Web Services PKCS #11 library compliance with the PKCS #11 specification
Supported functions
The following sections list the PKCS #11 functions supported by the PKCS #11 library. For a list of supported mechanisms, see Mechanisms.
General purpose functions
The following functions perform as described in the PKCS #11 specification:
- C_Finalize
- C_GetInfo
- C_GetFunctionList
- C_Initialize
Slot and token management functions
The following functions perform as described in the PKCS #11 specification:
- C_GetSlotInfo
- C_GetTokenInfo
- C_GetMechanismList
- C_GetMechanismInfo
- C_GetSlotList

C_GetSlotList returns a list of slot IDs. You cannot make any assumptions about the values of these handles. These handles are not equivalent to the slot numbers returned by the Web Services server.
Standard session management functions
The following functions perform as described in the PKCS #11 specification:
- C_OpenSession
- C_CloseSession
- C_CloseAllSessions
- C_Login
- C_Logout
- C_GetSessionInfo
Object management functions
The following functions perform as described in the PKCS #11 specification:
- C_CreateObject
- C_DestroyObject
- C_GetAttributeValue
- C_FindObjectsInit
- C_FindObjects
- C_FindObjectsFinal

C_FindObjects only returns objects that are supported by the PKCS #11 library. It does not list keys with the CKO_PUBLIC_KEY or CKO_PRIVATE_KEY object classes.
Encryption functions
The following functions perform as described in the PKCS #11 specification:
- C_EncryptInit
- C_Encrypt
Decryption functions
The following functions perform as described in the PKCS #11 specification:
- C_DecryptInit
- C_Decrypt
Sign functions
The following functions perform as described in the PKCS #11 specification:
- C_SignInit
- C_Sign
Verify functions
The following functions perform as described in the PKCS #11 specification:
- C_VerifyInit
- C_Verify
Key-management functions
The following function performs as described in the PKCS #11 specification:
- C_GenerateKey

C_CreateObject should not be used to create any key objects. Use C_GenerateKey to generate a secret key object. C_GenerateKey will only generate key types supported by the PKCS #11 library.

String fields such as CKA_LABEL and CKA_APPLICATION should not contain any HTML characters, for example <, > or &, as this can result in those values becoming corrupted when they are retrieved later.
Objects
The following table lists the objects currently supported by the PKCS #11 library.
| Object | Notes |
|---|---|
| | |
| | |
| | |
| | |
| | |
| | |
Mechanisms
The following table lists the mechanisms currently supported by the PKCS #11 library and the functions available to each one.
| Mechanism | Encrypt & Decrypt | Sign & Verify | SR & VR | Digest | Gen. Key/Key Pair | Wrap & Unwrap | Derive Key |
|---|---|---|---|---|---|---|---|
| | Y | — | — | — | — | — | — |
| | Y | — | — | — | — | — | — |
| | — | — | — | — | Y | — | — |
| | — | Y | — | — | — | — | — |
| | — | Y | — | — | — | — | — |
| | — | Y | — | — | — | — | — |
| | — | Y | — | — | — | — | — |
| | — | Y | — | — | — | — | — |
| | — | Y | — | — | — | — | — |
| | — | — | — | — | Y | — | — |
| | — | — | — | — | Y | — | — |
| | — | — | — | — | Y | — | — |

In this table:
- Y indicates that the function is supported by the mechanism.
- — indicates that the function is not supported by the mechanism.
The AES mechanisms support three different key sizes: 16, 24, and 32 bytes. For non-padded AES mechanisms the plaintext size must be a multiple of the block size (16 bytes).

HMAC_GENERAL mechanisms support signature lengths ranging from half the output size to the full output size. For example, CKM_SHA256_HMAC_GENERAL supports outputs in the range 16-32 bytes.

For more information, including minimum and maximum key sizes, run ckmechinfo, described under Utilities in the Web Services PKCS #11 library.
Attributes
All templates used to create objects or generate keys must contain the following attributes because there is currently no PKCS #11 library support for session or public objects:
| Object Attributes | Required | Notes |
|---|---|---|
| | Y | Must be |
| | Y | Must be |
Data object creation is supported:
| Data Object Attributes | Required | Notes |
|---|---|---|
| | Y | Must be |
| | N | |
| | N | |
| | N | |
X.509 public certificate object creation is supported:

| X.509 Certificate Attributes | Required | Notes |
|---|---|---|
| | Y | Must be |
| | Y | Must be |
| | Y | |
| | Y | |
| | N | |
| | N | |
| | N | |
The PKCS #11 library supports generation of the following key types:
- CKK_AES
- CKK_SHA256_HMAC
- CKK_SHA384_HMAC
- CKK_SHA512_HMAC

| Key Attributes | Required | Notes |
|---|---|---|
| | Y | Must be |
| | Y | See list above |
| | Y | |
| | Y | |
| | N | Should be |
| | N | Should be |
| | N | Should be |
| | N | Should be |
| | N | Function not used in PKCS #11 library |
| | N | Function not used in PKCS #11 library |
You should set these attributes to false while creating an object, if provided:
- CKA_DERIVE
- CKA_EXTRACTABLE
- CKA_COPYABLE
- CKA_TRUSTED
- CKA_UNWRAP
- CKA_WRAP
- CKA_WRAP_WITH_TRUSTED

You should set these attributes to true while creating an object, if provided:
- CKA_ALWAYS_SENSITIVE
- CKA_NEVER_EXTRACTABLE
- CKA_LOCAL
- CKA_SENSITIVE

The attributes not listed above or in the tables are currently not supported.

The PKCS #11 library only supports token objects, not session objects.
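An added pre-flight check, not code from this page or from the library itself, that enforces the template rules above (token and private objects only, the supported key types and AES key sizes, the attributes that should be false or true) together with the earlier note that CKA_LABEL must not contain <, > or &, so a bad template is refused before it is handed to C_GenerateKey. It inlines the standard PKCS #11 constant values instead of including pkcs11.h and assumes the library's supported key types are exactly those listed here; demo_template_check builds a constructed sample template.

```c
#include <string.h>
/* Standard PKCS #11 values inlined so this compiles without pkcs11.h (real code includes the
 * library's header). Assumption: the key types and attribute rules are those listed on this page. */
typedef unsigned long CK_ULONG; typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CK_FALSE = 0, CK_TRUE = 1, CKA_TOKEN = 0x1, CKA_PRIVATE = 0x2, CKA_LABEL = 0x3,
       CKA_KEY_TYPE = 0x100, CKA_SENSITIVE = 0x103, CKA_WRAP = 0x106, CKA_UNWRAP = 0x107,
       CKA_DERIVE = 0x10c, CKA_VALUE_LEN = 0x161, CKA_EXTRACTABLE = 0x162,
       CKA_NEVER_EXTRACTABLE = 0x164, CKA_ALWAYS_SENSITIVE = 0x165, CKK_AES = 0x1f,
       CKK_SHA256_HMAC = 0x2b, CKK_SHA384_HMAC = 0x2c, CKK_SHA512_HMAC = 0x2d };
static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}
static int bool_is(const CK_ATTRIBUTE *a, CK_BBOOL want) {
    return a && a->ulValueLen == sizeof(CK_BBOOL) && *(const CK_BBOOL *)a->pValue == want;
}
static CK_ULONG ulong_of(const CK_ATTRIBUTE *a) {  /* 0 when absent or malformed */
    return (a && a->ulValueLen == sizeof(CK_ULONG)) ? *(const CK_ULONG *)a->pValue : 0;
}
/* Pre-flight check of a C_GenerateKey template: 0 if it meets the page's rules, else a code
 * for the first rule broken, so a bad template is refused before it reaches the token. */
int check_secret_key_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    static const CK_ULONG must_be_false[] = { CKA_DERIVE, CKA_EXTRACTABLE, CKA_WRAP, CKA_UNWRAP };
    static const CK_ULONG should_be_true[] = { CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE };
    const CK_ATTRIBUTE *a;
    CK_ULONG kt = ulong_of(find_attr(t, n, CKA_KEY_TYPE)), len = ulong_of(find_attr(t, n, CKA_VALUE_LEN));
    if (!bool_is(find_attr(t, n, CKA_TOKEN), CK_TRUE)) return 1;    /* token objects only */
    if (!bool_is(find_attr(t, n, CKA_PRIVATE), CK_TRUE)) return 2;  /* no public objects */
    if (kt != CKK_AES && kt != CKK_SHA256_HMAC && kt != CKK_SHA384_HMAC && kt != CKK_SHA512_HMAC) return 3;
    if (kt == CKK_AES && len != 16 && len != 24 && len != 32) return 4;  /* supported AES sizes */
    for (size_t i = 0; i < 4; i++)  /* refuse extractable or wrappable keys up front */
        if ((a = find_attr(t, n, must_be_false[i])) && !bool_is(a, CK_FALSE)) return 5;
    for (size_t i = 0; i < 3; i++)
        if ((a = find_attr(t, n, should_be_true[i])) && !bool_is(a, CK_TRUE)) return 6;
    a = find_attr(t, n, CKA_LABEL);  /* <, > and & corrupt the label when read back */
    if (a && (memchr(a->pValue, '<', a->ulValueLen) || memchr(a->pValue, '>', a->ulValueLen) ||
              memchr(a->pValue, '&', a->ulValueLen))) return 7;
    return 0;
}
/* Constructed sample: a 256-bit AES token key; bad_extractable=1 sets CKA_EXTRACTABLE true. */
int demo_template_check(int bad_extractable) {
    static CK_BBOOL yes = CK_TRUE; static CK_ULONG kt = CKK_AES, len = 32;
    static char label[] = "app-data-key"; CK_BBOOL extractable = bad_extractable ? CK_TRUE : CK_FALSE;
    CK_ATTRIBUTE t[] = {
        { CKA_TOKEN, &yes, 1 }, { CKA_PRIVATE, &yes, 1 }, { CKA_KEY_TYPE, &kt, sizeof kt },
        { CKA_VALUE_LEN, &len, sizeof len }, { CKA_SENSITIVE, &yes, 1 },
        { CKA_EXTRACTABLE, &extractable, 1 }, { CKA_LABEL, label, sizeof label - 1 } };
    return check_secret_key_template(t, sizeof t / sizeof t[0]);
}
```

The check runs entirely on the caller's side, so it cannot replace the token's own attribute validation; it only stops templates the page says this library will not accept from being sent at all.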