eHSM PKCS11 Reference
Last updated January 18, 2019
The eHSM implements the PKCS#11 specification v2.4.
This document specifies the default values and algorithms supported by the eHSM.
PKCS#11 object classes supported:
- CKO_DATA
- CKO_CERTIFICATE
- CKO_PRIVATE_KEY
- CKO_PUBLIC_KEY
- CKO_SECRET_KEY
Default PKCS#11 Object Attributes
| Attribute | Default | Comments |
|---|---|---|
| CK_TOKEN | false | By default an object will be stored in volatile session data. |
| CKA_PRIVATE | true | By default a logged in session is required. |
| CKA_DESTROYABLE | true | By default an object can be deleted. |
| CKA_COPYABLE | true | By default an object can be copied. |
| CKA_MODIFIABLE | true | By default object attributes can be modified. |
Default PKCS#11 Key Attributes
Besides the default object attributes set above, the following default values are specific to key objects
| Attribute | Default | Comments |
|---|---|---|
| CKA_ALWAYS_AUTHENTICATE | false | By default authentication is only required for the session, not each cryptographic operation. |
| CKA_EXTRACTABLE | false | By default a key is not extractable. |
| CKA_DERIVE | false | By default the key cannot be used for key derivation. |
| CKA_SENSITIVE | true | By default a key is sensitive and cannot be read. |
| CKA_DECRYPT | true | By default a private key can be used for decryption. |
| CKA_SIGN | true | By default a private key can be used for signing. |
| CKA_VERIFY | true | By default a public key can be used for verification. |
| CKA_UNWRAP | true | By default a key can be used for unwrapping. |
| CKA_WRAP | false | By default a key can not be used for wrapping. |
Implemented PKCS#11 Functions
Note: all cryptographic operations are implemented on the eHSM. For performance reasons it might be faster for users to perform C_Digest and public key verifications (C_Verify) in software.
| Function Name | Comments |
|---|---|
| C_Initialize | |
| C_Finalize | |
| C_GetInfo | |
| C_GetFunctionList | |
| C_GetSlotList | |
| C_GetSlotInfo | |
| C_GetTokenInfo | |
| C_GetMechanismList | |
| C_GetMechanismInfo | |
| C_InitToken | |
| C_InitPIN | |
| C_SetPIN | |
| C_OpenSession | |
| C_CloseSession | |
| C_CloseAllSessions | |
| C_GetSessionInfo | |
| C_Login | |
| C_Logout | |
| C_CreateObject | |
| C_CopyObject | |
| C_DestroyObject | |
| C_GetObjectSize | |
| C_GetAttributeValue | |
| C_SetAttributeValue | |
| C_FindObjectsInit | |
| C_FindObjects | |
| C_FindObjectsFinal | |
| C_EncryptInit | |
| C_Encrypt | |
| C_EncryptUpdate | |
| C_EncryptFinal | |
| C_DecryptInit | |
| C_Decrypt | |
| C_DecryptUpdate | |
| C_DecryptFinal | |
| C_DigestInit | |
| C_DigestUpdate | |
| C_DigestKey | |
| C_DigestFinal | |
| C_SignInit | |
| C_Sign | |
| C_SignUpdate | |
| C_SignFinal | |
| C_VerifyInit | |
| C_Verify | |
| C_VerifyUpdate | |
| C_VerifyFinal | |
| C_GenerateKey | |
| C_GenerateKeyPair | |
| C_WrapKey | |
| C_UnwrapKey | |
| C_DeriveKey | |
| C_SeedRandom | |
| C_GenerateRandom | |
| C_GetFunctionStatus | |
| C_CancelFunction | |
| C_WaitForSlotEvent |