1. Fortanix
  2. Fortanix Data Security Manager (DSM)
  3. Developer Zone

PKCS#11 - Supported Functions and Mechanisms

Last Updated: 

PKCS#11 Library

This article describes the functions and mechanisms supported by PKCS#11 library.

Assumptions for PKCS11 library

Following are some assumptions for the PKCS#11 library.

  • There are 32 slots in Fortanix HSM, and all have a token that is already initialized. C_InitToken should fail, and the PIN on the token cannot be changed. You must use the Fortanix-provided authorization key as the PIN.
    • Multiple slots can be advantageous when dealing with multiple groups or endpoints. Basically, you can specify a separate config or pin for each slot during C_Login. Of course, you can always use C_Login and C_Logout with a single slot, but multiple slots can allow you to do the same concurrently.
  • Nobody can log in as a Security Officer (SO). Fortanix returns CKR_PIN_INCORRECT when someone tries to log in as an SO.
  • Session objects are deleted when the session is closed, but if the session is terminated in between, session objects will persist in the backend.
  • All objects are created as private. Fortanix does not support the creation of public objects.
  • Key handles are specific to a session and cannot be used across sessions.
  • If C_Digest is called before C_Login, we use the hashing functions from the OpenSSL library to compute the digest locally.

Mechanisms Supported

Following are the supported mechanisms for the PKCS#11 library.

  • CKM_AES_CBC
  • CKM_AES_CBC_ENCRYPT_DATA
  • CKM_AES_CBC_PAD
  • CKM_AES_CFB128
  • CKM_AES_CMAC
  • CKM_AES_ECB
  • CKM_AES_ECB_ENCRYPT_DATA
  • CKM_AES_GCM
  • CKM_AES_KEY_GEN
  • CKM_AES_OFB
  • CKM_DES2_KEY_GEN
  • CKM_DES3_CBC
  • CKM_DES3_CBC_ENCRYPT_DATA
  • CKM_DES3_CBC_PAD
  • CKM_DES3_ECB
  • CKM_DES3_ECB_ENCRYPT_DATA
  • CKM_DES3_KEY_GEN
  • CKM_DES_CBC
  • CKM_DES_CBC_ENCRYPT_DATA
  • CKM_DES_CBC_PAD
  • CKM_DES_CFB64
  • CKM_DES_ECB
  • CKM_DES_ECB_ENCRYPT_DATA
  • CKM_DES_KEY_GEN
  • CKM_DES_OFB64
  • CKM_ECDH1_DERIVE
  • CKM_ECDSA
  • CKM_ECDSA_KEY_PAIR_GEN
  • CKM_ECDSA_SHA224
  • CKM_ECDSA_SHA256
  • CKM_ECDSA_SHA384
  • CKM_ECDSA_SHA512
  • CKM_EC_EDWARDS_KEY_PAIR_GEN
  • CKM_EDDSA
  • CKM_GENERIC_SECRET_KEY_GEN
  • CKM_RSA_PKCS
  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_RSA_PKCS_OAEP
  • CKM_RSA_PKCS_PSS
  • CKM_RSA_X_509
  • CKM_SHA_1
  • CKM_SHA_1_HMAC
  • CKM_SHA1_RSA_PKCS
  • CKM_SHA1_RSA_PKCS_PSS
  • CKM_SHA224
  • CKM_SHA224_HMAC
  • CKM_SHA224_RSA_PKCS
  • CKM_SHA224_RSA_PKCS_PSS
  • CKM_SHA256
  • CKM_SHA256_HMAC
  • CKM_SHA256_RSA_PKCS
  • CKM_SHA256_RSA_PKCS_PSS
  • CKM_SHA384
  • CKM_SHA384_HMAC
  • CKM_SHA384_RSA_PKCS
  • CKM_SHA384_RSA_PKCS_PSS
  • CKM_SHA512
  • CKM_SHA512_HMAC
  • CKM_SHA512_RSA_PKCS
  • CKM_SHA512_RSA_PKCS_PSS
  • CKM_RSA_X9_31_KEY_PAIR_GEN

Exposed Functions

The following table describes the PKCS#11 functions and whether they are supported in a regular Fortanix DSM group.

FUNCTIONS SUPPORT AGAINST REGULAR DSM GROUPS (non-external groups)

General Purpose Functions

  • C_Finalize
  • C_Initialize
  • C_GetInfo
  • C_GetFunctionList
 All supported

Slot and Token Management Functions 

  • C_GetSlotInfo
  • C_GetSlotList
  • C_GetTokenInfo
  • C_WaitForSlotEvent
  • C_GetMechanismInfo
  • C_GetMechanismList
  • C_InitPIN
  • C_InitToken
  • C_SetPIN

Session Management Functions

  • C_GetOperationState
  • C_GetSessionInfo
  • C_Login
  • C_Logout
  • C_OpenSession
  • C_CloseAllSessions
  • C_CloseSession
  • C_SetOperationState

 

 All supported except C_GetOperationState
and C_SetOperationState.

Object Management Functions

  • C_CopyObject
  • C_CreateObject
  • C_DestroyObject
  • C_GetObjectSize
  • C_GetAttributeValue
  • C_SetAttributeValue
  • C_FindObjects
  • C_FindObjectsFinal
  • C_FindObjectsInit

 

 All supported except C_CopyObject
and C_GetObjectSize.

Encryption/Decryption Functions

  • C_Decrypt
  • C_DecryptFinal
  • C_DecryptInit
  • C_DecryptUpdate
  • C_Encrypt
  • C_EncryptFinal
  • C_EncryptInit
  • C_EncryptUpdate
 All supported.

Message Digesting Functions 

  • C_DigestFinal
  • C_DigestInit
  • C_DigestKey
  • C_DigestUpdate
  • C_Digest
 All supported except C_DigestKey.

Sign and Verify Functions

  • C_SignFinal
  • C_SignInit
  • C_SignRecover
  • C_SignRecoverInit
  • C_SignUpdate
  • C_Sign
  • C_Verify
  • C_VerifyFinal
  • C_VerifyInit
  • C_VerifyRecover
  • C_VerifyRecoverInit
  • C_VerifyUpdate
 All supported except C_SignRecover, C_SignRecoverInit,

C_VerifyRecover and C_VerifyRecoverInit.

Dual Purpose Functions 

  • C_DecryptDigestUpdate
  • C_DecryptVerifyUpdate
  • C_DigestEncryptUpdate
  • C_SignEncryptUpdate
 None supported

Key Management Functions 

  • C_GenerateKey
  • C_GenerateKeyPair
  • C_UnwrapKey
  • C_WrapKey
  • C_DeriveKey
 All supported

RNG Functions

  • C_SeedRandom
  • C_GenerateRandom

 

 All supported

Parallel Function Management Functions

  • C_CancelFunction
  • C_GetFunctionStatus

 

 None supported

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful