Web Services PKCS #11 library compliance with the PKCS #11 specification

Supported functions

The following sections list the PKCS #11 functions supported by the PKCS #11 library. For a list of supported mechanisms, see Mechanisms.

General purpose functions

The following functions perform as described in the PKCS #11 specification:

  • C_Finalize

  • C_GetInfo

  • C_GetFunctionList

  • C_Initialize.

Slot and token management functions

The following functions perform as described in the PKCS #11 specification:

  • C_GetSlotInfo

  • C_GetTokenInfo

  • C_GetMechanismList

  • C_GetMechanismInfo

  • C_GetSlotList.

C_GetSlotList returns a list of slot IDs. You cannot make any assumptions about the values of these handles. These handles are not equivalent to the slot numbers returned by the Web Services server.

Standard session management functions

The following functions perform as described in the PKCS #11 specification:

  • C_OpenSession

  • C_CloseSession

  • C_CloseAllSessions

  • C_Login

  • C_Logout

  • C_GetSessionInfo

Object management functions

The following functions perform as described in the PKCS #11 specification:

  • C_CreateObject

  • C_DestroyObject

  • C_GetAttributeValue

  • C_FindObjectsInit

  • C_FindObjects

  • C_FindObjectsFinal

C_FindObjects only returns objects that are supported by the PKCS #11 library. It does not list keys with the CKO_PUBLIC_KEY or CKO_PRIVATE_KEY object classes.

Encryption functions

The following functions perform as described in the PKCS #11 specification:

  • C_EncryptInit

  • C_Encrypt

Decryption functions

The following functions perform as described in the PKCS #11 specification:

  • C_DecryptInit

  • C_Decrypt

Sign functions

The following functions perform as described in the PKCS #11 specification:

  • C_SignInit

  • C_Sign

Verify functions

The following functions perform as described in the PKCS #11 specification:

  • C_VerifyInit

  • C_Verify

Key-management functions

The following function performs as described in the PKCS #11 specification:

  • C_GenerateKey

C_CreateObject should not be used to create any key objects. Use C_GenerateKey to generate a secret key object.

C_GenerateKey will only generate key types supported by the PKCS #11 library.

String fields such as CKA_LABEL and CKA_APPLICATION should not contain any HTML character for example <, > or & as this can result in those values becoming corrupted when they are retrieved later.

Objects

The following table lists the objects currently supported by the PKCS #11 library.

Object Notes

CKO_DATA

CKO_CERTIFICATE

CKC_X_509 only

CKO_SECRET_KEY

CKK_AES CKK_SHA256_HMAC CKK_SHA384_HMAC CKK_SHA512_HMAC

Mechanisms

The following table lists the mechanisms currently supported by the PKCS #11 library and the functions available to each one.

Mechanism Encrypt & Decrypt Sign & Verify SR & VR Digest Gen. Key/Key Pair Wrap & Unwrap Derive Key

CKM_AES_CBC_PAD

Y

CKM_AES_CBC

Y

CKM_AES_KEY_GEN

Y

CKM_SHA256_HMAC

Y

CKM_SHA256_HMAC_GENERAL

Y

CKM_SHA384_HMAC

Y

CKM_SHA384_HMAC_GENERAL

Y

CKM_SHA512_HMAC

Y

CKM_SHA512_HMAC_GENERAL

Y

CKM_SHA256_KEY_GEN

Y

CKM_SHA384_KEY_GEN

Y

CKM_SHA512_KEY_GEN

Y

In this table:

  • Y indicates that the function is supported by the mechanism.

  • indicates that the function is not supported by the mechanism.

The AES mechanisms support three different key sizes: 16, 24, and 32 bytes. For non-padded AES mechanisms the plaintext size must be a multiple of the block size (16 bytes).

HMAC_GENERAL mechanisms support signature lengths ranging from half the output size to the full output size. For example CKM_SHA256_HMAC_GENERAL supports outputs in the range 16-32 bytes.

For more information, including minimum and maximum key sizes, run ckmechinfo in Utilities in the Web Services PKCS #11 library.

Attributes

All templates used to create objects or generate keys must contain the following attributes because there is currently no PKCS #11 library support for session or public objects:

Object Attributes Required Notes

CKA_TOKEN

Y

Must be CK_TRUE

CKA_PRIVATE

Y

Must be CK_TRUE

Data object creation is supported:

Data Object Attributes Required Notes

CKA_CLASS

Y

Must be CKO_DATA

CKA_APPLICATION

N

CKA_OBJECT_ID

N

CKA_VALUE

N

The X.509 public object certificate creation is supported:

X.509 Certificate Attributes Required Notes

CKA_CLASS

Y

Must be CKO_CERTIFICATE

CKA_CERTIFICATE_TYPE

Y

Must be CKC_X_509

CKA_VALUE

Y

CKA_SUBJECT

Y

CKA_START_DATE

N

CKA_END_DATE

N

CKA_ISSUER

N

The PKCS #11 library supports generation of the following key types:

  • CKK_AES

  • CKK_SHA256_HMAC

  • CKK_SHA384_HMAC

  • CKK_SHA512_HMAC

Key Attributes Required Notes

CKA_CLASS

Y

Must be CKO_SECRET_KEY

CKA_KEY_TYPE

Y

See list above

CKA_VALUE_LEN

Y

CKA_LABEL

Y

CKA_ENCRYPT

N

Should be CK_TRUE for AES

CKA_DECRYPT

N

Should be CK_TRUE for AES

CKA_SIGN

N

Should be CK_TRUE for HMAC

CKA_VERIFY

N

Should be CK_TRUE for HMAC

CKA_WRAP

N

Function not used in PKCS #11 library

CKA_UNWRAP

N

Function not used in PKCS #11 library

You should set these attributes to false while creating an object, if provided:

  • CKA_DERIVE

  • CKA_EXTRACTABLE

  • CKA_COPYABLE

  • CKA_TRUSTED

  • CKA_UNWRAP

  • CKA_WRAP

  • CKA_WRAP_WITH_TRUSTED

You should set these attributes to true while creating an object, if provided:

  • CKA_ALWAYS_SENSITIVE

  • CKA_NEVER_EXTRACTABLE

  • CKA_LOCAL

  • CKA_SENSITIVE

The attributes not listed above or in tables are currently not supported.

The PKCS #11 library only supports token objects, not session objects.