PKCS #11 mechanisms supported by the Soft token
View a list of mechanisms provided by PKCS #11 which you can use to exploit the openCryptoki features for the Soft token from within your application.
Use the pkcsconf command with the shown parameters to retrieve a complete list
of mechanisms that are supported by the Soft token:
$ pkcsconf -m -c <slot>
Mechanism #0
Mechanism: 0x0 (CKM_RSA_PKCS_KEY_PAIR_GEN)
Key Size: 512-4096
Flags: 0x10000 (CKF_GENERATE_KEY_PAIR)
Mechanism #1
Mechanism: 0x120 (CKM_DES_KEY_GEN)
Key Size: 8-8
Flags: 0x8000 (CKF_GENERATE)
Mechanism #2
Mechanism: 0x131 (CKM_DES3_KEY_GEN)
Key Size: 24-24
Flags: 0x8000 (CKF_GENERATE)
…
…The command output shown in Table 1
displays all mechanisms that are supported by the Soft token. Each mechanism provides its supported key size
and some further properties such as hardware support and mechanism information flags. These flags
provide information about the PKCS #11 functions that
may use the mechanism. In some cases, the flags also provide further attributes that describe the
supported variants of the mechanism. Typical functions are for example, encrypt,
decrypt, wrap key, unwrap key, sign, or
verify.
The pkcsconf -m -c <slot> command output corresponds to the list shown in
Table 1.
| Mechanism | Key sizes in bits or bytes | Properties | Support with OC version |
|---|---|---|---|
| CKM_AES_CFB8 | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_AES_CFB128 | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_AES_CBC | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CBC_PAD | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_CMAC_GENERAL | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_CTR | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_AES_ECB | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_GCM | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.25: WRAP, UNWRAP |
| CKM_AES_KEY_GEN | 16-32 bytes | GENERATE | before 3.16 |
| CKM_AES_KEY_WRAP | 32-64 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.25 |
| CKM_AES_KEY_WRAP_PAD | 32-64 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.25 |
| CKM_AES_KEY_WRAP_KWP | 32-64 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.25 |
| CKM_AES_KEY_WRAP_PKCS7 | 32-64 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.25 |
| CKM_AES_MAC | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_MAC_GENERAL | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_OFB | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_AES_XTS | 32 -64 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.20 |
| CKM_AES_XTS_KEY_GEN | 32 -64 bytes | GENERATE | 3.20 |
| CKM_DES_CBC | 8-8 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES_CBC_PAD | 8-8 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES_CFB8 | 24-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_DES_CFB64 | 24-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_DES_ECB | 8-8 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES_KEY_GEN | 8-8 bytes | GENERATE | before 3.16 |
| CKM_DES_OFB64 | 24-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | 3.17 |
| CKM_DES3_CBC | 24-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CBC_PAD | 24-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CMAC | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DES3_CMAC_GENERAL | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DES3_ECB | 24-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_KEY_GEN | 24-24 bytes | GENERATE | before 3.16 |
| CKM_DES3_MAC | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DES3_MAC_GENERAL | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DH_PKCS_DERIVE | 512-8192 bits | DERIVE | before 3.16 |
| CKM_DH_PKCS_KEY_PAIR_GEN | 512-8192 bits | GENERATE KEY PAIR | before 3.16 |
| CKM_EC_KEY_PAIR_GEN | 160-521 bits | GENERATE_KEY_PAIR, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDH_AES_KEY_WRAP | 160-521 bits | WRAP, UNWRAP, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDH1_DERIVE | 160-521 bits | DERIVE, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_KEY_PAIR_GEN | 160-521 bits | GENERATE_KEY_PAIR, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA1 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA224 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA256 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA3_224 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.24 |
| CKM_ECDSA_SHA3_256 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.24 |
| CKM_ECDSA_SHA3_384 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.24 |
| CKM_ECDSA_SHA3_512 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.24 |
| CKM_ECDSA_SHA384 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA512 | 160-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_GENERIC_SECRET_KEY_GEN | 80-2048 bits | GENERATE | before 3.16 |
| CKM_IBM_DILITHIUM1) | 256-256 bytes | SIGN, VERIFY, GENERATE_KEY_PAIR | 3.24 |
| CKM_IBM_SHA3_224 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_224_HMAC | 112-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_256 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_256_HMAC | 128-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_384 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_384_HMAC | 192-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_512 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_512_HMAC | 256-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_MD5 | n/a | DIGEST | before 3.16 |
| CKM_MD5_HMAC | 8-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_MD5_HMAC_GENERAL | 8-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_MD5_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | before 3.16 |
| CKM_RSA_AES_KEY_WRAP | 512-16384 bits2) | WRAP, UNWRAP | 3.25 |
| CKM_RSA_PKCS | 512-16384 bits2) | ENCRYPT, DECRYPT, SIGN, SIGN_RECOVER, VERIFY, VERIFY_RECOVER, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 512-16384 bits2) | GENERATE KEY PAIR | before 3.16 |
| CKM_RSA_PKCS_OAEP | 512-16384 bits2) | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | before 3.16 |
| CKM_RSA_X_509 | 512-16384 bits2) | ENCRYPT, DECRYPT, SIGN, SIGN_RECOVER, VERIFY, VERIFY_RECOVER, WRAP, UNWRAP | before 3.16 |
| CKM_SHA_1 | n/a | DIGEST | before 3.16 |
| CKM_SHA_1_HMAC | 80-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA_1_HMAC_GENERAL | 80-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_KEY_DERIVATION | 8-160 bits | DERIVE | 3.24 |
| CKM_SHA_1_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA1_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA224 | n/a | DIGEST | before 3.16 |
| CKM_SHA224_HMAC | 112-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_HMAC_GENERAL | 112-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_KEY_DERIVATION | 8-224 bits | DERIVE | 3.24 |
| CKM_SHA224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA224_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA224_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA256 | n/a | DIGEST | before 3.16 |
| CKM_SHA256_HMAC | 128-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_HMAC_GENERAL | 128-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_KEY_DERIVATION | 8-256 bits | DERIVE | 3.24 |
| CKM_SHA256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA256_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA256_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA3_224 | n/a | DIGEST | 3.24 |
| CKM_SHA3_224_HMAC | 112-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_224_HMAC_GENERAL | 112-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_224_KEY_DERIVATION | 8-224 bits | DERIVE | 3.24 |
| CKM_SHA3_224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_224_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_224_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_256 | n/a | DIGEST | 3.24 |
| CKM_SHA3_256_HMAC | 128-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_256_HMAC_GENERAL | 128-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_256_KEY_DERIVATION | 8-256 bits | DERIVE | 3.24 |
| CKM_SHA3_256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_256_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_256_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_384 | n/a | DIGEST | 3.24 |
| CKM_SHA3_384_HMAC | 192-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_384_HMAC_GENERAL | 192-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_384_KEY_DERIVATION | 8-384 bits | DERIVE | 3.24 |
| CKM_SHA3_384_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_384_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_384_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_512 | n/a | DIGEST | 3.24 |
| CKM_SHA3_512_HMAC | 256-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_512_HMAC_GENERAL | 256-2048 bits | SIGN, VERIFY | 3.24 |
| CKM_SHA3_512_KEY_DERIVATION | 8-512 bits | DERIVE | 3.24 |
| CKM_SHA3_512_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_512_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA3_512_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.24 |
| CKM_SHA384 | n/a | DIGEST | before 3.16 |
| CKM_SHA384_HMAC | 192-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_HMAC_GENERAL | 192-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_KEY_DERIVATION | 8-384 bits | DERIVE | 3.24 |
| CKM_SHA384_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA384_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA384_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA512 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_HMAC | 256-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_HMAC_GENERAL | 256-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA512_KEY_DERIVATION | 8-512 bits | DERIVE | 3.24 |
| CKM_SHA512_RSA_PKCS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA512_RSA_PKCS_PSS | 512-16384 bits2) | SIGN, VERIFY | 3.16 |
| CKM_SHA512_224 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_224_HMAC | 112-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224_HMAC_GENERAL | 112-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224_KEY_DERIVATION | 8-224 bits | DERIVE | 3.26 |
| CKM_SHA512_224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA512_256 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_256_HMAC | 128-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_256_HMAC_GENERAL | 128-2048 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_256_KEY_DERIVATION | 8-256 bits | DERIVE | 3.26 |
| CKM_SHA512_256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHAKE_128_KEY_DERIVATION | 8-2048 bits | DERIVE | 3.24 |
| CKM_SHAKE_256_KEY_DERIVATION | 8-2048 bits | DERIVE | 3.24 |
| CKM_SSL3_KEY_AND_MAC_DERIVE | 48-48 bytes | DERIVE | before 3.16 |
| CKM_SSL3_MASTER_KEY_DERIVE | 48-48 bytes | DERIVE | before 3.16 |
| CKM_SSL3_MD5_MAC | 384-384 bits | SIGN, VERIFY | before 3.16 |
| CKM_SSL3_PRE_MASTER_KEY_GEN | 48-48 bytes | GENERATE | before 3.16 |
| CKM_SSL3_SHA1_MAC | 384-384 bits | SIGN, VERIFY | before 3.16 |
|
Notes:
1) Support of this mechanism depends on the version of an installed OpenSSL OQS provider. The installed version must support the Round 2 and Round 3 Dilithium variants. Newer versions of the OQS providers do no longer support the old Round 2 and Round 3, but do only support the official NIST variants. This can lead to a failure of the CKM_IBM_DILITHIUM mechanism with the Soft token. 2) The key size of 16384 bits is available starting with openCryptoki version 3.26. With earlier versions, the maximum key size is still 4096 bits. |
|||
For a description of mechanisms with a name pattern of CKM_IBM_...
refer to IBM-specific mechanisms.
For an explanation of the key object properties see the PKCS #11 Cryptographic Token Interface Standard.