Token specifications

Application programmers find here documentation of the token mechanisms that are available for use in cryptographic applications. openCryptoki administrators find additional token-specific tools and, where applicable, information about required token-specific configuration.

Each token plugged into openCryptoki can implement a selection of the provided PKCS #11 mechanisms to be used in application programs. The names of these mechanisms start with the prefix "CKM_". For example, the CKM_AES_KEY_GEN mechanism generates an AES cryptographic key. This mechanism is offered by the CCA token, the ICA token, the EP11 token, and the Soft token, and can therefore be used to generate an AES key by any application that accesses one or more of these tokens.

Companies that collaborate with the openCryptoki open source community can contribute their company-specific mechanisms to openCryptoki. For example, all mechanisms that IBM® adds to openCryptoki in addition to the PKCS #11 standard start with the vendor-specific prefix "CKM_IBM_". An example of an IBM-specific PKCS #11 mechanism is CKM_IBM_SHA3_384_HMAC, which you can use with an EP11 token to sign and verify a message using the SHA3-384 hash function.

Issue the pkcsconf command with the -m parameter to display all mechanisms that are supported by the token of interest residing in the slot specified with parameter -c:

$ pkcsconf -m -c <slot>

For example, if you want to display all supported PKCS #11 mechanisms of an ICA token that resides in slot number 1 in your environment, issue the following command:

# pkcsconf -m -c 1

The output depends on the supported Crypto Express coprocessors and on the openCryptoki version. The beginning of the output list may look as shown in Figure 1. The mechanism names correspond to the PKCS #11 specification. Each mechanism lists its supported key size range and some further properties, such as hardware support and the mechanism information flags. These flags indicate which PKCS #11 functions may use the mechanism. Typical functions are, for example, encrypt, decrypt, wrap key, unwrap key, sign, and verify. For some mechanisms, the flags show further attributes that describe the supported variants of the mechanism.

Figure 1. List of supported mechanisms for a certain token
Mechanism #0
        Mechanism: 0x0 (CKM_RSA_PKCS_KEY_PAIR_GEN)
        Key Size: 512-4096
        Flags: 0x10001 (CKF_HW|CKF_GENERATE_KEY_PAIR)
Mechanism #1
        Mechanism: 0x1 (CKM_RSA_PKCS)
        Key Size: 512-4096
        Flags: 0x67B01 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_SIGN_RECOVER|
                        CKF_VERIFY|CKF_VERIFY_RECOVER|CKF_WRAP|CKF_UNWRAP)
Mechanism #2
        Mechanism: 0x3 (CKM_RSA_X_509)
        Key Size: 512-4096
        Flags: 0x67B01 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_SIGN_RECOVER|
                        CKF_VERIFY|CKF_VERIFY_RECOVER|CKF_WRAP|CKF_UNWRAP)
…
Note: Linux® on IBM Z and IBM LinuxONE do not support the Trusted Platform Module (TPM) token library.
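To evaluate the pkcsconf -m output from a deployment check instead of reading it by eye, here is an added Python example that is not part of openCryptoki or of this documentation: it parses the listing, decodes the Flags word into its CKF_* bits using the values defined by the PKCS #11 standard, and verifies that a mechanism is offered with the key size and capabilities an application requires. The embedded sample is the Figure 1 output; the function names are assumptions of this example.

```python
import re

# CKF_* mechanism-info flag bits as defined by the PKCS #11 standard.
CKF_FLAGS = {
    0x00001: "CKF_HW",
    0x00100: "CKF_ENCRYPT",
    0x00200: "CKF_DECRYPT",
    0x00400: "CKF_DIGEST",
    0x00800: "CKF_SIGN",
    0x01000: "CKF_SIGN_RECOVER",
    0x02000: "CKF_VERIFY",
    0x04000: "CKF_VERIFY_RECOVER",
    0x08000: "CKF_GENERATE",
    0x10000: "CKF_GENERATE_KEY_PAIR",
    0x20000: "CKF_WRAP",
    0x40000: "CKF_UNWRAP",
    0x80000: "CKF_DERIVE",
}

# Constructed sample input: the first entries of `pkcsconf -m -c 1` from Figure 1.
SAMPLE_OUTPUT = """\
Mechanism #0
        Mechanism: 0x0 (CKM_RSA_PKCS_KEY_PAIR_GEN)
        Key Size: 512-4096
        Flags: 0x10001 (CKF_HW|CKF_GENERATE_KEY_PAIR)
Mechanism #1
        Mechanism: 0x1 (CKM_RSA_PKCS)
        Key Size: 512-4096
        Flags: 0x67B01 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_SIGN_RECOVER|
                        CKF_VERIFY|CKF_VERIFY_RECOVER|CKF_WRAP|CKF_UNWRAP)
"""

def decode_flags(value):
    """Return the CKF_* names set in a mechanism-info flags word, lowest bit first."""
    return [name for bit, name in sorted(CKF_FLAGS.items()) if value & bit]

def parse_pkcsconf(text):
    """Parse `pkcsconf -m` output into {mechanism_name: {"min", "max", "flags"}}."""
    mechs = {}
    for block in re.split(r"^Mechanism #\d+\s*$", text, flags=re.M)[1:]:
        name = re.search(r"Mechanism: 0x[0-9A-Fa-f]+ \((\w+)\)", block).group(1)
        size = re.search(r"Key Size: (\d+)-(\d+)", block)
        lo, hi = (int(size.group(1)), int(size.group(2))) if size else (0, 0)
        flags = int(re.search(r"Flags: (0x[0-9A-Fa-f]+)", block).group(1), 16)
        mechs[name] = {"min": lo, "max": hi, "flags": flags}
    return mechs

def supports(mechs, name, key_bits, *required):
    """True if the token offers `name` for `key_bits` with every required CKF_* flag."""
    m = mechs.get(name)
    if m is None or not (m["min"] <= key_bits <= m["max"]):
        return False
    return all(flag in decode_flags(m["flags"]) for flag in required)
```

Feed it the real listing with `parse_pkcsconf(subprocess.check_output(["pkcsconf", "-m", "-c", slot], text=True))` to fail a deployment early when a token lacks a mechanism, key size or capability the application depends on.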