PKCS #11 mechanisms supported by the EP11 token
View a list of mechanisms provided by PKCS #11 which you can use to exploit the openCryptoki features for the EP11 token from within your application.
Use the pkcsconf command with the shown parameters to retrieve a complete list
of mechanisms that are supported by the EP11 token:
$ pkcsconf -m -c <slot>
Mechanism #2
Mechanism: 0x131 (CKM_DES3_KEY_GEN)
Key Size: 24-24
Flags: 0x8001 (CKF_HW|CKF_GENERATE)
…
Mechanism #10
Mechanism: 0x132 (CKM_DES3_ECB)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
Mechanism #11
Mechanism: 0x133 (CKM_DES3_CBC)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
...On an Crypto Express EP11 coprocessor (CEX*P) which is configured to
support all applicable PKCS #11 mechanisms from the
current openCryptoki version, the EP11 token can exploit the mechanisms listed
by the pkcsconf -m -c <slot> command output. This output corresponds to the
list shown in Table 1. Each mechanism provides its supported
key size and some further properties such as hardware support and mechanism information flags. These
flags provide information about the PKCS #11
functions that may use the mechanism. In some cases, the flags also provide further attributes that
describe the supported variants of the mechanism. Typical functions are for example,
encrypt, decrypt, wrap key, unwrap key,
sign, or verify.
| Mechanism | Key sizes in bits or bytes | Properties | Support with OC version |
|---|---|---|---|
| CKM_RSA_PKCS_OAEP | 1024-4096 bits | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 1024-4096 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_RSA_X9_31_KEY_PAIR_GEN | 1024-4096 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_X9_31 | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_AES_KEY_GEN | 16-32 bytes | GENERATE | before 3.16 |
| CKM_AES_ECB | 16-32 bytes | ENCRYPT, DECRYPT | before 3.16 |
| CKM_AES_CBC | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CBC_PAD | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_XTS1) | 32 - 64 bytes | ENCRYPT, DECRYPT | 3.20 |
| CKM_AES_XTS_KEY_GEN1) | 32 - 64 bytes | GENERATE | 3.20 |
| CKM_DES2_KEY_GEN | 16-16 bytes | GENERATE | before 3.16 |
| CKM_DES3_KEY_GEN | 24-24 bytes | GENERATE | before 3.16 |
| CKM_DES3_ECB | 16-24 bytes | ENCRYPT, DECRYPT | before 3.16 |
| CKM_DES3_CBC | 16-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CBC_PAD | 16-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_SHA256 | n/a | DIGEST | before 3.16 |
| CKM_SHA256_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA224 | n/a | DIGEST | before 3.16 |
| CKM_SHA224_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA_1 | n/a | DIGEST | before 3.16 |
| CKM_SHA1_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA_1_HMAC | 80-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA384 | n/a | DIGEST | before 3.16 |
| CKM_SHA384_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA384_HMAC | 192-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA512_HMAC | 256-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_256 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_ECDSA_KEY_PAIR_GEN | 192-521 bits | GENERATE_KEY_PAIR, EC_F_P, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_ECDSA | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_ECDSA_SHA1 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_ECDH1_DERIVE | 192-521 bits | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_DSA_PARAMETER_GEN | 1024-3072 bits | GENERATE | before 3.16 |
| CKM_DSA_KEY_PAIR_GEN | 1024-3072 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_DSA | 1024-3072 bits | SIGN, VERIFY | before 3.16 |
| CKM_DSA_SHA1 | 1024-3072 bits | SIGN, VERIFY | before 3.16 |
| CKM_DH_PKCS_PARAMETER_GEN | 1024-3072 bits | GENERATE | before 3.16 |
| CKM_DH_PKCS_KEY_PAIR_GEN | 1024-3072 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_DH_PKCS_DERIVE | 1024-3072 bits | DERIVE | before 3.21 |
| CKM_IBM_DILITHIUM | 256-256 bytes | SIGN, VERIFY, GENERATE_KEY_PAIR | before 3.16 |
| CKM_IBM_KYBER | 204-396 bytes | ENCRYPT, DECRYPT, GENERATE, DERIVE | 3.21 |
| CKM_RSA_X9_31 | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_PBE_SHA1_DES3_EDE_CBC | 24-24 bytes | GENERATE | before 3.16 |
| CKM_IBM_SHA3_224 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_256 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_384 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_512 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_384_HMAC | 192-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_512_HMAC | 256-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_ECDSA_SHA224 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_ECDSA_SHA256 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_ECDSA_SHA384 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_ECDSA_SHA512 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_C25519 | 256-256 bytes | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_X25519 | is a synonym for CKM_IBM_EC_C25519 | ||
| CKM_IBM_EC_C448 | 448-448 bytes | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_X448 | is a synonym for CKM_IBM_EC_C448 | ||
| CKM_IBM_ED25519_SHA512 | 256-256 bytes | SIGN, VERIFY, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EDDSA_SHA512 | is a synonym for CKM_IBM_ED25519_SHA512 | before 3.16 | |
| CKM_IBM_ED448_SHA3 | 448-448 bytes | SIGN, VERIFY, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DES3_CMAC | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_ATTRIBUTEBOUND_WRAP | 0-4096 bits | WRAP, UNWRAP | 3.16 |
|
Note: 1) only applicable with protected key (see How and why to exploit protected keys).
|
|||
For a description of mechanisms with a name pattern of CKM_IBM_... refer to
IBM-specific mechanisms.
For more detailed information on how to use the EP11 token, refer to Exploiting Enterprise PKCS #11 using openCryptoki.
For explanation about the key object properties see the PKCS #11 Cryptographic Token Interface Standard.