Clients: PKCS#11 Supported Functions and Mechanisms

  • Updated on Apr 2, 2025
  • Published on Jun 21, 2024
  • 1 minute(s) read

1.0 PKCS#11 Library

This article describes the functions and mechanisms supported by PKCS#11 library.

1.1 Assumptions for PKCS11 library

The following are some assumptions for the PKCS#11 library:

  • There are 32 slots in Fortanix HSM, and all have a token that is already initialized. C_InitToken should fail, and the PIN on the token cannot be changed. You must use the Fortanix-provided authorization key as the PIN.

    • Multiple slots can be advantageous when dealing with multiple groups or endpoints. Basically, you can specify a separate config or pin for each slot during C_Login. Of course, you can always use C_Login and C_Logout with a single slot, but multiple slots can allow you to do the same concurrently.

  • Nobody can log in as a Security Officer (SO). Fortanix returns CKR_PIN_INCORRECT when someone tries to log in as an SO.

  • Session objects are deleted when the session is closed, but if the session is terminated in between, session objects will persist in the backend.

  • All objects are created as private. Fortanix does not support the creation of public objects.

  • Key handles are specific to a session and cannot be used across sessions.

  • If C_Digest is called before C_Login, we use the hashing functions from the OpenSSL library to compute the digest locally.

1.2 Mechanisms Supported

The following are the supported mechanisms for the PKCS#11 library:

  • CKM_AES_CBC

  • CKM_AES_CBC_ENCRYPT_DATA

  • CKM_AES_CBC_PAD

  • CKM_AES_CFB128

  • CKM_AES_CMAC

  • CKM_AES_ECB

  • CKM_AES_ECB_ENCRYPT_DATA

  • CKM_AES_GCM

  • CKM_AES_KEY_GEN

  • CKM_AES_OFB

  • CKM_DES2_KEY_GEN

  • CKM_DES3_CBC

  • CKM_DES3_CBC_ENCRYPT_DATA

  • CKM_DES3_CBC_PAD

  • CKM_DES3_ECB

  • CKM_DES3_ECB_ENCRYPT_DATA

  • CKM_DES3_KEY_GEN

  • CKM_DES_CBC

  • CKM_DES_CBC_ENCRYPT_DATA

  • CKM_DES_CBC_PAD

  • CKM_DES_CFB64

  • CKM_DES_ECB

  • CKM_DES_ECB_ENCRYPT_DATA

  • CKM_DES_KEY_GEN

  • CKM_DES_OFB64

  • CKM_ECDH1_DERIVE

  • CKM_ECDSA

  • CKM_ECDSA_KEY_PAIR_GEN

  • CKM_ECDSA_SHA224

  • CKM_ECDSA_SHA256

  • CKM_ECDSA_SHA384

  • CKM_ECDSA_SHA512

  • CKM_EC_EDWARDS_KEY_PAIR_GEN

  • CKM_EDDSA

  • CKM_GENERIC_SECRET_KEY_GEN

  • CKM_RSA_PKCS

  • CKM_RSA_PKCS_KEY_PAIR_GEN

  • CKM_RSA_PKCS_OAEP

  • CKM_RSA_PKCS_PSS

  • CKM_RSA_X_509

  • CKM_SHA_1

  • CKM_SHA_1_HMAC

  • CKM_SHA1_RSA_PKCS

  • CKM_SHA1_RSA_PKCS_PSS

  • CKM_SHA224

  • CKM_SHA224_HMAC

  • CKM_SHA224_RSA_PKCS

  • CKM_SHA224_RSA_PKCS_PSS

  • CKM_SHA256

  • CKM_SHA256_HMAC

  • CKM_SHA256_RSA_PKCS

  • CKM_SHA256_RSA_PKCS_PSS

  • CKM_SHA384

  • CKM_SHA384_HMAC

  • CKM_SHA384_RSA_PKCS

  • CKM_SHA384_RSA_PKCS_PSS

  • CKM_SHA512

  • CKM_SHA512_HMAC

  • CKM_SHA512_RSA_PKCS

  • CKM_SHA512_RSA_PKCS_PSS

  • CKM_RSA_X9_31_KEY_PAIR_GEN

1.3 Exposed Functions

The following table describes the PKCS#11 functions and whether they are supported in a regular Fortanix-Data-Security-Manager (DSM) group:

FUNCTIONS

SUPPORT AGAINST REGULAR DSM GROUPS (non-external groups)

General Purpose Functions

  • C_Finalize

  • C_Initialize

  • C_GetInfo

  • C_GetFunctionList

All supported

Slot and Token Management Functions 

  • C_GetSlotInfo

  • C_GetSlotList

  • C_GetTokenInfo

  • C_WaitForSlotEvent

  • C_GetMechanismInfo

  • C_GetMechanismList

  • C_InitPIN

  • C_InitToken

  • C_SetPIN

Session Management Functions

  • C_GetOperationState

  • C_GetSessionInfo

  • C_Login

  • C_Logout

  • C_OpenSession

  • C_CloseAllSessions

  • C_CloseSession

  • C_SetOperationState

 

All supported except C_GetOperationState


and C_SetOperationState.

Object Management Functions

  • C_CopyObject

  • C_CreateObject

  • C_DestroyObject

  • C_GetObjectSize

  • C_GetAttributeValue

  • C_SetAttributeValue

  • C_FindObjects

  • C_FindObjectsFinal

  • C_FindObjectsInit

 

All supported except C_CopyObject


and C_GetObjectSize.


Encryption/Decryption Functions

  • C_Decrypt

  • C_DecryptFinal

  • C_DecryptInit

  • C_DecryptUpdate

  • C_Encrypt

  • C_EncryptFinal

  • C_EncryptInit

  • C_EncryptUpdate

All supported.

Message Digesting Functions 

  • C_DigestFinal

  • C_DigestInit

  • C_DigestKey

  • C_DigestUpdate

  • C_Digest

All supported except C_DigestKey.

Sign and Verify Functions

  • C_SignFinal

  • C_SignInit

  • C_SignRecover

  • C_SignRecoverInit

  • C_SignUpdate

  • C_Sign

  • C_Verify

  • C_VerifyFinal

  • C_VerifyInit

  • C_VerifyRecover

  • C_VerifyRecoverInit

  • C_VerifyUpdate

All supported except C_SignRecover, C_SignRecoverInit,

C_VerifyRecover and C_VerifyRecoverInit.

Dual Purpose Functions 

  • C_DecryptDigestUpdate

  • C_DecryptVerifyUpdate

  • C_DigestEncryptUpdate

  • C_SignEncryptUpdate

None supported

Key Management Functions 

  • C_GenerateKey

  • C_GenerateKeyPair

  • C_UnwrapKey

  • C_WrapKey

  • C_DeriveKey

All supported

RNG Functions

  • C_SeedRandom

  • C_GenerateRandom

 

All supported

Parallel Function Management Functions

  • C_CancelFunction

  • C_GetFunctionStatus

 

None supported

Related articles