PKCS #11 mechanisms supported by the EP11 token

View a list of mechanisms provided by PKCS #11 which you can use to exploit the openCryptoki features for the EP11 token from within your application.

Use the pkcsconf command with the shown parameters to retrieve a complete list of mechanisms that are supported by the EP11 token:
$ pkcsconf -m -c <slot>
Mechanism #2
        Mechanism: 0x131 (CKM_DES3_KEY_GEN)
        Key Size: 24-24
        Flags: 0x8001 (CKF_HW|CKF_GENERATE)
…
Mechanism #10
        Mechanism: 0x132 (CKM_DES3_ECB)
        Key Size: 24-24
        Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
Mechanism #11
        Mechanism: 0x133 (CKM_DES3_CBC)
        Key Size: 24-24
        Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
...
On a Crypto Express EP11 coprocessor (CEX*P) that is configured to support all applicable PKCS #11 mechanisms from the current openCryptoki version, the EP11 token can exploit the mechanisms listed in the pkcsconf -m -c <slot> command output. This output corresponds to the list shown in Table 1. Each mechanism is listed with its supported key size and some further properties such as hardware support and mechanism information flags. These flags indicate which PKCS #11 functions may use the mechanism. In some cases, the flags also provide further attributes that describe the supported variants of the mechanism. Typical functions are, for example, encrypt, decrypt, wrap key, unwrap key, sign, or verify.
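As an added example (not part of the original page and not openCryptoki code), the following Python code parses pkcsconf -m -c <slot> output, decodes each Flags bitmask into its PKCS #11 function flags, checks the decoded set against the names pkcsconf printed, and lists the mechanisms that can wrap or unwrap keys. The flag bit values are those of the PKCS #11 standard header; the function names are illustrative, and the sample input is constructed from the three entries quoted above.

```python
import re

# Mechanism-info flag bits from the PKCS #11 standard header (pkcs11t.h).
CKF_BITS = {
    0x1: "CKF_HW", 0x100: "CKF_ENCRYPT", 0x200: "CKF_DECRYPT",
    0x400: "CKF_DIGEST", 0x800: "CKF_SIGN", 0x2000: "CKF_VERIFY",
    0x8000: "CKF_GENERATE", 0x10000: "CKF_GENERATE_KEY_PAIR",
    0x20000: "CKF_WRAP", 0x40000: "CKF_UNWRAP", 0x80000: "CKF_DERIVE",
}

# Constructed sample: the three entries quoted on this page.
SAMPLE = """\
Mechanism #2
        Mechanism: 0x131 (CKM_DES3_KEY_GEN)
        Key Size: 24-24
        Flags: 0x8001 (CKF_HW|CKF_GENERATE)
Mechanism #10
        Mechanism: 0x132 (CKM_DES3_ECB)
        Key Size: 24-24
        Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
Mechanism #11
        Mechanism: 0x133 (CKM_DES3_CBC)
        Key Size: 24-24
        Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
"""

ENTRY = re.compile(r"Mechanism:\s+0x([0-9A-Fa-f]+)\s+\((\w+)\)\s+"
                   r"Key Size:\s+(\d+)-(\d+)\s+"
                   r"Flags:\s+0x([0-9A-Fa-f]+)\s+\(([^)]*)\)")

def parse_mechanisms(text):
    """Parse pkcsconf -m output; bits not in CKF_BITS (e.g. EC flags) go to unknown_bits."""
    mechs = []
    for mid, name, lo, hi, flags, printed in ENTRY.findall(text):
        value = int(flags, 16)
        decoded = {n for bit, n in CKF_BITS.items() if value & bit}
        mechs.append({
            "id": int(mid, 16), "name": name, "key_size": (int(lo), int(hi)),
            "flags": decoded,
            "unknown_bits": value & ~sum(CKF_BITS),
            "label_matches": decoded == set(filter(None, printed.split("|"))),
        })
    return mechs

def key_wrapping_mechanisms(mechs):
    """Mechanisms that can move key material in or out of the token."""
    return sorted(m["name"] for m in mechs if m["flags"] & {"CKF_WRAP", "CKF_UNWRAP"})

if __name__ == "__main__":
    print(key_wrapping_mechanisms(parse_mechanisms(SAMPLE)))
```

On a live system, pass the captured command output to parse_mechanisms instead of SAMPLE and compare the result with the mechanisms your key-handling policy allows.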
Table 1. PKCS #11 mechanisms supported by the EP11 token

| Mechanism | Key sizes in bits or bytes | Properties | Support with OC version |
|---|---|---|---|
| CKM_AES_CBC | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CBC_PAD | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_ECB | 16-32 bytes | ENCRYPT, DECRYPT | before 3.16 |
| CKM_AES_KEY_GEN | 16-32 bytes | GENERATE | before 3.16 |
| CKM_AES_XTS 1) | 32-64 bytes | ENCRYPT, DECRYPT | 3.20 |
| CKM_AES_XTS_KEY_GEN 1) | 32-64 bytes | GENERATE | 3.20 |
| CKM_DES2_KEY_GEN | 16-16 bytes | GENERATE | before 3.16 |
| CKM_DES3_CBC | 16-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CBC_PAD | 16-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CMAC | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DES3_ECB | 16-24 bytes | ENCRYPT, DECRYPT | before 3.16 |
| CKM_DES3_KEY_GEN | 24-24 bytes | GENERATE | before 3.16 |
| CKM_DH_PKCS_DERIVE | 1024-3072 bits | DERIVE | before 3.21 |
| CKM_DH_PKCS_KEY_PAIR_GEN | 1024-3072 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_DSA | 1024-3072 bits | SIGN, VERIFY | before 3.16 |
| CKM_DSA_KEY_PAIR_GEN | 1024-3072 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_DSA_SHA1 | 1024-3072 bits | SIGN, VERIFY | before 3.16 |
| CKM_EC_KEY_PAIR_GEN | 192-521 bytes | GENERATE_KEY_PAIR, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDH1_DERIVE | 192-521 bits | DERIVE, EC_F_P, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_KEY_PAIR_GEN | 192-521 bits | GENERATE_KEY_PAIR, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA1 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA224 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA256 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA3_224 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA3_256 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA3_384 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA3_512 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA384 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA512 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_GENERIC_SECRET_KEY_GEN | 8-256 bytes | GENERATE | before 3.16 |
| CKM_IBM_ATTRIBUTEBOUND_WRAP | 0-4096 bits | WRAP, UNWRAP | 3.16 |
| CKM_IBM_BTC_DERIVE | 16-64 bytes | DERIVE | 3.19 |
| CKM_IBM_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_DILITHIUM | 256-256 bytes | SIGN, VERIFY, GENERATE_KEY_PAIR | before 3.16 |
| CKM_IBM_EC_C448 | 448-448 bytes | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_C25519 | 256-256 bytes | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_X448 is a synonym for CKM_IBM_EC_C448 | 448-448 bytes | | |
| CKM_IBM_EC_X25519 is a synonym for CKM_IBM_EC_C25519 | 256-256 bytes | | |
| CKM_IBM_ECDSA_OTHER | 192-521 bytes | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.19 |
| CKM_IBM_ED448_SHA3 | 448-448 bytes | SIGN, VERIFY, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_ED25519_SHA512 | 256-256 bytes | SIGN, VERIFY, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EDDSA_SHA512 | 256-256 bytes | is a synonym for CKM_IBM_ED25519_SHA512 | before 3.16 |
| CKM_IBM_KYBER | 204-396 bytes | ENCRYPT, DECRYPT, GENERATE_KEY_PAIR, DERIVE | 3.21 |
| CKM_IBM_SHA3_224 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_256 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_384 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_384_HMAC | 192-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_512 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_512_HMAC | 256-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_PBE_SHA1_DES3_EDE_CBC | 24-24 bytes | GENERATE | before 3.16 |
| CKM_RSA_PKCS | 1024-4096 bits | ENCRYPT, DECRYPT, SIGN, VERIFY, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 1024-4096 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_RSA_PKCS_OAEP | 1024-4096 bits | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_RSA_X9_31 | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_RSA_X9_31_KEY_PAIR_GEN | 1024-4096 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_SHA_1 | n/a | DIGEST | before 3.16 |
| CKM_SHA_1_HMAC | 80-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA_1_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA1_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA1_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_X9_31 | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224 | n/a | DIGEST | before 3.16 |
| CKM_SHA224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA224_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256 | n/a | DIGEST | before 3.16 |
| CKM_SHA256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA256_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA3_224 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_224_HMAC 2) | 112-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_224_RSA_PKCS 2) | 1024-4096 | SIGN, VERIFY | 3.25 |
| CKM_SHA3_256 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_256_HMAC 2) | 128-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_256_RSA_PKCS 2) | 1024-4096 bits | SIGN, VERIFY | 3.25 |
| CKM_SHA3_384 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_384_HMAC 2) | 192-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_384_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_384_RSA_PKCS 2) | 1024-4096 bits | SIGN, VERIFY | 3.25 |
| CKM_SHA3_512 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_512_HMAC 2) | 256-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_512_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_512_RSA_PKCS 2) | 1024-4096 | SIGN, VERIFY | 3.25 |
| CKM_SHA384 | n/a | DIGEST | before 3.16 |
| CKM_SHA384_HMAC | 192-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA384_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA384_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_HMAC | 256-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA512_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA512_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA512_256 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |

Notes:

1) Only applicable with a protected key (see How and why to exploit protected keys).

2) Prerequisite: an EP11 host library and a Crypto Express EP11 coprocessor supporting SHA3 algorithms.

For a description of mechanisms with a name pattern of CKM_IBM_... refer to IBM-specific mechanisms.

For more detailed information on how to use the EP11 token, refer to Exploiting Enterprise PKCS #11 using openCryptoki.

For an explanation of the key object properties, see the PKCS #11 Cryptographic Token Interface Standard.