Vendor annotations on P11 mechanisms

Vendor notes on PKCS #11 mechanisms to complement the specification.

CKM_RSA_PKCS_OAEP

The hashAlg and the mgf values specified by CK_RSA_PKCS_OAEP_PARAMS must have the same SHA hash size. If they do not have the same hash size, then the encryption or decryption fails with a return value of CKR_MECHANISM_PARAM_INVALID. The supported pairs of values are as follows:

hashAlg mgf

CKM_SHA_1

CKG_MGF1_SHA1

CKM_SHA224

CKG_MGF1_SHA224

CKM_SHA256

CKG_MGF1_SHA256

CKM_SHA384

CKG_MGF1_SHA384

CKM_SHA512

CKG_MGF1_SHA512

CKM_SHA3_224

CKG_MGF1_SHA3_224

CKM_SHA3_256

CKG_MGF1_SHA3_256

CKM_SHA3_384

CKG_MGF1_SHA3_384

CKM_SHA3_512

CKG_MGF1_SHA3_512

For a hash length h and RSA modulus length k in bytes, the longest message that can be encrypted is k-2h-2 bytes long.

CKM_RSA_PKCS_PSS and CKM_SHA*_RSA_PKCS_PSS

The hashAlg and the mgf values specified by CK_RSA_PKCS_PSS_PARAMS must have the same SHA hash size. If they do not have the same hash size, then the signing or verifying fails with a return value of CKR_MECHANISM_PARAM_INVALID.

The sLen value is expected to be the length of the message hash in bytes. If this is not the case, then the signing or verify again fails with a return value of CKR_MECHANISM_PARAM_INVALID.

The supported sets of values for hashAlg, mgf and sLen are as follows:

hashAlg mgf sLen

CKM_SHA_1

CKG_MGF1_SHA1

20

CKM_SHA224

CKG_MGF1_SHA224

28

CKM_SHA256

CKG_MGF1_SHA256

32

CKM_SHA384

CKG_MGF1_SHA384

48

CKM_SHA512

CKG_MGF1_SHA512

64

CKM_SHA3_224

CKG_MGF1_SHA3_224

28

CKM_SHA3_256

CKG_MGF1_SHA3_256

32

CKM_SHA3_384

CKG_MGF1_SHA3_384

48

CKM_SHA3_512

CKG_MGF1_SHA3_512

64

To use a mechanism with SHA hash size n bits, the public modulus of the RSA key must be at least 2n+2 bits long.