
* TC-STREAM-HASH-2-13 (Streaming) Hash
* TC-STREAM-HASH-3-13 (Streaming) Hash
* TC-STREAM-ENC-1-13 (Streaming) Encrypt with New Symmetric Key
* TC-STREAM-ENC-2-13 (Streaming) Encrypt with Known Symmetric Key
* TC-STREAM-ENCDEC-1-13 (Streaming) Encrypt and Decrypt with Known Symmetric Key and PKCS5 Padding and CBC
*
*
* Managed Objects Supported
* Certificate, Symmetric Key, Public Key, Private Key, Split Key, Template,
* Secret Data, Opaque Object, PGP Key
*
*
* Product SKC Version 1.2.0 and greater; the customer provides OpenSSL
*
* Cryptographic Algorithms
* DES, 3DES, DES-X, AES (including counter mode), RSA, DSA, DH, HMAC-SHA1, HMAC-SHA224
* HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, HMAC-MD2, HMAC-MD4, HMAC-MD5,
* Blowfish, CAST5, IDEA, RC2, RC4, RC5, ECDSA, ECDH, ECMQV, EC
*
* Key Format Types
* Raw, Opaque, PKCS#1, PKCS#8, X.509, ECPrivateKey, Transparent Symmetric Key,
* Transparent DSA Private Key, Transparent DSA Public Key,
* Transparent RSA Private Key, Transparent RSA Public Key,
* Transparent ECDSA Private Key, Transparent ECDSA Public Key,
* Transparent ECDH Private Key, Transparent ECDH Public Key,
* Transparent ECMQV Private Key, Transparent ECMQV Public Key
*
* Certificate Types
* X.509
*

Support for the Suite B Profile

This profile is defined by the document: OASIS, "KMIP Suite B Profile Version 1.0", Candidate OASIS Standard 01, 03 February 2015

P6R's KMIP client uses the OpenSSL library for its SSL/TLS support (see http://www.openssl.org/). Our client allows the user to select the ciphers to use for SSL/TLS via the API call:

* setSSLOptions( const P6WCHAR* pCiphers, P6SECURESOCKETFLAGS fSecureFlags )
*
* where the "pCiphers" parameter is a pointer to a NULL terminated wide character string containing the OpenSSL
* cipher command (see http://www.openssl.org/docs/apps/ciphers.html). If the pCiphers parameter is NULL, then the
* secure default will automatically be used: "TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH", which enables
* SSLv3 and TLSv1, disables SSLv2, disables ciphers that do not use authentication, disables 3DES, and prefers
* the strongest ciphers first.
*
* The setSSLOptions() API call is made before the open() call creating the connection to the KMIP server.
* Here are two examples of properly setting the Suite B cipher.
*
* p6IKMIPClient* pClient;
*
* err = pClient->setSSLOptions( P6TEXT("ECDHE-ECDSA-AES128-GCM-SHA256"), (P6SSF_METHOD_NEGOTIATE | P6SSF_SECURE_CLIENT | P6SSF_SECURE_CLIENT_AUTH ));
* OR
* err = pClient->setSSLOptions( P6TEXT("ECDHE-ECDSA-AES256-GCM-SHA384"), (P6SSF_METHOD_NEGOTIATE | P6SSF_SECURE_CLIENT | P6SSF_SECURE_CLIENT_AUTH ));
*

The only constraint is that the ciphers specified in the setSSLOptions API call are supported by the OpenSSL library in use (which is provided by the customer).

The accepted cipher suites for Suite B are (IANA suite name, followed by the OpenSSL name used in the cipher string):

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256    ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    ECDHE-ECDSA-AES256-GCM-SHA384
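The constraint above (the cipher string must be supported by the OpenSSL build actually in use) is easy to check before the value ever reaches setSSLOptions(). The following is an added example, not P6R code and not part of this guide; it uses Python's ssl module, which hands the string to the same OpenSSL cipher-string parser (SSL_CTX_set_cipher_list) that the C++ client relies on, so running it against the deployed OpenSSL shows which suites the library will really negotiate. The helper names (resolve_cipher_string, check_suite_b_policy) and the assumption that the interpreter is linked against the customer's OpenSSL are this example's own; the two suite names come from the table above.

```python
import ssl

# Suite B TLS cipher suites as listed on the page: IANA name -> OpenSSL name.
SUITE_B_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def openssl_cipher_name(iana_name):
    """Translate an IANA suite name to the OpenSSL name setSSLOptions() expects.

    Raises KeyError for anything outside Suite B, so a typo cannot silently
    widen the cipher policy.
    """
    return SUITE_B_CIPHERS[iana_name]


def resolve_cipher_string(cipher_string):
    """Return the TLS 1.2-and-earlier cipher names the linked OpenSSL enables
    for an OpenSSL cipher string, in the library's preference order.

    An empty list means the library rejected the string outright, which is
    what the customer-supplied OpenSSL would do inside the client as well.
    TLS 1.3 suites are configured separately by OpenSSL and are unaffected
    by the cipher string, so they are filtered out here (assumption: the
    interpreter is linked against the same OpenSSL the client will use).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_suite_b_policy(cipher_string):
    """Pre-flight check for the pCiphers value passed to setSSLOptions().

    Returns (ok, enabled, unexpected):
      ok         True only if at least one suite is enabled and every enabled
                 suite is one of the two Suite B suites
      enabled    the OpenSSL names the library will actually negotiate
      unexpected enabled names that are not Suite B (policy drift)
    """
    enabled = resolve_cipher_string(cipher_string)
    allowed = set(SUITE_B_CIPHERS.values())
    unexpected = [name for name in enabled if name not in allowed]
    ok = bool(enabled) and not unexpected
    return ok, enabled, unexpected


if __name__ == "__main__":
    # Constructed inputs: the two Suite B strings from the guide, a string
    # that drifts outside Suite B, and the guide's documented default.
    for cs in ("ECDHE-ECDSA-AES128-GCM-SHA256",
               "ECDHE-ECDSA-AES256-GCM-SHA384",
               "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
               "TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"):
        ok, enabled, unexpected = check_suite_b_policy(cs)
        print(f"{cs!r}: suite_b={ok} enabled={len(enabled)} unexpected={unexpected}")
```

The cipher string only governs TLS 1.2 and earlier; an OpenSSL that negotiates TLS 1.3 picks from a separate ciphersuite list, so a Suite B deployment on a newer library needs that list (or the protocol maximum) pinned as well, which this API parameter does not cover.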

Lastly, the proper KMIP server generated Suite B credentials also have to be provided by the server and passed to the P6R KMIP SDK. These include the server's root certificate, the client certificate and private key.