PKCS #11 mechanisms supported by the EP11 token
View a list of mechanisms provided by PKCS #11 which you can use to exploit the openCryptoki features for the EP11 token from within your application.
```
$ pkcsconf -m -c <slot>
Mechanism #2
Mechanism: 0x131 (CKM_DES3_KEY_GEN)
Key Size: 24-24
Flags: 0x8001 (CKF_HW|CKF_GENERATE)
…
Mechanism #10
Mechanism: 0x132 (CKM_DES3_ECB)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
Mechanism #11
Mechanism: 0x133 (CKM_DES3_CBC)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
...
```
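An application can check at startup that the token offers every mechanism it depends on, with the operation and key size it needs, and refuse to run otherwise. The following is an added example, not part of the original documentation: it parses the `pkcsconf -m` output format shown above and decodes the hexadecimal flag mask with the standard PKCS #11 `CKF_*` bit values. The function names `parse_mechanisms` and `check_requirements` are hypothetical, and the sample text is constructed from the excerpt above.

```python
import re

# Standard PKCS #11 CKF_* mechanism flag bits (values from the PKCS #11 headers).
CKF = {
    "HW": 0x1, "ENCRYPT": 0x100, "DECRYPT": 0x200, "DIGEST": 0x400,
    "SIGN": 0x800, "VERIFY": 0x2000, "GENERATE": 0x8000,
    "GENERATE_KEY_PAIR": 0x10000, "WRAP": 0x20000, "UNWRAP": 0x40000,
    "DERIVE": 0x80000,
}

# Constructed sample: the three records from the pkcsconf excerpt above.
SAMPLE = """\
Mechanism #2
Mechanism: 0x131 (CKM_DES3_KEY_GEN)
Key Size: 24-24
Flags: 0x8001 (CKF_HW|CKF_GENERATE)
Mechanism #10
Mechanism: 0x132 (CKM_DES3_ECB)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
Mechanism #11
Mechanism: 0x133 (CKM_DES3_CBC)
Key Size: 24-24
Flags: 0x60301 (CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|CKF_UNWRAP)
"""

# One record: mechanism id and name, key size range, flag mask (names are ignored).
RECORD = re.compile(r"Mechanism: (0x[0-9A-Fa-f]+) \((\w+)\)\s+Key Size: (\d+)-(\d+)\s+"
                    r"Flags: (0x[0-9A-Fa-f]+)")

def parse_mechanisms(text):
    """Return {name: {"id", "min", "max", "ops"}} decoded from pkcsconf output."""
    mechs = {}
    for mid, name, lo, hi, flags in RECORD.findall(text):
        ops = {op for op, bit in CKF.items() if int(flags, 16) & bit}
        mechs[name] = {"id": int(mid, 16), "min": int(lo), "max": int(hi), "ops": ops}
    return mechs

def check_requirements(mechs, required):
    """required: (mechanism, operation, key_size) tuples. Returns a list of problems."""
    problems = []
    for name, op, size in required:
        m = mechs.get(name)
        if m is None:
            problems.append(f"{name}: not offered by token")
        elif op not in m["ops"]:
            problems.append(f"{name}: {op} not permitted")
        elif not m["min"] <= size <= m["max"]:
            problems.append(f"{name}: key size {size} outside {m['min']}-{m['max']}")
    return problems
```

An empty result from `check_requirements` means every requirement is met; any other result should stop the application before it creates or uses keys.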
| Mechanism | Key sizes in bits or bytes | Properties | Support with OC version |
|---|---|---|---|
| CKM_AES_CBC | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CBC_PAD | 16-32 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_AES_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_AES_ECB | 16-32 bytes | ENCRYPT, DECRYPT | before 3.16 |
| CKM_AES_KEY_GEN | 16-32 bytes | GENERATE | before 3.16 |
| CKM_AES_XTS 1) | 32-64 bytes | ENCRYPT, DECRYPT | 3.20 |
| CKM_AES_XTS_KEY_GEN 1) | 32-64 bytes | GENERATE | 3.20 |
| CKM_DES2_KEY_GEN | 16-16 bytes | GENERATE | before 3.16 |
| CKM_DES3_CBC | 16-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CBC_PAD | 16-24 bytes | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_DES3_CMAC | 16-24 bytes | SIGN, VERIFY | before 3.16 |
| CKM_DES3_ECB | 16-24 bytes | ENCRYPT, DECRYPT | before 3.16 |
| CKM_DES3_KEY_GEN | 24-24 bytes | GENERATE | before 3.16 |
| CKM_DH_PKCS_DERIVE | 1024-3072 bits | DERIVE | before 3.21 |
| CKM_DH_PKCS_KEY_PAIR_GEN | 1024-3072 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_DSA | 1024-3072 bits | SIGN, VERIFY | before 3.16 |
| CKM_DSA_KEY_PAIR_GEN | 1024-3072 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_DSA_SHA1 | 1024-3072 bits | SIGN, VERIFY | before 3.16 |
| CKM_EC_KEY_PAIR_GEN | 192-521 bytes | GENERATE_KEY_PAIR, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDH1_DERIVE | 192-521 bits | DERIVE, EC_F_P, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_KEY_PAIR_GEN | 192-521 bits | GENERATE_KEY_PAIR, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA1 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA224 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA256 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA3_224 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA3_256 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA3_384 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA3_512 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.25 |
| CKM_ECDSA_SHA384 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_ECDSA_SHA512 | 192-521 bits | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | before 3.16 |
| CKM_GENERIC_SECRET_KEY_GEN | 8-256 bytes | GENERATE | before 3.16 |
| CKM_IBM_ATTRIBUTEBOUND_WRAP | 0-4096 bits | WRAP, UNWRAP | 3.16 |
| CKM_IBM_BTC_DERIVE | 16-64 bytes | DERIVE | 3.19 |
| CKM_IBM_CMAC | 16-32 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_DILITHIUM | 256-256 bytes | SIGN, VERIFY, GENERATE_KEY_PAIR | before 3.16 |
| CKM_IBM_EC_C448 | 448-448 bytes | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_C25519 | 256-256 bytes | DERIVE, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EC_X448 | 448-448 bytes | is a synonym for CKM_IBM_EC_C448 | |
| CKM_IBM_EC_X25519 | 256-256 bytes | is a synonym for CKM_IBM_EC_C25519 | |
| CKM_IBM_ECDSA_OTHER | 192-521 bytes | SIGN, VERIFY, EC_F_P, EC_OID, EC_UNCOMPRESS, EC_COMPRESS | 3.19 |
| CKM_IBM_ED448_SHA3 | 448-448 bytes | SIGN, VERIFY, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_ED25519_SHA512 | 256-256 bytes | SIGN, VERIFY, EC_F_P, EC_UNCOMPRESS | before 3.16 |
| CKM_IBM_EDDSA_SHA512 | 256-256 bytes | is a synonym for CKM_IBM_ED25519_SHA512 | before 3.16 |
| CKM_IBM_KYBER | 204-396 bytes | ENCRYPT, DECRYPT, GENERATE_KEY_PAIR, DERIVE | 3.21 |
| CKM_IBM_SHA3_224 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_256 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_384 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_384_HMAC | 192-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_IBM_SHA3_512 | n/a | DIGEST | before 3.16 |
| CKM_IBM_SHA3_512_HMAC | 256-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_PBE_SHA1_DES3_EDE_CBC | 24-24 bytes | GENERATE | before 3.16 |
| CKM_RSA_PKCS | 1024-4096 bits | ENCRYPT, DECRYPT, SIGN, VERIFY, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 1024-4096 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_RSA_PKCS_OAEP | 1024-4096 bits | ENCRYPT, DECRYPT, WRAP, UNWRAP | before 3.16 |
| CKM_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_RSA_X9_31 | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_RSA_X9_31_KEY_PAIR_GEN | 1024-4096 bits | GENERATE_KEY_PAIR | before 3.16 |
| CKM_SHA_1 | n/a | DIGEST | before 3.16 |
| CKM_SHA_1_HMAC | 80-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA_1_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA1_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA1_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA1_RSA_X9_31 | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224 | n/a | DIGEST | before 3.16 |
| CKM_SHA224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA224_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA224_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256 | n/a | DIGEST | before 3.16 |
| CKM_SHA256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA256_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA256_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA3_224 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_224_HMAC 2) | 112-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_224_RSA_PKCS 2) | 1024-4096 bits | SIGN, VERIFY | 3.25 |
| CKM_SHA3_256 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_256_HMAC 2) | 128-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_256_RSA_PKCS 2) | 1024-4096 bits | SIGN, VERIFY | 3.25 |
| CKM_SHA3_384 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_384_HMAC 2) | 192-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_384_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_384_RSA_PKCS 2) | 1024-4096 bits | SIGN, VERIFY | 3.25 |
| CKM_SHA3_512 2) | n/a | DIGEST | 3.25 |
| CKM_SHA3_512_HMAC 2) | 256-256 bytes | SIGN, VERIFY | 3.25 |
| CKM_SHA3_512_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA3_512_RSA_PKCS 2) | 1024-4096 bits | SIGN, VERIFY | 3.25 |
| CKM_SHA384 | n/a | DIGEST | before 3.16 |
| CKM_SHA384_HMAC | 192-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA384_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA384_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA384_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_HMAC | 256-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_KEY_DERIVATION | n/a | DERIVE | before 3.21 |
| CKM_SHA512_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA512_RSA_PKCS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_RSA_PKCS_PSS | 1024-4096 bits | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_224_HMAC | 112-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_224_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |
| CKM_SHA512_256 | n/a | DIGEST | before 3.16 |
| CKM_SHA512_256_HMAC | 128-256 bytes | SIGN, VERIFY | before 3.16 |
| CKM_SHA512_256_KEY_GEN | 80-2048 bits | GENERATE | 3.26 |

Notes:

1) Only applicable with protected key (see How and why to exploit protected keys).

2) Prerequisite: an EP11 host library and a Crypto Express EP11 coprocessor supporting SHA3 algorithms.

For a description of mechanisms with a name pattern of CKM_IBM_..., refer to IBM-specific mechanisms.
For more detailed information on how to use the EP11 token, refer to Exploiting Enterprise PKCS #11 using openCryptoki.
For an explanation of the key object properties, see the PKCS #11 Cryptographic Token Interface Standard.