features.md

Features

  • ✅ : Fully functional
  • ⚠️ : Functional but with limitations
  • ❌ : Not implemented

Base features

| Feature | Status | Notes |
|---|---|---|
| C_GetFunctionList | | |
| C_Initialize | | Custom mutexes are not supported |
| C_Finalize | | |
| C_GetInfo | | |

Session

| Feature | Status | Notes |
|---|---|---|
| C_OpenSession | | Notify not supported |
| C_CloseSession | | |
| C_CloseAllSessions | | |
| C_GetSessionInfo | | |
| C_GetOperationState | | No demand |
| C_SetOperationState | | No demand |
| C_GetFunctionStatus | | Returns CKR_FUNCTION_NOT_PARALLEL |
| C_CancelFunction | | Returns CKR_FUNCTION_NOT_PARALLEL |

Token

| Feature | Status | Notes |
|---|---|---|
| C_GetSlotList | | |
| C_GetSlotInfo | | |
| C_GetTokenInfo | | |
| C_InitToken | | |
| C_GetMechanismList | | |
| C_GetMechanismInfo | | |
| C_Login | | The PIN is used as the password. Logging in as SO means logging in with an Administrator account (the username is "admin" by default) |
| C_Logout | | |
| C_WaitForSlotEvent | | CKF_DONT_BLOCK set: checks if a slot has changed state since the last check. CKF_DONT_BLOCK clear: waits for a slot to change state |

Decrypt

Mechanisms:

  • AES-CBC
  • RSA-X-509 (Raw RSA)
  • RSA-PKCS
  • RSA-PKCS-OAEP: data hashed with MD5/SHA1/SHA224/SHA256/SHA384/SHA512

| Feature | Status | Notes |
|---|---|---|
| C_DecryptInit | | |
| C_Decrypt | | |
| C_DecryptUpdate | | The length of the output buffer will always be 0. All decrypted data is returned by the C_DecryptFinal call |
| C_DecryptFinal | | |
| C_DecryptVerifyUpdate | | Verify is not supported by NetHSM |

Encrypt

Mechanisms:

  • AES-CBC

| Feature | Status | Notes |
|---|---|---|
| C_EncryptInit | | |
| C_Encrypt | | |
| C_EncryptUpdate | | |
| C_EncryptFinal | | AES-CBC expects messages whose length is a multiple of 16 |

Sign

Mechanisms:

  • RSA-PKCS
  • SHA1-RSA-PKCS (Hash is computed by the PKCS#11 module)
  • SHA224-RSA-PKCS (Hash is computed by the PKCS#11 module)
  • SHA256-RSA-PKCS (Hash is computed by the PKCS#11 module)
  • SHA384-RSA-PKCS (Hash is computed by the PKCS#11 module)
  • SHA512-RSA-PKCS (Hash is computed by the PKCS#11 module)
  • RSA-PKCS-PSS: expects already hashed value with MD5/SHA1/SHA224/SHA256/SHA384/SHA512 (set the correct one in CK_RSA_PKCS_PSS_PARAMS)
  • SHA1-RSA-PKCS-PSS (Hash is computed by the PKCS#11 module)
  • SHA224-RSA-PKCS-PSS (Hash is computed by the PKCS#11 module)
  • SHA256-RSA-PKCS-PSS (Hash is computed by the PKCS#11 module)
  • SHA384-RSA-PKCS-PSS (Hash is computed by the PKCS#11 module)
  • SHA512-RSA-PKCS-PSS (Hash is computed by the PKCS#11 module)
  • EDDSA
  • ECDSA
  • ECDSA-SHA1 (Hash is computed by the PKCS#11 module)
  • ECDSA-SHA224 (Hash is computed by the PKCS#11 module)
  • ECDSA-SHA256 (Hash is computed by the PKCS#11 module)
  • ECDSA-SHA384 (Hash is computed by the PKCS#11 module)
  • ECDSA-SHA512 (Hash is computed by the PKCS#11 module)

| Feature | Status | Notes |
|---|---|---|
| C_SignInit | | |
| C_Sign | | |
| C_SignUpdate | | |
| C_SignFinal | | |
| C_SignRecoverInit | | Not supported by NetHSM |
| C_SignRecover | | Not supported by NetHSM |
| C_SignEncryptUpdate | | Not supported by NetHSM |

Digest ❌

Digest is not supported by NetHSM

Verify ❌

Verify is not supported by NetHSM

Generation

| Feature | Status | Notes |
|---|---|---|
| C_GenerateKey | | Needs Administrator |
| C_GenerateKeyPair | | Needs Administrator |
| C_GenerateRandom | | |
| C_SeedRandom | ⚠️ | Returns OK but the arguments are ignored |
| C_WrapKey | | Not supported by NetHSM |
| C_UnwrapKey | | Not supported by NetHSM |
| C_DeriveKey | | Not supported by NetHSM |

Objects

| Feature | Status | Notes |
|---|---|---|
| C_FindObjectsInit | ⚠️ | Only lists the available keys |
| C_FindObjects | ⚠️ | Only lists the available keys |
| C_FindObjectsFinal | | |
| C_GetAttributeValue | | |
| C_GetObjectSize | | |
| C_CreateObject | ⚠️ | Requires being logged in as Administrator (SO). Only private keys can be added. |
| C_CopyObject | | Always returns CKR_ACTION_PROHIBITED |
| C_DestroyObject | ⚠️ | Requires being logged in as Administrator (SO). Only private keys can be deleted. |
| C_SetAttributeValue | | Returns CKR_ACTION_PROHIBITED. A compatibility option is available for Java Sun PKCS11 (e.g. EJBCA): enable_set_attribute_value |

Pin management

| Feature | Status | Notes |
|---|---|---|
| C_InitPIN | | |
| C_SetPIN | | Changes the password of the user |