HID® Crescendo® PKCS11
PKCS#11 API Coverage

Supported Attributes

All the attributes conform to the PKCS#11 Cryptographic Token Interface Standard v2.40.

The following tables list the attributes implemented in the Crescendo PKCS#11 API:

General Object Attributes

Attribute Supported
CKA_CLASS Yes
CKA_TOKEN Yes
CKA_PRIVATE Yes
CKA_LABEL Yes
CKA_APPLICATION No
CKA_VALUE Yes
CKA_OBJECT_ID No
CKA_MODIFIABLE Yes (note 1)
CKA_COPYABLE Yes (note 1)
CKA_DESTROYABLE Yes (note 1)

Notes

1. Always set to FALSE (0) in this release

Certificate Object Attributes

Attribute Supported
CKA_CERTIFICATE_TYPE Yes (note 1)
CKA_TRUSTED Yes (note 2)
CKA_CERTIFICATE_CATEGORY Yes
CKA_CHECK_VALUE Yes
CKA_START_DATE Yes
CKA_END_DATE Yes
CKA_PUBLIC_KEY_INFO Yes
CKA_SUBJECT Yes
CKA_ID Yes
CKA_ISSUER Yes
CKA_SERIAL_NUMBER Yes
CKA_URL Yes (note 3)
CKA_HASH_OF_SUBJECT_PUBLIC_KEY Yes
CKA_HASH_OF_ISSUER_PUBLIC_KEY Yes (note 3)
CKA_JAVA_MIDP_SECURITY_DOMAIN Yes (note 4)

Notes

1. In this release, the library will always report the value CKC_X_509 for this attribute.
2. In this release, the library will always report the value TRUE (1) for this attribute.
3. In this release, the library will always report an empty value for this attribute.
4. In this release, the library will always report the value CK_SECURITY_DOMAIN_UNSPECIFIED for this attribute.

Key Object Attributes

Attribute Supported
CKA_KEY_TYPE Yes
CKA_SUBJECT Yes (note 1)
CKA_ID Yes
CKA_SENSITIVE Yes
CKA_ENCRYPT Yes (note 4)
CKA_DECRYPT Yes (note 4)
CKA_WRAP Yes (note 4)
CKA_UNWRAP Yes (note 4)
CKA_SIGN Yes (note 4)
CKA_SIGN_RECOVER Yes (note 4)
CKA_VERIFY Yes (note 4)
CKA_VERIFY_RECOVER Yes (note 4)
CKA_DERIVE Yes (note 4)
CKA_START_DATE Yes (note 1)
CKA_END_DATE Yes (note 1)
CKA_MODULUS Yes
CKA_MODULUS_BITS Yes
CKA_PUBLIC_EXPONENT Yes
CKA_PRIVATE_EXPONENT Yes (note 3)
CKA_PRIME_1 Yes (note 3)
CKA_PRIME_2 Yes (note 3)
CKA_EXPONENT_1 Yes (note 3)
CKA_EXPONENT_2 Yes (note 3)
CKA_COEFFICIENT Yes (note 3)
CKA_PUBLIC_KEY_INFO Yes
CKA_PRIME No
CKA_SUBPRIME No
CKA_BASE No
CKA_PRIME_BITS No
CKA_SUB_PRIME_BITS No
CKA_VALUE_BITS No
CKA_VALUE_LEN No
CKA_EXTRACTABLE Yes
CKA_LOCAL Yes (note 2)
CKA_NEVER_EXTRACTABLE Yes
CKA_ALWAYS_SENSITIVE Yes
CKA_KEY_GEN_MECHANISM Yes (note 3)
CKA_ECDSA_PARAMS No
CKA_EC_PARAMS Yes
CKA_EC_POINT Yes
CKA_SECONDARY_AUTH No
CKA_AUTH_PIN_FLAGS No
CKA_ALWAYS_AUTHENTICATE Yes (note 2)
CKA_WRAP_WITH_TRUSTED Yes (note 5)
CKA_GOSTR3410_PARAMS No
CKA_GOSTR3411_PARAMS No
CKA_GOST28147_PARAMS No

Notes

1. Only available if the key has a corresponding certificate on the card.
2. In this release, this will always be set to TRUE (1).
3. In this release, this will always return CK_UNAVAILABLE_INFORMATION.
4. These attributes are derived from the usage attribute of the associated certificate, if available. The algorithm used to determine them may change in the future, so applications should not rely on these values. These attributes should be considered unsupported in the current release.
5. In this release, this will always be set to FALSE (0).

Hardware Feature Object Attributes

Attribute Supported
CKA_HW_FEATURE_TYPE No
CKA_RESET_ON_INIT No
CKA_HAS_RESET No

Domain Parameters Object Attributes

Attribute Supported
CKA_PRIME No
CKA_SUBPRIME No
CKA_BASE No
CKA_PRIME_BITS No
CKA_SUB_PRIME_BITS No
CKA_VALUE_BITS No
CKA_VALUE_LEN No

OTP Object Attributes

Attribute Supported
CKA_OTP_FORMAT No
CKA_OTP_LENGTH No
CKA_OTP_TIME_INTERVAL No
CKA_OTP_USER_FRIENDLY_MODE No
CKA_OTP_CHALLENGE_REQUIREMENT No
CKA_OTP_TIME_REQUIREMENT No
CKA_OTP_COUNTER_REQUIREMENT No
CKA_OTP_PIN_REQUIREMENT No
CKA_OTP_USER_IDENTIFIER No
CKA_OTP_SERVICE_IDENTIFIER No
CKA_OTP_SERVICE_LOGO No
CKA_OTP_SERVICE_LOGO_TYPE No
CKA_OTP_COUNTER No
CKA_OTP_TIME No

Supported Mechanisms

All the mechanisms conform to the PKCS#11 Cryptographic Token Interface Standard v2.40 and to the PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 2.40.

The following table lists the mechanisms implemented in the Crescendo PKCS#11 API:

Mechanism Description Supported
CKM_RSA_X_509 X.509 (raw) RSA mechanism Yes
CKM_RSA_PKCS_OAEP PKCS #1 RSA OAEP mechanism Yes
CKM_RSA_PKCS_KEY_PAIR_GEN PKCS #1 RSA key pair generation mechanism No
CKM_RSA_PKCS PKCS #1 v1.5 RSA mechanism Yes
CKM_RSA_PKCS_PSS PKCS #1 RSA PSS mechanism Yes
CKM_SHA1_RSA_PKCS_PSS PKCS #1 RSA PSS signature with SHA-1 mechanism Yes
CKM_SHA256_RSA_PKCS_PSS PKCS #1 RSA PSS signature with SHA-256 mechanism Yes
CKM_SHA512_RSA_PKCS_PSS PKCS #1 RSA PSS signature with SHA-512 mechanism Yes
CKM_SHA1_RSA_PKCS PKCS #1 v1.5 RSA signature with SHA-1 mechanism Yes
CKM_SHA256_RSA_PKCS PKCS #1 v1.5 RSA signature with SHA-256 mechanism Yes
CKM_SHA512_RSA_PKCS PKCS #1 v1.5 RSA signature with SHA-512 mechanism Yes

Supported Functions

All the functions conform to the PKCS#11 Cryptographic Token Interface Standard v2.40.

The following tables list the functions implemented in the Crescendo PKCS#11 API:

General Purpose Functions

Function Description Supported
C_Initialize Initializes Cryptoki Yes
C_Finalize Cleans up miscellaneous Cryptoki-associated resources Yes
C_GetInfo Obtains general information about Cryptoki Yes
C_GetFunctionList Obtains entry points of Cryptoki library functions Yes

Slot and Token Management Functions

Function Description Supported
C_GetSlotList Obtains a list of slots in the system Yes
C_GetSlotInfo Obtains information about a particular slot Yes
C_GetTokenInfo Obtains information about a particular token Yes
C_GetMechanismList Obtains a list of mechanisms supported by a token Yes
C_GetMechanismInfo Obtains information about a particular mechanism Yes
C_WaitForSlotEvent Waits for a slot event, such as token insertion or removal No
C_InitToken Initializes a token No
C_InitPIN Initializes the normal user’s PIN No
C_SetPIN Modifies the PIN of the user that is currently logged in No

Session Management Functions

Function Description Supported
C_OpenSession Opens a connection between an application and a token Yes
C_CloseSession Closes a session Yes
C_CloseAllSessions Closes all sessions with a token Yes
C_GetSessionInfo Obtains information about the session Yes
C_Login Logs into a token Yes
C_Logout Logs out from a token Yes
C_GetOperationState Obtains a copy of the cryptographic operations state of a session No
C_SetOperationState Restores the cryptographic operations state of a session No

Object Management Functions

Function Description Supported
C_GetObjectSize Obtains the size of an object in bytes No
C_GetAttributeValue Obtains an attribute value of an object Yes
C_FindObjectsInit Initializes an object search operation Yes
C_FindObjects Continues an object search operation Yes
C_FindObjectsFinal Finishes an object search operation Yes
C_CreateObject Creates a new object No
C_CopyObject Copies an object No
C_DestroyObject Destroys an object No
C_SetAttributeValue Sets an attribute value of an object No

Encryption Functions

Function Description Supported
C_EncryptInit Initializes an encryption operation Yes
C_Encrypt Encrypts single-part data Yes
C_EncryptUpdate Continues a multiple-part encryption operation Yes
C_EncryptFinal Finishes a multiple-part encryption operation Yes

Decryption Functions

Function Description Supported
C_DecryptInit Initializes a decryption operation Yes
C_Decrypt Decrypts single-part encrypted data Yes
C_DecryptUpdate Continues a multiple-part decryption operation Yes
C_DecryptFinal Finishes a multiple-part decryption operation Yes

Message Digest Functions

Function Description Supported
C_DigestInit Initializes a message-digesting operation No
C_Digest Digests single-part data No
C_DigestUpdate Continues a multiple-part message-digesting operation No
C_DigestKey Digests the value of a secret key as part of a message-digesting operation No
C_DigestFinal Finishes a multiple-part message-digesting operation No

Signing and MACing Functions

Function Description Supported
C_SignInit Initializes a signature (private key encryption) operation Yes
C_Sign Signs single-part data Yes
C_SignUpdate Continues a multiple-part signature operation Yes
C_SignFinal Finishes a multiple-part signature operation Yes
C_SignRecoverInit Initializes a signature operation, where the data can be recovered from the signature No
C_SignRecover Signs data, where the data can be recovered from the signature No

Verifying Signatures and MACs Functions

Function Description Supported
C_VerifyInit Initializes a verification operation, where the signature is an appendix to the data Yes
C_Verify Verifies a signature, where the signature is an appendix to the data Yes
C_VerifyUpdate Continues a multiple-part verification operation Yes
C_VerifyFinal Finishes a multiple-part verification operation Yes
C_VerifyRecoverInit Initializes a verification operation, where the data is recovered from the signature No
C_VerifyRecover Verifies a signature, where the data is recovered from the signature No

Dual-Purpose Cryptographic Functions

Function Description Supported
C_DigestEncryptUpdate Continues a multiple-part digesting and encryption operation No
C_DecryptDigestUpdate Continues a multiple-part decryption and digesting operation No
C_SignEncryptUpdate Continues a multiple-part signing and encryption operation No
C_DecryptVerifyUpdate Continues a multiple-part decryption and verify operation No

Key Management Functions

Function Description Supported
C_GenerateKey Generates a secret key, creating a new key object No
C_GenerateKeyPair Generates a public/private key pair, creating new key objects No
C_WrapKey Wraps (encrypts) a key, creating a wrapped key object No
C_UnwrapKey Unwraps (decrypts) a wrapped key, creating a new key object No
C_DeriveKey Derives a key from a base key, creating a new key object No

Random Number Generation Functions

Function Description Supported
C_SeedRandom Mixes additional seed material into the token’s random number generator No
C_GenerateRandom Generates random data No

Legacy Parallel Function Management Functions

Function Description Supported
C_GetFunctionStatus Obtains the status of a function running in parallel No
C_CancelFunction Cancels a function running in parallel No