Appendix A: Supported Algorithms
The following table lists the Java™ algorithms supported by the IBMPKCS11Impl provider and corresponding PKCS#11 mechanisms needed to support them. When multiple mechanisms are listed, they are given in the order of preference and any one of them is sufficient. The algorithms that are supported by the IBMPKCS11Impl provider for a given hardware cryptographic card are determined by the intersection of the cryptographic mechanisms that each supports.
| Java Algorithm | PKCS#11 Mechanisms |
|---|---|
| Signature.MD2withRSA | CKM_MD2_RSA_PKCS |
| Signature.MD5withRSA | CKM_MD5_RSA_PKCS |
 Signature.RSAPSS |
CKM_SHA1_RSA_PKCS_PSS, CKM_SHA224_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS,
CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS |
| Signature.SHA1withECDSA | CKM_ECDSA |
| Signature.SHA224withECDSA | CKM_ECDSA |
| Signature.SHA256withECDSA | CKM_ECDSA |
| Signature.SHA384withECDSA | CKM_ECDSA |
| Signature.SHA512withRSA | CKM_ECDSA |
| Signature.SHA1withRSA | CKM_SHA1_RSA_PKCS |
| Signature.SHA224withRSA | CKM_SHA224_RSA_PKCS |
| Signature.SHA256withRSA | CKM_SHA256_RSA_PKCS |
| Signature.SHA384withRSA | CKM_SHA384_RSA_PKCS |
| Signature.SHA512withRSA | CKM_SHA512_RSA_PKCS |
| Signature.SHA1withDSA | CKM_DSA_SHA1 |
|
Cipher.RSA/ECB/PKCS1Padding
Cipher.RSA/ /PKCS1Padding Cipher.RSA/SSL/PKCS1Padding |
CKM_RSA_PKCS |
|
Cipher.RSA/ECB/NoPadding
Cipher.RSA/ /NoPadding |
CKM_RSA_X_509 |
 Cipher.RSA/ /OAEPPadding |
CKM_RSA_PKCS_OAEP See Notes |
| Cipher.ARCFOUR | CKM_RC4 |
| Cipher.DES/CBC/NoPadding | CKM_DES_CBC |
| Cipher.DESede/CBC/NoPadding | CKM_DES3_CBC |
| Cipher.AES/CBC/NoPadding | CKM_AES_CBC |
| Cipher.Blowfish/CBC/NoPadding | CKM_BLOWFISH_CBC |
| Cipher.AES/GCM/NoPadding | CKM_AES_GCM (See Notes) |
| KeyAgreement.DiffieHellman | CKM_DH_PKCS_DERIVE |
| KeyAgreement.EllipticCurveDiffieHellman |
CKM_ECDH1_DERIVE
CKM_ECDH1_COFACTOR_DERIVE (See Notes) |
| KeyPairGenerator.RSA | CKM_RSA_PKCS_KEY_PAIR_GEN |
| KeyPairGenerator.DSA | CKM_DSA_KEY_PAIR_GEN |
| KeyPairGenerator.DiffieHellman | CKM_DH_PKCS_KEY_PAIR_GEN |
| KeyPairGenerator.EC | CKM_EC_KEY_PAIR_GEN |
| KeyGenerator.ARCFOUR | CKM_RC4_KEY_GEN |
| KeyGenerator.DES | CKM_DES_KEY_GEN |
| KeyGenerator.DESede | CKM_DES3_KEY_GEN |
| KeyGenerator.AES | CKM_AES_KEY_GEN |
| KeyGenerator.Blowfish | CKM_BLOWFISH_KEY_GEN |
| Mac.HmacMD5 | CKM_MD5_HMAC |
| Mac.HmacSHA1 | CKM_SHA_1_HMAC |
| Mac.HmacSHA224 | CKM_SHA224_HMAC |
| Mac.HmacSHA256 | CKM_SHA256_HMAC |
| Mac.HmacSHA384 | CKM_SHA384_HMAC |
| Mac.HmacSHA512 | CKM_SHA512_HMAC |
| MessageDigest.MD2 | CKM_MD2 |
| MessageDigest.MD5 | CKM_MD5 |
| MessageDigest.SHA1 | CKM_SHA_1 |
| MessageDigest.SHA-224 | CKM_SHA224 |
| MessageDigest.SHA-256 | CKM_SHA256 |
| MessageDigest.SHA-384 | CKM_SHA384 |
| MessageDigest.SHA-512 | CKM_SHA512 |
| KeyFactory.RSA | Any supported RSA mechanism |
| KeyFactory.DSA | Any supported DSA mechanism |
| KeyFactory.DiffieHellman | Any supported Diffie-Hellman mechanism |
| KeyFactory.EC | Any supported EC mechanism |
| SecretKeyFactory.ARCFOUR | CKM_RC4 |
| SecretKeyFactory.DES | CKM_DES_CBC |
| SecretKeyFactory.DESede | CKM_DES3_CBC |
| SecretKeyFactory.AES | CKM_AES_CBC |
| SecretKeyFactory.Blowfish | CKM_BLOWFISH_CBC |
Notes:
- Cipher.RSA/ /OAEPPadding is supported on 32-bit
and 64-bit AIX®, 32-bit and 64-bit Linux® on x86 architectures, 32-bit and 64-bit Windows.
- Cipher.AES/GCM/NoPadding is now supported on
32-bit and 64-bit AIX, 32-bit and 64-bit Linux on x86 architectures, 32-bit and 64-bit Windows, as well as the z/OS® platform.
- A new class,
com.ibm.crypto.pkcs11impl.provider.KDFParameterSpec, is available to initialize
the ECDH KeyAgreement object with a KDF value and sharedInfo.
For more information about the class, see the PKCS 11 Implementation Provider API documentation. For more information about how to invoke the CKM_ECDH1_DERIVE and
CKM_ECDH1_COFACTOR_DERIVE hardware mechanisms, see PKCS11 Usage Tip #5:.
Some signature algorithms can be computed with a hardware mechanism and a user supplied hash. These algorithms are listed here:
| Java Algorithm | PKCS#11 Mechanisms |
|---|---|
| Signature.MD2withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.MD5withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.RSAPSS |
CKM_RSA_PKCS_PSS |
| Signature.SHA1withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.SHA224withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.SHA256withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.SHA384withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.SHA512withRSA | CKM_RSA_PKCS, CKM_RSA_X_509 |
| Signature.RSAforSSL | CKM_RSA_PKCS |
| Signature.SHA1withDSA | CKM_DSA, CKM_SHA1 |
| Signature.SHA224withDSA |
CKM_DSA, CKM_SHA224 |
| Signature.SHA256withDSA |
CKM_DSA, CKM_SHA256 |
| Signature.SHA384withDSA |
CKM_DSA, CKM_SHA384 |
| Signature.SHA512withDSA |
CKM_DSA, CKM_SHA512 |
| Signature.NONEwithDSA | CKM_DSA |
| Signature.NONEwithECDSA | CKM_ECDSA |