Supported mechanisms for EP11 tokens
View a list of the supported mechanisms for the EP11 token in the openCryptoki implementation.
Use the pkcsconf command
with the shown parameters to retrieve a complete list
of algorithms (or mechanisms) that are supported by the
token:
$ pkcsconf -m -c <slot>
Mechanism #2
Mechanism: 0x131 (CKM_DES3_KEY_GEN)
Key Size: 24-24
Flags: 0x8001 (CKF_HW|CKF_GENERATE)
…
Mechanism #10
Mechanism: 0x132 (CKM_DES3_ECB)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
Mechanism #11
Mechanism: 0x133 (CKM_DES3_CBC)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
...The list displays all mechanisms that are supported by this token. The mechanism ID and name corresponds to the PKCS #11 specification. Each mechanism provides its supported key size and some further properties such as hardware support and mechanism information flags. These flags provide information about the PKCS #11 functions that may use the mechanism. In some cases, the flags also provide further attributes that describe the supported variants of the mechanism. Typical functions are for example, encrypt, decrypt, wrap key, unwrap key, sign, or verify.
On an Crypto Express EP11 coprocessor which is
configured to support all applicable PKCS #11
mechanisms from openCryptoki version 3.10, the
EP11 token can exploit the mechanisms listed in
Table 1:
| Mechanism | Key sizes (in bits) | Properties |
|---|---|---|
| CKM_AES_CBC | 16,24,32 | ENCRYPT,DECRYPT, WRAP,UNWRAP |
| CKM_AES_CBC_PAD | 16,24,32 | ENCRYPT,DECRYPT, WRAP,UNWRAP |
| CKM_AES_CMAC | 16,24,32 | SIGN,VERIFY |
| CKM_AES_CMAC_GENERAL | 16,24,32 | SIGN,VERIFY |
| CKM_AES_ECB | 16,24,32 | ENCRYPT,DECRYPT |
| CKM_AES_KEY_GEN | 16,24,32 | GENERATE |
| CKM_DES2_KEY_GEN | 16 | GENERATE |
| CKM_DES3_CBC | 16,24 | ENCRYPT,DECRYPT, WRAP,UNWRAP |
| CKM_DES3_CBC_PAD | 16,24 | ENCRYPT,DECRYPT, WRAP,UNWRAP |
| CKM_DES3_CMAC | 16,24 | SIGN,VERIFY |
| CKM_DES3_CMAC_GENERAL | 16,24 | SIGN,VERIFY |
| CKM_DES3_ECB | 16,24 | ENCRYPT,DECRYPT |
| CKM_DES3_KEY_GEN | 24 | GENERATE |
| CKM_DH_PKCS_DERIVE | 1024-3072 | DERIVE |
| CKM_DH_PKCS_KEY_PAIR_GEN | 1024-3072 | GENERATE_KEY_PAIR |
| CKM_DH_PKCS_PARAMETER_GEN | 1024-3072 | GENERATE |
| CKM_DSA | 1024-3072 | SIGN,VERIFY |
| CKM_DSA_KEY_PAIR_GEN | 1024-3072 | GENERATE_KEY_PAIR |
| CKM_DSA_PARAMETER_GEN | 1024-3072 | GENERATE |
| CKM_DSA_SHA1 | 1024-3072 | SIGN,VERIFY |
| CKM_EC_KEY_PAIR_GEN | 192,521 | GENERATE_KEY_PAIR, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDH1_DERIVE [1] | 192,521 | DERIVE, EC_F_P, EC_UNCOMPRESS |
| CKM_ECDSA | 192,521 | SIGN,VERIFY, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDSA_KEY_PAIR_GEN | 192,521 | GENERATE_KEY_PAIR, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDSA_SHA1 | 192,521 | SIGN,VERIFY, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDSA_SHA224 | 192-521 | SIGN,VERIFY, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDSA_SHA256 | 192-521 | SIGN, VERIFY, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDSA_SHA384 | 192-521 | SIGN,VERIFY, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_ECDSA_SHA512 | 192-521 | SIGN,VERIFY, EC_F_P, EC_NAMEDCURVE, EC_UNCOMPRESS |
| CKM_IBM_CMAC | 16,32 | SIGN,VERIFY |
| CKM_IBM_DILITHIUM [2] | 256 | SIGN,VERIFY, GENERATE_KEY_PAIR |
| CKM_IBM_EC_C25519 | 256 | DERIVE, EC_F_P, EC_UNCOMPRESS |
| CKM_IBM_EC_C448 | 448 | DERIVE, EC_F_P, EC_UNCOMPRESS |
| CKM_IBM_ED25519_SHA512 | 256 | SIGN,VERIFY, EC_F_P, EC_UNCOMPRESS |
| CKM_IBM_ED448_SHA3 | 448 | SIGN,VERIFY, EC_F_P, EC_UNCOMPRESS |
| CKM_IBM_EDDSA_SHA512 | n/a | SIGN,VERIFY |
| CKM_IBM_SHA3_224 | n/a | DIGEST |
| CKM_IBM_SHA3_224_HMAC | 112-256 | SIGN,VERIFY |
| CKM_IBM_SHA3_256 | n/a | DIGEST |
| CKM_IBM_SHA3_256_HMAC | 128-256 | SIGN,VERIFY |
| CKM_IBM_SHA3_384 | n/a | DIGEST |
| CKM_IBM_SHA3_384_HMAC | 192-256 | SIGN,VERIFY |
| CKM_IBM_SHA3_512 | n/a | DIGEST |
| CKM_IBM_SHA3_512_HMAC | 256 | SIGN,VERIFY |
| CKM_PBE_SHA1_DES3_EDE_CBC | 24 | GENERATE |
| CKM_RSA_PKCS | 1024-4096 | ENCRYPT,DECRYPT, SIGN,VERIFY, WRAP,UNWRAP |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 1024-4096 | GENERATE_KEY_PAIR |
| CKM_RSA_PKCS_OAEP [3] | 1024-4096 | ENCRYPT,DECRYPT, WRAP,UNWRAP |
| CKM_RSA_PKCS_PSS | 1024-4096 | SIGN,VERIFY |
| CKM_RSA_X9_31 | 1024-4096 | SIGN, VERIFY |
| CKM_RSA_X9_31_KEY_PAIR_GEN | 1024-4096 | GENERATE_KEY_PAIR |
| CKM_SHA_1 | n/a | DIGEST |
| CKM_SHA_1_HMAC | 80-256 | SIGN,VERIFY |
| CKM_SHA1_KEY_DERIVATION | n/a | DERIVE |
| CKM_SHA1_RSA_PKCS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA1_RSA_PKCS_PSS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA1_RSA_X9_31 | 1024-4096 | SIGN,VERIFY |
| CKM_SHA224 | n/a | DIGEST |
| CKM_SHA224_HMAC | 112-256 | SIGN, VERIFY |
| CKM_SHA224_HMAC_GENERAL | 80-2048 | SIGN, VERIFY |
| CKM_SHA224_KEY_DERIVATION | n/a | DERIVE |
| CKM_SHA224_RSA_PKCS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA224_RSA_PKCS_PSS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA256 | n/a | DIGEST |
| CKM_SHA256_HMAC | 128-256 | SIGN,VERIFY |
| CKM_SHA256_KEY_DERIVATION | n/a | DERIVE |
| CKM_SHA256_RSA_PKCS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA256_RSA_PKCS_PSS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA384 | n/a | DIGEST |
| CKM_SHA384_HMAC | 192-256 | SIGN,VERIFY |
| CKM_SHA384_KEY_DERIVATION | n/a | DERIVE |
| CKM_SHA384_RSA_PKCS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA384_RSA_PKCS_PSS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA512 | n/a | DIGEST |
| CKM_SHA512_224 | n/a | DIGEST |
| CKM_SHA512_224_HMAC | 112-256 | SIGN,VERIFY |
| CKM_SHA512_224_HMAC_GENERAL | 16,256 | SIGN,VERIFY |
| CKM_SHA512_256 | n/a | Digest |
| CKM_SHA512_256_HMAC | 128-256 | SIGN,VERIFY |
| CKM_SHA512_256_HMAC_GENERAL | 16,256 | SIGN,VERIFY |
| CKM_SHA512_HMAC | 256 | SIGN,VERIFY |
| CKM_SHA512_KEY_DERIVATION | n/a | DERIVE |
| CKM_SHA512_RSA_PKCS | 1024-4096 | SIGN,VERIFY |
| CKM_SHA512_RSA_PKCS_PSS | 1024-4096 | SIGN,VERIFY |
|
||
For explanation about the key object properties see the PKCS #11 Cryptographic Token Interface Standard.